fix(installer): clearer pnpm/corepack errors + dev-aware --check

Review follow-ups on the --dev feature:
- Pin corepack to pnpm@10.6.2 (the repo packageManager) and surface
  corepack enable/prepare failures, with an actionable hard-fail when pnpm
  is still absent — the fresh-machine path no longer dies on a bare
  "command not found".
- `--check --dev` now reports the installed version instead of a
  misleading "Could not reach registry" warning (dev mode skips the
  registry lookup).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RMoEx7hfdFGjUiCHuN1RRi

apps/gateway/src/federation/federation.module.ts

@@ -7,7 +7,7 @@ import { FederationController } from './federation.controller.js';
 import { CapabilitiesController } from './server/verbs/capabilities.controller.js';
 import { GrantsService } from './grants.service.js';
 import { FederationClientService, QuerySourceService } from './client/index.js';
-import { FederationAuthGuard, FederationScopeService } from './server/index.js';
+import { FederationAuthGuard } from './server/index.js';
 
 @Module({
   controllers: [EnrollmentController, FederationController, CapabilitiesController],
@@ -19,7 +19,6 @@ import { FederationAuthGuard, FederationScopeService } from './server/index.js';
     FederationClientService,
     QuerySourceService,
     FederationAuthGuard,
-    FederationScopeService,
   ],
   exports: [
     CaService,
@@ -28,7 +27,6 @@ import { FederationAuthGuard, FederationScopeService } from './server/index.js';
     FederationClientService,
     QuerySourceService,
     FederationAuthGuard,
-    FederationScopeService,
   ],
 })
 export class FederationModule {}

apps/gateway/src/federation/server/__tests__/scope.service.spec.ts

@@ -1,324 +0,0 @@
-/**
- * Unit tests for FederationScopeService (FED-M3-04).
- *
- * Coverage:
- *  - resource allowlist deny
- *  - excluded resource deny
- *  - invalid scope deny
- *  - invalid requested limit deny
- *  - native RBAC deny as subjectUserId
- *  - scope/native filter intersection for personal and team rows
- *  - native RBAC personal deny wins over scope include_personal allow/default
- *  - max_rows_per_query cap
- */
-
-import { beforeEach, describe, expect, it, vi } from 'vitest';
-import { FederationScopeService, type FederationNativeRbacEvaluator } from '../scope.service.js';
-import type { FederationContext } from '../federation-context.js';
-
-const GRANT_ID = 'grant-1';
-const PEER_ID = 'peer-1';
-const SUBJECT_USER_ID = 'user-1';
-
-function makeContext(scope: Record<string, unknown>): FederationContext {
-  return {
-    grantId: GRANT_ID,
-    peerId: PEER_ID,
-    subjectUserId: SUBJECT_USER_ID,
-    scope,
-  };
-}
-
-function makeNativeRbac(
-  result: Awaited<ReturnType<FederationNativeRbacEvaluator['evaluateReadAccess']>>,
-): FederationNativeRbacEvaluator {
-  return {
-    evaluateReadAccess: vi.fn().mockResolvedValue(result),
-  };
-}
-
-describe('FederationScopeService', () => {
-  let service: FederationScopeService;
-
-  beforeEach(() => {
-    service = new FederationScopeService();
-  });
-
-  it('allows a granted resource and returns a capped query filter', async () => {
-    const nativeRbac = makeNativeRbac({
-      allowed: true,
-      access: { includePersonal: true, teamIds: ['team-1', 'team-2'] },
-    });
-
-    const result = await service.evaluateAccess({
-      context: makeContext({
-        resources: ['tasks'],
-        filters: { tasks: { include_teams: ['team-1', 'team-3'], include_personal: true } },
-        max_rows_per_query: 50,
-      }),
-      resource: 'tasks',
-      requestedLimit: 500,
-      nativeRbac,
-    });
-
-    expect(result).toEqual({
-      allowed: true,
-      filter: {
-        resource: 'tasks',
-        subjectUserId: SUBJECT_USER_ID,
-        includePersonal: true,
-        teamIds: ['team-1'],
-        limit: 50,
-        maxRowsPerQuery: 50,
-      },
-    });
-    expect(nativeRbac.evaluateReadAccess).toHaveBeenCalledWith({
-      grantId: GRANT_ID,
-      peerId: PEER_ID,
-      subjectUserId: SUBJECT_USER_ID,
-      resource: 'tasks',
-    });
-  });
-
-  it('defaults absent resource filters to native RBAC personal and team visibility', async () => {
-    const result = await service.evaluateAccess({
-      context: makeContext({ resources: ['notes'], max_rows_per_query: 100 }),
-      resource: 'notes',
-      nativeRbac: makeNativeRbac({
-        allowed: true,
-        access: { includePersonal: true, teamIds: ['team-1', 'team-2'] },
-      }),
-    });
-
-    expect(result).toMatchObject({
-      allowed: true,
-      filter: {
-        includePersonal: true,
-        teamIds: ['team-1', 'team-2'],
-        limit: 100,
-      },
-    });
-  });
-
-  it('honors include_personal false even when native RBAC allows personal rows', async () => {
-    const result = await service.evaluateAccess({
-      context: makeContext({
-        resources: ['memory'],
-        filters: { memory: { include_personal: false } },
-        max_rows_per_query: 25,
-      }),
-      resource: 'memory',
-      nativeRbac: makeNativeRbac({
-        allowed: true,
-        access: { includePersonal: true, teamIds: [] },
-      }),
-    });
-
-    expect(result).toMatchObject({
-      allowed: true,
-      filter: {
-        includePersonal: false,
-        teamIds: [],
-      },
-    });
-  });
-
-  it('does not leak personal rows when scope allows personal but native RBAC denies personal', async () => {
-    const result = await service.evaluateAccess({
-      context: makeContext({
-        resources: ['tasks'],
