mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting

Browse Source
This commit is contained in:
Jason Woltje
2026-03-13 08:25:57 -05:00
parent 9eb48e1d9b
commit 180604661e
22 changed files with 696 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
apps/gateway/package.json
View File

@@ -8,10 +8,11 @@
"build": "tsc",
"dev": "tsx watch src/main.ts",
"lint": "eslint src",
"typecheck": "tsc --noEmit",
"typecheck": "tsc --noEmit -p tsconfig.typecheck.json",
"test": "vitest run --passWithNoTests"
},
"dependencies": {
"@fastify/helmet": "^13.0.2",
"@mariozechner/pi-ai": "~0.57.1",
"@mariozechner/pi-coding-agent": "~0.57.1",
"@mosaic/auth": "workspace:^",
@@ -25,6 +26,7 @@
"@nestjs/core": "^11.0.0",
"@nestjs/platform-fastify": "^11.0.0",
"@nestjs/platform-socket.io": "^11.0.0",
"@nestjs/throttler": "^6.5.0",
"@nestjs/websockets": "^11.0.0",
"@opentelemetry/auto-instrumentations-node": "^0.71.0",
"@opentelemetry/exporter-metrics-otlp-http": "^0.213.0",
@@ -35,6 +37,8 @@
"@opentelemetry/semantic-conventions": "^1.40.0",
"@sinclair/typebox": "^0.34.48",
"better-auth": "^1.5.5",
"class-transformer": "^0.5.1",
"class-validator": "^0.15.1",
"fastify": "^5.0.0",
"node-cron": "^4.2.1",
"reflect-metadata": "^0.2.0",

89
apps/gateway/src/__tests__/resource-ownership.test.ts Normal file
View File

@@ -0,0 +1,89 @@
import { ForbiddenException } from '@nestjs/common';
import { describe, expect, it, vi } from 'vitest';
import { ConversationsController } from '../conversations/conversations.controller.js';
import { MissionsController } from '../missions/missions.controller.js';
import { ProjectsController } from '../projects/projects.controller.js';
import { TasksController } from '../tasks/tasks.controller.js';
function createBrain() {
return {
conversations: {
findAll: vi.fn(),
findById: vi.fn(),
create: vi.fn(),
update: vi.fn(),
remove: vi.fn(),
findMessages: vi.fn(),
addMessage: vi.fn(),
},
projects: {
findAll: vi.fn(),
findById: vi.fn(),
create: vi.fn(),
update: vi.fn(),
remove: vi.fn(),
},
missions: {
findAll: vi.fn(),
findById: vi.fn(),
findByProject: vi.fn(),
create: vi.fn(),
update: vi.fn(),
remove: vi.fn(),
},
tasks: {
findAll: vi.fn(),
findById: vi.fn(),
findByProject: vi.fn(),
findByMission: vi.fn(),
findByStatus: vi.fn(),
create: vi.fn(),
update: vi.fn(),
remove: vi.fn(),
},
};
}
describe('Resource ownership checks', () => {
it('forbids access to another user conversation', async () => {
const brain = createBrain();
brain.conversations.findById.mockResolvedValue({ id: 'conv-1', userId: 'user-2' });
const controller = new ConversationsController(brain as never);
await expect(controller.findOne('conv-1', { id: 'user-1' })).rejects.toBeInstanceOf(
ForbiddenException,
);
});
it('forbids access to another user project', async () => {
const brain = createBrain();
brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
const controller = new ProjectsController(brain as never);
await expect(controller.findOne('project-1', { id: 'user-1' })).rejects.toBeInstanceOf(
ForbiddenException,
);
});
it('forbids access to a mission owned by another project owner', async () => {
const brain = createBrain();
brain.missions.findById.mockResolvedValue({ id: 'mission-1', projectId: 'project-1' });
brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
const controller = new MissionsController(brain as never);
await expect(controller.findOne('mission-1', { id: 'user-1' })).rejects.toBeInstanceOf(
ForbiddenException,
);
});
it('forbids access to a task owned by another project owner', async () => {
const brain = createBrain();
brain.tasks.findById.mockResolvedValue({ id: 'task-1', projectId: 'project-1' });
brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
const controller = new TasksController(brain as never);
await expect(controller.findOne('task-1', { id: 'user-1' })).rejects.toBeInstanceOf(
ForbiddenException,
);
});
});

2
apps/gateway/src/agent/provider.service.ts
View File

@@ -89,7 +89,7 @@ export class ProviderService implements OnModuleInit {
const modelsEnv = process.env['OLLAMA_MODELS'] ?? 'llama3.2,codellama,mistral';
const modelIds = modelsEnv
.split(',')
.map((m) => m.trim())
.map((modelId: string) => modelId.trim())
.filter(Boolean);
this.registerCustomProvider({

