stack

Author	SHA1	Message	Date
Jarvis	0af3e218a1	fix(federation/auth-guard): remediate CRIT-1/CRIT-2 + HIGH-1..4 review findings All checks were successful ci/woodpecker/pr/ci Pipeline was successful Details ci/woodpecker/push/ci Pipeline was successful Details - CRIT-1: Validate cert subjectUserId against grant.subjectUserId from DB; use authoritative DB value in FederationContext - CRIT-2: Add @Inject(GrantsService) decorator (tsx/esbuild requirement) - HIGH-1: Validate UTF8String TLV tag, length, and bounds in OID parser - HIGH-2: Collapse all 403 wire messages to a generic string to prevent grant enumeration; keep internal logger detail - HIGH-3: Assert federation wire envelope shape in all guard tests - HIGH-4: Regression test for subjectUserId cert/DB mismatch Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-25 06:33:37 -05:00
Jarvis	b01c9b3bb0	feat(federation): mTLS AuthGuard with OID-based grant resolution (FED-M3-03) Adds FederationAuthGuard that validates inbound mTLS client certs on federation API routes. Extracts custom OIDs (grantId, subjectUserId), loads the grant+peer from DB in one query, asserts active status, and validates cert serial as defense-in-depth. Attaches FederationContext to requests on success and uses federation wire-format error envelopes (not raw NestJS exceptions) for 401/403 responses. New files: - apps/gateway/src/federation/oid.util.ts — shared OID extraction (no dupe ASN.1 logic) - apps/gateway/src/federation/server/federation-auth.guard.ts — guard impl - apps/gateway/src/federation/server/federation-context.ts — FederationContext type + module augment - apps/gateway/src/federation/server/index.ts — barrel export - apps/gateway/src/federation/server/__tests__/federation-auth.guard.spec.ts — 11 unit tests Modified: - apps/gateway/src/federation/grants.service.ts — adds getGrantWithPeer() with join - apps/gateway/src/federation/federation.module.ts — registers FederationAuthGuard as provider Closes #462 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-25 06:33:37 -05:00
Jarvis	37675ae3f2	fix(federation/client): serialize cache fills, destroy evicted Agent, cover env-var guard All checks were successful ci/woodpecker/pr/ci Pipeline was successful Details ci/woodpecker/push/ci Pipeline was successful Details - HIGH-A: resolveEntry now uses promise-cache pattern so concurrent callers serialize on a single in-flight build, eliminating duplicate key material in heap and duplicate DB round-trips - HIGH-B: flushPeer destroys the evicted undici Agent so stale TLS connections close on cert rotation - MED-C: add regression test for PEER_MISCONFIGURED when STEP_CA_ROOT_CERT_PATH is unset Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-23 22:56:57 -05:00
Jarvis	a4a6769a6d	fix(federation/client): pin Step-CA root, fix lockfile, harden cache test All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details CRIT-1: regenerate pnpm-lock.yaml so apps/gateway resolves undici@7.24.6 (prior PR pushed package.json without lockfile update; CI failed with ERR_PNPM_OUTDATED_LOCKFILE). Incidentally cleans 57 lines of stale peer-dep entries. CRIT-2: cache-hit test no longer swallows resolveEntry errors. Calls the private method directly twice and asserts identity equality plus a single DB select, removing the silent-failure path the prior assertion allowed. HIGH-1: mTLS Agent now pins Step-CA root via STEP_CA_ROOT_CERT_PATH. Without the env var resolveEntry throws PEER_MISCONFIGURED, refusing to dial peers against the public trust store. PEM is read once and cached on the service instance. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-23 22:30:09 -05:00
Jarvis	21650fb194	feat(federation): outbound mTLS FederationClient (FED-M3-08) Some checks failed ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/pr/ci Pipeline failed Details Implements FederationClientService — a NestJS injectable that dials peer gateways over mTLS (undici Agent with cert+sealed-key from federation_peers), invokes list/get/capabilities verbs, validates responses via Zod, and surfaces all failure modes as typed FederationClientError with a coherent error code taxonomy (PEER_NOT_FOUND, PEER_INACTIVE, PEER_MISCONFIGURED, NETWORK, FORBIDDEN, HTTP_{status}, INVALID_RESPONSE). Per-peer Agent instances are cached in a Map for the service lifetime; flushPeer(peerId) invalidates the cache for M5/M6 cert rotation and revocation events. Wired into FederationModule providers + exports so QuerySourceService (M3-09) can inject it. 13 unit tests covering all required scenarios via undici MockAgent + real sealClientKey/unsealClientKey round-trip. Closes #462 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-23 22:16:52 -05:00
jason.woltje	7342c1290d	fix(federation): use real PEM certs in enrollment + ca service tests (#507 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-24 02:43:42 +00:00
