mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

Compare commits

base: mosaicstack:9f44a390ba1cf64d315076d169cef477e43a848e
Branches Tags
mosaicstack:main mosaicstack:release/mosaic-v0.0.29 mosaicstack:fix/installer-idempotent-creds mosaicstack:feat/framework-superpowers-enforcement mosaicstack:feat/install-ux-intent mosaicstack:feat/install-ux-polish mosaicstack:docs/iuv-m01-complete mosaicstack:fix/build-vitest-allowdefault mosaicstack:fix/bootstrap-hotfix mosaicstack:docs/install-ux-v2-scaffold mosaicstack:release/mosaic-v0.0.25 mosaicstack:docs/iuh-mission-complete mosaicstack:feat/unified-first-run mosaicstack:docs/iuh-m02-complete mosaicstack:feat/wizard-remediation mosaicstack:feat/mosaic-macp-cli mosaicstack:fix/gateway-token-recovery-review mosaicstack:feat/mosaic-auth-cli mosaicstack:feat/mosaic-forge-cli-v2 mosaicstack:feat/mosaic-storage-cli mosaicstack:feat/mosaic-memory-cli mosaicstack:feat/gateway-token-recovery mosaicstack:feat/mosaic-forge-cli mosaicstack:feat/mosaic-config-command mosaicstack:feat/mosaic-queue-cli mosaicstack:feat/mosaic-brain-cli mosaicstack:feat/mosaic-help-alphabetize mosaicstack:docs/gateway-token-recovery-plan mosaicstack:chore/bump-mosaic-0.0.21 mosaicstack:fix/populate-known-packages-list mosaicstack:fix/publish-loud-errors mosaicstack:fix/gitea-org-rename mosaicstack:fix/gateway-install-ux mosaicstack:fix/rename-mosaic-scope-391 mosaicstack:fix/db-memory-queue-publish-drift mosaicstack:fix/updater-wrapper-gitea-387 mosaicstack:fix/config-package-version-drift mosaicstack:fix/updater-mosaic-package-382 mosaicstack:fix/merge-cli-into-mosaic mosaicstack:fix/metapackage-cli-dep mosaicstack:chore/bump-cli-mosaic-0.0.16 mosaicstack:fix/gateway-deprecation-warnings mosaicstack:fix/gateway-install-prefix-eacces mosaicstack:chore/gateway-default-port-14242 mosaicstack:fix/gateway-scoped-registry mosaicstack:fix/gateway-install-registry mosaicstack:chore/bump-0.0.11 mosaicstack:feat/gateway-local-tier mosaicstack:feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3 mosaicstack:fix/pnpm-build-scripts mosaicstack:fix/storage-sqlite-ci mosaicstack:feat/storage-abstraction mosaicstack:fix/idempotent-init
mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4
...
compare: mosaicstack:v0.1.0
Branches Tags
mosaicstack:main mosaicstack:release/mosaic-v0.0.29 mosaicstack:fix/installer-idempotent-creds mosaicstack:feat/framework-superpowers-enforcement mosaicstack:feat/install-ux-intent mosaicstack:feat/install-ux-polish mosaicstack:docs/iuv-m01-complete mosaicstack:fix/build-vitest-allowdefault mosaicstack:fix/bootstrap-hotfix mosaicstack:docs/install-ux-v2-scaffold mosaicstack:release/mosaic-v0.0.25 mosaicstack:docs/iuh-mission-complete mosaicstack:feat/unified-first-run mosaicstack:docs/iuh-m02-complete mosaicstack:feat/wizard-remediation mosaicstack:feat/mosaic-macp-cli mosaicstack:fix/gateway-token-recovery-review mosaicstack:feat/mosaic-auth-cli mosaicstack:feat/mosaic-forge-cli-v2 mosaicstack:feat/mosaic-storage-cli mosaicstack:feat/mosaic-memory-cli mosaicstack:feat/gateway-token-recovery mosaicstack:feat/mosaic-forge-cli mosaicstack:feat/mosaic-config-command mosaicstack:feat/mosaic-queue-cli mosaicstack:feat/mosaic-brain-cli mosaicstack:feat/mosaic-help-alphabetize mosaicstack:docs/gateway-token-recovery-plan mosaicstack:chore/bump-mosaic-0.0.21 mosaicstack:fix/populate-known-packages-list mosaicstack:fix/publish-loud-errors mosaicstack:fix/gitea-org-rename mosaicstack:fix/gateway-install-ux mosaicstack:fix/rename-mosaic-scope-391 mosaicstack:fix/db-memory-queue-publish-drift mosaicstack:fix/updater-wrapper-gitea-387 mosaicstack:fix/config-package-version-drift mosaicstack:fix/updater-mosaic-package-382 mosaicstack:fix/merge-cli-into-mosaic mosaicstack:fix/metapackage-cli-dep mosaicstack:chore/bump-cli-mosaic-0.0.16 mosaicstack:fix/gateway-deprecation-warnings mosaicstack:fix/gateway-install-prefix-eacces mosaicstack:chore/gateway-default-port-14242 mosaicstack:fix/gateway-scoped-registry mosaicstack:fix/gateway-install-registry mosaicstack:chore/bump-0.0.11 mosaicstack:feat/gateway-local-tier mosaicstack:feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3 mosaicstack:fix/pnpm-build-scripts mosaicstack:fix/storage-sqlite-ci mosaicstack:feat/storage-abstraction mosaicstack:fix/idempotent-init
mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4

38 Commits
9f44a390ba ... v0.1.0

Author SHA1 Message Date
Jason Woltje
66dd3ee995 chore: add agent column to TASKS.md schema 2026-03-19 20:07:25 -05:00
Jason Woltje
cbfd6fb996 fix(web): conversation DELETE — resolve Failed to fetch TypeError (#204)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-17 02:43:56 +00:00
Jason Woltje
3f8553ce07 fix(cli): TUI polish — Ctrl+T, React keys, clipboard, version (#205)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-17 02:40:18 +00:00
Jason Woltje
bf668e18f1 fix(web): admin page role check — stop false redirect to /chat (#203)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-17 02:38:25 +00:00
Jason Woltje
1f2b8125c6 fix(cli): sidebar delete conversation — fix silent failure (#201)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-17 02:36:46 +00:00
Jason Woltje
93645295d5 fix(gateway): filter projects by ownership — close data privacy leak (#202)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-17 02:35:45 +00:00
Jason Woltje
7a52652be6 feat(gateway): Discord channel auto-creation on project bootstrap (#200)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-17 02:32:14 +00:00
Jason Woltje
791c8f505e feat(gateway): /system override condensation — accumulate + Haiku merge (#198)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-17 02:26:31 +00:00
Jason Woltje
12653477d6 feat(gateway): project bootstrap — docs structure + default agent (#190)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-17 02:12:24 +00:00
Jason Woltje
dedfa0d9ac fix(gateway): system override TTL 5min → 7 days (#189)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-17 02:06:58 +00:00
Jason Woltje
c1d3dfd77e fix(cli): disable Ink exitOnCtrlC so double-press handler runs (#188)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 13:55:19 +00:00
Jason Woltje
f0476cae92 fix(cli): wire command:result + system:reload socket events in TUI (#187)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 13:21:11 +00:00
Jason Woltje
b6effdcd6b docs: mark mission complete — 9/9 milestones, all ACs verified (v0.1.0) (#186)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 03:51:21 +00:00
Jason Woltje
39ef2ff123 feat: verify Phase 8 platform architecture + integration tests (P8-019) (#185)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 03:43:42 +00:00
Jason Woltje
a989b5e549 feat(cli): TUI autocomplete sidebar + fuzzy match + arg hints + input history (P8-017) (#184)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 03:30:15 +00:00
jason.woltje
ff27e944a1 Merge pull request 'feat(gateway): WorkspaceService + ProjectBootstrapService + TeamsService (P8-015)' (#183) from feat/p8-015-workspaces into main
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
2026-03-16 03:14:10 +00:00
Jason Woltje
0821393c1d feat(gateway): WorkspaceService + ProjectBootstrapService + TeamsService (P8-015)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details 
- WorkspaceService: path resolution, git init/clone, directory lifecycle (create/delete/exists), user and team root provisioning
- ProjectBootstrapService: orchestrates DB record creation (via Brain) + workspace directory init in a single call
- TeamsService: isMember, canAccessProject, findAll, findById, listMembers via Drizzle DB queries
- WorkspaceController: POST /api/workspaces — auth-guarded project bootstrap endpoint
- TeamsController: GET /api/teams, /:teamId, /:teamId/members, /:teamId/members/:userId
- WorkspaceModule wired into AppModule
- workspace.service.spec.ts: 5 unit tests for resolvePath (user, team, fallback, env var, default)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-15 22:06:01 -05:00
Jason Woltje
24f5c0699a feat(gateway): MosaicPlugin lifecycle + ReloadService + hot reload (P8-013) (#182)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 03:00:56 +00:00
Jason Woltje
96409c40bf feat(gateway): /agent, /provider, /mission, /prdy, /tools commands (P8-012) (#181)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 02:50:18 +00:00
jason.woltje
8628f4f93a Merge pull request 'feat(gateway): SessionGCService three-tier GC + /gc command + cron (P8-014)' (#179) from feat/p8-014-session-gc into main
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
2026-03-16 02:42:34 +00:00
Jason Woltje
b649b5c987 feat(gateway): SessionGCService three-tier GC + /gc command + cron (P8-014)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details 
Implements three-tier garbage collection for agent sessions:
- SessionGCService.collect() for immediate per-session cleanup on destroySession()
- SessionGCService.sweepOrphans() for daily cron sweep of orphaned Valkey keys
- SessionGCService.fullCollect() for cold-start aggressive cleanup via OnModuleInit
- /gc slash command wired into CommandExecutorService + registered in CommandRegistryService
- SESSION_GC_CRON (daily 4am) added to CronService
- GCModule provides Valkey (ioredis via @mosaic/queue) and is imported by AgentModule, LogModule, CommandsModule, AppModule
- 8 Vitest unit tests covering all three GC tiers

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-15 21:38:48 -05:00
jason.woltje
b4d03a8b49 Merge pull request 'feat(gateway): PreferencesService + /preferences REST + /system Valkey override (P8-011)' (#180) from feat/p8-011-preferences into main
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
2026-03-16 02:35:38 +00:00
Jason Woltje
85aeebbde2 feat(gateway): PreferencesService + /preferences REST + /system Valkey override (P8-011)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details 
- PreferencesService: platform defaults, user overrides, IMMUTABLE_KEYS enforcement
- PreferencesController: GET /api/preferences, POST /api/preferences, DELETE /api/preferences/:key
- PreferencesModule: global module exporting PreferencesService and SystemOverrideService
- SystemOverrideService: Valkey-backed session-scoped system prompt override with 5-min TTL + renew
- CommandRegistryService: register /system command (socket execution)
- CommandExecutorService: handle /system command via SystemOverrideService
- AgentService: inject system override before each prompt turn, renew TTL; store userId in session
- ChatGateway: pass userId when creating agent sessions
- PreferencesService unit tests: 11 tests covering defaults, overrides, enforcement wins, immutable key errors

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-15 21:32:03 -05:00
Jason Woltje
a4bb563779 feat(gateway): CommandRegistryService + CommandExecutorService (P8-010) (#178)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 02:10:31 +00:00
Jason Woltje
7f6464bbda feat(gateway): tool path hardening + sandbox escape prevention (P8-016) (#177)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 02:02:48 +00:00
Jason Woltje
f0741e045f feat(cli): TUI slash command parsing + local commands (P8-009) (#176)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 01:58:56 +00:00
Jason Woltje
5a1991924c feat(db): teams schema + preferences.mutable migration (#175)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 01:46:43 +00:00
Jason Woltje
bd5d14d07f feat(types): CommandDef, CommandManifest, slash command socket events (#174)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 01:41:39 +00:00
Jason Woltje
d5a1791dc5 docs: agent platform architecture plan — augmentation + task breakdown (#173)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-16 01:28:29 +00:00
Jason Woltje
bd81c12071 docs: update TASKS.md and scratchpad for CLI command architecture (#159)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-15 23:11:37 +00:00
Jason Woltje
4da255bf04 feat(cli): command architecture — agents, missions, gateway-aware prdy (#158)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-15 23:10:23 +00:00
Jason Woltje
82c10a7b33 feat(cli): TUI complete overhaul — components, sidebar, search, branding (#157)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-15 22:17:19 +00:00
Jason Woltje
d31070177c fix(ci): remove from_secret to unblock PR pipelines (#156)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-15 21:48:51 +00:00
Jason Woltje
3792576566 fix(web): add jsdom dependency and exclude e2e from vitest (#155)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-15 20:00:53 +00:00
Jason Woltje
cd57c75e41 chore(orchestrator): Phase 7 complete — v0.0.8 verified (#154)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-15 19:50:15 +00:00
Jason Woltje
237a863dfd docs(deploy): add deployment guide and expand .env.example (#153)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-15 19:46:38 +00:00
Jason Woltje
cb92ba16c1 feat(web): Playwright E2E test suite for critical paths (#152)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-15 19:46:13 +00:00
Jason Woltje
70e9f2c6bc docs: user guide, admin guide, dev guide (closes #57) (#151)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-03-15 19:40:44 +00:00
136 changed files with 16257 additions and 938 deletions
Expand all files Collapse all files

126
.env.example
View File

@@ -1,35 +1,129 @@
# Database (port 5433 avoids conflict with host PostgreSQL)
# ─────────────────────────────────────────────────────────────────────────────
# Mosaic — Environment Variables Reference
# Copy this file to .env and fill in the values for your deployment.
# Lines beginning with # are comments; optional vars are commented out.
# ─────────────────────────────────────────────────────────────────────────────
# ─── Database (PostgreSQL 17 + pgvector) ─────────────────────────────────────
# Full connection string used by the gateway, ORM, and migration runner.
# Port 5433 avoids conflict with a host-side PostgreSQL instance.
DATABASE_URL=postgresql://mosaic:mosaic@localhost:5433/mosaic
# Valkey (Redis-compatible, port 6380 avoids conflict with host Redis/Valkey)
# Docker Compose host-port override for the PostgreSQL container (default: 5433)
# PG_HOST_PORT=5433
# ─── Queue (Valkey 8 / Redis-compatible) ─────────────────────────────────────
# Port 6380 avoids conflict with a host-side Redis/Valkey instance.
VALKEY_URL=redis://localhost:6380
# Docker Compose host port overrides (optional)
# PG_HOST_PORT=5433
# Docker Compose host-port override for the Valkey container (default: 6380)
# VALKEY_HOST_PORT=6380
# OpenTelemetry
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
OTEL_SERVICE_NAME=mosaic-gateway
# Auth (BetterAuth)
BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string
BETTER_AUTH_URL=http://localhost:4000
# Gateway
# ─── Gateway ─────────────────────────────────────────────────────────────────
# TCP port the NestJS/Fastify gateway listens on (default: 4000)
GATEWAY_PORT=4000
# Comma-separated list of allowed CORS origins.
# Must include the web app origin in production.
GATEWAY_CORS_ORIGIN=http://localhost:3000
# Discord Plugin (optional — set DISCORD_BOT_TOKEN to enable)
# ─── Auth (BetterAuth) ───────────────────────────────────────────────────────
# REQUIRED — random secret used to sign sessions and tokens.
# Generate with: openssl rand -base64 32
BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string
# Public base URL of the gateway (used by BetterAuth for callback URLs)
BETTER_AUTH_URL=http://localhost:4000
# ─── Web App (Next.js) ───────────────────────────────────────────────────────
# Public gateway URL — accessible from the browser, not just the server.
NEXT_PUBLIC_GATEWAY_URL=http://localhost:4000
# ─── OpenTelemetry ───────────────────────────────────────────────────────────
# OTLP HTTP endpoint (otel-collector or any OpenTelemetry-compatible backend)
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
# Service name shown in traces
OTEL_SERVICE_NAME=mosaic-gateway
# ─── AI Providers ────────────────────────────────────────────────────────────
# Ollama (local models — set OLLAMA_BASE_URL to enable)
# OLLAMA_BASE_URL=http://localhost:11434
# OLLAMA_HOST is a legacy alias for OLLAMA_BASE_URL
# OLLAMA_HOST=http://localhost:11434
# Comma-separated list of Ollama model IDs to register (default: llama3.2,codellama,mistral)
# OLLAMA_MODELS=llama3.2,codellama,mistral
# OpenAI — required for embedding and log-summarization features
# OPENAI_API_KEY=sk-...
# Custom providers — JSON array of provider configs
# Format: [{"id":"<id>","baseUrl":"<url>","apiKey":"<key>","models":[{"id":"<model-id>","name":"<label>"}]}]
# MOSAIC_CUSTOM_PROVIDERS=
# ─── Embedding Service ───────────────────────────────────────────────────────
# OpenAI-compatible embeddings endpoint (default: OpenAI)
# EMBEDDING_API_URL=https://api.openai.com/v1
# EMBEDDING_MODEL=text-embedding-3-small
# ─── Log Summarization Service ───────────────────────────────────────────────
# OpenAI-compatible chat completions endpoint for log summarization (default: OpenAI)
# SUMMARIZATION_API_URL=https://api.openai.com/v1
# SUMMARIZATION_MODEL=gpt-4o-mini
# Cron schedule for summarization job (default: every 6 hours)
# SUMMARIZATION_CRON=0 */6 * * *
# Cron schedule for log tier management (default: daily at 03:00)
# TIER_MANAGEMENT_CRON=0 3 * * *
# ─── Agent ───────────────────────────────────────────────────────────────────
# Filesystem sandbox root for agent file tools (default: process.cwd())
# AGENT_FILE_SANDBOX_DIR=/var/lib/mosaic/sandbox
# Comma-separated list of tool names available to non-admin users.
# Leave unset to allow all tools for all authenticated users.
# AGENT_USER_TOOLS=read_file,list_directory,search_files
# System prompt injected into every agent session (optional)
# AGENT_SYSTEM_PROMPT=You are a helpful assistant.
# ─── MCP Servers ─────────────────────────────────────────────────────────────
# JSON array of MCP server configs — set to enable MCP tool integration.
# Each entry: {"name":"<id>","url":"<http-or-sse-url>"}
# MCP_SERVERS=[{"name":"my-mcp","url":"http://localhost:3100/sse"}]
# ─── Coordinator ─────────────────────────────────────────────────────────────
# Root directory used to scope coordinator (worktree/repo) operations.
# Defaults to the monorepo root auto-detected from process.cwd().
# MOSAIC_WORKSPACE_ROOT=/home/user/projects/mosaic
# ─── Discord Plugin (optional — set DISCORD_BOT_TOKEN to enable) ─────────────
# DISCORD_BOT_TOKEN=
# DISCORD_GUILD_ID=
# DISCORD_GATEWAY_URL=http://localhost:4000
# Telegram Plugin (optional — set TELEGRAM_BOT_TOKEN to enable)
# ─── Telegram Plugin (optional — set TELEGRAM_BOT_TOKEN to enable) ───────────
# TELEGRAM_BOT_TOKEN=
# TELEGRAM_GATEWAY_URL=http://localhost:4000
# Authentik SSO (optional — set AUTHENTIK_CLIENT_ID to enable)
# AUTHENTIK_ISSUER=https://auth.example.com
# ─── Authentik SSO (optional — set AUTHENTIK_CLIENT_ID to enable) ────────────
# AUTHENTIK_ISSUER=https://auth.example.com/application/o/mosaic/
# AUTHENTIK_CLIENT_ID=
# AUTHENTIK_CLIENT_SECRET=

27
.woodpecker/ci.yml
View File

@@ -5,9 +5,10 @@ variables:
when:
- event: [push, pull_request, manual]
# Turbo remote cache is at turbo.mosaicstack.dev (ducktors/turborepo-remote-cache).
# TURBO_TOKEN is a Woodpecker secret injected via from_secret into the environment.
# Turbo picks up TURBO_API, TURBO_TOKEN, and TURBO_TEAM automatically.
# Turbo remote cache (turbo.mosaicstack.dev) is configured via Woodpecker
# repository-level environment variables (TURBO_API, TURBO_TEAM, TURBO_TOKEN).
# This avoids from_secret which is blocked on pull_request events.
# If the env vars aren't set, turbo falls back to local cache only.
steps:
install:
@@ -18,11 +19,6 @@ steps:
typecheck:
image: *node_image
environment:
TURBO_API: https://turbo.mosaicstack.dev
TURBO_TEAM: mosaic
TURBO_TOKEN:
from_secret: turbo_token
commands:
- *enable_pnpm
- pnpm typecheck
@@ -32,11 +28,6 @@ steps:
# lint, format, and test are independent — run in parallel after typecheck
lint:
image: *node_image
environment:
TURBO_API: https://turbo.mosaicstack.dev
TURBO_TEAM: mosaic
TURBO_TOKEN:
from_secret: turbo_token
commands:
- *enable_pnpm
- pnpm lint
@@ -53,11 +44,6 @@ steps:
test:
image: *node_image
environment:
TURBO_API: https://turbo.mosaicstack.dev
TURBO_TEAM: mosaic
TURBO_TOKEN:
from_secret: turbo_token
commands:
- *enable_pnpm
- pnpm test
@@ -66,11 +52,6 @@ steps:
build:
image: *node_image
environment:
TURBO_API: https://turbo.mosaicstack.dev
TURBO_TEAM: mosaic
TURBO_TOKEN:
from_secret: turbo_token
commands:
- *enable_pnpm
- pnpm build

23
apps/gateway/src/__tests__/resource-ownership.test.ts
View File

@@ -1,4 +1,4 @@
import { ForbiddenException } from '@nestjs/common';
import { ForbiddenException, NotFoundException } from '@nestjs/common';
import { describe, expect, it, vi } from 'vitest';
import { ConversationsController } from '../conversations/conversations.controller.js';
import { MissionsController } from '../missions/missions.controller.js';
@@ -18,6 +18,7 @@ function createBrain() {
},
projects: {
findAll: vi.fn(),
findAllForUser: vi.fn(),
findById: vi.fn(),
create: vi.fn(),
update: vi.fn(),
@@ -25,12 +26,21 @@ function createBrain() {
},
missions: {
findAll: vi.fn(),
findAllByUser: vi.fn(),
findById: vi.fn(),
findByIdAndUser: vi.fn(),
findByProject: vi.fn(),
create: vi.fn(),
update: vi.fn(),
remove: vi.fn(),
},
missionTasks: {
findByMissionAndUser: vi.fn(),
findByIdAndUser: vi.fn(),
create: vi.fn(),
update: vi.fn(),
remove: vi.fn(),
},
tasks: {
findAll: vi.fn(),
findById: vi.fn(),
@@ -58,21 +68,22 @@ describe('Resource ownership checks', () => {
it('forbids access to another user project', async () => {
const brain = createBrain();
brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
const controller = new ProjectsController(brain as never);
const teamsService = { canAccessProject: vi.fn().mockResolvedValue(false) };
const controller = new ProjectsController(brain as never, teamsService as never);
await expect(controller.findOne('project-1', { id: 'user-1' })).rejects.toBeInstanceOf(
ForbiddenException,
);
});
it('forbids access to a mission owned by another project owner', async () => {
it('forbids access to a mission owned by another user', async () => {
const brain = createBrain();
brain.missions.findById.mockResolvedValue({ id: 'mission-1', projectId: 'project-1' });
brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
// findByIdAndUser returns undefined when the mission doesn't belong to the user
brain.missions.findByIdAndUser.mockResolvedValue(undefined);
const controller = new MissionsController(brain as never);
await expect(controller.findOne('mission-1', { id: 'user-1' })).rejects.toBeInstanceOf(
ForbiddenException,
NotFoundException,
);
});

24
apps/gateway/src/admin/admin.guard.ts
View File

@@ -8,8 +8,11 @@ import {
} from '@nestjs/common';
import { fromNodeHeaders } from 'better-auth/node';
import type { Auth } from '@mosaic/auth';
import type { Db } from '@mosaic/db';
import { eq, users as usersTable } from '@mosaic/db';
import type { FastifyRequest } from 'fastify';
import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js';
interface UserWithRole {
id: string;
@@ -18,7 +21,10 @@ interface UserWithRole {
@Injectable()
export class AdminGuard implements CanActivate {
constructor(@Inject(AUTH) private readonly auth: Auth) {}
constructor(
@Inject(AUTH) private readonly auth: Auth,
@Inject(DB) private readonly db: Db,
) {}
async canActivate(context: ExecutionContext): Promise<boolean> {
const request = context.switchToHttp().getRequest<FastifyRequest>();
@@ -32,7 +38,21 @@ export class AdminGuard implements CanActivate {
const user = result.user as UserWithRole;
if (user.role !== 'admin') {
// Ensure the role field is populated. better-auth should include additionalFields
// in the session, but as a fallback, fetch the role from the database if needed.
let userRole = user.role;
if (!userRole) {
const [dbUser] = await this.db
.select({ role: usersTable.role })
.from(usersTable)
.where(eq(usersTable.id, user.id))
.limit(1);
userRole = dbUser?.role ?? 'member';
// Update the session user object with the fetched role
(user as UserWithRole).role = userRole;
}
if (userRole !== 'admin') {
throw new ForbiddenException('Admin access required');
}

97
apps/gateway/src/agent/agent-config.dto.ts Normal file
View File

@@ -0,0 +1,97 @@
import {
IsArray,
IsBoolean,
IsIn,
IsObject,
IsOptional,
IsString,
IsUUID,
MaxLength,
} from 'class-validator';
const agentStatuses = ['idle', 'active', 'error', 'offline'] as const;
export class CreateAgentConfigDto {
@IsString()
@MaxLength(255)
name!: string;
@IsString()
@MaxLength(255)
provider!: string;
@IsString()
@MaxLength(255)
model!: string;
@IsOptional()
@IsIn(agentStatuses)
status?: 'idle' | 'active' | 'error' | 'offline';
@IsOptional()
@IsUUID()
projectId?: string;
@IsOptional()
@IsString()
@MaxLength(50_000)
systemPrompt?: string;
@IsOptional()
@IsArray()
allowedTools?: string[];
@IsOptional()
@IsArray()
skills?: string[];
@IsOptional()
@IsBoolean()
isSystem?: boolean;
@IsOptional()
@IsObject()
config?: Record<string, unknown>;
}
export class UpdateAgentConfigDto {
@IsOptional()
@IsString()
@MaxLength(255)
name?: string;
@IsOptional()
@IsString()
@MaxLength(255)
provider?: string;
@IsOptional()
@IsString()
@MaxLength(255)
model?: string;
@IsOptional()
@IsIn(agentStatuses)
status?: 'idle' | 'active' | 'error' | 'offline';
@IsOptional()
@IsUUID()
projectId?: string | null;
@IsOptional()
@IsString()
@MaxLength(50_000)
systemPrompt?: string | null;
@IsOptional()
@IsArray()
allowedTools?: string[] | null;
@IsOptional()
@IsArray()
skills?: string[] | null;
@IsOptional()
@IsObject()
config?: Record<string, unknown> | null;
}

84
apps/gateway/src/agent/agent-configs.controller.ts Normal file
View File

@@ -0,0 +1,84 @@
import {
Body,
Controller,
Delete,
ForbiddenException,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Param,
Patch,
Post,
UseGuards,
} from '@nestjs/common';
import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { CreateAgentConfigDto, UpdateAgentConfigDto } from './agent-config.dto.js';
@Controller('api/agents')
@UseGuards(AuthGuard)
export class AgentConfigsController {
constructor(@Inject(BRAIN) private readonly brain: Brain) {}
@Get()
async list(@CurrentUser() user: { id: string; role?: string }) {
return this.brain.agents.findAccessible(user.id);
}
@Get(':id')
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const agent = await this.brain.agents.findById(id);
if (!agent) throw new NotFoundException('Agent not found');
if (!agent.isSystem && agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
return agent;
}
@Post()
async create(@Body() dto: CreateAgentConfigDto, @CurrentUser() user: { id: string }) {
return this.brain.agents.create({
...dto,
ownerId: user.id,
isSystem: false,
});
}
@Patch(':id')
async update(
@Param('id') id: string,
@Body() dto: UpdateAgentConfigDto,
@CurrentUser() user: { id: string; role?: string },
) {
const agent = await this.brain.agents.findById(id);
if (!agent) throw new NotFoundException('Agent not found');
if (agent.isSystem && user.role !== 'admin') {
throw new ForbiddenException('Only admins can update system agents');
}
if (!agent.isSystem && agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
const updated = await this.brain.agents.update(id, dto);
if (!updated) throw new NotFoundException('Agent not found');
return updated;
}
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string; role?: string }) {
const agent = await this.brain.agents.findById(id);
if (!agent) throw new NotFoundException('Agent not found');
if (agent.isSystem) {
throw new ForbiddenException('Cannot delete system agents');
}
if (agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
const deleted = await this.brain.agents.remove(id);
if (!deleted) throw new NotFoundException('Agent not found');
}
}

6
apps/gateway/src/agent/agent.module.ts
View File

@@ -5,15 +5,17 @@ import { RoutingService } from './routing.service.js';
import { SkillLoaderService } from './skill-loader.service.js';
import { ProvidersController } from './providers.controller.js';
import { SessionsController } from './sessions.controller.js';
import { AgentConfigsController } from './agent-configs.controller.js';
import { CoordModule } from '../coord/coord.module.js';
import { McpClientModule } from '../mcp-client/mcp-client.module.js';
import { SkillsModule } from '../skills/skills.module.js';
import { GCModule } from '../gc/gc.module.js';
@Global()
@Module({
imports: [CoordModule, McpClientModule, SkillsModule],
imports: [CoordModule, McpClientModule, SkillsModule, GCModule],
providers: [ProviderService, RoutingService, SkillLoaderService, AgentService],
controllers: [ProvidersController, SessionsController],
controllers: [ProvidersController, SessionsController, AgentConfigsController],
exports: [AgentService, ProviderService, RoutingService, SkillLoaderService],
})
export class AgentModule {}

77
apps/gateway/src/agent/agent.service.ts
View File

@@ -1,4 +1,4 @@
import { Inject, Injectable, Logger, type OnModuleDestroy } from '@nestjs/common';
import { Inject, Injectable, Logger, Optional, type OnModuleDestroy } from '@nestjs/common';
import {
createAgentSession,
DefaultResourceLoader,
@@ -24,6 +24,9 @@ import { createGitTools } from './tools/git-tools.js';
import { createShellTools } from './tools/shell-tools.js';
import { createWebTools } from './tools/web-tools.js';
import type { SessionInfoDto } from './session.dto.js';
import { SystemOverrideService } from '../preferences/system-override.service.js';
import { PreferencesService } from '../preferences/preferences.service.js';
import { SessionGCService } from '../gc/session-gc.service.js';
export interface AgentSessionOptions {
provider?: string;
@@ -49,6 +52,14 @@ export interface AgentSessionOptions {
allowedTools?: string[];
/** Whether the requesting user has admin privileges. Controls default tool access. */
isAdmin?: boolean;
/**
* DB agent config ID. When provided, loads agent config from DB and merges
* provider, model, systemPrompt, and allowedTools. Explicit call-site options
* take precedence over config values.
*/
agentConfigId?: string;
/** ID of the user who owns this session. Used for preferences and system override lookups. */
userId?: string;
}
export interface AgentSession {
@@ -67,6 +78,8 @@ export interface AgentSession {
sandboxDir: string;
/** Tool names available in this session, or null when all tools are available. */
allowedTools: string[] | null;
/** User ID that owns this session, used for preference lookups. */
userId?: string;
}
@Injectable()
@@ -83,6 +96,13 @@ export class AgentService implements OnModuleDestroy {
@Inject(CoordService) private readonly coordService: CoordService,
@Inject(McpClientService) private readonly mcpClientService: McpClientService,
@Inject(SkillLoaderService) private readonly skillLoaderService: SkillLoaderService,
@Optional()
@Inject(SystemOverrideService)
private readonly systemOverride: SystemOverrideService | null,
@Optional()
@Inject(PreferencesService)
private readonly preferencesService: PreferencesService | null,
@Inject(SessionGCService) private readonly gc: SessionGCService,
) {}
/**
@@ -146,16 +166,39 @@ export class AgentService implements OnModuleDestroy {
sessionId: string,
options?: AgentSessionOptions,
): Promise<AgentSession> {
const model = this.resolveModel(options);
// Merge DB agent config when agentConfigId is provided
let mergedOptions = options;
if (options?.agentConfigId) {
const agentConfig = await this.brain.agents.findById(options.agentConfigId);
if (agentConfig) {
mergedOptions = {
provider: options.provider ?? agentConfig.provider,
modelId: options.modelId ?? agentConfig.model,
systemPrompt: options.systemPrompt ?? agentConfig.systemPrompt ?? undefined,
allowedTools: options.allowedTools ?? agentConfig.allowedTools ?? undefined,
sandboxDir: options.sandboxDir,
isAdmin: options.isAdmin,
agentConfigId: options.agentConfigId,
};
this.logger.log(
`Merged agent config "${agentConfig.name}" (${agentConfig.id}) into session ${sessionId}`,
);
}
}
const model = this.resolveModel(mergedOptions);
const providerName = model?.provider ?? 'default';
const modelId = model?.id ?? 'default';
// Resolve sandbox directory: option > env var > process.cwd()
const sandboxDir =
options?.sandboxDir ?? process.env['AGENT_FILE_SANDBOX_DIR'] ?? process.cwd();
mergedOptions?.sandboxDir ?? process.env['AGENT_FILE_SANDBOX_DIR'] ?? process.cwd();
// Resolve allowed tool set
const allowedTools = this.resolveAllowedTools(options?.isAdmin ?? false, options?.allowedTools);
const allowedTools = this.resolveAllowedTools(
mergedOptions?.isAdmin ?? false,
mergedOptions?.allowedTools,
);
this.logger.log(
`Creating agent session: ${sessionId} (provider=${providerName}, model=${modelId}, sandbox=${sandboxDir}, tools=${allowedTools === null ? 'all' : allowedTools.join(',') || 'none'})`,
@@ -194,7 +237,8 @@ export class AgentService implements OnModuleDestroy {
}
// Build system prompt: platform prompt + skill additions appended
const platformPrompt = options?.systemPrompt ?? process.env['AGENT_SYSTEM_PROMPT'] ?? undefined;
const platformPrompt =
mergedOptions?.systemPrompt ?? process.env['AGENT_SYSTEM_PROMPT'] ?? undefined;
const appendSystemPrompt =
promptAdditions.length > 0 ? promptAdditions.join('\n\n') : undefined;
@@ -255,6 +299,7 @@ export class AgentService implements OnModuleDestroy {
skillPromptAdditions: promptAdditions,
sandboxDir,
allowedTools,
userId: mergedOptions?.userId,
};
this.sessions.set(sessionId, session);
@@ -338,8 +383,20 @@ export class AgentService implements OnModuleDestroy {
throw new Error(`No agent session found: ${sessionId}`);
}
session.promptCount += 1;
// Prepend session-scoped system override if present (renew TTL on each turn)
let effectiveMessage = message;
if (this.systemOverride) {
const override = await this.systemOverride.get(sessionId);
if (override) {
effectiveMessage = `[System Override]\n${override}\n\n${message}`;
await this.systemOverride.renew(sessionId);
this.logger.debug(`Applied system override for session ${sessionId}`);
}
}
try {
await session.piSession.prompt(message);
await session.piSession.prompt(effectiveMessage);
} catch (err) {
this.logger.error(
`Prompt failed for session=${sessionId}, messageLength=${message.length}`,
@@ -375,6 +432,14 @@ export class AgentService implements OnModuleDestroy {
session.listeners.clear();
session.channels.clear();
this.sessions.delete(sessionId);
// Run GC cleanup for this session (fire and forget, errors are logged)
this.gc.collect(sessionId).catch((err: unknown) => {
this.logger.error(
`GC collect failed for session ${sessionId}`,
err instanceof Error ? err.stack : String(err),
);
});
}
async onModuleDestroy(): Promise<void> {

39
apps/gateway/src/agent/tools/file-tools.ts
View File

@@ -1,20 +1,7 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import { readFile, writeFile, readdir, stat } from 'node:fs/promises';
import { resolve, relative, join } from 'node:path';
/**
* Safety constraint: all file operations are restricted to a base directory.
* Paths that escape the sandbox via ../ traversal are rejected.
*/
function resolveSafe(baseDir: string, inputPath: string): string {
const resolved = resolve(baseDir, inputPath);
const rel = relative(baseDir, resolved);
if (rel.startsWith('..') || resolve(resolved) !== resolve(join(baseDir, rel))) {
throw new Error(`Path escape detected: "${inputPath}" resolves outside base directory`);
}
return resolved;
}
import { guardPath, guardPathUnsafe, SandboxEscapeError } from './path-guard.js';
const MAX_READ_BYTES = 512 * 1024; // 512 KB read limit
const MAX_WRITE_BYTES = 1024 * 1024; // 1 MB write limit
@@ -37,8 +24,14 @@ export function createFileTools(baseDir: string): ToolDefinition[] {
const { path, encoding } = params as { path: string; encoding?: string };
let safePath: string;
try {
safePath = resolveSafe(baseDir, path);
safePath = guardPath(path, baseDir);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
@@ -99,8 +92,14 @@ export function createFileTools(baseDir: string): ToolDefinition[] {
};
let safePath: string;
try {
safePath = resolveSafe(baseDir, path);
safePath = guardPathUnsafe(path, baseDir);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
@@ -151,8 +150,14 @@ export function createFileTools(baseDir: string): ToolDefinition[] {
const target = path ?? '.';
let safePath: string;
try {
safePath = resolveSafe(baseDir, target);
safePath = guardPath(target, baseDir);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,