7
apps/gateway/src/agent/routing.service.ts
View File

@@ -145,8 +145,11 @@ export class RoutingService {
private classifyTier(model: ModelInfo): CostTier {
const cost = model.cost.input;
if (cost <= COST_TIER_THRESHOLDS.cheap.maxInput) return 'cheap';
if (cost <= COST_TIER_THRESHOLDS.standard.maxInput) return 'standard';
const cheapThreshold = COST_TIER_THRESHOLDS['cheap'];
const standardThreshold = COST_TIER_THRESHOLDS['standard'];
if (cost <= cheapThreshold.maxInput) return 'cheap';
if (cost <= standardThreshold.maxInput) return 'standard';
return 'premium';
}

9
apps/gateway/src/app.module.ts
View File

@@ -1,4 +1,5 @@
import { Module } from '@nestjs/common';
import { APP_GUARD } from '@nestjs/core';
import { HealthController } from './health/health.controller.js';
import { DatabaseModule } from './database/database.module.js';
import { AuthModule } from './auth/auth.module.js';
@@ -13,9 +14,11 @@ import { CoordModule } from './coord/coord.module.js';
import { MemoryModule } from './memory/memory.module.js';
import { LogModule } from './log/log.module.js';
import { SkillsModule } from './skills/skills.module.js';
import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
@Module({
imports: [
ThrottlerModule.forRoot([{ name: 'default', ttl: 60_000, limit: 60 }]),
DatabaseModule,
AuthModule,
BrainModule,
@@ -31,5 +34,11 @@ import { SkillsModule } from './skills/skills.module.js';
SkillsModule,
],
controllers: [HealthController],
providers: [
{
provide: APP_GUARD,
useClass: ThrottlerGuard,
},
],
})
export class AppModule {}

11
apps/gateway/src/auth/resource-ownership.ts Normal file
View File

@@ -0,0 +1,11 @@
import { ForbiddenException } from '@nestjs/common';
export function assertOwner(
ownerId: string | null | undefined,
userId: string,
resourceName: string,
): void {
if (!ownerId || ownerId !== userId) {
throw new ForbiddenException(`${resourceName} does not belong to the current user`);
}
}

80
apps/gateway/src/chat/__tests__/chat-security.test.ts Normal file
View File

@@ -0,0 +1,80 @@
import { readFileSync } from 'node:fs';
import { resolve } from 'node:path';
import { validateSync } from 'class-validator';
import { describe, expect, it, vi } from 'vitest';
import { SendMessageDto } from '../../conversations/conversations.dto.js';
import { ChatRequestDto } from '../chat.dto.js';
import { validateSocketSession } from '../chat.gateway-auth.js';
describe('Chat controller source hardening', () => {
it('applies AuthGuard and reads the current user', () => {
const source = readFileSync(resolve('src/chat/chat.controller.ts'), 'utf8');
expect(source).toContain('@UseGuards(AuthGuard)');
expect(source).toContain('@CurrentUser() user: { id: string }');
});
});
describe('WebSocket session authentication', () => {
it('returns null when the handshake does not resolve to a session', async () => {
const result = await validateSocketSession(
{},
{
api: {
getSession: vi.fn().mockResolvedValue(null),
},
},
);
expect(result).toBeNull();
});
it('returns the resolved session when Better Auth accepts the headers', async () => {
const session = { user: { id: 'user-1' }, session: { id: 'session-1' } };
const result = await validateSocketSession(
{ cookie: 'session=abc' },
{
api: {
getSession: vi.fn().mockResolvedValue(session),
},
},
);
expect(result).toBe(session);
});
});
describe('Chat DTO validation', () => {
it('rejects unsupported message roles and system messages', () => {
const dto = Object.assign(new SendMessageDto(), {
content: 'hello',
role: 'system',
});
const errors = validateSync(dto);
expect(errors.length).toBeGreaterThan(0);
});
it('rejects oversized conversation message content above 32000 characters', () => {
const dto = Object.assign(new SendMessageDto(), {
content: 'x'.repeat(32_001),
role: 'user',
});
const errors = validateSync(dto);
expect(errors.length).toBeGreaterThan(0);
});
it('rejects oversized chat content above 10000 characters', () => {
const dto = Object.assign(new ChatRequestDto(), {
content: 'x'.repeat(10_001),
});
const errors = validateSync(dto);
expect(errors.length).toBeGreaterThan(0);
});
});

