mosaicstack/stack
1
0
Fork 0
Code Issues 23 Pull Requests 3 Actions Packages Projects Releases 14 Wiki Activity

Compare commits

base: mosaicstack:feat/us007-agent-registration
Branches Tags
mosaicstack:main mosaicstack:fix/tooling-eval-injection-jq-json mosaicstack:feat/agent-send-class mosaicstack:fix/wrapper-hardening-tls-credpath-cicwait mosaicstack:docs/framework-agency-patterns mosaicstack:feat/framework-constitution-alpha mosaicstack:feat/us007-agent-registration mosaicstack:docs/merge-authority-rule mosaicstack:feat/mosaic-as-provisioning mosaicstack:fix/pr-ci-wait-stdin-collision mosaicstack:fix/t_301e4e3b-pr-merge-gitea-empty-uid mosaicstack:ci/publish-appservice-image mosaicstack:feat/mosaic-as-daemon mosaicstack:feat/mosaic-as-m4a mosaicstack:fix/pi-token-lean-skills mosaicstack:fix/git-wrapper-rollup-20260526 mosaicstack:fix/git-wrapper-repo-detection mosaicstack:fix/woodpecker-wrapper-legacy-mosaic mosaicstack:fix/t-a292e96f-gitea-pr-metadata mosaicstack:fix/gitea-pr-metadata-login-t-a292e96f mosaicstack:fix/t_a292e96f-pr-metadata-gitea mosaicstack:fix/t_3a368a52-gitea-usc-login mosaicstack:fix/bootstrap-hotfix mosaicstack:fix/populate-known-packages-list mosaicstack:fix/idempotent-init
mosaicstack:mosaic-v0.0.31 mosaicstack:fed-v0.2.0-m2 mosaicstack:fed-v0.1.0-m1 mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4
..
compare: mosaicstack:647fd9a8356a9fd1191f212f60e2c4c400106f5c
Branches Tags
mosaicstack:main mosaicstack:fix/tooling-eval-injection-jq-json mosaicstack:feat/agent-send-class mosaicstack:fix/wrapper-hardening-tls-credpath-cicwait mosaicstack:docs/framework-agency-patterns mosaicstack:feat/framework-constitution-alpha mosaicstack:feat/us007-agent-registration mosaicstack:docs/merge-authority-rule mosaicstack:feat/mosaic-as-provisioning mosaicstack:fix/pr-ci-wait-stdin-collision mosaicstack:fix/t_301e4e3b-pr-merge-gitea-empty-uid mosaicstack:ci/publish-appservice-image mosaicstack:feat/mosaic-as-daemon mosaicstack:feat/mosaic-as-m4a mosaicstack:fix/pi-token-lean-skills mosaicstack:fix/git-wrapper-rollup-20260526 mosaicstack:fix/git-wrapper-repo-detection mosaicstack:fix/woodpecker-wrapper-legacy-mosaic mosaicstack:fix/t-a292e96f-gitea-pr-metadata mosaicstack:fix/gitea-pr-metadata-login-t-a292e96f mosaicstack:fix/t_a292e96f-pr-metadata-gitea mosaicstack:fix/t_3a368a52-gitea-usc-login mosaicstack:fix/bootstrap-hotfix mosaicstack:fix/populate-known-packages-list mosaicstack:fix/idempotent-init
mosaicstack:mosaic-v0.0.31 mosaicstack:fed-v0.2.0-m2 mosaicstack:fed-v0.1.0-m1 mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4

2 Commits
feat/us007 ... 647fd9a835

Author SHA1 Message Date
Jason Woltje
647fd9a835 docs: note new-session trigger for mission toolset reload
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
2026-06-11 13:20:41 -05:00
Jason Woltje
b31699de81 docs: add mission control and coordination resilience docs 2026-06-11 13:20:19 -05:00
50 changed files with 91 additions and 2539 deletions
Expand all files Collapse all files

236
apps/appservice/src/__tests__/server.test.ts
View File

@@ -3,8 +3,6 @@ import { describe, expect, it, vi } from 'vitest';
import { AppserviceDaemon } from '../server.js';
import type { DaemonConfig, DaemonRequest } from '../server.js';
const AGENTS_TYPE = 'org.uscllc.mosaic_as.agents';
const cfg: DaemonConfig = {
homeserverUrl: 'https://hs.example',
domain: 'hs.example',
@@ -139,240 +137,6 @@ describe('AppserviceDaemon routing', () => {
expect(res.status).toBe(405);
});
it('provisions a room as the AS sender with space linking', async () => {
const calls: Array<{ url: URL; body: unknown }> = [];
const fetchMock = vi.fn(async (input: URL | string, init?: RequestInit) => {
const url = new URL(String(input));
calls.push({ url, body: init?.body ? JSON.parse(String(init.body)) : undefined });
if (url.pathname.endsWith('/createRoom'))
return jsonResponse(200, { room_id: '!new:hs.example' });
return jsonResponse(200, {});
});
const daemon = new AppserviceDaemon(cfg, fetchMock as unknown as typeof fetch, () => {});
const res = await daemon.handle(
request({
method: 'POST',
path: '/bridge/v1/provision/rooms',
authorizationHeader: 'Bearer bridge-secret',
body: {
name: 'proj-x',
alias: 'mosaic-proj-x',
invite: ['@jason.woltje:hs.example'],
space_id: '!space:hs.example',
},
}),
);
expect(res.status).toBe(200);
expect(res.body.room_id).toBe('!new:hs.example');
expect(res.body.space_linked).toBe(true);
const create = calls.find((c) => c.url.pathname.endsWith('/createRoom'));
expect(create!.url.searchParams.get('user_id')).toBe('@mosaic-as:hs.example');
const body = create!.body as Record<string, unknown>;
expect(body.room_alias_name).toBe('mosaic-proj-x');
expect((body.power_level_content_override as Record<string, unknown>).users).toEqual({
'@mosaic-as:hs.example': 100,
});
expect(calls.some((c) => c.url.pathname.includes('/state/m.space.child/'))).toBe(true);
expect(calls.some((c) => c.url.pathname.includes('/state/m.space.parent/'))).toBe(true);
});
it('space-link failure still returns the room id (no orphan)', async () => {
const fetchMock = vi.fn(async (input: URL | string) => {
const url = new URL(String(input));
if (url.pathname.endsWith('/createRoom'))
return jsonResponse(200, { room_id: '!new:hs.example' });
if (url.pathname.includes('/state/m.space.child/'))
return jsonResponse(403, { errcode: 'M_FORBIDDEN', error: 'no PL in space' });
return jsonResponse(200, {});
});
const daemon = new AppserviceDaemon(cfg, fetchMock as unknown as typeof fetch, () => {});
const res = await daemon.handle(
request({
method: 'POST',
path: '/bridge/v1/provision/rooms',
authorizationHeader: 'Bearer bridge-secret',
body: { name: 'proj-x', space_id: '!space:hs.example' },
}),
);
expect(res.status).toBe(200);
expect(res.body.room_id).toBe('!new:hs.example');
expect(res.body.space_linked).toBe(false);
expect(String(res.body.space_error)).toContain('403');
});
it('invite list cap enforced', async () => {
const { daemon } = makeDaemon();
const res = await daemon.handle(
request({
method: 'POST',
path: '/bridge/v1/provision/rooms',
authorizationHeader: 'Bearer bridge-secret',
body: { name: 'x', invite: Array.from({ length: 51 }, (_, i) => `@u${i}:hs`) },
}),
);
expect(res.status).toBe(400);
});
it('provision rejects bad payloads and requires auth', async () => {
const { daemon } = makeDaemon();
const noAuth = await daemon.handle(
request({ method: 'POST', path: '/bridge/v1/provision/rooms', body: { name: 'x' } }),
);
expect(noAuth.status).toBe(403);
const bad = await daemon.handle(
request({
method: 'POST',
path: '/bridge/v1/provision/rooms',
authorizationHeader: 'Bearer bridge-secret',
body: { name: '', alias: 'BAD ALIAS' },
}),
);
expect(bad.status).toBe(400);
});
// A daemon whose fetch mock backs account_data with a mutable in-test object,
// so register/verify/revoke round-trip through the (faked) homeserver.
const makeAgentDaemon = () => {
const accountData: { value: Record<string, unknown> | null } = { value: null };
const fetchMock = vi.fn(async (input: URL | string, init?: RequestInit) => {
const url = new URL(String(input));
const path = url.pathname;
if (path.includes(`/account_data/${AGENTS_TYPE}`)) {
if (init?.method === 'PUT') {
accountData.value = JSON.parse(String(init.body)) as Record<string, unknown>;
return jsonResponse(200, {});
}
if (accountData.value === null) {
return jsonResponse(404, { errcode: 'M_NOT_FOUND', error: 'not found' });
}
return jsonResponse(200, accountData.value);
}
if (path.endsWith('/register')) return jsonResponse(200, { user_id: 'whatever' });
if (path.includes('/send/m.room.message/')) return jsonResponse(200, { event_id: '$sent' });
return jsonResponse(200, {});
});
const daemon = new AppserviceDaemon(cfg, fetchMock as unknown as typeof fetch, () => {});
return { daemon, fetchMock };
};
const registerAgent = async (
daemon: AppserviceDaemon,
body: Record<string, unknown> = { alias: 'pi0', host: 'web1' },
) =>
daemon.handle(
request({
method: 'POST',
path: '/bridge/v1/agents',
authorizationHeader: 'Bearer bridge-secret',
body,
}),
);
it('host token registers an agent and returns agent_user_id + bridge_token', async () => {
const { daemon, fetchMock } = makeAgentDaemon();
const res = await registerAgent(daemon, { alias: 'pi0', host: 'web1' });
expect(res.status).toBe(200);
expect(res.body.agent_user_id).toBe('@agent-pi0-web1:hs.example');
expect(String(res.body.bridge_token).startsWith('magt_')).toBe(true);
const registerCall = fetchMock.mock.calls
.map((c) => new URL(String(c[0])))
.find((u) => u.pathname.endsWith('/register'));
expect(registerCall).toBeDefined();
});
it('register requires a HOST token (agent token and no token are 403)', async () => {
const { daemon } = makeAgentDaemon();
const minted = await registerAgent(daemon);
const agentToken = String(minted.body.bridge_token);
const asAgent = await daemon.handle(
request({
method: 'POST',
path: '/bridge/v1/agents',
authorizationHeader: `Bearer ${agentToken}`,
body: { alias: 'pi1', host: 'web2' },
}),
);
expect(asAgent.status).toBe(403);
const noAuth = await daemon.handle(
request({ method: 'POST', path: '/bridge/v1/agents', body: { alias: 'pi1', host: 'web2' } }),
);
expect(noAuth.status).toBe(403);
});
it('agent-scoped token may send as itself but not as another agent', async () => {
const { daemon } = makeAgentDaemon();
const minted = await registerAgent(daemon, { alias: 'pi0', host: 'web1' });
const agentToken = String(minted.body.bridge_token);
const self = await daemon.handle(
request({
method: 'POST',
path: '/bridge/v1/messages',
authorizationHeader: `Bearer ${agentToken}`,
body: { room_id: '!r:hs.example', agent: 'pi0-web1', body: 'hi' },
}),
);
expect(self.status).toBe(200);
const other = await daemon.handle(
request({
method: 'POST',
path: '/bridge/v1/messages',
authorizationHeader: `Bearer ${agentToken}`,
body: { room_id: '!r:hs.example', agent: 'pi9-web9', body: 'hi' },
}),
);
expect(other.status).toBe(403);
expect(other.body.error).toBe('token not scoped to this agent');
});
it('revoked agent token is rejected on messages', async () => {
const { daemon } = makeAgentDaemon();
const minted = await registerAgent(daemon, { alias: 'pi0', host: 'web1' });
const agentToken = String(minted.body.bridge_token);
const revoke = await daemon.handle(
request({
method: 'POST',
path: '/bridge/v1/agents/revoke',
authorizationHeader: 'Bearer bridge-secret',
body: { agent_user_id: '@agent-pi0-web1:hs.example' },
}),
);
expect(revoke.status).toBe(200);
expect(revoke.body.revoked).toBe(1);
const afterRevoke = await daemon.handle(
request({
method: 'POST',
path: '/bridge/v1/messages',
authorizationHeader: `Bearer ${agentToken}`,
body: { room_id: '!r:hs.example', agent: 'pi0-web1', body: 'hi' },
}),
);
expect(afterRevoke.status).toBe(403);
});
it('GET /bridge/v1/agents lists registered agents (host only)', async () => {
const { daemon } = makeAgentDaemon();
await registerAgent(daemon, { alias: 'pi0', host: 'web1', display_name: 'Pi Zero' });
const res = await daemon.handle(
request({
method: 'GET',
path: '/bridge/v1/agents',
authorizationHeader: 'Bearer bridge-secret',
}),
);
expect(res.status).toBe(200);
const agents = res.body.agents as Array<Record<string, unknown>>;
expect(agents).toHaveLength(1);
expect(agents[0]?.agent_user_id).toBe('@agent-pi0-web1:hs.example');
expect(agents[0]?.display_name).toBe('Pi Zero');
});
it('empty bridge token list denies everything', async () => {
const daemon = new AppserviceDaemon({ ...cfg, bridgeTokens: [] }, undefined, () => {});
const res = await daemon.handle(

