mosaicstack/stack
1
0
Fork 0
Code Issues 22 Pull Requests 7 Actions Packages Projects Releases 13 Wiki Activity

Compare commits

base: mosaicstack:fix/t_a292e96f-pr-metadata-gitea
Branches Tags
mosaicstack:main mosaicstack:fix/git-wrapper-rollup-20260526 mosaicstack:fix/git-wrapper-repo-detection mosaicstack:fix/woodpecker-wrapper-legacy-mosaic mosaicstack:fix/t_301e4e3b-pr-merge-gitea-empty-uid mosaicstack:chore/canonize-vault-secrets-policy mosaicstack:fix/t-a292e96f-gitea-pr-metadata mosaicstack:fix/gitea-pr-metadata-login-t-a292e96f mosaicstack:fix/t_a292e96f-pr-metadata-gitea mosaicstack:fix/t_3a368a52-gitea-usc-login mosaicstack:fix/pr-ci-wait-stdin-collision mosaicstack:docs/mission-control-resilience mosaicstack:fix/bootstrap-hotfix mosaicstack:fix/populate-known-packages-list mosaicstack:fix/idempotent-init
mosaicstack:fed-v0.2.0-m2 mosaicstack:fed-v0.1.0-m1 mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4
..
compare: mosaicstack:9f44a390ba1cf64d315076d169cef477e43a848e
Branches Tags
mosaicstack:main mosaicstack:fix/git-wrapper-rollup-20260526 mosaicstack:fix/git-wrapper-repo-detection mosaicstack:fix/woodpecker-wrapper-legacy-mosaic mosaicstack:fix/t_301e4e3b-pr-merge-gitea-empty-uid mosaicstack:chore/canonize-vault-secrets-policy mosaicstack:fix/t-a292e96f-gitea-pr-metadata mosaicstack:fix/gitea-pr-metadata-login-t-a292e96f mosaicstack:fix/t_a292e96f-pr-metadata-gitea mosaicstack:fix/t_3a368a52-gitea-usc-login mosaicstack:fix/pr-ci-wait-stdin-collision mosaicstack:docs/mission-control-resilience mosaicstack:fix/bootstrap-hotfix mosaicstack:fix/populate-known-packages-list mosaicstack:fix/idempotent-init
mosaicstack:fed-v0.2.0-m2 mosaicstack:fed-v0.1.0-m1 mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4

4 Commits
fix/t_a292 ... 9f44a390ba

Author SHA1 Message Date
Jason Woltje
9f44a390ba fix(web): add jsdom dependency and exclude e2e from vitest
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
- Add missing jsdom dev dependency for vitest jsdom environment
- Exclude e2e/ directory from vitest (Playwright tests run separately)
- Fixes CI test step failure on pipeline #163

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-15 15:00:05 -05:00
Jason Woltje
95e8c0ce2b chore(orchestrator): Phase 7 complete — all 17 tasks + 2 fixes verified
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Typecheck 32/32, lint 18/18, format clean. 19 PRs merged (#136-#153).
Phase 7: Feature Completion (v0.0.8) delivered.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-15 14:49:15 -05:00
Jason Woltje
a7804e689d feat(web): add Playwright E2E test suite for critical paths (#55)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details 
Sets up @playwright/test in apps/web with playwright.config.ts
targeting localhost:3000. Adds E2E test coverage for all critical paths:
auth (login/register/validation), chat (page load, new conversation),
projects (list, empty state), settings (4 tab switches), admin (tab
switching, role guard), and navigation (sidebar links, route transitions).

Includes auth helper, separate tsconfig.e2e.json, and allowDefaultProject
ESLint config so e2e files pass the pre-commit hook. Adds pnpm test:e2e script.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-15 14:34:31 -05:00
Jason Woltje
75a844ca92 docs: add user, admin, and developer guides (closes #57)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details 
Create docs/guides/ with three comprehensive guides covering end-user
workflows, admin operations and environment reference, and developer
architecture, local setup, tool extension, schema, and API reference.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-15 14:33:35 -05:00
951 changed files with 3170 additions and 152381 deletions
Expand all files Collapse all files

153
.env.example
View File

@@ -1,154 +1,35 @@
# ───────────────────────────────────────────────────────────────────────────── # Database (port 5433 avoids conflict with host PostgreSQL)
# Mosaic — Environment Variables Reference
# Copy this file to .env and fill in the values for your deployment.
# Lines beginning with # are comments; optional vars are commented out.
# ─────────────────────────────────────────────────────────────────────────────
# ─── Database (PostgreSQL 17 + pgvector) ─────────────────────────────────────
# Full connection string used by the gateway, ORM, and migration runner.
# Port 5433 avoids conflict with a host-side PostgreSQL instance.
DATABASE_URL=postgresql://mosaic:mosaic@localhost:5433/mosaic DATABASE_URL=postgresql://mosaic:mosaic@localhost:5433/mosaic
# Docker Compose host-port override for the PostgreSQL container (default: 5433) # Valkey (Redis-compatible, port 6380 avoids conflict with host Redis/Valkey)
# PG_HOST_PORT=5433
# ─── Queue (Valkey 8 / Redis-compatible) ─────────────────────────────────────
# Port 6380 avoids conflict with a host-side Redis/Valkey instance.
VALKEY_URL=redis://localhost:6380 VALKEY_URL=redis://localhost:6380
# Docker Compose host-port override for the Valkey container (default: 6380) # Docker Compose host port overrides (optional)
# PG_HOST_PORT=5433
# VALKEY_HOST_PORT=6380 # VALKEY_HOST_PORT=6380
# OpenTelemetry
# ─── Gateway ─────────────────────────────────────────────────────────────────
# TCP port the NestJS/Fastify gateway listens on (default: 14242)
GATEWAY_PORT=14242
# Comma-separated list of allowed CORS origins.
# Must include the web app origin in production.
GATEWAY_CORS_ORIGIN=http://localhost:3000
# ─── Auth (BetterAuth) ───────────────────────────────────────────────────────
# REQUIRED — random secret used to sign sessions and tokens.
# Generate with: openssl rand -base64 32
BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string
# Public base URL of the gateway (used by BetterAuth for callback URLs)
BETTER_AUTH_URL=http://localhost:14242
# ─── Web App (Next.js) ───────────────────────────────────────────────────────
# Public gateway URL — accessible from the browser, not just the server.
NEXT_PUBLIC_GATEWAY_URL=http://localhost:14242
# ─── OpenTelemetry ───────────────────────────────────────────────────────────
# OTLP HTTP endpoint (otel-collector or any OpenTelemetry-compatible backend)
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318 OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
# Service name shown in traces
OTEL_SERVICE_NAME=mosaic-gateway OTEL_SERVICE_NAME=mosaic-gateway
# Auth (BetterAuth)
BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string
BETTER_AUTH_URL=http://localhost:4000
# ─── AI Providers ──────────────────────────────────────────────────────────── # Gateway
GATEWAY_PORT=4000
GATEWAY_CORS_ORIGIN=http://localhost:3000
# Ollama (local models — set OLLAMA_BASE_URL to enable) # Discord Plugin (optional — set DISCORD_BOT_TOKEN to enable)
# OLLAMA_BASE_URL=http://localhost:11434
# OLLAMA_HOST is a legacy alias for OLLAMA_BASE_URL
# OLLAMA_HOST=http://localhost:11434
# Comma-separated list of Ollama model IDs to register (default: llama3.2,codellama,mistral)
# OLLAMA_MODELS=llama3.2,codellama,mistral
# Anthropic (claude-sonnet-4-6, claude-opus-4-6, claude-haiku-4-5)
# ANTHROPIC_API_KEY=sk-ant-...
# OpenAI (gpt-4o, gpt-4o-mini, o3-mini)
# OPENAI_API_KEY=sk-...
# Z.ai / GLM (glm-4.5, glm-4.5-air, glm-4.5-flash)
# ZAI_API_KEY=...
# Custom providers — JSON array of provider configs
# Format: [{"id":"<id>","baseUrl":"<url>","apiKey":"<key>","models":[{"id":"<model-id>","name":"<label>"}]}]
# MOSAIC_CUSTOM_PROVIDERS=
# ─── Embedding Service ───────────────────────────────────────────────────────
# OpenAI-compatible embeddings endpoint (default: OpenAI)
# EMBEDDING_API_URL=https://api.openai.com/v1
# EMBEDDING_MODEL=text-embedding-3-small
# ─── Log Summarization Service ───────────────────────────────────────────────
# OpenAI-compatible chat completions endpoint for log summarization (default: OpenAI)
# SUMMARIZATION_API_URL=https://api.openai.com/v1
# SUMMARIZATION_MODEL=gpt-4o-mini
# Cron schedule for summarization job (default: every 6 hours)
# SUMMARIZATION_CRON=0 */6 * * *
# Cron schedule for log tier management (default: daily at 03:00)
# TIER_MANAGEMENT_CRON=0 3 * * *
# ─── Agent ───────────────────────────────────────────────────────────────────
# Filesystem sandbox root for agent file tools (default: process.cwd())
# AGENT_FILE_SANDBOX_DIR=/var/lib/mosaic/sandbox
# Comma-separated list of tool names available to non-admin users.
# Leave unset to allow all tools for all authenticated users.
# AGENT_USER_TOOLS=read_file,list_directory,search_files
# System prompt injected into every agent session (optional)
# AGENT_SYSTEM_PROMPT=You are a helpful assistant.
# ─── MCP Servers ─────────────────────────────────────────────────────────────
# JSON array of MCP server configs — set to enable MCP tool integration.
# Each entry: {"name":"<id>","url":"<http-or-sse-url>"}
# MCP_SERVERS=[{"name":"my-mcp","url":"http://localhost:3100/sse"}]
# ─── Coordinator ─────────────────────────────────────────────────────────────
# Root directory used to scope coordinator (worktree/repo) operations.
# Defaults to the monorepo root auto-detected from process.cwd().
# MOSAIC_WORKSPACE_ROOT=/home/user/projects/mosaic
# ─── Discord Plugin (optional — set DISCORD_BOT_TOKEN to enable) ─────────────
# DISCORD_BOT_TOKEN= # DISCORD_BOT_TOKEN=
# DISCORD_GUILD_ID= # DISCORD_GUILD_ID=
# DISCORD_GATEWAY_URL=http://localhost:14242 # DISCORD_GATEWAY_URL=http://localhost:4000
# Telegram Plugin (optional — set TELEGRAM_BOT_TOKEN to enable)
# ─── Telegram Plugin (optional — set TELEGRAM_BOT_TOKEN to enable) ───────────
# TELEGRAM_BOT_TOKEN= # TELEGRAM_BOT_TOKEN=
# TELEGRAM_GATEWAY_URL=http://localhost:14242 # TELEGRAM_GATEWAY_URL=http://localhost:4000
# Authentik SSO (optional — set AUTHENTIK_CLIENT_ID to enable)
# ─── SSO Providers (add credentials to enable) ─────────────────────────────── # AUTHENTIK_ISSUER=https://auth.example.com
# --- Authentik (optional — set AUTHENTIK_CLIENT_ID to enable) ---
# AUTHENTIK_ISSUER=https://auth.example.com/application/o/mosaic/
# AUTHENTIK_CLIENT_ID= # AUTHENTIK_CLIENT_ID=
# AUTHENTIK_CLIENT_SECRET= # AUTHENTIK_CLIENT_SECRET=
# --- WorkOS (optional — set WORKOS_CLIENT_ID to enable) ---
# WORKOS_ISSUER=https://your-company.authkit.app
# WORKOS_CLIENT_ID=client_...
# WORKOS_CLIENT_SECRET=sk_live_...
# --- Keycloak (optional — set KEYCLOAK_CLIENT_ID to enable) ---
# KEYCLOAK_ISSUER=https://auth.example.com/realms/master
# Legacy alternative if you prefer to compose the issuer from separate vars:
# KEYCLOAK_URL=https://auth.example.com
# KEYCLOAK_REALM=master
# KEYCLOAK_CLIENT_ID=mosaic
# KEYCLOAK_CLIENT_SECRET=
# Feature flags — set to true alongside provider credentials to show SSO buttons in the UI
# NEXT_PUBLIC_WORKOS_ENABLED=true
# NEXT_PUBLIC_KEYCLOAK_ENABLED=true

3
.gitignore vendored
View File

@@ -9,6 +9,3 @@ coverage
*.tsbuildinfo *.tsbuildinfo
.pnpm-store .pnpm-store
docs/reports/ docs/reports/
# Step-CA dev password — real file is gitignored; commit only the .example
infra/step-ca/dev-password

2
.npmrc
View File

@@ -1 +1 @@
@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaicstack/npm/ @mosaic:registry=https://git.mosaicstack.dev/api/packages/mosaic/npm/

54
.woodpecker/ci.yml
View File

@@ -5,21 +5,24 @@ variables:
when: when:
- event: [push, pull_request, manual] - event: [push, pull_request, manual]
# Turbo remote cache (turbo.mosaicstack.dev) is configured via Woodpecker # Turbo remote cache is at turbo.mosaicstack.dev (ducktors/turborepo-remote-cache).
# repository-level environment variables (TURBO_API, TURBO_TEAM, TURBO_TOKEN). # TURBO_TOKEN is a Woodpecker secret injected via from_secret into the environment.
# This avoids from_secret which is blocked on pull_request events. # Turbo picks up TURBO_API, TURBO_TOKEN, and TURBO_TEAM automatically.
# If the env vars aren't set, turbo falls back to local cache only.
steps: steps:
install: install:
image: *node_image image: *node_image
commands: commands:
- corepack enable - corepack enable
- apk add --no-cache python3 make g++
- pnpm install --frozen-lockfile - pnpm install --frozen-lockfile
typecheck: typecheck:
image: *node_image image: *node_image
environment:
TURBO_API: https://turbo.mosaicstack.dev
TURBO_TEAM: mosaic
TURBO_TOKEN:
from_secret: turbo_token
commands: commands:
- *enable_pnpm - *enable_pnpm
- pnpm typecheck - pnpm typecheck
@@ -29,6 +32,11 @@ steps:
# lint, format, and test are independent — run in parallel after typecheck # lint, format, and test are independent — run in parallel after typecheck
lint: lint:
image: *node_image image: *node_image
environment:
TURBO_API: https://turbo.mosaicstack.dev
TURBO_TEAM: mosaic
TURBO_TOKEN:
from_secret: turbo_token
commands: commands:
- *enable_pnpm - *enable_pnpm
- pnpm lint - pnpm lint
@@ -46,29 +54,27 @@ steps:
test: test:
image: *node_image image: *node_image
environment: environment:
DATABASE_URL: postgresql://mosaic:mosaic@postgres:5432/mosaic TURBO_API: https://turbo.mosaicstack.dev
TURBO_TEAM: mosaic
TURBO_TOKEN:
from_secret: turbo_token
commands: commands:
- *enable_pnpm - *enable_pnpm
# Install postgresql-client for pg_isready
- apk add --no-cache postgresql-client
# Wait up to 30s for postgres to be ready
- |
for i in $(seq 1 30); do
pg_isready -h postgres -p 5432 -U mosaic && break
echo "Waiting for postgres ($i/30)..."
sleep 1
done
# Run migrations (DATABASE_URL is set in environment above)
- pnpm --filter @mosaicstack/db run db:migrate
# Run all tests
- pnpm test - pnpm test
depends_on: depends_on:
- typecheck - typecheck
services: build:
postgres: image: *node_image
image: pgvector/pgvector:pg17
environment: environment:
POSTGRES_USER: mosaic TURBO_API: https://turbo.mosaicstack.dev
POSTGRES_PASSWORD: mosaic TURBO_TEAM: mosaic
POSTGRES_DB: mosaic TURBO_TOKEN:
from_secret: turbo_token
commands:
- *enable_pnpm
- pnpm build
depends_on:
- lint
- format
- test

140
.woodpecker/publish.yml
View File

@@ -1,140 +0,0 @@
# Build, publish npm packages, and push Docker images
# Runs only on main branch push/tag
variables:
- &node_image 'node:22-alpine'
- &enable_pnpm 'corepack enable'
when:
- branch: [main]
event: [push, manual, tag]
steps:
install:
image: *node_image
commands:
- corepack enable
- pnpm install --frozen-lockfile
build:
image: *node_image
commands:
- *enable_pnpm
- pnpm build
depends_on:
- install
publish-npm:
image: *node_image
environment:
NPM_TOKEN:
from_secret: gitea_token
commands:
- *enable_pnpm
# Configure auth for Gitea npm registry
- |
echo "//git.mosaicstack.dev/api/packages/mosaicstack/npm/:_authToken=$NPM_TOKEN" > ~/.npmrc
echo "@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaicstack/npm/" >> ~/.npmrc
# Publish non-private packages to Gitea.
#
# The only publish failure we tolerate is "version already exists" —
# that legitimately happens when only some packages were bumped in
# the merge. Any other failure (registry 404, auth error, network
# error) MUST fail the pipeline loudly: the previous
# `|| echo "... continuing"` fallback silently hid a 404 from the
# Gitea org rename and caused every @mosaicstack/* publish to fall
# on the floor while CI still reported green.
- |
# Portable sh (Alpine ash) — avoid bashisms like PIPESTATUS.
set +e
pnpm --filter "@mosaicstack/*" --filter "!@mosaicstack/web" publish --no-git-checks --access public >/tmp/publish.log 2>&1
EXIT=$?
set -e
cat /tmp/publish.log
if [ "$EXIT" -eq 0 ]; then
echo "[publish] all packages published successfully"
exit 0
fi
# Hard registry / auth / network errors → fatal. Match npm's own
# error lines specifically to avoid false positives on arbitrary
# log text that happens to contain "E404" etc.
if grep -qE "npm (error|ERR!) code (E404|E401|ENEEDAUTH|ECONNREFUSED|ETIMEDOUT|ENOTFOUND)" /tmp/publish.log; then
echo "[publish] FATAL: registry/auth/network error detected — failing pipeline" >&2
exit 1
fi
# Only tolerate the explicit "version already published" case.
# npm returns this as E403 with body "You cannot publish over..."
# or EPUBLISHCONFLICT depending on version.
if grep -qE "EPUBLISHCONFLICT|You cannot publish over|previously published" /tmp/publish.log; then
echo "[publish] some packages already at this version — continuing (non-fatal)"
exit 0
fi
echo "[publish] FATAL: publish failed with unrecognized error — failing pipeline" >&2
exit 1
depends_on:
- build
# TODO: Uncomment when ready to publish to npmjs.org
# publish-npmjs:
# image: *node_image
# environment:
# NPM_TOKEN:
# from_secret: npmjs_token
# commands:
# - *enable_pnpm
# - apk add --no-cache jq bash
# - bash scripts/publish-npmjs.sh
# depends_on:
# - build
# when:
# - event: [tag]
build-gateway:
image: gcr.io/kaniko-project/executor:debug
environment:
REGISTRY_USER:
from_secret: gitea_username
REGISTRY_PASS:
from_secret: gitea_password
CI_COMMIT_BRANCH: ${CI_COMMIT_BRANCH}
CI_COMMIT_TAG: ${CI_COMMIT_TAG}
CI_COMMIT_SHA: ${CI_COMMIT_SHA}
commands:
- mkdir -p /kaniko/.docker
- echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASS\"}}}" > /kaniko/.docker/config.json
- |
DESTINATIONS="--destination git.mosaicstack.dev/mosaicstack/stack/gateway:sha-${CI_COMMIT_SHA:0:7}"
if [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/gateway:latest"
fi
if [ -n "$CI_COMMIT_TAG" ]; then
DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/gateway:$CI_COMMIT_TAG"
fi
/kaniko/executor --context . --dockerfile docker/gateway.Dockerfile $DESTINATIONS
depends_on:
- build
build-web:
image: gcr.io/kaniko-project/executor:debug
environment:
REGISTRY_USER:
from_secret: gitea_username
REGISTRY_PASS:
from_secret: gitea_password
CI_COMMIT_BRANCH: ${CI_COMMIT_BRANCH}
CI_COMMIT_TAG: ${CI_COMMIT_TAG}
CI_COMMIT_SHA: ${CI_COMMIT_SHA}
commands:
- mkdir -p /kaniko/.docker
- echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASS\"}}}" > /kaniko/.docker/config.json
- |
DESTINATIONS="--destination git.mosaicstack.dev/mosaicstack/stack/web:sha-${CI_COMMIT_SHA:0:7}"
if [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/web:latest"
fi
if [ -n "$CI_COMMIT_TAG" ]; then
DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/web:$CI_COMMIT_TAG"
fi
/kaniko/executor --context . --dockerfile docker/web.Dockerfile $DESTINATIONS
depends_on:
- build

37
AGENTS.md
View File

@@ -21,11 +21,11 @@ Mosaic Stack is a self-hosted, multi-user AI agent platform. TypeScript monorepo
| `apps/web` | Next.js dashboard | React 19, Tailwind | | `apps/web` | Next.js dashboard | React 19, Tailwind |
| `packages/types` | Shared TypeScript contracts | class-validator | | `packages/types` | Shared TypeScript contracts | class-validator |
| `packages/db` | Drizzle ORM schema + migrations | drizzle-orm, postgres | | `packages/db` | Drizzle ORM schema + migrations | drizzle-orm, postgres |
| `packages/auth` | BetterAuth configuration | better-auth, @mosaicstack/db | | `packages/auth` | BetterAuth configuration | better-auth, @mosaic/db |
| `packages/brain` | Data layer (PG-backed) | @mosaicstack/db | | `packages/brain` | Data layer (PG-backed) | @mosaic/db |
| `packages/queue` | Valkey task queue + MCP | ioredis | | `packages/queue` | Valkey task queue + MCP | ioredis |
| `packages/coord` | Mission coordination | @mosaicstack/queue | | `packages/coord` | Mission coordination | @mosaic/queue |
| `packages/mosaic` | Unified `mosaic` CLI + TUI | Ink, Pi SDK, commander | | `packages/cli` | Unified CLI + Pi TUI | Ink, Pi SDK |
| `plugins/discord` | Discord channel plugin | discord.js | | `plugins/discord` | Discord channel plugin | discord.js |
| `plugins/telegram` | Telegram channel plugin | Telegraf | | `plugins/telegram` | Telegram channel plugin | Telegraf |
@@ -33,9 +33,9 @@ Mosaic Stack is a self-hosted, multi-user AI agent platform. TypeScript monorepo
1. Gateway is the single API surface — all clients connect through it 1. Gateway is the single API surface — all clients connect through it
2. Pi SDK is ESM-only — gateway and CLI must use ESM 2. Pi SDK is ESM-only — gateway and CLI must use ESM
3. Socket.IO typed events defined in `@mosaicstack/types` enforce compile-time contracts 3. Socket.IO typed events defined in `@mosaic/types` enforce compile-time contracts
4. OTEL auto-instrumentation loads before NestJS bootstrap 4. OTEL auto-instrumentation loads before NestJS bootstrap
5. BetterAuth manages auth tables; schema defined in `@mosaicstack/db` 5. BetterAuth manages auth tables; schema defined in `@mosaic/db`
6. Docker Compose provides PG (5433), Valkey (6380), OTEL Collector (4317/4318), Jaeger (16686) 6. Docker Compose provides PG (5433), Valkey (6380), OTEL Collector (4317/4318), Jaeger (16686)
7. Explicit `@Inject()` decorators required in NestJS (tsx/esbuild doesn't emit decorator metadata) 7. Explicit `@Inject()` decorators required in NestJS (tsx/esbuild doesn't emit decorator metadata)
@@ -53,28 +53,3 @@ pnpm typecheck && pnpm lint && pnpm format:check # Quality gates
- ESM everywhere (`"type": "module"`, `.js` extensions in imports) - ESM everywhere (`"type": "module"`, `.js` extensions in imports)
- NodeNext module resolution in all tsconfigs - NodeNext module resolution in all tsconfigs
- Scratchpads are mandatory for non-trivial tasks - Scratchpads are mandatory for non-trivial tasks
## docs/TASKS.md — Schema (CANONICAL)
The `agent` column specifies the required model for each task. **This is set at task creation by the orchestrator and must not be changed by workers.**
| Value | When to use | Budget |
| --------- | ----------------------------------------------------------- | -------------------------- |
| `codex` | All coding tasks (default for implementation) | OpenAI credits — preferred |
| `glm-5.1` | Cost-sensitive coding where Codex is unavailable | Z.ai credits |
| `haiku` | Review gates, verify tasks, status checks, docs-only | Cheapest Claude tier |
| `sonnet` | Complex planning, multi-file reasoning, architecture review | Claude quota |
| `opus` | Major cross-cutting architecture decisions ONLY | Most expensive — minimize |
| `—` | No preference / auto-select cheapest capable | Pipeline decides |
Pipeline crons read this column and spawn accordingly. Workers never modify `docs/TASKS.md` — only the orchestrator writes it.
**Full schema:**
```
| id | status | description | issue | agent | repo | branch | depends_on | estimate | notes |
```
- `status`: `not-started` | `in-progress` | `done` | `failed` | `blocked` | `needs-qa`
- `agent`: model value from table above (set before spawning)
- `estimate`: token budget e.g. `8K`, `25K`

