stack/docs/tasks.md
Jason Woltje a5ed260fbd
feat(web): MS15 Phase 1 — Design System & App Shell (#451)
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-22 20:57:06 +00:00

Tasks

MS15-DashboardShell (0.0.15) — Dashboard Shell & Design System

Orchestrator: Claude Code (Opus 4.6)
Started: 2026-02-22
Branch: feat/ms15-design-system (Phase 1), feat/ms15-shared-components (Phase 2), feat/ms15-dashboard-page (Phase 3)
Milestone: MS15-DashboardShell (0.0.15)
PRD: docs/PRD.md

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used notes
MS15-FE-001 done Design token system overhaul (globals.css → dashboard.html tokens, dark/light, fonts) #448 web feat/ms15-design-system MS15-FE-002,MS15-FE-003,MS15-FE-004,MS15-UI-001 w-1 2026-02-22T14:30Z 2026-02-22T15:00Z 25K 18K Combined with FE-002. Commit e615fa8. Build passes.
MS15-FE-002 done App shell grid layout (sidebar + full-width header + main content) #448 web feat/ms15-design-system MS15-FE-001 MS15-FE-003,MS15-FE-004,MS15-FE-005 w-1 2026-02-22T14:30Z 2026-02-22T15:00Z 20K 0K Combined with FE-001 (same commit).
MS15-FE-003 done Sidebar component (collapsible, nav groups, icons, badges, user card footer) #448 web feat/ms15-design-system MS15-FE-002 MS15-FE-005 w-3 2026-02-22T15:30Z 2026-02-22T16:00Z 25K 67K 4 nav groups, SidebarContext, collapse toggle. Commit 04f9918.
MS15-FE-004 done Topbar/Header component (logo, search, status, notifications, theme toggle, avatar dropdown) #448 web feat/ms15-design-system MS15-FE-002 MS15-FE-005 w-4 2026-02-22T15:30Z 2026-02-22T16:00Z 25K 44K Search, status, notifications, avatar dropdown. Commit 04f9918.
MS15-FE-005 done Responsive layout (breakpoints, hamburger, sidebar auto-hide at mobile) #448 web feat/ms15-design-system MS15-FE-003,MS15-FE-004 MS15-QA-001 w-5 2026-02-22T16:00Z 2026-02-22T16:30Z 20K 57K Mobile overlay, hamburger, matchMedia. Commit 28620b2.
MS15-FE-006 done Loading spinner (Mosaic logo icon with rotation animation, site-wide) #448 web feat/ms15-design-system MS15-FE-001 w-2 2026-02-22T14:30Z 2026-02-22T15:00Z 10K 8K MosaicLogo + MosaicSpinner components. Same commit e615fa8.
MS15-UI-001 not-started Align packages/ui tokens with new CSS variable design system #449 ui feat/ms15-shared-components MS15-FE-001 MS15-UI-002,MS15-UI-003,MS15-UI-004 20K
MS15-UI-002 not-started Update Card, Badge, Button, Dot component variants to match reference #449 ui feat/ms15-shared-components MS15-UI-001 MS15-DASH-001 25K
MS15-UI-003 not-started Create MetricsStrip, ProgressBar, FilterTabs shared components #449 ui feat/ms15-shared-components MS15-UI-001 MS15-DASH-001 20K
MS15-UI-004 not-started Create SectionHeader, Table, LogLine shared components #449 ui feat/ms15-shared-components MS15-UI-001 MS15-DASH-002 15K
MS15-UI-005 not-started Create Terminal panel component (bottom drawer, tabs, output) #449 web feat/ms15-shared-components MS15-UI-001 20K
MS15-DASH-001 not-started Dashboard metrics strip (6 cells, colored borders, values, trends) #450 web feat/ms15-dashboard-page MS15-UI-002,MS15-UI-003 15K
MS15-DASH-002 not-started Active Orchestrator Sessions card with agent nodes #450 web feat/ms15-dashboard-page MS15-UI-004 20K
MS15-DASH-003 not-started Quick Actions 2x2 grid #450 web feat/ms15-dashboard-page MS15-UI-002 10K
MS15-DASH-004 not-started Activity Feed sidebar card #450 web feat/ms15-dashboard-page MS15-UI-002 15K
MS15-DASH-005 not-started Token Budget sidebar card with progress bars #450 web feat/ms15-dashboard-page MS15-UI-003 10K
MS15-QA-001 done Baseline tests (lint, typecheck, build) and situational tests (responsive, themes) #448 web feat/ms15-design-system MS15-FE-005 orch 2026-02-22T16:30Z 2026-02-22T16:35Z 15K 2K lint 0 errors, typecheck clean, build passes. All caches hit.
MS15-DOC-001 not-started Documentation: design system reference, component docs #448 docs feat/ms15-design-system MS15-QA-001 10K

M10-Telemetry (0.0.10) — Telemetry Integration

Orchestrator: Claude Code
Started: 2026-02-15
Branch: feature/m10-telemetry
Milestone: M10-Telemetry (0.0.10)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
TEL-001 done Install @mosaicstack/telemetry-client in API + NestJS module #369 api feature/m10-telemetry TEL-004,TEL-006,TEL-007 w-1 2026-02-15T10:00Z 2026-02-15T10:37Z 20K 25K
TEL-002 done Install mosaicstack-telemetry in Coordinator #370 coordinator feature/m10-telemetry TEL-005,TEL-006 w-2 2026-02-15T10:00Z 2026-02-15T10:34Z 15K 20K
TEL-003 done Add telemetry config to docker-compose and .env #374 devops feature/m10-telemetry w-3 2026-02-15T10:38Z 2026-02-15T10:40Z 8K 10K
TEL-004 done Track LLM task completions via Mosaic Telemetry #371 api feature/m10-telemetry TEL-001 TEL-007 w-4 2026-02-15T10:38Z 2026-02-15T10:44Z 25K 30K
TEL-005 done Track orchestrator agent task completions #372 coordinator feature/m10-telemetry TEL-002 w-5 2026-02-15T10:45Z 2026-02-15T10:52Z 20K 25K
TEL-006 done Prediction integration for cost estimation #373 api feature/m10-telemetry TEL-001,TEL-002 TEL-007 w-6 2026-02-15T10:45Z 2026-02-15T10:51Z 20K 25K
TEL-007 done Frontend: Token usage and cost dashboard #375 web feature/m10-telemetry TEL-004,TEL-006 TEL-008 w-7 2026-02-15T10:53Z 2026-02-15T11:03Z 30K 115K
TEL-008 done Documentation: Telemetry integration guide #376 docs feature/m10-telemetry TEL-007 w-8 2026-02-15T10:53Z 2026-02-15T10:58Z 15K 75K