85
apps/gateway/src/agent/tools/git-tools.ts
View File

@@ -2,29 +2,13 @@ import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import { exec } from 'node:child_process';
import { promisify } from 'node:util';
import { resolve, relative } from 'node:path';
import { guardPath, guardPathUnsafe, SandboxEscapeError } from './path-guard.js';
const execAsync = promisify(exec);
const GIT_TIMEOUT_MS = 15_000;
const MAX_OUTPUT_BYTES = 100 * 1024; // 100 KB
/**
* Clamp a user-supplied cwd to within the sandbox directory.
* If the resolved path escapes the sandbox (via ../ or absolute path outside),
* falls back to the sandbox directory itself.
*/
function clampCwd(sandboxDir: string, requestedCwd?: string): string {
if (!requestedCwd) return sandboxDir;
const resolved = resolve(sandboxDir, requestedCwd);
const rel = relative(sandboxDir, resolved);
if (rel.startsWith('..') || rel.startsWith('/')) {
// Escape attempt — fall back to sandbox root
return sandboxDir;
}
return resolved;
}
async function runGit(
args: string[],
cwd?: string,
@@ -74,7 +58,21 @@ export function createGitTools(sandboxDir?: string): ToolDefinition[] {
}),
async execute(_toolCallId, params) {
const { cwd } = params as { cwd?: string };
const safeCwd = clampCwd(defaultCwd, cwd);
let safeCwd: string;
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
const result = await runGit(['status', '--short', '--branch'], safeCwd);
const text = result.error
? `Error: ${result.error}\n${result.stderr}`
@@ -107,7 +105,21 @@ export function createGitTools(sandboxDir?: string): ToolDefinition[] {
oneline?: boolean;
cwd?: string;
};
const safeCwd = clampCwd(defaultCwd, cwd);
let safeCwd: string;
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
const args = ['log', `--max-count=${limit ?? 20}`];
if (oneline !== false) args.push('--oneline');
const result = await runGit(args, safeCwd);
@@ -148,12 +160,43 @@ export function createGitTools(sandboxDir?: string): ToolDefinition[] {
path?: string;
cwd?: string;
};
const safeCwd = clampCwd(defaultCwd, cwd);
let safeCwd: string;
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
let safePath: string | undefined;
if (path !== undefined) {
try {
safePath = guardPathUnsafe(path, defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
}
const args = ['diff'];
if (staged) args.push('--cached');
if (ref) args.push(ref);
args.push('--');
if (path) args.push(path);
if (safePath !== undefined) args.push(safePath);
const result = await runGit(args, safeCwd);
const text = result.error
? `Error: ${result.error}\n${result.stderr}`

104
apps/gateway/src/agent/tools/path-guard.test.ts Normal file
View File

@@ -0,0 +1,104 @@
import { describe, it, expect } from 'vitest';
import { guardPath, guardPathUnsafe, SandboxEscapeError } from './path-guard.js';
import path from 'node:path';
import os from 'node:os';
import fs from 'node:fs';
describe('guardPathUnsafe', () => {
const sandbox = '/tmp/test-sandbox';
it('allows paths inside sandbox', () => {
const result = guardPathUnsafe('foo/bar.txt', sandbox);
expect(result).toBe(path.resolve(sandbox, 'foo/bar.txt'));
});
it('allows sandbox root itself', () => {
const result = guardPathUnsafe('.', sandbox);
expect(result).toBe(path.resolve(sandbox));
});
it('rejects path traversal with ../', () => {
expect(() => guardPathUnsafe('../escape.txt', sandbox)).toThrow(SandboxEscapeError);
});
it('rejects absolute path outside sandbox', () => {
expect(() => guardPathUnsafe('/etc/passwd', sandbox)).toThrow(SandboxEscapeError);
});
it('rejects deeply nested traversal', () => {
expect(() => guardPathUnsafe('a/b/../../../../../../etc/passwd', sandbox)).toThrow(
SandboxEscapeError,
);
});
it('rejects path that starts with sandbox name but is sibling', () => {
expect(() => guardPathUnsafe('/tmp/test-sandbox-evil/file.txt', sandbox)).toThrow(
SandboxEscapeError,
);
});
it('returns the resolved absolute path for nested paths', () => {
const result = guardPathUnsafe('deep/nested/file.ts', sandbox);
expect(result).toBe('/tmp/test-sandbox/deep/nested/file.ts');
});
it('SandboxEscapeError includes the user path and sandbox in message', () => {
let caught: unknown;
try {
guardPathUnsafe('../escape.txt', sandbox);
} catch (err) {
caught = err;
}
expect(caught).toBeInstanceOf(SandboxEscapeError);
const e = caught as SandboxEscapeError;
expect(e.userPath).toBe('../escape.txt');
expect(e.sandboxDir).toBe(sandbox);
expect(e.message).toContain('Path escape attempt blocked');
});
});
describe('guardPath', () => {
let tmpDir: string;
it('allows an existing path inside a real temp sandbox', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
const subdir = path.join(tmpDir, 'subdir');
fs.mkdirSync(subdir);
const result = guardPath('subdir', tmpDir);
expect(result).toBe(subdir);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
it('allows sandbox root itself', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
const result = guardPath('.', tmpDir);
// realpathSync resolves the tmpdir symlinks (macOS /var -> /private/var)
const realTmp = fs.realpathSync.native(tmpDir);
expect(result).toBe(realTmp);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
it('rejects path traversal with ../ on existing sandbox', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
expect(() => guardPath('../escape', tmpDir)).toThrow(SandboxEscapeError);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
it('rejects absolute path outside sandbox', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
expect(() => guardPath('/etc/passwd', tmpDir)).toThrow(SandboxEscapeError);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
});

58
apps/gateway/src/agent/tools/path-guard.ts Normal file
View File

@@ -0,0 +1,58 @@
import path from 'node:path';
import fs from 'node:fs';
/**
* Resolves a user-provided path and verifies it is inside the allowed sandbox directory.
* Throws SandboxEscapeError if the resolved path is outside the sandbox.
*
* Uses realpathSync to resolve symlinks in the sandbox root. The user-supplied path
* is checked for containment AFTER lexical resolution but BEFORE resolving any symlinks
* within the user path — so symlink escape attempts are caught too.
*
* @param userPath - The path provided by the agent (may be relative or absolute)
* @param sandboxDir - The allowed root directory (already validated on session creation)
* @returns The resolved absolute path, guaranteed to be within sandboxDir
*/
export function guardPath(userPath: string, sandboxDir: string): string {
const resolved = path.resolve(sandboxDir, userPath);
const sandboxResolved = fs.realpathSync.native(sandboxDir);
// Normalize both paths to resolve any symlinks in the sandbox root itself.
// For the user path, we check containment BEFORE resolving symlinks in the path
// (so we catch symlink escape attempts too — the resolved path must still be under sandbox)
if (!resolved.startsWith(sandboxResolved + path.sep) && resolved !== sandboxResolved) {
throw new SandboxEscapeError(userPath, sandboxDir, resolved);
}
return resolved;
}
/**
* Validates a path without resolving symlinks in the user-provided portion.
* Use for paths that may not exist yet (creates, writes).
*
* Performs a lexical containment check only using path.resolve.
*/
export function guardPathUnsafe(userPath: string, sandboxDir: string): string {
const resolved = path.resolve(sandboxDir, userPath);
const sandboxAbs = path.resolve(sandboxDir);
if (!resolved.startsWith(sandboxAbs + path.sep) && resolved !== sandboxAbs) {
throw new SandboxEscapeError(userPath, sandboxDir, resolved);
}
return resolved;
}
export class SandboxEscapeError extends Error {
constructor(
public readonly userPath: string,
public readonly sandboxDir: string,
public readonly resolvedPath: string,
) {
super(
`Path escape attempt blocked: "${userPath}" resolves to "${resolvedPath}" which is outside sandbox "${sandboxDir}"`,
);
this.name = 'SandboxEscapeError';
}
}

34
apps/gateway/src/agent/tools/shell-tools.ts
View File

@@ -1,7 +1,7 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import { spawn } from 'node:child_process';
import { resolve, relative } from 'node:path';
import { guardPath, SandboxEscapeError } from './path-guard.js';
const DEFAULT_TIMEOUT_MS = 30_000;
const MAX_OUTPUT_BYTES = 100 * 1024; // 100 KB
@@ -68,22 +68,6 @@ function extractBaseCommand(command: string): string {
return firstToken.split('/').pop() ?? firstToken;
}
/**
* Clamp a user-supplied cwd to within the sandbox directory.
* If the resolved path escapes the sandbox (via ../ or absolute path outside),
* falls back to the sandbox directory itself.
*/
function clampCwd(sandboxDir: string, requestedCwd?: string): string {
if (!requestedCwd) return sandboxDir;
const resolved = resolve(sandboxDir, requestedCwd);
const rel = relative(sandboxDir, resolved);
if (rel.startsWith('..') || rel.startsWith('/')) {
// Escape attempt — fall back to sandbox root
return sandboxDir;
}
return resolved;
}
function runCommand(
command: string,
options: { timeoutMs: number; cwd?: string },
@@ -185,7 +169,21 @@ export function createShellTools(sandboxDir?: string): ToolDefinition[] {
}
const timeoutMs = Math.min(timeout ?? DEFAULT_TIMEOUT_MS, 60_000);
const safeCwd = clampCwd(defaultCwd, cwd);
let safeCwd: string;
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
const result = await runCommand(command, {
timeoutMs,

10
apps/gateway/src/app.module.ts
View File

@@ -17,6 +17,11 @@ import { SkillsModule } from './skills/skills.module.js';
import { PluginModule } from './plugin/plugin.module.js';
import { McpModule } from './mcp/mcp.module.js';
import { AdminModule } from './admin/admin.module.js';
import { CommandsModule } from './commands/commands.module.js';
import { PreferencesModule } from './preferences/preferences.module.js';
import { GCModule } from './gc/gc.module.js';
import { ReloadModule } from './reload/reload.module.js';
import { WorkspaceModule } from './workspace/workspace.module.js';
import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
@Module({
@@ -38,6 +43,11 @@ import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
PluginModule,
McpModule,
AdminModule,
PreferencesModule,
CommandsModule,
GCModule,
ReloadModule,
WorkspaceModule,
],
controllers: [HealthController],
providers: [

4
apps/gateway/src/chat/chat.dto.ts
View File

@@ -28,4 +28,8 @@ export class ChatSocketMessageDto {
@IsString()
@MaxLength(255)
modelId?: string;
@IsOptional()
@IsUUID()
agentId?: string;
}

104
apps/gateway/src/chat/chat.gateway.ts
View File

@@ -12,8 +12,11 @@ import {
import { Server, Socket } from 'socket.io';
import type { AgentSessionEvent } from '@mariozechner/pi-coding-agent';
import type { Auth } from '@mosaic/auth';
import type { SetThinkingPayload, SlashCommandPayload, SystemReloadPayload } from '@mosaic/types';
import { AgentService } from '../agent/agent.service.js';
import { AUTH } from '../auth/auth.tokens.js';
import { CommandRegistryService } from '../commands/command-registry.service.js';
import { CommandExecutorService } from '../commands/command-executor.service.js';
import { v4 as uuid } from 'uuid';
import { ChatSocketMessageDto } from './chat.dto.js';
import { validateSocketSession } from './chat.gateway-auth.js';
@@ -37,6 +40,8 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
constructor(
@Inject(AgentService) private readonly agentService: AgentService,
@Inject(AUTH) private readonly auth: Auth,
@Inject(CommandRegistryService) private readonly commandRegistry: CommandRegistryService,
@Inject(CommandExecutorService) private readonly commandExecutor: CommandExecutorService,
) {}
afterInit(): void {
@@ -54,6 +59,9 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
client.data.user = session.user;
client.data.session = session.session;
this.logger.log(`Client connected: ${client.id}`);
// Broadcast command manifest to the newly connected client
client.emit('commands:manifest', { manifest: this.commandRegistry.getManifest() });
}
handleDisconnect(client: Socket): void {
@@ -79,9 +87,12 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
try {
let agentSession = this.agentService.getSession(conversationId);
if (!agentSession) {
const userId = (client.data.user as { id: string } | undefined)?.id;
agentSession = await this.agentService.createSession(conversationId, {
provider: data.provider,
modelId: data.modelId,
agentConfigId: data.agentId,
userId,
});
}
} catch (err) {
@@ -112,6 +123,21 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
// Track channel connection
this.agentService.addChannel(conversationId, `websocket:${client.id}`);
// Send session info so the client knows the model/provider
{
const agentSession = this.agentService.getSession(conversationId);
if (agentSession) {
const piSession = agentSession.piSession;
client.emit('session:info', {
conversationId,
provider: agentSession.provider,
modelId: agentSession.modelId,
thinkingLevel: piSession.thinkingLevel,
availableThinkingLevels: piSession.getAvailableThinkingLevels(),
});
}
}
// Send acknowledgment
client.emit('message:ack', { conversationId, messageId: uuid() });
@@ -130,6 +156,58 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
}
}
@SubscribeMessage('set:thinking')
handleSetThinking(
@ConnectedSocket() client: Socket,
@MessageBody() data: SetThinkingPayload,
): void {
const session = this.agentService.getSession(data.conversationId);
if (!session) {
client.emit('error', {
conversationId: data.conversationId,
error: 'No active session for this conversation.',
});
return;
}
const validLevels = session.piSession.getAvailableThinkingLevels();
if (!validLevels.includes(data.level as never)) {
client.emit('error', {
conversationId: data.conversationId,
error: `Invalid thinking level "${data.level}". Available: ${validLevels.join(', ')}`,
});
return;
}
session.piSession.setThinkingLevel(data.level as never);
this.logger.log(
`Thinking level set to "${data.level}" for conversation ${data.conversationId}`,
);
client.emit('session:info', {
conversationId: data.conversationId,
provider: session.provider,
modelId: session.modelId,
thinkingLevel: session.piSession.thinkingLevel,
availableThinkingLevels: session.piSession.getAvailableThinkingLevels(),
});
}
@SubscribeMessage('command:execute')
async handleCommandExecute(
@ConnectedSocket() client: Socket,
@MessageBody() payload: SlashCommandPayload,
): Promise<void> {
const userId = (client.data.user as { id: string } | undefined)?.id ?? 'unknown';
const result = await this.commandExecutor.execute(payload, userId);
client.emit('command:result', result);
}
broadcastReload(payload: SystemReloadPayload): void {
this.server.emit('system:reload', payload);
this.logger.log('Broadcasted system:reload to all connected clients');
}
private relayEvent(client: Socket, conversationId: string, event: AgentSessionEvent): void {
if (!client.connected) {
this.logger.warn(
@@ -143,9 +221,31 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
client.emit('agent:start', { conversationId });
break;
case 'agent_end':
client.emit('agent:end', { conversationId });
case 'agent_end': {
// Gather usage stats from the Pi session
const agentSession = this.agentService.getSession(conversationId);
const piSession = agentSession?.piSession;
const stats = piSession?.getSessionStats();
const contextUsage = piSession?.getContextUsage();
client.emit('agent:end', {
conversationId,
usage: stats
? {
provider: agentSession?.provider ?? 'unknown',
modelId: agentSession?.modelId ?? 'unknown',
thinkingLevel: piSession?.thinkingLevel ?? 'off',
tokens: stats.tokens,
cost: stats.cost,
context: {
percent: contextUsage?.percent ?? null,
window: contextUsage?.contextWindow ?? 0,
},
}
: undefined,
});
break;
}
case 'message_update': {
const assistantEvent = event.assistantMessageEvent;

5
apps/gateway/src/chat/chat.module.ts
View File

@@ -1,9 +1,12 @@
import { Module } from '@nestjs/common';
import { forwardRef, Module } from '@nestjs/common';
import { CommandsModule } from '../commands/commands.module.js';
import { ChatGateway } from './chat.gateway.js';
import { ChatController } from './chat.controller.js';
@Module({
imports: [forwardRef(() => CommandsModule)],
controllers: [ChatController],
providers: [ChatGateway],
exports: [ChatGateway],
})
export class ChatModule {}

213
apps/gateway/src/commands/command-executor-p8012.spec.ts Normal file
View File

@@ -0,0 +1,213 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { CommandExecutorService } from './command-executor.service.js';
import type { SlashCommandPayload } from '@mosaic/types';
// Minimal mock implementations
const mockRegistry = {
getManifest: vi.fn(() => ({
version: 1,
commands: [
{ name: 'provider', aliases: [], scope: 'agent', execution: 'hybrid', available: true },
{ name: 'mission', aliases: [], scope: 'agent', execution: 'socket', available: true },
{ name: 'agent', aliases: ['a'], scope: 'agent', execution: 'socket', available: true },
{ name: 'prdy', aliases: [], scope: 'agent', execution: 'socket', available: true },
{ name: 'tools', aliases: [], scope: 'agent', execution: 'socket', available: true },
],
skills: [],
})),
};
const mockAgentService = {
getSession: vi.fn(() => undefined),
};
const mockSystemOverride = {
set: vi.fn(),
get: vi.fn(),
clear: vi.fn(),
renew: vi.fn(),
};
const mockSessionGC = {
sweepOrphans: vi.fn(() => ({ orphanedSessions: 0, totalCleaned: [], duration: 0 })),
};
const mockRedis = {
set: vi.fn().mockResolvedValue('OK'),
get: vi.fn(),
del: vi.fn(),
};
function buildService(): CommandExecutorService {
return new CommandExecutorService(
mockRegistry as never,
mockAgentService as never,
mockSystemOverride as never,
mockSessionGC as never,
mockRedis as never,
null,
null,
);
}
describe('CommandExecutorService — P8-012 commands', () => {
let service: CommandExecutorService;
const userId = 'user-123';
const conversationId = 'conv-456';
beforeEach(() => {
vi.clearAllMocks();
service = buildService();
});
// /provider login — missing provider name
it('/provider login with no provider name returns usage error', async () => {
const payload: SlashCommandPayload = { command: 'provider', args: 'login', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('Usage: /provider login');
expect(result.command).toBe('provider');
});
// /provider login anthropic — success with URL containing poll token
it('/provider login <name> returns success with URL and poll token', async () => {
const payload: SlashCommandPayload = {
command: 'provider',
args: 'login anthropic',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('provider');
expect(result.message).toContain('anthropic');
expect(result.message).toContain('http');
// data should contain loginUrl and pollToken
expect(result.data).toBeDefined();
const data = result.data as Record<string, unknown>;
expect(typeof data['loginUrl']).toBe('string');
expect(typeof data['pollToken']).toBe('string');
expect(data['loginUrl'] as string).toContain('anthropic');
expect(data['loginUrl'] as string).toContain(data['pollToken'] as string);
// Verify Valkey was called
expect(mockRedis.set).toHaveBeenCalledOnce();
const [key, value, , ttl] = mockRedis.set.mock.calls[0] as [string, string, string, number];
expect(key).toContain('mosaic:auth:poll:');
const stored = JSON.parse(value) as { status: string; provider: string; userId: string };
expect(stored.status).toBe('pending');
expect(stored.provider).toBe('anthropic');
expect(stored.userId).toBe(userId);
expect(ttl).toBe(300);
});
// /provider with no args — returns usage
it('/provider with no args returns usage message', async () => {
const payload: SlashCommandPayload = { command: 'provider', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Usage: /provider');
});
// /provider list
it('/provider list returns success', async () => {
const payload: SlashCommandPayload = { command: 'provider', args: 'list', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('provider');
});
// /provider logout with no name — usage error
it('/provider logout with no name returns error', async () => {
const payload: SlashCommandPayload = { command: 'provider', args: 'logout', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('Usage: /provider logout');
});
// /provider unknown subcommand
it('/provider unknown subcommand returns error', async () => {
const payload: SlashCommandPayload = {
command: 'provider',
args: 'unknown',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('Unknown subcommand');
});
// /mission status
it('/mission status returns stub message', async () => {
const payload: SlashCommandPayload = { command: 'mission', args: 'status', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('mission');
expect(result.message).toContain('Mission status');
});
// /mission with no args
it('/mission with no args returns status stub', async () => {
const payload: SlashCommandPayload = { command: 'mission', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Mission status');
});
// /mission set <id>
it('/mission set <id> returns confirmation', async () => {
const payload: SlashCommandPayload = {
command: 'mission',
args: 'set my-mission-123',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('my-mission-123');
});
// /agent list
it('/agent list returns stub message', async () => {
const payload: SlashCommandPayload = { command: 'agent', args: 'list', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('agent');
expect(result.message).toContain('agent');
});
// /agent with no args
it('/agent with no args returns usage', async () => {
const payload: SlashCommandPayload = { command: 'agent', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Usage: /agent');
});
// /agent <id> — switch
it('/agent <id> returns switch confirmation', async () => {
const payload: SlashCommandPayload = {
command: 'agent',
args: 'my-agent-id',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('my-agent-id');
});
// /prdy
it('/prdy returns PRD wizard message', async () => {
const payload: SlashCommandPayload = { command: 'prdy', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('prdy');
expect(result.message).toContain('mosaic prdy');
});
// /tools
it('/tools returns tools stub message', async () => {
const payload: SlashCommandPayload = { command: 'tools', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('tools');
expect(result.message).toContain('tools');
});
});

373
apps/gateway/src/commands/command-executor.service.ts Normal file
View File

@@ -0,0 +1,373 @@
import { forwardRef, Inject, Injectable, Logger, Optional } from '@nestjs/common';
import type { QueueHandle } from '@mosaic/queue';
import type { SlashCommandPayload, SlashCommandResultPayload } from '@mosaic/types';
import { AgentService } from '../agent/agent.service.js';
import { ChatGateway } from '../chat/chat.gateway.js';
import { SessionGCService } from '../gc/session-gc.service.js';
import { SystemOverrideService } from '../preferences/system-override.service.js';
import { ReloadService } from '../reload/reload.service.js';
import { COMMANDS_REDIS } from './commands.tokens.js';
import { CommandRegistryService } from './command-registry.service.js';
@Injectable()
export class CommandExecutorService {
private readonly logger = new Logger(CommandExecutorService.name);
constructor(
@Inject(CommandRegistryService) private readonly registry: CommandRegistryService,
@Inject(AgentService) private readonly agentService: AgentService,
@Inject(SystemOverrideService) private readonly systemOverride: SystemOverrideService,
@Inject(SessionGCService) private readonly sessionGC: SessionGCService,
@Inject(COMMANDS_REDIS) private readonly redis: QueueHandle['redis'],
@Optional()
@Inject(forwardRef(() => ReloadService))
private readonly reloadService: ReloadService | null,
@Optional()
@Inject(forwardRef(() => ChatGateway))
private readonly chatGateway: ChatGateway | null,
) {}
async execute(payload: SlashCommandPayload, userId: string): Promise<SlashCommandResultPayload> {
const { command, args, conversationId } = payload;
const def = this.registry.getManifest().commands.find((c) => c.name === command);
if (!def) {
return {
command,
conversationId,
success: false,
message: `Unknown command: /${command}`,
};
}
try {
switch (command) {
case 'model':
return await this.handleModel(args ?? null, conversationId);
case 'thinking':
return await this.handleThinking(args ?? null, conversationId);
case 'system':
return await this.handleSystem(args ?? null, conversationId);
case 'new':
return {
command,
conversationId,
success: true,
message: 'Start a new conversation by selecting New Conversation.',
};
case 'clear':
return {
command,
conversationId,
success: true,
message: 'Conversation display cleared.',
};
case 'compact':
return {
command,
conversationId,
success: true,
message: 'Context compaction requested.',
};
case 'retry':
return {
command,
conversationId,
success: true,
message: 'Retry last message requested.',
};
case 'gc': {
// User-scoped sweep for non-admin; system-wide for admin
const result = await this.sessionGC.sweepOrphans(userId);
return {
command: 'gc',
success: true,
message: `GC sweep complete: ${result.orphanedSessions} orphaned sessions cleaned in ${result.duration}ms.`,
conversationId,
};
}
case 'agent':
return await this.handleAgent(args ?? null, conversationId);
case 'provider':
return await this.handleProvider(args ?? null, userId, conversationId);
case 'mission':
return await this.handleMission(args ?? null, conversationId, userId);
case 'prdy':
return {
command: 'prdy',
success: true,
message:
'PRD wizard: run `mosaic prdy` in your project workspace to create or update a PRD.',
conversationId,
};
case 'tools':
return await this.handleTools(conversationId, userId);
case 'reload': {
if (!this.reloadService) {
return {
command: 'reload',
conversationId,
success: false,
message: 'ReloadService is not available.',
};
}
const reloadResult = await this.reloadService.reload('command');
this.chatGateway?.broadcastReload(reloadResult);
return {
command: 'reload',
success: true,
message: reloadResult.message,
conversationId,
};
}
default:
return {
command,
conversationId,
success: false,
message: `Command /${command} is not yet implemented.`,
};
}
} catch (err) {
this.logger.error(`Command /${command} failed: ${err}`);
return { command, conversationId, success: false, message: String(err) };
}
}
private async handleModel(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args) {
return {
command: 'model',
conversationId,
success: true,
message: 'Usage: /model <model-name>',
};
}
// Update agent session model if session is active
// For now, acknowledge the request — full wiring done in P8-012
const session = this.agentService.getSession(conversationId);
if (!session) {
return {
command: 'model',
conversationId,
success: true,
message: `Model switch to "${args}" requested. No active session for this conversation.`,
};
}
return {
command: 'model',
conversationId,
success: true,
message: `Model switch to "${args}" requested.`,
};
}
private async handleThinking(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
const level = args?.toLowerCase();
if (!level || !['none', 'low', 'medium', 'high', 'auto'].includes(level)) {
return {
command: 'thinking',
conversationId,
success: true,
message: 'Usage: /thinking <none|low|medium|high|auto>',
};
}
return {
command: 'thinking',
conversationId,
success: true,
message: `Thinking level set to "${level}".`,
};
}
private async handleSystem(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args || args.trim().length === 0) {
// Clear the override when called with no args
await this.systemOverride.clear(conversationId);
return {
command: 'system',
conversationId,
success: true,
message: 'Session system prompt override cleared.',
};
}
await this.systemOverride.set(conversationId, args.trim());
return {
command: 'system',
conversationId,
success: true,
message: `Session system prompt override set (expires in 5 minutes of inactivity).`,
};
}
private async handleAgent(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args) {
return {
command: 'agent',
success: true,
message: 'Usage: /agent <agent-id> to switch, or /agent list to see available agents.',
conversationId,
};
}
if (args === 'list') {
return {
command: 'agent',
success: true,
message: 'Agent listing: use the web dashboard for full agent management.',
conversationId,
};
}
// Switch agent — stub for now (full implementation in P8-015)
return {
command: 'agent',
success: true,
message: `Agent switch to "${args}" requested. Restart conversation to apply.`,
conversationId,
};
}
private async handleProvider(
args: string | null,
userId: string,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args) {
return {
command: 'provider',
success: true,
message: 'Usage: /provider list | /provider login <name> | /provider logout <name>',
conversationId,
};
}
const spaceIdx = args.indexOf(' ');
const subcommand = spaceIdx >= 0 ? args.slice(0, spaceIdx) : args;
const providerName = spaceIdx >= 0 ? args.slice(spaceIdx + 1).trim() : '';
switch (subcommand) {
case 'list':
return {
command: 'provider',
success: true,
message: 'Use the web dashboard to manage providers.',
conversationId,
};
case 'login': {
if (!providerName) {
return {
command: 'provider',
success: false,
message: 'Usage: /provider login <provider-name>',
conversationId,
};
}
const pollToken = crypto.randomUUID();
const key = `mosaic:auth:poll:${pollToken}`;
// Store pending state in Valkey (TTL 5 minutes)
await this.redis.set(
key,
JSON.stringify({ status: 'pending', provider: providerName, userId }),
'EX',
300,
);
// In production this would construct an OAuth URL
const loginUrl = `${process.env['MOSAIC_BASE_URL'] ?? 'http://localhost:3000'}/auth/provider/${providerName}?token=${pollToken}`;
return {
command: 'provider',
success: true,
message: `Open this URL to authenticate with ${providerName}:\n${loginUrl}`,
conversationId,
data: { loginUrl, pollToken, provider: providerName },
};
}
case 'logout': {
if (!providerName) {
return {
command: 'provider',
success: false,
message: 'Usage: /provider logout <provider-name>',
conversationId,
};
}
return {
command: 'provider',
success: true,
message: `Logout from ${providerName}: use the web dashboard to revoke provider tokens.`,
conversationId,
};
}
default:
return {
command: 'provider',
success: false,
message: `Unknown subcommand: ${subcommand}. Use list, login, or logout.`,
conversationId,
};
}
}
private async handleMission(
args: string | null,
conversationId: string,
_userId: string,
): Promise<SlashCommandResultPayload> {
if (!args || args === 'status') {
// TODO: fetch active mission from DB when MissionsService is available
return {
command: 'mission',
success: true,
message: 'Mission status: use the web dashboard for full mission management.',
conversationId,
};
}
if (args.startsWith('set ')) {
const missionId = args.slice(4).trim();
return {
command: 'mission',
success: true,
message: `Mission set to ${missionId}. Session context updated.`,
conversationId,
};
}
return {
command: 'mission',
success: true,
message: 'Usage: /mission [status|set <id>|list|tasks]',
conversationId,
};
}
private async handleTools(
conversationId: string,
_userId: string,
): Promise<SlashCommandResultPayload> {
// TODO: fetch tool list from active agent session
return {
command: 'tools',
success: true,
message:
'Available tools depend on the active agent configuration. Use the web dashboard to configure tool access.',
conversationId,
};
}
}

53
apps/gateway/src/commands/command-registry.service.spec.ts Normal file
View File

@@ -0,0 +1,53 @@
import { describe, it, expect, beforeEach } from 'vitest';
import { CommandRegistryService } from './command-registry.service.js';
import type { CommandDef } from '@mosaic/types';
const mockCmd: CommandDef = {
name: 'test',
description: 'Test command',
aliases: ['t'],
scope: 'core',
execution: 'local',
available: true,
};
describe('CommandRegistryService', () => {
let service: CommandRegistryService;
beforeEach(() => {
service = new CommandRegistryService();
});
it('starts with empty manifest', () => {
expect(service.getManifest().commands).toHaveLength(0);
});
it('registers a command', () => {
service.registerCommand(mockCmd);
expect(service.getManifest().commands).toHaveLength(1);
});
it('updates existing command by name', () => {
service.registerCommand(mockCmd);
service.registerCommand({ ...mockCmd, description: 'Updated' });
expect(service.getManifest().commands).toHaveLength(1);
expect(service.getManifest().commands[0]?.description).toBe('Updated');
});
it('onModuleInit registers core commands', () => {
service.onModuleInit();
const manifest = service.getManifest();
expect(manifest.commands.length).toBeGreaterThan(5);
expect(manifest.commands.some((c) => c.name === 'model')).toBe(true);
expect(manifest.commands.some((c) => c.name === 'help')).toBe(true);
});
it('manifest includes skills array', () => {
const manifest = service.getManifest();
expect(Array.isArray(manifest.skills)).toBe(true);
});
it('manifest version is 1', () => {
expect(service.getManifest().version).toBe(1);
});
});

273
apps/gateway/src/commands/command-registry.service.ts Normal file
View File

@@ -0,0 +1,273 @@
import { Injectable, type OnModuleInit } from '@nestjs/common';
import type { CommandDef, CommandManifest } from '@mosaic/types';
@Injectable()
export class CommandRegistryService implements OnModuleInit {
private readonly commands: CommandDef[] = [];
registerCommand(def: CommandDef): void {
const existing = this.commands.findIndex((c) => c.name === def.name);
if (existing >= 0) {
this.commands[existing] = def;
} else {
this.commands.push(def);
}
}
registerCommands(defs: CommandDef[]): void {
for (const def of defs) {
this.registerCommand(def);
}
}
getManifest(): CommandManifest {
return {
version: 1,
commands: [...this.commands],
skills: [],
};
}
onModuleInit(): void {
this.registerCommands([
{
name: 'model',
description: 'Switch the active model',
aliases: ['m'],
args: [
{
name: 'model-name',
type: 'string',
optional: false,
description: 'Model name to switch to',
},
],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'thinking',
description: 'Set thinking level (none/low/medium/high/auto)',
aliases: ['t'],
args: [
{
name: 'level',
type: 'enum',
optional: false,
values: ['none', 'low', 'medium', 'high', 'auto'],
description: 'Thinking level',
},
],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'new',
description: 'Start a new conversation',
aliases: ['n'],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'clear',
description: 'Clear conversation context and GC session artifacts',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'compact',
description: 'Request context compaction',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'retry',
description: 'Retry the last message',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'rename',
description: 'Rename current conversation',
aliases: [],
args: [
{ name: 'name', type: 'string', optional: false, description: 'New conversation name' },
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'history',
description: 'Show conversation history',
aliases: [],
args: [
{
name: 'limit',
type: 'string',
optional: true,
description: 'Number of messages to show',
},
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'export',
description: 'Export conversation to markdown or JSON',
aliases: [],
args: [
{
name: 'format',
type: 'enum',
optional: true,
values: ['md', 'json'],
description: 'Export format',
},
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'preferences',
description: 'View or set user preferences',
aliases: ['pref'],
args: [
{
name: 'action',
type: 'enum',
optional: true,
values: ['show', 'set', 'reset'],
description: 'Action to perform',
},
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'system',
description: 'Set session-scoped system prompt override',
aliases: [],
args: [
{
name: 'override',
type: 'string',
optional: false,
description: 'System prompt text to inject for this session',
},
],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'status',
description: 'Show session and connection status',
aliases: ['s'],
scope: 'core',
execution: 'hybrid',
available: true,
},
{
name: 'help',
description: 'Show available commands',
aliases: ['h'],
scope: 'core',
execution: 'local',
available: true,
},
{
name: 'gc',
description: 'Trigger garbage collection sweep (user-scoped)',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'agent',
description: 'Switch or list available agents',
aliases: ['a'],
args: [
{
name: 'args',
type: 'string',
optional: true,
description: 'list or <agent-id>',
},
],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'provider',
description: 'Manage LLM providers (list/login/logout)',
aliases: [],
args: [
{
name: 'args',
type: 'string',
optional: true,
description: 'list | login <name> | logout <name>',
},
],
scope: 'agent',
execution: 'hybrid',
available: true,
},
{
name: 'mission',
description: 'View or set active mission',
aliases: [],
args: [
{
name: 'args',
type: 'string',
optional: true,
description: 'status | set <id> | list | tasks',
},
],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'prdy',
description: 'Launch PRD wizard',
aliases: [],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'tools',
description: 'List available agent tools',
aliases: [],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'reload',
description: 'Soft-reload gateway plugins and command manifest (admin)',
aliases: [],
scope: 'admin',
execution: 'socket',
available: true,
},
]);
}
}