109
apps/appservice/src/server.ts
View File

@@ -1,14 +1,10 @@
import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
import {
AgentTokenStore,
AppserviceIntent,
TransactionHandler,
validateBridgeMessage,
validateBridgeTyping,
validateProvisionRoom,
validateRegisterAgent,
validateRevokeAgent,
} from '@mosaicstack/appservice';
import type { AppserviceConfig, MatrixEvent } from '@mosaicstack/appservice';
@@ -40,13 +36,6 @@ const safeEqual = (a: string, b: string): boolean => timingSafeEqual(digest(a),
const TXN_PATH = /^\/_matrix\/app\/v1\/transactions\/([^/]+)$/;
/**
* Resolved identity for an authenticated /bridge/v1/* caller. Host principals
* (the agent-comms host daemons) are unrestricted; agent principals are scoped
* to a single virtual user and may only act as themselves.
*/
export type BridgePrincipal = { kind: 'host' } | { kind: 'agent'; agentUserId: string } | null;
/**
* HTTP-framework-agnostic request router for the mosaic-as daemon: the
* Application Service transactions endpoint (Synapse-facing) plus the
@@ -56,7 +45,6 @@ export type BridgePrincipal = { kind: 'host' } | { kind: 'agent'; agentUserId: s
export class AppserviceDaemon {
readonly intent: AppserviceIntent;
private readonly transactions: TransactionHandler;
private readonly agents: AgentTokenStore;
constructor(
private readonly cfg: DaemonConfig,
@@ -64,7 +52,6 @@ export class AppserviceDaemon {
private readonly log: (line: string) => void = (line) => console.log(line),
) {
this.intent = new AppserviceIntent(cfg, fetchImpl);
this.agents = new AgentTokenStore(this.intent);
this.transactions = new TransactionHandler({
hsToken: cfg.hsToken,
onEvent: (event) => this.onEvent(event),
@@ -81,20 +68,10 @@ export class AppserviceDaemon {
}
}
/** Resolve the calling principal, or null when unauthorized. Fail-closed:
* host tokens win (timing-safe compare); otherwise a magt_* bearer is looked
* up in the agent token store; anything else is rejected. */
private async bridgeAuthorized(
authorizationHeader: string | undefined,
): Promise<BridgePrincipal> {
if (!authorizationHeader?.startsWith('Bearer ')) return null;
private bridgeAuthorized(authorizationHeader: string | undefined): boolean {
if (!authorizationHeader?.startsWith('Bearer ')) return false;
const presented = authorizationHeader.slice('Bearer '.length);
if (this.cfg.bridgeTokens.some((token) => safeEqual(presented, token))) {
return { kind: 'host' };
}
const agentUserId = await this.agents.verifyToken(presented);
if (agentUserId) return { kind: 'agent', agentUserId };
return null;
return this.cfg.bridgeTokens.some((token) => safeEqual(presented, token));
}
async handle(req: DaemonRequest): Promise<DaemonResponse> {
@@ -111,60 +88,12 @@ export class AppserviceDaemon {
}
if (req.path.startsWith('/bridge/v1/')) {
const principal = await this.bridgeAuthorized(req.authorizationHeader);
if (!principal) {
if (!this.bridgeAuthorized(req.authorizationHeader)) {
return { status: 403, body: { errcode: 'M_FORBIDDEN', error: 'bad bridge token' } };
}
try {
if (req.method === 'POST' && req.path === '/bridge/v1/agents') {
if (principal.kind !== 'host') {
return {
status: 403,
body: { errcode: 'M_FORBIDDEN', error: 'agents cannot register agents' },
};
}
validateRegisterAgent(req.body);
const { agentUserId, token } = await this.agents.register({
alias: req.body.alias,
host: req.body.host,
displayName: req.body.display_name,
});
this.log(`registered agent ${agentUserId}`);
return { status: 200, body: { agent_user_id: agentUserId, bridge_token: token } };
}
if (req.method === 'POST' && req.path === '/bridge/v1/agents/revoke') {
if (principal.kind !== 'host') {
return {
status: 403,
body: { errcode: 'M_FORBIDDEN', error: 'agents cannot revoke agents' },
};
}
validateRevokeAgent(req.body);
const revoked = await this.agents.revoke(req.body.agent_user_id);
this.log(`revoked ${revoked} token(s) for ${req.body.agent_user_id}`);
return { status: 200, body: { revoked } };
}
if (req.method === 'GET' && req.path === '/bridge/v1/agents') {
if (principal.kind !== 'host') {
return {
status: 403,
body: { errcode: 'M_FORBIDDEN', error: 'agents cannot list agents' },
};
}
const agents = await this.agents.list();
return { status: 200, body: { agents } };
}
if (req.method === 'POST' && req.path === '/bridge/v1/messages') {
validateBridgeMessage(req.body);
if (
principal.kind === 'agent' &&
this.intent.agentUserId(req.body.agent) !== principal.agentUserId
) {
return {
status: 403,
body: { errcode: 'M_FORBIDDEN', error: 'token not scoped to this agent' },
};
}
const eventId = await this.intent.sendAsAgent({
roomId: req.body.room_id,
agent: req.body.agent,
@@ -177,39 +106,9 @@ export class AppserviceDaemon {
}
if (req.method === 'POST' && req.path === '/bridge/v1/typing') {
validateBridgeTyping(req.body);
if (
principal.kind === 'agent' &&
this.intent.agentUserId(req.body.agent) !== principal.agentUserId
) {
return {
status: 403,
body: { errcode: 'M_FORBIDDEN', error: 'token not scoped to this agent' },
};
}
await this.intent.setTyping(req.body.room_id, req.body.agent, req.body.typing);
return { status: 200, body: {} };
}
if (req.method === 'POST' && req.path === '/bridge/v1/provision/rooms') {
validateProvisionRoom(req.body);
const result = await this.intent.createRoom({
name: req.body.name,
alias: req.body.alias,
topic: req.body.topic,
invite: req.body.invite,
spaceId: req.body.space_id,
});
this.log(
`provisioned room ${result.roomId} (${req.body.name}) space_linked=${result.spaceLinked}`,
);
return {
status: 200,
body: {
room_id: result.roomId,
space_linked: result.spaceLinked,
...(result.spaceError ? { space_error: result.spaceError } : {}),
},
};
}
} catch (error) {
const message = error instanceof Error ? error.message : String(error);
this.log(`bridge error ${req.method} ${req.path}: ${message}`);

50
docs/scratchpads/536-wrapper-login-pin.md
View File

@@ -1,50 +0,0 @@
# Issue 536 Wrapper Login Pin Scratchpad
## Metadata
- Date: 2026-06-12
- Worktree: `/home/hermes/agent-work/536-wrapper-audit`
- Branch: `fix/536-wrapper-login-pin`
- Coordinator: `mos-claude`
- Issue: `mosaicstack/stack#536`
- Scope: Audit and fix Gitea git wrappers that hardcode or incorrectly inherit tea login/instance selection.
## Objective
Fix the framework git wrappers so Gitea issue/PR operations resolve the tea login from the target repository host instead of pinning `mosaicstack`. The fix must cover the class of bug across `packages/mosaic/framework/tools/git/`, not only `issue-close.sh`.
## Acceptance Criteria
1. `issue-close.sh` no longer uses `--login mosaicstack` for non-mosaic hosts.
2. All wrappers in `packages/mosaic/framework/tools/git/` avoid hardcoded Gitea login fallback where host-specific resolution is available.
3. Host-specific resolution works for `git.mosaicstack.dev` and `git.uscllc.com` using configured credentials / tea login data.
4. Read-only verification runs against both Gitea instances where possible.
5. Queue guard passes before push, PR is opened referencing #536, and merge is left to the coordinator.
## Progress Log
- Read required Mosaic hard-gate docs and coordinator briefing.
- Read issue #536 via Gitea API with mosaicstack credentials.
- Initial audit found hardcoded `${GITEA_LOGIN:-mosaicstack}` in issue and PR wrappers, plus shared `get_gitea_repo_args`.
- Added host-aware Gitea login resolution in `detect-platform.sh`, including exact host matching for `tea login list` entries and HTTPS remotes with embedded credentials.
- Updated Gitea issue, PR, milestone, and CI wrappers to use resolved host-specific tea login arguments instead of defaulting to `mosaicstack`.
- Added authenticated API fallbacks for close/reopen paths so wrappers can still operate when a matching `tea` login is absent but token credentials are available.
- Added regression coverage for stale `GITEA_LOGIN`, exact host matching, `--repo` override flows, USC issue close routing, mosaicstack API fallback, and PR metadata/merge fallbacks.
- Delta after PR #538 review: extended host-aware login/repo resolution to PowerShell wrappers, Bash milestone wrappers, and API-only `--repo` fallback paths.
- Delta after live USC `pr-create.sh` repro: tightened `GITEA_LOGIN` trust so stale login names are ignored unless the tea login itself matches the target host, and added USC API fallback coverage for `pr-create.sh`.
## Verification
- `bash -n packages/mosaic/framework/tools/git/*.sh`
- `packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh`
- `packages/mosaic/framework/tools/git/test-pr-metadata-gitea.sh`
- `packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh`
- `pwsh -NoProfile` parse check for all `packages/mosaic/framework/tools/git/*.ps1`
- `pnpm typecheck`
- `pnpm lint`
- `pnpm format:check`
- `pnpm --filter @mosaicstack/mosaic test -- src/commands/git-wrapper-redirects.spec.ts`
- `pnpm test` progressed past wrapper redirect assertions; local run then stopped on `apps/gateway` Postgres connection refused at `localhost:5433`, which CI provides as a service.
- Live read-only: direct Gitea API read of `mosaicstack/stack#536` with `User-Agent: curl/8`.
- Live read-only: USC temporary repo remote to `https://git.uscllc.com/USC/uconnect.git`; `issue-list.sh -n 1` resolved the USC login and returned USC issues.
- Independent Codex review final verdict: approve, no findings.

20
guides/BOOTSTRAP.md
View File

@@ -453,26 +453,6 @@ Initialize standard labels and the first pre-MVP milestone:
---
## Secrets Bootstrap (Required for Every New App)
Every new application MUST complete the following secrets bootstrap before deploying to any non-local environment. This is a hard gate — deployment without completed secrets bootstrap is forbidden.
### Secrets bootstrap checklist
- [ ] Vault path created: `vault kv put secret/k3s/<app>/ ...` with all required secret fields
- [ ] Required secrets listed in project README under a "Secrets architecture" section, including:
- Vault path(s) used
- All required secret keys and their purpose
- Whether the app uses ESO bridge (default) or Direct-Vault (opt-in, with justification)
- [ ] `external-secret.yaml` manifest committed to repo's `deploy/` or `k8s/` directory
- [ ] Deployment YAML references the synced k8s Secret via `secretKeyRef` (not raw env vars or `.env` files)
- [ ] App startup has schema-based validation for all required env vars (zod / pydantic / envconfig equivalent) that exits non-zero on missing required values
- [ ] Direct-Vault opt-in (if applicable): justification documented in README + AppRole provisioned + bootstrap credentials stored in Vault and synced via a separate `ExternalSecret`
See `~/.config/mosaic/guides/VAULT-SECRETS.md` for full worked examples of the ESO bridge pattern, the Direct-Vault opt-in pattern, and the forbidden antipatterns.
---
## Checklist
After bootstrapping, verify:

371
guides/VAULT-SECRETS.md
View File

@@ -203,374 +203,3 @@ Error: token expired
3. **Audit logging** - All access is logged; act accordingly
4. **No local copies** - Don't store secrets in files or env vars long-term
5. **Rotate on compromise** - Immediately rotate any exposed secrets
---
## Secrets Architecture Decision Matrix
Use this table to choose between the ESO bridge (default) and Direct-Vault (opt-in) patterns for every new app or integration.
| Factor | ESO Bridge (default) | Direct-Vault (opt-in) |
| --------------------------- | ----------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| **Use-case** | All static secrets (DB creds, API keys, signing keys, OAuth secrets) | Dynamic creds with short TTLs (DB rotation, AWS STS, PKI), per-request audit trails, or lease renewal mid-pod-lifecycle |
| **App code change** | None — reads standard env vars via `secretKeyRef` | Requires Vault client (`hvac`, `node-vault`, `vault/api`) in application code |
| **Secret rotation** | ESO re-syncs on Vault write; pod restart or secret refresh picks up new value | App manages lease renewal or re-auth within the running process |
| **Audit granularity** | Access logged at Vault when ESO syncs; no per-request app audit | Every app request to Vault is a separate audit log entry |
| **Operational burden** | Low — ESO handles polling, sync, and k8s Secret lifecycle | Higher — app must handle auth, lease renewal, error paths, and token rotation |
| **Justification required?** | No — this is the default | Yes — document in project README under "Secrets architecture" |
| **Example use cases** | Web app DB password, OAuth client secret, JWT signing key, API token | HashiCorp DB secrets engine with 15-min TTL leases, AWS STS assume-role, Vault PKI short-lived certs |
**Decision rule:** If you are unsure, use ESO. Only justify Direct-Vault when the secret cannot be safely stored in a k8s Secret (too short-lived, per-request TTL required, or mid-lifecycle renewal needed).
---
## ESO Bridge Pattern (Default)
This is the required default for all k8s workloads. Follow this exact pattern unless a documented dynamic-secrets requirement justifies Direct-Vault.
### 1. Provision Vault path
```bash
# Write the secrets for the app (run once; use IaC/Terraform for repeatable provisioning)
vault kv put secret/k3s/<app> \
db_password="..." \
api_key="..." \
jwt_secret="..."
```
Use the canonical path structure: `secret/k3s/<app>` for k3s cluster workloads.
### 2. ExternalSecret manifest
Commit this to the repo's `deploy/` or `k8s/` directory:
```yaml
# deploy/external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: <app>-secrets
namespace: <namespace>
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend # ClusterSecretStore name — verify with cluster admin
kind: ClusterSecretStore
target:
name: <app>-secrets # k8s Secret name that will be created
creationPolicy: Owner
data:
- secretKey: DB_PASSWORD # key in the k8s Secret
remoteRef:
key: secret/k3s/<app> # Vault path
property: db_password # field within the Vault secret
- secretKey: API_KEY
remoteRef:
key: secret/k3s/<app>
property: api_key
- secretKey: JWT_SECRET
remoteRef:
key: secret/k3s/<app>
property: jwt_secret
```
### 3. Deployment manifest — reference synced k8s Secret
```yaml
# deploy/deployment.yaml (env section)
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: <app>-secrets # matches ExternalSecret target.name
key: DB_PASSWORD
- name: API_KEY
valueFrom:
secretKeyRef:
name: <app>-secrets
key: API_KEY
- name: JWT_SECRET
valueFrom:
secretKeyRef:
name: <app>-secrets
key: JWT_SECRET
- name: PORT
value: '3000' # safe-default: non-secret, no Vault needed
```
### 4. App-side schema validation — TypeScript (zod)
Validate all required env vars at startup. Exit non-zero on missing values.
```typescript
// src/env.ts
import { z } from 'zod';
const envSchema = z.object({
DB_PASSWORD: z.string().min(1, 'DB_PASSWORD is required'),
API_KEY: z.string().min(1, 'API_KEY is required'),
JWT_SECRET: z.string().min(32, 'JWT_SECRET must be at least 32 chars'),
PORT: z.coerce.number().default(3000),
NODE_ENV: z.enum(['development', 'production', 'test']).default('production'),
});
const result = envSchema.safeParse(process.env);
if (!result.success) {
console.error('Missing or invalid environment variables:');
console.error(result.error.flatten().fieldErrors);
process.exit(1);
}
export const env = result.data;
```
### 4b. App-side schema validation — Python (pydantic)
```python
# src/config.py
from pydantic_settings import BaseSettings, SettingsConfigDict
class Settings(BaseSettings):
db_password: str
api_key: str
jwt_secret: str
port: int = 3000
node_env: str = "production"
model_config = SettingsConfigDict(env_file=None) # no .env in prod
try:
settings = Settings()
except Exception as e:
import sys
print(f"Missing or invalid environment variables: {e}", file=sys.stderr)
sys.exit(1)
```
### 4c. App-side schema validation — Go (envconfig)
```go
// config/config.go
package config
import (
"fmt"
"github.com/kelseyhightower/envconfig"
)
type Config struct {
DBPassword string `envconfig:"DB_PASSWORD" required:"true"`
APIKey string `envconfig:"API_KEY" required:"true"`
JWTSecret string `envconfig:"JWT_SECRET" required:"true"`
Port int `envconfig:"PORT" default:"3000"`
}
func Load() (*Config, error) {
var cfg Config
if err := envconfig.Process("", &cfg); err != nil {
return nil, fmt.Errorf("invalid environment: %w", err)
}
return &cfg, nil
}
```
In your `main.go`:
```go
cfg, err := config.Load()
if err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
```
---
## Direct-Vault Opt-In Pattern
Use this pattern ONLY when a documented dynamic-secrets requirement applies (DB rotation with short TTLs, AWS STS, PKI, per-request audit). Document the justification in the project README under "Secrets architecture" before implementing.
### When it is justified
- Vault DB secrets engine with lease TTLs shorter than a typical pod lifecycle (< 1 hour)
- AWS STS assume-role tokens generated per-request
- Vault PKI short-lived certificates (< 24 hours) that must be renewed within a running pod
- Per-request audit trail requirement (each app call must appear separately in Vault audit log)
### Provision an AppRole for the app
```bash
# Enable AppRole auth (if not already enabled)
vault auth enable approle
# Create a Vault policy for the app
# Note: KV v2 paths require both the exact path (for the top-level secret) and the
# wildcard (for sub-paths). Always include both to avoid permission denied errors.
vault policy write <app>-policy - <<EOF
path "secret/data/k3s/<app>" {
capabilities = ["read"]
}
path "secret/data/k3s/<app>/*" {
capabilities = ["read"]
}
path "database/creds/<app>-role" {
capabilities = ["read"]
}
EOF
# Create the AppRole
vault write auth/approle/role/<app>-role \
token_policies="<app>-policy" \
token_ttl=1h \
token_max_ttl=4h \
secret_id_ttl=0
# Retrieve role-id and secret-id
vault read auth/approle/role/<app>-role/role-id
vault write -f auth/approle/role/<app>-role/secret-id
```
### Bootstrap AppRole credentials via ESO (solving the chicken-and-egg problem)
The AppRole `role-id` and `secret-id` are themselves secrets. Store them in Vault at a bootstrap path, then use ESO to sync them into a k8s Secret. The app reads that k8s Secret at startup to authenticate with Vault directly.
```bash
# Store the bootstrap credentials in Vault
vault kv put secret/k3s/<app>-bootstrap \
role_id="<role-id>" \
secret_id="<secret-id>"
```
```yaml
# deploy/external-secret-bootstrap.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: <app>-vault-auth
namespace: <namespace>
spec:
refreshInterval: 24h
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: <app>-vault-auth
creationPolicy: Owner
data:
- secretKey: VAULT_ROLE_ID
remoteRef:
key: secret/k3s/<app>-bootstrap
property: role_id
- secretKey: VAULT_SECRET_ID
remoteRef:
key: secret/k3s/<app>-bootstrap
property: secret_id
```
```yaml
# deploy/deployment.yaml (env section for Direct-Vault app)
env:
- name: VAULT_ADDR
value: 'https://vault.example.com' # safe-default: non-secret cluster address
- name: VAULT_ROLE_ID
valueFrom:
secretKeyRef:
name: <app>-vault-auth
key: VAULT_ROLE_ID
- name: VAULT_SECRET_ID
valueFrom:
secretKeyRef:
name: <app>-vault-auth
key: VAULT_SECRET_ID
```
### App-side Vault client pattern
```typescript
// src/vault-client.ts — only exists in Direct-Vault apps
import vault from 'node-vault';
import { z } from 'zod';
const bootstrapSchema = z.object({
VAULT_ADDR: z.string().url(),
VAULT_ROLE_ID: z.string().min(1),
VAULT_SECRET_ID: z.string().min(1),
});
const bootstrap = bootstrapSchema.parse(process.env);
const client = vault({ endpoint: bootstrap.VAULT_ADDR });
export async function getVaultClient() {
const { auth } = await client.approleLogin({
role_id: bootstrap.VAULT_ROLE_ID,
secret_id: bootstrap.VAULT_SECRET_ID,
});
client.token = auth.client_token;
return client;
}
```
Document in README under "Secrets architecture": the Vault path, why Direct-Vault is required, and the lease/renewal strategy.
---
## Forbidden Patterns (CI Lint Targets)
The following patterns are forbidden in all Mosaic projects. CI lint SHOULD catch these automatically (implementation tracked separately). Agents MUST NOT introduce these patterns.
### 1. Untagged fallback defaults for required values
```yaml
# FORBIDDEN — required secret with silent fallback
environment:
- DB_PASSWORD=${DB_PASSWORD:-changeme}
- API_KEY=${API_KEY:-}
# REQUIRED — fast-fail on missing required values
environment:
- DB_PASSWORD=${DB_PASSWORD:?DB_PASSWORD is required}
- API_KEY=${API_KEY:?API_KEY is required}
# ALLOWED — true convenience default, tagged
environment:
- PORT=${PORT:-3000} # safe-default: non-secret, app works at any port
```
This applies to: `docker-compose.yml`, k8s manifests, Helm `values.yaml`, any env file committed to git.
### 2. Vault KV calls in application source code (ESO-default projects)
```python
# FORBIDDEN in ESO-default apps — direct Vault client in app source
import hvac
client = hvac.Client(url=os.environ['VAULT_ADDR'])
secret = client.secrets.kv.v2.read_secret_version(path='myapp/db')
```
ESO-default apps read env vars only. Direct-Vault clients belong only in apps with a documented dynamic-secrets justification in README.
### 3. Hardcoded secrets or API keys in committed files
```python
# FORBIDDEN — hardcoded credential
DB_PASSWORD = "supersecret123"
API_KEY = "sk-live-abc123"
```
No exceptions. CI lint must flag any string matching common secret patterns (`password`, `secret`, `api_key`, `token` assigned a literal non-env-var value).
### 4. `.env` files in production deployment paths
```
# FORBIDDEN — .env file in a production deploy path
deploy/.env
k8s/.env
docker/.env
# ALLOWED — local dev only
.env.example # template only, no real values
.env # local dev, must be in .gitignore
```
`.env` files are acceptable in local-dev contexts only and MUST be in `.gitignore`. They are forbidden in any path that a CI pipeline or production deployment process reads directly.