10
CLAUDE.md
View File

@@ -10,7 +10,7 @@ Self-hosted, multi-user AI agent platform. TypeScript monorepo.
- **Web**: Next.js 16 + React 19 (`apps/web`) - **Web**: Next.js 16 + React 19 (`apps/web`)
- **ORM**: Drizzle ORM + PostgreSQL 17 + pgvector (`packages/db`) - **ORM**: Drizzle ORM + PostgreSQL 17 + pgvector (`packages/db`)
- **Auth**: BetterAuth (`packages/auth`) - **Auth**: BetterAuth (`packages/auth`)
- **Agent**: Pi SDK (`packages/agent`, `packages/mosaic`) - **Agent**: Pi SDK (`packages/agent`, `packages/cli`)
- **Queue**: Valkey 8 (`packages/queue`) - **Queue**: Valkey 8 (`packages/queue`)
- **Build**: pnpm workspaces + Turborepo - **Build**: pnpm workspaces + Turborepo
- **CI**: Woodpecker CI - **CI**: Woodpecker CI
@@ -26,13 +26,13 @@ pnpm test # Vitest (all packages)
pnpm build # Build all packages pnpm build # Build all packages
# Database # Database
pnpm --filter @mosaicstack/db db:push # Push schema to PG (dev) pnpm --filter @mosaic/db db:push # Push schema to PG (dev)
pnpm --filter @mosaicstack/db db:generate # Generate migrations pnpm --filter @mosaic/db db:generate # Generate migrations
pnpm --filter @mosaicstack/db db:migrate # Run migrations pnpm --filter @mosaic/db db:migrate # Run migrations
# Dev # Dev
docker compose up -d # Start PG, Valkey, OTEL, Jaeger docker compose up -d # Start PG, Valkey, OTEL, Jaeger
pnpm --filter @mosaicstack/gateway exec tsx src/main.ts # Start gateway pnpm --filter @mosaic/gateway exec tsx src/main.ts # Start gateway
``` ```
## Conventions ## Conventions

362
README.md
View File

@@ -1,362 +0,0 @@
# Mosaic Stack
Self-hosted, multi-user AI agent platform. One config, every runtime, same standards.
Mosaic gives you a unified launcher for Claude Code, Codex, OpenCode, and Pi — injecting consistent system prompts, guardrails, skills, and mission context into every session. A NestJS gateway provides the API surface, a Next.js dashboard gives you the UI, and a plugin system connects Discord, Telegram, and more.
## Quick Install
```bash
curl -fsSL https://mosaicstack.dev/install.sh | bash
```
Or use the direct URL:
```bash
bash <(curl -fsSL https://git.mosaicstack.dev/mosaicstack/stack/raw/branch/main/tools/install.sh)
```
The installer auto-launches the setup wizard, which walks you through gateway install and verification. Flags for non-interactive use:
```bash
bash <(curl -fsSL …) --yes # Accept all defaults
bash <(curl -fsSL …) --yes --no-auto-launch # Install only, skip wizard
```
This installs both components:
| Component | What | Where |
| ----------------------- | ---------------------------------------------------------------- | -------------------- |
| **Framework** | Bash launcher, guides, runtime configs, tools, skills | `~/.config/mosaic/` |
| **@mosaicstack/mosaic** | Unified `mosaic` CLI — TUI, gateway client, wizard, auto-updater | `~/.npm-global/bin/` |
After install, the wizard runs automatically or you can invoke it manually:
```bash
mosaic wizard # Full guided setup (gateway install → verify)
```
### Requirements
- Node.js ≥ 20
- npm (for global @mosaicstack/mosaic install)
- One or more runtimes: [Claude Code](https://docs.anthropic.com/en/docs/claude-code), [Codex](https://github.com/openai/codex), [OpenCode](https://opencode.ai), or [Pi](https://github.com/mariozechner/pi-coding-agent)
## Usage
### Launching Agent Sessions
```bash
mosaic pi # Launch Pi with Mosaic injection
mosaic claude # Launch Claude Code with Mosaic injection
mosaic codex # Launch Codex with Mosaic injection
mosaic opencode # Launch OpenCode with Mosaic injection
mosaic yolo claude # Claude with dangerous-permissions mode
mosaic yolo pi # Pi in yolo mode
```
The launcher verifies your config, checks for `SOUL.md`, injects your `AGENTS.md` standards into the runtime, and forwards all arguments.
### TUI & Gateway
```bash
mosaic tui # Interactive TUI connected to the gateway
mosaic gateway login # Authenticate with a gateway instance
mosaic sessions list # List active agent sessions
```
### Gateway Management
```bash
mosaic gateway install # Install and configure the gateway service
mosaic gateway verify # Post-install health check
mosaic gateway login # Authenticate and store a session token
mosaic gateway config rotate-token # Rotate your API token
mosaic gateway config recover-token # Recover a token via BetterAuth cookie
```
If you already have a gateway account but no token, use `mosaic gateway config recover-token` to retrieve one without recreating your account.
### Configuration
Mosaic supports three storage tiers: `local` (PGlite, single-host), `standalone` (PostgreSQL, single-host), and `federated` (PostgreSQL + pgvector + Valkey, multi-host). See [Federated Tier Setup](docs/federation/SETUP.md) for multi-user and production deployments, or [Migrating to Federated](docs/guides/migrate-tier.md) to upgrade from existing tiers.
```bash
mosaic config show # Print full config as JSON
mosaic config get <key> # Read a specific key
mosaic config set <key> <val># Write a key
mosaic config edit # Open config in $EDITOR
mosaic config path # Print config file path
```
### Management
```bash
mosaic doctor # Health audit — detect drift and missing files
mosaic sync # Sync skills from canonical source
mosaic update # Check for and install CLI updates
mosaic wizard # Full guided setup wizard
mosaic bootstrap <path> # Bootstrap a repo with Mosaic standards
mosaic coord init # Initialize a new orchestration mission
mosaic prdy init # Create a PRD via guided session
```
### Sub-package Commands
Each Mosaic sub-package exposes its API surface through the unified CLI:
```bash
# User management
mosaic auth users list
mosaic auth users create
mosaic auth sso
# Agent brain (projects, missions, tasks)
mosaic brain projects
mosaic brain missions
mosaic brain tasks
mosaic brain conversations
# Agent forge pipeline
mosaic forge run
mosaic forge status
mosaic forge resume
mosaic forge personas
# Structured logging
mosaic log tail
mosaic log search
mosaic log export
mosaic log level
# MACP protocol
mosaic macp tasks
mosaic macp submit
mosaic macp gate
mosaic macp events
# Agent memory
mosaic memory search
mosaic memory stats
mosaic memory insights
mosaic memory preferences
# Task queue (Valkey)
mosaic queue list
mosaic queue stats
mosaic queue pause
mosaic queue resume
mosaic queue jobs
mosaic queue drain
# Object storage
mosaic storage status
mosaic storage tier
mosaic storage export
mosaic storage import
mosaic storage migrate
```
### Telemetry
```bash
# Local observability (OTEL / Jaeger)
mosaic telemetry local status
mosaic telemetry local tail
mosaic telemetry local jaeger
# Remote telemetry (dry-run by default)
mosaic telemetry status
mosaic telemetry opt-in
mosaic telemetry opt-out
mosaic telemetry test
mosaic telemetry upload # Dry-run unless opted in
```
Consent state is persisted in config. Remote upload is a no-op until you run `mosaic telemetry opt-in`.
## Development
### Prerequisites
- Node.js ≥ 20
- pnpm 10.6+
- Docker & Docker Compose
### Setup
```bash
git clone git@git.mosaicstack.dev:mosaicstack/stack.git
cd stack
# Start infrastructure (Postgres, Valkey, Jaeger)
docker compose up -d
# Install dependencies
pnpm install
# Run migrations
pnpm --filter @mosaicstack/db run db:migrate
# Start all services in dev mode
pnpm dev
```
### Infrastructure
Docker Compose provides:
| Service | Port | Purpose |
| --------------------- | --------- | ---------------------- |
| PostgreSQL (pgvector) | 5433 | Primary database |
| Valkey | 6380 | Task queue + caching |
| Jaeger | 16686 | Distributed tracing UI |
| OTEL Collector | 4317/4318 | Telemetry ingestion |
### Quality Gates
```bash
pnpm typecheck # TypeScript type checking (all packages)
pnpm lint # ESLint (all packages)
pnpm test # Vitest (all packages)
pnpm format:check # Prettier check
pnpm format # Prettier auto-fix
```
### CI
Woodpecker CI runs on every push:
- `pnpm install --frozen-lockfile`
- Database migration against a fresh Postgres
- `pnpm test` (Turbo-orchestrated across all packages)
npm packages are published to the Gitea package registry on main merges.
## Architecture
```
stack/
├── apps/
│ ├── gateway/ NestJS API + WebSocket hub (Fastify, Socket.IO, OTEL)
│ └── web/ Next.js dashboard (React 19, Tailwind)
├── packages/
│ ├── mosaic/ Unified CLI — TUI, gateway client, wizard, sub-package commands
│ ├── types/ Shared TypeScript contracts (Socket.IO typed events)
│ ├── db/ Drizzle ORM schema + migrations (pgvector)
│ ├── auth/ BetterAuth configuration
│ ├── brain/ Data layer (PG-backed)
│ ├── queue/ Valkey task queue + MCP
│ ├── coord/ Mission coordination
│ ├── forge/ Multi-stage AI pipeline (intake → board → plan → code → review)
│ ├── macp/ MACP protocol — credential resolution, gate runner, events
│ ├── agent/ Agent session management
│ ├── memory/ Agent memory layer
│ ├── log/ Structured logging
│ ├── prdy/ PRD creation and validation
│ ├── quality-rails/ Quality templates (TypeScript, Next.js, monorepo)
│ └── design-tokens/ Shared design tokens
├── plugins/
│ ├── discord/ Discord channel plugin (discord.js)
│ ├── telegram/ Telegram channel plugin (Telegraf)
│ ├── macp/ OpenClaw MACP runtime plugin
│ └── mosaic-framework/ OpenClaw framework injection plugin
├── tools/
│ └── install.sh Unified installer (framework + npm CLI, --yes / --no-auto-launch)
├── scripts/agent/ Agent session lifecycle scripts
├── docker-compose.yml Dev infrastructure
└── .woodpecker/ CI pipeline configs
```
### Key Design Decisions
- **Gateway is the single API surface** — all clients (TUI, web, Discord, Telegram) connect through it
- **ESM everywhere** — `"type": "module"`, `.js` extensions in imports, NodeNext resolution
- **Socket.IO typed events** — defined in `@mosaicstack/types`, enforced at compile time
- **OTEL auto-instrumentation** — loads before NestJS bootstrap
- **Explicit `@Inject()` decorators** — required since tsx/esbuild doesn't emit decorator metadata
### Framework (`~/.config/mosaic/`)
The framework is the bash-based standards layer installed to every developer machine:
```
~/.config/mosaic/
├── AGENTS.md ← Central standards (loaded into every runtime)
├── SOUL.md ← Agent identity (name, style, guardrails)
├── USER.md ← User profile (name, timezone, preferences)
├── TOOLS.md ← Machine-level tool reference
├── bin/mosaic ← Unified launcher (claude, codex, opencode, pi, yolo)
├── guides/ ← E2E delivery, orchestrator protocol, PRD, etc.
├── runtime/ ← Per-runtime configs (claude/, codex/, opencode/, pi/)
├── skills/ ← Universal skills (synced from agent-skills repo)
├── tools/ ← Tool suites (orchestrator, git, quality, prdy, etc.)
└── memory/ ← Persistent agent memory (preserved across upgrades)
```
### Forge Pipeline
Forge is a multi-stage AI pipeline for autonomous feature delivery:
```
Intake → Discovery → Board Review → Planning (3 stages) → Coding → Review → Remediation → Test → Deploy
```
Each stage has a dispatch mode (`exec` for research/review, `yolo` for coding), quality gates, and timeouts. The board review uses multiple AI personas (CEO, CTO, CFO, COO + specialists) to evaluate briefs before committing resources.
## Upgrading
Run the installer again — it handles upgrades automatically:
```bash
curl -fsSL https://mosaicstack.dev/install.sh | bash
```
Or use the direct URL:
```bash
bash <(curl -fsSL https://git.mosaicstack.dev/mosaicstack/stack/raw/branch/main/tools/install.sh)
```
Or use the CLI:
```bash
mosaic update # Check + install CLI updates
mosaic update --check # Check only, don't install
```
The CLI also performs a background update check on every invocation (cached for 1 hour).
### Installer Flags
```bash
bash tools/install.sh --check # Version check only
bash tools/install.sh --framework # Framework only (skip npm CLI)
bash tools/install.sh --cli # npm CLI only (skip framework)
bash tools/install.sh --ref v1.0 # Install from a specific git ref
bash tools/install.sh --yes # Non-interactive, accept all defaults
bash tools/install.sh --no-auto-launch # Skip auto-launch of wizard
```
## Contributing
```bash
# Create a feature branch
git checkout -b feat/my-feature
# Make changes, then verify
pnpm typecheck && pnpm lint && pnpm test && pnpm format:check
# Commit (husky runs lint-staged automatically)
git commit -m "feat: description of change"
# Push and create PR
git push -u origin feat/my-feature
```
DTOs go in `*.dto.ts` files at module boundaries. Scratchpads (`docs/scratchpads/`) are mandatory for non-trivial tasks. See `AGENTS.md` for the full standards reference.
## License
Proprietary — all rights reserved.

62
apps/gateway/package.json
View File

@@ -1,23 +1,9 @@
{ {
"name": "@mosaicstack/gateway", "name": "@mosaic/gateway",
"version": "0.0.6", "version": "0.0.0",
"repository": { "private": true,
"type": "git",
"url": "https://git.mosaicstack.dev/mosaicstack/stack.git",
"directory": "apps/gateway"
},
"type": "module", "type": "module",
"main": "dist/main.js", "main": "dist/main.js",
"bin": {
"mosaic-gateway": "dist/main.js"
},
"files": [
"dist"
],
"publishConfig": {
"registry": "https://git.mosaicstack.dev/api/packages/mosaicstack/npm/",
"access": "public"
},
"scripts": { "scripts": {
"build": "tsc", "build": "tsc",
"dev": "tsx watch src/main.ts", "dev": "tsx watch src/main.ts",
@@ -26,68 +12,52 @@
"test": "vitest run --passWithNoTests" "test": "vitest run --passWithNoTests"
}, },
"dependencies": { "dependencies": {
"@anthropic-ai/sdk": "^0.80.0",
"@fastify/helmet": "^13.0.2", "@fastify/helmet": "^13.0.2",
"@mariozechner/pi-ai": "^0.65.0", "@mariozechner/pi-ai": "~0.57.1",
"@mariozechner/pi-coding-agent": "^0.65.0", "@mariozechner/pi-coding-agent": "~0.57.1",
"@modelcontextprotocol/sdk": "^1.27.1", "@modelcontextprotocol/sdk": "^1.27.1",
"@mosaicstack/auth": "workspace:^", "@mosaic/auth": "workspace:^",
"@mosaicstack/brain": "workspace:^", "@mosaic/queue": "workspace:^",
"@mosaicstack/config": "workspace:^", "@mosaic/brain": "workspace:^",
"@mosaicstack/coord": "workspace:^", "@mosaic/coord": "workspace:^",
"@mosaicstack/db": "workspace:^", "@mosaic/db": "workspace:^",
"@mosaicstack/discord-plugin": "workspace:^", "@mosaic/discord-plugin": "workspace:^",
"@mosaicstack/log": "workspace:^", "@mosaic/log": "workspace:^",
"@mosaicstack/memory": "workspace:^", "@mosaic/memory": "workspace:^",
"@mosaicstack/queue": "workspace:^", "@mosaic/telegram-plugin": "workspace:^",
"@mosaicstack/storage": "workspace:^", "@mosaic/types": "workspace:^",
"@mosaicstack/telegram-plugin": "workspace:^",
"@mosaicstack/types": "workspace:^",
"@nestjs/common": "^11.0.0", "@nestjs/common": "^11.0.0",
"@nestjs/core": "^11.0.0", "@nestjs/core": "^11.0.0",
"@nestjs/platform-fastify": "^11.0.0", "@nestjs/platform-fastify": "^11.0.0",
"@nestjs/platform-socket.io": "^11.0.0", "@nestjs/platform-socket.io": "^11.0.0",
"@nestjs/throttler": "^6.5.0", "@nestjs/throttler": "^6.5.0",
"@nestjs/websockets": "^11.0.0", "@nestjs/websockets": "^11.0.0",
"@opentelemetry/auto-instrumentations-node": "^0.72.0", "@opentelemetry/auto-instrumentations-node": "^0.71.0",
"@opentelemetry/exporter-metrics-otlp-http": "^0.213.0", "@opentelemetry/exporter-metrics-otlp-http": "^0.213.0",
"@opentelemetry/exporter-trace-otlp-http": "^0.213.0", "@opentelemetry/exporter-trace-otlp-http": "^0.213.0",
"@opentelemetry/resources": "^2.6.0", "@opentelemetry/resources": "^2.6.0",
"@opentelemetry/sdk-metrics": "^2.6.0", "@opentelemetry/sdk-metrics": "^2.6.0",
"@opentelemetry/sdk-node": "^0.213.0", "@opentelemetry/sdk-node": "^0.213.0",
"@opentelemetry/semantic-conventions": "^1.40.0", "@opentelemetry/semantic-conventions": "^1.40.0",
"@peculiar/x509": "^2.0.0",
"@sinclair/typebox": "^0.34.48", "@sinclair/typebox": "^0.34.48",
"better-auth": "^1.5.5", "better-auth": "^1.5.5",
"bullmq": "^5.71.0",
"class-transformer": "^0.5.1", "class-transformer": "^0.5.1",
"class-validator": "^0.15.1", "class-validator": "^0.15.1",
"dotenv": "^17.3.1", "dotenv": "^17.3.1",
"fastify": "^5.0.0", "fastify": "^5.0.0",
"ioredis": "^5.10.0",
"jose": "^6.2.2",
"node-cron": "^4.2.1", "node-cron": "^4.2.1",
"openai": "^6.32.0",
"postgres": "^3.4.8",
"reflect-metadata": "^0.2.0", "reflect-metadata": "^0.2.0",
"rxjs": "^7.8.0", "rxjs": "^7.8.0",
"socket.io": "^4.8.0", "socket.io": "^4.8.0",
"uuid": "^11.0.0", "uuid": "^11.0.0",
"undici": "^7.24.6",
"zod": "^4.3.6" "zod": "^4.3.6"
}, },
"devDependencies": { "devDependencies": {
"@nestjs/testing": "^11.1.18",
"@swc/core": "^1.15.24",
"@swc/helpers": "^0.5.21",
"@types/node": "^22.0.0", "@types/node": "^22.0.0",
"@types/node-cron": "^3.0.11", "@types/node-cron": "^3.0.11",
"@types/supertest": "^7.2.0",
"@types/uuid": "^10.0.0", "@types/uuid": "^10.0.0",
"supertest": "^7.2.2",
"tsx": "^4.0.0", "tsx": "^4.0.0",
"typescript": "^5.8.0", "typescript": "^5.8.0",
"unplugin-swc": "^1.5.9",
"vitest": "^2.0.0" "vitest": "^2.0.0"
} }
} }

605
apps/gateway/src/__tests__/conversation-persistence.test.ts
View File

@@ -1,605 +0,0 @@
/**
* Integration tests for conversation persistence and context resume (M1-008).
*
* Verifies the full flow end-to-end using in-memory mocks:
* 1. User messages are persisted when sent via ChatGateway.
* 2. Assistant responses are persisted with metadata on agent:end.
* 3. Conversation history is loaded and injected into context on session resume.
* 4. The search endpoint returns matching messages.
*/
import { BadRequestException, NotFoundException } from '@nestjs/common';
import { describe, expect, it, vi, beforeEach } from 'vitest';
import type { ConversationHistoryMessage } from '../agent/agent.service.js';
import { ConversationsController } from '../conversations/conversations.controller.js';
import type { Message } from '@mosaicstack/brain';
// ---------------------------------------------------------------------------
// Shared test data
// ---------------------------------------------------------------------------
const USER_ID = 'user-test-001';
const CONV_ID = 'conv-test-001';
function makeConversation(overrides?: Record<string, unknown>) {
return {
id: CONV_ID,
userId: USER_ID,
title: null,
projectId: null,
archived: false,
createdAt: new Date('2026-01-01T00:00:00Z'),
updatedAt: new Date('2026-01-01T00:00:00Z'),
...overrides,
};
}
function makeMessage(
role: 'user' | 'assistant' | 'system',
content: string,
overrides?: Record<string, unknown>,
) {
return {
id: `msg-${role}-${Math.random().toString(36).slice(2)}`,
conversationId: CONV_ID,
role,
content,
metadata: null,
createdAt: new Date('2026-01-01T00:01:00Z'),
...overrides,
};
}
// ---------------------------------------------------------------------------
// Helper: build a mock ConversationsRepo
// ---------------------------------------------------------------------------
function createMockBrain(options?: {
conversation?: ReturnType<typeof makeConversation> | undefined;
messages?: ReturnType<typeof makeMessage>[];
searchResults?: Array<{
messageId: string;
conversationId: string;
conversationTitle: string | null;
role: 'user' | 'assistant' | 'system';
content: string;
createdAt: Date;
}>;
}) {
const conversation = options?.conversation;
const messages = options?.messages ?? [];
const searchResults = options?.searchResults ?? [];
return {
conversations: {
findAll: vi.fn().mockResolvedValue(conversation ? [conversation] : []),
findById: vi.fn().mockResolvedValue(conversation),
create: vi.fn().mockResolvedValue(conversation ?? makeConversation()),
update: vi.fn().mockResolvedValue(conversation),
remove: vi.fn().mockResolvedValue(true),
findMessages: vi.fn().mockResolvedValue(messages),
addMessage: vi.fn().mockImplementation((data: unknown) => {
const d = data as {
conversationId: string;
role: 'user' | 'assistant' | 'system';
content: string;
metadata?: Record<string, unknown>;
};
return Promise.resolve(makeMessage(d.role, d.content, { metadata: d.metadata ?? null }));
}),
searchMessages: vi.fn().mockResolvedValue(searchResults),
},
};
}
// ---------------------------------------------------------------------------
// 1. ConversationsRepo: addMessage persists user message
// ---------------------------------------------------------------------------
describe('ConversationsRepo.addMessage — user message persistence', () => {
it('persists a user message and returns the saved record', async () => {
const brain = createMockBrain({ conversation: makeConversation() });
const result = await brain.conversations.addMessage(
{
conversationId: CONV_ID,
role: 'user',
content: 'Hello, agent!',
metadata: { timestamp: '2026-01-01T00:01:00.000Z' },
},
USER_ID,
);
expect(brain.conversations.addMessage).toHaveBeenCalledOnce();
expect(result).toBeDefined();
expect(result!.role).toBe('user');
expect(result!.content).toBe('Hello, agent!');
expect(result!.conversationId).toBe(CONV_ID);
});
it('returns undefined when conversation does not belong to the user', async () => {
// Simulate the repo enforcement: ownership mismatch returns undefined
const brain = createMockBrain({ conversation: undefined });
brain.conversations.addMessage = vi.fn().mockResolvedValue(undefined);
const result = await brain.conversations.addMessage(
{ conversationId: CONV_ID, role: 'user', content: 'Hello' },
'other-user',
);
expect(result).toBeUndefined();
});
});
// ---------------------------------------------------------------------------
// 2. ConversationsRepo.addMessage — assistant response with metadata
// ---------------------------------------------------------------------------
describe('ConversationsRepo.addMessage — assistant response metadata', () => {
it('persists assistant message with model, provider, tokens and toolCalls metadata', async () => {
const assistantMetadata = {
timestamp: '2026-01-01T00:02:00.000Z',
model: 'claude-3-5-sonnet-20241022',
provider: 'anthropic',
toolCalls: [
{
toolCallId: 'tc-001',
toolName: 'read_file',
args: { path: '/foo/bar.ts' },
isError: false,
},
],
tokenUsage: {
input: 1000,
output: 250,
cacheRead: 0,
cacheWrite: 0,
total: 1250,
},
};
const brain = createMockBrain({ conversation: makeConversation() });
const result = await brain.conversations.addMessage(
{
conversationId: CONV_ID,
role: 'assistant',
content: 'Here is the file content you requested.',
metadata: assistantMetadata,
},
USER_ID,
);
expect(result).toBeDefined();
expect(result!.role).toBe('assistant');
expect(result!.content).toBe('Here is the file content you requested.');
expect(result!.metadata).toMatchObject({
model: 'claude-3-5-sonnet-20241022',
provider: 'anthropic',
tokenUsage: { input: 1000, output: 250, total: 1250 },
});
expect((result!.metadata as Record<string, unknown>)['toolCalls']).toHaveLength(1);
expect(
(
(result!.metadata as Record<string, unknown>)['toolCalls'] as Array<Record<string, unknown>>
)[0]!['toolName'],
).toBe('read_file');
});
});
// ---------------------------------------------------------------------------
// 3. ChatGateway.loadConversationHistory — session resume loads history
// ---------------------------------------------------------------------------
describe('Conversation resume — history loading', () => {
it('maps DB messages to ConversationHistoryMessage shape', () => {
// Simulate what ChatGateway.loadConversationHistory does:
// convert DB Message rows to ConversationHistoryMessage for context injection.
const dbMessages = [
makeMessage('user', 'What is the capital of France?', {
createdAt: new Date('2026-01-01T00:01:00Z'),
}),
makeMessage('assistant', 'The capital of France is Paris.', {
createdAt: new Date('2026-01-01T00:01:05Z'),
}),
makeMessage('user', 'And Germany?', { createdAt: new Date('2026-01-01T00:02:00Z') }),
makeMessage('assistant', 'The capital of Germany is Berlin.', {
createdAt: new Date('2026-01-01T00:02:05Z'),
}),
];
// Replicate the mapping logic from ChatGateway
const history: ConversationHistoryMessage[] = dbMessages.map((msg) => ({
role: msg.role as 'user' | 'assistant' | 'system',
content: msg.content,
createdAt: msg.createdAt,
}));
expect(history).toHaveLength(4);
expect(history[0]).toEqual({
role: 'user',
content: 'What is the capital of France?',
createdAt: new Date('2026-01-01T00:01:00Z'),
});
expect(history[1]).toEqual({
role: 'assistant',
content: 'The capital of France is Paris.',
createdAt: new Date('2026-01-01T00:01:05Z'),
});
expect(history[2]!.role).toBe('user');
expect(history[3]!.role).toBe('assistant');
});
it('returns empty array when conversation has no messages', async () => {
const brain = createMockBrain({ conversation: makeConversation(), messages: [] });
const messages = await brain.conversations.findMessages(CONV_ID, USER_ID);
expect(messages).toHaveLength(0);
// Gateway produces empty history → no context injection
const history: ConversationHistoryMessage[] = (messages as Message[]).map((msg) => ({
role: msg.role as 'user' | 'assistant' | 'system',
content: msg.content,
createdAt: msg.createdAt,
}));
expect(history).toHaveLength(0);
});
it('returns empty array when conversation does not belong to the user', async () => {
const brain = createMockBrain({ conversation: undefined });
brain.conversations.findMessages = vi.fn().mockResolvedValue([]);
const messages = await brain.conversations.findMessages(CONV_ID, 'other-user');
expect(messages).toHaveLength(0);
});
it('preserves message order (ascending by createdAt)', async () => {
const ordered = [
makeMessage('user', 'First', { createdAt: new Date('2026-01-01T00:01:00Z') }),
makeMessage('assistant', 'Second', { createdAt: new Date('2026-01-01T00:01:05Z') }),
makeMessage('user', 'Third', { createdAt: new Date('2026-01-01T00:02:00Z') }),
];
const brain = createMockBrain({ conversation: makeConversation(), messages: ordered });
const messages = await brain.conversations.findMessages(CONV_ID, USER_ID);
expect(messages[0]!.content).toBe('First');
expect(messages[1]!.content).toBe('Second');
expect(messages[2]!.content).toBe('Third');
});
});
// ---------------------------------------------------------------------------
// 4. AgentService.buildHistoryPromptSection — context injection format
// ---------------------------------------------------------------------------
describe('AgentService — buildHistoryPromptSection (context injection)', () => {
/**
* Replicate the private method logic to test it in isolation.