253
apps/gateway/src/commands/commands.integration.spec.ts Normal file
View File

@@ -0,0 +1,253 @@
/**
* Integration tests for the gateway command system (P8-019)
*
* Covers:
* - CommandRegistryService.getManifest() returns 12+ core commands
* - All core commands have correct execution types
* - Alias resolution works for all defined aliases
* - CommandExecutorService routes known/unknown commands correctly
* - /gc handler calls SessionGCService.sweepOrphans
* - /system handler calls SystemOverrideService.set
* - Unknown command returns descriptive error
*/
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { CommandRegistryService } from './command-registry.service.js';
import { CommandExecutorService } from './command-executor.service.js';
import type { SlashCommandPayload } from '@mosaic/types';
// ─── Mocks ───────────────────────────────────────────────────────────────────
const mockAgentService = {
getSession: vi.fn(() => undefined),
};
const mockSystemOverride = {
set: vi.fn().mockResolvedValue(undefined),
get: vi.fn().mockResolvedValue(null),
clear: vi.fn().mockResolvedValue(undefined),
renew: vi.fn().mockResolvedValue(undefined),
};
const mockSessionGC = {
sweepOrphans: vi.fn().mockResolvedValue({ orphanedSessions: 3, totalCleaned: [], duration: 12 }),
};
const mockRedis = {
set: vi.fn().mockResolvedValue('OK'),
get: vi.fn().mockResolvedValue(null),
del: vi.fn().mockResolvedValue(0),
keys: vi.fn().mockResolvedValue([]),
};
// ─── Helpers ─────────────────────────────────────────────────────────────────
function buildRegistry(): CommandRegistryService {
const svc = new CommandRegistryService();
svc.onModuleInit(); // seed core commands
return svc;
}
function buildExecutor(registry: CommandRegistryService): CommandExecutorService {
return new CommandExecutorService(
registry as never,
mockAgentService as never,
mockSystemOverride as never,
mockSessionGC as never,
mockRedis as never,
null, // reloadService (optional)
null, // chatGateway (optional)
);
}
// ─── Registry Tests ───────────────────────────────────────────────────────────
describe('CommandRegistryService — integration', () => {
let registry: CommandRegistryService;
beforeEach(() => {
registry = buildRegistry();
});
it('getManifest() returns 12 or more core commands after onModuleInit', () => {
const manifest = registry.getManifest();
expect(manifest.commands.length).toBeGreaterThanOrEqual(12);
});
it('manifest version is 1', () => {
expect(registry.getManifest().version).toBe(1);
});
it('manifest.skills is an array', () => {
expect(Array.isArray(registry.getManifest().skills)).toBe(true);
});
it('all commands have required fields: name, description, execution, scope, available', () => {
for (const cmd of registry.getManifest().commands) {
expect(typeof cmd.name).toBe('string');
expect(typeof cmd.description).toBe('string');
expect(['local', 'socket', 'rest', 'hybrid']).toContain(cmd.execution);
expect(['core', 'agent', 'admin']).toContain(cmd.scope);
expect(typeof cmd.available).toBe('boolean');
}
});
// Execution type verification for core commands
const expectedExecutionTypes: Record<string, string> = {
model: 'socket',
thinking: 'socket',
new: 'socket',
clear: 'socket',
compact: 'socket',
retry: 'socket',
rename: 'rest',
history: 'rest',
export: 'rest',
preferences: 'rest',
system: 'socket',
help: 'local',
gc: 'socket',
agent: 'socket',
provider: 'hybrid',
mission: 'socket',
prdy: 'socket',
tools: 'socket',
reload: 'socket',
};
for (const [name, expectedExecution] of Object.entries(expectedExecutionTypes)) {
it(`command "${name}" has execution type "${expectedExecution}"`, () => {
const cmd = registry.getManifest().commands.find((c) => c.name === name);
expect(cmd, `command "${name}" not found`).toBeDefined();
expect(cmd!.execution).toBe(expectedExecution);
});
}
// Alias resolution checks
const expectedAliases: Array<[string, string]> = [
['m', 'model'],
['t', 'thinking'],
['n', 'new'],
['a', 'agent'],
['s', 'status'],
['h', 'help'],
['pref', 'preferences'],
];
for (const [alias, commandName] of expectedAliases) {
it(`alias "/${alias}" resolves to command "${commandName}" via aliases array`, () => {
const cmd = registry
.getManifest()
.commands.find((c) => c.name === commandName || c.aliases?.includes(alias));
expect(cmd, `command with alias "${alias}" not found`).toBeDefined();
});
}
});
// ─── Executor Tests ───────────────────────────────────────────────────────────
describe('CommandExecutorService — integration', () => {
let registry: CommandRegistryService;
let executor: CommandExecutorService;
const userId = 'user-integ-001';
const conversationId = 'conv-integ-001';
beforeEach(() => {
vi.clearAllMocks();
registry = buildRegistry();
executor = buildExecutor(registry);
});
// Unknown command returns error
it('unknown command returns success:false with descriptive message', async () => {
const payload: SlashCommandPayload = { command: 'nonexistent', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('nonexistent');
expect(result.command).toBe('nonexistent');
});
// /gc handler calls SessionGCService.sweepOrphans
it('/gc calls SessionGCService.sweepOrphans with userId', async () => {
const payload: SlashCommandPayload = { command: 'gc', conversationId };
const result = await executor.execute(payload, userId);
expect(mockSessionGC.sweepOrphans).toHaveBeenCalledWith(userId);
expect(result.success).toBe(true);
expect(result.message).toContain('GC sweep complete');
expect(result.message).toContain('3 orphaned sessions');
});
// /system with args calls SystemOverrideService.set
it('/system with text calls SystemOverrideService.set', async () => {
const override = 'You are a helpful assistant.';
const payload: SlashCommandPayload = { command: 'system', args: override, conversationId };
const result = await executor.execute(payload, userId);
expect(mockSystemOverride.set).toHaveBeenCalledWith(conversationId, override);
expect(result.success).toBe(true);
expect(result.message).toContain('override set');
});
// /system with no args clears the override
it('/system with no args calls SystemOverrideService.clear', async () => {
const payload: SlashCommandPayload = { command: 'system', conversationId };
const result = await executor.execute(payload, userId);
expect(mockSystemOverride.clear).toHaveBeenCalledWith(conversationId);
expect(result.success).toBe(true);
expect(result.message).toContain('cleared');
});
// /model with model name returns success
it('/model with a model name returns success', async () => {
const payload: SlashCommandPayload = {
command: 'model',
args: 'claude-3-opus',
conversationId,
};
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('model');
expect(result.message).toContain('claude-3-opus');
});
// /thinking with valid level returns success
it('/thinking with valid level returns success', async () => {
const payload: SlashCommandPayload = { command: 'thinking', args: 'high', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('high');
});
// /thinking with invalid level returns usage message
it('/thinking with invalid level returns usage message', async () => {
const payload: SlashCommandPayload = { command: 'thinking', args: 'invalid', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Usage:');
});
// /new command returns success
it('/new returns success', async () => {
const payload: SlashCommandPayload = { command: 'new', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('new');
});
// /reload without reloadService returns failure
it('/reload without ReloadService returns failure', async () => {
const payload: SlashCommandPayload = { command: 'reload', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('ReloadService');
});
// Commands not yet fully implemented return a fallback response
const stubCommands = ['clear', 'compact', 'retry'];
for (const cmd of stubCommands) {
it(`/${cmd} returns success (stub)`, async () => {
const payload: SlashCommandPayload = { command: cmd, conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe(cmd);
});
}
});

37
apps/gateway/src/commands/commands.module.ts Normal file
View File

@@ -0,0 +1,37 @@
import { forwardRef, Inject, Module, type OnApplicationShutdown } from '@nestjs/common';
import { createQueue, type QueueHandle } from '@mosaic/queue';
import { ChatModule } from '../chat/chat.module.js';
import { GCModule } from '../gc/gc.module.js';
import { ReloadModule } from '../reload/reload.module.js';
import { CommandExecutorService } from './command-executor.service.js';
import { CommandRegistryService } from './command-registry.service.js';
import { COMMANDS_REDIS } from './commands.tokens.js';
const COMMANDS_QUEUE_HANDLE = 'COMMANDS_QUEUE_HANDLE';
@Module({
imports: [GCModule, forwardRef(() => ReloadModule), forwardRef(() => ChatModule)],
providers: [
{
provide: COMMANDS_QUEUE_HANDLE,
useFactory: (): QueueHandle => {
return createQueue();
},
},
{
provide: COMMANDS_REDIS,
useFactory: (handle: QueueHandle) => handle.redis,
inject: [COMMANDS_QUEUE_HANDLE],
},
CommandRegistryService,
CommandExecutorService,
],
exports: [CommandRegistryService, CommandExecutorService],
})
export class CommandsModule implements OnApplicationShutdown {
constructor(@Inject(COMMANDS_QUEUE_HANDLE) private readonly handle: QueueHandle) {}
async onApplicationShutdown(): Promise<void> {
await this.handle.close().catch(() => {});
}
}

1
apps/gateway/src/commands/commands.tokens.ts Normal file
View File

@@ -0,0 +1 @@
export const COMMANDS_REDIS = 'COMMANDS_REDIS';

136
apps/gateway/src/coord/coord.controller.ts
View File

@@ -1,30 +1,17 @@
import {
BadRequestException,
Body,
Controller,
Delete,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Param,
Patch,
Post,
Query,
UseGuards,
} from '@nestjs/common';
import fs from 'node:fs';
import path from 'node:path';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { CoordService } from './coord.service.js';
import type {
CreateDbMissionDto,
UpdateDbMissionDto,
CreateMissionTaskDto,
UpdateMissionTaskDto,
} from './coord.dto.js';
/** Walk up from cwd to find the monorepo root (has pnpm-workspace.yaml). */
function findMonorepoRoot(start: string): string {
@@ -57,13 +44,15 @@ function resolveAndValidatePath(raw: string | undefined): string {
return resolved;
}
/**
* File-based coord endpoints for agent tool consumption.
* DB-backed mission CRUD has moved to MissionsController at /api/missions.
*/
@Controller('api/coord')
@UseGuards(AuthGuard)
export class CoordController {
constructor(@Inject(CoordService) private readonly coordService: CoordService) {}
// ── File-based coord endpoints (legacy) ──
@Get('status')
async missionStatus(@Query('projectPath') projectPath?: string) {
const resolvedPath = resolveAndValidatePath(projectPath);
@@ -85,121 +74,4 @@ export class CoordController {
if (!detail) throw new NotFoundException(`Task ${taskId} not found in coord mission`);
return detail;
}
// ── DB-backed mission endpoints ──
@Get('missions')
async listDbMissions(@CurrentUser() user: { id: string }) {
return this.coordService.getMissionsByUser(user.id);
}
@Get('missions/:id')
async getDbMission(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const mission = await this.coordService.getMissionByIdAndUser(id, user.id);
if (!mission) throw new NotFoundException('Mission not found');
return mission;
}
@Post('missions')
async createDbMission(@Body() dto: CreateDbMissionDto, @CurrentUser() user: { id: string }) {
return this.coordService.createDbMission({
name: dto.name,
description: dto.description,
projectId: dto.projectId,
userId: user.id,
phase: dto.phase,
milestones: dto.milestones,
config: dto.config,
status: dto.status,
});
}
@Patch('missions/:id')
async updateDbMission(
@Param('id') id: string,
@Body() dto: UpdateDbMissionDto,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.updateDbMission(id, user.id, dto);
if (!mission) throw new NotFoundException('Mission not found');
return mission;
}
@Delete('missions/:id')
@HttpCode(HttpStatus.NO_CONTENT)
async deleteDbMission(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const deleted = await this.coordService.deleteDbMission(id, user.id);
if (!deleted) throw new NotFoundException('Mission not found');
}
// ── DB-backed mission task endpoints ──
@Get('missions/:missionId/mission-tasks')
async listMissionTasks(
@Param('missionId') missionId: string,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
return this.coordService.getMissionTasksByMissionAndUser(missionId, user.id);
}
@Get('missions/:missionId/mission-tasks/:taskId')
async getMissionTask(
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const task = await this.coordService.getMissionTaskByIdAndUser(taskId, user.id);
if (!task) throw new NotFoundException('Mission task not found');
return task;
}
@Post('missions/:missionId/mission-tasks')
async createMissionTask(
@Param('missionId') missionId: string,
@Body() dto: CreateMissionTaskDto,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
return this.coordService.createMissionTask({
missionId,
taskId: dto.taskId,
userId: user.id,
status: dto.status,
description: dto.description,
notes: dto.notes,
pr: dto.pr,
});
}
@Patch('missions/:missionId/mission-tasks/:taskId')
async updateMissionTask(
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@Body() dto: UpdateMissionTaskDto,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const updated = await this.coordService.updateMissionTask(taskId, user.id, dto);
if (!updated) throw new NotFoundException('Mission task not found');
return updated;
}
@Delete('missions/:missionId/mission-tasks/:taskId')
@HttpCode(HttpStatus.NO_CONTENT)
async deleteMissionTask(
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const deleted = await this.coordService.deleteMissionTask(taskId, user.id);
if (!deleted) throw new NotFoundException('Mission task not found');
}
}

74
apps/gateway/src/coord/coord.service.ts
View File

@@ -1,6 +1,4 @@
import { Injectable, Logger, Inject } from '@nestjs/common';
import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { Injectable, Logger } from '@nestjs/common';
import {
loadMission,
getMissionStatus,
@@ -14,12 +12,14 @@ import {
import { promises as fs } from 'node:fs';
import path from 'node:path';
/**
* File-based coord operations for agent tool consumption.
* DB-backed mission CRUD is handled directly by MissionsController via Brain repos.
*/
@Injectable()
export class CoordService {
private readonly logger = new Logger(CoordService.name);
constructor(@Inject(BRAIN) private readonly brain: Brain) {}
async loadMission(projectPath: string): Promise<Mission | null> {
try {
return await loadMission(projectPath);
@@ -74,68 +74,4 @@ export class CoordService {
return [];
}
}
// ── DB-backed methods for multi-tenant mission management ──
async getMissionsByUser(userId: string) {
return this.brain.missions.findAllByUser(userId);
}
async getMissionByIdAndUser(id: string, userId: string) {
return this.brain.missions.findByIdAndUser(id, userId);
}
async getMissionsByProjectAndUser(projectId: string, userId: string) {
return this.brain.missions.findByProjectAndUser(projectId, userId);
}
async createDbMission(data: Parameters<Brain['missions']['create']>[0]) {
return this.brain.missions.create(data);
}
async updateDbMission(
id: string,
userId: string,
data: Parameters<Brain['missions']['update']>[1],
) {
const existing = await this.brain.missions.findByIdAndUser(id, userId);
if (!existing) return null;
return this.brain.missions.update(id, data);
}
async deleteDbMission(id: string, userId: string) {
const existing = await this.brain.missions.findByIdAndUser(id, userId);
if (!existing) return false;
return this.brain.missions.remove(id);
}
// ── DB-backed methods for mission tasks (coord tracking) ──
async getMissionTasksByMissionAndUser(missionId: string, userId: string) {
return this.brain.missionTasks.findByMissionAndUser(missionId, userId);
}
async getMissionTaskByIdAndUser(id: string, userId: string) {
return this.brain.missionTasks.findByIdAndUser(id, userId);
}
async createMissionTask(data: Parameters<Brain['missionTasks']['create']>[0]) {
return this.brain.missionTasks.create(data);
}
async updateMissionTask(
id: string,
userId: string,
data: Parameters<Brain['missionTasks']['update']>[1],
) {
const existing = await this.brain.missionTasks.findByIdAndUser(id, userId);
if (!existing) return null;
return this.brain.missionTasks.update(id, data);
}
async deleteMissionTask(id: string, userId: string) {
const existing = await this.brain.missionTasks.findByIdAndUser(id, userId);
if (!existing) return false;
return this.brain.missionTasks.remove(id);
}
}

31
apps/gateway/src/gc/gc.module.ts Normal file
View File

@@ -0,0 +1,31 @@
import { Module, type OnApplicationShutdown, Inject } from '@nestjs/common';
import { createQueue, type QueueHandle } from '@mosaic/queue';
import { SessionGCService } from './session-gc.service.js';
import { REDIS } from './gc.tokens.js';
const GC_QUEUE_HANDLE = 'GC_QUEUE_HANDLE';
@Module({
providers: [
{
provide: GC_QUEUE_HANDLE,
useFactory: (): QueueHandle => {
return createQueue();
},
},
{
provide: REDIS,
useFactory: (handle: QueueHandle) => handle.redis,
inject: [GC_QUEUE_HANDLE],
},
SessionGCService,
],
exports: [SessionGCService],
})
export class GCModule implements OnApplicationShutdown {
constructor(@Inject(GC_QUEUE_HANDLE) private readonly handle: QueueHandle) {}
async onApplicationShutdown(): Promise<void> {
await this.handle.close().catch(() => {});
}
}

1
apps/gateway/src/gc/gc.tokens.ts Normal file
View File

@@ -0,0 +1 @@
export const REDIS = 'REDIS';

97
apps/gateway/src/gc/session-gc.service.spec.ts Normal file
View File

@@ -0,0 +1,97 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { Logger } from '@nestjs/common';
import type { QueueHandle } from '@mosaic/queue';
import type { LogService } from '@mosaic/log';
import { SessionGCService } from './session-gc.service.js';
type MockRedis = {
keys: ReturnType<typeof vi.fn>;
del: ReturnType<typeof vi.fn>;
};
describe('SessionGCService', () => {
let service: SessionGCService;
let mockRedis: MockRedis;
let mockLogService: { logs: { promoteToWarm: ReturnType<typeof vi.fn> } };
beforeEach(() => {
mockRedis = {
keys: vi.fn().mockResolvedValue([]),
del: vi.fn().mockResolvedValue(0),
};
mockLogService = {
logs: {
promoteToWarm: vi.fn().mockResolvedValue(0),
},
};
// Suppress logger output in tests
vi.spyOn(Logger.prototype, 'log').mockImplementation(() => {});
service = new SessionGCService(
mockRedis as unknown as QueueHandle['redis'],
mockLogService as unknown as LogService,
);
});
it('collect() deletes Valkey keys for session', async () => {
mockRedis.keys.mockResolvedValue(['mosaic:session:abc:system', 'mosaic:session:abc:foo']);
const result = await service.collect('abc');
expect(mockRedis.del).toHaveBeenCalledWith(
'mosaic:session:abc:system',
'mosaic:session:abc:foo',
);
expect(result.cleaned.valkeyKeys).toBe(2);
});
it('collect() with no keys returns empty cleaned valkeyKeys', async () => {
mockRedis.keys.mockResolvedValue([]);
const result = await service.collect('abc');
expect(result.cleaned.valkeyKeys).toBeUndefined();
});
it('collect() returns sessionId in result', async () => {
const result = await service.collect('test-session-id');
expect(result.sessionId).toBe('test-session-id');
});
it('fullCollect() deletes all session keys', async () => {
mockRedis.keys.mockResolvedValue(['mosaic:session:abc:system', 'mosaic:session:xyz:foo']);
const result = await service.fullCollect();
expect(mockRedis.del).toHaveBeenCalled();
expect(result.valkeyKeys).toBe(2);
});
it('fullCollect() with no keys returns 0 valkeyKeys', async () => {
mockRedis.keys.mockResolvedValue([]);
const result = await service.fullCollect();
expect(result.valkeyKeys).toBe(0);
expect(mockRedis.del).not.toHaveBeenCalled();
});
it('fullCollect() returns duration', async () => {
const result = await service.fullCollect();
expect(result.duration).toBeGreaterThanOrEqual(0);
});
it('sweepOrphans() extracts unique session IDs and collects them', async () => {
mockRedis.keys.mockResolvedValue([
'mosaic:session:abc:system',
'mosaic:session:abc:messages',
'mosaic:session:xyz:system',
]);
mockRedis.del.mockResolvedValue(1);
const result = await service.sweepOrphans();
expect(result.orphanedSessions).toBeGreaterThanOrEqual(0);
expect(result.duration).toBeGreaterThanOrEqual(0);
});
it('sweepOrphans() returns empty when no session keys', async () => {
mockRedis.keys.mockResolvedValue([]);
const result = await service.sweepOrphans();
expect(result.orphanedSessions).toBe(0);
expect(result.totalCleaned).toHaveLength(0);
});
});

139
apps/gateway/src/gc/session-gc.service.ts Normal file
View File

@@ -0,0 +1,139 @@
import { Inject, Injectable, Logger, type OnModuleInit } from '@nestjs/common';
import type { QueueHandle } from '@mosaic/queue';
import type { LogService } from '@mosaic/log';
import { LOG_SERVICE } from '../log/log.tokens.js';
import { REDIS } from './gc.tokens.js';
export interface GCResult {
sessionId: string;
cleaned: {
valkeyKeys?: number;
logsDemoted?: number;
tempFilesRemoved?: number;
};
}
export interface GCSweepResult {
orphanedSessions: number;
totalCleaned: GCResult[];
duration: number;
}
export interface FullGCResult {
valkeyKeys: number;
logsDemoted: number;
jobsPurged: number;
tempFilesRemoved: number;
duration: number;
}
@Injectable()
export class SessionGCService implements OnModuleInit {
private readonly logger = new Logger(SessionGCService.name);
constructor(
@Inject(REDIS) private readonly redis: QueueHandle['redis'],
@Inject(LOG_SERVICE) private readonly logService: LogService,
) {}
async onModuleInit(): Promise<void> {
this.logger.log('Running full GC on cold start...');
const result = await this.fullCollect();
this.logger.log(
`Full GC complete: ${result.valkeyKeys} Valkey keys, ` +
`${result.logsDemoted} logs demoted, ` +
`${result.jobsPurged} jobs purged, ` +
`${result.tempFilesRemoved} temp dirs removed ` +
`(${result.duration}ms)`,
);
}
/**
* Immediate cleanup for a single session (call from destroySession).
*/
async collect(sessionId: string): Promise<GCResult> {
const result: GCResult = { sessionId, cleaned: {} };
// 1. Valkey: delete all session-scoped keys
const pattern = `mosaic:session:${sessionId}:*`;
const valkeyKeys = await this.redis.keys(pattern);
if (valkeyKeys.length > 0) {
await this.redis.del(...valkeyKeys);
result.cleaned.valkeyKeys = valkeyKeys.length;
}
// 2. PG: demote hot-tier agent_logs for this session to warm
const cutoff = new Date(); // demote all hot logs for this session
const logsDemoted = await this.logService.logs.promoteToWarm(cutoff);
if (logsDemoted > 0) {
result.cleaned.logsDemoted = logsDemoted;
}
return result;
}
/**
* Sweep GC — find orphaned artifacts from dead sessions.
* User-scoped when userId provided; system-wide when null (admin).
*/
async sweepOrphans(_userId?: string): Promise<GCSweepResult> {
const start = Date.now();
const cleaned: GCResult[] = [];
// 1. Find all session-scoped Valkey keys
const allSessionKeys = await this.redis.keys('mosaic:session:*');
// Extract unique session IDs from keys
const sessionIds = new Set<string>();
for (const key of allSessionKeys) {
const match = key.match(/^mosaic:session:([^:]+):/);
if (match) sessionIds.add(match[1]!);
}
// 2. For each session ID, collect stale keys
for (const sessionId of sessionIds) {
const gcResult = await this.collect(sessionId);
if (Object.keys(gcResult.cleaned).length > 0) {
cleaned.push(gcResult);
}
}
return {
orphanedSessions: cleaned.length,
totalCleaned: cleaned,
duration: Date.now() - start,
};
}
/**
* Full GC — aggressive collection for cold start.
* Assumes no sessions survived the restart.
*/
async fullCollect(): Promise<FullGCResult> {
const start = Date.now();
// 1. Valkey: delete ALL session-scoped keys
const sessionKeys = await this.redis.keys('mosaic:session:*');
if (sessionKeys.length > 0) {
await this.redis.del(...sessionKeys);
}
// 2. NOTE: channel keys are NOT collected on cold start
// (discord/telegram plugins may reconnect and resume)
// 3. PG: demote stale hot-tier logs older than 24h to warm
const hotCutoff = new Date(Date.now() - 24 * 60 * 60 * 1000);
const logsDemoted = await this.logService.logs.promoteToWarm(hotCutoff);
// 4. No summarization job purge API available yet
const jobsPurged = 0;
return {
valkeyKeys: sessionKeys.length,
logsDemoted,
jobsPurged,
tempFilesRemoved: 0,
duration: Date.now() - start,
};
}
}

17
apps/gateway/src/log/cron.service.ts
View File

@@ -7,17 +7,22 @@ import {
} from '@nestjs/common';
import cron from 'node-cron';
import { SummarizationService } from './summarization.service.js';
import { SessionGCService } from '../gc/session-gc.service.js';
@Injectable()
export class CronService implements OnModuleInit, OnModuleDestroy {
private readonly logger = new Logger(CronService.name);
private readonly tasks: cron.ScheduledTask[] = [];
constructor(@Inject(SummarizationService) private readonly summarization: SummarizationService) {}
constructor(
@Inject(SummarizationService) private readonly summarization: SummarizationService,
@Inject(SessionGCService) private readonly sessionGC: SessionGCService,
) {}
onModuleInit(): void {
const summarizationSchedule = process.env['SUMMARIZATION_CRON'] ?? '0 */6 * * *'; // every 6 hours
const tierManagementSchedule = process.env['TIER_MANAGEMENT_CRON'] ?? '0 3 * * *'; // daily at 3am
const gcSchedule = process.env['SESSION_GC_CRON'] ?? '0 4 * * *'; // daily at 4am
this.tasks.push(
cron.schedule(summarizationSchedule, () => {
@@ -35,8 +40,16 @@ export class CronService implements OnModuleInit, OnModuleDestroy {
}),
);
this.tasks.push(
cron.schedule(gcSchedule, () => {
this.sessionGC.sweepOrphans().catch((err) => {
this.logger.error(`Session GC sweep failed: ${err}`);
});
}),
);
this.logger.log(
`Cron scheduled: summarization="${summarizationSchedule}", tier="${tierManagementSchedule}"`,
`Cron scheduled: summarization="${summarizationSchedule}", tier="${tierManagementSchedule}", gc="${gcSchedule}"`,
);
}

2
apps/gateway/src/log/log.module.ts
View File

@@ -6,9 +6,11 @@ import { LOG_SERVICE } from './log.tokens.js';
import { LogController } from './log.controller.js';
import { SummarizationService } from './summarization.service.js';
import { CronService } from './cron.service.js';
import { GCModule } from '../gc/gc.module.js';
@Global()
@Module({
imports: [GCModule],
providers: [
{
provide: LOG_SERVICE,

1
apps/gateway/src/main.ts
View File

@@ -40,6 +40,7 @@ async function bootstrap(): Promise<void> {
app.enableCors({
origin: process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000',
credentials: true,
methods: ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
});
await app.register(helmet as never, { contentSecurityPolicy: false });

116
apps/gateway/src/missions/missions.controller.ts
View File

@@ -2,7 +2,6 @@ import {
Body,
Controller,
Delete,
ForbiddenException,
Get,
HttpCode,
HttpStatus,
@@ -17,33 +16,42 @@ import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { assertOwner } from '../auth/resource-ownership.js';
import { CreateMissionDto, UpdateMissionDto } from './missions.dto.js';
import {
CreateMissionDto,
UpdateMissionDto,
CreateMissionTaskDto,
UpdateMissionTaskDto,
} from './missions.dto.js';
@Controller('api/missions')
@UseGuards(AuthGuard)
export class MissionsController {
constructor(@Inject(BRAIN) private readonly brain: Brain) {}
// ── Missions CRUD (user-scoped) ──
@Get()
async list() {
return this.brain.missions.findAll();
async list(@CurrentUser() user: { id: string }) {
return this.brain.missions.findAllByUser(user.id);
}
@Get(':id')
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
return this.getOwnedMission(id, user.id);
const mission = await this.brain.missions.findByIdAndUser(id, user.id);
if (!mission) throw new NotFoundException('Mission not found');
return mission;
}
@Post()
async create(@Body() dto: CreateMissionDto, @CurrentUser() user: { id: string }) {
if (dto.projectId) {
await this.getOwnedProject(dto.projectId, user.id, 'Mission');
}
return this.brain.missions.create({
name: dto.name,
description: dto.description,
projectId: dto.projectId,
userId: user.id,
phase: dto.phase,
milestones: dto.milestones,
config: dto.config,
status: dto.status,
});
}
@@ -54,10 +62,8 @@ export class MissionsController {
@Body() dto: UpdateMissionDto,
@CurrentUser() user: { id: string },
) {
await this.getOwnedMission(id, user.id);
if (dto.projectId) {
await this.getOwnedProject(dto.projectId, user.id, 'Mission');
}
const existing = await this.brain.missions.findByIdAndUser(id, user.id);
if (!existing) throw new NotFoundException('Mission not found');
const mission = await this.brain.missions.update(id, dto);
if (!mission) throw new NotFoundException('Mission not found');
return mission;
@@ -66,33 +72,81 @@ export class MissionsController {
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
await this.getOwnedMission(id, user.id);
const existing = await this.brain.missions.findByIdAndUser(id, user.id);
if (!existing) throw new NotFoundException('Mission not found');
const deleted = await this.brain.missions.remove(id);
if (!deleted) throw new NotFoundException('Mission not found');
}
private async getOwnedMission(id: string, userId: string) {
const mission = await this.brain.missions.findById(id);
// ── Mission Tasks sub-routes ──
@Get(':missionId/tasks')
async listTasks(@Param('missionId') missionId: string, @CurrentUser() user: { id: string }) {
const mission = await this.brain.missions.findByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
await this.getOwnedProject(mission.projectId, userId, 'Mission');
return mission;
return this.brain.missionTasks.findByMissionAndUser(missionId, user.id);
}
private async getOwnedProject(
projectId: string | null | undefined,
userId: string,
resourceName: string,
@Get(':missionId/tasks/:taskId')
async getTask(
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@CurrentUser() user: { id: string },
) {
if (!projectId) {
throw new ForbiddenException(`${resourceName} does not belong to the current user`);
}
const mission = await this.brain.missions.findByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const task = await this.brain.missionTasks.findByIdAndUser(taskId, user.id);
if (!task) throw new NotFoundException('Mission task not found');
return task;
}
const project = await this.brain.projects.findById(projectId);
if (!project) {
throw new ForbiddenException(`${resourceName} does not belong to the current user`);
}
@Post(':missionId/tasks')
async createTask(
@Param('missionId') missionId: string,
@Body() dto: CreateMissionTaskDto,
@CurrentUser() user: { id: string },
) {
const mission = await this.brain.missions.findByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
return this.brain.missionTasks.create({
missionId,
taskId: dto.taskId,
userId: user.id,
status: dto.status,
description: dto.description,
notes: dto.notes,
pr: dto.pr,
});
}
assertOwner(project.ownerId, userId, resourceName);
return project;
@Patch(':missionId/tasks/:taskId')
async updateTask(
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@Body() dto: UpdateMissionTaskDto,
@CurrentUser() user: { id: string },
) {
const mission = await this.brain.missions.findByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const existing = await this.brain.missionTasks.findByIdAndUser(taskId, user.id);
if (!existing) throw new NotFoundException('Mission task not found');
const updated = await this.brain.missionTasks.update(taskId, dto);
if (!updated) throw new NotFoundException('Mission task not found');
return updated;
}
@Delete(':missionId/tasks/:taskId')
@HttpCode(HttpStatus.NO_CONTENT)
async removeTask(
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@CurrentUser() user: { id: string },
) {
const mission = await this.brain.missions.findByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const existing = await this.brain.missionTasks.findByIdAndUser(taskId, user.id);
if (!existing) throw new NotFoundException('Mission task not found');
const deleted = await this.brain.missionTasks.remove(taskId);
if (!deleted) throw new NotFoundException('Mission task not found');
}
}

79
apps/gateway/src/missions/missions.dto.ts
View File

@@ -1,6 +1,7 @@
import { IsIn, IsObject, IsOptional, IsString, IsUUID, MaxLength } from 'class-validator';
import { IsArray, IsIn, IsObject, IsOptional, IsString, IsUUID, MaxLength } from 'class-validator';
const missionStatuses = ['planning', 'active', 'paused', 'completed', 'failed'] as const;
const taskStatuses = ['not-started', 'in-progress', 'blocked', 'done', 'cancelled'] as const;
export class CreateMissionDto {
@IsString()
@@ -19,6 +20,19 @@ export class CreateMissionDto {
@IsOptional()
@IsIn(missionStatuses)
status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed';
@IsOptional()
@IsString()
@MaxLength(255)
phase?: string;
@IsOptional()
@IsArray()
milestones?: Record<string, unknown>[];
@IsOptional()
@IsObject()
config?: Record<string, unknown>;
}
export class UpdateMissionDto {
@@ -40,7 +54,70 @@ export class UpdateMissionDto {
@IsIn(missionStatuses)
status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed';
@IsOptional()
@IsString()
@MaxLength(255)
phase?: string;
@IsOptional()
@IsArray()
milestones?: Record<string, unknown>[];
@IsOptional()
@IsObject()
config?: Record<string, unknown>;
@IsOptional()
@IsObject()
metadata?: Record<string, unknown> | null;
}
export class CreateMissionTaskDto {
@IsOptional()
@IsUUID()
taskId?: string;
@IsOptional()
@IsIn(taskStatuses)
status?: 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
@IsOptional()
@IsString()
@MaxLength(10_000)
description?: string;
@IsOptional()
@IsString()
@MaxLength(10_000)
notes?: string;
@IsOptional()
@IsString()
@MaxLength(255)
pr?: string;
}
export class UpdateMissionTaskDto {
@IsOptional()
@IsUUID()
taskId?: string;
@IsOptional()
@IsIn(taskStatuses)
status?: 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
@IsOptional()
@IsString()
@MaxLength(10_000)
description?: string;
@IsOptional()
@IsString()
@MaxLength(10_000)
notes?: string;
@IsOptional()
@IsString()
@MaxLength(255)
pr?: string;
}

6
apps/gateway/src/plugin/plugin.interface.ts
View File

@@ -2,4 +2,10 @@ export interface IChannelPlugin {
readonly name: string;
start(): Promise<void>;
stop(): Promise<void>;
/** Called when a new project is bootstrapped. Return channelId if a channel was created. */
onProjectCreated?(project: {
id: string;
name: string;
description?: string;
}): Promise<{ channelId: string } | null>;
}

8
apps/gateway/src/plugin/plugin.module.ts
View File

@@ -24,6 +24,14 @@ class DiscordChannelPluginAdapter implements IChannelPlugin {
async stop(): Promise<void> {
await this.plugin.stop();
}
async onProjectCreated(project: {
id: string;
name: string;
description?: string;
}): Promise<{ channelId: string } | null> {
return this.plugin.createProjectChannel(project);
}
}
class TelegramChannelPluginAdapter implements IChannelPlugin {

44
apps/gateway/src/preferences/preferences.controller.ts Normal file
View File

@@ -0,0 +1,44 @@
import {
Body,
Controller,
Delete,
Get,
HttpCode,
HttpStatus,
Inject,
Param,
Post,
UseGuards,
} from '@nestjs/common';
import { PreferencesService } from './preferences.service.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
@Controller('api/preferences')
@UseGuards(AuthGuard)
export class PreferencesController {
constructor(@Inject(PreferencesService) private readonly preferences: PreferencesService) {}
@Get()
async show(@CurrentUser() user: { id: string }): Promise<Record<string, unknown>> {
return this.preferences.getEffective(user.id);
}
@Post()
@HttpCode(HttpStatus.OK)
async set(
@CurrentUser() user: { id: string },
@Body() body: { key: string; value: unknown },
): Promise<{ success: boolean; message: string }> {
return this.preferences.set(user.id, body.key, body.value);
}
@Delete(':key')
@HttpCode(HttpStatus.OK)
async reset(
@CurrentUser() user: { id: string },
@Param('key') key: string,
): Promise<{ success: boolean; message: string }> {
return this.preferences.reset(user.id, key);
}
}

12
apps/gateway/src/preferences/preferences.module.ts Normal file
View File

@@ -0,0 +1,12 @@
import { Global, Module } from '@nestjs/common';
import { PreferencesService } from './preferences.service.js';
import { PreferencesController } from './preferences.controller.js';
import { SystemOverrideService } from './system-override.service.js';
@Global()
@Module({
controllers: [PreferencesController],
providers: [PreferencesService, SystemOverrideService],
exports: [PreferencesService, SystemOverrideService],
})
export class PreferencesModule {}

167
apps/gateway/src/preferences/preferences.service.spec.ts Normal file
View File

@@ -0,0 +1,167 @@
import { describe, it, expect, vi } from 'vitest';
import { PreferencesService, PLATFORM_DEFAULTS, IMMUTABLE_KEYS } from './preferences.service.js';
import type { Db } from '@mosaic/db';
/**
* Build a mock Drizzle DB where the select chain supports:
* db.select().from().where() → resolves to `listRows`
* db.select().from().where().limit(n) → resolves to `singleRow`
*/
function makeMockDb(
listRows: Array<{ key: string; value: unknown }> = [],
singleRow: Array<{ id: string }> = [],
): Db {
const chainWithLimit = {
limit: vi.fn().mockResolvedValue(singleRow),
then: (resolve: (v: typeof listRows) => unknown) => Promise.resolve(listRows).then(resolve),
};
const selectFrom = {
from: vi.fn().mockReturnThis(),
where: vi.fn().mockReturnValue(chainWithLimit),
};
const updateResult = {
set: vi.fn().mockReturnThis(),
where: vi.fn().mockResolvedValue([]),
};
const deleteResult = {
where: vi.fn().mockResolvedValue([]),
};
const insertResult = {
values: vi.fn().mockResolvedValue([]),
};
return {
select: vi.fn().mockReturnValue(selectFrom),
update: vi.fn().mockReturnValue(updateResult),
delete: vi.fn().mockReturnValue(deleteResult),
insert: vi.fn().mockReturnValue(insertResult),
} as unknown as Db;
}
describe('PreferencesService', () => {
describe('getEffective', () => {
it('returns platform defaults when user has no overrides', async () => {
const db = makeMockDb([]);
const service = new PreferencesService(db);
const result = await service.getEffective('user-1');
expect(result['agent.thinkingLevel']).toBe('auto');
expect(result['agent.streamingEnabled']).toBe(true);
expect(result['session.autoCompactEnabled']).toBe(true);
expect(result['session.autoCompactThreshold']).toBe(0.8);
});
it('applies user overrides for mutable keys', async () => {
const db = makeMockDb([
{ key: 'agent.thinkingLevel', value: 'high' },
{ key: 'response.language', value: 'es' },
]);
const service = new PreferencesService(db);
const result = await service.getEffective('user-1');
expect(result['agent.thinkingLevel']).toBe('high');
expect(result['response.language']).toBe('es');
});
it('ignores user overrides for immutable keys — enforcement always wins', async () => {
const db = makeMockDb([
{ key: 'limits.maxThinkingLevel', value: 'high' },
{ key: 'limits.rateLimit', value: 9999 },
]);
const service = new PreferencesService(db);
const result = await service.getEffective('user-1');
// Should still be null (platform default), not the user-supplied values
expect(result['limits.maxThinkingLevel']).toBeNull();
expect(result['limits.rateLimit']).toBeNull();
});
});
describe('set', () => {
it('returns error when attempting to override an immutable key', async () => {
const db = makeMockDb();
const service = new PreferencesService(db);
const result = await service.set('user-1', 'limits.maxThinkingLevel', 'high');
expect(result.success).toBe(false);
expect(result.message).toContain('platform enforcement');
});
it('returns error when attempting to override limits.rateLimit', async () => {
const db = makeMockDb();
const service = new PreferencesService(db);
const result = await service.set('user-1', 'limits.rateLimit', 100);
expect(result.success).toBe(false);
expect(result.message).toContain('platform enforcement');
});
it('upserts a mutable preference and returns success — insert path', async () => {
// singleRow=[] → no existing row → insert path
const db = makeMockDb([], []);
const service = new PreferencesService(db);
const result = await service.set('user-1', 'agent.thinkingLevel', 'high');
expect(result.success).toBe(true);
expect(result.message).toContain('"agent.thinkingLevel"');
});
it('upserts a mutable preference and returns success — update path', async () => {
// singleRow has an id → existing row → update path
const db = makeMockDb([], [{ id: 'existing-id' }]);
const service = new PreferencesService(db);
const result = await service.set('user-1', 'agent.thinkingLevel', 'low');
expect(result.success).toBe(true);
expect(result.message).toContain('"agent.thinkingLevel"');
});
});
describe('reset', () => {
it('returns error when attempting to reset an immutable key', async () => {
const db = makeMockDb();
const service = new PreferencesService(db);
const result = await service.reset('user-1', 'limits.rateLimit');
expect(result.success).toBe(false);
expect(result.message).toContain('platform enforcement');
});
it('deletes user override and returns default value in message', async () => {
const db = makeMockDb();
const service = new PreferencesService(db);
const result = await service.reset('user-1', 'agent.thinkingLevel');
expect(result.success).toBe(true);
expect(result.message).toContain('"auto"'); // platform default for agent.thinkingLevel
});
});
describe('IMMUTABLE_KEYS', () => {
it('contains only the enforcement keys', () => {
expect(IMMUTABLE_KEYS.has('limits.maxThinkingLevel')).toBe(true);
expect(IMMUTABLE_KEYS.has('limits.rateLimit')).toBe(true);
expect(IMMUTABLE_KEYS.has('agent.thinkingLevel')).toBe(false);
});
});
describe('PLATFORM_DEFAULTS', () => {
it('has all expected keys', () => {
const expectedKeys = [
'agent.defaultModel',
'agent.thinkingLevel',
'agent.streamingEnabled',
'response.language',
'response.codeAnnotations',
'safety.confirmDestructiveTools',
'session.autoCompactThreshold',
'session.autoCompactEnabled',
'limits.maxThinkingLevel',
'limits.rateLimit',
];
for (const key of expectedKeys) {
expect(Object.prototype.hasOwnProperty.call(PLATFORM_DEFAULTS, key)).toBe(true);
}
});
});
});

