mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
ebd842f00730372a48af066f02f332c384d2e809
stack/docs/scratchpads
History
Jason Woltje ebd842f007
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
fix(#278): Implement CSRF protection using double-submit cookie pattern 
Implemented comprehensive CSRF protection for all state-changing endpoints
(POST, PATCH, DELETE) using the double-submit cookie pattern.

Security Implementation:
- Created CsrfGuard using double-submit cookie validation
- Token set in httpOnly cookie and validated against X-CSRF-Token header
- Applied guard to FederationController (vulnerable endpoints)
- Safe HTTP methods (GET, HEAD, OPTIONS) automatically exempted
- Signature-based endpoints (@SkipCsrf decorator) exempted

Components Added:
- CsrfGuard: Validates cookie and header token match
- CsrfController: GET /api/v1/csrf/token endpoint for token generation
- @SkipCsrf(): Decorator to exempt endpoints with alternative auth
- Comprehensive tests (20 tests, all passing)

Protected Endpoints:
- POST /api/v1/federation/connections/initiate
- POST /api/v1/federation/connections/:id/accept
- POST /api/v1/federation/connections/:id/reject
- POST /api/v1/federation/connections/:id/disconnect
- POST /api/v1/federation/instance/regenerate-keys

Exempted Endpoints:
- POST /api/v1/federation/incoming/connect (signature-verified)
- GET requests (safe methods)

Security Features:
- httpOnly cookies prevent XSS attacks
- SameSite=strict prevents subdomain attacks
- Cryptographically secure random tokens (32 bytes)
- 24-hour token expiry
- Structured logging for security events

Testing:
- 14 guard tests covering all scenarios
- 6 controller tests for token generation
- Quality gates: lint, typecheck, build all passing

Note: Frontend integration required to use tokens. Clients must:
1. GET /api/v1/csrf/token to receive token
2. Include token in X-CSRF-Token header for state-changing requests