* The real method lives in AgentService but is private; we mirror the
* exact logic here so the test is independent of the service's constructor.
*/
function buildHistoryPromptSection(
history: ConversationHistoryMessage[],
contextWindow: number,
_sessionId: string,
): string {
const TOKEN_BUDGET = Math.floor(contextWindow * 0.8);
const HISTORY_HEADER = '## Conversation History (resumed session)\n\n';
const formatMessage = (msg: ConversationHistoryMessage): string => {
const roleLabel =
msg.role === 'user' ? 'User' : msg.role === 'assistant' ? 'Assistant' : 'System';
return `**${roleLabel}:** ${msg.content}`;
};
const estimateTokens = (text: string) => Math.ceil(text.length / 4);
const formatted = history.map((msg) => formatMessage(msg));
const fullHistory = formatted.join('\n\n');
const fullTokens = estimateTokens(HISTORY_HEADER + fullHistory);
if (fullTokens <= TOKEN_BUDGET) {
return HISTORY_HEADER + fullHistory;
}
// History exceeds budget — summarize oldest messages, keep recent verbatim
const SUMMARY_RESERVE = Math.floor(TOKEN_BUDGET * 0.2);
const verbatimBudget = TOKEN_BUDGET - SUMMARY_RESERVE;
let verbatimTokens = 0;
let verbatimCutIndex = history.length;
for (let i = history.length - 1; i >= 0; i--) {
const t = estimateTokens(formatted[i]!);
if (verbatimTokens + t > verbatimBudget) break;
verbatimTokens += t;
verbatimCutIndex = i;
}
const summarizedMessages = history.slice(0, verbatimCutIndex);
const verbatimMessages = history.slice(verbatimCutIndex);
let summaryText = '';
if (summarizedMessages.length > 0) {
const topics = summarizedMessages
.filter((m) => m.role === 'user')
.map((m) => m.content.slice(0, 120).replace(/\n/g, ' '))
.join('; ');
summaryText =
`**Previous conversation summary** (${summarizedMessages.length} messages omitted for brevity):\n` +
`Topics discussed: ${topics || '(no user messages in summarized portion)'}`;
}
const verbatimSection = verbatimMessages.map((m) => formatMessage(m)).join('\n\n');
const parts: string[] = [HISTORY_HEADER];
if (summaryText) parts.push(summaryText);
if (verbatimSection) parts.push(verbatimSection);
return parts.join('\n\n');
}
it('includes header and all messages when history fits within context budget', () => {
const history: ConversationHistoryMessage[] = [
{ role: 'user', content: 'Hello', createdAt: new Date() },
{ role: 'assistant', content: 'Hi there!', createdAt: new Date() },
];
const result = buildHistoryPromptSection(history, 8192, 'session-1');
expect(result).toContain('## Conversation History (resumed session)');
expect(result).toContain('**User:** Hello');
expect(result).toContain('**Assistant:** Hi there!');
});
it('labels roles correctly (user, assistant, system)', () => {
const history: ConversationHistoryMessage[] = [
{ role: 'system', content: 'You are helpful.', createdAt: new Date() },
{ role: 'user', content: 'Ping', createdAt: new Date() },
{ role: 'assistant', content: 'Pong', createdAt: new Date() },
];
const result = buildHistoryPromptSection(history, 8192, 'session-2');
expect(result).toContain('**System:** You are helpful.');
expect(result).toContain('**User:** Ping');
expect(result).toContain('**Assistant:** Pong');
});
it('summarizes old messages when history exceeds 80% of context window', () => {
// Create enough messages to exceed a tiny context window budget
const longContent = 'A'.repeat(200);
const history: ConversationHistoryMessage[] = Array.from({ length: 20 }, (_, i) => ({
role: (i % 2 === 0 ? 'user' : 'assistant') as 'user' | 'assistant',
content: `${longContent} message ${i}`,
createdAt: new Date(),
}));
// Use a small context window so history definitely exceeds 80%
const result = buildHistoryPromptSection(history, 512, 'session-3');
// Should contain the summary prefix
expect(result).toContain('messages omitted for brevity');
expect(result).toContain('Topics discussed:');
});
it('returns only header for empty history', () => {
const result = buildHistoryPromptSection([], 8192, 'session-4');
// With empty history, the full history join is '' and the section is just the header
expect(result).toContain('## Conversation History (resumed session)');
});
});
// ---------------------------------------------------------------------------
// 5. ConversationsController.search — GET /api/conversations/search
// ---------------------------------------------------------------------------
describe('ConversationsController — search endpoint', () => {
let brain: ReturnType<typeof createMockBrain>;
let controller: ConversationsController;
beforeEach(() => {
const searchResults = [
{
messageId: 'msg-001',
conversationId: CONV_ID,
conversationTitle: 'Test Chat',
role: 'user' as const,
content: 'What is the capital of France?',
createdAt: new Date('2026-01-01T00:01:00Z'),
},
{
messageId: 'msg-002',
conversationId: CONV_ID,
conversationTitle: 'Test Chat',
role: 'assistant' as const,
content: 'The capital of France is Paris.',
createdAt: new Date('2026-01-01T00:01:05Z'),
},
];
brain = createMockBrain({ searchResults });
controller = new ConversationsController(brain as never);
});
it('returns matching messages for a valid search query', async () => {
const results = await controller.search({ q: 'France' }, { id: USER_ID });
expect(brain.conversations.searchMessages).toHaveBeenCalledWith(USER_ID, 'France', 20, 0);
expect(results).toHaveLength(2);
expect(results[0]).toMatchObject({
messageId: 'msg-001',
role: 'user',
content: 'What is the capital of France?',
});
expect(results[1]).toMatchObject({
messageId: 'msg-002',
role: 'assistant',
content: 'The capital of France is Paris.',
});
});
it('uses custom limit and offset when provided', async () => {
await controller.search({ q: 'Paris', limit: 5, offset: 10 }, { id: USER_ID });
expect(brain.conversations.searchMessages).toHaveBeenCalledWith(USER_ID, 'Paris', 5, 10);
});
it('throws BadRequestException when query is empty', async () => {
await expect(controller.search({ q: '' }, { id: USER_ID })).rejects.toBeInstanceOf(
BadRequestException,
);
await expect(controller.search({ q: ' ' }, { id: USER_ID })).rejects.toBeInstanceOf(
BadRequestException,
);
});
it('trims whitespace from query before passing to repo', async () => {
await controller.search({ q: ' Berlin ' }, { id: USER_ID });
expect(brain.conversations.searchMessages).toHaveBeenCalledWith(
USER_ID,
'Berlin',
expect.any(Number),
expect.any(Number),
);
});
it('returns empty array when no messages match', async () => {
brain.conversations.searchMessages = vi.fn().mockResolvedValue([]);
const results = await controller.search({ q: 'xyzzy-no-match' }, { id: USER_ID });
expect(results).toHaveLength(0);
});
});
// ---------------------------------------------------------------------------
// 6. ConversationsController — messages CRUD
// ---------------------------------------------------------------------------
describe('ConversationsController — message CRUD', () => {
it('listMessages returns 404 when conversation is not owned by user', async () => {
const brain = createMockBrain({ conversation: undefined });
const controller = new ConversationsController(brain as never);
await expect(controller.listMessages(CONV_ID, { id: USER_ID })).rejects.toBeInstanceOf(
NotFoundException,
);
});
it('listMessages returns the messages for an owned conversation', async () => {
const msgs = [makeMessage('user', 'Test message'), makeMessage('assistant', 'Test reply')];
const brain = createMockBrain({ conversation: makeConversation(), messages: msgs });
const controller = new ConversationsController(brain as never);
const result = await controller.listMessages(CONV_ID, { id: USER_ID });
expect(result).toHaveLength(2);
expect(result[0]!.role).toBe('user');
expect(result[1]!.role).toBe('assistant');
});
it('addMessage returns the persisted message', async () => {
const brain = createMockBrain({ conversation: makeConversation() });
const controller = new ConversationsController(brain as never);
const result = await controller.addMessage(
CONV_ID,
{ role: 'user', content: 'Persisted content' },
{ id: USER_ID },
);
expect(result).toBeDefined();
expect(result.role).toBe('user');
expect(result.content).toBe('Persisted content');
});
});
// ---------------------------------------------------------------------------
// 7. End-to-end persistence flow simulation
// ---------------------------------------------------------------------------
describe('End-to-end persistence flow', () => {
it('simulates a full conversation: persist user message → persist assistant response → resume with history', async () => {
// ── Step 1: Conversation is created ────────────────────────────────────
const brain = createMockBrain({ conversation: makeConversation() });
await brain.conversations.create({ id: CONV_ID, userId: USER_ID });
expect(brain.conversations.create).toHaveBeenCalledOnce();
// ── Step 2: User message is persisted ──────────────────────────────────
const userMsg = await brain.conversations.addMessage(
{
conversationId: CONV_ID,
role: 'user',
content: 'Explain monads in simple terms.',
metadata: { timestamp: '2026-01-01T00:01:00.000Z' },
},
USER_ID,
);
expect(userMsg).toBeDefined();
expect(userMsg!.role).toBe('user');
// ── Step 3: Assistant response is persisted with metadata ───────────────
const assistantMeta = {
timestamp: '2026-01-01T00:01:10.000Z',
model: 'claude-3-5-sonnet-20241022',
provider: 'anthropic',
toolCalls: [],
tokenUsage: { input: 500, output: 120, cacheRead: 0, cacheWrite: 0, total: 620 },
};
const assistantMsg = await brain.conversations.addMessage(
{
conversationId: CONV_ID,
role: 'assistant',
content: 'A monad is a design pattern that wraps values in a context...',
metadata: assistantMeta,
},
USER_ID,
);
expect(assistantMsg).toBeDefined();
expect(assistantMsg!.role).toBe('assistant');
// ── Step 4: On session resume, history is loaded ────────────────────────
const storedMessages = [
makeMessage('user', 'Explain monads in simple terms.', {
createdAt: new Date('2026-01-01T00:01:00Z'),
metadata: { timestamp: '2026-01-01T00:01:00.000Z' },
}),
makeMessage('assistant', 'A monad is a design pattern that wraps values in a context...', {
createdAt: new Date('2026-01-01T00:01:10Z'),
metadata: assistantMeta,
}),
];
brain.conversations.findMessages = vi.fn().mockResolvedValue(storedMessages);
const dbMessages = await brain.conversations.findMessages(CONV_ID, USER_ID);
expect(dbMessages).toHaveLength(2);
// ── Step 5: History is mapped for context injection ─────────────────────
const history: ConversationHistoryMessage[] = (dbMessages as Message[]).map((msg) => ({
role: msg.role as 'user' | 'assistant' | 'system',
content: msg.content,
createdAt: msg.createdAt,
}));
expect(history[0]).toMatchObject({
role: 'user',
content: 'Explain monads in simple terms.',
});
expect(history[1]).toMatchObject({
role: 'assistant',
content: 'A monad is a design pattern that wraps values in a context...',
});
// ── Step 6: History roles are valid for injection ───────────────────────
for (const msg of history) {
expect(['user', 'assistant', 'system']).toContain(msg.role);
expect(typeof msg.content).toBe('string');
expect(msg.createdAt).toBeInstanceOf(Date);
}
});
});

485
apps/gateway/src/__tests__/cross-user-isolation.test.ts
View File

@@ -1,485 +0,0 @@
/**
* Integration test: Cross-user data isolation (M2-007)
*
* Verifies that every repository query path is scoped to the requesting user —
* no user can read, write, or enumerate another user's records.
*
* Test strategy:
* - Two real users (User A, User B) are inserted directly into the database.
* - Realistic data (conversations + messages, agent configs, preferences,
* insights) is created for each user.
* - A shared system agent is inserted so both users can see it via
* findAccessible().
* - All assertions are made against the live database (no mocks).
* - All inserted rows are cleaned up in the afterAll hook.
*
* Requires: DATABASE_URL pointing at a running PostgreSQL instance with
* pgvector enabled and the Mosaic schema already applied.
*/
import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
import { createDb } from '@mosaicstack/db';
import { createConversationsRepo } from '@mosaicstack/brain';
import { createAgentsRepo } from '@mosaicstack/brain';
import { createPreferencesRepo, createInsightsRepo } from '@mosaicstack/memory';
import { users, conversations, messages, agents, preferences, insights } from '@mosaicstack/db';
import { eq } from '@mosaicstack/db';
import type { DbHandle } from '@mosaicstack/db';
// ─── Fixed IDs so the afterAll cleanup is deterministic ──────────────────────
const USER_A_ID = 'test-iso-user-a';
const USER_B_ID = 'test-iso-user-b';
const CONV_A_ID = 'aaaaaaaa-0000-0000-0000-000000000001';
const CONV_B_ID = 'bbbbbbbb-0000-0000-0000-000000000001';
const MSG_A_ID = 'aaaaaaaa-0000-0000-0000-000000000002';
const MSG_B_ID = 'bbbbbbbb-0000-0000-0000-000000000002';
const AGENT_A_ID = 'aaaaaaaa-0000-0000-0000-000000000003';
const AGENT_B_ID = 'bbbbbbbb-0000-0000-0000-000000000003';
const AGENT_SYS_ID = 'ffffffff-0000-0000-0000-000000000001';
const PREF_A_ID = 'aaaaaaaa-0000-0000-0000-000000000004';
const PREF_B_ID = 'bbbbbbbb-0000-0000-0000-000000000004';
const INSIGHT_A_ID = 'aaaaaaaa-0000-0000-0000-000000000005';
const INSIGHT_B_ID = 'bbbbbbbb-0000-0000-0000-000000000005';
// ─── Test fixture ─────────────────────────────────────────────────────────────
let handle: DbHandle;
let dbAvailable = false;
beforeAll(async () => {
try {
handle = createDb();
const db = handle.db;
// Insert two users
await db
.insert(users)
.values([
{
id: USER_A_ID,
name: 'Isolation Test User A',
email: 'test-iso-user-a@example.invalid',
emailVerified: false,
},
{
id: USER_B_ID,
name: 'Isolation Test User B',
email: 'test-iso-user-b@example.invalid',
emailVerified: false,
},
])
.onConflictDoNothing();
// Conversations — one per user
await db
.insert(conversations)
.values([
{ id: CONV_A_ID, userId: USER_A_ID, title: 'User A conversation' },
{ id: CONV_B_ID, userId: USER_B_ID, title: 'User B conversation' },
])
.onConflictDoNothing();
// Messages — one per conversation
await db
.insert(messages)
.values([
{
id: MSG_A_ID,
conversationId: CONV_A_ID,
role: 'user',
content: 'Hello from User A',
},
{
id: MSG_B_ID,
conversationId: CONV_B_ID,
role: 'user',
content: 'Hello from User B',
},
])
.onConflictDoNothing();
// Agent configs — private agents (one per user) + one system agent
await db
.insert(agents)
.values([
{
id: AGENT_A_ID,
name: 'Agent A (private)',
provider: 'test',
model: 'test-model',
ownerId: USER_A_ID,
isSystem: false,
},
{
id: AGENT_B_ID,
name: 'Agent B (private)',
provider: 'test',
model: 'test-model',
ownerId: USER_B_ID,
isSystem: false,
},
{
id: AGENT_SYS_ID,
name: 'Shared System Agent',
provider: 'test',
model: 'test-model',
ownerId: null,
isSystem: true,
},
])
.onConflictDoNothing();
// Preferences — one per user (same key, different values)
await db
.insert(preferences)
.values([
{
id: PREF_A_ID,
userId: USER_A_ID,
key: 'theme',
value: 'dark',
category: 'appearance',
},
{
id: PREF_B_ID,
userId: USER_B_ID,
key: 'theme',
value: 'light',
category: 'appearance',
},
])
.onConflictDoNothing();
// Insights — no embedding to keep the fixture simple; embedding-based search
// is tested separately with a zero-vector that falls outside maxDistance
await db
.insert(insights)
.values([
{
id: INSIGHT_A_ID,
userId: USER_A_ID,
content: 'User A insight',
source: 'user',
category: 'general',
relevanceScore: 1.0,
},
{
id: INSIGHT_B_ID,
userId: USER_B_ID,
content: 'User B insight',
source: 'user',
category: 'general',
relevanceScore: 1.0,
},
])
.onConflictDoNothing();
dbAvailable = true;
} catch {
// Database is not reachable (e.g., CI environment without Postgres on port 5433).
// All tests in this suite will be skipped.
}
});
// Skip all tests in this file when the database is not reachable (e.g., CI without Postgres).
beforeEach((ctx) => {
if (!dbAvailable) {
ctx.skip();
}
});
afterAll(async () => {
if (!handle) return;
const db = handle.db;
// Delete in dependency order (FK constraints)
await db.delete(messages).where(eq(messages.id, MSG_A_ID));
await db.delete(messages).where(eq(messages.id, MSG_B_ID));
await db.delete(conversations).where(eq(conversations.id, CONV_A_ID));
await db.delete(conversations).where(eq(conversations.id, CONV_B_ID));
await db.delete(agents).where(eq(agents.id, AGENT_A_ID));
await db.delete(agents).where(eq(agents.id, AGENT_B_ID));
await db.delete(agents).where(eq(agents.id, AGENT_SYS_ID));
await db.delete(preferences).where(eq(preferences.id, PREF_A_ID));
await db.delete(preferences).where(eq(preferences.id, PREF_B_ID));
await db.delete(insights).where(eq(insights.id, INSIGHT_A_ID));
await db.delete(insights).where(eq(insights.id, INSIGHT_B_ID));
await db.delete(users).where(eq(users.id, USER_A_ID));
await db.delete(users).where(eq(users.id, USER_B_ID));
await handle.close();
});
// ─── Conversations isolation ──────────────────────────────────────────────────
describe('ConversationsRepo — cross-user isolation', () => {
it('User A can find their own conversation by id', async () => {
const repo = createConversationsRepo(handle.db);
const conv = await repo.findById(CONV_A_ID, USER_A_ID);
expect(conv).toBeDefined();
expect(conv!.id).toBe(CONV_A_ID);
});
it('User B cannot find User A conversation by id (returns undefined)', async () => {
const repo = createConversationsRepo(handle.db);
const conv = await repo.findById(CONV_A_ID, USER_B_ID);
expect(conv).toBeUndefined();
});
it('User A cannot find User B conversation by id (returns undefined)', async () => {
const repo = createConversationsRepo(handle.db);
const conv = await repo.findById(CONV_B_ID, USER_A_ID);
expect(conv).toBeUndefined();
});
it('findAll returns only own conversations for User A', async () => {
const repo = createConversationsRepo(handle.db);
const convs = await repo.findAll(USER_A_ID);
const ids = convs.map((c) => c.id);
expect(ids).toContain(CONV_A_ID);
expect(ids).not.toContain(CONV_B_ID);
});
it('findAll returns only own conversations for User B', async () => {
const repo = createConversationsRepo(handle.db);
const convs = await repo.findAll(USER_B_ID);
const ids = convs.map((c) => c.id);
expect(ids).toContain(CONV_B_ID);
expect(ids).not.toContain(CONV_A_ID);
});
});
// ─── Messages isolation ───────────────────────────────────────────────────────
describe('ConversationsRepo.findMessages — cross-user isolation', () => {
it('User A can read messages from their own conversation', async () => {
const repo = createConversationsRepo(handle.db);
const msgs = await repo.findMessages(CONV_A_ID, USER_A_ID);
const ids = msgs.map((m) => m.id);
expect(ids).toContain(MSG_A_ID);
});
it('User B cannot read messages from User A conversation (returns empty array)', async () => {
const repo = createConversationsRepo(handle.db);
const msgs = await repo.findMessages(CONV_A_ID, USER_B_ID);
expect(msgs).toHaveLength(0);
});
it('User A cannot read messages from User B conversation (returns empty array)', async () => {
const repo = createConversationsRepo(handle.db);
const msgs = await repo.findMessages(CONV_B_ID, USER_A_ID);
expect(msgs).toHaveLength(0);
});
it('addMessage is rejected when user does not own the conversation', async () => {
const repo = createConversationsRepo(handle.db);
const result = await repo.addMessage(
{
conversationId: CONV_A_ID,
role: 'user',
content: 'Attempted injection by User B',
},
USER_B_ID,
);
expect(result).toBeUndefined();
});
});
// ─── Agent configs isolation ──────────────────────────────────────────────────
describe('AgentsRepo.findAccessible — cross-user isolation', () => {
it('User A sees their own private agent', async () => {
const repo = createAgentsRepo(handle.db);
const accessible = await repo.findAccessible(USER_A_ID);
const ids = accessible.map((a) => a.id);
expect(ids).toContain(AGENT_A_ID);
});
it('User A does NOT see User B private agent', async () => {
const repo = createAgentsRepo(handle.db);
const accessible = await repo.findAccessible(USER_A_ID);
const ids = accessible.map((a) => a.id);
expect(ids).not.toContain(AGENT_B_ID);
});
it('User B does NOT see User A private agent', async () => {
const repo = createAgentsRepo(handle.db);
const accessible = await repo.findAccessible(USER_B_ID);
const ids = accessible.map((a) => a.id);
expect(ids).not.toContain(AGENT_A_ID);
});
it('Both users can see the shared system agent', async () => {
const repo = createAgentsRepo(handle.db);
const accessibleA = await repo.findAccessible(USER_A_ID);
const accessibleB = await repo.findAccessible(USER_B_ID);
expect(accessibleA.map((a) => a.id)).toContain(AGENT_SYS_ID);
expect(accessibleB.map((a) => a.id)).toContain(AGENT_SYS_ID);
});
it('findSystem returns the system agent for any caller', async () => {
const repo = createAgentsRepo(handle.db);
const system = await repo.findSystem();
const ids = system.map((a) => a.id);
expect(ids).toContain(AGENT_SYS_ID);
});
it('update with ownerId prevents User B from modifying User A agent', async () => {
const repo = createAgentsRepo(handle.db);
const result = await repo.update(AGENT_A_ID, { model: 'hacked' }, USER_B_ID);
expect(result).toBeUndefined();
// Verify the agent was not actually mutated
const unchanged = await repo.findById(AGENT_A_ID);
expect(unchanged?.model).toBe('test-model');
});
it('remove prevents User B from deleting User A agent', async () => {
const repo = createAgentsRepo(handle.db);
const deleted = await repo.remove(AGENT_A_ID, USER_B_ID);
expect(deleted).toBe(false);
// Verify the agent still exists
const still = await repo.findById(AGENT_A_ID);
expect(still).toBeDefined();
});
});
// ─── Preferences isolation ────────────────────────────────────────────────────
describe('PreferencesRepo — cross-user isolation', () => {
it('User A can retrieve their own preferences', async () => {
const repo = createPreferencesRepo(handle.db);
const prefs = await repo.findByUser(USER_A_ID);
const ids = prefs.map((p) => p.id);
expect(ids).toContain(PREF_A_ID);
});
it('User A preferences do not contain User B preferences', async () => {
const repo = createPreferencesRepo(handle.db);
const prefs = await repo.findByUser(USER_A_ID);
const ids = prefs.map((p) => p.id);
expect(ids).not.toContain(PREF_B_ID);
});
it('User B preferences do not contain User A preferences', async () => {
const repo = createPreferencesRepo(handle.db);
const prefs = await repo.findByUser(USER_B_ID);
const ids = prefs.map((p) => p.id);
expect(ids).not.toContain(PREF_A_ID);
});
it('findByUserAndKey is scoped to the requesting user', async () => {
const repo = createPreferencesRepo(handle.db);
// Both users have key "theme" — each should only see their own value
const prefA = await repo.findByUserAndKey(USER_A_ID, 'theme');
const prefB = await repo.findByUserAndKey(USER_B_ID, 'theme');
expect(prefA).toBeDefined();
// Drizzle returns JSONB values as parsed JS values; '"dark"' (JSON string) → 'dark'
expect(prefA!.value).toBe('dark');
expect(prefB).toBeDefined();
expect(prefB!.value).toBe('light');
});
it('remove is scoped to the requesting user (cannot delete another user pref)', async () => {
const repo = createPreferencesRepo(handle.db);
// User B tries to delete User A's "theme" preference — should silently fail
const deleted = await repo.remove(USER_B_ID, 'theme');
// This only deletes USER_B's own "theme" row; re-insert it for afterAll cleanup
expect(deleted).toBe(true); // deletes User B's OWN theme pref
// User A's theme pref must be untouched
const prefA = await repo.findByUserAndKey(USER_A_ID, 'theme');
expect(prefA).toBeDefined();
// Re-insert User B's preference so afterAll cleanup still finds it
await repo.upsert({
id: PREF_B_ID,
userId: USER_B_ID,
key: 'theme',
value: 'light',
category: 'appearance',
});
});
});
// ─── Insights isolation ───────────────────────────────────────────────────────
describe('InsightsRepo — cross-user isolation', () => {
it('User A can retrieve their own insights', async () => {
const repo = createInsightsRepo(handle.db);
const list = await repo.findByUser(USER_A_ID);
const ids = list.map((i) => i.id);
expect(ids).toContain(INSIGHT_A_ID);
});
it('User A insights do not contain User B insights', async () => {
const repo = createInsightsRepo(handle.db);
const list = await repo.findByUser(USER_A_ID);
const ids = list.map((i) => i.id);
expect(ids).not.toContain(INSIGHT_B_ID);
});
it('User B insights do not contain User A insights', async () => {
const repo = createInsightsRepo(handle.db);
const list = await repo.findByUser(USER_B_ID);
const ids = list.map((i) => i.id);
expect(ids).not.toContain(INSIGHT_A_ID);
});
it('findById is scoped to the requesting user', async () => {
const repo = createInsightsRepo(handle.db);
const own = await repo.findById(INSIGHT_A_ID, USER_A_ID);
const cross = await repo.findById(INSIGHT_A_ID, USER_B_ID);
expect(own).toBeDefined();
expect(cross).toBeUndefined();
});
it('searchByEmbedding returns only own insights', async () => {
const repo = createInsightsRepo(handle.db);
// Our test insights have no embedding — the query filters WHERE embedding IS NOT NULL
// so the result set is empty, which already proves no cross-user leakage.
// Using a 1536-dimension zero vector as the query embedding.
const zeroVector = Array<number>(1536).fill(0);
const resultsA = await repo.searchByEmbedding(USER_A_ID, zeroVector, 50, 2.0);
const resultsB = await repo.searchByEmbedding(USER_B_ID, zeroVector, 50, 2.0);
// The raw SQL query returns row objects directly (not wrapped in { insight }).
// Cast via unknown to extract id safely regardless of the return shape.
const toId = (r: unknown): string =>
((r as Record<string, unknown>)['id'] as string | undefined) ??
((r as Record<string, Record<string, unknown>>)['insight']?.['id'] as string | undefined) ??
'';
const idsInA = resultsA.map(toId);
const idsInB = resultsB.map(toId);
// User B's insight must never appear in User A's search results
expect(idsInA).not.toContain(INSIGHT_B_ID);
// User A's insight must never appear in User B's search results
expect(idsInB).not.toContain(INSIGHT_A_ID);
});
it('update is scoped to the requesting user', async () => {