29
apps/gateway/src/chat/chat.controller.ts
View File

@@ -1,12 +1,20 @@
import { Controller, Post, Body, Logger, HttpException, HttpStatus, Inject } from '@nestjs/common';
import {
Controller,
Post,
Body,
Logger,
HttpException,
HttpStatus,
Inject,
UseGuards,
} from '@nestjs/common';
import type { AgentSessionEvent } from '@mariozechner/pi-coding-agent';
import { Throttle } from '@nestjs/throttler';
import { AgentService } from '../agent/agent.service.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { v4 as uuid } from 'uuid';
interface ChatRequest {
conversationId?: string;
content: string;
}
import { ChatRequestDto } from './chat.dto.js';
interface ChatResponse {
conversationId: string;
@@ -14,13 +22,18 @@ interface ChatResponse {
}
@Controller('api/chat')
@UseGuards(AuthGuard)
export class ChatController {
private readonly logger = new Logger(ChatController.name);
constructor(@Inject(AgentService) private readonly agentService: AgentService) {}
@Post()
async chat(@Body() body: ChatRequest): Promise<ChatResponse> {
@Throttle({ default: { limit: 10, ttl: 60_000 } })
async chat(
@Body() body: ChatRequestDto,
@CurrentUser() user: { id: string },
): Promise<ChatResponse> {
const conversationId = body.conversationId ?? uuid();
try {
@@ -36,6 +49,8 @@ export class ChatController {
throw new HttpException('Agent session unavailable', HttpStatus.SERVICE_UNAVAILABLE);
}
this.logger.debug(`Handling chat request for user=${user.id}, conversation=${conversationId}`);
let responseText = '';
const done = new Promise<void>((resolve, reject) => {

31
apps/gateway/src/chat/chat.dto.ts Normal file
View File

@@ -0,0 +1,31 @@
import { IsOptional, IsString, IsUUID, MaxLength } from 'class-validator';
export class ChatRequestDto {
@IsOptional()
@IsUUID()
conversationId?: string;
@IsString()
@MaxLength(10_000)
content!: string;
}
export class ChatSocketMessageDto {
@IsOptional()
@IsUUID()
conversationId?: string;
@IsString()
@MaxLength(10_000)
content!: string;
@IsOptional()
@IsString()
@MaxLength(255)
provider?: string;
@IsOptional()
@IsString()
@MaxLength(255)
modelId?: string;
}

30
apps/gateway/src/chat/chat.gateway-auth.ts Normal file
View File

@@ -0,0 +1,30 @@
import type { IncomingHttpHeaders } from 'node:http';
import { fromNodeHeaders } from 'better-auth/node';
export interface SocketSessionResult {
session: unknown;
user: { id: string };
}
export interface SessionAuth {
api: {
getSession(context: { headers: Headers }): Promise<SocketSessionResult | null>;
};
}
export async function validateSocketSession(
headers: IncomingHttpHeaders,
auth: SessionAuth,
): Promise<SocketSessionResult | null> {
const sessionHeaders = fromNodeHeaders(headers);
const result = await auth.api.getSession({ headers: sessionHeaders });
if (!result) {
return null;
}
return {
session: result.session,
user: { id: result.user.id },
};
}

33
apps/gateway/src/chat/chat.gateway.ts
View File

@@ -11,18 +11,17 @@ import {
} from '@nestjs/websockets';
import { Server, Socket } from 'socket.io';
import type { AgentSessionEvent } from '@mariozechner/pi-coding-agent';
import type { Auth } from '@mosaic/auth';
import { AgentService } from '../agent/agent.service.js';
import { AUTH } from '../auth/auth.tokens.js';
import { v4 as uuid } from 'uuid';
interface ChatMessage {
conversationId?: string;
content: string;
provider?: string;
modelId?: string;
}
import { ChatSocketMessageDto } from './chat.dto.js';
import { validateSocketSession } from './chat.gateway-auth.js';
@WebSocketGateway({
cors: { origin: '*' },
cors: {
origin: process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000',
},
namespace: '/chat',
})
export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewayDisconnect {
@@ -35,13 +34,25 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
{ conversationId: string; cleanup: () => void }
>();
constructor(@Inject(AgentService) private readonly agentService: AgentService) {}
constructor(
@Inject(AgentService) private readonly agentService: AgentService,
@Inject(AUTH) private readonly auth: Auth,
) {}
afterInit(): void {
this.logger.log('Chat WebSocket gateway initialized');
}
handleConnection(client: Socket): void {
async handleConnection(client: Socket): Promise<void> {
const session = await validateSocketSession(client.handshake.headers, this.auth);
if (!session) {
this.logger.warn(`Rejected unauthenticated WebSocket client: ${client.id}`);
client.disconnect();
return;
}
client.data.user = session.user;
client.data.session = session.session;
this.logger.log(`Client connected: ${client.id}`);
}
@@ -58,7 +69,7 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
@SubscribeMessage('message')
async handleMessage(
@ConnectedSocket() client: Socket,
@MessageBody() data: ChatMessage,
@MessageBody() data: ChatSocketMessageDto,
): Promise<void> {
const conversationId = data.conversationId ?? uuid();