116
packages/appservice/src/__tests__/agent-store.test.ts
View File

@@ -1,116 +0,0 @@
import { describe, expect, it } from 'vitest';
import { AGENTS_ACCOUNT_DATA_TYPE, AgentTokenStore } from '../agent-store.js';
import type { AppserviceIntent } from '../intent.js';
/** Fake intent: in-memory account_data, no-op user provisioning. Only the
* surface AgentTokenStore touches is implemented. */
const makeFakeIntent = () => {
const store: Record<string, Record<string, unknown>> = {};
const fake = {
domain: 'hs.example',
getSenderAccountData: async (type: string): Promise<Record<string, unknown> | null> =>
store[type] ?? null,
setSenderAccountData: async (type: string, content: Record<string, unknown>): Promise<void> => {
store[type] = structuredClone(content);
},
ensureRegistered: async (agent: string): Promise<string> => `@agent-${agent}:hs.example`,
setDisplayName: async (): Promise<void> => {},
};
return { intent: fake as unknown as AppserviceIntent, store };
};
describe('AgentTokenStore', () => {
it('mints a magt_ token and stores only its sha256 (never plaintext)', async () => {
const { intent, store } = makeFakeIntent();
const s = new AgentTokenStore(intent);
const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });
expect(agentUserId).toBe('@agent-pi0-web1:hs.example');
expect(token.startsWith('magt_')).toBe(true);
const raw = JSON.stringify(store[AGENTS_ACCOUNT_DATA_TYPE]);
expect(raw).not.toContain(token);
// The stored hash is sha256hex(token), 64 hex chars.
const { createHash } = await import('node:crypto');
const hash = createHash('sha256').update(token).digest('hex');
expect(raw).toContain(hash);
});
it('verifyToken returns the agentUserId for a fresh token, null otherwise', async () => {
const { intent } = makeFakeIntent();
const s = new AgentTokenStore(intent);
const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });
expect(await s.verifyToken(token)).toBe(agentUserId);
expect(await s.verifyToken('magt_garbage')).toBeNull();
expect(await s.verifyToken('not-a-token')).toBeNull();
expect(await s.verifyToken('')).toBeNull();
});
it('revoke invalidates tokens, returns count, and hides agent from list', async () => {
const { intent } = makeFakeIntent();
const s = new AgentTokenStore(intent);
const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });
expect((await s.list()).map((a) => a.agent_user_id)).toContain(agentUserId);
const count = await s.revoke(agentUserId);
expect(count).toBe(1);
expect(await s.verifyToken(token)).toBeNull();
expect((await s.list()).map((a) => a.agent_user_id)).not.toContain(agentUserId);
// Idempotent on unknown / already-revoked.
expect(await s.revoke(agentUserId)).toBe(0);
expect(await s.revoke('@agent-nope:hs.example')).toBe(0);
});
it('re-register after revoke yields a working token and the agent reappears', async () => {
const { intent } = makeFakeIntent();
const s = new AgentTokenStore(intent);
const { agentUserId, token: t1 } = await s.register({ alias: 'pi0', host: 'web1' });
await s.revoke(agentUserId);
const { token: t2 } = await s.register({ alias: 'pi0', host: 'web1' });
expect(await s.verifyToken(t1)).toBeNull();
expect(await s.verifyToken(t2)).toBe(agentUserId);
expect((await s.list()).map((a) => a.agent_user_id)).toContain(agentUserId);
});
it('agent A token never verifies as agent B', async () => {
const { intent } = makeFakeIntent();
const s = new AgentTokenStore(intent);
const a = await s.register({ alias: 'pi0', host: 'web1' });
const b = await s.register({ alias: 'pi1', host: 'web2' });
expect(await s.verifyToken(a.token)).toBe(a.agentUserId);
expect(await s.verifyToken(b.token)).toBe(b.agentUserId);
expect(a.agentUserId).not.toBe(b.agentUserId);
});
it('rejects an ambiguous re-registration that collides on one Matrix id', async () => {
const { intent } = makeFakeIntent();
const s = new AgentTokenStore(intent);
// alias="a-b",host="c" and alias="a",host="b-c" both -> @agent-a-b-c.
const first = await s.register({ alias: 'a-b', host: 'c' });
expect(first.agentUserId).toBe('@agent-a-b-c:hs.example');
await expect(s.register({ alias: 'a', host: 'b-c' })).rejects.toThrow(/collision/);
// The original registration is untouched: still one active token, correct pair.
expect(await s.verifyToken(first.token)).toBe(first.agentUserId);
const summary = (await s.list()).find((x) => x.agent_user_id === first.agentUserId);
expect(summary?.alias).toBe('a-b');
expect(summary?.host).toBe('c');
expect(summary?.active_token_count).toBe(1);
});
it('display_name is stored and surfaced in list', async () => {
const { intent } = makeFakeIntent();
const s = new AgentTokenStore(intent);
await s.register({ alias: 'pi0', host: 'web1', displayName: 'Pi Zero' });
const summary = (await s.list())[0];
expect(summary?.display_name).toBe('Pi Zero');
expect(summary?.active_token_count).toBe(1);
});
});

63
packages/appservice/src/agent-registry.dto.ts
View File

@@ -1,63 +0,0 @@
/** DTOs for agent registration + scoped/revocable bridge tokens (US-007). */
export interface RegisterAgentDto {
/** Agent alias slug, e.g. "pi0". Combined with host into the agent slug. */
alias: string;
/** Host slug, e.g. "web1". Combined with alias into the agent slug. */
host: string;
display_name?: string;
}
export interface RevokeAgentDto {
agent_user_id: string;
}
export interface RegisterAgentResponse {
agent_user_id: string;
bridge_token: string;
}
export interface AgentSummary {
agent_user_id: string;
alias: string;
host: string;
display_name?: string;
created_at: string;
active_token_count: number;
}
const SLUG_RE = /^[a-z0-9][a-z0-9_.-]*$/;
/** Combined agent slug, e.g. alias="pi0", host="web1" -> "pi0-web1". */
export function agentSlug(alias: string, host: string): string {
return `${alias}-${host}`;
}
const assertSlug = (value: unknown, field: string): void => {
if (typeof value !== 'string' || value.length === 0 || !SLUG_RE.test(value)) {
throw new Error(`${field} must match [a-z0-9][a-z0-9_.-]* (lowercase, non-empty)`);
}
};
export function validateRegisterAgent(input: unknown): asserts input is RegisterAgentDto {
const o = input as Partial<RegisterAgentDto> | null | undefined;
if (!o || typeof o !== 'object') throw new Error('payload must be an object');
assertSlug(o.alias, 'alias');
assertSlug(o.host, 'host');
if (o.display_name !== undefined) {
if (typeof o.display_name !== 'string' || o.display_name.length === 0) {
throw new Error('display_name must be a non-empty string');
}
if (o.display_name.length > 100) {
throw new Error('display_name must be at most 100 chars');
}
}
}
export function validateRevokeAgent(input: unknown): asserts input is RevokeAgentDto {
const o = input as Partial<RevokeAgentDto> | null | undefined;
if (!o || typeof o !== 'object') throw new Error('payload must be an object');
if (typeof o.agent_user_id !== 'string' || !o.agent_user_id.startsWith('@')) {
throw new Error('agent_user_id must be a Matrix user id');
}
}

160
packages/appservice/src/agent-store.ts
View File

@@ -1,160 +0,0 @@
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';
import { agentSlug } from './agent-registry.dto.js';
import type { AgentSummary } from './agent-registry.dto.js';
import type { AppserviceIntent } from './intent.js';
/** account_data type holding the agent registry on the AS sender user. */
export const AGENTS_ACCOUNT_DATA_TYPE = 'org.uscllc.mosaic_as.agents';
const TOKEN_PREFIX = 'magt_';
interface StoredAgent {
alias: string;
host: string;
display_name?: string;
created_at: string;
/** sha256hex of each active token. Plaintext tokens are NEVER stored. */
token_hashes: string[];
revoked_at?: string;
}
interface AgentRegistry {
agents: Record<string, StoredAgent>;
}
const sha256hex = (value: string): string => createHash('sha256').update(value).digest('hex');
const mintToken = (): string => `${TOKEN_PREFIX}${randomBytes(32).toString('base64url')}`;
/**
* Persists scoped/revocable bridge tokens for agent virtual users in Matrix
* account_data on the AS sender user (no new infra; survives restart).
*
* Tokens are stored only as sha256 hashes (the high-entropy `magt_` token makes
* plain sha256 safe — no salt/KDF needed since brute force is infeasible).
*
* KNOWN v1 LIMIT: Synapse caps a single account_data object (default
* max_account_data_size, ~100KB). Each agent + hash entry is small, so this
* supports thousands of agents, but a very large fleet would eventually need a
* dedicated store. Revoked agents with no active tokens are pruned of hashes
* (kept as tombstones) to bound growth.
*/
export class AgentTokenStore {
constructor(private readonly intent: AppserviceIntent) {}
/** Read the registry fresh from account_data (low-frequency ops favor
* correctness over caching; verifyToken/list also read fresh). */
private async read(): Promise<AgentRegistry> {
const data = await this.intent.getSenderAccountData(AGENTS_ACCOUNT_DATA_TYPE);
const agents = data?.agents;
if (agents && typeof agents === 'object') {
return { agents: agents as Record<string, StoredAgent> };
}
return { agents: {} };
}
private async write(registry: AgentRegistry): Promise<void> {
await this.intent.setSenderAccountData(AGENTS_ACCOUNT_DATA_TYPE, {
agents: registry.agents,
});
}
/** Ensure the virtual user exists, mint a fresh token, store its hash, and
* return the plaintext token ONCE. Clears any prior revocation. */
async register(opts: {
alias: string;
host: string;
displayName?: string;
}): Promise<{ agentUserId: string; token: string }> {
const slug = agentSlug(opts.alias, opts.host);
const agentUserId = await this.intent.ensureRegistered(slug);
if (opts.displayName !== undefined) {
await this.intent.setDisplayName(slug, opts.displayName);
}
const token = mintToken();
const hash = sha256hex(token);
const registry = await this.read();
const existing = registry.agents[agentUserId];
if (existing) {
// The agent slug `<alias>-<host>` joins with a `-`, which is also a legal
// slug char, so distinct pairs can collide on one Matrix id (e.g.
// a/b-c and a-b/c both -> @agent-a-b-c). They ARE the same Matrix user,
// but silently overwriting the stored alias/host of a different pair
// would conflate two logical agents into one token bucket. Reject the
// ambiguous re-registration instead of overwriting.
if (existing.alias !== opts.alias || existing.host !== opts.host) {
throw new Error(
`agent id collision: ${agentUserId} already registered as ` +
`${existing.alias}/${existing.host}, refusing ${opts.alias}/${opts.host}`,
);
}
if (opts.displayName !== undefined) existing.display_name = opts.displayName;
existing.token_hashes = [...existing.token_hashes, hash];
delete existing.revoked_at;
} else {
registry.agents[agentUserId] = {
alias: opts.alias,
host: opts.host,
...(opts.displayName !== undefined ? { display_name: opts.displayName } : {}),
created_at: new Date().toISOString(),
token_hashes: [hash],
};
}
await this.write(registry);
return { agentUserId, token };
}
/** Return the agentUserId bound to an active (non-revoked) token, else null.
* Constant-time hash comparison; no early-out on match. */
async verifyToken(token: string): Promise<string | null> {
if (!token.startsWith(TOKEN_PREFIX)) return null;
const presented = Buffer.from(sha256hex(token), 'hex');
const registry = await this.read();
let matched: string | null = null;
for (const [agentUserId, agent] of Object.entries(registry.agents)) {
if (agent.revoked_at) continue;
for (const stored of agent.token_hashes) {
const candidate = Buffer.from(stored, 'hex');
if (candidate.length === presented.length && timingSafeEqual(candidate, presented)) {
// No early break: keep scanning so timing does not reveal match position.
matched = agentUserId;
}
}
}
return matched;
}
/** Revoke all active tokens for an agent. Idempotent; returns count revoked. */
async revoke(agentUserId: string): Promise<number> {
const registry = await this.read();
const agent = registry.agents[agentUserId];
if (!agent) return 0;
const count = agent.token_hashes.length;
agent.token_hashes = [];
agent.revoked_at = new Date().toISOString();
await this.write(registry);
return count;
}
/** List agents with at least one active token (never advertise revoked/phantom). */
async list(): Promise<AgentSummary[]> {
const registry = await this.read();
const out: AgentSummary[] = [];
for (const [agentUserId, agent] of Object.entries(registry.agents)) {
if (agent.revoked_at || agent.token_hashes.length === 0) continue;
out.push({
agent_user_id: agentUserId,
alias: agent.alias,
host: agent.host,
...(agent.display_name !== undefined ? { display_name: agent.display_name } : {}),
created_at: agent.created_at,
active_token_count: agent.token_hashes.length,
});
}
return out;
}
}