const repo = createInsightsRepo(handle.db);
const result = await repo.update(INSIGHT_A_ID, USER_B_ID, { content: 'hacked' });
expect(result).toBeUndefined();
// Verify the insight was not mutated
const unchanged = await repo.findById(INSIGHT_A_ID, USER_A_ID);
expect(unchanged?.content).toBe('User A insight');
});
it('remove is scoped to the requesting user', async () => {
const repo = createInsightsRepo(handle.db);
const deleted = await repo.remove(INSIGHT_A_ID, USER_B_ID);
expect(deleted).toBe(false);
// Verify the insight still exists
const still = await repo.findById(INSIGHT_A_ID, USER_A_ID);
expect(still).toBeDefined();
});
});

64
apps/gateway/src/__tests__/integration/federated-boot.pg-unreachable.integration.test.ts
View File

@@ -1,64 +0,0 @@
/**
* Test B — Gateway boot refuses (fail-fast) when PG is unreachable.
*
* Prereq: docker compose -f docker-compose.federated.yml --profile federated up -d
* (Valkey must be running; only PG is intentionally misconfigured.)
* Run: FEDERATED_INTEGRATION=1 pnpm --filter @mosaicstack/gateway test src/__tests__/integration/federated-boot.pg-unreachable.integration.test.ts
*
* Skipped when FEDERATED_INTEGRATION !== '1'.
*/
import net from 'node:net';
import { beforeAll, describe, expect, it } from 'vitest';
import { TierDetectionError, detectAndAssertTier } from '@mosaicstack/storage';
const run = process.env['FEDERATED_INTEGRATION'] === '1';
const VALKEY_URL = 'redis://localhost:6380';
/**
* Reserves a guaranteed-closed port at runtime by binding to an ephemeral OS
* port (port 0) and immediately releasing it. The OS will not reassign the
* port during the TIME_WAIT window, so it remains closed for the duration of
* this test.
*/
async function reserveClosedPort(): Promise<number> {
return new Promise((resolve, reject) => {
const server = net.createServer();
server.listen(0, '127.0.0.1', () => {
const addr = server.address();
if (typeof addr !== 'object' || !addr) return reject(new Error('no addr'));
const port = addr.port;
server.close(() => resolve(port));
});
server.on('error', reject);
});
}
describe.skipIf(!run)('federated boot — PG unreachable', () => {
let badPgUrl: string;
beforeAll(async () => {
const closedPort = await reserveClosedPort();
badPgUrl = `postgresql://mosaic:mosaic@localhost:${closedPort}/mosaic`;
});
it('detectAndAssertTier throws TierDetectionError with service: postgres when PG is down', async () => {
const brokenConfig = {
tier: 'federated' as const,
storage: {
type: 'postgres' as const,
url: badPgUrl,
enableVector: true,
},
queue: {
type: 'bullmq',
url: VALKEY_URL,
},
};
await expect(detectAndAssertTier(brokenConfig)).rejects.toSatisfy(
(err: unknown) => err instanceof TierDetectionError && err.service === 'postgres',
);
}, 10_000);
});

50
apps/gateway/src/__tests__/integration/federated-boot.success.integration.test.ts
View File

@@ -1,50 +0,0 @@
/**
* Test A — Gateway boot succeeds when federated services are up.
*
* Prereq: docker compose -f docker-compose.federated.yml --profile federated up -d
* Run: FEDERATED_INTEGRATION=1 pnpm --filter @mosaicstack/gateway test src/__tests__/integration/federated-boot.success.integration.test.ts
*
* Skipped when FEDERATED_INTEGRATION !== '1'.
*/
import postgres from 'postgres';
import { afterAll, describe, expect, it } from 'vitest';
import { detectAndAssertTier } from '@mosaicstack/storage';
const run = process.env['FEDERATED_INTEGRATION'] === '1';
const PG_URL = 'postgresql://mosaic:mosaic@localhost:5433/mosaic';
const VALKEY_URL = 'redis://localhost:6380';
const federatedConfig = {
tier: 'federated' as const,
storage: {
type: 'postgres' as const,
url: PG_URL,
enableVector: true,
},
queue: {
type: 'bullmq',
url: VALKEY_URL,
},
};
describe.skipIf(!run)('federated boot — success path', () => {
let sql: ReturnType<typeof postgres> | undefined;
afterAll(async () => {
if (sql) {
await sql.end({ timeout: 2 }).catch(() => {});
}
});
it('detectAndAssertTier resolves without throwing when federated services are up', async () => {
await expect(detectAndAssertTier(federatedConfig)).resolves.toBeUndefined();
}, 10_000);
it('pgvector extension is registered (pg_extension row exists)', async () => {
sql = postgres(PG_URL, { max: 1, connect_timeout: 5, idle_timeout: 5 });
const rows = await sql`SELECT * FROM pg_extension WHERE extname = 'vector'`;
expect(rows).toHaveLength(1);
}, 10_000);
});

43
apps/gateway/src/__tests__/integration/federated-pgvector.integration.test.ts
View File

@@ -1,43 +0,0 @@
/**
* Test C — pgvector extension is functional end-to-end.
*
* Creates a temp table with a vector(3) column, inserts a row, and queries it
* back — confirming the extension is not just registered but operational.
*
* Prereq: docker compose -f docker-compose.federated.yml --profile federated up -d
* Run: FEDERATED_INTEGRATION=1 pnpm --filter @mosaicstack/gateway test src/__tests__/integration/federated-pgvector.integration.test.ts
*
* Skipped when FEDERATED_INTEGRATION !== '1'.
*/
import postgres from 'postgres';
import { afterAll, describe, expect, it } from 'vitest';
const run = process.env['FEDERATED_INTEGRATION'] === '1';
const PG_URL = 'postgresql://mosaic:mosaic@localhost:5433/mosaic';
let sql: ReturnType<typeof postgres> | undefined;
afterAll(async () => {
if (sql) {
await sql.end({ timeout: 2 }).catch(() => {});
}
});
describe.skipIf(!run)('federated pgvector — functional end-to-end', () => {
it('vector ops round-trip: INSERT [1,2,3] and SELECT returns [1,2,3]', async () => {
sql = postgres(PG_URL, { max: 1, connect_timeout: 5, idle_timeout: 5 });
await sql`CREATE TEMP TABLE t (id int, embedding vector(3))`;
await sql`INSERT INTO t VALUES (1, '[1,2,3]')`;
const rows = await sql`SELECT embedding FROM t`;
expect(rows).toHaveLength(1);
// The postgres driver returns vector columns as strings like '[1,2,3]'.
// Normalise by parsing the string representation.
const raw = rows[0]?.['embedding'] as string;
const parsed = JSON.parse(raw) as number[];
expect(parsed).toEqual([1, 2, 3]);
}, 10_000);
});

243
apps/gateway/src/__tests__/integration/federation-m2-e2e.integration.test.ts
View File

@@ -1,243 +0,0 @@
/**
* Federation M2 E2E test — peer-add enrollment flow (FED-M2-10).
*
* Covers MILESTONES.md acceptance test #6:
* "`peer add <url>` on Server A yields an `active` peer record with a valid cert + key"
*
* This test simulates two gateways using a single bootstrapped NestJS app:
* - "Server A": the admin API that generates a keypair and stores the cert
* - "Server B": the enrollment endpoint that signs the CSR
* Both share the same DB + Step-CA in the test environment.
*
* Prerequisites:
* docker compose -f docker-compose.federated.yml --profile federated up -d
*
* Run:
* FEDERATED_INTEGRATION=1 STEP_CA_AVAILABLE=1 \
* STEP_CA_URL=https://localhost:9000 \
* STEP_CA_PROVISIONER_KEY_JSON="$(docker exec $(docker ps -qf name=step-ca) cat /home/step/secrets/mosaic-fed.json)" \
* STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt \
* pnpm --filter @mosaicstack/gateway test \
* src/__tests__/integration/federation-m2-e2e.integration.test.ts
*
* Obtaining Step-CA credentials:
* # Extract provisioner key from running container:
* # docker exec $(docker ps -qf name=step-ca) cat /home/step/secrets/mosaic-fed.json
* # Copy root cert from container:
* # docker cp $(docker ps -qf name=step-ca):/home/step/certs/root_ca.crt /tmp/step-ca-root.crt
* # Then: export STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt
*
* Skipped unless both FEDERATED_INTEGRATION=1 and STEP_CA_AVAILABLE=1 are set.
*/
import * as crypto from 'node:crypto';
import { afterAll, beforeAll, describe, expect, it } from 'vitest';
import { Test } from '@nestjs/testing';
import { ValidationPipe } from '@nestjs/common';
import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fastify';
import supertest from 'supertest';
import {
createDb,
type Db,
type DbHandle,
federationPeers,
federationGrants,
federationEnrollmentTokens,
inArray,
eq,
} from '@mosaicstack/db';
import * as schema from '@mosaicstack/db';
import { DB } from '../../database/database.module.js';
import { AdminGuard } from '../../admin/admin.guard.js';
import { FederationModule } from '../../federation/federation.module.js';
import { GrantsService } from '../../federation/grants.service.js';
import { EnrollmentService } from '../../federation/enrollment.service.js';
const run = process.env['FEDERATED_INTEGRATION'] === '1';
const stepCaRun =
run &&
process.env['STEP_CA_AVAILABLE'] === '1' &&
!!process.env['STEP_CA_URL'] &&
!!process.env['STEP_CA_PROVISIONER_KEY_JSON'] &&
!!process.env['STEP_CA_ROOT_CERT_PATH'];
const PG_URL = 'postgresql://mosaic:mosaic@localhost:5433/mosaic';
const RUN_ID = crypto.randomUUID();
describe.skipIf(!stepCaRun)('federation M2 E2E — peer add enrollment flow', () => {
let handle: DbHandle;
let db: Db;
let app: NestFastifyApplication;
let agent: ReturnType<typeof supertest>;
let grantsService: GrantsService;
let enrollmentService: EnrollmentService;
const createdTokenGrantIds: string[] = [];
const createdGrantIds: string[] = [];
const createdPeerIds: string[] = [];
const createdUserIds: string[] = [];
beforeAll(async () => {
process.env['BETTER_AUTH_SECRET'] ??= 'test-e2e-sealing-key';
handle = createDb(PG_URL);
db = handle.db;
const moduleRef = await Test.createTestingModule({
imports: [FederationModule],
providers: [{ provide: DB, useValue: db }],
})
.overrideGuard(AdminGuard)
.useValue({ canActivate: () => true })
.compile();
app = moduleRef.createNestApplication<NestFastifyApplication>(new FastifyAdapter());
app.useGlobalPipes(new ValidationPipe({ whitelist: true, transform: true }));
await app.init();
await app.getHttpAdapter().getInstance().ready();
agent = supertest(app.getHttpServer());
grantsService = moduleRef.get(GrantsService);
enrollmentService = moduleRef.get(EnrollmentService);
}, 30_000);
afterAll(async () => {
if (db && createdTokenGrantIds.length > 0) {
await db
.delete(federationEnrollmentTokens)
.where(inArray(federationEnrollmentTokens.grantId, createdTokenGrantIds))
.catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
}
if (db && createdGrantIds.length > 0) {
await db
.delete(federationGrants)
.where(inArray(federationGrants.id, createdGrantIds))
.catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
}
if (db && createdPeerIds.length > 0) {
await db
.delete(federationPeers)
.where(inArray(federationPeers.id, createdPeerIds))
.catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
}
if (db && createdUserIds.length > 0) {
await db
.delete(schema.users)
.where(inArray(schema.users.id, createdUserIds))
.catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
}
if (app)
await app.close().catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
if (handle)
await handle.close().catch((e: unknown) => console.error('[federation-m2-e2e cleanup]', e));
});
// -------------------------------------------------------------------------
// #6 — peer add: keypair → enrollment → cert storage → active peer record
// -------------------------------------------------------------------------
it('#6 — peer add flow: keypair → enrollment → cert storage → active peer record', async () => {
// Create a subject user to satisfy FK on federation_grants.subject_user_id
const userId = crypto.randomUUID();
await db
.insert(schema.users)
.values({
id: userId,
name: `e2e-user-${RUN_ID}`,
email: `e2e-${RUN_ID}@federation-test.invalid`,
emailVerified: false,
})
.onConflictDoNothing();
createdUserIds.push(userId);
// ── Step A: "Server B" setup ─────────────────────────────────────────
// Server B admin creates a grant and generates an enrollment token to
// share out-of-band with Server A's operator.
// Insert a placeholder peer on "Server B" to satisfy the grant FK
const serverBPeerId = crypto.randomUUID();
await db
.insert(federationPeers)
.values({
id: serverBPeerId,
commonName: `server-b-peer-${RUN_ID}`,
displayName: 'Server B Placeholder',
certPem: '-----BEGIN CERTIFICATE-----\nMOCK\n-----END CERTIFICATE-----\n',
certSerial: `serial-b-${serverBPeerId}`,
certNotAfter: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000),
state: 'pending',
})
.onConflictDoNothing();
createdPeerIds.push(serverBPeerId);
const grant = await grantsService.createGrant({
subjectUserId: userId,
scope: { resources: ['tasks'], excluded_resources: [], max_rows_per_query: 100 },
peerId: serverBPeerId,
});
createdGrantIds.push(grant.id);
createdTokenGrantIds.push(grant.id);
const { token } = await enrollmentService.createToken({
grantId: grant.id,
peerId: serverBPeerId,
ttlSeconds: 900,
});
// ── Step B: "Server A" generates keypair ─────────────────────────────
const keypairRes = await agent
.post('/api/admin/federation/peers/keypair')
.send({
commonName: `e2e-peer-${RUN_ID.slice(0, 8)}`,
displayName: 'E2E Test Peer',
endpointUrl: 'https://test.invalid',
})
.set('Content-Type', 'application/json');
expect(keypairRes.status).toBe(201);
const { peerId, csrPem } = keypairRes.body as { peerId: string; csrPem: string };
expect(typeof peerId).toBe('string');
expect(csrPem).toContain('-----BEGIN CERTIFICATE REQUEST-----');
createdPeerIds.push(peerId);
// ── Step C: Enrollment (simulates Server A sending CSR to Server B) ──
const enrollRes = await agent
.post(`/api/federation/enrollment/${token}`)
.send({ csrPem })
.set('Content-Type', 'application/json');
expect(enrollRes.status).toBe(200);
const { certPem, certChainPem } = enrollRes.body as {
certPem: string;
certChainPem: string;
};
expect(certPem).toContain('-----BEGIN CERTIFICATE-----');
expect(certChainPem).toContain('-----BEGIN CERTIFICATE-----');
// ── Step D: "Server A" stores the cert ───────────────────────────────
const storeRes = await agent
.patch(`/api/admin/federation/peers/${peerId}/cert`)
.send({ certPem })
.set('Content-Type', 'application/json');
expect(storeRes.status).toBe(200);
// ── Step E: Verify peer record in DB ─────────────────────────────────
const [peer] = await db
.select()
.from(federationPeers)
.where(eq(federationPeers.id, peerId))
.limit(1);
expect(peer).toBeDefined();
expect(peer?.state).toBe('active');
expect(peer?.certPem).toContain('-----BEGIN CERTIFICATE-----');
expect(typeof peer?.certSerial).toBe('string');
expect((peer?.certSerial ?? '').length).toBeGreaterThan(0);
// clientKeyPem is a sealed ciphertext — must not be a raw PEM
expect(peer?.clientKeyPem?.startsWith('-----BEGIN')).toBe(false);
// certNotAfter must be in the future
expect(peer?.certNotAfter?.getTime()).toBeGreaterThan(Date.now());
}, 60_000);
});

483
apps/gateway/src/__tests__/integration/federation-m2.integration.test.ts
View File

@@ -1,483 +0,0 @@
/**
* Federation M2 integration tests (FED-M2-09).
*
* Covers MILESTONES.md acceptance tests #1, #2, #3, #5, #7, #8.
*
* Prerequisites:
* docker compose -f docker-compose.federated.yml --profile federated up -d
*
* Run DB-only tests (no Step-CA):
* FEDERATED_INTEGRATION=1 BETTER_AUTH_SECRET=test-secret pnpm --filter @mosaicstack/gateway test \
* src/__tests__/integration/federation-m2.integration.test.ts
*
* Run all tests including Step-CA-dependent ones:
* FEDERATED_INTEGRATION=1 STEP_CA_AVAILABLE=1 \
* STEP_CA_URL=https://localhost:9000 \
* STEP_CA_PROVISIONER_KEY_JSON="$(docker exec $(docker ps -qf name=step-ca) cat /home/step/secrets/mosaic-fed.json)" \
* STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt \
* pnpm --filter @mosaicstack/gateway test \
* src/__tests__/integration/federation-m2.integration.test.ts
*
* Obtaining Step-CA credentials:
* # Extract provisioner key from running container:
* # docker exec $(docker ps -qf name=step-ca) cat /home/step/secrets/mosaic-fed.json
* # Copy root cert from container:
* # docker cp $(docker ps -qf name=step-ca):/home/step/certs/root_ca.crt /tmp/step-ca-root.crt
* # Then: export STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt
*/
import * as crypto from 'node:crypto';
import { afterAll, beforeAll, describe, expect, it } from 'vitest';
import { Test } from '@nestjs/testing';
import { GoneException } from '@nestjs/common';
import { Pkcs10CertificateRequestGenerator, X509Certificate as PeculiarX509 } from '@peculiar/x509';
import {
createDb,
type Db,
type DbHandle,
federationPeers,
federationGrants,
federationEnrollmentTokens,
inArray,
eq,
} from '@mosaicstack/db';
import * as schema from '@mosaicstack/db';
import { seal } from '@mosaicstack/auth';
import { DB } from '../../database/database.module.js';
import { GrantsService } from '../../federation/grants.service.js';
import { EnrollmentService } from '../../federation/enrollment.service.js';
import { CaService } from '../../federation/ca.service.js';
import { FederationScopeError } from '../../federation/scope-schema.js';
const run = process.env['FEDERATED_INTEGRATION'] === '1';
const stepCaRun = run && process.env['STEP_CA_AVAILABLE'] === '1';
const PG_URL = 'postgresql://mosaic:mosaic@localhost:5433/mosaic';
// ---------------------------------------------------------------------------
// Helpers for test data isolation
// ---------------------------------------------------------------------------
/** Unique run prefix to identify rows created by this test run. */
const RUN_ID = crypto.randomUUID();
/** Insert a minimal user row to satisfy the FK on federation_grants.subject_user_id. */
async function insertTestUser(db: Db, id: string): Promise<void> {
await db
.insert(schema.users)
.values({
id,
name: `test-user-${id}`,
email: `test-${id}@federation-test.invalid`,
emailVerified: false,
})
.onConflictDoNothing();
}
/** Insert a minimal peer row to satisfy the FK on federation_grants.peer_id. */
async function insertTestPeer(db: Db, id: string, suffix: string = ''): Promise<void> {
await db
.insert(federationPeers)
.values({
id,
commonName: `test-peer-${RUN_ID}-${suffix}`,
displayName: `Test Peer ${suffix}`,
certPem: '-----BEGIN CERTIFICATE-----\nMOCK\n-----END CERTIFICATE-----\n',
certSerial: `test-serial-${id}`,
certNotAfter: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000),
state: 'pending',
})
.onConflictDoNothing();
}
// ---------------------------------------------------------------------------
// DB-only test module (CaService mocked so env vars not required)
// ---------------------------------------------------------------------------
function buildDbModule(db: Db) {
return Test.createTestingModule({
providers: [
{ provide: DB, useValue: db },
GrantsService,
{
provide: CaService,
useValue: {
issueCert: async () => {
throw new Error('CaService.issueCert should not be called in DB-only tests');
},
},
},
EnrollmentService,
],
}).compile();
}
// ---------------------------------------------------------------------------
// Test suite — DB-only (no Step-CA)
// ---------------------------------------------------------------------------
describe.skipIf(!run)('federation M2 — DB-only tests', () => {
let handle: DbHandle;
let db: Db;
let grantsService: GrantsService;
/** IDs created during this run — cleaned up in afterAll. */
const createdGrantIds: string[] = [];
const createdPeerIds: string[] = [];
const createdUserIds: string[] = [];
beforeAll(async () => {
process.env['BETTER_AUTH_SECRET'] ??= 'test-integration-sealing-key-not-for-prod';
handle = createDb(PG_URL);
db = handle.db;
const moduleRef = await buildDbModule(db);
grantsService = moduleRef.get(GrantsService);
});
afterAll(async () => {
// Clean up in FK-safe order: tokens → grants → peers → users
if (db && createdGrantIds.length > 0) {
await db
.delete(federationEnrollmentTokens)
.where(inArray(federationEnrollmentTokens.grantId, createdGrantIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
await db
.delete(federationGrants)
.where(inArray(federationGrants.id, createdGrantIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (db && createdPeerIds.length > 0) {
await db
.delete(federationPeers)
.where(inArray(federationPeers.id, createdPeerIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (db && createdUserIds.length > 0) {
await db
.delete(schema.users)
.where(inArray(schema.users.id, createdUserIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (handle)
await handle.close().catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
});
// -------------------------------------------------------------------------
// #1 — grant create writes a pending row
// -------------------------------------------------------------------------
it('#1 — createGrant writes a pending row to DB', async () => {
const userId = crypto.randomUUID();
const peerId = crypto.randomUUID();
const validScope = {
resources: ['tasks'],
excluded_resources: [],
max_rows_per_query: 100,
};
await insertTestUser(db, userId);
await insertTestPeer(db, peerId, 'test1');
createdUserIds.push(userId);
createdPeerIds.push(peerId);
const grant = await grantsService.createGrant({
subjectUserId: userId,
scope: validScope,
peerId,
});
createdGrantIds.push(grant.id);
// Verify the row exists in DB with correct shape
const [row] = await db
.select()
.from(federationGrants)
.where(eq(federationGrants.id, grant.id))
.limit(1);
expect(row).toBeDefined();
expect(row?.status).toBe('pending');
expect(row?.peerId).toBe(peerId);
expect(row?.subjectUserId).toBe(userId);
const storedScope = row?.scope as Record<string, unknown>;
expect(storedScope['resources']).toEqual(['tasks']);
expect(storedScope['max_rows_per_query']).toBe(100);
}, 15_000);
// -------------------------------------------------------------------------
// #7 — scope with unknown resource type rejected
// -------------------------------------------------------------------------
it('#7 — createGrant rejects scope with unknown resource type', async () => {
const userId = crypto.randomUUID();
const peerId = crypto.randomUUID();
const invalidScope = {
resources: ['totally_unknown_resource'],
excluded_resources: [],
max_rows_per_query: 100,
};
await insertTestUser(db, userId);
await insertTestPeer(db, peerId, 'test7');
createdUserIds.push(userId);
createdPeerIds.push(peerId);
await expect(
grantsService.createGrant({
subjectUserId: userId,
scope: invalidScope,
peerId,
}),
).rejects.toThrow(FederationScopeError);
}, 15_000);
// -------------------------------------------------------------------------
// #8 — listGrants returns accurate status for grants in various states
// -------------------------------------------------------------------------
it('#8 — listGrants returns accurate status for grants in various states', async () => {
const userId = crypto.randomUUID();
const peerId = crypto.randomUUID();
const validScope = {
resources: ['notes'],
excluded_resources: [],
max_rows_per_query: 50,
};
await insertTestUser(db, userId);
await insertTestPeer(db, peerId, 'test8');
createdUserIds.push(userId);
createdPeerIds.push(peerId);
// Create two pending grants via GrantsService
const grantA = await grantsService.createGrant({
subjectUserId: userId,
scope: validScope,
peerId,
});
const grantB = await grantsService.createGrant({
subjectUserId: userId,
scope: { resources: ['tasks'], excluded_resources: [], max_rows_per_query: 50 },
peerId,
});
createdGrantIds.push(grantA.id, grantB.id);
// Insert a third grant directly in 'revoked' state to test status variety
const [grantC] = await db
.insert(federationGrants)
.values({
id: crypto.randomUUID(),
subjectUserId: userId,
peerId,
scope: validScope,
status: 'revoked',
revokedAt: new Date(),
})
.returning();
createdGrantIds.push(grantC!.id);
// List all grants for this peer
const allForPeer = await grantsService.listGrants({ peerId });
const ourGrantIds = new Set([grantA.id, grantB.id, grantC!.id]);
const ourGrants = allForPeer.filter((g) => ourGrantIds.has(g.id));
expect(ourGrants).toHaveLength(3);
const pendingGrants = ourGrants.filter((g) => g.status === 'pending');
const revokedGrants = ourGrants.filter((g) => g.status === 'revoked');
expect(pendingGrants).toHaveLength(2);
expect(revokedGrants).toHaveLength(1);
// Status-filtered query
const pendingOnly = await grantsService.listGrants({ peerId, status: 'pending' });
const ourPending = pendingOnly.filter((g) => ourGrantIds.has(g.id));
expect(ourPending.every((g) => g.status === 'pending')).toBe(true);
// Verify peer list from DB also shows the peer rows with correct state
const peers = await db.select().from(federationPeers).where(eq(federationPeers.id, peerId));
expect(peers).toHaveLength(1);
expect(peers[0]?.state).toBe('pending');
}, 15_000);
// -------------------------------------------------------------------------
// #5 — client_key_pem encrypted at rest
// -------------------------------------------------------------------------
it('#5 — clientKeyPem stored in DB is a sealed ciphertext (not a valid PEM)', async () => {
const peerId = crypto.randomUUID();
const rawPem = '-----BEGIN PRIVATE KEY-----\nMOCK\n-----END PRIVATE KEY-----\n';
const sealed = seal(rawPem);
await db.insert(federationPeers).values({
id: peerId,
commonName: `test-peer-${RUN_ID}-sealed`,
displayName: 'Sealed Key Test Peer',
certPem: '-----BEGIN CERTIFICATE-----\nMOCK\n-----END CERTIFICATE-----\n',
certSerial: `test-serial-sealed-${peerId}`,
certNotAfter: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000),
state: 'pending',
clientKeyPem: sealed,
});
createdPeerIds.push(peerId);
const [row] = await db
.select()
.from(federationPeers)
.where(eq(federationPeers.id, peerId))
.limit(1);
expect(row).toBeDefined();
// The stored value must NOT be a valid PEM — it's a sealed ciphertext blob
expect(row?.clientKeyPem).toBeDefined();
expect(row?.clientKeyPem?.startsWith('-----BEGIN')).toBe(false);
// The sealed value should be non-trivial (at least 20 chars)
expect((row?.clientKeyPem ?? '').length).toBeGreaterThan(20);
}, 15_000);
});
// ---------------------------------------------------------------------------
// Test suite — Step-CA gated
// ---------------------------------------------------------------------------
describe.skipIf(!stepCaRun)('federation M2 — Step-CA tests', () => {
let handle: DbHandle;
let db: Db;
let grantsService: GrantsService;
let enrollmentService: EnrollmentService;
const createdGrantIds: string[] = [];
const createdPeerIds: string[] = [];
const createdUserIds: string[] = [];
beforeAll(async () => {
handle = createDb(PG_URL);
