stack

Author	SHA1	Message	Date
Hermes Agent	46d828f166	fix(framework/tools): self-review fixes from defect survey (#546 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/pr/ci Pipeline failed Details Two defects an independent survey of the tooling surface found in the new helpers, fixed pre-gate: - lane-brief.sh: label filter used jq contains() (substring) — `-l security` wrongly matched label `domain/6-security`. Now exact-token match against tea's space-separated labels string. Verified live: `-l security` -> 0, `-l domain/6-security` -> the real holders. - ci-wait.sh: unknown owner silently defaulted to the `usc` Woodpecker instance (wrong credentials, wrong pipelines). Now fails hard requiring `-a <instance>`, matching lane-brief's FATAL-on-unresolved behavior. Verified: usc owner still infers and exits 0; unknown owner exits 2 with guidance. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Kt2D8TsnDwhtzEAPijsNmR	2026-06-18 13:45:06 -05:00
Hermes Agent	d7028f959b	feat(framework/tools): orchestration helpers — lane-brief.sh + ci-wait.sh (#546 ) Some checks failed ci/woodpecker/push/ci Pipeline was canceled Details ci/woodpecker/pr/ci Pipeline was canceled Details Two additive orchestration tools distilled from forensic analysis of a live U-Connect delivery session, both adopted by the live orchestrator before this contribution. lane-brief.sh (git/): one call returns the CURRENT open issue set for a repo lane (milestone/label) from Gitea, classified for dispatch. Defeats stale worker self-report (workers brief from static notes and report already-CLOSED issues as "todo"). Closed excluded by definition; partitions by PR-linkage (reliable) not assignee/dependency (empty in this fleet). Login resolution: -L > $GITEA_LOGIN > owner inference > detect-platform.sh fallback. ci-wait.sh (woodpecker/): blocks until pipeline(s) reach terminal state, wrapping pipeline-status.sh (resolves repo->id, instance-aware). Replaces hand-rolled `curl .../repos/1/pipelines/$n` loops that hardcode repo id 1. Intended as a Monitor command + long (>=1500s) timed fallback, not a tight poll. Exit 0=all success / 1=terminal non-success / 2=usage / 3=timeout. Tested live vs usc/uconnect. README updated. No version bump (separate release PR per convention). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Kt2D8TsnDwhtzEAPijsNmR	2026-06-18 13:30:13 -05:00
jason.woltje	b8807e60df	feat(agent-reflection): durable kernel — reflection.v1 capture + risk-floor + Phase-0 (#545 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-06-16 21:35:40 +00:00
jason.woltje	c461380a4a	feat(mosaic-as): agent registration + scoped/revocable tokens (US-007) (#541 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-06-16 01:10:44 +00:00
jason.woltje	98a771c8f8	Fix Gitea wrapper login resolution (#538 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-06-12 02:34:18 +00:00
jason.woltje	bd9527c033	docs(framework): canonize merge-authority policy (hard gate 13 + E2E gate note) (#537 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-06-11 23:56:20 +00:00
jason.woltje	aa221bf92e	release(mosaic): bump @mosaicstack/mosaic 0.0.30 -> 0.0.31 (#534 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details ci/woodpecker/tag/publish Pipeline was successful Details mosaic-v0.0.31	2026-06-11 19:55:43 +00:00
jason.woltje	799df40f4e	feat(appservice): room provisioning (M4c) (#535 ) Some checks failed ci/woodpecker/push/publish Pipeline was canceled Details ci/woodpecker/push/ci Pipeline was canceled Details	2026-06-11 19:50:55 +00:00
jason.woltje	b79e9f32c6	chore(framework): canonize Vault-as-SSOT + ESO-default secrets policy (#519 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-06-11 19:07:00 +00:00
jason.woltje	89d69eb23b	docs: add mission control and coordination resilience docs (#511 ) Some checks failed ci/woodpecker/push/ci Pipeline was canceled Details ci/woodpecker/push/publish Pipeline was canceled Details	2026-06-11 19:06:35 +00:00
jason.woltje	59b611ba8a	refactor(framework): thin-core prompt diet — cut injected contract ~53% (#529 ) Some checks failed ci/woodpecker/push/ci Pipeline was canceled Details ci/woodpecker/push/publish Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details	2026-06-11 18:10:42 +00:00
jason.woltje	dfa0be42f6	feat(framework/tools): inter-agent tmux comms — agent-send.sh + addressing standard (#533 ) Some checks failed ci/woodpecker/push/ci Pipeline was canceled Details ci/woodpecker/push/publish Pipeline was canceled Details	2026-06-11 18:01:44 +00:00
