mosaicstack/stack
1
0
Fork 0
Code Issues 19 Pull Requests Actions Packages Projects Releases 13 Wiki Activity

Compare commits

base: mosaicstack:fed-v0.2.0-m2
Branches Tags
mosaicstack:main mosaicstack:chore/federation-m2-close mosaicstack:docs/federation-m2-docs mosaicstack:fix/federation-m2-security mosaicstack:feat/federation-m2-e2e mosaicstack:feat/federation-m2-integration mosaicstack:feat/federation-m2-ca-service mosaicstack:fix/federation-test-stack-healthcheck mosaicstack:deploy/gateway-image-update mosaicstack:feat/federation-m2-stepca mosaicstack:feat/federation-m2-scope-schema mosaicstack:fix/gateway-dockerfile-pnpm-deploy mosaicstack:docs/federation-s21-tracking mosaicstack:feat/federation-m2-schema mosaicstack:feat/federation-m1-doctor mosaicstack:feat/federation-m1-migrate mosaicstack:feat/federation-m1-detector mosaicstack:feat/federation-m1-pgvector mosaicstack:feat/federation-m1-compose mosaicstack:feat/federation-m1-tier-config mosaicstack:docs/mvp-mission-manifest mosaicstack:docs/federation-planning mosaicstack:release/mosaic-v0.0.29 mosaicstack:fix/installer-idempotent-creds mosaicstack:feat/framework-superpowers-enforcement mosaicstack:feat/install-ux-intent mosaicstack:feat/install-ux-polish mosaicstack:docs/iuv-m01-complete mosaicstack:fix/build-vitest-allowdefault mosaicstack:fix/bootstrap-hotfix mosaicstack:docs/install-ux-v2-scaffold mosaicstack:release/mosaic-v0.0.25 mosaicstack:docs/iuh-mission-complete mosaicstack:feat/unified-first-run mosaicstack:docs/iuh-m02-complete mosaicstack:feat/wizard-remediation mosaicstack:feat/mosaic-macp-cli mosaicstack:fix/gateway-token-recovery-review mosaicstack:feat/mosaic-auth-cli mosaicstack:feat/mosaic-forge-cli-v2 mosaicstack:feat/mosaic-storage-cli mosaicstack:feat/mosaic-memory-cli mosaicstack:feat/gateway-token-recovery mosaicstack:feat/mosaic-forge-cli mosaicstack:feat/mosaic-config-command mosaicstack:feat/mosaic-queue-cli mosaicstack:feat/mosaic-brain-cli mosaicstack:feat/mosaic-help-alphabetize mosaicstack:docs/gateway-token-recovery-plan mosaicstack:chore/bump-mosaic-0.0.21 mosaicstack:fix/populate-known-packages-list mosaicstack:fix/publish-loud-errors mosaicstack:fix/gitea-org-rename mosaicstack:fix/gateway-install-ux mosaicstack:fix/rename-mosaic-scope-391 mosaicstack:fix/db-memory-queue-publish-drift mosaicstack:fix/updater-wrapper-gitea-387 mosaicstack:fix/config-package-version-drift mosaicstack:fix/updater-mosaic-package-382 mosaicstack:fix/merge-cli-into-mosaic mosaicstack:fix/metapackage-cli-dep mosaicstack:chore/bump-cli-mosaic-0.0.16 mosaicstack:fix/gateway-deprecation-warnings mosaicstack:fix/gateway-install-prefix-eacces mosaicstack:chore/gateway-default-port-14242 mosaicstack:fix/gateway-scoped-registry mosaicstack:fix/gateway-install-registry mosaicstack:chore/bump-0.0.11 mosaicstack:feat/gateway-local-tier mosaicstack:feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3 mosaicstack:fix/pnpm-build-scripts mosaicstack:fix/storage-sqlite-ci mosaicstack:feat/storage-abstraction mosaicstack:fix/idempotent-init
mosaicstack:fed-v0.2.0-m2 mosaicstack:fed-v0.1.0-m1 mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4
..
compare: mosaicstack:v0.1.0
Branches Tags
mosaicstack:main mosaicstack:chore/federation-m2-close mosaicstack:docs/federation-m2-docs mosaicstack:fix/federation-m2-security mosaicstack:feat/federation-m2-e2e mosaicstack:feat/federation-m2-integration mosaicstack:feat/federation-m2-ca-service mosaicstack:fix/federation-test-stack-healthcheck mosaicstack:deploy/gateway-image-update mosaicstack:feat/federation-m2-stepca mosaicstack:feat/federation-m2-scope-schema mosaicstack:fix/gateway-dockerfile-pnpm-deploy mosaicstack:docs/federation-s21-tracking mosaicstack:feat/federation-m2-schema mosaicstack:feat/federation-m1-doctor mosaicstack:feat/federation-m1-migrate mosaicstack:feat/federation-m1-detector mosaicstack:feat/federation-m1-pgvector mosaicstack:feat/federation-m1-compose mosaicstack:feat/federation-m1-tier-config mosaicstack:docs/mvp-mission-manifest mosaicstack:docs/federation-planning mosaicstack:release/mosaic-v0.0.29 mosaicstack:fix/installer-idempotent-creds mosaicstack:feat/framework-superpowers-enforcement mosaicstack:feat/install-ux-intent mosaicstack:feat/install-ux-polish mosaicstack:docs/iuv-m01-complete mosaicstack:fix/build-vitest-allowdefault mosaicstack:fix/bootstrap-hotfix mosaicstack:docs/install-ux-v2-scaffold mosaicstack:release/mosaic-v0.0.25 mosaicstack:docs/iuh-mission-complete mosaicstack:feat/unified-first-run mosaicstack:docs/iuh-m02-complete mosaicstack:feat/wizard-remediation mosaicstack:feat/mosaic-macp-cli mosaicstack:fix/gateway-token-recovery-review mosaicstack:feat/mosaic-auth-cli mosaicstack:feat/mosaic-forge-cli-v2 mosaicstack:feat/mosaic-storage-cli mosaicstack:feat/mosaic-memory-cli mosaicstack:feat/gateway-token-recovery mosaicstack:feat/mosaic-forge-cli mosaicstack:feat/mosaic-config-command mosaicstack:feat/mosaic-queue-cli mosaicstack:feat/mosaic-brain-cli mosaicstack:feat/mosaic-help-alphabetize mosaicstack:docs/gateway-token-recovery-plan mosaicstack:chore/bump-mosaic-0.0.21 mosaicstack:fix/populate-known-packages-list mosaicstack:fix/publish-loud-errors mosaicstack:fix/gitea-org-rename mosaicstack:fix/gateway-install-ux mosaicstack:fix/rename-mosaic-scope-391 mosaicstack:fix/db-memory-queue-publish-drift mosaicstack:fix/updater-wrapper-gitea-387 mosaicstack:fix/config-package-version-drift mosaicstack:fix/updater-mosaic-package-382 mosaicstack:fix/merge-cli-into-mosaic mosaicstack:fix/metapackage-cli-dep mosaicstack:chore/bump-cli-mosaic-0.0.16 mosaicstack:fix/gateway-deprecation-warnings mosaicstack:fix/gateway-install-prefix-eacces mosaicstack:chore/gateway-default-port-14242 mosaicstack:fix/gateway-scoped-registry mosaicstack:fix/gateway-install-registry mosaicstack:chore/bump-0.0.11 mosaicstack:feat/gateway-local-tier mosaicstack:feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3 mosaicstack:fix/pnpm-build-scripts mosaicstack:fix/storage-sqlite-ci mosaicstack:feat/storage-abstraction mosaicstack:fix/idempotent-init
mosaicstack:fed-v0.2.0-m2 mosaicstack:fed-v0.1.0-m1 mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4

1 Commits
fed-v0.2.0 ... v0.1.0

Author SHA1 Message Date
Jason Woltje
66dd3ee995 chore: add agent column to TASKS.md schema 2026-03-19 20:07:25 -05:00
892 changed files with 2303 additions and 133206 deletions
Expand all files Collapse all files

41
.env.example
View File

@@ -23,8 +23,8 @@ VALKEY_URL=redis://localhost:6380
# ─── Gateway ─────────────────────────────────────────────────────────────────
# TCP port the NestJS/Fastify gateway listens on (default: 14242)
GATEWAY_PORT=14242
# TCP port the NestJS/Fastify gateway listens on (default: 4000)
GATEWAY_PORT=4000
# Comma-separated list of allowed CORS origins.
# Must include the web app origin in production.
@@ -37,12 +37,12 @@ GATEWAY_CORS_ORIGIN=http://localhost:3000
BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string
# Public base URL of the gateway (used by BetterAuth for callback URLs)
BETTER_AUTH_URL=http://localhost:14242
BETTER_AUTH_URL=http://localhost:4000
# ─── Web App (Next.js) ───────────────────────────────────────────────────────
# Public gateway URL — accessible from the browser, not just the server.
NEXT_PUBLIC_GATEWAY_URL=http://localhost:14242
NEXT_PUBLIC_GATEWAY_URL=http://localhost:4000
# ─── OpenTelemetry ───────────────────────────────────────────────────────────
@@ -62,15 +62,9 @@ OTEL_SERVICE_NAME=mosaic-gateway
# Comma-separated list of Ollama model IDs to register (default: llama3.2,codellama,mistral)
# OLLAMA_MODELS=llama3.2,codellama,mistral
# Anthropic (claude-sonnet-4-6, claude-opus-4-6, claude-haiku-4-5)
# ANTHROPIC_API_KEY=sk-ant-...
# OpenAI (gpt-4o, gpt-4o-mini, o3-mini)
# OpenAI — required for embedding and log-summarization features
# OPENAI_API_KEY=sk-...
# Z.ai / GLM (glm-4.5, glm-4.5-air, glm-4.5-flash)
# ZAI_API_KEY=...
# Custom providers — JSON array of provider configs
# Format: [{"id":"<id>","baseUrl":"<url>","apiKey":"<key>","models":[{"id":"<model-id>","name":"<label>"}]}]
# MOSAIC_CUSTOM_PROVIDERS=
@@ -121,34 +115,15 @@ OTEL_SERVICE_NAME=mosaic-gateway
# ─── Discord Plugin (optional — set DISCORD_BOT_TOKEN to enable) ─────────────
# DISCORD_BOT_TOKEN=
# DISCORD_GUILD_ID=
# DISCORD_GATEWAY_URL=http://localhost:14242
# DISCORD_GATEWAY_URL=http://localhost:4000
# ─── Telegram Plugin (optional — set TELEGRAM_BOT_TOKEN to enable) ───────────
# TELEGRAM_BOT_TOKEN=
# TELEGRAM_GATEWAY_URL=http://localhost:14242
# TELEGRAM_GATEWAY_URL=http://localhost:4000
# ─── SSO Providers (add credentials to enable) ───────────────────────────────
# --- Authentik (optional — set AUTHENTIK_CLIENT_ID to enable) ---
# ─── Authentik SSO (optional — set AUTHENTIK_CLIENT_ID to enable) ────────────
# AUTHENTIK_ISSUER=https://auth.example.com/application/o/mosaic/
# AUTHENTIK_CLIENT_ID=
# AUTHENTIK_CLIENT_SECRET=
# --- WorkOS (optional — set WORKOS_CLIENT_ID to enable) ---
# WORKOS_ISSUER=https://your-company.authkit.app
# WORKOS_CLIENT_ID=client_...
# WORKOS_CLIENT_SECRET=sk_live_...
# --- Keycloak (optional — set KEYCLOAK_CLIENT_ID to enable) ---
# KEYCLOAK_ISSUER=https://auth.example.com/realms/master
# Legacy alternative if you prefer to compose the issuer from separate vars:
# KEYCLOAK_URL=https://auth.example.com
# KEYCLOAK_REALM=master
# KEYCLOAK_CLIENT_ID=mosaic
# KEYCLOAK_CLIENT_SECRET=
# Feature flags — set to true alongside provider credentials to show SSO buttons in the UI
# NEXT_PUBLIC_WORKOS_ENABLED=true
# NEXT_PUBLIC_KEYCLOAK_ENABLED=true

3
.gitignore vendored
View File

@@ -9,6 +9,3 @@ coverage
*.tsbuildinfo
.pnpm-store
docs/reports/
# Step-CA dev password — real file is gitignored; commit only the .example
infra/step-ca/dev-password

2
.npmrc
View File

@@ -1 +1 @@
@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaicstack/npm/
@mosaic:registry=https://git.mosaicstack.dev/api/packages/mosaic/npm/

31
.woodpecker/ci.yml
View File

@@ -15,7 +15,6 @@ steps:
image: *node_image
commands:
- corepack enable
- apk add --no-cache python3 make g++
- pnpm install --frozen-lockfile
typecheck:
@@ -45,30 +44,18 @@ steps:
test:
image: *node_image
environment:
DATABASE_URL: postgresql://mosaic:mosaic@postgres:5432/mosaic
commands:
- *enable_pnpm
# Install postgresql-client for pg_isready
- apk add --no-cache postgresql-client
# Wait up to 30s for postgres to be ready
- |
for i in $(seq 1 30); do
pg_isready -h postgres -p 5432 -U mosaic && break
echo "Waiting for postgres ($i/30)..."
sleep 1
done
# Run migrations (DATABASE_URL is set in environment above)
- pnpm --filter @mosaicstack/db run db:migrate
# Run all tests
- pnpm test
depends_on:
- typecheck
services:
postgres:
image: pgvector/pgvector:pg17
environment:
POSTGRES_USER: mosaic
POSTGRES_PASSWORD: mosaic
POSTGRES_DB: mosaic
build:
image: *node_image
commands:
- *enable_pnpm
- pnpm build
depends_on:
- lint
- format
- test

140
.woodpecker/publish.yml
View File

@@ -1,140 +0,0 @@
# Build, publish npm packages, and push Docker images
# Runs only on main branch push/tag
variables:
- &node_image 'node:22-alpine'
- &enable_pnpm 'corepack enable'
when:
- branch: [main]
event: [push, manual, tag]
steps:
install:
image: *node_image
commands:
- corepack enable
- pnpm install --frozen-lockfile
build:
image: *node_image
commands:
- *enable_pnpm
- pnpm build
depends_on:
- install
publish-npm:
image: *node_image
environment:
NPM_TOKEN:
from_secret: gitea_token
commands:
- *enable_pnpm
# Configure auth for Gitea npm registry
- |
echo "//git.mosaicstack.dev/api/packages/mosaicstack/npm/:_authToken=$NPM_TOKEN" > ~/.npmrc
echo "@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaicstack/npm/" >> ~/.npmrc
# Publish non-private packages to Gitea.
#
# The only publish failure we tolerate is "version already exists" —
# that legitimately happens when only some packages were bumped in
# the merge. Any other failure (registry 404, auth error, network
# error) MUST fail the pipeline loudly: the previous
# `|| echo "... continuing"` fallback silently hid a 404 from the
# Gitea org rename and caused every @mosaicstack/* publish to fall
# on the floor while CI still reported green.
- |
# Portable sh (Alpine ash) — avoid bashisms like PIPESTATUS.
set +e
pnpm --filter "@mosaicstack/*" --filter "!@mosaicstack/web" publish --no-git-checks --access public >/tmp/publish.log 2>&1
EXIT=$?
set -e
cat /tmp/publish.log
if [ "$EXIT" -eq 0 ]; then
echo "[publish] all packages published successfully"
exit 0
fi
# Hard registry / auth / network errors → fatal. Match npm's own
# error lines specifically to avoid false positives on arbitrary
# log text that happens to contain "E404" etc.
if grep -qE "npm (error|ERR!) code (E404|E401|ENEEDAUTH|ECONNREFUSED|ETIMEDOUT|ENOTFOUND)" /tmp/publish.log; then
echo "[publish] FATAL: registry/auth/network error detected — failing pipeline" >&2
exit 1
fi
# Only tolerate the explicit "version already published" case.
# npm returns this as E403 with body "You cannot publish over..."
# or EPUBLISHCONFLICT depending on version.
if grep -qE "EPUBLISHCONFLICT|You cannot publish over|previously published" /tmp/publish.log; then
echo "[publish] some packages already at this version — continuing (non-fatal)"
exit 0
fi
echo "[publish] FATAL: publish failed with unrecognized error — failing pipeline" >&2
exit 1
depends_on:
- build
# TODO: Uncomment when ready to publish to npmjs.org
# publish-npmjs:
# image: *node_image
# environment:
# NPM_TOKEN:
# from_secret: npmjs_token
# commands:
# - *enable_pnpm
# - apk add --no-cache jq bash
# - bash scripts/publish-npmjs.sh
# depends_on:
# - build
# when:
# - event: [tag]
build-gateway:
image: gcr.io/kaniko-project/executor:debug
environment:
REGISTRY_USER:
from_secret: gitea_username
REGISTRY_PASS:
from_secret: gitea_password
CI_COMMIT_BRANCH: ${CI_COMMIT_BRANCH}
CI_COMMIT_TAG: ${CI_COMMIT_TAG}
CI_COMMIT_SHA: ${CI_COMMIT_SHA}
commands:
- mkdir -p /kaniko/.docker
- echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASS\"}}}" > /kaniko/.docker/config.json
- |
DESTINATIONS="--destination git.mosaicstack.dev/mosaicstack/stack/gateway:sha-${CI_COMMIT_SHA:0:7}"
if [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/gateway:latest"
fi
if [ -n "$CI_COMMIT_TAG" ]; then
DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/gateway:$CI_COMMIT_TAG"
fi
/kaniko/executor --context . --dockerfile docker/gateway.Dockerfile $DESTINATIONS
depends_on:
- build
build-web:
image: gcr.io/kaniko-project/executor:debug
environment:
REGISTRY_USER:
from_secret: gitea_username
REGISTRY_PASS:
from_secret: gitea_password
CI_COMMIT_BRANCH: ${CI_COMMIT_BRANCH}
CI_COMMIT_TAG: ${CI_COMMIT_TAG}
CI_COMMIT_SHA: ${CI_COMMIT_SHA}
commands:
- mkdir -p /kaniko/.docker
- echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASS\"}}}" > /kaniko/.docker/config.json
- |
DESTINATIONS="--destination git.mosaicstack.dev/mosaicstack/stack/web:sha-${CI_COMMIT_SHA:0:7}"
if [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/web:latest"
fi
if [ -n "$CI_COMMIT_TAG" ]; then
DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/web:$CI_COMMIT_TAG"
fi
/kaniko/executor --context . --dockerfile docker/web.Dockerfile $DESTINATIONS
depends_on:
- build

37
AGENTS.md
View File

@@ -21,11 +21,11 @@ Mosaic Stack is a self-hosted, multi-user AI agent platform. TypeScript monorepo
| `apps/web` | Next.js dashboard | React 19, Tailwind |
| `packages/types` | Shared TypeScript contracts | class-validator |
| `packages/db` | Drizzle ORM schema + migrations | drizzle-orm, postgres |
| `packages/auth` | BetterAuth configuration | better-auth, @mosaicstack/db |
| `packages/brain` | Data layer (PG-backed) | @mosaicstack/db |
| `packages/auth` | BetterAuth configuration | better-auth, @mosaic/db |
| `packages/brain` | Data layer (PG-backed) | @mosaic/db |
| `packages/queue` | Valkey task queue + MCP | ioredis |
| `packages/coord` | Mission coordination | @mosaicstack/queue |
| `packages/mosaic` | Unified `mosaic` CLI + TUI | Ink, Pi SDK, commander |
| `packages/coord` | Mission coordination | @mosaic/queue |
| `packages/cli` | Unified CLI + Pi TUI | Ink, Pi SDK |
| `plugins/discord` | Discord channel plugin | discord.js |
| `plugins/telegram` | Telegram channel plugin | Telegraf |
@@ -33,9 +33,9 @@ Mosaic Stack is a self-hosted, multi-user AI agent platform. TypeScript monorepo
1. Gateway is the single API surface — all clients connect through it
2. Pi SDK is ESM-only — gateway and CLI must use ESM
3. Socket.IO typed events defined in `@mosaicstack/types` enforce compile-time contracts
3. Socket.IO typed events defined in `@mosaic/types` enforce compile-time contracts
4. OTEL auto-instrumentation loads before NestJS bootstrap
5. BetterAuth manages auth tables; schema defined in `@mosaicstack/db`
5. BetterAuth manages auth tables; schema defined in `@mosaic/db`
6. Docker Compose provides PG (5433), Valkey (6380), OTEL Collector (4317/4318), Jaeger (16686)
7. Explicit `@Inject()` decorators required in NestJS (tsx/esbuild doesn't emit decorator metadata)
@@ -53,28 +53,3 @@ pnpm typecheck && pnpm lint && pnpm format:check # Quality gates
- ESM everywhere (`"type": "module"`, `.js` extensions in imports)
- NodeNext module resolution in all tsconfigs
- Scratchpads are mandatory for non-trivial tasks
## docs/TASKS.md — Schema (CANONICAL)
The `agent` column specifies the required model for each task. **This is set at task creation by the orchestrator and must not be changed by workers.**
| Value | When to use | Budget |
| --------- | ----------------------------------------------------------- | -------------------------- |
| `codex` | All coding tasks (default for implementation) | OpenAI credits — preferred |
| `glm-5.1` | Cost-sensitive coding where Codex is unavailable | Z.ai credits |
| `haiku` | Review gates, verify tasks, status checks, docs-only | Cheapest Claude tier |
| `sonnet` | Complex planning, multi-file reasoning, architecture review | Claude quota |
| `opus` | Major cross-cutting architecture decisions ONLY | Most expensive — minimize |
| `—` | No preference / auto-select cheapest capable | Pipeline decides |
Pipeline crons read this column and spawn accordingly. Workers never modify `docs/TASKS.md` — only the orchestrator writes it.
**Full schema:**
```
| id | status | description | issue | agent | repo | branch | depends_on | estimate | notes |
```
- `status`: `not-started` | `in-progress` | `done` | `failed` | `blocked` | `needs-qa`
- `agent`: model value from table above (set before spawning)
- `estimate`: token budget e.g. `8K`, `25K`