119
apps/gateway/src/preferences/preferences.service.ts Normal file
View File

@@ -0,0 +1,119 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import { eq, and, type Db, preferences as preferencesTable } from '@mosaic/db';
import { DB } from '../database/database.module.js';
export const PLATFORM_DEFAULTS: Record<string, unknown> = {
'agent.defaultModel': null,
'agent.thinkingLevel': 'auto',
'agent.streamingEnabled': true,
'response.language': 'auto',
'response.codeAnnotations': true,
'safety.confirmDestructiveTools': true,
'session.autoCompactThreshold': 0.8,
'session.autoCompactEnabled': true,
'limits.maxThinkingLevel': null,
'limits.rateLimit': null,
};
export const IMMUTABLE_KEYS = new Set<string>(['limits.maxThinkingLevel', 'limits.rateLimit']);
@Injectable()
export class PreferencesService {
private readonly logger = new Logger(PreferencesService.name);
constructor(@Inject(DB) private readonly db: Db) {}
/**
* Returns the effective preference set for a user:
* Platform defaults → user overrides (mutable keys only) → enforcements re-applied last
*/
async getEffective(userId: string): Promise<Record<string, unknown>> {
const userPrefs = await this.getUserPrefs(userId);
const result: Record<string, unknown> = { ...PLATFORM_DEFAULTS };
for (const [key, value] of Object.entries(userPrefs)) {
if (!IMMUTABLE_KEYS.has(key)) {
result[key] = value;
}
}
// Re-apply immutable keys (enforcements always win)
for (const key of IMMUTABLE_KEYS) {
result[key] = PLATFORM_DEFAULTS[key];
}
return result;
}
async set(
userId: string,
key: string,
value: unknown,
): Promise<{ success: boolean; message: string }> {
if (IMMUTABLE_KEYS.has(key)) {
return {
success: false,
message: `Cannot override "${key}" — this is a platform enforcement. Contact your admin.`,
};
}
await this.upsertPref(userId, key, value);
return { success: true, message: `Preference "${key}" set to ${JSON.stringify(value)}.` };
}
async reset(userId: string, key: string): Promise<{ success: boolean; message: string }> {
if (IMMUTABLE_KEYS.has(key)) {
return { success: false, message: `Cannot reset "${key}" — it is a platform enforcement.` };
}
await this.deletePref(userId, key);
const defaultVal = PLATFORM_DEFAULTS[key];
return {
success: true,
message: `Preference "${key}" reset to default: ${JSON.stringify(defaultVal)}.`,
};
}
private async getUserPrefs(userId: string): Promise<Record<string, unknown>> {
const rows = await this.db
.select({ key: preferencesTable.key, value: preferencesTable.value })
.from(preferencesTable)
.where(eq(preferencesTable.userId, userId));
const result: Record<string, unknown> = {};
for (const row of rows) {
result[row.key] = row.value;
}
return result;
}
private async upsertPref(userId: string, key: string, value: unknown): Promise<void> {
const existing = await this.db
.select({ id: preferencesTable.id })
.from(preferencesTable)
.where(and(eq(preferencesTable.userId, userId), eq(preferencesTable.key, key)))
.limit(1);
if (existing.length > 0) {
await this.db
.update(preferencesTable)
.set({ value: value as never, updatedAt: new Date() })
.where(and(eq(preferencesTable.userId, userId), eq(preferencesTable.key, key)));
} else {
await this.db.insert(preferencesTable).values({
userId,
key,
value: value as never,
mutable: true,
});
}
this.logger.debug(`Upserted preference "${key}" for user ${userId}`);
}
private async deletePref(userId: string, key: string): Promise<void> {
await this.db
.delete(preferencesTable)
.where(and(eq(preferencesTable.userId, userId), eq(preferencesTable.key, key)));
this.logger.debug(`Deleted preference "${key}" for user ${userId}`);
}
}

131
apps/gateway/src/preferences/system-override.service.ts Normal file
View File

@@ -0,0 +1,131 @@
import { Injectable, Logger } from '@nestjs/common';
import { createQueue, type QueueHandle } from '@mosaic/queue';
const SESSION_SYSTEM_KEY = (sessionId: string) => `mosaic:session:${sessionId}:system`;
const SESSION_SYSTEM_FRAGMENTS_KEY = (sessionId: string) =>
`mosaic:session:${sessionId}:system:fragments`;
const SYSTEM_OVERRIDE_TTL_SECONDS = 604800; // 7 days
interface OverrideFragment {
text: string;
addedAt: number;
}
@Injectable()
export class SystemOverrideService {
private readonly logger = new Logger(SystemOverrideService.name);
private readonly handle: QueueHandle;
constructor() {
this.handle = createQueue();
}
async set(sessionId: string, override: string): Promise<void> {
// Load existing fragments
const existing = await this.handle.redis.get(SESSION_SYSTEM_FRAGMENTS_KEY(sessionId));
const fragments: OverrideFragment[] = existing
? (JSON.parse(existing) as OverrideFragment[])
: [];
// Append new fragment
fragments.push({ text: override, addedAt: Date.now() });
// Condense fragments into one coherent override
const texts = fragments.map((f) => f.text);
const condensed = await this.condenseOverrides(texts);
// Store both: fragments array and condensed result
const pipeline = this.handle.redis.pipeline();
pipeline.setex(
SESSION_SYSTEM_FRAGMENTS_KEY(sessionId),
SYSTEM_OVERRIDE_TTL_SECONDS,
JSON.stringify(fragments),
);
pipeline.setex(SESSION_SYSTEM_KEY(sessionId), SYSTEM_OVERRIDE_TTL_SECONDS, condensed);
await pipeline.exec();
this.logger.debug(
`Set system override for session ${sessionId} (${fragments.length} fragment(s), TTL=${SYSTEM_OVERRIDE_TTL_SECONDS}s)`,
);
}
async get(sessionId: string): Promise<string | null> {
return this.handle.redis.get(SESSION_SYSTEM_KEY(sessionId));
}
async renew(sessionId: string): Promise<void> {
const pipeline = this.handle.redis.pipeline();
pipeline.expire(SESSION_SYSTEM_KEY(sessionId), SYSTEM_OVERRIDE_TTL_SECONDS);
pipeline.expire(SESSION_SYSTEM_FRAGMENTS_KEY(sessionId), SYSTEM_OVERRIDE_TTL_SECONDS);
await pipeline.exec();
}
async clear(sessionId: string): Promise<void> {
await this.handle.redis.del(
SESSION_SYSTEM_KEY(sessionId),
SESSION_SYSTEM_FRAGMENTS_KEY(sessionId),
);
this.logger.debug(`Cleared system override for session ${sessionId}`);
}
/**
* Merge an array of override fragments into one coherent string.
* If only one fragment exists, returns it as-is.
* For multiple fragments, calls Haiku to produce a merged instruction.
* Falls back to newline concatenation if the LLM call fails.
*/
async condenseOverrides(fragments: string[]): Promise<string> {
if (fragments.length === 0) return '';
if (fragments.length === 1) return fragments[0]!;
const numbered = fragments.map((f, i) => `${i + 1}. ${f}`).join('\n');
const prompt =
`Merge these system prompt instructions into one coherent paragraph. ` +
`If instructions conflict, favor the most recently added (last in the list). ` +
`Be concise — output only the merged instruction, nothing else.\n\n` +
`Instructions (oldest first):\n${numbered}`;
const apiKey = process.env['ANTHROPIC_API_KEY'];
if (!apiKey) {
this.logger.warn('ANTHROPIC_API_KEY not set — falling back to newline concatenation');
return fragments.join('\n');
}
try {
const response = await fetch('https://api.anthropic.com/v1/messages', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'x-api-key': apiKey,
'anthropic-version': '2023-06-01',
},
body: JSON.stringify({
model: 'claude-haiku-4-5-20251001',
max_tokens: 1024,
messages: [{ role: 'user', content: prompt }],
}),
});
if (!response.ok) {
const errorText = await response.text();
throw new Error(`Anthropic API error ${response.status}: ${errorText}`);
}
const data = (await response.json()) as {
content: Array<{ type: string; text: string }>;
};
const textBlock = data.content.find((c) => c.type === 'text');
if (!textBlock) {
throw new Error('No text block in Anthropic response');
}
return textBlock.text.trim();
} catch (err) {
this.logger.error(
`Condensation LLM call failed — falling back to newline concatenation: ${String(err)}`,
);
return fragments.join('\n');
}
}
}

28
apps/gateway/src/projects/projects.controller.ts
View File

@@ -2,6 +2,7 @@ import {
Body,
Controller,
Delete,
ForbiddenException,
Get,
HttpCode,
HttpStatus,
@@ -16,22 +17,25 @@ import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { assertOwner } from '../auth/resource-ownership.js';
import { TeamsService } from '../workspace/teams.service.js';
import { CreateProjectDto, UpdateProjectDto } from './projects.dto.js';
@Controller('api/projects')
@UseGuards(AuthGuard)
export class ProjectsController {
constructor(@Inject(BRAIN) private readonly brain: Brain) {}
constructor(
@Inject(BRAIN) private readonly brain: Brain,
private readonly teamsService: TeamsService,
) {}
@Get()
async list() {
return this.brain.projects.findAll();
async list(@CurrentUser() user: { id: string }) {
return this.brain.projects.findAllForUser(user.id);
}
@Get(':id')
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
return this.getOwnedProject(id, user.id);
return this.getAccessibleProject(id, user.id);
}
@Post()
@@ -50,7 +54,7 @@ export class ProjectsController {
@Body() dto: UpdateProjectDto,
@CurrentUser() user: { id: string },
) {
await this.getOwnedProject(id, user.id);
await this.getAccessibleProject(id, user.id);
const project = await this.brain.projects.update(id, dto);
if (!project) throw new NotFoundException('Project not found');
return project;
@@ -59,15 +63,21 @@ export class ProjectsController {
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
await this.getOwnedProject(id, user.id);
await this.getAccessibleProject(id, user.id);
const deleted = await this.brain.projects.remove(id);
if (!deleted) throw new NotFoundException('Project not found');
}
private async getOwnedProject(id: string, userId: string) {
/**
* Verify the requesting user can access the project — either as the direct
* owner or as a member of the owning team. Throws NotFoundException when the
* project does not exist and ForbiddenException when the user lacks access.
*/
private async getAccessibleProject(id: string, userId: string) {
const project = await this.brain.projects.findById(id);
if (!project) throw new NotFoundException('Project not found');
assertOwner(project.ownerId, userId, 'Project');
const canAccess = await this.teamsService.canAccessProject(userId, id);
if (!canAccess) throw new ForbiddenException('Project does not belong to the current user');
return project;
}
}

2
apps/gateway/src/projects/projects.module.ts
View File

@@ -1,7 +1,9 @@
import { Module } from '@nestjs/common';
import { ProjectsController } from './projects.controller.js';
import { WorkspaceModule } from '../workspace/workspace.module.js';
@Module({
imports: [WorkspaceModule],
controllers: [ProjectsController],
})
export class ProjectsModule {}

20
apps/gateway/src/reload/mosaic-plugin.interface.ts Normal file
View File

@@ -0,0 +1,20 @@
export interface MosaicPlugin {
/** Called when the plugin is loaded/reloaded */
onLoad(): Promise<void>;
/** Called before the plugin is unloaded during reload */
onUnload(): Promise<void>;
/** Plugin identifier for registry */
readonly pluginName: string;
}
export function isMosaicPlugin(obj: unknown): obj is MosaicPlugin {
return (
typeof obj === 'object' &&
obj !== null &&
typeof (obj as MosaicPlugin).onLoad === 'function' &&
typeof (obj as MosaicPlugin).onUnload === 'function' &&
typeof (obj as MosaicPlugin).pluginName === 'string'
);
}

22
apps/gateway/src/reload/reload.controller.ts Normal file
View File

@@ -0,0 +1,22 @@
import { Controller, HttpCode, HttpStatus, Inject, Post, UseGuards } from '@nestjs/common';
import type { SystemReloadPayload } from '@mosaic/types';
import { AdminGuard } from '../admin/admin.guard.js';
import { ChatGateway } from '../chat/chat.gateway.js';
import { ReloadService } from './reload.service.js';
@Controller('api/admin')
@UseGuards(AdminGuard)
export class ReloadController {
constructor(
@Inject(ReloadService) private readonly reloadService: ReloadService,
@Inject(ChatGateway) private readonly chatGateway: ChatGateway,
) {}
@Post('reload')
@HttpCode(HttpStatus.OK)
async triggerReload(): Promise<SystemReloadPayload> {
const result = await this.reloadService.reload('rest');
this.chatGateway.broadcastReload(result);
return result;
}
}

14
apps/gateway/src/reload/reload.module.ts Normal file
View File

@@ -0,0 +1,14 @@
import { forwardRef, Module } from '@nestjs/common';
import { AdminGuard } from '../admin/admin.guard.js';
import { ChatModule } from '../chat/chat.module.js';
import { CommandsModule } from '../commands/commands.module.js';
import { ReloadController } from './reload.controller.js';
import { ReloadService } from './reload.service.js';
@Module({
imports: [forwardRef(() => CommandsModule), forwardRef(() => ChatModule)],
controllers: [ReloadController],
providers: [ReloadService, AdminGuard],
exports: [ReloadService],
})
export class ReloadModule {}

106
apps/gateway/src/reload/reload.service.spec.ts Normal file
View File

@@ -0,0 +1,106 @@
import { describe, expect, it, vi } from 'vitest';
import { ReloadService } from './reload.service.js';
function createMockCommandRegistry() {
return {
getManifest: vi.fn().mockReturnValue({
version: 1,
commands: [],
skills: [],
}),
};
}
function createService() {
const registry = createMockCommandRegistry();
const service = new ReloadService(registry as never);
return { service, registry };
}
describe('ReloadService', () => {
it('reload() calls onUnload then onLoad for registered MosaicPlugin', async () => {
const { service } = createService();
const callOrder: string[] = [];
const mockPlugin = {
pluginName: 'test-plugin',
onLoad: vi.fn().mockImplementation(() => {
callOrder.push('onLoad');
return Promise.resolve();
}),
onUnload: vi.fn().mockImplementation(() => {
callOrder.push('onUnload');
return Promise.resolve();
}),
};
service.registerPlugin('test-plugin', mockPlugin);
const result = await service.reload('command');
expect(mockPlugin.onUnload).toHaveBeenCalledOnce();
expect(mockPlugin.onLoad).toHaveBeenCalledOnce();
expect(callOrder).toEqual(['onUnload', 'onLoad']);
expect(result.message).toContain('test-plugin');
});
it('reload() continues if one plugin throws during onUnload', async () => {
const { service } = createService();
const badPlugin = {
pluginName: 'bad-plugin',
onLoad: vi.fn().mockResolvedValue(undefined),
onUnload: vi.fn().mockRejectedValue(new Error('unload failed')),
};
service.registerPlugin('bad-plugin', badPlugin);
const result = await service.reload('command');
expect(result.message).toContain('bad-plugin');
expect(result.message).toContain('unload failed');
});
it('reload() skips non-MosaicPlugin objects', async () => {
const { service } = createService();
const notAPlugin = { foo: 'bar' };
service.registerPlugin('not-a-plugin', notAPlugin);
// Should not throw
const result = await service.reload('command');
expect(result).toBeDefined();
expect(result.message).not.toContain('not-a-plugin');
});
it('reload() returns SystemReloadPayload with commands, skills, providers, message', async () => {
const { service, registry } = createService();
registry.getManifest.mockReturnValue({
version: 1,
commands: [
{
name: 'test',
description: 'test cmd',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
],
skills: [],
});
const result = await service.reload('rest');
expect(result).toHaveProperty('commands');
expect(result).toHaveProperty('skills');
expect(result).toHaveProperty('providers');
expect(result).toHaveProperty('message');
expect(result.commands).toHaveLength(1);
});
it('registerPlugin() logs plugin registration', () => {
const { service } = createService();
// Should not throw and should register
expect(() => service.registerPlugin('my-plugin', {})).not.toThrow();
});
});

92
apps/gateway/src/reload/reload.service.ts Normal file
View File

@@ -0,0 +1,92 @@
import {
Inject,
Injectable,
Logger,
type OnApplicationBootstrap,
type OnApplicationShutdown,
} from '@nestjs/common';
import type { SystemReloadPayload } from '@mosaic/types';
import { CommandRegistryService } from '../commands/command-registry.service.js';
import { isMosaicPlugin } from './mosaic-plugin.interface.js';
@Injectable()
export class ReloadService implements OnApplicationBootstrap, OnApplicationShutdown {
private readonly logger = new Logger(ReloadService.name);
private readonly plugins: Map<string, unknown> = new Map();
private shutdownHandlerAttached = false;
constructor(
@Inject(CommandRegistryService) private readonly commandRegistry: CommandRegistryService,
) {}
onApplicationBootstrap(): void {
if (!this.shutdownHandlerAttached) {
process.on('SIGHUP', () => {
this.logger.log('SIGHUP received — triggering soft reload');
this.reload('sighup').catch((err: unknown) => {
this.logger.error(`SIGHUP reload failed: ${err}`);
});
});
this.shutdownHandlerAttached = true;
}
}
onApplicationShutdown(): void {
process.removeAllListeners('SIGHUP');
}
registerPlugin(name: string, plugin: unknown): void {
this.plugins.set(name, plugin);
this.logger.log(`Plugin registered: ${name}`);
}
/**
* Soft reload — unload plugins, reload plugins, broadcast.
* Does NOT restart the HTTP server or drop connections.
*/
async reload(
trigger: 'command' | 'rest' | 'sighup' | 'file-watch',
): Promise<SystemReloadPayload> {
this.logger.log(`Soft reload triggered by: ${trigger}`);
const reloaded: string[] = [];
const errors: string[] = [];
// 1. Unload all registered MosaicPlugin instances
for (const [name, plugin] of this.plugins) {
if (isMosaicPlugin(plugin)) {
try {
await plugin.onUnload();
reloaded.push(name);
} catch (err) {
errors.push(`${name}: unload failed — ${err}`);
}
}
}
// 2. Reload all MosaicPlugin instances
for (const [name, plugin] of this.plugins) {
if (isMosaicPlugin(plugin)) {
try {
await plugin.onLoad();
} catch (err) {
errors.push(`${name}: load failed — ${err}`);
}
}
}
const manifest = this.commandRegistry.getManifest();
const errorSuffix = errors.length > 0 ? ` Errors: ${errors.join(', ')}` : '';
const payload: SystemReloadPayload = {
commands: manifest.commands,
skills: manifest.skills,
providers: [],
message: `Reload complete (trigger=${trigger}). Plugins reloaded: [${reloaded.join(', ')}].${errorSuffix}`,
};
this.logger.log(
`Reload complete. Reloaded: [${reloaded.join(', ')}]. Errors: ${errors.length}`,
);
return payload;
}
}

98
apps/gateway/src/workspace/project-bootstrap.service.ts Normal file
View File

@@ -0,0 +1,98 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { PluginService } from '../plugin/plugin.service.js';
import { WorkspaceService } from './workspace.service.js';
export interface BootstrapProjectParams {
name: string;
description?: string;
userId: string;
teamId?: string;
repoUrl?: string;
}
export interface BootstrapProjectResult {
projectId: string;
workspacePath: string;
}
@Injectable()
export class ProjectBootstrapService {
private readonly logger = new Logger(ProjectBootstrapService.name);
constructor(
@Inject(BRAIN) private readonly brain: Brain,
private readonly workspace: WorkspaceService,
private readonly pluginService: PluginService,
) {}
/**
* Bootstrap a new project: create DB record + workspace directory.
* Returns the created project with its workspace path.
*/
async bootstrap(params: BootstrapProjectParams): Promise<BootstrapProjectResult> {
const ownerType: 'user' | 'team' = params.teamId ? 'team' : 'user';
this.logger.log(
`Bootstrapping project "${params.name}" for ${ownerType} ${params.teamId ?? params.userId}`,
);
// 1. Create DB record
const project = await this.brain.projects.create({
name: params.name,
description: params.description,
ownerId: params.userId,
teamId: params.teamId ?? null,
ownerType,
});
// 2. Create workspace directory (includes docs structure)
const workspacePath = await this.workspace.create(
{
id: project.id,
ownerType,
userId: params.userId,
teamId: params.teamId ?? null,
},
params.repoUrl,
);
// 3. Create default agent config for the project
await this.brain.agents.create({
name: 'default',
provider: '',
model: '',
projectId: project.id,
ownerId: params.userId,
isSystem: false,
status: 'active',
});
// 4. Notify plugins so they can set up project-specific resources (e.g. Discord channel)
try {
for (const plugin of this.pluginService.getPlugins()) {
if (plugin.onProjectCreated) {
const result = await plugin.onProjectCreated({
id: project.id,
name: params.name,
description: params.description,
});
if (result?.channelId) {
await this.brain.projects.update(project.id, {
metadata: { discordChannelId: result.channelId },
});
}
}
}
} catch (err) {
this.logger.warn(
`Plugin project notification failed: ${err instanceof Error ? err.message : String(err)}`,
);
}
this.logger.log(`Project ${project.id} bootstrapped at ${workspacePath}`);
return { projectId: project.id, workspacePath };
}
}

30
apps/gateway/src/workspace/teams.controller.ts Normal file
View File

@@ -0,0 +1,30 @@
import { Controller, Get, Param, UseGuards } from '@nestjs/common';
import { AuthGuard } from '../auth/auth.guard.js';
import { TeamsService } from './teams.service.js';
@Controller('api/teams')
@UseGuards(AuthGuard)
export class TeamsController {
constructor(private readonly teams: TeamsService) {}
@Get()
async list() {
return this.teams.findAll();
}
@Get(':teamId')
async findOne(@Param('teamId') teamId: string) {
return this.teams.findById(teamId);
}
@Get(':teamId/members')
async listMembers(@Param('teamId') teamId: string) {
return this.teams.listMembers(teamId);
}
@Get(':teamId/members/:userId')
async checkMembership(@Param('teamId') teamId: string, @Param('userId') userId: string) {
const isMember = await this.teams.isMember(teamId, userId);
return { isMember };
}
}

73
apps/gateway/src/workspace/teams.service.ts Normal file
View File

@@ -0,0 +1,73 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import { eq, and, type Db, teams, teamMembers, projects } from '@mosaic/db';
import { DB } from '../database/database.module.js';
@Injectable()
export class TeamsService {
private readonly logger = new Logger(TeamsService.name);
constructor(@Inject(DB) private readonly db: Db) {}
/**
* Check if a user is a member of a team.
*/
async isMember(teamId: string, userId: string): Promise<boolean> {
const rows = await this.db
.select({ id: teamMembers.id })
.from(teamMembers)
.where(and(eq(teamMembers.teamId, teamId), eq(teamMembers.userId, userId)));
return rows.length > 0;
}
/**
* Check project access for a user.
* - ownerType === 'user': project.ownerId must equal userId
* - ownerType === 'team': userId must be a member of project.teamId
*/
async canAccessProject(userId: string, projectId: string): Promise<boolean> {
const rows = await this.db
.select({
id: projects.id,
ownerType: projects.ownerType,
ownerId: projects.ownerId,
teamId: projects.teamId,
})
.from(projects)
.where(eq(projects.id, projectId));
const project = rows[0];
if (!project) return false;
if (project.ownerType === 'user') {
return project.ownerId === userId;
}
if (project.ownerType === 'team' && project.teamId) {
return this.isMember(project.teamId, userId);
}
return false;
}
/**
* List all teams (for admin/listing endpoints).
*/
async findAll() {
return this.db.select().from(teams);
}
/**
* Find a team by ID.
*/
async findById(id: string) {
const rows = await this.db.select().from(teams).where(eq(teams.id, id));
return rows[0];
}
/**
* List members of a team.
*/
async listMembers(teamId: string) {
return this.db.select().from(teamMembers).where(eq(teamMembers.teamId, teamId));
}
}

30
apps/gateway/src/workspace/workspace.controller.ts Normal file
View File

@@ -0,0 +1,30 @@
import { Body, Controller, Post, UseGuards } from '@nestjs/common';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { ProjectBootstrapService } from './project-bootstrap.service.js';
@Controller('api/workspaces')
@UseGuards(AuthGuard)
export class WorkspaceController {
constructor(private readonly bootstrap: ProjectBootstrapService) {}
@Post()
async create(
@CurrentUser() user: { id: string },
@Body()
body: {
name: string;
description?: string;
teamId?: string;
repoUrl?: string;
},
) {
return this.bootstrap.bootstrap({
name: body.name,
description: body.description,
userId: user.id,
teamId: body.teamId,
repoUrl: body.repoUrl,
});
}
}

13
apps/gateway/src/workspace/workspace.module.ts Normal file
View File

@@ -0,0 +1,13 @@
import { Module } from '@nestjs/common';
import { WorkspaceService } from './workspace.service.js';
import { ProjectBootstrapService } from './project-bootstrap.service.js';
import { TeamsService } from './teams.service.js';
import { WorkspaceController } from './workspace.controller.js';
import { TeamsController } from './teams.controller.js';
@Module({
controllers: [WorkspaceController, TeamsController],
providers: [WorkspaceService, ProjectBootstrapService, TeamsService],
exports: [WorkspaceService, ProjectBootstrapService, TeamsService],
})
export class WorkspaceModule {}

79
apps/gateway/src/workspace/workspace.service.spec.ts Normal file
View File

@@ -0,0 +1,79 @@
import { describe, it, expect, beforeEach } from 'vitest';
import { WorkspaceService } from './workspace.service.js';
import path from 'node:path';
describe('WorkspaceService', () => {
let service: WorkspaceService;
beforeEach(() => {
service = new WorkspaceService();
});
describe('resolvePath', () => {
it('resolves user workspace path', () => {
const result = service.resolvePath({
id: 'proj1',
ownerType: 'user',
userId: 'user1',
teamId: null,
});
expect(result).toContain(path.join('users', 'user1', 'proj1'));
});
it('resolves team workspace path', () => {
const result = service.resolvePath({
id: 'proj1',
ownerType: 'team',
userId: 'user1',
teamId: 'team1',
});
expect(result).toContain(path.join('teams', 'team1', 'proj1'));
});
it('falls back to user path when ownerType is team but teamId is null', () => {
const result = service.resolvePath({
id: 'proj1',
ownerType: 'team',
userId: 'user1',
teamId: null,
});
expect(result).toContain(path.join('users', 'user1', 'proj1'));
});
it('uses MOSAIC_ROOT env var as the base path', () => {
const originalRoot = process.env['MOSAIC_ROOT'];
process.env['MOSAIC_ROOT'] = '/custom/root';
const customService = new WorkspaceService();
const result = customService.resolvePath({
id: 'proj1',
ownerType: 'user',
userId: 'user1',
teamId: null,
});
expect(result).toMatch(/^\/custom\/root/);
// Restore
if (originalRoot === undefined) {
delete process.env['MOSAIC_ROOT'];
} else {
process.env['MOSAIC_ROOT'] = originalRoot;
}
});
it('defaults to /opt/mosaic when MOSAIC_ROOT is unset', () => {
const originalRoot = process.env['MOSAIC_ROOT'];
delete process.env['MOSAIC_ROOT'];
const defaultService = new WorkspaceService();
const result = defaultService.resolvePath({
id: 'proj2',
ownerType: 'user',
userId: 'user2',
teamId: null,
});
expect(result).toMatch(/^\/opt\/mosaic/);
// Restore
if (originalRoot !== undefined) {
process.env['MOSAIC_ROOT'] = originalRoot;
}
});
});
});

116
apps/gateway/src/workspace/workspace.service.ts Normal file
View File

@@ -0,0 +1,116 @@
import { Injectable, Logger } from '@nestjs/common';
import fs from 'node:fs/promises';
import path from 'node:path';
import { execFile } from 'node:child_process';
import { promisify } from 'node:util';
const execFileAsync = promisify(execFile);
export interface WorkspaceProject {
id: string;
ownerType: 'user' | 'team';
userId: string;
teamId: string | null;
}
@Injectable()
export class WorkspaceService {
private readonly logger = new Logger(WorkspaceService.name);
private readonly mosaicRoot: string;
constructor() {
this.mosaicRoot = process.env['MOSAIC_ROOT'] ?? '/opt/mosaic';
}
/**
* Resolve the workspace path for a project.
* Solo: $MOSAIC_ROOT/.workspaces/users/<userId>/<projectId>/
* Team: $MOSAIC_ROOT/.workspaces/teams/<teamId>/<projectId>/
*/
resolvePath(project: WorkspaceProject): string {
if (project.ownerType === 'team' && project.teamId) {
return path.join(this.mosaicRoot, '.workspaces', 'teams', project.teamId, project.id);
}
return path.join(this.mosaicRoot, '.workspaces', 'users', project.userId, project.id);
}
/**
* Create a workspace directory and initialize it as a git repo.
* If repoUrl is provided, clone instead of init.
*/
async create(project: WorkspaceProject, repoUrl?: string): Promise<string> {
const workspacePath = this.resolvePath(project);
// Create directory
await fs.mkdir(workspacePath, { recursive: true });
if (repoUrl) {
// Clone existing repo
await execFileAsync('git', ['clone', repoUrl, '.'], { cwd: workspacePath });
this.logger.log(`Cloned ${repoUrl} into workspace ${workspacePath}`);
} else {
// Init new git repo
await execFileAsync('git', ['init'], { cwd: workspacePath });
await execFileAsync('git', ['commit', '--allow-empty', '-m', 'Initial workspace commit'], {
cwd: workspacePath,
env: {
...process.env,
GIT_AUTHOR_NAME: 'Mosaic',
GIT_AUTHOR_EMAIL: 'mosaic@localhost',
GIT_COMMITTER_NAME: 'Mosaic',
GIT_COMMITTER_EMAIL: 'mosaic@localhost',
},
});
this.logger.log(`Initialized git workspace at ${workspacePath}`);
}
// Create standard docs structure
await fs.mkdir(path.join(workspacePath, 'docs', 'plans'), { recursive: true });
await fs.mkdir(path.join(workspacePath, 'docs', 'reports'), { recursive: true });
this.logger.log(`Created docs structure at ${workspacePath}`);
return workspacePath;
}
/**
* Delete a workspace directory recursively.
*/
async delete(project: WorkspaceProject): Promise<void> {
const workspacePath = this.resolvePath(project);
try {
await fs.rm(workspacePath, { recursive: true, force: true });
this.logger.log(`Deleted workspace at ${workspacePath}`);
} catch (err) {
this.logger.warn(`Failed to delete workspace at ${workspacePath}: ${err}`);
}
}
/**
* Check whether the workspace directory exists.
*/
async exists(project: WorkspaceProject): Promise<boolean> {
const workspacePath = this.resolvePath(project);
try {
await fs.access(workspacePath);
return true;
} catch {
return false;
}
}
/**
* Create the base user workspace directory (call on user registration).
*/
async createUserRoot(userId: string): Promise<void> {
const userRoot = path.join(this.mosaicRoot, '.workspaces', 'users', userId);
await fs.mkdir(userRoot, { recursive: true });
}
/**
* Create the base team workspace directory (call on team creation).
*/
async createTeamRoot(teamId: string): Promise<void> {
const teamRoot = path.join(this.mosaicRoot, '.workspaces', 'teams', teamId);
await fs.mkdir(teamRoot, { recursive: true });
}
}

72
apps/web/e2e/admin.spec.ts Normal file
View File

@@ -0,0 +1,72 @@
import { test, expect } from '@playwright/test';
import { loginAs, ADMIN_USER, TEST_USER } from './helpers/auth.js';
test.describe('Admin page — admin user', () => {
test.beforeEach(async ({ page }) => {
await loginAs(page, ADMIN_USER.email, ADMIN_USER.password);
const url = page.url();
test.skip(!url.includes('/chat'), 'No seeded admin user — skipping admin tests');
});
test('admin page loads with the Admin Panel heading', async ({ page }) => {
await page.goto('/admin');
await expect(page.getByRole('heading', { name: /admin panel/i })).toBeVisible({
timeout: 10_000,
});
});
test('shows User Management and System Health tabs', async ({ page }) => {
await page.goto('/admin');
await expect(page.getByRole('button', { name: /user management/i })).toBeVisible();
await expect(page.getByRole('button', { name: /system health/i })).toBeVisible();
});
test('User Management tab is active by default', async ({ page }) => {
await page.goto('/admin');
// The users tab shows a "+ New User" button
await expect(page.getByRole('button', { name: /new user/i })).toBeVisible({ timeout: 10_000 });
});
test('clicking System Health tab switches to health view', async ({ page }) => {
await page.goto('/admin');
await page.getByRole('button', { name: /system health/i }).click();
// Health cards or loading indicator should appear
const hasLoading = await page
.getByText(/loading health/i)
.isVisible()
.catch(() => false);
const hasCard = await page
.getByText(/database/i)
.isVisible()
.catch(() => false);
expect(hasLoading || hasCard).toBe(true);
});
});
test.describe('Admin page — non-admin user', () => {
test.beforeEach(async ({ page }) => {
await loginAs(page, TEST_USER.email, TEST_USER.password);
const url = page.url();
test.skip(!url.includes('/chat'), 'No seeded test user — skipping non-admin tests');
});
test('non-admin visiting /admin sees access denied or is redirected', async ({ page }) => {
await page.goto('/admin');
// Either redirected away or shown an access-denied message
const onAdmin = page.url().includes('/admin');
if (onAdmin) {
// Should show some access-denied content rather than the full admin panel
const hasPanel = await page
.getByRole('heading', { name: /admin panel/i })
.isVisible()
.catch(() => false);
// If heading is visible, the guard allowed access (user may have admin role in this env)
// — not a failure, just informational
if (!hasPanel) {
// access denied message, redirect, or guard placeholder
const url = page.url();
expect(url).toBeTruthy(); // environment-dependent — no hard assertion
}
}
});
});

119
apps/web/e2e/auth.spec.ts Normal file
View File

@@ -0,0 +1,119 @@
import { test, expect } from '@playwright/test';
import { TEST_USER } from './helpers/auth.js';
// ── Login page ────────────────────────────────────────────────────────────────
test.describe('Login page', () => {
test('loads and shows the sign-in heading', async ({ page }) => {
await page.goto('/login');
await expect(page).toHaveTitle(/mosaic/i);
await expect(page.getByRole('heading', { name: /sign in/i })).toBeVisible();
});
test('shows email and password fields', async ({ page }) => {
await page.goto('/login');
await expect(page.getByLabel('Email')).toBeVisible();
await expect(page.getByLabel('Password')).toBeVisible();
});
test('shows submit button', async ({ page }) => {
await page.goto('/login');
await expect(page.getByRole('button', { name: /sign in/i })).toBeVisible();
});
test('shows link to registration page', async ({ page }) => {
await page.goto('/login');
const signUpLink = page.getByRole('link', { name: /sign up/i });
await expect(signUpLink).toBeVisible();
await signUpLink.click();
await expect(page).toHaveURL(/\/register/);
});
test('shows an error alert for invalid credentials', async ({ page }) => {
await page.goto('/login');
await page.getByLabel('Email').fill('nobody@nowhere.invalid');
await page.getByLabel('Password').fill('wrongpassword');
await page.getByRole('button', { name: /sign in/i }).click();
// The error banner should appear; it has role="alert"
await expect(page.getByRole('alert')).toBeVisible({ timeout: 10_000 });
});
test('email field requires valid format (HTML5 validation)', async ({ page }) => {
await page.goto('/login');
// Fill a non-email value — browser prevents submission
await page.getByLabel('Email').fill('notanemail');
await page.getByLabel('Password').fill('somepass');
await page.getByRole('button', { name: /sign in/i }).click();
// Still on the login page
await expect(page).toHaveURL(/\/login/);
});
test('redirects to /chat after successful login', async ({ page }) => {
await page.goto('/login');
await page.getByLabel('Email').fill(TEST_USER.email);
await page.getByLabel('Password').fill(TEST_USER.password);
await page.getByRole('button', { name: /sign in/i }).click();
// Either reaches /chat or shows an error (if credentials are wrong in this env).
// We assert a navigation away from /login, or the alert is shown.
await Promise.race([
expect(page).toHaveURL(/\/chat/, { timeout: 10_000 }),
expect(page.getByRole('alert')).toBeVisible({ timeout: 10_000 }),
]).catch(() => {
// Acceptable — environment may not have seeded credentials
});
});
});
// ── Registration page ─────────────────────────────────────────────────────────
test.describe('Registration page', () => {
test('loads and shows the create account heading', async ({ page }) => {
await page.goto('/register');
await expect(page.getByRole('heading', { name: /create account/i })).toBeVisible();
});
test('shows name, email and password fields', async ({ page }) => {
await page.goto('/register');
await expect(page.getByLabel('Name')).toBeVisible();
await expect(page.getByLabel('Email')).toBeVisible();
await expect(page.getByLabel('Password')).toBeVisible();
});
test('shows submit button', async ({ page }) => {
await page.goto('/register');
await expect(page.getByRole('button', { name: /create account/i })).toBeVisible();
});
test('shows link to login page', async ({ page }) => {
await page.goto('/register');
const signInLink = page.getByRole('link', { name: /sign in/i });
await expect(signInLink).toBeVisible();
await signInLink.click();
await expect(page).toHaveURL(/\/login/);
});
test('name field is required — empty form stays on page', async ({ page }) => {
await page.goto('/register');
// Submit with nothing filled in — browser required validation blocks it
await page.getByRole('button', { name: /create account/i }).click();
await expect(page).toHaveURL(/\/register/);
});
test('all required fields must be filled (HTML5 validation)', async ({ page }) => {
await page.goto('/register');
await page.getByLabel('Name').fill('Test User');
// Do NOT fill email or password — still on page
await page.getByRole('button', { name: /create account/i }).click();
await expect(page).toHaveURL(/\/register/);
});
});
// ── Root redirect ─────────────────────────────────────────────────────────────
test.describe('Root route', () => {
test('visiting / redirects to /login or /chat', async ({ page }) => {
await page.goto('/');
// Unauthenticated users should land on /login; authenticated on /chat
await expect(page).toHaveURL(/\/(login|chat)/, { timeout: 10_000 });
});
});