31
packages/appservice/src/bridge.dto.ts
View File

@@ -50,34 +50,3 @@ export function validateBridgeTyping(input: unknown): asserts input is BridgeTyp
assertAgentSlug(o.agent);
if (typeof o.typing !== 'boolean') throw new Error('typing must be a boolean');
}
export interface ProvisionRoomDto {
name: string;
alias?: string;
topic?: string;
invite?: string[];
space_id?: string;
}
export function validateProvisionRoom(input: unknown): asserts input is ProvisionRoomDto {
const o = input as Partial<ProvisionRoomDto> | null | undefined;
if (!o || typeof o !== 'object') throw new Error('payload must be an object');
if (typeof o.name !== 'string' || o.name.length === 0) throw new Error('name is required');
if (o.alias !== undefined && (!/^[a-z0-9_.-]+$/.test(o.alias) || o.alias.length > 200)) {
throw new Error('alias must match [a-z0-9_.-]+ (max 200 chars)');
}
if (o.invite !== undefined) {
if (
!Array.isArray(o.invite) ||
o.invite.some((u) => typeof u !== 'string' || !u.startsWith('@'))
) {
throw new Error('invite must be a list of Matrix user ids');
}
if (o.invite.length > 50) {
throw new Error('invite list exceeds maximum of 50');
}
}
if (o.space_id !== undefined && (typeof o.space_id !== 'string' || !o.space_id.startsWith('!'))) {
throw new Error('space_id must be a Matrix room id');
}
}

16
packages/appservice/src/index.ts
View File

@@ -4,20 +4,8 @@ export { TransactionHandler } from './transactions.js';
export type { TransactionHandlerOptions } from './transactions.js';
export { buildRegistration, registrationToYaml } from './registration.js';
export type { RegistrationOptions } from './registration.js';
export {
validateBridgeMessage,
validateBridgeTyping,
validateProvisionRoom,
} from './bridge.dto.js';
export type { BridgeMessageDto, BridgeTypingDto, ProvisionRoomDto } from './bridge.dto.js';
export { agentSlug, validateRegisterAgent, validateRevokeAgent } from './agent-registry.dto.js';
export type {
RegisterAgentDto,
RevokeAgentDto,
RegisterAgentResponse,
AgentSummary,
} from './agent-registry.dto.js';
export { AgentTokenStore, AGENTS_ACCOUNT_DATA_TYPE } from './agent-store.js';
export { validateBridgeMessage, validateBridgeTyping } from './bridge.dto.js';
export type { BridgeMessageDto, BridgeTypingDto } from './bridge.dto.js';
export type {
AppserviceConfig,
EventHandler,

78
packages/appservice/src/intent.ts
View File

@@ -172,58 +172,6 @@ export class AppserviceIntent {
});
}
/** Create a room as the AS sender: agents get PL 50 by namespace via the
* sender (PL 100); humans invited at default PL. Optionally link into a
* space (m.space.child + m.space.parent). Returns the room id. */
async createRoom(options: {
name: string;
alias?: string;
topic?: string;
invite?: string[];
spaceId?: string;
}): Promise<{ roomId: string; spaceLinked: boolean; spaceError?: string }> {
const body: Record<string, unknown> = {
name: options.name,
preset: 'private_chat',
invite: options.invite ?? [],
power_level_content_override: {
users: { [this.senderUserId]: 100 },
// state_default 50 stays; the AS sender can grant agents as needed.
},
};
if (options.alias) body.room_alias_name = options.alias;
if (options.topic) body.topic = options.topic;
const res = await this.request('POST', '/_matrix/client/v3/createRoom', {
userId: this.senderUserId,
body,
});
const roomId = res.room_id;
if (typeof roomId !== 'string') throw new Error('createRoom returned no room_id');
if (!options.spaceId) {
return { roomId, spaceLinked: false };
}
// Space-link failures must NOT throw: the room already exists, and an
// exception would hide the room_id (orphaned room, no recovery path).
const encodedSpaceId = encodeURIComponent(options.spaceId);
const encodedRoomId = encodeURIComponent(roomId);
try {
await this.request(
'PUT',
`/_matrix/client/v3/rooms/${encodedSpaceId}/state/m.space.child/${encodedRoomId}`,
{ userId: this.senderUserId, body: { via: [this.cfg.domain], suggested: true } },
);
await this.request(
'PUT',
`/_matrix/client/v3/rooms/${encodedRoomId}/state/m.space.parent/${encodedSpaceId}`,
{ userId: this.senderUserId, body: { via: [this.cfg.domain], canonical: true } },
);
} catch (error) {
const message = error instanceof Error ? error.message : String(error);
return { roomId, spaceLinked: false, spaceError: message };
}
return { roomId, spaceLinked: true };
}
/** Set display name for an agent's virtual user. */
async setDisplayName(agent: string, displayName: string): Promise<void> {
const userId = await this.ensureRegistered(agent);
@@ -233,30 +181,4 @@ export class AppserviceIntent {
body: { displayname: displayName },
});
}
/** Read an account_data object on the AS sender user. Returns null when the
* key has never been written (M_NOT_FOUND), so callers can treat that as an
* empty store; any other error propagates. */
async getSenderAccountData(type: string): Promise<Record<string, unknown> | null> {
const user = encodeURIComponent(this.senderUserId);
const key = encodeURIComponent(type);
try {
return await this.request('GET', `/_matrix/client/v3/user/${user}/account_data/${key}`, {
userId: this.senderUserId,
});
} catch (err) {
if (err instanceof MatrixApiError && err.errcode === 'M_NOT_FOUND') return null;
throw err;
}
}
/** Write an account_data object on the AS sender user. */
async setSenderAccountData(type: string, content: Record<string, unknown>): Promise<void> {
const user = encodeURIComponent(this.senderUserId);
const key = encodeURIComponent(type);
await this.request('PUT', `/_matrix/client/v3/user/${user}/account_data/${key}`, {
userId: this.senderUserId,
body: content,
});
}
}

1
packages/mosaic/framework/defaults/AGENTS.md
View File

@@ -34,7 +34,6 @@ At session start, additionally:
10. Manual `docker build` / `docker push` for deployment is FORBIDDEN when CI/CD pipelines exist in the repository. CI is the ONLY canonical build path for container images.
11. Before ANY build or deployment action, you MUST check for existing CI/CD pipeline configuration (`.woodpecker/`, `.woodpecker.yml`, `.github/workflows/`, etc.). If pipelines exist, use them — do not build locally.
12. The mandatory intake procedure is NOT conditional on perceived task complexity. A "simple" commit-push-deploy task has the same procedural requirements as a multi-file feature. Skipping intake because a task "seems simple" is the most common framework violation.
13. **Merge authority (coordinated work):** when a coordinator/orchestrator session is active for the work, the post-review MERGE GO-AHEAD is the coordinator's to give — once code has passed the required review gates, request the coordinator's go-ahead and merge on their confirmation; do NOT wait on the human owner personally. Solo (uncoordinated) delivery keeps the default: merge without routine confirmation per gates 2 and 9. A "No self-merge" note on a PR means no UNREVIEWED self-merge — it does not suspend coordinator-authorized merges. (Policy: Jason, 2026-06-11.)
## Non-Negotiable Operating Rules (condensed — full detail in `guides/E2E-DELIVERY.md`)

10
packages/mosaic/framework/defaults/STANDARDS.md
View File

@@ -27,16 +27,6 @@ Master/slave model:
- Do not perform destructive git/file actions without explicit instruction.
- Browser automation (Playwright, Cypress, Puppeteer) MUST run in headless mode. Never launch a visible browser — it collides with the user's display and active session.
### Secrets handling (HARD RULE)
- Vault is the canonical source-of-truth for every secret in every environment. No exceptions.
- For k8s workloads, the default read path is **External Secrets Operator → k8s Secret → env var** (`secretKeyRef`). The app reads standard env vars; no Vault client in app code.
- Direct-Vault clients in application code are **opt-in only**, justified per-app by a documented dynamic-secrets requirement (e.g., DB rotation, AWS STS). Default to ESO. Document the justification in the project's README under "Secrets architecture".
- `${VAR:-default}` fallback syntax in any deployment configuration (compose, k8s manifests, Helm values, env files committed to git) is **forbidden** for required values. Use `${VAR:?VAR is required}` to fast-fail. Defaults are allowed only for true conveniences (e.g. `${PORT:-3000}`) and MUST be tagged `# safe-default: <reason>` so a reviewer can confirm the intent.
- `.env` files in production deployment paths are **forbidden**. `.env.example` and `.env` in local-dev paths are fine.
- App startup MUST validate required secrets against a schema (zod / pydantic / equivalent) and exit non-zero on missing required values. Never run with defaulted weak fallbacks.
- New apps: bootstrap checklist (see `~/.config/mosaic/guides/BOOTSTRAP.md`) MUST include Vault path provisioning + `ExternalSecret` manifest + README declaring the Vault path and required keys.
## Session Lifecycle Contract
- Start: `scripts/agent/session-start.sh`

20
packages/mosaic/framework/guides/BOOTSTRAP.md
View File

@@ -453,26 +453,6 @@ Initialize standard labels and the first pre-MVP milestone:
---
## Secrets Bootstrap (Required for Every New App)
Every new application MUST complete the following secrets bootstrap before deploying to any non-local environment. This is a hard gate — deployment without completed secrets bootstrap is forbidden.
### Secrets bootstrap checklist
- [ ] Vault path created: `vault kv put secret/k3s/<app>/ ...` with all required secret fields
- [ ] Required secrets listed in project README under a "Secrets architecture" section, including:
- Vault path(s) used
- All required secret keys and their purpose
- Whether the app uses ESO bridge (default) or Direct-Vault (opt-in, with justification)
- [ ] `external-secret.yaml` manifest committed to repo's `deploy/` or `k8s/` directory
- [ ] Deployment YAML references the synced k8s Secret via `secretKeyRef` (not raw env vars or `.env` files)
- [ ] App startup has schema-based validation for all required env vars (zod / pydantic / envconfig equivalent) that exits non-zero on missing required values
- [ ] Direct-Vault opt-in (if applicable): justification documented in README + AppRole provisioned + bootstrap credentials stored in Vault and synced via a separate `ExternalSecret`
See `~/.config/mosaic/guides/VAULT-SECRETS.md` for full worked examples of the ESO bridge pattern, the Direct-Vault opt-in pattern, and the forbidden antipatterns.
---
## Checklist
After bootstrapping, verify:

5
packages/mosaic/framework/guides/E2E-DELIVERY.md
View File

@@ -88,11 +88,6 @@ For implementation work, you MUST run this cycle in order:
### Post-PR Hard Gate (Execute Sequentially, No Exceptions)
> **Merge authority:** if a coordinator/orchestrator session is active for this
> work, obtain the coordinator's merge go-ahead after review passes, then run
> the gate (AGENTS.md hard gate "Merge authority"). Solo delivery proceeds
> without asking.
1. `~/.config/mosaic/tools/git/ci-queue-wait.sh --purpose merge -B main`
2. `~/.config/mosaic/tools/git/pr-merge.sh -n <PR_NUMBER> -m squash`
3. `~/.config/mosaic/tools/git/pr-ci-wait.sh -n <PR_NUMBER>`