10
CLAUDE.md
View File

@@ -10,7 +10,7 @@ Self-hosted, multi-user AI agent platform. TypeScript monorepo.
- **Web**: Next.js 16 + React 19 (`apps/web`)
- **ORM**: Drizzle ORM + PostgreSQL 17 + pgvector (`packages/db`)
- **Auth**: BetterAuth (`packages/auth`)
- **Agent**: Pi SDK (`packages/agent`, `packages/mosaic`)
- **Agent**: Pi SDK (`packages/agent`, `packages/cli`)
- **Queue**: Valkey 8 (`packages/queue`)
- **Build**: pnpm workspaces + Turborepo
- **CI**: Woodpecker CI
@@ -26,13 +26,13 @@ pnpm test # Vitest (all packages)
pnpm build # Build all packages
# Database
pnpm --filter @mosaicstack/db db:push # Push schema to PG (dev)
pnpm --filter @mosaicstack/db db:generate # Generate migrations
pnpm --filter @mosaicstack/db db:migrate # Run migrations
pnpm --filter @mosaic/db db:push # Push schema to PG (dev)
pnpm --filter @mosaic/db db:generate # Generate migrations
pnpm --filter @mosaic/db db:migrate # Run migrations
# Dev
docker compose up -d # Start PG, Valkey, OTEL, Jaeger
pnpm --filter @mosaicstack/gateway exec tsx src/main.ts # Start gateway
pnpm --filter @mosaic/gateway exec tsx src/main.ts # Start gateway
```
## Conventions

362
README.md
View File

@@ -1,362 +0,0 @@
# Mosaic Stack
Self-hosted, multi-user AI agent platform. One config, every runtime, same standards.
Mosaic gives you a unified launcher for Claude Code, Codex, OpenCode, and Pi — injecting consistent system prompts, guardrails, skills, and mission context into every session. A NestJS gateway provides the API surface, a Next.js dashboard gives you the UI, and a plugin system connects Discord, Telegram, and more.
## Quick Install
```bash
curl -fsSL https://mosaicstack.dev/install.sh | bash
```
Or use the direct URL:
```bash
bash <(curl -fsSL https://git.mosaicstack.dev/mosaicstack/stack/raw/branch/main/tools/install.sh)
```
The installer auto-launches the setup wizard, which walks you through gateway install and verification. Flags for non-interactive use:
```bash
bash <(curl -fsSL …) --yes # Accept all defaults
bash <(curl -fsSL …) --yes --no-auto-launch # Install only, skip wizard
```
This installs both components:
| Component | What | Where |
| ----------------------- | ---------------------------------------------------------------- | -------------------- |
| **Framework** | Bash launcher, guides, runtime configs, tools, skills | `~/.config/mosaic/` |
| **@mosaicstack/mosaic** | Unified `mosaic` CLI — TUI, gateway client, wizard, auto-updater | `~/.npm-global/bin/` |
After install, the wizard runs automatically or you can invoke it manually:
```bash
mosaic wizard # Full guided setup (gateway install → verify)
```
### Requirements
- Node.js ≥ 20
- npm (for global @mosaicstack/mosaic install)
- One or more runtimes: [Claude Code](https://docs.anthropic.com/en/docs/claude-code), [Codex](https://github.com/openai/codex), [OpenCode](https://opencode.ai), or [Pi](https://github.com/mariozechner/pi-coding-agent)
## Usage
### Launching Agent Sessions
```bash
mosaic pi # Launch Pi with Mosaic injection
mosaic claude # Launch Claude Code with Mosaic injection
mosaic codex # Launch Codex with Mosaic injection
mosaic opencode # Launch OpenCode with Mosaic injection
mosaic yolo claude # Claude with dangerous-permissions mode
mosaic yolo pi # Pi in yolo mode
```
The launcher verifies your config, checks for `SOUL.md`, injects your `AGENTS.md` standards into the runtime, and forwards all arguments.
### TUI & Gateway
```bash
mosaic tui # Interactive TUI connected to the gateway
mosaic gateway login # Authenticate with a gateway instance
mosaic sessions list # List active agent sessions
```
### Gateway Management
```bash
mosaic gateway install # Install and configure the gateway service
mosaic gateway verify # Post-install health check
mosaic gateway login # Authenticate and store a session token
mosaic gateway config rotate-token # Rotate your API token
mosaic gateway config recover-token # Recover a token via BetterAuth cookie
```
If you already have a gateway account but no token, use `mosaic gateway config recover-token` to retrieve one without recreating your account.
### Configuration
Mosaic supports three storage tiers: `local` (PGlite, single-host), `standalone` (PostgreSQL, single-host), and `federated` (PostgreSQL + pgvector + Valkey, multi-host). See [Federated Tier Setup](docs/federation/SETUP.md) for multi-user and production deployments, or [Migrating to Federated](docs/guides/migrate-tier.md) to upgrade from existing tiers.
```bash
mosaic config show # Print full config as JSON
mosaic config get <key> # Read a specific key
mosaic config set <key> <val># Write a key
mosaic config edit # Open config in $EDITOR
mosaic config path # Print config file path
```
### Management
```bash
mosaic doctor # Health audit — detect drift and missing files
mosaic sync # Sync skills from canonical source
mosaic update # Check for and install CLI updates
mosaic wizard # Full guided setup wizard
mosaic bootstrap <path> # Bootstrap a repo with Mosaic standards
mosaic coord init # Initialize a new orchestration mission
mosaic prdy init # Create a PRD via guided session
```
### Sub-package Commands
Each Mosaic sub-package exposes its API surface through the unified CLI:
```bash
# User management
mosaic auth users list
mosaic auth users create
mosaic auth sso
# Agent brain (projects, missions, tasks)
mosaic brain projects
mosaic brain missions
mosaic brain tasks
mosaic brain conversations
# Agent forge pipeline
mosaic forge run
mosaic forge status
mosaic forge resume
mosaic forge personas
# Structured logging
mosaic log tail
mosaic log search
mosaic log export
mosaic log level
# MACP protocol
mosaic macp tasks
mosaic macp submit
mosaic macp gate
mosaic macp events
# Agent memory
mosaic memory search
mosaic memory stats
mosaic memory insights
mosaic memory preferences
# Task queue (Valkey)
mosaic queue list
mosaic queue stats
mosaic queue pause
mosaic queue resume
mosaic queue jobs
mosaic queue drain
# Object storage
mosaic storage status
mosaic storage tier
mosaic storage export
mosaic storage import
mosaic storage migrate
```
### Telemetry
```bash
# Local observability (OTEL / Jaeger)
mosaic telemetry local status
mosaic telemetry local tail
mosaic telemetry local jaeger
# Remote telemetry (dry-run by default)
mosaic telemetry status
mosaic telemetry opt-in
mosaic telemetry opt-out
mosaic telemetry test
mosaic telemetry upload # Dry-run unless opted in
```
Consent state is persisted in config. Remote upload is a no-op until you run `mosaic telemetry opt-in`.
## Development
### Prerequisites
- Node.js ≥ 20
- pnpm 10.6+
- Docker & Docker Compose
### Setup
```bash
git clone git@git.mosaicstack.dev:mosaicstack/stack.git
cd stack
# Start infrastructure (Postgres, Valkey, Jaeger)
docker compose up -d
# Install dependencies
pnpm install
# Run migrations
pnpm --filter @mosaicstack/db run db:migrate
# Start all services in dev mode
pnpm dev
```
### Infrastructure
Docker Compose provides:
| Service | Port | Purpose |
| --------------------- | --------- | ---------------------- |
| PostgreSQL (pgvector) | 5433 | Primary database |
| Valkey | 6380 | Task queue + caching |
| Jaeger | 16686 | Distributed tracing UI |
| OTEL Collector | 4317/4318 | Telemetry ingestion |
### Quality Gates
```bash
pnpm typecheck # TypeScript type checking (all packages)
pnpm lint # ESLint (all packages)
pnpm test # Vitest (all packages)
pnpm format:check # Prettier check
pnpm format # Prettier auto-fix
```
### CI
Woodpecker CI runs on every push:
- `pnpm install --frozen-lockfile`
- Database migration against a fresh Postgres
- `pnpm test` (Turbo-orchestrated across all packages)
npm packages are published to the Gitea package registry on main merges.
## Architecture
```
stack/
├── apps/
│ ├── gateway/ NestJS API + WebSocket hub (Fastify, Socket.IO, OTEL)
│ └── web/ Next.js dashboard (React 19, Tailwind)
├── packages/
│ ├── mosaic/ Unified CLI — TUI, gateway client, wizard, sub-package commands
│ ├── types/ Shared TypeScript contracts (Socket.IO typed events)
│ ├── db/ Drizzle ORM schema + migrations (pgvector)
│ ├── auth/ BetterAuth configuration
│ ├── brain/ Data layer (PG-backed)
│ ├── queue/ Valkey task queue + MCP
│ ├── coord/ Mission coordination
│ ├── forge/ Multi-stage AI pipeline (intake → board → plan → code → review)
│ ├── macp/ MACP protocol — credential resolution, gate runner, events
│ ├── agent/ Agent session management
│ ├── memory/ Agent memory layer
│ ├── log/ Structured logging
│ ├── prdy/ PRD creation and validation
│ ├── quality-rails/ Quality templates (TypeScript, Next.js, monorepo)
│ └── design-tokens/ Shared design tokens
├── plugins/
│ ├── discord/ Discord channel plugin (discord.js)
│ ├── telegram/ Telegram channel plugin (Telegraf)
│ ├── macp/ OpenClaw MACP runtime plugin
│ └── mosaic-framework/ OpenClaw framework injection plugin
├── tools/
│ └── install.sh Unified installer (framework + npm CLI, --yes / --no-auto-launch)
├── scripts/agent/ Agent session lifecycle scripts
├── docker-compose.yml Dev infrastructure
└── .woodpecker/ CI pipeline configs
```
### Key Design Decisions
- **Gateway is the single API surface** — all clients (TUI, web, Discord, Telegram) connect through it
- **ESM everywhere** — `"type": "module"`, `.js` extensions in imports, NodeNext resolution
- **Socket.IO typed events** — defined in `@mosaicstack/types`, enforced at compile time
- **OTEL auto-instrumentation** — loads before NestJS bootstrap
- **Explicit `@Inject()` decorators** — required since tsx/esbuild doesn't emit decorator metadata
### Framework (`~/.config/mosaic/`)
The framework is the bash-based standards layer installed to every developer machine:
```
~/.config/mosaic/
├── AGENTS.md ← Central standards (loaded into every runtime)
├── SOUL.md ← Agent identity (name, style, guardrails)
├── USER.md ← User profile (name, timezone, preferences)
├── TOOLS.md ← Machine-level tool reference
├── bin/mosaic ← Unified launcher (claude, codex, opencode, pi, yolo)
├── guides/ ← E2E delivery, orchestrator protocol, PRD, etc.
├── runtime/ ← Per-runtime configs (claude/, codex/, opencode/, pi/)
├── skills/ ← Universal skills (synced from agent-skills repo)
├── tools/ ← Tool suites (orchestrator, git, quality, prdy, etc.)
└── memory/ ← Persistent agent memory (preserved across upgrades)
```
### Forge Pipeline
Forge is a multi-stage AI pipeline for autonomous feature delivery:
```
Intake → Discovery → Board Review → Planning (3 stages) → Coding → Review → Remediation → Test → Deploy
```
Each stage has a dispatch mode (`exec` for research/review, `yolo` for coding), quality gates, and timeouts. The board review uses multiple AI personas (CEO, CTO, CFO, COO + specialists) to evaluate briefs before committing resources.
## Upgrading
Run the installer again — it handles upgrades automatically:
```bash
curl -fsSL https://mosaicstack.dev/install.sh | bash
```
Or use the direct URL:
```bash
bash <(curl -fsSL https://git.mosaicstack.dev/mosaicstack/stack/raw/branch/main/tools/install.sh)
```
Or use the CLI:
```bash
mosaic update # Check + install CLI updates
mosaic update --check # Check only, don't install
```
The CLI also performs a background update check on every invocation (cached for 1 hour).
### Installer Flags
```bash
bash tools/install.sh --check # Version check only
bash tools/install.sh --framework # Framework only (skip npm CLI)
bash tools/install.sh --cli # npm CLI only (skip framework)
bash tools/install.sh --ref v1.0 # Install from a specific git ref
bash tools/install.sh --yes # Non-interactive, accept all defaults
bash tools/install.sh --no-auto-launch # Skip auto-launch of wizard
```
## Contributing
```bash
# Create a feature branch
git checkout -b feat/my-feature
# Make changes, then verify
pnpm typecheck && pnpm lint && pnpm test && pnpm format:check
# Commit (husky runs lint-staged automatically)
git commit -m "feat: description of change"
# Push and create PR
git push -u origin feat/my-feature
```
DTOs go in `*.dto.ts` files at module boundaries. Scratchpads (`docs/scratchpads/`) are mandatory for non-trivial tasks. See `AGENTS.md` for the full standards reference.
## License
Proprietary — all rights reserved.

61
apps/gateway/package.json
View File

@@ -1,23 +1,9 @@
{
"name": "@mosaicstack/gateway",
"version": "0.0.6",
"repository": {
"type": "git",
"url": "https://git.mosaicstack.dev/mosaicstack/stack.git",
"directory": "apps/gateway"
},
"name": "@mosaic/gateway",
"version": "0.0.0",
"private": true,
"type": "module",
"main": "dist/main.js",
"bin": {
"mosaic-gateway": "dist/main.js"
},
"files": [
"dist"
],
"publishConfig": {
"registry": "https://git.mosaicstack.dev/api/packages/mosaicstack/npm/",
"access": "public"
},
"scripts": {
"build": "tsc",
"dev": "tsx watch src/main.ts",
@@ -26,49 +12,40 @@
"test": "vitest run --passWithNoTests"
},
"dependencies": {
"@anthropic-ai/sdk": "^0.80.0",
"@fastify/helmet": "^13.0.2",
"@mariozechner/pi-ai": "^0.65.0",
"@mariozechner/pi-coding-agent": "^0.65.0",
"@mariozechner/pi-ai": "~0.57.1",
"@mariozechner/pi-coding-agent": "~0.57.1",
"@modelcontextprotocol/sdk": "^1.27.1",
"@mosaicstack/auth": "workspace:^",
"@mosaicstack/brain": "workspace:^",
"@mosaicstack/config": "workspace:^",
"@mosaicstack/coord": "workspace:^",
"@mosaicstack/db": "workspace:^",
"@mosaicstack/discord-plugin": "workspace:^",
"@mosaicstack/log": "workspace:^",
"@mosaicstack/memory": "workspace:^",
"@mosaicstack/queue": "workspace:^",
"@mosaicstack/storage": "workspace:^",
"@mosaicstack/telegram-plugin": "workspace:^",
"@mosaicstack/types": "workspace:^",
"@mosaic/auth": "workspace:^",
"@mosaic/queue": "workspace:^",
"@mosaic/brain": "workspace:^",
"@mosaic/coord": "workspace:^",
"@mosaic/db": "workspace:^",
"@mosaic/discord-plugin": "workspace:^",
"@mosaic/log": "workspace:^",
"@mosaic/memory": "workspace:^",
"@mosaic/telegram-plugin": "workspace:^",
"@mosaic/types": "workspace:^",
"@nestjs/common": "^11.0.0",
"@nestjs/core": "^11.0.0",
"@nestjs/platform-fastify": "^11.0.0",
"@nestjs/platform-socket.io": "^11.0.0",
"@nestjs/throttler": "^6.5.0",
"@nestjs/websockets": "^11.0.0",
"@opentelemetry/auto-instrumentations-node": "^0.72.0",
"@opentelemetry/auto-instrumentations-node": "^0.71.0",
"@opentelemetry/exporter-metrics-otlp-http": "^0.213.0",
"@opentelemetry/exporter-trace-otlp-http": "^0.213.0",
"@opentelemetry/resources": "^2.6.0",
"@opentelemetry/sdk-metrics": "^2.6.0",
"@opentelemetry/sdk-node": "^0.213.0",
"@opentelemetry/semantic-conventions": "^1.40.0",
"@peculiar/x509": "^2.0.0",
"@sinclair/typebox": "^0.34.48",
"better-auth": "^1.5.5",
"bullmq": "^5.71.0",
"class-transformer": "^0.5.1",
"class-validator": "^0.15.1",
"dotenv": "^17.3.1",
"fastify": "^5.0.0",
"ioredis": "^5.10.0",
"jose": "^6.2.2",
"node-cron": "^4.2.1",
"openai": "^6.32.0",
"postgres": "^3.4.8",
"reflect-metadata": "^0.2.0",
"rxjs": "^7.8.0",
"socket.io": "^4.8.0",
@@ -76,17 +53,11 @@
"zod": "^4.3.6"
},
"devDependencies": {
"@nestjs/testing": "^11.1.18",
"@swc/core": "^1.15.24",
"@swc/helpers": "^0.5.21",
"@types/node": "^22.0.0",
"@types/node-cron": "^3.0.11",
"@types/supertest": "^7.2.0",
"@types/uuid": "^10.0.0",
"supertest": "^7.2.2",
"tsx": "^4.0.0",
"typescript": "^5.8.0",
"unplugin-swc": "^1.5.9",
"vitest": "^2.0.0"
}
}

605
apps/gateway/src/__tests__/conversation-persistence.test.ts
View File

@@ -1,605 +0,0 @@
/**
* Integration tests for conversation persistence and context resume (M1-008).
*
* Verifies the full flow end-to-end using in-memory mocks:
* 1. User messages are persisted when sent via ChatGateway.
* 2. Assistant responses are persisted with metadata on agent:end.
* 3. Conversation history is loaded and injected into context on session resume.
* 4. The search endpoint returns matching messages.
*/
import { BadRequestException, NotFoundException } from '@nestjs/common';
import { describe, expect, it, vi, beforeEach } from 'vitest';
import type { ConversationHistoryMessage } from '../agent/agent.service.js';
import { ConversationsController } from '../conversations/conversations.controller.js';
import type { Message } from '@mosaicstack/brain';
// ---------------------------------------------------------------------------
// Shared test data
// ---------------------------------------------------------------------------
const USER_ID = 'user-test-001';
const CONV_ID = 'conv-test-001';
function makeConversation(overrides?: Record<string, unknown>) {
return {
id: CONV_ID,
userId: USER_ID,
title: null,
projectId: null,
archived: false,
createdAt: new Date('2026-01-01T00:00:00Z'),
updatedAt: new Date('2026-01-01T00:00:00Z'),
...overrides,
};
}
function makeMessage(
role: 'user' | 'assistant' | 'system',
content: string,
overrides?: Record<string, unknown>,
) {
return {
id: `msg-${role}-${Math.random().toString(36).slice(2)}`,
conversationId: CONV_ID,
role,
content,
metadata: null,
createdAt: new Date('2026-01-01T00:01:00Z'),
...overrides,
};
}
// ---------------------------------------------------------------------------
// Helper: build a mock ConversationsRepo
// ---------------------------------------------------------------------------
function createMockBrain(options?: {
conversation?: ReturnType<typeof makeConversation> | undefined;
messages?: ReturnType<typeof makeMessage>[];
searchResults?: Array<{
messageId: string;
conversationId: string;
conversationTitle: string | null;
role: 'user' | 'assistant' | 'system';
content: string;
createdAt: Date;
}>;
}) {
const conversation = options?.conversation;
const messages = options?.messages ?? [];
const searchResults = options?.searchResults ?? [];
return {
conversations: {
findAll: vi.fn().mockResolvedValue(conversation ? [conversation] : []),
findById: vi.fn().mockResolvedValue(conversation),
create: vi.fn().mockResolvedValue(conversation ?? makeConversation()),
update: vi.fn().mockResolvedValue(conversation),
remove: vi.fn().mockResolvedValue(true),
findMessages: vi.fn().mockResolvedValue(messages),
addMessage: vi.fn().mockImplementation((data: unknown) => {
const d = data as {
conversationId: string;
role: 'user' | 'assistant' | 'system';
content: string;
metadata?: Record<string, unknown>;
};
return Promise.resolve(makeMessage(d.role, d.content, { metadata: d.metadata ?? null }));
}),
searchMessages: vi.fn().mockResolvedValue(searchResults),
},
};
}
// ---------------------------------------------------------------------------
// 1. ConversationsRepo: addMessage persists user message
// ---------------------------------------------------------------------------
describe('ConversationsRepo.addMessage — user message persistence', () => {
it('persists a user message and returns the saved record', async () => {
const brain = createMockBrain({ conversation: makeConversation() });
const result = await brain.conversations.addMessage(
{
conversationId: CONV_ID,
role: 'user',
content: 'Hello, agent!',
metadata: { timestamp: '2026-01-01T00:01:00.000Z' },
},
USER_ID,
);
expect(brain.conversations.addMessage).toHaveBeenCalledOnce();
expect(result).toBeDefined();
expect(result!.role).toBe('user');
expect(result!.content).toBe('Hello, agent!');
expect(result!.conversationId).toBe(CONV_ID);
});
it('returns undefined when conversation does not belong to the user', async () => {
// Simulate the repo enforcement: ownership mismatch returns undefined
const brain = createMockBrain({ conversation: undefined });
brain.conversations.addMessage = vi.fn().mockResolvedValue(undefined);
const result = await brain.conversations.addMessage(
{ conversationId: CONV_ID, role: 'user', content: 'Hello' },
'other-user',
);
expect(result).toBeUndefined();
});
});
// ---------------------------------------------------------------------------
// 2. ConversationsRepo.addMessage — assistant response with metadata
// ---------------------------------------------------------------------------
describe('ConversationsRepo.addMessage — assistant response metadata', () => {
it('persists assistant message with model, provider, tokens and toolCalls metadata', async () => {
const assistantMetadata = {
timestamp: '2026-01-01T00:02:00.000Z',
model: 'claude-3-5-sonnet-20241022',
provider: 'anthropic',
toolCalls: [
{
toolCallId: 'tc-001',
toolName: 'read_file',
args: { path: '/foo/bar.ts' },
isError: false,
},
],
tokenUsage: {
input: 1000,
output: 250,
cacheRead: 0,
cacheWrite: 0,
total: 1250,
},
};
const brain = createMockBrain({ conversation: makeConversation() });
const result = await brain.conversations.addMessage(
{
conversationId: CONV_ID,
role: 'assistant',
content: 'Here is the file content you requested.',
metadata: assistantMetadata,
},
USER_ID,
);
expect(result).toBeDefined();
expect(result!.role).toBe('assistant');
expect(result!.content).toBe('Here is the file content you requested.');
expect(result!.metadata).toMatchObject({
model: 'claude-3-5-sonnet-20241022',
provider: 'anthropic',
tokenUsage: { input: 1000, output: 250, total: 1250 },
});
expect((result!.metadata as Record<string, unknown>)['toolCalls']).toHaveLength(1);
expect(
(
(result!.metadata as Record<string, unknown>)['toolCalls'] as Array<Record<string, unknown>>
)[0]!['toolName'],
).toBe('read_file');
});
});
// ---------------------------------------------------------------------------
// 3. ChatGateway.loadConversationHistory — session resume loads history
// ---------------------------------------------------------------------------
describe('Conversation resume — history loading', () => {
it('maps DB messages to ConversationHistoryMessage shape', () => {
// Simulate what ChatGateway.loadConversationHistory does:
// convert DB Message rows to ConversationHistoryMessage for context injection.
const dbMessages = [
makeMessage('user', 'What is the capital of France?', {
createdAt: new Date('2026-01-01T00:01:00Z'),
}),
makeMessage('assistant', 'The capital of France is Paris.', {
createdAt: new Date('2026-01-01T00:01:05Z'),
}),
makeMessage('user', 'And Germany?', { createdAt: new Date('2026-01-01T00:02:00Z') }),
makeMessage('assistant', 'The capital of Germany is Berlin.', {
createdAt: new Date('2026-01-01T00:02:05Z'),
}),
];
// Replicate the mapping logic from ChatGateway
const history: ConversationHistoryMessage[] = dbMessages.map((msg) => ({
role: msg.role as 'user' | 'assistant' | 'system',
content: msg.content,
createdAt: msg.createdAt,
}));
expect(history).toHaveLength(4);
expect(history[0]).toEqual({
role: 'user',
content: 'What is the capital of France?',
createdAt: new Date('2026-01-01T00:01:00Z'),
});
expect(history[1]).toEqual({
role: 'assistant',
content: 'The capital of France is Paris.',
createdAt: new Date('2026-01-01T00:01:05Z'),
});
expect(history[2]!.role).toBe('user');
expect(history[3]!.role).toBe('assistant');
});
it('returns empty array when conversation has no messages', async () => {
const brain = createMockBrain({ conversation: makeConversation(), messages: [] });
const messages = await brain.conversations.findMessages(CONV_ID, USER_ID);
expect(messages).toHaveLength(0);
// Gateway produces empty history → no context injection
const history: ConversationHistoryMessage[] = (messages as Message[]).map((msg) => ({
role: msg.role as 'user' | 'assistant' | 'system',
content: msg.content,
createdAt: msg.createdAt,
}));
expect(history).toHaveLength(0);
});
it('returns empty array when conversation does not belong to the user', async () => {
const brain = createMockBrain({ conversation: undefined });
brain.conversations.findMessages = vi.fn().mockResolvedValue([]);
const messages = await brain.conversations.findMessages(CONV_ID, 'other-user');
expect(messages).toHaveLength(0);
});
it('preserves message order (ascending by createdAt)', async () => {
const ordered = [
makeMessage('user', 'First', { createdAt: new Date('2026-01-01T00:01:00Z') }),
makeMessage('assistant', 'Second', { createdAt: new Date('2026-01-01T00:01:05Z') }),
makeMessage('user', 'Third', { createdAt: new Date('2026-01-01T00:02:00Z') }),
];
const brain = createMockBrain({ conversation: makeConversation(), messages: ordered });
const messages = await brain.conversations.findMessages(CONV_ID, USER_ID);
expect(messages[0]!.content).toBe('First');
expect(messages[1]!.content).toBe('Second');
expect(messages[2]!.content).toBe('Third');
});
});
// ---------------------------------------------------------------------------
// 4. AgentService.buildHistoryPromptSection — context injection format
// ---------------------------------------------------------------------------
describe('AgentService — buildHistoryPromptSection (context injection)', () => {
/**
* Replicate the private method logic to test it in isolation.
* The real method lives in AgentService but is private; we mirror the
* exact logic here so the test is independent of the service's constructor.
*/
function buildHistoryPromptSection(
history: ConversationHistoryMessage[],
contextWindow: number,
_sessionId: string,
): string {
const TOKEN_BUDGET = Math.floor(contextWindow * 0.8);
const HISTORY_HEADER = '## Conversation History (resumed session)\n\n';
const formatMessage = (msg: ConversationHistoryMessage): string => {
const roleLabel =
msg.role === 'user' ? 'User' : msg.role === 'assistant' ? 'Assistant' : 'System';
return `**${roleLabel}:** ${msg.content}`;
};
const estimateTokens = (text: string) => Math.ceil(text.length / 4);
const formatted = history.map((msg) => formatMessage(msg));
const fullHistory = formatted.join('\n\n');
const fullTokens = estimateTokens(HISTORY_HEADER + fullHistory);
if (fullTokens <= TOKEN_BUDGET) {
return HISTORY_HEADER + fullHistory;
}
// History exceeds budget — summarize oldest messages, keep recent verbatim
const SUMMARY_RESERVE = Math.floor(TOKEN_BUDGET * 0.2);
const verbatimBudget = TOKEN_BUDGET - SUMMARY_RESERVE;
let verbatimTokens = 0;
let verbatimCutIndex = history.length;
for (let i = history.length - 1; i >= 0; i--) {
const t = estimateTokens(formatted[i]!);
if (verbatimTokens + t > verbatimBudget) break;
verbatimTokens += t;
verbatimCutIndex = i;
}
const summarizedMessages = history.slice(0, verbatimCutIndex);
const verbatimMessages = history.slice(verbatimCutIndex);
let summaryText = '';
if (summarizedMessages.length > 0) {
const topics = summarizedMessages
.filter((m) => m.role === 'user')
.map((m) => m.content.slice(0, 120).replace(/\n/g, ' '))
.join('; ');
summaryText =
`**Previous conversation summary** (${summarizedMessages.length} messages omitted for brevity):\n` +
`Topics discussed: ${topics || '(no user messages in summarized portion)'}`;
}
const verbatimSection = verbatimMessages.map((m) => formatMessage(m)).join('\n\n');
const parts: string[] = [HISTORY_HEADER];
if (summaryText) parts.push(summaryText);
if (verbatimSection) parts.push(verbatimSection);
return parts.join('\n\n');
}
it('includes header and all messages when history fits within context budget', () => {
const history: ConversationHistoryMessage[] = [
{ role: 'user', content: 'Hello', createdAt: new Date() },
{ role: 'assistant', content: 'Hi there!', createdAt: new Date() },
];
const result = buildHistoryPromptSection(history, 8192, 'session-1');
expect(result).toContain('## Conversation History (resumed session)');
expect(result).toContain('**User:** Hello');
expect(result).toContain('**Assistant:** Hi there!');
});
it('labels roles correctly (user, assistant, system)', () => {
const history: ConversationHistoryMessage[] = [
{ role: 'system', content: 'You are helpful.', createdAt: new Date() },
{ role: 'user', content: 'Ping', createdAt: new Date() },
{ role: 'assistant', content: 'Pong', createdAt: new Date() },
];
const result = buildHistoryPromptSection(history, 8192, 'session-2');
expect(result).toContain('**System:** You are helpful.');
expect(result).toContain('**User:** Ping');
expect(result).toContain('**Assistant:** Pong');
});
it('summarizes old messages when history exceeds 80% of context window', () => {
// Create enough messages to exceed a tiny context window budget
const longContent = 'A'.repeat(200);
const history: ConversationHistoryMessage[] = Array.from({ length: 20 }, (_, i) => ({
role: (i % 2 === 0 ? 'user' : 'assistant') as 'user' | 'assistant',
content: `${longContent} message ${i}`,
createdAt: new Date(),
}));
// Use a small context window so history definitely exceeds 80%
const result = buildHistoryPromptSection(history, 512, 'session-3');
// Should contain the summary prefix
expect(result).toContain('messages omitted for brevity');
expect(result).toContain('Topics discussed:');
});
it('returns only header for empty history', () => {
const result = buildHistoryPromptSection([], 8192, 'session-4');
// With empty history, the full history join is '' and the section is just the header
expect(result).toContain('## Conversation History (resumed session)');
});
});
// ---------------------------------------------------------------------------
// 5. ConversationsController.search — GET /api/conversations/search
// ---------------------------------------------------------------------------
describe('ConversationsController — search endpoint', () => {
let brain: ReturnType<typeof createMockBrain>;
let controller: ConversationsController;
beforeEach(() => {
const searchResults = [
{
messageId: 'msg-001',
conversationId: CONV_ID,
conversationTitle: 'Test Chat',
role: 'user' as const,
content: 'What is the capital of France?',
createdAt: new Date('2026-01-01T00:01:00Z'),
},
{
messageId: 'msg-002',
conversationId: CONV_ID,
conversationTitle: 'Test Chat',
role: 'assistant' as const,
content: 'The capital of France is Paris.',
createdAt: new Date('2026-01-01T00:01:05Z'),
},
];
brain = createMockBrain({ searchResults });
controller = new ConversationsController(brain as never);
});
it('returns matching messages for a valid search query', async () => {
const results = await controller.search({ q: 'France' }, { id: USER_ID });
expect(brain.conversations.searchMessages).toHaveBeenCalledWith(USER_ID, 'France', 20, 0);
expect(results).toHaveLength(2);
expect(results[0]).toMatchObject({
messageId: 'msg-001',
role: 'user',
content: 'What is the capital of France?',
});
expect(results[1]).toMatchObject({
messageId: 'msg-002',
role: 'assistant',
content: 'The capital of France is Paris.',
});
});
it('uses custom limit and offset when provided', async () => {
await controller.search({ q: 'Paris', limit: 5, offset: 10 }, { id: USER_ID });
expect(brain.conversations.searchMessages).toHaveBeenCalledWith(USER_ID, 'Paris', 5, 10);
});
it('throws BadRequestException when query is empty', async () => {
await expect(controller.search({ q: '' }, { id: USER_ID })).rejects.toBeInstanceOf(
BadRequestException,
);
await expect(controller.search({ q: ' ' }, { id: USER_ID })).rejects.toBeInstanceOf(
BadRequestException,
);
});
it('trims whitespace from query before passing to repo', async () => {
await controller.search({ q: ' Berlin ' }, { id: USER_ID });
expect(brain.conversations.searchMessages).toHaveBeenCalledWith(
USER_ID,
'Berlin',
expect.any(Number),
expect.any(Number),
);
});
it('returns empty array when no messages match', async () => {
brain.conversations.searchMessages = vi.fn().mockResolvedValue([]);
const results = await controller.search({ q: 'xyzzy-no-match' }, { id: USER_ID });
expect(results).toHaveLength(0);
});
});
// ---------------------------------------------------------------------------
// 6. ConversationsController — messages CRUD
// ---------------------------------------------------------------------------
describe('ConversationsController — message CRUD', () => {
it('listMessages returns 404 when conversation is not owned by user', async () => {
const brain = createMockBrain({ conversation: undefined });
const controller = new ConversationsController(brain as never);
await expect(controller.listMessages(CONV_ID, { id: USER_ID })).rejects.toBeInstanceOf(
NotFoundException,
);
});
it('listMessages returns the messages for an owned conversation', async () => {
const msgs = [makeMessage('user', 'Test message'), makeMessage('assistant', 'Test reply')];
const brain = createMockBrain({ conversation: makeConversation(), messages: msgs });
const controller = new ConversationsController(brain as never);
const result = await controller.listMessages(CONV_ID, { id: USER_ID });
expect(result).toHaveLength(2);
expect(result[0]!.role).toBe('user');
expect(result[1]!.role).toBe('assistant');
});
it('addMessage returns the persisted message', async () => {
const brain = createMockBrain({ conversation: makeConversation() });
const controller = new ConversationsController(brain as never);
const result = await controller.addMessage(
CONV_ID,
{ role: 'user', content: 'Persisted content' },
{ id: USER_ID },
);
expect(result).toBeDefined();
expect(result.role).toBe('user');
expect(result.content).toBe('Persisted content');
});
});
// ---------------------------------------------------------------------------
// 7. End-to-end persistence flow simulation
// ---------------------------------------------------------------------------
describe('End-to-end persistence flow', () => {
it('simulates a full conversation: persist user message → persist assistant response → resume with history', async () => {
// ── Step 1: Conversation is created ────────────────────────────────────
const brain = createMockBrain({ conversation: makeConversation() });
await brain.conversations.create({ id: CONV_ID, userId: USER_ID });
expect(brain.conversations.create).toHaveBeenCalledOnce();
// ── Step 2: User message is persisted ──────────────────────────────────
const userMsg = await brain.conversations.addMessage(
{
conversationId: CONV_ID,
role: 'user',
content: 'Explain monads in simple terms.',
metadata: { timestamp: '2026-01-01T00:01:00.000Z' },
},
USER_ID,
);
expect(userMsg).toBeDefined();
expect(userMsg!.role).toBe('user');
// ── Step 3: Assistant response is persisted with metadata ───────────────
const assistantMeta = {
timestamp: '2026-01-01T00:01:10.000Z',
model: 'claude-3-5-sonnet-20241022',
provider: 'anthropic',
toolCalls: [],
tokenUsage: { input: 500, output: 120, cacheRead: 0, cacheWrite: 0, total: 620 },
};
const assistantMsg = await brain.conversations.addMessage(
{
conversationId: CONV_ID,
role: 'assistant',
content: 'A monad is a design pattern that wraps values in a context...',
metadata: assistantMeta,
},
USER_ID,
);
expect(assistantMsg).toBeDefined();
expect(assistantMsg!.role).toBe('assistant');
// ── Step 4: On session resume, history is loaded ────────────────────────
const storedMessages = [
makeMessage('user', 'Explain monads in simple terms.', {
createdAt: new Date('2026-01-01T00:01:00Z'),
metadata: { timestamp: '2026-01-01T00:01:00.000Z' },
}),
makeMessage('assistant', 'A monad is a design pattern that wraps values in a context...', {
createdAt: new Date('2026-01-01T00:01:10Z'),
metadata: assistantMeta,
}),
];
brain.conversations.findMessages = vi.fn().mockResolvedValue(storedMessages);
const dbMessages = await brain.conversations.findMessages(CONV_ID, USER_ID);
expect(dbMessages).toHaveLength(2);
// ── Step 5: History is mapped for context injection ─────────────────────
const history: ConversationHistoryMessage[] = (dbMessages as Message[]).map((msg) => ({
role: msg.role as 'user' | 'assistant' | 'system',
content: msg.content,
createdAt: msg.createdAt,
}));
expect(history[0]).toMatchObject({
role: 'user',
content: 'Explain monads in simple terms.',
});
expect(history[1]).toMatchObject({
role: 'assistant',
content: 'A monad is a design pattern that wraps values in a context...',
});
// ── Step 6: History roles are valid for injection ───────────────────────
for (const msg of history) {
expect(['user', 'assistant', 'system']).toContain(msg.role);
expect(typeof msg.content).toBe('string');
expect(msg.createdAt).toBeInstanceOf(Date);
}
});
});

485
apps/gateway/src/__tests__/cross-user-isolation.test.ts
View File

@@ -1,485 +0,0 @@
/**
* Integration test: Cross-user data isolation (M2-007)
*
* Verifies that every repository query path is scoped to the requesting user —
* no user can read, write, or enumerate another user's records.
*
* Test strategy:
* - Two real users (User A, User B) are inserted directly into the database.
* - Realistic data (conversations + messages, agent configs, preferences,
* insights) is created for each user.
* - A shared system agent is inserted so both users can see it via
* findAccessible().
* - All assertions are made against the live database (no mocks).
* - All inserted rows are cleaned up in the afterAll hook.
*
* Requires: DATABASE_URL pointing at a running PostgreSQL instance with
* pgvector enabled and the Mosaic schema already applied.
*/
import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
import { createDb } from '@mosaicstack/db';
import { createConversationsRepo } from '@mosaicstack/brain';
import { createAgentsRepo } from '@mosaicstack/brain';
import { createPreferencesRepo, createInsightsRepo } from '@mosaicstack/memory';
import { users, conversations, messages, agents, preferences, insights } from '@mosaicstack/db';
import { eq } from '@mosaicstack/db';
import type { DbHandle } from '@mosaicstack/db';
// ─── Fixed IDs so the afterAll cleanup is deterministic ──────────────────────
const USER_A_ID = 'test-iso-user-a';
const USER_B_ID = 'test-iso-user-b';
const CONV_A_ID = 'aaaaaaaa-0000-0000-0000-000000000001';
const CONV_B_ID = 'bbbbbbbb-0000-0000-0000-000000000001';
const MSG_A_ID = 'aaaaaaaa-0000-0000-0000-000000000002';
const MSG_B_ID = 'bbbbbbbb-0000-0000-0000-000000000002';
const AGENT_A_ID = 'aaaaaaaa-0000-0000-0000-000000000003';
const AGENT_B_ID = 'bbbbbbbb-0000-0000-0000-000000000003';
const AGENT_SYS_ID = 'ffffffff-0000-0000-0000-000000000001';
const PREF_A_ID = 'aaaaaaaa-0000-0000-0000-000000000004';
const PREF_B_ID = 'bbbbbbbb-0000-0000-0000-000000000004';
const INSIGHT_A_ID = 'aaaaaaaa-0000-0000-0000-000000000005';
const INSIGHT_B_ID = 'bbbbbbbb-0000-0000-0000-000000000005';
// ─── Test fixture ─────────────────────────────────────────────────────────────
let handle: DbHandle;
let dbAvailable = false;
beforeAll(async () => {
try {
handle = createDb();
const db = handle.db;
// Insert two users
await db
.insert(users)
.values([
{
id: USER_A_ID,
name: 'Isolation Test User A',
email: 'test-iso-user-a@example.invalid',
emailVerified: false,
},
{
id: USER_B_ID,
name: 'Isolation Test User B',
email: 'test-iso-user-b@example.invalid',
emailVerified: false,
},
])
.onConflictDoNothing();
// Conversations — one per user
await db
.insert(conversations)
.values([
{ id: CONV_A_ID, userId: USER_A_ID, title: 'User A conversation' },
{ id: CONV_B_ID, userId: USER_B_ID, title: 'User B conversation' },
])
.onConflictDoNothing();
// Messages — one per conversation
await db
.insert(messages)
.values([
{
id: MSG_A_ID,
conversationId: CONV_A_ID,
role: 'user',
content: 'Hello from User A',
},
{
id: MSG_B_ID,
conversationId: CONV_B_ID,
role: 'user',
content: 'Hello from User B',
},
])
.onConflictDoNothing();
// Agent configs — private agents (one per user) + one system agent
await db
.insert(agents)
.values([
{
id: AGENT_A_ID,
name: 'Agent A (private)',
provider: 'test',
model: 'test-model',
ownerId: USER_A_ID,
isSystem: false,
},
{
id: AGENT_B_ID,
name: 'Agent B (private)',
provider: 'test',
model: 'test-model',
ownerId: USER_B_ID,
isSystem: false,
},
{
id: AGENT_SYS_ID,
name: 'Shared System Agent',
provider: 'test',
model: 'test-model',
ownerId: null,
isSystem: true,
},
])
.onConflictDoNothing();
// Preferences — one per user (same key, different values)
await db
.insert(preferences)
.values([
{
id: PREF_A_ID,
userId: USER_A_ID,
key: 'theme',
value: 'dark',
category: 'appearance',
},
{
id: PREF_B_ID,
userId: USER_B_ID,
key: 'theme',
value: 'light',
category: 'appearance',
},
])
.onConflictDoNothing();
// Insights — no embedding to keep the fixture simple; embedding-based search
// is tested separately with a zero-vector that falls outside maxDistance
await db
.insert(insights)
.values([
{
id: INSIGHT_A_ID,
userId: USER_A_ID,
content: 'User A insight',
source: 'user',
category: 'general',
relevanceScore: 1.0,
},
{
id: INSIGHT_B_ID,
userId: USER_B_ID,
content: 'User B insight',
source: 'user',
category: 'general',
relevanceScore: 1.0,
},
])
.onConflictDoNothing();
dbAvailable = true;
} catch {
// Database is not reachable (e.g., CI environment without Postgres on port 5433).
// All tests in this suite will be skipped.
}
});
// Skip all tests in this file when the database is not reachable (e.g., CI without Postgres).
beforeEach((ctx) => {
if (!dbAvailable) {
ctx.skip();
}
});
afterAll(async () => {
if (!handle) return;
const db = handle.db;
// Delete in dependency order (FK constraints)
await db.delete(messages).where(eq(messages.id, MSG_A_ID));
await db.delete(messages).where(eq(messages.id, MSG_B_ID));
await db.delete(conversations).where(eq(conversations.id, CONV_A_ID));
await db.delete(conversations).where(eq(conversations.id, CONV_B_ID));
await db.delete(agents).where(eq(agents.id, AGENT_A_ID));
await db.delete(agents).where(eq(agents.id, AGENT_B_ID));
await db.delete(agents).where(eq(agents.id, AGENT_SYS_ID));
await db.delete(preferences).where(eq(preferences.id, PREF_A_ID));
await db.delete(preferences).where(eq(preferences.id, PREF_B_ID));
await db.delete(insights).where(eq(insights.id, INSIGHT_A_ID));
await db.delete(insights).where(eq(insights.id, INSIGHT_B_ID));
await db.delete(users).where(eq(users.id, USER_A_ID));
await db.delete(users).where(eq(users.id, USER_B_ID));
await handle.close();
});
// ─── Conversations isolation ──────────────────────────────────────────────────
describe('ConversationsRepo — cross-user isolation', () => {
it('User A can find their own conversation by id', async () => {
const repo = createConversationsRepo(handle.db);
const conv = await repo.findById(CONV_A_ID, USER_A_ID);
expect(conv).toBeDefined();
expect(conv!.id).toBe(CONV_A_ID);
});
it('User B cannot find User A conversation by id (returns undefined)', async () => {
const repo = createConversationsRepo(handle.db);
const conv = await repo.findById(CONV_A_ID, USER_B_ID);
expect(conv).toBeUndefined();
});
it('User A cannot find User B conversation by id (returns undefined)', async () => {
const repo = createConversationsRepo(handle.db);
const conv = await repo.findById(CONV_B_ID, USER_A_ID);
expect(conv).toBeUndefined();
});
it('findAll returns only own conversations for User A', async () => {
const repo = createConversationsRepo(handle.db);
const convs = await repo.findAll(USER_A_ID);
const ids = convs.map((c) => c.id);
expect(ids).toContain(CONV_A_ID);
expect(ids).not.toContain(CONV_B_ID);
});
it('findAll returns only own conversations for User B', async () => {
const repo = createConversationsRepo(handle.db);
const convs = await repo.findAll(USER_B_ID);
const ids = convs.map((c) => c.id);
expect(ids).toContain(CONV_B_ID);
expect(ids).not.toContain(CONV_A_ID);
});
});
// ─── Messages isolation ───────────────────────────────────────────────────────
describe('ConversationsRepo.findMessages — cross-user isolation', () => {
it('User A can read messages from their own conversation', async () => {
const repo = createConversationsRepo(handle.db);
const msgs = await repo.findMessages(CONV_A_ID, USER_A_ID);
const ids = msgs.map((m) => m.id);
expect(ids).toContain(MSG_A_ID);
});
it('User B cannot read messages from User A conversation (returns empty array)', async () => {
const repo = createConversationsRepo(handle.db);
const msgs = await repo.findMessages(CONV_A_ID, USER_B_ID);
expect(msgs).toHaveLength(0);
});
it('User A cannot read messages from User B conversation (returns empty array)', async () => {
const repo = createConversationsRepo(handle.db);
const msgs = await repo.findMessages(CONV_B_ID, USER_A_ID);
expect(msgs).toHaveLength(0);
});
it('addMessage is rejected when user does not own the conversation', async () => {
const repo = createConversationsRepo(handle.db);
const result = await repo.addMessage(
{
conversationId: CONV_A_ID,
role: 'user',
content: 'Attempted injection by User B',
},
USER_B_ID,
);
expect(result).toBeUndefined();
});
});
// ─── Agent configs isolation ──────────────────────────────────────────────────
describe('AgentsRepo.findAccessible — cross-user isolation', () => {
it('User A sees their own private agent', async () => {
const repo = createAgentsRepo(handle.db);
const accessible = await repo.findAccessible(USER_A_ID);
const ids = accessible.map((a) => a.id);
expect(ids).toContain(AGENT_A_ID);
});
it('User A does NOT see User B private agent', async () => {
const repo = createAgentsRepo(handle.db);
const accessible = await repo.findAccessible(USER_A_ID);
const ids = accessible.map((a) => a.id);
expect(ids).not.toContain(AGENT_B_ID);
});
it('User B does NOT see User A private agent', async () => {
const repo = createAgentsRepo(handle.db);
const accessible = await repo.findAccessible(USER_B_ID);
const ids = accessible.map((a) => a.id);
expect(ids).not.toContain(AGENT_A_ID);
});
it('Both users can see the shared system agent', async () => {
const repo = createAgentsRepo(handle.db);
const accessibleA = await repo.findAccessible(USER_A_ID);
const accessibleB = await repo.findAccessible(USER_B_ID);
expect(accessibleA.map((a) => a.id)).toContain(AGENT_SYS_ID);
expect(accessibleB.map((a) => a.id)).toContain(AGENT_SYS_ID);
});
it('findSystem returns the system agent for any caller', async () => {
const repo = createAgentsRepo(handle.db);
const system = await repo.findSystem();
const ids = system.map((a) => a.id);
expect(ids).toContain(AGENT_SYS_ID);
});
it('update with ownerId prevents User B from modifying User A agent', async () => {
const repo = createAgentsRepo(handle.db);
const result = await repo.update(AGENT_A_ID, { model: 'hacked' }, USER_B_ID);
expect(result).toBeUndefined();
// Verify the agent was not actually mutated
const unchanged = await repo.findById(AGENT_A_ID);
expect(unchanged?.model).toBe('test-model');
});
it('remove prevents User B from deleting User A agent', async () => {
const repo = createAgentsRepo(handle.db);
const deleted = await repo.remove(AGENT_A_ID, USER_B_ID);
expect(deleted).toBe(false);
// Verify the agent still exists
const still = await repo.findById(AGENT_A_ID);
expect(still).toBeDefined();
});
});
// ─── Preferences isolation ────────────────────────────────────────────────────
describe('PreferencesRepo — cross-user isolation', () => {
it('User A can retrieve their own preferences', async () => {
const repo = createPreferencesRepo(handle.db);
const prefs = await repo.findByUser(USER_A_ID);
const ids = prefs.map((p) => p.id);
expect(ids).toContain(PREF_A_ID);
});
it('User A preferences do not contain User B preferences', async () => {
const repo = createPreferencesRepo(handle.db);
const prefs = await repo.findByUser(USER_A_ID);
const ids = prefs.map((p) => p.id);
expect(ids).not.toContain(PREF_B_ID);
});
it('User B preferences do not contain User A preferences', async () => {
const repo = createPreferencesRepo(handle.db);
const prefs = await repo.findByUser(USER_B_ID);
const ids = prefs.map((p) => p.id);
expect(ids).not.toContain(PREF_A_ID);
});
it('findByUserAndKey is scoped to the requesting user', async () => {
const repo = createPreferencesRepo(handle.db);
// Both users have key "theme" — each should only see their own value
const prefA = await repo.findByUserAndKey(USER_A_ID, 'theme');
const prefB = await repo.findByUserAndKey(USER_B_ID, 'theme');
expect(prefA).toBeDefined();
// Drizzle returns JSONB values as parsed JS values; '"dark"' (JSON string) → 'dark'
expect(prefA!.value).toBe('dark');
expect(prefB).toBeDefined();
expect(prefB!.value).toBe('light');
});
it('remove is scoped to the requesting user (cannot delete another user pref)', async () => {
const repo = createPreferencesRepo(handle.db);
// User B tries to delete User A's "theme" preference — should silently fail
const deleted = await repo.remove(USER_B_ID, 'theme');
// This only deletes USER_B's own "theme" row; re-insert it for afterAll cleanup
expect(deleted).toBe(true); // deletes User B's OWN theme pref
// User A's theme pref must be untouched
const prefA = await repo.findByUserAndKey(USER_A_ID, 'theme');
expect(prefA).toBeDefined();
// Re-insert User B's preference so afterAll cleanup still finds it
await repo.upsert({
id: PREF_B_ID,
userId: USER_B_ID,
key: 'theme',
value: 'light',
category: 'appearance',
});
});
});
// ─── Insights isolation ───────────────────────────────────────────────────────
describe('InsightsRepo — cross-user isolation', () => {
it('User A can retrieve their own insights', async () => {
const repo = createInsightsRepo(handle.db);
const list = await repo.findByUser(USER_A_ID);
const ids = list.map((i) => i.id);
expect(ids).toContain(INSIGHT_A_ID);
});
it('User A insights do not contain User B insights', async () => {
const repo = createInsightsRepo(handle.db);
const list = await repo.findByUser(USER_A_ID);
const ids = list.map((i) => i.id);
expect(ids).not.toContain(INSIGHT_B_ID);
});
it('User B insights do not contain User A insights', async () => {
const repo = createInsightsRepo(handle.db);
const list = await repo.findByUser(USER_B_ID);
const ids = list.map((i) => i.id);
expect(ids).not.toContain(INSIGHT_A_ID);
});
it('findById is scoped to the requesting user', async () => {
const repo = createInsightsRepo(handle.db);
const own = await repo.findById(INSIGHT_A_ID, USER_A_ID);
const cross = await repo.findById(INSIGHT_A_ID, USER_B_ID);
expect(own).toBeDefined();
expect(cross).toBeUndefined();
});
it('searchByEmbedding returns only own insights', async () => {
const repo = createInsightsRepo(handle.db);
// Our test insights have no embedding — the query filters WHERE embedding IS NOT NULL
// so the result set is empty, which already proves no cross-user leakage.
// Using a 1536-dimension zero vector as the query embedding.
const zeroVector = Array<number>(1536).fill(0);
const resultsA = await repo.searchByEmbedding(USER_A_ID, zeroVector, 50, 2.0);
const resultsB = await repo.searchByEmbedding(USER_B_ID, zeroVector, 50, 2.0);
// The raw SQL query returns row objects directly (not wrapped in { insight }).
// Cast via unknown to extract id safely regardless of the return shape.
const toId = (r: unknown): string =>
((r as Record<string, unknown>)['id'] as string | undefined) ??
((r as Record<string, Record<string, unknown>>)['insight']?.['id'] as string | undefined) ??
'';
const idsInA = resultsA.map(toId);
const idsInB = resultsB.map(toId);
// User B's insight must never appear in User A's search results
expect(idsInA).not.toContain(INSIGHT_B_ID);
// User A's insight must never appear in User B's search results
expect(idsInB).not.toContain(INSIGHT_A_ID);
});
it('update is scoped to the requesting user', async () => {
const repo = createInsightsRepo(handle.db);
const result = await repo.update(INSIGHT_A_ID, USER_B_ID, { content: 'hacked' });
expect(result).toBeUndefined();
// Verify the insight was not mutated
const unchanged = await repo.findById(INSIGHT_A_ID, USER_A_ID);
expect(unchanged?.content).toBe('User A insight');
});
it('remove is scoped to the requesting user', async () => {
const repo = createInsightsRepo(handle.db);
const deleted = await repo.remove(INSIGHT_A_ID, USER_B_ID);
expect(deleted).toBe(false);
// Verify the insight still exists
const still = await repo.findById(INSIGHT_A_ID, USER_A_ID);
expect(still).toBeDefined();
});
});

64
apps/gateway/src/__tests__/integration/federated-boot.pg-unreachable.integration.test.ts
View File

@@ -1,64 +0,0 @@
/**
* Test B — Gateway boot refuses (fail-fast) when PG is unreachable.
*
* Prereq: docker compose -f docker-compose.federated.yml --profile federated up -d
* (Valkey must be running; only PG is intentionally misconfigured.)
* Run: FEDERATED_INTEGRATION=1 pnpm --filter @mosaicstack/gateway test src/__tests__/integration/federated-boot.pg-unreachable.integration.test.ts
*
* Skipped when FEDERATED_INTEGRATION !== '1'.
*/
import net from 'node:net';
import { beforeAll, describe, expect, it } from 'vitest';
import { TierDetectionError, detectAndAssertTier } from '@mosaicstack/storage';
const run = process.env['FEDERATED_INTEGRATION'] === '1';
const VALKEY_URL = 'redis://localhost:6380';
/**
* Reserves a guaranteed-closed port at runtime by binding to an ephemeral OS
* port (port 0) and immediately releasing it. The OS will not reassign the
* port during the TIME_WAIT window, so it remains closed for the duration of
* this test.
*/
async function reserveClosedPort(): Promise<number> {
return new Promise((resolve, reject) => {
const server = net.createServer();
server.listen(0, '127.0.0.1', () => {
const addr = server.address();
if (typeof addr !== 'object' || !addr) return reject(new Error('no addr'));
const port = addr.port;
server.close(() => resolve(port));
});
server.on('error', reject);
});
}
describe.skipIf(!run)('federated boot — PG unreachable', () => {
let badPgUrl: string;
beforeAll(async () => {
const closedPort = await reserveClosedPort();
badPgUrl = `postgresql://mosaic:mosaic@localhost:${closedPort}/mosaic`;
});
it('detectAndAssertTier throws TierDetectionError with service: postgres when PG is down', async () => {
const brokenConfig = {
tier: 'federated' as const,
storage: {
type: 'postgres' as const,
url: badPgUrl,
enableVector: true,
},
queue: {
type: 'bullmq',
url: VALKEY_URL,
},
};
await expect(detectAndAssertTier(brokenConfig)).rejects.toSatisfy(
(err: unknown) => err instanceof TierDetectionError && err.service === 'postgres',
);
}, 10_000);
});

50
apps/gateway/src/__tests__/integration/federated-boot.success.integration.test.ts
View File

@@ -1,50 +0,0 @@
/**
* Test A — Gateway boot succeeds when federated services are up.
*
* Prereq: docker compose -f docker-compose.federated.yml --profile federated up -d
* Run: FEDERATED_INTEGRATION=1 pnpm --filter @mosaicstack/gateway test src/__tests__/integration/federated-boot.success.integration.test.ts
*
* Skipped when FEDERATED_INTEGRATION !== '1'.
*/
import postgres from 'postgres';
import { afterAll, describe, expect, it } from 'vitest';
import { detectAndAssertTier } from '@mosaicstack/storage';
const run = process.env['FEDERATED_INTEGRATION'] === '1';
const PG_URL = 'postgresql://mosaic:mosaic@localhost:5433/mosaic';
const VALKEY_URL = 'redis://localhost:6380';
const federatedConfig = {
tier: 'federated' as const,
storage: {
type: 'postgres' as const,
url: PG_URL,
enableVector: true,
},
queue: {
type: 'bullmq',
url: VALKEY_URL,
},
};
describe.skipIf(!run)('federated boot — success path', () => {
let sql: ReturnType<typeof postgres> | undefined;
afterAll(async () => {
if (sql) {
await sql.end({ timeout: 2 }).catch(() => {});
}
});
it('detectAndAssertTier resolves without throwing when federated services are up', async () => {
await expect(detectAndAssertTier(federatedConfig)).resolves.toBeUndefined();
}, 10_000);
it('pgvector extension is registered (pg_extension row exists)', async () => {
sql = postgres(PG_URL, { max: 1, connect_timeout: 5, idle_timeout: 5 });
const rows = await sql`SELECT * FROM pg_extension WHERE extname = 'vector'`;
expect(rows).toHaveLength(1);
}, 10_000);
});

43
apps/gateway/src/__tests__/integration/federated-pgvector.integration.test.ts
View File

@@ -1,43 +0,0 @@
/**
* Test C — pgvector extension is functional end-to-end.
*
* Creates a temp table with a vector(3) column, inserts a row, and queries it
* back — confirming the extension is not just registered but operational.
*
* Prereq: docker compose -f docker-compose.federated.yml --profile federated up -d
* Run: FEDERATED_INTEGRATION=1 pnpm --filter @mosaicstack/gateway test src/__tests__/integration/federated-pgvector.integration.test.ts
*
* Skipped when FEDERATED_INTEGRATION !== '1'.
*/
import postgres from 'postgres';
import { afterAll, describe, expect, it } from 'vitest';
const run = process.env['FEDERATED_INTEGRATION'] === '1';
const PG_URL = 'postgresql://mosaic:mosaic@localhost:5433/mosaic';
let sql: ReturnType<typeof postgres> | undefined;
afterAll(async () => {
if (sql) {
await sql.end({ timeout: 2 }).catch(() => {});
}
});
describe.skipIf(!run)('federated pgvector — functional end-to-end', () => {
it('vector ops round-trip: INSERT [1,2,3] and SELECT returns [1,2,3]', async () => {
sql = postgres(PG_URL, { max: 1, connect_timeout: 5, idle_timeout: 5 });
await sql`CREATE TEMP TABLE t (id int, embedding vector(3))`;
await sql`INSERT INTO t VALUES (1, '[1,2,3]')`;
const rows = await sql`SELECT embedding FROM t`;
expect(rows).toHaveLength(1);
// The postgres driver returns vector columns as strings like '[1,2,3]'.
// Normalise by parsing the string representation.
const raw = rows[0]?.['embedding'] as string;
const parsed = JSON.parse(raw) as number[];
expect(parsed).toEqual([1, 2, 3]);
}, 10_000);
});

243
apps/gateway/src/__tests__/integration/federation-m2-e2e.integration.test.ts
View File

@@ -1,243 +0,0 @@
/**
* Federation M2 E2E test — peer-add enrollment flow (FED-M2-10).
*
* Covers MILESTONES.md acceptance test #6:
* "`peer add <url>` on Server A yields an `active` peer record with a valid cert + key"
*
* This test simulates two gateways using a single bootstrapped NestJS app:
* - "Server A": the admin API that generates a keypair and stores the cert
* - "Server B": the enrollment endpoint that signs the CSR
* Both share the same DB + Step-CA in the test environment.
*
* Prerequisites:
* docker compose -f docker-compose.federated.yml --profile federated up -d
*
* Run:
* FEDERATED_INTEGRATION=1 STEP_CA_AVAILABLE=1 \
* STEP_CA_URL=https://localhost:9000 \
* STEP_CA_PROVISIONER_KEY_JSON="$(docker exec $(docker ps -qf name=step-ca) cat /home/step/secrets/mosaic-fed.json)" \
* STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt \
* pnpm --filter @mosaicstack/gateway test \
* src/__tests__/integration/federation-m2-e2e.integration.test.ts
*
* Obtaining Step-CA credentials:
* # Extract provisioner key from running container:
* # docker exec $(docker ps -qf name=step-ca) cat /home/step/secrets/mosaic-fed.json
* # Copy root cert from container:
* # docker cp $(docker ps -qf name=step-ca):/home/step/certs/root_ca.crt /tmp/step-ca-root.crt
* # Then: export STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt
*
* Skipped unless both FEDERATED_INTEGRATION=1 and STEP_CA_AVAILABLE=1 are set.
*/
import * as crypto from 'node:crypto';
import { afterAll, beforeAll, describe, expect, it } from 'vitest';
import { Test } from '@nestjs/testing';
import { ValidationPipe } from '@nestjs/common';
import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fastify';
import supertest from 'supertest';
import {
createDb,
type Db,
type DbHandle,
federationPeers,
federationGrants,
federationEnrollmentTokens,
inArray,
eq,
} from '@mosaicstack/db';
import * as schema from '@mosaicstack/db';
import { DB } from '../../database/database.module.js';
import { AdminGuard } from '../../admin/admin.guard.js';
import { FederationModule } from '../../federation/federation.module.js';
import { GrantsService } from '../../federation/grants.service.js';
import { EnrollmentService } from '../../federation/enrollment.service.js';
const run = process.env['FEDERATED_INTEGRATION'] === '1';
const stepCaRun =
run &&
process.env['STEP_CA_AVAILABLE'] === '1' &&
!!process.env['STEP_CA_URL'] &&
!!process.env['STEP_CA_PROVISIONER_KEY_JSON'] &&
!!process.env['STEP_CA_ROOT_CERT_PATH'];
const PG_URL = 'postgresql://mosaic:mosaic@localhost:5433/mosaic';
const RUN_ID = crypto.randomUUID();
describe.skipIf(!stepCaRun)('federation M2 E2E — peer add enrollment flow', () => {
let handle: DbHandle;
let db: Db;
let app: NestFastifyApplication;
let agent: ReturnType<typeof supertest>;
let grantsService: GrantsService;
let enrollmentService: EnrollmentService;
const createdTokenGrantIds: string[] = [];
const createdGrantIds: string[] = [];
const createdPeerIds: string[] = [];
const createdUserIds: string[] = [];
beforeAll(async () => {
process.env['BETTER_AUTH_SECRET'] ??= 'test-e2e-sealing-key';
handle = createDb(PG_URL);
db = handle.db;
const moduleRef = await Test.createTestingModule({
imports: [FederationModule],
providers: [{ provide: DB, useValue: db }],
})
.overrideGuard(AdminGuard)
.useValue({ canActivate: () => true })
.compile();
app = moduleRef.createNestApplication<NestFastifyApplication>(new FastifyAdapter());
app.useGlobalPipes(new ValidationPipe({ whitelist: true, transform: true }));
await app.init();
await app.getHttpAdapter().getInstance().ready();
agent = supertest(app.getHttpServer());
grantsService = moduleRef.get(GrantsService);
enrollmentService = moduleRef.get(EnrollmentService);
}, 30_000);
afterAll(async () => {
if (db && createdTokenGrantIds.length > 0) {
await db
.delete(federationEnrollmentTokens)
.where(inArray(federationEnrollmentTokens.grantId, createdTokenGrantIds))
.catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
}
if (db && createdGrantIds.length > 0) {
await db
.delete(federationGrants)
.where(inArray(federationGrants.id, createdGrantIds))
.catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
}
if (db && createdPeerIds.length > 0) {
await db
.delete(federationPeers)
.where(inArray(federationPeers.id, createdPeerIds))
.catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
}
if (db && createdUserIds.length > 0) {
await db
.delete(schema.users)
.where(inArray(schema.users.id, createdUserIds))
.catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
}
if (app)
await app.close().catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
if (handle)
await handle.close().catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
});
// -------------------------------------------------------------------------
// #6 — peer add: keypair → enrollment → cert storage → active peer record
// -------------------------------------------------------------------------
it('#6 — peer add flow: keypair → enrollment → cert storage → active peer record', async () => {
// Create a subject user to satisfy FK on federation_grants.subject_user_id
const userId = crypto.randomUUID();
await db
.insert(schema.users)
.values({
id: userId,
name: `e2e-user-${RUN_ID}`,
email: `e2e-${RUN_ID}@federation-test.invalid`,
emailVerified: false,
})
.onConflictDoNothing();
createdUserIds.push(userId);
// ── Step A: "Server B" setup ─────────────────────────────────────────
// Server B admin creates a grant and generates an enrollment token to
// share out-of-band with Server A's operator.
// Insert a placeholder peer on "Server B" to satisfy the grant FK
const serverBPeerId = crypto.randomUUID();
await db
.insert(federationPeers)
.values({
id: serverBPeerId,
commonName: `server-b-peer-${RUN_ID}`,
displayName: 'Server B Placeholder',
certPem: '-----BEGIN CERTIFICATE-----\nMOCK\n-----END CERTIFICATE-----\n',
certSerial: `serial-b-${serverBPeerId}`,
certNotAfter: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000),
state: 'pending',
})
.onConflictDoNothing();
createdPeerIds.push(serverBPeerId);
const grant = await grantsService.createGrant({
subjectUserId: userId,
scope: { resources: ['tasks'], excluded_resources: [], max_rows_per_query: 100 },
peerId: serverBPeerId,
});
createdGrantIds.push(grant.id);
createdTokenGrantIds.push(grant.id);
const { token } = await enrollmentService.createToken({
grantId: grant.id,
peerId: serverBPeerId,
ttlSeconds: 900,
});
// ── Step B: "Server A" generates keypair ─────────────────────────────
const keypairRes = await agent
.post('/api/admin/federation/peers/keypair')
.send({
commonName: `e2e-peer-${RUN_ID.slice(0, 8)}`,
displayName: 'E2E Test Peer',
endpointUrl: 'https://test.invalid',
})
.set('Content-Type', 'application/json');
expect(keypairRes.status).toBe(201);
const { peerId, csrPem } = keypairRes.body as { peerId: string; csrPem: string };
expect(typeof peerId).toBe('string');
expect(csrPem).toContain('-----BEGIN CERTIFICATE REQUEST-----');
createdPeerIds.push(peerId);
// ── Step C: Enrollment (simulates Server A sending CSR to Server B) ──
const enrollRes = await agent
.post(`/api/federation/enrollment/${token}`)
.send({ csrPem })
.set('Content-Type', 'application/json');
expect(enrollRes.status).toBe(200);
const { certPem, certChainPem } = enrollRes.body as {
certPem: string;
certChainPem: string;
};
expect(certPem).toContain('-----BEGIN CERTIFICATE-----');