50
apps/web/e2e/chat.spec.ts Normal file
View File

@@ -0,0 +1,50 @@
import { test, expect } from '@playwright/test';
import { loginAs, TEST_USER } from './helpers/auth.js';
test.describe('Chat page', () => {
test.beforeEach(async ({ page }) => {
await loginAs(page, TEST_USER.email, TEST_USER.password);
// If login failed (no seeded user in env) we may be on /login — skip
const url = page.url();
test.skip(!url.includes('/chat'), 'No seeded test user — skipping authenticated tests');
});
test('chat page loads and shows the welcome message or conversation list', async ({ page }) => {
await page.goto('/chat');
// Either there are conversations listed or the welcome empty-state is shown
const hasWelcome = await page
.getByRole('heading', { name: /welcome to mosaic chat/i })
.isVisible()
.catch(() => false);
const hasConversationPanel = await page
.locator('[data-testid="conversation-list"], nav, aside')
.first()
.isVisible()
.catch(() => false);
expect(hasWelcome || hasConversationPanel).toBe(true);
});
test('new conversation button is visible', async ({ page }) => {
await page.goto('/chat');
// "Start new conversation" button or a "+" button in the sidebar
const newConvButton = page.getByRole('button', { name: /new conversation|start new/i }).first();
await expect(newConvButton).toBeVisible({ timeout: 10_000 });
});
test('clicking new conversation shows a chat input area', async ({ page }) => {
await page.goto('/chat');
// Find any button that creates a new conversation
const newBtn = page.getByRole('button', { name: /new conversation|start new/i }).first();
await newBtn.click();
// After creating, a text input for sending messages should appear
const chatInput = page.getByRole('textbox').or(page.locator('textarea')).first();
await expect(chatInput).toBeVisible({ timeout: 10_000 });
});
test('sidebar navigation is present on chat page', async ({ page }) => {
await page.goto('/chat');
// The app-shell sidebar should be visible
await expect(page.getByRole('link', { name: /chat/i }).first()).toBeVisible();
});
});

23
apps/web/e2e/helpers/auth.ts Normal file
View File

@@ -0,0 +1,23 @@
import type { Page } from '@playwright/test';
export const TEST_USER = {
email: process.env['E2E_USER_EMAIL'] ?? 'e2e@example.com',
password: process.env['E2E_USER_PASSWORD'] ?? 'password123',
name: 'E2E Test User',
};
export const ADMIN_USER = {
email: process.env['E2E_ADMIN_EMAIL'] ?? 'admin@example.com',
password: process.env['E2E_ADMIN_PASSWORD'] ?? 'adminpass123',
name: 'E2E Admin User',
};
/**
* Fill the login form and submit. Waits for navigation after success.
*/
export async function loginAs(page: Page, email: string, password: string): Promise<void> {
await page.goto('/login');
await page.getByLabel('Email').fill(email);
await page.getByLabel('Password').fill(password);
await page.getByRole('button', { name: /sign in/i }).click();
}

86
apps/web/e2e/navigation.spec.ts Normal file
View File

@@ -0,0 +1,86 @@
import { test, expect } from '@playwright/test';
import { loginAs, TEST_USER } from './helpers/auth.js';
test.describe('Sidebar navigation', () => {
test.beforeEach(async ({ page }) => {
await loginAs(page, TEST_USER.email, TEST_USER.password);
const url = page.url();
test.skip(!url.includes('/chat'), 'No seeded test user — skipping authenticated tests');
});
test('sidebar shows Mosaic brand link', async ({ page }) => {
await page.goto('/chat');
await expect(page.getByRole('link', { name: /mosaic/i }).first()).toBeVisible();
});
test('Chat nav link navigates to /chat', async ({ page }) => {
await page.goto('/settings');
await page
.getByRole('link', { name: /^chat$/i })
.first()
.click();
await expect(page).toHaveURL(/\/chat/);
});
test('Projects nav link navigates to /projects', async ({ page }) => {
await page.goto('/chat');
await page
.getByRole('link', { name: /projects/i })
.first()
.click();
await expect(page).toHaveURL(/\/projects/);
});
test('Settings nav link navigates to /settings', async ({ page }) => {
await page.goto('/chat');
await page
.getByRole('link', { name: /settings/i })
.first()
.click();
await expect(page).toHaveURL(/\/settings/);
});
test('Tasks nav link navigates to /tasks', async ({ page }) => {
await page.goto('/chat');
await page.getByRole('link', { name: /tasks/i }).first().click();
await expect(page).toHaveURL(/\/tasks/);
});
test('active link is visually highlighted', async ({ page }) => {
await page.goto('/chat');
// The active link should have a distinct class — check that the Chat link
// has the active style class (bg-blue-600/20 text-blue-400)
const chatLink = page.getByRole('link', { name: /^chat$/i }).first();
const cls = await chatLink.getAttribute('class');
expect(cls).toContain('blue');
});
});
test.describe('Route transitions', () => {
test.beforeEach(async ({ page }) => {
await loginAs(page, TEST_USER.email, TEST_USER.password);
const url = page.url();
test.skip(!url.includes('/chat'), 'No seeded test user — skipping authenticated tests');
});
test('navigating chat → projects → settings → chat works without errors', async ({ page }) => {
await page.goto('/chat');
await expect(page).toHaveURL(/\/chat/);
await page.goto('/projects');
await expect(page.getByRole('heading', { name: /projects/i })).toBeVisible();
await page.goto('/settings');
await expect(page.getByRole('heading', { name: /settings/i })).toBeVisible();
await page.goto('/chat');
await expect(page).toHaveURL(/\/chat/);
});
test('back-button navigation works between pages', async ({ page }) => {
await page.goto('/chat');
await page.goto('/projects');
await page.goBack();
await expect(page).toHaveURL(/\/chat/);
});
});

44
apps/web/e2e/projects.spec.ts Normal file
View File

@@ -0,0 +1,44 @@
import { test, expect } from '@playwright/test';
import { loginAs, TEST_USER } from './helpers/auth.js';
test.describe('Projects page', () => {
test.beforeEach(async ({ page }) => {
await loginAs(page, TEST_USER.email, TEST_USER.password);
const url = page.url();
test.skip(!url.includes('/chat'), 'No seeded test user — skipping authenticated tests');
});
test('projects page loads with heading', async ({ page }) => {
await page.goto('/projects');
await expect(page.getByRole('heading', { name: /projects/i })).toBeVisible({ timeout: 10_000 });
});
test('shows empty state or project cards when loaded', async ({ page }) => {
await page.goto('/projects');
// Wait for loading state to clear
await expect(page.getByText(/loading projects/i)).not.toBeVisible({ timeout: 10_000 });
const hasProjects = await page
.locator('[class*="grid"]')
.isVisible()
.catch(() => false);
const hasEmpty = await page
.getByText(/no projects yet/i)
.isVisible()
.catch(() => false);
expect(hasProjects || hasEmpty).toBe(true);
});
test('shows Active Mission section', async ({ page }) => {
await page.goto('/projects');
await expect(page.getByRole('heading', { name: /active mission/i })).toBeVisible({
timeout: 10_000,
});
});
test('sidebar navigation is present', async ({ page }) => {
await page.goto('/projects');
await expect(page.getByRole('link', { name: /projects/i }).first()).toBeVisible();
});
});

56
apps/web/e2e/settings.spec.ts Normal file
View File

@@ -0,0 +1,56 @@
import { test, expect } from '@playwright/test';
import { loginAs, TEST_USER } from './helpers/auth.js';
test.describe('Settings page', () => {
test.beforeEach(async ({ page }) => {
await loginAs(page, TEST_USER.email, TEST_USER.password);
const url = page.url();
test.skip(!url.includes('/chat'), 'No seeded test user — skipping authenticated tests');
});
test('settings page loads with heading', async ({ page }) => {
await page.goto('/settings');
await expect(page.getByRole('heading', { name: /^settings$/i })).toBeVisible({
timeout: 10_000,
});
});
test('shows the four settings tabs', async ({ page }) => {
await page.goto('/settings');
await expect(page.getByRole('button', { name: /profile/i })).toBeVisible();
await expect(page.getByRole('button', { name: /appearance/i })).toBeVisible();
await expect(page.getByRole('button', { name: /notifications/i })).toBeVisible();
await expect(page.getByRole('button', { name: /providers/i })).toBeVisible();
});
test('profile tab is active by default', async ({ page }) => {
await page.goto('/settings');
await expect(page.getByRole('heading', { name: /^profile$/i })).toBeVisible({
timeout: 10_000,
});
});
test('clicking Appearance tab switches content', async ({ page }) => {
await page.goto('/settings');
await page.getByRole('button', { name: /appearance/i }).click();
await expect(page.getByRole('heading', { name: /appearance/i })).toBeVisible({
timeout: 5_000,
});
});
test('clicking Notifications tab switches content', async ({ page }) => {
await page.goto('/settings');
await page.getByRole('button', { name: /notifications/i }).click();
await expect(page.getByRole('heading', { name: /notifications/i })).toBeVisible({
timeout: 5_000,
});
});
test('clicking Providers tab switches content', async ({ page }) => {
await page.goto('/settings');
await page.getByRole('button', { name: /providers/i }).click();
await expect(page.getByRole('heading', { name: /llm providers/i })).toBeVisible({
timeout: 5_000,
});
});
});

3
apps/web/package.json
View File

@@ -8,6 +8,7 @@
"lint": "eslint src",
"typecheck": "tsc --noEmit",
"test": "vitest run --passWithNoTests",
"test:e2e": "playwright test",
"start": "next start"
},
"dependencies": {
@@ -21,10 +22,12 @@
"tailwind-merge": "^3.5.0"
},
"devDependencies": {
"@playwright/test": "^1.58.2",
"@tailwindcss/postcss": "^4.0.0",
"@types/node": "^22.0.0",
"@types/react": "^19.0.0",
"@types/react-dom": "^19.0.0",
"jsdom": "^29.0.0",
"tailwindcss": "^4.0.0",
"typescript": "^5.8.0",
"vitest": "^2.0.0"

32
apps/web/playwright.config.ts Normal file
View File

@@ -0,0 +1,32 @@
import { defineConfig, devices } from '@playwright/test';
/**
* Playwright E2E configuration for Mosaic web app.
*
* Assumes:
* - Next.js web app running on http://localhost:3000
* - NestJS gateway running on http://localhost:4000
*
* Run with: pnpm --filter @mosaic/web test:e2e
*/
export default defineConfig({
testDir: './e2e',
fullyParallel: true,
forbidOnly: !!process.env['CI'],
retries: process.env['CI'] ? 2 : 0,
workers: process.env['CI'] ? 1 : undefined,
reporter: 'html',
use: {
baseURL: process.env['PLAYWRIGHT_BASE_URL'] ?? 'http://localhost:3000',
trace: 'on-first-retry',
screenshot: 'only-on-failure',
},
projects: [
{
name: 'chromium',
use: { ...devices['Desktop Chrome'] },
},
],
// Do NOT auto-start the dev server — tests assume it is already running.
// webServer is intentionally omitted so tests can run against a live env.
});

14
apps/web/src/app/(dashboard)/chat/page.tsx
View File

@@ -151,11 +151,15 @@ export default function ChatPage(): React.ReactElement {
const handleDelete = useCallback(
async (id: string) => {
await api<void>(`/api/conversations/${id}`, { method: 'DELETE' });
setConversations((prev) => prev.filter((c) => c.id !== id));
if (activeId === id) {
setActiveId(null);
setMessages([]);
try {
await api<void>(`/api/conversations/${id}`, { method: 'DELETE' });
setConversations((prev) => prev.filter((c) => c.id !== id));
if (activeId === id) {
setActiveId(null);
setMessages([]);
}
} catch (err) {
console.error('[ChatPage] Failed to delete conversation:', err);
}
},
[activeId],

11
apps/web/tsconfig.e2e.json Normal file
View File

@@ -0,0 +1,11 @@
{
"extends": "../../tsconfig.base.json",
"compilerOptions": {
"target": "ES2022",
"module": "NodeNext",
"moduleResolution": "NodeNext",
"types": ["node"],
"noEmit": true
},
"include": ["e2e/**/*.ts", "playwright.config.ts"]
}

2
apps/web/tsconfig.json
View File

@@ -12,5 +12,5 @@
}
},
"include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
"exclude": ["node_modules"]
"exclude": ["node_modules", "e2e", "playwright.config.ts"]
}

1
apps/web/vitest.config.ts
View File

@@ -4,5 +4,6 @@ export default defineConfig({
test: {
globals: true,
environment: 'jsdom',
exclude: ['e2e/**', 'node_modules/**'],
},
});

83
docs/MISSION-MANIFEST.md
View File

@@ -7,39 +7,39 @@
**ID:** mvp-20260312
**Statement:** Build Mosaic Stack v0.1.0 — a self-hosted, multi-user AI agent platform with web dashboard, TUI, remote control, shared memory, mission orchestration, and extensible skill/plugin architecture. All TypeScript. Pi as agent harness. Brain as knowledge layer. Queue as coordination backbone.
**Phase:** Execution
**Current Milestone:** Phase 7: Feature Completion (v0.0.8)
**Progress:** 7 / 9 milestones
**Status:** active
**Last Updated:** 2026-03-15 UTC
**Phase:** Complete
**Current Milestone:** Phase 8: Polish & Beta (v0.1.0) — DONE
**Progress:** 9 / 9 milestones
**Status:** complete
**Last Updated:** 2026-03-16 UTC
## Success Criteria
- [ ] AC-1: Core chat flow — login, send message, streamed response, conversations persist
- [ ] AC-2: TUI integration — `mosaic tui` connects to gateway, same context as web
- [ ] AC-3: Discord remote control — bot responds, routes through gateway, threads work
- [ ] AC-4: Gateway orchestration — multi-provider routing, fallback, concurrent sessions
- [ ] AC-5: Task & project management — CRUD, kanban, mission tracking, brain MCP tools
- [ ] AC-6: Memory system — auto-capture, semantic search, preferences, log summarization
- [ ] AC-7: Auth & RBAC — email/password, Authentik SSO, role enforcement
- [ ] AC-8: Multi-provider LLM — 3+ providers routing correctly
- [ ] AC-9: MCP — gateway MCP endpoint, brain + queue tools via MCP
- [ ] AC-10: Deployment — `docker compose up` from clean state, CLI on bare metal
- [ ] AC-11: @mosaic/\* packages — all 7 migrated packages build, test, integrate
- [x] AC-1: Core chat flow — login, send message, streamed response, conversations persist
- [x] AC-2: TUI integration — `mosaic tui` connects to gateway, same context as web
- [x] AC-3: Discord remote control — bot responds, routes through gateway, threads work
- [x] AC-4: Gateway orchestration — multi-provider routing, fallback, concurrent sessions
- [x] AC-5: Task & project management — CRUD, kanban, mission tracking, brain MCP tools
- [x] AC-6: Memory system — auto-capture, semantic search, preferences, log summarization
- [x] AC-7: Auth & RBAC — email/password, Authentik SSO, role enforcement
- [x] AC-8: Multi-provider LLM — 3+ providers routing correctly
- [x] AC-9: MCP — gateway MCP endpoint, brain + queue tools via MCP
- [x] AC-10: Deployment — `docker compose up` from clean state, CLI on bare metal
- [x] AC-11: @mosaic/\* packages — all 7 migrated packages build, test, integrate
## Milestones
| # | ID | Name | Status | Branch | Issue | Started | Completed |
| --- | ------ | --------------------------------------- | ----------- | ------ | ----- | ---------- | ---------- |
| 0 | ms-157 | Phase 0: Foundation (v0.0.1) | done | — | — | 2026-03-13 | 2026-03-13 |
| 1 | ms-158 | Phase 1: Core API (v0.0.2) | done | — | — | 2026-03-13 | 2026-03-13 |
| 2 | ms-159 | Phase 2: Agent Layer (v0.0.3) | done | — | — | 2026-03-13 | 2026-03-12 |
| 3 | ms-160 | Phase 3: Web Dashboard (v0.0.4) | done | — | — | 2026-03-12 | 2026-03-13 |
| 4 | ms-161 | Phase 4: Memory & Intelligence (v0.0.5) | done | — | — | 2026-03-13 | 2026-03-13 |
| 5 | ms-162 | Phase 5: Remote Control (v0.0.6) | done | — | #99 | 2026-03-14 | 2026-03-14 |
| 6 | ms-163 | Phase 6: CLI & Tools (v0.0.7) | done | — | #104 | 2026-03-14 | 2026-03-14 |
| 7 | ms-164 | Phase 7: Feature Completion (v0.0.8) | in-progress | — | — | 2026-03-15 | |
| 8 | ms-165 | Phase 8: Polish & Beta (v0.1.0) | not-started | — | — | — | — |
| # | ID | Name | Status | Branch | Issue | Started | Completed |
| --- | ------ | --------------------------------------- | ------ | ------ | ----- | ---------- | ---------- |
| 0 | ms-157 | Phase 0: Foundation (v0.0.1) | done | — | — | 2026-03-13 | 2026-03-13 |
| 1 | ms-158 | Phase 1: Core API (v0.0.2) | done | — | — | 2026-03-13 | 2026-03-13 |
| 2 | ms-159 | Phase 2: Agent Layer (v0.0.3) | done | — | — | 2026-03-13 | 2026-03-12 |
| 3 | ms-160 | Phase 3: Web Dashboard (v0.0.4) | done | — | — | 2026-03-12 | 2026-03-13 |
| 4 | ms-161 | Phase 4: Memory & Intelligence (v0.0.5) | done | — | — | 2026-03-13 | 2026-03-13 |
| 5 | ms-162 | Phase 5: Remote Control (v0.0.6) | done | — | #99 | 2026-03-14 | 2026-03-14 |
| 6 | ms-163 | Phase 6: CLI & Tools (v0.0.7) | done | — | #104 | 2026-03-14 | 2026-03-14 |
| 7 | ms-164 | Phase 7: Feature Completion (v0.0.8) | done | — | — | 2026-03-15 | 2026-03-15 |
| 8 | ms-165 | Phase 8: Polish & Beta (v0.1.0) | done | — | — | 2026-03-15 | 2026-03-15 |
## Deployment
@@ -58,20 +58,21 @@
## Session History
| Session | Runtime | Started | Duration | Ended Reason | Last Task |
| ------- | --------------- | -------------------- | -------- | ------------- | ---------------- |
| 1 | claude-opus-4-6 | 2026-03-13 01:00 UTC | — | context limit | Planning gate |
| 2 | claude-opus-4-6 | 2026-03-13 | — | context limit | P5-002, P6-005 |
| 3 | claude-opus-4-6 | 2026-03-13 | — | context limit | P0-006 |
| 4 | claude-opus-4-6 | 2026-03-12 | — | context limit | Docker fix |
| 5 | claude-opus-4-6 | 2026-03-12 | — | context limit | P1-009 |
| 6 | claude-opus-4-6 | 2026-03-12 | — | context limit | P2-006, FIX-01 |
| 7 | claude-opus-4-6 | 2026-03-12 | — | context limit | P2-007 |
| 8 | claude-opus-4-6 | 2026-03-12 | — | context limit | Phase 2 complete |
| 9 | claude-opus-4-6 | 2026-03-12 | — | context limit | P3-007 |
| 10 | claude-opus-4-6 | 2026-03-13 | — | context limit | P3-008 |
| 11 | claude-opus-4-6 | 2026-03-14 | — | context limit | P7 rescope |
| 12 | claude-opus-4-6 | 2026-03-15 | — | active | P7 planning |
| Session | Runtime | Started | Duration | Ended Reason | Last Task |
| ------- | ----------------- | -------------------- | -------- | ------------- | ---------------- |
| 1 | claude-opus-4-6 | 2026-03-13 01:00 UTC | — | context limit | Planning gate |
| 2 | claude-opus-4-6 | 2026-03-13 | — | context limit | P5-002, P6-005 |
| 3 | claude-opus-4-6 | 2026-03-13 | — | context limit | P0-006 |
| 4 | claude-opus-4-6 | 2026-03-12 | — | context limit | Docker fix |
| 5 | claude-opus-4-6 | 2026-03-12 | — | context limit | P1-009 |
| 6 | claude-opus-4-6 | 2026-03-12 | — | context limit | P2-006, FIX-01 |
| 7 | claude-opus-4-6 | 2026-03-12 | — | context limit | P2-007 |
| 8 | claude-opus-4-6 | 2026-03-12 | — | context limit | Phase 2 complete |
| 9 | claude-opus-4-6 | 2026-03-12 | — | context limit | P3-007 |
| 10 | claude-opus-4-6 | 2026-03-13 | — | context limit | P3-008 |
| 11 | claude-opus-4-6 | 2026-03-14 | — | context limit | P7 rescope |
| 12 | claude-opus-4-6 | 2026-03-15 | — | context limit | P7 planning |
| 13 | claude-sonnet-4-6 | 2026-03-16 | — | complete | P8-019 verify |
## Scratchpad

70
docs/PRD-TUI_Improvements.md Normal file
View File

@@ -0,0 +1,70 @@
# PRD: TUI Improvements — Phase 7
**Branch:** `feat/p7-tui-improvements`
**Package:** `packages/cli`
**Status:** In Progress
---
## Problem Statement
The current Mosaic CLI TUI (`packages/cli/src/tui/app.tsx`) is a minimal single-file Ink application with:
- Flat message list with no visual hierarchy
- No system context visibility (cwd, branch, model, tokens)
- Noisy error messages when gateway is disconnected
- No conversation management (list, switch, rename, delete)
- No multi-panel layout or navigation
- No tool call visibility during agent execution
- No thinking/reasoning display
The TUI should be the power-user interface to Mosaic — informative, responsive, and visually clean.
---
## Goals
### Wave 1 — Status Bar & Polish (MVP)
Provide essential context at a glance and reduce noise.
1. **Top status bar** — shows: connection indicator (●/○), gateway URL, agent model name
2. **Bottom status bar** — shows: cwd, git branch, token usage (input/output/total)
3. **Better message formatting** — distinct visual treatment for user vs assistant messages, timestamps, word wrap
4. **Quiet disconnect** — single-line indicator when gateway is offline instead of flooding error messages; auto-reconnect silently
5. **Tool call display** — inline indicators when agent uses tools (spinner + tool name during execution, ✓/✗ on completion)
6. **Thinking/reasoning display** — collapsible dimmed block for `agent:thinking` events
### Wave 2 — Layout & Navigation
Multi-panel layout with keyboard navigation.
1. **Conversation sidebar** — list conversations, create new, switch between them
2. **Keybinding system** — Ctrl+N (new conversation), Ctrl+L (conversation list toggle), Ctrl+K (command palette concept)
3. **Scrollable message history** — viewport with PgUp/PgDn/arrow key scrolling
4. **Message search** — find in current conversation
### Wave 3 — Advanced Features
1. **Project/mission views** — show active projects, missions, tasks
2. **Agent status monitoring** — real-time agent state, queue depth
3. **Settings/config screen** — view/edit connection settings, model preferences
4. **Multiple agent sessions** — split view or tab-based multi-agent
---
## Technical Approach
- **Ink 5** (React for CLI) — already in deps
- **Component architecture** — break monolithic `app.tsx` into composable components
- **Typed Socket.IO events** — leverage `@mosaic/types` `ServerToClientEvents` / `ClientToServerEvents`
- **Local state only** (Wave 1) — cwd/branch read from `process.cwd()` and `git` at startup
- **Gateway metadata** (future) — extend socket handshake or add REST endpoint for model info, token usage
---
## Non-Goals (for now)
- Image rendering in terminal
- File editor integration
- SSH/remote gateway auto-discovery

105
docs/TASKS-TUI_Improvements.md Normal file
View File

@@ -0,0 +1,105 @@
# Tasks: TUI Improvements
**Branch:** `feat/p7-tui-improvements`
**Worktree:** `/home/jwoltje/src/mosaic-mono-v1-worktrees/tui-improvements`
**PRD:** [PRD-TUI_Improvements.md](./PRD-TUI_Improvements.md)
---
## Wave 1 — Status Bar & Polish ✅
| ID | Task | Status | Notes |
| -------- | ----------------------------------------------------------------------------------------------------- | ------- | ------- |
| TUI-001 | Component architecture — split `app.tsx` into `TopBar`, `BottomBar`, `MessageList`, `InputBar`, hooks | ✅ done | 79ff308 |
| TUI-002 | Top status bar — branded mosaic icon, version, model, connection indicator | ✅ done | 6c2b01e |
| TUI-003 | Bottom status bar — cwd, git branch, token usage, session ID, gateway status | ✅ done | e8d7ab8 |
| TUI-004 | Message formatting — timestamps, role colors ( you / ◆ assistant), word wrap | ✅ done | 79ff308 |
| TUI-005 | Quiet disconnect — single indicator, auto-reconnect, no error flood | ✅ done | 79ff308 |
| TUI-006 | Tool call display — inline spinner + tool name during execution, ✓/✗ on completion | ✅ done | 79ff308 |
| TUI-007 | Thinking/reasoning display — dimmed 💭 block for `agent:thinking` events | ✅ done | 79ff308 |
| TUI-007b | Wire token usage, model info, thinking levels end-to-end (gateway → types → TUI) | ✅ done | a061a64 |
| TUI-007c | Ctrl+T to cycle thinking levels via `set:thinking` socket event | ✅ done | a061a64 |
## Wave 2 — Layout & Navigation ✅
| ID | Task | Status | Notes |
| ------- | --------------------------------------------------------- | ------- | ------- |
| TUI-010 | Scrollable message history — viewport with PgUp/PgDn | ✅ done | 4d4ad38 |
| TUI-008 | Conversation sidebar — list, create, switch conversations | ✅ done | 9ef578c |
| TUI-009 | Keybinding system — Ctrl+L, Ctrl+N, Ctrl+K, Escape | ✅ done | 9f38f5a |
| TUI-011 | Message search — find in current conversation | ✅ done | 8627827 |
## Wave 3 — Advanced Features
| ID | Task | Status | Notes |
| ------- | ----------------------- | ----------- | ----- |
| TUI-012 | Project/mission views | not-started | |
| TUI-013 | Agent status monitoring | not-started | |
| TUI-014 | Settings/config screen | not-started | |
| TUI-015 | Multiple agent sessions | not-started | |
---
## Handoff Notes
### File Structure
```
packages/cli/src/tui/
├── app.tsx ← Shell composing all components + global keybindings
├── components/
│ ├── top-bar.tsx ← Mosaic icon + version + model + connection
│ ├── bottom-bar.tsx ← Keybinding hints + 3-line footer: gateway, cwd, tokens
│ ├── message-list.tsx ← Messages, tool calls, thinking, streaming, search highlights
│ ├── input-bar.tsx ← Bordered prompt with context-aware placeholder
│ ├── sidebar.tsx ← Conversation list with keyboard navigation
│ └── search-bar.tsx ← Message search input with match count + navigation
└── hooks/
├── use-socket.ts ← Typed Socket.IO + switchConversation/clearMessages
├── use-git-info.ts ← Reads cwd + git branch at startup
├── use-viewport.ts ← Scrollable viewport with auto-follow + PgUp/PgDn
├── use-app-mode.ts ← Panel focus state machine (chat/sidebar/search)
├── use-conversations.ts ← REST client for conversation CRUD
└── use-search.ts ← Message search with match cycling
```
### Cross-Package Changes
- **`packages/types/src/chat/events.ts`** — Added `SessionUsagePayload`, `SessionInfoPayload`, `SetThinkingPayload`, `session:info` event, `set:thinking` event
- **`apps/gateway/src/chat/chat.gateway.ts`** — Emits `session:info` on session creation, includes `usage` in `agent:end`, handles `set:thinking`
### Key Design Decisions
#### Wave 1
- Footer is 3 lines: (1) gateway status right-aligned, (2) cwd+branch left / session right, (3) tokens left / provider+model+thinking right
- Mosaic icon uses brand colors in windmill cross pattern with `GAP` const to prevent prettier collapsing spaces
- `flexGrow={1}` on header text column prevents re-render artifacts
- Token/model data comes from gateway via `agent:end` payload and `session:info` events
- Thinking level cycling via Ctrl+T sends `set:thinking` to gateway, which validates and responds with `session:info`
#### Wave 2
- `useViewport` calculates scroll offset from terminal rows; auto-follow snaps to bottom on new messages
- `useAppMode` state machine manages focus: only the active panel handles keyboard input via `useInput({ isActive })`
- Sidebar fetches conversations via REST (`GET /api/conversations`), not socket events
- `switchConversation` in `useSocket` clears all local state (messages, streaming, tool calls)
- Search uses `useMemo` for reactive match computation; viewport auto-scrolls to current match
- Keybinding hints shown in bottom bar: `^L sidebar · ^N new · ^K search · ^T thinking · PgUp/Dn scroll`
### How to Run
```bash
cd /home/jwoltje/src/mosaic-mono-v1-worktrees/tui-improvements
pnpm --filter @mosaic/cli exec tsx src/cli.ts tui
# or after build:
node packages/cli/dist/cli.js tui --gateway http://localhost:4000
```
### Quality Gates
```bash
pnpm --filter @mosaic/cli typecheck && pnpm --filter @mosaic/cli lint
pnpm --filter @mosaic/gateway typecheck && pnpm --filter @mosaic/gateway lint
pnpm --filter @mosaic/types typecheck
```

