Jarvis
7524d6e919
fix(federation): address #494 review findings (FED-M2-04)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
H1: Replace HS256/HMAC signing with real JWK signing (ES256/RS256/ES384)
via jose SignJWT. Algorithm derived from JWK kty/crv. Provisioner
password dropped as signing input; kept only as optional env var for
PBES2-decrypt path at startup.
H2: Clamp cert TTL to 900s (15 min) in both DTO validator and issueCert().
Default changed to 300s (5 min). @Max reduced to 15*60.
H3: Real CSR validation via @peculiar/x509: parse PEM, verify self-signature,
reject weak keys (RSA<2048, bad EC curves), reject MD5/SHA-1.
New validateCsr() throws CaServiceError code INVALID_CSR on failure.
H4: Replace hardcoded \x24 DER length in federation.tpl with dynamic
printf "%c" (len ...) encoding. Add UUID-shape validation for grantId
and subjectUserId in buildOtt() with code INVALID_GRANT_ID.
H5: Load JWK into KeyObject once (lazy, cached). provisionerKeyJson raw
string not stored as class field. provisionerPassword not stored.
M1: Set JWT sub to CSR CN (extracted via @peculiar/x509) instead of URL.
M2: Add jti: crypto.randomUUID() to OTT claims.
M3: Drop top-level sha claim; keep only step.sha.
M4: extractSerial() throws CaServiceError code CERT_PARSE instead of
returning 'unknown' on failure.
M5: Set timeout: 5000 on https.RequestOptions + req.setTimeout(5000).
M6: OTT signature verified with jose.jwtVerify in tests. Added real P-256
CSR test via @peculiar/x509 generator. Added provisionerPassword
leak-check test.
M7: Constructor validates STEP_CA_URL must be https://.
Verification: typecheck ✓, 385 tests pass (16 new), lint ✓, format ✓.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 22:34:05 -05:00
Jarvis
9f5c28c0ce
feat(federation): Step-CA client service for grant certs (FED-M2-04)
- Add CaService (@Injectable) that POSTs CSRs to step-ca /1.0/sign over
HTTPS with a pinned CA root cert; builds HS256 OTT with custom claims
mosaic_grant_id and mosaic_subject_user_id plus step.sha CSR fingerprint
- Add CaServiceError with cause + remediation for fail-loud contract
- Add IssueCertRequestDto and IssuedCertDto with class-validator decorators
- Add FederationModule exporting CaService; wire into AppModule
- Replace federation.tpl TODO placeholder with real step-ca Go template
emitting OID 1.3.6.1.4.1.99999.1 (grantId) and .2 (subjectUserId) as
DER UTF8String extensions (tag 0x0C, length 0x24, base64-encoded value)
- Update infra/step-ca/init.sh to patch mosaic-fed provisioner config with
templateFile path via jq on first boot (idempotent)
- Append OID assignment registry and CA env var table to docs/federation/SETUP.md
- 11 unit tests pass: happy path, certChain fallbacks, HTTP 401/4xx, malformed
CSR (no HTTP call), non-JSON response, connection error, JWT claim assertions
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 22:34:05 -05:00
bf082d95a0
feat(federation): seal federation peer client keys at rest (FED-M2-05) (#495)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 03:10:20 +00:00
bb24292cf7
fix(federation): healthcheck + restart policy for federated-test stacks (#492)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 02:56:40 +00:00
f2cda52e1a
fix(deploy): bump gateway image digest to sha-9f1a081 [DEPLOY-IMG-FIX] (#491)
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
2026-04-22 02:35:19 +00:00
7d7cf012f0
feat(federation): scope schema validator [FED-M2-03] (#489)
ci/woodpecker/push/ci Pipeline failed
ci/woodpecker/push/publish Pipeline failed
2026-04-22 02:31:13 +00:00
c56dda74aa
feat(federation): Step-CA sidecar in federated compose [FED-M2-02] (#490)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-22 02:21:49 +00:00
9f1a08185e
docs(federation): S21 tracking — DEPLOY-01/02 done, IMG-FIX in flight, M2-01 in remediation (#487)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-22 02:02:36 +00:00
d2e408656b
fix(docker): pnpm deploy for self-contained gateway runtime image (#488)
ci/woodpecker/push/publish Pipeline failed
ci/woodpecker/push/ci Pipeline failed
2026-04-22 02:02:29 +00:00
54c278b871
