stack/apps/orchestrator
Jason Woltje 5d683d401e
ci/woodpecker/push/woodpecker Pipeline failed
fix(#121): Remediate security issues from ORCH-121 review
Priority Fixes (Required Before Production):

H3: Add rate limiting to webhook endpoint
- Added slowapi library for FastAPI rate limiting
- Implemented per-IP rate limiting (100 req/min) on webhook endpoint
- Added global rate limiting support via slowapi

M4: Add subprocess timeouts to all gates
- Added timeout=300 (5 minutes) to all subprocess.run() calls in gates
- Implemented proper TimeoutExpired exception handling
- Removed dead CalledProcessError handlers (check=False makes them unreachable)

M2: Add input validation on QualityCheckRequest
- Validate files array size (max 1000 files)
- Validate file paths (no path traversal, no null bytes, no absolute paths)
- Validate diff summary size (max 10KB)
- Validate taskId and agentId format (non-empty)

Additional Fixes:

H1: Fix coverage.json path resolution
- Use absolute paths resolved from project root
- Validate path is within project boundaries (prevent path traversal)

Code Review Cleanup:
- Moved imports to module level in quality_orchestrator.py
- Refactored mock detection logic into separate helper methods
- Removed dead subprocess.CalledProcessError exception handlers from all gates

Testing:
- Added comprehensive tests for all security fixes
- All 339 coordinator tests pass
- All 447 orchestrator tests pass
- Followed TDD principles (RED-GREEN-REFACTOR)

Security Impact:
- Prevents webhook DoS attacks via rate limiting
- Prevents hung processes via subprocess timeouts
- Prevents path traversal attacks via input validation
- Prevents malformed input attacks via comprehensive validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-04 11:50:05 -06:00
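
The request and path checks listed under M2 and H1 in the commit message above, sketched as an added example (this is not the repository's code). The dict-shaped request, the diffSummary field name, the function names and reading "10KB" as 10 * 1024 bytes are assumptions.

```python
from pathlib import Path, PurePosixPath

MAX_FILES = 1000            # limit stated in the commit message
MAX_DIFF_BYTES = 10 * 1024  # "max 10KB", read here as 10 * 1024 bytes (assumption)


def validate_relative_path(raw):
    """Accept only relative paths with no null byte and no '..' component."""
    if not isinstance(raw, str) or not raw or "\x00" in raw:
        raise ValueError("path must be a non-empty string without null bytes")
    # Treat backslashes as separators so Windows-style input gets the same checks.
    normalised = raw.replace("\\", "/")
    path = PurePosixPath(normalised)
    if path.is_absolute() or normalised[1:2] == ":":  # "/etc/x" or "C:/x"
        raise ValueError(f"absolute path not allowed: {raw!r}")
    if ".." in path.parts:
        raise ValueError(f"path traversal not allowed: {raw!r}")
    return str(path)


def validate_request(req):
    """Check a request dict; 'diffSummary' is an assumed field name."""
    for key in ("taskId", "agentId"):
        value = req.get(key)
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{key} must be a non-empty string")
    files = req.get("files", [])
    if not isinstance(files, list) or len(files) > MAX_FILES:
        raise ValueError(f"files must be a list of at most {MAX_FILES} entries")
    diff = req.get("diffSummary", "")
    if not isinstance(diff, str) or len(diff.encode("utf-8")) > MAX_DIFF_BYTES:
        raise ValueError(f"diff summary must be a string of at most {MAX_DIFF_BYTES} bytes")
    return {**req, "files": [validate_relative_path(f) for f in files]}


def resolve_within(project_root, relative):
    """Resolve a file such as coverage.json and confirm it stays under the root."""
    root = Path(project_root).resolve()
    candidate = (root / validate_relative_path(relative)).resolve()
    # resolve() follows symlinks, so a link pointing outside the root is caught too.
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"{relative!r} resolves outside the project root")
    return candidate
```

The string checks reject obviously hostile input early; the resolved-path comparison in resolve_within is the one that holds when the filesystem contains symlinks.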

Mosaic Orchestrator

Agent orchestration service for Mosaic Stack built with NestJS.

Overview

The Orchestrator is the execution plane of Mosaic Stack, responsible for:

  • Spawning and managing Claude agents
  • Task queue management (Valkey-backed)
  • Agent health monitoring and recovery
  • Git workflow automation
  • Quality gate enforcement callbacks
  • Killswitch emergency stop

Architecture

Part of the Mosaic Stack monorepo at apps/orchestrator/.

Controlled by apps/coordinator/ (Quality Coordinator). Monitored via apps/web/ (Agent Dashboard).

Development

# Install dependencies (from monorepo root)
pnpm install

# Run in dev mode (watch mode)
pnpm --filter @mosaic/orchestrator dev

# Build
pnpm --filter @mosaic/orchestrator build

# Start production
pnpm --filter @mosaic/orchestrator start:prod

# Test
pnpm --filter @mosaic/orchestrator test

# Generate module (NestJS CLI)
cd apps/orchestrator
nest generate module <name>
nest generate controller <name>
nest generate service <name>

NestJS Architecture

  • Modules: Feature-based organization (spawner, queue, monitor, etc.)
  • Controllers: HTTP endpoints (health, agents, tasks)
  • Services: Business logic
  • Providers: Dependency injection

Configuration

Environment variables are loaded via @nestjs/config. See .env.example for the required variables.

Documentation

  • Architecture: /docs/ORCHESTRATOR-MONOREPO-SETUP.md
  • API Contracts: /docs/M6-ISSUE-AUDIT.md
  • Milestone: M6-AgentOrchestration (0.0.6)