db = handle.db;
// Use real CaService — env vars (STEP_CA_URL, STEP_CA_PROVISIONER_KEY_JSON,
// STEP_CA_ROOT_CERT_PATH) must be set when STEP_CA_AVAILABLE=1
const moduleRef = await Test.createTestingModule({
providers: [{ provide: DB, useValue: db }, CaService, GrantsService, EnrollmentService],
}).compile();
grantsService = moduleRef.get(GrantsService);
enrollmentService = moduleRef.get(EnrollmentService);
});
afterAll(async () => {
if (db && createdGrantIds.length > 0) {
await db
.delete(federationEnrollmentTokens)
.where(inArray(federationEnrollmentTokens.grantId, createdGrantIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
await db
.delete(federationGrants)
.where(inArray(federationGrants.id, createdGrantIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (db && createdPeerIds.length > 0) {
await db
.delete(federationPeers)
.where(inArray(federationPeers.id, createdPeerIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (db && createdUserIds.length > 0) {
await db
.delete(schema.users)
.where(inArray(schema.users.id, createdUserIds))
.catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
}
if (handle)
await handle.close().catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
});
/** Generate a P-256 key pair and PKCS#10 CSR, returning the CSR as PEM. */
async function generateCsrPem(cn: string): Promise<string> {
const alg = { name: 'ECDSA', namedCurve: 'P-256', hash: 'SHA-256' };
const keyPair = await crypto.subtle.generateKey(alg, true, ['sign', 'verify']);
const csr = await Pkcs10CertificateRequestGenerator.create({
name: `CN=${cn}`,
keys: keyPair,
signingAlgorithm: alg,
});
return csr.toString('pem');
}
// -------------------------------------------------------------------------
// #2 — enrollment signs CSR and returns cert
// -------------------------------------------------------------------------
it('#2 — redeem returns a certPem containing a valid PEM certificate', async () => {
const userId = crypto.randomUUID();
const peerId = crypto.randomUUID();
const validScope = {
resources: ['tasks'],
excluded_resources: [],
max_rows_per_query: 100,
};
await insertTestUser(db, userId);
await insertTestPeer(db, peerId, 'ca-test2');
createdUserIds.push(userId);
createdPeerIds.push(peerId);
const grant = await grantsService.createGrant({
subjectUserId: userId,
scope: validScope,
peerId,
});
createdGrantIds.push(grant.id);
const { token } = await enrollmentService.createToken({
grantId: grant.id,
peerId,
ttlSeconds: 900,
});
const csrPem = await generateCsrPem(`gateway-test-${RUN_ID.slice(0, 8)}`);
const result = await enrollmentService.redeem(token, csrPem);
expect(result.certPem).toContain('-----BEGIN CERTIFICATE-----');
expect(result.certChainPem).toContain('-----BEGIN CERTIFICATE-----');
// Verify the issued cert parses cleanly
const cert = new PeculiarX509(result.certPem);
expect(cert.serialNumber).toBeTruthy();
}, 30_000);
// -------------------------------------------------------------------------
// #3 — token single-use; second attempt returns GoneException
// -------------------------------------------------------------------------
it('#3 — second redeem of the same token throws GoneException', async () => {
const userId = crypto.randomUUID();
const peerId = crypto.randomUUID();
const validScope = {
resources: ['notes'],
excluded_resources: [],
max_rows_per_query: 50,
};
await insertTestUser(db, userId);
await insertTestPeer(db, peerId, 'ca-test3');
createdUserIds.push(userId);
createdPeerIds.push(peerId);
const grant = await grantsService.createGrant({
subjectUserId: userId,
scope: validScope,
peerId,
});
createdGrantIds.push(grant.id);
const { token } = await enrollmentService.createToken({
grantId: grant.id,
peerId,
ttlSeconds: 900,
});
const csrPem = await generateCsrPem(`gateway-test-replay-${RUN_ID.slice(0, 8)}`);
// First redeem must succeed
const result = await enrollmentService.redeem(token, csrPem);
expect(result.certPem).toContain('-----BEGIN CERTIFICATE-----');
// Second redeem with the same token must be rejected
await expect(enrollmentService.redeem(token, csrPem)).rejects.toThrow(GoneException);
}, 30_000);
});

29
apps/gateway/src/__tests__/resource-ownership.test.ts
View File

@@ -1,4 +1,4 @@
import { ForbiddenException, NotFoundException } from '@nestjs/common'; import { ForbiddenException } from '@nestjs/common';
import { describe, expect, it, vi } from 'vitest'; import { describe, expect, it, vi } from 'vitest';
import { ConversationsController } from '../conversations/conversations.controller.js'; import { ConversationsController } from '../conversations/conversations.controller.js';
import { MissionsController } from '../missions/missions.controller.js'; import { MissionsController } from '../missions/missions.controller.js';
@@ -18,7 +18,6 @@ function createBrain() {
}, },
projects: { projects: {
findAll: vi.fn(), findAll: vi.fn(),
findAllForUser: vi.fn(),
findById: vi.fn(), findById: vi.fn(),
create: vi.fn(), create: vi.fn(),
update: vi.fn(), update: vi.fn(),
@@ -26,21 +25,12 @@ function createBrain() {
}, },
missions: { missions: {
findAll: vi.fn(), findAll: vi.fn(),
findAllByUser: vi.fn(),
findById: vi.fn(), findById: vi.fn(),
findByIdAndUser: vi.fn(),
findByProject: vi.fn(), findByProject: vi.fn(),
create: vi.fn(), create: vi.fn(),
update: vi.fn(), update: vi.fn(),
remove: vi.fn(), remove: vi.fn(),
}, },
missionTasks: {
findByMissionAndUser: vi.fn(),
findByIdAndUser: vi.fn(),
create: vi.fn(),
update: vi.fn(),
remove: vi.fn(),
},
tasks: { tasks: {
findAll: vi.fn(), findAll: vi.fn(),
findById: vi.fn(), findById: vi.fn(),
@@ -57,35 +47,32 @@ function createBrain() {
describe('Resource ownership checks', () => { describe('Resource ownership checks', () => {
it('forbids access to another user conversation', async () => { it('forbids access to another user conversation', async () => {
const brain = createBrain(); const brain = createBrain();
// The repo enforces ownership via the WHERE clause; it returns undefined when the brain.conversations.findById.mockResolvedValue({ id: 'conv-1', userId: 'user-2' });
// conversation does not belong to the requesting user.
brain.conversations.findById.mockResolvedValue(undefined);
const controller = new ConversationsController(brain as never); const controller = new ConversationsController(brain as never);
await expect(controller.findOne('conv-1', { id: 'user-1' })).rejects.toBeInstanceOf( await expect(controller.findOne('conv-1', { id: 'user-1' })).rejects.toBeInstanceOf(
NotFoundException, ForbiddenException,
); );
}); });
it('forbids access to another user project', async () => { it('forbids access to another user project', async () => {
const brain = createBrain(); const brain = createBrain();
brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' }); brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
const teamsService = { canAccessProject: vi.fn().mockResolvedValue(false) }; const controller = new ProjectsController(brain as never);
const controller = new ProjectsController(brain as never, teamsService as never);
await expect(controller.findOne('project-1', { id: 'user-1' })).rejects.toBeInstanceOf( await expect(controller.findOne('project-1', { id: 'user-1' })).rejects.toBeInstanceOf(
ForbiddenException, ForbiddenException,
); );
}); });
it('forbids access to a mission owned by another user', async () => { it('forbids access to a mission owned by another project owner', async () => {
const brain = createBrain(); const brain = createBrain();
// findByIdAndUser returns undefined when the mission doesn't belong to the user brain.missions.findById.mockResolvedValue({ id: 'mission-1', projectId: 'project-1' });
brain.missions.findByIdAndUser.mockResolvedValue(undefined); brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
const controller = new MissionsController(brain as never); const controller = new MissionsController(brain as never);
await expect(controller.findOne('mission-1', { id: 'user-1' })).rejects.toBeInstanceOf( await expect(controller.findOne('mission-1', { id: 'user-1' })).rejects.toBeInstanceOf(
NotFoundException, ForbiddenException,
); );
}); });

377
apps/gateway/src/__tests__/session-hardening.test.ts
View File

@@ -1,377 +0,0 @@
/**
* M5-008: Session hardening verification tests.
*
* Verifies:
* 1. /model command switches model → session:info reflects updated modelId
* 2. /agent command switches agent config → system prompt / agentName changes
* 3. Session resume binds to a conversation (history injected via conversationHistory option)
* 4. Session metrics track token usage and message count correctly
*/
import { describe, it, expect, vi, beforeEach } from 'vitest';
import type {
AgentSession,
AgentSessionOptions,
ConversationHistoryMessage,
} from '../agent/agent.service.js';
import type { SessionInfoDto, SessionMetrics, SessionTokenMetrics } from '../agent/session.dto.js';
// ---------------------------------------------------------------------------
// Helpers — minimal AgentSession fixture
// ---------------------------------------------------------------------------
function makeMetrics(overrides?: Partial<SessionMetrics>): SessionMetrics {
return {
tokens: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
modelSwitches: 0,
messageCount: 0,
lastActivityAt: new Date().toISOString(),
...overrides,
};
}
function makeSession(overrides?: Partial<AgentSession>): AgentSession {
return {
id: 'session-001',
provider: 'anthropic',
modelId: 'claude-3-5-sonnet-20241022',
piSession: {} as AgentSession['piSession'],
listeners: new Set(),
unsubscribe: vi.fn(),
createdAt: Date.now(),
promptCount: 0,
channels: new Set(),
skillPromptAdditions: [],
sandboxDir: '/tmp',
allowedTools: null,
metrics: makeMetrics(),
...overrides,
};
}
function sessionToInfo(session: AgentSession): SessionInfoDto {
return {
id: session.id,
provider: session.provider,
modelId: session.modelId,
...(session.agentName ? { agentName: session.agentName } : {}),
createdAt: new Date(session.createdAt).toISOString(),
promptCount: session.promptCount,
channels: Array.from(session.channels),
durationMs: Date.now() - session.createdAt,
metrics: { ...session.metrics },
};
}
// ---------------------------------------------------------------------------
// Replicated AgentService methods (tested in isolation without full DI setup)
// ---------------------------------------------------------------------------
function updateSessionModel(session: AgentSession, modelId: string): void {
session.modelId = modelId;
session.metrics.modelSwitches += 1;
session.metrics.lastActivityAt = new Date().toISOString();
}
function applyAgentConfig(
session: AgentSession,
agentConfigId: string,
agentName: string,
modelId?: string,
): void {
session.agentConfigId = agentConfigId;
session.agentName = agentName;
if (modelId) {
updateSessionModel(session, modelId);
}
}
function recordTokenUsage(session: AgentSession, tokens: SessionTokenMetrics): void {
session.metrics.tokens.input += tokens.input;
session.metrics.tokens.output += tokens.output;
session.metrics.tokens.cacheRead += tokens.cacheRead;
session.metrics.tokens.cacheWrite += tokens.cacheWrite;
session.metrics.tokens.total += tokens.total;
session.metrics.lastActivityAt = new Date().toISOString();
}
function recordMessage(session: AgentSession): void {
session.metrics.messageCount += 1;
session.metrics.lastActivityAt = new Date().toISOString();
}
// ---------------------------------------------------------------------------
// 1. /model command — switches model → session:info updated
// ---------------------------------------------------------------------------
describe('/model command — model switch reflected in session:info', () => {
let session: AgentSession;
beforeEach(() => {
session = makeSession();
});
it('updates modelId when /model is called with a model name', () => {
updateSessionModel(session, 'claude-opus-4-5-20251001');
expect(session.modelId).toBe('claude-opus-4-5-20251001');
});
it('increments modelSwitches metric after /model command', () => {
expect(session.metrics.modelSwitches).toBe(0);
updateSessionModel(session, 'gpt-4o');
expect(session.metrics.modelSwitches).toBe(1);
updateSessionModel(session, 'claude-3-5-sonnet-20241022');
expect(session.metrics.modelSwitches).toBe(2);
});
it('session:info DTO reflects the new modelId after switch', () => {
updateSessionModel(session, 'claude-haiku-3-5-20251001');
const info = sessionToInfo(session);
expect(info.modelId).toBe('claude-haiku-3-5-20251001');
expect(info.metrics.modelSwitches).toBe(1);
});
it('lastActivityAt is updated after model switch', () => {
const before = session.metrics.lastActivityAt;
// Ensure at least 1ms passes
vi.setSystemTime(Date.now() + 1);
updateSessionModel(session, 'new-model');
vi.useRealTimers();
expect(session.metrics.lastActivityAt).not.toBe(before);
});
});
// ---------------------------------------------------------------------------
// 2. /agent command — switches agent config → system prompt / agentName updated
// ---------------------------------------------------------------------------
describe('/agent command — agent config applied to session', () => {
let session: AgentSession;
beforeEach(() => {
session = makeSession();
});
it('sets agentConfigId and agentName on the session', () => {
applyAgentConfig(session, 'agent-uuid-001', 'CodeReviewer');
expect(session.agentConfigId).toBe('agent-uuid-001');
expect(session.agentName).toBe('CodeReviewer');
});
it('also updates modelId when agent config carries a model', () => {
applyAgentConfig(session, 'agent-uuid-002', 'DataAnalyst', 'gpt-4o-mini');
expect(session.agentName).toBe('DataAnalyst');
expect(session.modelId).toBe('gpt-4o-mini');
expect(session.metrics.modelSwitches).toBe(1);
});
it('does NOT update modelId when agent config has no model', () => {
const originalModel = session.modelId;
applyAgentConfig(session, 'agent-uuid-003', 'Planner', undefined);
expect(session.modelId).toBe(originalModel);
expect(session.metrics.modelSwitches).toBe(0);
});
it('session:info DTO reflects agentName after /agent switch', () => {
applyAgentConfig(session, 'agent-uuid-004', 'DevBot');
const info = sessionToInfo(session);
expect(info.agentName).toBe('DevBot');
});
it('multiple /agent calls update to the latest agent', () => {
applyAgentConfig(session, 'agent-001', 'FirstAgent');
applyAgentConfig(session, 'agent-002', 'SecondAgent');
expect(session.agentConfigId).toBe('agent-002');
expect(session.agentName).toBe('SecondAgent');
});
});
// ---------------------------------------------------------------------------
// 3. Session resume — binds to conversation via conversationHistory
// ---------------------------------------------------------------------------
describe('Session resume — binds to conversation', () => {
it('conversationHistory option is preserved in session options', () => {
const history: ConversationHistoryMessage[] = [
{
role: 'user',
content: 'Hello, what is TypeScript?',
createdAt: new Date('2026-01-01T00:01:00Z'),
},
{
role: 'assistant',
content: 'TypeScript is a typed superset of JavaScript.',
createdAt: new Date('2026-01-01T00:01:05Z'),
},
];
const options: AgentSessionOptions = {
conversationHistory: history,
provider: 'anthropic',
modelId: 'claude-3-5-sonnet-20241022',
};
expect(options.conversationHistory).toHaveLength(2);
expect(options.conversationHistory![0]!.role).toBe('user');
expect(options.conversationHistory![1]!.role).toBe('assistant');
});
it('session with conversationHistory option carries the conversation binding', () => {
const CONV_ID = 'conv-resume-001';
const history: ConversationHistoryMessage[] = [
{ role: 'user', content: 'Prior question', createdAt: new Date('2026-01-01T00:01:00Z') },
];
// Simulate what ChatGateway does: pass conversationId + history to createSession
const options: AgentSessionOptions = {
conversationHistory: history,
};
// The session ID is the conversationId in the gateway
const session = makeSession({ id: CONV_ID });
expect(session.id).toBe(CONV_ID);
expect(options.conversationHistory).toHaveLength(1);
});
it('empty conversationHistory is valid (new conversation)', () => {
const options: AgentSessionOptions = {
conversationHistory: [],
};
expect(options.conversationHistory).toHaveLength(0);
});
it('resumed session preserves all message roles', () => {
const history: ConversationHistoryMessage[] = [
{ role: 'system', content: 'You are a helpful assistant.', createdAt: new Date() },
{ role: 'user', content: 'Question 1', createdAt: new Date() },
{ role: 'assistant', content: 'Answer 1', createdAt: new Date() },
{ role: 'user', content: 'Question 2', createdAt: new Date() },
];
const roles = history.map((m) => m.role);
expect(roles).toEqual(['system', 'user', 'assistant', 'user']);
});
});
// ---------------------------------------------------------------------------
// 4. Session metrics — token usage and message count
// ---------------------------------------------------------------------------
describe('Session metrics — token usage and message count', () => {
let session: AgentSession;
beforeEach(() => {
session = makeSession();
});
it('starts with zero metrics', () => {
expect(session.metrics.tokens.input).toBe(0);
expect(session.metrics.tokens.output).toBe(0);
expect(session.metrics.tokens.total).toBe(0);
expect(session.metrics.messageCount).toBe(0);
expect(session.metrics.modelSwitches).toBe(0);
});
it('accumulates token usage across multiple turns', () => {
recordTokenUsage(session, {
input: 100,
output: 50,
cacheRead: 0,
cacheWrite: 0,
total: 150,
});
recordTokenUsage(session, {
input: 200,
output: 80,
cacheRead: 10,
cacheWrite: 5,
total: 295,
});
expect(session.metrics.tokens.input).toBe(300);
expect(session.metrics.tokens.output).toBe(130);
expect(session.metrics.tokens.cacheRead).toBe(10);
expect(session.metrics.tokens.cacheWrite).toBe(5);
expect(session.metrics.tokens.total).toBe(445);
});
it('increments message count with each recordMessage call', () => {
expect(session.metrics.messageCount).toBe(0);
recordMessage(session);
expect(session.metrics.messageCount).toBe(1);
recordMessage(session);
recordMessage(session);
expect(session.metrics.messageCount).toBe(3);
});
it('session:info DTO exposes correct metrics snapshot', () => {
recordTokenUsage(session, {
input: 500,
output: 100,
cacheRead: 20,
cacheWrite: 10,
total: 630,
});
recordMessage(session);
recordMessage(session);
updateSessionModel(session, 'claude-haiku-3-5-20251001');
const info = sessionToInfo(session);
expect(info.metrics.tokens.input).toBe(500);
expect(info.metrics.tokens.output).toBe(100);
expect(info.metrics.tokens.total).toBe(630);
expect(info.metrics.messageCount).toBe(2);
expect(info.metrics.modelSwitches).toBe(1);
});
it('metrics are independent per session', () => {
const sessionA = makeSession({ id: 'session-A' });
const sessionB = makeSession({ id: 'session-B' });
recordTokenUsage(sessionA, { input: 100, output: 50, cacheRead: 0, cacheWrite: 0, total: 150 });
recordMessage(sessionA);
// Session B should remain at zero
expect(sessionB.metrics.tokens.input).toBe(0);
expect(sessionB.metrics.messageCount).toBe(0);
// Session A should have updated values
expect(sessionA.metrics.tokens.input).toBe(100);
expect(sessionA.metrics.messageCount).toBe(1);
});
it('lastActivityAt is updated after recording tokens', () => {
const before = session.metrics.lastActivityAt;
vi.setSystemTime(new Date(Date.now() + 100));
recordTokenUsage(session, { input: 10, output: 5, cacheRead: 0, cacheWrite: 0, total: 15 });
vi.useRealTimers();
expect(session.metrics.lastActivityAt).not.toBe(before);
});
it('lastActivityAt is updated after recording a message', () => {
const before = session.metrics.lastActivityAt;
vi.setSystemTime(new Date(Date.now() + 100));
recordMessage(session);
vi.useRealTimers();
expect(session.metrics.lastActivityAt).not.toBe(before);
});
});

4
apps/gateway/src/admin/admin-health.controller.ts
View File

@@ -1,6 +1,6 @@
import { Controller, Get, Inject, UseGuards } from '@nestjs/common'; import { Controller, Get, Inject, UseGuards } from '@nestjs/common';
import { sql, type Db } from '@mosaicstack/db'; import { sql, type Db } from '@mosaic/db';
import { createQueue } from '@mosaicstack/queue'; import { createQueue } from '@mosaic/queue';
import { DB } from '../database/database.module.js'; import { DB } from '../database/database.module.js';
import { AgentService } from '../agent/agent.service.js'; import { AgentService } from '../agent/agent.service.js';
import { ProviderService } from '../agent/provider.service.js'; import { ProviderService } from '../agent/provider.service.js';

128
apps/gateway/src/admin/admin-jobs.controller.ts
View File

@@ -1,128 +0,0 @@
import {
Controller,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Optional,
Param,
Post,
Query,
UseGuards,
} from '@nestjs/common';
import { AdminGuard } from './admin.guard.js';
import { QueueService } from '../queue/queue.service.js';
import type { JobDto, JobListDto, JobStatus, QueueListDto } from '../queue/queue-admin.dto.js';
@Controller('api/admin/jobs')
@UseGuards(AdminGuard)
export class AdminJobsController {
constructor(
@Optional()
@Inject(QueueService)
private readonly queueService: QueueService | null,
) {}
/**
* GET /api/admin/jobs
* List jobs across all queues. Optional ?status=active|completed|failed|waiting|delayed
*/
@Get()
async listJobs(@Query('status') status?: string): Promise<JobListDto> {
if (!this.queueService) {
return { jobs: [], total: 0 };
}
const validStatuses: JobStatus[] = ['active', 'completed', 'failed', 'waiting', 'delayed'];
const normalised = status as JobStatus | undefined;
if (normalised && !validStatuses.includes(normalised)) {
return { jobs: [], total: 0 };
}
const jobs: JobDto[] = await this.queueService.listJobs(normalised);
return { jobs, total: jobs.length };
}
/**
* POST /api/admin/jobs/:id/retry
* Retry a specific failed job. The id is "<queue>__<bullmq-job-id>".
*/
@Post(':id/retry')
@HttpCode(HttpStatus.OK)
async retryJob(@Param('id') id: string): Promise<{ ok: boolean; message: string }> {
if (!this.queueService) {
throw new NotFoundException('Queue service is not available');
}
const result = await this.queueService.retryJob(id);
if (!result.ok) {
throw new NotFoundException(result.message);
}
return result;
}
/**
* GET /api/admin/jobs/queues
* Return status for all managed queues.
*/
@Get('queues')
async listQueues(): Promise<QueueListDto> {
if (!this.queueService) {
return { queues: [] };
}
const health = await this.queueService.getHealthStatus();
const queues = Object.entries(health.queues).map(([name, stats]) => ({
name,
waiting: stats.waiting,
active: stats.active,
completed: stats.completed,
failed: stats.failed,
delayed: 0,
paused: stats.paused,
}));
return { queues };
}
/**
* POST /api/admin/jobs/queues/:name/pause
* Pause the named queue.
*/
@Post('queues/:name/pause')
@HttpCode(HttpStatus.OK)
async pauseQueue(@Param('name') name: string): Promise<{ ok: boolean; message: string }> {
if (!this.queueService) {
throw new NotFoundException('Queue service is not available');
}
const result = await this.queueService.pauseQueue(name);
if (!result.ok) {
throw new NotFoundException(result.message);
}
return result;
}
/**
* POST /api/admin/jobs/queues/:name/resume
* Resume the named queue.
*/
@Post('queues/:name/resume')
@HttpCode(HttpStatus.OK)
async resumeQueue(@Param('name') name: string): Promise<{ ok: boolean; message: string }> {
if (!this.queueService) {
throw new NotFoundException('Queue service is not available');
}
const result = await this.queueService.resumeQueue(name);
if (!result.ok) {
throw new NotFoundException(result.message);
}
return result;
}
}

90
apps/gateway/src/admin/admin-tokens.controller.ts
View File

@@ -1,90 +0,0 @@
import {
Body,
Controller,
Delete,
Get,
HttpCode,
HttpStatus,
Inject,
Param,
Post,
UseGuards,
} from '@nestjs/common';
import { randomBytes, createHash } from 'node:crypto';
import { eq, type Db, adminTokens } from '@mosaicstack/db';
import { v4 as uuid } from 'uuid';
import { DB } from '../database/database.module.js';
import { AdminGuard } from './admin.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import type {
CreateTokenDto,
TokenCreatedDto,
TokenDto,
TokenListDto,
} from './admin-tokens.dto.js';
function hashToken(plaintext: string): string {
return createHash('sha256').update(plaintext).digest('hex');
}
function toTokenDto(row: typeof adminTokens.$inferSelect): TokenDto {
return {
id: row.id,
label: row.label,
scope: row.scope,
expiresAt: row.expiresAt?.toISOString() ?? null,
lastUsedAt: row.lastUsedAt?.toISOString() ?? null,
createdAt: row.createdAt.toISOString(),
};
}
@Controller('api/admin/tokens')
@UseGuards(AdminGuard)
export class AdminTokensController {
constructor(@Inject(DB) private readonly db: Db) {}
@Post()
async create(
@Body() dto: CreateTokenDto,
@CurrentUser() user: { id: string },
): Promise<TokenCreatedDto> {
const plaintext = randomBytes(32).toString('hex');
const tokenHash = hashToken(plaintext);
const id = uuid();
const expiresAt = dto.expiresInDays
? new Date(Date.now() + dto.expiresInDays * 24 * 60 * 60 * 1000)
: null;
const [row] = await this.db
.insert(adminTokens)
.values({
id,
userId: user.id,
tokenHash,
label: dto.label ?? 'CLI token',
scope: dto.scope ?? 'admin',
expiresAt,
})
.returning();
return { ...toTokenDto(row!), plaintext };
}
@Get()
async list(@CurrentUser() user: { id: string }): Promise<TokenListDto> {
const rows = await this.db
.select()
.from(adminTokens)
.where(eq(adminTokens.userId, user.id))
.orderBy(adminTokens.createdAt);
return { tokens: rows.map(toTokenDto), total: rows.length };
}
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async revoke(@Param('id') id: string, @CurrentUser() _user: { id: string }): Promise<void> {
await this.db.delete(adminTokens).where(eq(adminTokens.id, id));
}
}

33
apps/gateway/src/admin/admin-tokens.dto.ts
View File

@@ -1,33 +0,0 @@
import { IsString, IsOptional, IsInt, Min } from 'class-validator';
export class CreateTokenDto {
@IsString()
label!: string;
@IsOptional()
@IsString()
scope?: string;
@IsOptional()
@IsInt()
@Min(1)
expiresInDays?: number;
}
export interface TokenDto {