40
apps/gateway/src/conversations/conversations.controller.ts
View File

@@ -16,7 +16,8 @@ import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import type {
import { assertOwner } from '../auth/resource-ownership.js';
import {
CreateConversationDto,
UpdateConversationDto,
SendMessageDto,
@@ -33,10 +34,8 @@ export class ConversationsController {
}
@Get(':id')
async findOne(@Param('id') id: string) {
const conversation = await this.brain.conversations.findById(id);
if (!conversation) throw new NotFoundException('Conversation not found');
return conversation;
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
return this.getOwnedConversation(id, user.id);
}
@Post()
@@ -49,7 +48,12 @@ export class ConversationsController {
}
@Patch(':id')
async update(@Param('id') id: string, @Body() dto: UpdateConversationDto) {
async update(
@Param('id') id: string,
@Body() dto: UpdateConversationDto,
@CurrentUser() user: { id: string },
) {
await this.getOwnedConversation(id, user.id);
const conversation = await this.brain.conversations.update(id, dto);
if (!conversation) throw new NotFoundException('Conversation not found');
return conversation;
@@ -57,22 +61,25 @@ export class ConversationsController {
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string) {
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
await this.getOwnedConversation(id, user.id);
const deleted = await this.brain.conversations.remove(id);
if (!deleted) throw new NotFoundException('Conversation not found');
}
@Get(':id/messages')
async listMessages(@Param('id') id: string) {
const conversation = await this.brain.conversations.findById(id);
if (!conversation) throw new NotFoundException('Conversation not found');
async listMessages(@Param('id') id: string, @CurrentUser() user: { id: string }) {
await this.getOwnedConversation(id, user.id);
return this.brain.conversations.findMessages(id);
}
@Post(':id/messages')
async addMessage(@Param('id') id: string, @Body() dto: SendMessageDto) {
const conversation = await this.brain.conversations.findById(id);
if (!conversation) throw new NotFoundException('Conversation not found');
async addMessage(
@Param('id') id: string,
@Body() dto: SendMessageDto,
@CurrentUser() user: { id: string },
) {
await this.getOwnedConversation(id, user.id);
return this.brain.conversations.addMessage({
conversationId: id,
role: dto.role,
@@ -80,4 +87,11 @@ export class ConversationsController {
metadata: dto.metadata,
});
}
private async getOwnedConversation(id: string, userId: string) {
const conversation = await this.brain.conversations.findById(id);
if (!conversation) throw new NotFoundException('Conversation not found');
assertOwner(conversation.userId, userId, 'Conversation');
return conversation;
}
}

31
apps/gateway/src/conversations/conversations.dto.ts
View File

@@ -1,15 +1,36 @@
export interface CreateConversationDto {
import { IsIn, IsObject, IsOptional, IsString, IsUUID, MaxLength } from 'class-validator';
export class CreateConversationDto {
@IsOptional()
@IsString()
@MaxLength(255)
title?: string;
@IsOptional()
@IsUUID()
projectId?: string;
}
export interface UpdateConversationDto {
export class UpdateConversationDto {
@IsOptional()
@IsString()
@MaxLength(255)
title?: string;
@IsOptional()
@IsUUID()
projectId?: string | null;
}
export interface SendMessageDto {
role: 'user' | 'assistant' | 'system';
content: string;
export class SendMessageDto {
@IsIn(['user', 'assistant', 'system'])
role!: 'user' | 'assistant' | 'system';
@IsString()
@MaxLength(10_000)
content!: string;
@IsOptional()
@IsObject()
metadata?: Record<string, unknown>;
}