jason.woltje	bb96a3f23e	ci: publish mosaic-as appservice image (#532 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-06-10 23:00:38 +00:00
jason.woltje	48b2f28e45	feat(appservice): mosaic-as daemon host + container (M4a) (#531 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-06-10 22:16:28 +00:00
jason.woltje	8f09c910a9	feat(appservice): Matrix Application Service core library (M4a) (#530 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-06-10 21:23:25 +00:00
jason.woltje	dde95a59b3	fix(pi): reduce startup skill-token overhead (#527 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-06-05 18:36:42 +00:00
jason.woltje	821e19dcbb	fix(mosaic-tools): roll up Gitea and Woodpecker wrapper fixes (#524 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-05-26 20:56:09 +00:00
jason.woltje	755df9079e	Merge pull request 'fix(db): bootstrap migrations on local-tier gateway startup' (#510 ) from fix/db-bootstrap-migrations into main	2026-05-04 22:13:14 +00:00
jason.woltje	ac5650d9f9	fix(db): bootstrap migrations on local-tier gateway startup Fresh `mosaic gateway install` (npm) left the gateway DB schema empty — sign-in 500'd with `relation "users" does not exist`, and every entry point (auth, bootstrap setup) failed because they all query the users table first. Five stacked bugs on the local (PGlite) tier: 1. `packages/db/package.json` `files: ["dist"]` excluded the `drizzle/` SQL migrations from the published tarball. 2. `runMigrations()` only supports postgres-js — unusable for embedded PGlite. 3. `apps/gateway/src/database/database.module.ts` never invoked migrations at startup. 4. `createPgliteDb` didn't load pgvector, so migration 0001's `CREATE EXTENSION vector` failed. 5. Drizzle's PG migrator wraps every migration in one outer transaction, which trips Postgres' `check_safe_enum_use` on migration 0009 (`ALTER TYPE ADD VALUE 'pending'` → `SET DEFAULT 'pending'` in the same tx). Changes: - Ship `drizzle/` in the published tarball. - `createPgliteDb` loads `@electric-sql/pglite/vector`. - New `runPgliteMigrations(handle)` walks the Drizzle journal and runs each statement-breakpoint chunk through PGlite's `client.exec()` (autocommit per statement). Records into `drizzle.__drizzle_migrations` for interop with the postgres-js path. Per-statement try/catch surfaces which statement of which migration failed. - `DatabaseModule` runs migrations in `OnModuleInit` before `app.listen()`. Local tier: explicit `runPgliteMigrations` then `storageAdapter.migrate()`. Postgres tier: just `storageAdapter.migrate()`, which already calls `runMigrations(url)` internally — no double-call. - Removed `packages/storage/src/test-utils/pglite-with-vector.ts`. The "intentionally not exported" rationale is moot now that migration 0001 forces pgvector load anyway. The integration test uses `createPgliteDb` + `runPgliteMigrations` from `@mosaicstack/db`. Tests: BetterAuth tables exist after migrate; idempotent (re-runs 0009); partial-failure surfaces statement-level context and leaves no ledger row. QA on a fresh PGlite install: - `Applying PGlite schema migrations...` then `Initializing storage adapter (pglite)...` in startup log. - `GET /api/bootstrap/status` → `{"needsSetup":true}` HTTP 200 (was 500). - `POST /api/bootstrap/setup` reaches Zod validator (was 500). Scope: this PR fixes the local (PGlite) tier. Postgres-tier first install still has the outer-transaction problem and a journal ordering bug (0009's `when` < 0008's). Documented inline as TODO and in the scratchpad — needs a separate change with real-Postgres validation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 17:06:50 -05:00
jason.woltje	bd83f86740	Merge pull request 'feat(federation): mTLS AuthGuard with OID-based grant resolution (FED-M3-03)' (#509 ) from feat/federation-m3-auth-guard into main All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-25 13:27:20 +00:00
Jarvis	0af3e218a1	fix(federation/auth-guard): remediate CRIT-1/CRIT-2 + HIGH-1..4 review findings All checks were successful ci/woodpecker/pr/ci Pipeline was successful Details ci/woodpecker/push/ci Pipeline was successful Details - CRIT-1: Validate cert subjectUserId against grant.subjectUserId from DB; use authoritative DB value in FederationContext - CRIT-2: Add @Inject(GrantsService) decorator (tsx/esbuild requirement) - HIGH-1: Validate UTF8String TLV tag, length, and bounds in OID parser - HIGH-2: Collapse all 403 wire messages to a generic string to prevent grant enumeration; keep internal logger detail - HIGH-3: Assert federation wire envelope shape in all guard tests - HIGH-4: Regression test for subjectUserId cert/DB mismatch Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-25 06:33:37 -05:00