M11-CIPipeline (0.0.11) — CI Pipeline #360 Remediation

Orchestrator: Claude Code
Started: 2026-02-12
Branch: fix/ci-*
Epic: #360

CI Fix Round 6

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
CI-FIX6-001 done Add @mosaic/ui build to web.yml build-shared step (fixes 10 test suites + 20 typecheck errs) ci fix/ci-366 CI-FIX6-003 w-14 2026-02-12T21:00Z 2026-02-12T21:01Z 3K 3K
CI-FIX6-002 done Move spec file removal to builder stage (layer-aware); add tar CVEs to .trivyignore orchestrator fix/ci-366 CI-FIX6-004 w-15 2026-02-12T21:00Z 2026-02-12T21:15Z 3K 5K
CI-FIX6-003 done Add React.ChangeEvent types to ~10 web files with untyped event handlers (49 lint + 19 TS) web fix/ci-366 CI-FIX6-001 CI-FIX6-004 w-16 2026-02-12T21:02Z 2026-02-12T21:08Z 12K 8K
CI-FIX6-004 done Verification: pnpm lint && pnpm typecheck && pnpm test on web; Dockerfile find validation all fix/ci-366 CI-FIX6-002,CI-FIX6-003 orch 2026-02-12T21:08Z 2026-02-12T21:10Z 5K 2K

M12-MatrixBridge (0.0.12) — Matrix/Element Bridge Integration

Orchestrator: Claude Code
Started: 2026-02-15
Branch: feature/m12-matrix-bridge
Epic: #377

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
MB-001 done Install matrix-bot-sdk and create MatrixService skeleton #378 api feature/m12-matrix-bridge MB-003,MB-004,MB-005,MB-006,MB-007,MB-008 worker-1 2026-02-15T10:00Z 2026-02-15T10:20Z 20K 15K
MB-002 done Add Synapse + Element Web to docker-compose for dev #384 docker feature/m12-matrix-bridge worker-2 2026-02-15T10:00Z 2026-02-15T10:15Z 15K 5K
MB-003 done Register MatrixService in BridgeModule with conditional loading #379 api feature/m12-matrix-bridge MB-001 MB-008 worker-3 2026-02-15T10:25Z 2026-02-15T10:35Z 12K 20K
MB-004 done Workspace-to-Matrix-Room mapping and provisioning #380 api feature/m12-matrix-bridge MB-001 MB-005,MB-006,MB-008 worker-4 2026-02-15T10:25Z 2026-02-15T10:35Z 20K 39K
MB-005 done Matrix command handling — receive and dispatch commands #381 api feature/m12-matrix-bridge MB-001,MB-004 MB-007,MB-008 worker-5 2026-02-15T10:40Z 2026-02-15T14:27Z 20K 27K
MB-006 done Herald Service: Add Matrix output adapter #382 api feature/m12-matrix-bridge MB-001,MB-004 MB-008 worker-6 2026-02-15T10:40Z 2026-02-15T14:25Z 18K 109K
MB-007 done Streaming AI responses via Matrix message edits #383 api feature/m12-matrix-bridge MB-001,MB-005 MB-008 worker-7 2026-02-15T14:30Z 2026-02-15T14:35Z 20K 28K
MB-008 done Matrix bridge E2E integration tests #385 api feature/m12-matrix-bridge MB-001,MB-003,MB-004,MB-005,MB-006,MB-007 MB-009 worker-8 2026-02-15T14:38Z 2026-02-15T14:40Z 25K 35K
MB-009 done Documentation: Matrix bridge setup and architecture #386 docs feature/m12-matrix-bridge MB-008 worker-9 2026-02-15T14:38Z 2026-02-15T14:39Z 10K 12K
MB-010 done Sample Matrix swarm deployment compose file #387 docker feature/m12-matrix-bridge 2026-02-15 0 0

| MB-011 | done | Remediate code review and security review findings | #377 | api | feature/m12-matrix-bridge | MB-001..MB-010 | | worker-10 | 2026-02-15T15:00Z | 2026-02-15T15:10Z | 30K | 145K |

Phase Summary

| Phase | Tasks | Description |
| --- | --- | --- |
| 1 - Foundation | MB-001, MB-002 | SDK install, dev infrastructure |
| 2 - Module Integration | MB-003, MB-004 | Module registration, DB mapping |
| 3 - Core Features | MB-005, MB-006 | Command handling, Herald adapter |
| 4 - Advanced Features | MB-007 | Streaming responses |
| 5 - Testing | MB-008 | E2E integration tests |
| 6 - Documentation | MB-009 | Setup guide, architecture docs |
| 7 - Review Remediation | MB-011 | Fix all code review + security findings |

Review Findings Resolved (MB-011)

| # | Severity | Finding | Fix |
| --- | --- | --- | --- |
| 1 | CRITICAL | sendThreadMessage hardcodes controlRoomId — wrong room | Added channelId to ThreadMessageOptions, use options.channelId |
| 2 | CRITICAL | void handleRoomMessage swallows ALL errors | Added .catch() with logger.error |
| 3 | CRITICAL | handleFixCommand: dead thread on dispatch failure | Wrapped dispatch in try-catch with user-visible error |
| 4 | CRITICAL | provisionRoom: orphaned Matrix room on DB failure | try-catch around DB update with logged warning |
| 5 | HIGH | Missing MATRIX_BOT_USER_ID validation (infinite loop risk) | Added throw in connect() if missing |
| 6 | HIGH | streamResponse finally block can throw/mask errors | Wrapped setTypingIndicator in nested try-catch |
| 7 | HIGH | streamResponse catch editMessage can throw/mask | Wrapped editMessage in nested try-catch |
| 8 | HIGH | HeraldService error log missing provider identity | Added provider.constructor.name to error log |
| 9 | HIGH | MatrixRoomService uses unsafe type assertion | Replaced with public getClient() method |
| 10 | HIGH | BridgeModule factory incomplete env var validation | Added warnings for missing vars when token set |
| 11 | MEDIUM | setup-bot.sh JSON injection via shell variables | Replaced with jq -n for safe JSON construction |