expect(certChainPem).toContain('-----BEGIN CERTIFICATE-----');
// ── Step D: "Server A" stores the cert ───────────────────────────────
const storeRes = await agent
.patch(`/api/admin/federation/peers/${peerId}/cert`)
.send({ certPem })
.set('Content-Type', 'application/json');
expect(storeRes.status).toBe(200);
// ── Step E: Verify peer record in DB ─────────────────────────────────
const [peer] = await db
.select()
.from(federationPeers)
.where(eq(federationPeers.id, peerId))
.limit(1);
expect(peer).toBeDefined();
expect(peer?.state).toBe('active');
expect(peer?.certPem).toContain('-----BEGIN CERTIFICATE-----');
expect(typeof peer?.certSerial).toBe('string');
expect((peer?.certSerial ?? '').length).toBeGreaterThan(0);
// clientKeyPem is a sealed ciphertext — must not be a raw PEM
expect(peer?.clientKeyPem?.startsWith('-----BEGIN')).toBe(false);
// certNotAfter must be in the future
expect(peer?.certNotAfter?.getTime()).toBeGreaterThan(Date.now());
}, 60_000);
});

483
apps/gateway/src/__tests__/integration/federation-m2.integration.test.ts
View File

@@ -1,483 +0,0 @@
/**
* Federation M2 integration tests (FED-M2-09).
*
* Covers MILESTONES.md acceptance tests #1, #2, #3, #5, #7, #8.
*
* Prerequisites:
* docker compose -f docker-compose.federated.yml --profile federated up -d
*
* Run DB-only tests (no Step-CA):
* FEDERATED_INTEGRATION=1 BETTER_AUTH_SECRET=test-secret pnpm --filter @mosaicstack/gateway test \
* src/__tests__/integration/federation-m2.integration.test.ts
*
* Run all tests including Step-CA-dependent ones:
* FEDERATED_INTEGRATION=1 STEP_CA_AVAILABLE=1 \
* STEP_CA_URL=https://localhost:9000 \
* STEP_CA_PROVISIONER_KEY_JSON="$(docker exec $(docker ps -qf name=step-ca) cat /home/step/secrets/mosaic-fed.json)" \
* STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt \
* pnpm --filter @mosaicstack/gateway test \
* src/__tests__/integration/federation-m2.integration.test.ts
*
* Obtaining Step-CA credentials:
* # Extract provisioner key from running container:
* # docker exec $(docker ps -qf name=step-ca) cat /home/step/secrets/mosaic-fed.json
* # Copy root cert from container:
* # docker cp $(docker ps -qf name=step-ca):/home/step/certs/root_ca.crt /tmp/step-ca-root.crt
* # Then: export STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt
*/
import * as crypto from 'node:crypto';
import { afterAll, beforeAll, describe, expect, it } from 'vitest';
import { Test } from '@nestjs/testing';
import { GoneException } from '@nestjs/common';
import { Pkcs10CertificateRequestGenerator, X509Certificate as PeculiarX509 } from '@peculiar/x509';
import {
createDb,
type Db,
type DbHandle,
federationPeers,
federationGrants,
federationEnrollmentTokens,
inArray,
eq,
} from '@mosaicstack/db';
import * as schema from '@mosaicstack/db';
import { seal } from '@mosaicstack/auth';
import { DB } from '../../database/database.module.js';
import { GrantsService } from '../../federation/grants.service.js';
import { EnrollmentService } from '../../federation/enrollment.service.js';
import { CaService } from '../../federation/ca.service.js';
import { FederationScopeError } from '../../federation/scope-schema.js';
const run = process.env['FEDERATED_INTEGRATION'] === '1';
const stepCaRun = run && process.env['STEP_CA_AVAILABLE'] === '1';
const PG_URL = 'postgresql://mosaic:mosaic@localhost:5433/mosaic';
// ---------------------------------------------------------------------------
// Helpers for test data isolation
// ---------------------------------------------------------------------------
/** Unique run prefix to identify rows created by this test run. */
const RUN_ID = crypto.randomUUID();
/** Insert a minimal user row to satisfy the FK on federation_grants.subject_user_id. */
async function insertTestUser(db: Db, id: string): Promise<void> {
await db
.insert(schema.users)
.values({
id,
name: `test-user-${id}`,
email: `test-${id}@federation-test.invalid`,
emailVerified: false,
})
.onConflictDoNothing();
}
/** Insert a minimal peer row to satisfy the FK on federation_grants.peer_id. */
async function insertTestPeer(db: Db, id: string, suffix: string = ''): Promise<void> {
await db
.insert(federationPeers)
.values({
id,
commonName: `test-peer-${RUN_ID}-${suffix}`,
displayName: `Test Peer ${suffix}`,
certPem: '-----BEGIN CERTIFICATE-----\nMOCK\n-----END CERTIFICATE-----\n',
certSerial: `test-serial-${id}`,
certNotAfter: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000),
state: 'pending',
})
.onConflictDoNothing();
}
// ---------------------------------------------------------------------------
// DB-only test module (CaService mocked so env vars not required)
// ---------------------------------------------------------------------------
function buildDbModule(db: Db) {
return Test.createTestingModule({
providers: [
{ provide: DB, useValue: db },
GrantsService,
{
provide: CaService,
useValue: {
issueCert: async () => {
throw new Error('CaService.issueCert should not be called in DB-only tests');
},
},
},
EnrollmentService,
],
}).compile();
}
// ---------------------------------------------------------------------------
// Test suite — DB-only (no Step-CA)
// ---------------------------------------------------------------------------
describe.skipIf(!run)('federation M2 — DB-only tests', () => {
let handle: DbHandle;
let db: Db;
let grantsService: GrantsService;
/** IDs created during this run — cleaned up in afterAll. */
const createdGrantIds: string[] = [];
const createdPeerIds: string[] = [];
const createdUserIds: string[] = [];
beforeAll(async () => {
process.env['BETTER_AUTH_SECRET'] ??= 'test-integration-sealing-key-not-for-prod';
handle = createDb(PG_URL);
db = handle.db;
const moduleRef = await buildDbModule(db);
grantsService = moduleRef.get(GrantsService);
});
afterAll(async () => {
// Clean up in FK-safe order: tokens → grants → peers → users
if (db && createdGrantIds.length > 0) {
await db
.delete(federationEnrollmentTokens)
.where(inArray(federationEnrollmentTokens.grantId, createdGrantIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
await db
.delete(federationGrants)
.where(inArray(federationGrants.id, createdGrantIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (db && createdPeerIds.length > 0) {
await db
.delete(federationPeers)
.where(inArray(federationPeers.id, createdPeerIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (db && createdUserIds.length > 0) {
await db
.delete(schema.users)
.where(inArray(schema.users.id, createdUserIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (handle)
await handle.close().catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
});
// -------------------------------------------------------------------------
// #1 — grant create writes a pending row
// -------------------------------------------------------------------------
it('#1 — createGrant writes a pending row to DB', async () => {
const userId = crypto.randomUUID();
const peerId = crypto.randomUUID();
const validScope = {
resources: ['tasks'],
excluded_resources: [],
max_rows_per_query: 100,
};
await insertTestUser(db, userId);
await insertTestPeer(db, peerId, 'test1');
createdUserIds.push(userId);
createdPeerIds.push(peerId);
const grant = await grantsService.createGrant({
subjectUserId: userId,
scope: validScope,
peerId,
});
createdGrantIds.push(grant.id);
// Verify the row exists in DB with correct shape
const [row] = await db
.select()
.from(federationGrants)
.where(eq(federationGrants.id, grant.id))
.limit(1);
expect(row).toBeDefined();
expect(row?.status).toBe('pending');
expect(row?.peerId).toBe(peerId);
expect(row?.subjectUserId).toBe(userId);
const storedScope = row?.scope as Record<string, unknown>;
expect(storedScope['resources']).toEqual(['tasks']);
expect(storedScope['max_rows_per_query']).toBe(100);
}, 15_000);
// -------------------------------------------------------------------------
// #7 — scope with unknown resource type rejected
// -------------------------------------------------------------------------
it('#7 — createGrant rejects scope with unknown resource type', async () => {
const userId = crypto.randomUUID();
const peerId = crypto.randomUUID();
const invalidScope = {
resources: ['totally_unknown_resource'],
excluded_resources: [],
max_rows_per_query: 100,
};
await insertTestUser(db, userId);
await insertTestPeer(db, peerId, 'test7');
createdUserIds.push(userId);
createdPeerIds.push(peerId);
await expect(
grantsService.createGrant({
subjectUserId: userId,
scope: invalidScope,
peerId,
}),
).rejects.toThrow(FederationScopeError);
}, 15_000);
// -------------------------------------------------------------------------
// #8 — listGrants returns accurate status for grants in various states
// -------------------------------------------------------------------------
it('#8 — listGrants returns accurate status for grants in various states', async () => {
const userId = crypto.randomUUID();
const peerId = crypto.randomUUID();
const validScope = {
resources: ['notes'],
excluded_resources: [],
max_rows_per_query: 50,
};
await insertTestUser(db, userId);
await insertTestPeer(db, peerId, 'test8');
createdUserIds.push(userId);
createdPeerIds.push(peerId);
// Create two pending grants via GrantsService
const grantA = await grantsService.createGrant({
subjectUserId: userId,
scope: validScope,
peerId,
});
const grantB = await grantsService.createGrant({
subjectUserId: userId,
scope: { resources: ['tasks'], excluded_resources: [], max_rows_per_query: 50 },
peerId,
});
createdGrantIds.push(grantA.id, grantB.id);
// Insert a third grant directly in 'revoked' state to test status variety
const [grantC] = await db
.insert(federationGrants)
.values({
id: crypto.randomUUID(),
subjectUserId: userId,
peerId,
scope: validScope,
status: 'revoked',
revokedAt: new Date(),
})
.returning();
createdGrantIds.push(grantC!.id);
// List all grants for this peer
const allForPeer = await grantsService.listGrants({ peerId });
const ourGrantIds = new Set([grantA.id, grantB.id, grantC!.id]);
const ourGrants = allForPeer.filter((g) => ourGrantIds.has(g.id));
expect(ourGrants).toHaveLength(3);
const pendingGrants = ourGrants.filter((g) => g.status === 'pending');
const revokedGrants = ourGrants.filter((g) => g.status === 'revoked');
expect(pendingGrants).toHaveLength(2);
expect(revokedGrants).toHaveLength(1);
// Status-filtered query
const pendingOnly = await grantsService.listGrants({ peerId, status: 'pending' });
const ourPending = pendingOnly.filter((g) => ourGrantIds.has(g.id));
expect(ourPending.every((g) => g.status === 'pending')).toBe(true);
// Verify peer list from DB also shows the peer rows with correct state
const peers = await db.select().from(federationPeers).where(eq(federationPeers.id, peerId));
expect(peers).toHaveLength(1);
expect(peers[0]?.state).toBe('pending');
}, 15_000);
// -------------------------------------------------------------------------
// #5 — client_key_pem encrypted at rest
// -------------------------------------------------------------------------
it('#5 — clientKeyPem stored in DB is a sealed ciphertext (not a valid PEM)', async () => {
const peerId = crypto.randomUUID();
const rawPem = '-----BEGIN PRIVATE KEY-----\nMOCK\n-----END PRIVATE KEY-----\n';
const sealed = seal(rawPem);
await db.insert(federationPeers).values({
id: peerId,
commonName: `test-peer-${RUN_ID}-sealed`,
displayName: 'Sealed Key Test Peer',
certPem: '-----BEGIN CERTIFICATE-----\nMOCK\n-----END CERTIFICATE-----\n',
certSerial: `test-serial-sealed-${peerId}`,
certNotAfter: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000),
state: 'pending',
clientKeyPem: sealed,
});
createdPeerIds.push(peerId);
const [row] = await db
.select()
.from(federationPeers)
.where(eq(federationPeers.id, peerId))
.limit(1);
expect(row).toBeDefined();
// The stored value must NOT be a valid PEM — it's a sealed ciphertext blob
expect(row?.clientKeyPem).toBeDefined();
expect(row?.clientKeyPem?.startsWith('-----BEGIN')).toBe(false);
// The sealed value should be non-trivial (at least 20 chars)
expect((row?.clientKeyPem ?? '').length).toBeGreaterThan(20);
}, 15_000);
});
// ---------------------------------------------------------------------------
// Test suite — Step-CA gated
// ---------------------------------------------------------------------------
describe.skipIf(!stepCaRun)('federation M2 — Step-CA tests', () => {
let handle: DbHandle;
let db: Db;
let grantsService: GrantsService;
let enrollmentService: EnrollmentService;
const createdGrantIds: string[] = [];
const createdPeerIds: string[] = [];
const createdUserIds: string[] = [];
beforeAll(async () => {
handle = createDb(PG_URL);
db = handle.db;
// Use real CaService — env vars (STEP_CA_URL, STEP_CA_PROVISIONER_KEY_JSON,
// STEP_CA_ROOT_CERT_PATH) must be set when STEP_CA_AVAILABLE=1
const moduleRef = await Test.createTestingModule({
providers: [{ provide: DB, useValue: db }, CaService, GrantsService, EnrollmentService],
}).compile();
grantsService = moduleRef.get(GrantsService);
enrollmentService = moduleRef.get(EnrollmentService);
});
afterAll(async () => {
if (db && createdGrantIds.length > 0) {
await db
.delete(federationEnrollmentTokens)
.where(inArray(federationEnrollmentTokens.grantId, createdGrantIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
await db
.delete(federationGrants)
.where(inArray(federationGrants.id, createdGrantIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (db && createdPeerIds.length > 0) {
await db
.delete(federationPeers)
.where(inArray(federationPeers.id, createdPeerIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (db && createdUserIds.length > 0) {
await db
.delete(schema.users)
.where(inArray(schema.users.id, createdUserIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (handle)
await handle.close().catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
});
/** Generate a P-256 key pair and PKCS#10 CSR, returning the CSR as PEM. */
async function generateCsrPem(cn: string): Promise<string> {
const alg = { name: 'ECDSA', namedCurve: 'P-256', hash: 'SHA-256' };
const keyPair = await crypto.subtle.generateKey(alg, true, ['sign', 'verify']);
const csr = await Pkcs10CertificateRequestGenerator.create({
name: `CN=${cn}`,
keys: keyPair,
signingAlgorithm: alg,
});
return csr.toString('pem');
}
// -------------------------------------------------------------------------
// #2 — enrollment signs CSR and returns cert
// -------------------------------------------------------------------------
it('#2 — redeem returns a certPem containing a valid PEM certificate', async () => {
const userId = crypto.randomUUID();
const peerId = crypto.randomUUID();
const validScope = {
resources: ['tasks'],
excluded_resources: [],
max_rows_per_query: 100,
};
await insertTestUser(db, userId);
await insertTestPeer(db, peerId, 'ca-test2');
createdUserIds.push(userId);
createdPeerIds.push(peerId);
const grant = await grantsService.createGrant({
subjectUserId: userId,
scope: validScope,
peerId,
});
createdGrantIds.push(grant.id);
const { token } = await enrollmentService.createToken({
grantId: grant.id,
peerId,
ttlSeconds: 900,
});
const csrPem = await generateCsrPem(`gateway-test-${RUN_ID.slice(0, 8)}`);
const result = await enrollmentService.redeem(token, csrPem);
expect(result.certPem).toContain('-----BEGIN CERTIFICATE-----');
expect(result.certChainPem).toContain('-----BEGIN CERTIFICATE-----');
// Verify the issued cert parses cleanly
const cert = new PeculiarX509(result.certPem);
expect(cert.serialNumber).toBeTruthy();
}, 30_000);
// -------------------------------------------------------------------------
// #3 — token single-use; second attempt returns GoneException
// -------------------------------------------------------------------------
it('#3 — second redeem of the same token throws GoneException', async () => {
const userId = crypto.randomUUID();
const peerId = crypto.randomUUID();
const validScope = {
resources: ['notes'],
excluded_resources: [],
max_rows_per_query: 50,
};
await insertTestUser(db, userId);
await insertTestPeer(db, peerId, 'ca-test3');
createdUserIds.push(userId);
createdPeerIds.push(peerId);
const grant = await grantsService.createGrant({
subjectUserId: userId,
scope: validScope,
peerId,
});
createdGrantIds.push(grant.id);
const { token } = await enrollmentService.createToken({
grantId: grant.id,
peerId,
ttlSeconds: 900,
});
const csrPem = await generateCsrPem(`gateway-test-replay-${RUN_ID.slice(0, 8)}`);
// First redeem must succeed
const result = await enrollmentService.redeem(token, csrPem);
expect(result.certPem).toContain('-----BEGIN CERTIFICATE-----');
// Second redeem with the same token must be rejected
await expect(enrollmentService.redeem(token, csrPem)).rejects.toThrow(GoneException);
}, 30_000);
});

6
apps/gateway/src/__tests__/resource-ownership.test.ts
View File

@@ -57,13 +57,11 @@ function createBrain() {
describe('Resource ownership checks', () => {
it('forbids access to another user conversation', async () => {
const brain = createBrain();
// The repo enforces ownership via the WHERE clause; it returns undefined when the
// conversation does not belong to the requesting user.
brain.conversations.findById.mockResolvedValue(undefined);
brain.conversations.findById.mockResolvedValue({ id: 'conv-1', userId: 'user-2' });
const controller = new ConversationsController(brain as never);
await expect(controller.findOne('conv-1', { id: 'user-1' })).rejects.toBeInstanceOf(
NotFoundException,
ForbiddenException,
);
});

377
apps/gateway/src/__tests__/session-hardening.test.ts
View File

@@ -1,377 +0,0 @@
/**
* M5-008: Session hardening verification tests.
*
* Verifies:
* 1. /model command switches model → session:info reflects updated modelId
* 2. /agent command switches agent config → system prompt / agentName changes
* 3. Session resume binds to a conversation (history injected via conversationHistory option)
* 4. Session metrics track token usage and message count correctly
*/
import { describe, it, expect, vi, beforeEach } from 'vitest';
import type {
AgentSession,
AgentSessionOptions,
ConversationHistoryMessage,
} from '../agent/agent.service.js';
import type { SessionInfoDto, SessionMetrics, SessionTokenMetrics } from '../agent/session.dto.js';
// ---------------------------------------------------------------------------
// Helpers — minimal AgentSession fixture
// ---------------------------------------------------------------------------
function makeMetrics(overrides?: Partial<SessionMetrics>): SessionMetrics {
return {
tokens: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
modelSwitches: 0,
messageCount: 0,
lastActivityAt: new Date().toISOString(),
...overrides,
};
}
function makeSession(overrides?: Partial<AgentSession>): AgentSession {
return {
id: 'session-001',
provider: 'anthropic',
modelId: 'claude-3-5-sonnet-20241022',
piSession: {} as AgentSession['piSession'],
listeners: new Set(),
unsubscribe: vi.fn(),
createdAt: Date.now(),
promptCount: 0,
channels: new Set(),
skillPromptAdditions: [],
sandboxDir: '/tmp',
allowedTools: null,
metrics: makeMetrics(),
...overrides,
};
}
function sessionToInfo(session: AgentSession): SessionInfoDto {
return {
id: session.id,
provider: session.provider,
modelId: session.modelId,
...(session.agentName ? { agentName: session.agentName } : {}),
createdAt: new Date(session.createdAt).toISOString(),
promptCount: session.promptCount,
channels: Array.from(session.channels),
durationMs: Date.now() - session.createdAt,
metrics: { ...session.metrics },
};
}
// ---------------------------------------------------------------------------
// Replicated AgentService methods (tested in isolation without full DI setup)
// ---------------------------------------------------------------------------
function updateSessionModel(session: AgentSession, modelId: string): void {
session.modelId = modelId;
session.metrics.modelSwitches += 1;
session.metrics.lastActivityAt = new Date().toISOString();
}
function applyAgentConfig(
session: AgentSession,
agentConfigId: string,
agentName: string,
modelId?: string,
): void {
session.agentConfigId = agentConfigId;
session.agentName = agentName;
if (modelId) {
updateSessionModel(session, modelId);
}
}
function recordTokenUsage(session: AgentSession, tokens: SessionTokenMetrics): void {
session.metrics.tokens.input += tokens.input;
session.metrics.tokens.output += tokens.output;
session.metrics.tokens.cacheRead += tokens.cacheRead;
session.metrics.tokens.cacheWrite += tokens.cacheWrite;
session.metrics.tokens.total += tokens.total;
session.metrics.lastActivityAt = new Date().toISOString();
}
function recordMessage(session: AgentSession): void {
session.metrics.messageCount += 1;
session.metrics.lastActivityAt = new Date().toISOString();
}
// ---------------------------------------------------------------------------
// 1. /model command — switches model → session:info updated
// ---------------------------------------------------------------------------
describe('/model command — model switch reflected in session:info', () => {
let session: AgentSession;
beforeEach(() => {
session = makeSession();
});
it('updates modelId when /model is called with a model name', () => {
updateSessionModel(session, 'claude-opus-4-5-20251001');
expect(session.modelId).toBe('claude-opus-4-5-20251001');
});
it('increments modelSwitches metric after /model command', () => {
expect(session.metrics.modelSwitches).toBe(0);
updateSessionModel(session, 'gpt-4o');
expect(session.metrics.modelSwitches).toBe(1);
updateSessionModel(session, 'claude-3-5-sonnet-20241022');
expect(session.metrics.modelSwitches).toBe(2);
});
it('session:info DTO reflects the new modelId after switch', () => {
updateSessionModel(session, 'claude-haiku-3-5-20251001');
const info = sessionToInfo(session);
expect(info.modelId).toBe('claude-haiku-3-5-20251001');
expect(info.metrics.modelSwitches).toBe(1);
});
it('lastActivityAt is updated after model switch', () => {
const before = session.metrics.lastActivityAt;
// Ensure at least 1ms passes
vi.setSystemTime(Date.now() + 1);
updateSessionModel(session, 'new-model');
vi.useRealTimers();
expect(session.metrics.lastActivityAt).not.toBe(before);
});
});
// ---------------------------------------------------------------------------
// 2. /agent command — switches agent config → system prompt / agentName updated
// ---------------------------------------------------------------------------
describe('/agent command — agent config applied to session', () => {
let session: AgentSession;
beforeEach(() => {
session = makeSession();
});
it('sets agentConfigId and agentName on the session', () => {
applyAgentConfig(session, 'agent-uuid-001', 'CodeReviewer');
expect(session.agentConfigId).toBe('agent-uuid-001');
expect(session.agentName).toBe('CodeReviewer');
});
it('also updates modelId when agent config carries a model', () => {
applyAgentConfig(session, 'agent-uuid-002', 'DataAnalyst', 'gpt-4o-mini');
expect(session.agentName).toBe('DataAnalyst');
expect(session.modelId).toBe('gpt-4o-mini');
expect(session.metrics.modelSwitches).toBe(1);
});
it('does NOT update modelId when agent config has no model', () => {
const originalModel = session.modelId;
applyAgentConfig(session, 'agent-uuid-003', 'Planner', undefined);
expect(session.modelId).toBe(originalModel);
expect(session.metrics.modelSwitches).toBe(0);
});
it('session:info DTO reflects agentName after /agent switch', () => {
applyAgentConfig(session, 'agent-uuid-004', 'DevBot');
const info = sessionToInfo(session);
expect(info.agentName).toBe('DevBot');
});
it('multiple /agent calls update to the latest agent', () => {
applyAgentConfig(session, 'agent-001', 'FirstAgent');
applyAgentConfig(session, 'agent-002', 'SecondAgent');
expect(session.agentConfigId).toBe('agent-002');
expect(session.agentName).toBe('SecondAgent');
});
});
// ---------------------------------------------------------------------------
// 3. Session resume — binds to conversation via conversationHistory
// ---------------------------------------------------------------------------
describe('Session resume — binds to conversation', () => {
it('conversationHistory option is preserved in session options', () => {
const history: ConversationHistoryMessage[] = [
{
role: 'user',
content: 'Hello, what is TypeScript?',
createdAt: new Date('2026-01-01T00:01:00Z'),
},
{
role: 'assistant',
content: 'TypeScript is a typed superset of JavaScript.',
createdAt: new Date('2026-01-01T00:01:05Z'),
},
];
const options: AgentSessionOptions = {
conversationHistory: history,
provider: 'anthropic',
modelId: 'claude-3-5-sonnet-20241022',
};
expect(options.conversationHistory).toHaveLength(2);
expect(options.conversationHistory![0]!.role).toBe('user');
expect(options.conversationHistory![1]!.role).toBe('assistant');
});
it('session with conversationHistory option carries the conversation binding', () => {
const CONV_ID = 'conv-resume-001';
const history: ConversationHistoryMessage[] = [
{ role: 'user', content: 'Prior question', createdAt: new Date('2026-01-01T00:01:00Z') },
];
// Simulate what ChatGateway does: pass conversationId + history to createSession
const options: AgentSessionOptions = {
conversationHistory: history,
};
// The session ID is the conversationId in the gateway
const session = makeSession({ id: CONV_ID });
expect(session.id).toBe(CONV_ID);
expect(options.conversationHistory).toHaveLength(1);
});
it('empty conversationHistory is valid (new conversation)', () => {
const options: AgentSessionOptions = {
conversationHistory: [],
};
expect(options.conversationHistory).toHaveLength(0);
});
it('resumed session preserves all message roles', () => {
const history: ConversationHistoryMessage[] = [
{ role: 'system', content: 'You are a helpful assistant.', createdAt: new Date() },
{ role: 'user', content: 'Question 1', createdAt: new Date() },
{ role: 'assistant', content: 'Answer 1', createdAt: new Date() },
{ role: 'user', content: 'Question 2', createdAt: new Date() },
];
const roles = history.map((m) => m.role);
expect(roles).toEqual(['system', 'user', 'assistant', 'user']);
});
});
// ---------------------------------------------------------------------------
// 4. Session metrics — token usage and message count
// ---------------------------------------------------------------------------
describe('Session metrics — token usage and message count', () => {
let session: AgentSession;
beforeEach(() => {
session = makeSession();
});
it('starts with zero metrics', () => {
expect(session.metrics.tokens.input).toBe(0);
expect(session.metrics.tokens.output).toBe(0);
expect(session.metrics.tokens.total).toBe(0);
expect(session.metrics.messageCount).toBe(0);
expect(session.metrics.modelSwitches).toBe(0);
});
it('accumulates token usage across multiple turns', () => {
recordTokenUsage(session, {
input: 100,
output: 50,
cacheRead: 0,
cacheWrite: 0,
total: 150,
});
recordTokenUsage(session, {
input: 200,
output: 80,
cacheRead: 10,
cacheWrite: 5,
total: 295,
});
expect(session.metrics.tokens.input).toBe(300);
expect(session.metrics.tokens.output).toBe(130);
expect(session.metrics.tokens.cacheRead).toBe(10);
expect(session.metrics.tokens.cacheWrite).toBe(5);
expect(session.metrics.tokens.total).toBe(445);
});
it('increments message count with each recordMessage call', () => {
expect(session.metrics.messageCount).toBe(0);
recordMessage(session);
expect(session.metrics.messageCount).toBe(1);
recordMessage(session);
recordMessage(session);
expect(session.metrics.messageCount).toBe(3);
});
it('session:info DTO exposes correct metrics snapshot', () => {
recordTokenUsage(session, {
input: 500,
output: 100,
cacheRead: 20,
cacheWrite: 10,
total: 630,
});
recordMessage(session);
recordMessage(session);
updateSessionModel(session, 'claude-haiku-3-5-20251001');
const info = sessionToInfo(session);
expect(info.metrics.tokens.input).toBe(500);
expect(info.metrics.tokens.output).toBe(100);
expect(info.metrics.tokens.total).toBe(630);
expect(info.metrics.messageCount).toBe(2);
expect(info.metrics.modelSwitches).toBe(1);
});
it('metrics are independent per session', () => {
const sessionA = makeSession({ id: 'session-A' });
const sessionB = makeSession({ id: 'session-B' });
recordTokenUsage(sessionA, { input: 100, output: 50, cacheRead: 0, cacheWrite: 0, total: 150 });
recordMessage(sessionA);
// Session B should remain at zero
expect(sessionB.metrics.tokens.input).toBe(0);
expect(sessionB.metrics.messageCount).toBe(0);
// Session A should have updated values
expect(sessionA.metrics.tokens.input).toBe(100);
expect(sessionA.metrics.messageCount).toBe(1);
});
it('lastActivityAt is updated after recording tokens', () => {
const before = session.metrics.lastActivityAt;
vi.setSystemTime(new Date(Date.now() + 100));
recordTokenUsage(session, { input: 10, output: 5, cacheRead: 0, cacheWrite: 0, total: 15 });
vi.useRealTimers();
expect(session.metrics.lastActivityAt).not.toBe(before);
});
it('lastActivityAt is updated after recording a message', () => {
const before = session.metrics.lastActivityAt;
vi.setSystemTime(new Date(Date.now() + 100));
recordMessage(session);
vi.useRealTimers();
expect(session.metrics.lastActivityAt).not.toBe(before);
});
});

4
apps/gateway/src/admin/admin-health.controller.ts
View File

@@ -1,6 +1,6 @@
import { Controller, Get, Inject, UseGuards } from '@nestjs/common';
import { sql, type Db } from '@mosaicstack/db';
import { createQueue } from '@mosaicstack/queue';
import { sql, type Db } from '@mosaic/db';
import { createQueue } from '@mosaic/queue';
import { DB } from '../database/database.module.js';
import { AgentService } from '../agent/agent.service.js';
import { ProviderService } from '../agent/provider.service.js';

128
apps/gateway/src/admin/admin-jobs.controller.ts
View File

@@ -1,128 +0,0 @@
import {
Controller,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Optional,
Param,
Post,
Query,
UseGuards,
} from '@nestjs/common';
import { AdminGuard } from './admin.guard.js';
import { QueueService } from '../queue/queue.service.js';
import type { JobDto, JobListDto, JobStatus, QueueListDto } from '../queue/queue-admin.dto.js';
@Controller('api/admin/jobs')
@UseGuards(AdminGuard)
export class AdminJobsController {
constructor(
@Optional()
@Inject(QueueService)
private readonly queueService: QueueService | null,
) {}
/**
* GET /api/admin/jobs
* List jobs across all queues. Optional ?status=active|completed|failed|waiting|delayed
*/
@Get()
async listJobs(@Query('status') status?: string): Promise<JobListDto> {
if (!this.queueService) {
return { jobs: [], total: 0 };
}
const validStatuses: JobStatus[] = ['active', 'completed', 'failed', 'waiting', 'delayed'];
const normalised = status as JobStatus | undefined;
if (normalised && !validStatuses.includes(normalised)) {
return { jobs: [], total: 0 };
}
const jobs: JobDto[] = await this.queueService.listJobs(normalised);
return { jobs, total: jobs.length };
}
/**
* POST /api/admin/jobs/:id/retry
* Retry a specific failed job. The id is "<queue>__<bullmq-job-id>".
*/
@Post(':id/retry')
@HttpCode(HttpStatus.OK)
async retryJob(@Param('id') id: string): Promise<{ ok: boolean; message: string }> {
if (!this.queueService) {
throw new NotFoundException('Queue service is not available');
}
const result = await this.queueService.retryJob(id);
if (!result.ok) {
throw new NotFoundException(result.message);
}
return result;
}
/**
* GET /api/admin/jobs/queues
* Return status for all managed queues.
*/
@Get('queues')
async listQueues(): Promise<QueueListDto> {
if (!this.queueService) {
return { queues: [] };
}
const health = await this.queueService.getHealthStatus();
const queues = Object.entries(health.queues).map(([name, stats]) => ({
name,
waiting: stats.waiting,
active: stats.active,
completed: stats.completed,
failed: stats.failed,
delayed: 0,
paused: stats.paused,
}));
return { queues };
}
/**
* POST /api/admin/jobs/queues/:name/pause
* Pause the named queue.
*/
@Post('queues/:name/pause')
@HttpCode(HttpStatus.OK)
async pauseQueue(@Param('name') name: string): Promise<{ ok: boolean; message: string }> {
if (!this.queueService) {
throw new NotFoundException('Queue service is not available');
}
const result = await this.queueService.pauseQueue(name);
if (!result.ok) {
throw new NotFoundException(result.message);
}
return result;
}
/**
* POST /api/admin/jobs/queues/:name/resume
* Resume the named queue.
*/
@Post('queues/:name/resume')
@HttpCode(HttpStatus.OK)
async resumeQueue(@Param('name') name: string): Promise<{ ok: boolean; message: string }> {
if (!this.queueService) {
throw new NotFoundException('Queue service is not available');
}
const result = await this.queueService.resumeQueue(name);
if (!result.ok) {
throw new NotFoundException(result.message);
}
return result;
}
}

90
apps/gateway/src/admin/admin-tokens.controller.ts
View File

@@ -1,90 +0,0 @@
import {
Body,
Controller,
Delete,
Get,
HttpCode,
HttpStatus,
Inject,
Param,
Post,
UseGuards,
} from '@nestjs/common';
import { randomBytes, createHash } from 'node:crypto';
import { eq, type Db, adminTokens } from '@mosaicstack/db';
import { v4 as uuid } from 'uuid';
import { DB } from '../database/database.module.js';
import { AdminGuard } from './admin.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import type {
CreateTokenDto,
TokenCreatedDto,
TokenDto,
TokenListDto,
} from './admin-tokens.dto.js';
function hashToken(plaintext: string): string {
return createHash('sha256').update(plaintext).digest('hex');
}
function toTokenDto(row: typeof adminTokens.$inferSelect): TokenDto {
return {
id: row.id,
label: row.label,
scope: row.scope,
expiresAt: row.expiresAt?.toISOString() ?? null,
lastUsedAt: row.lastUsedAt?.toISOString() ?? null,
createdAt: row.createdAt.toISOString(),
};
}
@Controller('api/admin/tokens')
@UseGuards(AdminGuard)
export class AdminTokensController {
constructor(@Inject(DB) private readonly db: Db) {}
@Post()
async create(
@Body() dto: CreateTokenDto,
@CurrentUser() user: { id: string },
): Promise<TokenCreatedDto> {
const plaintext = randomBytes(32).toString('hex');
const tokenHash = hashToken(plaintext);
const id = uuid();
const expiresAt = dto.expiresInDays
? new Date(Date.now() + dto.expiresInDays * 24 * 60 * 60 * 1000)
: null;
const [row] = await this.db
.insert(adminTokens)
.values({
id,
userId: user.id,
tokenHash,
label: dto.label ?? 'CLI token',
scope: dto.scope ?? 'admin',
expiresAt,
})
.returning();
return { ...toTokenDto(row!), plaintext };
}
@Get()
async list(@CurrentUser() user: { id: string }): Promise<TokenListDto> {
const rows = await this.db
.select()
.from(adminTokens)
.where(eq(adminTokens.userId, user.id))
.orderBy(adminTokens.createdAt);
return { tokens: rows.map(toTokenDto), total: rows.length };
}
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async revoke(@Param('id') id: string, @CurrentUser() _user: { id: string }): Promise<void> {
await this.db.delete(adminTokens).where(eq(adminTokens.id, id));
}
}

33
apps/gateway/src/admin/admin-tokens.dto.ts
View File

@@ -1,33 +0,0 @@
import { IsString, IsOptional, IsInt, Min } from 'class-validator';
export class CreateTokenDto {
@IsString()
label!: string;
@IsOptional()
@IsString()
scope?: string;
@IsOptional()
@IsInt()
@Min(1)
expiresInDays?: number;
}
export interface TokenDto {
id: string;
label: string;
scope: string;
expiresAt: string | null;
lastUsedAt: string | null;
createdAt: string;
}
export interface TokenCreatedDto extends TokenDto {
plaintext: string;
}
export interface TokenListDto {
tokens: TokenDto[];
total: number;
}

4
apps/gateway/src/admin/admin.controller.ts
View File

@@ -13,8 +13,8 @@ import {
Post,
UseGuards,
} from '@nestjs/common';
import { eq, type Db, users as usersTable } from '@mosaicstack/db';
import type { Auth } from '@mosaicstack/auth';
import { eq, type Db, users as usersTable } from '@mosaic/db';
import type { Auth } from '@mosaic/auth';
import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js';
import { AdminGuard } from './admin.guard.js';

75
apps/gateway/src/admin/admin.guard.ts
View File

@@ -6,11 +6,10 @@ import {
Injectable,
UnauthorizedException,
} from '@nestjs/common';
import { createHash } from 'node:crypto';
import { fromNodeHeaders } from 'better-auth/node';
import type { Auth } from '@mosaicstack/auth';
import type { Db } from '@mosaicstack/db';
import { eq, adminTokens, users as usersTable } from '@mosaicstack/db';
import type { Auth } from '@mosaic/auth';
import type { Db } from '@mosaic/db';
import { eq, users as usersTable } from '@mosaic/db';
import type { FastifyRequest } from 'fastify';
import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js';
@@ -20,8 +19,6 @@ interface UserWithRole {
role?: string;
}
type AuthenticatedRequest = FastifyRequest & { user: unknown; session: unknown };
@Injectable()
export class AdminGuard implements CanActivate {
constructor(
@@ -31,64 +28,8 @@ export class AdminGuard implements CanActivate {
async canActivate(context: ExecutionContext): Promise<boolean> {
const request = context.switchToHttp().getRequest<FastifyRequest>();
// Try bearer token auth first
const authHeader = request.raw.headers['authorization'];
if (authHeader?.startsWith('Bearer ')) {
return this.validateBearerToken(request, authHeader.slice(7));
}
// Fall back to BetterAuth session
return this.validateSession(request);
}
private async validateBearerToken(request: FastifyRequest, plaintext: string): Promise<boolean> {
const tokenHash = createHash('sha256').update(plaintext).digest('hex');
const [row] = await this.db
.select({
tokenId: adminTokens.id,
userId: adminTokens.userId,
scope: adminTokens.scope,
expiresAt: adminTokens.expiresAt,
userName: usersTable.name,
userEmail: usersTable.email,
userRole: usersTable.role,
})
.from(adminTokens)
.innerJoin(usersTable, eq(adminTokens.userId, usersTable.id))
.where(eq(adminTokens.tokenHash, tokenHash))
.limit(1);
if (!row) {
throw new UnauthorizedException('Invalid API token');
}
if (row.expiresAt && row.expiresAt < new Date()) {
throw new UnauthorizedException('API token expired');
}
if (row.userRole !== 'admin') {
throw new ForbiddenException('Admin access required');
}
// Update last-used timestamp (fire-and-forget)
this.db
.update(adminTokens)
.set({ lastUsedAt: new Date() })
.where(eq(adminTokens.id, row.tokenId))
.then(() => {})
.catch(() => {});
const req = request as AuthenticatedRequest;
req.user = { id: row.userId, name: row.userName, email: row.userEmail, role: row.userRole };
req.session = { id: `token:${row.tokenId}`, userId: row.userId };
return true;
}
private async validateSession(request: FastifyRequest): Promise<boolean> {
const headers = fromNodeHeaders(request.raw.headers);
const result = await this.auth.api.getSession({ headers });
if (!result) {
@@ -97,6 +38,8 @@ export class AdminGuard implements CanActivate {
const user = result.user as UserWithRole;
// Ensure the role field is populated. better-auth should include additionalFields
// in the session, but as a fallback, fetch the role from the database if needed.
let userRole = user.role;
if (!userRole) {
const [dbUser] = await this.db
@@ -105,6 +48,7 @@ export class AdminGuard implements CanActivate {
.where(eq(usersTable.id, user.id))
.limit(1);
userRole = dbUser?.role ?? 'member';
// Update the session user object with the fetched role
(user as UserWithRole).role = userRole;
}
@@ -112,9 +56,8 @@ export class AdminGuard implements CanActivate {
throw new ForbiddenException('Admin access required');
}
const req = request as AuthenticatedRequest;
req.user = result.user;
req.session = result.session;
(request as FastifyRequest & { user: unknown; session: unknown }).user = result.user;
(request as FastifyRequest & { user: unknown; session: unknown }).session = result.session;
return true;
}

11
apps/gateway/src/admin/admin.module.ts
View File

@@ -1,19 +1,10 @@
import { Module } from '@nestjs/common';
import { AdminController } from './admin.controller.js';
import { AdminHealthController } from './admin-health.controller.js';
import { AdminJobsController } from './admin-jobs.controller.js';
import { AdminTokensController } from './admin-tokens.controller.js';
import { BootstrapController } from './bootstrap.controller.js';
import { AdminGuard } from './admin.guard.js';
@Module({
controllers: [
AdminController,
AdminHealthController,
AdminJobsController,
AdminTokensController,
BootstrapController,
],
controllers: [AdminController, AdminHealthController],
providers: [AdminGuard],
})
export class AdminModule {}

102
apps/gateway/src/admin/bootstrap.controller.ts
View File

@@ -1,102 +0,0 @@
import {
Body,
Controller,
ForbiddenException,
Get,
Inject,
InternalServerErrorException,
Post,
} from '@nestjs/common';
import { randomBytes, createHash } from 'node:crypto';
import { count, eq, type Db, users as usersTable, adminTokens } from '@mosaicstack/db';
import type { Auth } from '@mosaicstack/auth';
import { v4 as uuid } from 'uuid';
import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js';
import { BootstrapSetupDto } from './bootstrap.dto.js';
import type { BootstrapStatusDto, BootstrapResultDto } from './bootstrap.dto.js';
@Controller('api/bootstrap')
export class BootstrapController {
constructor(
@Inject(AUTH) private readonly auth: Auth,
@Inject(DB) private readonly db: Db,
) {}
@Get('status')
async status(): Promise<BootstrapStatusDto> {
const [result] = await this.db.select({ total: count() }).from(usersTable);
return { needsSetup: (result?.total ?? 0) === 0 };
}
@Post('setup')
async setup(@Body() dto: BootstrapSetupDto): Promise<BootstrapResultDto> {
// Only allow setup when zero users exist
const [result] = await this.db.select({ total: count() }).from(usersTable);
if ((result?.total ?? 0) > 0) {
throw new ForbiddenException('Setup already completed — users exist');
}
// Create admin user via BetterAuth API
const authApi = this.auth.api as unknown as {
createUser: (opts: {
body: { name: string; email: string; password: string; role?: string };
}) => Promise<{
user: { id: string; name: string; email: string };
}>;
};
const created = await authApi.createUser({
body: {
name: dto.name,
email: dto.email,
password: dto.password,
role: 'admin',
},
});
// Verify user was created
const [user] = await this.db
.select()
.from(usersTable)
.where(eq(usersTable.id, created.user.id))
.limit(1);
if (!user) throw new InternalServerErrorException('User created but not found');
// Ensure role is admin (createUser may not set it via BetterAuth)
if (user.role !== 'admin') {
await this.db.update(usersTable).set({ role: 'admin' }).where(eq(usersTable.id, user.id));
}
// Generate admin API token
const plaintext = randomBytes(32).toString('hex');
const tokenHash = createHash('sha256').update(plaintext).digest('hex');
const tokenId = uuid();
const [token] = await this.db
.insert(adminTokens)
.values({
id: tokenId,
userId: user.id,
tokenHash,
label: 'Initial setup token',
scope: 'admin',
})
.returning();
return {
user: {
id: user.id,
name: user.name,
email: user.email,
role: 'admin',
},
token: {
id: token!.id,
plaintext,
label: token!.label,
},
};
}
}

31
apps/gateway/src/admin/bootstrap.dto.ts
View File

@@ -1,31 +0,0 @@
import { IsString, IsEmail, MinLength } from 'class-validator';
export class BootstrapSetupDto {
@IsString()
name!: string;
@IsEmail()
email!: string;
@IsString()
@MinLength(8)
password!: string;
}
export interface BootstrapStatusDto {
needsSetup: boolean;
}
export interface BootstrapResultDto {
user: {
id: string;
name: string;
email: string;
role: string;
};
token: {
id: string;
plaintext: string;
label: string;
};
}

190
apps/gateway/src/admin/bootstrap.e2e.spec.ts
View File

@@ -1,190 +0,0 @@
/**
* E2E integration test — POST /api/bootstrap/setup
*
* Regression guard for the `import type { BootstrapSetupDto }` class-erasure
* bug (IUV-M01, issue #436).
*
* When `BootstrapSetupDto` is imported with `import type`, TypeScript erases
* the class at compile time. NestJS then sees `Object` as the `@Body()`
* metatype, and ValidationPipe with `whitelist:true + forbidNonWhitelisted:true`
* treats every property as non-whitelisted, returning:
*
* 400 { message: ["property email should not exist", "property password should not exist"] }
*
* The fix is a plain value import (`import { BootstrapSetupDto }`), which
* preserves the class reference so Nest can read the class-validator decorators.
*
* This test MUST fail if `import type` is re-introduced on `BootstrapSetupDto`.
* A controller unit test that constructs ValidationPipe manually won't catch
* this — only the real DI binding path exercises the metatype lookup.
*/
import 'reflect-metadata';
import { describe, it, expect, afterAll, beforeAll } from 'vitest';
import { Test } from '@nestjs/testing';
import { ValidationPipe, type INestApplication } from '@nestjs/common';
import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fastify';
import request from 'supertest';
import { BootstrapController } from './bootstrap.controller.js';
import type { BootstrapResultDto } from './bootstrap.dto.js';
// ─── Minimal mock dependencies ───────────────────────────────────────────────
/**
* We use explicit `@Inject(AUTH)` / `@Inject(DB)` in the controller so we
* can provide mock values by token without spinning up the real DB or Auth.
*/
import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js';
const MOCK_USER_ID = 'mock-user-id-001';
const mockAuth = {
api: {
createUser: () =>
Promise.resolve({
user: {
id: MOCK_USER_ID,
name: 'Admin',
email: 'admin@example.com',
},
}),
},
};
// Override db.select() so the second query (verify user exists) returns a user.
// The bootstrap controller calls select().from() twice:
// 1. count() to check zero users → returns [{total: 0}]
// 2. select().where().limit() → returns [the created user]
let selectCallCount = 0;
const mockDbWithUser = {
select: () => {
selectCallCount++;
return {
from: () => {
if (selectCallCount === 1) {
// First call: count — zero users
return Promise.resolve([{ total: 0 }]);
}
// Subsequent calls: return a mock user row
return {
where: () => ({
limit: () =>
Promise.resolve([
{
id: MOCK_USER_ID,
name: 'Admin',
email: 'admin@example.com',
role: 'admin',
},
]),
}),
};
},
};
},
update: () => ({
set: () => ({
where: () => Promise.resolve([]),
}),
}),
insert: () => ({
values: () => ({
returning: () =>
Promise.resolve([
{
id: 'token-id-001',
label: 'Initial setup token',
},
]),
}),
}),
};
// ─── Test suite ───────────────────────────────────────────────────────────────
describe('POST /api/bootstrap/setup — ValidationPipe DTO binding', () => {
let app: INestApplication;
beforeAll(async () => {
selectCallCount = 0;
const moduleRef = await Test.createTestingModule({
controllers: [BootstrapController],
providers: [
{ provide: AUTH, useValue: mockAuth },
{ provide: DB, useValue: mockDbWithUser },
],
}).compile();
app = moduleRef.createNestApplication<NestFastifyApplication>(new FastifyAdapter());
// Mirror main.ts configuration exactly — this is what reproduced the 400.
app.useGlobalPipes(
new ValidationPipe({
whitelist: true,
forbidNonWhitelisted: true,
transform: true,
}),
);
await app.init();
// Fastify requires waiting for the adapter to be ready
await app.getHttpAdapter().getInstance().ready();
});
afterAll(async () => {
await app.close();
});
it('returns 201 (not 400) when a valid {name, email, password} body is sent', async () => {
const res = await request(app.getHttpServer())
.post('/api/bootstrap/setup')
.send({ name: 'Admin', email: 'admin@example.com', password: 'password123' })
.set('Content-Type', 'application/json');
// Before the fix (import type), Nest ValidationPipe returned 400 with
// "property email should not exist" / "property password should not exist"
// because the DTO class was erased and every field looked non-whitelisted.
expect(res.status).not.toBe(400);
expect(res.status).toBe(201);
const body = res.body as BootstrapResultDto;
expect(body.user).toBeDefined();
expect(body.user.email).toBe('admin@example.com');
expect(body.token).toBeDefined();
expect(body.token.plaintext).toBeDefined();
});
it('returns 400 when extra forbidden properties are sent', async () => {
// This proves ValidationPipe IS active and working (forbidNonWhitelisted).
const res = await request(app.getHttpServer())
.post('/api/bootstrap/setup')
.send({
name: 'Admin',
email: 'admin@example.com',
password: 'password123',
extraField: 'should-be-rejected',
})
.set('Content-Type', 'application/json');
expect(res.status).toBe(400);
});
it('returns 400 when email is invalid', async () => {
const res = await request(app.getHttpServer())
.post('/api/bootstrap/setup')
.send({ name: 'Admin', email: 'not-an-email', password: 'password123' })
.set('Content-Type', 'application/json');
expect(res.status).toBe(400);
});
it('returns 400 when password is too short', async () => {
const res = await request(app.getHttpServer())
.post('/api/bootstrap/setup')
.send({ name: 'Admin', email: 'admin@example.com', password: 'short' })
.set('Content-Type', 'application/json');
expect(res.status).toBe(400);
});
});

770
apps/gateway/src/agent/__tests__/provider-adapters.test.ts
View File

@@ -1,770 +0,0 @@
/**
* Provider Adapter Integration Tests — M3-012
*
* Verifies that all five provider adapters (Anthropic, OpenAI, OpenRouter, Z.ai, Ollama)
* are properly integrated: registration, model listing, graceful degradation without
* API keys, capability matrix correctness, and ProviderCredentialsService behaviour.
*
* These tests are designed to run in CI with no real API keys; they test graceful
* degradation and static configuration rather than live network calls.
*/
import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
import { ModelRegistry, AuthStorage } from '@mariozechner/pi-coding-agent';
import { AnthropicAdapter } from '../adapters/anthropic.adapter.js';
import { OpenAIAdapter } from '../adapters/openai.adapter.js';
import { OpenRouterAdapter } from '../adapters/openrouter.adapter.js';
import { ZaiAdapter } from '../adapters/zai.adapter.js';
import { OllamaAdapter } from '../adapters/ollama.adapter.js';
import { ProviderService } from '../provider.service.js';
import {
getModelCapability,
MODEL_CAPABILITIES,
findModelsByCapability,
} from '../model-capabilities.js';
// ---------------------------------------------------------------------------
// Environment helpers
// ---------------------------------------------------------------------------
const ALL_PROVIDER_KEYS = [
'ANTHROPIC_API_KEY',
'OPENAI_API_KEY',
'OPENROUTER_API_KEY',
'ZAI_API_KEY',
'ZAI_BASE_URL',
'OLLAMA_BASE_URL',
'OLLAMA_HOST',
'OLLAMA_MODELS',
'BETTER_AUTH_SECRET',
] as const;
type EnvKey = (typeof ALL_PROVIDER_KEYS)[number];
function saveAndClearEnv(): Map<EnvKey, string | undefined> {
const saved = new Map<EnvKey, string | undefined>();
for (const key of ALL_PROVIDER_KEYS) {
saved.set(key, process.env[key]);
delete process.env[key];
}
return saved;
}
function restoreEnv(saved: Map<EnvKey, string | undefined>): void {
for (const key of ALL_PROVIDER_KEYS) {
const value = saved.get(key);
if (value === undefined) {
delete process.env[key];
} else {
process.env[key] = value;
}
}
}
function makeRegistry(): ModelRegistry {
return ModelRegistry.inMemory(AuthStorage.inMemory());
}
// ---------------------------------------------------------------------------
// 1. Adapter registration tests
// ---------------------------------------------------------------------------
describe('AnthropicAdapter', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
it('skips registration gracefully when ANTHROPIC_API_KEY is missing', async () => {
const adapter = new AnthropicAdapter(makeRegistry());
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('registers and listModels returns expected models when ANTHROPIC_API_KEY is set', async () => {
process.env['ANTHROPIC_API_KEY'] = 'sk-ant-test';
const adapter = new AnthropicAdapter(makeRegistry());
await adapter.register();
const models = adapter.listModels();
expect(models.length).toBeGreaterThan(0);
const ids = models.map((m) => m.id);
expect(ids).toContain('claude-opus-4-6');
expect(ids).toContain('claude-sonnet-4-6');
expect(ids).toContain('claude-haiku-4-5');
for (const model of models) {
expect(model.provider).toBe('anthropic');
expect(model.contextWindow).toBe(200000);
}
});
it('healthCheck returns down with error when ANTHROPIC_API_KEY is missing', async () => {
const adapter = new AnthropicAdapter(makeRegistry());
const health = await adapter.healthCheck();
expect(health.status).toBe('down');
expect(health.error).toMatch(/ANTHROPIC_API_KEY/);
expect(health.lastChecked).toBeTruthy();
});
it('adapter name is "anthropic"', () => {
expect(new AnthropicAdapter(makeRegistry()).name).toBe('anthropic');
});
});
describe('OpenAIAdapter', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
it('skips registration gracefully when OPENAI_API_KEY is missing', async () => {
const adapter = new OpenAIAdapter(makeRegistry());
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('registers and listModels returns Codex model when OPENAI_API_KEY is set', async () => {
process.env['OPENAI_API_KEY'] = 'sk-openai-test';
const adapter = new OpenAIAdapter(makeRegistry());
await adapter.register();
const models = adapter.listModels();
expect(models.length).toBeGreaterThan(0);
const ids = models.map((m) => m.id);
expect(ids).toContain(OpenAIAdapter.CODEX_MODEL_ID);
const codex = models.find((m) => m.id === OpenAIAdapter.CODEX_MODEL_ID)!;
expect(codex.provider).toBe('openai');
expect(codex.contextWindow).toBe(128_000);
expect(codex.maxTokens).toBe(16_384);
});
it('healthCheck returns down with error when OPENAI_API_KEY is missing', async () => {
const adapter = new OpenAIAdapter(makeRegistry());
const health = await adapter.healthCheck();
expect(health.status).toBe('down');
expect(health.error).toMatch(/OPENAI_API_KEY/);
});
it('adapter name is "openai"', () => {
expect(new OpenAIAdapter(makeRegistry()).name).toBe('openai');
});
});
describe('OpenRouterAdapter', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
// Prevent real network calls during registration — stub global fetch
vi.stubGlobal(
'fetch',
vi.fn().mockResolvedValue({
ok: true,
json: () =>
Promise.resolve({
data: [
{
id: 'openai/gpt-4o',
name: 'GPT-4o',
context_length: 128000,
top_provider: { max_completion_tokens: 4096 },
pricing: { prompt: '0.000005', completion: '0.000015' },
architecture: { input_modalities: ['text', 'image'] },
},
],
}),
}),
);
});
afterEach(() => {
restoreEnv(savedEnv);
vi.unstubAllGlobals();
});
it('skips registration gracefully when OPENROUTER_API_KEY is missing', async () => {
vi.unstubAllGlobals(); // no fetch call expected
const adapter = new OpenRouterAdapter();
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('registers and listModels returns models when OPENROUTER_API_KEY is set', async () => {
process.env['OPENROUTER_API_KEY'] = 'sk-or-test';
const adapter = new OpenRouterAdapter();
await adapter.register();
const models = adapter.listModels();
expect(models.length).toBeGreaterThan(0);
const first = models[0]!;
expect(first.provider).toBe('openrouter');
expect(first.id).toBe('openai/gpt-4o');
expect(first.inputTypes).toContain('image');
});
it('healthCheck returns down with error when OPENROUTER_API_KEY is missing', async () => {
vi.unstubAllGlobals(); // no fetch call expected
const adapter = new OpenRouterAdapter();
const health = await adapter.healthCheck();
expect(health.status).toBe('down');
expect(health.error).toMatch(/OPENROUTER_API_KEY/);
});
it('continues registration with empty model list when model fetch fails', async () => {
process.env['OPENROUTER_API_KEY'] = 'sk-or-test';
vi.stubGlobal(
'fetch',
vi.fn().mockResolvedValue({
ok: false,
status: 500,
}),
);
const adapter = new OpenRouterAdapter();
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('adapter name is "openrouter"', () => {
expect(new OpenRouterAdapter().name).toBe('openrouter');
});
});
describe('ZaiAdapter', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
it('skips registration gracefully when ZAI_API_KEY is missing', async () => {
const adapter = new ZaiAdapter();
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('registers and listModels returns glm-5 when ZAI_API_KEY is set', async () => {
process.env['ZAI_API_KEY'] = 'zai-test-key';
const adapter = new ZaiAdapter();
await adapter.register();
const models = adapter.listModels();
expect(models.length).toBeGreaterThan(0);
const ids = models.map((m) => m.id);
expect(ids).toContain('glm-5');
const glm = models.find((m) => m.id === 'glm-5')!;
expect(glm.provider).toBe('zai');
});
it('healthCheck returns down with error when ZAI_API_KEY is missing', async () => {
const adapter = new ZaiAdapter();
const health = await adapter.healthCheck();
expect(health.status).toBe('down');
expect(health.error).toMatch(/ZAI_API_KEY/);
});
it('adapter name is "zai"', () => {
expect(new ZaiAdapter().name).toBe('zai');
});
});
describe('OllamaAdapter', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
it('skips registration gracefully when OLLAMA_BASE_URL is missing', async () => {
const adapter = new OllamaAdapter(makeRegistry());
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('registers via OLLAMA_HOST fallback when OLLAMA_BASE_URL is absent', async () => {
process.env['OLLAMA_HOST'] = 'http://localhost:11434';
const adapter = new OllamaAdapter(makeRegistry());
await adapter.register();
const models = adapter.listModels();
expect(models.length).toBeGreaterThan(0);
});
it('registers default models (llama3.2, codellama, mistral) + embedding models', async () => {
process.env['OLLAMA_BASE_URL'] = 'http://localhost:11434';
const adapter = new OllamaAdapter(makeRegistry());
await adapter.register();
const models = adapter.listModels();
const ids = models.map((m) => m.id);
// Default completion models
expect(ids).toContain('llama3.2');
expect(ids).toContain('codellama');
expect(ids).toContain('mistral');
// Embedding models
expect(ids).toContain('nomic-embed-text');
expect(ids).toContain('mxbai-embed-large');
for (const model of models) {
expect(model.provider).toBe('ollama');
}
});
it('registers custom OLLAMA_MODELS list', async () => {
process.env['OLLAMA_BASE_URL'] = 'http://localhost:11434';
process.env['OLLAMA_MODELS'] = 'phi3,gemma2';
const adapter = new OllamaAdapter(makeRegistry());
await adapter.register();
const completionIds = adapter.listModels().map((m) => m.id);
expect(completionIds).toContain('phi3');
expect(completionIds).toContain('gemma2');
expect(completionIds).not.toContain('llama3.2');
});
it('healthCheck returns down with error when OLLAMA_BASE_URL is missing', async () => {
const adapter = new OllamaAdapter(makeRegistry());
const health = await adapter.healthCheck();
expect(health.status).toBe('down');
expect(health.error).toMatch(/OLLAMA_BASE_URL/);
});
it('adapter name is "ollama"', () => {
expect(new OllamaAdapter(makeRegistry()).name).toBe('ollama');
});
});
// ---------------------------------------------------------------------------
// 2. ProviderService integration
// ---------------------------------------------------------------------------
describe('ProviderService — adapter array integration', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
it('contains all 5 adapters (ollama, anthropic, openai, openrouter, zai)', async () => {
const service = new ProviderService(null);
await service.onModuleInit();
// Exercise getAdapter for all five known provider names
const expectedProviders = ['ollama', 'anthropic', 'openai', 'openrouter', 'zai'];
for (const name of expectedProviders) {
const adapter = service.getAdapter(name);
expect(adapter, `Expected adapter "${name}" to be registered`).toBeDefined();
expect(adapter!.name).toBe(name);
}
});
it('healthCheckAll runs without crashing and returns status for all 5 providers', async () => {
const service = new ProviderService(null);
await service.onModuleInit();
const results = await service.healthCheckAll();
expect(typeof results).toBe('object');
const expectedProviders = ['ollama', 'anthropic', 'openai', 'openrouter', 'zai'];
for (const name of expectedProviders) {
const health = results[name];
expect(health, `Expected health result for provider "${name}"`).toBeDefined();
expect(['healthy', 'degraded', 'down']).toContain(health!.status);
expect(health!.lastChecked).toBeTruthy();
}
});
it('healthCheckAll reports "down" for all providers when no keys are set', async () => {
const service = new ProviderService(null);
await service.onModuleInit();
const results = await service.healthCheckAll();
// All unconfigured providers should be down (not healthy)
for (const [, health] of Object.entries(results)) {
expect(['down', 'degraded']).toContain(health.status);
}
});
it('getProvidersHealth returns entries for all 5 providers', async () => {
const service = new ProviderService(null);
await service.onModuleInit();
const healthList = service.getProvidersHealth();
const names = healthList.map((h) => h.name);
for (const expected of ['ollama', 'anthropic', 'openai', 'openrouter', 'zai']) {
expect(names).toContain(expected);
}
for (const entry of healthList) {
expect(entry).toHaveProperty('name');
expect(entry).toHaveProperty('status');
expect(entry).toHaveProperty('lastChecked');
expect(typeof entry.modelCount).toBe('number');
}
});
it('service initialises without error when all env keys are absent', async () => {
const service = new ProviderService(null);
await expect(service.onModuleInit()).resolves.toBeUndefined();
service.onModuleDestroy();
});
});
// ---------------------------------------------------------------------------
// 3. Model capability matrix
// ---------------------------------------------------------------------------
describe('Model capability matrix', () => {
const expectedModels: Array<{
id: string;
provider: string;
tier: string;
contextWindow: number;
reasoning?: boolean;
vision?: boolean;
embedding?: boolean;
}> = [
{
id: 'claude-opus-4-6',
provider: 'anthropic',
tier: 'premium',
contextWindow: 200000,
reasoning: true,
vision: true,
},
{
id: 'claude-sonnet-4-6',
provider: 'anthropic',
tier: 'standard',
contextWindow: 200000,
reasoning: true,
vision: true,
},
{
id: 'claude-haiku-4-5',
provider: 'anthropic',
tier: 'cheap',
contextWindow: 200000,
reasoning: false,
vision: true,
},
{
id: 'codex-gpt-5.4',
provider: 'openai',
tier: 'premium',
contextWindow: 128000,
},
{
id: 'glm-5',
provider: 'zai',
tier: 'standard',
contextWindow: 128000,
},
{
id: 'llama3.2',
provider: 'ollama',
tier: 'local',
contextWindow: 128000,
},
{
id: 'codellama',
provider: 'ollama',
tier: 'local',
contextWindow: 16000,
},
{
id: 'mistral',
provider: 'ollama',
tier: 'local',
contextWindow: 32000,
},
{
id: 'nomic-embed-text',
provider: 'ollama',
tier: 'local',
contextWindow: 8192,
embedding: true,
},
{
id: 'mxbai-embed-large',
provider: 'ollama',
tier: 'local',
contextWindow: 8192,
embedding: true,
},
];
it('MODEL_CAPABILITIES contains all expected model IDs', () => {
const allIds = MODEL_CAPABILITIES.map((m) => m.id);
for (const { id } of expectedModels) {
expect(allIds, `Expected model "${id}" in capability matrix`).toContain(id);
}
});
it('getModelCapability() returns correct tier and context window for each model', () => {
for (const expected of expectedModels) {
const cap = getModelCapability(expected.id);
expect(cap, `getModelCapability("${expected.id}") should be defined`).toBeDefined();
expect(cap!.provider).toBe(expected.provider);
expect(cap!.tier).toBe(expected.tier);
expect(cap!.contextWindow).toBe(expected.contextWindow);
}
});
it('Anthropic models have correct capability flags (tools, streaming, vision, reasoning)', () => {
for (const expected of expectedModels.filter((m) => m.provider === 'anthropic')) {
const cap = getModelCapability(expected.id)!;
expect(cap.capabilities.tools).toBe(true);
expect(cap.capabilities.streaming).toBe(true);
if (expected.vision !== undefined) {
expect(cap.capabilities.vision).toBe(expected.vision);
}
if (expected.reasoning !== undefined) {
expect(cap.capabilities.reasoning).toBe(expected.reasoning);
}
}
});
it('Embedding models have embedding flag=true and other flags=false', () => {
for (const expected of expectedModels.filter((m) => m.embedding)) {
const cap = getModelCapability(expected.id)!;