-        filters: { tasks: { include_personal: true } },
-        max_rows_per_query: 25,
-      }),
-      resource: 'tasks',
-      nativeRbac: makeNativeRbac({
-        allowed: true,
-        access: { includePersonal: false, teamIds: ['team-1'] },
-      }),
-    });
-
-    expect(result).toMatchObject({
-      allowed: true,
-      filter: {
-        includePersonal: false,
-        teamIds: ['team-1'],
-      },
-    });
-  });
-
-  it('does not widen native RBAC when scope includes teams the user cannot access', async () => {
-    const result = await service.evaluateAccess({
-      context: makeContext({
-        resources: ['tasks'],
-        filters: { tasks: { include_teams: ['team-2'], include_personal: false } },
-        max_rows_per_query: 25,
-      }),
-      resource: 'tasks',
-      nativeRbac: makeNativeRbac({
-        allowed: true,
-        access: { includePersonal: true, teamIds: ['team-1'] },
-      }),
-    });
-
-    expect(result).toMatchObject({
-      allowed: true,
-      filter: {
-        includePersonal: false,
-        teamIds: [],
-      },
-    });
-  });
-
-  it('denies invalid grant scope before RBAC evaluation', async () => {
-    const nativeRbac = makeNativeRbac({
-      allowed: true,
-      access: { includePersonal: true, teamIds: [] },
-    });
-
-    const result = await service.evaluateAccess({
-      context: makeContext({ resources: [], max_rows_per_query: 100 }),
-      resource: 'tasks',
-      nativeRbac,
-    });
-
-    expect(result).toMatchObject({
-      allowed: false,
-      deny: {
-        code: 'invalid_scope',
-        stage: 'scope_parse',
-        statusCode: 400,
-        grantId: GRANT_ID,
-        subjectUserId: SUBJECT_USER_ID,
-        resource: 'tasks',
-      },
-    });
-    expect(nativeRbac.evaluateReadAccess).not.toHaveBeenCalled();
-  });
-
-  it('denies unsupported resource names before RBAC evaluation', async () => {
-    const nativeRbac = makeNativeRbac({
-      allowed: true,
-      access: { includePersonal: true, teamIds: [] },
-    });
-
-    const result = await service.evaluateAccess({
-      context: makeContext({ resources: ['tasks'], max_rows_per_query: 100 }),
-      resource: 'unknown_resource',
-      nativeRbac,
-    });
-
-    expect(result).toMatchObject({
-      allowed: false,
-      deny: {
-        code: 'invalid_resource',
-        stage: 'resource_allowlist',
-        statusCode: 403,
-      },
-    });
-    expect(nativeRbac.evaluateReadAccess).not.toHaveBeenCalled();
-  });
-
-  it('denies resources explicitly present in excluded_resources before allowlist miss', async () => {
-    const nativeRbac = makeNativeRbac({
-      allowed: true,
-      access: { includePersonal: true, teamIds: [] },
-    });
-
-    const result = await service.evaluateAccess({
-      context: makeContext({
-        resources: ['tasks'],
-        excluded_resources: ['credentials'],
-        max_rows_per_query: 100,
-      }),
-      resource: 'credentials',
-      nativeRbac,
-    });
-
-    expect(result).toMatchObject({
-      allowed: false,
-      deny: {
-        code: 'resource_excluded',
-        stage: 'resource_exclusion',
-        statusCode: 403,
-        resource: 'credentials',
-      },
-    });
-    expect(nativeRbac.evaluateReadAccess).not.toHaveBeenCalled();
-  });
-
-  it('denies supported resources that are not granted by scope', async () => {
-    const nativeRbac = makeNativeRbac({
-      allowed: true,
-      access: { includePersonal: true, teamIds: [] },
-    });
-
-    const result = await service.evaluateAccess({
-      context: makeContext({ resources: ['tasks'], max_rows_per_query: 100 }),
-      resource: 'notes',
-      nativeRbac,
-    });
-
-    expect(result).toMatchObject({
-      allowed: false,
-      deny: {
-        code: 'resource_not_granted',
-        stage: 'resource_allowlist',
-        statusCode: 403,
-        resource: 'notes',
-      },
-    });
-    expect(nativeRbac.evaluateReadAccess).not.toHaveBeenCalled();
-  });
-
-  it('denies invalid requested row limits before RBAC evaluation', async () => {
-    const nativeRbac = makeNativeRbac({
-      allowed: true,
-      access: { includePersonal: true, teamIds: [] },
-    });
-
-    const result = await service.evaluateAccess({
-      context: makeContext({ resources: ['tasks'], max_rows_per_query: 100 }),
-      resource: 'tasks',
-      requestedLimit: 0,
-      nativeRbac,
-    });
-
-    expect(result).toMatchObject({
-      allowed: false,
-      deny: {
-        code: 'invalid_limit',
-        stage: 'row_cap',
-        statusCode: 400,
-        details: { requestedLimit: 0 },
-      },
-    });
-    expect(nativeRbac.evaluateReadAccess).not.toHaveBeenCalled();
-  });
-
-  it('denies when native RBAC rejects subjectUserId access to the resource', async () => {
-    const result = await service.evaluateAccess({
-      context: makeContext({ resources: ['tasks'], max_rows_per_query: 100 }),
-      resource: 'tasks',
-      nativeRbac: makeNativeRbac({
-        allowed: false,
-        reason: 'read:tasks denied',
-        details: { permission: 'tasks:read' },
-      }),
-    });
-
-    expect(result).toEqual({
-      allowed: false,
-      deny: {
-        code: 'native_rbac_denied',
-        stage: 'native_rbac',
-        statusCode: 403,
-        message: 'read:tasks denied',
-        grantId: GRANT_ID,
-        peerId: PEER_ID,
-        subjectUserId: SUBJECT_USER_ID,
-        resource: 'tasks',
-        details: { permission: 'tasks:read' },
-      },
-    });
-  });
-});

apps/gateway/src/federation/server/index.ts

@@ -10,22 +10,4 @@
  */
 
 export { FederationAuthGuard } from './federation-auth.guard.js';
-export { FederationScopeService } from './scope.service.js';
 export type { FederationContext } from './federation-context.js';
-export type {
-  FederationNativeRbacAccess,
-  FederationNativeRbacAllowedResult,
-  FederationNativeRbacDeniedResult,
-  FederationNativeRbacEvaluator,
-  FederationNativeRbacRequest,
-  FederationNativeRbacResult,
-  FederationScopeAllowedResult,
-  FederationScopeDeniedResult,
-  FederationScopeDenyCode,
-  FederationScopeDenyDetails,
-  FederationScopeDenyReason,
-  FederationScopeDenyStage,
-  FederationScopeEvaluationInput,
-  FederationScopeEvaluationResult,
-  FederationScopeQueryFilter,
-} from './scope.service.js';

apps/gateway/src/federation/server/scope.service.ts

@@ -1,272 +0,0 @@
-/**
- * FederationScopeService — M3 server-side scope enforcement pipeline.
- *
- * Pure trust-boundary service: it validates the grant scope, asks an injected
- * native RBAC evaluator what the subject user can read locally, intersects that
- * answer with the federation scope filters, and returns a query filter for the
- * verb controllers. The service performs no DB calls directly.
- */
-
-import { Injectable } from '@nestjs/common';
-import {
-  FEDERATION_RESOURCE_VALUES,
-  type FederationResource,
-  FederationScopeError,
-  parseFederationScope,
-} from '../scope-schema.js';
-import type { FederationContext } from './federation-context.js';
-
-const federationResourceSet: ReadonlySet<string> = new Set<string>(FEDERATION_RESOURCE_VALUES);
-
-export type FederationScopeDenyStage =
-  | 'scope_parse'
-  | 'resource_allowlist'
-  | 'resource_exclusion'
-  | 'native_rbac'
-  | 'row_cap';
-
-export type FederationScopeDenyCode =
-  | 'invalid_scope'
-  | 'invalid_resource'
-  | 'resource_not_granted'
-  | 'resource_excluded'
-  | 'native_rbac_denied'
-  | 'invalid_limit';
-
-export type FederationScopeDenyStatus = 400 | 403;
-
-export interface FederationScopeDenyDetails {
-  readonly [key: string]: string | number | boolean | readonly string[];
-}
-
-export interface FederationScopeDenyReason {
-  readonly code: FederationScopeDenyCode;
-  readonly stage: FederationScopeDenyStage;
-  readonly statusCode: FederationScopeDenyStatus;
-  readonly message: string;
-  readonly grantId: string;
-  readonly peerId: string;
-  readonly subjectUserId: string;
-  readonly resource: string;
-  readonly details?: FederationScopeDenyDetails;
-}
-
-export interface FederationNativeRbacRequest {
-  readonly grantId: string;
-  readonly peerId: string;
-  readonly subjectUserId: string;
-  readonly resource: FederationResource;
-}
-
-export interface FederationNativeRbacAccess {
-  /** Whether this user may read personal rows for this resource. */
-  readonly includePersonal: boolean;
-
-  /** Team IDs this user may read for this resource under native RBAC. */
-  readonly teamIds: readonly string[];
-}
-
-export interface FederationNativeRbacAllowedResult {
-  readonly allowed: true;
-  readonly access: FederationNativeRbacAccess;
-}
-
-export interface FederationNativeRbacDeniedResult {
-  readonly allowed: false;
-  readonly reason?: string;
-  readonly details?: FederationScopeDenyDetails;
-}
-
-export type FederationNativeRbacResult =
-  | FederationNativeRbacAllowedResult
-  | FederationNativeRbacDeniedResult;
-
-export interface FederationNativeRbacEvaluator {
-  evaluateReadAccess(request: FederationNativeRbacRequest): Promise<FederationNativeRbacResult>;
-}
-
-export interface FederationScopeEvaluationInput {
-  readonly context: FederationContext;
-  readonly resource: string;
-  readonly requestedLimit?: number;
-  readonly nativeRbac: FederationNativeRbacEvaluator;
-}
-
-export interface FederationScopeQueryFilter {
-  readonly resource: FederationResource;
-  readonly subjectUserId: string;
-  readonly includePersonal: boolean;
-  readonly teamIds: readonly string[];
-  readonly limit: number;
-  readonly maxRowsPerQuery: number;
-}
-
-export interface FederationScopeAllowedResult {
-  readonly allowed: true;
-  readonly filter: FederationScopeQueryFilter;
-}
-
-export interface FederationScopeDeniedResult {
-  readonly allowed: false;
-  readonly deny: FederationScopeDenyReason;
-}
-
-export type FederationScopeEvaluationResult =
-  | FederationScopeAllowedResult
-  | FederationScopeDeniedResult;
-
-function isFederationResource(resource: string): resource is FederationResource {
-  return federationResourceSet.has(resource);
-}
-
-function uniqueStrings(values: readonly string[]): readonly string[] {
-  return Array.from(new Set<string>(values));
-}
-
-function intersectTeamIds(
-  nativeTeamIds: readonly string[],
-  scopedTeamIds: readonly string[] | undefined,
-): readonly string[] {
-  const uniqueNativeTeamIds = uniqueStrings(nativeTeamIds);
-
-  if (scopedTeamIds === undefined) {
-    return uniqueNativeTeamIds;
-  }
-
-  const nativeSet = new Set<string>(uniqueNativeTeamIds);
-  return uniqueStrings(scopedTeamIds).filter((teamId: string): boolean => nativeSet.has(teamId));
-}
-
-function makeDenyReason(params: {
-  readonly code: FederationScopeDenyCode;
-  readonly stage: FederationScopeDenyStage;
-  readonly statusCode?: FederationScopeDenyStatus;
-  readonly message: string;
-  readonly context: FederationContext;
-  readonly resource: string;
-  readonly details?: FederationScopeDenyDetails;
-}): FederationScopeDeniedResult {
-  return {
-    allowed: false,
-    deny: {
-      code: params.code,
-      stage: params.stage,
-      statusCode: params.statusCode ?? 403,
-      message: params.message,
-      grantId: params.context.grantId,
-      peerId: params.context.peerId,
-      subjectUserId: params.context.subjectUserId,
-      resource: params.resource,
-      ...(params.details !== undefined ? { details: params.details } : {}),
-    },
-  };
-}
-
-@Injectable()
-export class FederationScopeService {
-  async evaluateAccess(
-    input: FederationScopeEvaluationInput,
-  ): Promise<FederationScopeEvaluationResult> {
-    const { context, resource, requestedLimit, nativeRbac } = input;
-
-    let scope: ReturnType<typeof parseFederationScope>;
-    try {
-      scope = parseFederationScope(context.scope);
-    } catch (error: unknown) {
-      const message =
-        error instanceof FederationScopeError
-          ? 'Federation grant scope is invalid'
-          : 'Federation grant scope could not be parsed';
-      const details = error instanceof Error ? { reason: error.message } : undefined;
-      return makeDenyReason({
-        code: 'invalid_scope',
-        stage: 'scope_parse',
-        statusCode: 400,
-        message,
-        context,
-        resource,
-        ...(details !== undefined ? { details } : {}),
-      });
-    }
-
-    if (!isFederationResource(resource)) {
-      return makeDenyReason({
-        code: 'invalid_resource',
-        stage: 'resource_allowlist',
-        message: 'Requested federation resource is not supported',
-        context,
-        resource,
-        details: { supportedResources: FEDERATION_RESOURCE_VALUES },
-      });
-    }
-
-    if (scope.excluded_resources.includes(resource)) {
-      return makeDenyReason({
-        code: 'resource_excluded',
-        stage: 'resource_exclusion',
-        message: 'Requested federation resource is explicitly excluded by grant scope',
-        context,
-        resource,
-      });
-    }
-
-    if (!scope.resources.includes(resource)) {
-      return makeDenyReason({
-        code: 'resource_not_granted',
-        stage: 'resource_allowlist',
-        message: 'Requested federation resource is not granted by scope',
-        context,
-        resource,
-        details: { grantedResources: scope.resources },
-      });
-    }
-
-    if (requestedLimit !== undefined && (!Number.isInteger(requestedLimit) || requestedLimit < 1)) {
-      return makeDenyReason({
-        code: 'invalid_limit',
-        stage: 'row_cap',
-        statusCode: 400,
-        message: 'Requested row limit must be a positive integer',
-        context,
-        resource,
-        details: { requestedLimit },
-      });
-    }
-
-    const nativeResult = await nativeRbac.evaluateReadAccess({
-      grantId: context.grantId,
-      peerId: context.peerId,
-      subjectUserId: context.subjectUserId,
-      resource,
-    });
-
-    if (!nativeResult.allowed) {
-      return makeDenyReason({
-        code: 'native_rbac_denied',
-        stage: 'native_rbac',
-        message: nativeResult.reason ?? 'Subject user is not allowed to read this resource',
-        context,
-        resource,
-        ...(nativeResult.details !== undefined ? { details: nativeResult.details } : {}),
-      });
-    }
-
-    const scopeFilter = scope.filters?.[resource];
-    const includePersonal =
-      Boolean(scopeFilter?.include_personal ?? true) && nativeResult.access.includePersonal;
-    const teamIds = intersectTeamIds(nativeResult.access.teamIds, scopeFilter?.include_teams);
-    const limit = Math.min(requestedLimit ?? scope.max_rows_per_query, scope.max_rows_per_query);
-
-    return {
-      allowed: true,
-      filter: {
-        resource,
-        subjectUserId: context.subjectUserId,
-        includePersonal,
-        teamIds,
-        limit,
-        maxRowsPerQuery: scope.max_rows_per_query,
-      },
-    };
-  }
-}

docs/federation/TASKS.md

@@ -91,22 +91,22 @@ Goal: Two federated gateways exchange real data over mTLS. Inbound requests pass
 >
 > **Tracking issue:** #462.
 
-| id        | status      | description                                                                                                                                                                                                                                                                                            | issue | agent  | branch                               | depends_on       | estimate | notes                                                                                                                                                    |
-| --------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----- | ------ | ------------------------------------ | ---------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| FED-M3-01 | done        | `packages/types/src/federation/` — request/response DTOs for `list`, `get`, `capabilities` verbs. Wire-format zod schemas + inferred TS types. Includes `FederationRequest`, `FederationListResponse<T>`, `FederationGetResponse<T>`, `FederationCapabilitiesResponse`, error envelope, `_source` tag. | #462  | sonnet | feat/federation-m3-types             | —                | 4K       | Reusable from gateway server + client + harness. Pure types — no I/O, no NestJS.                                                                         |
-| FED-M3-02 | done        | `tools/federation-harness/` scaffold: `docker-compose.two-gateways.yml` (Server A + Server B + step-CA), `seed.ts` (provisions grants, peers, sample tasks/notes/credentials per scope variant), `harness.ts` helper (boots stack, returns typed clients). README documents harness use.               | #462  | sonnet | feat/federation-m3-harness           | DEPLOY-04 (soft) | 8K       | Falls back to local docker-compose if `mos-test-1/-2` not yet redeployed (DEPLOY chain blocked on IMG-FIX). Permanent test infra used by M3+.            |
-| FED-M3-03 | done        | `apps/gateway/src/federation/server/federation-auth.guard.ts` (NestJS guard). Validates inbound client cert from Fastify TLS context, extracts `grantId` + `subjectUserId` from custom OIDs, loads grant from DB, asserts `status='active'`, attaches `FederationContext` to request.                  | #462  | sonnet | feat/federation-m3-auth-guard        | M3-01            | 8K       | Reuses OID parsing logic mirrored from `ca.service.ts` post-issuance verification. 401 on malformed/missing OIDs; 403 on revoked/expired/missing grant.  |
-| FED-M3-04 | in-progress | `apps/gateway/src/federation/server/scope.service.ts`. Pipeline: (1) resource allowlist + excluded check, (2) native RBAC eval as `subjectUserId`, (3) scope filter intersection (`include_teams`, `include_personal`), (4) `max_rows_per_query` cap. Pure service — DB calls injected.                | #462  | sonnet | feat/federation-m3-scope-service     | M3-01            | 10K      | Hardest correctness target in M3. Reuses `parseFederationScope` (M2-03). Returns either `{ allowed: true, filter }` or structured deny reason for audit. |
-| FED-M3-05 | not-started | `apps/gateway/src/federation/server/verbs/list.controller.ts`. Wires AuthGuard → ScopeService → tasks/notes/memory query layer; applies row cap; tags rows with `_source`. Resource selector via path param.                                                                                           | #462  | sonnet | feat/federation-m3-verb-list         | M3-03, M3-04     | 6K       | Routes: `POST /api/federation/v1/list/:resource`. No body persistence. Audit write deferred to M4.                                                       |
-| FED-M3-06 | not-started | `apps/gateway/src/federation/server/verbs/get.controller.ts`. Single-resource fetch by id; same pipeline as list. 404 on not-found, 403 on RBAC/scope deny — both audited the same way.                                                                                                                | #462  | sonnet | feat/federation-m3-verb-get          | M3-03, M3-04     | 6K       | `POST /api/federation/v1/get/:resource/:id`. Mirrors list controller patterns.                                                                           |
-| FED-M3-07 | in-progress | `apps/gateway/src/federation/server/verbs/capabilities.controller.ts`. Read-only enumeration: returns `{ resources, excluded_resources, max_rows_per_query, supported_verbs }` derived from grant scope. Always allowed for an active grant — no RBAC eval.                                            | #462  | sonnet | feat/federation-m3-verb-capabilities | M3-03            | 4K       | `GET /api/federation/v1/capabilities`. Smallest verb; useful sanity check that mTLS + auth guard work end-to-end.                                        |
-| FED-M3-08 | done        | `apps/gateway/src/federation/client/federation-client.service.ts`. Outbound mTLS dialer: picks `(certPem, sealed clientKey)` from `federation_peers`, unwraps key, builds undici Agent with mTLS, calls peer verb, parses typed response, wraps non-2xx into `FederationClientError`.                  | #462  | sonnet | feat/federation-m3-client            | M3-01            | 8K       | Independent of server stream — can land in parallel with M3-03/04. Cert/key cached per-peer; flushed by future M5/M6 logic.                              |
-| FED-M3-09 | in-progress | `apps/gateway/src/federation/client/query-source.service.ts`. Accepts `source: "local" \| "federated:<host>" \| "all"` from gateway query layer; for `"all"` fans out to local + each peer in parallel; merges results; tags every row with `_source`.                                                 | #462  | sonnet | feat/federation-m3-query-source      | M3-08            | 8K       | Per-peer failure surfaces as `_partial: true` in response, not hard failure (sets up M5 offline UX). M5 adds caching + circuit breaker on top.           |
-| FED-M3-10 | not-started | Integration tests for MILESTONES.md M3 acceptance #6 (malformed OIDs → 401; valid cert + revoked grant → 403) and #7 (`max_rows_per_query` cap). Real PG, mocked TLS context (Fastify req shim).                                                                                                       | #462  | sonnet | feat/federation-m3-integration       | M3-05, M3-06     | 8K       | Vitest profile gated by `FEDERATED_INTEGRATION=1`. Single-gateway suite; no harness required.                                                            |
-| FED-M3-11 | not-started | E2E tests for MILESTONES.md M3 acceptance #1, #2, #3, #4, #5, #8, #9, #10 (8 cases). Uses harness from M3-02; two real gateways, real Step-CA, real mTLS. Each test asserts both happy-path response and audit/no-persist invariants.                                                                  | #462  | sonnet | feat/federation-m3-e2e               | M3-02, M3-09     | 12K      | Largest single task. Each acceptance gets its own `it(...)` for clear failure attribution.                                                               |
-| FED-M3-12 | not-started | Independent security review (sonnet, not author of M3-03/04/05/06/07/08/09): focus on cert-SAN spoofing, OID extraction edge cases, scope-bypass via filter manipulation, RBAC-bypass via subjectUser swap, response leakage when scope deny.                                                          | #462  | sonnet | feat/federation-m3-security-review   | M3-11            | 10K      | Two review rounds budgeted. PRD requires explicit test for every 401/403 path — review verifies coverage.                                                |
-| FED-M3-13 | not-started | Docs update: `docs/federation/SETUP.md` mTLS handshake section, new `docs/federation/HARNESS.md` for federation-harness usage, OID reference table in SETUP.md, scope enforcement pipeline diagram. Runbook still M7-deferred.                                                                         | #462  | haiku  | feat/federation-m3-docs              | M3-12            | 5K       | One ASCII diagram for the auth-guard → scope → RBAC pipeline; helps future reviewers reason about denial paths.                                          |
-| FED-M3-14 | not-started | PR aggregate close, CI green, merge to main, close #462. Release tag `fed-v0.3.0-m3`. Update mission manifest M3 row → done; M4 row → in-progress when work begins.                                                                                                                                    | #462  | sonnet | chore/federation-m3-close            | M3-13            | 3K       | Same close pattern as M1-12 / M2-13.                                                                                                                     |
+| id        | status      | description                                                                                                                                                                                                                                                                                            | issue | agent  | branch                               | depends_on                        | estimate | notes                                                                                                                                                    |
+| --------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----- | ------ | ------------------------------------ | --------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| FED-M3-01 | done        | `packages/types/src/federation/` — request/response DTOs for `list`, `get`, `capabilities` verbs. Wire-format zod schemas + inferred TS types. Includes `FederationRequest`, `FederationListResponse<T>`, `FederationGetResponse<T>`, `FederationCapabilitiesResponse`, error envelope, `_source` tag. | #462  | sonnet | feat/federation-m3-types             | —                                 | 4K       | Reusable from gateway server + client + harness. Pure types — no I/O, no NestJS.                                                                         |
+| FED-M3-02 | done        | `tools/federation-harness/` scaffold: `docker-compose.two-gateways.yml` (Server A + Server B + step-CA), `seed.ts` (provisions grants, peers, sample tasks/notes/credentials per scope variant), `harness.ts` helper (boots stack, returns typed clients). README documents harness use.               | #462  | sonnet | feat/federation-m3-harness           | DEPLOY-04 (soft)                  | 8K       | Falls back to local docker-compose if `mos-test-1/-2` not yet redeployed (DEPLOY chain blocked on IMG-FIX). Permanent test infra used by M3+.            |
+| FED-M3-03 | done        | `apps/gateway/src/federation/server/federation-auth.guard.ts` (NestJS guard). Validates inbound client cert from Fastify TLS context, extracts `grantId` + `subjectUserId` from custom OIDs, loads grant from DB, asserts `status='active'`, attaches `FederationContext` to request.                  | #462  | sonnet | feat/federation-m3-auth-guard        | M3-01                             | 8K       | Reuses OID parsing logic mirrored from `ca.service.ts` post-issuance verification. 401 on malformed/missing OIDs; 403 on revoked/expired/missing grant.  |
+| FED-M3-04 | in-progress | `apps/gateway/src/federation/server/scope.service.ts`. Pipeline: (1) resource allowlist + excluded check, (2) native RBAC eval as `subjectUserId`, (3) scope filter intersection (`include_teams`, `include_personal`), (4) `max_rows_per_query` cap. Pure service — DB calls injected.                | #462  | sonnet | feat/federation-m3-scope-service     | M3-01                             | 10K      | Hardest correctness target in M3. Reuses `parseFederationScope` (M2-03). Returns either `{ allowed: true, filter }` or structured deny reason for audit. |
+| FED-M3-05 | in-progress | `apps/gateway/src/federation/server/verbs/list.controller.ts`. Wires AuthGuard → ScopeService → tasks/notes/memory query layer; applies row cap; tags rows with `_source`. Resource selector via path param.                                                                                           | #462  | sonnet | feat/federation-m3-verb-list         | M3-03, M3-04                      | 6K       | Routes: `POST /api/federation/v1/list/:resource`. No body persistence. Audit write deferred to M4.                                                       |
+| FED-M3-06 | not-started | `apps/gateway/src/federation/server/verbs/get.controller.ts`. Single-resource fetch by id; same pipeline as list. 404 on not-found, 403 on RBAC/scope deny — both audited the same way.                                                                                                                | #462  | sonnet | feat/federation-m3-verb-get          | M3-03, M3-04                      | 6K       | `POST /api/federation/v1/get/:resource/:id`. Mirrors list controller patterns.                                                                           |
+| FED-M3-07 | done        | `apps/gateway/src/federation/server/verbs/capabilities.controller.ts`. Read-only enumeration: returns `{ resources, excluded_resources, max_rows_per_query, supported_verbs }` derived from grant scope. Always allowed for an active grant — no RBAC eval.                                            | #462  | sonnet | feat/federation-m3-verb-capabilities | M3-03                             | 4K       | `GET /api/federation/v1/capabilities`. Smallest verb; useful sanity check that mTLS + auth guard work end-to-end.                                        |
+| FED-M3-08 | done        | `apps/gateway/src/federation/client/federation-client.service.ts`. Outbound mTLS dialer: picks `(certPem, sealed clientKey)` from `federation_peers`, unwraps key, builds undici Agent with mTLS, calls peer verb, parses typed response, wraps non-2xx into `FederationClientError`.                  | #462  | sonnet | feat/federation-m3-client            | M3-01                             | 8K       | Independent of server stream — can land in parallel with M3-03/04. Cert/key cached per-peer; flushed by future M5/M6 logic.                              |
+| FED-M3-09 | done        | `apps/gateway/src/federation/client/query-source.service.ts`. Accepts `source: "local" \| "federated:<host>" \| "all"` from gateway query layer; for `"all"` fans out to local + each peer in parallel; merges results; tags every row with `_source`.                                                 | #462  | sonnet | feat/federation-m3-query-source      | M3-08                             | 8K       | Per-peer failure surfaces as `_partial: true` in response, not hard failure (sets up M5 offline UX). M5 adds caching + circuit breaker on top.           |
+| FED-M3-10 | not-started | Integration tests for MILESTONES.md M3 acceptance #6 (malformed OIDs → 401; valid cert + revoked grant → 403) and #7 (`max_rows_per_query` cap). Real PG, mocked TLS context (Fastify req shim).                                                                                                       | #462  | sonnet | feat/federation-m3-integration       | M3-05, M3-06                      | 8K       | Vitest profile gated by `FEDERATED_INTEGRATION=1`. Single-gateway suite; no harness required.                                                            |
+| FED-M3-11 | not-started | E2E tests for MILESTONES.md M3 acceptance #1, #2, #3, #4, #5, #8, #9, #10 (8 cases). Uses harness from M3-02; two real gateways, real Step-CA, real mTLS. Each test asserts both happy-path response and audit/no-persist invariants.                                                                  | #462  | sonnet | feat/federation-m3-e2e               | M3-02, M3-04, M3-05, M3-06, M3-09 | 12K      | Largest single task. Each acceptance gets its own `it(...)` for clear failure attribution.                                                               |
+| FED-M3-12 | not-started | Independent security review (sonnet, not author of M3-03/04/05/06/07/08/09): focus on cert-SAN spoofing, OID extraction edge cases, scope-bypass via filter manipulation, RBAC-bypass via subjectUser swap, response leakage when scope deny.                                                          | #462  | sonnet | feat/federation-m3-security-review   | M3-11                             | 10K      | Two review rounds budgeted. PRD requires explicit test for every 401/403 path — review verifies coverage.                                                |
+| FED-M3-13 | not-started | Docs update: `docs/federation/SETUP.md` mTLS handshake section, new `docs/federation/HARNESS.md` for federation-harness usage, OID reference table in SETUP.md, scope enforcement pipeline diagram. Runbook still M7-deferred.                                                                         | #462  | haiku  | feat/federation-m3-docs              | M3-12                             | 5K       | One ASCII diagram for the auth-guard → scope → RBAC pipeline; helps future reviewers reason about denial paths.                                          |
+| FED-M3-14 | not-started | PR aggregate close, CI green, merge to main, close #462. Release tag `fed-v0.3.0-m3`. Update mission manifest M3 row → done; M4 row → in-progress when work begins.                                                                                                                                    | #462  | sonnet | chore/federation-m3-close            | M3-13                             | 3K       | Same close pattern as M1-12 / M2-13.                                                                                                                     |
 
 **M3 estimate:** ~100K tokens (vs MILESTONES.md 40K — same per-task breakdown pattern as M1/M2: tests, review, and docs split out from implementation cost). Largest milestone in the federation mission.
 
@@ -120,6 +120,8 @@ Goal: Two federated gateways exchange real data over mTLS. Inbound requests pass
 
 **Backlog sync — 2026-06-24 (orchestrator):** Status reconciled against `origin/main` (release 0.0.48). Landed on main: **FED-M3-01** (DTOs, PR #506), **FED-M3-02** (harness scaffold, PR #505), **FED-M3-03** (mTLS auth-guard, PR #509 — CRIT-1/2 + HIGH-1..4 remediated in-PR), **FED-M3-08** (outbound mTLS client, PR #508). With M3-01/03/08 merged, three cards became dependency-clear and were dispatched to the idle coder lane: **FED-M3-04** scope.service → coder0 (`feat/federation-m3-scope-service`); **FED-M3-09** query-source + **FED-M3-07** capabilities verb → coder1 (`feat/federation-m3-query-source` first). Reviewer warmed for the M3 trust-boundary PRs. Remaining blocked-by-DAG: M3-05/06 (await M3-04), M3-10 (await M3-05/06), M3-11 (await M3-09), M3-12→14 (tail). Deploy chain (DEPLOY-IMG-FIX → 03/04) still independent of M3 code — harness local docker-compose fallback covers M3-11.
 
+**Backlog sync #2 — 2026-06-24 (orchestrator):** **FED-M3-09** (query-source) merged via PR #673 and **FED-M3-07** (capabilities) merged via PR #674 — both squash-merged on independent agent review-of-record + green CI (formal Gitea approve unavailable under the shared service account; merge is not gated by the self-approve guard). **FED-M3-05** (list verb) dispatched to coder1 (based on the M3-04 branch, rebase onto main once #672 lands). **FED-M3-04** (scope.service, PR #672) is in review-changes (one include_personal no-leak test outstanding). **DAG fix:** corrected `FED-M3-11` depends_on from `M3-02, M3-09` → `M3-02, M3-04, M3-05, M3-06, M3-09` — the E2E acceptance cases (#1–#5, #8–#10) exercise list/get over mTLS, so the server verbs + scope service are hard prerequisites; the original edge set omitted them and caused a premature M3-11 dispatch. Note: M3 read-path invariant for M3-11 is **no-persist + existing enrollment audit only** — read-verb audit-log writes are deferred to M4 (see M3-05/06 notes), so M3-11 must not assert read-audit-log entries.
+
 ## Milestone 4 — search + audit + rate limit (FED-M4)
 
 _Deferred. Issue #463._

docs/scratchpads/462-fed-m3-04-scope-service.md

@@ -1,60 +0,0 @@
-# Scratchpad — FED-M3-04 Scope Service
-
-## Objective
-
-Implement `apps/gateway/src/federation/server/scope.service.ts` for the M3 inbound federation scope-enforcement pipeline.
-
-## Scope / Constraints
-
-- Task: FED-M3-04, issue #462.
-- Branch: `feat/federation-m3-scope-service` from `origin/main` @ 0.0.48.
-- Pure service: no direct DB access; native RBAC/data access is injected per evaluation call.
-- Reuse `parseFederationScope` from M2-03.
-- Workers do not edit `docs/federation/TASKS.md` per repo AGENTS.md.
-
-## Acceptance Criteria
-
-1. Resource allowlist and `excluded_resources` enforced.
-2. Native RBAC evaluated as `subjectUserId` through an injected evaluator.
-3. Scope filter intersection supports `include_teams` and `include_personal` without widening native RBAC.
-4. `max_rows_per_query` caps requested limits.
-5. Service returns `{ allowed: true, filter }` or a structured deny reason usable by M4 audit.
-6. Unit tests cover every deny path.
-
-## Plan
-
-1. Inspect existing federation scope/schema/auth guard contracts.
-2. Add pure `FederationScopeService` plus typed result/filter/deny interfaces.
-3. Add focused unit tests for happy paths, filter intersection, row cap, and deny paths.
-4. Export/register service for future verb controllers.
-5. Run situational tests, baseline gates, code review, then PR.
-
-## Budget
-
-- Provided model tier: sonnet.
-- Estimate from task row: 10K tokens.
-- Working cap assumption: keep implementation focused to FED-M3-04 surfaces only.
-
-## Progress
-
-- Intake complete; dirty base worktree avoided by creating isolated worktree at `/home/jarvis/src/mosaic-mono-v1-fed-m3-04`.
-- Project PRD and federation task spec reviewed.
-- Added `FederationScopeService` with structured allow/deny result types and injected native RBAC evaluator contract.
-- Added unit coverage for happy path, row cap, filter intersection, and every deny path.
-- Exported/registered the service for upcoming M3 verb controllers.
-
-## Verification Evidence
-
-- `pnpm --filter @mosaicstack/gateway test -- src/federation/server/__tests__/scope.service.spec.ts` — pass (10 tests before review update; 11 tests after adding include_personal no-leak coverage).
-- `pnpm build` — pass (23 successful tasks).
-- `pnpm typecheck` — pass (41 successful tasks; re-run after review update).
-- `pnpm lint` — pass (23 successful tasks; re-run after review update).
-- `pnpm format:check` — pass (re-run after review update).
-- `pnpm test` — pass after starting local `postgres`/`valkey` and running `pnpm --filter @mosaicstack/db db:push` for the DB-backed cross-user isolation suite (41 successful tasks; gateway 477 passed / 11 skipped).
-- Code review: `~/.config/mosaic/tools/codex/codex-code-review.sh --uncommitted` — approve, 0 findings.
-- Security review: `~/.config/mosaic/tools/codex/codex-security-review.sh --uncommitted` — risk none, 0 findings.
-
-## Risks / Blockers
-
-- Issue #462 is already closed in provider output; likely milestone tracking mismatch. Will still reference #462 in PR body unless orchestrator redirects.
-- Local full-test setup required `docker compose up -d postgres valkey` + `db:push`; containers were stopped with `docker compose down` after verification.

docs/scratchpads/672-fleet-personas-timeout.md

@@ -0,0 +1,25 @@
+# Scratchpad — fleet-personas spec timeout
+
+## Objective
+
+Raise the `@mosaicstack/mosaic` Vitest timeout to 30s at config level so filesystem-backed fleet drift-guard specs (`fleet-personas`, `fleet-profiles`, and siblings) stop false-reding under contended CI.
+
+## Plan
+
+1. Move timeout policy into `packages/mosaic/vitest.config.ts` with `testTimeout: 30_000`.
+2. Remove the narrower `fleet-personas.spec.ts` local override so PR #677 fixes the suite class, not one file.
+3. Run targeted fleet specs plus typecheck/lint/format gates.
+4. Commit, queue guard, push, PR update.
+
+## Evidence
+
+- `pnpm --filter @mosaicstack/mosaic test -- src/commands/fleet-personas.spec.ts` — pass (8 tests; initial narrow fix).
+- `pnpm typecheck` — pass (41 tasks; initial narrow fix).
+- `pnpm lint` — pass (23 tasks; initial narrow fix).
+- `pnpm format:check` — pass after formatting this scratchpad (initial narrow fix).
+- Package-wide timeout follow-up:
+  - `pnpm --filter @mosaicstack/mosaic test -- src/commands/fleet-personas.spec.ts src/commands/fleet-profiles.spec.ts` — pass (24 tests).
+  - `pnpm --filter @mosaicstack/mosaic test` — pass (44 files / 618 tests).
+  - `pnpm typecheck` — pass (41 tasks).
+  - `pnpm lint` — pass (23 tasks).
+  - `pnpm format:check` — pass.

eslint.config.mjs

@@ -30,6 +30,7 @@ export default tseslint.config(
             'apps/gateway/vitest.config.ts',
             'packages/db/vitest.config.ts',
             'packages/storage/vitest.config.ts',
+            'packages/mosaic/vitest.config.ts',
             'packages/mosaic/__tests__/*.ts',
             'tools/federation-harness/*.ts',
           ],

packages/mosaic/vitest.config.ts

@@ -4,5 +4,6 @@ export default defineConfig({
   test: {
     globals: true,
     environment: 'node',
+    testTimeout: 30_000,
   },
 });

tools/install.sh

@@ -16,6 +16,10 @@
 #   --framework       Install/upgrade framework only (skip npm CLI)
 #   --cli             Install/upgrade npm CLI only (skip framework)
 #   --ref <branch>    Git ref for framework archive (default: main)
+#   --dev             Build CLI + gateway FROM SOURCE at --ref instead of the
+#                     registry @latest. Zero registry writes — packs local
+#                     tarballs and installs them globally. Use to test a branch
+#                     end-to-end before cutting a release.
 #   --yes             Accept all defaults; headless/non-interactive install
 #   --no-auto-launch  Skip automatic mosaic wizard + gateway install on first install
 #   --uninstall       Reverse the install: remove framework dir, CLI package, and npmrc line
@@ -27,6 +31,7 @@
 #   MOSAIC_PREFIX       — npm global prefix          (default: ~/.npm-global)
 #   MOSAIC_NO_COLOR     — disable colour             (set to 1)
 #   MOSAIC_REF          — git ref for framework      (default: main)
+#   MOSAIC_DEV          — equivalent to --dev         (set to 1)
 #   MOSAIC_ASSUME_YES   — equivalent to --yes        (set to 1)
 # ──────────────────────────────────────────────────────────────────────────────
 #
@@ -43,6 +48,7 @@ FLAG_CLI=true
 FLAG_NO_AUTO_LAUNCH=false
 FLAG_YES=false
 FLAG_UNINSTALL=false
+FLAG_DEV=false
 GIT_REF="${MOSAIC_REF:-main}"
 
 # MOSAIC_ASSUME_YES env var acts the same as --yes
@@ -50,12 +56,18 @@ if [[ "${MOSAIC_ASSUME_YES:-0}" == "1" ]]; then
   FLAG_YES=true
 fi
 
+# MOSAIC_DEV env var acts the same as --dev
+if [[ "${MOSAIC_DEV:-0}" == "1" ]]; then
+  FLAG_DEV=true
+fi
+
 while [[ $# -gt 0 ]]; do
   case "$1" in
     --check)          FLAG_CHECK=true; shift ;;
     --framework)      FLAG_CLI=false; shift ;;
     --cli)            FLAG_FRAMEWORK=false; shift ;;
     --ref)            GIT_REF="${2:-main}"; shift 2 ;;
+    --dev)            FLAG_DEV=true; shift ;;
     --yes|-y)         FLAG_YES=true; shift ;;
     --no-auto-launch) FLAG_NO_AUTO_LAUNCH=true; shift ;;
     --uninstall)      FLAG_UNINSTALL=true; shift ;;
@@ -72,6 +84,17 @@ CLI_PKG="${SCOPE}/mosaic"
 REPO_BASE="https://git.mosaicstack.dev/mosaicstack/stack"
 ARCHIVE_URL="${REPO_BASE}/archive/${GIT_REF}.tar.gz"
 
+# In dev (build-from-source) mode the gateway is installed globally from a
+# locally-built tarball. Tell the wizard / gateway-config stage NOT to overwrite
+# it with the registry @latest build (honored by gatewayConfigStage).
+if [[ "$FLAG_DEV" == "true" ]]; then
+  export MOSAIC_GATEWAY_SKIP_NPM_INSTALL=1
+fi
+
+# Shared monorepo checkout (populated on demand by ensure_monorepo).
+WORK_DIR=""
+EXTRACTED_DIR=""
+
 # ─── uninstall path ───────────────────────────────────────────────────────────
 # Shell-level uninstall for when the CLI is broken or not available.
 # Handles: framework directory, npm CLI package, npmrc scope line.
@@ -239,6 +262,99 @@ framework_version() {
   fi
 }
 
+# Download + extract the monorepo archive at $GIT_REF exactly once per run.
+# Sets the script-level EXTRACTED_DIR to the repo root. Reused by both the
+# framework install (Part 1) and the dev build-from-source path (Part 2).
+ensure_monorepo() {
+  if [[ -n "$EXTRACTED_DIR" ]] && [[ -d "$EXTRACTED_DIR" ]]; then
+    return 0
+  fi
+
+  require_cmd tar
+
+  WORK_DIR="$(mktemp -d "${TMPDIR:-/tmp}/mosaic-install-XXXXXX")"
+  # shellcheck disable=SC2317
+  cleanup_work() { [[ -n "$WORK_DIR" ]] && rm -rf "$WORK_DIR"; }
+  trap cleanup_work EXIT
+
+  info "Downloading source from ${GIT_REF}…"
+  if command -v curl &>/dev/null; then
+    curl -fsSL "$ARCHIVE_URL" | tar xz -C "$WORK_DIR"
+  elif command -v wget &>/dev/null; then
+    wget -qO- "$ARCHIVE_URL" | tar xz -C "$WORK_DIR"
+  else
+    fail "curl or wget required to download source."
+    exit 1
+  fi
+
+  # Gitea archives extract to <repo-name>/ inside the work dir
+  EXTRACTED_DIR="$(find "$WORK_DIR" -maxdepth 1 -mindepth 1 -type d | head -1)"
+  if [[ -z "$EXTRACTED_DIR" ]] || [[ ! -d "$EXTRACTED_DIR" ]]; then
+    fail "Could not locate extracted source in archive."
+    ls -la "$WORK_DIR" >&2
+    exit 1
+  fi
+}
+
+# Build @mosaicstack/mosaic + @mosaicstack/gateway from source and install both
+# globally from locally-packed tarballs. ZERO registry writes. Workspace deps
+# (brain/config/db/…) are pulled from the registry at the versions pinned in
+# each package.json — `pnpm pack` rewrites `workspace:*` to those versions.
+install_cli_from_source() {
+  local src="$EXTRACTED_DIR"
+  local out_dir="$WORK_DIR/dist-tarballs"
+  mkdir -p "$out_dir"
+
+  # pnpm via corepack (ships with Node >= 16.9; required by Node >= 20 preflight).
+  # Pin to the repo's packageManager version so the build matches CI. Surface
+  # corepack failures so the fresh-machine case gives an actionable error
+  # instead of a bare "command not found".
+  if ! command -v pnpm &>/dev/null; then
+    info "Activating pnpm via corepack…"
+    corepack enable 2>&1 | sed 's/^/  /' || warn "corepack enable failed — pnpm may need manual install."
+    corepack prepare pnpm@10.6.2 --activate 2>&1 | sed 's/^/  /' \
+      || warn "corepack prepare failed — pnpm may need manual install."
+  fi
+  if ! command -v pnpm &>/dev/null; then
+    fail "pnpm not available after corepack activation."
+    echo "  Install pnpm manually (https://pnpm.io/installation) and re-run with --dev."
+    exit 1
+  fi
+
+  info "Installing workspace dependencies (pnpm install)…"
+  ( cd "$src" && pnpm install ) 2>&1 | sed 's/^/  /'
+
+  info "Building CLI + gateway from source…"
+  ( cd "$src" && pnpm --filter "@mosaicstack/mosaic..." --filter "@mosaicstack/gateway..." run build ) 2>&1 | sed 's/^/  /'
+
+  info "Packing local tarballs…"
+  ( cd "$src/packages/mosaic" && pnpm pack --pack-destination "$out_dir" ) 2>&1 | sed 's/^/  /'
+  ( cd "$src/apps/gateway"    && pnpm pack --pack-destination "$out_dir" ) 2>&1 | sed 's/^/  /'
+
+  local cli_tgz gw_tgz
+  cli_tgz="$(ls -1t "$out_dir"/mosaicstack-mosaic-*.tgz 2>/dev/null | head -1)"
+  gw_tgz="$(ls -1t "$out_dir"/mosaicstack-gateway-*.tgz 2>/dev/null | head -1)"
+
+  if [[ ! -f "$cli_tgz" ]]; then
+    fail "CLI tarball was not produced by pnpm pack."
+    exit 1
+  fi
+  if [[ ! -f "$gw_tgz" ]]; then
+    fail "Gateway tarball was not produced by pnpm pack."
+    exit 1
+  fi
+
+  # Gateway first so it is present globally before the CLI's wizard runs (which
+  # skips its own gateway install via MOSAIC_GATEWAY_SKIP_NPM_INSTALL=1).
+  info "Installing gateway from source tarball (global)…"
+  npm install -g "$gw_tgz" --prefix="$PREFIX" 2>&1 | sed 's/^/  /'
+
+  info "Installing CLI from source tarball (global)…"
+  npm install -g "$cli_tgz" --prefix="$PREFIX" 2>&1 | sed 's/^/  /'
+
+  ok "Installed from source: CLI $(installed_cli_version)"
+}
+
 # ─── preflight ────────────────────────────────────────────────────────────────
 
 require_cmd node
@@ -282,25 +398,8 @@ if [[ "$FLAG_FRAMEWORK" == "true" ]]; then
       warn "Framework not installed."
     fi
   else
-    # Download repo archive and extract framework
-    require_cmd tar
-
-    WORK_DIR="$(mktemp -d "${TMPDIR:-/tmp}/mosaic-install-XXXXXX")"
-    cleanup_work() { rm -rf "$WORK_DIR"; }
-    trap cleanup_work EXIT
-
-    info "Downloading framework from ${GIT_REF}…"
-    if command -v curl &>/dev/null; then
-      curl -fsSL "$ARCHIVE_URL" | tar xz -C "$WORK_DIR"
-    elif command -v wget &>/dev/null; then
-      wget -qO- "$ARCHIVE_URL" | tar xz -C "$WORK_DIR"
-    else
-      fail "curl or wget required to download framework."
-      exit 1
-    fi
-
-    # Gitea archives extract to <repo-name>/ inside the work dir
-    EXTRACTED_DIR="$(find "$WORK_DIR" -maxdepth 1 -mindepth 1 -type d | head -1)"
+    # Download repo archive and extract framework (shared with the dev build)
+    ensure_monorepo
     FRAMEWORK_SRC="$EXTRACTED_DIR/packages/mosaic/framework"
 
     if [[ ! -d "$FRAMEWORK_SRC" ]]; then
@@ -356,7 +455,11 @@ if [[ "$FLAG_CLI" == "true" ]]; then
   fi
 
   CURRENT="$(installed_cli_version)"
-  LATEST="$(latest_cli_version)"
+  if [[ "$FLAG_DEV" == "true" ]]; then
+    LATEST=""
+  else
+    LATEST="$(latest_cli_version)"
+  fi
 
   if [[ -n "$CURRENT" ]]; then
     dim "  Installed: ${CLI_PKG}@${CURRENT}"
@@ -364,7 +467,9 @@ if [[ "$FLAG_CLI" == "true" ]]; then
     dim "  Installed: (none)"
   fi
 
-  if [[ -n "$LATEST" ]]; then
+  if [[ "$FLAG_DEV" == "true" ]]; then
+    dim "  Source:    ${REPO_BASE} (ref: ${GIT_REF}, build-from-source)"
+  elif [[ -n "$LATEST" ]]; then
     dim "  Latest:    ${CLI_PKG}@${LATEST}"
   else
     dim "  Latest:    (registry unreachable)"
@@ -372,7 +477,9 @@ if [[ "$FLAG_CLI" == "true" ]]; then
   echo ""
 
   if [[ "$FLAG_CHECK" == "true" ]]; then
-    if [[ -z "$LATEST" ]]; then
+    if [[ "$FLAG_DEV" == "true" ]]; then
+      info "Dev mode: installed version is ${CURRENT:-(none)} (no registry comparison)."
+    elif [[ -z "$LATEST" ]]; then
       warn "Could not reach registry."
     elif [[ -z "$CURRENT" ]]; then
       warn "Not installed."
@@ -383,6 +490,16 @@ if [[ "$FLAG_CLI" == "true" ]]; then
     else
       ok "Up to date (or ahead of registry)."
     fi
+  elif [[ "$FLAG_DEV" == "true" ]]; then
+    info "Dev mode — building CLI + gateway from source at ref ${GIT_REF}…"
+    ensure_monorepo
+    install_cli_from_source
+
+    # PATH check for npm prefix
+    if [[ ":$PATH:" != *":$PREFIX/bin:"* ]]; then
+      warn "$PREFIX/bin is not on your PATH"
+      dim "  Add to your shell rc:  export PATH=\"$PREFIX/bin:\$PATH\""
+    fi
   else
     if [[ -z "$LATEST" ]]; then
       warn "Could not reach registry at $REGISTRY — skipping npm CLI."