feat(db): federation schema — grants/peers/audit_log [FED-M2-01] (#486)
ci/woodpecker/push/publish Pipeline failed
ci/woodpecker/push/ci Pipeline failed
2026-04-22 02:02:21 +00:00
4dbd429203
feat(deploy): portainer stack template for federation test instances [DEPLOY-02] (#485)
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
2026-04-22 01:34:44 +00:00
b985d7bfe2
docs(federation): M2 mission planning — TASKS decomposition + manifest update (#483)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-22 01:24:00 +00:00
45e8f02c91
feat(mosaic-portainer): PORTAINER_INSECURE flag for self-signed TLS (#484)
ci/woodpecker/push/publish Pipeline failed
ci/woodpecker/push/ci Pipeline failed
2026-04-22 01:21:54 +00:00
54c422ab06
Merge pull request 'docs(federation): close FED-M1 milestone' (#481) from feat/federation-m1-close into main
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/tag/publish Pipeline was successful
fed-v0.1.0-m1
2026-04-20 02:20:43 +00:00
Jarvis
b9fb8aab57
docs(federation): close FED-M1 milestone
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
- TASKS.md: mark FED-M1-12 done with PR/issue/tag references
- MISSION-MANIFEST.md: phase=M1 complete, progress 1/7, M1 row done with PR range #470-#481, session log appended
- scratchpad: Session 19 entry covering M1-09 → M1-12 with PR ledger and M1 retrospective learnings
Refs #460
2026-04-19 21:12:52 -05:00
78841f228a
docs(federation): operator setup + migration guides (FED-M1-11) (#480)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 02:07:15 +00:00
dc4afee848
fix(storage): redact credentials in driver errors + advisory lock (FED-M1-10) (#479)
ci/woodpecker/push/ci Pipeline failed
ci/woodpecker/push/publish Pipeline failed
2026-04-20 02:02:57 +00:00
1e2b8ac8de
test(federation): standalone regression canary — no breakage from M1 (FED-M1-09) (#478)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 01:46:35 +00:00
15d849c166
test(storage): integration test for migrate-tier (FED-M1-08) + camelCase column fix (#477)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-20 01:40:02 +00:00
78251d4af8
test(federation): integration tests for federated tier gateway boot (FED-M1-07) (#476)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 01:13:10 +00:00
1a4b1ebbf1
feat(gateway,storage): mosaic gateway doctor with tier health JSON (FED-M1-06) (#475)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 01:00:39 +00:00
ccad30dd27
feat(storage): mosaic storage migrate-tier with dry-run + idempotency (FED-M1-05) (#474)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 00:35:08 +00:00
4c2b177eab
feat(gateway): tier-detector with fail-fast PG/Valkey/pgvector probes (FED-M1-04) (#473)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-20 00:07:07 +00:00
58169f9979
feat(storage): pgvector adapter support gated on tier=federated (FED-M1-03) (#472)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-19 23:42:18 +00:00
51402bdb6d
feat(infra): docker-compose.federated.yml overlay (FED-M1-02) (#471)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-19 23:21:31 +00:00
9c89c32684
feat(config): add federated tier + rename team→standalone (FED-M1-01) (#470)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-19 23:11:11 +00:00
8aabb8c5b2
docs(mission): author MVP rollup manifest, archive install-ux-v2 (#469)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-19 22:51:11 +00:00
66512550df
docs(federation): PRD, milestones, mission manifest, and M1 task breakdown (#468)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-19 22:27:09 +00:00
46dd799548
docs(federation): PRD, milestones, mission manifest, and M1 task breakdown (#467)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-19 22:09:20 +00:00
5f03c05523
chore(release): @mosaicstack/mosaic 0.0.30 (#459)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-12 02:18:17 +00:00
c3f810bbd1
fix(mosaic): seed TOOLS.md from defaults on install (#458)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-12 02:02:21 +00:00
b2cbf898d7
docs(scratchpad): finalize yolo runtime hotfix evidence (#456)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
Follow-up to mosaicstack/stack#455.