371
packages/mosaic/framework/guides/VAULT-SECRETS.md
View File

@@ -203,374 +203,3 @@ Error: token expired
3. **Audit logging** - All access is logged; act accordingly
4. **No local copies** - Don't store secrets in files or env vars long-term
5. **Rotate on compromise** - Immediately rotate any exposed secrets
---
## Secrets Architecture Decision Matrix
Use this table to choose between the ESO bridge (default) and Direct-Vault (opt-in) patterns for every new app or integration.
| Factor | ESO Bridge (default) | Direct-Vault (opt-in) |
| --------------------------- | ----------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| **Use-case** | All static secrets (DB creds, API keys, signing keys, OAuth secrets) | Dynamic creds with short TTLs (DB rotation, AWS STS, PKI), per-request audit trails, or lease renewal mid-pod-lifecycle |
| **App code change** | None — reads standard env vars via `secretKeyRef` | Requires Vault client (`hvac`, `node-vault`, `vault/api`) in application code |
| **Secret rotation** | ESO re-syncs on Vault write; pod restart or secret refresh picks up new value | App manages lease renewal or re-auth within the running process |
| **Audit granularity** | Access logged at Vault when ESO syncs; no per-request app audit | Every app request to Vault is a separate audit log entry |
| **Operational burden** | Low — ESO handles polling, sync, and k8s Secret lifecycle | Higher — app must handle auth, lease renewal, error paths, and token rotation |
| **Justification required?** | No — this is the default | Yes — document in project README under "Secrets architecture" |
| **Example use cases** | Web app DB password, OAuth client secret, JWT signing key, API token | HashiCorp DB secrets engine with 15-min TTL leases, AWS STS assume-role, Vault PKI short-lived certs |
**Decision rule:** If you are unsure, use ESO. Only justify Direct-Vault when the secret cannot be safely stored in a k8s Secret (too short-lived, per-request TTL required, or mid-lifecycle renewal needed).
---
## ESO Bridge Pattern (Default)
This is the required default for all k8s workloads. Follow this exact pattern unless a documented dynamic-secrets requirement justifies Direct-Vault.
### 1. Provision Vault path
```bash
# Write the secrets for the app (run once; use IaC/Terraform for repeatable provisioning)
vault kv put secret/k3s/<app> \
db_password="..." \
api_key="..." \
jwt_secret="..."
```
Use the canonical path structure: `secret/k3s/<app>` for k3s cluster workloads.
### 2. ExternalSecret manifest
Commit this to the repo's `deploy/` or `k8s/` directory:
```yaml
# deploy/external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: <app>-secrets
namespace: <namespace>
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend # ClusterSecretStore name — verify with cluster admin
kind: ClusterSecretStore
target:
name: <app>-secrets # k8s Secret name that will be created
creationPolicy: Owner
data:
- secretKey: DB_PASSWORD # key in the k8s Secret
remoteRef:
key: secret/k3s/<app> # Vault path
property: db_password # field within the Vault secret
- secretKey: API_KEY
remoteRef:
key: secret/k3s/<app>
property: api_key
- secretKey: JWT_SECRET
remoteRef:
key: secret/k3s/<app>
property: jwt_secret
```
### 3. Deployment manifest — reference synced k8s Secret
```yaml
# deploy/deployment.yaml (env section)
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: <app>-secrets # matches ExternalSecret target.name
key: DB_PASSWORD
- name: API_KEY
valueFrom:
secretKeyRef:
name: <app>-secrets
key: API_KEY
- name: JWT_SECRET
valueFrom:
secretKeyRef:
name: <app>-secrets
key: JWT_SECRET
- name: PORT
value: '3000' # safe-default: non-secret, no Vault needed
```
### 4. App-side schema validation — TypeScript (zod)
Validate all required env vars at startup. Exit non-zero on missing values.
```typescript
// src/env.ts
import { z } from 'zod';
const envSchema = z.object({
DB_PASSWORD: z.string().min(1, 'DB_PASSWORD is required'),
API_KEY: z.string().min(1, 'API_KEY is required'),
JWT_SECRET: z.string().min(32, 'JWT_SECRET must be at least 32 chars'),
PORT: z.coerce.number().default(3000),
NODE_ENV: z.enum(['development', 'production', 'test']).default('production'),
});
const result = envSchema.safeParse(process.env);
if (!result.success) {
console.error('Missing or invalid environment variables:');
console.error(result.error.flatten().fieldErrors);
process.exit(1);
}
export const env = result.data;
```
### 4b. App-side schema validation — Python (pydantic)
```python
# src/config.py
from pydantic_settings import BaseSettings, SettingsConfigDict
class Settings(BaseSettings):
db_password: str
api_key: str
jwt_secret: str
port: int = 3000
node_env: str = "production"
model_config = SettingsConfigDict(env_file=None) # no .env in prod
try:
settings = Settings()
except Exception as e:
import sys
print(f"Missing or invalid environment variables: {e}", file=sys.stderr)
sys.exit(1)
```
### 4c. App-side schema validation — Go (envconfig)
```go
// config/config.go
package config
import (
"fmt"
"github.com/kelseyhightower/envconfig"
)
type Config struct {
DBPassword string `envconfig:"DB_PASSWORD" required:"true"`
APIKey string `envconfig:"API_KEY" required:"true"`
JWTSecret string `envconfig:"JWT_SECRET" required:"true"`
Port int `envconfig:"PORT" default:"3000"`
}
func Load() (*Config, error) {
var cfg Config
if err := envconfig.Process("", &cfg); err != nil {
return nil, fmt.Errorf("invalid environment: %w", err)
}
return &cfg, nil
}
```
In your `main.go`:
```go
cfg, err := config.Load()
if err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
```
---
## Direct-Vault Opt-In Pattern
Use this pattern ONLY when a documented dynamic-secrets requirement applies (DB rotation with short TTLs, AWS STS, PKI, per-request audit). Document the justification in the project README under "Secrets architecture" before implementing.
### When it is justified
- Vault DB secrets engine with lease TTLs shorter than a typical pod lifecycle (< 1 hour)
- AWS STS assume-role tokens generated per-request
- Vault PKI short-lived certificates (< 24 hours) that must be renewed within a running pod
- Per-request audit trail requirement (each app call must appear separately in Vault audit log)
### Provision an AppRole for the app
```bash
# Enable AppRole auth (if not already enabled)
vault auth enable approle
# Create a Vault policy for the app
# Note: KV v2 paths require both the exact path (for the top-level secret) and the
# wildcard (for sub-paths). Always include both to avoid permission denied errors.
vault policy write <app>-policy - <<EOF
path "secret/data/k3s/<app>" {
capabilities = ["read"]
}
path "secret/data/k3s/<app>/*" {
capabilities = ["read"]
}
path "database/creds/<app>-role" {
capabilities = ["read"]
}
EOF
# Create the AppRole
vault write auth/approle/role/<app>-role \
token_policies="<app>-policy" \
token_ttl=1h \
token_max_ttl=4h \
secret_id_ttl=0
# Retrieve role-id and secret-id
vault read auth/approle/role/<app>-role/role-id
vault write -f auth/approle/role/<app>-role/secret-id
```
### Bootstrap AppRole credentials via ESO (solving the chicken-and-egg problem)
The AppRole `role-id` and `secret-id` are themselves secrets. Store them in Vault at a bootstrap path, then use ESO to sync them into a k8s Secret. The app reads that k8s Secret at startup to authenticate with Vault directly.
```bash
# Store the bootstrap credentials in Vault
vault kv put secret/k3s/<app>-bootstrap \
role_id="<role-id>" \
secret_id="<secret-id>"
```
```yaml
# deploy/external-secret-bootstrap.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: <app>-vault-auth
namespace: <namespace>
spec:
refreshInterval: 24h
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: <app>-vault-auth
creationPolicy: Owner
data:
- secretKey: VAULT_ROLE_ID
remoteRef:
key: secret/k3s/<app>-bootstrap
property: role_id
- secretKey: VAULT_SECRET_ID
remoteRef:
key: secret/k3s/<app>-bootstrap
property: secret_id
```
```yaml
# deploy/deployment.yaml (env section for Direct-Vault app)
env:
- name: VAULT_ADDR
value: 'https://vault.example.com' # safe-default: non-secret cluster address
- name: VAULT_ROLE_ID
valueFrom:
secretKeyRef:
name: <app>-vault-auth
key: VAULT_ROLE_ID
- name: VAULT_SECRET_ID
valueFrom:
secretKeyRef:
name: <app>-vault-auth
key: VAULT_SECRET_ID
```
### App-side Vault client pattern
```typescript
// src/vault-client.ts — only exists in Direct-Vault apps
import vault from 'node-vault';
import { z } from 'zod';
const bootstrapSchema = z.object({
VAULT_ADDR: z.string().url(),
VAULT_ROLE_ID: z.string().min(1),
VAULT_SECRET_ID: z.string().min(1),
});
const bootstrap = bootstrapSchema.parse(process.env);
const client = vault({ endpoint: bootstrap.VAULT_ADDR });
export async function getVaultClient() {
const { auth } = await client.approleLogin({
role_id: bootstrap.VAULT_ROLE_ID,
secret_id: bootstrap.VAULT_SECRET_ID,
});
client.token = auth.client_token;
return client;
}
```
Document in README under "Secrets architecture": the Vault path, why Direct-Vault is required, and the lease/renewal strategy.
---
## Forbidden Patterns (CI Lint Targets)
The following patterns are forbidden in all Mosaic projects. CI lint SHOULD catch these automatically (implementation tracked separately). Agents MUST NOT introduce these patterns.
### 1. Untagged fallback defaults for required values
```yaml
# FORBIDDEN — required secret with silent fallback
environment:
- DB_PASSWORD=${DB_PASSWORD:-changeme}
- API_KEY=${API_KEY:-}
# REQUIRED — fast-fail on missing required values
environment:
- DB_PASSWORD=${DB_PASSWORD:?DB_PASSWORD is required}
- API_KEY=${API_KEY:?API_KEY is required}
# ALLOWED — true convenience default, tagged
environment:
- PORT=${PORT:-3000} # safe-default: non-secret, app works at any port
```
This applies to: `docker-compose.yml`, k8s manifests, Helm `values.yaml`, any env file committed to git.
### 2. Vault KV calls in application source code (ESO-default projects)
```python
# FORBIDDEN in ESO-default apps — direct Vault client in app source
import hvac
client = hvac.Client(url=os.environ['VAULT_ADDR'])
secret = client.secrets.kv.v2.read_secret_version(path='myapp/db')
```
ESO-default apps read env vars only. Direct-Vault clients belong only in apps with a documented dynamic-secrets justification in README.
### 3. Hardcoded secrets or API keys in committed files
```python
# FORBIDDEN — hardcoded credential
DB_PASSWORD = "supersecret123"
API_KEY = "sk-live-abc123"
```
No exceptions. CI lint must flag any string matching common secret patterns (`password`, `secret`, `api_key`, `token` assigned a literal non-env-var value).
### 4. `.env` files in production deployment paths
```
# FORBIDDEN — .env file in a production deploy path
deploy/.env
k8s/.env
docker/.env
# ALLOWED — local dev only
.env.example # template only, no real values
.env # local dev, must be in .gitignore
```
`.env` files are acceptable in local-dev contexts only and MUST be in `.gitignore`. They are forbidden in any path that a CI pipeline or production deployment process reads directly.

4
packages/mosaic/framework/tools/git/ci-queue-wait.sh
View File

@@ -137,7 +137,7 @@ gitea_get_branch_head_sha() {
local branch="$3"
local token="$4"
local url="https://${host}/api/v1/repos/${repo}/branches/${branch}"
curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url" | python3 -c '
curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c '
import json, sys
data = json.load(sys.stdin)
commit = data.get("commit") or {}
@@ -151,7 +151,7 @@ gitea_get_commit_status_json() {
local sha="$3"
local token="$4"
local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url"
curl -fsSL -H "Authorization: token ${token}" "$url"
}
while [[ $# -gt 0 ]]; do

148
packages/mosaic/framework/tools/git/detect-platform.ps1
View File

@@ -55,154 +55,6 @@ function Get-GitRepoInfo {
return $repoPath
}
function Get-GitRemoteHost {
[CmdletBinding()]
param()
$remoteUrl = git remote get-url origin 2>$null
if ([string]::IsNullOrEmpty($remoteUrl)) {
Write-Error "Not a git repository or no origin remote"
return $null
}
if ($remoteUrl -match "^https?://([^/]+)/") {
$remoteHost = $Matches[1]
return ($remoteHost -replace "^.*@", "")
}
if ($remoteUrl -match "^git@([^:]+):") {
return $Matches[1]
}
return $null
}
function Get-TeaLoginList {
[CmdletBinding()]
param()
$json = tea login list --output json 2>$null
if (-not $json) {
return @()
}
try {
$items = $json | ConvertFrom-Json
} catch {
return @()
}
if ($null -eq $items) {
return @()
}
return @($items)
}
function Test-GiteaUrlMatchesHost {
[CmdletBinding()]
param(
[string]$Url,
[string]$GiteaHost
)
if ([string]::IsNullOrEmpty($Url) -or [string]::IsNullOrEmpty($GiteaHost)) {
return $false
}
try {
$uri = [Uri]$Url
return $uri.Host -eq $GiteaHost
} catch {
return $false
}
}
function Find-TeaLoginForHost {
[CmdletBinding()]
param([Parameter(Mandatory=$true)][string]$GiteaHost)
foreach ($login in Get-TeaLoginList) {
$name = if ($login.name) { [string]$login.name } elseif ($login.Name) { [string]$login.Name } else { "" }
$url = if ($login.url) { [string]$login.url } elseif ($login.URL) { [string]$login.URL } else { "" }
if ([string]::IsNullOrEmpty($name) -or [string]::IsNullOrEmpty($url)) {
continue
}
try {
$uri = [Uri]$url
if ($uri.Host -eq $GiteaHost) {
return $name
}
} catch {
continue
}
}
return $null
}
function Test-TeaLoginMatchesHost {
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)][string]$LoginName,
[Parameter(Mandatory=$true)][string]$GiteaHost
)
foreach ($login in Get-TeaLoginList) {
$name = if ($login.name) { [string]$login.name } elseif ($login.Name) { [string]$login.Name } else { "" }
$url = if ($login.url) { [string]$login.url } elseif ($login.URL) { [string]$login.URL } else { "" }
if ($name -ne $LoginName -or [string]::IsNullOrEmpty($url)) {
continue
}
try {
$uri = [Uri]$url
return $uri.Host -eq $GiteaHost
} catch {
return $false
}
}
return $false
}
function Get-GiteaLoginForHost {
[CmdletBinding()]
param([string]$GiteaHost)
if ([string]::IsNullOrEmpty($GiteaHost)) {
$GiteaHost = Get-GitRemoteHost
}
if ([string]::IsNullOrEmpty($GiteaHost)) {
return $null
}
if ($env:GITEA_LOGIN) {
if (Test-TeaLoginMatchesHost -LoginName $env:GITEA_LOGIN -GiteaHost $GiteaHost) {
return $env:GITEA_LOGIN
}
}
return Find-TeaLoginForHost -GiteaHost $GiteaHost
}
function Get-GiteaRepoArgs {
[CmdletBinding()]
param()
$repo = Get-GitRepoInfo
$hostName = Get-GitRemoteHost
$login = Get-GiteaLoginForHost -GiteaHost $hostName
if ([string]::IsNullOrEmpty($repo) -or [string]::IsNullOrEmpty($login)) {
return @()
}
return @("--repo", $repo, "--login", $login)
}
function Get-GitRepoOwner {
[CmdletBinding()]
param()

208
packages/mosaic/framework/tools/git/detect-platform.sh
View File

@@ -78,211 +78,10 @@ get_repo_slug() {
get_repo_info
}
gitea_url_matches_host() {
local url="${1:-}" host="${2:-}"
[[ -n "$url" && -n "$host" ]] || return 1
[[ "${url%/}" == "https://$host" || "${url%/}" == "http://$host" || "${url%/}" == *"//$host" ]]
}
get_gitea_service_for_host() {
local host="$1"
local cred_file="${MOSAIC_CREDENTIALS_FILE:-$HOME/src/jarvis-brain/credentials.json}"
case "$host" in
git.mosaicstack.dev)
echo "mosaicstack"
return 0
;;
git.uscllc.com)
echo "usc"
return 0
;;
esac
[[ -f "$cred_file" ]] || return 1
command -v jq >/dev/null 2>&1 || return 1
jq -r --arg host "$host" '
.gitea // {}
| to_entries[]
| select((.value.url // "" | sub("/+$"; "")) | test("https?://" + $host + "$"))
| .key
' "$cred_file" | head -n 1
}
find_tea_login_for_host() {
local host="$1"
local logins_json
command -v tea >/dev/null 2>&1 || return 1
logins_json=$(tea login list --output json 2>/dev/null) || return 1
TEA_LOGINS_JSON="$logins_json" python3 - "$host" <<'PY'
import json
import os
import sys
from urllib.parse import urlparse
host = sys.argv[1]
try:
logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
except Exception:
raise SystemExit(1)
for login in logins if isinstance(logins, list) else []:
url = str(login.get("url") or login.get("URL") or "")
name = str(login.get("name") or login.get("Name") or "")
parsed = urlparse(url)
if parsed.hostname == host and name:
print(name)
raise SystemExit(0)
raise SystemExit(1)
PY
}
tea_login_matches_host() {
local login_name="$1" host="$2"
local logins_json
command -v tea >/dev/null 2>&1 || return 1
logins_json=$(tea login list --output json 2>/dev/null) || return 1
TEA_LOGINS_JSON="$logins_json" python3 - "$login_name" "$host" <<'PY'
import json
import os
import sys
from urllib.parse import urlparse
login_name, host = sys.argv[1], sys.argv[2]
try:
logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
except Exception:
raise SystemExit(1)
for login in logins if isinstance(logins, list) else []:
url = str(login.get("url") or login.get("URL") or "")
name = str(login.get("name") or login.get("Name") or "")
parsed = urlparse(url)
if name == login_name and parsed.hostname == host:
raise SystemExit(0)
raise SystemExit(1)
PY
}
get_gitea_login_for_host() {
local host="${1:-}"
local login
if [[ -z "$host" ]]; then
host=$(get_remote_host) || return 1
fi
if [[ -n "${GITEA_LOGIN:-}" ]]; then
if tea_login_matches_host "$GITEA_LOGIN" "$host"; then
echo "$GITEA_LOGIN"
return 0
fi
fi
login=$(find_tea_login_for_host "$host" || true)
if [[ -n "$login" ]]; then
echo "$login"
return 0
fi
return 1
}
get_default_tea_login() {
local logins_json
command -v tea >/dev/null 2>&1 || return 1
logins_json=$(tea login list --output json 2>/dev/null) || return 1
TEA_LOGINS_JSON="$logins_json" python3 - <<'PY'
import json
import os
try:
logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
except Exception:
raise SystemExit(1)
if not isinstance(logins, list) or not logins:
raise SystemExit(1)
for login in logins:
if not isinstance(login, dict):
continue
is_default = str(login.get("default") or login.get("Default") or "").lower()
name = str(login.get("name") or login.get("Name") or "")
if name and is_default == "true":
print(name)
raise SystemExit(0)
for login in logins:
if not isinstance(login, dict):
continue
name = str(login.get("name") or login.get("Name") or "")
if name:
print(name)
raise SystemExit(0)
raise SystemExit(1)
PY
}
get_gitea_login_for_repo_override() {
local login
if [[ -n "${GITEA_LOGIN:-}" ]]; then
echo "$GITEA_LOGIN"
return 0
fi
login=$(get_default_tea_login || true)
if [[ -n "$login" ]]; then
echo "$login"
return 0
fi
return 1
}
get_host_from_url() {
local url="${1:-}"
[[ -n "$url" ]] || return 1
python3 - "$url" <<'PY'
import sys
from urllib.parse import urlparse
parsed = urlparse(sys.argv[1])
if parsed.hostname:
print(parsed.hostname)
raise SystemExit(0)
raise SystemExit(1)
PY
}
get_gitea_api_host_for_repo_override() {
if [[ -n "${GITEA_HOST:-}" ]]; then
echo "$GITEA_HOST"
return 0
fi
get_host_from_url "${GITEA_URL:-}"
}
get_gitea_repo_args() {
local repo host login
local repo
repo=$(get_repo_slug) || return 1
host=$(get_remote_host) || return 1
login=$(get_gitea_login_for_host "$host") || return 1
printf -- '--repo %q --login %q' "$repo" "$login"
}
get_gitea_login() {
get_gitea_login_for_host "$(get_remote_host)"
printf -- '--repo %q --login %q' "$repo" "${GITEA_LOGIN:-mosaicstack}"
}
get_remote_host() {
@@ -292,8 +91,7 @@ get_remote_host() {
return 1
fi
if [[ "$remote_url" =~ ^https?://([^/]+)/ ]]; then
local host="${BASH_REMATCH[1]}"
echo "${host##*@}"
echo "${BASH_REMATCH[1]}"
return 0
fi
if [[ "$remote_url" =~ ^git@([^:]+): ]]; then

