Jarvis
55c870f421
fix(federation): security hardening — OID verification, atomic activation, audit on failure
ci/woodpecker/push/ci Pipeline failed
ci/woodpecker/pr/ci Pipeline failed
CRIT-1: Add post-issuance OID verification in CaService.issueCert() — parses
the returned cert with @peculiar/x509 and validates that OIDs 1.3.6.1.4.1.99999.1
(mosaic_grant_id) and 1.3.6.1.4.1.99999.2 (mosaic_subject_user_id) are present
and match the request values. Throws CaServiceError on mismatch or absence.
CRIT-2: Guard grant activation in the redeem() transaction with
WHERE status='pending' (RETURNING to detect no-op). Throw ConflictException
if the grant was already activated. Also add WHERE state='pending' guard on
the federationPeers UPDATE.
HIGH-2: Remove 90-day silent fallback in extractCertNotAfter() — an unparseable
cert now propagates as a 500 error rather than silently setting a wrong expiry.
HIGH-4: Log only the first 8 hex chars of the enrollment token in the issueCert
failure error log — never log the full 64-char token.
HIGH-5: Wrap redeem() body in try/catch; write a best-effort failure audit row
(outside transaction, .catch(() => {}) guarded) on any error path so all
enrollment attempts are audited regardless of outcome.
MED-3: Verify grantId ↔ peerId binding in createToken() before inserting the
token — prevents cross-wiring a grant to an attacker-controlled peer.
Closes #461
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-22 00:49:35 -05:00
0ee5b14c68
test(federation): M2 E2E peer-add enrollment flow (FED-M2-10) (#500)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 05:37:06 +00:00
3eee176cc3
test(federation): M2 integration tests (FED-M2-09) (#499)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 05:08:24 +00:00
74fe60d8d6
feat(federation): admin controller + CLI federation commands (FED-M2-08) (#498)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 04:39:46 +00:00
0bfaa56e9e
feat(federation): enrollment controller + single-use token flow (FED-M2-07) (#497)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 04:23:19 +00:00
01dd6b9fa1
feat(federation): grants service CRUD + status transitions (FED-M2-06) (#496)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 03:57:12 +00:00
1038ae76e1
feat(federation): Step-CA client service for grant certs (FED-M2-04) (#494)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 03:34:37 +00:00
bf082d95a0
feat(federation): seal federation peer client keys at rest (FED-M2-05) (#495)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 03:10:20 +00:00
bb24292cf7
fix(federation): healthcheck + restart policy for federated-test stacks (#492)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 02:56:40 +00:00
f2cda52e1a
fix(deploy): bump gateway image digest to sha-9f1a081 [DEPLOY-IMG-FIX] (#491)
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
2026-04-22 02:35:19 +00:00
7d7cf012f0
feat(federation): scope schema validator [FED-M2-03] (#489)
ci/woodpecker/push/ci Pipeline failed
ci/woodpecker/push/publish Pipeline failed
2026-04-22 02:31:13 +00:00
c56dda74aa
feat(federation): Step-CA sidecar in federated compose [FED-M2-02] (#490)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-22 02:21:49 +00:00
9f1a08185e
docs(federation): S21 tracking — DEPLOY-01/02 done, IMG-FIX in flight, M2-01 in remediation (#487)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 02:02:36 +00:00
d2e408656b
fix(docker): pnpm deploy for self-contained gateway runtime image (#488)
ci/woodpecker/push/publish Pipeline failed
ci/woodpecker/push/ci Pipeline failed
2026-04-22 02:02:29 +00:00
54c278b871
feat(db): federation schema — grants/peers/audit_log [FED-M2-01] (#486)
ci/woodpecker/push/publish Pipeline failed
ci/woodpecker/push/ci Pipeline failed
2026-04-22 02:02:21 +00:00
4dbd429203
feat(deploy): portainer stack template for federation test instances [DEPLOY-02] (#485)
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
2026-04-22 01:34:44 +00:00
b985d7bfe2
docs(federation): M2 mission planning — TASKS decomposition + manifest update (#483)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-22 01:24:00 +00:00
45e8f02c91
feat(mosaic-portainer): PORTAINER_INSECURE flag for self-signed TLS (#484)
ci/woodpecker/push/publish Pipeline failed
ci/woodpecker/push/ci Pipeline failed
2026-04-22 01:21:54 +00:00
54c422ab06
Merge pull request 'docs(federation): close FED-M1 milestone' (#481) from feat/federation-m1-close into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/tag/publish Pipeline was successful
fed-v0.1.0-m1
2026-04-20 02:20:43 +00:00
Jarvis
b9fb8aab57
docs(federation): close FED-M1 milestone
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
- TASKS.md: mark FED-M1-12 done with PR/issue/tag references
- MISSION-MANIFEST.md: phase=M1 complete, progress 1/7, M1 row done with PR range #470-#481, session log appended
- scratchpad: Session 19 entry covering M1-09 → M1-12 with PR ledger and M1 retrospective learnings
Refs #460