25
apps/gateway/src/main.ts
View File

@@ -1,19 +1,36 @@
import './tracing.js';
import 'reflect-metadata';
import { NestFactory } from '@nestjs/core';
import { Logger } from '@nestjs/common';
import { Logger, ValidationPipe } from '@nestjs/common';
import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fastify';
import helmet from '@fastify/helmet';
import { AppModule } from './app.module.js';
import { mountAuthHandler } from './auth/auth.controller.js';
async function bootstrap(): Promise<void> {
if (!process.env['BETTER_AUTH_SECRET']) {
throw new Error('BETTER_AUTH_SECRET is required');
}
const logger = new Logger('Bootstrap');
const app = await NestFactory.create<NestFastifyApplication>(AppModule, new FastifyAdapter());
const app = await NestFactory.create<NestFastifyApplication>(
AppModule,
new FastifyAdapter({ bodyLimit: 1_048_576 }),
);
await app.register(helmet as never, { contentSecurityPolicy: false });
app.useGlobalPipes(
new ValidationPipe({
whitelist: true,
forbidNonWhitelisted: true,
transform: true,
}),
);
mountAuthHandler(app);
const port = process.env['GATEWAY_PORT'] ?? 4000;
await app.listen(port as number, '0.0.0.0');
const port = Number(process.env['GATEWAY_PORT'] ?? 4000);
await app.listen(port, '0.0.0.0');
logger.log(`Gateway listening on port ${port}`);
}

49
apps/gateway/src/missions/missions.controller.ts
View File

@@ -2,6 +2,7 @@ import {
Body,
Controller,
Delete,
ForbiddenException,
Get,
HttpCode,
HttpStatus,
@@ -15,7 +16,9 @@ import {
import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import type { CreateMissionDto, UpdateMissionDto } from './missions.dto.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { assertOwner } from '../auth/resource-ownership.js';
import { CreateMissionDto, UpdateMissionDto } from './missions.dto.js';
@Controller('api/missions')
@UseGuards(AuthGuard)
@@ -28,10 +31,8 @@ export class MissionsController {
}
@Get(':id')
async findOne(@Param('id') id: string) {
const mission = await this.brain.missions.findById(id);
if (!mission) throw new NotFoundException('Mission not found');
return mission;
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
return this.getOwnedMission(id, user.id);
}
@Post()
@@ -45,7 +46,15 @@ export class MissionsController {
}
@Patch(':id')
async update(@Param('id') id: string, @Body() dto: UpdateMissionDto) {
async update(
@Param('id') id: string,
@Body() dto: UpdateMissionDto,
@CurrentUser() user: { id: string },
) {
await this.getOwnedMission(id, user.id);
if (dto.projectId) {
await this.getOwnedProject(dto.projectId, user.id, 'Mission');
}
const mission = await this.brain.missions.update(id, dto);
if (!mission) throw new NotFoundException('Mission not found');
return mission;
@@ -53,8 +62,34 @@ export class MissionsController {
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string) {
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
await this.getOwnedMission(id, user.id);
const deleted = await this.brain.missions.remove(id);
if (!deleted) throw new NotFoundException('Mission not found');
}
private async getOwnedMission(id: string, userId: string) {
const mission = await this.brain.missions.findById(id);
if (!mission) throw new NotFoundException('Mission not found');
await this.getOwnedProject(mission.projectId, userId, 'Mission');
return mission;
}
private async getOwnedProject(
projectId: string | null | undefined,
userId: string,
resourceName: string,
) {
if (!projectId) {
throw new ForbiddenException(`${resourceName} does not belong to the current user`);
}
const project = await this.brain.projects.findById(projectId);
if (!project) {
throw new ForbiddenException(`${resourceName} does not belong to the current user`);
}
assertOwner(project.ownerId, userId, resourceName);
return project;
}
}

38
apps/gateway/src/missions/missions.dto.ts
View File

@@ -1,14 +1,46 @@
export interface CreateMissionDto {
name: string;
import { IsIn, IsObject, IsOptional, IsString, IsUUID, MaxLength } from 'class-validator';
const missionStatuses = ['planning', 'active', 'paused', 'completed', 'failed'] as const;
export class CreateMissionDto {
@IsString()
@MaxLength(255)
name!: string;
@IsOptional()
@IsString()
@MaxLength(10_000)
description?: string;
@IsOptional()
@IsUUID()
projectId?: string;
@IsOptional()
@IsIn(missionStatuses)
status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed';
}
export interface UpdateMissionDto {
export class UpdateMissionDto {
@IsOptional()
@IsString()
@MaxLength(255)
name?: string;
@IsOptional()
@IsString()
@MaxLength(10_000)
description?: string | null;
@IsOptional()
@IsUUID()
projectId?: string | null;
@IsOptional()
@IsIn(missionStatuses)
status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed';
@IsOptional()
@IsObject()
metadata?: Record<string, unknown> | null;
}