jason.woltje	fc1600b738	fix(federation): security hardening — OID verification, atomic activation, audit on failure (#501 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-22 06:02:52 +00:00
jason.woltje	0ee5b14c68	test(federation): M2 E2E peer-add enrollment flow (FED-M2-10) (#500 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 05:37:06 +00:00
jason.woltje	3eee176cc3	test(federation): M2 integration tests (FED-M2-09) (#499 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 05:08:24 +00:00
jason.woltje	74fe60d8d6	feat(federation): admin controller + CLI federation commands (FED-M2-08) (#498 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 04:39:46 +00:00
jason.woltje	0bfaa56e9e	feat(federation): enrollment controller + single-use token flow (FED-M2-07) (#497 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 04:23:19 +00:00
jason.woltje	01dd6b9fa1	feat(federation): grants service CRUD + status transitions (FED-M2-06) (#496 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 03:57:12 +00:00
jason.woltje	1038ae76e1	feat(federation): Step-CA client service for grant certs (FED-M2-04) (#494 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 03:34:37 +00:00
jason.woltje	bf082d95a0	feat(federation): seal federation peer client keys at rest (FED-M2-05) (#495 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-22 03:10:20 +00:00
jason.woltje	7d7cf012f0	feat(federation): scope schema validator [FED-M2-03] (#489 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-22 02:31:13 +00:00
jason.woltje	78251d4af8	test(federation): integration tests for federated tier gateway boot (FED-M1-07) (#476 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-20 01:13:10 +00:00
jason.woltje	1a4b1ebbf1	feat(gateway,storage): mosaic gateway doctor with tier health JSON (FED-M1-06) (#475 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-20 01:00:39 +00:00
jason.woltje	4c2b177eab	feat(gateway): tier-detector with fail-fast PG/Valkey/pgvector probes (FED-M1-04) (#473 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-20 00:07:07 +00:00
jason.woltje	312acd8bad	chore: sweep mosaicstack/mosaic-stack → mosaicstack/stack + add short install URL (#448 )	2026-04-06 00:39:56 +00:00
jason.woltje	c08aa6fa46	fix: add vitest.config.ts to eslint allowDefaultProject (#440 build fix) (#441 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details ci/woodpecker/tag/publish Pipeline was successful Details	2026-04-05 22:01:57 +00:00
jason.woltje	0ae932ab34	fix: bootstrap hotfix — DTO erasure, wizard failure, port prefill, Pi SDK copy (mosaic-v0.0.26) (#440 ) Some checks failed ci/woodpecker/push/publish Pipeline failed Details ci/woodpecker/push/ci Pipeline was successful Details	2026-04-05 21:43:30 +00:00
Jarvis	31008ef7ff	fix: update Gitea org references from mosaic/ to mosaicstack/ All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details - Update all package.json repo URLs (mosaic/mosaic-stack → mosaicstack/mosaic-stack) - Update npm registry URLs (/api/packages/mosaic/npm → /api/packages/mosaicstack/npm) - Update woodpecker publish destinations - Update tools/install.sh registry and repo base URLs	2026-04-04 22:31:20 -05:00
Jarvis	774b76447d	fix: rename all packages from @mosaic/* to @mosaicstack/* Some checks failed ci/woodpecker/pr/ci Pipeline failed Details ci/woodpecker/push/ci Pipeline failed Details - Updated all package.json name fields and dependency references - Updated all TypeScript/JavaScript imports - Updated .woodpecker/publish.yml filters and registry paths - Updated tools/install.sh scope default - Updated .npmrc registry paths (worktree + host) - Enhanced update-checker.ts with checkForAllUpdates() multi-package support - Updated CLI update command to show table of all packages - Added KNOWN_PACKAGES, formatAllPackagesTable, getInstallAllCommand - Marked checkForUpdate() with @deprecated JSDoc Closes #391	2026-04-04 21:43:23 -05:00
jason.woltje	80994bdc8e	fix(packages): bump db/memory/queue for PGlite + adapter factories (#389 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-05 02:20:23 +00:00
jason.woltje	255ba46a4d	fix(packages): republish @mosaic/config and bump dependents (#386 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-05 01:56:57 +00:00
jason.woltje	c0d0fd44b7	refactor(storage): replace better-sqlite3 with PGlite adapter (#378 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-04 21:58:14 +00:00
jason.woltje	30c0fb1308	fix: remediate npm deprecation warnings in @mosaic/gateway 0.0.3 (#377 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-04 21:03:54 +00:00
jason.woltje	e3f64c79d9	chore: move gateway default port from 4000 to 14242 (#375 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-04 20:17:40 +00:00