173
docs/TASKS.md
View File

@@ -1,81 +1,100 @@
# Tasks — MVP
> Single-writer: orchestrator only. Workers read but never modify.
>
> **`agent` column values:** `codex` | `sonnet` | `haiku` | `glm-5` | `opus` | `—` (auto/default)
> Pipeline crons pick the cheapest capable model. Override with a specific value when a task genuinely needs it.
> Examples: `opus` for major architecture decisions, `codex` for pure coding, `haiku` for review/verify gates, `glm-5` for cost-sensitive coding.
| id | status | milestone | description | pr | notes |
| ------ | ----------- | --------- | ------------------------------------------------------------------- | ---- | ------------ |
| P0-001 | done | Phase 0 | Scaffold monorepo | #60 | #1 |
| P0-002 | done | Phase 0 | @mosaic/types — migrate and extend shared types | #65 | #2 |
| P0-003 | done | Phase 0 | @mosaic/db — Drizzle schema and PG connection | #67 | #3 |
| P0-004 | done | Phase 0 | @mosaic/auth — BetterAuth email/password setup | #68 | #4 |
| P0-005 | done | Phase 0 | Docker Compose — PG 17, Valkey 8, SigNoz | #65 | #5 |
| P0-006 | done | Phase 0 | OTEL foundation — OpenTelemetry SDK setup | #65 | #6 |
| P0-007 | done | Phase 0 | CI pipeline — Woodpecker config | #69 | #7 |
| P0-008 | done | Phase 0 | Project docs — AGENTS.md, CLAUDE.md, README | #69 | #8 |
| P0-009 | done | Phase 0 | Verify Phase 0 — CI green, all packages build | #70 | #9 |
| P1-001 | done | Phase 1 | apps/gateway scaffold — NestJS + Fastify adapter | #61 | #10 |
| P1-002 | done | Phase 1 | Auth middleware — BetterAuth session validation | #71 | #11 |
| P1-003 | done | Phase 1 | @mosaic/brain — migrate from v0, PG backend | #71 | #12 |
| P1-004 | done | Phase 1 | @mosaic/queue — migrate from v0 | #71 | #13 |
| P1-005 | done | Phase 1 | Gateway routes — conversations CRUD + messages | #72 | #14 |
| P1-006 | done | Phase 1 | Gateway routes — tasks, projects, missions CRUD | #72 | #15 |
| P1-007 | done | Phase 1 | WebSocket server — chat streaming | #61 | #16 |
| P1-008 | done | Phase 1 | Basic agent dispatch — single provider | #61 | #17 |
| P1-009 | done | Phase 1 | Verify Phase 1 — gateway functional, API tested | #73 | #18 |
| P2-001 | done | Phase 2 | @mosaic/agent — Pi SDK integration + agent pool | #61 | #19 |
| P2-002 | done | Phase 2 | Multi-provider support — Anthropic + Ollama | #74 | #20 |
| P2-003 | done | Phase 2 | Agent routing engine — cost/capability matrix | #75 | #21 |
| P2-004 | done | Phase 2 | Tool registration — brain, queue, memory tools | #76 | #22 |
| P2-005 | done | Phase 2 | @mosaic/coord — migrate from v0, gateway integration | #77 | #23 |
| P2-006 | done | Phase 2 | Agent session management — tmux + monitoring | #78 | #24 |
| P2-007 | done | Phase 2 | Verify Phase 2 — multi-provider routing works | #79 | #25 |
| P3-001 | done | Phase 3 | apps/web scaffold — Next.js 16 + BetterAuth + Tailwind | #82 | #26 |
| P3-002 | done | Phase 3 | Auth pages — login, registration, SSO redirect | #83 | #27 |
| P3-003 | done | Phase 3 | Chat UI — conversations, messages, streaming | #84 | #28 |
| P3-004 | done | Phase 3 | Task management — list view + kanban board | #86 | #29 |
| P3-005 | done | Phase 3 | Project & mission views — dashboard + PRD viewer | #87 | #30 |
| P3-006 | done | Phase 3 | Settings — provider config, profile, integrations | #88 | #31 |
| P3-007 | done | Phase 3 | Admin panel — user management, RBAC | #89 | #32 |
| P3-008 | done | Phase 3 | Verify Phase 3 — web dashboard functional E2E | — | #33 |
| P4-001 | done | Phase 4 | @mosaic/memory — preference + insight stores | — | #34 |
| P4-002 | done | Phase 4 | Semantic search — pgvector embeddings + search API | — | #35 |
| P4-003 | done | Phase 4 | @mosaic/log — log ingest, parsing, tiered storage | — | #36 |
| P4-004 | done | Phase 4 | Summarization pipeline — Haiku-tier LLM + cron | — | #37 |
| P4-005 | done | Phase 4 | Memory integration — inject into agent sessions | — | #38 |
| P4-006 | done | Phase 4 | Skill management — catalog, install, config | — | #39 |
| P4-007 | done | Phase 4 | Verify Phase 4 — memory + log pipeline working | — | #40 |
| P5-001 | done | Phase 5 | Plugin host — gateway plugin loading + channel interface | — | #41 |
| P5-002 | done | Phase 5 | @mosaic/discord-plugin — Discord bot + channel plugin | #61 | #42 |
| P5-003 | done | Phase 5 | @mosaic/telegram-plugin — Telegraf bot + channel plugin | — | #43 |
| P5-004 | done | Phase 5 | SSO — Authentik OIDC adapter end-to-end | — | #44 |
| P5-005 | done | Phase 5 | Verify Phase 5 — Discord + Telegram + SSO working | #99 | #45 |
| P6-001 | done | Phase 6 | @mosaic/cli — unified CLI binary + subcommands | #104 | #46 |
| P6-002 | done | Phase 6 | @mosaic/prdy — migrate PRD wizard from v0 | #101 | #47 |
| P6-003 | done | Phase 6 | @mosaic/quality-rails — migrate scaffolder from v0 | #100 | #48 |
| P6-004 | done | Phase 6 | @mosaic/mosaic — install wizard for v1 | #103 | #49 |
| P6-005 | done | Phase 6 | Pi TUI integration — mosaic tui | #61 | #50 |
| P6-006 | done | Phase 6 | Verify Phase 6 — CLI functional, all subcommands | — | #51 |
| P7-009 | done | Phase 7 | Web chat — WebSocket integration, streaming, conversation switching | #136 | #120 W1 done |
| P7-001 | done | Phase 7 | MCP endpoint hardening — streamable HTTP transport | #137 | #52 W1 done |
| P7-010 | done | Phase 7 | Web conversation management — list, search, rename, delete, archive | #139 | #121 W2 done |
| P7-015 | done | Phase 7 | Agent tool expansion — file ops, git, shell exec, web fetch | #138 | #126 W2 done |
| P7-011 | done | Phase 7 | Web project detail views — missions, tasks, PRDs, dashboards | #140 | #122 W3 done |
| P7-016 | done | Phase 7 | MCP client — gateway connects to external MCP servers as tools | #141 | #127 W3 done |
| P7-012 | in-progress | Phase 7 | Web provider management UI — add, configure, test LLM providers | — | #123 Wave-4 |
| P7-017 | in-progress | Phase 7 | Agent skill invocation — load and execute skills from catalog | — | #128 Wave-4 |
| P7-013 | not-started | Phase 7 | Web settings persistence — profile, preferences save to DB | — | #124 Wave-5 |
| P7-018 | not-started | Phase 7 | CLI model/provider switching — --model, --provider, /model in TUI | — | #129 Wave-5 |
| P7-014 | not-started | Phase 7 | Web admin panel — user CRUD, role assignment, system health | — | #125 Wave-6 |
| P7-019 | not-started | Phase 7 | CLI session management — list, resume, destroy sessions | — | #130 Wave-6 |
| P7-020 | not-started | Phase 7 | Coord DB migration — project-scoped missions, multi-tenant RBAC | — | #131 Wave-7 |
| FIX-02 | not-started | Backlog | TUI agent:end — fix React state updater side-effect | — | #133 Wave-8 |
| FIX-03 | not-started | Backlog | Agent session — cwd sandbox, system prompt, tool restrictions | — | #134 Wave-8 |
| P7-004 | not-started | Phase 7 | E2E test suite — Playwright critical paths | — | #55 Wave-9 |
| P7-006 | not-started | Phase 7 | Documentation — user guide, admin guide, dev guide | — | #57 Wave-9 |
| P7-007 | not-started | Phase 7 | Bare-metal deployment docs + .env.example | — | #58 Wave-9 |
| P7-021 | not-started | Phase 7 | Verify Phase 7 — feature-complete platform E2E | — | #132 Wave-10 |
| P8-001 | not-started | Phase 8 | Additional SSO providers — WorkOS + Keycloak | — | #53 |
| P8-002 | not-started | Phase 8 | Additional LLM providers — Codex, Z.ai, LM Studio, llama.cpp | — | #54 |
| P8-003 | not-started | Phase 8 | Performance optimization | — | #56 |
| P8-004 | not-started | Phase 8 | Beta release gate — v0.1.0 tag | — | #59 |
| FIX-01 | done | Backlog | Call piSession.dispose() in AgentService.destroySession | #78 | #62 |
| id | status | agent | milestone | description | pr | notes |
| ------ | ----------- | ------- | -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | ------------- | ----- |
| P0-001 | done | Phase 0 | Scaffold monorepo | #60 | #1 |
| P0-002 | done | Phase 0 | @mosaic/types — migrate and extend shared types | #65 | #2 |
| P0-003 | done | Phase 0 | @mosaic/db — Drizzle schema and PG connection | #67 | #3 |
| P0-004 | done | Phase 0 | @mosaic/auth — BetterAuth email/password setup | #68 | #4 |
| P0-005 | done | Phase 0 | Docker Compose — PG 17, Valkey 8, SigNoz | #65 | #5 |
| P0-006 | done | Phase 0 | OTEL foundation — OpenTelemetry SDK setup | #65 | #6 |
| P0-007 | done | Phase 0 | CI pipeline — Woodpecker config | #69 | #7 |
| P0-008 | done | Phase 0 | Project docs — AGENTS.md, CLAUDE.md, README | #69 | #8 |
| P0-009 | done | Phase 0 | Verify Phase 0 — CI green, all packages build | #70 | #9 |
| P1-001 | done | Phase 1 | apps/gateway scaffold — NestJS + Fastify adapter | #61 | #10 |
| P1-002 | done | Phase 1 | Auth middleware — BetterAuth session validation | #71 | #11 |
| P1-003 | done | Phase 1 | @mosaic/brain — migrate from v0, PG backend | #71 | #12 |
| P1-004 | done | Phase 1 | @mosaic/queue — migrate from v0 | #71 | #13 |
| P1-005 | done | Phase 1 | Gateway routes — conversations CRUD + messages | #72 | #14 |
| P1-006 | done | Phase 1 | Gateway routes — tasks, projects, missions CRUD | #72 | #15 |
| P1-007 | done | Phase 1 | WebSocket server — chat streaming | #61 | #16 |
| P1-008 | done | Phase 1 | Basic agent dispatch — single provider | #61 | #17 |
| P1-009 | done | Phase 1 | Verify Phase 1 — gateway functional, API tested | #73 | #18 |
| P2-001 | done | Phase 2 | @mosaic/agent — Pi SDK integration + agent pool | #61 | #19 |
| P2-002 | done | Phase 2 | Multi-provider support — Anthropic + Ollama | #74 | #20 |
| P2-003 | done | Phase 2 | Agent routing engine — cost/capability matrix | #75 | #21 |
| P2-004 | done | Phase 2 | Tool registration — brain, queue, memory tools | #76 | #22 |
| P2-005 | done | Phase 2 | @mosaic/coord — migrate from v0, gateway integration | #77 | #23 |
| P2-006 | done | Phase 2 | Agent session management — tmux + monitoring | #78 | #24 |
| P2-007 | done | Phase 2 | Verify Phase 2 — multi-provider routing works | #79 | #25 |
| P3-001 | done | Phase 3 | apps/web scaffold — Next.js 16 + BetterAuth + Tailwind | #82 | #26 |
| P3-002 | done | Phase 3 | Auth pages — login, registration, SSO redirect | #83 | #27 |
| P3-003 | done | Phase 3 | Chat UI — conversations, messages, streaming | #84 | #28 |
| P3-004 | done | Phase 3 | Task management — list view + kanban board | #86 | #29 |
| P3-005 | done | Phase 3 | Project & mission views — dashboard + PRD viewer | #87 | #30 |
| P3-006 | done | Phase 3 | Settings — provider config, profile, integrations | #88 | #31 |
| P3-007 | done | Phase 3 | Admin panel — user management, RBAC | #89 | #32 |
| P3-008 | done | Phase 3 | Verify Phase 3 — web dashboard functional E2E | — | #33 |
| P4-001 | done | Phase 4 | @mosaic/memory — preference + insight stores | — | #34 |
| P4-002 | done | Phase 4 | Semantic search — pgvector embeddings + search API | — | #35 |
| P4-003 | done | Phase 4 | @mosaic/log — log ingest, parsing, tiered storage | — | #36 |
| P4-004 | done | Phase 4 | Summarization pipeline — Haiku-tier LLM + cron | — | #37 |
| P4-005 | done | Phase 4 | Memory integration — inject into agent sessions | — | #38 |
| P4-006 | done | Phase 4 | Skill management — catalog, install, config | — | #39 |
| P4-007 | done | Phase 4 | Verify Phase 4 — memory + log pipeline working | — | #40 |
| P5-001 | done | Phase 5 | Plugin host — gateway plugin loading + channel interface | — | #41 |
| P5-002 | done | Phase 5 | @mosaic/discord-plugin — Discord bot + channel plugin | #61 | #42 |
| P5-003 | done | Phase 5 | @mosaic/telegram-plugin — Telegraf bot + channel plugin | — | #43 |
| P5-004 | done | Phase 5 | SSO — Authentik OIDC adapter end-to-end | — | #44 |
| P5-005 | done | Phase 5 | Verify Phase 5 — Discord + Telegram + SSO working | #99 | #45 |
| P6-001 | done | Phase 6 | @mosaic/cli — unified CLI binary + subcommands | #104 | #46 |
| P6-002 | done | Phase 6 | @mosaic/prdy — migrate PRD wizard from v0 | #101 | #47 |
| P6-003 | done | Phase 6 | @mosaic/quality-rails — migrate scaffolder from v0 | #100 | #48 |
| P6-004 | done | Phase 6 | @mosaic/mosaic — install wizard for v1 | #103 | #49 |
| P6-005 | done | Phase 6 | Pi TUI integration — mosaic tui | #61 | #50 |
| P6-006 | done | Phase 6 | Verify Phase 6 — CLI functional, all subcommands | — | #51 |
| P7-009 | done | Phase 7 | Web chat — WebSocket integration, streaming, conversation switching | #136 | #120 W1 done |
| P7-001 | done | Phase 7 | MCP endpoint hardening — streamable HTTP transport | #137 | #52 W1 done |
| P7-010 | done | Phase 7 | Web conversation management — list, search, rename, delete, archive | #139 | #121 W2 done |
| P7-015 | done | Phase 7 | Agent tool expansion — file ops, git, shell exec, web fetch | #138 | #126 W2 done |
| P7-011 | done | Phase 7 | Web project detail views — missions, tasks, PRDs, dashboards | #140 | #122 W3 done |
| P7-016 | done | Phase 7 | MCP client — gateway connects to external MCP servers as tools | #141 | #127 W3 done |
| P7-012 | done | Phase 7 | Web provider management UI — add, configure, test LLM providers | #142 | #123 W4 done |
| P7-017 | done | Phase 7 | Agent skill invocation — load and execute skills from catalog | #143 | #128 W4 done |
| P7-013 | done | Phase 7 | Web settings persistence — profile, preferences save to DB | #145 | #124 W5 done |
| P7-018 | done | Phase 7 | CLI model/provider switching — --model, --provider, /model in TUI | #144 | #129 W5 done |
| P7-014 | done | Phase 7 | Web admin panel — user CRUD, role assignment, system health | #150 | #125 W6 done |
| P7-019 | done | Phase 7 | CLI session management — list, resume, destroy sessions | #146 | #130 W6 done |
| P7-020 | done | Phase 7 | Coord DB migration — project-scoped missions, multi-tenant RBAC | #149 | #131 W7 done |
| FIX-02 | done | Backlog | TUI agent:end — fix React state updater side-effect | #147 | #133 W8 done |
| FIX-03 | done | Backlog | Agent session — cwd sandbox, system prompt, tool restrictions | #148 | #134 W8 done |
| P7-004 | done | Phase 7 | E2E test suite — Playwright critical paths | #152 | #55 W9 done |
| P7-006 | done | Phase 7 | Documentation — user guide, admin guide, dev guide | #151 | #57 W9 done |
| P7-007 | done | Phase 7 | Bare-metal deployment docs + .env.example | #153 | #58 W9 done |
| P7-021 | done | Phase 7 | Verify Phase 7 — feature-complete platform E2E | — | #132 W10 done |
| P8-005 | done | Phase 8 | CLI command architecture — DB schema + brain repo + gateway endpoints | #158 | |
| P8-006 | done | Phase 8 | CLI command architecture — agent, mission, prdy commands + TUI mods | #158 | |
| P8-007 | done | Phase 8 | DB migrations — preferences.mutable + teams + team_members + projects.teamId | #175 | #160 |
| P8-008 | done | Phase 8 | @mosaic/types — CommandDef, CommandManifest, new socket events | #174 | #161 |
| P8-009 | done | Phase 8 | TUI Phase 1 — slash command parsing, local commands, system message rendering, InputBar wiring | #176 | #162 |
| P8-010 | done | Phase 8 | Gateway Phase 2 — CommandRegistryService, CommandExecutorService, socket + REST commands | #178 | #163 |
| P8-011 | done | Phase 8 | Gateway Phase 3 — PreferencesService, /preferences REST, /system Valkey override, prompt injection | #180 | #164 |
| P8-012 | done | Phase 8 | Gateway Phase 4 — /agent, /provider (URL+clipboard), /mission, /prdy, /tools commands | #181 | #165 |
| P8-013 | done | Phase 8 | Gateway Phase 5 — MosaicPlugin lifecycle, ReloadService, hot reload, system:reload TUI | #182 | #166 |
| P8-014 | done | Phase 8 | Gateway Phase 6 — SessionGCService (all tiers), /gc command, cron integration | #179 | #167 |
| P8-015 | done | Phase 8 | Gateway Phase 7 — WorkspaceService, ProjectBootstrapService, teams project ownership | #183 | #168 |
| P8-016 | done | Phase 8 | Security — file/git/shell tool strict path hardening, sandbox escape prevention | #177 | #169 |
| P8-017 | done | Phase 8 | TUI Phase 8 — autocomplete sidebar, fuzzy match, arg hints, up-arrow history | #184 | #170 |
| P8-018 | done | Phase 8 | Spin-off plan stubs — Gatekeeper, Task Queue Unification, Chroot Sandboxing | — | #171 |
| P8-019 | done | Phase 8 | Verify Platform Architecture — integration + E2E verification | #185 | #172 |
| P8-001 | not-started | codex | Phase 8 | Additional SSO providers — WorkOS + Keycloak | — | #53 |
| P8-002 | not-started | codex | Phase 8 | Additional LLM providers — Codex, Z.ai, LM Studio, llama.cpp | — | #54 |
| P8-003 | not-started | codex | Phase 8 | Performance optimization | — | #56 |
| P8-004 | not-started | haiku | Phase 8 | Beta release gate — v0.1.0 tag | — | #59 |
| FIX-01 | done | Backlog | Call piSession.dispose() in AgentService.destroySession | #78 | #62 |

311
docs/guides/admin-guide.md Normal file
View File

@@ -0,0 +1,311 @@
# Mosaic Stack — Admin Guide
## Table of Contents
1. [User Management](#user-management)
2. [System Health Monitoring](#system-health-monitoring)
3. [Provider Configuration](#provider-configuration)
4. [MCP Server Configuration](#mcp-server-configuration)
5. [Environment Variables Reference](#environment-variables-reference)
---
## User Management
Admins access user management at `/admin` in the web dashboard. All admin
endpoints require a session with `role = admin`.
### Creating a User
**Via the web admin panel:**
1. Navigate to `/admin`.
2. Click **Create User**.
3. Enter name, email, password, and role (`admin` or `member`).
4. Submit.
**Via the API:**
```http
POST /api/admin/users
Content-Type: application/json
{
"name": "Jane Doe",
"email": "jane@example.com",
"password": "securepassword",
"role": "member"
}
```
Passwords are hashed by BetterAuth before storage. Passwords are never stored in
plaintext.
### Roles
| Role | Permissions |
| -------- | --------------------------------------------------------------------- |
| `admin` | Full access: user management, health, all agent tools |
| `member` | Standard user access; agent tool set restricted by `AGENT_USER_TOOLS` |
### Updating a User's Role
```http
PATCH /api/admin/users/:id/role
Content-Type: application/json
{ "role": "admin" }
```
### Banning and Unbanning
Banned users cannot sign in. Provide an optional reason:
```http
POST /api/admin/users/:id/ban
Content-Type: application/json
{ "reason": "Violated terms of service" }
```
To lift a ban:
```http
POST /api/admin/users/:id/unban
```
### Deleting a User
```http
DELETE /api/admin/users/:id
```
This permanently deletes the user. Related data (sessions, accounts) is
cascade-deleted. Conversations and tasks reference the user via `owner_id`
which is set to `NULL` on delete (`set null`).
---
## System Health Monitoring
The health endpoint is available to admin users only.
```http
GET /api/admin/health
```
Sample response:
```json
{
"status": "ok",
"database": { "status": "ok", "latencyMs": 2 },
"cache": { "status": "ok", "latencyMs": 1 },
"agentPool": { "activeSessions": 3 },
"providers": [{ "id": "ollama", "name": "ollama", "available": true, "modelCount": 3 }],
"checkedAt": "2026-03-15T12:00:00.000Z"
}
```
`status` is `ok` when both database and cache pass. It is `degraded` when either
service fails.
The web admin panel at `/admin` polls this endpoint and renders the results in a
status dashboard.
---
## Provider Configuration
Providers are configured via environment variables and loaded at gateway startup.
No restart-free hot reload is supported; the gateway must be restarted after
changing provider env vars.
### Ollama
Set `OLLAMA_BASE_URL` (or the legacy `OLLAMA_HOST`) to the base URL of your
Ollama instance:
```env
OLLAMA_BASE_URL=http://localhost:11434
```
Specify which models to expose (comma-separated):
```env
OLLAMA_MODELS=llama3.2,codellama,mistral
```
Default when unset: `llama3.2,codellama,mistral`.
The gateway registers Ollama models using the OpenAI-compatible completions API
(`/v1/chat/completions`).
### Custom Providers (OpenAI-compatible APIs)
Any OpenAI-compatible API (LM Studio, llama.cpp HTTP server, etc.) can be
registered via `MOSAIC_CUSTOM_PROVIDERS`. The value is a JSON array:
```env
MOSAIC_CUSTOM_PROVIDERS='[
{
"id": "lmstudio",
"name": "LM Studio",
"baseUrl": "http://localhost:1234",
"models": ["mistral-7b-instruct"]
}
]'
```
Each entry must include:
| Field | Required | Description |
| --------- | -------- | ----------------------------------- |
| `id` | Yes | Unique provider identifier |
| `name` | Yes | Display name |
| `baseUrl` | Yes | API base URL (no trailing slash) |
| `models` | Yes | Array of model ID strings to expose |
| `apiKey` | No | API key if required by the endpoint |
### Testing Provider Connectivity
From the web admin panel or settings page, click **Test** next to a provider.
This calls:
```http
POST /api/agent/providers/:id/test
```
The response includes `reachable`, `latencyMs`, and optionally
`discoveredModels`.
---
## MCP Server Configuration
The gateway can connect to external MCP (Model Context Protocol) servers and
expose their tools to agent sessions.
Set `MCP_SERVERS` to a JSON array of server configurations:
```env
MCP_SERVERS='[
{
"name": "my-tools",
"url": "http://localhost:3001/mcp",
"headers": {
"Authorization": "Bearer my-token"
}
}
]'
```
Each entry:
| Field | Required | Description |
| --------- | -------- | ----------------------------------- |
| `name` | Yes | Unique server name |
| `url` | Yes | MCP server URL (`/mcp` endpoint) |
| `headers` | No | Additional HTTP headers (e.g. auth) |
On gateway startup, each configured server is connected and its tools are
discovered. Tools are bridged into the Pi SDK tool format and become available
in agent sessions.
The gateway itself also exposes an MCP server endpoint at `POST /mcp` for
external clients. Authentication requires a valid BetterAuth session (cookie or
`Authorization` header).
---
## Environment Variables Reference
### Required
| Variable | Description |
| -------------------- | ----------------------------------------------------------------------------------------- |
| `BETTER_AUTH_SECRET` | Secret key for BetterAuth session signing. Must be set or gateway will not start. |
| `DATABASE_URL` | PostgreSQL connection string. Default: `postgresql://mosaic:mosaic@localhost:5433/mosaic` |
### Gateway
| Variable | Default | Description |
| --------------------- | ----------------------- | ---------------------------------------------- |
| `GATEWAY_PORT` | `4000` | Port the gateway listens on |
| `GATEWAY_CORS_ORIGIN` | `http://localhost:3000` | Allowed CORS origin for browser clients |
| `BETTER_AUTH_URL` | `http://localhost:4000` | Public URL of the gateway (used by BetterAuth) |
### SSO (Optional)
| Variable | Description |
| ------------------------- | ------------------------------ |
| `AUTHENTIK_CLIENT_ID` | Authentik OAuth2 client ID |
| `AUTHENTIK_CLIENT_SECRET` | Authentik OAuth2 client secret |
| `AUTHENTIK_ISSUER` | Authentik OIDC issuer URL |
All three Authentik variables must be set together. If only `AUTHENTIK_CLIENT_ID`
is set, a warning is logged and SSO is disabled.
### Agent
| Variable | Default | Description |
| ------------------------ | --------------- | ------------------------------------------------------- |
| `AGENT_FILE_SANDBOX_DIR` | `process.cwd()` | Root directory for file/git/shell tool access |
| `AGENT_SYSTEM_PROMPT` | — | Platform-level system prompt injected into all sessions |
| `AGENT_USER_TOOLS` | all tools | Comma-separated allowlist of tools for non-admin users |
### Providers
| Variable | Default | Description |
| ------------------------- | ---------------------------- | ------------------------------------------------ |
| `OLLAMA_BASE_URL` | — | Ollama API base URL |
| `OLLAMA_HOST` | — | Alias for `OLLAMA_BASE_URL` (legacy) |
| `OLLAMA_MODELS` | `llama3.2,codellama,mistral` | Comma-separated Ollama model IDs |
| `MOSAIC_CUSTOM_PROVIDERS` | — | JSON array of custom OpenAI-compatible providers |
### Memory and Embeddings
| Variable | Default | Description |
| ----------------------- | --------------------------- | ---------------------------------------------------- |
| `OPENAI_API_KEY` | — | API key for OpenAI embedding and summarization calls |
| `EMBEDDING_API_URL` | `https://api.openai.com/v1` | Base URL for embedding API |
| `EMBEDDING_MODEL` | `text-embedding-3-small` | Embedding model ID |
| `SUMMARIZATION_API_URL` | `https://api.openai.com/v1` | Base URL for log summarization API |
| `SUMMARIZATION_MODEL` | `gpt-4o-mini` | Model used for log summarization |
| `SUMMARIZATION_CRON` | `0 */6 * * *` | Cron schedule for log summarization (every 6 hours) |
| `TIER_MANAGEMENT_CRON` | `0 3 * * *` | Cron schedule for log tier management (daily at 3am) |
### MCP
| Variable | Description |
| ------------- | ------------------------------------------------ |
| `MCP_SERVERS` | JSON array of external MCP server configurations |
### Plugins
| Variable | Description |
| ---------------------- | ------------------------------------------------------------------------- |
| `DISCORD_BOT_TOKEN` | Discord bot token (enables Discord plugin) |
| `DISCORD_GUILD_ID` | Discord guild/server ID |
| `DISCORD_GATEWAY_URL` | Gateway URL for Discord plugin to call (default: `http://localhost:4000`) |
| `TELEGRAM_BOT_TOKEN` | Telegram bot token (enables Telegram plugin) |
| `TELEGRAM_GATEWAY_URL` | Gateway URL for Telegram plugin to call |
### Observability
| Variable | Default | Description |
| ----------------------------- | ----------------------- | -------------------------------- |
| `OTEL_EXPORTER_OTLP_ENDPOINT` | `http://localhost:4318` | OpenTelemetry collector endpoint |
| `OTEL_SERVICE_NAME` | `mosaic-gateway` | Service name in traces |
### Web App
| Variable | Default | Description |
| ------------------------- | ----------------------- | -------------------------------------- |
| `NEXT_PUBLIC_GATEWAY_URL` | `http://localhost:4000` | Gateway URL used by the Next.js client |
### Coordination
| Variable | Default | Description |
| ----------------------- | ----------------------------- | ------------------------------------------ |
| `MOSAIC_WORKSPACE_ROOT` | monorepo root (auto-detected) | Root path for mission workspace operations |