26
apps/gateway/src/projects/projects.controller.ts
View File

@@ -16,7 +16,8 @@ import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import type { CreateProjectDto, UpdateProjectDto } from './projects.dto.js';
import { assertOwner } from '../auth/resource-ownership.js';
import { CreateProjectDto, UpdateProjectDto } from './projects.dto.js';
@Controller('api/projects')
@UseGuards(AuthGuard)
@@ -29,10 +30,8 @@ export class ProjectsController {
}
@Get(':id')
async findOne(@Param('id') id: string) {
const project = await this.brain.projects.findById(id);
if (!project) throw new NotFoundException('Project not found');
return project;
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
return this.getOwnedProject(id, user.id);
}
@Post()
@@ -46,7 +45,12 @@ export class ProjectsController {
}
@Patch(':id')
async update(@Param('id') id: string, @Body() dto: UpdateProjectDto) {
async update(
@Param('id') id: string,
@Body() dto: UpdateProjectDto,
@CurrentUser() user: { id: string },
) {
await this.getOwnedProject(id, user.id);
const project = await this.brain.projects.update(id, dto);
if (!project) throw new NotFoundException('Project not found');
return project;
@@ -54,8 +58,16 @@ export class ProjectsController {
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string) {
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
await this.getOwnedProject(id, user.id);
const deleted = await this.brain.projects.remove(id);
if (!deleted) throw new NotFoundException('Project not found');
}
private async getOwnedProject(id: string, userId: string) {
const project = await this.brain.projects.findById(id);
if (!project) throw new NotFoundException('Project not found');
assertOwner(project.ownerId, userId, 'Project');
return project;
}
}

32
apps/gateway/src/projects/projects.dto.ts
View File

@@ -1,12 +1,38 @@
export interface CreateProjectDto {
name: string;
import { IsIn, IsObject, IsOptional, IsString, MaxLength } from 'class-validator';
const projectStatuses = ['active', 'paused', 'completed', 'archived'] as const;
export class CreateProjectDto {
@IsString()
@MaxLength(255)
name!: string;
@IsOptional()
@IsString()
@MaxLength(10_000)
description?: string;
@IsOptional()
@IsIn(projectStatuses)
status?: 'active' | 'paused' | 'completed' | 'archived';
}
export interface UpdateProjectDto {
export class UpdateProjectDto {
@IsOptional()
@IsString()
@MaxLength(255)
name?: string;
@IsOptional()
@IsString()
@MaxLength(10_000)
description?: string | null;
@IsOptional()
@IsIn(projectStatuses)
status?: 'active' | 'paused' | 'completed' | 'archived';
@IsOptional()
@IsObject()
metadata?: Record<string, unknown> | null;
}

64
apps/gateway/src/tasks/tasks.controller.ts
View File

@@ -2,6 +2,7 @@ import {
Body,
Controller,
Delete,
ForbiddenException,
Get,
HttpCode,
HttpStatus,
@@ -16,7 +17,9 @@ import {
import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import type { CreateTaskDto, UpdateTaskDto } from './tasks.dto.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { assertOwner } from '../auth/resource-ownership.js';
import { CreateTaskDto, UpdateTaskDto } from './tasks.dto.js';
@Controller('api/tasks')
@UseGuards(AuthGuard)
@@ -39,10 +42,8 @@ export class TasksController {
}
@Get(':id')
async findOne(@Param('id') id: string) {
const task = await this.brain.tasks.findById(id);
if (!task) throw new NotFoundException('Task not found');
return task;
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
return this.getOwnedTask(id, user.id);
}
@Post()
@@ -61,7 +62,18 @@ export class TasksController {
}
@Patch(':id')
async update(@Param('id') id: string, @Body() dto: UpdateTaskDto) {
async update(
@Param('id') id: string,
@Body() dto: UpdateTaskDto,
@CurrentUser() user: { id: string },
) {
await this.getOwnedTask(id, user.id);
if (dto.projectId) {
await this.getOwnedProject(dto.projectId, user.id, 'Task');
}
if (dto.missionId) {
await this.getOwnedMission(dto.missionId, user.id, 'Task');
}
const task = await this.brain.tasks.update(id, {
...dto,
dueDate: dto.dueDate ? new Date(dto.dueDate) : dto.dueDate === null ? null : undefined,
@@ -72,8 +84,46 @@ export class TasksController {
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string) {
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
await this.getOwnedTask(id, user.id);
const deleted = await this.brain.tasks.remove(id);
if (!deleted) throw new NotFoundException('Task not found');
}
private async getOwnedTask(id: string, userId: string) {
const task = await this.brain.tasks.findById(id);
if (!task) throw new NotFoundException('Task not found');
if (task.projectId) {
await this.getOwnedProject(task.projectId, userId, 'Task');
return task;
}
if (task.missionId) {
await this.getOwnedMission(task.missionId, userId, 'Task');
return task;
}
throw new ForbiddenException('Task does not belong to the current user');
}
private async getOwnedMission(missionId: string, userId: string, resourceName: string) {
const mission = await this.brain.missions.findById(missionId);
if (!mission?.projectId) {
throw new ForbiddenException(`${resourceName} does not belong to the current user`);
}
await this.getOwnedProject(mission.projectId, userId, resourceName);
return mission;
}
private async getOwnedProject(projectId: string, userId: string, resourceName: string) {
const project = await this.brain.projects.findById(projectId);
if (!project) {
throw new ForbiddenException(`${resourceName} does not belong to the current user`);
}
assertOwner(project.ownerId, userId, resourceName);
return project;
}
}