id: string;
label: string;
scope: string;
expiresAt: string | null;
lastUsedAt: string | null;
createdAt: string;
}
export interface TokenCreatedDto extends TokenDto {
plaintext: string;
}
export interface TokenListDto {
tokens: TokenDto[];
total: number;
}

4
apps/gateway/src/admin/admin.controller.ts
View File

@@ -13,8 +13,8 @@ import {
Post, Post,
UseGuards, UseGuards,
} from '@nestjs/common'; } from '@nestjs/common';
import { eq, type Db, users as usersTable } from '@mosaicstack/db'; import { eq, type Db, users as usersTable } from '@mosaic/db';
import type { Auth } from '@mosaicstack/auth'; import type { Auth } from '@mosaic/auth';
import { AUTH } from '../auth/auth.tokens.js'; import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js'; import { DB } from '../database/database.module.js';
import { AdminGuard } from './admin.guard.js'; import { AdminGuard } from './admin.guard.js';

89
apps/gateway/src/admin/admin.guard.ts
View File

@@ -6,89 +6,24 @@ import {
Injectable, Injectable,
UnauthorizedException, UnauthorizedException,
} from '@nestjs/common'; } from '@nestjs/common';
import { createHash } from 'node:crypto';
import { fromNodeHeaders } from 'better-auth/node'; import { fromNodeHeaders } from 'better-auth/node';
import type { Auth } from '@mosaicstack/auth'; import type { Auth } from '@mosaic/auth';
import type { Db } from '@mosaicstack/db';
import { eq, adminTokens, users as usersTable } from '@mosaicstack/db';
import type { FastifyRequest } from 'fastify'; import type { FastifyRequest } from 'fastify';
import { AUTH } from '../auth/auth.tokens.js'; import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js';
interface UserWithRole { interface UserWithRole {
id: string; id: string;
role?: string; role?: string;
} }
type AuthenticatedRequest = FastifyRequest & { user: unknown; session: unknown };
@Injectable() @Injectable()
export class AdminGuard implements CanActivate { export class AdminGuard implements CanActivate {
constructor( constructor(@Inject(AUTH) private readonly auth: Auth) {}
@Inject(AUTH) private readonly auth: Auth,
@Inject(DB) private readonly db: Db,
) {}
async canActivate(context: ExecutionContext): Promise<boolean> { async canActivate(context: ExecutionContext): Promise<boolean> {
const request = context.switchToHttp().getRequest<FastifyRequest>(); const request = context.switchToHttp().getRequest<FastifyRequest>();
// Try bearer token auth first
const authHeader = request.raw.headers['authorization'];
if (authHeader?.startsWith('Bearer ')) {
return this.validateBearerToken(request, authHeader.slice(7));
}
// Fall back to BetterAuth session
return this.validateSession(request);
}
private async validateBearerToken(request: FastifyRequest, plaintext: string): Promise<boolean> {
const tokenHash = createHash('sha256').update(plaintext).digest('hex');
const [row] = await this.db
.select({
tokenId: adminTokens.id,
userId: adminTokens.userId,
scope: adminTokens.scope,
expiresAt: adminTokens.expiresAt,
userName: usersTable.name,
userEmail: usersTable.email,
userRole: usersTable.role,
})
.from(adminTokens)
.innerJoin(usersTable, eq(adminTokens.userId, usersTable.id))
.where(eq(adminTokens.tokenHash, tokenHash))
.limit(1);
if (!row) {
throw new UnauthorizedException('Invalid API token');
}
if (row.expiresAt && row.expiresAt < new Date()) {
throw new UnauthorizedException('API token expired');
}
if (row.userRole !== 'admin') {
throw new ForbiddenException('Admin access required');
}
// Update last-used timestamp (fire-and-forget)
this.db
.update(adminTokens)
.set({ lastUsedAt: new Date() })
.where(eq(adminTokens.id, row.tokenId))
.then(() => {})
.catch(() => {});
const req = request as AuthenticatedRequest;
req.user = { id: row.userId, name: row.userName, email: row.userEmail, role: row.userRole };
req.session = { id: `token:${row.tokenId}`, userId: row.userId };
return true;
}
private async validateSession(request: FastifyRequest): Promise<boolean> {
const headers = fromNodeHeaders(request.raw.headers); const headers = fromNodeHeaders(request.raw.headers);
const result = await this.auth.api.getSession({ headers }); const result = await this.auth.api.getSession({ headers });
if (!result) { if (!result) {
@@ -97,24 +32,12 @@ export class AdminGuard implements CanActivate {
const user = result.user as UserWithRole; const user = result.user as UserWithRole;
let userRole = user.role; if (user.role !== 'admin') {
if (!userRole) {
const [dbUser] = await this.db
.select({ role: usersTable.role })
.from(usersTable)
.where(eq(usersTable.id, user.id))
.limit(1);
userRole = dbUser?.role ?? 'member';
(user as UserWithRole).role = userRole;
}
if (userRole !== 'admin') {
throw new ForbiddenException('Admin access required'); throw new ForbiddenException('Admin access required');
} }
const req = request as AuthenticatedRequest; (request as FastifyRequest & { user: unknown; session: unknown }).user = result.user;
req.user = result.user; (request as FastifyRequest & { user: unknown; session: unknown }).session = result.session;
req.session = result.session;
return true; return true;
} }

11
apps/gateway/src/admin/admin.module.ts
View File

@@ -1,19 +1,10 @@
import { Module } from '@nestjs/common'; import { Module } from '@nestjs/common';
import { AdminController } from './admin.controller.js'; import { AdminController } from './admin.controller.js';
import { AdminHealthController } from './admin-health.controller.js'; import { AdminHealthController } from './admin-health.controller.js';
import { AdminJobsController } from './admin-jobs.controller.js';
import { AdminTokensController } from './admin-tokens.controller.js';
import { BootstrapController } from './bootstrap.controller.js';
import { AdminGuard } from './admin.guard.js'; import { AdminGuard } from './admin.guard.js';
@Module({ @Module({
controllers: [ controllers: [AdminController, AdminHealthController],
AdminController,
AdminHealthController,
AdminJobsController,
AdminTokensController,
BootstrapController,
],
providers: [AdminGuard], providers: [AdminGuard],
}) })
export class AdminModule {} export class AdminModule {}

102
apps/gateway/src/admin/bootstrap.controller.ts
View File

@@ -1,102 +0,0 @@
import {
Body,
Controller,
ForbiddenException,
Get,
Inject,
InternalServerErrorException,
Post,
} from '@nestjs/common';
import { randomBytes, createHash } from 'node:crypto';
import { count, eq, type Db, users as usersTable, adminTokens } from '@mosaicstack/db';
import type { Auth } from '@mosaicstack/auth';
import { v4 as uuid } from 'uuid';
import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js';
import { BootstrapSetupDto } from './bootstrap.dto.js';
import type { BootstrapStatusDto, BootstrapResultDto } from './bootstrap.dto.js';
@Controller('api/bootstrap')
export class BootstrapController {
constructor(
@Inject(AUTH) private readonly auth: Auth,
@Inject(DB) private readonly db: Db,
) {}
@Get('status')
async status(): Promise<BootstrapStatusDto> {
const [result] = await this.db.select({ total: count() }).from(usersTable);
return { needsSetup: (result?.total ?? 0) === 0 };
}
@Post('setup')
async setup(@Body() dto: BootstrapSetupDto): Promise<BootstrapResultDto> {
// Only allow setup when zero users exist
const [result] = await this.db.select({ total: count() }).from(usersTable);
if ((result?.total ?? 0) > 0) {
throw new ForbiddenException('Setup already completed — users exist');
}
// Create admin user via BetterAuth API
const authApi = this.auth.api as unknown as {
createUser: (opts: {
body: { name: string; email: string; password: string; role?: string };
}) => Promise<{
user: { id: string; name: string; email: string };
}>;
};
const created = await authApi.createUser({
body: {
name: dto.name,
email: dto.email,
password: dto.password,
role: 'admin',
},
});
// Verify user was created
const [user] = await this.db
.select()
.from(usersTable)
.where(eq(usersTable.id, created.user.id))
.limit(1);
if (!user) throw new InternalServerErrorException('User created but not found');
// Ensure role is admin (createUser may not set it via BetterAuth)
if (user.role !== 'admin') {
await this.db.update(usersTable).set({ role: 'admin' }).where(eq(usersTable.id, user.id));
}
// Generate admin API token
const plaintext = randomBytes(32).toString('hex');
const tokenHash = createHash('sha256').update(plaintext).digest('hex');
const tokenId = uuid();
const [token] = await this.db
.insert(adminTokens)
.values({
id: tokenId,
userId: user.id,
tokenHash,
label: 'Initial setup token',
scope: 'admin',
})
.returning();
return {
user: {
id: user.id,
name: user.name,
email: user.email,
role: 'admin',
},
token: {
id: token!.id,
plaintext,
label: token!.label,
},
};
}
}

31
apps/gateway/src/admin/bootstrap.dto.ts
View File

@@ -1,31 +0,0 @@
import { IsString, IsEmail, MinLength } from 'class-validator';
export class BootstrapSetupDto {
@IsString()
name!: string;
@IsEmail()
email!: string;
@IsString()
@MinLength(8)
password!: string;
}
export interface BootstrapStatusDto {
needsSetup: boolean;
}
export interface BootstrapResultDto {
user: {
id: string;
name: string;
email: string;
role: string;
};
token: {
id: string;
plaintext: string;
label: string;
};
}

190
apps/gateway/src/admin/bootstrap.e2e.spec.ts
View File

@@ -1,190 +0,0 @@
/**
* E2E integration test — POST /api/bootstrap/setup
*
* Regression guard for the `import type { BootstrapSetupDto }` class-erasure
* bug (IUV-M01, issue #436).
*
* When `BootstrapSetupDto` is imported with `import type`, TypeScript erases
* the class at compile time. NestJS then sees `Object` as the `@Body()`
* metatype, and ValidationPipe with `whitelist:true + forbidNonWhitelisted:true`
* treats every property as non-whitelisted, returning:
*
* 400 { message: ["property email should not exist", "property password should not exist"] }
*
* The fix is a plain value import (`import { BootstrapSetupDto }`), which
* preserves the class reference so Nest can read the class-validator decorators.
*
* This test MUST fail if `import type` is re-introduced on `BootstrapSetupDto`.
* A controller unit test that constructs ValidationPipe manually won't catch
* this — only the real DI binding path exercises the metatype lookup.
*/
import 'reflect-metadata';
import { describe, it, expect, afterAll, beforeAll } from 'vitest';
import { Test } from '@nestjs/testing';
import { ValidationPipe, type INestApplication } from '@nestjs/common';
import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fastify';
import request from 'supertest';
import { BootstrapController } from './bootstrap.controller.js';
import type { BootstrapResultDto } from './bootstrap.dto.js';
// ─── Minimal mock dependencies ───────────────────────────────────────────────
/**
* We use explicit `@Inject(AUTH)` / `@Inject(DB)` in the controller so we
* can provide mock values by token without spinning up the real DB or Auth.
*/
import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js';
const MOCK_USER_ID = 'mock-user-id-001';
const mockAuth = {
api: {
createUser: () =>
Promise.resolve({
user: {
id: MOCK_USER_ID,
name: 'Admin',
email: 'admin@example.com',
},
}),
},
};
// Override db.select() so the second query (verify user exists) returns a user.
// The bootstrap controller calls select().from() twice:
// 1. count() to check zero users → returns [{total: 0}]
// 2. select().where().limit() → returns [the created user]
let selectCallCount = 0;
const mockDbWithUser = {
select: () => {
selectCallCount++;
return {
from: () => {
if (selectCallCount === 1) {
// First call: count — zero users
return Promise.resolve([{ total: 0 }]);
}
// Subsequent calls: return a mock user row
return {
where: () => ({
limit: () =>
Promise.resolve([
{
id: MOCK_USER_ID,
name: 'Admin',
email: 'admin@example.com',
role: 'admin',
},
]),
}),
};
},
};
},
update: () => ({
set: () => ({
where: () => Promise.resolve([]),
}),
}),
insert: () => ({
values: () => ({
returning: () =>
Promise.resolve([
{
id: 'token-id-001',
label: 'Initial setup token',
},
]),
}),
}),
};
// ─── Test suite ───────────────────────────────────────────────────────────────
describe('POST /api/bootstrap/setup — ValidationPipe DTO binding', () => {
let app: INestApplication;
beforeAll(async () => {
selectCallCount = 0;
const moduleRef = await Test.createTestingModule({
controllers: [BootstrapController],
providers: [
{ provide: AUTH, useValue: mockAuth },
{ provide: DB, useValue: mockDbWithUser },
],
}).compile();
app = moduleRef.createNestApplication<NestFastifyApplication>(new FastifyAdapter());
// Mirror main.ts configuration exactly — this is what reproduced the 400.
app.useGlobalPipes(
new ValidationPipe({
whitelist: true,
forbidNonWhitelisted: true,
transform: true,
}),
);
await app.init();
// Fastify requires waiting for the adapter to be ready
await app.getHttpAdapter().getInstance().ready();
});
afterAll(async () => {
await app.close();
});
it('returns 201 (not 400) when a valid {name, email, password} body is sent', async () => {
const res = await request(app.getHttpServer())
.post('/api/bootstrap/setup')
.send({ name: 'Admin', email: 'admin@example.com', password: 'password123' })
.set('Content-Type', 'application/json');
// Before the fix (import type), Nest ValidationPipe returned 400 with
// "property email should not exist" / "property password should not exist"
// because the DTO class was erased and every field looked non-whitelisted.
expect(res.status).not.toBe(400);
expect(res.status).toBe(201);
const body = res.body as BootstrapResultDto;
expect(body.user).toBeDefined();
expect(body.user.email).toBe('admin@example.com');
expect(body.token).toBeDefined();
expect(body.token.plaintext).toBeDefined();
});
it('returns 400 when extra forbidden properties are sent', async () => {
// This proves ValidationPipe IS active and working (forbidNonWhitelisted).
const res = await request(app.getHttpServer())
.post('/api/bootstrap/setup')
.send({
name: 'Admin',
email: 'admin@example.com',
password: 'password123',
extraField: 'should-be-rejected',
})
.set('Content-Type', 'application/json');
expect(res.status).toBe(400);
});
it('returns 400 when email is invalid', async () => {
const res = await request(app.getHttpServer())
.post('/api/bootstrap/setup')
.send({ name: 'Admin', email: 'not-an-email', password: 'password123' })
.set('Content-Type', 'application/json');
expect(res.status).toBe(400);
});
it('returns 400 when password is too short', async () => {
const res = await request(app.getHttpServer())
.post('/api/bootstrap/setup')
.send({ name: 'Admin', email: 'admin@example.com', password: 'short' })
.set('Content-Type', 'application/json');
expect(res.status).toBe(400);
});
});

770
apps/gateway/src/agent/__tests__/provider-adapters.test.ts
View File

@@ -1,770 +0,0 @@
/**
* Provider Adapter Integration Tests — M3-012
*
* Verifies that all five provider adapters (Anthropic, OpenAI, OpenRouter, Z.ai, Ollama)
* are properly integrated: registration, model listing, graceful degradation without
* API keys, capability matrix correctness, and ProviderCredentialsService behaviour.
*
* These tests are designed to run in CI with no real API keys; they test graceful
* degradation and static configuration rather than live network calls.
*/
import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
import { ModelRegistry, AuthStorage } from '@mariozechner/pi-coding-agent';
import { AnthropicAdapter } from '../adapters/anthropic.adapter.js';
import { OpenAIAdapter } from '../adapters/openai.adapter.js';
import { OpenRouterAdapter } from '../adapters/openrouter.adapter.js';
import { ZaiAdapter } from '../adapters/zai.adapter.js';
import { OllamaAdapter } from '../adapters/ollama.adapter.js';
import { ProviderService } from '../provider.service.js';
import {
getModelCapability,
MODEL_CAPABILITIES,
findModelsByCapability,
} from '../model-capabilities.js';
// ---------------------------------------------------------------------------
// Environment helpers
// ---------------------------------------------------------------------------
const ALL_PROVIDER_KEYS = [
'ANTHROPIC_API_KEY',
'OPENAI_API_KEY',
'OPENROUTER_API_KEY',
'ZAI_API_KEY',
'ZAI_BASE_URL',
'OLLAMA_BASE_URL',
'OLLAMA_HOST',
'OLLAMA_MODELS',
'BETTER_AUTH_SECRET',
] as const;
type EnvKey = (typeof ALL_PROVIDER_KEYS)[number];
function saveAndClearEnv(): Map<EnvKey, string | undefined> {
const saved = new Map<EnvKey, string | undefined>();
for (const key of ALL_PROVIDER_KEYS) {
saved.set(key, process.env[key]);
delete process.env[key];
}
return saved;
}
function restoreEnv(saved: Map<EnvKey, string | undefined>): void {
for (const key of ALL_PROVIDER_KEYS) {
const value = saved.get(key);
if (value === undefined) {
delete process.env[key];
} else {
process.env[key] = value;
}
}
}
function makeRegistry(): ModelRegistry {
return ModelRegistry.inMemory(AuthStorage.inMemory());
}
// ---------------------------------------------------------------------------
// 1. Adapter registration tests
// ---------------------------------------------------------------------------
describe('AnthropicAdapter', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
it('skips registration gracefully when ANTHROPIC_API_KEY is missing', async () => {
const adapter = new AnthropicAdapter(makeRegistry());
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('registers and listModels returns expected models when ANTHROPIC_API_KEY is set', async () => {
process.env['ANTHROPIC_API_KEY'] = 'sk-ant-test';
const adapter = new AnthropicAdapter(makeRegistry());
await adapter.register();
const models = adapter.listModels();
expect(models.length).toBeGreaterThan(0);
const ids = models.map((m) => m.id);
expect(ids).toContain('claude-opus-4-6');
expect(ids).toContain('claude-sonnet-4-6');
expect(ids).toContain('claude-haiku-4-5');
for (const model of models) {
expect(model.provider).toBe('anthropic');
expect(model.contextWindow).toBe(200000);
}
});
it('healthCheck returns down with error when ANTHROPIC_API_KEY is missing', async () => {
const adapter = new AnthropicAdapter(makeRegistry());
const health = await adapter.healthCheck();
expect(health.status).toBe('down');
expect(health.error).toMatch(/ANTHROPIC_API_KEY/);
expect(health.lastChecked).toBeTruthy();
});
it('adapter name is "anthropic"', () => {
expect(new AnthropicAdapter(makeRegistry()).name).toBe('anthropic');
});
});
describe('OpenAIAdapter', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
it('skips registration gracefully when OPENAI_API_KEY is missing', async () => {
const adapter = new OpenAIAdapter(makeRegistry());
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('registers and listModels returns Codex model when OPENAI_API_KEY is set', async () => {
process.env['OPENAI_API_KEY'] = 'sk-openai-test';
const adapter = new OpenAIAdapter(makeRegistry());
await adapter.register();
const models = adapter.listModels();
expect(models.length).toBeGreaterThan(0);
const ids = models.map((m) => m.id);
expect(ids).toContain(OpenAIAdapter.CODEX_MODEL_ID);
const codex = models.find((m) => m.id === OpenAIAdapter.CODEX_MODEL_ID)!;
expect(codex.provider).toBe('openai');
expect(codex.contextWindow).toBe(128_000);
expect(codex.maxTokens).toBe(16_384);
});
it('healthCheck returns down with error when OPENAI_API_KEY is missing', async () => {
const adapter = new OpenAIAdapter(makeRegistry());
const health = await adapter.healthCheck();
expect(health.status).toBe('down');
expect(health.error).toMatch(/OPENAI_API_KEY/);
});
it('adapter name is "openai"', () => {
expect(new OpenAIAdapter(makeRegistry()).name).toBe('openai');
});
});
describe('OpenRouterAdapter', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
// Prevent real network calls during registration — stub global fetch
vi.stubGlobal(
'fetch',
vi.fn().mockResolvedValue({
ok: true,
json: () =>
Promise.resolve({
data: [
{
id: 'openai/gpt-4o',
name: 'GPT-4o',
context_length: 128000,
top_provider: { max_completion_tokens: 4096 },
pricing: { prompt: '0.000005', completion: '0.000015' },
architecture: { input_modalities: ['text', 'image'] },
},
],
}),
}),
);
});
afterEach(() => {
restoreEnv(savedEnv);
vi.unstubAllGlobals();
});
it('skips registration gracefully when OPENROUTER_API_KEY is missing', async () => {
vi.unstubAllGlobals(); // no fetch call expected
const adapter = new OpenRouterAdapter();
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('registers and listModels returns models when OPENROUTER_API_KEY is set', async () => {
process.env['OPENROUTER_API_KEY'] = 'sk-or-test';
const adapter = new OpenRouterAdapter();
await adapter.register();
const models = adapter.listModels();
expect(models.length).toBeGreaterThan(0);
const first = models[0]!;
expect(first.provider).toBe('openrouter');
expect(first.id).toBe('openai/gpt-4o');
expect(first.inputTypes).toContain('image');
});
it('healthCheck returns down with error when OPENROUTER_API_KEY is missing', async () => {
vi.unstubAllGlobals(); // no fetch call expected
const adapter = new OpenRouterAdapter();
const health = await adapter.healthCheck();
expect(health.status).toBe('down');
expect(health.error).toMatch(/OPENROUTER_API_KEY/);
});
it('continues registration with empty model list when model fetch fails', async () => {
process.env['OPENROUTER_API_KEY'] = 'sk-or-test';
vi.stubGlobal(
'fetch',
vi.fn().mockResolvedValue({
ok: false,
status: 500,
}),
);
const adapter = new OpenRouterAdapter();
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('adapter name is "openrouter"', () => {
expect(new OpenRouterAdapter().name).toBe('openrouter');
});
});
describe('ZaiAdapter', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
it('skips registration gracefully when ZAI_API_KEY is missing', async () => {
const adapter = new ZaiAdapter();
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('registers and listModels returns glm-5 when ZAI_API_KEY is set', async () => {
process.env['ZAI_API_KEY'] = 'zai-test-key';
const adapter = new ZaiAdapter();
await adapter.register();
const models = adapter.listModels();
expect(models.length).toBeGreaterThan(0);
const ids = models.map((m) => m.id);
expect(ids).toContain('glm-5');
const glm = models.find((m) => m.id === 'glm-5')!;
expect(glm.provider).toBe('zai');
});
it('healthCheck returns down with error when ZAI_API_KEY is missing', async () => {
const adapter = new ZaiAdapter();
const health = await adapter.healthCheck();
expect(health.status).toBe('down');
expect(health.error).toMatch(/ZAI_API_KEY/);
});
it('adapter name is "zai"', () => {
expect(new ZaiAdapter().name).toBe('zai');
});
});
describe('OllamaAdapter', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
it('skips registration gracefully when OLLAMA_BASE_URL is missing', async () => {
const adapter = new OllamaAdapter(makeRegistry());
await expect(adapter.register()).resolves.toBeUndefined();
expect(adapter.listModels()).toEqual([]);
});
it('registers via OLLAMA_HOST fallback when OLLAMA_BASE_URL is absent', async () => {
process.env['OLLAMA_HOST'] = 'http://localhost:11434';
const adapter = new OllamaAdapter(makeRegistry());
await adapter.register();
const models = adapter.listModels();
expect(models.length).toBeGreaterThan(0);
});
it('registers default models (llama3.2, codellama, mistral) + embedding models', async () => {
process.env['OLLAMA_BASE_URL'] = 'http://localhost:11434';
const adapter = new OllamaAdapter(makeRegistry());
await adapter.register();
const models = adapter.listModels();
const ids = models.map((m) => m.id);
// Default completion models
expect(ids).toContain('llama3.2');
expect(ids).toContain('codellama');
expect(ids).toContain('mistral');
// Embedding models
expect(ids).toContain('nomic-embed-text');
expect(ids).toContain('mxbai-embed-large');
for (const model of models) {
expect(model.provider).toBe('ollama');
}
});
it('registers custom OLLAMA_MODELS list', async () => {
process.env['OLLAMA_BASE_URL'] = 'http://localhost:11434';
process.env['OLLAMA_MODELS'] = 'phi3,gemma2';
const adapter = new OllamaAdapter(makeRegistry());
await adapter.register();
const completionIds = adapter.listModels().map((m) => m.id);
expect(completionIds).toContain('phi3');
expect(completionIds).toContain('gemma2');
expect(completionIds).not.toContain('llama3.2');
});
it('healthCheck returns down with error when OLLAMA_BASE_URL is missing', async () => {
const adapter = new OllamaAdapter(makeRegistry());
const health = await adapter.healthCheck();
expect(health.status).toBe('down');
expect(health.error).toMatch(/OLLAMA_BASE_URL/);
});
it('adapter name is "ollama"', () => {
expect(new OllamaAdapter(makeRegistry()).name).toBe('ollama');
});
});
// ---------------------------------------------------------------------------
// 2. ProviderService integration
// ---------------------------------------------------------------------------
describe('ProviderService — adapter array integration', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
it('contains all 5 adapters (ollama, anthropic, openai, openrouter, zai)', async () => {
const service = new ProviderService(null);
await service.onModuleInit();
// Exercise getAdapter for all five known provider names
const expectedProviders = ['ollama', 'anthropic', 'openai', 'openrouter', 'zai'];
for (const name of expectedProviders) {
const adapter = service.getAdapter(name);
expect(adapter, `Expected adapter "${name}" to be registered`).toBeDefined();
expect(adapter!.name).toBe(name);
}
});
it('healthCheckAll runs without crashing and returns status for all 5 providers', async () => {
const service = new ProviderService(null);
await service.onModuleInit();
const results = await service.healthCheckAll();
expect(typeof results).toBe('object');
const expectedProviders = ['ollama', 'anthropic', 'openai', 'openrouter', 'zai'];
for (const name of expectedProviders) {
const health = results[name];
expect(health, `Expected health result for provider "${name}"`).toBeDefined();
expect(['healthy', 'degraded', 'down']).toContain(health!.status);
expect(health!.lastChecked).toBeTruthy();
}
});
it('healthCheckAll reports "down" for all providers when no keys are set', async () => {
const service = new ProviderService(null);