expect(cap.capabilities.embedding).toBe(true);
expect(cap.capabilities.tools).toBe(false);
expect(cap.capabilities.streaming).toBe(false);
expect(cap.capabilities.reasoning).toBe(false);
}
});
it('findModelsByCapability filters by tier correctly', () => {
const premiumModels = findModelsByCapability({ tier: 'premium' });
expect(premiumModels.length).toBeGreaterThan(0);
for (const m of premiumModels) {
expect(m.tier).toBe('premium');
}
});
it('findModelsByCapability filters by provider correctly', () => {
const anthropicModels = findModelsByCapability({ provider: 'anthropic' });
expect(anthropicModels.length).toBe(3);
for (const m of anthropicModels) {
expect(m.provider).toBe('anthropic');
}
});
it('findModelsByCapability filters by capability flags correctly', () => {
const reasoningModels = findModelsByCapability({ capabilities: { reasoning: true } });
expect(reasoningModels.length).toBeGreaterThan(0);
for (const m of reasoningModels) {
expect(m.capabilities.reasoning).toBe(true);
}
const embeddingModels = findModelsByCapability({ capabilities: { embedding: true } });
expect(embeddingModels.length).toBeGreaterThan(0);
for (const m of embeddingModels) {
expect(m.capabilities.embedding).toBe(true);
}
});
it('getModelCapability returns undefined for unknown model IDs', () => {
expect(getModelCapability('not-a-real-model')).toBeUndefined();
expect(getModelCapability('')).toBeUndefined();
});
it('all Anthropic models have maxOutputTokens > 0', () => {
const anthropicModels = MODEL_CAPABILITIES.filter((m) => m.provider === 'anthropic');
for (const m of anthropicModels) {
expect(m.maxOutputTokens).toBeGreaterThan(0);
}
});
});
// ---------------------------------------------------------------------------
// 4. ProviderCredentialsService — unit-level tests (encrypt/decrypt logic)
// ---------------------------------------------------------------------------
describe('ProviderCredentialsService — encryption helpers', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
/**
* The service uses module-level functions (encrypt/decrypt) that depend on
* BETTER_AUTH_SECRET. We test the behaviour through the service's public API
* using an in-memory mock DB so no real Postgres connection is needed.
*/
it('store/retrieve/remove work correctly with mock DB and BETTER_AUTH_SECRET set', async () => {
process.env['BETTER_AUTH_SECRET'] = 'test-secret-for-unit-tests-only';
// Build a minimal in-memory DB mock
const rows = new Map<
string,
{
encryptedValue: string;
credentialType: string;
expiresAt: Date | null;
metadata: null;
createdAt: Date;
updatedAt: Date;
}
>();
// We import the service but mock its DB dependency manually
// by testing the encrypt/decrypt indirectly — using the real module.
const { ProviderCredentialsService } = await import('../provider-credentials.service.js');
// Capture stored value from upsert call
let storedEncryptedValue = '';
let storedCredentialType = '';
const captureInsert = vi.fn().mockImplementation(() => ({
values: vi
.fn()
.mockImplementation((data: { encryptedValue: string; credentialType: string }) => {
storedEncryptedValue = data.encryptedValue;
storedCredentialType = data.credentialType;
rows.set('user1:anthropic', {
encryptedValue: data.encryptedValue,
credentialType: data.credentialType,
expiresAt: null,
metadata: null,
createdAt: new Date(),
updatedAt: new Date(),
});
return {
onConflictDoUpdate: vi.fn().mockResolvedValue(undefined),
};
}),
}));
const captureSelect = vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
limit: vi.fn().mockImplementation(() => {
const row = rows.get('user1:anthropic');
return Promise.resolve(row ? [row] : []);
}),
}),
}),
});
const captureDelete = vi.fn().mockReturnValue({
where: vi.fn().mockResolvedValue(undefined),
});
const db = {
insert: captureInsert,
select: captureSelect,
delete: captureDelete,
};
const service = new ProviderCredentialsService(db as never);
// store
await service.store('user1', 'anthropic', 'api_key', 'sk-ant-secret-value');
// verify encrypted value is not plain text
expect(storedEncryptedValue).not.toBe('sk-ant-secret-value');
expect(storedEncryptedValue.length).toBeGreaterThan(0);
expect(storedCredentialType).toBe('api_key');
// retrieve
const retrieved = await service.retrieve('user1', 'anthropic');
expect(retrieved).toBe('sk-ant-secret-value');
// remove (clears the row)
rows.delete('user1:anthropic');
const afterRemove = await service.retrieve('user1', 'anthropic');
expect(afterRemove).toBeNull();
});
it('retrieve returns null when no credential is stored', async () => {
process.env['BETTER_AUTH_SECRET'] = 'test-secret-for-unit-tests-only';
const { ProviderCredentialsService } = await import('../provider-credentials.service.js');
const emptyDb = {
select: vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
limit: vi.fn().mockResolvedValue([]),
}),
}),
}),
};
const service = new ProviderCredentialsService(emptyDb as never);
const result = await service.retrieve('user-nobody', 'anthropic');
expect(result).toBeNull();
});
it('listProviders returns only metadata, never decrypted values', async () => {
process.env['BETTER_AUTH_SECRET'] = 'test-secret-for-unit-tests-only';
const { ProviderCredentialsService } = await import('../provider-credentials.service.js');
const fakeRow = {
provider: 'anthropic',
credentialType: 'api_key',
expiresAt: null,
metadata: null,
createdAt: new Date(),
updatedAt: new Date(),
};
const listDb = {
select: vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockResolvedValue([fakeRow]),
}),
}),
};
const service = new ProviderCredentialsService(listDb as never);
const providers = await service.listProviders('user1');
expect(providers).toHaveLength(1);
expect(providers[0]!.provider).toBe('anthropic');
expect(providers[0]!.credentialType).toBe('api_key');
expect(providers[0]!.exists).toBe(true);
// Critically: no encrypted or plain-text value is exposed
expect(providers[0]).not.toHaveProperty('encryptedValue');
expect(providers[0]).not.toHaveProperty('value');
expect(providers[0]).not.toHaveProperty('apiKey');
});
});

142
apps/gateway/src/agent/__tests__/provider.service.test.ts
View File

@@ -1,142 +0,0 @@
import { beforeEach, afterEach, describe, expect, it } from 'vitest';
import { ProviderService } from '../provider.service.js';
const ENV_KEYS = [
'ANTHROPIC_API_KEY',
'OPENAI_API_KEY',
'ZAI_API_KEY',
'OLLAMA_BASE_URL',
'OLLAMA_HOST',
'OLLAMA_MODELS',
'MOSAIC_CUSTOM_PROVIDERS',
] as const;
type EnvKey = (typeof ENV_KEYS)[number];
describe('ProviderService', () => {
const savedEnv = new Map<EnvKey, string | undefined>();
beforeEach(() => {
for (const key of ENV_KEYS) {
savedEnv.set(key, process.env[key]);
delete process.env[key];
}
});
afterEach(() => {
for (const key of ENV_KEYS) {
const value = savedEnv.get(key);
if (value === undefined) {
delete process.env[key];
} else {
process.env[key] = value;
}
}
});
it('skips API-key providers when env vars are missing (no models become available)', async () => {
const service = new ProviderService(null);
await service.onModuleInit();
// Pi's built-in registry may include model definitions for all providers, but
// without API keys none of them should be available (usable).
const availableModels = service.listAvailableModels();
const availableProviderIds = new Set(availableModels.map((m) => m.provider));
expect(availableProviderIds).not.toContain('anthropic');
expect(availableProviderIds).not.toContain('openai');
expect(availableProviderIds).not.toContain('zai');
// Providers list may show built-in providers, but they should not be marked available
const providers = service.listProviders();
for (const p of providers.filter((p) => ['anthropic', 'openai', 'zai'].includes(p.id))) {
expect(p.available).toBe(false);
}
});
it('registers Anthropic provider with correct models when ANTHROPIC_API_KEY is set', async () => {
process.env['ANTHROPIC_API_KEY'] = 'test-anthropic';
const service = new ProviderService(null);
await service.onModuleInit();
const providers = service.listProviders();
const anthropic = providers.find((p) => p.id === 'anthropic');
expect(anthropic).toBeDefined();
expect(anthropic!.available).toBe(true);
expect(anthropic!.models.map((m) => m.id)).toEqual([
'claude-opus-4-6',
'claude-sonnet-4-6',
'claude-haiku-4-5',
]);
// All Anthropic models have 200k context window
for (const m of anthropic!.models) {
expect(m.contextWindow).toBe(200000);
}
});
it('registers OpenAI provider with correct models when OPENAI_API_KEY is set', async () => {
process.env['OPENAI_API_KEY'] = 'test-openai';
const service = new ProviderService(null);
await service.onModuleInit();
const providers = service.listProviders();
const openai = providers.find((p) => p.id === 'openai');
expect(openai).toBeDefined();
expect(openai!.available).toBe(true);
expect(openai!.models.map((m) => m.id)).toEqual(['codex-gpt-5-4']);
});
it('registers Z.ai provider with correct models when ZAI_API_KEY is set', async () => {
process.env['ZAI_API_KEY'] = 'test-zai';
const service = new ProviderService(null);
await service.onModuleInit();
const providers = service.listProviders();
const zai = providers.find((p) => p.id === 'zai');
expect(zai).toBeDefined();
expect(zai!.available).toBe(true);
// Pi's registry may include additional glm variants; verify our registered model is present
expect(zai!.models.map((m) => m.id)).toContain('glm-5');
});
it('registers all three providers when all keys are set', async () => {
process.env['ANTHROPIC_API_KEY'] = 'test-anthropic';
process.env['OPENAI_API_KEY'] = 'test-openai';
process.env['ZAI_API_KEY'] = 'test-zai';
const service = new ProviderService(null);
await service.onModuleInit();
const providerIds = service.listProviders().map((p) => p.id);
expect(providerIds).toContain('anthropic');
expect(providerIds).toContain('openai');
expect(providerIds).toContain('zai');
});
it('can find registered Anthropic models by provider+id', async () => {
process.env['ANTHROPIC_API_KEY'] = 'test-anthropic';
const service = new ProviderService(null);
await service.onModuleInit();
const sonnet = service.findModel('anthropic', 'claude-sonnet-4-6');
expect(sonnet).toBeDefined();
expect(sonnet!.provider).toBe('anthropic');
expect(sonnet!.id).toBe('claude-sonnet-4-6');
});
it('can find registered Z.ai models by provider+id', async () => {
process.env['ZAI_API_KEY'] = 'test-zai';
const service = new ProviderService(null);
await service.onModuleInit();
const glm = service.findModel('zai', 'glm-4.5');
expect(glm).toBeDefined();
expect(glm!.provider).toBe('zai');
expect(glm!.id).toBe('glm-4.5');
});
});

2
apps/gateway/src/agent/__tests__/routing.service.test.ts
View File

@@ -1,6 +1,6 @@
import { describe, it, expect, beforeEach, vi } from 'vitest';
import { RoutingService } from '../routing.service.js';
import type { ModelInfo } from '@mosaicstack/types';
import type { ModelInfo } from '@mosaic/types';
const mockModels: ModelInfo[] = [
{

191
apps/gateway/src/agent/adapters/anthropic.adapter.ts
View File

@@ -1,191 +0,0 @@
import { Logger } from '@nestjs/common';
import Anthropic from '@anthropic-ai/sdk';
import type { ModelRegistry } from '@mariozechner/pi-coding-agent';
import type {
CompletionEvent,
CompletionParams,
IProviderAdapter,
ModelInfo,
ProviderHealth,
} from '@mosaicstack/types';
/**
* Anthropic provider adapter.
*
* Registers Claude models with the Pi ModelRegistry via the Anthropic SDK.
* Configuration is driven by environment variables:
* ANTHROPIC_API_KEY — Anthropic API key (required)
*/
export class AnthropicAdapter implements IProviderAdapter {
readonly name = 'anthropic';
private readonly logger = new Logger(AnthropicAdapter.name);
private client: Anthropic | null = null;
private registeredModels: ModelInfo[] = [];
constructor(private readonly registry: ModelRegistry) {}
async register(): Promise<void> {
const apiKey = process.env['ANTHROPIC_API_KEY'];
if (!apiKey) {
this.logger.warn('Skipping Anthropic provider registration: ANTHROPIC_API_KEY not set');
return;
}
this.client = new Anthropic({ apiKey });
const models: ModelInfo[] = [
{
id: 'claude-opus-4-6',
provider: 'anthropic',
name: 'Claude Opus 4.6',
reasoning: true,
contextWindow: 200000,
maxTokens: 32000,
inputTypes: ['text', 'image'],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
},
{
id: 'claude-sonnet-4-6',
provider: 'anthropic',
name: 'Claude Sonnet 4.6',
reasoning: true,
contextWindow: 200000,
maxTokens: 16000,
inputTypes: ['text', 'image'],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
},
{
id: 'claude-haiku-4-5',
provider: 'anthropic',
name: 'Claude Haiku 4.5',
reasoning: false,
contextWindow: 200000,
maxTokens: 8192,
inputTypes: ['text', 'image'],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
},
];
this.registry.registerProvider('anthropic', {
apiKey,
baseUrl: 'https://api.anthropic.com',
api: 'anthropic' as never,
models: models.map((m) => ({
id: m.id,
name: m.name,
reasoning: m.reasoning,
input: m.inputTypes as ('text' | 'image')[],
cost: m.cost,
contextWindow: m.contextWindow,
maxTokens: m.maxTokens,
})),
});
this.registeredModels = models;
this.logger.log(
`Anthropic provider registered with models: ${models.map((m) => m.id).join(', ')}`,
);
}
listModels(): ModelInfo[] {
return this.registeredModels;
}
async healthCheck(): Promise<ProviderHealth> {
const apiKey = process.env['ANTHROPIC_API_KEY'];
if (!apiKey) {
return {
status: 'down',
lastChecked: new Date().toISOString(),
error: 'ANTHROPIC_API_KEY not configured',
};
}
const start = Date.now();
try {
const client = this.client ?? new Anthropic({ apiKey });
await client.models.list({ limit: 1 });
const latencyMs = Date.now() - start;
return { status: 'healthy', latencyMs, lastChecked: new Date().toISOString() };
} catch (err) {
const latencyMs = Date.now() - start;
const error = err instanceof Error ? err.message : String(err);
const status = error.includes('401') || error.includes('403') ? 'degraded' : 'down';
return { status, latencyMs, lastChecked: new Date().toISOString(), error };
}
}
/**
* Stream a completion from Anthropic using the messages API.
* Maps Anthropic streaming events to the CompletionEvent format.
*
* Note: Currently reserved for future direct-completion use. The Pi SDK
* integration routes completions through ModelRegistry / AgentSession.
*/
async *createCompletion(params: CompletionParams): AsyncIterable<CompletionEvent> {
const apiKey = process.env['ANTHROPIC_API_KEY'];
if (!apiKey) {
throw new Error('AnthropicAdapter: ANTHROPIC_API_KEY not configured');
}
const client = this.client ?? new Anthropic({ apiKey });
// Separate system messages from user/assistant messages
const systemMessages = params.messages.filter((m) => m.role === 'system');
const conversationMessages = params.messages.filter((m) => m.role !== 'system');
const systemPrompt =
systemMessages.length > 0 ? systemMessages.map((m) => m.content).join('\n') : undefined;
const stream = await client.messages.stream({
model: params.model,
max_tokens: params.maxTokens ?? 1024,
...(systemPrompt !== undefined ? { system: systemPrompt } : {}),
messages: conversationMessages.map((m) => ({
role: m.role as 'user' | 'assistant',
content: m.content,
})),
...(params.temperature !== undefined ? { temperature: params.temperature } : {}),
...(params.tools && params.tools.length > 0
? {
tools: params.tools.map((t) => ({
name: t.name,
description: t.description,
input_schema: t.parameters as Anthropic.Tool['input_schema'],
})),
}
: {}),
});
for await (const event of stream) {
if (event.type === 'content_block_delta' && event.delta.type === 'text_delta') {
yield { type: 'text_delta', content: event.delta.text };
} else if (event.type === 'content_block_delta' && event.delta.type === 'input_json_delta') {
yield { type: 'tool_call', name: '', arguments: event.delta.partial_json };
} else if (event.type === 'message_delta' && event.usage) {
yield {
type: 'done',
usage: {
inputTokens:
(event as { usage: { input_tokens?: number; output_tokens: number } }).usage
.input_tokens ?? 0,
outputTokens: event.usage.output_tokens,
},
};
}
}
// Emit final done event with full usage from the completed message
const finalMessage = await stream.finalMessage();
yield {
type: 'done',
usage: {
inputTokens: finalMessage.usage.input_tokens,
outputTokens: finalMessage.usage.output_tokens,
},
};
}
}

5
apps/gateway/src/agent/adapters/index.ts
View File

@@ -1,5 +0,0 @@
export { OllamaAdapter } from './ollama.adapter.js';
export { AnthropicAdapter } from './anthropic.adapter.js';
export { OpenAIAdapter } from './openai.adapter.js';
export { OpenRouterAdapter } from './openrouter.adapter.js';
export { ZaiAdapter } from './zai.adapter.js';

197
apps/gateway/src/agent/adapters/ollama.adapter.ts
View File

@@ -1,197 +0,0 @@
import { Logger } from '@nestjs/common';
import type { ModelRegistry } from '@mariozechner/pi-coding-agent';
import type {
CompletionEvent,
CompletionParams,
IProviderAdapter,
ModelInfo,
ProviderHealth,
} from '@mosaicstack/types';
/** Embedding models that Ollama ships with out of the box */
const OLLAMA_EMBEDDING_MODELS: ReadonlyArray<{
id: string;
contextWindow: number;
dimensions: number;
}> = [
{ id: 'nomic-embed-text', contextWindow: 8192, dimensions: 768 },
{ id: 'mxbai-embed-large', contextWindow: 512, dimensions: 1024 },
];
interface OllamaEmbeddingResponse {
embedding?: number[];
}
/**
* Ollama provider adapter.
*
* Registers local Ollama models with the Pi ModelRegistry via the OpenAI-compatible
* completions API. Also exposes embedding models and an `embed()` method for
* vector generation (used by EmbeddingService / M3-009).
*
* Configuration is driven by environment variables:
* OLLAMA_BASE_URL or OLLAMA_HOST — base URL of the Ollama instance
* OLLAMA_MODELS — comma-separated list of model IDs (default: llama3.2,codellama,mistral)
*/
export class OllamaAdapter implements IProviderAdapter {
readonly name = 'ollama';
private readonly logger = new Logger(OllamaAdapter.name);
private registeredModels: ModelInfo[] = [];
constructor(private readonly registry: ModelRegistry) {}
async register(): Promise<void> {
const ollamaUrl = process.env['OLLAMA_BASE_URL'] ?? process.env['OLLAMA_HOST'];
if (!ollamaUrl) {
this.logger.debug('Skipping Ollama provider registration: OLLAMA_BASE_URL not set');
return;
}
const modelsEnv = process.env['OLLAMA_MODELS'] ?? 'llama3.2,codellama,mistral';
const modelIds = modelsEnv
.split(',')
.map((id: string) => id.trim())
.filter(Boolean);
this.registry.registerProvider('ollama', {
baseUrl: `${ollamaUrl}/v1`,
apiKey: 'ollama',
api: 'openai-completions' as never,
models: modelIds.map((id) => ({
id,
name: id,
reasoning: false,
input: ['text'] as ('text' | 'image')[],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
contextWindow: 8192,
maxTokens: 4096,
})),
});
// Chat / completion models
const completionModels: ModelInfo[] = modelIds.map((id) => ({
id,
provider: 'ollama',
name: id,
reasoning: false,
contextWindow: 8192,
maxTokens: 4096,
inputTypes: ['text'] as ('text' | 'image')[],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
}));
// Embedding models (tracked in registeredModels but not in Pi registry,
// which only handles completion models)
const embeddingModels: ModelInfo[] = OLLAMA_EMBEDDING_MODELS.map((em) => ({
id: em.id,
provider: 'ollama',
name: em.id,
reasoning: false,
contextWindow: em.contextWindow,
maxTokens: 0,
inputTypes: ['text'] as ('text' | 'image')[],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
}));
this.registeredModels = [...completionModels, ...embeddingModels];
this.logger.log(
`Ollama provider registered at ${ollamaUrl} with models: ${modelIds.join(', ')} ` +
`and embedding models: ${OLLAMA_EMBEDDING_MODELS.map((em) => em.id).join(', ')}`,
);
}
listModels(): ModelInfo[] {
return this.registeredModels;
}
async healthCheck(): Promise<ProviderHealth> {
const ollamaUrl = process.env['OLLAMA_BASE_URL'] ?? process.env['OLLAMA_HOST'];
if (!ollamaUrl) {
return {
status: 'down',
lastChecked: new Date().toISOString(),
error: 'OLLAMA_BASE_URL not configured',
};
}
const checkUrl = `${ollamaUrl}/v1/models`;
const start = Date.now();
try {
const res = await fetch(checkUrl, {
method: 'GET',
headers: { Accept: 'application/json' },
signal: AbortSignal.timeout(5000),
});
const latencyMs = Date.now() - start;
if (!res.ok) {
return {
status: 'degraded',
latencyMs,
lastChecked: new Date().toISOString(),
error: `HTTP ${res.status}`,
};
}
return { status: 'healthy', latencyMs, lastChecked: new Date().toISOString() };
} catch (err) {
const latencyMs = Date.now() - start;
const error = err instanceof Error ? err.message : String(err);
return { status: 'down', latencyMs, lastChecked: new Date().toISOString(), error };
}
}
/**
* Generate an embedding vector for the given text using Ollama's /api/embeddings endpoint.
*
* Defaults to 'nomic-embed-text' when no model is specified.
* Intended for use by EmbeddingService (M3-009).
*
* @param text - The input text to embed.
* @param model - Optional embedding model ID (default: 'nomic-embed-text').
* @returns A float array representing the embedding vector.
*/
async embed(text: string, model = 'nomic-embed-text'): Promise<number[]> {
const ollamaUrl = process.env['OLLAMA_BASE_URL'] ?? process.env['OLLAMA_HOST'];
if (!ollamaUrl) {
throw new Error('OllamaAdapter: OLLAMA_BASE_URL not configured');
}
const embeddingUrl = `${ollamaUrl}/api/embeddings`;
const res = await fetch(embeddingUrl, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ model, prompt: text }),
signal: AbortSignal.timeout(30000),
});
if (!res.ok) {
throw new Error(`OllamaAdapter.embed: request failed with HTTP ${res.status}`);
}
const json = (await res.json()) as OllamaEmbeddingResponse;
if (!Array.isArray(json.embedding)) {
throw new Error('OllamaAdapter.embed: unexpected response — missing embedding array');
}
return json.embedding;
}
/**
* createCompletion is reserved for future direct-completion use.
* The current integration routes completions through Pi SDK's ModelRegistry/AgentSession.
*/
async *createCompletion(_params: CompletionParams): AsyncIterable<CompletionEvent> {
throw new Error(
'OllamaAdapter.createCompletion is not yet implemented. ' +
'Use Pi SDK AgentSession for completions.',
);
// Satisfy the AsyncGenerator return type — unreachable but required for TypeScript.
yield undefined as never;
}
}

201
apps/gateway/src/agent/adapters/openai.adapter.ts
View File

@@ -1,201 +0,0 @@
import { Logger } from '@nestjs/common';
import OpenAI from 'openai';
import type { ModelRegistry } from '@mariozechner/pi-coding-agent';
import type {
CompletionEvent,
CompletionParams,
IProviderAdapter,
ModelInfo,
ProviderHealth,
} from '@mosaicstack/types';
/**
* OpenAI provider adapter.
*
* Registers OpenAI models (including Codex gpt-5.4) with the Pi ModelRegistry.
* Configuration is driven by environment variables:
* OPENAI_API_KEY — OpenAI API key (required; adapter skips registration when absent)
*/
export class OpenAIAdapter implements IProviderAdapter {
readonly name = 'openai';
private readonly logger = new Logger(OpenAIAdapter.name);
private registeredModels: ModelInfo[] = [];
private client: OpenAI | null = null;
/** Model ID used for Codex gpt-5.4 in the Pi registry. */
static readonly CODEX_MODEL_ID = 'codex-gpt-5-4';
constructor(private readonly registry: ModelRegistry) {}
async register(): Promise<void> {
const apiKey = process.env['OPENAI_API_KEY'];
if (!apiKey) {
this.logger.debug('Skipping OpenAI provider registration: OPENAI_API_KEY not set');
return;
}
this.client = new OpenAI({ apiKey });
const codexModel = {
id: OpenAIAdapter.CODEX_MODEL_ID,
name: 'Codex gpt-5.4',
/** OpenAI-compatible completions API */
api: 'openai-completions' as never,
reasoning: false,
input: ['text', 'image'] as ('text' | 'image')[],
cost: { input: 0.003, output: 0.012, cacheRead: 0.0015, cacheWrite: 0 },
contextWindow: 128_000,
maxTokens: 16_384,
};
this.registry.registerProvider('openai', {
apiKey,
baseUrl: 'https://api.openai.com/v1',
models: [codexModel],
});
this.registeredModels = [
{
id: OpenAIAdapter.CODEX_MODEL_ID,
provider: 'openai',
name: 'Codex gpt-5.4',
reasoning: false,
contextWindow: 128_000,
maxTokens: 16_384,
inputTypes: ['text', 'image'] as ('text' | 'image')[],
cost: { input: 0.003, output: 0.012, cacheRead: 0.0015, cacheWrite: 0 },
},
];
this.logger.log(`OpenAI provider registered with model: ${OpenAIAdapter.CODEX_MODEL_ID}`);
}
listModels(): ModelInfo[] {
return this.registeredModels;
}
async healthCheck(): Promise<ProviderHealth> {
const apiKey = process.env['OPENAI_API_KEY'];
if (!apiKey) {
return {
status: 'down',
lastChecked: new Date().toISOString(),
error: 'OPENAI_API_KEY not configured',
};
}
const start = Date.now();
try {
// Lightweight call — list models to verify key validity
const res = await fetch('https://api.openai.com/v1/models', {
method: 'GET',
headers: {
Authorization: `Bearer ${apiKey}`,
'Content-Type': 'application/json',
},
signal: AbortSignal.timeout(5000),
});
const latencyMs = Date.now() - start;
if (!res.ok) {
return {
status: 'degraded',
latencyMs,
lastChecked: new Date().toISOString(),
error: `HTTP ${res.status}`,
};
}
return { status: 'healthy', latencyMs, lastChecked: new Date().toISOString() };
} catch (err) {
const latencyMs = Date.now() - start;
const error = err instanceof Error ? err.message : String(err);
return { status: 'down', latencyMs, lastChecked: new Date().toISOString(), error };
}
}
/**
* Stream a completion from OpenAI using the chat completions API.
*
* Maps OpenAI streaming chunks to the Mosaic CompletionEvent format.
*/
async *createCompletion(params: CompletionParams): AsyncIterable<CompletionEvent> {
if (!this.client) {
throw new Error(
'OpenAIAdapter: client not initialized. ' +
'Ensure OPENAI_API_KEY is set and register() was called.',
);
}
const stream = await this.client.chat.completions.create({
model: params.model,
messages: params.messages.map((m) => ({
role: m.role,
content: m.content,
})),
...(params.temperature !== undefined && { temperature: params.temperature }),
...(params.maxTokens !== undefined && { max_tokens: params.maxTokens }),
...(params.tools &&
params.tools.length > 0 && {
tools: params.tools.map((t) => ({
type: 'function' as const,
function: {
name: t.name,
description: t.description,
parameters: t.parameters,
},
})),
}),
stream: true,
stream_options: { include_usage: true },
});
let inputTokens = 0;
let outputTokens = 0;
for await (const chunk of stream) {
const choice = chunk.choices[0];
// Accumulate usage when present (final chunk with stream_options.include_usage)
if (chunk.usage) {
inputTokens = chunk.usage.prompt_tokens;
outputTokens = chunk.usage.completion_tokens;
}
if (!choice) continue;
const delta = choice.delta;
// Text content delta
if (delta.content) {
yield { type: 'text_delta', content: delta.content };
}
// Tool call delta — emit when arguments are complete
if (delta.tool_calls) {
for (const toolCallDelta of delta.tool_calls) {
if (toolCallDelta.function?.name && toolCallDelta.function.arguments !== undefined) {
yield {
type: 'tool_call',
name: toolCallDelta.function.name,
arguments: toolCallDelta.function.arguments,
};
}
}
}
// Stream finished
if (choice.finish_reason === 'stop' || choice.finish_reason === 'tool_calls') {
yield {
type: 'done',
usage: { inputTokens, outputTokens },
};
return;
}
}
// Fallback done event when stream ends without explicit finish_reason
yield { type: 'done', usage: { inputTokens, outputTokens } };
}
}

212
apps/gateway/src/agent/adapters/openrouter.adapter.ts
View File

@@ -1,212 +0,0 @@
import { Logger } from '@nestjs/common';
import OpenAI from 'openai';
import type {
CompletionEvent,
CompletionParams,
IProviderAdapter,
ModelInfo,
ProviderHealth,
} from '@mosaicstack/types';
const OPENROUTER_BASE_URL = 'https://openrouter.ai/api/v1';
interface OpenRouterModel {
id: string;
name?: string;
context_length?: number;
top_provider?: {
max_completion_tokens?: number;
};
pricing?: {
prompt?: string | number;
completion?: string | number;
};
architecture?: {
input_modalities?: string[];
};
}
interface OpenRouterModelsResponse {
data?: OpenRouterModel[];
}
/**
* OpenRouter provider adapter.
*
* Routes completions through OpenRouter's OpenAI-compatible API.
* Configuration is driven by the OPENROUTER_API_KEY environment variable.
*/
export class OpenRouterAdapter implements IProviderAdapter {
readonly name = 'openrouter';
private readonly logger = new Logger(OpenRouterAdapter.name);
private client: OpenAI | null = null;
private registeredModels: ModelInfo[] = [];
async register(): Promise<void> {
const apiKey = process.env['OPENROUTER_API_KEY'];
if (!apiKey) {
this.logger.debug('Skipping OpenRouter provider registration: OPENROUTER_API_KEY not set');
return;
}
this.client = new OpenAI({
apiKey,
baseURL: OPENROUTER_BASE_URL,
defaultHeaders: {
'HTTP-Referer': 'https://mosaic.ai',
'X-Title': 'Mosaic',
},
});
try {
this.registeredModels = await this.fetchModels(apiKey);
this.logger.log(`OpenRouter provider registered with ${this.registeredModels.length} models`);
} catch (err) {
this.logger.warn(
`OpenRouter model discovery failed: ${err instanceof Error ? err.message : String(err)}. Registering with empty model list.`,
);
this.registeredModels = [];
}
}
listModels(): ModelInfo[] {
return this.registeredModels;
}
async healthCheck(): Promise<ProviderHealth> {
const apiKey = process.env['OPENROUTER_API_KEY'];
if (!apiKey) {
return {
status: 'down',
lastChecked: new Date().toISOString(),
error: 'OPENROUTER_API_KEY not configured',
};
}
const start = Date.now();
try {
const res = await fetch(`${OPENROUTER_BASE_URL}/models`, {
method: 'GET',
headers: {
Authorization: `Bearer ${apiKey}`,
Accept: 'application/json',
},
signal: AbortSignal.timeout(5000),
});
const latencyMs = Date.now() - start;
if (!res.ok) {
return {
status: 'degraded',
latencyMs,
lastChecked: new Date().toISOString(),
error: `HTTP ${res.status}`,
};
}
return { status: 'healthy', latencyMs, lastChecked: new Date().toISOString() };
} catch (err) {
const latencyMs = Date.now() - start;
const error = err instanceof Error ? err.message : String(err);
return { status: 'down', latencyMs, lastChecked: new Date().toISOString(), error };
}
}
/**
* Stream a completion through OpenRouter's OpenAI-compatible API.
*/
async *createCompletion(params: CompletionParams): AsyncIterable<CompletionEvent> {
if (!this.client) {
throw new Error('OpenRouterAdapter is not initialized. Ensure OPENROUTER_API_KEY is set.');
}
const stream = await this.client.chat.completions.create({
model: params.model,
messages: params.messages.map((m) => ({ role: m.role, content: m.content })),
temperature: params.temperature,
max_tokens: params.maxTokens,
stream: true,
});
let inputTokens = 0;
let outputTokens = 0;
for await (const chunk of stream) {
const choice = chunk.choices[0];
if (!choice) continue;
const delta = choice.delta;
if (delta.content) {
yield { type: 'text_delta', content: delta.content };
}
if (choice.finish_reason === 'stop') {
const usage = (chunk as { usage?: { prompt_tokens?: number; completion_tokens?: number } })
.usage;
if (usage) {
inputTokens = usage.prompt_tokens ?? 0;
outputTokens = usage.completion_tokens ?? 0;
}
}
}
yield {
type: 'done',
usage: { inputTokens, outputTokens },
};
}
// ---------------------------------------------------------------------------
// Private helpers
// ---------------------------------------------------------------------------
private async fetchModels(apiKey: string): Promise<ModelInfo[]> {
const res = await fetch(`${OPENROUTER_BASE_URL}/models`, {
method: 'GET',
headers: {
Authorization: `Bearer ${apiKey}`,
Accept: 'application/json',
},
signal: AbortSignal.timeout(10000),
});
if (!res.ok) {
throw new Error(`OpenRouter models endpoint returned HTTP ${res.status}`);
}
const json = (await res.json()) as OpenRouterModelsResponse;
const data = json.data ?? [];
return data.map((model): ModelInfo => {
const inputPrice = model.pricing?.prompt
? parseFloat(String(model.pricing.prompt)) * 1000
: 0;
const outputPrice = model.pricing?.completion
? parseFloat(String(model.pricing.completion)) * 1000
: 0;
const inputModalities = model.architecture?.input_modalities ?? ['text'];
const inputTypes = inputModalities.includes('image')
? (['text', 'image'] as const)
: (['text'] as const);
return {
id: model.id,
provider: 'openrouter',
name: model.name ?? model.id,
reasoning: false,
contextWindow: model.context_length ?? 4096,
maxTokens: model.top_provider?.max_completion_tokens ?? 4096,
inputTypes: [...inputTypes],
cost: {
input: inputPrice,
output: outputPrice,
cacheRead: 0,
cacheWrite: 0,
},
};
});
}
}

187
apps/gateway/src/agent/adapters/zai.adapter.ts
View File

@@ -1,187 +0,0 @@
import { Logger } from '@nestjs/common';
import OpenAI from 'openai';
import type {
CompletionEvent,
CompletionParams,
IProviderAdapter,
ModelInfo,
ProviderHealth,
} from '@mosaicstack/types';
import { getModelCapability } from '../model-capabilities.js';
/**
* Default Z.ai API base URL.
* Z.ai (BigModel / Zhipu AI) exposes an OpenAI-compatible API at this endpoint.
* Can be overridden via the ZAI_BASE_URL environment variable.
*/
const DEFAULT_ZAI_BASE_URL = 'https://open.bigmodel.cn/api/paas/v4';
/**
* GLM-5 model identifier on the Z.ai platform.
*/
const GLM5_MODEL_ID = 'glm-5';
/**
* Z.ai (Zhipu AI / BigModel) provider adapter.
*
* Z.ai exposes an OpenAI-compatible REST API. This adapter uses the `openai`
* SDK with a custom base URL and the ZAI_API_KEY environment variable.
*
* Configuration:
* ZAI_API_KEY — required; Z.ai API key
* ZAI_BASE_URL — optional; override the default API base URL
*/
export class ZaiAdapter implements IProviderAdapter {
readonly name = 'zai';
private readonly logger = new Logger(ZaiAdapter.name);
private client: OpenAI | null = null;
private registeredModels: ModelInfo[] = [];
async register(): Promise<void> {
const apiKey = process.env['ZAI_API_KEY'];
if (!apiKey) {
this.logger.debug('Skipping Z.ai provider registration: ZAI_API_KEY not set');
return;
}
const baseURL = process.env['ZAI_BASE_URL'] ?? DEFAULT_ZAI_BASE_URL;
this.client = new OpenAI({ apiKey, baseURL });
this.registeredModels = this.buildModelList();
this.logger.log(`Z.ai provider registered with ${this.registeredModels.length} model(s)`);
}
listModels(): ModelInfo[] {
return this.registeredModels;
}
async healthCheck(): Promise<ProviderHealth> {
const apiKey = process.env['ZAI_API_KEY'];
if (!apiKey) {
return {
status: 'down',
lastChecked: new Date().toISOString(),
error: 'ZAI_API_KEY not configured',
};
}
const baseURL = process.env['ZAI_BASE_URL'] ?? DEFAULT_ZAI_BASE_URL;
const start = Date.now();
try {
const res = await fetch(`${baseURL}/models`, {
method: 'GET',
headers: {
Authorization: `Bearer ${apiKey}`,
Accept: 'application/json',
},
signal: AbortSignal.timeout(5000),
});
const latencyMs = Date.now() - start;
if (!res.ok) {
return {
status: 'degraded',
latencyMs,
lastChecked: new Date().toISOString(),
error: `HTTP ${res.status}`,
};
}
return { status: 'healthy', latencyMs, lastChecked: new Date().toISOString() };
} catch (err) {
const latencyMs = Date.now() - start;
const error = err instanceof Error ? err.message : String(err);
return { status: 'down', latencyMs, lastChecked: new Date().toISOString(), error };
}
}
/**
* Stream a completion through Z.ai's OpenAI-compatible API.
*/
async *createCompletion(params: CompletionParams): AsyncIterable<CompletionEvent> {
if (!this.client) {
throw new Error('ZaiAdapter is not initialized. Ensure ZAI_API_KEY is set.');
}
const stream = await this.client.chat.completions.create({
model: params.model,
messages: params.messages.map((m) => ({ role: m.role, content: m.content })),
temperature: params.temperature,
max_tokens: params.maxTokens,
stream: true,
});
let inputTokens = 0;
let outputTokens = 0;
for await (const chunk of stream) {
const choice = chunk.choices[0];
if (!choice) continue;
const delta = choice.delta;
if (delta.content) {
yield { type: 'text_delta', content: delta.content };
}
if (choice.finish_reason === 'stop') {
const usage = (chunk as { usage?: { prompt_tokens?: number; completion_tokens?: number } })
.usage;
if (usage) {
inputTokens = usage.prompt_tokens ?? 0;
outputTokens = usage.completion_tokens ?? 0;
}
}
}
yield {
type: 'done',
usage: { inputTokens, outputTokens },
};
}
// ---------------------------------------------------------------------------
// Private helpers
// ---------------------------------------------------------------------------
private buildModelList(): ModelInfo[] {
const capability = getModelCapability(GLM5_MODEL_ID);
if (!capability) {
this.logger.warn(`Model capability entry not found for '${GLM5_MODEL_ID}'; using defaults`);
return [
{
id: GLM5_MODEL_ID,
provider: 'zai',
name: 'GLM-5',
reasoning: false,
contextWindow: 128000,
maxTokens: 8192,
inputTypes: ['text'],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
},
];
}
return [
{
id: capability.id,
provider: 'zai',
name: capability.displayName,
reasoning: capability.capabilities.reasoning,
contextWindow: capability.contextWindow,
maxTokens: capability.maxOutputTokens,
inputTypes: capability.capabilities.vision ? ['text', 'image'] : ['text'],
cost: {
input: capability.costPer1kInput ?? 0,
output: capability.costPer1kOutput ?? 0,
cacheRead: 0,
cacheWrite: 0,
},
},
];
}
}

100
apps/gateway/src/agent/agent-config.dto.ts
View File

@@ -11,51 +11,6 @@ import {
const agentStatuses = ['idle', 'active', 'error', 'offline'] as const;
// ─── Agent Capability Declarations (M4-011) ───────────────────────────────────
/**
* Agent specialization capability fields.
* Stored inside the agent's `config` JSON as `capabilities`.
*/
export class AgentCapabilitiesDto {
/**
* Domains this agent specializes in, e.g. ['frontend', 'backend', 'devops'].
* Used by the routing engine to bias toward this agent for matching domains.
*/
@IsOptional()
@IsArray()
@IsString({ each: true })
domains?: string[];
/**
* Default model identifier for this agent.
* Influences routing when no explicit rule overrides the choice.
*/
@IsOptional()
@IsString()
@MaxLength(255)
preferredModel?: string;
/**
* Default provider for this agent.
* Influences routing when no explicit rule overrides the choice.
*/
@IsOptional()
@IsString()
@MaxLength(255)
preferredProvider?: string;
/**
* Tool categories this agent has access to, e.g. ['web-search', 'code-exec'].
*/
@IsOptional()
@IsArray()
@IsString({ each: true })
toolSets?: string[];
}
// ─── Create DTO ───────────────────────────────────────────────────────────────
export class CreateAgentConfigDto {
@IsString()
@MaxLength(255)
@@ -94,40 +49,11 @@ export class CreateAgentConfigDto {
@IsBoolean()
isSystem?: boolean;
/**
* General config blob. May include `capabilities` (AgentCapabilitiesDto)
* for agent specialization declarations (M4-011).
*/
@IsOptional()
@IsObject()
config?: Record<string, unknown>;
// ─── Capability shorthand fields (M4-011) ──────────────────────────────────
// These are convenience top-level fields that get merged into config.capabilities.
@IsOptional()
@IsArray()
@IsString({ each: true })
domains?: string[];
@IsOptional()
@IsString()
@MaxLength(255)
preferredModel?: string;
@IsOptional()
@IsString()
@MaxLength(255)
preferredProvider?: string;
@IsOptional()
@IsArray()
@IsString({ each: true })
toolSets?: string[];
}
// ─── Update DTO ───────────────────────────────────────────────────────────────
export class UpdateAgentConfigDto {
@IsOptional()
@IsString()
@@ -165,33 +91,7 @@ export class UpdateAgentConfigDto {
@IsArray()
skills?: string[] | null;
/**
* General config blob. May include `capabilities` (AgentCapabilitiesDto)
* for agent specialization declarations (M4-011).
*/
@IsOptional()
@IsObject()
config?: Record<string, unknown> | null;
// ─── Capability shorthand fields (M4-011) ──────────────────────────────────
@IsOptional()
@IsArray()
@IsString({ each: true })
domains?: string[] | null;
@IsOptional()
@IsString()
@MaxLength(255)
preferredModel?: string | null;
@IsOptional()
@IsString()
@MaxLength(255)
preferredProvider?: string | null;
@IsOptional()
@IsArray()
@IsString({ each: true })
toolSets?: string[] | null;
}

96
apps/gateway/src/agent/agent-configs.controller.ts
View File

@@ -13,59 +13,12 @@ import {
Post,
UseGuards,
} from '@nestjs/common';
import type { Brain } from '@mosaicstack/brain';
import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { CreateAgentConfigDto, UpdateAgentConfigDto } from './agent-config.dto.js';
// ─── M4-011 helpers ──────────────────────────────────────────────────────────
type CapabilityFields = {
domains?: string[] | null;
preferredModel?: string | null;
preferredProvider?: string | null;
toolSets?: string[] | null;
};
/** Extract capability shorthand fields from the DTO (undefined if none provided). */
function buildCapabilities(dto: CapabilityFields): Record<string, unknown> | undefined {
const hasAny =
dto.domains !== undefined ||
dto.preferredModel !== undefined ||
dto.preferredProvider !== undefined ||
dto.toolSets !== undefined;
if (!hasAny) return undefined;
const cap: Record<string, unknown> = {};
if (dto.domains !== undefined) cap['domains'] = dto.domains;
if (dto.preferredModel !== undefined) cap['preferredModel'] = dto.preferredModel;
if (dto.preferredProvider !== undefined) cap['preferredProvider'] = dto.preferredProvider;
if (dto.toolSets !== undefined) cap['toolSets'] = dto.toolSets;
return cap;
}
/** Merge capabilities into the config object, preserving other config keys. */
function mergeCapabilities(
existing: Record<string, unknown> | null | undefined,
capabilities: Record<string, unknown> | undefined,
): Record<string, unknown> | undefined {
if (capabilities === undefined && existing === undefined) return undefined;
if (capabilities === undefined) return existing ?? undefined;
const base = existing ?? {};
const existingCap =
typeof base['capabilities'] === 'object' && base['capabilities'] !== null
? (base['capabilities'] as Record<string, unknown>)
: {};
return {
...base,
capabilities: { ...existingCap, ...capabilities },
};
}
@Controller('api/agents')
@UseGuards(AuthGuard)
export class AgentConfigsController {
@@ -88,22 +41,10 @@ export class AgentConfigsController {
@Post()
async create(@Body() dto: CreateAgentConfigDto, @CurrentUser() user: { id: string }) {
// Merge capability shorthand fields into config.capabilities (M4-011)
const capabilities = buildCapabilities(dto);
const config = mergeCapabilities(dto.config, capabilities);
return this.brain.agents.create({
name: dto.name,
provider: dto.provider,
model: dto.model,
status: dto.status,
projectId: dto.projectId,
systemPrompt: dto.systemPrompt,
allowedTools: dto.allowedTools,
skills: dto.skills,
isSystem: false,
config,
...dto,
ownerId: user.id,
isSystem: false,
});
}
@@ -121,33 +62,7 @@ export class AgentConfigsController {
if (!agent.isSystem && agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
// Merge capability shorthand fields into config.capabilities (M4-011)
const capabilities = buildCapabilities(dto);
const baseConfig =
dto.config !== undefined
? dto.config
: (agent.config as Record<string, unknown> | null | undefined);
const config = mergeCapabilities(baseConfig ?? undefined, capabilities);
// Pass ownerId for user agents so the repo WHERE clause enforces ownership.
// For system agents (admin path) pass undefined so the WHERE matches only on id.
const ownerId = agent.isSystem ? undefined : user.id;
const updated = await this.brain.agents.update(
id,
{
name: dto.name,
provider: dto.provider,
model: dto.model,
status: dto.status,
projectId: dto.projectId,
systemPrompt: dto.systemPrompt,
allowedTools: dto.allowedTools,
skills: dto.skills,
config: capabilities !== undefined || dto.config !== undefined ? config : undefined,
},
ownerId,
);
const updated = await this.brain.agents.update(id, dto);
if (!updated) throw new NotFoundException('Agent not found');
return updated;
}
@@ -163,8 +78,7 @@ export class AgentConfigsController {
if (agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
// Pass ownerId so the repo WHERE clause enforces ownership at the DB level.
const deleted = await this.brain.agents.remove(id, user.id);
const deleted = await this.brain.agents.remove(id);
if (!deleted) throw new NotFoundException('Agent not found');
}
}

23
apps/gateway/src/agent/agent.module.ts
View File

@@ -1,14 +1,11 @@
import { Global, Module } from '@nestjs/common';
import { AgentService } from './agent.service.js';
import { ProviderService } from './provider.service.js';
import { ProviderCredentialsService } from './provider-credentials.service.js';
import { RoutingService } from './routing.service.js';
import { RoutingEngineService } from './routing/routing-engine.service.js';
import { SkillLoaderService } from './skill-loader.service.js';
import { ProvidersController } from './providers.controller.js';
import { SessionsController } from './sessions.controller.js';
import { AgentConfigsController } from './agent-configs.controller.js';
import { RoutingController } from './routing/routing.controller.js';
import { CoordModule } from '../coord/coord.module.js';
import { McpClientModule } from '../mcp-client/mcp-client.module.js';
import { SkillsModule } from '../skills/skills.module.js';
@@ -17,22 +14,8 @@ import { GCModule } from '../gc/gc.module.js';
@Global()
@Module({
imports: [CoordModule, McpClientModule, SkillsModule, GCModule],
providers: [
ProviderService,
ProviderCredentialsService,
RoutingService,
RoutingEngineService,
SkillLoaderService,
AgentService,
],
controllers: [ProvidersController, SessionsController, AgentConfigsController, RoutingController],
exports: [
AgentService,
ProviderService,
ProviderCredentialsService,
RoutingService,
RoutingEngineService,
SkillLoaderService,
],
providers: [ProviderService, RoutingService, SkillLoaderService, AgentService],
controllers: [ProvidersController, SessionsController, AgentConfigsController],
exports: [AgentService, ProviderService, RoutingService, SkillLoaderService],
})
export class AgentModule {}

243
apps/gateway/src/agent/agent.service.ts
View File

@@ -7,8 +7,8 @@ import {
type AgentSessionEvent,
type ToolDefinition,
} from '@mariozechner/pi-coding-agent';
import type { Brain } from '@mosaicstack/brain';
import type { Memory } from '@mosaicstack/memory';
import type { Brain } from '@mosaic/brain';
import type { Memory } from '@mosaic/memory';
import { BRAIN } from '../brain/brain.tokens.js';
import { MEMORY } from '../memory/memory.tokens.js';
import { EmbeddingService } from '../memory/embedding.service.js';
@@ -23,19 +23,11 @@ import { createFileTools } from './tools/file-tools.js';
import { createGitTools } from './tools/git-tools.js';
import { createShellTools } from './tools/shell-tools.js';
import { createWebTools } from './tools/web-tools.js';
import { createSearchTools } from './tools/search-tools.js';
import type { SessionInfoDto, SessionMetrics } from './session.dto.js';
import type { SessionInfoDto } from './session.dto.js';
import { SystemOverrideService } from '../preferences/system-override.service.js';
import { PreferencesService } from '../preferences/preferences.service.js';
import { SessionGCService } from '../gc/session-gc.service.js';
/** A single message from DB conversation history, used for context injection. */
export interface ConversationHistoryMessage {
role: 'user' | 'assistant' | 'system';
content: string;
createdAt: Date;
}
export interface AgentSessionOptions {
provider?: string;
modelId?: string;
@@ -68,12 +60,6 @@ export interface AgentSessionOptions {
agentConfigId?: string;
/** ID of the user who owns this session. Used for preferences and system override lookups. */
userId?: string;
/**
* Prior conversation messages to inject as context when resuming a session.
* These messages are formatted and prepended to the system prompt so the
* agent is aware of what was discussed in previous sessions.
*/
conversationHistory?: ConversationHistoryMessage[];
}
export interface AgentSession {
@@ -94,12 +80,6 @@ export interface AgentSession {
allowedTools: string[] | null;
/** User ID that owns this session, used for preference lookups. */
userId?: string;
/** Agent config ID applied to this session, if any (M5-001). */
agentConfigId?: string;
/** Human-readable agent name applied to this session, if any (M5-001). */
agentName?: string;
/** M5-007: per-session metrics. */
metrics: SessionMetrics;
}
@Injectable()
@@ -126,28 +106,22 @@ export class AgentService implements OnModuleDestroy {
) {}
/**
* Build the full set of custom tools scoped to the given sandbox directory and session user.
* Build the full set of custom tools scoped to the given sandbox directory.
* Brain/coord/memory/web tools are stateless with respect to cwd; file/git/shell
* tools receive the resolved sandboxDir so they operate within the sandbox.
* Memory tools are bound to sessionUserId so the LLM cannot access another user's data.
*/
private buildToolsForSandbox(
sandboxDir: string,
sessionUserId: string | undefined,
): ToolDefinition[] {
private buildToolsForSandbox(sandboxDir: string): ToolDefinition[] {
return [
...createBrainTools(this.brain),
...createCoordTools(this.coordService),
...createMemoryTools(
this.memory,
this.embeddingService.available ? this.embeddingService : null,
sessionUserId,
),
...createFileTools(sandboxDir),
...createGitTools(sandboxDir),
...createShellTools(sandboxDir),
...createWebTools(),
...createSearchTools(),
];
}
@@ -192,13 +166,11 @@ export class AgentService implements OnModuleDestroy {
sessionId: string,
options?: AgentSessionOptions,
): Promise<AgentSession> {
// Merge DB agent config when agentConfigId is provided (M5-001)
// Merge DB agent config when agentConfigId is provided
let mergedOptions = options;
let resolvedAgentName: string | undefined;
if (options?.agentConfigId) {
const agentConfig = await this.brain.agents.findById(options.agentConfigId);
if (agentConfig) {
resolvedAgentName = agentConfig.name;
mergedOptions = {
provider: options.provider ?? agentConfig.provider,
modelId: options.modelId ?? agentConfig.model,
@@ -207,8 +179,6 @@ export class AgentService implements OnModuleDestroy {
sandboxDir: options.sandboxDir,
isAdmin: options.isAdmin,
agentConfigId: options.agentConfigId,
userId: options.userId,
conversationHistory: options.conversationHistory,
};
this.logger.log(
`Merged agent config "${agentConfig.name}" (${agentConfig.id}) into session ${sessionId}`,
@@ -246,8 +216,8 @@ export class AgentService implements OnModuleDestroy {
);
}
// Build per-session tools scoped to the sandbox directory and authenticated user
const sandboxTools = this.buildToolsForSandbox(sandboxDir, mergedOptions?.userId);
// Build per-session tools scoped to the sandbox directory
const sandboxTools = this.buildToolsForSandbox(sandboxDir);
// Combine static tools with dynamically discovered MCP client tools and skill tools
const mcpTools = this.mcpClientService.getToolDefinitions();
@@ -269,20 +239,8 @@ export class AgentService implements OnModuleDestroy {
// Build system prompt: platform prompt + skill additions appended
const platformPrompt =
mergedOptions?.systemPrompt ?? process.env['AGENT_SYSTEM_PROMPT'] ?? undefined;
// Format conversation history for context injection (M1-004 / M1-005)
const historyPromptSection = mergedOptions?.conversationHistory?.length
? this.buildHistoryPromptSection(
mergedOptions.conversationHistory,
model?.contextWindow ?? 8192,
sessionId,
)
: undefined;
const appendParts: string[] = [];
if (promptAdditions.length > 0) appendParts.push(promptAdditions.join('\n\n'));
if (historyPromptSection) appendParts.push(historyPromptSection);
const appendSystemPrompt = appendParts.length > 0 ? appendParts.join('\n\n') : undefined;
const appendSystemPrompt =
promptAdditions.length > 0 ? promptAdditions.join('\n\n') : undefined;
// Construct a resource loader that injects the configured system prompt
const resourceLoader = new DefaultResourceLoader({
@@ -342,113 +300,14 @@ export class AgentService implements OnModuleDestroy {
sandboxDir,
allowedTools,
userId: mergedOptions?.userId,
agentConfigId: mergedOptions?.agentConfigId,
agentName: resolvedAgentName,
metrics: {
tokens: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
modelSwitches: 0,
messageCount: 0,
lastActivityAt: new Date().toISOString(),
},
};
this.sessions.set(sessionId, session);
this.logger.log(`Agent session ${sessionId} ready (${providerName}/${modelId})`);
if (resolvedAgentName) {
this.logger.log(
`Agent session ${sessionId} using agent config "${resolvedAgentName}" (M5-001)`,
);
}
return session;
}
/**
* Estimate token count for a string using a rough 4-chars-per-token heuristic.
*/
private estimateTokens(text: string): number {
return Math.ceil(text.length / 4);
}
/**
* Build a conversation history section for injection into the system prompt.
* Implements M1-004 (history loading) and M1-005 (context window management).
*
* - Formats messages as a readable conversation transcript.
* - If the full history exceeds 80% of the model's context window, older messages
* are summarized and only the most recent messages are kept verbatim.
* - Summarization is a simple extractive approach (no LLM required).
*/
private buildHistoryPromptSection(
history: ConversationHistoryMessage[],
contextWindow: number,
sessionId: string,
): string {
const TOKEN_BUDGET = Math.floor(contextWindow * 0.8);
const HISTORY_HEADER = '## Conversation History (resumed session)\n\n';
const formatMessage = (msg: ConversationHistoryMessage): string => {
const roleLabel =
msg.role === 'user' ? 'User' : msg.role === 'assistant' ? 'Assistant' : 'System';
return `**${roleLabel}:** ${msg.content}`;
};
const formatted = history.map((msg) => formatMessage(msg));
const fullHistory = formatted.join('\n\n');
const fullTokens = this.estimateTokens(HISTORY_HEADER + fullHistory);
if (fullTokens <= TOKEN_BUDGET) {
this.logger.debug(
`Session ${sessionId}: injecting full history (${history.length} msgs, ~${fullTokens} tokens)`,
);
return HISTORY_HEADER + fullHistory;
}
// History exceeds budget — summarize oldest messages, keep recent verbatim
this.logger.log(
`Session ${sessionId}: history (~${fullTokens} tokens) exceeds ${TOKEN_BUDGET} token budget; summarizing oldest messages`,
);
// Reserve 20% of the budget for the summary prefix, rest for verbatim messages
const SUMMARY_RESERVE = Math.floor(TOKEN_BUDGET * 0.2);
const verbatimBudget = TOKEN_BUDGET - SUMMARY_RESERVE;
let verbatimTokens = 0;
let verbatimCutIndex = history.length;
for (let i = history.length - 1; i >= 0; i--) {
const t = this.estimateTokens(formatted[i]!);
if (verbatimTokens + t > verbatimBudget) break;
verbatimTokens += t;
verbatimCutIndex = i;
}
const summarizedMessages = history.slice(0, verbatimCutIndex);
const verbatimMessages = history.slice(verbatimCutIndex);
let summaryText = '';
if (summarizedMessages.length > 0) {
const topics = summarizedMessages
.filter((m) => m.role === 'user')
.map((m) => m.content.slice(0, 120).replace(/\n/g, ' '))
.join('; ');
summaryText =
`**Previous conversation summary** (${summarizedMessages.length} messages omitted for brevity):\n` +
`Topics discussed: ${topics || '(no user messages in summarized portion)'}`;
}
const verbatimSection = verbatimMessages.map((m) => formatMessage(m)).join('\n\n');
const parts: string[] = [HISTORY_HEADER];
if (summaryText) parts.push(summaryText);
if (verbatimSection) parts.push(verbatimSection);
const result = parts.join('\n\n');
this.logger.log(
`Session ${sessionId}: summarized ${summarizedMessages.length} messages, kept ${verbatimMessages.length} verbatim (~${this.estimateTokens(result)} tokens)`,
);
return result;
}
private resolveModel(options?: AgentSessionOptions) {
if (!options?.provider && !options?.modelId) {
return this.providerService.getDefaultModel() ?? null;
@@ -483,12 +342,10 @@ export class AgentService implements OnModuleDestroy {
id: s.id,
provider: s.provider,
modelId: s.modelId,
...(s.agentName ? { agentName: s.agentName } : {}),
createdAt: new Date(s.createdAt).toISOString(),
promptCount: s.promptCount,
channels: Array.from(s.channels),
durationMs: now - s.createdAt,
metrics: { ...s.metrics },
}));
}
@@ -499,93 +356,13 @@ export class AgentService implements OnModuleDestroy {
id: s.id,
provider: s.provider,
modelId: s.modelId,
...(s.agentName ? { agentName: s.agentName } : {}),
createdAt: new Date(s.createdAt).toISOString(),
promptCount: s.promptCount,
channels: Array.from(s.channels),
durationMs: Date.now() - s.createdAt,
metrics: { ...s.metrics },
};
}
/**
* Record token usage for a session turn (M5-007).
* Accumulates tokens across the session lifetime.
*/
recordTokenUsage(
sessionId: string,
tokens: { input: number; output: number; cacheRead: number; cacheWrite: number; total: number },
): void {
const session = this.sessions.get(sessionId);
if (!session) return;
session.metrics.tokens.input += tokens.input;
session.metrics.tokens.output += tokens.output;
session.metrics.tokens.cacheRead += tokens.cacheRead;
session.metrics.tokens.cacheWrite += tokens.cacheWrite;
session.metrics.tokens.total += tokens.total;
session.metrics.lastActivityAt = new Date().toISOString();
}
/**
* Record a model switch event for a session (M5-007).
*/
recordModelSwitch(sessionId: string): void {
const session = this.sessions.get(sessionId);
if (!session) return;
session.metrics.modelSwitches += 1;
session.metrics.lastActivityAt = new Date().toISOString();
}
/**
* Increment message count for a session (M5-007).
*/
recordMessage(sessionId: string): void {
const session = this.sessions.get(sessionId);
if (!session) return;
session.metrics.messageCount += 1;
session.metrics.lastActivityAt = new Date().toISOString();
}
/**
* Update the model tracked on a live session (M5-002).
* This records the model change in the session metadata so subsequent
* session:info emissions reflect the new model. The Pi session itself is
* not reconstructed — the model is used on the next createSession call for
* the same conversationId when the session is torn down or a new one is created.
*/
updateSessionModel(sessionId: string, modelId: string): void {
const session = this.sessions.get(sessionId);
if (!session) return;
const prev = session.modelId;
session.modelId = modelId;
this.recordModelSwitch(sessionId);
this.logger.log(`Session ${sessionId}: model updated ${prev}${modelId} (M5-002)`);
}
/**
* Apply a new agent config to a live session mid-conversation (M5-003).
* Updates agentName, agentConfigId, and modelId on the session object.
* System prompt and tools take effect when the next session is created for
* this conversationId (they are baked in at session creation time).
*/
applyAgentConfig(
sessionId: string,
agentConfigId: string,
agentName: string,
modelId?: string,
): void {
const session = this.sessions.get(sessionId);
if (!session) return;
session.agentConfigId = agentConfigId;
session.agentName = agentName;
if (modelId) {
this.updateSessionModel(sessionId, modelId);
}
this.logger.log(
`Session ${sessionId}: agent switched to "${agentName}" (${agentConfigId}) (M5-003)`,
);
}
addChannel(sessionId: string, channel: string): void {
const session = this.sessions.get(sessionId);
if (session) {

204
apps/gateway/src/agent/model-capabilities.ts
View File

@@ -1,204 +0,0 @@
import type { ModelCapability } from '@mosaicstack/types';
/**
* Comprehensive capability matrix for all target models.
* Cost fields are optional and will be filled in when real pricing data is available.
*/
export const MODEL_CAPABILITIES: ModelCapability[] = [
{
id: 'claude-opus-4-6',
provider: 'anthropic',
displayName: 'Claude Opus 4.6',
tier: 'premium',
contextWindow: 200000,
maxOutputTokens: 32000,
capabilities: {
tools: true,
vision: true,
streaming: true,
reasoning: true,
embedding: false,
},
},
{
id: 'claude-sonnet-4-6',
provider: 'anthropic',
displayName: 'Claude Sonnet 4.6',
tier: 'standard',
contextWindow: 200000,
maxOutputTokens: 16000,
capabilities: {
tools: true,
vision: true,
streaming: true,
reasoning: true,
embedding: false,
},
},
{
id: 'claude-haiku-4-5',
provider: 'anthropic',
displayName: 'Claude Haiku 4.5',
tier: 'cheap',
contextWindow: 200000,
maxOutputTokens: 8192,
capabilities: {
tools: true,
vision: true,
streaming: true,
reasoning: false,
embedding: false,
},
},
{
id: 'codex-gpt-5.4',
provider: 'openai',
displayName: 'Codex gpt-5.4',
tier: 'premium',
contextWindow: 128000,
maxOutputTokens: 16384,
capabilities: {
tools: true,
vision: true,
streaming: true,
reasoning: true,
embedding: false,
},
},
{
id: 'glm-5',
provider: 'zai',
displayName: 'GLM-5',
tier: 'standard',
contextWindow: 128000,
maxOutputTokens: 8192,
capabilities: {
tools: true,
vision: false,
streaming: true,
reasoning: false,
embedding: false,
},
},
{
id: 'llama3.2',
provider: 'ollama',
displayName: 'llama3.2',
tier: 'local',
contextWindow: 128000,
maxOutputTokens: 8192,
capabilities: {
tools: true,
vision: false,
streaming: true,
reasoning: false,
embedding: false,
},
},
{
id: 'codellama',
provider: 'ollama',
displayName: 'codellama',
tier: 'local',
contextWindow: 16000,
maxOutputTokens: 4096,
capabilities: {
tools: true,
vision: false,
streaming: true,
reasoning: false,
embedding: false,
},
},
{
id: 'mistral',
provider: 'ollama',
displayName: 'mistral',
tier: 'local',
contextWindow: 32000,
maxOutputTokens: 8192,
capabilities: {
tools: true,
vision: false,
streaming: true,
reasoning: false,
embedding: false,
},
},
{
id: 'nomic-embed-text',
provider: 'ollama',
displayName: 'nomic-embed-text',
tier: 'local',
contextWindow: 8192,
maxOutputTokens: 0,
capabilities: {
tools: false,
vision: false,
streaming: false,
reasoning: false,
embedding: true,
},
},
{
id: 'mxbai-embed-large',
provider: 'ollama',
displayName: 'mxbai-embed-large',
tier: 'local',
contextWindow: 8192,
maxOutputTokens: 0,
capabilities: {
tools: false,
vision: false,
streaming: false,
reasoning: false,
embedding: true,
},
},
];
/**
* Look up a model by its ID.
* Returns undefined if the model is not found.
*/
export function getModelCapability(modelId: string): ModelCapability | undefined {
return MODEL_CAPABILITIES.find((m) => m.id === modelId);
}
/**
* Find models matching a partial capability filter.
* All provided filter keys must match for a model to be included.
*/
export function findModelsByCapability(
filter: Partial<Pick<ModelCapability, 'tier' | 'provider'>> & {
capabilities?: Partial<ModelCapability['capabilities']>;
},
): ModelCapability[] {
return MODEL_CAPABILITIES.filter((model) => {
if (filter.tier !== undefined && model.tier !== filter.tier) return false;
if (filter.provider !== undefined && model.provider !== filter.provider) return false;
if (filter.capabilities) {
for (const [key, value] of Object.entries(filter.capabilities) as [
keyof ModelCapability['capabilities'],
boolean,
][]) {
if (model.capabilities[key] !== value) return false;
}
}
return true;
});
}
/**
* Get all models for a specific provider.
*/
export function getModelsByProvider(provider: string): ModelCapability[] {
return MODEL_CAPABILITIES.filter((m) => m.provider === provider);
}
/**
* Get the full list of all known models.
*/
export function getAllModels(): ModelCapability[] {
return MODEL_CAPABILITIES;
}

23
apps/gateway/src/agent/provider-credentials.dto.ts
View File

@@ -1,23 +0,0 @@
/** DTO for storing a provider credential. */
export interface StoreCredentialDto {
/** Provider identifier (e.g., 'anthropic', 'openai', 'openrouter', 'zai') */
provider: string;
/** Credential type */
type: 'api_key' | 'oauth_token';
/** Plain-text credential value — will be encrypted before storage */
value: string;
/** Optional extra config (e.g., base URL overrides) */
metadata?: Record<string, unknown>;
}
/** DTO returned in list/existence responses — never contains decrypted values. */
export interface ProviderCredentialSummaryDto {
provider: string;
credentialType: 'api_key' | 'oauth_token';
/** Whether a credential is stored for this provider */
exists: boolean;
expiresAt?: string | null;
metadata?: Record<string, unknown> | null;
createdAt: string;
updatedAt: string;
}

123
apps/gateway/src/agent/provider-credentials.service.ts
View File

@@ -1,123 +0,0 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import { seal, unseal } from '@mosaicstack/auth';
import type { Db } from '@mosaicstack/db';