85
apps/gateway/src/tasks/tasks.dto.ts
View File

@@ -1,24 +1,103 @@
export interface CreateTaskDto {
title: string;
import {
ArrayMaxSize,
IsArray,
IsIn,
IsISO8601,
IsObject,
IsOptional,
IsString,
IsUUID,
MaxLength,
} from 'class-validator';
const taskStatuses = ['not-started', 'in-progress', 'blocked', 'done', 'cancelled'] as const;
const taskPriorities = ['critical', 'high', 'medium', 'low'] as const;
export class CreateTaskDto {
@IsString()
@MaxLength(255)
title!: string;
@IsOptional()
@IsString()
@MaxLength(10_000)
description?: string;
@IsOptional()
@IsIn(taskStatuses)
status?: 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
@IsOptional()
@IsIn(taskPriorities)
priority?: 'critical' | 'high' | 'medium' | 'low';
@IsOptional()
@IsUUID()
projectId?: string;
@IsOptional()
@IsUUID()
missionId?: string;
@IsOptional()
@IsString()
@MaxLength(255)
assignee?: string;
@IsOptional()
@IsArray()
@ArrayMaxSize(50)
@IsString({ each: true })
tags?: string[];
@IsOptional()
@IsISO8601()
dueDate?: string;
}
export interface UpdateTaskDto {
export class UpdateTaskDto {
@IsOptional()
@IsString()
@MaxLength(255)
title?: string;
@IsOptional()
@IsString()
@MaxLength(10_000)
description?: string | null;
@IsOptional()
@IsIn(taskStatuses)
status?: 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
@IsOptional()
@IsIn(taskPriorities)
priority?: 'critical' | 'high' | 'medium' | 'low';
@IsOptional()
@IsUUID()
projectId?: string | null;
@IsOptional()
@IsUUID()
missionId?: string | null;
@IsOptional()
@IsString()
@MaxLength(255)
assignee?: string | null;
@IsOptional()
@IsArray()
@ArrayMaxSize(50)
@IsString({ each: true })
tags?: string[] | null;
@IsOptional()
@IsISO8601()
dueDate?: string | null;
@IsOptional()
@IsObject()
metadata?: Record<string, unknown> | null;
}

14
apps/gateway/tsconfig.typecheck.json Normal file
View File

@@ -0,0 +1,14 @@
{
"extends": "./tsconfig.json",
"compilerOptions": {
"rootDir": "../..",
"baseUrl": ".",
"paths": {
"@mosaic/auth": ["../../packages/auth/src/index.ts"],
"@mosaic/brain": ["../../packages/brain/src/index.ts"],
"@mosaic/coord": ["../../packages/coord/src/index.ts"],
"@mosaic/db": ["../../packages/db/src/index.ts"],
"@mosaic/types": ["../../packages/types/src/index.ts"]
}
}
}