2026-04-19 21:12:52 -05:00
78841f228a
docs(federation): operator setup + migration guides (FED-M1-11) (#480)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 02:07:15 +00:00
dc4afee848
fix(storage): redact credentials in driver errors + advisory lock (FED-M1-10) (#479)
ci/woodpecker/push/ci Pipeline failed
ci/woodpecker/push/publish Pipeline failed
2026-04-20 02:02:57 +00:00
1e2b8ac8de
test(federation): standalone regression canary — no breakage from M1 (FED-M1-09) (#478)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 01:46:35 +00:00
15d849c166
test(storage): integration test for migrate-tier (FED-M1-08) + camelCase column fix (#477)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-20 01:40:02 +00:00
78251d4af8
test(federation): integration tests for federated tier gateway boot (FED-M1-07) (#476)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 01:13:10 +00:00
1a4b1ebbf1
feat(gateway,storage): mosaic gateway doctor with tier health JSON (FED-M1-06) (#475)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 01:00:39 +00:00
ccad30dd27
feat(storage): mosaic storage migrate-tier with dry-run + idempotency (FED-M1-05) (#474)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 00:35:08 +00:00
4c2b177eab
feat(gateway): tier-detector with fail-fast PG/Valkey/pgvector probes (FED-M1-04) (#473)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 00:07:07 +00:00
58169f9979
feat(storage): pgvector adapter support gated on tier=federated (FED-M1-03) (#472)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-19 23:42:18 +00:00
51402bdb6d
feat(infra): docker-compose.federated.yml overlay (FED-M1-02) (#471)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-19 23:21:31 +00:00
9c89c32684
feat(config): add federated tier + rename team→standalone (FED-M1-01) (#470)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-19 23:11:11 +00:00
8aabb8c5b2
docs(mission): author MVP rollup manifest, archive install-ux-v2 (#469)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-19 22:51:11 +00:00
66512550df
docs(federation): PRD, milestones, mission manifest, and M1 task breakdown (#468)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-19 22:27:09 +00:00
46dd799548
docs(federation): PRD, milestones, mission manifest, and M1 task breakdown (#467)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-19 22:09:20 +00:00
5f03c05523
chore(release): @mosaicstack/mosaic 0.0.30 (#459)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-12 02:18:17 +00:00
c3f810bbd1
fix(mosaic): seed TOOLS.md from defaults on install (#458)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-12 02:02:21 +00:00
b2cbf898d7
docs(scratchpad): finalize yolo runtime hotfix evidence (#456)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
Follow-up to mosaicstack/stack#455.
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-11 17:14:00 +00:00
b2cec8c6ba
fix(mosaic): stop yolo runtime from leaking runtime name as first user message (#455)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
Fixes mosaicstack/stack#454
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-11 16:57:43 +00:00
81c1775a03
chore(release): @mosaicstack/mosaic 0.0.29 (#453)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/tag/publish Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
mosaic-v0.0.29
2026-04-08 00:42:54 +00:00
f64ec12f39
fix(installer): preserve credentials dir and seed STANDARDS.md (#452)
ci/woodpecker/push/publish Pipeline failed
ci/woodpecker/push/ci Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-08 00:40:49 +00:00
026382325c
feat(framework): superpowers enforcement, typecheck hook, file-ownership rules (#451)
ci/woodpecker/manual/ci Pipeline was successful
ci/woodpecker/manual/publish Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-07 00:44:22 +00:00
1bfd8570d6
chore(release): @mosaicstack/mosaic 0.0.28 (#450)
mosaic-v0.0.28
2026-04-06 00:46:31 +00:00
312acd8bad
chore: sweep mosaicstack/mosaic-stack → mosaicstack/stack + add short install URL (#448)
2026-04-06 00:39:56 +00:00
d08b969918
fix(mosaic): mask password input in TUI login prompt (#449)
2026-04-06 00:33:54 +00:00
051de0d8a9
docs: update README for mosaicstack/stack repo rename (#447)
2026-04-06 00:22:20 +00:00
bd76df1a50
feat(mosaic): drill-down main menu + provider-first flow + quick start (#446)
mosaic-v0.0.27
2026-04-06 00:15:23 +00:00
62b2ce2da1
docs: orchestrator close-out IUV-M02 (#445)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-05 23:50:55 +00:00
172bacb30f
feat(mosaic): IUV-M02 — CORS/FQDN UX polish + skill installer rework (#444)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-05 23:44:07 +00:00
43667d7349
docs: orchestrator close-out IUV-M01 — mark tasks done, append session 2 (#443)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-05 22:40:08 +00:00
783884376c
docs: mark IUV-M01 complete — mosaic-v0.0.26 released (#436) (#442)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-05 22:31:37 +00:00