import { providerCredentials, eq, and } from '@mosaicstack/db';
import { DB } from '../database/database.module.js';
import type { ProviderCredentialSummaryDto } from './provider-credentials.dto.js';
@Injectable()
export class ProviderCredentialsService {
private readonly logger = new Logger(ProviderCredentialsService.name);
constructor(@Inject(DB) private readonly db: Db) {}
/**
* Encrypt and store (or update) a credential for the given user + provider.
* Uses an upsert pattern: one row per (userId, provider).
*/
async store(
userId: string,
provider: string,
type: 'api_key' | 'oauth_token',
value: string,
metadata?: Record<string, unknown>,
): Promise<void> {
const encryptedValue = seal(value);
await this.db
.insert(providerCredentials)
.values({
userId,
provider,
credentialType: type,
encryptedValue,
metadata: metadata ?? null,
})
.onConflictDoUpdate({
target: [providerCredentials.userId, providerCredentials.provider],
set: {
credentialType: type,
encryptedValue,
metadata: metadata ?? null,
updatedAt: new Date(),
},
});
this.logger.log(`Credential stored for user=${userId} provider=${provider}`);
}
/**
* Decrypt and return the plain-text credential value for the given user + provider.
* Returns null if no credential is stored.
*/
async retrieve(userId: string, provider: string): Promise<string | null> {
const rows = await this.db
.select()
.from(providerCredentials)
.where(
and(eq(providerCredentials.userId, userId), eq(providerCredentials.provider, provider)),
)
.limit(1);
if (rows.length === 0) return null;
const row = rows[0]!;
// Skip expired OAuth tokens
if (row.expiresAt && row.expiresAt < new Date()) {
this.logger.warn(`Credential for user=${userId} provider=${provider} has expired`);
return null;
}
try {
return unseal(row.encryptedValue);
} catch (err) {
this.logger.error(
`Failed to decrypt credential for user=${userId} provider=${provider}`,
err instanceof Error ? err.message : String(err),
);
return null;
}
}
/**
* Delete the stored credential for the given user + provider.
*/
async remove(userId: string, provider: string): Promise<void> {
await this.db
.delete(providerCredentials)
.where(
and(eq(providerCredentials.userId, userId), eq(providerCredentials.provider, provider)),
);
this.logger.log(`Credential removed for user=${userId} provider=${provider}`);
}
/**
* List all providers for which the user has stored credentials.
* Never returns decrypted values.
*/
async listProviders(userId: string): Promise<ProviderCredentialSummaryDto[]> {
const rows = await this.db
.select({
provider: providerCredentials.provider,
credentialType: providerCredentials.credentialType,
expiresAt: providerCredentials.expiresAt,
metadata: providerCredentials.metadata,
createdAt: providerCredentials.createdAt,
updatedAt: providerCredentials.updatedAt,
})
.from(providerCredentials)
.where(eq(providerCredentials.userId, userId));
return rows.map((row) => ({
provider: row.provider,
credentialType: row.credentialType,
exists: true,
expiresAt: row.expiresAt?.toISOString() ?? null,
metadata: row.metadata as Record<string, unknown> | null,
createdAt: row.createdAt.toISOString(),
updatedAt: row.updatedAt.toISOString(),
}));
}
}

303
apps/gateway/src/agent/provider.service.ts
View File

@@ -1,234 +1,25 @@
import {
Inject,
Injectable,
Logger,
Optional,
type OnModuleDestroy,
type OnModuleInit,
} from '@nestjs/common';
import { Injectable, Logger, type OnModuleInit } from '@nestjs/common';
import { ModelRegistry, AuthStorage } from '@mariozechner/pi-coding-agent';
import { getModel, type Model, type Api } from '@mariozechner/pi-ai';
import type {
CustomProviderConfig,
IProviderAdapter,
ModelInfo,
ProviderHealth,
ProviderInfo,
} from '@mosaicstack/types';
import {
AnthropicAdapter,
OllamaAdapter,
OpenAIAdapter,
OpenRouterAdapter,
ZaiAdapter,
} from './adapters/index.js';
import type { Model, Api } from '@mariozechner/pi-ai';
import type { ModelInfo, ProviderInfo, CustomProviderConfig } from '@mosaic/types';
import type { TestConnectionResultDto } from './provider.dto.js';
import { ProviderCredentialsService } from './provider-credentials.service.js';
/** Default health check interval in seconds */
const DEFAULT_HEALTH_INTERVAL_SECS = 60;
/** DI injection token for the provider adapter array. */
export const PROVIDER_ADAPTERS = Symbol('PROVIDER_ADAPTERS');
/** Environment variable names for well-known providers */
const PROVIDER_ENV_KEYS: Record<string, string> = {
anthropic: 'ANTHROPIC_API_KEY',
openai: 'OPENAI_API_KEY',
openrouter: 'OPENROUTER_API_KEY',
zai: 'ZAI_API_KEY',
};
@Injectable()
export class ProviderService implements OnModuleInit, OnModuleDestroy {
export class ProviderService implements OnModuleInit {
private readonly logger = new Logger(ProviderService.name);
private registry!: ModelRegistry;
constructor(
@Optional()
@Inject(ProviderCredentialsService)
private readonly credentialsService: ProviderCredentialsService | null,
) {}
/**
* Adapters registered with this service.
* Built-in adapters (Ollama) are always present; additional adapters can be
* supplied via the PROVIDER_ADAPTERS injection token in the future.
*/
private adapters: IProviderAdapter[] = [];
/**
* Cached health status per provider, updated by the health check scheduler.
*/
private healthCache: Map<string, ProviderHealth & { modelCount: number }> = new Map();
/** Timer handle for the periodic health check scheduler */
private healthCheckTimer: ReturnType<typeof setInterval> | null = null;
async onModuleInit(): Promise<void> {
onModuleInit(): void {
const authStorage = AuthStorage.inMemory();
this.registry = ModelRegistry.inMemory(authStorage);
this.registry = new ModelRegistry(authStorage);
// Build the default set of adapters that rely on the registry
this.adapters = [
new OllamaAdapter(this.registry),
new AnthropicAdapter(this.registry),
new OpenAIAdapter(this.registry),
new OpenRouterAdapter(),
new ZaiAdapter(),
];
// Run all adapter registrations first (Ollama, Anthropic, OpenAI, OpenRouter, Z.ai)
await this.registerAll();
// Register API-key providers directly (custom)
this.registerOllamaProvider();
this.registerCustomProviders();
const available = this.registry.getAvailable();
this.logger.log(`Providers initialized: ${available.length} models available`);
// Kick off the health check scheduler
this.startHealthCheckScheduler();
}
onModuleDestroy(): void {
if (this.healthCheckTimer !== null) {
clearInterval(this.healthCheckTimer);
this.healthCheckTimer = null;
}
}
// ---------------------------------------------------------------------------
// Health check scheduler
// ---------------------------------------------------------------------------
/**
* Start periodic health checks on all adapters.
* Interval is configurable via PROVIDER_HEALTH_INTERVAL env (seconds, default 60).
*/
private startHealthCheckScheduler(): void {
const intervalSecs =
parseInt(process.env['PROVIDER_HEALTH_INTERVAL'] ?? '', 10) || DEFAULT_HEALTH_INTERVAL_SECS;
const intervalMs = intervalSecs * 1000;
// Run an initial check immediately (non-blocking)
void this.runScheduledHealthChecks();
this.healthCheckTimer = setInterval(() => {
void this.runScheduledHealthChecks();
}, intervalMs);
this.logger.log(`Provider health check scheduler started (interval: ${intervalSecs}s)`);
}
private async runScheduledHealthChecks(): Promise<void> {
for (const adapter of this.adapters) {
try {
const health = await adapter.healthCheck();
const modelCount = adapter.listModels().length;
this.healthCache.set(adapter.name, { ...health, modelCount });
this.logger.debug(
`Health check [${adapter.name}]: ${health.status} (${health.latencyMs ?? 'n/a'}ms)`,
);
} catch (err) {
const modelCount = adapter.listModels().length;
this.healthCache.set(adapter.name, {
status: 'down',
lastChecked: new Date().toISOString(),
error: err instanceof Error ? err.message : String(err),
modelCount,
});
}
}
}
/**
* Return the cached health status for all adapters.
* Format: array of { name, status, latencyMs, lastChecked, modelCount }
*/
getProvidersHealth(): Array<{
name: string;
status: string;
latencyMs?: number;
lastChecked: string;
modelCount: number;
error?: string;
}> {
return this.adapters.map((adapter) => {
const cached = this.healthCache.get(adapter.name);
if (cached) {
return {
name: adapter.name,
status: cached.status,
latencyMs: cached.latencyMs,
lastChecked: cached.lastChecked,
modelCount: cached.modelCount,
error: cached.error,
};
}
// Not yet checked — return a pending placeholder
return {
name: adapter.name,
status: 'unknown',
lastChecked: new Date().toISOString(),
modelCount: adapter.listModels().length,
};
});
}
// ---------------------------------------------------------------------------
// Adapter-pattern API
// ---------------------------------------------------------------------------
/**
* Call register() on each adapter in order.
* Errors from individual adapters are logged and do not abort the others.
*/
async registerAll(): Promise<void> {
for (const adapter of this.adapters) {
try {
await adapter.register();
} catch (err) {
this.logger.error(
`Adapter "${adapter.name}" registration failed`,
err instanceof Error ? err.stack : String(err),
);
}
}
}
/**
* Return the adapter registered under the given provider name, or undefined.
*/
getAdapter(providerName: string): IProviderAdapter | undefined {
return this.adapters.find((a) => a.name === providerName);
}
/**
* Run healthCheck() on all adapters and return results keyed by provider name.
*/
async healthCheckAll(): Promise<Record<string, ProviderHealth>> {
const results: Record<string, ProviderHealth> = {};
await Promise.all(
this.adapters.map(async (adapter) => {
try {
results[adapter.name] = await adapter.healthCheck();
} catch (err) {
results[adapter.name] = {
status: 'down',
lastChecked: new Date().toISOString(),
error: err instanceof Error ? err.message : String(err),
};
}
}),
);
return results;
}
// ---------------------------------------------------------------------------
// Legacy / Pi-SDK-facing API (preserved for AgentService and RoutingService)
// ---------------------------------------------------------------------------
getRegistry(): ModelRegistry {
return this.registry;
}
@@ -275,18 +66,6 @@ export class ProviderService implements OnModuleInit, OnModuleDestroy {
}
async testConnection(providerId: string, baseUrl?: string): Promise<TestConnectionResultDto> {
// Delegate to the adapter when one exists and no URL override is given
const adapter = this.getAdapter(providerId);
if (adapter && !baseUrl) {
const health = await adapter.healthCheck();
return {
providerId,
reachable: health.status !== 'down',
latencyMs: health.latencyMs,
error: health.error,
};
}
// Resolve baseUrl: explicit override > registered provider > ollama env
let resolvedUrl = baseUrl;
@@ -361,9 +140,35 @@ export class ProviderService implements OnModuleInit, OnModuleDestroy {
this.logger.log(`Registered custom provider: ${config.id} (${config.models.length} models)`);
}
// ---------------------------------------------------------------------------
// Private helpers
// ---------------------------------------------------------------------------
private registerOllamaProvider(): void {
const ollamaUrl = process.env['OLLAMA_BASE_URL'] ?? process.env['OLLAMA_HOST'];
if (!ollamaUrl) return;
const modelsEnv = process.env['OLLAMA_MODELS'] ?? 'llama3.2,codellama,mistral';
const modelIds = modelsEnv
.split(',')
.map((modelId: string) => modelId.trim())
.filter(Boolean);
this.registry.registerProvider('ollama', {
baseUrl: `${ollamaUrl}/v1`,
apiKey: 'ollama',
api: 'openai-completions' as never,
models: modelIds.map((id) => ({
id,
name: id,
reasoning: false,
input: ['text'] as ('text' | 'image')[],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
contextWindow: 8192,
maxTokens: 4096,
})),
});
this.logger.log(
`Ollama provider registered at ${ollamaUrl} with models: ${modelIds.join(', ')}`,
);
}
private registerCustomProviders(): void {
const customJson = process.env['MOSAIC_CUSTOM_PROVIDERS'];
@@ -379,42 +184,6 @@ export class ProviderService implements OnModuleInit, OnModuleDestroy {
}
}
/**
* Resolve an API key for a provider, scoped to a specific user.
* User-stored credentials take precedence over environment variables.
* Returns null if no key is available from either source.
*/
async resolveApiKey(userId: string, provider: string): Promise<string | null> {
if (this.credentialsService) {
const userKey = await this.credentialsService.retrieve(userId, provider);
if (userKey) {
this.logger.debug(`Using user-scoped credential for user=${userId} provider=${provider}`);
return userKey;
}
}
// Fall back to environment variable
const envVar = PROVIDER_ENV_KEYS[provider];
const envKey = envVar ? (process.env[envVar] ?? null) : null;
if (envKey) {
this.logger.debug(`Using env-var credential for provider=${provider}`);
}
return envKey;
}
private cloneBuiltInModel(
provider: string,
modelId: string,
overrides: Partial<Model<Api>> = {},
): Model<Api> {
const model = getModel(provider as never, modelId as never) as Model<Api> | undefined;
if (!model) {
throw new Error(`Built-in model not found: ${provider}:${modelId}`);
}
return { ...model, ...overrides };
}
private toModelInfo(model: Model<Api>): ModelInfo {
return {
id: model.id,

62
apps/gateway/src/agent/providers.controller.ts
View File

@@ -1,23 +1,15 @@
import { Body, Controller, Delete, Get, Inject, Param, Post, UseGuards } from '@nestjs/common';
import type { RoutingCriteria } from '@mosaicstack/types';
import { Body, Controller, Get, Inject, Post, UseGuards } from '@nestjs/common';
import type { RoutingCriteria } from '@mosaic/types';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { ProviderService } from './provider.service.js';
import { ProviderCredentialsService } from './provider-credentials.service.js';
import { RoutingService } from './routing.service.js';
import type { TestConnectionDto, TestConnectionResultDto } from './provider.dto.js';
import type {
StoreCredentialDto,
ProviderCredentialSummaryDto,
} from './provider-credentials.dto.js';
@Controller('api/providers')
@UseGuards(AuthGuard)
export class ProvidersController {
constructor(
@Inject(ProviderService) private readonly providerService: ProviderService,
@Inject(ProviderCredentialsService)
private readonly credentialsService: ProviderCredentialsService,
@Inject(RoutingService) private readonly routingService: RoutingService,
) {}
@@ -31,11 +23,6 @@ export class ProvidersController {
return this.providerService.listAvailableModels();
}
@Get('health')
health() {
return { providers: this.providerService.getProvidersHealth() };
}
@Post('test')
testConnection(@Body() body: TestConnectionDto): Promise<TestConnectionResultDto> {
return this.providerService.testConnection(body.providerId, body.baseUrl);
@@ -50,49 +37,4 @@ export class ProvidersController {
rank(@Body() criteria: RoutingCriteria) {
return this.routingService.rank(criteria);
}
// ── Credential CRUD ──────────────────────────────────────────────────────
/**
* GET /api/providers/credentials
* List all provider credentials for the authenticated user.
* Returns provider names, types, and metadata — never decrypted values.
*/
@Get('credentials')
listCredentials(@CurrentUser() user: { id: string }): Promise<ProviderCredentialSummaryDto[]> {
return this.credentialsService.listProviders(user.id);
}
/**
* POST /api/providers/credentials
* Store or update a provider credential for the authenticated user.
* The value is encrypted before storage and never returned.
*/
@Post('credentials')
async storeCredential(
@CurrentUser() user: { id: string },
@Body() body: StoreCredentialDto,
): Promise<{ success: boolean; provider: string }> {
await this.credentialsService.store(
user.id,
body.provider,
body.type,
body.value,
body.metadata,
);
return { success: true, provider: body.provider };
}
/**
* DELETE /api/providers/credentials/:provider
* Remove a stored credential for the authenticated user.
*/
@Delete('credentials/:provider')
async removeCredential(
@CurrentUser() user: { id: string },
@Param('provider') provider: string,
): Promise<{ success: boolean; provider: string }> {
await this.credentialsService.remove(user.id, provider);
return { success: true, provider };
}
}

6
apps/gateway/src/agent/routing.service.ts
View File

@@ -1,6 +1,6 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import type { ModelInfo } from '@mosaicstack/types';
import type { RoutingCriteria, RoutingResult, CostTier } from '@mosaicstack/types';
import type { ModelInfo } from '@mosaic/types';
import type { RoutingCriteria, RoutingResult, CostTier } from '@mosaic/types';
import { ProviderService } from './provider.service.js';
/** Per-million-token cost thresholds for tier classification */
@@ -8,8 +8,6 @@ const COST_TIER_THRESHOLDS: Record<CostTier, { maxInput: number }> = {
cheap: { maxInput: 1 },
standard: { maxInput: 10 },
premium: { maxInput: Infinity },
// local = self-hosted; treat as cheapest tier for cost scoring purposes
local: { maxInput: 0 },
};
@Injectable()

138
apps/gateway/src/agent/routing/default-rules.ts
View File

@@ -1,138 +0,0 @@
import { Inject, Injectable, Logger, type OnModuleInit } from '@nestjs/common';
import { routingRules, type Db, sql } from '@mosaicstack/db';
import { DB } from '../../database/database.module.js';
import type { RoutingCondition, RoutingAction } from './routing.types.js';
/** Seed-time routing rule descriptor */
interface RoutingRuleSeed {
name: string;
priority: number;
conditions: RoutingCondition[];
action: RoutingAction;
}
export const DEFAULT_ROUTING_RULES: RoutingRuleSeed[] = [
{
name: 'Complex coding → Opus',
priority: 1,
conditions: [
{ field: 'taskType', operator: 'eq', value: 'coding' },
{ field: 'complexity', operator: 'eq', value: 'complex' },
],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
},
{
name: 'Moderate coding → Sonnet',
priority: 2,
conditions: [
{ field: 'taskType', operator: 'eq', value: 'coding' },
{ field: 'complexity', operator: 'eq', value: 'moderate' },
],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
},
{
name: 'Simple coding → Codex',
priority: 3,
conditions: [
{ field: 'taskType', operator: 'eq', value: 'coding' },
{ field: 'complexity', operator: 'eq', value: 'simple' },
],
action: { provider: 'openai', model: 'codex-gpt-5-4' },
},
{
name: 'Research → Codex',
priority: 4,
conditions: [{ field: 'taskType', operator: 'eq', value: 'research' }],
action: { provider: 'openai', model: 'codex-gpt-5-4' },
},
{
name: 'Summarization → GLM-5',
priority: 5,
conditions: [{ field: 'taskType', operator: 'eq', value: 'summarization' }],
action: { provider: 'zai', model: 'glm-5' },
},
{
name: 'Analysis with reasoning → Opus',
priority: 6,
conditions: [
{ field: 'taskType', operator: 'eq', value: 'analysis' },
{ field: 'requiredCapabilities', operator: 'includes', value: 'reasoning' },
],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
},
{
name: 'Conversation → Sonnet',
priority: 7,
conditions: [{ field: 'taskType', operator: 'eq', value: 'conversation' }],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
},
{
name: 'Creative → Sonnet',
priority: 8,
conditions: [{ field: 'taskType', operator: 'eq', value: 'creative' }],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
},
{
name: 'Cheap/general → Haiku',
priority: 9,
conditions: [{ field: 'costTier', operator: 'eq', value: 'cheap' }],
action: { provider: 'anthropic', model: 'claude-haiku-4-5' },
},
{
name: 'Fallback → Sonnet',
priority: 10,
conditions: [],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
},
{
name: 'Offline → Ollama',
priority: 99,
conditions: [{ field: 'costTier', operator: 'eq', value: 'local' }],
action: { provider: 'ollama', model: 'llama3.2' },
},
];
@Injectable()
export class DefaultRoutingRulesSeed implements OnModuleInit {
private readonly logger = new Logger(DefaultRoutingRulesSeed.name);
constructor(@Inject(DB) private readonly db: Db) {}
async onModuleInit(): Promise<void> {
await this.seedDefaultRules();
}
/**
* Insert default routing rules into the database if the table is empty.
* Skips seeding if any system-scoped rules already exist.
*/
async seedDefaultRules(): Promise<void> {
const rows = await this.db
.select({ count: sql<number>`count(*)::int` })
.from(routingRules)
.where(sql`scope = 'system'`);
const count = rows[0]?.count ?? 0;
if (count > 0) {
this.logger.debug(
`Skipping default routing rules seed — ${count} system rule(s) already exist`,
);
return;
}
this.logger.log(`Seeding ${DEFAULT_ROUTING_RULES.length} default routing rules`);
await this.db.insert(routingRules).values(
DEFAULT_ROUTING_RULES.map((rule) => ({
name: rule.name,
priority: rule.priority,
scope: 'system' as const,
conditions: rule.conditions as unknown as Record<string, unknown>[],
action: rule.action as unknown as Record<string, unknown>,
enabled: true,
})),
);
this.logger.log('Default routing rules seeded successfully');
}
}

260
apps/gateway/src/agent/routing/routing-e2e.test.ts
View File

@@ -1,260 +0,0 @@
/**
* M4-013: Routing end-to-end integration tests.
*
* These tests exercise the full pipeline:
* classifyTask (task-classifier) → matchConditions (routing-engine) → RoutingDecision
*
* All tests use a mocked DB (rule store) and mocked ProviderService (health map)
* to avoid real I/O — they verify the complete classify → match → decide path.
*/
import { describe, it, expect, vi } from 'vitest';
import { RoutingEngineService } from './routing-engine.service.js';
import { DEFAULT_ROUTING_RULES } from '../routing/default-rules.js';
import type { RoutingRule } from './routing.types.js';
// ─── Test helpers ─────────────────────────────────────────────────────────────
/** Build a RoutingEngineService backed by the given rule set and health map. */
function makeService(
rules: RoutingRule[],
healthMap: Record<string, { status: string }>,
): RoutingEngineService {
const mockDb = {
select: vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
orderBy: vi.fn().mockResolvedValue(
rules.map((r) => ({
id: r.id,
name: r.name,
priority: r.priority,
scope: r.scope,
userId: r.userId ?? null,
conditions: r.conditions,
action: r.action,
enabled: r.enabled,
createdAt: new Date(),
updatedAt: new Date(),
})),
),
}),
}),
}),
};
const mockProviderService = {
healthCheckAll: vi.fn().mockResolvedValue(healthMap),
};
return new (RoutingEngineService as unknown as new (
db: unknown,
ps: unknown,
) => RoutingEngineService)(mockDb, mockProviderService);
}
/**
* Convert DEFAULT_ROUTING_RULES (seed format, no id) to RoutingRule objects
* so we can use them in tests.
*/
function defaultRules(): RoutingRule[] {
return DEFAULT_ROUTING_RULES.map((r, i) => ({
id: `rule-${i + 1}`,
scope: 'system' as const,
userId: undefined,
enabled: true,
...r,
}));
}
/** A health map where anthropic, openai, and zai are all healthy. */
const allHealthy: Record<string, { status: string }> = {
anthropic: { status: 'up' },
openai: { status: 'up' },
zai: { status: 'up' },
ollama: { status: 'up' },
};
// ─── M4-013 E2E tests ─────────────────────────────────────────────────────────
describe('M4-013: routing end-to-end pipeline', () => {
// Test 1: coding message → should route to Opus (complex coding rule)
it('coding message routes to Opus via task classifier + routing rules', async () => {
// Use a message that classifies as coding + complex
// "architecture" triggers complex; "implement" triggers coding
const message =
'Implement an architecture for a multi-tenant system with database isolation and role-based access control. The system needs to support multiple organizations.';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
// Classifier should detect: taskType=coding, complexity=complex
// That matches "Complex coding → Opus" rule at priority 1
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-opus-4-6');
expect(decision.ruleName).toBe('Complex coding → Opus');
});
// Test 2: "Summarize this" → routes to GLM-5
it('"Summarize this" routes to GLM-5 via summarization rule', async () => {
const message = 'Summarize this document for me please';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
// Classifier should detect: taskType=summarization
// Matches "Summarization → GLM-5" rule (priority 5)
expect(decision.provider).toBe('zai');
expect(decision.model).toBe('glm-5');
expect(decision.ruleName).toBe('Summarization → GLM-5');
});
// Test 3: simple question → routes to cheap tier (Haiku)
// Note: the "Cheap/general → Haiku" rule uses costTier=cheap condition.
// Since costTier is not part of TaskClassification (it's a request-level field),
// it won't auto-match. Instead we test that a simple conversation falls through
// to the "Conversation → Sonnet" rule — which IS the cheap-tier routing path
// for simple conversational questions.
// We also verify that routing using a user-scoped cheap-tier rule overrides correctly.
it('simple conversational question routes to Sonnet (conversation rule)', async () => {
const message = 'What time is it?';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
// Classifier: taskType=conversation (no strong signals), complexity=simple
// Matches "Conversation → Sonnet" rule (priority 7)
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-sonnet-4-6');
expect(decision.ruleName).toBe('Conversation → Sonnet');
});
// Test 3b: explicit cheap-tier rule via user-scoped override
it('cheap-tier rule routes to Haiku when costTier=cheap condition matches', async () => {
// Build a cheap-tier user rule that has a conversation condition overlapping
// with what we send, but give it lower priority so we can test explicitly
const cheapRule: RoutingRule = {
id: 'cheap-rule-1',
name: 'Cheap/general → Haiku',
priority: 1,
scope: 'system',
enabled: true,
// This rule matches any simple conversation when costTier is set by the resolver.
// We test the rule condition matching directly here:
conditions: [{ field: 'taskType', operator: 'eq', value: 'conversation' }],
action: { provider: 'anthropic', model: 'claude-haiku-4-5' },
};
const service = makeService([cheapRule], allHealthy);
const decision = await service.resolve('Hello, how are you doing today?');
// Simple greeting → conversation → matches cheapRule → Haiku
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-haiku-4-5');
expect(decision.ruleName).toBe('Cheap/general → Haiku');
});
// Test 4: /model override bypasses routing
// This test verifies that when a model override is set (stored in chatGateway.modelOverrides),
// the routing engine is NOT called. We simulate this by verifying that the routing engine
// service is not consulted when the override path is taken.
it('/model override bypasses routing engine (no classify → route call)', async () => {
// Build a service that would route to Opus for a coding message
const mockHealthCheckAll = vi.fn().mockResolvedValue(allHealthy);
const mockSelect = vi.fn();
const mockDb = {
select: mockSelect.mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
orderBy: vi.fn().mockResolvedValue(defaultRules()),
}),
}),
}),
};
const mockProviderService = { healthCheckAll: mockHealthCheckAll };
const service = new (RoutingEngineService as unknown as new (
db: unknown,
ps: unknown,
) => RoutingEngineService)(mockDb, mockProviderService);
// Simulate the ChatGateway model-override logic:
// When a /model override exists, the gateway skips calling routingEngine.resolve().
// We verify this by checking that if we do NOT call resolve(), the DB is never queried.
// (This is the same guarantee the ChatGateway code provides.)
expect(mockSelect).not.toHaveBeenCalled();
expect(mockHealthCheckAll).not.toHaveBeenCalled();
// Now if we DO call resolve (no override), it hits the DB and health check
await service.resolve('implement a function');
expect(mockSelect).toHaveBeenCalled();
expect(mockHealthCheckAll).toHaveBeenCalled();
});
// Test 5: full pipeline classification accuracy — "Summarize this" message
it('full pipeline: classify → match rules → summarization decision', async () => {
const message = 'Can you give me a brief summary of the last meeting notes?';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
// "brief" keyword → summarization; "brief" is < 100 chars... check length
// message length is ~68 chars → simple complexity but summarization type wins
expect(decision.ruleName).toBe('Summarization → GLM-5');
expect(decision.provider).toBe('zai');
expect(decision.model).toBe('glm-5');
expect(decision.reason).toContain('Summarization → GLM-5');
});
// Test 6: pipeline with unhealthy provider — falls through to fallback
it('when all matched rule providers are unhealthy, falls through to openai fallback', async () => {
// The message classifies as: taskType=coding, complexity=moderate (implement + no architecture keyword,
// moderate length ~60 chars → simple threshold is < 100 → actually simple since it is < 100 chars)
// Let's use a simple coding message to target Simple coding → Codex (openai)
const message = 'implement a sort function';
const unhealthyHealth = {
anthropic: { status: 'down' },
openai: { status: 'up' },
zai: { status: 'up' },
ollama: { status: 'down' },
};
const service = makeService(defaultRules(), unhealthyHealth);
const decision = await service.resolve(message);
// "implement" → coding; 26 chars → simple; so: coding+simple → "Simple coding → Codex" (openai)
// openai is up → should match
expect(decision.provider).toBe('openai');
expect(decision.model).toBe('codex-gpt-5-4');
});
// Test 7: research message routing
it('research message routes to Codex via research rule', async () => {
const message = 'Research the best approaches for distributed caching systems';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
// "research" keyword → taskType=research → "Research → Codex" rule (priority 4)
expect(decision.ruleName).toBe('Research → Codex');
expect(decision.provider).toBe('openai');
expect(decision.model).toBe('codex-gpt-5-4');
});
// Test 8: full pipeline integrity — decision includes all required fields
it('routing decision includes provider, model, ruleName, and reason', async () => {
const message = 'implement a new feature';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
expect(decision).toHaveProperty('provider');
expect(decision).toHaveProperty('model');
expect(decision).toHaveProperty('ruleName');
expect(decision).toHaveProperty('reason');
expect(typeof decision.provider).toBe('string');
expect(typeof decision.model).toBe('string');
expect(typeof decision.ruleName).toBe('string');
expect(typeof decision.reason).toBe('string');
});
});

216
apps/gateway/src/agent/routing/routing-engine.service.ts
View File

@@ -1,216 +0,0 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import { routingRules, type Db, and, asc, eq, or } from '@mosaicstack/db';
import { DB } from '../../database/database.module.js';
import { ProviderService } from '../provider.service.js';
import { classifyTask } from './task-classifier.js';
import type {
RoutingCondition,
RoutingRule,
RoutingDecision,
TaskClassification,
} from './routing.types.js';
// ─── Injection tokens ────────────────────────────────────────────────────────
export const PROVIDER_SERVICE = Symbol('ProviderService');
// ─── Fallback chain ──────────────────────────────────────────────────────────
/**
* Ordered fallback providers tried when no rule matches or all matched
* providers are unhealthy.
*/
const FALLBACK_CHAIN: Array<{ provider: string; model: string }> = [
{ provider: 'anthropic', model: 'claude-sonnet-4-6' },
{ provider: 'anthropic', model: 'claude-haiku-4-5' },
{ provider: 'ollama', model: 'llama3.2' },
];
// ─── Service ─────────────────────────────────────────────────────────────────
@Injectable()
export class RoutingEngineService {
private readonly logger = new Logger(RoutingEngineService.name);
constructor(
@Inject(DB) private readonly db: Db,
@Inject(ProviderService) private readonly providerService: ProviderService,
) {}
/**
* Classify the message, evaluate routing rules in priority order, and return
* the best routing decision.
*
* @param message - Raw user message text used for classification.
* @param userId - Optional user ID for loading user-scoped rules.
* @param availableProviders - Optional pre-fetched provider health map to
* avoid redundant health checks inside tight loops.
*/
async resolve(
message: string,
userId?: string,
availableProviders?: Record<string, { status: string }>,
): Promise<RoutingDecision> {
const classification = classifyTask(message);
this.logger.debug(
`Classification: taskType=${classification.taskType} complexity=${classification.complexity} domain=${classification.domain}`,
);
// Load health data once (re-use caller-supplied map if provided)
const health = availableProviders ?? (await this.providerService.healthCheckAll());
// Load all applicable rules ordered by priority
const rules = await this.loadRules(userId);
// Evaluate rules in priority order
for (const rule of rules) {
if (!rule.enabled) continue;
if (!this.matchConditions(rule, classification)) continue;
const providerStatus = health[rule.action.provider]?.status;
const isHealthy = providerStatus === 'up' || providerStatus === 'ok';
if (!isHealthy) {
this.logger.debug(
`Rule "${rule.name}" matched but provider "${rule.action.provider}" is unhealthy (status: ${providerStatus ?? 'unknown'})`,
);
continue;
}
this.logger.debug(
`Rule matched: "${rule.name}" → ${rule.action.provider}/${rule.action.model}`,
);
return {
provider: rule.action.provider,
model: rule.action.model,
agentConfigId: rule.action.agentConfigId,
ruleName: rule.name,
reason: `Matched routing rule "${rule.name}"`,
};
}
// No rule matched (or all matched providers were unhealthy) — apply fallback chain
this.logger.debug('No rule matched; applying fallback chain');
return this.applyFallbackChain(health);
}
/**
* Check whether all conditions of a rule match the given task classification.
* An empty conditions array always matches (catch-all / fallback rule).
*/
matchConditions(
rule: Pick<RoutingRule, 'conditions'>,
classification: TaskClassification,
): boolean {
if (rule.conditions.length === 0) return true;
return rule.conditions.every((condition) => this.evaluateCondition(condition, classification));
}
// ─── Private helpers ───────────────────────────────────────────────────────
private evaluateCondition(
condition: RoutingCondition,
classification: TaskClassification,
): boolean {
// `costTier` is a valid condition field but is not part of TaskClassification
// (it is supplied via userOverrides / request context). Treat unknown fields as
// undefined so conditions referencing them simply do not match.
const fieldValue = (classification as unknown as Record<string, unknown>)[condition.field];
switch (condition.operator) {
case 'eq': {
// Scalar equality: field value must equal condition value (string)
if (typeof condition.value !== 'string') return false;
return fieldValue === condition.value;
}
case 'in': {
// Set membership: condition value (array) contains field value
if (!Array.isArray(condition.value)) return false;
return condition.value.includes(fieldValue as string);
}
case 'includes': {
// Array containment: field value (array) includes condition value (string)
if (!Array.isArray(fieldValue)) return false;
if (typeof condition.value !== 'string') return false;
return (fieldValue as string[]).includes(condition.value);
}
default:
return false;
}
}
/**
* Load routing rules from the database.
* System rules + user-scoped rules (when userId is provided) are returned,
* ordered by priority ascending.
*/
private async loadRules(userId?: string): Promise<RoutingRule[]> {
const whereClause = userId
? or(
eq(routingRules.scope, 'system'),
and(eq(routingRules.scope, 'user'), eq(routingRules.userId, userId)),
)
: eq(routingRules.scope, 'system');
const rows = await this.db
.select()
.from(routingRules)
.where(whereClause)
.orderBy(asc(routingRules.priority));
return rows.map((row) => ({
id: row.id,
name: row.name,
priority: row.priority,
scope: row.scope as 'system' | 'user',
userId: row.userId ?? undefined,
conditions: (row.conditions as unknown as RoutingCondition[]) ?? [],
action: row.action as unknown as {
provider: string;
model: string;
agentConfigId?: string;
systemPromptOverride?: string;
toolAllowlist?: string[];
},
enabled: row.enabled,
}));
}
/**
* Walk the fallback chain and return the first healthy provider/model pair.
* If none are healthy, return the first entry unconditionally (last resort).
*/
private applyFallbackChain(health: Record<string, { status: string }>): RoutingDecision {
for (const candidate of FALLBACK_CHAIN) {
const providerStatus = health[candidate.provider]?.status;
const isHealthy = providerStatus === 'up' || providerStatus === 'ok';
if (isHealthy) {
this.logger.debug(`Fallback resolved: ${candidate.provider}/${candidate.model}`);
return {
provider: candidate.provider,
model: candidate.model,
ruleName: 'fallback',
reason: `Fallback chain — no matching rule; selected ${candidate.provider}/${candidate.model}`,
};
}
}
// All providers in the fallback chain are unhealthy — use the first entry
const lastResort = FALLBACK_CHAIN[0]!;
this.logger.warn(
`All fallback providers unhealthy; using last resort: ${lastResort.provider}/${lastResort.model}`,
);
return {
provider: lastResort.provider,
model: lastResort.model,
ruleName: 'fallback',
reason: `Fallback chain exhausted (all providers unhealthy); using ${lastResort.provider}/${lastResort.model}`,
};
}
}

460
apps/gateway/src/agent/routing/routing-engine.test.ts
View File

@@ -1,460 +0,0 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { RoutingEngineService } from './routing-engine.service.js';
import type { RoutingRule, TaskClassification } from './routing.types.js';
// ─── Helpers ─────────────────────────────────────────────────────────────────
function makeRule(
overrides: Partial<RoutingRule> &
Pick<RoutingRule, 'name' | 'priority' | 'conditions' | 'action'>,
): RoutingRule {
return {
id: overrides.id ?? crypto.randomUUID(),
scope: 'system',
enabled: true,
...overrides,
};
}
function makeClassification(overrides: Partial<TaskClassification> = {}): TaskClassification {
return {
taskType: 'conversation',
complexity: 'simple',
domain: 'general',
requiredCapabilities: [],
...overrides,
};
}
/** Build a minimal RoutingEngineService with mocked DB and ProviderService. */
function makeService(
rules: RoutingRule[] = [],
healthMap: Record<string, { status: string }> = {},
): RoutingEngineService {
const mockDb = {
select: vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
orderBy: vi.fn().mockResolvedValue(
rules.map((r) => ({
id: r.id,
name: r.name,
priority: r.priority,
scope: r.scope,
userId: r.userId ?? null,
conditions: r.conditions,
action: r.action,
enabled: r.enabled,
createdAt: new Date(),
updatedAt: new Date(),
})),
),
}),
}),
}),
};
const mockProviderService = {
healthCheckAll: vi.fn().mockResolvedValue(healthMap),
};
// Inject mocked dependencies directly (bypass NestJS DI for unit tests)
const service = new (RoutingEngineService as unknown as new (
db: unknown,
ps: unknown,
) => RoutingEngineService)(mockDb, mockProviderService);
return service;
}
// ─── matchConditions ──────────────────────────────────────────────────────────
describe('RoutingEngineService.matchConditions', () => {
let service: RoutingEngineService;
beforeEach(() => {
service = makeService();
});
it('returns true for empty conditions array (catch-all rule)', () => {
const rule = makeRule({
name: 'fallback',
priority: 99,
conditions: [],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
});
expect(service.matchConditions(rule, makeClassification())).toBe(true);
});
it('matches eq operator on scalar field', () => {
const rule = makeRule({
name: 'coding',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
});
expect(service.matchConditions(rule, makeClassification({ taskType: 'coding' }))).toBe(true);
expect(service.matchConditions(rule, makeClassification({ taskType: 'conversation' }))).toBe(
false,
);
});
it('matches in operator: field value is in the condition array', () => {
const rule = makeRule({
name: 'simple or moderate',
priority: 2,
conditions: [{ field: 'complexity', operator: 'in', value: ['simple', 'moderate'] }],
action: { provider: 'anthropic', model: 'claude-haiku-4-5' },
});
expect(service.matchConditions(rule, makeClassification({ complexity: 'simple' }))).toBe(true);
expect(service.matchConditions(rule, makeClassification({ complexity: 'moderate' }))).toBe(
true,
);
expect(service.matchConditions(rule, makeClassification({ complexity: 'complex' }))).toBe(
false,
);
});
it('matches includes operator: field array includes the condition value', () => {
const rule = makeRule({
name: 'reasoning required',
priority: 3,
conditions: [{ field: 'requiredCapabilities', operator: 'includes', value: 'reasoning' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
});
expect(
service.matchConditions(rule, makeClassification({ requiredCapabilities: ['reasoning'] })),
).toBe(true);
expect(
service.matchConditions(
rule,
makeClassification({ requiredCapabilities: ['tools', 'reasoning'] }),
),
).toBe(true);
expect(
service.matchConditions(rule, makeClassification({ requiredCapabilities: ['tools'] })),
).toBe(false);
expect(service.matchConditions(rule, makeClassification({ requiredCapabilities: [] }))).toBe(
false,
);
});
it('requires ALL conditions to match (AND logic)', () => {
const rule = makeRule({
name: 'complex coding',
priority: 1,
conditions: [
{ field: 'taskType', operator: 'eq', value: 'coding' },
{ field: 'complexity', operator: 'eq', value: 'complex' },
],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
});
// Both match
expect(
service.matchConditions(
rule,
makeClassification({ taskType: 'coding', complexity: 'complex' }),
),
).toBe(true);
// Only one matches
expect(
service.matchConditions(
rule,
makeClassification({ taskType: 'coding', complexity: 'simple' }),
),
).toBe(false);
// Neither matches
expect(
service.matchConditions(
rule,
makeClassification({ taskType: 'conversation', complexity: 'simple' }),
),
).toBe(false);
});
it('returns false for eq when condition value is an array (type mismatch)', () => {
const rule = makeRule({
name: 'bad eq',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: ['coding', 'research'] }],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
});
expect(service.matchConditions(rule, makeClassification({ taskType: 'coding' }))).toBe(false);
});
it('returns false for includes when field is not an array', () => {
const rule = makeRule({
name: 'bad includes',
priority: 1,
conditions: [{ field: 'taskType', operator: 'includes', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
});
// taskType is a string, not an array — should be false
expect(service.matchConditions(rule, makeClassification({ taskType: 'coding' }))).toBe(false);
});
});
// ─── resolve — priority ordering ─────────────────────────────────────────────
describe('RoutingEngineService.resolve — priority ordering', () => {
it('selects the highest-priority matching rule', async () => {
// Rules are supplied in priority-ascending order, as the DB would return them.
const rules = [
makeRule({
name: 'high priority',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
}),
makeRule({
name: 'low priority',
priority: 10,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'openai', model: 'gpt-4o' },
}),
];
const service = makeService(rules, { anthropic: { status: 'up' }, openai: { status: 'up' } });
const decision = await service.resolve('implement a function');
expect(decision.ruleName).toBe('high priority');
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-opus-4-6');
});
it('skips non-matching rules and picks first match', async () => {
const rules = [
makeRule({
name: 'research rule',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'research' }],
action: { provider: 'openai', model: 'gpt-4o' },
}),
makeRule({
name: 'coding rule',
priority: 2,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
}),
];
const service = makeService(rules, { anthropic: { status: 'up' }, openai: { status: 'up' } });
const decision = await service.resolve('implement a function');
expect(decision.ruleName).toBe('coding rule');
expect(decision.provider).toBe('anthropic');
});
});
// ─── resolve — unhealthy provider fallback ────────────────────────────────────
describe('RoutingEngineService.resolve — unhealthy provider handling', () => {
it('skips matched rule when provider is unhealthy, tries next rule', async () => {
const rules = [
makeRule({
name: 'primary rule',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
}),
makeRule({
name: 'secondary rule',
priority: 2,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'openai', model: 'gpt-4o' },
}),
];
const service = makeService(rules, {
anthropic: { status: 'down' }, // primary is unhealthy
openai: { status: 'up' },
});
const decision = await service.resolve('implement a function');
expect(decision.ruleName).toBe('secondary rule');
expect(decision.provider).toBe('openai');
});
it('falls back to Sonnet when all rules have unhealthy providers', async () => {
// Override the rule's provider to something unhealthy but keep anthropic up for fallback
const unhealthyRules = [
makeRule({
name: 'only rule',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'openai', model: 'gpt-4o' }, // openai is unhealthy
}),
];
const service2 = makeService(unhealthyRules, {
anthropic: { status: 'up' },
openai: { status: 'down' },
});
const decision = await service2.resolve('implement a function');
// Should fall through to Sonnet fallback on anthropic
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-sonnet-4-6');
expect(decision.ruleName).toBe('fallback');
});
it('falls back to Haiku when Sonnet provider is also down', async () => {
const rules: RoutingRule[] = []; // no rules
const service = makeService(rules, {
anthropic: { status: 'down' }, // Sonnet is on anthropic — down
ollama: { status: 'up' }, // Haiku is also on anthropic — use Ollama as next
});
const decision = await service.resolve('hello there');
// Sonnet (anthropic) is down, Haiku (anthropic) is down, Ollama is up
expect(decision.provider).toBe('ollama');
expect(decision.model).toBe('llama3.2');
expect(decision.ruleName).toBe('fallback');
});
it('uses last resort (Sonnet) when all fallback providers are unhealthy', async () => {
const rules: RoutingRule[] = [];
const service = makeService(rules, {
anthropic: { status: 'down' },
ollama: { status: 'down' },
});
const decision = await service.resolve('hello');
// All unhealthy — still returns first fallback entry as last resort
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-sonnet-4-6');
expect(decision.ruleName).toBe('fallback');
});
});
// ─── resolve — empty conditions (catch-all rule) ──────────────────────────────
describe('RoutingEngineService.resolve — empty conditions (fallback rule)', () => {
it('matches catch-all rule for any message', async () => {
const rules = [
makeRule({
name: 'catch-all',
priority: 99,
conditions: [],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
}),
];
const service = makeService(rules, { anthropic: { status: 'up' } });
const decision = await service.resolve('completely unrelated message xyz');
expect(decision.ruleName).toBe('catch-all');
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-sonnet-4-6');
});
it('catch-all is overridden by a higher-priority specific rule', async () => {
const rules = [
makeRule({
name: 'specific coding rule',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
}),
makeRule({
name: 'catch-all',
priority: 99,
conditions: [],
action: { provider: 'anthropic', model: 'claude-haiku-4-5' },
}),
];
const service = makeService(rules, { anthropic: { status: 'up' } });
const codingDecision = await service.resolve('implement a function');
expect(codingDecision.ruleName).toBe('specific coding rule');
expect(codingDecision.model).toBe('claude-opus-4-6');
const conversationDecision = await service.resolve('hello how are you');
expect(conversationDecision.ruleName).toBe('catch-all');
expect(conversationDecision.model).toBe('claude-haiku-4-5');
});
});
// ─── resolve — disabled rules ─────────────────────────────────────────────────
describe('RoutingEngineService.resolve — disabled rules', () => {
it('skips disabled rules', async () => {
const rules = [
makeRule({
name: 'disabled rule',
priority: 1,
enabled: false,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
}),
makeRule({
name: 'enabled fallback',
priority: 99,
conditions: [],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
}),
];
const service = makeService(rules, { anthropic: { status: 'up' } });
const decision = await service.resolve('implement a function');
expect(decision.ruleName).toBe('enabled fallback');
expect(decision.model).toBe('claude-sonnet-4-6');
});
});
// ─── resolve — pre-fetched health map ────────────────────────────────────────
describe('RoutingEngineService.resolve — availableProviders override', () => {
it('uses the provided health map instead of calling healthCheckAll', async () => {
const rules = [
makeRule({
name: 'coding rule',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
}),
];
const mockHealthCheckAll = vi.fn().mockResolvedValue({});
const mockDb = {
select: vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
orderBy: vi.fn().mockResolvedValue(
rules.map((r) => ({
id: r.id,
name: r.name,
priority: r.priority,
scope: r.scope,
userId: r.userId ?? null,
conditions: r.conditions,
action: r.action,
enabled: r.enabled,
createdAt: new Date(),
updatedAt: new Date(),
})),
),
}),
}),
}),
};
const mockProviderService = { healthCheckAll: mockHealthCheckAll };
const service = new (RoutingEngineService as unknown as new (
db: unknown,
ps: unknown,
) => RoutingEngineService)(mockDb, mockProviderService);
const preSupplied = { anthropic: { status: 'up' } };
await service.resolve('implement a function', undefined, preSupplied);
expect(mockHealthCheckAll).not.toHaveBeenCalled();
});
});

234
apps/gateway/src/agent/routing/routing.controller.ts
View File

@@ -1,234 +0,0 @@
import {
Body,
Controller,
Delete,
ForbiddenException,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Param,
Patch,
Post,
UseGuards,
} from '@nestjs/common';
import { routingRules, type Db, and, asc, eq, or, inArray } from '@mosaicstack/db';
import { DB } from '../../database/database.module.js';
import { AuthGuard } from '../../auth/auth.guard.js';
import { CurrentUser } from '../../auth/current-user.decorator.js';
import {
CreateRoutingRuleDto,
UpdateRoutingRuleDto,
ReorderRoutingRulesDto,
} from './routing.dto.js';
@Controller('api/routing/rules')
@UseGuards(AuthGuard)
export class RoutingController {
constructor(@Inject(DB) private readonly db: Db) {}
/**
* GET /api/routing/rules
* List all rules visible to the authenticated user:
* - All system rules
* - User's own rules
* Ordered by priority ascending (lower number = higher priority).
*/
@Get()
async list(@CurrentUser() user: { id: string }) {
const rows = await this.db
.select()
.from(routingRules)
.where(
or(
eq(routingRules.scope, 'system'),
and(eq(routingRules.scope, 'user'), eq(routingRules.userId, user.id)),
),
)
.orderBy(asc(routingRules.priority));
return rows;
}
/**
* GET /api/routing/rules/effective
* Return the merged rule set in priority order.
* User-scoped rules are checked before system rules at the same priority
* (achieved by ordering: priority ASC, then scope='user' first).
*/
@Get('effective')
async effective(@CurrentUser() user: { id: string }) {
const rows = await this.db
.select()
.from(routingRules)
.where(
and(
eq(routingRules.enabled, true),
or(
eq(routingRules.scope, 'system'),
and(eq(routingRules.scope, 'user'), eq(routingRules.userId, user.id)),
),
),
)
.orderBy(asc(routingRules.priority));
// For rules with the same priority: user rules beat system rules.
// Group by priority then stable-sort each group: user before system.
const grouped = new Map<number, typeof rows>();
for (const row of rows) {
const bucket = grouped.get(row.priority) ?? [];
bucket.push(row);
grouped.set(row.priority, bucket);
}
const effective: typeof rows = [];
for (const [, bucket] of [...grouped.entries()].sort(([a], [b]) => a - b)) {
// user-scoped rules first within the same priority bucket
const userRules = bucket.filter((r) => r.scope === 'user');
const systemRules = bucket.filter((r) => r.scope === 'system');
effective.push(...userRules, ...systemRules);
}
return effective;
}
/**
* POST /api/routing/rules
* Create a new routing rule. Scope is forced to 'user' (users cannot create
* system rules). The authenticated user's ID is attached automatically.
*/
@Post()
async create(@Body() dto: CreateRoutingRuleDto, @CurrentUser() user: { id: string }) {
const [created] = await this.db
.insert(routingRules)
.values({
name: dto.name,
priority: dto.priority,
scope: 'user',
userId: user.id,
conditions: dto.conditions as unknown as Record<string, unknown>[],
action: dto.action as unknown as Record<string, unknown>,
enabled: dto.enabled ?? true,
})
.returning();
return created;
}
/**
* PATCH /api/routing/rules/reorder
* Reassign priorities so that the order of `ruleIds` reflects ascending
* priority (index 0 = priority 0, index 1 = priority 1, …).
* Only the authenticated user's own rules can be reordered.
*/
@Patch('reorder')
async reorder(@Body() dto: ReorderRoutingRulesDto, @CurrentUser() user: { id: string }) {
// Verify all supplied IDs belong to this user
const owned = await this.db
.select({ id: routingRules.id })
.from(routingRules)
.where(
and(
inArray(routingRules.id, dto.ruleIds),
eq(routingRules.scope, 'user'),
eq(routingRules.userId, user.id),
),
);
const ownedIds = new Set(owned.map((r) => r.id));
const unowned = dto.ruleIds.filter((id) => !ownedIds.has(id));
if (unowned.length > 0) {
throw new ForbiddenException(
`Cannot reorder rules that do not belong to you: ${unowned.join(', ')}`,
);
}
// Apply new priorities in transaction
const updates = await this.db.transaction(async (tx) => {
const results = [];
for (let i = 0; i < dto.ruleIds.length; i++) {
const [updated] = await tx
.update(routingRules)
.set({ priority: i, updatedAt: new Date() })
.where(and(eq(routingRules.id, dto.ruleIds[i]!), eq(routingRules.userId, user.id)))
.returning();
if (updated) results.push(updated);
}
return results;
});
return updates;
}
/**
* PATCH /api/routing/rules/:id
* Update a user-owned rule. System rules cannot be modified by regular users.
*/
@Patch(':id')
async update(
@Param('id') id: string,
@Body() dto: UpdateRoutingRuleDto,
@CurrentUser() user: { id: string },
) {
const [existing] = await this.db.select().from(routingRules).where(eq(routingRules.id, id));
if (!existing) throw new NotFoundException('Routing rule not found');
if (existing.scope === 'system') {
throw new ForbiddenException('System routing rules cannot be modified');
}
if (existing.userId !== user.id) {
throw new ForbiddenException('Routing rule does not belong to the current user');
}
const updatePayload: Partial<typeof routingRules.$inferInsert> = {
updatedAt: new Date(),
};
if (dto.name !== undefined) updatePayload.name = dto.name;
if (dto.priority !== undefined) updatePayload.priority = dto.priority;
if (dto.conditions !== undefined)
updatePayload.conditions = dto.conditions as unknown as Record<string, unknown>[];
if (dto.action !== undefined)
updatePayload.action = dto.action as unknown as Record<string, unknown>;
if (dto.enabled !== undefined) updatePayload.enabled = dto.enabled;
const [updated] = await this.db
.update(routingRules)
.set(updatePayload)
.where(and(eq(routingRules.id, id), eq(routingRules.userId, user.id)))
.returning();
if (!updated) throw new NotFoundException('Routing rule not found');
return updated;
}
/**
* DELETE /api/routing/rules/:id
* Delete a user-owned routing rule. System rules cannot be deleted.
*/
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const [existing] = await this.db.select().from(routingRules).where(eq(routingRules.id, id));
if (!existing) throw new NotFoundException('Routing rule not found');
if (existing.scope === 'system') {
throw new ForbiddenException('System routing rules cannot be deleted');
}
if (existing.userId !== user.id) {
throw new ForbiddenException('Routing rule does not belong to the current user');
}
const [deleted] = await this.db
.delete(routingRules)
.where(and(eq(routingRules.id, id), eq(routingRules.userId, user.id)))
.returning();
if (!deleted) throw new NotFoundException('Routing rule not found');
}
}

135
apps/gateway/src/agent/routing/routing.dto.ts
View File

@@ -1,135 +0,0 @@
import {
IsArray,
IsBoolean,
IsInt,
IsIn,
IsObject,
IsOptional,
IsString,
IsUUID,
MaxLength,
Min,
ValidateNested,
ArrayNotEmpty,
} from 'class-validator';
import { Type } from 'class-transformer';
// ─── Condition DTO ────────────────────────────────────────────────────────────
const conditionFields = [
'taskType',
'complexity',
'domain',
'costTier',
'requiredCapabilities',
] as const;
const conditionOperators = ['eq', 'in', 'includes'] as const;
export class RoutingConditionDto {
@IsString()
@IsIn(conditionFields)
field!: (typeof conditionFields)[number];
@IsString()
@IsIn(conditionOperators)
operator!: (typeof conditionOperators)[number];
// value can be string or string[] — keep as unknown and validate at runtime
value!: string | string[];
}
// ─── Action DTO ───────────────────────────────────────────────────────────────
export class RoutingActionDto {
@IsString()
@MaxLength(255)
provider!: string;
@IsString()
@MaxLength(255)
model!: string;
@IsOptional()
@IsUUID()
agentConfigId?: string;
@IsOptional()
@IsString()
@MaxLength(50_000)
systemPromptOverride?: string;
@IsOptional()
@IsArray()
toolAllowlist?: string[];
}
// ─── Create DTO ───────────────────────────────────────────────────────────────
const scopeValues = ['system', 'user'] as const;
export class CreateRoutingRuleDto {
@IsString()
@MaxLength(255)
name!: string;
@IsInt()
@Min(0)
priority!: number;
@IsOptional()
@IsIn(scopeValues)
scope?: 'system' | 'user';
@IsArray()
@ValidateNested({ each: true })
@Type(() => RoutingConditionDto)
conditions!: RoutingConditionDto[];
@IsObject()
@ValidateNested()
@Type(() => RoutingActionDto)
action!: RoutingActionDto;
@IsOptional()
@IsBoolean()
enabled?: boolean;
}
// ─── Update DTO ───────────────────────────────────────────────────────────────
export class UpdateRoutingRuleDto {
@IsOptional()
@IsString()
@MaxLength(255)
name?: string;
@IsOptional()
@IsInt()
@Min(0)
priority?: number;
@IsOptional()
@IsArray()
@ValidateNested({ each: true })
@Type(() => RoutingConditionDto)
conditions?: RoutingConditionDto[];
@IsOptional()
@IsObject()
@ValidateNested()
@Type(() => RoutingActionDto)
action?: RoutingActionDto;
@IsOptional()
@IsBoolean()
enabled?: boolean;
}
// ─── Reorder DTO ──────────────────────────────────────────────────────────────
export class ReorderRoutingRulesDto {
@IsArray()
@ArrayNotEmpty()
@IsUUID(undefined, { each: true })
ruleIds!: string[];
}

118
apps/gateway/src/agent/routing/routing.types.ts
View File

@@ -1,118 +0,0 @@
/**
* Routing engine types — M4-002 (condition types) and M4-003 (action types).
*
* These types are re-exported from `@mosaicstack/types` for shared use across packages.
*/
// ─── Classification primitives ───────────────────────────────────────────────
/** Category of work the agent is being asked to perform */
export type TaskType =
| 'coding'
| 'research'
| 'summarization'
| 'conversation'
| 'analysis'
| 'creative';
/** Estimated complexity of the task, used to bias toward cheaper or more capable models */
export type Complexity = 'simple' | 'moderate' | 'complex';
/** Primary knowledge domain of the task */
export type Domain = 'frontend' | 'backend' | 'devops' | 'docs' | 'general';
/**
* Cost tier for model selection.
* Extends the existing `CostTier` in `@mosaicstack/types` with `local` for self-hosted models.
*/
export type CostTier = 'cheap' | 'standard' | 'premium' | 'local';
/** Special model capability required by the task */
export type Capability = 'tools' | 'vision' | 'long-context' | 'reasoning' | 'embedding';
// ─── Condition types ─────────────────────────────────────────────────────────
/**
* A single predicate that must be satisfied for a routing rule to match.
*
* - `eq` — scalar equality: `field === value`
* - `in` — set membership: `value` contains `field`
* - `includes` — array containment: `field` (array) includes `value`
*/
export interface RoutingCondition {
/** The task-classification field to test */
field: 'taskType' | 'complexity' | 'domain' | 'costTier' | 'requiredCapabilities';
/** Comparison operator */
operator: 'eq' | 'in' | 'includes';
/** Expected value or set of values */
value: string | string[];
}
// ─── Action types ────────────────────────────────────────────────────────────
/**
* The routing action to execute when all conditions in a rule are satisfied.
*/
export interface RoutingAction {
/** LLM provider identifier, e.g. `'anthropic'`, `'openai'`, `'ollama'` */
provider: string;
/** Model identifier, e.g. `'claude-opus-4-6'`, `'gpt-4o'` */
model: string;
/** Optional: use a specific pre-configured agent config from the agent registry */
agentConfigId?: string;
/** Optional: override the agent's default system prompt for this route */
systemPromptOverride?: string;
/** Optional: restrict the tool set available to the agent for this route */
toolAllowlist?: string[];
}
// ─── Rule and decision types ─────────────────────────────────────────────────
/**
* Full routing rule as stored in the database and used at runtime.
*/
export interface RoutingRule {
/** UUID primary key */
id: string;
/** Human-readable rule name */
name: string;
/** Lower number = evaluated first; unique per scope */
priority: number;
/** `'system'` rules apply globally; `'user'` rules override for a specific user */
scope: 'system' | 'user';
/** Present only for `'user'`-scoped rules */
userId?: string;
/** All conditions must match for the rule to fire */
conditions: RoutingCondition[];
/** Action to take when all conditions are met */
action: RoutingAction;
/** Whether this rule is active */
enabled: boolean;
}
/**
* Structured representation of what an agent has been asked to do,
* produced by the task classifier and consumed by the routing engine.
*/
export interface TaskClassification {
taskType: TaskType;
complexity: Complexity;
domain: Domain;
requiredCapabilities: Capability[];
}
/**
* Output of the routing engine — which model to use and why.
*/
export interface RoutingDecision {
/** LLM provider identifier */
provider: string;
/** Model identifier */
model: string;
/** Optional agent config to apply */
agentConfigId?: string;
/** Name of the rule that matched, for observability */
ruleName: string;
/** Human-readable explanation of why this rule was selected */
reason: string;
}

366
apps/gateway/src/agent/routing/task-classifier.test.ts
View File

@@ -1,366 +0,0 @@
import { describe, it, expect } from 'vitest';
import { classifyTask } from './task-classifier.js';
// ─── Task Type Detection ──────────────────────────────────────────────────────
describe('classifyTask — taskType', () => {
it('detects coding from "code" keyword', () => {
expect(classifyTask('Can you write some code for me?').taskType).toBe('coding');
});
it('detects coding from "implement" keyword', () => {
expect(classifyTask('Implement a binary search algorithm').taskType).toBe('coding');
});
it('detects coding from "function" keyword', () => {
expect(classifyTask('Write a function that reverses a string').taskType).toBe('coding');
});
it('detects coding from "debug" keyword', () => {
expect(classifyTask('Help me debug this error').taskType).toBe('coding');
});
it('detects coding from "fix" keyword', () => {
expect(classifyTask('fix the broken test').taskType).toBe('coding');
});
it('detects coding from "refactor" keyword', () => {
expect(classifyTask('Please refactor this module').taskType).toBe('coding');
});
it('detects coding from "typescript" keyword', () => {
expect(classifyTask('How do I use generics in TypeScript?').taskType).toBe('coding');
});
it('detects coding from "javascript" keyword', () => {
expect(classifyTask('JavaScript promises explained').taskType).toBe('coding');
});
it('detects coding from "python" keyword', () => {
expect(classifyTask('Write a Python script to parse CSV').taskType).toBe('coding');
});
it('detects coding from "SQL" keyword', () => {
expect(classifyTask('Write a SQL query to join these tables').taskType).toBe('coding');
});
it('detects coding from "API" keyword', () => {
expect(classifyTask('Design an API for user management').taskType).toBe('coding');
});
it('detects coding from "endpoint" keyword', () => {
expect(classifyTask('Add a new endpoint for user profiles').taskType).toBe('coding');
});
it('detects coding from "class" keyword', () => {
expect(classifyTask('Create a class for handling payments').taskType).toBe('coding');
});
it('detects coding from "method" keyword', () => {
expect(classifyTask('Add a method to validate emails').taskType).toBe('coding');
});
it('detects coding from inline backtick code', () => {
expect(classifyTask('What does `Array.prototype.reduce` do?').taskType).toBe('coding');
});
it('detects summarization from "summarize"', () => {
expect(classifyTask('Please summarize this document').taskType).toBe('summarization');
});
it('detects summarization from "summary"', () => {
expect(classifyTask('Give me a summary of the meeting').taskType).toBe('summarization');
});
it('detects summarization from "tldr"', () => {
expect(classifyTask('TLDR this article for me').taskType).toBe('summarization');
});
it('detects summarization from "condense"', () => {
expect(classifyTask('Condense this into 3 bullet points').taskType).toBe('summarization');
});
it('detects summarization from "brief"', () => {
expect(classifyTask('Give me a brief overview of this topic').taskType).toBe('summarization');
});
it('detects creative from "write"', () => {
expect(classifyTask('Write a short story about a dragon').taskType).toBe('creative');
});
it('detects creative from "story"', () => {
expect(classifyTask('Tell me a story about space exploration').taskType).toBe('creative');
});
it('detects creative from "poem"', () => {
expect(classifyTask('Write a poem about autumn').taskType).toBe('creative');
});
it('detects creative from "generate"', () => {
expect(classifyTask('Generate some creative marketing copy').taskType).toBe('creative');
});
it('detects creative from "create content"', () => {
expect(classifyTask('Help me create content for my website').taskType).toBe('creative');
});
it('detects creative from "blog post"', () => {
expect(classifyTask('Write a blog post about productivity habits').taskType).toBe('creative');
});
it('detects analysis from "analyze"', () => {
expect(classifyTask('Analyze the performance of this system').taskType).toBe('analysis');
});
it('detects analysis from "review"', () => {
expect(classifyTask('Please review my pull request changes').taskType).toBe('analysis');
});
it('detects analysis from "evaluate"', () => {
expect(classifyTask('Evaluate the pros and cons of this approach').taskType).toBe('analysis');
});
it('detects analysis from "assess"', () => {
expect(classifyTask('Assess the security risks here').taskType).toBe('analysis');
});
it('detects analysis from "audit"', () => {
expect(classifyTask('Audit this codebase for vulnerabilities').taskType).toBe('analysis');
});
it('detects research from "research"', () => {
expect(classifyTask('Research the best state management libraries').taskType).toBe('research');
});
it('detects research from "find"', () => {
expect(classifyTask('Find all open issues in our backlog').taskType).toBe('research');
});
it('detects research from "search"', () => {
expect(classifyTask('Search for papers on transformer architectures').taskType).toBe(
'research',
);
});
it('detects research from "what is"', () => {
expect(classifyTask('What is the difference between REST and GraphQL?').taskType).toBe(
'research',
);
});
it('detects research from "explain"', () => {
expect(classifyTask('Explain how OAuth2 works').taskType).toBe('research');
});
it('detects research from "how does"', () => {
expect(classifyTask('How does garbage collection work in V8?').taskType).toBe('research');
});
it('detects research from "compare"', () => {
expect(classifyTask('Compare Postgres and MySQL for this use case').taskType).toBe('research');
});
it('falls back to conversation with no strong signal', () => {
expect(classifyTask('Hello, how are you?').taskType).toBe('conversation');
});
it('falls back to conversation for generic greetings', () => {
expect(classifyTask('Good morning!').taskType).toBe('conversation');
});
// Priority: coding wins over research when both keywords present
it('coding takes priority over research', () => {
expect(classifyTask('find a code example for sorting').taskType).toBe('coding');
});
// Priority: summarization wins over creative
it('summarization takes priority over creative', () => {
expect(classifyTask('write a summary of this article').taskType).toBe('summarization');
});
});
// ─── Complexity Estimation ────────────────────────────────────────────────────
describe('classifyTask — complexity', () => {
it('classifies short message as simple', () => {
expect(classifyTask('Fix typo').complexity).toBe('simple');
});
it('classifies single question as simple', () => {
expect(classifyTask('What is a closure?').complexity).toBe('simple');
});
it('classifies message > 500 chars as complex', () => {
const long = 'a'.repeat(501);
expect(classifyTask(long).complexity).toBe('complex');
});
it('classifies message with "architecture" keyword as complex', () => {
expect(
classifyTask('Can you help me think through the architecture of this system?').complexity,
).toBe('complex');
});
it('classifies message with "design" keyword as complex', () => {
expect(classifyTask('Design a data model for this feature').complexity).toBe('complex');
});
it('classifies message with "complex" keyword as complex', () => {
expect(classifyTask('This is a complex problem involving multiple services').complexity).toBe(
'complex',
);
});
it('classifies message with "system" keyword as complex', () => {
expect(classifyTask('Explain the whole system behavior').complexity).toBe('complex');
});
it('classifies message with multiple code blocks as complex', () => {
const msg = '```\nconst a = 1;\n```\n\nAlso look at\n\n```\nconst b = 2;\n```';
expect(classifyTask(msg).complexity).toBe('complex');
});
it('classifies moderate-length message as moderate', () => {
const msg =
'Please help me implement a small utility function that parses query strings. It should handle arrays and nested objects properly.';
expect(classifyTask(msg).complexity).toBe('moderate');
});
});
// ─── Domain Detection ─────────────────────────────────────────────────────────
describe('classifyTask — domain', () => {
it('detects frontend from "react"', () => {
expect(classifyTask('How do I use React hooks?').domain).toBe('frontend');
});
it('detects frontend from "css"', () => {
expect(classifyTask('Fix the CSS layout issue').domain).toBe('frontend');
});
it('detects frontend from "html"', () => {
expect(classifyTask('Add an HTML form element').domain).toBe('frontend');
});
it('detects frontend from "component"', () => {
expect(classifyTask('Create a reusable component').domain).toBe('frontend');
});
it('detects frontend from "UI"', () => {
expect(classifyTask('Update the UI spacing').domain).toBe('frontend');
});
it('detects frontend from "tailwind"', () => {
expect(classifyTask('Style this button with Tailwind').domain).toBe('frontend');
});
it('detects frontend from "next.js"', () => {
expect(classifyTask('Configure Next.js routing').domain).toBe('frontend');
});
it('detects backend from "server"', () => {
expect(classifyTask('Set up the server to handle requests').domain).toBe('backend');
});
it('detects backend from "database"', () => {
expect(classifyTask('Optimize this database query').domain).toBe('backend');
});
it('detects backend from "endpoint"', () => {
expect(classifyTask('Add an endpoint for authentication').domain).toBe('backend');
});
it('detects backend from "nest"', () => {
expect(classifyTask('Add a NestJS guard for this route').domain).toBe('backend');
});
it('detects backend from "express"', () => {
expect(classifyTask('Middleware in Express explained').domain).toBe('backend');
});
it('detects devops from "docker"', () => {
expect(classifyTask('Write a Dockerfile for this app').domain).toBe('devops');
});
it('detects devops from "deploy"', () => {
expect(classifyTask('Deploy this service to production').domain).toBe('devops');
});
it('detects devops from "pipeline"', () => {
expect(classifyTask('Set up a CI pipeline').domain).toBe('devops');
});
it('detects devops from "kubernetes"', () => {
expect(classifyTask('Configure a Kubernetes deployment').domain).toBe('devops');
});
it('detects docs from "documentation"', () => {
expect(classifyTask('Write documentation for this module').domain).toBe('docs');
});
it('detects docs from "readme"', () => {
expect(classifyTask('Update the README').domain).toBe('docs');
});
it('detects docs from "guide"', () => {
expect(classifyTask('Create a user guide for this feature').domain).toBe('docs');
});
it('falls back to general domain', () => {
expect(classifyTask('What time is it?').domain).toBe('general');
});
// devops takes priority over backend when both match
it('devops takes priority over backend (both keywords)', () => {
expect(classifyTask('Deploy the API server using Docker').domain).toBe('devops');
});
// docs takes priority over frontend when both match
it('docs takes priority over frontend (both keywords)', () => {
expect(classifyTask('Write documentation for React components').domain).toBe('docs');
});
});
// ─── Combined Classification ──────────────────────────────────────────────────
describe('classifyTask — combined', () => {
it('returns full classification object', () => {
const result = classifyTask('Fix the bug?');
expect(result).toHaveProperty('taskType');
expect(result).toHaveProperty('complexity');
expect(result).toHaveProperty('domain');
});
it('classifies complex TypeScript architecture request', () => {
const msg =
'Design the architecture for a multi-tenant TypeScript system using NestJS with proper database isolation and role-based access control. The system needs to support multiple organizations each with their own data namespace.';
const result = classifyTask(msg);
expect(result.taskType).toBe('coding');
expect(result.complexity).toBe('complex');
expect(result.domain).toBe('backend');
});
it('classifies simple frontend question', () => {
const result = classifyTask('How do I center a div in CSS?');
expect(result.taskType).toBe('research');
expect(result.domain).toBe('frontend');
});
it('classifies a DevOps pipeline task as complex', () => {
const msg =
'Design a complete CI/CD pipeline architecture using Docker and Kubernetes with blue-green deployments and automatic rollback capabilities for a complex microservices system.';
const result = classifyTask(msg);
expect(result.domain).toBe('devops');
expect(result.complexity).toBe('complex');
});
it('classifies summarization task correctly', () => {
const result = classifyTask('Summarize the key points from this document');
expect(result.taskType).toBe('summarization');
});
it('classifies creative writing task correctly', () => {
const result = classifyTask('Write a poem about the ocean');
expect(result.taskType).toBe('creative');
});
});

159
apps/gateway/src/agent/routing/task-classifier.ts
View File

@@ -1,159 +0,0 @@
import type { TaskType, Complexity, Domain, TaskClassification } from './routing.types.js';
// ─── Pattern Banks ──────────────────────────────────────────────────────────
const CODING_PATTERNS: RegExp[] = [
/\bcode\b/i,
/\bfunction\b/i,
/\bimplement\b/i,
/\bdebug\b/i,
/\bfix\b/i,
/\brefactor\b/i,
/\btypescript\b/i,
/\bjavascript\b/i,
/\bpython\b/i,
/\bSQL\b/i,
/\bAPI\b/i,
/\bendpoint\b/i,
/\bclass\b/i,
/\bmethod\b/i,
/`[^`]*`/,
];
const RESEARCH_PATTERNS: RegExp[] = [
/\bresearch\b/i,
/\bfind\b/i,
/\bsearch\b/i,
/\bwhat is\b/i,
/\bexplain\b/i,
/\bhow do(es)?\b/i,
/\bcompare\b/i,
/\banalyze\b/i,
];
const SUMMARIZATION_PATTERNS: RegExp[] = [
/\bsummariz(e|ation)\b/i,
/\bsummary\b/i,
/\btldr\b/i,
/\bcondense\b/i,
/\bbrief\b/i,
];
const CREATIVE_PATTERNS: RegExp[] = [
/\bwrite\b/i,
/\bstory\b/i,
/\bpoem\b/i,
/\bgenerate\b/i,
/\bcreate content\b/i,
/\bblog post\b/i,
];
const ANALYSIS_PATTERNS: RegExp[] = [
/\banalyze\b/i,
/\breview\b/i,
/\bevaluate\b/i,
/\bassess\b/i,
/\baudit\b/i,
];
// ─── Complexity Indicators ───────────────────────────────────────────────────
const COMPLEX_KEYWORDS: RegExp[] = [
/\barchitecture\b/i,
/\bdesign\b/i,
/\bcomplex\b/i,
/\bsystem\b/i,
];
const SIMPLE_QUESTION_PATTERN = /^[^.!?]+[?]$/;
/** Counts occurrences of triple-backtick code fences in the message */
function countCodeBlocks(message: string): number {
return (message.match(/```/g) ?? []).length / 2;
}
// ─── Domain Indicators ───────────────────────────────────────────────────────
const FRONTEND_PATTERNS: RegExp[] = [
/\breact\b/i,
/\bcss\b/i,
/\bhtml\b/i,
/\bcomponent\b/i,
/\bUI\b/,
/\btailwind\b/i,
/\bnext\.js\b/i,
];
const BACKEND_PATTERNS: RegExp[] = [
/\bAPI\b/i,
/\bserver\b/i,
/\bdatabase\b/i,
/\bendpoint\b/i,
/\bnest(js)?\b/i,
/\bexpress\b/i,
];
const DEVOPS_PATTERNS: RegExp[] = [
/\bdocker(file|compose|hub)?\b/i,
/\bCI\b/,
/\bdeploy\b/i,
/\bpipeline\b/i,
/\bkubernetes\b/i,
];
const DOCS_PATTERNS: RegExp[] = [/\bdocumentation\b/i, /\breadme\b/i, /\bguide\b/i];
// ─── Helpers ─────────────────────────────────────────────────────────────────
function matchesAny(message: string, patterns: RegExp[]): boolean {
return patterns.some((p) => p.test(message));
}
// ─── Classifier ──────────────────────────────────────────────────────────────
/**
* Classify a task based on the user's message using deterministic regex/keyword matching.
* No LLM calls are made — this is a pure, fast, synchronous classification.
*/
export function classifyTask(message: string): TaskClassification {
return {
taskType: detectTaskType(message),
complexity: estimateComplexity(message),
domain: detectDomain(message),
requiredCapabilities: [],
};
}
function detectTaskType(message: string): TaskType {
if (matchesAny(message, CODING_PATTERNS)) return 'coding';
if (matchesAny(message, SUMMARIZATION_PATTERNS)) return 'summarization';
if (matchesAny(message, CREATIVE_PATTERNS)) return 'creative';
if (matchesAny(message, ANALYSIS_PATTERNS)) return 'analysis';
if (matchesAny(message, RESEARCH_PATTERNS)) return 'research';
return 'conversation';
}
function estimateComplexity(message: string): Complexity {
const trimmed = message.trim();
const codeBlocks = countCodeBlocks(trimmed);
// Complex: long messages, multiple code blocks, or complexity keywords
if (trimmed.length > 500 || codeBlocks > 1 || matchesAny(trimmed, COMPLEX_KEYWORDS)) {
return 'complex';
}
// Simple: short messages or a single direct question
if (trimmed.length < 100 || SIMPLE_QUESTION_PATTERN.test(trimmed)) {
return 'simple';
}
return 'moderate';
}
function detectDomain(message: string): Domain {
if (matchesAny(message, DEVOPS_PATTERNS)) return 'devops';
if (matchesAny(message, DOCS_PATTERNS)) return 'docs';
if (matchesAny(message, FRONTEND_PATTERNS)) return 'frontend';
if (matchesAny(message, BACKEND_PATTERNS)) return 'backend';
return 'general';
}

21
apps/gateway/src/agent/session.dto.ts
View File

@@ -1,32 +1,11 @@
/** Token usage metrics for a session (M5-007). */
export interface SessionTokenMetrics {
input: number;
output: number;
cacheRead: number;
cacheWrite: number;
total: number;
}
/** Per-session metrics tracked throughout the session lifetime (M5-007). */
export interface SessionMetrics {
tokens: SessionTokenMetrics;
modelSwitches: number;
messageCount: number;
lastActivityAt: string;
}
export interface SessionInfoDto {
id: string;
provider: string;
modelId: string;
/** M5-005: human-readable agent name when an agent config is applied. */
agentName?: string;
createdAt: string;
promptCount: number;
channels: string[];
durationMs: number;
/** M5-007: per-session metrics (token usage, model switches, etc.) */
metrics: SessionMetrics;
}
export interface SessionListDto {

2
apps/gateway/src/agent/tools/brain-tools.ts
View File

@@ -1,6 +1,6 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import type { Brain } from '@mosaicstack/brain';
import type { Brain } from '@mosaic/brain';
export function createBrainTools(brain: Brain): ToolDefinition[] {
const listProjects: ToolDefinition = {

166
apps/gateway/src/agent/tools/file-tools.ts
View File

@@ -190,169 +190,5 @@ export function createFileTools(baseDir: string): ToolDefinition[] {
},
};
const editFileTool: ToolDefinition = {
name: 'fs_edit_file',
label: 'Edit File',
description:
'Make targeted text replacements in a file. Each edit replaces an exact match of oldText with newText. ' +
'All edits are matched against the original file content (not incrementally). ' +
'Each oldText must be unique in the file and edits must not overlap.',
parameters: Type.Object({
path: Type.String({
description: 'File path (relative to sandbox base or absolute within it)',
}),
edits: Type.Array(
Type.Object({
oldText: Type.String({
description: 'Exact text to find and replace (must be unique in the file)',
}),
newText: Type.String({ description: 'Replacement text' }),
}),
{ description: 'One or more targeted replacements', minItems: 1 },
),
}),
async execute(_toolCallId, params) {
const { path, edits } = params as {
path: string;
edits: Array<{ oldText: string; newText: string }>;
};
let safePath: string;
try {
safePath = guardPath(path, baseDir);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
try {
const info = await stat(safePath);
if (!info.isFile()) {
return {
content: [{ type: 'text' as const, text: `Error: path is not a file: ${path}` }],
details: undefined,
};
}
if (info.size > MAX_READ_BYTES) {
return {
content: [
{
type: 'text' as const,
text: `Error: file too large for editing (${info.size} bytes, limit ${MAX_READ_BYTES} bytes)`,
},
],
details: undefined,
};
}
} catch (err) {
return {
content: [{ type: 'text' as const, text: `Error reading file: ${String(err)}` }],
details: undefined,
};
}
let content: string;
try {
content = await readFile(safePath, { encoding: 'utf8' });
} catch (err) {
return {
content: [{ type: 'text' as const, text: `Error reading file: ${String(err)}` }],
details: undefined,
};
}
// Validate all edits before applying any
const errors: string[] = [];
for (let i = 0; i < edits.length; i++) {
const edit = edits[i]!;
const occurrences = content.split(edit.oldText).length - 1;
if (occurrences === 0) {
errors.push(`Edit ${i + 1}: oldText not found in file`);
} else if (occurrences > 1) {
errors.push(`Edit ${i + 1}: oldText matches ${occurrences} locations (must be unique)`);
}
}
// Check for overlapping edits
if (errors.length === 0) {
const positions = edits.map((edit, i) => ({
index: i,
start: content.indexOf(edit.oldText),
end: content.indexOf(edit.oldText) + edit.oldText.length,
}));
positions.sort((a, b) => a.start - b.start);
for (let i = 1; i < positions.length; i++) {
if (positions[i]!.start < positions[i - 1]!.end) {
errors.push(
`Edits ${positions[i - 1]!.index + 1} and ${positions[i]!.index + 1} overlap`,
);
}
}
}
if (errors.length > 0) {
return {
content: [
{
type: 'text' as const,
text: `Edit validation failed:\n${errors.join('\n')}`,
},
],
details: undefined,
};
}
// Apply edits: process from end to start to preserve positions
const positions = edits.map((edit) => ({
edit,
start: content.indexOf(edit.oldText),
}));
positions.sort((a, b) => b.start - a.start); // reverse order
let result = content;
for (const { edit } of positions) {
result = result.replace(edit.oldText, edit.newText);
}
if (Buffer.byteLength(result, 'utf8') > MAX_WRITE_BYTES) {
return {
content: [
{
type: 'text' as const,
text: `Error: resulting file too large (limit ${MAX_WRITE_BYTES} bytes)`,
},
],
details: undefined,
};
}
try {
await writeFile(safePath, result, { encoding: 'utf8' });
return {
content: [
{
type: 'text' as const,
text: `File edited successfully: ${path} (${edits.length} edit(s) applied)`,
},
],
details: undefined,
};
} catch (err) {
return {
content: [{ type: 'text' as const, text: `Error writing file: ${String(err)}` }],
details: undefined,
};
}
},
};
return [readFileTool, writeFileTool, listDirectoryTool, editFileTool];
return [readFileTool, writeFileTool, listDirectoryTool];
}

1
apps/gateway/src/agent/tools/index.ts
View File

@@ -2,7 +2,6 @@ export { createBrainTools } from './brain-tools.js';
export { createCoordTools } from './coord-tools.js';
export { createFileTools } from './file-tools.js';
export { createGitTools } from './git-tools.js';
export { createSearchTools } from './search-tools.js';
export { createShellTools } from './shell-tools.js';
export { createWebTools } from './web-tools.js';
export { createSkillTools } from './skill-tools.js';

61
apps/gateway/src/agent/tools/memory-tools.ts
View File

@@ -1,47 +1,25 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import type { Memory } from '@mosaicstack/memory';
import type { EmbeddingProvider } from '@mosaicstack/memory';
import type { Memory } from '@mosaic/memory';
import type { EmbeddingProvider } from '@mosaic/memory';
/**
* Create memory tools bound to the session's authenticated userId.
*
* SECURITY: userId is resolved from the authenticated session at tool-creation
* time and is never accepted as a user-supplied or LLM-supplied parameter.
* This prevents cross-user data access via parameter injection.
*/
export function createMemoryTools(
memory: Memory,
embeddingProvider: EmbeddingProvider | null,
/** Authenticated user ID from the session. All memory operations are scoped to this user. */
sessionUserId: string | undefined,
): ToolDefinition[] {
/** Return an error result when no session user is bound. */
function noUserError() {
return {
content: [
{
type: 'text' as const,
text: 'Memory tools unavailable — no authenticated user bound to this session',
},
],
details: undefined,
};
}
const searchMemory: ToolDefinition = {
name: 'memory_search',
label: 'Search Memory',
description:
'Search across stored insights and knowledge using natural language. Returns semantically similar results.',
parameters: Type.Object({
userId: Type.String({ description: 'User ID to search memory for' }),
query: Type.String({ description: 'Natural language search query' }),
limit: Type.Optional(Type.Number({ description: 'Max results (default 5)' })),
}),
async execute(_toolCallId, params) {
if (!sessionUserId) return noUserError();
const { query, limit } = params as {
const { userId, query, limit } = params as {
userId: string;
query: string;
limit?: number;
};
@@ -59,7 +37,7 @@ export function createMemoryTools(
}
const embedding = await embeddingProvider.embed(query);
const results = await memory.insights.searchByEmbedding(sessionUserId, embedding, limit ?? 5);
const results = await memory.insights.searchByEmbedding(userId, embedding, limit ?? 5);
return {
content: [{ type: 'text' as const, text: JSON.stringify(results, null, 2) }],
details: undefined,
@@ -70,8 +48,9 @@ export function createMemoryTools(
const getPreferences: ToolDefinition = {
name: 'memory_get_preferences',
label: 'Get User Preferences',
description: 'Retrieve stored preferences for the current session user.',
description: 'Retrieve stored preferences for a user.',
parameters: Type.Object({
userId: Type.String({ description: 'User ID' }),
category: Type.Optional(
Type.String({
description: 'Filter by category: communication, coding, workflow, appearance, general',
@@ -79,13 +58,11 @@ export function createMemoryTools(
),
}),
async execute(_toolCallId, params) {
if (!sessionUserId) return noUserError();
const { category } = params as { category?: string };
const { userId, category } = params as { userId: string; category?: string };
type Cat = 'communication' | 'coding' | 'workflow' | 'appearance' | 'general';
const prefs = category
? await memory.preferences.findByUserAndCategory(sessionUserId, category as Cat)
: await memory.preferences.findByUser(sessionUserId);
? await memory.preferences.findByUserAndCategory(userId, category as Cat)
: await memory.preferences.findByUser(userId);
return {
content: [{ type: 'text' as const, text: JSON.stringify(prefs, null, 2) }],
details: undefined,
@@ -99,6 +76,7 @@ export function createMemoryTools(
description:
'Store a learned user preference (e.g., "prefers tables over paragraphs", "timezone: America/Chicago").',
parameters: Type.Object({
userId: Type.String({ description: 'User ID' }),
key: Type.String({ description: 'Preference key' }),
value: Type.String({ description: 'Preference value (JSON string)' }),
category: Type.Optional(
@@ -108,9 +86,8 @@ export function createMemoryTools(
),
}),
async execute(_toolCallId, params) {
if (!sessionUserId) return noUserError();
const { key, value, category } = params as {
const { userId, key, value, category } = params as {
userId: string;
key: string;
value: string;
category?: string;
@@ -123,7 +100,7 @@ export function createMemoryTools(
parsedValue = value;
}
const pref = await memory.preferences.upsert({
userId: sessionUserId,
userId,
key,
value: parsedValue,
category: (category as Cat) ?? 'general',
@@ -142,6 +119,7 @@ export function createMemoryTools(
description:
'Store a learned insight, decision, or knowledge extracted from the current interaction.',
parameters: Type.Object({
userId: Type.String({ description: 'User ID' }),
content: Type.String({ description: 'The insight or knowledge to store' }),
category: Type.Optional(
Type.String({
@@ -150,9 +128,8 @@ export function createMemoryTools(
),
}),
async execute(_toolCallId, params) {
if (!sessionUserId) return noUserError();
const { content, category } = params as {
const { userId, content, category } = params as {
userId: string;
content: string;
category?: string;
};
@@ -164,7 +141,7 @@ export function createMemoryTools(
}
const insight = await memory.insights.create({
userId: sessionUserId,
userId,
content,
embedding,
source: 'agent',

496
apps/gateway/src/agent/tools/search-tools.ts
View File

@@ -1,496 +0,0 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
const DEFAULT_TIMEOUT_MS = 15_000;
const MAX_RESULTS = 10;
const MAX_RESPONSE_BYTES = 256 * 1024; // 256 KB
// ─── Provider helpers ────────────────────────────────────────────────────────
interface SearchResult {
title: string;
url: string;
snippet: string;
}
interface SearchResponse {
provider: string;
query: string;
results: SearchResult[];
error?: string;
}
async function fetchWithTimeout(
url: string,
init: RequestInit,
timeoutMs: number,
): Promise<Response> {
const controller = new AbortController();
const timer = setTimeout(() => controller.abort(), timeoutMs);
try {
return await fetch(url, { ...init, signal: controller.signal });
} finally {
clearTimeout(timer);
}
}
async function readLimited(response: Response): Promise<string> {
const reader = response.body?.getReader();
if (!reader) return '';
const chunks: Uint8Array[] = [];
let total = 0;
while (true) {
const { done, value } = await reader.read();
if (done) break;
total += value.length;
if (total > MAX_RESPONSE_BYTES) {
chunks.push(value.subarray(0, MAX_RESPONSE_BYTES - (total - value.length)));
reader.cancel();
break;
}
chunks.push(value);
}
const combined = new Uint8Array(chunks.reduce((a, c) => a + c.length, 0));
let offset = 0;
for (const chunk of chunks) {
combined.set(chunk, offset);
offset += chunk.length;
}
return new TextDecoder().decode(combined);
}
// ─── Brave Search ────────────────────────────────────────────────────────────
async function searchBrave(query: string, limit: number): Promise<SearchResponse> {
const apiKey = process.env['BRAVE_API_KEY'];
if (!apiKey) return { provider: 'brave', query, results: [], error: 'BRAVE_API_KEY not set' };
try {
const params = new URLSearchParams({
q: query,
count: String(Math.min(limit, 20)),
});
const res = await fetchWithTimeout(
`https://api.search.brave.com/res/v1/web/search?${params}`,
{ headers: { 'X-Subscription-Token': apiKey, Accept: 'application/json' } },
DEFAULT_TIMEOUT_MS,
);
if (!res.ok) {
const body = await res.text().catch(() => '');
return { provider: 'brave', query, results: [], error: `HTTP ${res.status}: ${body}` };
}
const data = (await res.json()) as {
web?: { results?: Array<{ title: string; url: string; description: string }> };
};
const results: SearchResult[] = (data.web?.results ?? []).slice(0, limit).map((r) => ({
title: r.title,
url: r.url,
snippet: r.description,
}));
return { provider: 'brave', query, results };
} catch (err) {
return {
provider: 'brave',
query,
results: [],
error: err instanceof Error ? err.message : String(err),
};
}
}
// ─── Tavily Search ───────────────────────────────────────────────────────────
async function searchTavily(query: string, limit: number): Promise<SearchResponse> {
const apiKey = process.env['TAVILY_API_KEY'];
if (!apiKey) return { provider: 'tavily', query, results: [], error: 'TAVILY_API_KEY not set' };
try {
const res = await fetchWithTimeout(
'https://api.tavily.com/search',
{
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
api_key: apiKey,
query,
max_results: Math.min(limit, 10),
include_answer: false,
}),
},
DEFAULT_TIMEOUT_MS,
);
if (!res.ok) {
const body = await res.text().catch(() => '');
return { provider: 'tavily', query, results: [], error: `HTTP ${res.status}: ${body}` };
}
const data = (await res.json()) as {
results?: Array<{ title: string; url: string; content: string }>;
};
const results: SearchResult[] = (data.results ?? []).slice(0, limit).map((r) => ({
title: r.title,
url: r.url,
snippet: r.content,
}));
return { provider: 'tavily', query, results };
} catch (err) {
return {
provider: 'tavily',
query,
results: [],
error: err instanceof Error ? err.message : String(err),
};
}
}
// ─── SearXNG (self-hosted) ───────────────────────────────────────────────────
async function searchSearxng(query: string, limit: number): Promise<SearchResponse> {
const baseUrl = process.env['SEARXNG_URL'];
if (!baseUrl) return { provider: 'searxng', query, results: [], error: 'SEARXNG_URL not set' };
try {
const params = new URLSearchParams({
q: query,
format: 'json',
pageno: '1',
});
const res = await fetchWithTimeout(
`${baseUrl.replace(/\/$/, '')}/search?${params}`,
{ headers: { Accept: 'application/json' } },
DEFAULT_TIMEOUT_MS,
);
if (!res.ok) {
const body = await res.text().catch(() => '');
return { provider: 'searxng', query, results: [], error: `HTTP ${res.status}: ${body}` };
}
const data = (await res.json()) as {
results?: Array<{ title: string; url: string; content: string }>;
};
const results: SearchResult[] = (data.results ?? []).slice(0, limit).map((r) => ({
title: r.title,
url: r.url,
snippet: r.content,
}));
return { provider: 'searxng', query, results };
} catch (err) {
return {
provider: 'searxng',
query,
results: [],
error: err instanceof Error ? err.message : String(err),
};
}
}
// ─── DuckDuckGo (lite HTML endpoint) ─────────────────────────────────────────
async function searchDuckDuckGo(query: string, limit: number): Promise<SearchResponse> {
try {
// Use the DuckDuckGo Instant Answer API (JSON, free, no key)
const params = new URLSearchParams({
q: query,
format: 'json',
no_html: '1',
skip_disambig: '1',
});
const res = await fetchWithTimeout(
`https://api.duckduckgo.com/?${params}`,
{ headers: { Accept: 'application/json' } },
DEFAULT_TIMEOUT_MS,
);
if (!res.ok) {
return {
provider: 'duckduckgo',
query,
results: [],
error: `HTTP ${res.status}`,
};
}
const text = await readLimited(res);
const data = JSON.parse(text) as {
AbstractText?: string;
AbstractURL?: string;
AbstractSource?: string;
RelatedTopics?: Array<{
Text?: string;
FirstURL?: string;
Result?: string;
Topics?: Array<{ Text?: string; FirstURL?: string }>;
}>;
};
const results: SearchResult[] = [];
// Main abstract result
if (data.AbstractText && data.AbstractURL) {
results.push({
title: data.AbstractSource ?? 'DuckDuckGo Abstract',
url: data.AbstractURL,
snippet: data.AbstractText,
});
}
// Related topics
for (const topic of data.RelatedTopics ?? []) {
if (results.length >= limit) break;
if (topic.Text && topic.FirstURL) {
results.push({
title: topic.Text.slice(0, 120),
url: topic.FirstURL,
snippet: topic.Text,
});
}
// Sub-topics
for (const sub of topic.Topics ?? []) {
if (results.length >= limit) break;
if (sub.Text && sub.FirstURL) {
results.push({
title: sub.Text.slice(0, 120),
url: sub.FirstURL,
snippet: sub.Text,
});
}
}
}
return { provider: 'duckduckgo', query, results: results.slice(0, limit) };
} catch (err) {
return {
provider: 'duckduckgo',
query,
results: [],
error: err instanceof Error ? err.message : String(err),
};
}
}
// ─── Provider resolution ─────────────────────────────────────────────────────
type SearchProvider = 'brave' | 'tavily' | 'searxng' | 'duckduckgo' | 'auto';
function getAvailableProviders(): SearchProvider[] {
const available: SearchProvider[] = [];
if (process.env['BRAVE_API_KEY']) available.push('brave');
if (process.env['TAVILY_API_KEY']) available.push('tavily');
if (process.env['SEARXNG_URL']) available.push('searxng');
// DuckDuckGo is always available (no API key needed)
available.push('duckduckgo');
return available;
}
async function executeSearch(
provider: SearchProvider,
query: string,
limit: number,
): Promise<SearchResponse> {
switch (provider) {
case 'brave':
return searchBrave(query, limit);
case 'tavily':
return searchTavily(query, limit);
case 'searxng':
return searchSearxng(query, limit);
case 'duckduckgo':
return searchDuckDuckGo(query, limit);
case 'auto': {
// Try providers in priority order: Brave > Tavily > SearXNG > DuckDuckGo
const available = getAvailableProviders();
for (const p of available) {
const result = await executeSearch(p, query, limit);
if (!result.error && result.results.length > 0) return result;
}
// Fall back to DuckDuckGo if everything failed
return searchDuckDuckGo(query, limit);
}
}
}
function formatSearchResults(response: SearchResponse): string {
const lines: string[] = [];
lines.push(`Search provider: ${response.provider}`);
lines.push(`Query: "${response.query}"`);
if (response.error) {
lines.push(`Error: ${response.error}`);
}
if (response.results.length === 0) {
lines.push('No results found.');
} else {
lines.push(`Results (${response.results.length}):\n`);
for (let i = 0; i < response.results.length; i++) {
const r = response.results[i]!;
lines.push(`${i + 1}. ${r.title}`);
lines.push(` URL: ${r.url}`);
lines.push(` ${r.snippet}`);
lines.push('');
}
}
return lines.join('\n');
}
// ─── Tool exports ────────────────────────────────────────────────────────────
export function createSearchTools(): ToolDefinition[] {
const webSearch: ToolDefinition = {
name: 'web_search',
label: 'Web Search',
description:
'Search the web using configured search providers. ' +
'Supports Brave, Tavily, SearXNG, and DuckDuckGo. ' +
'Use "auto" provider to pick the best available. ' +
'DuckDuckGo is always available as a fallback (no API key needed).',
parameters: Type.Object({
query: Type.String({ description: 'Search query' }),
provider: Type.Optional(
Type.String({
description:
'Search provider: "auto" (default), "brave", "tavily", "searxng", or "duckduckgo"',
}),
),
limit: Type.Optional(
Type.Number({ description: `Max results to return (default 5, max ${MAX_RESULTS})` }),
),
}),
async execute(_toolCallId, params) {
const { query, provider, limit } = params as {
query: string;
provider?: string;
limit?: number;
};
const effectiveProvider = (provider ?? 'auto') as SearchProvider;
const validProviders = ['auto', 'brave', 'tavily', 'searxng', 'duckduckgo'];
if (!validProviders.includes(effectiveProvider)) {
return {
content: [
{
type: 'text' as const,
text: `Invalid provider "${provider}". Valid: ${validProviders.join(', ')}`,
},
],
details: undefined,
};
}
const effectiveLimit = Math.min(Math.max(limit ?? 5, 1), MAX_RESULTS);
try {
const response = await executeSearch(effectiveProvider, query, effectiveLimit);
return {
content: [{ type: 'text' as const, text: formatSearchResults(response) }],
details: undefined,
};
} catch (err) {
return {
content: [
{
type: 'text' as const,
text: `Search failed: ${err instanceof Error ? err.message : String(err)}`,
},
],
details: undefined,
};
}
},
};
const webSearchNews: ToolDefinition = {
name: 'web_search_news',
label: 'Web Search (News)',
description:
'Search for recent news articles. Uses Brave News API if available, falls back to standard search with news keywords.',
parameters: Type.Object({
query: Type.String({ description: 'News search query' }),
limit: Type.Optional(
Type.Number({ description: `Max results (default 5, max ${MAX_RESULTS})` }),
),
}),
async execute(_toolCallId, params) {
const { query, limit } = params as { query: string; limit?: number };
const effectiveLimit = Math.min(Math.max(limit ?? 5, 1), MAX_RESULTS);
// Try Brave News API first (dedicated news endpoint)
const braveKey = process.env['BRAVE_API_KEY'];
if (braveKey) {
try {
const newsParams = new URLSearchParams({
q: query,
count: String(effectiveLimit),
});
const res = await fetchWithTimeout(
`https://api.search.brave.com/res/v1/news/search?${newsParams}`,
{
headers: {
'X-Subscription-Token': braveKey,
Accept: 'application/json',
},
},
DEFAULT_TIMEOUT_MS,
);
if (res.ok) {
const data = (await res.json()) as {
results?: Array<{
title: string;
url: string;
description: string;
age?: string;
}>;
};
const results: SearchResult[] = (data.results ?? [])
.slice(0, effectiveLimit)
.map((r) => ({
title: r.title + (r.age ? ` (${r.age})` : ''),
url: r.url,
snippet: r.description,
}));
const response: SearchResponse = { provider: 'brave-news', query, results };
return {
content: [{ type: 'text' as const, text: formatSearchResults(response) }],
details: undefined,
};
}
} catch {
// Fall through to generic search
}
}
// Fallback: standard search with "news" appended
const newsQuery = `${query} news latest`;
const response = await executeSearch('auto', newsQuery, effectiveLimit);
return {
content: [{ type: 'text' as const, text: formatSearchResults(response) }],
details: undefined,
};
},
};
const searchProviders: ToolDefinition = {
name: 'web_search_providers',
label: 'List Search Providers',
description: 'List the currently available and configured web search providers.',
parameters: Type.Object({}),
async execute() {
const available = getAvailableProviders();
const allProviders = [
{ name: 'brave', configured: !!process.env['BRAVE_API_KEY'], envVar: 'BRAVE_API_KEY' },
{ name: 'tavily', configured: !!process.env['TAVILY_API_KEY'], envVar: 'TAVILY_API_KEY' },
{ name: 'searxng', configured: !!process.env['SEARXNG_URL'], envVar: 'SEARXNG_URL' },
{ name: 'duckduckgo', configured: true, envVar: '(none — always available)' },
];
const lines = ['Search providers:\n'];
for (const p of allProviders) {
const status = p.configured ? '✓ configured' : '✗ not configured';
lines.push(` ${p.name}: ${status} (${p.envVar})`);
}
lines.push(`\nActive providers for "auto" mode: ${available.join(', ')}`);
return {
content: [{ type: 'text' as const, text: lines.join('\n') }],
details: undefined,
};
},
};
return [webSearch, webSearchNews, searchProviders];
}

6
apps/gateway/src/app.module.ts
View File

@@ -1,7 +1,6 @@
import { Module } from '@nestjs/common';
import { APP_GUARD } from '@nestjs/core';
import { HealthController } from './health/health.controller.js';
import { ConfigModule } from './config/config.module.js';
import { DatabaseModule } from './database/database.module.js';
import { AuthModule } from './auth/auth.module.js';
import { BrainModule } from './brain/brain.module.js';
@@ -23,14 +22,11 @@ import { PreferencesModule } from './preferences/preferences.module.js';
import { GCModule } from './gc/gc.module.js';
import { ReloadModule } from './reload/reload.module.js';
import { WorkspaceModule } from './workspace/workspace.module.js';
import { QueueModule } from './queue/queue.module.js';
import { FederationModule } from './federation/federation.module.js';
import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
@Module({
imports: [
ThrottlerModule.forRoot([{ name: 'default', ttl: 60_000, limit: 60 }]),
ConfigModule,
DatabaseModule,
AuthModule,
BrainModule,
@@ -50,10 +46,8 @@ import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
PreferencesModule,
CommandsModule,
GCModule,
QueueModule,
ReloadModule,
WorkspaceModule,
FederationModule,
],
controllers: [HealthController],
providers: [

2
apps/gateway/src/auth/auth.controller.ts
View File

@@ -1,6 +1,6 @@
import type { IncomingMessage, ServerResponse } from 'node:http';
import { toNodeHandler } from 'better-auth/node';
import type { Auth } from '@mosaicstack/auth';
import type { Auth } from '@mosaic/auth';
import type { NestFastifyApplication } from '@nestjs/platform-fastify';
import { AUTH } from './auth.tokens.js';

2
apps/gateway/src/auth/auth.guard.ts
View File

@@ -6,7 +6,7 @@ import {
UnauthorizedException,
} from '@nestjs/common';
import { fromNodeHeaders } from 'better-auth/node';
import type { Auth } from '@mosaicstack/auth';
import type { Auth } from '@mosaic/auth';
import type { FastifyRequest } from 'fastify';
import { AUTH } from './auth.tokens.js';

8
apps/gateway/src/auth/auth.module.ts
View File

@@ -1,20 +1,18 @@
import { Global, Module } from '@nestjs/common';
import { createAuth, type Auth } from '@mosaicstack/auth';
import type { Db } from '@mosaicstack/db';
import { createAuth, type Auth } from '@mosaic/auth';
import type { Db } from '@mosaic/db';
import { DB } from '../database/database.module.js';
import { AUTH } from './auth.tokens.js';
import { SsoController } from './sso.controller.js';
@Global()
@Module({
controllers: [SsoController],
providers: [
{
provide: AUTH,
useFactory: (db: Db): Auth =>
createAuth({
db,
baseURL: process.env['BETTER_AUTH_URL'] ?? 'http://localhost:14242',
baseURL: process.env['BETTER_AUTH_URL'] ?? 'http://localhost:4000',
secret: process.env['BETTER_AUTH_SECRET'],
}),
inject: [DB],

40
apps/gateway/src/auth/sso.controller.spec.ts
View File

@@ -1,40 +0,0 @@
import { afterEach, describe, expect, it, vi } from 'vitest';
import { SsoController } from './sso.controller.js';
describe('SsoController', () => {
afterEach(() => {
vi.unstubAllEnvs();
});
it('lists configured OIDC providers', () => {
vi.stubEnv('WORKOS_CLIENT_ID', 'workos-client');
vi.stubEnv('WORKOS_CLIENT_SECRET', 'workos-secret');
vi.stubEnv('WORKOS_ISSUER', 'https://auth.workos.com/sso/client_123');
const controller = new SsoController();
const providers = controller.list();
expect(providers.find((provider) => provider.id === 'workos')).toMatchObject({
configured: true,
loginMode: 'oidc',
callbackPath: '/api/auth/oauth2/callback/workos',
teamSync: { enabled: true, claim: 'organization_id' },
});
});
it('prefers SAML fallback for Keycloak when only the SAML login URL is configured', () => {
vi.stubEnv('KEYCLOAK_SAML_LOGIN_URL', 'https://sso.example.com/realms/mosaic/protocol/saml');
const controller = new SsoController();
const providers = controller.list();
expect(providers.find((provider) => provider.id === 'keycloak')).toMatchObject({
configured: true,
loginMode: 'saml',
samlFallback: {
configured: true,
loginUrl: 'https://sso.example.com/realms/mosaic/protocol/saml',
},
});
});
});

10
apps/gateway/src/auth/sso.controller.ts
View File

@@ -1,10 +0,0 @@
import { Controller, Get } from '@nestjs/common';
import { buildSsoDiscovery, type SsoProviderDiscovery } from '@mosaicstack/auth';
@Controller('api/sso/providers')
export class SsoController {
@Get()
list(): SsoProviderDiscovery[] {
return buildSsoDiscovery();
}
}

4
apps/gateway/src/brain/brain.module.ts
View File

@@ -1,6 +1,6 @@
import { Global, Module } from '@nestjs/common';
import { createBrain, type Brain } from '@mosaicstack/brain';
import type { Db } from '@mosaicstack/db';
import { createBrain, type Brain } from '@mosaic/brain';
import type { Db } from '@mosaic/db';
import { DB } from '../database/database.module.js';
import { BRAIN } from './brain.tokens.js';

1
apps/gateway/src/chat/__tests__/chat-security.test.ts
View File

@@ -1,4 +1,3 @@
import 'reflect-metadata';
import { readFileSync } from 'node:fs';
import { resolve } from 'node:path';
import { validateSync } from 'class-validator';

469
apps/gateway/src/chat/chat.gateway.ts
View File

@@ -11,45 +11,16 @@ import {
} from '@nestjs/websockets';
import { Server, Socket } from 'socket.io';
import type { AgentSessionEvent } from '@mariozechner/pi-coding-agent';
import type { Auth } from '@mosaicstack/auth';
import type { Brain } from '@mosaicstack/brain';
import type {
SetThinkingPayload,
SlashCommandPayload,
SystemReloadPayload,
RoutingDecisionInfo,
AbortPayload,
} from '@mosaicstack/types';
import { AgentService, type ConversationHistoryMessage } from '../agent/agent.service.js';
import type { Auth } from '@mosaic/auth';
import type { SetThinkingPayload, SlashCommandPayload, SystemReloadPayload } from '@mosaic/types';
import { AgentService } from '../agent/agent.service.js';
import { AUTH } from '../auth/auth.tokens.js';
import { BRAIN } from '../brain/brain.tokens.js';
import { CommandRegistryService } from '../commands/command-registry.service.js';
import { CommandExecutorService } from '../commands/command-executor.service.js';
import { RoutingEngineService } from '../agent/routing/routing-engine.service.js';
import { v4 as uuid } from 'uuid';
import { ChatSocketMessageDto } from './chat.dto.js';
import { validateSocketSession } from './chat.gateway-auth.js';
/** Per-client state tracking streaming accumulation for persistence. */
interface ClientSession {
conversationId: string;
cleanup: () => void;
/** Accumulated assistant response text for the current turn. */
assistantText: string;
/** Tool calls observed during the current turn. */
toolCalls: Array<{ toolCallId: string; toolName: string; args: unknown; isError: boolean }>;
/** Tool calls in-flight (started but not ended yet). */
pendingToolCalls: Map<string, { toolName: string; args: unknown }>;
/** Last routing decision made for this session (M4-008) */
lastRoutingDecision?: RoutingDecisionInfo;
}
/**
* Per-conversation model overrides set via /model command (M4-007).
* Keyed by conversationId, value is the model name to use.
*/
const modelOverrides = new Map<string, string>();
@WebSocketGateway({
cors: {
origin: process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000',
@@ -61,15 +32,16 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
server!: Server;
private readonly logger = new Logger(ChatGateway.name);
private readonly clientSessions = new Map<string, ClientSession>();
private readonly clientSessions = new Map<
string,
{ conversationId: string; cleanup: () => void }
>();
constructor(
@Inject(AgentService) private readonly agentService: AgentService,
@Inject(AUTH) private readonly auth: Auth,
@Inject(BRAIN) private readonly brain: Brain,
@Inject(CommandRegistryService) private readonly commandRegistry: CommandRegistryService,
@Inject(CommandExecutorService) private readonly commandExecutor: CommandExecutorService,
@Inject(RoutingEngineService) private readonly routingEngine: RoutingEngineService,
) {}
afterInit(): void {
@@ -108,78 +80,20 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
@MessageBody() data: ChatSocketMessageDto,
): Promise<void> {
const conversationId = data.conversationId ?? uuid();
const userId = (client.data.user as { id: string } | undefined)?.id;
this.logger.log(`Message from ${client.id} in conversation ${conversationId}`);
// Ensure agent session exists for this conversation
let sessionRoutingDecision: RoutingDecisionInfo | undefined;
try {
let agentSession = this.agentService.getSession(conversationId);
if (!agentSession) {
// When resuming an existing conversation, load prior messages to inject as context (M1-004)
const conversationHistory = await this.loadConversationHistory(conversationId, userId);
// M5-004: Check if there's an existing sessionId bound to this conversation
let existingSessionId: string | undefined;
if (userId) {
existingSessionId = await this.getConversationSessionId(conversationId, userId);
if (existingSessionId) {
this.logger.log(
`Resuming existing sessionId=${existingSessionId} for conversation=${conversationId}`,
);
}
}
// Determine provider/model via routing engine or per-session /model override (M4-012 / M4-007)
let resolvedProvider = data.provider;
let resolvedModelId = data.modelId;
const modelOverride = modelOverrides.get(conversationId);
if (modelOverride) {
// /model override bypasses routing engine (M4-007)
resolvedModelId = modelOverride;
this.logger.log(
`Using /model override "${modelOverride}" for conversation=${conversationId}`,
);
} else if (!resolvedProvider && !resolvedModelId) {
// No explicit provider/model from client — use routing engine (M4-012)
try {
const routingDecision = await this.routingEngine.resolve(data.content, userId);
resolvedProvider = routingDecision.provider;
resolvedModelId = routingDecision.model;
sessionRoutingDecision = {
model: routingDecision.model,
provider: routingDecision.provider,
ruleName: routingDecision.ruleName,
reason: routingDecision.reason,
};
this.logger.log(
`Routing decision for conversation=${conversationId}: ${routingDecision.provider}/${routingDecision.model} (rule="${routingDecision.ruleName}")`,
);
} catch (routingErr) {
this.logger.warn(
`Routing engine failed for conversation=${conversationId}, using defaults`,
routingErr instanceof Error ? routingErr.message : String(routingErr),
);
}
}
// M5-004: Use existingSessionId as sessionId when available (session reuse)
const sessionIdToCreate = existingSessionId ?? conversationId;
agentSession = await this.agentService.createSession(sessionIdToCreate, {
provider: resolvedProvider,
modelId: resolvedModelId,
const userId = (client.data.user as { id: string } | undefined)?.id;
agentSession = await this.agentService.createSession(conversationId, {
provider: data.provider,
modelId: data.modelId,
agentConfigId: data.agentId,
userId,
conversationHistory: conversationHistory.length > 0 ? conversationHistory : undefined,
});
if (conversationHistory.length > 0) {
this.logger.log(
`Loaded ${conversationHistory.length} prior messages for conversation=${conversationId}`,
);
}
}
} catch (err) {
this.logger.error(
@@ -193,38 +107,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
return;
}
// Ensure conversation record exists in the DB before persisting messages
// M5-004: Also bind the sessionId to the conversation record
if (userId) {
await this.ensureConversation(conversationId, userId);
await this.bindSessionToConversation(conversationId, userId, conversationId);
}
// M5-007: Count the user message
this.agentService.recordMessage(conversationId);
// Persist the user message
if (userId) {
try {
await this.brain.conversations.addMessage(
{
conversationId,
role: 'user',
content: data.content,
metadata: {
timestamp: new Date().toISOString(),
},
},
userId,
);
} catch (err) {
this.logger.error(
`Failed to persist user message for conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
}
}
// Always clean up previous listener to prevent leak
const existing = this.clientSessions.get(client.id);
if (existing) {
@@ -236,24 +118,12 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
this.relayEvent(client, conversationId, event);
});
// Preserve routing decision from the existing client session if we didn't get a new one
const prevClientSession = this.clientSessions.get(client.id);
const routingDecisionToStore = sessionRoutingDecision ?? prevClientSession?.lastRoutingDecision;
this.clientSessions.set(client.id, {
conversationId,
cleanup,
assistantText: '',
toolCalls: [],
pendingToolCalls: new Map(),
lastRoutingDecision: routingDecisionToStore,
});
this.clientSessions.set(client.id, { conversationId, cleanup });
// Track channel connection
this.agentService.addChannel(conversationId, `websocket:${client.id}`);
// Send session info so the client knows the model/provider (M4-008: include routing decision)
// Include agentName when a named agent config is active (M5-001)
// Send session info so the client knows the model/provider
{
const agentSession = this.agentService.getSession(conversationId);
if (agentSession) {
@@ -264,8 +134,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
modelId: agentSession.modelId,
thinkingLevel: piSession.thinkingLevel,
availableThinkingLevels: piSession.getAvailableThinkingLevels(),
...(agentSession.agentName ? { agentName: agentSession.agentName } : {}),
...(routingDecisionToStore ? { routingDecision: routingDecisionToStore } : {}),
});
}
}
@@ -322,42 +190,9 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
modelId: session.modelId,
thinkingLevel: session.piSession.thinkingLevel,
availableThinkingLevels: session.piSession.getAvailableThinkingLevels(),
...(session.agentName ? { agentName: session.agentName } : {}),
});
}
@SubscribeMessage('abort')
async handleAbort(
@ConnectedSocket() client: Socket,
@MessageBody() data: AbortPayload,
): Promise<void> {
const conversationId = data.conversationId;
this.logger.log(`Abort requested by ${client.id} for conversation ${conversationId}`);
const session = this.agentService.getSession(conversationId);
if (!session) {
client.emit('error', {
conversationId,
error: 'No active session to abort.',
});
return;
}
try {
await session.piSession.abort();
this.logger.log(`Agent session ${conversationId} aborted successfully`);
} catch (err) {
this.logger.error(
`Failed to abort session ${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
client.emit('error', {
conversationId,
error: 'Failed to abort the agent operation.',
});
}
}
@SubscribeMessage('command:execute')
async handleCommandExecute(
@ConnectedSocket() client: Socket,
@@ -373,160 +208,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
this.logger.log('Broadcasted system:reload to all connected clients');
}
/**
* Set a per-conversation model override (M4-007 / M5-002).
* When set, the routing engine is bypassed and the specified model is used.
* Pass null to clear the override and resume automatic routing.
* M5-005: Emits session:info to clients subscribed to this conversation when a model is set.
* M5-007: Records a model switch in session metrics.
*/
setModelOverride(conversationId: string, modelName: string | null): void {
if (modelName) {
modelOverrides.set(conversationId, modelName);
this.logger.log(`Model override set: conversation=${conversationId} model="${modelName}"`);
// M5-002: Update the live session's modelId so session:info reflects the new model immediately
this.agentService.updateSessionModel(conversationId, modelName);
// M5-005: Broadcast session:info to all clients subscribed to this conversation
this.broadcastSessionInfo(conversationId);
} else {
modelOverrides.delete(conversationId);
this.logger.log(`Model override cleared: conversation=${conversationId}`);
}
}
/**
* Return the active model override for a conversation, or undefined if none.
*/
getModelOverride(conversationId: string): string | undefined {
return modelOverrides.get(conversationId);
}
/**
* M5-005: Broadcast session:info to all clients currently subscribed to a conversation.
* Called on model or agent switch to ensure the TUI TopBar updates immediately.
*/
broadcastSessionInfo(
conversationId: string,
extra?: { agentName?: string; routingDecision?: RoutingDecisionInfo },
): void {
const agentSession = this.agentService.getSession(conversationId);
if (!agentSession) return;
const piSession = agentSession.piSession;
const resolvedAgentName = extra?.agentName ?? agentSession.agentName;
const payload = {
conversationId,
provider: agentSession.provider,
modelId: agentSession.modelId,
thinkingLevel: piSession.thinkingLevel,
availableThinkingLevels: piSession.getAvailableThinkingLevels(),
...(resolvedAgentName ? { agentName: resolvedAgentName } : {}),
...(extra?.routingDecision ? { routingDecision: extra.routingDecision } : {}),
};
// Emit to all clients currently subscribed to this conversation
for (const [clientId, session] of this.clientSessions) {
if (session.conversationId === conversationId) {
const socket = this.server.sockets.sockets.get(clientId);
if (socket?.connected) {
socket.emit('session:info', payload);
}
}
}
}
/**
* Ensure a conversation record exists in the DB.
* Creates it if absent — safe to call concurrently since a duplicate insert
* would fail on the PK constraint and be caught here.
*/
private async ensureConversation(conversationId: string, userId: string): Promise<void> {
try {
const existing = await this.brain.conversations.findById(conversationId, userId);
if (!existing) {
await this.brain.conversations.create({
id: conversationId,
userId,
});
}
} catch (err) {
this.logger.error(
`Failed to ensure conversation record for conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
}
}
/**
* M5-004: Bind the agent sessionId to the conversation record in the DB.
* Updates the sessionId column so future resumes can reuse the session.
*/
private async bindSessionToConversation(
conversationId: string,
userId: string,
sessionId: string,
): Promise<void> {
try {
await this.brain.conversations.update(conversationId, userId, { sessionId });
} catch (err) {
this.logger.error(
`Failed to bind sessionId=${sessionId} to conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
}
}
/**
* M5-004: Retrieve the sessionId bound to a conversation, if any.
* Returns undefined when the conversation does not exist or has no bound session.
*/
private async getConversationSessionId(
conversationId: string,
userId: string,
): Promise<string | undefined> {
try {
const conv = await this.brain.conversations.findById(conversationId, userId);
return conv?.sessionId ?? undefined;
} catch (err) {
this.logger.error(
`Failed to get sessionId for conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
return undefined;
}
}
/**
* Load prior conversation messages from DB for context injection on session resume (M1-004).
* Returns an empty array when no history exists, the conversation is not owned by the user,
* or userId is not provided.
*/
private async loadConversationHistory(
conversationId: string,
userId: string | undefined,
): Promise<ConversationHistoryMessage[]> {
if (!userId) return [];
try {
const messages = await this.brain.conversations.findMessages(conversationId, userId);
if (messages.length === 0) return [];
return messages.map((msg) => ({
role: msg.role as 'user' | 'assistant' | 'system',
content: msg.content,
createdAt: msg.createdAt,
}));
} catch (err) {
this.logger.error(
`Failed to load conversation history for conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
return [];
}
}
private relayEvent(client: Socket, conversationId: string, event: AgentSessionEvent): void {
if (!client.connected) {
this.logger.warn(
@@ -536,17 +217,9 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
}
switch (event.type) {
case 'agent_start': {
// Reset accumulation buffers for the new turn
const cs = this.clientSessions.get(client.id);
if (cs) {
cs.assistantText = '';
cs.toolCalls = [];
cs.pendingToolCalls.clear();
}
case 'agent_start':
client.emit('agent:start', { conversationId });
break;
}
case 'agent_end': {
// Gather usage stats from the Pi session
@@ -555,90 +228,28 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
const stats = piSession?.getSessionStats();
const contextUsage = piSession?.getContextUsage();
const usagePayload = stats
? {
provider: agentSession?.provider ?? 'unknown',
modelId: agentSession?.modelId ?? 'unknown',
thinkingLevel: piSession?.thinkingLevel ?? 'off',
tokens: stats.tokens,
cost: stats.cost,
context: {
percent: contextUsage?.percent ?? null,
window: contextUsage?.contextWindow ?? 0,
},
}
: undefined;
client.emit('agent:end', {
conversationId,
usage: usagePayload,
usage: stats
? {
provider: agentSession?.provider ?? 'unknown',
modelId: agentSession?.modelId ?? 'unknown',
thinkingLevel: piSession?.thinkingLevel ?? 'off',
tokens: stats.tokens,
cost: stats.cost,
context: {
percent: contextUsage?.percent ?? null,
window: contextUsage?.contextWindow ?? 0,
},
}
: undefined,
});
// M5-007: Accumulate token usage in session metrics
if (stats?.tokens) {
this.agentService.recordTokenUsage(conversationId, {
input: stats.tokens.input ?? 0,
output: stats.tokens.output ?? 0,
cacheRead: stats.tokens.cacheRead ?? 0,
cacheWrite: stats.tokens.cacheWrite ?? 0,
total: stats.tokens.total ?? 0,
});
}
// Persist the assistant message with metadata
const cs = this.clientSessions.get(client.id);
const userId = (client.data.user as { id: string } | undefined)?.id;
if (cs && userId && cs.assistantText.trim().length > 0) {
const metadata: Record<string, unknown> = {
timestamp: new Date().toISOString(),
model: agentSession?.modelId ?? 'unknown',
provider: agentSession?.provider ?? 'unknown',
toolCalls: cs.toolCalls,
};
if (stats?.tokens) {
metadata['tokenUsage'] = {
input: stats.tokens.input,
output: stats.tokens.output,
cacheRead: stats.tokens.cacheRead,
cacheWrite: stats.tokens.cacheWrite,
total: stats.tokens.total,
};
}
this.brain.conversations
.addMessage(
{
conversationId,
role: 'assistant',
content: cs.assistantText,
metadata,
},
userId,
)
.catch((err: unknown) => {
this.logger.error(
`Failed to persist assistant message for conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
});
// Reset accumulation
cs.assistantText = '';
cs.toolCalls = [];
cs.pendingToolCalls.clear();
}
break;
}
case 'message_update': {
const assistantEvent = event.assistantMessageEvent;
if (assistantEvent.type === 'text_delta') {
// Accumulate assistant text for persistence
const cs = this.clientSessions.get(client.id);
if (cs) {
cs.assistantText += assistantEvent.delta;
}
client.emit('agent:text', {
conversationId,
text: assistantEvent.delta,
@@ -652,36 +263,15 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
break;
}
case 'tool_execution_start': {
// Track pending tool call for later recording
const cs = this.clientSessions.get(client.id);
if (cs) {
cs.pendingToolCalls.set(event.toolCallId, {
toolName: event.toolName,
args: event.args,
});
}
case 'tool_execution_start':
client.emit('agent:tool:start', {
conversationId,
toolCallId: event.toolCallId,
toolName: event.toolName,
});
break;
}
case 'tool_execution_end': {
// Finalise tool call record
const cs = this.clientSessions.get(client.id);
if (cs) {
const pending = cs.pendingToolCalls.get(event.toolCallId);
cs.toolCalls.push({
toolCallId: event.toolCallId,
toolName: event.toolName,
args: pending?.args ?? null,
isError: event.isError,
});
cs.pendingToolCalls.delete(event.toolCallId);
}
case 'tool_execution_end':
client.emit('agent:tool:end', {
conversationId,
toolCallId: event.toolCallId,
@@ -689,7 +279,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
isError: event.isError,
});
break;
}
}
}
}

38
apps/gateway/src/commands/command-executor-p8012.spec.ts
View File

@@ -1,6 +1,6 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { CommandExecutorService } from './command-executor.service.js';
import type { SlashCommandPayload } from '@mosaicstack/types';
import type { SlashCommandPayload } from '@mosaic/types';
// Minimal mock implementations
const mockRegistry = {
@@ -19,8 +19,6 @@ const mockRegistry = {
const mockAgentService = {
getSession: vi.fn(() => undefined),
applyAgentConfig: vi.fn(),
updateSessionModel: vi.fn(),
};
const mockSystemOverride = {
@@ -40,38 +38,6 @@ const mockRedis = {
del: vi.fn(),
};
// Mock agent config returned by brain.agents.findByName for "my-agent-id"
const mockAgentConfig = {
id: 'my-agent-id',
name: 'my-agent-id',
model: 'claude-sonnet-4-6',
provider: 'anthropic',
systemPrompt: null,
allowedTools: null,
isSystem: false,
ownerId: 'user-123',
status: 'idle',
createdAt: new Date(),
updatedAt: new Date(),
};
const mockBrain = {
agents: {
// findByName resolves with the agent when name matches, undefined otherwise
findByName: vi.fn((name: string) =>
Promise.resolve(name === 'my-agent-id' ? mockAgentConfig : undefined),
),
findById: vi.fn((id: string) =>
Promise.resolve(id === 'my-agent-id' ? mockAgentConfig : undefined),
),
create: vi.fn(),
},
};
const mockChatGateway = {
broadcastSessionInfo: vi.fn(),
};
function buildService(): CommandExecutorService {
return new CommandExecutorService(
mockRegistry as never,