Notes

  • #387 already completed in commit 6e20fc5
  • #377 is the EPIC issue — closed after all reviews remediated
  • 187 tests passing after remediation (41 matrix, 20 streaming, 10 room, 26 integration, 27 herald, 25 discord, + others)

M13-SpeechServices (0.0.13) — TTS & STT Integration

Orchestrator: Claude Code
Started: 2026-02-15
Branch: feature/m13-speech-services
Milestone: M13-SpeechServices (0.0.13)
Epic: #388

Phase 1: Foundation (Config + Module + Providers)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used notes
SP-CFG-001 done #401: Speech services environment variables and ConfigModule integration #401 api feature/m13-speech-services SP-MOD-001,SP-DOC-001 worker-1 2026-02-15T06:00Z 2026-02-15T06:07Z 15K 15K 51 tests, 4cc43be
SP-MOD-001 done #389: Create SpeechModule with provider abstraction layer #389 api feature/m13-speech-services SP-CFG-001 SP-STT-001,SP-TTS-001,SP-MID-001 worker-2 2026-02-15T06:08Z 2026-02-15T06:14Z 25K 25K 27 tests, c40373f

Phase 2: Providers (STT + TTS)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used notes
SP-STT-001 done #390: Implement STT provider with Speaches/faster-whisper integration #390 api feature/m13-speech-services SP-MOD-001 SP-EP-001,SP-WS-001 worker-4 2026-02-15T06:15Z 2026-02-15T06:25Z 20K 50K 27 tests, 3ae9e53
SP-TTS-001 done #391: Implement tiered TTS provider architecture #391 api feature/m13-speech-services SP-MOD-001 SP-TTS-002,SP-TTS-003,SP-TTS-004,SP-EP-002 worker-5 2026-02-15T06:15Z 2026-02-15T06:25Z 20K 35K 30 tests, b5edb4f
SP-TTS-002 done #393: Implement Kokoro-FastAPI TTS provider (default tier) #393 api feature/m13-speech-services SP-TTS-001 SP-EP-002 worker-6 2026-02-15T06:26Z 2026-02-15T06:33Z 15K 25K 48 tests, 79b1d81
SP-TTS-003 done #394: Implement Chatterbox TTS provider (premium tier, voice cloning) #394 api feature/m13-speech-services SP-TTS-001 SP-EP-002 worker-7 2026-02-15T06:26Z 2026-02-15T06:34Z 15K 25K 26 tests, d37c78f
SP-TTS-004 done #395: Implement Piper TTS provider via OpenedAI Speech (fallback tier) #395 api feature/m13-speech-services SP-TTS-001 SP-EP-002 worker-8 2026-02-15T06:35Z 2026-02-15T06:44Z 12K 15K 37 tests, 6c46556

Phase 3: Middleware + REST Endpoints

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used notes
SP-MID-001 done #398: Audio format validation and preprocessing middleware #398 api feature/m13-speech-services SP-MOD-001 SP-EP-001,SP-EP-002 worker-9 2026-02-15T06:35Z 2026-02-15T06:42Z 15K 25K 36 tests, 7b4fda6
SP-EP-001 done #392: Create /api/speech/transcribe REST endpoint #392 api feature/m13-speech-services SP-STT-001,SP-MID-001 SP-WS-001,SP-FE-001 worker-10 2026-02-15T06:45Z 2026-02-15T06:52Z 20K 25K 10 tests, 527262a
SP-EP-002 done #396: Create /api/speech/synthesize REST endpoint #396 api feature/m13-speech-services SP-TTS-002,SP-TTS-003,SP-TTS-004,SP-MID-001 SP-FE-002 worker-11 2026-02-15T06:45Z 2026-02-15T06:53Z 20K 35K 17 tests, 527262a

Phase 4: WebSocket Streaming

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used notes
SP-WS-001 done #397: Implement WebSocket streaming transcription endpoint #397 api feature/m13-speech-services SP-STT-001,SP-EP-001 SP-FE-001 worker-12 2026-02-15T06:54Z 2026-02-15T07:00Z 20K 30K 29 tests, 28c9e6f

Phase 5: Docker/DevOps

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used notes
SP-DOC-001 done #399: Docker Compose dev overlay for speech services #399 devops feature/m13-speech-services SP-CFG-001 SP-DOC-002 worker-3 2026-02-15T06:08Z 2026-02-15T06:10Z 10K 15K 52553c8
SP-DOC-002 done #400: Docker Compose swarm/prod deployment for speech services #400 devops feature/m13-speech-services SP-DOC-001 worker-13 2026-02-15T06:54Z 2026-02-15T06:56Z 10K 8K b3d6d73

Phase 6: Frontend

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used notes
SP-FE-001 done #402: Frontend voice input component (microphone capture + transcription) #402 web feature/m13-speech-services SP-EP-001,SP-WS-001 SP-FE-003 worker-14 2026-02-15T07:01Z 2026-02-15T07:12Z 25K 50K 34 tests, 74d6c10
SP-FE-002 done #403: Frontend audio playback component for TTS output #403 web feature/m13-speech-services SP-EP-002 SP-FE-003 worker-15 2026-02-15T07:01Z 2026-02-15T07:11Z 20K 50K 32 tests, 74d6c10
SP-FE-003 done #404: Frontend speech settings page (provider selection, voice config) #404 web feature/m13-speech-services SP-FE-001,SP-FE-002 SP-E2E-001 worker-16 2026-02-15T07:13Z 2026-02-15T07:22Z 20K 35K 30 tests, bc86947

Phase 7: Testing + Documentation

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used notes
SP-E2E-001 done #405: E2E integration tests for speech services #405 api feature/m13-speech-services SP-EP-001,SP-EP-002,SP-WS-001,SP-FE-003 SP-DOCS-001 worker-17 2026-02-15T07:23Z 2026-02-15T07:32Z 25K 35K 30 tests, d2c7602
SP-DOCS-001 done #406: Documentation - Speech services architecture, API, and deployment #406 docs feature/m13-speech-services SP-E2E-001 worker-18 2026-02-15T07:23Z 2026-02-15T07:29Z 15K 35K 24065aa