39
pnpm-lock.yaml generated
View File

@@ -41,6 +41,9 @@ importers:
apps/gateway:
dependencies:
'@fastify/helmet':
specifier: ^13.0.2
version: 13.0.2
'@mariozechner/pi-ai':
specifier: ~0.57.1
version: 0.57.1(ws@8.19.0)(zod@4.3.6)
@@ -80,6 +83,9 @@ importers:
'@nestjs/platform-socket.io':
specifier: ^11.0.0
version: 11.1.16(@nestjs/common@11.1.16(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/websockets@11.1.16)(rxjs@7.8.2)
'@nestjs/throttler':
specifier: ^6.5.0
version: 6.5.0(@nestjs/common@11.1.16(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.16)(reflect-metadata@0.2.2)
'@nestjs/websockets':
specifier: ^11.0.0
version: 11.1.16(@nestjs/common@11.1.16(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.16)(@nestjs/platform-socket.io@11.1.16)(reflect-metadata@0.2.2)(rxjs@7.8.2)
@@ -110,6 +116,12 @@ importers:
better-auth:
specifier: ^1.5.5
version: 1.5.5(drizzle-kit@0.31.9)(drizzle-orm@0.45.1(@opentelemetry/api@1.9.0)(@types/pg@8.15.6)(kysely@0.28.11)(postgres@3.4.8))(mongodb@7.1.0(socks@2.8.7))(next@16.1.6(@opentelemetry/api@1.9.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@2.1.9(@types/node@22.19.15)(lightningcss@1.31.1))
class-transformer:
specifier: ^0.5.1
version: 0.5.1
class-validator:
specifier: ^0.15.1
version: 0.15.1
fastify:
specifier: ^5.0.0
version: 5.8.2
@@ -1361,6 +1373,9 @@ packages:
'@fastify/forwarded@3.0.1':
resolution: {integrity: sha512-JqDochHFqXs3C3Ml3gOY58zM7OqO9ENqPo0UqAjAjH8L01fRZqwX9iLeX34//kiJubF7r2ZQHtBRU36vONbLlw==}
'@fastify/helmet@13.0.2':
resolution: {integrity: sha512-tO1QMkOfNeCt9l4sG/FiWErH4QMm+RjHzbMTrgew1DYOQ2vb/6M1G2iNABBrD7Xq6dUk+HLzWW8u+rmmhQHifA==}
'@fastify/merge-json-schemas@0.2.1':
resolution: {integrity: sha512-OA3KGBCy6KtIvLf8DINC5880o5iBlDX4SxzLQS8HorJAbqluzLRn80UXU0bxZn7UOFhFgpRJDasfwn9nG4FG4A==}
@@ -1710,6 +1725,13 @@ packages:
'@nestjs/websockets': ^11.0.0
rxjs: ^7.1.0
'@nestjs/throttler@6.5.0':
resolution: {integrity: sha512-9j0ZRfH0QE1qyrj9JjIRDz5gQLPqq9yVC2nHsrosDVAfI5HHw08/aUAWx9DZLSdQf4HDkmhTTEGLrRFHENvchQ==}
peerDependencies:
'@nestjs/common': ^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0 || ^11.0.0
'@nestjs/core': ^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0 || ^11.0.0
reflect-metadata: ^0.1.13 || ^0.2.0
'@nestjs/websockets@11.1.16':
resolution: {integrity: sha512-kfLhCFsq6139JVFCQpbFB6LOEjZzdpE7JzXsZtRbVjqmsgTKVSIh8gKRgzpcq27rbLNqHhhZavboOltOfSxZow==}
peerDependencies:
@@ -3709,6 +3731,10 @@ packages:
resolution: {integrity: sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==}
engines: {node: '>=8'}
helmet@8.1.0:
resolution: {integrity: sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==}
engines: {node: '>=18.0.0'}
highlight.js@10.7.3:
resolution: {integrity: sha512-tzcUFauisWKNHaRkN4Wjl/ZA07gENAjFl3J/c480dprkGTg5EQstgaNFqBfUqCq54kZRIEcreTsAgF/m2quD7A==}
@@ -5924,6 +5950,11 @@ snapshots:
'@fastify/forwarded@3.0.1': {}
'@fastify/helmet@13.0.2':
dependencies:
fastify-plugin: 5.1.0
helmet: 8.1.0
'@fastify/merge-json-schemas@0.2.1':
dependencies:
dequal: 2.0.3
@@ -6294,6 +6325,12 @@ snapshots:
- supports-color
- utf-8-validate
'@nestjs/throttler@6.5.0(@nestjs/common@11.1.16(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.16)(reflect-metadata@0.2.2)':
dependencies:
'@nestjs/common': 11.1.16(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2)
'@nestjs/core': 11.1.16(@nestjs/common@11.1.16(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/websockets@11.1.16)(reflect-metadata@0.2.2)(rxjs@7.8.2)
reflect-metadata: 0.2.2
'@nestjs/websockets@11.1.16(@nestjs/common@11.1.16(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.16)(@nestjs/platform-socket.io@11.1.16)(reflect-metadata@0.2.2)(rxjs@7.8.2)':
dependencies:
'@nestjs/common': 11.1.16(class-transformer@0.5.1)(class-validator@0.15.1)(reflect-metadata@0.2.2)(rxjs@7.8.2)
@@ -8590,6 +8627,8 @@ snapshots:
has-flag@4.0.0: {}
helmet@8.1.0: {}
highlight.js@10.7.3: {}
hosted-git-info@9.0.2: