mosaicstack/stack
1
0
Fork 0
Code Issues 21 Pull Requests Actions Packages Projects Releases 14 Wiki Activity

Compare commits

base: mosaicstack:fix/pi-token-lean-skills
Branches Tags
mosaicstack:main mosaicstack:docs/merge-authority-rule mosaicstack:feat/mosaic-as-provisioning mosaicstack:fix/pr-ci-wait-stdin-collision mosaicstack:fix/t_301e4e3b-pr-merge-gitea-empty-uid mosaicstack:ci/publish-appservice-image mosaicstack:feat/mosaic-as-daemon mosaicstack:feat/mosaic-as-m4a mosaicstack:fix/pi-token-lean-skills mosaicstack:fix/git-wrapper-rollup-20260526 mosaicstack:fix/git-wrapper-repo-detection mosaicstack:fix/woodpecker-wrapper-legacy-mosaic mosaicstack:fix/t-a292e96f-gitea-pr-metadata mosaicstack:fix/gitea-pr-metadata-login-t-a292e96f mosaicstack:fix/t_a292e96f-pr-metadata-gitea mosaicstack:fix/t_3a368a52-gitea-usc-login mosaicstack:fix/bootstrap-hotfix mosaicstack:fix/populate-known-packages-list mosaicstack:fix/idempotent-init
mosaicstack:mosaic-v0.0.31 mosaicstack:fed-v0.2.0-m2 mosaicstack:fed-v0.1.0-m1 mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4
..
compare: mosaicstack:fix/t_a292e96f-pr-metadata-gitea
Branches Tags
mosaicstack:main mosaicstack:docs/merge-authority-rule mosaicstack:feat/mosaic-as-provisioning mosaicstack:fix/pr-ci-wait-stdin-collision mosaicstack:fix/t_301e4e3b-pr-merge-gitea-empty-uid mosaicstack:ci/publish-appservice-image mosaicstack:feat/mosaic-as-daemon mosaicstack:feat/mosaic-as-m4a mosaicstack:fix/pi-token-lean-skills mosaicstack:fix/git-wrapper-rollup-20260526 mosaicstack:fix/git-wrapper-repo-detection mosaicstack:fix/woodpecker-wrapper-legacy-mosaic mosaicstack:fix/t-a292e96f-gitea-pr-metadata mosaicstack:fix/gitea-pr-metadata-login-t-a292e96f mosaicstack:fix/t_a292e96f-pr-metadata-gitea mosaicstack:fix/t_3a368a52-gitea-usc-login mosaicstack:fix/bootstrap-hotfix mosaicstack:fix/populate-known-packages-list mosaicstack:fix/idempotent-init
mosaicstack:mosaic-v0.0.31 mosaicstack:fed-v0.2.0-m2 mosaicstack:fed-v0.1.0-m1 mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4

1 Commits
fix/pi-tok ... fix/t_a292

Author SHA1 Message Date
Hermes Agent
06783958f7 fix(git): harden Gitea PR metadata lookup
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details
ci/woodpecker/pr/ci Pipeline failed
Details
2026-05-22 10:28:09 -05:00
8 changed files with 71 additions and 92 deletions
Expand all files Collapse all files

2
README.md
View File

@@ -58,8 +58,6 @@ mosaic yolo pi # Pi in yolo mode
The launcher verifies your config, checks for `SOUL.md`, injects your `AGENTS.md` standards into the runtime, and forwards all arguments. The launcher verifies your config, checks for `SOUL.md`, injects your `AGENTS.md` standards into the runtime, and forwards all arguments.
Pi launches default to a token-lean skill posture: `mosaic pi` passes `--no-skills` so Pi does not preload every global skill description into the system prompt. Use `MOSAIC_PI_SKILL_MODE=all mosaic pi` for the legacy all-skills catalog, or `MOSAIC_PI_SKILL_MODE=discover mosaic pi` to let Pi use its native settings/project skill discovery.
### TUI & Gateway ### TUI & Gateway
```bash ```bash

6
docs/scratchpads/mvp-20260312.md
View File

@@ -653,3 +653,9 @@ Independent security review surfaced three high-impact and four medium findings;
2. After merge, kickoff M3-01 (DTOs) on `feat/federation-m3-types` with sonnet subagent in worktree 2. After merge, kickoff M3-01 (DTOs) on `feat/federation-m3-types` with sonnet subagent in worktree
3. Once M3-01 lands, fan out: M3-02 (harness) || M3-03 (AuthGuard) → M3-04 (ScopeService) || M3-08 (FederationClient) 3. Once M3-01 lands, fan out: M3-02 (harness) || M3-03 (AuthGuard) → M3-04 (ScopeService) || M3-08 (FederationClient)
4. Re-converge at M3-10 (Integration) → M3-11 (E2E) 4. Re-converge at M3-10 (Integration) → M3-11 (E2E)
### Session 24 — 2026-05-22 — Gitea PR metadata wrapper hardening
- Fixed `packages/mosaic/framework/tools/git/pr-metadata.sh` Gitea path to fail closed on non-2xx API responses instead of normalizing API error JSON into null/empty PR metadata.
- Added token fallback behavior: try explicit `GITEA_TOKEN`, Mosaic credential-loader token, then matching `~/.git-credentials` HTTPS token; this handles stale host-scoped credential-loader entries while preserving existing credential sources.
- Confirmed real U-Connect Gitea PRs #1905 and #1908 now return `number`, `headRefName`, `baseRefName`, `state`, `author`, `url`, and `mergeable` correctly, restoring `pr-merge.sh` base branch detection.

4
packages/mosaic/framework/tools/git/ci-queue-wait.sh
View File

@@ -137,7 +137,7 @@ gitea_get_branch_head_sha() {
local branch="$3" local branch="$3"
local token="$4" local token="$4"
local url="https://${host}/api/v1/repos/${repo}/branches/${branch}" local url="https://${host}/api/v1/repos/${repo}/branches/${branch}"
curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c ' curl -fsS -H "Authorization: token ${token}" "$url" | python3 -c '
import json, sys import json, sys
data = json.load(sys.stdin) data = json.load(sys.stdin)
commit = data.get("commit") or {} commit = data.get("commit") or {}
@@ -151,7 +151,7 @@ gitea_get_commit_status_json() {
local sha="$3" local sha="$3"
local token="$4" local token="$4"
local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status" local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
curl -fsSL -H "Authorization: token ${token}" "$url" curl -fsS -H "Authorization: token ${token}" "$url"
} }
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do

4
packages/mosaic/framework/tools/git/pr-ci-wait.sh
View File

@@ -110,7 +110,7 @@ gitea_get_pr_head_sha() {
local repo="$2" local repo="$2"
local token="$3" local token="$3"
local url="https://${host}/api/v1/repos/${repo}/pulls/${PR_NUMBER}" local url="https://${host}/api/v1/repos/${repo}/pulls/${PR_NUMBER}"
curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c ' curl -fsS -H "Authorization: token ${token}" "$url" | python3 -c '
import json, sys import json, sys
data = json.load(sys.stdin) data = json.load(sys.stdin)
print((data.get("head") or {}).get("sha", "")) print((data.get("head") or {}).get("sha", ""))
@@ -123,7 +123,7 @@ gitea_get_commit_status_json() {
local token="$3" local token="$3"
local sha="$4" local sha="$4"
local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status" local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
curl -fsSL -H "Authorization: token ${token}" "$url" curl -fsS -H "Authorization: token ${token}" "$url"
} }
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do

69
packages/mosaic/framework/tools/git/pr-metadata.sh
View File

@@ -69,32 +69,81 @@ elif [[ "$PLATFORM" == "gitea" ]]; then
API_URL="https://${HOST}/api/v1/repos/${OWNER}/${REPO}/pulls/${PR_NUMBER}" API_URL="https://${HOST}/api/v1/repos/${OWNER}/${REPO}/pulls/${PR_NUMBER}"
GITEA_API_TOKEN=$(get_gitea_token "$HOST" || true) declare -a TOKEN_CANDIDATES=()
add_token_candidate() {
local candidate="$1"
[[ -z "$candidate" ]] && return 0
local existing
for existing in "${TOKEN_CANDIDATES[@]:-}"; do
[[ "$existing" == "$candidate" ]] && return 0
done
TOKEN_CANDIDATES+=("$candidate")
}
if [[ -n "$GITEA_API_TOKEN" ]]; then add_token_candidate "${GITEA_TOKEN:-}"
RAW=$(curl -sS -H "Authorization: token $GITEA_API_TOKEN" "$API_URL") add_token_candidate "$(get_gitea_token "$HOST" || true)"
else
RAW=$(curl -sS "$API_URL") # Git HTTPS credentials often contain a valid Gitea API token even when a
# Mosaic credential-source entry is stale. Try them as a fallback before
# falling back to an unauthenticated request.
CREDS_FILE="$HOME/.git-credentials"
if [[ -f "$CREDS_FILE" ]]; then
while IFS= read -r credential_token; do
add_token_candidate "$credential_token"
done < <(grep -F "$HOST" "$CREDS_FILE" 2>/dev/null | sed -n 's#https\?://[^@]*:\([^@/]*\)@.*#\1#p')
fi
RAW=""
HTTP_STATUS=""
if [[ ${#TOKEN_CANDIDATES[@]} -gt 0 ]]; then
for GITEA_API_TOKEN in "${TOKEN_CANDIDATES[@]}"; do
RESPONSE_FILE=$(mktemp)
HTTP_STATUS=$(curl -sS -o "$RESPONSE_FILE" -w '%{http_code}' -H "Authorization: token $GITEA_API_TOKEN" "$API_URL" || true)
RAW=$(cat "$RESPONSE_FILE")
rm -f "$RESPONSE_FILE"
[[ "$HTTP_STATUS" =~ ^2 ]] && break
done
fi
if [[ ! "$HTTP_STATUS" =~ ^2 ]]; then
RESPONSE_FILE=$(mktemp)
HTTP_STATUS=$(curl -sS -o "$RESPONSE_FILE" -w '%{http_code}' "$API_URL" || true)
RAW=$(cat "$RESPONSE_FILE")
rm -f "$RESPONSE_FILE"
fi
if [[ ! "$HTTP_STATUS" =~ ^2 ]]; then
ERROR_MESSAGE=$(printf '%s' "$RAW" | python3 -c 'import json, sys
try:
data=json.load(sys.stdin)
except Exception:
data={}
print(data.get("message") or data.get("error") or "unknown error")')
echo "Error: failed to fetch Gitea PR #$PR_NUMBER from $HOST/$OWNER/$REPO (HTTP $HTTP_STATUS): $ERROR_MESSAGE" >&2
exit 1
fi fi
# Normalize Gitea response to match our expected schema # Normalize Gitea response to match our expected schema
METADATA=$(echo "$RAW" | python3 -c " METADATA=$(echo "$RAW" | python3 -c "
import json, sys import json, sys
data = json.load(sys.stdin) data = json.load(sys.stdin)
head = data.get('head') or {}
base = data.get('base') or {}
user = data.get('user') or {}
normalized = { normalized = {
'number': data.get('number'), 'number': data.get('number') or data.get('index'),
'title': data.get('title'), 'title': data.get('title'),
'body': data.get('body', ''), 'body': data.get('body', ''),
'state': data.get('state'), 'state': data.get('state'),
'author': data.get('user', {}).get('login', ''), 'author': user.get('login', ''),
'headRefName': data.get('head', {}).get('ref', ''), 'headRefName': head.get('ref') or head.get('label', '').split(':')[-1],
'baseRefName': data.get('base', {}).get('ref', ''), 'baseRefName': base.get('ref') or base.get('label', '').split(':')[-1],
'labels': [l.get('name', '') for l in data.get('labels', [])], 'labels': [l.get('name', '') for l in data.get('labels', [])],
'assignees': [a.get('login', '') for a in data.get('assignees', [])], 'assignees': [a.get('login', '') for a in data.get('assignees', [])],
'milestone': data.get('milestone', {}).get('title', '') if data.get('milestone') else '', 'milestone': data.get('milestone', {}).get('title', '') if data.get('milestone') else '',
'createdAt': data.get('created_at', ''), 'createdAt': data.get('created_at', ''),
'updatedAt': data.get('updated_at', ''), 'updatedAt': data.get('updated_at', ''),
'url': data.get('html_url', ''), 'url': data.get('html_url') or data.get('url', ''),
'isDraft': data.get('draft', False), 'isDraft': data.get('draft', False),
'mergeable': data.get('mergeable'), 'mergeable': data.get('mergeable'),
'diffUrl': data.get('diff_url', ''), 'diffUrl': data.get('diff_url', ''),

22
packages/mosaic/src/commands/git-wrapper-redirects.spec.ts
View File

@@ -1,22 +0,0 @@
import { readFileSync } from 'node:fs';
import { join } from 'node:path';
import { describe, expect, it } from 'vitest';
const packageRoot = join(import.meta.dirname, '..', '..');
const gitToolsDir = join(packageRoot, 'framework', 'tools', 'git');
function readGitTool(scriptName: string): string {
return readFileSync(join(gitToolsDir, scriptName), 'utf-8');
}
describe('Gitea git wrapper API calls', () => {
it.each(['ci-queue-wait.sh', 'pr-ci-wait.sh'])(
'%s follows Gitea API redirects before parsing JSON',
(scriptName) => {
const script = readGitTool(scriptName);
expect(script).not.toContain('curl -fsS -H "Authorization: token');
expect(script).toContain('curl -fsSL -H "Authorization: token');
},
);
});

28
packages/mosaic/src/commands/launch.spec.ts
View File

@@ -1,6 +1,6 @@
import { describe, it, expect, vi, beforeEach, afterEach, type MockInstance } from 'vitest'; import { describe, it, expect, vi, beforeEach, afterEach, type MockInstance } from 'vitest';
import { Command } from 'commander'; import { Command } from 'commander';
import { buildPiSkillArgs, registerRuntimeLaunchers, type RuntimeLaunchHandler } from './launch.js'; import { registerRuntimeLaunchers, type RuntimeLaunchHandler } from './launch.js';
/** /**
* Tests for the commander wiring between `mosaic <runtime>` / `mosaic yolo <runtime>` * Tests for the commander wiring between `mosaic <runtime>` / `mosaic yolo <runtime>`
@@ -22,8 +22,6 @@ function buildProgram(handler: RuntimeLaunchHandler): Command {
return program; return program;
} }
const fakeSkills = ['--skill', '/skills/test-driven-development', '--skill', '/skills/pdf'];
// `process.exit` returns `never`, so vi.spyOn demands a replacement with the // `process.exit` returns `never`, so vi.spyOn demands a replacement with the
// same signature. We throw from the mock to short-circuit into test-land. // same signature. We throw from the mock to short-circuit into test-land.