384
docs/guides/deployment.md Normal file
View File

@@ -0,0 +1,384 @@
# Deployment Guide
This guide covers deploying Mosaic in two modes: **Docker Compose** (recommended for quick setup) and **bare-metal** (production, full control).
---
## Prerequisites
| Dependency | Minimum version | Notes |
| ---------------- | --------------- | ---------------------------------------------- |
| Node.js | 22 LTS | Required for ESM + `--experimental-vm-modules` |
| pnpm | 9 | `npm install -g pnpm` |
| PostgreSQL | 17 | Must have the `pgvector` extension |
| Valkey | 8 | Redis-compatible; Redis 7+ also works |
| Docker + Compose | v2 | For the Docker Compose path only |
---
## Docker Compose Deployment (Quick Start)
The `docker-compose.yml` at the repository root starts PostgreSQL 17 (with pgvector), Valkey 8, an OpenTelemetry Collector, and Jaeger.
### 1. Clone and configure
```bash
git clone <repo-url> mosaic
cd mosaic
cp .env.example .env
```
Edit `.env`. The minimum required change is:
```dotenv
BETTER_AUTH_SECRET=<output of: openssl rand -base64 32>
```
### 2. Start infrastructure services
```bash
docker compose up -d
```
Services and their ports:
| Service | Default port |
| --------------------- | ------------------------ |
| PostgreSQL | `localhost:5433` |
| Valkey | `localhost:6380` |
| OTEL Collector (HTTP) | `localhost:4318` |
| OTEL Collector (gRPC) | `localhost:4317` |
| Jaeger UI | `http://localhost:16686` |
Override host ports via `PG_HOST_PORT` and `VALKEY_HOST_PORT` in `.env` if the defaults conflict.
### 3. Install dependencies
```bash
pnpm install
```
### 4. Initialize the database
```bash
pnpm --filter @mosaic/db db:migrate
```
### 5. Build all packages
```bash
pnpm build
```
### 6. Start the gateway
```bash
pnpm --filter @mosaic/gateway dev
```
Or for production (after build):
```bash
node apps/gateway/dist/main.js
```
### 7. Start the web app
```bash
# Development
pnpm --filter @mosaic/web dev
# Production (after build)
pnpm --filter @mosaic/web start
```
The web app runs on port `3000` by default.
---
## Bare-Metal Deployment
Use this path when you want to manage PostgreSQL and Valkey yourself (e.g., existing infrastructure, managed cloud databases).
### Step 1 — Install system dependencies
```bash
# Node.js 22 via nvm
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
nvm install 22
nvm use 22
# pnpm
npm install -g pnpm
# PostgreSQL 17 with pgvector (Debian/Ubuntu example)
sudo apt-get install -y postgresql-17 postgresql-17-pgvector
# Valkey
# Follow https://valkey.io/download/ for your distribution
```
### Step 2 — Create the database
```sql
-- Run as the postgres superuser
CREATE USER mosaic WITH PASSWORD 'change-me';
CREATE DATABASE mosaic OWNER mosaic;
\c mosaic
CREATE EXTENSION IF NOT EXISTS vector;
```
### Step 3 — Clone and configure
```bash
git clone <repo-url> /opt/mosaic
cd /opt/mosaic
cp .env.example .env
```
Edit `/opt/mosaic/.env`. Required fields:
```dotenv
DATABASE_URL=postgresql://mosaic:<password>@localhost:5432/mosaic
VALKEY_URL=redis://localhost:6379
BETTER_AUTH_SECRET=<openssl rand -base64 32>
BETTER_AUTH_URL=https://your-domain.example.com
GATEWAY_CORS_ORIGIN=https://your-domain.example.com
NEXT_PUBLIC_GATEWAY_URL=https://your-domain.example.com
```
### Step 4 — Install dependencies and build
```bash
pnpm install
pnpm build
```
### Step 5 — Run database migrations
```bash
pnpm --filter @mosaic/db db:migrate
```
### Step 6 — Start the gateway
```bash
node apps/gateway/dist/main.js
```
The gateway reads `.env` from the monorepo root automatically (via `dotenv` in `main.ts`).
### Step 7 — Start the web app
```bash
# Next.js standalone output
node apps/web/.next/standalone/server.js
```
The standalone build is self-contained; it does not require `node_modules` to be present at runtime.
### Step 8 — Configure a reverse proxy
#### Nginx example
```nginx
# /etc/nginx/sites-available/mosaic
# Gateway API
server {
listen 443 ssl;
server_name your-domain.example.com;
ssl_certificate /etc/ssl/certs/your-domain.crt;
ssl_certificate_key /etc/ssl/private/your-domain.key;
# WebSocket support (for chat.gateway.ts / Socket.IO)
location /socket.io/ {
proxy_pass http://127.0.0.1:4000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
# REST + auth
location / {
proxy_pass http://127.0.0.1:4000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Web app (optional — serve on a subdomain or a separate server block)
server {
listen 443 ssl;
server_name app.your-domain.example.com;
ssl_certificate /etc/ssl/certs/your-domain.crt;
ssl_certificate_key /etc/ssl/private/your-domain.key;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
```
#### Caddy example
```caddyfile
# /etc/caddy/Caddyfile
your-domain.example.com {
reverse_proxy /socket.io/* localhost:4000 {
header_up Upgrade {http.upgrade}
header_up Connection {http.connection}
}
reverse_proxy localhost:4000
}
app.your-domain.example.com {
reverse_proxy localhost:3000
}
```
---
## Production Considerations
### systemd Services
Create a service unit for each process.
**Gateway**`/etc/systemd/system/mosaic-gateway.service`:
```ini
[Unit]
Description=Mosaic Gateway
After=network.target postgresql.service
[Service]
Type=simple
User=mosaic
WorkingDirectory=/opt/mosaic
EnvironmentFile=/opt/mosaic/.env
ExecStart=/usr/bin/node apps/gateway/dist/main.js
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
```
**Web app**`/etc/systemd/system/mosaic-web.service`:
```ini
[Unit]
Description=Mosaic Web App
After=network.target mosaic-gateway.service
[Service]
Type=simple
User=mosaic
WorkingDirectory=/opt/mosaic/apps/web
EnvironmentFile=/opt/mosaic/.env
ExecStart=/usr/bin/node .next/standalone/server.js
Environment=PORT=3000
Environment=HOSTNAME=127.0.0.1
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
```
Enable and start:
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now mosaic-gateway mosaic-web
```
### Log Management
Gateway and web app logs go to systemd journal by default. View with:
```bash
journalctl -u mosaic-gateway -f
journalctl -u mosaic-web -f
```
Rotate logs by configuring `journald` in `/etc/systemd/journald.conf`:
```ini
SystemMaxUse=500M
MaxRetentionSec=30day
```
### Security Checklist
- Set `BETTER_AUTH_SECRET` to a cryptographically random value (`openssl rand -base64 32`).
- Restrict `GATEWAY_CORS_ORIGIN` to your exact frontend origin — do not use `*`.
- Run services as a dedicated non-root system user (e.g., `mosaic`).
- Firewall: only expose ports 80/443 externally; keep 4000 and 3000 bound to `127.0.0.1`.
- Set `AGENT_FILE_SANDBOX_DIR` to a directory outside the application root to prevent agent tools from accessing source code.
- If using `AGENT_USER_TOOLS`, enumerate only the tools non-admin users need.
---
## Troubleshooting
### Gateway fails to start — "BETTER_AUTH_SECRET is required"
`BETTER_AUTH_SECRET` is missing or empty. Set it in `.env` and restart.
### `DATABASE_URL` connection refused
Verify PostgreSQL is running and the port matches. The Docker Compose default is `5433`; bare-metal typically uses `5432`.
```bash
psql "$DATABASE_URL" -c '\conninfo'
```
### pgvector extension missing
```sql
\c mosaic
CREATE EXTENSION IF NOT EXISTS vector;
```
### Valkey / Redis connection refused
Check the URL in `VALKEY_URL`. The Docker Compose default is port `6380`.
```bash
redis-cli -u "$VALKEY_URL" ping
```
### WebSocket connections fail in production
Ensure your reverse proxy forwards the `Upgrade` and `Connection` headers. See the Nginx/Caddy examples above.
### Ollama models not appearing
Set `OLLAMA_BASE_URL` to the URL where Ollama is running (e.g., `http://localhost:11434`) and set `OLLAMA_MODELS` to a comma-separated list of model IDs you have pulled.
```bash
ollama pull llama3.2
```
### OTEL traces not appearing in Jaeger
Verify the collector is reachable at `OTEL_EXPORTER_OTLP_ENDPOINT`. With Docker Compose the default is `http://localhost:4318`. Check `docker compose ps` and `docker compose logs otel-collector`.
### Summarization / embedding features not working
These features require `OPENAI_API_KEY` to be set, or you must point `SUMMARIZATION_API_URL` / `EMBEDDING_API_URL` to an OpenAI-compatible endpoint (e.g., a local Ollama instance with an embeddings model).

515
docs/guides/dev-guide.md Normal file
View File

@@ -0,0 +1,515 @@
# Mosaic Stack — Developer Guide
## Table of Contents
1. [Architecture Overview](#architecture-overview)
2. [Local Development Setup](#local-development-setup)
3. [Building and Testing](#building-and-testing)
4. [Adding New Agent Tools](#adding-new-agent-tools)
5. [Adding New MCP Tools](#adding-new-mcp-tools)
6. [Database Schema and Migrations](#database-schema-and-migrations)
7. [API Endpoint Reference](#api-endpoint-reference)
---
## Architecture Overview
Mosaic Stack is a TypeScript monorepo managed with **pnpm workspaces** and
**Turborepo**.
```
mosaic-mono-v1/
├── apps/
│ ├── gateway/ # NestJS + Fastify API server
│ └── web/ # Next.js 16 + React 19 web dashboard
├── packages/
│ ├── agent/ # Agent session types (shared)
│ ├── auth/ # BetterAuth configuration
│ ├── brain/ # Structured data layer (projects, tasks, missions)
│ ├── cli/ # mosaic CLI and TUI (Ink)
│ ├── coord/ # Mission coordination engine
│ ├── db/ # Drizzle ORM schema, migrations, client
│ ├── design-tokens/ # Shared design system tokens
│ ├── log/ # Agent log ingestion and tiering
│ ├── memory/ # Preference and insight storage
│ ├── mosaic/ # Install wizard and bootstrap utilities
│ ├── prdy/ # PRD wizard CLI
│ ├── quality-rails/ # Code quality scaffolder CLI
│ ├── queue/ # Valkey-backed task queue
│ └── types/ # Shared TypeScript types
├── docker/ # Dockerfile(s) for containerized deployment
├── infra/ # Infra config (OTEL collector, pg-init scripts)
├── docker-compose.yml # Local services (Postgres, Valkey, OTEL, Jaeger)
└── CLAUDE.md # Project conventions for AI coding agents
```
### Key Technology Choices
| Concern | Technology |
| ----------------- | ---------------------------------------- |
| API framework | NestJS with Fastify adapter |
| Web framework | Next.js 16 (App Router), React 19 |
| ORM | Drizzle ORM |
| Database | PostgreSQL 17 + pgvector extension |
| Auth | BetterAuth |
| Agent harness | Pi SDK (`@mariozechner/pi-coding-agent`) |
| Queue | Valkey 8 (Redis-compatible) |
| Build | pnpm workspaces + Turborepo |
| CI | Woodpecker CI |
| Observability | OpenTelemetry → Jaeger |
| Module resolution | NodeNext (ESM everywhere) |
### Module System
All packages use `"type": "module"` and NodeNext resolution. Import paths must
include the `.js` extension even when the source file is `.ts`.
NestJS `@Inject()` decorators must be used explicitly because `tsx`/`esbuild`
does not support `emitDecoratorMetadata`.
---
## Local Development Setup
### Prerequisites
- Node.js 20+
- pnpm 9+
- Docker and Docker Compose
### 1. Clone and Install Dependencies
```bash
git clone <repo-url> mosaic-mono-v1
cd mosaic-mono-v1
pnpm install
```
### 2. Start Infrastructure Services
```bash
docker compose up -d
```
This starts:
| Service | Port | Description |
| ------------------------ | -------------- | -------------------- |
| PostgreSQL 17 + pgvector | `5433` (host) | Primary database |
| Valkey 8 | `6380` (host) | Queue and cache |
| OpenTelemetry Collector | `4317`, `4318` | OTEL gRPC and HTTP |
| Jaeger | `16686` | Distributed trace UI |
### 3. Configure Environment
Create a `.env` file in the monorepo root:
```env
# Database (matches docker-compose defaults)
DATABASE_URL=postgresql://mosaic:mosaic@localhost:5433/mosaic
# Auth (required — generate a random 32+ char string)
BETTER_AUTH_SECRET=change-me-to-a-random-secret
# Gateway
GATEWAY_PORT=4000
GATEWAY_CORS_ORIGIN=http://localhost:3000
# Web
NEXT_PUBLIC_GATEWAY_URL=http://localhost:4000
# Optional: Ollama
OLLAMA_BASE_URL=http://localhost:11434
OLLAMA_MODELS=llama3.2
```
The gateway loads `.env` from the monorepo root via `dotenv` at startup
(`apps/gateway/src/main.ts`).
### 4. Push the Database Schema
```bash
pnpm --filter @mosaic/db db:push
```
This applies the Drizzle schema directly to the database (development only; use
migrations in production).
### 5. Start the Gateway
```bash
pnpm --filter @mosaic/gateway exec tsx src/main.ts
```
The gateway starts on port `4000` by default.
### 6. Start the Web App
```bash
pnpm --filter @mosaic/web dev
```
The web app starts on port `3000` by default.
---
## Building and Testing
### TypeScript Typecheck
```bash
pnpm typecheck
```
Runs `tsc --noEmit` across all packages in dependency order via Turborepo.
### Lint
```bash
pnpm lint
```
Runs ESLint across all packages. Config is in `eslint.config.mjs` at the root.
### Format Check
```bash
pnpm format:check
```
Runs Prettier in check mode. To auto-fix:
```bash
pnpm format
```
### Tests
```bash
pnpm test
```
Runs Vitest across all packages. The workspace config is at
`vitest.workspace.ts`.
### Build
```bash
pnpm build
```
Builds all packages and apps in dependency order.
### Pre-Push Gates (MANDATORY)
All three must pass before any push:
```bash
pnpm format:check && pnpm typecheck && pnpm lint
```
A pre-push hook enforces this mechanically.
---
## Adding New Agent Tools
Agent tools are Pi SDK `ToolDefinition` objects registered in
`apps/gateway/src/agent/agent.service.ts`.
### 1. Create a Tool Factory File
Add a new file in `apps/gateway/src/agent/tools/`:
```typescript
// apps/gateway/src/agent/tools/my-tools.ts
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
export function createMyTools(): ToolDefinition[] {
const myTool: ToolDefinition = {
name: 'my_tool_name',
label: 'Human Readable Label',
description: 'What this tool does.',
parameters: Type.Object({
input: Type.String({ description: 'The input parameter' }),
}),
async execute(_toolCallId, params) {
const { input } = params as { input: string };
const result = `Processed: ${input}`;
return {
content: [{ type: 'text' as const, text: result }],
details: undefined,
};
},
};
return [myTool];
}
```
### 2. Register the Tools in AgentService
In `apps/gateway/src/agent/agent.service.ts`, import and call your factory
alongside the existing tool registrations:
```typescript
import { createMyTools } from './tools/my-tools.js';
// Inside the session creation logic where tools are assembled:
const tools: ToolDefinition[] = [
...createBrainTools(this.brain),
...createCoordTools(this.coordService),
...createMemoryTools(this.memory, this.embeddingService),
...createFileTools(sandboxDir),
...createGitTools(sandboxDir),
...createShellTools(sandboxDir),
...createWebTools(),
...createMyTools(), // Add this line
...mcpTools,
...skillTools,
];
```
### 3. Export from the Tools Index
Add an export to `apps/gateway/src/agent/tools/index.ts`:
```typescript
export { createMyTools } from './my-tools.js';
```
### 4. Typecheck and Test
```bash
pnpm typecheck
pnpm test
```
---
## Adding New MCP Tools
Mosaic connects to external MCP servers via `McpClientService`. To expose tools
from a new MCP server:
### 1. Run an MCP Server
Implement a standard MCP server that exposes tools via the streamable HTTP
transport or SSE transport. The server must accept connections at a `/mcp`
endpoint.
### 2. Configure `MCP_SERVERS`
In your `.env`:
```env
MCP_SERVERS='[{"name":"my-server","url":"http://localhost:3001/mcp"}]'
```
With authentication:
```env
MCP_SERVERS='[{"name":"secure-server","url":"http://my-server/mcp","headers":{"Authorization":"Bearer token"}}]'
```
### 3. Restart the Gateway
On startup, `McpClientService` (`apps/gateway/src/mcp-client/mcp-client.service.ts`)
connects to each configured server, calls `tools/list`, and bridges the results
to Pi SDK `ToolDefinition` format. These tools become available in all new agent
sessions.
### Tool Naming
Bridged MCP tool names are taken directly from the MCP server's tool manifest.
Ensure names do not conflict with built-in tools (check
`apps/gateway/src/agent/tools/`).
---
## Database Schema and Migrations
The schema lives in a single file:
`packages/db/src/schema.ts`
### Schema Overview
| Table | Purpose |
| -------------------- | ------------------------------------------------- |
| `users` | User accounts (BetterAuth-compatible) |
| `sessions` | Auth sessions |
| `accounts` | OAuth accounts |
| `verifications` | Email verification tokens |
| `projects` | Project records |
| `missions` | Mission records (linked to projects) |
| `tasks` | Task records (linked to projects and/or missions) |
| `conversations` | Chat conversation metadata |
| `messages` | Individual chat messages |
| `preferences` | Per-user key-value preference store |
| `insights` | Vector-embedded memory insights |
| `agent_logs` | Agent interaction logs (hot/warm/cold tiers) |
| `skills` | Installed agent skills |
| `summarization_jobs` | Log summarization job tracking |
The `insights` table uses a `vector(1536)` column (pgvector) for semantic search.
### Development: Push Schema
Apply schema changes directly to the dev database (no migration files created):
```bash
pnpm --filter @mosaic/db db:push
```
### Generating Migrations
For production-safe, versioned changes:
```bash
pnpm --filter @mosaic/db db:generate
```
This creates a new SQL migration file in `packages/db/drizzle/`.
### Running Migrations
```bash
pnpm --filter @mosaic/db db:migrate
```
### Drizzle Config
Config is at `packages/db/drizzle.config.ts`. The schema file path and output
directory are defined there.
### Adding a New Table
1. Add the table definition to `packages/db/src/schema.ts`.
2. Export it from `packages/db/src/index.ts`.
3. Run `pnpm --filter @mosaic/db db:push` (dev) or
`pnpm --filter @mosaic/db db:generate && pnpm --filter @mosaic/db db:migrate`
(production).
---
## API Endpoint Reference
All endpoints are served by the gateway at `http://localhost:4000` by default.
### Authentication
Authentication uses BetterAuth session cookies. The auth handler is mounted at
`/api/auth/*` via a Fastify low-level hook in
`apps/gateway/src/auth/auth.controller.ts`.
| Endpoint | Method | Description |
| ------------------------- | ------ | -------------------------------- |
| `/api/auth/sign-in/email` | POST | Sign in with email/password |
| `/api/auth/sign-up/email` | POST | Register a new account |
| `/api/auth/sign-out` | POST | Sign out (clears session cookie) |
| `/api/auth/get-session` | GET | Returns the current session |
### Chat
WebSocket namespace `/chat` (Socket.IO). Authentication via session cookie.
Events sent by the client:
| Event | Payload | Description |
| --------- | --------------------------------------------------- | -------------- |
| `message` | `{ content, conversationId?, provider?, modelId? }` | Send a message |
Events emitted by the server:
| Event | Payload | Description |
| ------- | --------------------------- | ---------------------- |
| `token` | `{ token, conversationId }` | Streaming token |
| `end` | `{ conversationId }` | Stream complete |
| `error` | `{ message }` | Error during streaming |
HTTP endpoints (`apps/gateway/src/chat/chat.controller.ts`):
| Endpoint | Method | Auth | Description |
| -------------------------------------- | ------ | ---- | ------------------------------- |
| `/api/chat/conversations` | GET | User | List conversations |
| `/api/chat/conversations/:id/messages` | GET | User | Get messages for a conversation |
### Admin
All admin endpoints require `role = admin`.
| Endpoint | Method | Description |
| --------------------------------- | ------ | -------------------- |
| `GET /api/admin/users` | GET | List all users |
| `GET /api/admin/users/:id` | GET | Get a single user |
| `POST /api/admin/users` | POST | Create a user |
| `PATCH /api/admin/users/:id/role` | PATCH | Update user role |
| `POST /api/admin/users/:id/ban` | POST | Ban a user |
| `POST /api/admin/users/:id/unban` | POST | Unban a user |
| `DELETE /api/admin/users/:id` | DELETE | Delete a user |
| `GET /api/admin/health` | GET | System health status |
### Agent / Providers
| Endpoint | Method | Auth | Description |
| ------------------------------------ | ------ | ---- | ----------------------------------- |
| `GET /api/agent/providers` | GET | User | List all providers and their models |
| `GET /api/agent/providers/models` | GET | User | List available models |
| `POST /api/agent/providers/:id/test` | POST | User | Test provider connectivity |
### Projects / Brain
| Endpoint | Method | Auth | Description |
| -------------------------------- | ------ | ---- | ---------------- |
| `GET /api/brain/projects` | GET | User | List projects |
| `POST /api/brain/projects` | POST | User | Create a project |
| `GET /api/brain/projects/:id` | GET | User | Get a project |
| `PATCH /api/brain/projects/:id` | PATCH | User | Update a project |
| `DELETE /api/brain/projects/:id` | DELETE | User | Delete a project |
| `GET /api/brain/tasks` | GET | User | List tasks |
| `POST /api/brain/tasks` | POST | User | Create a task |
| `GET /api/brain/tasks/:id` | GET | User | Get a task |
| `PATCH /api/brain/tasks/:id` | PATCH | User | Update a task |
| `DELETE /api/brain/tasks/:id` | DELETE | User | Delete a task |
### Memory / Preferences
| Endpoint | Method | Auth | Description |
| ----------------------------- | ------ | ---- | -------------------- |
| `GET /api/memory/preferences` | GET | User | Get user preferences |
| `PUT /api/memory/preferences` | PUT | User | Upsert a preference |
### MCP Server (Gateway-side)
| Endpoint | Method | Auth | Description |
| ----------- | ------ | --------------------------------------------- | ----------------------------- |
| `POST /mcp` | POST | User (session cookie or Authorization header) | MCP streamable HTTP transport |
| `GET /mcp` | GET | User | MCP SSE stream reconnect |
### Skills
| Endpoint | Method | Auth | Description |
| ------------------------ | ------ | ----- | --------------------- |
| `GET /api/skills` | GET | User | List installed skills |
| `POST /api/skills` | POST | Admin | Install a skill |
| `PATCH /api/skills/:id` | PATCH | Admin | Update a skill |
| `DELETE /api/skills/:id` | DELETE | Admin | Remove a skill |
### Coord (Mission Coordination)
| Endpoint | Method | Auth | Description |
| ------------------------------- | ------ | ---- | ---------------- |
| `GET /api/coord/missions` | GET | User | List missions |
| `POST /api/coord/missions` | POST | User | Create a mission |
| `GET /api/coord/missions/:id` | GET | User | Get a mission |
| `PATCH /api/coord/missions/:id` | PATCH | User | Update a mission |
### Observability
OpenTelemetry traces are exported to the OTEL collector (`OTEL_EXPORTER_OTLP_ENDPOINT`).
View traces in Jaeger at `http://localhost:16686`.
Tracing is initialized before NestJS bootstrap in
`apps/gateway/src/tracing.ts`. The import order in `apps/gateway/src/main.ts`
is intentional: `import './tracing.js'` must come before any NestJS imports.

238
docs/guides/user-guide.md Normal file
View File

@@ -0,0 +1,238 @@
# Mosaic Stack — User Guide
## Table of Contents
1. [Getting Started](#getting-started)
2. [Chat Interface](#chat-interface)
3. [Projects](#projects)
4. [Tasks](#tasks)
5. [Settings](#settings)
6. [CLI Usage](#cli-usage)
---
## Getting Started
### Prerequisites
Mosaic Stack requires a running gateway. Your administrator provides the URL
(default: `http://localhost:4000`) and creates your account.
### Logging In (Web)
1. Navigate to the Mosaic web app (default: `http://localhost:3000`).
2. You are redirected to `/login` automatically.
3. Enter your email and password, then click **Sign in**.
4. On success you land on the **Chat** page.
### Registering an Account
If self-registration is enabled:
1. Go to `/register`.
2. Enter your name, email, and password.
3. Submit. You are signed in and redirected to Chat.
---
## Chat Interface
### Sending a Message
1. Type your message in the input bar at the bottom of the Chat page.
2. Press **Enter** to send.
3. The assistant response streams in real time. A spinner indicates the agent is
processing.
### Streaming Responses
Responses appear token by token as the model generates them. You can read the
response while it is still being produced. The streaming indicator clears when
the response is complete.
### Conversation Management
- **New conversation**: Navigate to `/chat` or click **New Chat** in the sidebar.
A new conversation ID is created automatically on your first message.
- **Resume a conversation**: Conversations are stored server-side. Refresh the
page or navigate away and back to continue where you left off. The current
conversation ID is shown in the URL.
- **Conversation list**: The sidebar shows recent conversations. Click any entry
to switch.
### Model and Provider
The current model and provider are displayed in the chat header. To change them,
use the Settings page (see [Provider Settings](#providers)) or the CLI
`/model` and `/provider` commands.
---
## Projects
Projects group related missions and tasks. Navigate to **Projects** in the
sidebar.
### Creating a Project
1. Go to `/projects`.
2. Click **New Project**.
3. Enter a name and optional description.
4. Select a status: `active`, `paused`, `completed`, or `archived`.
5. Save. The project appears in the list.
### Viewing a Project
Click a project card to open its detail view at `/projects/<id>`. From here you
can see the project's missions, tasks, and metadata.
### Managing Tasks within a Project
Tasks are linked to projects and optionally to missions. See [Tasks](#tasks) for
full details. On the project detail page, the task list is filtered to the
selected project.
---
## Tasks
Navigate to **Tasks** in the sidebar to see all tasks across all projects.
### Task Statuses
| Status | Meaning |
| ------------- | ------------------------ |
| `not-started` | Not yet started |
| `in-progress` | Actively being worked on |
| `blocked` | Waiting on something |
| `done` | Completed |
| `cancelled` | No longer needed |
### Creating a Task
1. Go to `/tasks`.
2. Click **New Task**.
3. Enter a title, optional description, and link to a project or mission.
4. Set the status and priority.
5. Save.
### Updating a Task
Click a task to open its detail panel. Edit the fields inline and save.
---
## Settings
Navigate to **Settings** in the sidebar (or `/settings`) to manage your profile,
appearance, and providers.
### Profile Tab
- **Name**: Display name shown in the UI.
- **Email**: Read-only; contact your administrator to change email.
- Changes save automatically when you click **Save Profile**.
### Appearance Tab
- **Theme**: Choose `light`, `dark`, or `system`.
- The theme preference is saved to your account and applies on all devices.
### Notifications Tab
Configure notification preferences (future feature; placeholder in the current
release).
### Providers Tab
View all configured LLM providers and their models.
- **Test Connection**: Click **Test** next to a provider to check reachability.
The result shows latency and discovered models.
- Provider configuration is managed by your administrator via environment
variables. See the [Admin Guide](./admin-guide.md) for setup.
---
## CLI Usage
The `mosaic` CLI provides a terminal interface to the same gateway API.
### Installation
The CLI ships as part of the `@mosaic/cli` package:
```bash
# From the monorepo root
pnpm --filter @mosaic/cli build
node packages/cli/dist/cli.js --help
```
Or if installed globally:
```bash
mosaic --help
```
### Signing In
```bash
mosaic login --gateway http://localhost:4000 --email you@example.com
```
You are prompted for a password if `--password` is not supplied. The session
cookie is saved locally and reused on subsequent commands.
### Launching the TUI
```bash
mosaic tui
```
Options:
| Flag | Default | Description |
| ----------------------- | ----------------------- | ---------------------------------- |
| `--gateway <url>` | `http://localhost:4000` | Gateway URL |
| `--conversation <id>` | — | Resume a specific conversation |
| `--model <modelId>` | server default | Model to use (e.g. `llama3.2`) |
| `--provider <provider>` | server default | Provider (e.g. `ollama`, `openai`) |
If no valid session exists you are prompted to sign in before the TUI launches.
### TUI Slash Commands
Inside the TUI, type a `/` command and press Enter:
| Command | Description |
| ---------------------- | ------------------------------ |
| `/model <modelId>` | Switch to a different model |
| `/provider <provider>` | Switch to a different provider |
| `/models` | List available models |
| `/exit` or `/quit` | Exit the TUI |
### Session Management
```bash
# List saved sessions
mosaic sessions list
# Resume a session
mosaic sessions resume <sessionId>
# Destroy a session
mosaic sessions destroy <sessionId>
```
### Other Commands
```bash
# Run the Mosaic installation wizard
mosaic wizard
# PRD wizard (generate product requirement documents)
mosaic prdy
# Quality rails scaffolder
mosaic quality-rails
```

1572
docs/plans/2026-03-15-agent-platform-architecture.md Normal file
View File

File diff suppressed because it is too large Load Diff

1000
docs/plans/2026-03-15-wave2-tui-layout-navigation.md Normal file
View File

File diff suppressed because it is too large Load Diff

60
docs/plans/chroot-sandboxing.md Normal file
View File

@@ -0,0 +1,60 @@
# Chroot Agent Sandboxing — Process Isolation for Agent Tool Execution
> **Status:** Stub — deferred. Referenced from `2026-03-15-agent-platform-architecture.md` (Phase 7 Workspaces → Chroot Agent Sandboxing).
> Implement after Workspaces (P8-015) is complete. Requires workspace directory structure and `WorkspaceService` to be operational.
**Date:** 2026-03-15
**Packages:** `apps/gateway`
---
## Problem Statement
Agent sessions can use file, git, and shell tools. Path validation in tools is defense-in-depth but insufficient alone — an agent with shell access can run `cat /opt/mosaic/.workspaces/other_user/...` and bypass gateway RBAC.
Chroot provides OS-level enforcement: tool processes literally cannot see outside their workspace directory.
---
## Design (Sweet Spot)
Chroot strikes the balance between full container isolation (too heavy per session) and path validation only (escape-prone):
- Gateway spawns tool processes inside a chroot rooted at the session's `sandboxDir`
- Requires `CAP_SYS_CHROOT` capability on the gateway process (not full root)
- Chroot environment provisioned by `WorkspaceService` on workspace creation (minimal deps: git, shell utils, language runtimes as needed)
- Alternative for Docker deployments: Linux `unshare` namespaces (lighter, no chroot env setup)
---
## Scope (To Be Designed)
- [ ] Chroot environment provisioning — `WorkspaceService.provisionChroot(workspacePath)` on project creation
- [ ] Minimal chroot deps — identify required binaries/libs per tool type (file: none; git: git binary; shell: bash, common utils)
- [ ] Gateway capability — document `CAP_SYS_CHROOT` requirement; Dockerfile and docker-compose.yml changes
- [ ] Tool process spawning — modify `createShellTools`, `createFileTools`, `createGitTools` to spawn via chroot wrapper
- [ ] Docker alternative — `unshare --mount --pid --user` namespace wrapper as fallback for environments without chroot capability
- [ ] Defense-in-depth layering — chroot + path validation both active; neither alone is sufficient
- [ ] Chroot cleanup — integrate with `SessionGCService` / workspace deletion
- [ ] AppArmor/SELinux profiles (v2) — restrict gateway process file access patterns for multi-tenant hardening
---
## Security Constraints
- What lives **inside** the chroot (agent-accessible): workspace files, git repo, language runtimes
- What lives **outside** the chroot (gateway-only, never agent-accessible): Valkey connection, PG connection, other users' workspaces, gateway config, OTEL endpoint, credentials
---
## Dependencies
- Workspaces (P8-015) — chroot is rooted at workspace directory; workspace must exist first
- Tool hardening (P8-016) — path validation stays active as defense-in-depth alongside chroot
---
## References
- Original design context: `docs/plans/2026-03-15-agent-platform-architecture.md` → "Chroot Agent Sandboxing" section
- Current tool implementations: `apps/gateway/src/agent/tools/`

53
docs/plans/gatekeeper-service.md Normal file
View File

@@ -0,0 +1,53 @@
# Gatekeeper Service — PR Review, Quality Gates & Merge Authority
> **Status:** Stub — deferred. Referenced from `2026-03-15-agent-platform-architecture.md` (Phase 7 Workspaces).
> Implement after Workspaces (P8-015) is complete and the workspace/git infrastructure is operational.
**Date:** 2026-03-15
**Packages:** `apps/gateway`, `packages/types`, `packages/agent`
---
## Problem Statement
Project agents create PRs but cannot review or merge their own work. A separate, isolated agent service with read-only code access and quality gate enforcement is needed to act as the authoritative merge authority.
The Gatekeeper existed in the old Mosaic codebase and must be ported/redesigned for mosaic-mono-v1.
---
## Key Design Constraints
- **Isolated trust boundary** — project agents cannot invoke Gatekeeper directly; it listens for PR events from the git provider
- **`isSystem: true`** — system agent, not editable by users
- **Read-only code access** — reads diffs and runs checks; cannot commit or push
- **Quality gates required before merge** — lint, typecheck, test results must pass
- **Cannot self-approve** — the agent that authored the PR cannot be the Gatekeeper for that PR
---
## Scope (To Be Designed)
- [ ] Gatekeeper agent bootstrap — system agent config, tool set, prompt engineering
- [ ] PR event listener — Gitea/GitHub webhook integration (PR opened/updated/ready)
- [ ] Quality gate runner — trigger CI checks, poll for results, enforce pass criteria
- [ ] Review generation — LLM-driven code review comment generation
- [ ] Merge execution — approve + merge when gates pass; reject with comments when they fail
- [ ] Configurable strictness — per-project required checks, review depth
- [ ] Trust boundary enforcement — gateway rejects Gatekeeper tool calls that exceed read-only scope
- [ ] Audit trail — OTEL spans for all Gatekeeper decisions (approve/reject/merge)
---
## Dependencies
- Workspaces (P8-015) — Gatekeeper needs project workspace layout to locate code
- Git provider API tools — PR creation/review/merge API (Gitea/GitHub/GitLab)
- CI/CD tool integration — Woodpecker pipeline status polling
---
## References
- Original design context: `docs/plans/2026-03-15-agent-platform-architecture.md` → "Gatekeeper Service" section
- Workspace RBAC and agent trust model: same document → "RBAC & Filesystem Security"

60
docs/plans/task-queue-unification.md Normal file
View File

@@ -0,0 +1,60 @@
# Task Queue Unification — @mosaic/queue as Unified Orchestration Layer
> **Status:** Stub — deferred. Referenced from `2026-03-15-agent-platform-architecture.md` (Task Queue & Orchestration section).
> Implement after Workspaces (P8-015) is complete. Requires workspace file structure to be in place.
**Date:** 2026-03-15
**Packages:** `packages/queue`, `packages/coord`, `packages/db`, `apps/gateway`
---
## Problem Statement
Two disconnected task systems exist:
1. **`@mosaic/coord`** — file-based missions (`mission.json`, `TASKS.md`), file locks, subprocess spawning. Single-machine orchestrator pattern.
2. **PG tables** (`tasks`, `mission_tasks`, `missions`) — DB-backed CRUD, REST API, Brain repos.
An agent using `coord_mission_status` gets file data. The dashboard shows DB data. They are never in sync.
---
## Vision
`@mosaic/queue` becomes the unified task orchestration service bridging PG, workspace files, and Valkey:
- DB is source of truth for structured state (status, assignees, timestamps)
- Workspace files (`TASKS.md`, PRDs) are working copies for agent interaction
- Valkey handles real-time assignment queues and agent claim locks
- Flatfile fallback for no-DB single-machine deployments (preserves `@mosaic/coord` pattern)
---
## Scope (To Be Designed)
- [ ] `@mosaic/queue` refactor — elevate from ioredis primitive to task orchestration service
- [ ] DB ↔ file sync layer — writes to PG propagate to `TASKS.md`; file edits by agents sync back
- [ ] Task assignment queue — Valkey-backed RPUSH/BLPOP for agent task claiming
- [ ] Agent claim locks — `mosaic:queue:project:{id}:lock:{taskId}` with TTL
- [ ] `@mosaic/coord` consolidation — file-based ops ported into queue service; `@mosaic/coord` becomes thin adapter or deprecated
- [ ] Flatfile fallback — queue service writes JSON manifests when PG unavailable
- [ ] Status pub/sub — real-time task status updates via Valkey pub/sub
- [ ] Dependency resolution — block task assignment until dependencies are met
- [ ] Orchestrator monitor — gateway process watches task queue, assigns next based on dependency graph
- [ ] API surface — queue service exposes typed interface used by agents, gateway, and CLI
---
## Dependencies
- Workspaces (P8-015) — file sync targets the workspace directory structure
- Teams architecture (P8-007) — project ownership determines queue namespacing
- DB schema stable — task/mission tables must not change mid-unification
---
## References
- Original design context: `docs/plans/2026-03-15-agent-platform-architecture.md` → "Task Queue & Orchestration" section
- Current `@mosaic/coord` implementation: `packages/coord/src/`
- Current `@mosaic/queue` implementation: `packages/queue/src/`

40
docs/scratchpads/BUG-CLI-scratchpad.md Normal file
View File

@@ -0,0 +1,40 @@
# BUG-CLI Scratchpad
## Objective
Fix 4 CLI/TUI polish bugs in a single PR (issues #192, #193, #194, #199).
## Issues
- #192: Ctrl+T leaks 't' into input
- #193: Duplicate React keys in CommandAutocomplete
- #194: /provider login false clipboard claim
- #199: TUI shows hardcoded version "0.0.0"
## Plan and Fixes
### Bug #192 — Ctrl+T character leak
- Location: `packages/cli/src/tui/app.tsx`
- Fix: Added `ctrlJustFired` ref. Set synchronously in Ctrl+T/L/N/K handlers, cleared via microtask.
In the `onChange` wrapper passed to `InputBar`, if `ctrlJustFired.current` is true, suppress the
leaked character and return early.
### Bug #193 — Duplicate React keys
- Location: `packages/cli/src/tui/components/command-autocomplete.tsx`
- Fix: Changed `key={cmd.name}` to `key={`${cmd.execution}-${cmd.name}`}` for uniqueness.
- Also: `packages/cli/src/tui/commands/registry.ts``getAll()` now deduplicates gateway commands
that share a name with local commands. Local commands take precedence.
### Bug #194 — False clipboard claim
- Location: `apps/gateway/src/commands/command-executor.service.ts`
- Fix: Removed the `\n\n(URL copied to clipboard)` suffix from the provider login message.
### Bug #199 — Hardcoded version "0.0.0"
- Location: `packages/cli/src/cli.ts` + `packages/cli/src/tui/app.tsx`
- Fix: `cli.ts` reads version from `../package.json` via `createRequire`. Passes `version: CLI_VERSION`
to TuiApp in both render calls. TuiApp has new optional `version` prop (defaults to '0.0.0'),
passes it to TopBar instead of hardcoded `"0.0.0"`.
## Quality Gates
- CLI typecheck: PASSED
- CLI lint: PASSED
- Prettier format:check: PASSED
- Gateway lint: PASSED

37
docs/scratchpads/bug-196-admin-redirect.md Normal file
View File

@@ -0,0 +1,37 @@
# BUG-196: Admin Page Redirect Issue
## Problem
Admin page redirects to /chat for users with admin role because role check fails.
## Root Cause
The `role` field is defined as an `additionalField` in better-auth's user configuration, but
better-auth v1.5.5 does not automatically include additionalFields in the session response from
the `getSession()` API. This causes the admin role check to fail:
- Frontend: `AdminRoleGuard` checks `user?.role !== 'admin'`
- Backend: `AdminGuard` checks `user.role !== 'admin'`
- When `role` is `undefined`, both checks treat the user as non-admin and deny access
## Solution
Implemented a defensive check in the backend `AdminGuard` that:
1. First tries to use the `role` field from the session (if better-auth includes it)
2. Falls back to fetching the role directly from the database if it's missing
3. Defaults to 'member' if the user has no role set
This ensures that admin users can always access the admin panel, and also protects against
the case where better-auth doesn't include the additionalField in future versions.
## Files Changed
1. `/apps/gateway/src/admin/admin.guard.ts` - Added fallback role lookup
2. `/packages/auth/src/auth.ts` - No changes needed (better-auth config is correct)
## Verification
- All three quality gates pass: `typecheck`, `lint`, `format:check`
- Backend admin guard now explicitly handles missing role field
- Frontend admin guard remains unchanged (will work once role is available)

67
docs/scratchpads/mvp-20260312.md
View File

@@ -199,3 +199,70 @@ User confirmed: start the planning gate.
| 8 | FIX-02 TUI state (#133) | FIX-03 Agent sandbox (#134) |
| 9 | P7-004 E2E Playwright (#55) | P7-006 Docs (#57) + P7-007 Deploy docs (#58) |
| 10 | P7-021 Verify Phase 7 (#132) | — |
### Session 12 — Phase 7 completion summary
**All 17 Phase 7 tasks + 2 backlog fixes completed in a single session.**
PRs merged: #136, #137, #138, #139, #140, #141, #142, #143, #144, #145, #146, #147, #148, #149, #150, #151, #152, #153
Issues closed: #52, #55, #57, #58, #120-#134
**Verification evidence:**
- Typecheck: 32/32 tasks green
- Lint: 18/18 packages green
- Format: All files clean
- 19 PRs squash-merged to main, all quality gates passed
**Phase 7 delivered:**
- Web: functional chat (WS streaming), conversation management, project detail views, provider UI, settings persistence, admin panel
- Agent: 7 new tools (file/git/shell/web), MCP server (14 tools), MCP client (external server bridge), skill invocation
- CLI: model/provider switching, session management
- Infrastructure: coord DB migration, agent sandbox hardening
- Quality: E2E Playwright suite (~35 tests), comprehensive docs (user/admin/dev/deployment)
- Fixes: TUI state updater, agent session sandboxing
### Session 13 — CLI Command Architecture (P8-005, P8-006)
| Session | Date | Milestone | Tasks Done | Outcome |
| ------- | ---------- | --------- | -------------- | ------------------------------------------------------------------------------------------------------------- |
| 13 | 2026-03-15 | Phase 8 | P8-005, P8-006 | CLI command architecture implemented. DB schema, brain repo, gateway endpoints, CLI commands. PR #158 merged. |
**Changes delivered:**
- DB: Extended agents table (projectId, ownerId, systemPrompt, allowedTools, skills, isSystem). Added agentId to conversations.
- Brain: New agents repository with findAccessible (owner's + system agents).
- Gateway: /api/agents CRUD, consolidated /api/missions with user-scoped CRUD + /tasks sub-routes, coord slimmed to file-based only, agentConfigId wired into session creation.
- CLI: `mosaic agent` (--list, --new, --show, --update, --delete), `mosaic mission` (--list, --init, --plan, --update, task subcommand), `mosaic prdy` (gateway-aware), shared with-auth + select-dialog utilities.
- TUI: --agent and --project flags, agent name display in top bar, agentId in socket payload.
- Types: agentId added to ChatMessagePayload.
- Tests: 23/23 gateway tests pass (updated ownership test for user-scoped missions).
### Session 14 — Platform Architecture Plan Augmentation + Task Breakdown
| Session | Date | Milestone | Tasks Done | Outcome |
| ------- | ---------- | --------- | ---------- | ------------------------------------------------------------- |
| 14 | 2026-03-15 | Phase 8 | P8-018 | Augmented plan, created 13 issues, created Phase 8 milestone. |
**Decisions made:**
- This plan is Phase 7 feature extension work, not Phase 8 beta scope. P8-001P8-004 (SSO, LLM, perf, release gate) are deferred to far future.
- `/provider` OAuth in TUI: URL-to-clipboard + Valkey poll token pattern (same as Pi agent)
- Add `mutable` column to preferences now (P8-007 DB migration)
- Teams architecture: `teams` + `team_members` tables, `teamId`/`ownerType` on projects. Workspace path branches on owner type: `users/<uid>/` vs `teams/<tid>/`.
- Phase dependency chain decided: Wave 1 (DB+Types) → Wave 2 (TUI+toolhardening) → Wave 3 (gateway registry, gating) → Wave 4 (prefs+commands) → Wave 5 (reload+GC) → Wave 6 (workspaces) → Wave 7 (autocomplete) → Wave 8 (verify).
**Plan augmentations added:**
- Teams Architecture section (DB schema, workspace paths, RBAC)
- REST Route Specifications table
- `/provider` OAuth flow (URL+clipboard+polling)
- Preferences `mutable` migration spec
- Test Strategy (per-task test files + key test cases)
- Phase Execution Order (dependency graph + wave plan)
**Issues created:** #160#172 (Gitea milestone ms-165)
**P8-018 closed:** Spin-off stubs created (gatekeeper-service.md, task-queue-unification.md, chroot-sandboxing.md)
**Next:** Begin execution at Wave 1 — P8-007 (DB migrations) + P8-008 (Types) in parallel.

40
docs/scratchpads/p8-009-tui-slash-commands.md Normal file