Jarvis	b01c9b3bb0	feat(federation): mTLS AuthGuard with OID-based grant resolution (FED-M3-03) Adds FederationAuthGuard that validates inbound mTLS client certs on federation API routes. Extracts custom OIDs (grantId, subjectUserId), loads the grant+peer from DB in one query, asserts active status, and validates cert serial as defense-in-depth. Attaches FederationContext to requests on success and uses federation wire-format error envelopes (not raw NestJS exceptions) for 401/403 responses. New files: - apps/gateway/src/federation/oid.util.ts — shared OID extraction (no dupe ASN.1 logic) - apps/gateway/src/federation/server/federation-auth.guard.ts — guard impl - apps/gateway/src/federation/server/federation-context.ts — FederationContext type + module augment - apps/gateway/src/federation/server/index.ts — barrel export - apps/gateway/src/federation/server/__tests__/federation-auth.guard.spec.ts — 11 unit tests Modified: - apps/gateway/src/federation/grants.service.ts — adds getGrantWithPeer() with join - apps/gateway/src/federation/federation.module.ts — registers FederationAuthGuard as provider Closes #462 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-25 06:33:37 -05:00
jason.woltje	b67f2c9f08	Merge pull request 'feat(federation): outbound mTLS FederationClient (FED-M3-08)' (#508 ) from feat/federation-m3-client into main All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-24 04:30:29 +00:00
Jarvis	37675ae3f2	fix(federation/client): serialize cache fills, destroy evicted Agent, cover env-var guard All checks were successful ci/woodpecker/pr/ci Pipeline was successful Details ci/woodpecker/push/ci Pipeline was successful Details - HIGH-A: resolveEntry now uses promise-cache pattern so concurrent callers serialize on a single in-flight build, eliminating duplicate key material in heap and duplicate DB round-trips - HIGH-B: flushPeer destroys the evicted undici Agent so stale TLS connections close on cert rotation - MED-C: add regression test for PEER_MISCONFIGURED when STEP_CA_ROOT_CERT_PATH is unset Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-23 22:56:57 -05:00
Jarvis	a4a6769a6d	fix(federation/client): pin Step-CA root, fix lockfile, harden cache test All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details CRIT-1: regenerate pnpm-lock.yaml so apps/gateway resolves undici@7.24.6 (prior PR pushed package.json without lockfile update; CI failed with ERR_PNPM_OUTDATED_LOCKFILE). Incidentally cleans 57 lines of stale peer-dep entries. CRIT-2: cache-hit test no longer swallows resolveEntry errors. Calls the private method directly twice and asserts identity equality plus a single DB select, removing the silent-failure path the prior assertion allowed. HIGH-1: mTLS Agent now pins Step-CA root via STEP_CA_ROOT_CERT_PATH. Without the env var resolveEntry throws PEER_MISCONFIGURED, refusing to dial peers against the public trust store. PEM is read once and cached on the service instance. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-23 22:30:09 -05:00
Jarvis	21650fb194	feat(federation): outbound mTLS FederationClient (FED-M3-08) Some checks failed ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/pr/ci Pipeline failed Details Implements FederationClientService — a NestJS injectable that dials peer gateways over mTLS (undici Agent with cert+sealed-key from federation_peers), invokes list/get/capabilities verbs, validates responses via Zod, and surfaces all failure modes as typed FederationClientError with a coherent error code taxonomy (PEER_NOT_FOUND, PEER_INACTIVE, PEER_MISCONFIGURED, NETWORK, FORBIDDEN, HTTP_{status}, INVALID_RESPONSE). Per-peer Agent instances are cached in a Map for the service lifetime; flushPeer(peerId) invalidates the cache for M5/M6 cert rotation and revocation events. Wired into FederationModule providers + exports so QuerySourceService (M3-09) can inject it. 13 unit tests covering all required scenarios via undici MockAgent + real sealClientKey/unsealClientKey round-trip. Closes #462 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-23 22:16:52 -05:00
jason.woltje	89c733e0b9	feat(federation): two-gateway test harness scaffold (FED-M3-02) (#505 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-24 03:01:25 +00:00