const exitThrows = (): never => { const exitThrows = (): never => {
@@ -65,30 +63,6 @@ describe('registerRuntimeLaunchers — non-yolo subcommands', () => {
}); });
}); });
describe('buildPiSkillArgs', () => {
it('defaults to disabling Pi skill discovery to keep startup context small', () => {
expect(buildPiSkillArgs([], {}, fakeSkills)).toEqual(['--no-skills']);
});
it('keeps explicit user skills while disabling automatic discovery', () => {
expect(buildPiSkillArgs(['--skill', '/tmp/custom'], {}, fakeSkills)).toEqual(['--no-skills']);
});
it('supports legacy all-skills mode without double-loading settings skills', () => {
expect(buildPiSkillArgs([], { MOSAIC_PI_SKILL_MODE: 'all' }, fakeSkills)).toEqual([
'--no-skills',
'--skill',
'/skills/test-driven-development',
'--skill',
'/skills/pdf',
]);
});
it('supports native Pi discovery when explicitly requested', () => {
expect(buildPiSkillArgs([], { MOSAIC_PI_SKILL_MODE: 'discover' }, fakeSkills)).toEqual([]);
});
});
describe('registerRuntimeLaunchers — yolo <runtime>', () => { describe('registerRuntimeLaunchers — yolo <runtime>', () => {
let mockExit: MockInstance<typeof process.exit>; let mockExit: MockInstance<typeof process.exit>;
let mockError: MockInstance<typeof console.error>; let mockError: MockInstance<typeof console.error>;

28
packages/mosaic/src/commands/launch.ts
View File

@@ -447,32 +447,6 @@ function discoverPiSkills(): string[] {
return args; return args;
} }
type PiSkillMode = 'none' | 'all' | 'discover';
function normalizePiSkillMode(env: NodeJS.ProcessEnv): PiSkillMode {
const value = env['MOSAIC_PI_SKILL_MODE']?.trim().toLowerCase();
if (value === 'all' || value === 'discover') return value;
return 'none';
}
export function buildPiSkillArgs(
_runtimeArgs: string[],
env: NodeJS.ProcessEnv = process.env,
discoveredSkillArgs: string[] = discoverPiSkills(),
): string[] {
const mode = normalizePiSkillMode(env);
if (mode === 'discover') {
return [];
}
if (mode === 'all') {
return ['--no-skills', ...discoveredSkillArgs];
}
return ['--no-skills'];
}
function discoverPiExtension(): string[] { function discoverPiExtension(): string[] {
const ext = join(MOSAIC_HOME, 'runtime', 'pi', 'mosaic-extension.ts'); const ext = join(MOSAIC_HOME, 'runtime', 'pi', 'mosaic-extension.ts');
return existsSync(ext) ? ['--extension', ext] : []; return existsSync(ext) ? ['--extension', ext] : [];
@@ -549,7 +523,7 @@ function launchRuntime(runtime: RuntimeName, args: string[], yolo: boolean): nev
case 'pi': { case 'pi': {
const prompt = buildRuntimePrompt('pi'); const prompt = buildRuntimePrompt('pi');
const cliArgs = ['--append-system-prompt', prompt]; const cliArgs = ['--append-system-prompt', prompt];
cliArgs.push(...buildPiSkillArgs(args)); cliArgs.push(...discoverPiSkills());
cliArgs.push(...discoverPiExtension()); cliArgs.push(...discoverPiExtension());
if (hasMissionNoArgs) { if (hasMissionNoArgs) {
cliArgs.push(missionPrompt); cliArgs.push(missionPrompt);