stack

mosaic/stack

Fork 0

Files

History

Jason Woltje 0a527d2a4e

ci/woodpecker/push/woodpecker Pipeline failed

Details

fix(#279 ): Validate orchestrator URL configuration (SSRF risk)

Implemented comprehensive URL validation to prevent SSRF attacks:
- Created URL validator utility with protocol whitelist (http/https only)
- Blocked access to private IP ranges (10.x, 192.168.x, 172.16-31.x)
- Blocked loopback addresses (127.x, localhost, 0.0.0.0)
- Blocked link-local addresses (169.254.x)
- Blocked IPv6 localhost (::1, ::)
- Allow localhost in development/test environments only
- Added structured audit logging for invalid URL attempts
- Comprehensive test coverage (37 tests for URL validator)

Security Impact:
- Prevents attackers from redirecting agent spawn requests to internal services
- Blocks data exfiltration via malicious orchestrator URL
- All agent operations now validated against SSRF

Files changed:
- apps/api/src/federation/utils/url-validator.ts (new)
- apps/api/src/federation/utils/url-validator.spec.ts (new)
- apps/api/src/federation/federation-agent.service.ts (validation integration)
- apps/api/src/federation/federation-agent.service.spec.ts (test updates)
- apps/api/src/federation/audit.service.ts (audit logging)
- apps/api/src/federation/federation.module.ts (service exports)

Fixes #279

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-03 20:47:41 -06:00

1-project-scaffold.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

2-postgresql-pgvector-schema.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

3-prisma-orm-setup.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

4-authentik-oidc-final-status.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

4-authentik-oidc.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

5-crud-apis.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

6-basic-web-ui.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

7-8-type-safety-fixes.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

7-activity-logging.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

8-docker-compose.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

36-traefik-integration.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

42-jarvis-chat-overlay.md

feat(#42 ): Implement persistent Jarvis chat overlay

2026-02-03 20:24:41 -06:00

52-active-projects-widget.md

feat(#52 ): implement Active Projects & Agent Chains widget

2026-02-03 19:17:13 -06:00

65-full-text-search.md

feat(#66 ): implement tag filtering in search API endpoint

2026-02-02 14:33:31 -06:00

66-search-api-endpoint.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

67-search-ui.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

69-embedding-generation.md

feat(#71 ): implement graph data API

2026-02-02 15:27:00 -06:00

70-semantic-search-api.md

feat(#71 ): implement graph data API

2026-02-02 15:27:00 -06:00

71-graph-data-api.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

72-graph-visualization.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

84-instance-identity-model.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

85-connect-disconnect-protocol.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

86-authentik-oidc-integration-security-fixes.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

86-authentik-oidc-integration.md

feat(#86 ): implement Authentik OIDC integration for federation

2026-02-03 12:34:24 -06:00

87-cross-instance-identity-linking.md

feat(#87 ): implement cross-instance identity linking for federation

2026-02-03 12:55:37 -06:00

88-query-message-type.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

89-command-message-type.md

feat(#89 ): implement COMMAND message type for federation

2026-02-03 13:30:16 -06:00

89-implementation-summary.md

feat(#89 ): implement COMMAND message type for federation

2026-02-03 13:30:16 -06:00

89-migration-needed.md

feat(#89 ): implement COMMAND message type for federation

2026-02-03 13:30:16 -06:00

90-event-subscriptions-summary.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