await service.onModuleInit();
const results = await service.healthCheckAll();
// All unconfigured providers should be down (not healthy)
for (const [, health] of Object.entries(results)) {
expect(['down', 'degraded']).toContain(health.status);
}
});
it('getProvidersHealth returns entries for all 5 providers', async () => {
const service = new ProviderService(null);
await service.onModuleInit();
const healthList = service.getProvidersHealth();
const names = healthList.map((h) => h.name);
for (const expected of ['ollama', 'anthropic', 'openai', 'openrouter', 'zai']) {
expect(names).toContain(expected);
}
for (const entry of healthList) {
expect(entry).toHaveProperty('name');
expect(entry).toHaveProperty('status');
expect(entry).toHaveProperty('lastChecked');
expect(typeof entry.modelCount).toBe('number');
}
});
it('service initialises without error when all env keys are absent', async () => {
const service = new ProviderService(null);
await expect(service.onModuleInit()).resolves.toBeUndefined();
service.onModuleDestroy();
});
});
// ---------------------------------------------------------------------------
// 3. Model capability matrix
// ---------------------------------------------------------------------------
describe('Model capability matrix', () => {
const expectedModels: Array<{
id: string;
provider: string;
tier: string;
contextWindow: number;
reasoning?: boolean;
vision?: boolean;
embedding?: boolean;
}> = [
{
id: 'claude-opus-4-6',
provider: 'anthropic',
tier: 'premium',
contextWindow: 200000,
reasoning: true,
vision: true,
},
{
id: 'claude-sonnet-4-6',
provider: 'anthropic',
tier: 'standard',
contextWindow: 200000,
reasoning: true,
vision: true,
},
{
id: 'claude-haiku-4-5',
provider: 'anthropic',
tier: 'cheap',
contextWindow: 200000,
reasoning: false,
vision: true,
},
{
id: 'codex-gpt-5.4',
provider: 'openai',
tier: 'premium',
contextWindow: 128000,
},
{
id: 'glm-5',
provider: 'zai',
tier: 'standard',
contextWindow: 128000,
},
{
id: 'llama3.2',
provider: 'ollama',
tier: 'local',
contextWindow: 128000,
},
{
id: 'codellama',
provider: 'ollama',
tier: 'local',
contextWindow: 16000,
},
{
id: 'mistral',
provider: 'ollama',
tier: 'local',
contextWindow: 32000,
},
{
id: 'nomic-embed-text',
provider: 'ollama',
tier: 'local',
contextWindow: 8192,
embedding: true,
},
{
id: 'mxbai-embed-large',
provider: 'ollama',
tier: 'local',
contextWindow: 8192,
embedding: true,
},
];
it('MODEL_CAPABILITIES contains all expected model IDs', () => {
const allIds = MODEL_CAPABILITIES.map((m) => m.id);
for (const { id } of expectedModels) {
expect(allIds, `Expected model "${id}" in capability matrix`).toContain(id);
}
});
it('getModelCapability() returns correct tier and context window for each model', () => {
for (const expected of expectedModels) {
const cap = getModelCapability(expected.id);
expect(cap, `getModelCapability("${expected.id}") should be defined`).toBeDefined();
expect(cap!.provider).toBe(expected.provider);
expect(cap!.tier).toBe(expected.tier);
expect(cap!.contextWindow).toBe(expected.contextWindow);
}
});
it('Anthropic models have correct capability flags (tools, streaming, vision, reasoning)', () => {
for (const expected of expectedModels.filter((m) => m.provider === 'anthropic')) {
const cap = getModelCapability(expected.id)!;
expect(cap.capabilities.tools).toBe(true);
expect(cap.capabilities.streaming).toBe(true);
if (expected.vision !== undefined) {
expect(cap.capabilities.vision).toBe(expected.vision);
}
if (expected.reasoning !== undefined) {
expect(cap.capabilities.reasoning).toBe(expected.reasoning);
}
}
});
it('Embedding models have embedding flag=true and other flags=false', () => {
for (const expected of expectedModels.filter((m) => m.embedding)) {
const cap = getModelCapability(expected.id)!;
expect(cap.capabilities.embedding).toBe(true);
expect(cap.capabilities.tools).toBe(false);
expect(cap.capabilities.streaming).toBe(false);
expect(cap.capabilities.reasoning).toBe(false);
}
});
it('findModelsByCapability filters by tier correctly', () => {
const premiumModels = findModelsByCapability({ tier: 'premium' });
expect(premiumModels.length).toBeGreaterThan(0);
for (const m of premiumModels) {
expect(m.tier).toBe('premium');
}
});
it('findModelsByCapability filters by provider correctly', () => {
const anthropicModels = findModelsByCapability({ provider: 'anthropic' });
expect(anthropicModels.length).toBe(3);
for (const m of anthropicModels) {
expect(m.provider).toBe('anthropic');
}
});
it('findModelsByCapability filters by capability flags correctly', () => {
const reasoningModels = findModelsByCapability({ capabilities: { reasoning: true } });
expect(reasoningModels.length).toBeGreaterThan(0);
for (const m of reasoningModels) {
expect(m.capabilities.reasoning).toBe(true);
}
const embeddingModels = findModelsByCapability({ capabilities: { embedding: true } });
expect(embeddingModels.length).toBeGreaterThan(0);
for (const m of embeddingModels) {
expect(m.capabilities.embedding).toBe(true);
}
});
it('getModelCapability returns undefined for unknown model IDs', () => {
expect(getModelCapability('not-a-real-model')).toBeUndefined();
expect(getModelCapability('')).toBeUndefined();
});
it('all Anthropic models have maxOutputTokens > 0', () => {
const anthropicModels = MODEL_CAPABILITIES.filter((m) => m.provider === 'anthropic');
for (const m of anthropicModels) {
expect(m.maxOutputTokens).toBeGreaterThan(0);
}
});
});
// ---------------------------------------------------------------------------
// 4. ProviderCredentialsService — unit-level tests (encrypt/decrypt logic)
// ---------------------------------------------------------------------------
describe('ProviderCredentialsService — encryption helpers', () => {
let savedEnv: Map<EnvKey, string | undefined>;
beforeEach(() => {
savedEnv = saveAndClearEnv();
});
afterEach(() => {
restoreEnv(savedEnv);
});
/**
* The service uses module-level functions (encrypt/decrypt) that depend on
* BETTER_AUTH_SECRET. We test the behaviour through the service's public API
* using an in-memory mock DB so no real Postgres connection is needed.
*/
it('store/retrieve/remove work correctly with mock DB and BETTER_AUTH_SECRET set', async () => {
process.env['BETTER_AUTH_SECRET'] = 'test-secret-for-unit-tests-only';
// Build a minimal in-memory DB mock
const rows = new Map<
string,
{
encryptedValue: string;
credentialType: string;
expiresAt: Date | null;
metadata: null;
createdAt: Date;
updatedAt: Date;
}
>();
// We import the service but mock its DB dependency manually
// by testing the encrypt/decrypt indirectly — using the real module.
const { ProviderCredentialsService } = await import('../provider-credentials.service.js');
// Capture stored value from upsert call
let storedEncryptedValue = '';
let storedCredentialType = '';
const captureInsert = vi.fn().mockImplementation(() => ({
values: vi
.fn()
.mockImplementation((data: { encryptedValue: string; credentialType: string }) => {
storedEncryptedValue = data.encryptedValue;
storedCredentialType = data.credentialType;
rows.set('user1:anthropic', {
encryptedValue: data.encryptedValue,
credentialType: data.credentialType,
expiresAt: null,
metadata: null,
createdAt: new Date(),
updatedAt: new Date(),
});
return {
onConflictDoUpdate: vi.fn().mockResolvedValue(undefined),
};
}),
}));
const captureSelect = vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
limit: vi.fn().mockImplementation(() => {
const row = rows.get('user1:anthropic');
return Promise.resolve(row ? [row] : []);
}),
}),
}),
});
const captureDelete = vi.fn().mockReturnValue({
where: vi.fn().mockResolvedValue(undefined),
});
const db = {
insert: captureInsert,
select: captureSelect,
delete: captureDelete,
};
const service = new ProviderCredentialsService(db as never);
// store
await service.store('user1', 'anthropic', 'api_key', 'sk-ant-secret-value');
// verify encrypted value is not plain text
expect(storedEncryptedValue).not.toBe('sk-ant-secret-value');
expect(storedEncryptedValue.length).toBeGreaterThan(0);
expect(storedCredentialType).toBe('api_key');
// retrieve
const retrieved = await service.retrieve('user1', 'anthropic');
expect(retrieved).toBe('sk-ant-secret-value');
// remove (clears the row)
rows.delete('user1:anthropic');
const afterRemove = await service.retrieve('user1', 'anthropic');
expect(afterRemove).toBeNull();
});
it('retrieve returns null when no credential is stored', async () => {
process.env['BETTER_AUTH_SECRET'] = 'test-secret-for-unit-tests-only';
const { ProviderCredentialsService } = await import('../provider-credentials.service.js');
const emptyDb = {
select: vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
limit: vi.fn().mockResolvedValue([]),
}),
}),
}),
};
const service = new ProviderCredentialsService(emptyDb as never);
const result = await service.retrieve('user-nobody', 'anthropic');
expect(result).toBeNull();
});
it('listProviders returns only metadata, never decrypted values', async () => {
process.env['BETTER_AUTH_SECRET'] = 'test-secret-for-unit-tests-only';
const { ProviderCredentialsService } = await import('../provider-credentials.service.js');
const fakeRow = {
provider: 'anthropic',
credentialType: 'api_key',
expiresAt: null,
metadata: null,
createdAt: new Date(),
updatedAt: new Date(),
};
const listDb = {
select: vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockResolvedValue([fakeRow]),
}),
}),
};
const service = new ProviderCredentialsService(listDb as never);
const providers = await service.listProviders('user1');
expect(providers).toHaveLength(1);
expect(providers[0]!.provider).toBe('anthropic');
expect(providers[0]!.credentialType).toBe('api_key');
expect(providers[0]!.exists).toBe(true);
// Critically: no encrypted or plain-text value is exposed
expect(providers[0]).not.toHaveProperty('encryptedValue');
expect(providers[0]).not.toHaveProperty('value');
expect(providers[0]).not.toHaveProperty('apiKey');
});
});

142
apps/gateway/src/agent/__tests__/provider.service.test.ts
View File

@@ -1,142 +0,0 @@
import { beforeEach, afterEach, describe, expect, it } from 'vitest';
import { ProviderService } from '../provider.service.js';
const ENV_KEYS = [
'ANTHROPIC_API_KEY',
'OPENAI_API_KEY',
'ZAI_API_KEY',
'OLLAMA_BASE_URL',
'OLLAMA_HOST',
'OLLAMA_MODELS',
'MOSAIC_CUSTOM_PROVIDERS',
] as const;
type EnvKey = (typeof ENV_KEYS)[number];
describe('ProviderService', () => {
const savedEnv = new Map<EnvKey, string | undefined>();
beforeEach(() => {
for (const key of ENV_KEYS) {
savedEnv.set(key, process.env[key]);
delete process.env[key];
}
});
afterEach(() => {
for (const key of ENV_KEYS) {
const value = savedEnv.get(key);
if (value === undefined) {
delete process.env[key];
} else {
process.env[key] = value;
}
}
});
it('skips API-key providers when env vars are missing (no models become available)', async () => {
const service = new ProviderService(null);
await service.onModuleInit();
// Pi's built-in registry may include model definitions for all providers, but
// without API keys none of them should be available (usable).
const availableModels = service.listAvailableModels();
const availableProviderIds = new Set(availableModels.map((m) => m.provider));
expect(availableProviderIds).not.toContain('anthropic');
expect(availableProviderIds).not.toContain('openai');
expect(availableProviderIds).not.toContain('zai');
// Providers list may show built-in providers, but they should not be marked available
const providers = service.listProviders();
for (const p of providers.filter((p) => ['anthropic', 'openai', 'zai'].includes(p.id))) {
expect(p.available).toBe(false);
}
});
it('registers Anthropic provider with correct models when ANTHROPIC_API_KEY is set', async () => {
process.env['ANTHROPIC_API_KEY'] = 'test-anthropic';
const service = new ProviderService(null);
await service.onModuleInit();
const providers = service.listProviders();
const anthropic = providers.find((p) => p.id === 'anthropic');
expect(anthropic).toBeDefined();
expect(anthropic!.available).toBe(true);
expect(anthropic!.models.map((m) => m.id)).toEqual([
'claude-opus-4-6',
'claude-sonnet-4-6',
'claude-haiku-4-5',
]);
// All Anthropic models have 200k context window
for (const m of anthropic!.models) {
expect(m.contextWindow).toBe(200000);
}
});
it('registers OpenAI provider with correct models when OPENAI_API_KEY is set', async () => {
process.env['OPENAI_API_KEY'] = 'test-openai';
const service = new ProviderService(null);
await service.onModuleInit();
const providers = service.listProviders();
const openai = providers.find((p) => p.id === 'openai');
expect(openai).toBeDefined();
expect(openai!.available).toBe(true);
expect(openai!.models.map((m) => m.id)).toEqual(['codex-gpt-5-4']);
});
it('registers Z.ai provider with correct models when ZAI_API_KEY is set', async () => {
process.env['ZAI_API_KEY'] = 'test-zai';
const service = new ProviderService(null);
await service.onModuleInit();
const providers = service.listProviders();
const zai = providers.find((p) => p.id === 'zai');
expect(zai).toBeDefined();
expect(zai!.available).toBe(true);
// Pi's registry may include additional glm variants; verify our registered model is present
expect(zai!.models.map((m) => m.id)).toContain('glm-5');
});
it('registers all three providers when all keys are set', async () => {
process.env['ANTHROPIC_API_KEY'] = 'test-anthropic';
process.env['OPENAI_API_KEY'] = 'test-openai';
process.env['ZAI_API_KEY'] = 'test-zai';
const service = new ProviderService(null);
await service.onModuleInit();
const providerIds = service.listProviders().map((p) => p.id);
expect(providerIds).toContain('anthropic');
expect(providerIds).toContain('openai');
expect(providerIds).toContain('zai');
});
it('can find registered Anthropic models by provider+id', async () => {
process.env['ANTHROPIC_API_KEY'] = 'test-anthropic';
const service = new ProviderService(null);
await service.onModuleInit();
const sonnet = service.findModel('anthropic', 'claude-sonnet-4-6');
expect(sonnet).toBeDefined();
expect(sonnet!.provider).toBe('anthropic');
expect(sonnet!.id).toBe('claude-sonnet-4-6');
});
it('can find registered Z.ai models by provider+id', async () => {
process.env['ZAI_API_KEY'] = 'test-zai';
const service = new ProviderService(null);
await service.onModuleInit();
const glm = service.findModel('zai', 'glm-4.5');
expect(glm).toBeDefined();
expect(glm!.provider).toBe('zai');
expect(glm!.id).toBe('glm-4.5');
});
});

2
apps/gateway/src/agent/__tests__/routing.service.test.ts
View File

@@ -1,6 +1,6 @@
import { describe, it, expect, beforeEach, vi } from 'vitest'; import { describe, it, expect, beforeEach, vi } from 'vitest';
import { RoutingService } from '../routing.service.js'; import { RoutingService } from '../routing.service.js';
import type { ModelInfo } from '@mosaicstack/types'; import type { ModelInfo } from '@mosaic/types';
const mockModels: ModelInfo[] = [ const mockModels: ModelInfo[] = [
{ {

191
apps/gateway/src/agent/adapters/anthropic.adapter.ts
View File

@@ -1,191 +0,0 @@
import { Logger } from '@nestjs/common';
import Anthropic from '@anthropic-ai/sdk';
import type { ModelRegistry } from '@mariozechner/pi-coding-agent';
import type {
CompletionEvent,
CompletionParams,
IProviderAdapter,
ModelInfo,
ProviderHealth,
} from '@mosaicstack/types';
/**
* Anthropic provider adapter.
*
* Registers Claude models with the Pi ModelRegistry via the Anthropic SDK.
* Configuration is driven by environment variables:
* ANTHROPIC_API_KEY — Anthropic API key (required)
*/
export class AnthropicAdapter implements IProviderAdapter {
readonly name = 'anthropic';
private readonly logger = new Logger(AnthropicAdapter.name);
private client: Anthropic | null = null;
private registeredModels: ModelInfo[] = [];
constructor(private readonly registry: ModelRegistry) {}
async register(): Promise<void> {
const apiKey = process.env['ANTHROPIC_API_KEY'];
if (!apiKey) {
this.logger.warn('Skipping Anthropic provider registration: ANTHROPIC_API_KEY not set');
return;
}
this.client = new Anthropic({ apiKey });
const models: ModelInfo[] = [
{
id: 'claude-opus-4-6',
provider: 'anthropic',
name: 'Claude Opus 4.6',
reasoning: true,
contextWindow: 200000,
maxTokens: 32000,
inputTypes: ['text', 'image'],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
},
{
id: 'claude-sonnet-4-6',
provider: 'anthropic',
name: 'Claude Sonnet 4.6',
reasoning: true,
contextWindow: 200000,
maxTokens: 16000,
inputTypes: ['text', 'image'],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
},
{
id: 'claude-haiku-4-5',
provider: 'anthropic',
name: 'Claude Haiku 4.5',
reasoning: false,
contextWindow: 200000,
maxTokens: 8192,
inputTypes: ['text', 'image'],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
},
];
this.registry.registerProvider('anthropic', {
apiKey,
baseUrl: 'https://api.anthropic.com',
api: 'anthropic' as never,
models: models.map((m) => ({
id: m.id,
name: m.name,
reasoning: m.reasoning,
input: m.inputTypes as ('text' | 'image')[],
cost: m.cost,
contextWindow: m.contextWindow,
maxTokens: m.maxTokens,
})),
});
this.registeredModels = models;
this.logger.log(
`Anthropic provider registered with models: ${models.map((m) => m.id).join(', ')}`,
);
}
listModels(): ModelInfo[] {
return this.registeredModels;
}
async healthCheck(): Promise<ProviderHealth> {
const apiKey = process.env['ANTHROPIC_API_KEY'];
if (!apiKey) {
return {
status: 'down',
lastChecked: new Date().toISOString(),
error: 'ANTHROPIC_API_KEY not configured',
};
}
const start = Date.now();
try {
const client = this.client ?? new Anthropic({ apiKey });
await client.models.list({ limit: 1 });
const latencyMs = Date.now() - start;
return { status: 'healthy', latencyMs, lastChecked: new Date().toISOString() };
} catch (err) {
const latencyMs = Date.now() - start;
const error = err instanceof Error ? err.message : String(err);
const status = error.includes('401') || error.includes('403') ? 'degraded' : 'down';
return { status, latencyMs, lastChecked: new Date().toISOString(), error };
}
}
/**
* Stream a completion from Anthropic using the messages API.
* Maps Anthropic streaming events to the CompletionEvent format.
*
* Note: Currently reserved for future direct-completion use. The Pi SDK
* integration routes completions through ModelRegistry / AgentSession.
*/
async *createCompletion(params: CompletionParams): AsyncIterable<CompletionEvent> {
const apiKey = process.env['ANTHROPIC_API_KEY'];
if (!apiKey) {
throw new Error('AnthropicAdapter: ANTHROPIC_API_KEY not configured');
}
const client = this.client ?? new Anthropic({ apiKey });
// Separate system messages from user/assistant messages
const systemMessages = params.messages.filter((m) => m.role === 'system');
const conversationMessages = params.messages.filter((m) => m.role !== 'system');
const systemPrompt =
systemMessages.length > 0 ? systemMessages.map((m) => m.content).join('\n') : undefined;
const stream = await client.messages.stream({
model: params.model,
max_tokens: params.maxTokens ?? 1024,
...(systemPrompt !== undefined ? { system: systemPrompt } : {}),
messages: conversationMessages.map((m) => ({
role: m.role as 'user' | 'assistant',
content: m.content,
})),
...(params.temperature !== undefined ? { temperature: params.temperature } : {}),
...(params.tools && params.tools.length > 0
? {
tools: params.tools.map((t) => ({
name: t.name,
description: t.description,
input_schema: t.parameters as Anthropic.Tool['input_schema'],
})),
}
: {}),
});
for await (const event of stream) {
if (event.type === 'content_block_delta' && event.delta.type === 'text_delta') {
yield { type: 'text_delta', content: event.delta.text };
} else if (event.type === 'content_block_delta' && event.delta.type === 'input_json_delta') {
yield { type: 'tool_call', name: '', arguments: event.delta.partial_json };
} else if (event.type === 'message_delta' && event.usage) {
yield {
type: 'done',
usage: {
inputTokens:
(event as { usage: { input_tokens?: number; output_tokens: number } }).usage
.input_tokens ?? 0,
outputTokens: event.usage.output_tokens,
},
};
}
}
// Emit final done event with full usage from the completed message
const finalMessage = await stream.finalMessage();
yield {
type: 'done',
usage: {
inputTokens: finalMessage.usage.input_tokens,
outputTokens: finalMessage.usage.output_tokens,
},
};
}
}

5
apps/gateway/src/agent/adapters/index.ts
View File

@@ -1,5 +0,0 @@
export { OllamaAdapter } from './ollama.adapter.js';
export { AnthropicAdapter } from './anthropic.adapter.js';
export { OpenAIAdapter } from './openai.adapter.js';
export { OpenRouterAdapter } from './openrouter.adapter.js';
export { ZaiAdapter } from './zai.adapter.js';

197
apps/gateway/src/agent/adapters/ollama.adapter.ts
View File

@@ -1,197 +0,0 @@
import { Logger } from '@nestjs/common';
import type { ModelRegistry } from '@mariozechner/pi-coding-agent';
import type {
CompletionEvent,
CompletionParams,
IProviderAdapter,
ModelInfo,
ProviderHealth,
} from '@mosaicstack/types';
/** Embedding models that Ollama ships with out of the box */
const OLLAMA_EMBEDDING_MODELS: ReadonlyArray<{
id: string;
contextWindow: number;
dimensions: number;
}> = [
{ id: 'nomic-embed-text', contextWindow: 8192, dimensions: 768 },
{ id: 'mxbai-embed-large', contextWindow: 512, dimensions: 1024 },
];
interface OllamaEmbeddingResponse {
embedding?: number[];
}
/**
* Ollama provider adapter.
*
* Registers local Ollama models with the Pi ModelRegistry via the OpenAI-compatible
* completions API. Also exposes embedding models and an `embed()` method for
* vector generation (used by EmbeddingService / M3-009).
*
* Configuration is driven by environment variables:
* OLLAMA_BASE_URL or OLLAMA_HOST — base URL of the Ollama instance
* OLLAMA_MODELS — comma-separated list of model IDs (default: llama3.2,codellama,mistral)
*/
export class OllamaAdapter implements IProviderAdapter {
readonly name = 'ollama';
private readonly logger = new Logger(OllamaAdapter.name);
private registeredModels: ModelInfo[] = [];
constructor(private readonly registry: ModelRegistry) {}
async register(): Promise<void> {
const ollamaUrl = process.env['OLLAMA_BASE_URL'] ?? process.env['OLLAMA_HOST'];
if (!ollamaUrl) {
this.logger.debug('Skipping Ollama provider registration: OLLAMA_BASE_URL not set');
return;
}
const modelsEnv = process.env['OLLAMA_MODELS'] ?? 'llama3.2,codellama,mistral';
const modelIds = modelsEnv
.split(',')
.map((id: string) => id.trim())
.filter(Boolean);
this.registry.registerProvider('ollama', {
baseUrl: `${ollamaUrl}/v1`,
apiKey: 'ollama',
api: 'openai-completions' as never,
models: modelIds.map((id) => ({
id,
name: id,
reasoning: false,
input: ['text'] as ('text' | 'image')[],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
contextWindow: 8192,
maxTokens: 4096,
})),
});
// Chat / completion models
const completionModels: ModelInfo[] = modelIds.map((id) => ({
id,
provider: 'ollama',
name: id,
reasoning: false,
contextWindow: 8192,
maxTokens: 4096,
inputTypes: ['text'] as ('text' | 'image')[],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
}));
// Embedding models (tracked in registeredModels but not in Pi registry,
// which only handles completion models)
const embeddingModels: ModelInfo[] = OLLAMA_EMBEDDING_MODELS.map((em) => ({
id: em.id,
provider: 'ollama',
name: em.id,
reasoning: false,
contextWindow: em.contextWindow,
maxTokens: 0,
inputTypes: ['text'] as ('text' | 'image')[],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
}));
this.registeredModels = [...completionModels, ...embeddingModels];
this.logger.log(
`Ollama provider registered at ${ollamaUrl} with models: ${modelIds.join(', ')} ` +
`and embedding models: ${OLLAMA_EMBEDDING_MODELS.map((em) => em.id).join(', ')}`,
);
}
listModels(): ModelInfo[] {
return this.registeredModels;
}
async healthCheck(): Promise<ProviderHealth> {
const ollamaUrl = process.env['OLLAMA_BASE_URL'] ?? process.env['OLLAMA_HOST'];
if (!ollamaUrl) {
return {
status: 'down',
lastChecked: new Date().toISOString(),
error: 'OLLAMA_BASE_URL not configured',
};
}
const checkUrl = `${ollamaUrl}/v1/models`;
const start = Date.now();
try {
const res = await fetch(checkUrl, {
method: 'GET',
headers: { Accept: 'application/json' },
signal: AbortSignal.timeout(5000),
});
const latencyMs = Date.now() - start;
if (!res.ok) {
return {
status: 'degraded',
latencyMs,
lastChecked: new Date().toISOString(),
error: `HTTP ${res.status}`,
};
}
return { status: 'healthy', latencyMs, lastChecked: new Date().toISOString() };
} catch (err) {
const latencyMs = Date.now() - start;
const error = err instanceof Error ? err.message : String(err);
return { status: 'down', latencyMs, lastChecked: new Date().toISOString(), error };
}
}
/**
* Generate an embedding vector for the given text using Ollama's /api/embeddings endpoint.
*
* Defaults to 'nomic-embed-text' when no model is specified.
* Intended for use by EmbeddingService (M3-009).
*
* @param text - The input text to embed.
* @param model - Optional embedding model ID (default: 'nomic-embed-text').
* @returns A float array representing the embedding vector.
*/
async embed(text: string, model = 'nomic-embed-text'): Promise<number[]> {
const ollamaUrl = process.env['OLLAMA_BASE_URL'] ?? process.env['OLLAMA_HOST'];
if (!ollamaUrl) {
throw new Error('OllamaAdapter: OLLAMA_BASE_URL not configured');
}
const embeddingUrl = `${ollamaUrl}/api/embeddings`;
const res = await fetch(embeddingUrl, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ model, prompt: text }),
signal: AbortSignal.timeout(30000),
});
if (!res.ok) {
throw new Error(`OllamaAdapter.embed: request failed with HTTP ${res.status}`);
}
const json = (await res.json()) as OllamaEmbeddingResponse;
if (!Array.isArray(json.embedding)) {
throw new Error('OllamaAdapter.embed: unexpected response — missing embedding array');
}
return json.embedding;
}
/**
* createCompletion is reserved for future direct-completion use.
* The current integration routes completions through Pi SDK's ModelRegistry/AgentSession.
*/
async *createCompletion(_params: CompletionParams): AsyncIterable<CompletionEvent> {
throw new Error(
'OllamaAdapter.createCompletion is not yet implemented. ' +