Fixes #278

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 20:35:00 -06:00
..
1-project-scaffold.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
2-postgresql-pgvector-schema.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
3-prisma-orm-setup.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
4-authentik-oidc-final-status.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
4-authentik-oidc.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
5-crud-apis.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
6-basic-web-ui.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
7-8-type-safety-fixes.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
7-activity-logging.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
8-docker-compose.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
36-traefik-integration.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
42-jarvis-chat-overlay.md
feat(#42): Implement persistent Jarvis chat overlay
2026-02-03 20:24:41 -06:00
52-active-projects-widget.md
feat(#52): implement Active Projects & Agent Chains widget
2026-02-03 19:17:13 -06:00
65-full-text-search.md
feat(#66): implement tag filtering in search API endpoint
2026-02-02 14:33:31 -06:00
66-search-api-endpoint.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
67-search-ui.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
69-embedding-generation.md
feat(#71): implement graph data API
2026-02-02 15:27:00 -06:00
70-semantic-search-api.md
feat(#71): implement graph data API
2026-02-02 15:27:00 -06:00
71-graph-data-api.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
72-graph-visualization.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
84-instance-identity-model.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
85-connect-disconnect-protocol.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
86-authentik-oidc-integration-security-fixes.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
86-authentik-oidc-integration.md
feat(#86): implement Authentik OIDC integration for federation
2026-02-03 12:34:24 -06:00
87-cross-instance-identity-linking.md
feat(#87): implement cross-instance identity linking for federation
2026-02-03 12:55:37 -06:00
88-query-message-type.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
89-command-message-type.md
feat(#89): implement COMMAND message type for federation
2026-02-03 13:30:16 -06:00
89-implementation-summary.md
feat(#89): implement COMMAND message type for federation
2026-02-03 13:30:16 -06:00
89-migration-needed.md
feat(#89): implement COMMAND message type for federation
2026-02-03 13:30:16 -06:00
90-event-subscriptions-summary.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
90-event-subscriptions.md
feat(#90): implement EVENT subscriptions for federation
2026-02-03 13:45:00 -06:00
91-connection-manager-ui.md
feat(#91): implement Connection Manager UI for federation
2026-02-03 14:03:44 -06:00
92-aggregated-dashboard.md
feat(#92): implement Aggregated Dashboard View
2026-02-03 14:18:18 -06:00
93-agent-spawn-via-federation.md
feat(#94): implement spoke configuration UI
2026-02-03 14:51:59 -06:00
94-spoke-configuration-ui.md
feat(#94): implement spoke configuration UI
2026-02-03 14:51:59 -06:00
122-llm-provider-interface.md
feat(#122): create LLM provider interface
2026-01-31 11:38:38 -06:00
123-ollama-provider.md
feat(#123): port Ollama LLM provider
2026-01-31 12:10:43 -06:00
126-llm-manager-service.md
feat(#126): create LLM Manager Service
2026-01-31 12:22:14 -06:00
128-llm-provider-schema.md
feat(#128): add LlmProviderInstance Prisma schema
2026-01-31 11:57:40 -06:00
143-validate-50-percent-rule.md
test(#143): Validate 50% rule prevents context exhaustion
2026-02-01 17:56:04 -06:00
149-test-rejection-loop.md
fix(#180): Update pnpm to 10.27.0 in Dockerfiles
2026-02-01 20:52:43 -06:00
150-orchestration-loop.md
docs(#150): Add scratchpad for orchestration loop implementation
2026-02-01 20:22:07 -06:00
155-context-monitor.md
fix(#180): Update pnpm to 10.27.0 in Dockerfiles
2026-02-01 20:52:43 -06:00
157-webhook-receiver.md
fix(#180): Update pnpm to 10.27.0 in Dockerfiles
2026-02-01 20:52:43 -06:00
158-issue-parser.md
fix(#180): Update pnpm to 10.27.0 in Dockerfiles
2026-02-01 20:52:43 -06:00
163-bullmq-dependencies.md
feat(#163): Add BullMQ dependencies
2026-02-01 20:56:45 -06:00
164-database-schema-jobs.md
feat(#167): Implement Runner jobs CRUD and queue submission
2026-02-01 21:09:03 -06:00
165-bullmq-module-setup.md
feat(#165): Implement BullMQ module setup
2026-02-01 21:01:25 -06:00
166-stitcher-module.md
feat(#167): Implement Runner jobs CRUD and queue submission
2026-02-01 21:09:03 -06:00
167-runner-jobs-crud.md
feat(#168): Implement job steps tracking
2026-02-01 21:16:23 -06:00
168-job-steps-tracking.md
feat(#168): Implement job steps tracking
2026-02-01 21:16:23 -06:00
169-job-events-audit.md
feat(#168): Implement job steps tracking
2026-02-01 21:16:23 -06:00
170-discord-bridge.md
feat(#170): Implement mosaic-bridge module for Discord
2026-02-01 21:26:40 -06:00
171-command-parser.md
feat(#171): Implement chat command parsing
2026-02-01 21:32:53 -06:00
172-herald-status.md
feat(#172): Implement Herald status updates
2026-02-01 21:42:44 -06:00
173-websocket-gateway.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
174-sse-endpoint.md