Auth-Frontend-Remediation (<0.1.0) — Auth & Frontend Remediation

Orchestrator: Claude Code
Started: 2026-02-16
Branch: fix/auth-frontend-remediation
Milestone: Auth-Frontend-Remediation (<0.1.0)
Epic: #411

Phase 1: Critical Backend Fixes (#412)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
AUTH-001 done 1.1: Add OIDC_REDIRECT_URI to validation with URL + path checks #412 api fix/auth-frontend-remediation AUTH-002 w-1 2026-02-16T11:00Z 2026-02-16T11:04Z 10K 12K
AUTH-002 done 1.2: Wrap BetterAuth handler in try/catch with error logging #412 api fix/auth-frontend-remediation AUTH-001 w-3 2026-02-16T11:05Z 2026-02-16T11:09Z 10K 15K
AUTH-003 done 1.3: Fix docker-compose OIDC_REDIRECT_URI default #412 devops fix/auth-frontend-remediation w-2 2026-02-16T11:00Z 2026-02-16T11:05Z 3K 5K
AUTH-004 done 1.4: Enable PKCE in genericOAuth config #412 api fix/auth-frontend-remediation w-2 2026-02-16T11:00Z 2026-02-16T11:05Z 5K 5K
AUTH-005 done 1.5: Add @SkipCsrf() documentation with BetterAuth CSRF rationale #412 api fix/auth-frontend-remediation w-2 2026-02-16T11:00Z 2026-02-16T11:05Z 3K 5K
AUTH-V01 done Phase 1 verification: quality gates pass #412 all fix/auth-frontend-remediation AUTH-001,AUTH-002,AUTH-003,AUTH-004,AUTH-005 AUTH-006 orch 2026-02-16T11:10Z 2026-02-16T11:10Z 5K 2K

Phase 2: Auth Config Discovery (#413)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
AUTH-006 done 2.1: Add AuthProvider and AuthConfigResponse types to @mosaic/shared #413 shared fix/auth-frontend-remediation AUTH-V01 AUTH-007 w-4 2026-02-16T11:12Z 2026-02-16T11:13Z 5K 3K
AUTH-007 done 2.2-2.3: Implement getAuthConfig() + GET /auth/config endpoint #413 api fix/auth-frontend-remediation AUTH-006 AUTH-008 w-5 2026-02-16T11:13Z 2026-02-16T11:17Z 15K 15K
AUTH-008 done 2.4: Add secret-leakage prevention test #413 api fix/auth-frontend-remediation AUTH-007 AUTH-009 w-6 2026-02-16T11:18Z 2026-02-16T11:20Z 8K 8K
AUTH-009 done 2.5: Implement isOidcProviderReachable() health check #413 api fix/auth-frontend-remediation AUTH-007 w-7 2026-02-16T11:18Z 2026-02-16T11:23Z 10K 12K
AUTH-V02 done Phase 2 verification: quality gates pass #413 all fix/auth-frontend-remediation AUTH-006,AUTH-007,AUTH-008,AUTH-009 AUTH-010 orch 2026-02-16T11:24Z 2026-02-16T11:25Z 5K 2K

Phase 3: Backend Hardening (#414)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
AUTH-010 done 3.1: Extract trustedOrigins to getTrustedOrigins() with env vars #414 api fix/auth-frontend-remediation AUTH-V02 AUTH-011 w-8 2026-02-16T11:26Z 2026-02-16T11:31Z 10K 15K
AUTH-011 done 3.2: Align CORS config in main.ts with getTrustedOrigins() #414 api fix/auth-frontend-remediation AUTH-010 w-10 2026-02-16T11:32Z 2026-02-16T11:33Z 8K 8K
AUTH-012 done 3.3: Update session config (7d abs, 2h idle, cookie attrs) #414 api fix/auth-frontend-remediation AUTH-V02 w-9 2026-02-16T11:26Z 2026-02-16T11:29Z 8K 8K
AUTH-013 done 3.4: Add TRUSTED_ORIGINS, COOKIE_DOMAIN to .env.example #414 devops fix/auth-frontend-remediation AUTH-010 w-11 2026-02-16T11:32Z 2026-02-16T11:33Z 3K 3K
AUTH-V03 done Phase 3 verification: quality gates pass #414 all fix/auth-frontend-remediation AUTH-010,AUTH-011,AUTH-012,AUTH-013 AUTH-014 orch 2026-02-16T11:34Z 2026-02-16T11:34Z 5K 2K

Phase 4: Frontend Foundation (#415)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
AUTH-014 done 4.1: Fix theme storage key (jarvis-theme -> mosaic-theme) #415 web fix/auth-frontend-remediation AUTH-V03 w-12 2026-02-16T11:35Z 2026-02-16T11:44Z 5K 5K
AUTH-015 done 4.2: Create AuthErrorBanner component (PDA-friendly, blue theme) #415 web fix/auth-frontend-remediation AUTH-V03 AUTH-020 w-13 2026-02-16T11:35Z 2026-02-16T11:44Z 12K 12K
AUTH-016 done 4.3: Create AuthDivider component #415 web fix/auth-frontend-remediation AUTH-V03 AUTH-020 w-12 2026-02-16T11:35Z 2026-02-16T11:44Z 5K 5K
AUTH-017 done 4.4: Create OAuthButton component (replaces LoginButton) #415 web fix/auth-frontend-remediation AUTH-V03 AUTH-020 w-13 2026-02-16T11:35Z 2026-02-16T11:44Z 12K 12K
AUTH-018 done 4.5: Create LoginForm component with email/password validation #415 web fix/auth-frontend-remediation AUTH-V03 AUTH-020 w-13 2026-02-16T11:35Z 2026-02-16T11:44Z 15K 15K
AUTH-019 done 4.6: Create SessionExpiryWarning component #415 web fix/auth-frontend-remediation AUTH-V03 AUTH-025 w-12 2026-02-16T11:35Z 2026-02-16T11:44Z 10K 10K
AUTH-V04 done Phase 4 verification: quality gates pass #415 all fix/auth-frontend-remediation AUTH-014,AUTH-015,AUTH-016,AUTH-017,AUTH-018,AUTH-019 AUTH-020 orch 2026-02-16T11:45Z 2026-02-16T11:45Z 5K 2K