jason.woltje	fc7fa11923	feat: local tier gateway with PGlite + Gitea-only publishing (#371 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-04 18:39:20 +00:00
jason.woltje	86d6c214fe	feat: gateway publishability + npmjs publish script (#370 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-04 18:07:05 +00:00
jason.woltje	39ccba95d0	feat: mosaic gateway CLI daemon management + admin token auth (#369 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-04 18:03:12 +00:00
Jarvis	04a80fb9ba	feat(config): add MosaicConfig schema + loader with tier auto-detection Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-02 21:03:00 -05:00
Jarvis	e128a7a322	feat(gateway): wire adapter factories + DI tokens alongside existing providers Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-02 20:44:11 -05:00
Jarvis	e084a88a9d	chore: bump all packages to 0.0.2 — drop alpha prerelease tag All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details Switches from 0.0.1-alpha.2 to 0.0.2. Clean semver, no prerelease suffixes. We're still alpha (0.0.x range).	2026-04-02 20:03:55 -05:00
jason.woltje	0d12471868	feat: add web search, file edit, MCP management, file refs, and /stop to CLI/TUI (#348 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline was successful Details	2026-04-02 18:08:30 +00:00
Jason Woltje	e599f5fe38	fix(web): add public/ directory — fixes Docker build COPY failure All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details Kaniko fails when COPY --from=builder references a path that doesn't exist. The web app had no public/ directory, causing build-web to fail with 'no such file or directory' on the public assets COPY step.	2026-04-01 13:09:03 -05:00
Jason Woltje	316807581c	fix: parse VALKEY_URL into RedisOptions object for BullMQ connection BullMQ v5 RedisConnection constructor does: Object.assign({ port: 6379, host: '127.0.0.1' }, opts) When opts is a URL string (via 'as unknown as ConnectionOptions'), Object.assign only copies character-index properties from the string, so the default port 6379 was never overridden — causing ECONNREFUSED against the wrong port instead of the configured 6380. Fix: parse VALKEY_URL with new URL() and return a plain RedisOptions object { host, port, ... } so Object.assign merges it correctly.	2026-03-30 20:42:03 -05:00
Jason Woltje	a532fd43b2	feat(M6-006,M6-007,M7-001,M7-002): admin jobs API, job event logging, channel adapter interface, message protocol (#325 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-23 01:21:03 +00:00
Jason Woltje	701bb69e6c	feat(M4-013,M5-001,M5-002,M5-003): routing e2e tests, agent config loading, model+agent switching (#323 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-23 01:09:09 +00:00
Jason Woltje	1035d13fc0	feat(M5-004,M5-005,M5-006,M5-007): session-conversation binding, session:info broadcast, agent creation from TUI, and session metrics (#321 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-23 00:58:07 +00:00
Jason Woltje	b18976a7aa	feat(M4-009,M4-010,M4-011): routing rules CRUD, per-user overrides, agent capabilities (#320 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-23 00:48:42 +00:00
Jason Woltje	9b22477643	feat(routing): implement routing decision pipeline — M4-006 (#318 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-23 00:41:04 +00:00
Jason Woltje	6a969fbf5f	fix(ci)+feat(M3-010/011): skip DB-gated tests in CI + provider_credentials migration (#317 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-23 00:34:31 +00:00
Jason Woltje	fa84bde6f6	feat(routing): task classifier + default rules + CI test fixes — M4-004/005 (#316 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-23 00:26:49 +00:00
Jason Woltje	0ee6bfe9de	feat(routing): routing_rules schema + types — M4-001/002/003 (#315 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-23 00:08:56 +00:00
Jason Woltje	10761f3e47	feat(providers): OpenRouter adapter + Ollama embedding support — M3-004/006 (#311 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/pr/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-21 21:38:09 +00:00
Jason Woltje	08da6b76d1	feat(M3-003): OpenAI provider adapter for Codex gpt-5.4 (#310 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-21 21:35:43 +00:00
Jason Woltje	5d4efb467c	feat(M3-002): implement AnthropicAdapter for Claude Sonnet 4.6, Opus 4.6, and Haiku 4.5 (#309 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-21 21:33:55 +00:00
Jason Woltje	6c6bcbdb7f	feat(M3-007,M3-009): provider health check scheduler and Ollama embedding default (#308 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-21 21:30:15 +00:00
Jason Woltje	34d4dbbabd	feat(M3-008): define model capability matrix (#303 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-21 21:19:07 +00:00

1 2 3

145 Commits