@@ -79,9 +45,7 @@ function buildService(): CommandExecutorService {
mockSystemOverride as never,
mockSessionGC as never,
mockRedis as never,
mockBrain as never,
null,
mockChatGateway as never,
null,
);
}

251
apps/gateway/src/commands/command-executor.service.ts
View File

@@ -1,14 +1,11 @@
import { forwardRef, Inject, Injectable, Logger, Optional } from '@nestjs/common';
import type { QueueHandle } from '@mosaicstack/queue';
import type { Brain } from '@mosaicstack/brain';
import type { SlashCommandPayload, SlashCommandResultPayload } from '@mosaicstack/types';
import type { QueueHandle } from '@mosaic/queue';
import type { SlashCommandPayload, SlashCommandResultPayload } from '@mosaic/types';
import { AgentService } from '../agent/agent.service.js';
import { ChatGateway } from '../chat/chat.gateway.js';
import { SessionGCService } from '../gc/session-gc.service.js';
import { SystemOverrideService } from '../preferences/system-override.service.js';
import { ReloadService } from '../reload/reload.service.js';
import { McpClientService } from '../mcp-client/mcp-client.service.js';
import { BRAIN } from '../brain/brain.tokens.js';
import { COMMANDS_REDIS } from './commands.tokens.js';
import { CommandRegistryService } from './command-registry.service.js';
@@ -22,16 +19,12 @@ export class CommandExecutorService {
@Inject(SystemOverrideService) private readonly systemOverride: SystemOverrideService,
@Inject(SessionGCService) private readonly sessionGC: SessionGCService,
@Inject(COMMANDS_REDIS) private readonly redis: QueueHandle['redis'],
@Inject(BRAIN) private readonly brain: Brain,
@Optional()
@Inject(forwardRef(() => ReloadService))
private readonly reloadService: ReloadService | null,
@Optional()
@Inject(forwardRef(() => ChatGateway))
private readonly chatGateway: ChatGateway | null,
@Optional()
@Inject(McpClientService)
private readonly mcpClient: McpClientService | null,
) {}
async execute(payload: SlashCommandPayload, userId: string): Promise<SlashCommandResultPayload> {
@@ -84,8 +77,8 @@ export class CommandExecutorService {
message: 'Retry last message requested.',
};
case 'gc': {
// Admin-only: system-wide GC sweep across all sessions
const result = await this.sessionGC.sweepOrphans();
// User-scoped sweep for non-admin; system-wide for admin
const result = await this.sessionGC.sweepOrphans(userId);
return {
command: 'gc',
success: true,
@@ -94,7 +87,7 @@ export class CommandExecutorService {
};
}
case 'agent':
return await this.handleAgent(args ?? null, conversationId, userId);
return await this.handleAgent(args ?? null, conversationId);
case 'provider':
return await this.handleProvider(args ?? null, userId, conversationId);
case 'mission':
@@ -109,8 +102,6 @@ export class CommandExecutorService {
};
case 'tools':
return await this.handleTools(conversationId, userId);
case 'mcp':
return await this.handleMcp(args ?? null, conversationId);
case 'reload': {
if (!this.reloadService) {
return {
@@ -147,56 +138,30 @@ export class CommandExecutorService {
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args || args.trim().length === 0) {
// Show current override or usage hint
const currentOverride = this.chatGateway?.getModelOverride(conversationId);
if (currentOverride) {
return {
command: 'model',
conversationId,
success: true,
message: `Current model override: "${currentOverride}". Use /model <name> to change or /model clear to reset.`,
};
}
if (!args) {
return {
command: 'model',
conversationId,
success: true,
message:
'Usage: /model <model-name> — sets a per-session model override (bypasses routing). Use /model clear to reset.',
message: 'Usage: /model <model-name>',
};
}
const modelName = args.trim();
// /model clear removes the override and re-enables automatic routing
if (modelName === 'clear') {
this.chatGateway?.setModelOverride(conversationId, null);
return {
command: 'model',
conversationId,
success: true,
message: 'Model override cleared. Automatic routing will be used for new sessions.',
};
}
// Set the sticky per-session override (M4-007)
this.chatGateway?.setModelOverride(conversationId, modelName);
// Update agent session model if session is active
// For now, acknowledge the request — full wiring done in P8-012
const session = this.agentService.getSession(conversationId);
if (!session) {
return {
command: 'model',
conversationId,
success: true,
message: `Model override set to "${modelName}". Will apply when a new session starts for this conversation.`,
message: `Model switch to "${args}" requested. No active session for this conversation.`,
};
}
return {
command: 'model',
conversationId,
success: true,
message: `Model override set to "${modelName}". The override is active for this conversation and will be used on the next message if a new session is needed.`,
message: `Model switch to "${args}" requested.`,
};
}
@@ -248,14 +213,12 @@ export class CommandExecutorService {
private async handleAgent(
args: string | null,
conversationId: string,
userId: string,
): Promise<SlashCommandResultPayload> {
if (!args) {
return {
command: 'agent',
success: true,
message:
'Usage: /agent <agent-id> | /agent list | /agent new <name> to create a new agent.',
message: 'Usage: /agent <agent-id> to switch, or /agent list to see available agents.',
conversationId,
};
}
@@ -269,101 +232,13 @@ export class CommandExecutorService {
};
}
// M5-006: /agent new <name> — create a new agent config via brain.agents.create()
if (args.startsWith('new')) {
const namePart = args.slice(3).trim();
if (!namePart) {
return {
command: 'agent',
success: false,
message: 'Usage: /agent new <name> — provide a name for the new agent.',
conversationId,
};
}
try {
const defaultProvider = process.env['DEFAULT_PROVIDER'] ?? 'anthropic';
const defaultModel = process.env['DEFAULT_MODEL'] ?? 'claude-sonnet-4-5-20251001';
const newAgent = await this.brain.agents.create({
name: namePart,
provider: defaultProvider,
model: defaultModel,
status: 'idle',
ownerId: userId,
isSystem: false,
});
this.logger.log(`Created new agent "${newAgent.name}" (${newAgent.id}) for user ${userId}`);
return {
command: 'agent',
success: true,
message: `Agent "${newAgent.name}" created with ID: ${newAgent.id}. Configure it via the web dashboard.`,
conversationId,
data: { agentId: newAgent.id, agentName: newAgent.name },
};
} catch (err) {
this.logger.error(`Failed to create agent: ${err}`);
return {
command: 'agent',
success: false,
message: `Failed to create agent: ${String(err)}`,
conversationId,
};
}
}
// M5-003: Look up agent by name (or ID) and apply to session mid-conversation
const agentName = args.trim();
try {
// Try lookup by name first; fall back to ID-based lookup
let agentConfig = await this.brain.agents.findByName(agentName);
if (!agentConfig) {
// Try by ID (UUID-style input)
agentConfig = await this.brain.agents.findById(agentName);
}
if (!agentConfig) {
return {
command: 'agent',
success: false,
message: `Agent "${agentName}" not found. Use /agent list to see available agents.`,
conversationId,
};
}
// Apply the agent config to the live session and emit session:info (M5-003)
this.agentService.applyAgentConfig(
conversationId,
agentConfig.id,
agentConfig.name,
agentConfig.model ?? undefined,
);
// Broadcast updated session:info so TUI TopBar reflects new agent/model
this.chatGateway?.broadcastSessionInfo(conversationId, { agentName: agentConfig.name });
this.logger.log(
`Agent switched to "${agentConfig.name}" (${agentConfig.id}) for conversation ${conversationId} (M5-003)`,
);
return {
command: 'agent',
success: true,
message: `Switched to agent "${agentConfig.name}". System prompt and tools applied. Model: ${agentConfig.model ?? 'default'}.`,
conversationId,
data: { agentId: agentConfig.id, agentName: agentConfig.name, model: agentConfig.model },
};
} catch (err) {
this.logger.error(`Failed to switch agent "${agentName}": ${err}`);
return {
command: 'agent',
success: false,
message: `Failed to switch agent: ${String(err)}`,
conversationId,
};
}
// Switch agent — stub for now (full implementation in P8-015)
return {
command: 'agent',
success: true,
message: `Agent switch to "${args}" requested. Restart conversation to apply.`,
conversationId,
};
}
private async handleProvider(
@@ -495,92 +370,4 @@ export class CommandExecutorService {
conversationId,
};
}
private async handleMcp(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!this.mcpClient) {
return {
command: 'mcp',
conversationId,
success: false,
message: 'MCP client service is not available.',
};
}
const action = args?.trim().split(/\s+/)[0] ?? 'status';
switch (action) {
case 'status':
case 'servers': {
const statuses = this.mcpClient.getServerStatuses();
if (statuses.length === 0) {
return {
command: 'mcp',
conversationId,
success: true,
message:
'No MCP servers configured. Set MCP_SERVERS env var to connect external tool servers.',
};
}
const lines = ['MCP Server Status:\n'];
for (const s of statuses) {
const status = s.connected ? '✓ connected' : '✗ disconnected';
lines.push(` ${s.name}: ${status}`);
lines.push(` URL: ${s.url}`);
lines.push(` Tools: ${s.toolCount}`);
if (s.error) lines.push(` Error: ${s.error}`);
lines.push('');
}
const tools = this.mcpClient.getToolDefinitions();
if (tools.length > 0) {
lines.push(`Total bridged tools: ${tools.length}`);
lines.push(`Tool names: ${tools.map((t) => t.name).join(', ')}`);
}
return {
command: 'mcp',
conversationId,
success: true,
message: lines.join('\n'),
};
}
case 'reconnect': {
const serverName = args?.trim().split(/\s+/).slice(1).join(' ');
if (!serverName) {
return {
command: 'mcp',
conversationId,
success: false,
message: 'Usage: /mcp reconnect <server-name>',
};
}
try {
await this.mcpClient.reconnectServer(serverName);
return {
command: 'mcp',
conversationId,
success: true,
message: `MCP server "${serverName}" reconnected successfully.`,
};
} catch (err) {
return {
command: 'mcp',
conversationId,
success: false,
message: `Failed to reconnect MCP server "${serverName}": ${err instanceof Error ? err.message : String(err)}`,
};
}
}
default:
return {
command: 'mcp',
conversationId,
success: false,
message: `Unknown MCP action: "${action}". Use: /mcp status, /mcp servers, /mcp reconnect <name>`,
};
}
}
}

2
apps/gateway/src/commands/command-registry.service.spec.ts
View File

@@ -1,6 +1,6 @@
import { describe, it, expect, beforeEach } from 'vitest';
import { CommandRegistryService } from './command-registry.service.js';
import type { CommandDef } from '@mosaicstack/types';
import type { CommandDef } from '@mosaic/types';
const mockCmd: CommandDef = {
name: 'test',

23
apps/gateway/src/commands/command-registry.service.ts
View File

@@ -1,5 +1,5 @@
import { Injectable, type OnModuleInit } from '@nestjs/common';
import type { CommandDef, CommandManifest } from '@mosaicstack/types';
import type { CommandDef, CommandManifest } from '@mosaic/types';
@Injectable()
export class CommandRegistryService implements OnModuleInit {
@@ -190,9 +190,9 @@ export class CommandRegistryService implements OnModuleInit {
},
{
name: 'gc',
description: 'Trigger garbage collection sweep (admin only — system-wide)',
description: 'Trigger garbage collection sweep (user-scoped)',
aliases: [],
scope: 'admin',
scope: 'core',
execution: 'socket',
available: true,
},
@@ -260,23 +260,6 @@ export class CommandRegistryService implements OnModuleInit {
execution: 'socket',
available: true,
},
{
name: 'mcp',
description: 'Manage MCP server connections (status/reconnect/servers)',
aliases: [],
args: [
{
name: 'action',
type: 'enum',
optional: true,
values: ['status', 'reconnect', 'servers'],
description: 'Action: status (default), reconnect <name>, servers',
},
],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'reload',
description: 'Soft-reload gateway plugins and command manifest (admin)',

18
apps/gateway/src/commands/commands.integration.spec.ts
View File

@@ -13,7 +13,7 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { CommandRegistryService } from './command-registry.service.js';
import { CommandExecutorService } from './command-executor.service.js';
import type { SlashCommandPayload } from '@mosaicstack/types';
import type { SlashCommandPayload } from '@mosaic/types';
// ─── Mocks ───────────────────────────────────────────────────────────────────
@@ -39,14 +39,6 @@ const mockRedis = {
keys: vi.fn().mockResolvedValue([]),
};
const mockBrain = {
agents: {
findByName: vi.fn().mockResolvedValue(undefined),
findById: vi.fn().mockResolvedValue(undefined),
create: vi.fn(),
},
};
// ─── Helpers ─────────────────────────────────────────────────────────────────
function buildRegistry(): CommandRegistryService {
@@ -62,10 +54,8 @@ function buildExecutor(registry: CommandRegistryService): CommandExecutorService
mockSystemOverride as never,
mockSessionGC as never,
mockRedis as never,
mockBrain as never,
null, // reloadService (optional)
null, // chatGateway (optional)
null, // mcpClient (optional)
);
}
@@ -176,11 +166,11 @@ describe('CommandExecutorService — integration', () => {
expect(result.command).toBe('nonexistent');
});
// /gc handler calls SessionGCService.sweepOrphans (admin-only, no userId arg)
it('/gc calls SessionGCService.sweepOrphans without arguments', async () => {
// /gc handler calls SessionGCService.sweepOrphans
it('/gc calls SessionGCService.sweepOrphans with userId', async () => {
const payload: SlashCommandPayload = { command: 'gc', conversationId };
const result = await executor.execute(payload, userId);
expect(mockSessionGC.sweepOrphans).toHaveBeenCalledWith();
expect(mockSessionGC.sweepOrphans).toHaveBeenCalledWith(userId);
expect(result.success).toBe(true);
expect(result.message).toContain('GC sweep complete');
expect(result.message).toContain('3 orphaned sessions');

2
apps/gateway/src/commands/commands.module.ts
View File

@@ -1,5 +1,5 @@
import { forwardRef, Inject, Module, type OnApplicationShutdown } from '@nestjs/common';
import { createQueue, type QueueHandle } from '@mosaicstack/queue';
import { createQueue, type QueueHandle } from '@mosaic/queue';
import { ChatModule } from '../chat/chat.module.js';
import { GCModule } from '../gc/gc.module.js';
import { ReloadModule } from '../reload/reload.module.js';

16
apps/gateway/src/config/config.module.ts
View File

@@ -1,16 +0,0 @@
import { Global, Module } from '@nestjs/common';
import { loadConfig, type MosaicConfig } from '@mosaicstack/config';
export const MOSAIC_CONFIG = 'MOSAIC_CONFIG';
@Global()
@Module({
providers: [
{
provide: MOSAIC_CONFIG,
useFactory: (): MosaicConfig => loadConfig(),
},
],
exports: [MOSAIC_CONFIG],
})
export class ConfigModule {}

58
apps/gateway/src/conversations/conversations.controller.ts
View File

@@ -1,9 +1,7 @@
import {
BadRequestException,
Body,
Controller,
Delete,
ForbiddenException,
Get,
HttpCode,
HttpStatus,
@@ -12,18 +10,17 @@ import {
Param,
Patch,
Post,
Query,
UseGuards,
} from '@nestjs/common';
import type { Brain } from '@mosaicstack/brain';
import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { assertOwner } from '../auth/resource-ownership.js';
import {
CreateConversationDto,
UpdateConversationDto,
SendMessageDto,
SearchMessagesDto,
} from './conversations.dto.js';
@Controller('api/conversations')
@@ -36,21 +33,9 @@ export class ConversationsController {
return this.brain.conversations.findAll(user.id);
}
@Get('search')
async search(@Query() dto: SearchMessagesDto, @CurrentUser() user: { id: string }) {
if (!dto.q || dto.q.trim().length === 0) {
throw new BadRequestException('Query parameter "q" is required and must not be empty');
}
const limit = dto.limit ?? 20;
const offset = dto.offset ?? 0;
return this.brain.conversations.searchMessages(user.id, dto.q.trim(), limit, offset);
}
@Get(':id')
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const conversation = await this.brain.conversations.findById(id, user.id);
if (!conversation) throw new NotFoundException('Conversation not found');
return conversation;
return this.getOwnedConversation(id, user.id);
}
@Post()
@@ -68,7 +53,8 @@ export class ConversationsController {
@Body() dto: UpdateConversationDto,
@CurrentUser() user: { id: string },
) {
const conversation = await this.brain.conversations.update(id, user.id, dto);
await this.getOwnedConversation(id, user.id);
const conversation = await this.brain.conversations.update(id, dto);
if (!conversation) throw new NotFoundException('Conversation not found');
return conversation;
}
@@ -76,16 +62,15 @@ export class ConversationsController {
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const deleted = await this.brain.conversations.remove(id, user.id);
await this.getOwnedConversation(id, user.id);
const deleted = await this.brain.conversations.remove(id);
if (!deleted) throw new NotFoundException('Conversation not found');
}
@Get(':id/messages')
async listMessages(@Param('id') id: string, @CurrentUser() user: { id: string }) {
// Verify ownership explicitly to return a clear 404 rather than an empty list.
const conversation = await this.brain.conversations.findById(id, user.id);
if (!conversation) throw new NotFoundException('Conversation not found');
return this.brain.conversations.findMessages(id, user.id);
await this.getOwnedConversation(id, user.id);
return this.brain.conversations.findMessages(id);
}
@Post(':id/messages')
@@ -94,16 +79,19 @@ export class ConversationsController {
@Body() dto: SendMessageDto,
@CurrentUser() user: { id: string },
) {
const message = await this.brain.conversations.addMessage(
{
conversationId: id,
role: dto.role,
content: dto.content,
metadata: dto.metadata,
},
user.id,
);
if (!message) throw new ForbiddenException('Conversation not found or access denied');
return message;
await this.getOwnedConversation(id, user.id);
return this.brain.conversations.addMessage({
conversationId: id,
role: dto.role,
content: dto.content,
metadata: dto.metadata,
});
}
private async getOwnedConversation(id: string, userId: string) {
const conversation = await this.brain.conversations.findById(id);
if (!conversation) throw new NotFoundException('Conversation not found');
assertOwner(conversation.userId, userId, 'Conversation');
return conversation;
}
}

23
apps/gateway/src/conversations/conversations.dto.ts
View File

@@ -1,35 +1,12 @@
import {
IsBoolean,
IsIn,
IsInt,
IsObject,
IsOptional,
IsString,
IsUUID,
Max,
MaxLength,
Min,
} from 'class-validator';
import { Type } from 'class-transformer';
export class SearchMessagesDto {
@IsString()
@MaxLength(500)
q!: string;
@IsOptional()
@Type(() => Number)
@IsInt()
@Min(1)
@Max(100)
limit?: number = 20;
@IsOptional()
@Type(() => Number)
@IsInt()
@Min(0)
offset?: number = 0;
}
export class CreateConversationDto {
@IsOptional()

2
apps/gateway/src/coord/coord.service.ts
View File

@@ -8,7 +8,7 @@ import {
type MissionStatusSummary,
type MissionTask,
type TaskDetail,
} from '@mosaicstack/coord';
} from '@mosaic/coord';
import { promises as fs } from 'node:fs';
import path from 'node:path';

33
apps/gateway/src/database/database.module.ts
View File

@@ -1,51 +1,28 @@
import { mkdirSync } from 'node:fs';
import { homedir } from 'node:os';
import { join } from 'node:path';
import { Global, Inject, Module, type OnApplicationShutdown } from '@nestjs/common';
import { createDb, createPgliteDb, type Db, type DbHandle } from '@mosaicstack/db';
import { createStorageAdapter, type StorageAdapter } from '@mosaicstack/storage';
import type { MosaicConfig } from '@mosaicstack/config';
import { MOSAIC_CONFIG } from '../config/config.module.js';
import { createDb, type Db, type DbHandle } from '@mosaic/db';
export const DB_HANDLE = 'DB_HANDLE';
export const DB = 'DB';
export const STORAGE_ADAPTER = 'STORAGE_ADAPTER';
@Global()
@Module({
providers: [
{
provide: DB_HANDLE,
useFactory: (config: MosaicConfig): DbHandle => {
if (config.tier === 'local') {
const dataDir = join(homedir(), '.config', 'mosaic', 'gateway', 'pglite');
mkdirSync(dataDir, { recursive: true });
return createPgliteDb(dataDir);
}
return createDb(config.storage.type === 'postgres' ? config.storage.url : undefined);
},
inject: [MOSAIC_CONFIG],
useFactory: (): DbHandle => createDb(),
},
{
provide: DB,
useFactory: (handle: DbHandle): Db => handle.db,
inject: [DB_HANDLE],
},
{
provide: STORAGE_ADAPTER,
useFactory: (config: MosaicConfig): StorageAdapter => createStorageAdapter(config.storage),
inject: [MOSAIC_CONFIG],
},
],
exports: [DB, STORAGE_ADAPTER],
exports: [DB],
})
export class DatabaseModule implements OnApplicationShutdown {
constructor(
@Inject(DB_HANDLE) private readonly handle: DbHandle,
@Inject(STORAGE_ADAPTER) private readonly storageAdapter: StorageAdapter,
) {}
constructor(@Inject(DB_HANDLE) private readonly handle: DbHandle) {}
async onApplicationShutdown(): Promise<void> {
await Promise.all([this.handle.close(), this.storageAdapter.close()]);
await this.handle.close();
}
}

373
apps/gateway/src/federation/__tests__/enrollment.service.spec.ts
View File

@@ -1,373 +0,0 @@
/**
* Unit tests for EnrollmentService — federation enrollment token flow (FED-M2-07).
*
* Coverage:
* createToken:
* - inserts token row with correct grantId, peerId, and future expiresAt
* - returns { token, expiresAt } with a 64-char hex token
* - clamps ttlSeconds to 900
*
* redeem — error paths:
* - NotFoundException when token row not found
* - GoneException when token already used (usedAt set)
* - GoneException when token expired (expiresAt < now)
* - GoneException when grant status is not pending
*
* redeem — success path:
* - atomically claims token BEFORE cert issuance (claim → issueCert → tx)
* - calls CaService.issueCert with correct args
* - activates grant + updates peer + writes audit log inside a transaction
* - returns { certPem, certChainPem }
*
* redeem — replay protection:
* - GoneException when claim UPDATE returns empty array (concurrent request won)
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { GoneException, NotFoundException } from '@nestjs/common';
import type { Db } from '@mosaicstack/db';
import { EnrollmentService } from '../enrollment.service.js';
// ---------------------------------------------------------------------------
// Test constants
// ---------------------------------------------------------------------------
const GRANT_ID = 'g1111111-1111-1111-1111-111111111111';
const PEER_ID = 'p2222222-2222-2222-2222-222222222222';
const USER_ID = 'u3333333-3333-3333-3333-333333333333';
const TOKEN = 'a'.repeat(64); // 64-char hex
const MOCK_CERT_PEM = '-----BEGIN CERTIFICATE-----\nMOCK\n-----END CERTIFICATE-----\n';
const MOCK_CHAIN_PEM = MOCK_CERT_PEM + MOCK_CERT_PEM;
const MOCK_SERIAL = 'ABCD1234';
// ---------------------------------------------------------------------------
// Factory helpers
// ---------------------------------------------------------------------------
function makeTokenRow(overrides: Partial<Record<string, unknown>> = {}) {
return {
token: TOKEN,
grantId: GRANT_ID,
peerId: PEER_ID,
expiresAt: new Date(Date.now() + 60_000), // 1 min from now
usedAt: null,
createdAt: new Date(),
...overrides,
};
}
function makeGrant(overrides: Partial<Record<string, unknown>> = {}) {
return {
id: GRANT_ID,
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: { resources: ['tasks'], excluded_resources: [], max_rows_per_query: 100 },
status: 'pending',
expiresAt: null,
createdAt: new Date(),
revokedAt: null,
revokedReason: null,
...overrides,
};
}
// ---------------------------------------------------------------------------
// Mock DB builder
// ---------------------------------------------------------------------------
function makeDb({
tokenRows = [makeTokenRow()],
// claimedRows is returned by the .returning() on the token-claim UPDATE.
// Empty array = concurrent request won the race (GoneException).
claimedRows = [{ token: TOKEN }],
}: {
tokenRows?: unknown[];
claimedRows?: unknown[];
} = {}) {
// insert().values() — for createToken (outer db, not tx)
const insertValues = vi.fn().mockResolvedValue(undefined);
const insertMock = vi.fn().mockReturnValue({ values: insertValues });
// select().from().where().limit() — for fetching the token row
const limitSelect = vi.fn().mockResolvedValue(tokenRows);
const whereSelect = vi.fn().mockReturnValue({ limit: limitSelect });
const fromSelect = vi.fn().mockReturnValue({ where: whereSelect });
const selectMock = vi.fn().mockReturnValue({ from: fromSelect });
// update().set().where().returning() — for the atomic token claim (outer db)
const returningMock = vi.fn().mockResolvedValue(claimedRows);
const whereClaimUpdate = vi.fn().mockReturnValue({ returning: returningMock });
const setClaimMock = vi.fn().mockReturnValue({ where: whereClaimUpdate });
const claimUpdateMock = vi.fn().mockReturnValue({ set: setClaimMock });
// transaction(cb) — cb receives txMock; txMock has update + insert
const txInsertValues = vi.fn().mockResolvedValue(undefined);
const txInsertMock = vi.fn().mockReturnValue({ values: txInsertValues });
const txWhereUpdate = vi.fn().mockResolvedValue(undefined);
const txSetMock = vi.fn().mockReturnValue({ where: txWhereUpdate });
const txUpdateMock = vi.fn().mockReturnValue({ set: txSetMock });
const txMock = { update: txUpdateMock, insert: txInsertMock };
const transactionMock = vi
.fn()
.mockImplementation(async (cb: (tx: typeof txMock) => Promise<void>) => cb(txMock));
return {
insert: insertMock,
select: selectMock,
update: claimUpdateMock,
transaction: transactionMock,
_mocks: {
insertValues,
insertMock,
limitSelect,
whereSelect,
fromSelect,
selectMock,
returningMock,
whereClaimUpdate,
setClaimMock,
claimUpdateMock,
txInsertValues,
txInsertMock,
txWhereUpdate,
txSetMock,
txUpdateMock,
txMock,
transactionMock,
},
};
}
// ---------------------------------------------------------------------------
// Mock CaService
// ---------------------------------------------------------------------------
function makeCaService() {
return {
issueCert: vi.fn().mockResolvedValue({
certPem: MOCK_CERT_PEM,
certChainPem: MOCK_CHAIN_PEM,
serialNumber: MOCK_SERIAL,
}),
};
}
// ---------------------------------------------------------------------------
// Mock GrantsService
// ---------------------------------------------------------------------------
function makeGrantsService(grantOverrides: Partial<Record<string, unknown>> = {}) {
return {
getGrant: vi.fn().mockResolvedValue(makeGrant(grantOverrides)),
activateGrant: vi.fn().mockResolvedValue(makeGrant({ status: 'active' })),
};
}
// ---------------------------------------------------------------------------
// Helper: build service under test
// ---------------------------------------------------------------------------
function buildService({
db = makeDb(),
caService = makeCaService(),
grantsService = makeGrantsService(),
}: {
db?: ReturnType<typeof makeDb>;
caService?: ReturnType<typeof makeCaService>;
grantsService?: ReturnType<typeof makeGrantsService>;
} = {}) {
return new EnrollmentService(db as unknown as Db, caService as never, grantsService as never);
}
// ---------------------------------------------------------------------------
// Tests: createToken
// ---------------------------------------------------------------------------
describe('EnrollmentService.createToken', () => {
it('inserts a token row and returns { token, expiresAt }', async () => {
const db = makeDb();
const service = buildService({ db });
const result = await service.createToken({
grantId: GRANT_ID,
peerId: PEER_ID,
ttlSeconds: 900,
});
expect(result.token).toHaveLength(64); // 32 bytes hex
expect(result.expiresAt).toBeDefined();
expect(new Date(result.expiresAt).getTime()).toBeGreaterThan(Date.now());
expect(db._mocks.insertValues).toHaveBeenCalledWith(
expect.objectContaining({ grantId: GRANT_ID, peerId: PEER_ID }),
);
});
it('clamps ttlSeconds to 900', async () => {
const db = makeDb();
const service = buildService({ db });
const before = Date.now();
const result = await service.createToken({
grantId: GRANT_ID,
peerId: PEER_ID,
ttlSeconds: 9999,
});
const after = Date.now();
const expiresMs = new Date(result.expiresAt).getTime();
// Should be at most 900s from now
expect(expiresMs - before).toBeLessThanOrEqual(900_000 + 100);
expect(expiresMs - after).toBeGreaterThanOrEqual(0);
});
});
// ---------------------------------------------------------------------------
// Tests: redeem — error paths
// ---------------------------------------------------------------------------
describe('EnrollmentService.redeem — error paths', () => {
it('throws NotFoundException when token row not found', async () => {
const db = makeDb({ tokenRows: [] });
const service = buildService({ db });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(NotFoundException);
});
it('throws GoneException when usedAt is set (already redeemed)', async () => {
const db = makeDb({ tokenRows: [makeTokenRow({ usedAt: new Date(Date.now() - 1000) })] });
const service = buildService({ db });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(GoneException);
});
it('throws GoneException when token has expired', async () => {
const db = makeDb({ tokenRows: [makeTokenRow({ expiresAt: new Date(Date.now() - 1000) })] });
const service = buildService({ db });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(GoneException);
});
it('throws GoneException when grant status is not pending', async () => {
const db = makeDb();
const grantsService = makeGrantsService({ status: 'active' });
const service = buildService({ db, grantsService });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(GoneException);
});
it('throws GoneException when token claim UPDATE returns empty array (concurrent replay)', async () => {
const db = makeDb({ claimedRows: [] });
const caService = makeCaService();
const grantsService = makeGrantsService();
const service = buildService({ db, caService, grantsService });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(GoneException);
});
it('does NOT call issueCert when token claim fails (no double minting)', async () => {
const db = makeDb({ claimedRows: [] });
const caService = makeCaService();
const service = buildService({ db, caService });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(GoneException);
expect(caService.issueCert).not.toHaveBeenCalled();
});
});
// ---------------------------------------------------------------------------
// Tests: redeem — success path
// ---------------------------------------------------------------------------
describe('EnrollmentService.redeem — success path', () => {
let db: ReturnType<typeof makeDb>;
let caService: ReturnType<typeof makeCaService>;
let grantsService: ReturnType<typeof makeGrantsService>;
let service: EnrollmentService;
beforeEach(() => {
db = makeDb();
caService = makeCaService();
grantsService = makeGrantsService();
service = buildService({ db, caService, grantsService });
});
it('claims token BEFORE calling issueCert (prevents double minting)', async () => {
const callOrder: string[] = [];
db._mocks.returningMock.mockImplementation(async () => {
callOrder.push('claim');
return [{ token: TOKEN }];
});
caService.issueCert.mockImplementation(async () => {
callOrder.push('issueCert');
return { certPem: MOCK_CERT_PEM, certChainPem: MOCK_CHAIN_PEM, serialNumber: MOCK_SERIAL };
});
await service.redeem(TOKEN, MOCK_CERT_PEM);
expect(callOrder).toEqual(['claim', 'issueCert']);
});
it('calls CaService.issueCert with grantId, subjectUserId, csrPem, ttlSeconds=300', async () => {
await service.redeem(TOKEN, MOCK_CERT_PEM);
expect(caService.issueCert).toHaveBeenCalledWith(
expect.objectContaining({
grantId: GRANT_ID,
subjectUserId: USER_ID,
csrPem: MOCK_CERT_PEM,
ttlSeconds: 300,
}),
);
});
it('runs activate grant + peer update + audit inside a transaction', async () => {
await service.redeem(TOKEN, MOCK_CERT_PEM);
expect(db._mocks.transactionMock).toHaveBeenCalledOnce();
// tx.update called twice: activate grant + update peer
expect(db._mocks.txUpdateMock).toHaveBeenCalledTimes(2);
// tx.insert called once: audit log
expect(db._mocks.txInsertMock).toHaveBeenCalledOnce();
});
it('activates grant (sets status=active) inside the transaction', async () => {
await service.redeem(TOKEN, MOCK_CERT_PEM);
expect(db._mocks.txSetMock).toHaveBeenCalledWith(expect.objectContaining({ status: 'active' }));
});
it('updates the federationPeers row with certPem, certSerial, state=active inside the transaction', async () => {
await service.redeem(TOKEN, MOCK_CERT_PEM);
expect(db._mocks.txSetMock).toHaveBeenCalledWith(
expect.objectContaining({
certPem: MOCK_CERT_PEM,
certSerial: MOCK_SERIAL,
state: 'active',
}),
);
});
it('inserts an audit log row inside the transaction', async () => {
await service.redeem(TOKEN, MOCK_CERT_PEM);
expect(db._mocks.txInsertValues).toHaveBeenCalledWith(
expect.objectContaining({
peerId: PEER_ID,
grantId: GRANT_ID,
verb: 'enrollment',
}),
);
});
it('returns { certPem, certChainPem } from CaService', async () => {
const result = await service.redeem(TOKEN, MOCK_CERT_PEM);
expect(result).toEqual({
certPem: MOCK_CERT_PEM,
certChainPem: MOCK_CHAIN_PEM,
});
});
});

212
apps/gateway/src/federation/__tests__/federation.controller.spec.ts
View File

@@ -1,212 +0,0 @@
/**
* Unit tests for FederationController (FED-M2-08).
*
* Coverage:
* - listGrants: delegates to GrantsService with query params
* - createGrant: delegates to GrantsService, validates body
* - generateToken: returns enrollmentUrl containing the token
* - listPeers: returns DB rows
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { NotFoundException } from '@nestjs/common';
import type { Db } from '@mosaicstack/db';
import { FederationController } from '../federation.controller.js';
import type { GrantsService } from '../grants.service.js';
import type { EnrollmentService } from '../enrollment.service.js';
// ---------------------------------------------------------------------------
// Constants
// ---------------------------------------------------------------------------
const GRANT_ID = 'g1111111-1111-1111-1111-111111111111';
const PEER_ID = 'p2222222-2222-2222-2222-222222222222';
const USER_ID = 'u3333333-3333-3333-3333-333333333333';
const MOCK_GRANT = {
id: GRANT_ID,
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: { resources: ['tasks'], operations: ['list'] },
status: 'pending' as const,
expiresAt: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
revokedAt: null,
revokedReason: null,
};
const MOCK_PEER = {
id: PEER_ID,
commonName: 'test-peer',
displayName: 'Test Peer',
certPem: '',
certSerial: 'pending',
certNotAfter: new Date(0),
clientKeyPem: null,
state: 'pending' as const,
endpointUrl: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
updatedAt: new Date('2026-01-01T00:00:00Z'),
};
// ---------------------------------------------------------------------------
// DB mock builder
// ---------------------------------------------------------------------------
function makeDbMock(rows: unknown[] = []) {
const orderBy = vi.fn().mockResolvedValue(rows);
const where = vi.fn().mockReturnValue({ orderBy });
const from = vi.fn().mockReturnValue({ where, orderBy });
const select = vi.fn().mockReturnValue({ from });
return {
select,
from,
where,
orderBy,
insert: vi.fn(),
update: vi.fn(),
delete: vi.fn(),
} as unknown as Db;
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
describe('FederationController', () => {
let db: Db;
let grantsService: GrantsService;
let enrollmentService: EnrollmentService;
let controller: FederationController;
beforeEach(() => {
db = makeDbMock([MOCK_PEER]);
grantsService = {
createGrant: vi.fn().mockResolvedValue(MOCK_GRANT),
getGrant: vi.fn().mockResolvedValue(MOCK_GRANT),
listGrants: vi.fn().mockResolvedValue([MOCK_GRANT]),
revokeGrant: vi.fn().mockResolvedValue({ ...MOCK_GRANT, status: 'revoked' }),
activateGrant: vi.fn(),
expireGrant: vi.fn(),
} as unknown as GrantsService;
enrollmentService = {
createToken: vi.fn().mockResolvedValue({
token: 'abc123def456abc123def456abc123def456abc123def456abc123def456ab12',
expiresAt: '2026-01-01T00:15:00.000Z',
}),
redeem: vi.fn(),
} as unknown as EnrollmentService;
controller = new FederationController(db, grantsService, enrollmentService);
});
// ─── Grant management ──────────────────────────────────────────────────
describe('listGrants', () => {
it('delegates to GrantsService with provided query params', async () => {
const query = { peerId: PEER_ID, status: 'pending' as const };
const result = await controller.listGrants(query);
expect(grantsService.listGrants).toHaveBeenCalledWith(query);
expect(result).toEqual([MOCK_GRANT]);
});
it('delegates to GrantsService with empty filters', async () => {
const result = await controller.listGrants({});
expect(grantsService.listGrants).toHaveBeenCalledWith({});
expect(result).toEqual([MOCK_GRANT]);
});
});
describe('createGrant', () => {
it('delegates to GrantsService and returns created grant', async () => {
const body = {
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: { resources: ['tasks'], operations: ['list'] },
};
const result = await controller.createGrant(body);
expect(grantsService.createGrant).toHaveBeenCalledWith(body);
expect(result).toEqual(MOCK_GRANT);
});
});
describe('getGrant', () => {
it('delegates to GrantsService with provided ID', async () => {
const result = await controller.getGrant(GRANT_ID);
expect(grantsService.getGrant).toHaveBeenCalledWith(GRANT_ID);
expect(result).toEqual(MOCK_GRANT);
});
});
describe('revokeGrant', () => {
it('delegates to GrantsService with id and reason', async () => {
const result = await controller.revokeGrant(GRANT_ID, { reason: 'test reason' });
expect(grantsService.revokeGrant).toHaveBeenCalledWith(GRANT_ID, 'test reason');
expect(result).toMatchObject({ status: 'revoked' });
});
it('delegates without reason when omitted', async () => {
await controller.revokeGrant(GRANT_ID, {});
expect(grantsService.revokeGrant).toHaveBeenCalledWith(GRANT_ID, undefined);
});
});
describe('generateToken', () => {
it('returns enrollmentUrl containing the token', async () => {
const token = 'abc123def456abc123def456abc123def456abc123def456abc123def456ab12';
vi.mocked(enrollmentService.createToken).mockResolvedValueOnce({
token,
expiresAt: '2026-01-01T00:15:00.000Z',
});
const result = await controller.generateToken(GRANT_ID, { ttlSeconds: 900 });
expect(result.token).toBe(token);
expect(result.enrollmentUrl).toContain(token);
expect(result.enrollmentUrl).toContain('/api/federation/enrollment/');
});
it('creates token via EnrollmentService with correct grantId and peerId', async () => {
await controller.generateToken(GRANT_ID, { ttlSeconds: 300 });
expect(enrollmentService.createToken).toHaveBeenCalledWith({
grantId: GRANT_ID,
peerId: PEER_ID,
ttlSeconds: 300,
});
});
it('throws NotFoundException when grant does not exist', async () => {
vi.mocked(grantsService.getGrant).mockRejectedValueOnce(
new NotFoundException(`Grant ${GRANT_ID} not found`),
);
await expect(controller.generateToken(GRANT_ID, { ttlSeconds: 900 })).rejects.toThrow(
NotFoundException,
);
});
});
// ─── Peer management ───────────────────────────────────────────────────
describe('listPeers', () => {
it('returns DB rows ordered by commonName', async () => {
const result = await controller.listPeers();
expect(db.select).toHaveBeenCalled();
// The DB mock resolves with [MOCK_PEER]
expect(result).toEqual([MOCK_PEER]);
});
});
});

351
apps/gateway/src/federation/__tests__/grants.service.spec.ts
View File

@@ -1,351 +0,0 @@
/**
* Unit tests for GrantsService — federation grants CRUD + status transitions (FED-M2-06).
*
* Coverage:
* - createGrant: validates scope via parseFederationScope
* - createGrant: inserts with status 'pending'
* - getGrant: returns grant when found
* - getGrant: throws NotFoundException when not found
* - listGrants: no filters returns all grants
* - listGrants: filters by peerId
* - listGrants: filters by subjectUserId
* - listGrants: filters by status
* - listGrants: multiple filters combined
* - activateGrant: pending → active works
* - activateGrant: non-pending throws ConflictException
* - revokeGrant: active → revoked works, sets revokedAt
* - revokeGrant: non-active throws ConflictException
* - expireGrant: active → expired works
* - expireGrant: non-active throws ConflictException
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { ConflictException, NotFoundException } from '@nestjs/common';
import type { Db } from '@mosaicstack/db';
import { GrantsService } from '../grants.service.js';
import { FederationScopeError } from '../scope-schema.js';
// ---------------------------------------------------------------------------
// Minimal valid federation scope for testing
// ---------------------------------------------------------------------------
const VALID_SCOPE = {
resources: ['tasks'] as const,
excluded_resources: [],
max_rows_per_query: 100,
};
const PEER_ID = 'a1111111-1111-1111-1111-111111111111';
const USER_ID = 'u2222222-2222-2222-2222-222222222222';
const GRANT_ID = 'g3333333-3333-3333-3333-333333333333';
// ---------------------------------------------------------------------------
// Build a mock DB that mimics chained Drizzle query builder calls
// ---------------------------------------------------------------------------
function makeMockGrant(overrides: Partial<Record<string, unknown>> = {}) {
return {
id: GRANT_ID,
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: VALID_SCOPE,
status: 'pending',
expiresAt: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
revokedAt: null,
revokedReason: null,
...overrides,
};
}
function makeDb(
overrides: {
insertReturning?: unknown[];
selectRows?: unknown[];
updateReturning?: unknown[];
} = {},
) {
const insertReturning = overrides.insertReturning ?? [makeMockGrant()];
const selectRows = overrides.selectRows ?? [makeMockGrant()];
const updateReturning = overrides.updateReturning ?? [makeMockGrant({ status: 'active' })];
// Drizzle returns a chainable builder; we need to mock the full chain.
const returningInsert = vi.fn().mockResolvedValue(insertReturning);
const valuesInsert = vi.fn().mockReturnValue({ returning: returningInsert });
const insertMock = vi.fn().mockReturnValue({ values: valuesInsert });
// select().from().where().limit()
const limitSelect = vi.fn().mockResolvedValue(selectRows);
const whereSelect = vi.fn().mockReturnValue({ limit: limitSelect });
// from returns something that is both thenable (for full-table select) and has .where()
const fromSelect = vi.fn().mockReturnValue({
where: whereSelect,
limit: limitSelect,
// Make it thenable for listGrants with no filters (await db.select().from(federationGrants))
then: (resolve: (v: unknown) => unknown) => resolve(selectRows),
});
const selectMock = vi.fn().mockReturnValue({ from: fromSelect });
const returningUpdate = vi.fn().mockResolvedValue(updateReturning);
const whereUpdate = vi.fn().mockReturnValue({ returning: returningUpdate });
const setMock = vi.fn().mockReturnValue({ where: whereUpdate });
const updateMock = vi.fn().mockReturnValue({ set: setMock });
return {
insert: insertMock,
select: selectMock,
update: updateMock,
// Expose internals for assertions
_mocks: {
insertReturning,
valuesInsert,
insertMock,
limitSelect,
whereSelect,
fromSelect,
selectMock,
returningUpdate,
whereUpdate,
setMock,
updateMock,
},
};
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
describe('GrantsService', () => {
let db: ReturnType<typeof makeDb>;
let service: GrantsService;
beforeEach(() => {
db = makeDb();
service = new GrantsService(db as unknown as Db);
});
// ─── createGrant ──────────────────────────────────────────────────────────
describe('createGrant', () => {
it('calls parseFederationScope — rejects an invalid scope', async () => {
const invalidScope = { resources: [], max_rows_per_query: 0 };
await expect(
service.createGrant({ peerId: PEER_ID, subjectUserId: USER_ID, scope: invalidScope }),
).rejects.toBeInstanceOf(FederationScopeError);
});
it('inserts a grant with status pending and returns it', async () => {
const result = await service.createGrant({
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: VALID_SCOPE,
});
expect(db._mocks.valuesInsert).toHaveBeenCalledWith(
expect.objectContaining({ status: 'pending', peerId: PEER_ID, subjectUserId: USER_ID }),
);
expect(result.status).toBe('pending');
});
it('passes expiresAt as a Date when provided', async () => {
await service.createGrant({
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: VALID_SCOPE,
expiresAt: '2027-01-01T00:00:00Z',
});
expect(db._mocks.valuesInsert).toHaveBeenCalledWith(
expect.objectContaining({ expiresAt: expect.any(Date) }),
);
});
it('sets expiresAt to null when not provided', async () => {
await service.createGrant({ peerId: PEER_ID, subjectUserId: USER_ID, scope: VALID_SCOPE });
expect(db._mocks.valuesInsert).toHaveBeenCalledWith(
expect.objectContaining({ expiresAt: null }),
);
});
});
// ─── getGrant ─────────────────────────────────────────────────────────────
describe('getGrant', () => {
it('returns the grant when found', async () => {
const result = await service.getGrant(GRANT_ID);
expect(result.id).toBe(GRANT_ID);
});
it('throws NotFoundException when no rows returned', async () => {
db = makeDb({ selectRows: [] });
service = new GrantsService(db as unknown as Db);
await expect(service.getGrant(GRANT_ID)).rejects.toBeInstanceOf(NotFoundException);
});
});
// ─── listGrants ───────────────────────────────────────────────────────────
describe('listGrants', () => {
it('queries without where clause when no filters provided', async () => {
const result = await service.listGrants({});
expect(Array.isArray(result)).toBe(true);
});
it('applies peerId filter', async () => {
await service.listGrants({ peerId: PEER_ID });
expect(db._mocks.whereSelect).toHaveBeenCalled();
});
it('applies subjectUserId filter', async () => {
await service.listGrants({ subjectUserId: USER_ID });
expect(db._mocks.whereSelect).toHaveBeenCalled();
});
it('applies status filter', async () => {
await service.listGrants({ status: 'active' });
expect(db._mocks.whereSelect).toHaveBeenCalled();
});
it('applies multiple filters combined', async () => {
await service.listGrants({ peerId: PEER_ID, status: 'pending' });
expect(db._mocks.whereSelect).toHaveBeenCalled();
});
});
// ─── activateGrant ────────────────────────────────────────────────────────
describe('activateGrant', () => {
it('transitions pending → active and returns updated grant', async () => {
db = makeDb({
selectRows: [makeMockGrant({ status: 'pending' })],
updateReturning: [makeMockGrant({ status: 'active' })],
});
service = new GrantsService(db as unknown as Db);
const result = await service.activateGrant(GRANT_ID);
expect(db._mocks.setMock).toHaveBeenCalledWith({ status: 'active' });
expect(result.status).toBe('active');
});
it('throws ConflictException when grant is already active', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'active' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.activateGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is revoked', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'revoked' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.activateGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is expired', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'expired' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.activateGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
});
// ─── revokeGrant ──────────────────────────────────────────────────────────
describe('revokeGrant', () => {
it('transitions active → revoked and sets revokedAt', async () => {
const revokedAt = new Date();
db = makeDb({
selectRows: [makeMockGrant({ status: 'active' })],
updateReturning: [makeMockGrant({ status: 'revoked', revokedAt })],
});
service = new GrantsService(db as unknown as Db);
const result = await service.revokeGrant(GRANT_ID, 'test reason');
expect(db._mocks.setMock).toHaveBeenCalledWith(
expect.objectContaining({
status: 'revoked',
revokedAt: expect.any(Date),
revokedReason: 'test reason',
}),
);
expect(result.status).toBe('revoked');
});
it('sets revokedReason to null when not provided', async () => {
db = makeDb({
selectRows: [makeMockGrant({ status: 'active' })],
updateReturning: [makeMockGrant({ status: 'revoked', revokedAt: new Date() })],
});
service = new GrantsService(db as unknown as Db);
await service.revokeGrant(GRANT_ID);
expect(db._mocks.setMock).toHaveBeenCalledWith(
expect.objectContaining({ revokedReason: null }),
);
});
it('throws ConflictException when grant is pending', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'pending' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.revokeGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is already revoked', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'revoked' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.revokeGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is expired', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'expired' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.revokeGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
});
// ─── expireGrant ──────────────────────────────────────────────────────────
describe('expireGrant', () => {
it('transitions active → expired and returns updated grant', async () => {
db = makeDb({
selectRows: [makeMockGrant({ status: 'active' })],
updateReturning: [makeMockGrant({ status: 'expired' })],
});
service = new GrantsService(db as unknown as Db);
const result = await service.expireGrant(GRANT_ID);
expect(db._mocks.setMock).toHaveBeenCalledWith({ status: 'expired' });
expect(result.status).toBe('expired');
});
it('throws ConflictException when grant is pending', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'pending' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.expireGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is already expired', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'expired' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.expireGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is revoked', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'revoked' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.expireGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
});
});

63
apps/gateway/src/federation/__tests__/peer-key.spec.ts
View File

@@ -1,63 +0,0 @@
import { describe, it, expect, beforeEach, afterEach } from 'vitest';
import { sealClientKey, unsealClientKey } from '../peer-key.util.js';
const TEST_SECRET = 'test-secret-for-peer-key-unit-tests-only';
const TEST_PEM = `-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7o4qne60TB3wo
pCOW8QqstpxEBpnFo37JxLYEJbpE3gUlJajsHv9UWRQ7m5B7n+MBXwTCQqMEY8Wl
kHv9tGgz1YGwzBjNKxPJXE6pPTXQ1Oa0VB9l3qHdqF5HtZoJzE0c6dO8HJ5YUVL
-----END PRIVATE KEY-----`;
let savedSecret: string | undefined;
beforeEach(() => {
savedSecret = process.env['BETTER_AUTH_SECRET'];
process.env['BETTER_AUTH_SECRET'] = TEST_SECRET;
});
afterEach(() => {
if (savedSecret === undefined) {
delete process.env['BETTER_AUTH_SECRET'];
} else {
process.env['BETTER_AUTH_SECRET'] = savedSecret;
}
});
describe('peer-key seal/unseal', () => {
it('round-trip: unsealClientKey(sealClientKey(pem)) returns original pem', () => {
const sealed = sealClientKey(TEST_PEM);
const roundTripped = unsealClientKey(sealed);
expect(roundTripped).toBe(TEST_PEM);
});
it('non-determinism: sealClientKey produces different ciphertext each call', () => {
const sealed1 = sealClientKey(TEST_PEM);
const sealed2 = sealClientKey(TEST_PEM);
expect(sealed1).not.toBe(sealed2);
});
it('at-rest: sealed output does not contain plaintext PEM content', () => {
const sealed = sealClientKey(TEST_PEM);
expect(sealed).not.toContain('PRIVATE KEY');
expect(sealed).not.toContain(
'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7o4qne60TB3wo',
);
});
it('tamper: flipping a byte in the sealed payload causes unseal to throw', () => {
const sealed = sealClientKey(TEST_PEM);
const buf = Buffer.from(sealed, 'base64');
// Flip a byte in the middle of the buffer (past IV and authTag)
const midpoint = Math.floor(buf.length / 2);
buf[midpoint] = buf[midpoint]! ^ 0xff;
const tampered = buf.toString('base64');
expect(() => unsealClientKey(tampered)).toThrow();
});
it('missing secret: unsealClientKey throws when BETTER_AUTH_SECRET is unset', () => {
const sealed = sealClientKey(TEST_PEM);
delete process.env['BETTER_AUTH_SECRET'];
expect(() => unsealClientKey(sealed)).toThrow('BETTER_AUTH_SECRET is not set');
});
});

57
apps/gateway/src/federation/ca.dto.ts
View File

@@ -1,57 +0,0 @@
/**
* DTOs for the Step-CA client service (FED-M2-04).
*
* IssueCertRequestDto — input to CaService.issueCert()
* IssuedCertDto — output from CaService.issueCert()
*/
import { IsInt, IsNotEmpty, IsOptional, IsString, IsUUID, Max, Min } from 'class-validator';
export class IssueCertRequestDto {
/**
* PEM-encoded PKCS#10 Certificate Signing Request.
* The CSR must already include the desired SANs.
*/
@IsString()
@IsNotEmpty()
csrPem!: string;
/**
* UUID of the federation_grants row this certificate is being issued for.
* Embedded as the `mosaic_grant_id` custom OID extension.
*/
@IsUUID()
grantId!: string;
/**
* UUID of the local user on whose behalf the cert is being issued.
* Embedded as the `mosaic_subject_user_id` custom OID extension.
*/
@IsUUID()
subjectUserId!: string;
/**
* Requested certificate validity in seconds.
* Hard cap: 900 s (15 minutes). Default: 300 s (5 minutes).
* The service will always clamp to 900 s regardless of this value.
*/
@IsOptional()
@IsInt()
@Min(60)
@Max(15 * 60)
ttlSeconds: number = 300;
}
export class IssuedCertDto {
/** PEM-encoded leaf certificate returned by step-ca. */
certPem!: string;
/**
* PEM-encoded full certificate chain (leaf + intermediates + root).
* Falls back to `certPem` when step-ca returns no `certChain` field.
*/
certChainPem!: string;
/** Decimal serial number string of the issued certificate. */
serialNumber!: string;
}

577
apps/gateway/src/federation/ca.service.spec.ts
View File

@@ -1,577 +0,0 @@
/**
* Unit tests for CaService — Step-CA client (FED-M2-04).
*
* Coverage:
* - Happy path: returns IssuedCertDto with certPem, certChainPem, serialNumber
* - certChainPem fallback: falls back to certPem when certChain absent
* - certChainPem from ca field: uses crt+ca when certChain absent but ca present
* - HTTP 401: throws CaServiceError with cause + remediation
* - HTTP non-401 error: throws CaServiceError
* - Malformed CSR: throws before HTTP call (INVALID_CSR)
* - Non-JSON response: throws CaServiceError
* - HTTPS connection error: throws CaServiceError
* - JWT custom claims: mosaic_grant_id and mosaic_subject_user_id present in OTT payload
* verified with jose.jwtVerify (real signature check)
* - CaServiceError: has cause + remediation properties
* - Missing crt in response: throws CaServiceError
* - Real CSR validation: valid P-256 CSR passes; malformed CSR fails with INVALID_CSR
* - provisionerPassword never appears in CaServiceError messages
* - HTTPS-only enforcement: http:// URL throws in constructor
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach, type Mock } from 'vitest';
import { jwtVerify, exportJWK, generateKeyPair } from 'jose';
import { Pkcs10CertificateRequestGenerator } from '@peculiar/x509';
// ---------------------------------------------------------------------------
// Mock node:https BEFORE importing CaService so the mock is in place when
// the module is loaded. Vitest/ESM require vi.mock at the top level.
// ---------------------------------------------------------------------------
vi.mock('node:https', () => {
const mockRequest = vi.fn();
const mockAgent = vi.fn().mockImplementation(() => ({}));
return {
default: { request: mockRequest, Agent: mockAgent },
request: mockRequest,
Agent: mockAgent,
};
});
vi.mock('node:fs', () => {
const mockReadFileSync = vi
.fn()
.mockReturnValue('-----BEGIN CERTIFICATE-----\nFAKEROOT\n-----END CERTIFICATE-----\n');
return {
default: { readFileSync: mockReadFileSync },
readFileSync: mockReadFileSync,
};
});
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
// Real self-signed EC P-256 certificate generated with openssl for testing.
// openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout /dev/null \
// -out /dev/stdout -subj "/CN=test" -days 1
const FAKE_CERT_PEM = `-----BEGIN CERTIFICATE-----
MIIBdDCCARmgAwIBAgIUM+iUJSayN+PwXkyVN6qwSY7sr6gwCgYIKoZIzj0EAwIw
DzENMAsGA1UEAwwEdGVzdDAeFw0yNjA0MjIwMzE5MTlaFw0yNjA0MjMwMzE5MTla
MA8xDTALBgNVBAMMBHRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR21kHL
n1GmFQ4TEBw3EA53pD+2McIBf5WcoHE+x0eMz5DpRKJe0ksHwOVN5Yev5d57kb+4
MvG1LhbHCB/uQo8So1MwUTAdBgNVHQ4EFgQUPq0pdIGiQ7pLBRXICS8GTliCrLsw
HwYDVR0jBBgwFoAUPq0pdIGiQ7pLBRXICS8GTliCrLswDwYDVR0TAQH/BAUwAwEB
/zAKBggqhkjOPQQDAgNJADBGAiEAypJqyC6S77aQ3eEXokM6sgAsD7Oa3tJbCbVm
zG3uJb0CIQC1w+GE+Ad0OTR5Quja46R1RjOo8ydpzZ7Fh4rouAiwEw==
-----END CERTIFICATE-----
`;
// Use a second copy of the same cert for the CA field in tests.
const FAKE_CA_PEM = FAKE_CERT_PEM;
const GRANT_ID = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11';
const SUBJECT_USER_ID = 'b1ffcd00-0d1c-5f09-cc7e-7cc0ce491b22';
// ---------------------------------------------------------------------------
// Generate a real EC P-256 key pair and CSR for integration-style tests
// ---------------------------------------------------------------------------
// We generate this once at module level so it's available to all tests.
// The key pair and CSR PEM are populated asynchronously in the test that needs them.
let realCsrPem: string;
async function generateRealCsr(): Promise<string> {
const { privateKey, publicKey } = await generateKeyPair('ES256');
// Export public key JWK for potential verification (not used here but confirms key is exportable)
await exportJWK(publicKey);
// Use @peculiar/x509 to build a proper CSR
const csr = await Pkcs10CertificateRequestGenerator.create({
name: 'CN=test.federation.local',
signingAlgorithm: { name: 'ECDSA', hash: 'SHA-256' },
keys: { privateKey, publicKey },
});
return csr.toString('pem');
}
// ---------------------------------------------------------------------------
// Setup env before importing service
// We use an EC P-256 key pair here so the JWK-based signing works.
// The key pair is generated once and stored in module-level vars.
// ---------------------------------------------------------------------------
// Real EC P-256 test JWK (test-only, never used in production).
// Generated with node webcrypto for use in unit tests.
const TEST_EC_PRIVATE_JWK = {
key_ops: ['sign'],
ext: true,
kty: 'EC',
x: 'Xq2RjZctcPcUMU14qfjs3MtZTmFk8z1lFGQyypgXZOU',
y: 't8w9Cbt4RVmR47Wnb_i5cLwefEnMcvwse049zu9Rl_E',
crv: 'P-256',
d: 'TM6N79w1HE-PiML5Td4mbXfJaLHEaZrVyVrrwlJv7q8',
kid: 'test-ec-kid',
};
const TEST_EC_PUBLIC_JWK = {
key_ops: ['verify'],
ext: true,
kty: 'EC',
x: 'Xq2RjZctcPcUMU14qfjs3MtZTmFk8z1lFGQyypgXZOU',
y: 't8w9Cbt4RVmR47Wnb_i5cLwefEnMcvwse049zu9Rl_E',
crv: 'P-256',
kid: 'test-ec-kid',
};
process.env['STEP_CA_URL'] = 'https://step-ca:9000';
process.env['STEP_CA_PROVISIONER_KEY_JSON'] = JSON.stringify(TEST_EC_PRIVATE_JWK);
process.env['STEP_CA_ROOT_CERT_PATH'] = '/fake/root.pem';
// Import AFTER env is set and mocks are registered
import * as httpsModule from 'node:https';
import { CaService, CaServiceError } from './ca.service.js';
import type { IssueCertRequestDto } from './ca.dto.js';
// ---------------------------------------------------------------------------
// Helper to build a mock https.request that simulates step-ca
// ---------------------------------------------------------------------------
function makeHttpsMock(statusCode: number, body: unknown, errorMsg?: string): void {
const mockReq = {
write: vi.fn(),
end: vi.fn(),
on: vi.fn(),
setTimeout: vi.fn(),
};
(httpsModule.request as unknown as Mock).mockImplementation(
(
_options: unknown,
callback: (res: {
statusCode: number;
on: (event: string, cb: (chunk?: Buffer) => void) => void;
}) => void,
) => {
const mockRes = {
statusCode,
on: (event: string, cb: (chunk?: Buffer) => void) => {
if (event === 'data') {
if (body !== undefined) {
cb(Buffer.from(typeof body === 'string' ? body : JSON.stringify(body)));
}
}
if (event === 'end') {
cb();
}
},
};
if (errorMsg) {
// Simulate a connection error via the req.on('error') handler
mockReq.on.mockImplementation((event: string, cb: (err: Error) => void) => {
if (event === 'error') {
setImmediate(() => cb(new Error(errorMsg)));
}
});
} else {
// Normal flow: call the response callback
setImmediate(() => callback(mockRes));
}
return mockReq;
},
);
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
describe('CaService', () => {
let service: CaService;
beforeEach(() => {
vi.clearAllMocks();
service = new CaService();
});
function makeReq(overrides: Partial<IssueCertRequestDto> = {}): IssueCertRequestDto {
// Use a real CSR if available; fall back to a minimal placeholder
const defaultCsr = realCsrPem ?? makeFakeCsr();
return {
csrPem: defaultCsr,
grantId: GRANT_ID,
subjectUserId: SUBJECT_USER_ID,
ttlSeconds: 300,
...overrides,
};
}
function makeFakeCsr(): string {
// A structurally valid-looking CSR header/footer (body will fail crypto verify)
return `-----BEGIN CERTIFICATE REQUEST-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0000000000000000AAAA\n-----END CERTIFICATE REQUEST-----\n`;
}
// -------------------------------------------------------------------------
// Real CSR generation — runs once and populates realCsrPem
// -------------------------------------------------------------------------
it('generates a real P-256 CSR that passes validateCsr', async () => {
realCsrPem = await generateRealCsr();
expect(realCsrPem).toMatch(/BEGIN CERTIFICATE REQUEST/);
// Now test that the service's validateCsr accepts it.
// We call it indirectly via issueCert with a successful mock.
makeHttpsMock(200, { crt: FAKE_CERT_PEM, certChain: [FAKE_CERT_PEM, FAKE_CA_PEM] });
const result = await service.issueCert(makeReq({ csrPem: realCsrPem }));
expect(result.certPem).toBe(FAKE_CERT_PEM);
});
it('throws INVALID_CSR for a malformed PEM-shaped CSR', async () => {
const malformedCsr =
'-----BEGIN CERTIFICATE REQUEST-----\nTm90QVJlYWxDU1I=\n-----END CERTIFICATE REQUEST-----\n';
await expect(service.issueCert(makeReq({ csrPem: malformedCsr }))).rejects.toSatisfy(
(err: unknown) => {
if (!(err instanceof CaServiceError)) return false;
expect(err.code).toBe('INVALID_CSR');
return true;
},
);
});
// -------------------------------------------------------------------------
// Happy path
// -------------------------------------------------------------------------
it('returns IssuedCertDto on success (certChain present)', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(200, {
crt: FAKE_CERT_PEM,
certChain: [FAKE_CERT_PEM, FAKE_CA_PEM],
});
const result = await service.issueCert(makeReq());
expect(result.certPem).toBe(FAKE_CERT_PEM);
expect(result.certChainPem).toContain(FAKE_CERT_PEM);
expect(result.certChainPem).toContain(FAKE_CA_PEM);
expect(typeof result.serialNumber).toBe('string');
});
// -------------------------------------------------------------------------
// certChainPem fallback — certChain absent, ca field present
// -------------------------------------------------------------------------
it('builds certChainPem from crt+ca when certChain is absent', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(200, {
crt: FAKE_CERT_PEM,
ca: FAKE_CA_PEM,
});
const result = await service.issueCert(makeReq());
expect(result.certPem).toBe(FAKE_CERT_PEM);
expect(result.certChainPem).toContain(FAKE_CERT_PEM);
expect(result.certChainPem).toContain(FAKE_CA_PEM);
});
// -------------------------------------------------------------------------
// certChainPem fallback — no certChain, no ca field
// -------------------------------------------------------------------------
it('falls back to certPem alone when certChain and ca are absent', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(200, { crt: FAKE_CERT_PEM });
const result = await service.issueCert(makeReq());
expect(result.certPem).toBe(FAKE_CERT_PEM);
expect(result.certChainPem).toBe(FAKE_CERT_PEM);
});
// -------------------------------------------------------------------------
// HTTP 401
// -------------------------------------------------------------------------