Phase 5: Login Page Integration (#416)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
AUTH-020 done 5.1-5.2: Fetch /auth/config and render providers dynamically #416 web fix/auth-frontend-remediation AUTH-V04,AUTH-V02 AUTH-021 w-14 2026-02-16T11:46Z 2026-02-16T11:52Z 20K 15K
AUTH-021 done 5.3-5.4: Error display from query params + loading states #416 web fix/auth-frontend-remediation AUTH-020 AUTH-022 w-15 2026-02-16T11:53Z 2026-02-16T11:57Z 12K 12K
AUTH-022 done 5.5: Delete old LoginButton.tsx and update imports #416 web fix/auth-frontend-remediation AUTH-020 w-16 2026-02-16T11:53Z 2026-02-16T11:54Z 5K 4K
AUTH-023 done 5.6-5.7: Responsive layout + accessibility audit #416 web fix/auth-frontend-remediation AUTH-020,AUTH-021 w-17 2026-02-16T11:58Z 2026-02-16T12:03Z 12K 25K
AUTH-V05 done Phase 5 verification: quality gates pass #416 all fix/auth-frontend-remediation AUTH-020,AUTH-021,AUTH-022,AUTH-023 AUTH-024 orch 2026-02-16T12:04Z 2026-02-16T12:04Z 5K 2K

Phase 6: Error Recovery & Polish (#417)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
AUTH-024 done 6.1: Create auth-errors.ts with PDA error parsing and mapping #417 web fix/auth-frontend-remediation AUTH-V05 AUTH-025 w-18 2026-02-16T12:10Z 2026-02-16T12:15Z 12K 12K
AUTH-025 done 6.2: Add retry logic for network errors (3x exponential backoff) #417 web fix/auth-frontend-remediation AUTH-V05 w-20 2026-02-16T12:16Z 2026-02-16T12:22Z 10K 15K
AUTH-026 done 6.3-6.4: AuthProvider session-expiring state + SessionExpiryWarning #417 web fix/auth-frontend-remediation AUTH-V05,AUTH-019 w-19 2026-02-16T12:10Z 2026-02-16T12:15Z 15K 20K
AUTH-027 done 6.5: Update auth-client.ts error messages to PDA-friendly #417 web fix/auth-frontend-remediation AUTH-024 w-21 2026-02-16T12:16Z 2026-02-16T12:18Z 8K 10K
AUTH-V06 done Phase 6 verification: quality gates pass #417 all fix/auth-frontend-remediation AUTH-024,AUTH-025,AUTH-026,AUTH-027 orch 2026-02-16T12:23Z 2026-02-16T12:24Z 5K 2K

Phase 7: Review Remediation (#411)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
AUTH-028 done 7.1: Frontend fixes — wire fetchWithRetry, dedupe errors, fix OAuth/catch/signout #411 web fix/auth-frontend-remediation AUTH-V06 AUTH-030 w-22 2026-02-16T18:29Z 2026-02-16T18:33Z 20K 15K
AUTH-029 done 7.2: Backend fixes — COOKIE_DOMAIN, TRUSTED_ORIGINS validation, verifySession #411 api fix/auth-frontend-remediation AUTH-V06 AUTH-030 w-23 2026-02-16T18:29Z 2026-02-16T18:31Z 15K 12K
AUTH-030 done 7.3: Missing tests — getAccessToken, isAdmin, null cases, getClientIp #411 all fix/auth-frontend-remediation AUTH-028,AUTH-029 AUTH-V07 w-24 2026-02-16T18:34Z 2026-02-16T18:37Z 15K 15K
AUTH-V07 done Phase 7 verification: 191 web + 106 API tests passing #411 all fix/auth-frontend-remediation AUTH-030 orch 2026-02-16T18:37Z 2026-02-16T18:38Z 5K 2K

Phase 8: QA Remediation — Backend Error Handling (#411)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
QA-001 done CRITICAL: AuthGuard — let infrastructure errors propagate instead of wrapping as 401 #411 api fix/auth-frontend-remediation QA-V08 w-25 2026-02-16T19:00Z 2026-02-16T19:10Z 12K 9K
QA-002 done CRITICAL+HIGH: verifySession — invert error classification (allowlist auth errors, re-throw everything else) + typed return type + health check escalation #411 api fix/auth-frontend-remediation QA-001,QA-V08 w-26 2026-02-16T19:00Z 2026-02-16T19:15Z 25K 8K
QA-003 done MEDIUM: auth.config.ts — replace null coalescing with throw in getOidcPlugins + include error details in getTrustedOrigins catch #411 api fix/auth-frontend-remediation QA-V08 w-27 2026-02-16T19:16Z 2026-02-16T19:25Z 10K 3K
QA-004 done MEDIUM: auth.controller.ts — use HttpException(401) instead of raw Error in getSession + PDA-friendly handleAuth error message #411 api fix/auth-frontend-remediation QA-V08 w-28 2026-02-16T19:16Z 2026-02-16T19:22Z 10K 7K
QA-V08 done Phase 8 verification: 128 auth tests pass, 2 pre-existing failures (DB/package), no regressions #411 all fix/auth-frontend-remediation QA-001,QA-002,QA-003,QA-004 QA-005 orch 2026-02-16T19:26Z 2026-02-16T19:27Z 5K 2K