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-11 17:14:00 +00:00
b2cec8c6ba
fix(mosaic): stop yolo runtime from leaking runtime name as first user message (#455)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
Fixes mosaicstack/stack#454
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-11 16:57:43 +00:00
81c1775a03
chore(release): @mosaicstack/mosaic 0.0.29 (#453)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/tag/publish Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
mosaic-v0.0.29
2026-04-08 00:42:54 +00:00
f64ec12f39
fix(installer): preserve credentials dir and seed STANDARDS.md (#452)
ci/woodpecker/push/publish Pipeline failed
ci/woodpecker/push/ci Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-08 00:40:49 +00:00
026382325c
feat(framework): superpowers enforcement, typecheck hook, file-ownership rules (#451)
ci/woodpecker/manual/ci Pipeline was successful
ci/woodpecker/manual/publish Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-04-07 00:44:22 +00:00
1bfd8570d6
chore(release): @mosaicstack/mosaic 0.0.28 (#450)
mosaic-v0.0.28
2026-04-06 00:46:31 +00:00
312acd8bad
chore: sweep mosaicstack/mosaic-stack → mosaicstack/stack + add short install URL (#448)
2026-04-06 00:39:56 +00:00
d08b969918
fix(mosaic): mask password input in TUI login prompt (#449)
2026-04-06 00:33:54 +00:00
051de0d8a9
docs: update README for mosaicstack/stack repo rename (#447)
2026-04-06 00:22:20 +00:00
bd76df1a50
feat(mosaic): drill-down main menu + provider-first flow + quick start (#446)
mosaic-v0.0.27
2026-04-06 00:15:23 +00:00
62b2ce2da1
docs: orchestrator close-out IUV-M02 (#445)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-05 23:50:55 +00:00
172bacb30f
feat(mosaic): IUV-M02 — CORS/FQDN UX polish + skill installer rework (#444)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-05 23:44:07 +00:00
43667d7349
docs: orchestrator close-out IUV-M01 — mark tasks done, append session 2 (#443)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-05 22:40:08 +00:00
783884376c
docs: mark IUV-M01 complete — mosaic-v0.0.26 released (#436) (#442)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline failed
2026-04-05 22:31:37 +00:00
c08aa6fa46
fix: add vitest.config.ts to eslint allowDefaultProject (#440 build fix) (#441)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/tag/publish Pipeline was successful
mosaic-v0.0.26
2026-04-05 22:01:57 +00:00
0ae932ab34
fix: bootstrap hotfix — DTO erasure, wizard failure, port prefill, Pi SDK copy (mosaic-v0.0.26) (#440)
ci/woodpecker/push/publish Pipeline failed
ci/woodpecker/push/ci Pipeline was successful
2026-04-05 21:43:30 +00:00
a8cd52e88c
docs: scaffold install-ux-v2 mission (#439)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-05 21:27:19 +00:00
a4c94d9a90
chore(release): @mosaicstack/mosaic 0.0.25 (#435)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/tag/publish Pipeline was successful
mosaic-v0.0.25
2026-04-05 20:53:19 +00:00
cee838d22e
docs: close out install-ux-hardening mission (#434)
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/publish Pipeline was successful
2026-04-05 19:19:54 +00:00