chore: move gateway default port from 4000 to 14242

Port 4000 collides with too many dev tools (Phoenix, GraphQL tools, etc.). Switch to 14242 — unregistered with IANA, no known conflicts, safely within the User Ports range and outside Linux ephemeral port range (32768+). Updates all hardcoded defaults across gateway, web client, CLI commands, playwright config, .env.example, and docs. Bumps @mosaic/cli and @mosaic/mosaic to 0.0.14. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-04 15:16:54 -05:00
22 changed files with 61 additions and 61 deletions
--- a/.env.example
+++ b/.env.example
@@ -23,8 +23,8 @@ VALKEY_URL=redis://localhost:6380


 # ─── Gateway ─────────────────────────────────────────────────────────────────
-# TCP port the NestJS/Fastify gateway listens on (default: 4000)
-GATEWAY_PORT=4000
+# TCP port the NestJS/Fastify gateway listens on (default: 14242)
+GATEWAY_PORT=14242

 # Comma-separated list of allowed CORS origins.
 # Must include the web app origin in production.
@@ -37,12 +37,12 @@ GATEWAY_CORS_ORIGIN=http://localhost:3000
 BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string

 # Public base URL of the gateway (used by BetterAuth for callback URLs)
-BETTER_AUTH_URL=http://localhost:4000
+BETTER_AUTH_URL=http://localhost:14242


 # ─── Web App (Next.js) ───────────────────────────────────────────────────────
 # Public gateway URL — accessible from the browser, not just the server.
-NEXT_PUBLIC_GATEWAY_URL=http://localhost:4000
+NEXT_PUBLIC_GATEWAY_URL=http://localhost:14242


 # ─── OpenTelemetry ───────────────────────────────────────────────────────────
@@ -121,12 +121,12 @@ OTEL_SERVICE_NAME=mosaic-gateway
 # ─── Discord Plugin (optional — set DISCORD_BOT_TOKEN to enable) ─────────────
 # DISCORD_BOT_TOKEN=
 # DISCORD_GUILD_ID=
-# DISCORD_GATEWAY_URL=http://localhost:4000
+# DISCORD_GATEWAY_URL=http://localhost:14242


 # ─── Telegram Plugin (optional — set TELEGRAM_BOT_TOKEN to enable) ───────────
 # TELEGRAM_BOT_TOKEN=
-# TELEGRAM_GATEWAY_URL=http://localhost:4000
+# TELEGRAM_GATEWAY_URL=http://localhost:14242


 # ─── SSO Providers (add credentials to enable) ───────────────────────────────
--- a/apps/gateway/src/auth/auth.module.ts
+++ b/apps/gateway/src/auth/auth.module.ts
@@ -14,7 +14,7 @@ import { SsoController } from './sso.controller.js';
      useFactory: (db: Db): Auth =>
        createAuth({
          db,
-          baseURL: process.env['BETTER_AUTH_URL'] ?? 'http://localhost:4000',
+          baseURL: process.env['BETTER_AUTH_URL'] ?? 'http://localhost:14242',
          secret: process.env['BETTER_AUTH_SECRET'],
        }),
      inject: [DB],
--- a/apps/gateway/src/main.ts
+++ b/apps/gateway/src/main.ts
@@ -59,7 +59,7 @@ async function bootstrap(): Promise<void> {
  mountAuthHandler(app);
  mountMcpHandler(app, app.get(McpService));

-  const port = Number(process.env['GATEWAY_PORT'] ?? 4000);
+  const port = Number(process.env['GATEWAY_PORT'] ?? 14242);
  await app.listen(port, '0.0.0.0');
  logger.log(`Gateway listening on port ${port}`);
 }
--- a/apps/gateway/src/plugin/plugin.module.ts
+++ b/apps/gateway/src/plugin/plugin.module.ts
@@ -48,7 +48,7 @@ class TelegramChannelPluginAdapter implements IChannelPlugin {
  }
 }

-const DEFAULT_GATEWAY_URL = 'http://localhost:4000';
+const DEFAULT_GATEWAY_URL = 'http://localhost:14242';

 function createPluginRegistry(): IChannelPlugin[] {
  const plugins: IChannelPlugin[] = [];
--- a/apps/web/playwright.config.ts
+++ b/apps/web/playwright.config.ts
@@ -5,7 +5,7 @@ import { defineConfig, devices } from '@playwright/test';
 *
 * Assumes:
 *   - Next.js web app running on http://localhost:3000
- *   - NestJS gateway running on http://localhost:4000
+ *   - NestJS gateway running on http://localhost:14242
 *
 * Run with:   pnpm --filter @mosaic/web test:e2e
 */
--- a/apps/web/src/lib/api.ts
+++ b/apps/web/src/lib/api.ts
@@ -1,4 +1,4 @@
-const GATEWAY_URL = process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:4000';
+const GATEWAY_URL = process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:14242';

 export interface ApiRequestInit extends Omit<RequestInit, 'body'> {
  body?: unknown;
--- a/apps/web/src/lib/auth-client.ts
+++ b/apps/web/src/lib/auth-client.ts
@@ -2,7 +2,7 @@ import { createAuthClient } from 'better-auth/react';
 import { adminClient, genericOAuthClient } from 'better-auth/client/plugins';

 export const authClient = createAuthClient({
-  baseURL: process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:4000',
+  baseURL: process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:14242',
  plugins: [adminClient(), genericOAuthClient()],
 });

--- a/apps/web/src/lib/socket.ts
+++ b/apps/web/src/lib/socket.ts
@@ -1,6 +1,6 @@
 import { io, type Socket } from 'socket.io-client';

-const GATEWAY_URL = process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:4000';
+const GATEWAY_URL = process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:14242';

 let socket: Socket | null = null;

--- a/docs/TASKS-TUI_Improvements.md
+++ b/docs/TASKS-TUI_Improvements.md
@@ -93,7 +93,7 @@ packages/cli/src/tui/
 cd /home/jwoltje/src/mosaic-mono-v1-worktrees/tui-improvements
 pnpm --filter @mosaic/cli exec tsx src/cli.ts tui
 # or after build:
-node packages/cli/dist/cli.js tui --gateway http://localhost:4000
+node packages/cli/dist/cli.js tui --gateway http://localhost:14242
 ```

 ### Quality Gates
--- a/docs/guides/admin-guide.md
+++ b/docs/guides/admin-guide.md
@@ -229,11 +229,11 @@ external clients. Authentication requires a valid BetterAuth session (cookie or

 ### Gateway

-| Variable              | Default                 | Description                                    |
-| --------------------- | ----------------------- | ---------------------------------------------- |
-| `GATEWAY_PORT`        | `4000`                  | Port the gateway listens on                    |
-| `GATEWAY_CORS_ORIGIN` | `http://localhost:3000` | Allowed CORS origin for browser clients        |
-| `BETTER_AUTH_URL`     | `http://localhost:4000` | Public URL of the gateway (used by BetterAuth) |
+| Variable              | Default                  | Description                                    |
+| --------------------- | ------------------------ | ---------------------------------------------- |
+| `GATEWAY_PORT`        | `14242`                  | Port the gateway listens on                    |
+| `GATEWAY_CORS_ORIGIN` | `http://localhost:3000`  | Allowed CORS origin for browser clients        |
+| `BETTER_AUTH_URL`     | `http://localhost:14242` | Public URL of the gateway (used by BetterAuth) |

 ### SSO (Optional)

@@ -292,13 +292,13 @@ Each OIDC provider requires its client ID, client secret, and issuer URL togethe

 ### Plugins

-| Variable               | Description                                                               |
-| ---------------------- | ------------------------------------------------------------------------- |
-| `DISCORD_BOT_TOKEN`    | Discord bot token (enables Discord plugin)                                |
-| `DISCORD_GUILD_ID`     | Discord guild/server ID                                                   |
-| `DISCORD_GATEWAY_URL`  | Gateway URL for Discord plugin to call (default: `http://localhost:4000`) |
-| `TELEGRAM_BOT_TOKEN`   | Telegram bot token (enables Telegram plugin)                              |
-| `TELEGRAM_GATEWAY_URL` | Gateway URL for Telegram plugin to call                                   |
+| Variable               | Description                                                                |
+| ---------------------- | -------------------------------------------------------------------------- |
+| `DISCORD_BOT_TOKEN`    | Discord bot token (enables Discord plugin)                                 |
+| `DISCORD_GUILD_ID`     | Discord guild/server ID                                                    |
+| `DISCORD_GATEWAY_URL`  | Gateway URL for Discord plugin to call (default: `http://localhost:14242`) |
+| `TELEGRAM_BOT_TOKEN`   | Telegram bot token (enables Telegram plugin)                               |
+| `TELEGRAM_GATEWAY_URL` | Gateway URL for Telegram plugin to call                                    |

 ### Observability

@@ -309,9 +309,9 @@ Each OIDC provider requires its client ID, client secret, and issuer URL togethe

 ### Web App

-| Variable                  | Default                 | Description                            |
-| ------------------------- | ----------------------- | -------------------------------------- |
-| `NEXT_PUBLIC_GATEWAY_URL` | `http://localhost:4000` | Gateway URL used by the Next.js client |
+| Variable                  | Default                  | Description                            |
+| ------------------------- | ------------------------ | -------------------------------------- |
+| `NEXT_PUBLIC_GATEWAY_URL` | `http://localhost:14242` | Gateway URL used by the Next.js client |

 ### Coordination

--- a/docs/guides/deployment.md
+++ b/docs/guides/deployment.md
@@ -194,7 +194,7 @@ server {

    # WebSocket support (for chat.gateway.ts / Socket.IO)
    location /socket.io/ {
-        proxy_pass http://127.0.0.1:4000;
+        proxy_pass http://127.0.0.1:14242;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
@@ -204,7 +204,7 @@ server {

    # REST + auth
    location / {
-        proxy_pass http://127.0.0.1:4000;
+        proxy_pass http://127.0.0.1:14242;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -234,11 +234,11 @@ server {
 # /etc/caddy/Caddyfile

 your-domain.example.com {
-    reverse_proxy /socket.io/* localhost:4000 {
+    reverse_proxy /socket.io/* localhost:14242 {
        header_up Upgrade {http.upgrade}
        header_up Connection {http.connection}
    }
-    reverse_proxy localhost:4000
+    reverse_proxy localhost:14242
 }

 app.your-domain.example.com {
@@ -328,7 +328,7 @@ MaxRetentionSec=30day
 - Set `BETTER_AUTH_SECRET` to a cryptographically random value (`openssl rand -base64 32`).
 - Restrict `GATEWAY_CORS_ORIGIN` to your exact frontend origin — do not use `*`.
 - Run services as a dedicated non-root system user (e.g., `mosaic`).
- Firewall: only expose ports 80/443 externally; keep 4000 and 3000 bound to `127.0.0.1`.
+- Firewall: only expose ports 80/443 externally; keep 14242 and 3000 bound to `127.0.0.1`.
 - Set `AGENT_FILE_SANDBOX_DIR` to a directory outside the application root to prevent agent tools from accessing source code.
 - If using `AGENT_USER_TOOLS`, enumerate only the tools non-admin users need.

--- a/docs/guides/dev-guide.md
+++ b/docs/guides/dev-guide.md
@@ -112,11 +112,11 @@ DATABASE_URL=postgresql://mosaic:mosaic@localhost:5433/mosaic
 BETTER_AUTH_SECRET=change-me-to-a-random-secret

 # Gateway
-GATEWAY_PORT=4000
+GATEWAY_PORT=14242
 GATEWAY_CORS_ORIGIN=http://localhost:3000

 # Web
-NEXT_PUBLIC_GATEWAY_URL=http://localhost:4000
+NEXT_PUBLIC_GATEWAY_URL=http://localhost:14242

 # Optional: Ollama
 OLLAMA_BASE_URL=http://localhost:11434
@@ -141,7 +141,7 @@ migrations in production).
 pnpm --filter @mosaic/gateway exec tsx src/main.ts
 ```

-The gateway starts on port `4000` by default.
+The gateway starts on port `14242` by default.

 ### 6. Start the Web App

@@ -395,7 +395,7 @@ directory are defined there.

 ## API Endpoint Reference

-All endpoints are served by the gateway at `http://localhost:4000` by default.
+All endpoints are served by the gateway at `http://localhost:14242` by default.

 ### Authentication

--- a/docs/guides/user-guide.md
+++ b/docs/guides/user-guide.md
@@ -16,7 +16,7 @@
 ### Prerequisites

 Mosaic Stack requires a running gateway. Your administrator provides the URL
-(default: `http://localhost:4000`) and creates your account.
+(default: `http://localhost:14242`) and creates your account.

 ### Logging In (Web)

@@ -177,7 +177,7 @@ mosaic --help
 ### Signing In

 ```bash
-mosaic login --gateway http://localhost:4000 --email you@example.com
+mosaic login --gateway http://localhost:14242 --email you@example.com
 ```

 You are prompted for a password if `--password` is not supplied. The session
@@ -191,12 +191,12 @@ mosaic tui

 Options:

-| Flag                    | Default                 | Description                        |
-| ----------------------- | ----------------------- | ---------------------------------- |
-| `--gateway <url>`       | `http://localhost:4000` | Gateway URL                        |
-| `--conversation <id>`   | —                       | Resume a specific conversation     |
-| `--model <modelId>`     | server default          | Model to use (e.g. `llama3.2`)     |
-| `--provider <provider>` | server default          | Provider (e.g. `ollama`, `openai`) |
+| Flag                    | Default                  | Description                        |
+| ----------------------- | ------------------------ | ---------------------------------- |
+| `--gateway <url>`       | `http://localhost:14242` | Gateway URL                        |
+| `--conversation <id>`   | —                        | Resume a specific conversation     |
+| `--model <modelId>`     | server default           | Model to use (e.g. `llama3.2`)     |
+| `--provider <provider>` | server default           | Provider (e.g. `ollama`, `openai`) |

 If no valid session exists you are prompted to sign in before the TUI launches.

--- a/packages/auth/src/auth.ts
+++ b/packages/auth/src/auth.ts
@@ -35,7 +35,7 @@ export function createAuth(config: AuthConfig) {
      provider: 'pg',
      usePlural: true,
    }),
-    baseURL: baseURL ?? process.env['BETTER_AUTH_URL'] ?? 'http://localhost:4000',
+    baseURL: baseURL ?? process.env['BETTER_AUTH_URL'] ?? 'http://localhost:14242',
    secret: secret ?? process.env['BETTER_AUTH_SECRET'],
    basePath: '/api/auth',
    trustedOrigins,
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@mosaic/cli",
-  "version": "0.0.13",
+  "version": "0.0.14",
  "repository": {
    "type": "git",
    "url": "https://git.mosaicstack.dev/mosaic/mosaic-stack.git",
--- a/packages/cli/src/cli.ts
+++ b/packages/cli/src/cli.ts
@@ -33,7 +33,7 @@ registerLaunchCommands(program);
 program
  .command('login')
  .description('Sign in to a Mosaic gateway')
-  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
+  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:14242')
  .option('-e, --email <email>', 'Email address')
  .option('-p, --password <password>', 'Password')
  .action(async (opts: { gateway: string; email?: string; password?: string }) => {
@@ -67,7 +67,7 @@ program
 program
  .command('tui')
  .description('Launch interactive TUI connected to the gateway')
-  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
+  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:14242')
  .option('-c, --conversation <id>', 'Resume a conversation by ID')
  .option('-m, --model <modelId>', 'Model ID to use (e.g. gpt-4o, llama3.2)')
  .option('-p, --provider <provider>', 'Provider to use (e.g. openai, ollama)')
@@ -208,7 +208,7 @@ const sessionsCmd = program.command('sessions').description('Manage active agent
 sessionsCmd
  .command('list')
  .description('List active agent sessions')
-  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
+  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:14242')
  .action(async (opts: { gateway: string }) => {
    const { withAuth } = await import('./commands/with-auth.js');
    const auth = await withAuth(opts.gateway);
@@ -243,7 +243,7 @@ sessionsCmd
 sessionsCmd
  .command('resume <id>')
  .description('Resume an existing agent session in the TUI')
-  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
+  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:14242')
  .action(async (id: string, opts: { gateway: string }) => {
    const { loadSession, validateSession } = await import('./auth.js');

@@ -276,7 +276,7 @@ sessionsCmd
 sessionsCmd
  .command('destroy <id>')
  .description('Terminate an active agent session')
-  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
+  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:14242')
  .action(async (id: string, opts: { gateway: string }) => {
    const { withAuth } = await import('./commands/with-auth.js');
    const auth = await withAuth(opts.gateway);
--- a/packages/cli/src/commands/agent.ts
+++ b/packages/cli/src/commands/agent.ts
@@ -34,7 +34,7 @@ export function registerAgentCommand(program: Command) {
  const cmd = program
    .command('agent')
    .description('Manage agent configurations')
-    .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
+    .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:14242')
    .option('--list', 'List all agents')
    .option('--new', 'Create a new agent')
    .option('--show <idOrName>', 'Show agent details')
--- a/packages/cli/src/commands/gateway.ts
+++ b/packages/cli/src/commands/gateway.ts
@@ -17,7 +17,7 @@ function resolveOpts(raw: GatewayParentOpts): { host: string; port: number; toke
  const meta = readMeta();
  return {
    host: raw.host ?? meta?.host ?? 'localhost',
-    port: parseInt(raw.port, 10) || meta?.port || 4000,
+    port: parseInt(raw.port, 10) || meta?.port || 14242,
    token: raw.token ?? meta?.adminToken,
  };
 }
@@ -28,7 +28,7 @@ export function registerGatewayCommand(program: Command): void {
    .description('Manage the Mosaic gateway daemon')
    .helpOption('--help', 'Display help')
    .option('-h, --host <host>', 'Gateway host', 'localhost')
-    .option('-p, --port <port>', 'Gateway port', '4000')
+    .option('-p, --port <port>', 'Gateway port', '14242')
    .option('-t, --token <token>', 'Admin API token')
    .action(() => {
      gw.outputHelp();
--- a/packages/cli/src/commands/gateway/install.ts
+++ b/packages/cli/src/commands/gateway/install.ts
@@ -67,7 +67,7 @@ async function doInstall(rl: ReturnType<typeof createInterface>, opts: InstallOp
  const tier = tierAnswer === '2' ? 'team' : 'local';

  const port =
-    opts.port !== 4000
+    opts.port !== 14242
      ? opts.port
      : parseInt(
          (await prompt(rl, `Gateway port [${opts.port.toString()}]: `)) || opts.port.toString(),
--- a/packages/cli/src/commands/mission.ts
+++ b/packages/cli/src/commands/mission.ts
@@ -40,7 +40,7 @@ export function registerMissionCommand(program: Command) {
  const cmd = program
    .command('mission')
    .description('Manage missions')
-    .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
+    .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:14242')
    .option('--list', 'List all missions')
    .option('--init', 'Create a new mission')
    .option('--plan <idOrName>', 'Run PRD wizard for a mission')
@@ -86,7 +86,7 @@ export function registerMissionCommand(program: Command) {
  cmd
    .command('task')
    .description('Manage mission tasks')
-    .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
+    .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:14242')
    .option('--list', 'List tasks for a mission')
    .option('--new', 'Create a task')
    .option('--update <taskId>', 'Update a task')
--- a/packages/cli/src/commands/prdy.ts
+++ b/packages/cli/src/commands/prdy.ts
@@ -6,7 +6,7 @@ export function registerPrdyCommand(program: Command) {
  const cmd = program
    .command('prdy')
    .description('PRD wizard — create and manage Product Requirement Documents')
-    .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
+    .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:14242')
    .option('--init [name]', 'Create a new PRD')
    .option('--update [name]', 'Update an existing PRD')
    .option('--project <idOrName>', 'Scope to project')
--- a/packages/mosaic/package.json
+++ b/packages/mosaic/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@mosaic/mosaic",
-  "version": "0.0.13",
+  "version": "0.0.14",
  "repository": {
    "type": "git",
    "url": "https://git.mosaicstack.dev/mosaic/mosaic-stack.git",