Phase 9: QA Remediation — Frontend Error Handling (#411)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
QA-005 done CRITICAL+HIGH: auth-context.tsx — production logging, replace isBackendError with parseAuthError, fix signOut classification, add session-expired state #411 web fix/auth-frontend-remediation QA-V08 QA-007,QA-V09 w-29 2026-02-16T19:28Z 2026-02-16T19:45Z 25K 85K
QA-006 done MEDIUM: auth-client.ts — log JSON parse error in signInWithCredentials + add logging to getAccessToken/isAdmin silent defaults #411 web fix/auth-frontend-remediation QA-V08 QA-V09 w-30 2026-02-16T19:28Z 2026-02-16T19:50Z 12K 15K
QA-007 done HIGH: login/page.tsx — show explicit error state instead of silent email-only fallback when config fetch fails #411 web fix/auth-frontend-remediation QA-005 QA-V09 w-31 2026-02-16T19:51Z 2026-02-16T19:56Z 15K 18K
QA-008 done LOW: auth-errors.ts — derive KNOWN_CODES from Object.keys(ERROR_MESSAGES) to eliminate duplication #411 web fix/auth-frontend-remediation QA-V08 QA-V09 w-32 2026-02-16T19:51Z 2026-02-16T19:53Z 3K 4K
QA-V09 done Phase 9 verification: 194 auth web tests pass, no regressions #411 all fix/auth-frontend-remediation QA-005,QA-006,QA-007,QA-008 QA-009 orch 2026-02-16T19:57Z 2026-02-16T19:58Z 5K 2K

Phase 10: QA Remediation — Comment & Documentation Fixes (#411)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
QA-009 done CRITICAL: Fix updateAge comment (not idle timeout — it's session refresh throttle), fix .env.example OIDC vars, fix username->email bug in signInWithCredentials #411 api,web fix/auth-frontend-remediation QA-V09 QA-V10 w-33 2026-02-16T19:59Z 2026-02-16T20:05Z 12K 12K
QA-010 done MINOR: Fix JSDoc issues — response.ok is 2xx not "200", remove "Automatic token refresh" claim, remove "Enable for now" comment, fix CSRF comment placement, fix 403 mapping comment #411 api,web fix/auth-frontend-remediation QA-V09 QA-V10 w-34 2026-02-16T19:59Z 2026-02-16T20:03Z 8K 8K
QA-V10 done Phase 10 verification: 71 tests pass, no regressions #411 all fix/auth-frontend-remediation QA-009,QA-010 QA-011 orch 2026-02-16T20:06Z 2026-02-16T20:07Z 5K 2K

Phase 11: QA Remediation — Type Design Improvements (#411)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
QA-011 done HIGH: Unify 4 request-with-user types (RequestWithSession, AuthRequest, BetterAuthRequest, RequestWithUser) into AuthenticatedRequest #411 api fix/auth-frontend-remediation QA-V10 QA-V11 w-35 2026-02-16T20:08Z 2026-02-16T20:16Z 20K 15K
QA-012 done LOW: Add RetryOptions value clamping (maxRetries>=0, baseDelayMs>=100, backoffFactor>=1) #411 web fix/auth-frontend-remediation QA-V10 QA-V11 w-36 2026-02-16T20:08Z 2026-02-16T20:12Z 5K 4K
QA-V11 done Phase 11 verification: 125 tests pass (106 API + 19 web), types compile #411 all fix/auth-frontend-remediation QA-011,QA-012 QA-013 orch 2026-02-16T20:17Z 2026-02-16T20:18Z 5K 2K

Phase 12: QA Remediation — Test Coverage Gaps (#411)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
QA-013 done Add signOut failure path test — verify user cleared + authError set to proper type on apiPost rejection #411 web fix/auth-frontend-remediation QA-V11 QA-V12 w-37 2026-02-16T20:19Z 2026-02-16T20:26Z 10K 4K
QA-014 done Add verifySession non-Error thrown value test — verify returns null for string/object throws #411 api fix/auth-frontend-remediation QA-V11 QA-V12 w-38 2026-02-16T20:19Z 2026-02-16T20:23Z 8K 4K
QA-015 done Add handleCredentialsLogin error message fallback test + fix refreshSession test to actually call refresh #411 web fix/auth-frontend-remediation QA-V11 QA-V12 w-39 2026-02-16T20:27Z 2026-02-16T20:30Z 12K 7K
QA-V12 done Phase 12 verification: 309 tests pass (201 web + 108 API) — final quality gate #411 all fix/auth-frontend-remediation QA-013,QA-014,QA-015 orch 2026-02-16T20:31Z 2026-02-16T20:32Z 5K 2K

Phase 13: QA Round 2 — Backend Hardening (#411)

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
QA2-001 done MEDIUM: Narrow verifySession allowlist — "token expired"/"session expired" instead of bare "expired", exact match "unauthorized" #411 api fix/auth-frontend-remediation QA2-003,QA2-V13 w-40 2026-02-16T21:00Z 2026-02-16T21:02Z 10K 4K
QA2-002 done MEDIUM: Add runtime null checks in auth.controller getSession/getProfile — defense-in-depth for AuthenticatedRequest #411 api fix/auth-frontend-remediation QA2-V13 w-42 2026-02-16T21:03Z 2026-02-16T21:05Z 8K 5K
QA2-003 done MEDIUM: Sanitize Bearer tokens from logged error stacks + add logger.warn for non-Error thrown values in verifySession #411 api fix/auth-frontend-remediation QA2-001 QA2-V13 w-44 2026-02-16T21:06Z 2026-02-16T21:08Z 8K 5K
QA2-004 done MEDIUM: classifyAuthError — map invalid_credentials/session_expired to null instead of "backend" (don't show error banner for normal 401) #411 web fix/auth-frontend-remediation QA2-V13 w-41 2026-02-16T21:00Z 2026-02-16T21:02Z 10K 5K
QA2-005 done MEDIUM: Login page — route BetterAuth result.error.message through parseAuthError for PDA-friendly sanitization #411 web fix/auth-frontend-remediation QA2-V13 w-43 2026-02-16T21:03Z 2026-02-16T21:05Z 8K 4K
QA2-006 done LOW: AuthGuard user validation branch tests — malformed user (missing id/email/name), non-object user, string user #411 api fix/auth-frontend-remediation QA2-V13 w-45 2026-02-16T21:06Z 2026-02-16T21:09Z 8K 5K
QA2-V13 done Phase 13 verification: 272 tests pass (126 web + 146 API), 2 pre-existing failures, no regressions #411 all fix/auth-frontend-remediation QA2-001,QA2-002,QA2-003,QA2-004,QA2-005,QA2-006 orch 2026-02-16T21:10Z 2026-02-16T21:12Z 5K 2K