it('throws CaServiceError on HTTP 401', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(401, { message: 'Unauthorized' });
await expect(service.issueCert(makeReq())).rejects.toSatisfy((err: unknown) => {
if (!(err instanceof CaServiceError)) return false;
expect(err.message).toMatch(/401/);
expect(err.remediation).toBeTruthy();
return true;
});
});
// -------------------------------------------------------------------------
// HTTP non-401 error (e.g. 422)
// -------------------------------------------------------------------------
it('throws CaServiceError on HTTP 422', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(422, { message: 'Unprocessable Entity' });
await expect(service.issueCert(makeReq())).rejects.toBeInstanceOf(CaServiceError);
});
// -------------------------------------------------------------------------
// Malformed CSR — throws before HTTP call
// -------------------------------------------------------------------------
it('throws CaServiceError for malformed CSR without making HTTP call', async () => {
const requestSpy = vi.spyOn(httpsModule, 'request');
await expect(service.issueCert(makeReq({ csrPem: 'not-a-valid-csr' }))).rejects.toBeInstanceOf(
CaServiceError,
);
expect(requestSpy).not.toHaveBeenCalled();
});
// -------------------------------------------------------------------------
// Non-JSON response
// -------------------------------------------------------------------------
it('throws CaServiceError when step-ca returns non-JSON', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(200, 'this is not json');
await expect(service.issueCert(makeReq())).rejects.toSatisfy((err: unknown) => {
if (!(err instanceof CaServiceError)) return false;
expect(err.message).toMatch(/non-JSON/);
return true;
});
});
// -------------------------------------------------------------------------
// HTTPS connection error
// -------------------------------------------------------------------------
it('throws CaServiceError on HTTPS connection error', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(0, undefined, 'connect ECONNREFUSED 127.0.0.1:9000');
await expect(service.issueCert(makeReq())).rejects.toSatisfy((err: unknown) => {
if (!(err instanceof CaServiceError)) return false;
expect(err.message).toMatch(/HTTPS connection/);
expect(err.cause).toBeInstanceOf(Error);
return true;
});
});
// -------------------------------------------------------------------------
// JWT custom claims: mosaic_grant_id and mosaic_subject_user_id
// Verified with jose.jwtVerify for real signature verification (M6)
// -------------------------------------------------------------------------
it('OTT contains mosaic_grant_id, mosaic_subject_user_id, and jti; signature verifies with jose', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
let capturedBody: Record<string, unknown> | undefined;
const mockReq = {
write: vi.fn((data: string) => {
capturedBody = JSON.parse(data) as Record<string, unknown>;
}),
end: vi.fn(),
on: vi.fn(),
setTimeout: vi.fn(),
};
(httpsModule.request as unknown as Mock).mockImplementation(
(
_options: unknown,
callback: (res: {
statusCode: number;
on: (event: string, cb: (chunk?: Buffer) => void) => void;
}) => void,
) => {
const mockRes = {
statusCode: 200,
on: (event: string, cb: (chunk?: Buffer) => void) => {
if (event === 'data') {
cb(Buffer.from(JSON.stringify({ crt: FAKE_CERT_PEM })));
}
if (event === 'end') {
cb();
}
},
};
setImmediate(() => callback(mockRes));
return mockReq;
},
);
await service.issueCert(makeReq({ csrPem: realCsrPem }));
expect(capturedBody).toBeDefined();
const ott = capturedBody!['ott'] as string;
expect(typeof ott).toBe('string');
// Verify JWT structure
const parts = ott.split('.');
expect(parts).toHaveLength(3);
// Decode payload without signature check first
const payloadJson = Buffer.from(parts[1]!, 'base64url').toString('utf8');
const payload = JSON.parse(payloadJson) as Record<string, unknown>;
expect(payload['mosaic_grant_id']).toBe(GRANT_ID);
expect(payload['mosaic_subject_user_id']).toBe(SUBJECT_USER_ID);
expect(typeof payload['jti']).toBe('string'); // M2: jti present
expect(payload['jti']).toMatch(/^[0-9a-f-]{36}$/); // UUID format
// M3: top-level sha should NOT be present; step.sha should be present
expect(payload['sha']).toBeUndefined();
const step = payload['step'] as Record<string, unknown> | undefined;
expect(step?.['sha']).toBeDefined();
// M6: Verify signature with jose.jwtVerify using the public key
const { importJWK: importJose } = await import('jose');
const publicKey = await importJose(TEST_EC_PUBLIC_JWK, 'ES256');
const verified = await jwtVerify(ott, publicKey);
expect(verified.payload['mosaic_grant_id']).toBe(GRANT_ID);
});
// -------------------------------------------------------------------------
// CaServiceError has cause + remediation
// -------------------------------------------------------------------------
it('CaServiceError carries cause and remediation', () => {
const cause = new Error('original error');
const err = new CaServiceError('something went wrong', 'fix it like this', cause);
expect(err).toBeInstanceOf(Error);
expect(err).toBeInstanceOf(CaServiceError);
expect(err.message).toBe('something went wrong');
expect(err.remediation).toBe('fix it like this');
expect(err.cause).toBe(cause);
expect(err.name).toBe('CaServiceError');
});
// -------------------------------------------------------------------------
// Missing crt in response
// -------------------------------------------------------------------------
it('throws CaServiceError when response is missing the crt field', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(200, { ca: FAKE_CA_PEM });
await expect(service.issueCert(makeReq())).rejects.toSatisfy((err: unknown) => {
if (!(err instanceof CaServiceError)) return false;
expect(err.message).toMatch(/missing the "crt" field/);
return true;
});
});
// -------------------------------------------------------------------------
// M6: provisionerPassword must never appear in CaServiceError messages
// -------------------------------------------------------------------------
it('provisionerPassword does not appear in any CaServiceError message', async () => {
// Temporarily set a recognizable password to test against
const originalPassword = process.env['STEP_CA_PROVISIONER_PASSWORD'];
process.env['STEP_CA_PROVISIONER_PASSWORD'] = 'super-secret-password-12345';
// Generate a bad CSR to trigger an error path
const caughtErrors: CaServiceError[] = [];
try {
await service.issueCert(makeReq({ csrPem: 'not-a-csr' }));
} catch (err) {
if (err instanceof CaServiceError) {
caughtErrors.push(err);
}
}
// Also try HTTP 401 path
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(401, { message: 'Unauthorized' });
try {
await service.issueCert(makeReq({ csrPem: realCsrPem }));
} catch (err) {
if (err instanceof CaServiceError) {
caughtErrors.push(err);
}
}
for (const err of caughtErrors) {
expect(err.message).not.toContain('super-secret-password-12345');
if (err.remediation) {
expect(err.remediation).not.toContain('super-secret-password-12345');
}
}
process.env['STEP_CA_PROVISIONER_PASSWORD'] = originalPassword;
});
// -------------------------------------------------------------------------
// M7: HTTPS-only enforcement in constructor
// -------------------------------------------------------------------------
it('throws in constructor if STEP_CA_URL uses http://', () => {
const originalUrl = process.env['STEP_CA_URL'];
process.env['STEP_CA_URL'] = 'http://step-ca:9000';
expect(() => new CaService()).toThrow(CaServiceError);
process.env['STEP_CA_URL'] = originalUrl;
});
// -------------------------------------------------------------------------
// TTL clamp: ttlSeconds is clamped to 900 s (15 min) maximum
// -------------------------------------------------------------------------
it('clamps ttlSeconds to 900 s regardless of input', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
let capturedBody: Record<string, unknown> | undefined;
const mockReq = {
write: vi.fn((data: string) => {
capturedBody = JSON.parse(data) as Record<string, unknown>;
}),
end: vi.fn(),
on: vi.fn(),
setTimeout: vi.fn(),
};
(httpsModule.request as unknown as Mock).mockImplementation(
(
_options: unknown,
callback: (res: {
statusCode: number;
on: (event: string, cb: (chunk?: Buffer) => void) => void;
}) => void,
) => {
const mockRes = {
statusCode: 200,
on: (event: string, cb: (chunk?: Buffer) => void) => {
if (event === 'data') {
cb(Buffer.from(JSON.stringify({ crt: FAKE_CERT_PEM })));
}
if (event === 'end') {
cb();
}
},
};
setImmediate(() => callback(mockRes));
return mockReq;
},
);
// Request 86400 s — should be clamped to 900
await service.issueCert(makeReq({ ttlSeconds: 86400 }));
expect(capturedBody).toBeDefined();
const validity = capturedBody!['validity'] as Record<string, unknown>;
expect(validity['duration']).toBe('900s');
});
});

680
apps/gateway/src/federation/ca.service.ts
View File

@@ -1,680 +0,0 @@
/**
* CaService — Step-CA client for federation grant certificate issuance.
*
* Responsibilities:
* 1. Build a JWK-provisioner One-Time Token (OTT) signed with the provisioner
* private key (ES256/ES384/RS256 per JWK kty/crv) carrying Mosaic-specific
* claims (`mosaic_grant_id`, `mosaic_subject_user_id`, `step.sha`) per the
* step-ca JWK provisioner protocol.
* 2. POST the CSR + OTT to the step-ca `/1.0/sign` endpoint over HTTPS,
* pinning the trust to the CA root cert supplied via env.
* 3. Return an IssuedCertDto containing the leaf cert, full chain, and
* serial number.
*
* Environment variables (all required at runtime — validated in constructor):
* STEP_CA_URL https://step-ca:9000
* STEP_CA_PROVISIONER_KEY_JSON JWK provisioner private key (JSON)
* STEP_CA_ROOT_CERT_PATH Absolute path to the CA root PEM
*
* Optional (only used for JWK PBES2 decrypt at startup if key is encrypted):
* STEP_CA_PROVISIONER_PASSWORD JWK provisioner password (raw string)
*
* Custom OID registry (PRD §6, docs/federation/SETUP.md):
* 1.3.6.1.4.1.99999.1 — mosaic_grant_id
* 1.3.6.1.4.1.99999.2 — mosaic_subject_user_id
*
* Fail-loud contract:
* Every error path throws CaServiceError with a human-readable `remediation`
* field. Silent OID-stripping is NEVER allowed — if the sign response does
* not include the cert, we throw rather than return a cert that may be
* missing the custom extensions.
*/
import { Injectable, Logger } from '@nestjs/common';
import * as crypto from 'node:crypto';
import * as fs from 'node:fs';
import * as https from 'node:https';
import { SignJWT, importJWK } from 'jose';
import { Pkcs10CertificateRequest, X509Certificate } from '@peculiar/x509';
import type { IssueCertRequestDto } from './ca.dto.js';
import { IssuedCertDto } from './ca.dto.js';
// ---------------------------------------------------------------------------
// Custom error class
// ---------------------------------------------------------------------------
export class CaServiceError extends Error {
readonly cause: unknown;
readonly remediation: string;
readonly code?: string;
constructor(message: string, remediation: string, cause?: unknown, code?: string) {
super(message);
this.name = 'CaServiceError';
this.cause = cause;
this.remediation = remediation;
this.code = code;
}
}
// ---------------------------------------------------------------------------
// Internal types
// ---------------------------------------------------------------------------
interface StepSignResponse {
crt: string;
ca?: string;
certChain?: string[];
}
interface JwkKey {
kty: string;
kid?: string;
use?: string;
alg?: string;
k?: string; // symmetric
n?: string; // RSA
e?: string;
d?: string;
x?: string; // EC
y?: string;
crv?: string;
[key: string]: unknown;
}
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
/** UUID regex for validation */
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
/**
* Derive the JWT algorithm string from a JWK's kty/crv fields.
* EC P-256 → ES256, EC P-384 → ES384, RSA → RS256.
*/
function algFromJwk(jwk: JwkKey): string {
if (jwk.alg) return jwk.alg;
if (jwk.kty === 'EC') {
if (jwk.crv === 'P-384') return 'ES384';
return 'ES256'; // default for P-256 and Ed25519-style EC keys
}
if (jwk.kty === 'RSA') return 'RS256';
throw new CaServiceError(
`Unsupported JWK kty: ${jwk.kty}`,
'STEP_CA_PROVISIONER_KEY_JSON must be an EC (P-256/P-384) or RSA JWK private key.',
);
}
/**
* Compute SHA-256 fingerprint of the DER-encoded CSR body.
* step-ca uses this as the `step.sha` claim to bind the OTT to a specific CSR.
*/
function csrFingerprint(csrPem: string): string {
// Strip PEM headers and decode base64 body
const b64 = csrPem
.replace(/-----BEGIN CERTIFICATE REQUEST-----/, '')
.replace(/-----END CERTIFICATE REQUEST-----/, '')
.replace(/\s+/g, '');
let derBuf: Buffer;
try {
derBuf = Buffer.from(b64, 'base64');
} catch (err) {
throw new CaServiceError(
'Failed to base64-decode the CSR PEM body',
'Verify that csrPem is a valid PKCS#10 PEM-encoded certificate request.',
err,
);
}
if (derBuf.length === 0) {
throw new CaServiceError(
'CSR PEM decoded to empty buffer — malformed input',
'Provide a valid non-empty PKCS#10 PEM-encoded certificate request.',
);
}
return crypto.createHash('sha256').update(derBuf).digest('hex');
}
/**
* Send a JSON POST to the step-ca sign endpoint.
* Returns the parsed response body or throws CaServiceError.
*/
function httpsPost(url: string, body: unknown, agent: https.Agent): Promise<StepSignResponse> {
return new Promise((resolve, reject) => {
const bodyStr = JSON.stringify(body);
const parsed = new URL(url);
const options: https.RequestOptions = {
hostname: parsed.hostname,
port: parsed.port ? parseInt(parsed.port, 10) : 443,
path: parsed.pathname,
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(bodyStr),
},
agent,
timeout: 5000,
};
const req = https.request(options, (res) => {
const chunks: Buffer[] = [];
res.on('data', (chunk: Buffer) => chunks.push(chunk));
res.on('end', () => {
const raw = Buffer.concat(chunks).toString('utf8');
if (res.statusCode === 401) {
reject(
new CaServiceError(
`step-ca returned HTTP 401 — invalid or expired OTT`,
'Check STEP_CA_PROVISIONER_KEY_JSON. Ensure the mosaic-fed provisioner is configured in the CA.',
),
);
return;
}
if (res.statusCode && res.statusCode >= 400) {
reject(
new CaServiceError(
`step-ca returned HTTP ${res.statusCode}: ${raw.slice(0, 256)}`,
`Review the step-ca logs. Status ${res.statusCode} may indicate a CSR policy violation or misconfigured provisioner.`,
),
);
return;
}
let parsed: unknown;
try {
parsed = JSON.parse(raw) as unknown;
} catch (err) {
reject(
new CaServiceError(
'step-ca returned a non-JSON response',
'Verify STEP_CA_URL points to a running step-ca instance and that TLS is properly configured.',
err,
),
);
return;
}
resolve(parsed as StepSignResponse);
});
});
req.setTimeout(5000, () => {
req.destroy(new Error('Request timed out after 5000ms'));
});
req.on('error', (err: Error) => {
reject(
new CaServiceError(
`HTTPS connection to step-ca failed: ${err.message}`,
'Ensure STEP_CA_URL is reachable and STEP_CA_ROOT_CERT_PATH points to the correct CA root certificate.',
err,
),
);
});
req.write(bodyStr);
req.end();
});
}
/**
* Extract a decimal serial number from a PEM certificate.
* Throws CaServiceError on failure — never silently returns 'unknown'.
*/
function extractSerial(certPem: string): string {
let cert: crypto.X509Certificate;
try {
cert = new crypto.X509Certificate(certPem);
} catch (err) {
throw new CaServiceError(
'Failed to parse the issued certificate PEM',
'The certificate returned by step-ca could not be parsed. Check that step-ca is returning a valid PEM certificate.',
err,
'CERT_PARSE',
);
}
return cert.serialNumber;
}
// ---------------------------------------------------------------------------
// Service
// ---------------------------------------------------------------------------
@Injectable()
export class CaService {
private readonly logger = new Logger(CaService.name);
private readonly caUrl: string;
private readonly rootCertPath: string;
private readonly httpsAgent: https.Agent;
private readonly jwk: JwkKey;
private cachedPrivateKey: crypto.KeyObject | null = null;
private readonly jwtAlg: string;
private readonly kid: string;
constructor() {
const caUrl = process.env['STEP_CA_URL'];
const provisionerKeyJson = process.env['STEP_CA_PROVISIONER_KEY_JSON'];
const rootCertPath = process.env['STEP_CA_ROOT_CERT_PATH'];
if (!caUrl) {
throw new CaServiceError(
'STEP_CA_URL is not set',
'Set STEP_CA_URL to the base URL of the step-ca instance, e.g. https://step-ca:9000',
);
}
// Enforce HTTPS-only URL
let parsedUrl: URL;
try {
parsedUrl = new URL(caUrl);
} catch (err) {
throw new CaServiceError(
`STEP_CA_URL is not a valid URL: ${caUrl}`,
'Set STEP_CA_URL to a valid HTTPS URL, e.g. https://step-ca:9000',
err,
);
}
if (parsedUrl.protocol !== 'https:') {
throw new CaServiceError(
`STEP_CA_URL must use HTTPS — got: ${parsedUrl.protocol}`,
'Set STEP_CA_URL to an https:// URL. Unencrypted connections to the CA are not permitted.',
);
}
if (!provisionerKeyJson) {
throw new CaServiceError(
'STEP_CA_PROVISIONER_KEY_JSON is not set',
'Set STEP_CA_PROVISIONER_KEY_JSON to the JSON-encoded JWK for the mosaic-fed provisioner.',
);
}
if (!rootCertPath) {
throw new CaServiceError(
'STEP_CA_ROOT_CERT_PATH is not set',
'Set STEP_CA_ROOT_CERT_PATH to the absolute path of the step-ca root CA certificate PEM file.',
);
}
// Parse JWK once — do NOT store the raw JSON string as a class field
let jwk: JwkKey;
try {
jwk = JSON.parse(provisionerKeyJson) as JwkKey;
} catch (err) {
throw new CaServiceError(
'STEP_CA_PROVISIONER_KEY_JSON is not valid JSON',
'Set STEP_CA_PROVISIONER_KEY_JSON to the JSON-serialised JWK object for the mosaic-fed provisioner.',
err,
);
}
// Derive algorithm from JWK metadata
const jwtAlg = algFromJwk(jwk);
const kid = jwk.kid ?? 'mosaic-fed';
// Import the JWK into a native KeyObject — fail loudly if it cannot be loaded.
// We do this synchronously here by calling the async importJWK via a blocking workaround.
// Actually importJWK is async, so we store it for use during token building.
// We keep the raw jwk object for later async import inside buildOtt.
// NOTE: We do NOT store provisionerKeyJson string as a class field.
this.jwk = jwk;
this.jwtAlg = jwtAlg;
this.kid = kid;
this.caUrl = caUrl;
this.rootCertPath = rootCertPath;
// Read the root cert and pin it for all HTTPS connections.
let rootCert: string;
try {
rootCert = fs.readFileSync(this.rootCertPath, 'utf8');
} catch (err) {
throw new CaServiceError(
`Cannot read STEP_CA_ROOT_CERT_PATH: ${rootCertPath}`,
'Ensure the file exists and is readable by the gateway process.',
err,
);
}
this.httpsAgent = new https.Agent({
ca: rootCert,
rejectUnauthorized: true,
});
this.logger.log(`CaService initialised — CA URL: ${this.caUrl}`);
}
/**
* Lazily import the private key from JWK on first use.
* The key is cached in cachedPrivateKey after first import.
*/
private async getPrivateKey(): Promise<crypto.KeyObject> {
if (this.cachedPrivateKey !== null) return this.cachedPrivateKey;
try {
const key = await importJWK(this.jwk, this.jwtAlg);
// importJWK returns KeyLike (crypto.KeyObject | Uint8Array) — in Node.js it's KeyObject
this.cachedPrivateKey = key as unknown as crypto.KeyObject;
return this.cachedPrivateKey;
} catch (err) {
throw new CaServiceError(
'Failed to import STEP_CA_PROVISIONER_KEY_JSON as a cryptographic key',
'Ensure STEP_CA_PROVISIONER_KEY_JSON contains a valid JWK private key (EC P-256/P-384 or RSA).',
err,
);
}
}
/**
* Build the JWK-provisioner OTT signed with the provisioner private key.
* Algorithm is derived from the JWK kty/crv fields.
*/
private async buildOtt(params: {
csrPem: string;
grantId: string;
subjectUserId: string;
ttlSeconds: number;
csrCn: string;
}): Promise<string> {
const { csrPem, grantId, subjectUserId, ttlSeconds, csrCn } = params;
// Validate UUID shape for grant id and subject user id
if (!UUID_RE.test(grantId)) {
throw new CaServiceError(
`grantId is not a valid UUID: ${grantId}`,
'Provide a valid UUID (RFC 4122) for grantId.',
undefined,
'INVALID_GRANT_ID',
);
}
if (!UUID_RE.test(subjectUserId)) {
throw new CaServiceError(
`subjectUserId is not a valid UUID: ${subjectUserId}`,
'Provide a valid UUID (RFC 4122) for subjectUserId.',
undefined,
'INVALID_GRANT_ID',
);
}
const sha = csrFingerprint(csrPem);
const now = Math.floor(Date.now() / 1000);
const privateKey = await this.getPrivateKey();
const ott = await new SignJWT({
iss: this.kid,
sub: csrCn, // M1: set sub to identity from CSR CN
aud: [`${this.caUrl}/1.0/sign`],
iat: now,
nbf: now - 30, // 30 s clock-skew tolerance
exp: now + Math.min(ttlSeconds, 3600), // OTT validity ≤ 1 h
jti: crypto.randomUUID(), // M2: unique token ID
// step.sha is the canonical field name used in the template — M3: keep only step.sha
step: { sha },
// Mosaic custom claims consumed by federation.tpl
mosaic_grant_id: grantId,
mosaic_subject_user_id: subjectUserId,
})
.setProtectedHeader({ alg: this.jwtAlg, typ: 'JWT', kid: this.kid })
.sign(privateKey);
return ott;
}
/**
* Validate a PEM-encoded CSR using @peculiar/x509.
* Verifies the self-signature, key type/size, and signature algorithm.
* Optionally verifies that the CSR's SANs match the expected set.
*
* Throws CaServiceError with code 'INVALID_CSR' on failure.
*/
private async validateCsr(pem: string, expectedSans?: string[]): Promise<string> {
let csr: Pkcs10CertificateRequest;
try {
csr = new Pkcs10CertificateRequest(pem);
} catch (err) {
throw new CaServiceError(
'Failed to parse CSR PEM as a valid PKCS#10 certificate request',
'Provide a valid PEM-encoded PKCS#10 CSR.',
err,
'INVALID_CSR',
);
}
// Verify self-signature
let valid: boolean;
try {
valid = await csr.verify();
} catch (err) {
throw new CaServiceError(
'CSR signature verification threw an error',
'The CSR self-signature could not be verified. Ensure the CSR is properly formed.',
err,
'INVALID_CSR',
);
}
if (!valid) {
throw new CaServiceError(
'CSR self-signature is invalid',
'The CSR must be self-signed with the corresponding private key.',
undefined,
'INVALID_CSR',
);
}
// Validate signature algorithm — reject MD5 and SHA-1
// signatureAlgorithm is HashedAlgorithm which extends Algorithm.
// Cast through unknown to access .name and .hash.name without DOM lib globals.
const sigAlgAny = csr.signatureAlgorithm as unknown as {
name?: string;
hash?: { name?: string };
};
const sigAlgName = (sigAlgAny.name ?? '').toLowerCase();
const hashName = (sigAlgAny.hash?.name ?? '').toLowerCase();
if (
sigAlgName.includes('md5') ||
sigAlgName.includes('sha1') ||
hashName === 'sha-1' ||
hashName === 'sha1'
) {
throw new CaServiceError(
`CSR uses a forbidden signature algorithm: ${sigAlgAny.name ?? 'unknown'}`,
'Use SHA-256 or stronger. MD5 and SHA-1 are not permitted.',
undefined,
'INVALID_CSR',
);
}
// Validate public key algorithm and strength via the algorithm descriptor on the key.
// csr.publicKey.algorithm is type Algorithm (WebCrypto) — use name-based checks.
// We cast to an extended interface to access curve/modulus info without DOM globals.
const pubKeyAlgo = csr.publicKey.algorithm as {
name: string;
namedCurve?: string;
modulusLength?: number;
};
const keyAlgoName = pubKeyAlgo.name;
if (keyAlgoName === 'RSASSA-PKCS1-v1_5' || keyAlgoName === 'RSA-PSS') {
const modulusLength = pubKeyAlgo.modulusLength ?? 0;
if (modulusLength < 2048) {
throw new CaServiceError(
`CSR RSA key is too short: ${modulusLength} bits (minimum 2048)`,
'Use an RSA key of at least 2048 bits.',
undefined,
'INVALID_CSR',
);
}
} else if (keyAlgoName === 'ECDSA') {
const namedCurve = pubKeyAlgo.namedCurve ?? '';
const allowedCurves = new Set(['P-256', 'P-384']);
if (!allowedCurves.has(namedCurve)) {
throw new CaServiceError(
`CSR EC key uses disallowed curve: ${namedCurve}`,
'Use EC P-256 or P-384. Other curves are not permitted.',
undefined,
'INVALID_CSR',
);
}
} else if (keyAlgoName === 'Ed25519') {
// Ed25519 is explicitly allowed
} else {
throw new CaServiceError(
`CSR uses unsupported key algorithm: ${keyAlgoName}`,
'Use EC (P-256/P-384), Ed25519, or RSA (≥2048 bit) keys.',
undefined,
'INVALID_CSR',
);
}
// Extract SANs if expectedSans provided
if (expectedSans && expectedSans.length > 0) {
// Get SANs from CSR extensions
const sanExtension = csr.extensions?.find(
(ext) => ext.type === '2.5.29.17', // Subject Alternative Name OID
);
const csrSans: string[] = [];
if (sanExtension) {
// Parse the raw SAN extension — store as stringified for comparison
// @peculiar/x509 exposes SANs through the parsed extension
const sanExt = sanExtension as { names?: Array<{ type: string; value: string }> };
if (sanExt.names) {
for (const name of sanExt.names) {
csrSans.push(name.value);
}
}
}
const csrSanSet = new Set(csrSans);
const expectedSanSet = new Set(expectedSans);
const missing = expectedSans.filter((s) => !csrSanSet.has(s));
const extra = csrSans.filter((s) => !expectedSanSet.has(s));
if (missing.length > 0 || extra.length > 0) {
throw new CaServiceError(
`CSR SANs do not match expected set. Missing: [${missing.join(', ')}], Extra: [${extra.join(', ')}]`,
'The CSR must include exactly the SANs specified in the issuance request.',
undefined,
'INVALID_CSR',
);
}
}
// Return the CN from the CSR subject for use as JWT sub
const cn = csr.subjectName.getField('CN')?.[0] ?? '';
return cn;
}
/**
* Submit a CSR to step-ca and return the issued certificate.
*
* Throws `CaServiceError` on any failure (network, auth, malformed input).
* Never silently swallows errors — fail-loud is a hard contract per M2-02 review.
*/
async issueCert(req: IssueCertRequestDto): Promise<IssuedCertDto> {
// Clamp TTL to 15-minute maximum (H2)
const ttl = Math.min(req.ttlSeconds ?? 300, 900);
this.logger.debug(
`issueCert — grantId=${req.grantId} subjectUserId=${req.subjectUserId} ttl=${ttl}s`,
);
// Validate CSR — real cryptographic validation (H3)
const csrCn = await this.validateCsr(req.csrPem);
const ott = await this.buildOtt({
csrPem: req.csrPem,
grantId: req.grantId,
subjectUserId: req.subjectUserId,
ttlSeconds: ttl,
csrCn,
});
const signUrl = `${this.caUrl}/1.0/sign`;
const requestBody = {
csr: req.csrPem,
ott,
validity: {
duration: `${ttl}s`,
},
};
this.logger.debug(`Posting CSR to ${signUrl}`);
const response = await httpsPost(signUrl, requestBody, this.httpsAgent);
if (!response.crt) {
throw new CaServiceError(
'step-ca sign response missing the "crt" field',
'This is unexpected — the step-ca instance may be misconfigured or running an incompatible version.',
);
}
// Build certChainPem: prefer certChain array, fall back to ca field, fall back to crt alone.
let certChainPem: string;
if (response.certChain && response.certChain.length > 0) {
certChainPem = response.certChain.join('\n');
} else if (response.ca) {
certChainPem = response.crt + '\n' + response.ca;
} else {
certChainPem = response.crt;
}
const serialNumber = extractSerial(response.crt);
// CRIT-1: Verify the issued certificate contains both Mosaic OID extensions
// with the correct values. Step-CA's federation.tpl encodes each as an ASN.1
// UTF8String TLV: tag 0x0C + 1-byte length + UUID bytes. We skip 2 bytes
// (tag + length) to extract the raw UUID string.
const issuedCert = new X509Certificate(response.crt);
const decoder = new TextDecoder();
const grantIdExt = issuedCert.getExtension('1.3.6.1.4.1.99999.1');
if (!grantIdExt) {
throw new CaServiceError(
'Issued certificate is missing required Mosaic OID: mosaic_grant_id',
'The Step-CA federation.tpl template did not embed OID 1.3.6.1.4.1.99999.1. Check the provisioner template configuration.',
undefined,
'OID_MISSING',
);
}
const grantIdInCert = decoder.decode(grantIdExt.value.slice(2));
if (grantIdInCert !== req.grantId) {
throw new CaServiceError(
`Issued certificate mosaic_grant_id mismatch: expected ${req.grantId}, got ${grantIdInCert}`,
'The Step-CA issued a certificate with a different grant ID than requested. This may indicate a provisioner misconfiguration or a MITM.',
undefined,
'OID_MISMATCH',
);
}
const subjectUserIdExt = issuedCert.getExtension('1.3.6.1.4.1.99999.2');
if (!subjectUserIdExt) {
throw new CaServiceError(
'Issued certificate is missing required Mosaic OID: mosaic_subject_user_id',
'The Step-CA federation.tpl template did not embed OID 1.3.6.1.4.1.99999.2. Check the provisioner template configuration.',
undefined,
'OID_MISSING',
);
}
const subjectUserIdInCert = decoder.decode(subjectUserIdExt.value.slice(2));
if (subjectUserIdInCert !== req.subjectUserId) {
throw new CaServiceError(
`Issued certificate mosaic_subject_user_id mismatch: expected ${req.subjectUserId}, got ${subjectUserIdInCert}`,
'The Step-CA issued a certificate with a different subject user ID than requested. This may indicate a provisioner misconfiguration or a MITM.',
undefined,
'OID_MISMATCH',
);
}
this.logger.log(`Certificate issued — serial=${serialNumber} grantId=${req.grantId}`);
const result = new IssuedCertDto();
result.certPem = response.crt;
result.certChainPem = certChainPem;
result.serialNumber = serialNumber;
return result;
}
}

54
apps/gateway/src/federation/enrollment.controller.ts
View File

@@ -1,54 +0,0 @@
/**
* EnrollmentController — federation enrollment HTTP layer (FED-M2-07).
*
* Routes:
* POST /api/federation/enrollment/tokens — admin creates a single-use token
* POST /api/federation/enrollment/:token — unauthenticated; token IS the auth
*/
import {
Body,
Controller,
HttpCode,
HttpStatus,
Inject,
Param,
Post,
UseGuards,
} from '@nestjs/common';
import { AdminGuard } from '../admin/admin.guard.js';
import { EnrollmentService } from './enrollment.service.js';
import { CreateEnrollmentTokenDto, RedeemEnrollmentTokenDto } from './enrollment.dto.js';
@Controller('api/federation/enrollment')
export class EnrollmentController {
constructor(@Inject(EnrollmentService) private readonly enrollmentService: EnrollmentService) {}
/**
* Admin-only: generate a single-use enrollment token for a pending grant.
* The token should be distributed out-of-band to the remote peer operator.
*
* POST /api/federation/enrollment/tokens
*/
@Post('tokens')
@UseGuards(AdminGuard)
@HttpCode(HttpStatus.CREATED)
async createToken(@Body() dto: CreateEnrollmentTokenDto) {
return this.enrollmentService.createToken(dto);
}
/**
* Unauthenticated: remote peer redeems a token by submitting its CSR.
* The token itself is the credential — no session or bearer token required.
*
* POST /api/federation/enrollment/:token
*
* Returns the signed leaf cert and full chain PEM on success.
* Returns 410 Gone if the token was already used or has expired.
*/
@Post(':token')
@HttpCode(HttpStatus.OK)
async redeem(@Param('token') token: string, @Body() dto: RedeemEnrollmentTokenDto) {
return this.enrollmentService.redeem(token, dto.csrPem);
}
}

35
apps/gateway/src/federation/enrollment.dto.ts
View File

@@ -1,35 +0,0 @@
/**
* DTOs for the federation enrollment flow (FED-M2-07).
*
* CreateEnrollmentTokenDto — admin generates a single-use enrollment token
* RedeemEnrollmentTokenDto — remote peer submits CSR to redeem the token
*/
import { IsInt, IsNotEmpty, IsOptional, IsString, IsUUID, Max, Min } from 'class-validator';
export class CreateEnrollmentTokenDto {
/** UUID of the federation grant this token will activate on redemption. */
@IsUUID()
grantId!: string;
/** UUID of the peer record that will receive the issued cert on redemption. */
@IsUUID()
peerId!: string;
/**
* Token lifetime in seconds. Default 900 (15 min). Min 60. Max 900.
* After this time the token is rejected even if unused.
*/
@IsOptional()
@IsInt()
@Min(60)
@Max(900)
ttlSeconds: number = 900;
}
export class RedeemEnrollmentTokenDto {
/** PEM-encoded PKCS#10 Certificate Signing Request from the remote peer. */
@IsString()
@IsNotEmpty()
csrPem!: string;
}

281
apps/gateway/src/federation/enrollment.service.ts
View File

@@ -1,281 +0,0 @@
/**
* EnrollmentService — single-use enrollment token lifecycle (FED-M2-07).
*
* Responsibilities:
* 1. Generate time-limited single-use enrollment tokens (admin action).
* 2. Redeem a token: validate → atomically claim token → issue cert via
* CaService → transactionally activate grant + update peer + write audit.
*
* Replay protection: the token is claimed (UPDATE WHERE used_at IS NULL) BEFORE
* cert issuance. This prevents double cert minting on concurrent requests.
* If cert issuance fails after claim, the token is consumed and the grant
* stays pending — admin must create a new grant.
*/
import {
BadRequestException,
ConflictException,
GoneException,
Inject,
Injectable,
Logger,
NotFoundException,
} from '@nestjs/common';
import * as crypto from 'node:crypto';
// X509Certificate is available as a named export in Node.js ≥ 15.6
const { X509Certificate } = crypto;
import {
type Db,
and,
eq,
isNull,
sql,
federationEnrollmentTokens,
federationGrants,
federationPeers,
federationAuditLog,
} from '@mosaicstack/db';
import { DB } from '../database/database.module.js';
import { CaService } from './ca.service.js';
import { GrantsService } from './grants.service.js';
import { FederationScopeError } from './scope-schema.js';
import type { CreateEnrollmentTokenDto } from './enrollment.dto.js';
export interface EnrollmentTokenResult {
token: string;
expiresAt: string;
}
export interface RedeemResult {
certPem: string;
certChainPem: string;
}
@Injectable()
export class EnrollmentService {
private readonly logger = new Logger(EnrollmentService.name);
constructor(
@Inject(DB) private readonly db: Db,
private readonly caService: CaService,
private readonly grantsService: GrantsService,
) {}
/**
* Generate a single-use enrollment token for an admin to distribute
* out-of-band to the remote peer operator.
*/
async createToken(dto: CreateEnrollmentTokenDto): Promise<EnrollmentTokenResult> {
const ttl = Math.min(dto.ttlSeconds, 900);
// MED-3: Verify the grantId ↔ peerId binding — prevents attacker from
// cross-wiring grants to attacker-controlled peers.
const [grant] = await this.db
.select({ peerId: federationGrants.peerId })
.from(federationGrants)
.where(eq(federationGrants.id, dto.grantId))
.limit(1);
if (!grant) {
throw new NotFoundException(`Grant ${dto.grantId} not found`);
}
if (grant.peerId !== dto.peerId) {
throw new BadRequestException(`peerId does not match the grant's registered peer`);
}
const token = crypto.randomBytes(32).toString('hex');
const expiresAt = new Date(Date.now() + ttl * 1000);
await this.db.insert(federationEnrollmentTokens).values({
token,
grantId: dto.grantId,
peerId: dto.peerId,
expiresAt,
});
this.logger.log(
`Enrollment token created — grantId=${dto.grantId} peerId=${dto.peerId} expiresAt=${expiresAt.toISOString()}`,
);
return { token, expiresAt: expiresAt.toISOString() };
}
/**
* Redeem an enrollment token.
*
* Full flow:
* 1. Fetch token row — NotFoundException if not found
* 2. usedAt set → GoneException (already used)
* 3. expiresAt < now → GoneException (expired)
* 4. Load grant — verify status is 'pending'
* 5. Atomically claim token (UPDATE WHERE used_at IS NULL RETURNING token)
* — if no rows returned, concurrent request won → GoneException
* 6. Issue cert via CaService (network call, outside transaction)
* — if this fails, token is consumed; grant stays pending; admin must recreate
* 7. Transaction: activate grant + update peer record + write audit log
* 8. Return { certPem, certChainPem }
*/
async redeem(token: string, csrPem: string): Promise<RedeemResult> {
// HIGH-5: Track outcome so we can write a failure audit row on any error.
let outcome: 'allowed' | 'denied' = 'denied';
// row may be undefined if the token is not found — used defensively in catch.
let row: typeof federationEnrollmentTokens.$inferSelect | undefined;
try {
// 1. Fetch token row
const [fetchedRow] = await this.db
.select()
.from(federationEnrollmentTokens)
.where(eq(federationEnrollmentTokens.token, token))
.limit(1);
if (!fetchedRow) {
throw new NotFoundException('Enrollment token not found');
}
row = fetchedRow;
// 2. Already used?
if (row.usedAt !== null) {
throw new GoneException('Enrollment token has already been used');
}
// 3. Expired?
if (row.expiresAt < new Date()) {
throw new GoneException('Enrollment token has expired');
}
// 4. Load grant and verify it is still pending
let grant;
try {
grant = await this.grantsService.getGrant(row.grantId);
} catch (err) {
if (err instanceof FederationScopeError) {
throw new BadRequestException(err.message);
}
throw err;
}
if (grant.status !== 'pending') {
throw new GoneException(
`Grant ${row.grantId} is no longer pending (status: ${grant.status})`,
);
}
// 5. Atomically claim the token BEFORE cert issuance to prevent double-minting.
// WHERE used_at IS NULL ensures only one concurrent request wins.
// Using .returning() works on both node-postgres and PGlite without rowCount inspection.
const claimed = await this.db
.update(federationEnrollmentTokens)
.set({ usedAt: sql`NOW()` })
.where(
and(
eq(federationEnrollmentTokens.token, token),
isNull(federationEnrollmentTokens.usedAt),
),
)
.returning({ token: federationEnrollmentTokens.token });
if (claimed.length === 0) {
throw new GoneException('Enrollment token has already been used (concurrent request)');
}
// 6. Issue certificate via CaService (network call — outside any transaction).
// If this throws, the token is already consumed. The grant stays pending.
// Admin must revoke the grant and create a new one.
let issued;
try {
issued = await this.caService.issueCert({
csrPem,
grantId: row.grantId,
subjectUserId: grant.subjectUserId,
ttlSeconds: 300,
});
} catch (err) {
// HIGH-4: Log only the first 8 hex chars of the token for correlation — never log the full token.
this.logger.error(
`issueCert failed after token ${token.slice(0, 8)}... was claimed — grant ${row.grantId} is stranded pending`,
err instanceof Error ? err.stack : String(err),
);
if (err instanceof FederationScopeError) {
throw new BadRequestException((err as Error).message);
}
throw err;
}
// 7. Atomically activate grant, update peer record, and write audit log.
const certNotAfter = this.extractCertNotAfter(issued.certPem);
await this.db.transaction(async (tx) => {
// CRIT-2: Guard activation with WHERE status='pending' to prevent double-activation.
const [activated] = await tx
.update(federationGrants)
.set({ status: 'active' })
.where(and(eq(federationGrants.id, row!.grantId), eq(federationGrants.status, 'pending')))
.returning({ id: federationGrants.id });
if (!activated) {
throw new ConflictException(
`Grant ${row!.grantId} is no longer pending — cannot activate`,
);
}
// CRIT-2: Guard peer update with WHERE state='pending'.
await tx
.update(federationPeers)
.set({
certPem: issued.certPem,
certSerial: issued.serialNumber,
certNotAfter,
state: 'active',
})
.where(and(eq(federationPeers.id, row!.peerId), eq(federationPeers.state, 'pending')));
await tx.insert(federationAuditLog).values({
requestId: crypto.randomUUID(),
peerId: row!.peerId,
grantId: row!.grantId,
verb: 'enrollment',
resource: 'federation_grant',
statusCode: 200,
outcome: 'allowed',
});
});
this.logger.log(
`Enrollment complete — peerId=${row.peerId} grantId=${row.grantId} serial=${issued.serialNumber}`,
);
outcome = 'allowed';
// 8. Return cert material
return {
certPem: issued.certPem,
certChainPem: issued.certChainPem,
};
} catch (err) {
// HIGH-5: Best-effort audit write on failure — do not let this throw.
if (outcome === 'denied') {
await this.db
.insert(federationAuditLog)
.values({
requestId: crypto.randomUUID(),
peerId: row?.peerId ?? null,
grantId: row?.grantId ?? null,
verb: 'enrollment',
resource: 'federation_grant',
statusCode:
err instanceof GoneException ? 410 : err instanceof NotFoundException ? 404 : 500,
outcome: 'denied',
})
.catch(() => {});
}
throw err;
}
}
/**
* Extract the notAfter date from a PEM certificate.
* HIGH-2: No silent fallback — a cert that cannot be parsed should fail loud.
*/
private extractCertNotAfter(certPem: string): Date {
const cert = new X509Certificate(certPem);
return new Date(cert.validTo);
}
}

39
apps/gateway/src/federation/federation-admin.dto.ts
View File

@@ -1,39 +0,0 @@
/**
* DTOs for the federation admin controller (FED-M2-08).
*/
import { IsInt, IsNotEmpty, IsOptional, IsString, IsUrl, Max, Min } from 'class-validator';
export class CreatePeerKeypairDto {
@IsString()
@IsNotEmpty()
commonName!: string;
@IsString()
@IsNotEmpty()
displayName!: string;
@IsOptional()
@IsUrl()
endpointUrl?: string;
}
export class StorePeerCertDto {
@IsString()
@IsNotEmpty()
certPem!: string;
}
export class GenerateEnrollmentTokenDto {
@IsOptional()
@IsInt()
@Min(60)
@Max(900)
ttlSeconds: number = 900;
}
export class RevokeGrantBodyDto {
@IsOptional()
@IsString()
reason?: string;
}

266
apps/gateway/src/federation/federation.controller.ts
View File

@@ -1,266 +0,0 @@
/**
* FederationController — admin REST API for federation management (FED-M2-08).
*
* Routes (all under /api/admin/federation, all require AdminGuard):
*
* Grant management:
* POST /api/admin/federation/grants
* GET /api/admin/federation/grants
* GET /api/admin/federation/grants/:id
* PATCH /api/admin/federation/grants/:id/revoke
* POST /api/admin/federation/grants/:id/tokens
*
* Peer management:
* GET /api/admin/federation/peers
* POST /api/admin/federation/peers/keypair
* PATCH /api/admin/federation/peers/:id/cert
*
* NOTE: The enrollment REDEMPTION endpoint (POST /api/federation/enrollment/:token)
* is handled by EnrollmentController — not duplicated here.
*/
import {
Body,
Controller,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Param,
Patch,
Post,
Query,
UseGuards,
} from '@nestjs/common';
import { webcrypto } from 'node:crypto';
import { X509Certificate } from 'node:crypto';
import { Pkcs10CertificateRequestGenerator } from '@peculiar/x509';
import { type Db, eq, federationPeers } from '@mosaicstack/db';
import { DB } from '../database/database.module.js';
import { AdminGuard } from '../admin/admin.guard.js';
import { GrantsService } from './grants.service.js';
import { EnrollmentService } from './enrollment.service.js';
import { sealClientKey } from './peer-key.util.js';
import { CreateGrantDto, ListGrantsDto } from './grants.dto.js';
import {
CreatePeerKeypairDto,
GenerateEnrollmentTokenDto,
RevokeGrantBodyDto,
StorePeerCertDto,
} from './federation-admin.dto.js';
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
/**
* Convert an ArrayBuffer to a Base64 string (for PEM encoding).
*/
function arrayBufferToBase64(buf: ArrayBuffer): string {
const bytes = new Uint8Array(buf);
let binary = '';
for (const b of bytes) {
binary += String.fromCharCode(b);
}
return Buffer.from(binary, 'binary').toString('base64');
}
/**
* Wrap a Base64 string in PEM armour.
*/
function toPem(label: string, b64: string): string {
const lines = b64.match(/.{1,64}/g) ?? [];
return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
}
// ---------------------------------------------------------------------------
// Controller
// ---------------------------------------------------------------------------
@Controller('api/admin/federation')
@UseGuards(AdminGuard)
export class FederationController {
constructor(
@Inject(DB) private readonly db: Db,
@Inject(GrantsService) private readonly grantsService: GrantsService,
@Inject(EnrollmentService) private readonly enrollmentService: EnrollmentService,
) {}
// ─── Grant management ────────────────────────────────────────────────────
/**
* POST /api/admin/federation/grants
* Create a new grant in pending state.
*/
@Post('grants')
@HttpCode(HttpStatus.CREATED)
async createGrant(@Body() body: CreateGrantDto) {
return this.grantsService.createGrant(body);
}
/**
* GET /api/admin/federation/grants
* List grants with optional filters.
*/
@Get('grants')
async listGrants(@Query() query: ListGrantsDto) {
return this.grantsService.listGrants(query);
}
/**
* GET /api/admin/federation/grants/:id
* Get a single grant by ID.
*/
@Get('grants/:id')
async getGrant(@Param('id') id: string) {
return this.grantsService.getGrant(id);
}
/**
* PATCH /api/admin/federation/grants/:id/revoke
* Revoke an active grant.
*/
@Patch('grants/:id/revoke')
async revokeGrant(@Param('id') id: string, @Body() body: RevokeGrantBodyDto) {
return this.grantsService.revokeGrant(id, body.reason);
}
/**
* POST /api/admin/federation/grants/:id/tokens
* Generate a single-use enrollment token for a pending grant.
* Returns the token plus an enrollmentUrl the operator shares out-of-band.
*/
@Post('grants/:id/tokens')
@HttpCode(HttpStatus.CREATED)
async generateToken(@Param('id') id: string, @Body() body: GenerateEnrollmentTokenDto) {
const grant = await this.grantsService.getGrant(id);
const result = await this.enrollmentService.createToken({
grantId: id,
peerId: grant.peerId,
ttlSeconds: body.ttlSeconds ?? 900,
});
const baseUrl = process.env['BETTER_AUTH_URL'] ?? 'http://localhost:14242';
const enrollmentUrl = `${baseUrl}/api/federation/enrollment/${result.token}`;
return {
token: result.token,
expiresAt: result.expiresAt,
enrollmentUrl,
};
}
// ─── Peer management ─────────────────────────────────────────────────────
/**
* GET /api/admin/federation/peers
* List all federation peer rows.
*/
@Get('peers')
async listPeers() {
return this.db.select().from(federationPeers).orderBy(federationPeers.commonName);
}
/**
* POST /api/admin/federation/peers/keypair
* Generate a new peer entry with EC P-256 key pair and a PKCS#10 CSR.
*
* Flow:
* 1. Generate EC P-256 key pair via webcrypto
* 2. Generate a self-signed CSR via @peculiar/x509
* 3. Export private key as PEM
* 4. sealClientKey(privatePem) → sealed blob
* 5. Insert pending peer row
* 6. Return { peerId, csrPem }
*/
@Post('peers/keypair')
@HttpCode(HttpStatus.CREATED)
async createPeerKeypair(@Body() body: CreatePeerKeypairDto) {
// 1. Generate EC P-256 key pair via Web Crypto
const keyPair = await webcrypto.subtle.generateKey(
{ name: 'ECDSA', namedCurve: 'P-256' },
true, // extractable
['sign', 'verify'],
);
// 2. Generate PKCS#10 CSR
const csr = await Pkcs10CertificateRequestGenerator.create({
name: `CN=${body.commonName}`,
keys: keyPair,
signingAlgorithm: { name: 'ECDSA', hash: 'SHA-256' },
});
const csrPem = csr.toString('pem');
// 3. Export private key as PKCS#8 PEM
const pkcs8Der = await webcrypto.subtle.exportKey('pkcs8', keyPair.privateKey);
const privatePem = toPem('PRIVATE KEY', arrayBufferToBase64(pkcs8Der));
// 4. Seal the private key
const sealed = sealClientKey(privatePem);
// 5. Insert pending peer row
const [peer] = await this.db
.insert(federationPeers)
.values({
commonName: body.commonName,
displayName: body.displayName,
certPem: '',
certSerial: 'pending',
certNotAfter: new Date(0),
clientKeyPem: sealed,
state: 'pending',
endpointUrl: body.endpointUrl,
})
.returning();
return {
peerId: peer!.id,
csrPem,
};
}
/**
* PATCH /api/admin/federation/peers/:id/cert
* Store a signed certificate after enrollment completes.
*
* Flow:
* 1. Parse the cert to extract serial and notAfter
* 2. Update the peer row with cert data + state='active'
* 3. Return the updated peer row
*/
@Patch('peers/:id/cert')
async storePeerCert(@Param('id') id: string, @Body() body: StorePeerCertDto) {
// Ensure peer exists
const [existing] = await this.db
.select({ id: federationPeers.id })
.from(federationPeers)
.where(eq(federationPeers.id, id))
.limit(1);
if (!existing) {
throw new NotFoundException(`Peer ${id} not found`);
}
// 1. Parse cert
const x509 = new X509Certificate(body.certPem);
const certSerial = x509.serialNumber;
const certNotAfter = new Date(x509.validTo);
// 2. Update peer
const [updated] = await this.db
.update(federationPeers)
.set({
certPem: body.certPem,
certSerial,
certNotAfter,
state: 'active',
})
.where(eq(federationPeers.id, id))
.returning();
return updated;
}
}

14
apps/gateway/src/federation/federation.module.ts
View File

@@ -1,14 +0,0 @@
import { Module } from '@nestjs/common';
import { AdminGuard } from '../admin/admin.guard.js';
import { CaService } from './ca.service.js';
import { EnrollmentController } from './enrollment.controller.js';
import { EnrollmentService } from './enrollment.service.js';
import { FederationController } from './federation.controller.js';
import { GrantsService } from './grants.service.js';
@Module({
controllers: [EnrollmentController, FederationController],
providers: [AdminGuard, CaService, EnrollmentService, GrantsService],
exports: [CaService, EnrollmentService, GrantsService],
})
export class FederationModule {}

36
apps/gateway/src/federation/grants.dto.ts
View File

@@ -1,36 +0,0 @@
import { IsDateString, IsIn, IsObject, IsOptional, IsString, IsUUID } from 'class-validator';
export class CreateGrantDto {
@IsUUID()
peerId!: string;
@IsUUID()
subjectUserId!: string;
@IsObject()
scope!: Record<string, unknown>;
@IsOptional()
@IsDateString()
expiresAt?: string;
}
export class ListGrantsDto {
@IsOptional()
@IsUUID()
peerId?: string;
@IsOptional()
@IsUUID()
subjectUserId?: string;
@IsOptional()
@IsIn(['pending', 'active', 'revoked', 'expired'])
status?: 'pending' | 'active' | 'revoked' | 'expired';
}
export class RevokeGrantDto {
@IsOptional()
@IsString()
reason?: string;
}

161
apps/gateway/src/federation/grants.service.ts
View File

@@ -1,161 +0,0 @@
/**
* Federation grants service — CRUD + status transitions (FED-M2-06).
*
* Business logic only. CSR/cert work is handled by M2-07.
*
* Status lifecycle:
* pending → active (activateGrant, called by M2-07 enrollment controller after cert signed)
* active → revoked (revokeGrant)
* active → expired (expireGrant, called by M6 scheduler)
*/
import { ConflictException, Inject, Injectable, NotFoundException } from '@nestjs/common';
import { type Db, and, eq, federationGrants } from '@mosaicstack/db';
import { DB } from '../database/database.module.js';
import { parseFederationScope } from './scope-schema.js';
import type { CreateGrantDto, ListGrantsDto } from './grants.dto.js';
export type Grant = typeof federationGrants.$inferSelect;
@Injectable()
export class GrantsService {
constructor(@Inject(DB) private readonly db: Db) {}
/**
* Create a new grant in `pending` state.
* Validates the scope against the federation scope JSON schema before inserting.
*/
async createGrant(dto: CreateGrantDto): Promise<Grant> {
// Throws FederationScopeError (a plain Error subclass) on invalid scope.
parseFederationScope(dto.scope);
const [grant] = await this.db
.insert(federationGrants)
.values({
peerId: dto.peerId,
subjectUserId: dto.subjectUserId,
scope: dto.scope,
status: 'pending',
expiresAt: dto.expiresAt != null ? new Date(dto.expiresAt) : null,
})
.returning();
return grant!;
}
/**
* Fetch a single grant by ID. Throws NotFoundException if not found.
*/
async getGrant(id: string): Promise<Grant> {
const [grant] = await this.db
.select()
.from(federationGrants)
.where(eq(federationGrants.id, id))
.limit(1);
if (!grant) {
throw new NotFoundException(`Grant ${id} not found`);
}
return grant;
}
/**
* List grants with optional filters for peerId, subjectUserId, and status.
*/
async listGrants(filters: ListGrantsDto): Promise<Grant[]> {
const conditions = [];
if (filters.peerId != null) {
conditions.push(eq(federationGrants.peerId, filters.peerId));
}
if (filters.subjectUserId != null) {
conditions.push(eq(federationGrants.subjectUserId, filters.subjectUserId));
}
if (filters.status != null) {
conditions.push(eq(federationGrants.status, filters.status));
}
if (conditions.length === 0) {
return this.db.select().from(federationGrants);
}
return this.db
.select()
.from(federationGrants)
.where(and(...conditions));
}
/**
* Transition a grant from `pending` → `active`.
* Called by M2-07 enrollment controller after cert is signed.
* Throws ConflictException if the grant is not in `pending` state.
*/
async activateGrant(id: string): Promise<Grant> {
const grant = await this.getGrant(id);
if (grant.status !== 'pending') {
throw new ConflictException(
`Grant ${id} cannot be activated: expected status 'pending', got '${grant.status}'`,
);
}
const [updated] = await this.db
.update(federationGrants)
.set({ status: 'active' })
.where(eq(federationGrants.id, id))
.returning();
return updated!;
}
/**
* Transition a grant from `active` → `revoked`.
* Sets revokedAt and optionally revokedReason.
* Throws ConflictException if the grant is not in `active` state.
*/
async revokeGrant(id: string, reason?: string): Promise<Grant> {
const grant = await this.getGrant(id);
if (grant.status !== 'active') {
throw new ConflictException(
`Grant ${id} cannot be revoked: expected status 'active', got '${grant.status}'`,
);
}
const [updated] = await this.db
.update(federationGrants)
.set({
status: 'revoked',
revokedAt: new Date(),
revokedReason: reason ?? null,
})
.where(eq(federationGrants.id, id))
.returning();
return updated!;
}
/**
* Transition a grant from `active` → `expired`.
* Intended for use by the M6 scheduler.
* Throws ConflictException if the grant is not in `active` state.
*/
async expireGrant(id: string): Promise<Grant> {
const grant = await this.getGrant(id);
if (grant.status !== 'active') {
throw new ConflictException(
`Grant ${id} cannot be expired: expected status 'active', got '${grant.status}'`,
);
}
const [updated] = await this.db
.update(federationGrants)
.set({ status: 'expired' })
.where(eq(federationGrants.id, id))
.returning();
return updated!;
}
}

9
apps/gateway/src/federation/peer-key.util.ts
View File

@@ -1,9 +0,0 @@
import { seal, unseal } from '@mosaicstack/auth';
export function sealClientKey(privateKeyPem: string): string {
return seal(privateKeyPem);
}
export function unsealClientKey(sealedKey: string): string {
return unseal(sealedKey);
}

187
apps/gateway/src/federation/scope-schema.spec.ts
View File

@@ -1,187 +0,0 @@
/**
* Unit tests for FederationScopeSchema and parseFederationScope.
*
* Coverage:
* - Valid: minimal scope
* - Valid: full PRD §8.1 example
* - Valid: resources + excluded_resources (no overlap)
* - Invalid: empty resources
* - Invalid: unknown resource value
* - Invalid: resources / excluded_resources intersection
* - Invalid: filter key not in resources
* - Invalid: max_rows_per_query = 0
* - Invalid: max_rows_per_query = 10001
* - Invalid: not an object / null
* - Defaults: include_personal defaults to true; excluded_resources defaults to []
* - Sentinel: console.warn fires for sensitive resources
*/
import { describe, it, expect, vi, afterEach } from 'vitest';
import {
parseFederationScope,
FederationScopeError,
FederationScopeSchema,
} from './scope-schema.js';
afterEach(() => {
vi.restoreAllMocks();
});
describe('parseFederationScope — valid inputs', () => {
it('accepts a minimal scope (resources + max_rows_per_query only)', () => {
const scope = parseFederationScope({
resources: ['tasks'],
max_rows_per_query: 100,
});
expect(scope.resources).toEqual(['tasks']);
expect(scope.max_rows_per_query).toBe(100);
expect(scope.excluded_resources).toEqual([]);
expect(scope.filters).toBeUndefined();
});
it('accepts the full PRD §8.1 example', () => {
const scope = parseFederationScope({
resources: ['tasks', 'notes', 'memory'],
filters: {
tasks: { include_teams: ['team_uuid_1', 'team_uuid_2'], include_personal: true },
notes: { include_personal: true, include_teams: [] },
memory: { include_personal: true },
},
excluded_resources: ['credentials', 'api_keys'],
max_rows_per_query: 500,
});
expect(scope.resources).toEqual(['tasks', 'notes', 'memory']);
expect(scope.excluded_resources).toEqual(['credentials', 'api_keys']);
expect(scope.filters?.tasks?.include_teams).toEqual(['team_uuid_1', 'team_uuid_2']);
expect(scope.max_rows_per_query).toBe(500);
});
it('accepts a scope with excluded_resources and no filter overlap', () => {
const scope = parseFederationScope({
resources: ['tasks', 'notes'],
excluded_resources: ['memory'],
max_rows_per_query: 250,
});
expect(scope.resources).toEqual(['tasks', 'notes']);
expect(scope.excluded_resources).toEqual(['memory']);
});
});
describe('parseFederationScope — defaults', () => {
it('defaults excluded_resources to []', () => {
const scope = parseFederationScope({ resources: ['tasks'], max_rows_per_query: 1 });
expect(scope.excluded_resources).toEqual([]);
});
it('defaults include_personal to true when filter is provided without it', () => {
const scope = parseFederationScope({
resources: ['tasks'],
filters: { tasks: { include_teams: ['t1'] } },
max_rows_per_query: 10,
});
expect(scope.filters?.tasks?.include_personal).toBe(true);
});
});
describe('parseFederationScope — invalid inputs', () => {
it('throws FederationScopeError for empty resources array', () => {
expect(() => parseFederationScope({ resources: [], max_rows_per_query: 100 })).toThrow(
FederationScopeError,
);
});
it('throws for unknown resource value in resources', () => {
expect(() =>
parseFederationScope({ resources: ['unknown_resource'], max_rows_per_query: 100 }),
).toThrow(FederationScopeError);
});
it('throws when resources and excluded_resources intersect', () => {
expect(() =>
parseFederationScope({
resources: ['tasks', 'memory'],
excluded_resources: ['memory'],
max_rows_per_query: 100,
}),
).toThrow(FederationScopeError);
});
it('throws when filters references a resource not in resources', () => {
expect(() =>
parseFederationScope({
resources: ['tasks'],
filters: { notes: { include_personal: true } },
max_rows_per_query: 100,
}),
).toThrow(FederationScopeError);
});
it('throws for max_rows_per_query = 0', () => {
expect(() => parseFederationScope({ resources: ['tasks'], max_rows_per_query: 0 })).toThrow(
FederationScopeError,
);
});
it('throws for max_rows_per_query = 10001', () => {
expect(() => parseFederationScope({ resources: ['tasks'], max_rows_per_query: 10001 })).toThrow(
FederationScopeError,
);
});
it('throws for null input', () => {
expect(() => parseFederationScope(null)).toThrow(FederationScopeError);
});
it('throws for non-object input (string)', () => {
expect(() => parseFederationScope('not-an-object')).toThrow(FederationScopeError);
});
});
describe('parseFederationScope — sentinel warning', () => {
it('emits console.warn when resources includes "credentials"', () => {
const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
parseFederationScope({
resources: ['tasks', 'credentials'],
max_rows_per_query: 100,
});
expect(warnSpy).toHaveBeenCalledWith(
expect.stringContaining(
'[FederationScope] WARNING: scope grants sensitive resource "credentials"',
),
);
});
it('emits console.warn when resources includes "api_keys"', () => {
const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
parseFederationScope({
resources: ['tasks', 'api_keys'],
max_rows_per_query: 100,
});
expect(warnSpy).toHaveBeenCalledWith(
expect.stringContaining(
'[FederationScope] WARNING: scope grants sensitive resource "api_keys"',
),
);
});
it('does NOT emit console.warn for non-sensitive resources', () => {
const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
parseFederationScope({ resources: ['tasks', 'notes', 'memory'], max_rows_per_query: 100 });
expect(warnSpy).not.toHaveBeenCalled();
});
});
describe('FederationScopeSchema — boundary values', () => {
it('accepts max_rows_per_query = 1 (lower bound)', () => {
const result = FederationScopeSchema.safeParse({ resources: ['tasks'], max_rows_per_query: 1 });
expect(result.success).toBe(true);
});
it('accepts max_rows_per_query = 10000 (upper bound)', () => {
const result = FederationScopeSchema.safeParse({
resources: ['tasks'],
max_rows_per_query: 10000,
});
expect(result.success).toBe(true);
});
});

147
apps/gateway/src/federation/scope-schema.ts
View File

@@ -1,147 +0,0 @@
/**
* Federation grant scope schema and validator.
*
* Source of truth: docs/federation/PRD.md §8.1
*
* This module is intentionally pure — no DB, no NestJS, no CA wiring.
* It is reusable from grant CRUD (M2-06) and scope enforcement (M3+).
*/
import { z } from 'zod';
// ---------------------------------------------------------------------------
// Allowlist of federation resources (canonical — M3+ will extend this list)
// ---------------------------------------------------------------------------
export const FEDERATION_RESOURCE_VALUES = [
'tasks',
'notes',
'memory',
'credentials',
'api_keys',
] as const;
export type FederationResource = (typeof FEDERATION_RESOURCE_VALUES)[number];
/**
* Sensitive resources require explicit admin approval (PRD §8.4).
* The parser warns when these appear in `resources`; M2-06 grant CRUD
* will add a hard gate on top of this warning.
*/
const SENSITIVE_RESOURCES: ReadonlySet<FederationResource> = new Set(['credentials', 'api_keys']);
// ---------------------------------------------------------------------------
// Sub-schemas
// ---------------------------------------------------------------------------
const ResourceArraySchema = z
.array(z.enum(FEDERATION_RESOURCE_VALUES))
.nonempty({ message: 'resources must contain at least one value' })
.refine((arr) => new Set(arr).size === arr.length, {
message: 'resources must not contain duplicate values',
});
const ResourceFilterSchema = z.object({
include_teams: z.array(z.string()).optional(),
include_personal: z.boolean().default(true),
});
// ---------------------------------------------------------------------------
// Top-level schema
// ---------------------------------------------------------------------------
export const FederationScopeSchema = z
.object({
resources: ResourceArraySchema,
excluded_resources: z
.array(z.enum(FEDERATION_RESOURCE_VALUES))
.default([])
.refine((arr) => new Set(arr).size === arr.length, {
message: 'excluded_resources must not contain duplicate values',
}),
filters: z.record(z.string(), ResourceFilterSchema).optional(),
max_rows_per_query: z
.number()
.int({ message: 'max_rows_per_query must be an integer' })
.min(1, { message: 'max_rows_per_query must be at least 1' })
.max(10000, { message: 'max_rows_per_query must be at most 10000' }),
})
.superRefine((data, ctx) => {
const resourceSet = new Set(data.resources);
// Intersection guard: a resource cannot be both granted and excluded
for (const r of data.excluded_resources) {
if (resourceSet.has(r)) {
ctx.addIssue({
code: z.ZodIssueCode.custom,
message: `Resource "${r}" appears in both resources and excluded_resources`,
path: ['excluded_resources'],
});
}
}
// Filter keys must be a subset of resources
if (data.filters) {
for (const key of Object.keys(data.filters)) {
if (!resourceSet.has(key as FederationResource)) {
ctx.addIssue({
code: z.ZodIssueCode.custom,
message: `filters key "${key}" references a resource not present in resources`,
path: ['filters', key],
});
}
}
}
});
export type FederationScope = z.infer<typeof FederationScopeSchema>;
// ---------------------------------------------------------------------------
// Error class
// ---------------------------------------------------------------------------
export class FederationScopeError extends Error {
constructor(message: string) {
super(message);
this.name = 'FederationScopeError';
}
}
// ---------------------------------------------------------------------------
// Typed parser
// ---------------------------------------------------------------------------
/**
* Parse and validate an unknown value as a FederationScope.
*
* Throws `FederationScopeError` with aggregated Zod issues on failure.
*
* Emits `console.warn` when sensitive resources (`credentials`, `api_keys`)
* are present in `resources` — per PRD §8.4, these require explicit admin
* approval. M2-06 grant CRUD will add a hard gate on top of this warning.
*/
export function parseFederationScope(input: unknown): FederationScope {
const result = FederationScopeSchema.safeParse(input);
if (!result.success) {
const issues = result.error.issues
.map((e) => ` - [${e.path.join('.') || 'root'}] ${e.message}`)
.join('\n');
throw new FederationScopeError(`Invalid federation scope:\n${issues}`);
}
const scope = result.data;
// Sentinel warning for sensitive resources (PRD §8.4)
for (const resource of scope.resources) {
if (SENSITIVE_RESOURCES.has(resource)) {
console.warn(
`[FederationScope] WARNING: scope grants sensitive resource "${resource}". Per PRD §8.4 this requires explicit admin approval and is logged.`,
);
}
}
return scope;
}

Some files were not shown because too many files have changed in this diff Show More