90-event-subscriptions.md

feat(#90 ): implement EVENT subscriptions for federation

2026-02-03 13:45:00 -06:00

91-connection-manager-ui.md

feat(#91 ): implement Connection Manager UI for federation

2026-02-03 14:03:44 -06:00

92-aggregated-dashboard.md

feat(#92 ): implement Aggregated Dashboard View

2026-02-03 14:18:18 -06:00

93-agent-spawn-via-federation.md

feat(#94 ): implement spoke configuration UI

2026-02-03 14:51:59 -06:00

94-spoke-configuration-ui.md

feat(#94 ): implement spoke configuration UI

2026-02-03 14:51:59 -06:00

122-llm-provider-interface.md

feat(#122 ): create LLM provider interface

2026-01-31 11:38:38 -06:00

123-ollama-provider.md

feat(#123 ): port Ollama LLM provider

2026-01-31 12:10:43 -06:00

126-llm-manager-service.md

feat(#126 ): create LLM Manager Service

2026-01-31 12:22:14 -06:00

128-llm-provider-schema.md

feat(#128 ): add LlmProviderInstance Prisma schema

2026-01-31 11:57:40 -06:00

143-validate-50-percent-rule.md

test(#143 ): Validate 50% rule prevents context exhaustion

2026-02-01 17:56:04 -06:00

149-test-rejection-loop.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

150-orchestration-loop.md

docs(#150 ): Add scratchpad for orchestration loop implementation

2026-02-01 20:22:07 -06:00

155-context-monitor.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

157-webhook-receiver.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

158-issue-parser.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

163-bullmq-dependencies.md

feat(#163 ): Add BullMQ dependencies

2026-02-01 20:56:45 -06:00

164-database-schema-jobs.md

feat(#167 ): Implement Runner jobs CRUD and queue submission

2026-02-01 21:09:03 -06:00

165-bullmq-module-setup.md

feat(#165 ): Implement BullMQ module setup

2026-02-01 21:01:25 -06:00

166-stitcher-module.md

feat(#167 ): Implement Runner jobs CRUD and queue submission

2026-02-01 21:09:03 -06:00

167-runner-jobs-crud.md

feat(#168 ): Implement job steps tracking

2026-02-01 21:16:23 -06:00

168-job-steps-tracking.md

feat(#168 ): Implement job steps tracking

2026-02-01 21:16:23 -06:00

169-job-events-audit.md

feat(#168 ): Implement job steps tracking

2026-02-01 21:16:23 -06:00

170-discord-bridge.md

feat(#170 ): Implement mosaic-bridge module for Discord

2026-02-01 21:26:40 -06:00

171-command-parser.md

feat(#171 ): Implement chat command parsing

2026-02-01 21:32:53 -06:00

172-herald-status.md

feat(#172 ): Implement Herald status updates

2026-02-01 21:42:44 -06:00

173-websocket-gateway.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

174-sse-endpoint.md

docs(#162 ): Finalize M4.2-Infrastructure token tracking report

2026-02-02 08:18:55 -06:00

175-e2e-harness.md

feat(#175 ): Implement E2E test harness

2026-02-01 21:44:04 -06:00

176-coordinator-integration.md

feat(#176 ): Integrate M4.2 infrastructure with M4.1 coordinator

2026-02-01 21:54:34 -06:00

179-security-nodejs-deps.md

fix(#179 ): Update vulnerable Node.js dependencies

2026-02-01 20:54:25 -06:00

180-security-pnpm-dockerfiles.md

feat(#167 ): Implement Runner jobs CRUD and queue submission

2026-02-01 21:09:03 -06:00

181-security-go-stdlib-postgres.md

fix(#181 ): Update Alpine packages to patch Go stdlib vulnerabilities in postgres image

2026-02-01 20:54:57 -06:00

182-fix-prisma-enum-tests.md

fix(#182 ): fix Prisma enum import in job-steps tests

2026-02-02 11:41:11 -06:00

183-remove-hardcoded-workspace-id.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

184-add-coordinator-auth.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

185-fix-herald-error-handling.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

186-add-dto-validation.md

fix(#196 ): fix race condition in job status updates

2026-02-02 12:51:17 -06:00

187-implement-sse-error-recovery.md

fix(#187 ): implement server-side SSE error recovery

2026-02-02 12:41:12 -06:00

188-sanitize-discord-logs.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

189-add-job-events-index.md

fix(#189 ): add composite database index for job_events table

2026-02-02 12:30:19 -06:00

190-fix-mermaid-xss.md

fix(#190 ): fix XSS vulnerability in Mermaid rendering

2026-02-02 12:03:36 -06:00

192-fix-cors-configuration.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

196-fix-job-status-race-condition.md

fix(#196 ): fix race condition in job status updates

2026-02-02 12:51:17 -06:00

197-add-explicit-return-types.md

docs(#197 ): update scratchpad with completion status

2026-02-02 12:55:17 -06:00

198-strengthen-websocket-auth.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

199-implement-rate-limiting.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

271-oidc-token-validation.md

fix(#271 ): implement OIDC token validation (authentication bypass)

2026-02-03 16:50:06 -06:00

272-rate-limiting.md

fix(#272 ): Add rate limiting to federation endpoints (DoS protection)

2026-02-03 18:58:00 -06:00

273-capability-enforcement.md

feat(#273 ): Implement capability-based authorization for federation

2026-02-03 19:53:09 -06:00

274-command-injection.md

fix(#274 ): Add input validation to prevent command injection in git operations

2026-02-03 20:17:47 -06:00

275-silent-connection-failures.md

fix(#275 ): Prevent silent connection initiation failures

2026-02-03 20:21:06 -06:00

276-workspace-authorization.md

fix(#276 ): Add comprehensive audit logging for incoming connections

2026-02-03 20:24:46 -06:00

277-comprehensive-audit-logging.md

fix(#277 ): Add comprehensive security event logging for command injection

2026-02-03 20:27:45 -06:00

278-csrf-protection.md

fix(#278 ): Implement CSRF protection using double-submit cookie pattern

2026-02-03 20:35:00 -06:00

279-orchestrator-url-validation.md

fix(#279 ): Validate orchestrator URL configuration (SSRF risk)

2026-02-03 20:47:41 -06:00

orch-101-setup.md

feat(#66 ): implement tag filtering in search API endpoint

2026-02-02 14:33:31 -06:00

orch-102-health.md

feat(#66 ): implement tag filtering in search API endpoint

2026-02-02 14:33:31 -06:00

orch-103-docker.md

feat(#66 ): implement tag filtering in search API endpoint

2026-02-02 14:33:31 -06:00

orch-104-pipeline.md

feat(#66 ): implement tag filtering in search API endpoint

2026-02-02 14:33:31 -06:00

orch-105-spawner.md

feat(#66 ): implement tag filtering in search API endpoint

2026-02-02 14:33:31 -06:00

orch-105-summary.md

feat(#66 ): implement tag filtering in search API endpoint

2026-02-02 14:33:31 -06:00

orch-106-sandbox.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-107-valkey.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-108-queue.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-109-lifecycle.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-110-git-ops.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-111-worktrees.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-112-conflicts.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-113-coordinator.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-114-gates.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-115-dispatch.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-116-fifty-percent.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-117-killswitch.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-118-cleanup.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-119-completion-summary.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-119-security.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-120-secrets.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-121-mechanical.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-122-ai-review.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-123-yolo.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orch-124-task-config.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

orchestrator-typescript-fixes.md

feat(#66 ): implement tag filtering in search API endpoint

2026-02-02 14:33:31 -06:00

remediation-session.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00

security-fixes-activity-api.md

feat(#93 ): implement agent spawn via federation

2026-02-03 14:37:06 -06:00