Summary

| Phase | Issue | Tasks | Total Estimate |
| --- | --- | --- | --- |
| 1 - Critical Backend Fixes | #412 | 6 | 36K |
| 2 - Auth Config Discovery | #413 | 5 | 43K |
| 3 - Backend Hardening | #414 | 5 | 34K |
| 4 - Frontend Foundation | #415 | 7 | 64K |
| 5 - Login Page Integration | #416 | 5 | 54K |
| 6 - Error Recovery & Polish | #417 | 5 | 50K |
| 7 - Review Remediation | #411 | 4 | 55K |
| 8 - QA: Backend Error Handling | #411 | 5 | 62K |
| 9 - QA: Frontend Error Handling | #411 | 5 | 60K |
| 10 - QA: Comment Fixes | #411 | 3 | 25K |
| 11 - QA: Type Design | #411 | 3 | 30K |
| 12 - QA: Test Coverage | #411 | 4 | 35K |
| 13 - QA R2: Hardening + Tests | #411 | 7 | 57K |
| Total | | 64 | 605K |

2026-02-17 Full Code/Security/QA Review

Reviewer: Jarvis (Codex runtime)
Scope: Monorepo code review + security review + QA verification
Branch: fix/auth-frontend-remediation

Verification Snapshot

  • pnpm lint: pass
  • pnpm typecheck: pass
  • pnpm --filter @mosaic/api test -- src/mosaic-telemetry/mosaic-telemetry.module.spec.ts src/auth/auth-rls.integration.spec.ts src/credentials/user-credential.model.spec.ts src/job-events/job-events.performance.spec.ts src/knowledge/services/fulltext-search.spec.ts: pass (DB-bound suites intentionally skipped unless RUN_DB_TESTS=true)
  • pnpm audit --prod: pass (0 vulnerabilities after overrides + lock refresh)

Remediation Tasks

| id | status | severity | category | description | evidence |
| --- | --- | --- | --- | --- | --- |
| REV-2026-001 | done | high | security+functional | Web dashboard widgets call orchestrator GET /agents directly without X-API-Key, but orchestrator protects all /agents routes with OrchestratorApiKeyGuard. This creates a broken production path or pressures exposing a sensitive API key client-side. Add a server-side proxy/BFF route and remove direct browser calls. | apps/web/src/app/api/orchestrator/agents/route.ts:1, apps/web/src/components/widgets/AgentStatusWidget.tsx:32, apps/web/src/components/widgets/TaskProgressWidget.tsx:103 |
| REV-2026-002 | done | high | security | RLS context helpers are now applied in TasksService service boundaries (create, findAll, findOne, update, remove) with safe fallback behavior for test doubles; controller now passes user context for list/detail paths, and regression tests assert context usage. | apps/api/src/tasks/tasks.service.ts:27, apps/api/src/tasks/tasks.controller.ts:54, apps/api/src/tasks/tasks.service.spec.ts:15 |
| REV-2026-003 | done | medium | security | Docker sandbox defaults still use bridge networking; isolation hardening is incomplete by default. Move default to none and explicitly opt in to egress where required. | apps/orchestrator/src/config/orchestrator.config.ts:32, apps/orchestrator/src/spawner/docker-sandbox.service.ts:115, apps/orchestrator/src/spawner/docker-sandbox.service.ts:265 |
| REV-2026-004 | done | high | security | Production dependency chain hardened via root overrides: replaced legacy request with @cypress/request, pinned tough-cookie and qs to patched ranges, and forced patched ajv; lockfile updated and production audit now reports zero vulnerabilities. | package.json:68, pnpm-lock.yaml:1, pnpm audit --prod --json (0 vulnerabilities) |
| REV-2026-005 | done | high | qa | API test suite is not hermetic for default pnpm test: database-backed tests run when DATABASE_URL exists but credentials are invalid, causing hard failures. Gate integration/perf suites behind explicit integration flag and connectivity preflight, or split commands in turbo pipeline. | apps/api/src/credentials/user-credential.model.spec.ts:18, apps/api/src/knowledge/services/fulltext-search.spec.ts:30, apps/api/src/job-events/job-events.performance.spec.ts:19, apps/api/src/auth/auth-rls.integration.spec.ts:10 |
| REV-2026-006 | done | medium | qa+architecture | MosaicTelemetryModule imports AuthModule, causing telemetry module tests to fail on unrelated ENCRYPTION_KEY auth config requirements. Decouple telemetry module dependencies or provide test-safe module overrides. | apps/api/src/mosaic-telemetry/mosaic-telemetry.module.ts:36, apps/api/src/mosaic-telemetry/mosaic-telemetry.module.spec.ts:1 |
| REV-2026-007 | done | medium | qa | Frontend skip cleanup completed for scoped findings: TasksWidget, CalendarWidget, and LinkAutocomplete coverage now runs with deterministic assertions and no stale it.skip markers in those suites. | apps/web/src/components/widgets/__tests__/TasksWidget.test.tsx:1, apps/web/src/components/widgets/__tests__/CalendarWidget.test.tsx:1, apps/web/src/components/knowledge/__tests__/LinkAutocomplete.test.tsx:1 |
| REV-2026-008 | done | low | tooling | Repo session bootstrap reliability issue: scripts/agent/session-start.sh fails due to a stale branch tracking ref, which can silently block required lifecycle checks. Update script to tolerate missing remote branch or self-heal branch config. | scripts/agent/session-start.sh:10, scripts/agent/session-start.sh:16, scripts/agent/session-start.sh:34 |