View File

@@ -0,0 +1,40 @@
# P8-009: TUI Phase 1 — Slash Command Parsing
## Task Reference
- Issue: #162
- Branch: feat/p8-009-tui-slash-commands
## Scope
- New files: parse.ts, registry.ts, local/help.ts, local/status.ts, commands/index.ts
- Modified files: use-socket.ts, input-bar.tsx, message-list.tsx, app.tsx
## Key Observations
- CommandDef in @mosaic/types does NOT have `category` field — will omit from LOCAL_COMMANDS
- CommandDef.args is `CommandArgDef[] | undefined`, not `{ usage: string }` — help.ts args rendering needs adjustment
- Message role union currently: 'user' | 'assistant' | 'thinking' | 'tool' — adding 'system'
- InputBar currently takes `onSubmit: (value: string) => void` — need to add slash command interception
- app.tsx passes `onSubmit={socket.sendMessage}` directly — needs command-aware handler
## Assumptions
- ASSUMPTION: `category` field not in CommandDef type — will skip category grouping in help output, or add it only to registry (not to CommandDef type)
- ASSUMPTION: For the `args` field display in help, will use `CommandArgDef.name` and `CommandArgDef.description`
- ASSUMPTION: `commands:manifest` event type may not be in ServerToClientEvents — will handle via socket.on with casting if needed
## Status
- [ ] Create commands directory structure
- [ ] Implement parse.ts
- [ ] Implement registry.ts
- [ ] Implement local/help.ts
- [ ] Implement local/status.ts
- [ ] Implement commands/index.ts
- [ ] Modify use-socket.ts
- [ ] Modify input-bar.tsx
- [ ] Modify message-list.tsx
- [ ] Modify app.tsx
- [ ] Run quality gates
- [ ] Commit + Push + PR + CI

72
docs/scratchpads/p8-010-command-registry.md Normal file
View File

@@ -0,0 +1,72 @@
# P8-010 Scratchpad — Gateway Phase 2: CommandRegistryService + CommandExecutorService
## Objective
Implement gateway-side command registry system:
- `CommandRegistryService` — owns canonical command manifest, broadcasts on connect
- `CommandExecutorService` — routes `command:execute` socket events
- `CommandsModule` — NestJS wiring
- Wire into `ChatGateway` and `AppModule`
- Register core commands
- Tests for CommandRegistryService
## Key Findings from Codebase
### CommandDef shape (from packages/types/src/commands/index.ts)
- `scope: 'core' | 'agent' | 'skill' | 'plugin' | 'admin'` (NOT `category`)
- `args?: CommandArgDef[]` — array of arg defs, each with `name`, `type`, `optional`, `values?`, `description?`
- No `aliases` required (it's listed but optional-ish... wait, it IS in the interface)
- `aliases: string[]` — IS present
### SlashCommandResultPayload requires `conversationId`
- The task spec shows `{ command, success, error }` without `conversationId` but actual type requires it
- Must include `conversationId` in all return values
### CommandManifest has `skills: SkillCommandDef[]`
- Must include `skills` array in manifest
### userId extraction in ChatGateway
- `client.data.user` holds the user object (set in `handleConnection`)
- `client.data.user.id` or similar for userId
### AgentModule not imported in ChatModule
- ChatGateway imports AgentService via DI
- ChatModule doesn't declare imports — AgentModule must be global or imported
### Worktree branch
- Branch: `feat/p8-010-command-registry`
- Working in: `/home/jwoltje/src/mosaic-mono-v1/.claude/worktrees/agent-ac85b3b2`
## Plan
1. Create `apps/gateway/src/commands/command-registry.service.ts`
2. Create `apps/gateway/src/commands/command-executor.service.ts`
3. Create `apps/gateway/src/commands/commands.module.ts`
4. Modify `apps/gateway/src/app.module.ts` — add CommandsModule
5. Modify `apps/gateway/src/chat/chat.module.ts` — import CommandsModule
6. Modify `apps/gateway/src/chat/chat.gateway.ts` — inject services, add handler, emit manifest
7. Create `apps/gateway/src/commands/command-registry.service.spec.ts`
## Progress
- [ ] Create CommandRegistryService
- [ ] Create CommandExecutorService
- [ ] Create CommandsModule
- [ ] Update AppModule
- [ ] Update ChatModule
- [ ] Update ChatGateway
- [ ] Write tests
- [ ] Run quality gates
- [ ] Commit + push + PR
## Risks
- CommandDef `args` shape mismatch from task spec — must use actual type
- `SlashCommandResultPayload.conversationId` is required — handle missing conversationId

44
docs/scratchpads/p8-012-agent-provider-commands.md Normal file
View File

@@ -0,0 +1,44 @@
# P8-012 Scratchpad — Gateway /agent, /provider, /mission, /prdy, /tools Commands
## Objective
Add gateway-executed commands: `/agent`, `/provider`, `/mission`, `/prdy`, `/tools`.
Key feature: `/provider login` OAuth flow with Valkey poll token.
## Plan
1. Read all relevant files (done)
2. Update `command-registry.service.ts` — add 5 new command registrations
3. Update `commands.module.ts` — wire Redis injection for executor
4. Update `command-executor.service.ts` — add 5 new command handlers + Redis injection
5. Write spec file for new commands
6. Run quality gates (typecheck, lint, format:check, test)
7. Commit and push
## Key Decisions
- Redis pattern: same as GCModule — use `REDIS` token injected from a QueueHandle factory
- `CommandDef` type fields: `scope: 'core'|'agent'|'skill'|'plugin'|'admin'`, `args?: CommandArgDef[]`, `execution: 'local'|'socket'|'rest'|'hybrid'`
- No `category` or `usage` fields — instruction spec was wrong on that
- `SlashCommandResultPayload.conversationId` is typed as `string` (not `string | undefined`) per the type
- Provider commands are `scope: 'agent'` since they relate to agent configuration
- Redis injection: add a `COMMANDS_REDIS` token in commands module, inject via factory pattern same as GCModule
## Progress
- [ ] command-registry.service.ts updated
- [ ] commands.module.ts updated (add Redis provider)
- [ ] command-executor.service.ts updated (add Redis injection + handlers)
- [ ] spec file written
- [ ] quality gates pass
- [ ] commit + push + PR
## Risks
- `conversationId` typing: `SlashCommandResultPayload.conversationId` is `string`, but some handler calls pass `undefined`. Need to check if it's optional.
After reviewing types: `conversationId: string` in `SlashCommandResultPayload` — not optional. Must pass empty string or actual ID. Looking at existing code: `message: 'Start a new conversation...'` returns `{ command, conversationId, ... }` where conversationId comes from payload which is always a string per `SlashCommandPayload`. For provider commands that don't have a conversationId, pass empty string `''` or the payload's conversationId.
Actually looking at the spec more carefully: `handleProvider` returns `conversationId: undefined`. But the type says `string`. This would be a TypeScript error. I'll use `''` as a fallback or adjust. Let me re-examine...
The `SlashCommandResultPayload` interface says `conversationId: string` — not optional. But the spec says `conversationId: undefined`. I'll use `payload.conversationId` (passing it through) since it comes from the payload.

55
docs/scratchpads/p8-016-tool-hardening.md Normal file
View File

@@ -0,0 +1,55 @@
# P8-016: Security — Tool Path Hardening + Sandbox Escape Prevention
## Status: in-progress
## Branch: feat/p8-016-tool-hardening
## Issue: #169
## Scope
Harden file, git, and shell tool factories so no path operation escapes `sandboxDir`.
## Files to Create
- `apps/gateway/src/agent/tools/path-guard.ts` (new)
- `apps/gateway/src/agent/tools/path-guard.test.ts` (new)
## Files to Modify
- `apps/gateway/src/agent/tools/file-tools.ts`
- `apps/gateway/src/agent/tools/git-tools.ts`
- `apps/gateway/src/agent/tools/shell-tools.ts`
## Analysis
### file-tools.ts
- Has existing `resolveSafe()` function but uses weak containment check (relative path)
- Replace with `guardPath` (for reads/lists on existing paths) and `guardPathUnsafe` (for writes)
- Error pattern: return `{ content: [{ type: 'text', text: 'Error: ...' }], details: undefined }`
### git-tools.ts
- Has `clampCwd()` that silently falls back to sandbox root on escape attempt
- Replace with strict `guardPath` that throws SandboxEscapeError, caught and returned as error
- Also need to guard the `path` parameter in `git_diff`
### shell-tools.ts
- Has `clampCwd()` same silent-fallback approach
- Replace with strict `guardPath` that throws SandboxEscapeError
## Key Design Decisions
- `guardPath`: uses `realpathSync.native` to resolve symlinks, requires path to exist
- `guardPathUnsafe`: lexical only (`path.resolve`), for paths that may not exist yet
- Both throw `SandboxEscapeError` on escape attempt
- Callers catch and return error result
## Verification
- pnpm typecheck
- pnpm lint
- pnpm format:check
- pnpm test

103
docs/scratchpads/p8-019-verify.md Normal file
View File

@@ -0,0 +1,103 @@
# P8-019 Verification — Phase 8 Platform Architecture
**Date:** 2026-03-15
**Status:** complete
**Branch:** feat/p8-019-verify
**PR:** #185
**Issue:** #172
## Test Results
- Unit tests (baseline, pre-P8-019): 101 passing across 9 gateway test files + 1 CLI file
- Integration tests added: 2 new spec files (68 new tests)
- `apps/gateway/src/commands/commands.integration.spec.ts` — 42 tests
- `packages/cli/src/tui/commands/commands.integration.spec.ts` — 26 tests
- Total after P8-019: 160 passing tests across 12 test files
- Quality gates: typecheck ✓ lint ✓ format:check ✓ test ✓
## Components Verified
### Command System
- `CommandRegistryService.getManifest()` returns 19 core commands (>= 12 requirement met)
- All commands have correct `execution` type:
- `socket`: model, thinking, new, clear, compact, retry, system, gc, agent, mission, prdy, tools, reload
- `rest`: rename, history, export, preferences
- `hybrid`: provider, status (gateway), (status overridden to local in TUI)
- `local`: help (gateway); help, stop, cost, status, clear (TUI local)
- All aliases verified: m→model, t→thinking, n→new, a→agent, s→status, h→help, pref→preferences
- `parseSlashCommand()` correctly extracts command + args for all forms
- Unknown commands return `success: false` with descriptive message
### Preferences + System Override
- `PreferencesService.getEffective()` applies platform defaults when no user overrides
- Immutable keys (`limits.maxThinkingLevel`, `limits.rateLimit`) cannot be overridden — enforcement always wins
- `set()` returns error for immutable keys with "platform enforcement" message
- `SystemOverrideService.set()` stores to Valkey with 5-minute TTL; verified via mock
- `/system` command calls `SystemOverrideService.set()` with exact text arg
- `/system` with no args calls `SystemOverrideService.clear()`
### Session GC
- `collect(sessionId)` deletes all `mosaic:session:<id>:*` Valkey keys
- `fullCollect()` clears all `mosaic:session:*` keys on cold start
- `sweepOrphans()` extracts unique session IDs from keys and collects each
- GC result includes `duration` and `orphanedSessions` count
- `/gc` command invokes `sweepOrphans(userId)` and returns count in response
### Tool Security (path-guard)
- `guardPath` rejects `../` traversal → throws `SandboxEscapeError`
- `guardPath` rejects absolute paths outside sandbox → throws `SandboxEscapeError`
- `guardPathUnsafe` rejects sibling-named directories (e.g. `/tmp/test-sandbox-evil/`)
- All 12 path-guard tests pass; `SandboxEscapeError` message includes path and sandbox in text
### Workspace
- `WorkspaceService.resolvePath()` returns user path for solo projects:
`$MOSAIC_ROOT/.workspaces/users/<userId>/<projectId>`
- `WorkspaceService.resolvePath()` returns team path for team projects:
`$MOSAIC_ROOT/.workspaces/teams/<teamId>/<projectId>`
- Path resolution is deterministic (same inputs → same output)
- `exists()`, `createUserRoot()`, `createTeamRoot()` all tested
### TUI Autocomplete
- `filterCommands(commands, query)` filters by name, aliases, and description
- Empty query returns all commands
- Prefix matching works: "mo" → model, "mi" → mission
- Alias matching: "h" matches help (alias)
- Description keyword matching: "switch" → model
- Unknown query returns empty array
- `useInputHistory` ring buffer caps at 50 entries
- Up-arrow recall returns most recent entry
- Down-arrow after up restores saved input
- Duplicate consecutive entries are deduplicated
- Reset navigation works correctly
### Hot Reload
- `ReloadService` registers plugins via `registerPlugin()`
- `reload()` iterates plugins, calls their `reload()` method
- Plugin errors are counted but don't prevent other plugins from reloading
- Non-MosaicPlugin objects are skipped gracefully
- SIGHUP trigger verified via reload trigger = 'sighup'
## Gaps / Known Limitations
1. `SystemOverrideService` creates its own Valkey connection in constructor (not injected) — functional but harder to test in isolation without mocking `createQueue`. Current tests mock it at the executor level.
2. `/status` command has `execution: 'hybrid'` in the gateway registry but `execution: 'local'` in the TUI local registry — TUI local takes precedence, which is the intended behavior.
3. `SessionGCService.fullCollect()` runs on `onModuleInit` (cold start) — this is intentional but means tests must mock redis.keys to avoid real Valkey calls.
4. `ProjectBootstrapService` and `TeamsService` in workspace module have no dedicated tests — they are thin wrappers over Drizzle that delegate to WorkspaceService (which is tested).
5. GC cron schedule (`SESSION_GC_CRON` env var) is configured at module level — not unit tested here; covered by NestJS cron integration.
6. `filterCommands` in `CommandAutocomplete` is not exported — replicated in integration test to verify behavior.
## CI Evidence
Pipeline: TBD after push — all 4 local quality gates green:
- pnpm typecheck: 32 tasks, all cached/green
- pnpm lint: 18 tasks, all green
- pnpm format:check: all files match Prettier style
- pnpm test: 32 tasks, 160 tests passing

8
eslint.config.mjs
View File

@@ -20,7 +20,13 @@ export default tseslint.config(
languageOptions: {
parser: tsParser,
parserOptions: {
projectService: true,
projectService: {
allowDefaultProject: [
'apps/web/e2e/*.ts',
'apps/web/e2e/helpers/*.ts',
'apps/web/playwright.config.ts',
],
},
},
},
rules: {

58
packages/brain/src/agents.ts Normal file
View File

@@ -0,0 +1,58 @@
import { eq, or, type Db, agents } from '@mosaic/db';
export type Agent = typeof agents.$inferSelect;
export type NewAgent = typeof agents.$inferInsert;
export function createAgentsRepo(db: Db) {
return {
async findAll(): Promise<Agent[]> {
return db.select().from(agents);
},
async findById(id: string): Promise<Agent | undefined> {
const rows = await db.select().from(agents).where(eq(agents.id, id));
return rows[0];
},
async findByName(name: string): Promise<Agent | undefined> {
const rows = await db.select().from(agents).where(eq(agents.name, name));
return rows[0];
},
async findByProject(projectId: string): Promise<Agent[]> {
return db.select().from(agents).where(eq(agents.projectId, projectId));
},
async findSystem(): Promise<Agent[]> {
return db.select().from(agents).where(eq(agents.isSystem, true));
},
async findAccessible(ownerId: string): Promise<Agent[]> {
return db
.select()
.from(agents)
.where(or(eq(agents.ownerId, ownerId), eq(agents.isSystem, true)));
},
async create(data: NewAgent): Promise<Agent> {
const rows = await db.insert(agents).values(data).returning();
return rows[0]!;
},
async update(id: string, data: Partial<NewAgent>): Promise<Agent | undefined> {
const rows = await db
.update(agents)
.set({ ...data, updatedAt: new Date() })
.where(eq(agents.id, id))
.returning();
return rows[0];
},
async remove(id: string): Promise<boolean> {
const rows = await db.delete(agents).where(eq(agents.id, id)).returning();
return rows.length > 0;
},
};
}
export type AgentsRepo = ReturnType<typeof createAgentsRepo>;

3
packages/brain/src/brain.ts
View File

@@ -4,6 +4,7 @@ import { createMissionsRepo, type MissionsRepo } from './missions.js';
import { createMissionTasksRepo, type MissionTasksRepo } from './mission-tasks.js';
import { createTasksRepo, type TasksRepo } from './tasks.js';
import { createConversationsRepo, type ConversationsRepo } from './conversations.js';
import { createAgentsRepo, type AgentsRepo } from './agents.js';
export interface Brain {
projects: ProjectsRepo;
@@ -11,6 +12,7 @@ export interface Brain {
missionTasks: MissionTasksRepo;
tasks: TasksRepo;
conversations: ConversationsRepo;
agents: AgentsRepo;
}
export function createBrain(db: Db): Brain {
@@ -20,5 +22,6 @@ export function createBrain(db: Db): Brain {
missionTasks: createMissionTasksRepo(db),
tasks: createTasksRepo(db),
conversations: createConversationsRepo(db),
agents: createAgentsRepo(db),
};
}

6
packages/brain/src/index.ts
View File

@@ -26,3 +26,9 @@ export {
type Message,
type NewMessage,
} from './conversations.js';
export {
createAgentsRepo,
type AgentsRepo,
type Agent as AgentConfig,
type NewAgent as NewAgentConfig,
} from './agents.js';

82
packages/brain/src/projects.spec.ts Normal file
View File

@@ -0,0 +1,82 @@
import { describe, it, expect, vi } from 'vitest';
import { createProjectsRepo } from './projects.js';
/**
* Build a minimal Drizzle mock. Each call to db.select() returns a fresh
* chain that resolves `where()` to the provided rows for that call.
*
* `calls` is an ordered list: the first item is returned for the first
* db.select() call, the second for the second, and so on.
*/
function makeDb(calls: unknown[][]) {
let callIndex = 0;
const selectSpy = vi.fn(() => {
const rows = calls[callIndex++] ?? [];
const chain = {
where: vi.fn().mockResolvedValue(rows),
} as { where: ReturnType<typeof vi.fn>; from?: ReturnType<typeof vi.fn> };
// from() returns the chain so .where() can be chained, but also resolves
// directly (as a thenable) for queries with no .where() call.
chain.from = vi.fn(() => Object.assign(Promise.resolve(rows), chain));
return chain;
});
return { select: selectSpy };
}
describe('createProjectsRepo — findAllForUser', () => {
it('filters by userId when user has no team memberships', async () => {
// First select: teamMembers query → empty
// Second select: projects query → one owned project
const db = makeDb([
[], // teamMembers rows
[{ id: 'p1', ownerId: 'user-1', teamId: null, ownerType: 'user' }],
]);
const repo = createProjectsRepo(db as never);
const result = await repo.findAllForUser('user-1');
expect(db.select).toHaveBeenCalledTimes(2);
expect(result).toHaveLength(1);
expect(result[0]?.id).toBe('p1');
});
it('includes team projects when user is a team member', async () => {
// First select: teamMembers → user belongs to one team
// Second select: projects query → two projects (own + team)
const db = makeDb([
[{ teamId: 'team-1' }],
[
{ id: 'p1', ownerId: 'user-1', teamId: null, ownerType: 'user' },
{ id: 'p2', ownerId: null, teamId: 'team-1', ownerType: 'team' },
],
]);
const repo = createProjectsRepo(db as never);
const result = await repo.findAllForUser('user-1');
expect(db.select).toHaveBeenCalledTimes(2);
expect(result).toHaveLength(2);
});
it('returns empty array when user has no projects and no teams', async () => {
const db = makeDb([[], []]);
const repo = createProjectsRepo(db as never);
const result = await repo.findAllForUser('user-no-projects');
expect(result).toHaveLength(0);
});
});
describe('createProjectsRepo — findAll', () => {
it('returns all rows without any user filter', async () => {
const rows = [
{ id: 'p1', ownerId: 'user-1', teamId: null, ownerType: 'user' },
{ id: 'p2', ownerId: 'user-2', teamId: null, ownerType: 'user' },
];
const db = makeDb([rows]);
const repo = createProjectsRepo(db as never);
const result = await repo.findAll();
expect(result).toHaveLength(2);
});
});

27
packages/brain/src/projects.ts
View File

@@ -1,4 +1,4 @@
import { eq, type Db, projects } from '@mosaic/db';
import { eq, or, inArray, type Db, projects, teamMembers } from '@mosaic/db';
export type Project = typeof projects.$inferSelect;
export type NewProject = typeof projects.$inferInsert;
@@ -9,6 +9,31 @@ export function createProjectsRepo(db: Db) {
return db.select().from(projects);
},
/**
* Return only the projects visible to a given user:
* projects directly owned by the user (ownerType = 'user', ownerId = userId), OR
* projects owned by a team the user belongs to (ownerType = 'team', teamId IN user's teams)
*/
async findAllForUser(userId: string): Promise<Project[]> {
// Fetch the team IDs the user is a member of.
const memberRows = await db
.select({ teamId: teamMembers.teamId })
.from(teamMembers)
.where(eq(teamMembers.userId, userId));
const teamIds = memberRows.map((r) => r.teamId);
if (teamIds.length === 0) {
// No team memberships — return only directly owned projects.
return db.select().from(projects).where(eq(projects.ownerId, userId));
}
return db
.select()
.from(projects)
.where(or(eq(projects.ownerId, userId), inArray(projects.teamId, teamIds)));
},
async findById(id: string): Promise<Project | undefined> {
const rows = await db.select().from(projects).where(eq(projects.id, id));
return rows[0];

8
packages/cli/package.json
View File

@@ -21,15 +21,17 @@
"test": "vitest run --passWithNoTests"
},
"dependencies": {
"@clack/prompts": "^0.9.0",
"@mosaic/mosaic": "workspace:^",
"@mosaic/prdy": "workspace:^",
"@mosaic/quality-rails": "workspace:^",
"@mosaic/types": "workspace:^",
"commander": "^13.0.0",
"ink": "^5.0.0",
"ink-text-input": "^6.0.0",
"ink-spinner": "^5.0.0",
"ink-text-input": "^6.0.0",
"react": "^18.3.0",
"socket.io-client": "^4.8.0",
"commander": "^13.0.0"
"socket.io-client": "^4.8.0"
},
"devDependencies": {
"@types/node": "^22.0.0",

140
packages/cli/src/cli.ts
View File

@@ -1,12 +1,18 @@
#!/usr/bin/env node
import { createRequire } from 'module';
import { Command } from 'commander';
import { buildPrdyCli } from '@mosaic/prdy';
import { createQualityRailsCli } from '@mosaic/quality-rails';
import { registerAgentCommand } from './commands/agent.js';
import { registerMissionCommand } from './commands/mission.js';
import { registerPrdyCommand } from './commands/prdy.js';
const _require = createRequire(import.meta.url);
const CLI_VERSION: string = (_require('../package.json') as { version: string }).version;
const program = new Command();
program.name('mosaic').description('Mosaic Stack CLI').version('0.0.0');
program.name('mosaic').description('Mosaic Stack CLI').version(CLI_VERSION);
// ─── login ──────────────────────────────────────────────────────────────
@@ -51,8 +57,17 @@ program
.option('-c, --conversation <id>', 'Resume a conversation by ID')
.option('-m, --model <modelId>', 'Model ID to use (e.g. gpt-4o, llama3.2)')
.option('-p, --provider <provider>', 'Provider to use (e.g. openai, ollama)')
.option('--agent <idOrName>', 'Connect to a specific agent')
.option('--project <idOrName>', 'Scope session to project')
.action(
async (opts: { gateway: string; conversation?: string; model?: string; provider?: string }) => {
async (opts: {
gateway: string;
conversation?: string;
model?: string;
provider?: string;
agent?: string;
project?: string;
}) => {
const { loadSession, validateSession, signIn, saveSession } = await import('./auth.js');
// Try loading saved session
@@ -89,6 +104,67 @@ program
}
}
// Resolve agent ID if --agent was passed by name
let agentId: string | undefined;
let agentName: string | undefined;
if (opts.agent) {
try {
const { fetchAgentConfigs } = await import('./tui/gateway-api.js');
const agents = await fetchAgentConfigs(opts.gateway, session.cookie);
const match = agents.find((a) => a.id === opts.agent || a.name === opts.agent);
if (match) {
agentId = match.id;
agentName = match.name;
} else {
console.error(`Agent "${opts.agent}" not found.`);
process.exit(1);
}
} catch (err) {
console.error(
`Failed to resolve agent: ${err instanceof Error ? err.message : String(err)}`,
);
process.exit(1);
}
}
// Resolve project ID if --project was passed by name
let projectId: string | undefined;
if (opts.project) {
try {
const { fetchProjects } = await import('./tui/gateway-api.js');
const projects = await fetchProjects(opts.gateway, session.cookie);
const match = projects.find((p) => p.id === opts.project || p.name === opts.project);
if (match) {
projectId = match.id;
} else {
console.error(`Project "${opts.project}" not found.`);
process.exit(1);
}
} catch (err) {
console.error(
`Failed to resolve project: ${err instanceof Error ? err.message : String(err)}`,
);
process.exit(1);
}
}
// Auto-create a conversation if none was specified
let conversationId = opts.conversation;
if (!conversationId) {
try {
const { createConversation } = await import('./tui/gateway-api.js');
const conv = await createConversation(opts.gateway, session.cookie, {
...(projectId ? { projectId } : {}),
});
conversationId = conv.id;
} catch (err) {
console.error(
`Failed to create conversation: ${err instanceof Error ? err.message : String(err)}`,
);
process.exit(1);
}
}
// Dynamic import to avoid loading React/Ink for other commands
const { render } = await import('ink');
const React = await import('react');
@@ -97,11 +173,16 @@ program
render(
React.createElement(TuiApp, {
gatewayUrl: opts.gateway,
conversationId: opts.conversation,
conversationId,
sessionCookie: session.cookie,
initialModel: opts.model,
initialProvider: opts.provider,
agentId,
agentName: agentName ?? undefined,
projectId,
version: CLI_VERSION,
}),
{ exitOnCtrlC: false },
);
},
);
@@ -115,23 +196,12 @@ sessionsCmd
.description('List active agent sessions')
.option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
.action(async (opts: { gateway: string }) => {
const { loadSession, validateSession } = await import('./auth.js');
const { withAuth } = await import('./commands/with-auth.js');
const auth = await withAuth(opts.gateway);
const { fetchSessions } = await import('./tui/gateway-api.js');
const session = loadSession(opts.gateway);
if (!session) {
console.error('Not signed in. Run `mosaic login` first.');
process.exit(1);
}
const valid = await validateSession(opts.gateway, session.cookie);
if (!valid) {
console.error('Session expired. Run `mosaic login` again.');
process.exit(1);
}
try {
const result = await fetchSessions(opts.gateway, session.cookie);
const result = await fetchSessions(auth.gateway, auth.cookie);
if (result.total === 0) {
console.log('No active sessions.');
return;
@@ -184,6 +254,7 @@ sessionsCmd
gatewayUrl: opts.gateway,
conversationId: id,
sessionCookie: session.cookie,
version: CLI_VERSION,
}),
);
});
@@ -193,23 +264,12 @@ sessionsCmd
.description('Terminate an active agent session')
.option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
.action(async (id: string, opts: { gateway: string }) => {
const { loadSession, validateSession } = await import('./auth.js');
const { withAuth } = await import('./commands/with-auth.js');
const auth = await withAuth(opts.gateway);
const { deleteSession } = await import('./tui/gateway-api.js');
const session = loadSession(opts.gateway);
if (!session) {
console.error('Not signed in. Run `mosaic login` first.');
process.exit(1);
}
const valid = await validateSession(opts.gateway, session.cookie);
if (!valid) {
console.error('Session expired. Run `mosaic login` again.');
process.exit(1);
}
try {
await deleteSession(opts.gateway, session.cookie, id);
await deleteSession(auth.gateway, auth.cookie, id);
console.log(`Session ${id} destroyed.`);
} catch (err) {
console.error(err instanceof Error ? err.message : String(err));
@@ -217,13 +277,17 @@ sessionsCmd
}
});
// ─── prdy ───────────────────────────────────────────────────────────────
// ─── agent ─────────────────────────────────────────────────────────────
const prdyWrapper = buildPrdyCli();
const prdyCmd = prdyWrapper.commands.find((c) => c.name() === 'prdy');
if (prdyCmd !== undefined) {
program.addCommand(prdyCmd as unknown as Command);
}
registerAgentCommand(program);
// ─── mission ───────────────────────────────────────────────────────────
registerMissionCommand(program);
// ─── prdy ──────────────────────────────────────────────────────────────
registerPrdyCommand(program);
// ─── quality-rails ──────────────────────────────────────────────────────

241
packages/cli/src/commands/agent.ts Normal file
View File

@@ -0,0 +1,241 @@
import type { Command } from 'commander';
import { withAuth } from './with-auth.js';
import { selectItem } from './select-dialog.js';
import {
fetchAgentConfigs,
createAgentConfig,
updateAgentConfig,
deleteAgentConfig,
fetchProjects,
fetchProviders,
} from '../tui/gateway-api.js';
import type { AgentConfigInfo } from '../tui/gateway-api.js';
function formatAgent(a: AgentConfigInfo): string {
const sys = a.isSystem ? ' [system]' : '';
return `${a.name}${sys}${a.provider}/${a.model} (${a.status})`;
}
function showAgentDetail(a: AgentConfigInfo) {
console.log(` ID: ${a.id}`);
console.log(` Name: ${a.name}`);
console.log(` Provider: ${a.provider}`);
console.log(` Model: ${a.model}`);
console.log(` Status: ${a.status}`);
console.log(` System: ${a.isSystem ? 'yes' : 'no'}`);
console.log(` Project: ${a.projectId ?? '—'}`);
console.log(` System Prompt: ${a.systemPrompt ? `${a.systemPrompt.slice(0, 80)}...` : '—'}`);
console.log(` Tools: ${a.allowedTools ? a.allowedTools.join(', ') : 'all'}`);
console.log(` Skills: ${a.skills ? a.skills.join(', ') : '—'}`);
console.log(` Created: ${new Date(a.createdAt).toLocaleString()}`);
}
export function registerAgentCommand(program: Command) {
const cmd = program
.command('agent')
.description('Manage agent configurations')
.option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
.option('--list', 'List all agents')
.option('--new', 'Create a new agent')
.option('--show <idOrName>', 'Show agent details')
.option('--update <idOrName>', 'Update an agent')
.option('--delete <idOrName>', 'Delete an agent')
.action(
async (opts: {
gateway: string;
list?: boolean;
new?: boolean;
show?: string;
update?: string;
delete?: string;
}) => {
const auth = await withAuth(opts.gateway);
if (opts.list) {
return listAgents(auth.gateway, auth.cookie);
}
if (opts.new) {
return createAgentWizard(auth.gateway, auth.cookie);
}
if (opts.show) {
return showAgent(auth.gateway, auth.cookie, opts.show);
}
if (opts.update) {
return updateAgentWizard(auth.gateway, auth.cookie, opts.update);
}
if (opts.delete) {
return deleteAgent(auth.gateway, auth.cookie, opts.delete);
}
// Default: interactive select
return interactiveSelect(auth.gateway, auth.cookie);
},
);
return cmd;
}
async function resolveAgent(
gateway: string,
cookie: string,
idOrName: string,
): Promise<AgentConfigInfo | undefined> {
const agents = await fetchAgentConfigs(gateway, cookie);
return agents.find((a) => a.id === idOrName || a.name === idOrName);
}
async function listAgents(gateway: string, cookie: string) {
const agents = await fetchAgentConfigs(gateway, cookie);
if (agents.length === 0) {
console.log('No agents found.');
return;
}
console.log(`Agents (${agents.length}):\n`);
for (const a of agents) {
const sys = a.isSystem ? ' [system]' : '';
const project = a.projectId ? ` project=${a.projectId.slice(0, 8)}` : '';
console.log(` ${a.name}${sys} ${a.provider}/${a.model} ${a.status}${project}`);
}
}
async function showAgent(gateway: string, cookie: string, idOrName: string) {
const agent = await resolveAgent(gateway, cookie, idOrName);
if (!agent) {
console.error(`Agent "${idOrName}" not found.`);
process.exit(1);
}
showAgentDetail(agent);
}
async function interactiveSelect(gateway: string, cookie: string) {
const agents = await fetchAgentConfigs(gateway, cookie);
const selected = await selectItem(agents, {
message: 'Select an agent:',
render: formatAgent,
emptyMessage: 'No agents found. Create one with `mosaic agent --new`.',
});
if (selected) {
showAgentDetail(selected);
}
}
async function createAgentWizard(gateway: string, cookie: string) {
const readline = await import('node:readline');
const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
try {
const name = await ask('Agent name: ');
if (!name.trim()) {
console.error('Name is required.');
return;
}
// Project selection
const projects = await fetchProjects(gateway, cookie);
let projectId: string | undefined;
if (projects.length > 0) {
const selected = await selectItem(projects, {
message: 'Assign to project (optional):',
render: (p) => `${p.name} (${p.status})`,
});
if (selected) projectId = selected.id;
}
// Provider / model selection
const providers = await fetchProviders(gateway, cookie);
let provider = 'default';
let model = 'default';
if (providers.length > 0) {
const allModels = providers.flatMap((p) =>
p.models.map((m) => ({ provider: p.name, model: m.id, label: `${p.name}/${m.id}` })),
);
if (allModels.length > 0) {
const selected = await selectItem(allModels, {
message: 'Select model:',
render: (m) => m.label,
});
if (selected) {
provider = selected.provider;
model = selected.model;
}
}
}
const systemPrompt = await ask('System prompt (optional, press Enter to skip): ');
const agent = await createAgentConfig(gateway, cookie, {
name: name.trim(),
provider,
model,
projectId,
systemPrompt: systemPrompt.trim() || undefined,
});
console.log(`\nAgent "${agent.name}" created (${agent.id}).`);
} finally {
rl.close();
}
}
async function updateAgentWizard(gateway: string, cookie: string, idOrName: string) {
const agent = await resolveAgent(gateway, cookie, idOrName);
if (!agent) {
console.error(`Agent "${idOrName}" not found.`);
process.exit(1);
}
const readline = await import('node:readline');
const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
try {
console.log(`Updating agent: ${agent.name}\n`);
const name = await ask(`Name [${agent.name}]: `);
const systemPrompt = await ask(`System prompt [${agent.systemPrompt ? 'set' : 'none'}]: `);
const updates: Record<string, unknown> = {};
if (name.trim()) updates['name'] = name.trim();
if (systemPrompt.trim()) updates['systemPrompt'] = systemPrompt.trim();
if (Object.keys(updates).length === 0) {
console.log('No changes.');
return;
}
const updated = await updateAgentConfig(gateway, cookie, agent.id, updates);
console.log(`\nAgent "${updated.name}" updated.`);
} finally {
rl.close();
}
}
async function deleteAgent(gateway: string, cookie: string, idOrName: string) {
const agent = await resolveAgent(gateway, cookie, idOrName);
if (!agent) {
console.error(`Agent "${idOrName}" not found.`);
process.exit(1);
}
if (agent.isSystem) {
console.error('Cannot delete system agents.');
process.exit(1);
}
const readline = await import('node:readline');
const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
const answer = await new Promise<string>((resolve) =>
rl.question(`Delete agent "${agent.name}"? (y/N): `, resolve),
);
rl.close();
if (answer.toLowerCase() !== 'y') {
console.log('Cancelled.');
return;
}
await deleteAgentConfig(gateway, cookie, agent.id);
console.log(`Agent "${agent.name}" deleted.`);
}

385
packages/cli/src/commands/mission.ts Normal file
View File

@@ -0,0 +1,385 @@
import type { Command } from 'commander';
import { withAuth } from './with-auth.js';
import { selectItem } from './select-dialog.js';
import {
fetchMissions,
fetchMission,
createMission,
updateMission,
fetchMissionTasks,
createMissionTask,
updateMissionTask,
fetchProjects,
} from '../tui/gateway-api.js';
import type { MissionInfo, MissionTaskInfo } from '../tui/gateway-api.js';
function formatMission(m: MissionInfo): string {
return `${m.name}${m.status}${m.phase ? ` (${m.phase})` : ''}`;
}
function showMissionDetail(m: MissionInfo) {
console.log(` ID: ${m.id}`);
console.log(` Name: ${m.name}`);
console.log(` Status: ${m.status}`);
console.log(` Phase: ${m.phase ?? '—'}`);
console.log(` Project: ${m.projectId ?? '—'}`);
console.log(` Description: ${m.description ?? '—'}`);
console.log(` Created: ${new Date(m.createdAt).toLocaleString()}`);
}
function showTaskDetail(t: MissionTaskInfo) {
console.log(` ID: ${t.id}`);
console.log(` Status: ${t.status}`);
console.log(` Description: ${t.description ?? '—'}`);
console.log(` Notes: ${t.notes ?? '—'}`);
console.log(` PR: ${t.pr ?? '—'}`);
console.log(` Created: ${new Date(t.createdAt).toLocaleString()}`);
}
export function registerMissionCommand(program: Command) {
const cmd = program
.command('mission')
.description('Manage missions')
.option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
.option('--list', 'List all missions')
.option('--init', 'Create a new mission')
.option('--plan <idOrName>', 'Run PRD wizard for a mission')
.option('--update <idOrName>', 'Update a mission')
.option('--project <idOrName>', 'Scope to project')
.argument('[id]', 'Show mission detail by ID')
.action(
async (
id: string | undefined,
opts: {
gateway: string;
list?: boolean;
init?: boolean;
plan?: string;
update?: string;
project?: string;
},
) => {
const auth = await withAuth(opts.gateway);
if (opts.list) {
return listMissions(auth.gateway, auth.cookie);
}
if (opts.init) {
return initMission(auth.gateway, auth.cookie);
}
if (opts.plan) {
return planMission(auth.gateway, auth.cookie, opts.plan, opts.project);
}
if (opts.update) {
return updateMissionWizard(auth.gateway, auth.cookie, opts.update);
}
if (id) {
return showMission(auth.gateway, auth.cookie, id);
}
// Default: interactive select
return interactiveSelect(auth.gateway, auth.cookie);
},
);
// Task subcommand
cmd
.command('task')
.description('Manage mission tasks')
.option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
.option('--list', 'List tasks for a mission')
.option('--new', 'Create a task')
.option('--update <taskId>', 'Update a task')
.option('--mission <idOrName>', 'Mission ID or name')
.argument('[taskId]', 'Show task detail')
.action(
async (
taskId: string | undefined,
taskOpts: {
gateway: string;
list?: boolean;
new?: boolean;
update?: string;
mission?: string;
},
) => {
const auth = await withAuth(taskOpts.gateway);
const missionId = await resolveMissionId(auth.gateway, auth.cookie, taskOpts.mission);
if (!missionId) return;
if (taskOpts.list) {
return listTasks(auth.gateway, auth.cookie, missionId);
}
if (taskOpts.new) {
return createTaskWizard(auth.gateway, auth.cookie, missionId);
}
if (taskOpts.update) {
return updateTaskWizard(auth.gateway, auth.cookie, missionId, taskOpts.update);
}
if (taskId) {
return showTask(auth.gateway, auth.cookie, missionId, taskId);
}
return listTasks(auth.gateway, auth.cookie, missionId);
},
);
return cmd;
}
async function resolveMissionByName(
gateway: string,
cookie: string,
idOrName: string,
): Promise<MissionInfo | undefined> {
const missions = await fetchMissions(gateway, cookie);
return missions.find((m) => m.id === idOrName || m.name === idOrName);
}
async function resolveMissionId(
gateway: string,
cookie: string,
idOrName?: string,
): Promise<string | undefined> {
if (idOrName) {
const mission = await resolveMissionByName(gateway, cookie, idOrName);
if (!mission) {
console.error(`Mission "${idOrName}" not found.`);
return undefined;
}
return mission.id;
}
// Interactive select
const missions = await fetchMissions(gateway, cookie);
const selected = await selectItem(missions, {
message: 'Select a mission:',
render: formatMission,
emptyMessage: 'No missions found. Create one with `mosaic mission --init`.',
});
return selected?.id;
}
async function listMissions(gateway: string, cookie: string) {
const missions = await fetchMissions(gateway, cookie);
if (missions.length === 0) {
console.log('No missions found.');
return;
}
console.log(`Missions (${missions.length}):\n`);
for (const m of missions) {
const phase = m.phase ? ` [${m.phase}]` : '';
console.log(` ${m.name} ${m.status}${phase} ${m.id.slice(0, 8)}`);
}
}
async function showMission(gateway: string, cookie: string, id: string) {
try {
const mission = await fetchMission(gateway, cookie, id);
showMissionDetail(mission);
} catch {
// Try resolving by name
const m = await resolveMissionByName(gateway, cookie, id);
if (!m) {
console.error(`Mission "${id}" not found.`);
process.exit(1);
}
showMissionDetail(m);
}
}
async function interactiveSelect(gateway: string, cookie: string) {
const missions = await fetchMissions(gateway, cookie);
const selected = await selectItem(missions, {
message: 'Select a mission:',
render: formatMission,
emptyMessage: 'No missions found. Create one with `mosaic mission --init`.',
});
if (selected) {
showMissionDetail(selected);
}
}
async function initMission(gateway: string, cookie: string) {
const readline = await import('node:readline');
const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
try {
const name = await ask('Mission name: ');
if (!name.trim()) {
console.error('Name is required.');
return;
}
// Project selection
const projects = await fetchProjects(gateway, cookie);
let projectId: string | undefined;
if (projects.length > 0) {
const selected = await selectItem(projects, {
message: 'Assign to project (required):',
render: (p) => `${p.name} (${p.status})`,
emptyMessage: 'No projects found.',
});
if (selected) projectId = selected.id;
}
const description = await ask('Description (optional): ');
const mission = await createMission(gateway, cookie, {
name: name.trim(),
projectId,
description: description.trim() || undefined,
status: 'planning',
});
console.log(`\nMission "${mission.name}" created (${mission.id}).`);
} finally {
rl.close();
}
}
async function planMission(
gateway: string,
cookie: string,
idOrName: string,
_projectIdOrName?: string,
) {
const mission = await resolveMissionByName(gateway, cookie, idOrName);
if (!mission) {
console.error(`Mission "${idOrName}" not found.`);
process.exit(1);
}
console.log(`Planning mission: ${mission.name}\n`);
try {
const { runPrdWizard } = await import('@mosaic/prdy');
await runPrdWizard({
name: mission.name,
projectPath: process.cwd(),
interactive: true,
});
} catch (err) {
console.error(`PRD wizard failed: ${err instanceof Error ? err.message : String(err)}`);
process.exit(1);
}
}
async function updateMissionWizard(gateway: string, cookie: string, idOrName: string) {
const mission = await resolveMissionByName(gateway, cookie, idOrName);
if (!mission) {
console.error(`Mission "${idOrName}" not found.`);
process.exit(1);
}
const readline = await import('node:readline');
const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
try {
console.log(`Updating mission: ${mission.name}\n`);
const name = await ask(`Name [${mission.name}]: `);
const description = await ask(`Description [${mission.description ?? 'none'}]: `);
const status = await ask(`Status [${mission.status}]: `);
const updates: Record<string, unknown> = {};
if (name.trim()) updates['name'] = name.trim();
if (description.trim()) updates['description'] = description.trim();
if (status.trim()) updates['status'] = status.trim();
if (Object.keys(updates).length === 0) {
console.log('No changes.');
return;
}
const updated = await updateMission(gateway, cookie, mission.id, updates);
console.log(`\nMission "${updated.name}" updated.`);
} finally {
rl.close();
}
}
// ── Task operations ──
async function listTasks(gateway: string, cookie: string, missionId: string) {
const tasks = await fetchMissionTasks(gateway, cookie, missionId);
if (tasks.length === 0) {
console.log('No tasks found.');
return;
}
console.log(`Tasks (${tasks.length}):\n`);
for (const t of tasks) {
const desc = t.description ? `${t.description.slice(0, 60)}` : '';
console.log(` ${t.id.slice(0, 8)} ${t.status}${desc}`);
}
}
async function showTask(gateway: string, cookie: string, missionId: string, taskId: string) {
const tasks = await fetchMissionTasks(gateway, cookie, missionId);
const task = tasks.find((t) => t.id === taskId);
if (!task) {
console.error(`Task "${taskId}" not found.`);
process.exit(1);
}
showTaskDetail(task);
}
async function createTaskWizard(gateway: string, cookie: string, missionId: string) {
const readline = await import('node:readline');
const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
try {
const description = await ask('Task description: ');
if (!description.trim()) {
console.error('Description is required.');
return;
}
const status = await ask('Status [not-started]: ');
const task = await createMissionTask(gateway, cookie, missionId, {
description: description.trim(),
status: status.trim() || 'not-started',
});
console.log(`\nTask created (${task.id}).`);
} finally {
rl.close();
}
}
async function updateTaskWizard(
gateway: string,
cookie: string,
missionId: string,
taskId: string,
) {
const readline = await import('node:readline');
const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
try {
const status = await ask('New status: ');
const notes = await ask('Notes (optional): ');
const pr = await ask('PR (optional): ');
const updates: Record<string, unknown> = {};
if (status.trim()) updates['status'] = status.trim();
if (notes.trim()) updates['notes'] = notes.trim();
if (pr.trim()) updates['pr'] = pr.trim();
if (Object.keys(updates).length === 0) {
console.log('No changes.');
return;
}
const updated = await updateMissionTask(gateway, cookie, missionId, taskId, updates);
console.log(`\nTask ${updated.id.slice(0, 8)} updated (${updated.status}).`);
} finally {
rl.close();
}
}

Some files were not shown because too many files have changed in this diff Show More