8
packages/mosaic/framework/tools/git/issue-assign.ps1
View File

@@ -75,11 +75,6 @@ switch ($platform) {
Write-Host "Issue #$Issue updated successfully"
}
"gitea" {
$repoArgs = @(Get-GiteaRepoArgs)
if ($repoArgs.Length -eq 0) {
Write-Error "Could not resolve Gitea repo/login for remote host"
exit 1
}
$needsEdit = $false
$cmd = @("tea", "issue", "edit", $Issue)
@@ -92,7 +87,7 @@ switch ($platform) {
$needsEdit = $true
}
if ($Milestone) {
$milestoneList = tea milestones list @repoArgs 2>$null
$milestoneList = tea milestones list 2>$null
$milestoneId = ($milestoneList | Select-String "^\s*(\d+).*$Milestone" | ForEach-Object { $_.Matches.Groups[1].Value } | Select-Object -First 1)
if ($milestoneId) {
$cmd += @("--milestone", $milestoneId)
@@ -103,7 +98,6 @@ switch ($platform) {
}
if ($needsEdit) {
$cmd += $repoArgs
& $cmd[0] $cmd[1..($cmd.Length-1)]
Write-Host "Issue #$Issue updated successfully"
} else {

8
packages/mosaic/framework/tools/git/issue-assign.sh
View File

@@ -98,11 +98,7 @@ case "$PLATFORM" in
;;
gitea)
# tea issue edit syntax
REPO_ARGS=$(get_gitea_repo_args) || {
echo "Error: Could not resolve Gitea repo/login args for remote host" >&2
exit 1
}
CMD="tea issue edit $ISSUE $REPO_ARGS"
CMD="tea issue edit $ISSUE"
NEEDS_EDIT=false
if [[ -n "$ASSIGNEE" ]]; then
@@ -116,7 +112,7 @@ case "$PLATFORM" in
NEEDS_EDIT=true
fi
if [[ -n "$MILESTONE" ]]; then
MILESTONE_ID=$(tea milestones list $REPO_ARGS 2>/dev/null | grep -E "^\s*[0-9]+" | grep "$MILESTONE" | awk '{print $1}' | head -1)
MILESTONE_ID=$(tea milestones list 2>/dev/null | grep -E "^\s*[0-9]+" | grep "$MILESTONE" | awk '{print $1}' | head -1)
if [[ -n "$MILESTONE_ID" ]]; then
CMD="$CMD --milestone $MILESTONE_ID"
NEEDS_EDIT=true

48
packages/mosaic/framework/tools/git/issue-close.sh
View File

@@ -44,43 +44,10 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
fi
# Detect platform and close issue
detect_platform >/dev/null
detect_platform
OWNER=$(get_repo_owner)
REPO=$(get_repo_name)
gitea_issue_comment_api() {
local host token url payload
host=$(get_remote_host) || return 1
token=$(get_gitea_token "$host") || return 1
url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}/comments"
payload=$(COMMENT="$COMMENT" python3 - <<'PY'
import json
import os
print(json.dumps({"body": os.environ["COMMENT"]}))
PY
)
curl -fsS -X POST \
-H "User-Agent: curl/8" \
-H "Authorization: token ${token}" \
-H "Content-Type: application/json" \
-d "$payload" \
"$url" >/dev/null
}
gitea_issue_close_api() {
local host token url
host=$(get_remote_host) || return 1
token=$(get_gitea_token "$host") || return 1
url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}"
curl -fsS -X PATCH \
-H "User-Agent: curl/8" \
-H "Authorization: token ${token}" \
-H "Content-Type: application/json" \
-d '{"state":"closed"}' \
"$url" >/dev/null
}
if [[ "$PLATFORM" == "github" ]]; then
if [[ -n "$COMMENT" ]]; then
gh issue comment "$ISSUE_NUMBER" --body "$COMMENT"
@@ -88,19 +55,10 @@ if [[ "$PLATFORM" == "github" ]]; then
gh issue close "$ISSUE_NUMBER"
echo "Closed GitHub issue #$ISSUE_NUMBER"
elif [[ "$PLATFORM" == "gitea" ]]; then
GITEA_LOGIN_NAME=$(get_gitea_login || true)
if [[ -n "$GITEA_LOGIN_NAME" ]]; then
if [[ -n "$COMMENT" ]]; then
tea issue comment "$ISSUE_NUMBER" "$COMMENT" --repo "$OWNER/$REPO" --login "$GITEA_LOGIN_NAME"
fi
tea issue close "$ISSUE_NUMBER" --repo "$OWNER/$REPO" --login "$GITEA_LOGIN_NAME"
else
echo "No tea login configured for $(get_remote_host); using authenticated Gitea API fallback." >&2
if [[ -n "$COMMENT" ]]; then
gitea_issue_comment_api
fi
gitea_issue_close_api
tea issue comment "$ISSUE_NUMBER" "$COMMENT" --repo "$OWNER/$REPO" --login "${GITEA_LOGIN:-mosaicstack}"
fi
tea issue close "$ISSUE_NUMBER" --repo "$OWNER/$REPO" --login "${GITEA_LOGIN:-mosaicstack}"
echo "Closed Gitea issue #$ISSUE_NUMBER"
else
echo "Error: Unknown platform"

2
packages/mosaic/framework/tools/git/issue-comment.sh
View File

@@ -47,7 +47,7 @@ if [[ -z "$COMMENT" ]]; then
exit 1
fi
detect_platform >/dev/null
detect_platform
if [[ "$PLATFORM" == "github" ]]; then
gh issue comment "$ISSUE_NUMBER" --body "$COMMENT"

8
packages/mosaic/framework/tools/git/issue-create.ps1
View File

@@ -58,17 +58,12 @@ switch ($platform) {
& $cmd[0] $cmd[1..($cmd.Length-1)]
}
"gitea" {
$repoArgs = @(Get-GiteaRepoArgs)
if ($repoArgs.Length -eq 0) {
Write-Error "Could not resolve Gitea repo/login for remote host"
exit 1
}
$cmd = @("tea", "issue", "create", "--title", $Title)
if ($Body) { $cmd += @("--description", $Body) }
if ($Labels) { $cmd += @("--labels", $Labels) }
if ($Milestone) {
# Try to get milestone ID by name
$milestoneList = tea milestones list @repoArgs 2>$null
$milestoneList = tea milestones list 2>$null
$milestoneId = ($milestoneList | Select-String "^\s*(\d+).*$Milestone" | ForEach-Object { $_.Matches.Groups[1].Value } | Select-Object -First 1)
if ($milestoneId) {
$cmd += @("--milestone", $milestoneId)
@@ -76,7 +71,6 @@ switch ($platform) {
Write-Warning "Could not find milestone '$Milestone', creating without milestone"
}
}
$cmd += $repoArgs
& $cmd[0] $cmd[1..($cmd.Length-1)]
}
default {

8
packages/mosaic/framework/tools/git/issue-create.sh
View File

@@ -48,7 +48,6 @@ PY
url="https://${host}/api/v1/repos/${repo}/issues"
curl -fsS -X POST \
-H "User-Agent: curl/8" \
-H "Authorization: token ${token}" \
-H "Content-Type: application/json" \
-d "$payload" \
@@ -122,12 +121,7 @@ case "$PLATFORM" in
gitea)
if command -v tea >/dev/null 2>&1; then
REPO_SLUG=$(get_repo_slug)
GITEA_LOGIN_NAME=$(get_gitea_login) || {
echo "Warning: could not resolve Gitea login for tea; trying Gitea API fallback..." >&2
gitea_issue_create_api
exit $?
}
REPO_ARGS=(--repo "$REPO_SLUG" --login "$GITEA_LOGIN_NAME")
REPO_ARGS=(--repo "$REPO_SLUG" --login "${GITEA_LOGIN:-mosaicstack}")
CMD=(tea issue create "${REPO_ARGS[@]}" --title "$TITLE")
[[ -n "$BODY" ]] && CMD+=(--description "$BODY")
[[ -n "$LABELS" ]] && CMD+=(--labels "$LABELS")

8
packages/mosaic/framework/tools/git/issue-edit.sh
View File

@@ -60,7 +60,7 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
exit 1
fi
detect_platform >/dev/null
detect_platform
if [[ "$PLATFORM" == "github" ]]; then
CMD="gh issue edit $ISSUE_NUMBER"
@@ -71,11 +71,7 @@ if [[ "$PLATFORM" == "github" ]]; then
eval $CMD
echo "Updated GitHub issue #$ISSUE_NUMBER"
elif [[ "$PLATFORM" == "gitea" ]]; then
REPO_ARGS=$(get_gitea_repo_args) || {
echo "Error: Could not resolve Gitea repo/login args for remote host" >&2
exit 1
}
CMD="tea issue edit $ISSUE_NUMBER $REPO_ARGS"
CMD="tea issue edit $ISSUE_NUMBER"
[[ -n "$TITLE" ]] && CMD="$CMD --title \"$TITLE\""
[[ -n "$BODY" ]] && CMD="$CMD --description \"$BODY\""
[[ -n "$LABELS" ]] && CMD="$CMD --add-labels \"$LABELS\""

6
packages/mosaic/framework/tools/git/issue-list.ps1
View File

@@ -63,15 +63,9 @@ switch ($platform) {
& $cmd[0] $cmd[1..($cmd.Length-1)]
}
"gitea" {
$repoArgs = @(Get-GiteaRepoArgs)
if ($repoArgs.Length -eq 0) {
Write-Error "Could not resolve Gitea repo/login for remote host"
exit 1
}
$cmd = @("tea", "issues", "list", "--state", $State, "--limit", $Limit)
if ($Label) { $cmd += @("--labels", $Label) }
if ($Milestone) { $cmd += @("--milestones", $Milestone) }
$cmd += $repoArgs
& $cmd[0] $cmd[1..($cmd.Length-1)]
if ($Assignee) {
Write-Warning "Assignee filtering may require manual review for Gitea"

13
packages/mosaic/framework/tools/git/issue-list.sh
View File

@@ -98,18 +98,7 @@ case "$PLATFORM" in
"${CMD[@]}"
;;
gitea)
if [[ -n "$REPO_OVERRIDE" ]]; then
GITEA_LOGIN_NAME=$(get_gitea_login_for_repo_override) || {
echo "Error: Could not resolve Gitea login for --repo override. Set GITEA_LOGIN or configure a default tea login." >&2
exit 1
}
else
GITEA_LOGIN_NAME=$(get_gitea_login) || {
echo "Error: Could not resolve Gitea login for remote host" >&2
exit 1
}
fi
CMD=(tea issues list --repo "$REPO_INFO" --login "$GITEA_LOGIN_NAME" --state "$STATE" --limit "$LIMIT")
CMD=(tea issues list --repo "$REPO_INFO" --login "${GITEA_LOGIN:-mosaicstack}" --state "$STATE" --limit "$LIMIT")
[[ -n "$LABEL" ]] && CMD+=(--labels "$LABEL")
[[ -n "$MILESTONE" ]] && CMD+=(--milestones "$MILESTONE")
# Note: tea may not support assignee filter directly in all versions.

50
packages/mosaic/framework/tools/git/issue-reopen.sh
View File

@@ -42,42 +42,7 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
exit 1
fi
detect_platform >/dev/null
OWNER=$(get_repo_owner)
REPO=$(get_repo_name)
gitea_issue_comment_api() {
local host token url payload
host=$(get_remote_host) || return 1
token=$(get_gitea_token "$host") || return 1
url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}/comments"
payload=$(COMMENT="$COMMENT" python3 - <<'PY'
import json
import os
print(json.dumps({"body": os.environ["COMMENT"]}))
PY
)
curl -fsS -X POST \
-H "User-Agent: curl/8" \
-H "Authorization: token ${token}" \
-H "Content-Type: application/json" \
-d "$payload" \
"$url" >/dev/null
}
gitea_issue_reopen_api() {
local host token url
host=$(get_remote_host) || return 1
token=$(get_gitea_token "$host") || return 1
url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}"
curl -fsS -X PATCH \
-H "User-Agent: curl/8" \
-H "Authorization: token ${token}" \
-H "Content-Type: application/json" \
-d '{"state":"open"}' \
"$url" >/dev/null
}
detect_platform
if [[ "$PLATFORM" == "github" ]]; then
if [[ -n "$COMMENT" ]]; then
@@ -86,19 +51,10 @@ if [[ "$PLATFORM" == "github" ]]; then
gh issue reopen "$ISSUE_NUMBER"
echo "Reopened GitHub issue #$ISSUE_NUMBER"
elif [[ "$PLATFORM" == "gitea" ]]; then
REPO_ARGS=$(get_gitea_repo_args || true)
if [[ -n "$REPO_ARGS" ]]; then
if [[ -n "$COMMENT" ]]; then
tea issue comment "$ISSUE_NUMBER" "$COMMENT" $REPO_ARGS
fi
tea issue reopen "$ISSUE_NUMBER" $REPO_ARGS
else
echo "No tea login configured for $(get_remote_host); using authenticated Gitea API fallback." >&2
if [[ -n "$COMMENT" ]]; then
gitea_issue_comment_api
fi
gitea_issue_reopen_api
tea issue comment "$ISSUE_NUMBER" "$COMMENT" $(get_gitea_repo_args)
fi
tea issue reopen "$ISSUE_NUMBER" $(get_gitea_repo_args)
echo "Reopened Gitea issue #$ISSUE_NUMBER"
else
echo "Error: Unknown platform"

6
packages/mosaic/framework/tools/git/issue-view.sh
View File

@@ -29,9 +29,9 @@ gitea_issue_view_api() {
url="https://${host}/api/v1/repos/${repo}/issues/${ISSUE_NUMBER}"
if command -v python3 >/dev/null 2>&1; then
curl -fsS -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url" | python3 -m json.tool
curl -fsS -H "Authorization: token ${token}" "$url" | python3 -m json.tool
else
curl -fsS -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url"
curl -fsS -H "Authorization: token ${token}" "$url"
fi
}
@@ -61,7 +61,7 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
exit 1
fi
detect_platform >/dev/null
detect_platform
if [[ "$PLATFORM" == "github" ]]; then
gh issue view "$ISSUE_NUMBER"

8
packages/mosaic/framework/tools/git/milestone-close.sh
View File

@@ -36,17 +36,13 @@ if [[ -z "$TITLE" ]]; then
exit 1
fi
detect_platform >/dev/null
detect_platform
if [[ "$PLATFORM" == "github" ]]; then
gh api -X PATCH "/repos/{owner}/{repo}/milestones/$(gh api "/repos/{owner}/{repo}/milestones" --jq ".[] | select(.title==\"$TITLE\") | .number")" -f state=closed
echo "Closed GitHub milestone: $TITLE"
elif [[ "$PLATFORM" == "gitea" ]]; then
REPO_ARGS=$(get_gitea_repo_args) || {
echo "Error: Could not resolve Gitea repo/login for remote host" >&2
exit 1
}
tea milestone close "$TITLE" $REPO_ARGS
tea milestone close "$TITLE"
echo "Closed Gitea milestone: $TITLE"
else
echo "Error: Unknown platform"

13
packages/mosaic/framework/tools/git/milestone-create.ps1
View File

@@ -59,12 +59,7 @@ if ($List) {
gh api repos/:owner/:repo/milestones --jq '.[] | "\(.number)`t\(.title)`t\(.state)`t\(.open_issues)/\(.closed_issues) issues"'
}
"gitea" {
$repoArgs = @(Get-GiteaRepoArgs)
if ($repoArgs.Length -eq 0) {
Write-Error "Could not resolve Gitea repo/login for remote host"
exit 1
}
tea milestones list @repoArgs
tea milestones list
}
default {
Write-Error "Could not detect git platform"
@@ -90,15 +85,9 @@ switch ($platform) {
Write-Host "Milestone '$Title' created successfully"
}
"gitea" {
$repoArgs = @(Get-GiteaRepoArgs)
if ($repoArgs.Length -eq 0) {
Write-Error "Could not resolve Gitea repo/login for remote host"
exit 1
}
$cmd = @("tea", "milestones", "create", "--title", $Title)
if ($Description) { $cmd += @("--description", $Description) }
if ($Due) { $cmd += @("--deadline", $Due) }
$cmd += $repoArgs
& $cmd[0] $cmd[1..($cmd.Length-1)]
Write-Host "Milestone '$Title' created successfully"
}

18
packages/mosaic/framework/tools/git/milestone-create.sh
View File

@@ -77,11 +77,7 @@ if [[ "$LIST_ONLY" == true ]]; then
gh api repos/:owner/:repo/milestones --jq '.[] | "\(.number)\t\(.title)\t\(.state)\t\(.open_issues)/\(.closed_issues) issues"'
;;
gitea)
REPO_ARGS=$(get_gitea_repo_args) || {
echo "Error: Could not resolve Gitea repo/login for remote host" >&2
exit 1
}
tea milestones list $REPO_ARGS
tea milestones list
;;
*)
echo "Error: Could not detect git platform" >&2
@@ -108,14 +104,10 @@ case "$PLATFORM" in
echo "Milestone '$TITLE' created successfully"
;;
gitea)
REPO_ARGS=$(get_gitea_repo_args) || {
echo "Error: Could not resolve Gitea repo/login for remote host" >&2
exit 1
}
CMD=(tea milestones create --title "$TITLE")
[[ -n "$DESCRIPTION" ]] && CMD+=(--description "$DESCRIPTION")
[[ -n "$DUE_DATE" ]] && CMD+=(--deadline "$DUE_DATE")
"${CMD[@]}" $REPO_ARGS
CMD="tea milestones create --title \"$TITLE\""
[[ -n "$DESCRIPTION" ]] && CMD="$CMD --description \"$DESCRIPTION\""
[[ -n "$DUE_DATE" ]] && CMD="$CMD --deadline \"$DUE_DATE\""
eval "$CMD"
echo "Milestone '$TITLE' created successfully"
;;
*)

8
packages/mosaic/framework/tools/git/milestone-list.sh
View File

@@ -31,16 +31,12 @@ while [[ $# -gt 0 ]]; do
esac
done
detect_platform >/dev/null
detect_platform
if [[ "$PLATFORM" == "github" ]]; then
gh api "/repos/{owner}/{repo}/milestones?state=$STATE" --jq '.[] | "\(.title) (\(.state)) - \(.open_issues) open, \(.closed_issues) closed"'
elif [[ "$PLATFORM" == "gitea" ]]; then
REPO_ARGS=$(get_gitea_repo_args) || {
echo "Error: Could not resolve Gitea repo/login for remote host" >&2
exit 1
}
tea milestone list $REPO_ARGS
tea milestone list
else
echo "Error: Unknown platform"
exit 1

24
packages/mosaic/framework/tools/git/pr-ci-wait.sh
View File

@@ -11,7 +11,6 @@ PR_NUMBER=""
TIMEOUT_SEC=1800
INTERVAL_SEC=15
REPO_OVERRIDE=""
HOST_OVERRIDE=""
usage() {
cat <<EOF
@@ -20,7 +19,6 @@ Usage: $(basename "$0") -n <pr_number> [-t timeout_sec] [-i interval_sec]
Options:
-n, --number NUMBER PR number (required)
-r, --repo OWNER/REPO Repository slug (default: infer from git origin)
--host HOST Gitea host for --repo API calls (or set GITEA_HOST/GITEA_URL)
-t, --timeout SECONDS Max wait time in seconds (default: 1800)
-i, --interval SECONDS Poll interval in seconds (default: 15)
-h, --help Show this help
@@ -126,7 +124,7 @@ gitea_get_pr_head_sha() {
local repo="$2"
local token="$3"
local url="https://${host}/api/v1/repos/${repo}/pulls/${PR_NUMBER}"
curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url" | python3 -c '
curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c '
import json, sys
data = json.load(sys.stdin)
print((data.get("head") or {}).get("sha", ""))
@@ -139,7 +137,7 @@ gitea_get_commit_status_json() {
local token="$3"
local sha="$4"
local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url"
curl -fsSL -H "Authorization: token ${token}" "$url"
}
while [[ $# -gt 0 ]]; do
@@ -152,10 +150,6 @@ while [[ $# -gt 0 ]]; do
REPO_OVERRIDE="$2"
shift 2
;;
--host)
HOST_OVERRIDE="$2"
shift 2
;;
-t|--timeout)
TIMEOUT_SEC="$2"
shift 2
@@ -217,19 +211,7 @@ if [[ "$PLATFORM" == "github" ]]; then
fi
echo "[pr-ci-wait] Platform=github PR=#${PR_NUMBER} head_sha=${HEAD_SHA}"
elif [[ "$PLATFORM" == "gitea" ]]; then
if [[ -n "$HOST_OVERRIDE" ]]; then
HOST="$HOST_OVERRIDE"
elif [[ -n "$REPO_OVERRIDE" ]]; then
HOST=$(get_gitea_api_host_for_repo_override) || {
echo "Error: Gitea host is required with --repo. Pass --host or set GITEA_HOST/GITEA_URL." >&2
exit 1
}
else
HOST=$(get_remote_host) || {
echo "Error: Could not determine Gitea host from git origin." >&2
exit 1
}
fi
HOST=$(get_remote_host 2>/dev/null || echo "git.mosaicstack.dev")
TOKEN=$(get_gitea_token "$HOST") || {
echo "Error: Gitea token not found. Set GITEA_TOKEN or configure ~/.git-credentials." >&2
exit 1

2
packages/mosaic/framework/tools/git/pr-close.sh
View File

@@ -42,7 +42,7 @@ if [[ -z "$PR_NUMBER" ]]; then
exit 1
fi
detect_platform >/dev/null
detect_platform
if [[ "$PLATFORM" == "github" ]]; then
if [[ -n "$COMMENT" ]]; then

9
packages/mosaic/framework/tools/git/pr-create.ps1
View File

@@ -9,6 +9,7 @@ param(
[Alias("b")]
[string]$Body,
[Alias("B")]
[string]$Base,
[Alias("H")]
@@ -100,11 +101,6 @@ switch ($platform) {
& $cmd[0] $cmd[1..($cmd.Length-1)]
}
"gitea" {
$repoArgs = @(Get-GiteaRepoArgs)
if ($repoArgs.Length -eq 0) {
Write-Error "Could not resolve Gitea repo/login for remote host"
exit 1
}
$cmd = @("tea", "pr", "create", "--title", $Title)
if ($Body) { $cmd += @("--description", $Body) }
if ($Base) { $cmd += @("--base", $Base) }
@@ -112,7 +108,7 @@ switch ($platform) {
if ($Labels) { $cmd += @("--labels", $Labels) }
if ($Milestone) {
$milestoneList = tea milestones list @repoArgs 2>$null
$milestoneList = tea milestones list 2>$null
$milestoneId = ($milestoneList | Select-String "^\s*(\d+).*$Milestone" | ForEach-Object { $_.Matches.Groups[1].Value } | Select-Object -First 1)
if ($milestoneId) {
$cmd += @("--milestone", $milestoneId)
@@ -125,7 +121,6 @@ switch ($platform) {
Write-Warning "Draft PR may not be supported by your tea version"
}
$cmd += $repoArgs
& $cmd[0] $cmd[1..($cmd.Length-1)]
}
default {

8
packages/mosaic/framework/tools/git/pr-create.sh
View File

@@ -56,7 +56,6 @@ PY
url="https://${host}/api/v1/repos/${repo}/pulls"
curl -fsS -X POST \
-H "User-Agent: curl/8" \
-H "Authorization: token ${token}" \
-H "Content-Type: application/json" \
-d "$payload" \
@@ -178,12 +177,7 @@ case "$PLATFORM" in
# is unreliable in Mosaic worktrees/profile shells. Use arrays instead
# of eval so markdown backticks/body content are not shell-executed.
REPO_SLUG=$(get_repo_slug)
GITEA_LOGIN_NAME=$(get_gitea_login) || {
echo "Warning: could not resolve Gitea login for tea; trying Gitea API fallback..." >&2
gitea_pr_create_api
exit $?
}
REPO_ARGS=(--repo "$REPO_SLUG" --login "$GITEA_LOGIN_NAME")
REPO_ARGS=(--repo "$REPO_SLUG" --login "${GITEA_LOGIN:-mosaicstack}")
CMD=(tea pr create "${REPO_ARGS[@]}" --title "$TITLE")
[[ -n "$BODY" ]] && CMD+=(--description "$BODY")
[[ -n "$BASE_BRANCH" ]] && CMD+=(--base "$BASE_BRANCH")

26
packages/mosaic/framework/tools/git/pr-diff.sh
View File

@@ -11,7 +11,6 @@ source "$SCRIPT_DIR/detect-platform.sh"
PR_NUMBER=""
OUTPUT_FILE=""
REPO_OVERRIDE=""
HOST_OVERRIDE=""
while [[ $# -gt 0 ]]; do
case $1 in
@@ -27,17 +26,12 @@ while [[ $# -gt 0 ]]; do
REPO_OVERRIDE="$2"
shift 2
;;
--host)
HOST_OVERRIDE="$2"
shift 2
;;
-h|--help)
echo "Usage: pr-diff.sh -n <pr_number> [-r owner/repo] [--host host] [-o <output_file>]"
echo "Usage: pr-diff.sh -n <pr_number> [-r owner/repo] [-o <output_file>]"
echo ""
echo "Options:"
echo " -n, --number PR number (required)"
echo " -r, --repo Repository slug (default: infer from git origin)"
echo " --host Gitea host for --repo API calls (or set GITEA_HOST/GITEA_URL)"
echo " -o, --output Output file (optional, prints to stdout if omitted)"
echo " -h, --help Show this help"
exit 0
@@ -75,28 +69,16 @@ if [[ "$PLATFORM" == "github" ]]; then
fi
elif [[ "$PLATFORM" == "gitea" ]]; then
# tea doesn't have a direct diff command — use the API
if [[ -n "$HOST_OVERRIDE" ]]; then
HOST="$HOST_OVERRIDE"
elif [[ -n "$REPO_OVERRIDE" ]]; then
HOST=$(get_gitea_api_host_for_repo_override) || {
echo "Error: Gitea host is required with --repo. Pass --host or set GITEA_HOST/GITEA_URL." >&2
exit 1
}
else
HOST=$(get_remote_host) || {
echo "Error: Could not determine Gitea host from git origin." >&2
exit 1
}
fi
HOST=$(get_remote_host 2>/dev/null || echo "git.mosaicstack.dev")
DIFF_URL="https://${HOST}/api/v1/repos/${REPO_INFO}/pulls/${PR_NUMBER}.diff"
GITEA_API_TOKEN=$(get_gitea_token "$HOST" || true)
if [[ -n "$GITEA_API_TOKEN" ]]; then
DIFF_CONTENT=$(curl -sS -H "User-Agent: curl/8" -H "Authorization: token $GITEA_API_TOKEN" "$DIFF_URL")
DIFF_CONTENT=$(curl -sS -H "Authorization: token $GITEA_API_TOKEN" "$DIFF_URL")
else
DIFF_CONTENT=$(curl -sS -H "User-Agent: curl/8" "$DIFF_URL")
DIFF_CONTENT=$(curl -sS "$DIFF_URL")
fi
if [[ -n "$OUTPUT_FILE" ]]; then

6
packages/mosaic/framework/tools/git/pr-list.ps1
View File

@@ -58,11 +58,6 @@ switch ($platform) {
& $cmd[0] $cmd[1..($cmd.Length-1)]
}
"gitea" {
$repoArgs = @(Get-GiteaRepoArgs)
if ($repoArgs.Length -eq 0) {
Write-Error "Could not resolve Gitea repo/login for remote host"
exit 1
}
$cmd = @("tea", "pr", "list", "--state", $State, "--limit", $Limit)
if ($Label) {
@@ -72,7 +67,6 @@ switch ($platform) {
Write-Warning "Author filtering may require manual review for Gitea"
}
$cmd += $repoArgs
& $cmd[0] $cmd[1..($cmd.Length-1)]
}
default {

13
packages/mosaic/framework/tools/git/pr-list.sh
View File

@@ -93,18 +93,7 @@ case "$PLATFORM" in
"${CMD[@]}"
;;
gitea)
if [[ -n "$REPO_OVERRIDE" ]]; then
GITEA_LOGIN_NAME=$(get_gitea_login_for_repo_override) || {
echo "Error: Could not resolve Gitea login for --repo override. Set GITEA_LOGIN or configure a default tea login." >&2
exit 1
}
else
GITEA_LOGIN_NAME=$(get_gitea_login) || {
echo "Error: Could not resolve Gitea login for remote host" >&2
exit 1
}
fi
CMD=(tea pr list --repo "$REPO_INFO" --login "$GITEA_LOGIN_NAME" --state "$STATE" --limit "$LIMIT")
CMD=(tea pr list --repo "$REPO_INFO" --login "${GITEA_LOGIN:-mosaicstack}" --state "$STATE" --limit "$LIMIT")
# tea filtering may be limited
if [[ -n "$LABEL" ]]; then

6
packages/mosaic/framework/tools/git/pr-merge.ps1
View File

@@ -74,11 +74,6 @@ switch ($platform) {
& $cmd[0] $cmd[1..($cmd.Length-1)]
}
"gitea" {
$repoArgs = @(Get-GiteaRepoArgs)
if ($repoArgs.Length -eq 0) {
Write-Error "Could not resolve Gitea repo/login for remote host"
exit 1
}
if (-not $SkipQueueGuard) {
$timeout = if ($env:MOSAIC_CI_QUEUE_TIMEOUT_SEC) { [int]$env:MOSAIC_CI_QUEUE_TIMEOUT_SEC } else { 900 }
$interval = if ($env:MOSAIC_CI_QUEUE_POLL_SEC) { [int]$env:MOSAIC_CI_QUEUE_POLL_SEC } else { 15 }
@@ -92,7 +87,6 @@ switch ($platform) {
Write-Warning "Branch deletion after merge may need to be done separately with tea"
}
$cmd += $repoArgs
& $cmd[0] $cmd[1..($cmd.Length-1)]
}
default {

34
packages/mosaic/framework/tools/git/pr-merge.sh
View File

@@ -106,6 +106,34 @@ PLATFORM=$(detect_platform)
OWNER=$(get_repo_owner)
REPO=$(get_repo_name)
find_tea_login_for_host() {
local host="$1"
local logins_json
command -v tea >/dev/null 2>&1 || return 1
logins_json=$(tea login list --output json 2>/dev/null) || return 1
TEA_LOGINS_JSON="$logins_json" python3 - "$host" <<'PY'
import json
import os
import sys
host = sys.argv[1]
try:
logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
except Exception:
raise SystemExit(1)
for login in logins if isinstance(logins, list) else []:
url = str(login.get("url") or login.get("URL") or "")
name = str(login.get("name") or login.get("Name") or "")
if url.rstrip("/").endswith(host) and name:
print(name)
raise SystemExit(0)
raise SystemExit(1)
PY
}
is_known_tea_empty_identity_failure() {
local error_file="$1"
@@ -136,7 +164,6 @@ merge_gitea_with_api() {
if [[ -n "$token" ]]; then
raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" \
-X POST \
-H "User-Agent: curl/8" \
-H "Authorization: token $token" \
-H 'Content-Type: application/json' \
-d "$payload" \
@@ -152,7 +179,6 @@ merge_gitea_with_api() {
raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" \
-X POST \
-u "$basic_auth" \
-H "User-Agent: curl/8" \
-H 'Content-Type: application/json' \
-d "$payload" \
"$api_url" || true)
@@ -188,7 +214,7 @@ if [[ "$DRY_RUN" == true ]]; then
echo "Error: Cannot determine host from origin remote URL" >&2
exit 1
}
TEA_LOGIN="$(get_gitea_login_for_host "$HOST" || true)"
TEA_LOGIN="${GITEA_LOGIN:-$(find_tea_login_for_host "$HOST" || true)}"
if [[ -n "$TEA_LOGIN" ]]; then
echo "Dry run: would merge PR #$PR_NUMBER on $HOST with tea login '$TEA_LOGIN' (base=$BASE_BRANCH, method=squash)."
else
@@ -211,7 +237,7 @@ case "$PLATFORM" in
echo "Error: Cannot determine host from origin remote URL" >&2
exit 1
}
TEA_LOGIN="$(get_gitea_login_for_host "$HOST" || true)"
TEA_LOGIN="${GITEA_LOGIN:-$(find_tea_login_for_host "$HOST" || true)}"
if [[ -n "$TEA_LOGIN" ]]; then
mkdir -p "${AGENT_WORK_ROOT:-/home/hermes/agent-work}"