2026-02-17 Orchestrator Streaming + Queue Control Follow-up

Orchestrator: Jarvis (Codex runtime) Branch: fix/auth-frontend-remediation

Tasks

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
ORCH-FU-001 done Add orchestrator SSE event stream endpoint and service fan-out (/agents/events) with initial snapshot + heartbeat #411 orchestrator,web fix/auth-frontend-remediation REV-2026-001 orch 2026-02-17T15:00Z 2026-02-17T15:18Z 20K 24K
ORCH-FU-002 done Add queue control API (/queue/stats, /queue/pause, /queue/resume) and web proxy routes #411 orchestrator,web fix/auth-frontend-remediation ORCH-FU-001 orch 2026-02-17T15:18Z 2026-02-17T15:24Z 12K 15K
ORCH-FU-003 done Wire TaskProgressWidget and AgentStatusWidget to live SSE updates with polling fallback #411 web fix/auth-frontend-remediation ORCH-FU-001 orch 2026-02-17T15:24Z 2026-02-17T15:33Z 15K 18K
ORCH-FU-004 done Persist spawned state in lifecycle + align queue state transitions/events for spawned/non-spawned paths #411 orchestrator fix/auth-frontend-remediation ORCH-FU-001 orch 2026-02-17T15:33Z 2026-02-17T15:40Z 15K 18K
ORCH-FU-005 done Harden repo-local Mosaic linkage paths (~/.config/mosaic) and ignore orchestrator runtime artifacts #411 docs,tooling fix/auth-frontend-remediation ORCH-FU-004 orch 2026-02-17T15:40Z 2026-02-17T15:45Z 8K 6K
ORCH-FU-V01 done Verification: orchestrator and web targeted test suites pass after follow-up changes #411 all fix/auth-frontend-remediation ORCH-FU-001 orch 2026-02-17T15:45Z 2026-02-17T15:48Z 5K 3K

Verification Snapshot

  • pnpm --filter @mosaic/orchestrator test -- src/api/queue/queue.controller.spec.ts src/api/agents/agents.controller.spec.ts src/api/agents/agents-killswitch.controller.spec.ts src/queue/queue.service.spec.ts src/config/orchestrator.config.spec.ts: pass (26 files, 737 tests)
  • pnpm --filter @mosaic/web test -- src/components/widgets/__tests__/TaskProgressWidget.test.tsx src/components/widgets/__tests__/AgentStatusWidget.test.tsx: pass (89 files, 1117 tests, 3 skipped)

2026-02-17 Orchestrator Observability Follow-up

Orchestrator: Jarvis (Codex runtime) Branch: feature/mosaic-stack-finalization

Tasks

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
ORCH-OBS-001 done Add recent event buffer + endpoint (GET /agents/events/recent?limit=) for non-SSE polling clients #411 orchestrator feature/mosaic-stack-finalization ORCH-FU-001 orch 2026-02-17T16:20Z 2026-02-17T16:28Z 10K 8K
ORCH-OBS-002 done Add web proxy route for recent orchestrator events (/api/orchestrator/events/recent) #411 web feature/mosaic-stack-finalization ORCH-OBS-001 orch 2026-02-17T16:28Z 2026-02-17T16:31Z 5K 4K
ORCH-OBS-003 done Add repo-level monitor script (scripts/agent/orchestrator-events.sh) for recent/watch modes #411 tooling feature/mosaic-stack-finalization ORCH-OBS-001 orch 2026-02-17T16:31Z 2026-02-17T16:36Z 8K 5K
ORCH-OBS-004 done Add tests/docs updates for recent events and operator command usage #411 orchestrator,docs feature/mosaic-stack-finalization ORCH-OBS-001 orch 2026-02-17T16:36Z 2026-02-17T16:40Z 8K 6K
ORCH-OBS-005 done Fix HUD widget ID generation/parsing for hyphenated widget types (quick-capture, agent-status) #411 web feature/mosaic-stack-finalization ORCH-OBS-004 orch 2026-02-17T16:42Z 2026-02-17T16:48Z 8K 6K
ORCH-OBS-006 done Add WidgetRenderer regression tests for hyphenated widget IDs #411 web feature/mosaic-stack-finalization ORCH-OBS-005 orch 2026-02-17T16:48Z 2026-02-17T16:50Z 5K 3K
ORCH-OBS-007 done Add OrchestratorEventsWidget for live/recent orchestration visibility with Matrix signal hints #411 web feature/mosaic-stack-finalization ORCH-OBS-002 orch 2026-02-17T16:55Z 2026-02-17T17:03Z 12K 9K
ORCH-OBS-008 done Integrate new widget into HUD/WidgetRegistry and extend widget regression coverage #411 web feature/mosaic-stack-finalization ORCH-OBS-007 orch 2026-02-17T17:03Z 2026-02-17T17:08Z 10K 7K
ORCH-OBS-009 done Seed default/reset local HUD layout with orchestration widgets so visibility works out-of-box #411 web feature/mosaic-stack-finalization ORCH-OBS-008 orch 2026-02-17T17:10Z 2026-02-17T17:14Z 8K 6K
ORCH-OBS-010 done Enrich TaskProgressWidget with latest recent-event context from /api/orchestrator/events/recent #411 web feature/mosaic-stack-finalization ORCH-OBS-009 orch 2026-02-17T17:15Z 2026-02-17T17:20Z 8K 6K
ORCH-OBS-011 done Add orchestrator health proxy and readiness badge (ready/degraded) in events widget #411 web feature/mosaic-stack-finalization ORCH-OBS-010 orch 2026-02-17T17:22Z 2026-02-17T17:27Z 8K 6K

2026-02-17 Issue 424 — Orchestrator Provider-Aware Startup

Orchestrator: Jarvis (Codex runtime) Issue: #424 Branch: fix/orchestrator-runtime-provider-config

Tasks

id status description issue repo branch depends_on blocks agent started_at completed_at estimate used
ORCH-424-001 done Remove hard startup dependency on CLAUDE_API_KEY unless provider explicitly requires it #424 orchestrator fix/orchestrator-runtime-provider-config ORCH-424-002 2026-02-17T17:15:18-06:00 12K
ORCH-424-002 done Add provider/runtime-aware validation and startup diagnostics for required key availability #424 orchestrator fix/orchestrator-runtime-provider-config ORCH-424-001 ORCH-424-003 2026-02-17T17:15:18-06:00 10K
ORCH-424-003 done Update env example docs for Codex/OpenCode/Claude multi-provider startup behavior #424 orchestrator,docs fix/orchestrator-runtime-provider-config ORCH-424-002 ORCH-424-V01 2026-02-17T17:15:18-06:00 8K
ORCH-424-V01 done Verification: pnpm lint && pnpm typecheck && pnpm test healthy for non-Claude startup/runtime paths #424 all fix/orchestrator-runtime-provider-config ORCH-424-001,ORCH-424-002,ORCH-424-003 2026-02-17T17:15:18-06:00 5K