docs(#162): Finalize M4.2-Infrastructure token tracking report
2026-02-02 08:18:55 -06:00
175-e2e-harness.md
feat(#175): Implement E2E test harness
2026-02-01 21:44:04 -06:00
176-coordinator-integration.md
feat(#176): Integrate M4.2 infrastructure with M4.1 coordinator
2026-02-01 21:54:34 -06:00
179-security-nodejs-deps.md
fix(#179): Update vulnerable Node.js dependencies
2026-02-01 20:54:25 -06:00
180-security-pnpm-dockerfiles.md
feat(#167): Implement Runner jobs CRUD and queue submission
2026-02-01 21:09:03 -06:00
181-security-go-stdlib-postgres.md
fix(#181): Update Alpine packages to patch Go stdlib vulnerabilities in postgres image
2026-02-01 20:54:57 -06:00
182-fix-prisma-enum-tests.md
fix(#182): fix Prisma enum import in job-steps tests
2026-02-02 11:41:11 -06:00
183-remove-hardcoded-workspace-id.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
184-add-coordinator-auth.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
185-fix-herald-error-handling.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
186-add-dto-validation.md
fix(#196): fix race condition in job status updates
2026-02-02 12:51:17 -06:00
187-implement-sse-error-recovery.md
fix(#187): implement server-side SSE error recovery
2026-02-02 12:41:12 -06:00
188-sanitize-discord-logs.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
189-add-job-events-index.md
fix(#189): add composite database index for job_events table
2026-02-02 12:30:19 -06:00
190-fix-mermaid-xss.md
fix(#190): fix XSS vulnerability in Mermaid rendering
2026-02-02 12:03:36 -06:00
192-fix-cors-configuration.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
196-fix-job-status-race-condition.md
fix(#196): fix race condition in job status updates
2026-02-02 12:51:17 -06:00
197-add-explicit-return-types.md
docs(#197): update scratchpad with completion status
2026-02-02 12:55:17 -06:00
198-strengthen-websocket-auth.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
199-implement-rate-limiting.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
271-oidc-token-validation.md
fix(#271): implement OIDC token validation (authentication bypass)
2026-02-03 16:50:06 -06:00
272-rate-limiting.md
fix(#272): Add rate limiting to federation endpoints (DoS protection)
2026-02-03 18:58:00 -06:00
273-capability-enforcement.md
feat(#273): Implement capability-based authorization for federation
2026-02-03 19:53:09 -06:00
274-command-injection.md
fix(#274): Add input validation to prevent command injection in git operations
2026-02-03 20:17:47 -06:00
275-silent-connection-failures.md
fix(#275): Prevent silent connection initiation failures
2026-02-03 20:21:06 -06:00
276-workspace-authorization.md
fix(#276): Add comprehensive audit logging for incoming connections
2026-02-03 20:24:46 -06:00
277-comprehensive-audit-logging.md
fix(#277): Add comprehensive security event logging for command injection
2026-02-03 20:27:45 -06:00
278-csrf-protection.md
fix(#278): Implement CSRF protection using double-submit cookie pattern
2026-02-03 20:35:00 -06:00
orch-101-setup.md
feat(#66): implement tag filtering in search API endpoint
2026-02-02 14:33:31 -06:00
orch-102-health.md
feat(#66): implement tag filtering in search API endpoint
2026-02-02 14:33:31 -06:00
orch-103-docker.md
feat(#66): implement tag filtering in search API endpoint
2026-02-02 14:33:31 -06:00
orch-104-pipeline.md
feat(#66): implement tag filtering in search API endpoint
2026-02-02 14:33:31 -06:00
orch-105-spawner.md
feat(#66): implement tag filtering in search API endpoint
2026-02-02 14:33:31 -06:00
orch-105-summary.md
feat(#66): implement tag filtering in search API endpoint
2026-02-02 14:33:31 -06:00
orch-106-sandbox.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-107-valkey.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-108-queue.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-109-lifecycle.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-110-git-ops.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-111-worktrees.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-112-conflicts.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-113-coordinator.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-114-gates.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-115-dispatch.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-116-fifty-percent.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-117-killswitch.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-118-cleanup.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-119-completion-summary.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-119-security.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-120-secrets.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-121-mechanical.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-122-ai-review.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-123-yolo.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orch-124-task-config.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
orchestrator-typescript-fixes.md
feat(#66): implement tag filtering in search API endpoint
2026-02-02 14:33:31 -06:00
remediation-session.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00
security-fixes-activity-api.md
feat(#93): implement agent spawn via federation
2026-02-03 14:37:06 -06:00