6
packages/mosaic/framework/tools/git/pr-metadata.sh
View File

@@ -59,7 +59,7 @@ curl_gitea_pull() {
token=$(get_gitea_token "$HOST" || true)
if [[ -n "$token" ]]; then
raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -H "User-Agent: curl/8" -H "Authorization: token $token" "$api_url" || true)
raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -H "Authorization: token $token" "$api_url" || true)
if [[ "$raw_code" =~ ^2 ]]; then
cat "$body_file"
rm -f "$body_file"
@@ -70,7 +70,7 @@ curl_gitea_pull() {
basic_auth=$(get_gitea_basic_auth "$HOST" || true)
if [[ -n "$basic_auth" ]]; then
raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -u "$basic_auth" -H "User-Agent: curl/8" "$api_url" || true)
raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -u "$basic_auth" "$api_url" || true)
if [[ "$raw_code" =~ ^2 ]]; then
cat "$body_file"
rm -f "$body_file"
@@ -80,7 +80,7 @@ curl_gitea_pull() {
fi
if [[ -z "${http_code:-}" ]]; then
raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -H "User-Agent: curl/8" "$api_url" || true)
raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" "$api_url" || true)
http_code="$raw_code"
fi

2
packages/mosaic/framework/tools/git/pr-review.sh
View File

@@ -53,7 +53,7 @@ if [[ -z "$ACTION" ]]; then
exit 1
fi
detect_platform >/dev/null
detect_platform
if [[ "$PLATFORM" == "github" ]]; then
case $ACTION in

13
packages/mosaic/framework/tools/git/pr-view.sh
View File

@@ -58,18 +58,7 @@ fi
if [[ "$PLATFORM" == "github" ]]; then
gh pr view "$PR_NUMBER" --repo "$REPO_INFO"
elif [[ "$PLATFORM" == "gitea" ]]; then
if [[ -n "$REPO_OVERRIDE" ]]; then
GITEA_LOGIN_NAME=$(get_gitea_login_for_repo_override) || {
echo "Error: Could not resolve Gitea login for --repo override. Set GITEA_LOGIN or configure a default tea login." >&2
exit 1
}
else
GITEA_LOGIN_NAME=$(get_gitea_login) || {
echo "Error: Could not resolve Gitea login for remote host" >&2
exit 1
}
fi
tea pr "$PR_NUMBER" --repo "$REPO_INFO" --login "$GITEA_LOGIN_NAME"
tea pr "$PR_NUMBER" --repo "$REPO_INFO" --login "${GITEA_LOGIN:-mosaicstack}"
else
echo "Error: Unknown platform"
exit 1

233
packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh
View File

@@ -1,233 +0,0 @@
#!/usr/bin/env bash
# Regression harness for host-specific Gitea tea login resolution.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
WORK_DIR="${MOSAIC_TEST_WORK_DIR:-$PWD/.mosaic-test-work/gitea-login-resolution}"
REPO_DIR="$WORK_DIR/repo"
BIN_DIR="$WORK_DIR/bin"
LOG_FILE="$WORK_DIR/calls.log"
CREDENTIALS_FILE="$WORK_DIR/credentials.json"
rm -rf "$WORK_DIR"
mkdir -p "$REPO_DIR" "$BIN_DIR"
git -C "$REPO_DIR" init -q
git -C "$REPO_DIR" remote add origin https://git.uscllc.com/USC/uconnect.git
cat > "$CREDENTIALS_FILE" <<'JSON'
{
"gitea": {
"mosaicstack": {
"url": "https://git.mosaicstack.dev",
"token": "mosaic-token"
},
"usc": {
"url": "https://git.uscllc.com",
"token": "usc-token"
}
}
}
JSON
cat > "$BIN_DIR/tea" <<'SH'
#!/usr/bin/env bash
set -euo pipefail
if [[ "$*" == "login list --output json" ]]; then
cat <<'JSON'
[
{"name":"evil-usc","url":"https://evilgit.uscllc.com","user":"bad.actor"},
{"name":"usc","url":"https://git.uscllc.com","user":"jason.woltje"}
]
JSON
exit 0
fi
printf 'tea %s\n' "$*" >> "$MOSAIC_TEST_LOG"
if [[ "${MOSAIC_TEA_FAIL_PR_CREATE:-}" == "1" && "$*" == pr\ create* ]]; then
echo 'GetUserByName: simulated stale login failure' >&2
exit 1
fi
exit 0
SH
cat > "$BIN_DIR/curl" <<'SH'
#!/usr/bin/env bash
set -euo pipefail
printf 'curl %s\n' "$*" >> "$MOSAIC_TEST_LOG"
url="${*: -1}"
case "$url" in
*/pulls/*.diff)
printf 'diff --git a/file b/file\n'
;;
*/pulls/*)
printf '{"head":{"sha":"abc123"}}'
;;
*/commits/*/status)
printf '{"state":"success","statuses":[{"context":"ci/mock","status":"success"}]}'
;;
*)
printf '{}'
;;
esac
SH
chmod +x "$BIN_DIR/tea" "$BIN_DIR/curl"
run_in_repo() {
(
cd "$REPO_DIR"
PATH="$BIN_DIR:$PATH" \
MOSAIC_CREDENTIALS_FILE="$CREDENTIALS_FILE" \
MOSAIC_TEST_LOG="$LOG_FILE" \
"$@"
)
}
usc_login=$(run_in_repo bash -c '
export GITEA_LOGIN=mosaicstack
export GITEA_URL=https://git.mosaicstack.dev
source "'"$SCRIPT_DIR"'/detect-platform.sh"
get_gitea_login
')
if [[ "$usc_login" != "usc" ]]; then
echo "Expected USC host to resolve tea login 'usc' despite stale mosaicstack env; got '$usc_login'" >&2
exit 1
fi
usc_login_with_usc_url=$(run_in_repo bash -c '
export GITEA_LOGIN=mosaicstack
export GITEA_URL=https://git.uscllc.com
source "'"$SCRIPT_DIR"'/detect-platform.sh"
get_gitea_login
')
if [[ "$usc_login_with_usc_url" != "usc" ]]; then
echo "Expected USC host to reject stale GITEA_LOGIN even when GITEA_URL matches USC; got '$usc_login_with_usc_url'" >&2
exit 1
fi
usc_login_without_url=$(run_in_repo bash -c '
export GITEA_LOGIN=mosaicstack
unset GITEA_URL
source "'"$SCRIPT_DIR"'/detect-platform.sh"
get_gitea_login
')
if [[ "$usc_login_without_url" != "usc" ]]; then
echo "Expected USC host to ignore unmatched GITEA_LOGIN without URL; got '$usc_login_without_url'" >&2
exit 1
fi
git -C "$REPO_DIR" remote set-url origin https://hermes:token@git.uscllc.com/USC/uconnect.git
embedded_host=$(run_in_repo bash -c '
source "'"$SCRIPT_DIR"'/detect-platform.sh"
get_remote_host
')
if [[ "$embedded_host" != "git.uscllc.com" ]]; then
echo "Expected credential-bearing remote host to strip userinfo; got '$embedded_host'" >&2
exit 1
fi
git -C "$REPO_DIR" remote set-url origin https://git.uscllc.com/USC/uconnect.git
override_login=$(run_in_repo bash -c '
export GITEA_LOGIN=usc
source "'"$SCRIPT_DIR"'/detect-platform.sh"
get_gitea_login_for_repo_override
')
if [[ "$override_login" != "usc" ]]; then
echo "Expected --repo override path to honor explicit GITEA_LOGIN; got '$override_login'" >&2
exit 1
fi
git -C "$REPO_DIR" remote set-url origin https://git.mosaicstack.dev/mosaicstack/stack.git
: > "$LOG_FILE"
run_in_repo env GITEA_LOGIN=usc "$SCRIPT_DIR/issue-list.sh" --repo USC/uconnect -n 1
grep -q -- 'tea issues list --repo USC/uconnect --login usc' "$LOG_FILE"
git -C "$REPO_DIR" remote set-url origin https://git.uscllc.com/USC/uconnect.git
: > "$LOG_FILE"
run_in_repo "$SCRIPT_DIR/issue-close.sh" -i 42
grep -q -- 'tea issue close 42 --repo USC/uconnect --login usc' "$LOG_FILE"
if grep -q -- '--login mosaicstack' "$LOG_FILE"; then
echo "issue-close.sh used hardcoded mosaicstack login on USC host" >&2
exit 1
fi
: > "$LOG_FILE"
run_in_repo "$SCRIPT_DIR/milestone-list.sh"
grep -q -- 'tea milestone list --repo USC/uconnect --login usc' "$LOG_FILE"
: > "$LOG_FILE"
run_in_repo "$SCRIPT_DIR/milestone-create.sh" -t "0.2.0" -d "USC milestone"
grep -q -- 'tea milestones create --title 0.2.0 --description USC milestone --repo USC/uconnect --login usc' "$LOG_FILE"
: > "$LOG_FILE"
run_in_repo "$SCRIPT_DIR/milestone-close.sh" -t "0.2.0"
grep -q -- 'tea milestone close 0.2.0 --repo USC/uconnect --login usc' "$LOG_FILE"
if command -v pwsh >/dev/null 2>&1; then
: > "$LOG_FILE"
run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/issue-list.ps1" -Limit 1
grep -q -- 'tea issues list --state open --limit 1 --repo USC/uconnect --login usc' "$LOG_FILE"
: > "$LOG_FILE"
run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/issue-create.ps1" -Title "PowerShell issue"
grep -q -- 'tea issue create --title PowerShell issue --repo USC/uconnect --login usc' "$LOG_FILE"
: > "$LOG_FILE"
run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/pr-list.ps1" -Limit 1
grep -q -- 'tea pr list --state open --limit 1 --repo USC/uconnect --login usc' "$LOG_FILE"
: > "$LOG_FILE"
run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/pr-create.ps1" -Title "PowerShell PR"
grep -q -- 'tea pr create --title PowerShell PR --head master --repo USC/uconnect --login usc' "$LOG_FILE"
: > "$LOG_FILE"
run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/pr-merge.ps1" -Number 42 -SkipQueueGuard
grep -q -- 'tea pr merge 42 --style squash --repo USC/uconnect --login usc' "$LOG_FILE"
: > "$LOG_FILE"
run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/milestone-create.ps1" -List
grep -q -- 'tea milestones list --repo USC/uconnect --login usc' "$LOG_FILE"
fi
: > "$LOG_FILE"
if run_in_repo "$SCRIPT_DIR/pr-diff.sh" --repo USC/uconnect -n 7 >/dev/null 2>&1; then
echo "Expected pr-diff.sh --repo without host to fail loud" >&2
exit 1
fi
if grep -q -- 'git.mosaicstack.dev/api/v1/repos/USC/uconnect' "$LOG_FILE"; then
echo "pr-diff.sh --repo defaulted API host to git.mosaicstack.dev" >&2
exit 1
fi
: > "$LOG_FILE"
run_in_repo env GITEA_URL=https://git.uscllc.com "$SCRIPT_DIR/pr-diff.sh" --repo USC/uconnect -n 7 >/dev/null
grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls/7.diff' "$LOG_FILE"
: > "$LOG_FILE"
run_in_repo "$SCRIPT_DIR/pr-ci-wait.sh" --repo USC/uconnect --host git.uscllc.com -n 9 -t 2 -i 1
grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls/9' "$LOG_FILE"
grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/commits/abc123/status' "$LOG_FILE"
: > "$LOG_FILE"
run_in_repo env MOSAIC_TEA_FAIL_PR_CREATE=1 GITEA_TOKEN=usc-token GITEA_URL=https://git.uscllc.com "$SCRIPT_DIR/pr-create.sh" -t "USC API fallback" -H feature/pr-create
grep -q -- 'tea pr create --repo USC/uconnect --login usc --title USC API fallback --head feature/pr-create' "$LOG_FILE"
grep -q -- 'curl .*Authorization: token usc-token .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls' "$LOG_FILE"
if grep -q -- 'git.mosaicstack.dev/api/v1/repos/USC/uconnect/pulls' "$LOG_FILE"; then
echo "pr-create.sh API fallback defaulted USC repo to git.mosaicstack.dev" >&2
exit 1
fi
git -C "$REPO_DIR" remote set-url origin https://git.mosaicstack.dev/mosaicstack/stack.git
: > "$LOG_FILE"
run_in_repo env GITEA_TOKEN=mosaic-token GITEA_URL=https://git.mosaicstack.dev "$SCRIPT_DIR/issue-close.sh" -i 536
grep -q -- 'curl .*https://git.mosaicstack.dev/api/v1/repos/mosaicstack/stack/issues/536' "$LOG_FILE"
if grep -q -- 'tea issue close 536 .*--login mosaicstack' "$LOG_FILE"; then
echo "issue-close.sh invented a mosaicstack tea login instead of using API fallback" >&2
exit 1
fi
echo "Gitea login resolution regression harness passed"

9
packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh
View File

@@ -23,10 +23,6 @@ cat > "$MOCK_BIN/tea" <<'EOF'
set -euo pipefail
printf 'tea %q ' "$@" >> "$PR_MERGE_TEST_LOG"
printf '\n' >> "$PR_MERGE_TEST_LOG"
if [[ "$*" == *"login list"* ]]; then
echo '[{"name":"git.mosaicstack.dev","url":"https://git.mosaicstack.dev"}]'
exit 0
fi
if [[ "$*" == *"pr merge"* ]]; then
echo 'user does not exist [uid: 0, name: ]' >&2
exit 1
@@ -103,7 +99,6 @@ git remote add origin https://git.mosaicstack.dev/mosaicstack/stack.git
export PATH="$MOCK_BIN:$PATH"
export PR_MERGE_TEST_LOG="$LOG_FILE"
export GITEA_LOGIN="git.mosaicstack.dev"
export GITEA_URL="https://git.mosaicstack.dev"
export GITEA_TOKEN="redacted-test-token"
OUTPUT="$SANDBOX/output.log"
@@ -132,10 +127,6 @@ cat > "$MOCK_BIN/tea" <<'EOF'
set -euo pipefail
printf 'tea %q ' "$@" >> "$PR_MERGE_TEST_LOG"
printf '\n' >> "$PR_MERGE_TEST_LOG"
if [[ "$*" == *"login list"* ]]; then
echo '[{"name":"git.mosaicstack.dev","url":"https://git.mosaicstack.dev"}]'
exit 0
fi
if [[ "$*" == *"pr merge"* ]]; then
echo 'tea network timeout' >&2
exit 2

2
packages/mosaic/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@mosaicstack/mosaic",
"version": "0.0.31",
"version": "0.0.30",
"repository": {
"type": "git",
"url": "https://git.mosaicstack.dev/mosaicstack/stack.git",

4
packages/mosaic/src/commands/git-wrapper-redirects.spec.ts
View File

@@ -15,8 +15,8 @@ describe('Gitea git wrapper API calls', () => {
(scriptName) => {
const script = readGitTool(scriptName);
expect(script).not.toMatch(/curl -fsS\s+(?:-H "[^"]+"\s+)*-H "Authorization: token/);
expect(script).toMatch(/curl -fsSL\s+(?:-H "[^"]+"\s+)*-H "Authorization: token/);
expect(script).not.toContain('curl -fsS -H "Authorization: token');
expect(script).toContain('curl -fsSL -H "Authorization: token');
},
);
});