jason.woltje	ee3f2defd9	feat(types): federation v1 DTOs (FED-M3-01) (#506 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-24 02:54:40 +00:00
jason.woltje	7342c1290d	fix(federation): use real PEM certs in enrollment + ca service tests (#507 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-24 02:43:42 +00:00
jason.woltje	e64ddd2c1c	docs(federation): M3 mission planning — 14-task decomposition (#504 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-24 01:13:40 +00:00
jason.woltje	4ece6dc643	chore(federation): M2 milestone close (FED-M2-13) (#503 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/tag/publish Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details fed-v0.2.0-m2	2026-04-22 06:09:54 +00:00
jason.woltje	194c3b603e	docs(federation): M2 Step-CA setup guide + admin CLI reference (FED-M2-12) (#502 ) Some checks failed ci/woodpecker/push/publish Pipeline failed Details ci/woodpecker/push/ci Pipeline failed Details	2026-04-22 06:06:45 +00:00
jason.woltje	fc1600b738	fix(federation): security hardening — OID verification, atomic activation, audit on failure (#501 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-22 06:02:52 +00:00
jason.woltje	0ee5b14c68	test(federation): M2 E2E peer-add enrollment flow (FED-M2-10) (#500 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 05:37:06 +00:00
jason.woltje	3eee176cc3	test(federation): M2 integration tests (FED-M2-09) (#499 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 05:08:24 +00:00
jason.woltje	74fe60d8d6	feat(federation): admin controller + CLI federation commands (FED-M2-08) (#498 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 04:39:46 +00:00
jason.woltje	0bfaa56e9e	feat(federation): enrollment controller + single-use token flow (FED-M2-07) (#497 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 04:23:19 +00:00
jason.woltje	01dd6b9fa1	feat(federation): grants service CRUD + status transitions (FED-M2-06) (#496 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 03:57:12 +00:00
jason.woltje	1038ae76e1	feat(federation): Step-CA client service for grant certs (FED-M2-04) (#494 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 03:34:37 +00:00
jason.woltje	bf082d95a0	feat(federation): seal federation peer client keys at rest (FED-M2-05) (#495 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 03:10:20 +00:00
jason.woltje	bb24292cf7	fix(federation): healthcheck + restart policy for federated-test stacks (#492 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 02:56:40 +00:00
jason.woltje	f2cda52e1a	fix(deploy): bump gateway image digest to sha-9f1a081 [DEPLOY-IMG-FIX] (#491 ) All checks were successful ci/woodpecker/push/publish Pipeline was successful Details ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details	2026-04-22 02:35:19 +00:00
jason.woltje	7d7cf012f0	feat(federation): scope schema validator [FED-M2-03] (#489 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-22 02:31:13 +00:00
jason.woltje	c56dda74aa	feat(federation): Step-CA sidecar in federated compose [FED-M2-02] (#490 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-22 02:21:49 +00:00
jason.woltje	9f1a08185e	docs(federation): S21 tracking — DEPLOY-01/02 done, IMG-FIX in flight, M2-01 in remediation (#487 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 02:02:36 +00:00
jason.woltje	d2e408656b	fix(docker): pnpm deploy for self-contained gateway runtime image (#488 ) Some checks failed ci/woodpecker/push/publish Pipeline failed Details ci/woodpecker/push/ci Pipeline failed Details	2026-04-22 02:02:29 +00:00
jason.woltje	54c278b871	feat(db): federation schema — grants/peers/audit_log [FED-M2-01] (#486 ) Some checks failed ci/woodpecker/push/publish Pipeline failed Details ci/woodpecker/push/ci Pipeline failed Details	2026-04-22 02:02:21 +00:00
jason.woltje	4dbd429203	feat(deploy): portainer stack template for federation test instances [DEPLOY-02] (#485 ) All checks were successful ci/woodpecker/push/publish Pipeline was successful Details ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details	2026-04-22 01:34:44 +00:00
jason.woltje	b985d7bfe2	docs(federation): M2 mission planning — TASKS decomposition + manifest update (#483 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-22 01:24:00 +00:00
jason.woltje	45e8f02c91	feat(mosaic-portainer): PORTAINER_INSECURE flag for self-signed TLS (#484 ) Some checks failed ci/woodpecker/push/publish Pipeline failed Details ci/woodpecker/push/ci Pipeline failed Details	2026-04-22 01:21:54 +00:00

1 2 3 4 5 ...

442 Commits