'Use Pi SDK AgentSession for completions.',
);
// Satisfy the AsyncGenerator return type — unreachable but required for TypeScript.
yield undefined as never;
}
}

201
apps/gateway/src/agent/adapters/openai.adapter.ts
View File

@@ -1,201 +0,0 @@
import { Logger } from '@nestjs/common';
import OpenAI from 'openai';
import type { ModelRegistry } from '@mariozechner/pi-coding-agent';
import type {
CompletionEvent,
CompletionParams,
IProviderAdapter,
ModelInfo,
ProviderHealth,
} from '@mosaicstack/types';
/**
* OpenAI provider adapter.
*
* Registers OpenAI models (including Codex gpt-5.4) with the Pi ModelRegistry.
* Configuration is driven by environment variables:
* OPENAI_API_KEY — OpenAI API key (required; adapter skips registration when absent)
*/
export class OpenAIAdapter implements IProviderAdapter {
readonly name = 'openai';
private readonly logger = new Logger(OpenAIAdapter.name);
private registeredModels: ModelInfo[] = [];
private client: OpenAI | null = null;
/** Model ID used for Codex gpt-5.4 in the Pi registry. */
static readonly CODEX_MODEL_ID = 'codex-gpt-5-4';
constructor(private readonly registry: ModelRegistry) {}
async register(): Promise<void> {
const apiKey = process.env['OPENAI_API_KEY'];
if (!apiKey) {
this.logger.debug('Skipping OpenAI provider registration: OPENAI_API_KEY not set');
return;
}
this.client = new OpenAI({ apiKey });
const codexModel = {
id: OpenAIAdapter.CODEX_MODEL_ID,
name: 'Codex gpt-5.4',
/** OpenAI-compatible completions API */
api: 'openai-completions' as never,
reasoning: false,
input: ['text', 'image'] as ('text' | 'image')[],
cost: { input: 0.003, output: 0.012, cacheRead: 0.0015, cacheWrite: 0 },
contextWindow: 128_000,
maxTokens: 16_384,
};
this.registry.registerProvider('openai', {
apiKey,
baseUrl: 'https://api.openai.com/v1',
models: [codexModel],
});
this.registeredModels = [
{
id: OpenAIAdapter.CODEX_MODEL_ID,
provider: 'openai',
name: 'Codex gpt-5.4',
reasoning: false,
contextWindow: 128_000,
maxTokens: 16_384,
inputTypes: ['text', 'image'] as ('text' | 'image')[],
cost: { input: 0.003, output: 0.012, cacheRead: 0.0015, cacheWrite: 0 },
},
];
this.logger.log(`OpenAI provider registered with model: ${OpenAIAdapter.CODEX_MODEL_ID}`);
}
listModels(): ModelInfo[] {
return this.registeredModels;
}
async healthCheck(): Promise<ProviderHealth> {
const apiKey = process.env['OPENAI_API_KEY'];
if (!apiKey) {
return {
status: 'down',
lastChecked: new Date().toISOString(),
error: 'OPENAI_API_KEY not configured',
};
}
const start = Date.now();
try {
// Lightweight call — list models to verify key validity
const res = await fetch('https://api.openai.com/v1/models', {
method: 'GET',
headers: {
Authorization: `Bearer ${apiKey}`,
'Content-Type': 'application/json',
},
signal: AbortSignal.timeout(5000),
});
const latencyMs = Date.now() - start;
if (!res.ok) {
return {
status: 'degraded',
latencyMs,
lastChecked: new Date().toISOString(),
error: `HTTP ${res.status}`,
};
}
return { status: 'healthy', latencyMs, lastChecked: new Date().toISOString() };
} catch (err) {
const latencyMs = Date.now() - start;
const error = err instanceof Error ? err.message : String(err);
return { status: 'down', latencyMs, lastChecked: new Date().toISOString(), error };
}
}
/**
* Stream a completion from OpenAI using the chat completions API.
*
* Maps OpenAI streaming chunks to the Mosaic CompletionEvent format.
*/
async *createCompletion(params: CompletionParams): AsyncIterable<CompletionEvent> {
if (!this.client) {
throw new Error(
'OpenAIAdapter: client not initialized. ' +
'Ensure OPENAI_API_KEY is set and register() was called.',
);
}
const stream = await this.client.chat.completions.create({
model: params.model,
messages: params.messages.map((m) => ({
role: m.role,
content: m.content,
})),
...(params.temperature !== undefined && { temperature: params.temperature }),
...(params.maxTokens !== undefined && { max_tokens: params.maxTokens }),
...(params.tools &&
params.tools.length > 0 && {
tools: params.tools.map((t) => ({
type: 'function' as const,
function: {
name: t.name,
description: t.description,
parameters: t.parameters,
},
})),
}),
stream: true,
stream_options: { include_usage: true },
});
let inputTokens = 0;
let outputTokens = 0;
for await (const chunk of stream) {
const choice = chunk.choices[0];
// Accumulate usage when present (final chunk with stream_options.include_usage)
if (chunk.usage) {
inputTokens = chunk.usage.prompt_tokens;
outputTokens = chunk.usage.completion_tokens;
}
if (!choice) continue;
const delta = choice.delta;
// Text content delta
if (delta.content) {
yield { type: 'text_delta', content: delta.content };
}
// Tool call delta — emit when arguments are complete
if (delta.tool_calls) {
for (const toolCallDelta of delta.tool_calls) {
if (toolCallDelta.function?.name && toolCallDelta.function.arguments !== undefined) {
yield {
type: 'tool_call',
name: toolCallDelta.function.name,
arguments: toolCallDelta.function.arguments,
};
}
}
}
// Stream finished
if (choice.finish_reason === 'stop' || choice.finish_reason === 'tool_calls') {
yield {
type: 'done',
usage: { inputTokens, outputTokens },
};
return;
}
}
// Fallback done event when stream ends without explicit finish_reason
yield { type: 'done', usage: { inputTokens, outputTokens } };
}
}

212
apps/gateway/src/agent/adapters/openrouter.adapter.ts
View File

@@ -1,212 +0,0 @@
import { Logger } from '@nestjs/common';
import OpenAI from 'openai';
import type {
CompletionEvent,
CompletionParams,
IProviderAdapter,
ModelInfo,
ProviderHealth,
} from '@mosaicstack/types';
const OPENROUTER_BASE_URL = 'https://openrouter.ai/api/v1';
interface OpenRouterModel {
id: string;
name?: string;
context_length?: number;
top_provider?: {
max_completion_tokens?: number;
};
pricing?: {
prompt?: string | number;
completion?: string | number;
};
architecture?: {
input_modalities?: string[];
};
}
interface OpenRouterModelsResponse {
data?: OpenRouterModel[];
}
/**
* OpenRouter provider adapter.
*
* Routes completions through OpenRouter's OpenAI-compatible API.
* Configuration is driven by the OPENROUTER_API_KEY environment variable.
*/
export class OpenRouterAdapter implements IProviderAdapter {
readonly name = 'openrouter';
private readonly logger = new Logger(OpenRouterAdapter.name);
private client: OpenAI | null = null;
private registeredModels: ModelInfo[] = [];
async register(): Promise<void> {
const apiKey = process.env['OPENROUTER_API_KEY'];
if (!apiKey) {
this.logger.debug('Skipping OpenRouter provider registration: OPENROUTER_API_KEY not set');
return;
}
this.client = new OpenAI({
apiKey,
baseURL: OPENROUTER_BASE_URL,
defaultHeaders: {
'HTTP-Referer': 'https://mosaic.ai',
'X-Title': 'Mosaic',
},
});
try {
this.registeredModels = await this.fetchModels(apiKey);
this.logger.log(`OpenRouter provider registered with ${this.registeredModels.length} models`);
} catch (err) {
this.logger.warn(
`OpenRouter model discovery failed: ${err instanceof Error ? err.message : String(err)}. Registering with empty model list.`,
);
this.registeredModels = [];
}
}
listModels(): ModelInfo[] {
return this.registeredModels;
}
async healthCheck(): Promise<ProviderHealth> {
const apiKey = process.env['OPENROUTER_API_KEY'];
if (!apiKey) {
return {
status: 'down',
lastChecked: new Date().toISOString(),
error: 'OPENROUTER_API_KEY not configured',
};
}
const start = Date.now();
try {
const res = await fetch(`${OPENROUTER_BASE_URL}/models`, {
method: 'GET',
headers: {
Authorization: `Bearer ${apiKey}`,
Accept: 'application/json',
},
signal: AbortSignal.timeout(5000),
});
const latencyMs = Date.now() - start;
if (!res.ok) {
return {
status: 'degraded',
latencyMs,
lastChecked: new Date().toISOString(),
error: `HTTP ${res.status}`,
};
}
return { status: 'healthy', latencyMs, lastChecked: new Date().toISOString() };
} catch (err) {
const latencyMs = Date.now() - start;
const error = err instanceof Error ? err.message : String(err);
return { status: 'down', latencyMs, lastChecked: new Date().toISOString(), error };
}
}
/**
* Stream a completion through OpenRouter's OpenAI-compatible API.
*/
async *createCompletion(params: CompletionParams): AsyncIterable<CompletionEvent> {
if (!this.client) {
throw new Error('OpenRouterAdapter is not initialized. Ensure OPENROUTER_API_KEY is set.');
}
const stream = await this.client.chat.completions.create({
model: params.model,
messages: params.messages.map((m) => ({ role: m.role, content: m.content })),
temperature: params.temperature,
max_tokens: params.maxTokens,
stream: true,
});
let inputTokens = 0;
let outputTokens = 0;
for await (const chunk of stream) {
const choice = chunk.choices[0];
if (!choice) continue;
const delta = choice.delta;
if (delta.content) {
yield { type: 'text_delta', content: delta.content };
}
if (choice.finish_reason === 'stop') {
const usage = (chunk as { usage?: { prompt_tokens?: number; completion_tokens?: number } })
.usage;
if (usage) {
inputTokens = usage.prompt_tokens ?? 0;
outputTokens = usage.completion_tokens ?? 0;
}
}
}
yield {
type: 'done',
usage: { inputTokens, outputTokens },
};
}
// ---------------------------------------------------------------------------
// Private helpers
// ---------------------------------------------------------------------------
private async fetchModels(apiKey: string): Promise<ModelInfo[]> {
const res = await fetch(`${OPENROUTER_BASE_URL}/models`, {
method: 'GET',
headers: {
Authorization: `Bearer ${apiKey}`,
Accept: 'application/json',
},
signal: AbortSignal.timeout(10000),
});
if (!res.ok) {
throw new Error(`OpenRouter models endpoint returned HTTP ${res.status}`);
}
const json = (await res.json()) as OpenRouterModelsResponse;
const data = json.data ?? [];
return data.map((model): ModelInfo => {
const inputPrice = model.pricing?.prompt
? parseFloat(String(model.pricing.prompt)) * 1000
: 0;
const outputPrice = model.pricing?.completion
? parseFloat(String(model.pricing.completion)) * 1000
: 0;
const inputModalities = model.architecture?.input_modalities ?? ['text'];
const inputTypes = inputModalities.includes('image')
? (['text', 'image'] as const)
: (['text'] as const);
return {
id: model.id,
provider: 'openrouter',
name: model.name ?? model.id,
reasoning: false,
contextWindow: model.context_length ?? 4096,
maxTokens: model.top_provider?.max_completion_tokens ?? 4096,
inputTypes: [...inputTypes],
cost: {
input: inputPrice,
output: outputPrice,
cacheRead: 0,
cacheWrite: 0,
},
};
});
}
}

187
apps/gateway/src/agent/adapters/zai.adapter.ts
View File

@@ -1,187 +0,0 @@
import { Logger } from '@nestjs/common';
import OpenAI from 'openai';
import type {
CompletionEvent,
CompletionParams,
IProviderAdapter,
ModelInfo,
ProviderHealth,
} from '@mosaicstack/types';
import { getModelCapability } from '../model-capabilities.js';
/**
* Default Z.ai API base URL.
* Z.ai (BigModel / Zhipu AI) exposes an OpenAI-compatible API at this endpoint.
* Can be overridden via the ZAI_BASE_URL environment variable.
*/
const DEFAULT_ZAI_BASE_URL = 'https://open.bigmodel.cn/api/paas/v4';
/**
* GLM-5 model identifier on the Z.ai platform.
*/
const GLM5_MODEL_ID = 'glm-5';
/**
* Z.ai (Zhipu AI / BigModel) provider adapter.
*
* Z.ai exposes an OpenAI-compatible REST API. This adapter uses the `openai`
* SDK with a custom base URL and the ZAI_API_KEY environment variable.
*
* Configuration:
* ZAI_API_KEY — required; Z.ai API key
* ZAI_BASE_URL — optional; override the default API base URL
*/
export class ZaiAdapter implements IProviderAdapter {
readonly name = 'zai';
private readonly logger = new Logger(ZaiAdapter.name);
private client: OpenAI | null = null;
private registeredModels: ModelInfo[] = [];
async register(): Promise<void> {
const apiKey = process.env['ZAI_API_KEY'];
if (!apiKey) {
this.logger.debug('Skipping Z.ai provider registration: ZAI_API_KEY not set');
return;
}
const baseURL = process.env['ZAI_BASE_URL'] ?? DEFAULT_ZAI_BASE_URL;
this.client = new OpenAI({ apiKey, baseURL });
this.registeredModels = this.buildModelList();
this.logger.log(`Z.ai provider registered with ${this.registeredModels.length} model(s)`);
}
listModels(): ModelInfo[] {
return this.registeredModels;
}
async healthCheck(): Promise<ProviderHealth> {
const apiKey = process.env['ZAI_API_KEY'];
if (!apiKey) {
return {
status: 'down',
lastChecked: new Date().toISOString(),
error: 'ZAI_API_KEY not configured',
};
}
const baseURL = process.env['ZAI_BASE_URL'] ?? DEFAULT_ZAI_BASE_URL;
const start = Date.now();
try {
const res = await fetch(`${baseURL}/models`, {
method: 'GET',
headers: {
Authorization: `Bearer ${apiKey}`,
Accept: 'application/json',
},
signal: AbortSignal.timeout(5000),
});
const latencyMs = Date.now() - start;
if (!res.ok) {
return {
status: 'degraded',
latencyMs,
lastChecked: new Date().toISOString(),
error: `HTTP ${res.status}`,
};
}
return { status: 'healthy', latencyMs, lastChecked: new Date().toISOString() };
} catch (err) {
const latencyMs = Date.now() - start;
const error = err instanceof Error ? err.message : String(err);
return { status: 'down', latencyMs, lastChecked: new Date().toISOString(), error };
}
}
/**
* Stream a completion through Z.ai's OpenAI-compatible API.
*/
async *createCompletion(params: CompletionParams): AsyncIterable<CompletionEvent> {
if (!this.client) {
throw new Error('ZaiAdapter is not initialized. Ensure ZAI_API_KEY is set.');
}
const stream = await this.client.chat.completions.create({
model: params.model,
messages: params.messages.map((m) => ({ role: m.role, content: m.content })),
temperature: params.temperature,
max_tokens: params.maxTokens,
stream: true,
});
let inputTokens = 0;
let outputTokens = 0;
for await (const chunk of stream) {
const choice = chunk.choices[0];
if (!choice) continue;
const delta = choice.delta;
if (delta.content) {
yield { type: 'text_delta', content: delta.content };
}
if (choice.finish_reason === 'stop') {
const usage = (chunk as { usage?: { prompt_tokens?: number; completion_tokens?: number } })
.usage;
if (usage) {
inputTokens = usage.prompt_tokens ?? 0;
outputTokens = usage.completion_tokens ?? 0;
}
}
}
yield {
type: 'done',
usage: { inputTokens, outputTokens },
};
}
// ---------------------------------------------------------------------------
// Private helpers
// ---------------------------------------------------------------------------
private buildModelList(): ModelInfo[] {
const capability = getModelCapability(GLM5_MODEL_ID);
if (!capability) {
this.logger.warn(`Model capability entry not found for '${GLM5_MODEL_ID}'; using defaults`);
return [
{
id: GLM5_MODEL_ID,
provider: 'zai',
name: 'GLM-5',
reasoning: false,
contextWindow: 128000,
maxTokens: 8192,
inputTypes: ['text'],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
},
];
}
return [
{
id: capability.id,
provider: 'zai',
name: capability.displayName,
reasoning: capability.capabilities.reasoning,
contextWindow: capability.contextWindow,
maxTokens: capability.maxOutputTokens,
inputTypes: capability.capabilities.vision ? ['text', 'image'] : ['text'],
cost: {
input: capability.costPer1kInput ?? 0,
output: capability.costPer1kOutput ?? 0,
cacheRead: 0,
cacheWrite: 0,
},
},
];
}
}

197
apps/gateway/src/agent/agent-config.dto.ts
View File

@@ -1,197 +0,0 @@
import {
IsArray,
IsBoolean,
IsIn,
IsObject,
IsOptional,
IsString,
IsUUID,
MaxLength,
} from 'class-validator';
const agentStatuses = ['idle', 'active', 'error', 'offline'] as const;
// ─── Agent Capability Declarations (M4-011) ───────────────────────────────────
/**
* Agent specialization capability fields.
* Stored inside the agent's `config` JSON as `capabilities`.
*/
export class AgentCapabilitiesDto {
/**
* Domains this agent specializes in, e.g. ['frontend', 'backend', 'devops'].
* Used by the routing engine to bias toward this agent for matching domains.
*/
@IsOptional()
@IsArray()
@IsString({ each: true })
domains?: string[];
/**
* Default model identifier for this agent.
* Influences routing when no explicit rule overrides the choice.
*/
@IsOptional()
@IsString()
@MaxLength(255)
preferredModel?: string;
/**
* Default provider for this agent.
* Influences routing when no explicit rule overrides the choice.
*/
@IsOptional()
@IsString()
@MaxLength(255)
preferredProvider?: string;
/**
* Tool categories this agent has access to, e.g. ['web-search', 'code-exec'].
*/
@IsOptional()
@IsArray()
@IsString({ each: true })
toolSets?: string[];
}
// ─── Create DTO ───────────────────────────────────────────────────────────────
export class CreateAgentConfigDto {
@IsString()
@MaxLength(255)
name!: string;
@IsString()
@MaxLength(255)
provider!: string;
@IsString()
@MaxLength(255)
model!: string;
@IsOptional()
@IsIn(agentStatuses)
status?: 'idle' | 'active' | 'error' | 'offline';
@IsOptional()
@IsUUID()
projectId?: string;
@IsOptional()
@IsString()
@MaxLength(50_000)
systemPrompt?: string;
@IsOptional()
@IsArray()
allowedTools?: string[];
@IsOptional()
@IsArray()
skills?: string[];
@IsOptional()
@IsBoolean()
isSystem?: boolean;
/**
* General config blob. May include `capabilities` (AgentCapabilitiesDto)
* for agent specialization declarations (M4-011).
*/
@IsOptional()
@IsObject()
config?: Record<string, unknown>;
// ─── Capability shorthand fields (M4-011) ──────────────────────────────────
// These are convenience top-level fields that get merged into config.capabilities.
@IsOptional()
@IsArray()
@IsString({ each: true })
domains?: string[];
@IsOptional()
@IsString()
@MaxLength(255)
preferredModel?: string;
@IsOptional()
@IsString()
@MaxLength(255)
preferredProvider?: string;
@IsOptional()
@IsArray()
@IsString({ each: true })
toolSets?: string[];
}
// ─── Update DTO ───────────────────────────────────────────────────────────────
export class UpdateAgentConfigDto {
@IsOptional()
@IsString()
@MaxLength(255)
name?: string;
@IsOptional()
@IsString()
@MaxLength(255)
provider?: string;
@IsOptional()
@IsString()
@MaxLength(255)
model?: string;
@IsOptional()
@IsIn(agentStatuses)
status?: 'idle' | 'active' | 'error' | 'offline';
@IsOptional()
@IsUUID()
projectId?: string | null;
@IsOptional()
@IsString()
@MaxLength(50_000)
systemPrompt?: string | null;
@IsOptional()
@IsArray()
allowedTools?: string[] | null;
@IsOptional()
@IsArray()
skills?: string[] | null;
/**
* General config blob. May include `capabilities` (AgentCapabilitiesDto)
* for agent specialization declarations (M4-011).
*/
@IsOptional()
@IsObject()
config?: Record<string, unknown> | null;
// ─── Capability shorthand fields (M4-011) ──────────────────────────────────
@IsOptional()
@IsArray()
@IsString({ each: true })
domains?: string[] | null;
@IsOptional()
@IsString()
@MaxLength(255)
preferredModel?: string | null;
@IsOptional()
@IsString()
@MaxLength(255)
preferredProvider?: string | null;
@IsOptional()
@IsArray()
@IsString({ each: true })
toolSets?: string[] | null;
}

170
apps/gateway/src/agent/agent-configs.controller.ts
View File

@@ -1,170 +0,0 @@
import {
Body,
Controller,
Delete,
ForbiddenException,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Param,
Patch,
Post,
UseGuards,
} from '@nestjs/common';
import type { Brain } from '@mosaicstack/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { CreateAgentConfigDto, UpdateAgentConfigDto } from './agent-config.dto.js';
// ─── M4-011 helpers ──────────────────────────────────────────────────────────
type CapabilityFields = {
domains?: string[] | null;
preferredModel?: string | null;
preferredProvider?: string | null;
toolSets?: string[] | null;
};
/** Extract capability shorthand fields from the DTO (undefined if none provided). */
function buildCapabilities(dto: CapabilityFields): Record<string, unknown> | undefined {
const hasAny =
dto.domains !== undefined ||
dto.preferredModel !== undefined ||
dto.preferredProvider !== undefined ||
dto.toolSets !== undefined;
if (!hasAny) return undefined;
const cap: Record<string, unknown> = {};
if (dto.domains !== undefined) cap['domains'] = dto.domains;
if (dto.preferredModel !== undefined) cap['preferredModel'] = dto.preferredModel;
if (dto.preferredProvider !== undefined) cap['preferredProvider'] = dto.preferredProvider;
if (dto.toolSets !== undefined) cap['toolSets'] = dto.toolSets;
return cap;
}
/** Merge capabilities into the config object, preserving other config keys. */
function mergeCapabilities(
existing: Record<string, unknown> | null | undefined,
capabilities: Record<string, unknown> | undefined,
): Record<string, unknown> | undefined {
if (capabilities === undefined && existing === undefined) return undefined;
if (capabilities === undefined) return existing ?? undefined;
const base = existing ?? {};
const existingCap =
typeof base['capabilities'] === 'object' && base['capabilities'] !== null
? (base['capabilities'] as Record<string, unknown>)
: {};
return {
...base,
capabilities: { ...existingCap, ...capabilities },
};
}
@Controller('api/agents')
@UseGuards(AuthGuard)
export class AgentConfigsController {
constructor(@Inject(BRAIN) private readonly brain: Brain) {}
@Get()
async list(@CurrentUser() user: { id: string; role?: string }) {
return this.brain.agents.findAccessible(user.id);
}
@Get(':id')
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const agent = await this.brain.agents.findById(id);
if (!agent) throw new NotFoundException('Agent not found');
if (!agent.isSystem && agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
return agent;
}
@Post()
async create(@Body() dto: CreateAgentConfigDto, @CurrentUser() user: { id: string }) {
// Merge capability shorthand fields into config.capabilities (M4-011)
const capabilities = buildCapabilities(dto);
const config = mergeCapabilities(dto.config, capabilities);
return this.brain.agents.create({
name: dto.name,
provider: dto.provider,
model: dto.model,
status: dto.status,
projectId: dto.projectId,
systemPrompt: dto.systemPrompt,
allowedTools: dto.allowedTools,
skills: dto.skills,
isSystem: false,
config,
ownerId: user.id,
});
}
@Patch(':id')
async update(
@Param('id') id: string,
@Body() dto: UpdateAgentConfigDto,
@CurrentUser() user: { id: string; role?: string },
) {
const agent = await this.brain.agents.findById(id);
if (!agent) throw new NotFoundException('Agent not found');
if (agent.isSystem && user.role !== 'admin') {
throw new ForbiddenException('Only admins can update system agents');
}
if (!agent.isSystem && agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
// Merge capability shorthand fields into config.capabilities (M4-011)
const capabilities = buildCapabilities(dto);
const baseConfig =
dto.config !== undefined
? dto.config
: (agent.config as Record<string, unknown> | null | undefined);
const config = mergeCapabilities(baseConfig ?? undefined, capabilities);
// Pass ownerId for user agents so the repo WHERE clause enforces ownership.
// For system agents (admin path) pass undefined so the WHERE matches only on id.
const ownerId = agent.isSystem ? undefined : user.id;
const updated = await this.brain.agents.update(
id,
{
name: dto.name,
provider: dto.provider,
model: dto.model,
status: dto.status,
projectId: dto.projectId,
systemPrompt: dto.systemPrompt,
allowedTools: dto.allowedTools,
skills: dto.skills,
config: capabilities !== undefined || dto.config !== undefined ? config : undefined,
},
ownerId,
);
if (!updated) throw new NotFoundException('Agent not found');
return updated;
}
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string; role?: string }) {
const agent = await this.brain.agents.findById(id);
if (!agent) throw new NotFoundException('Agent not found');
if (agent.isSystem) {
throw new ForbiddenException('Cannot delete system agents');
}
if (agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
// Pass ownerId so the repo WHERE clause enforces ownership at the DB level.
const deleted = await this.brain.agents.remove(id, user.id);
if (!deleted) throw new NotFoundException('Agent not found');
}
}

27
apps/gateway/src/agent/agent.module.ts
View File

@@ -1,38 +1,19 @@
import { Global, Module } from '@nestjs/common'; import { Global, Module } from '@nestjs/common';
import { AgentService } from './agent.service.js'; import { AgentService } from './agent.service.js';
import { ProviderService } from './provider.service.js'; import { ProviderService } from './provider.service.js';
import { ProviderCredentialsService } from './provider-credentials.service.js';
import { RoutingService } from './routing.service.js'; import { RoutingService } from './routing.service.js';
import { RoutingEngineService } from './routing/routing-engine.service.js';
import { SkillLoaderService } from './skill-loader.service.js'; import { SkillLoaderService } from './skill-loader.service.js';
import { ProvidersController } from './providers.controller.js'; import { ProvidersController } from './providers.controller.js';
import { SessionsController } from './sessions.controller.js'; import { SessionsController } from './sessions.controller.js';
import { AgentConfigsController } from './agent-configs.controller.js';
import { RoutingController } from './routing/routing.controller.js';
import { CoordModule } from '../coord/coord.module.js'; import { CoordModule } from '../coord/coord.module.js';
import { McpClientModule } from '../mcp-client/mcp-client.module.js'; import { McpClientModule } from '../mcp-client/mcp-client.module.js';
import { SkillsModule } from '../skills/skills.module.js'; import { SkillsModule } from '../skills/skills.module.js';
import { GCModule } from '../gc/gc.module.js';
@Global() @Global()
@Module({ @Module({
imports: [CoordModule, McpClientModule, SkillsModule, GCModule], imports: [CoordModule, McpClientModule, SkillsModule],
providers: [ providers: [ProviderService, RoutingService, SkillLoaderService, AgentService],
ProviderService, controllers: [ProvidersController, SessionsController],
ProviderCredentialsService, exports: [AgentService, ProviderService, RoutingService, SkillLoaderService],
RoutingService,
RoutingEngineService,
SkillLoaderService,
AgentService,
],
controllers: [ProvidersController, SessionsController, AgentConfigsController, RoutingController],
exports: [
AgentService,
ProviderService,
ProviderCredentialsService,
RoutingService,
RoutingEngineService,
SkillLoaderService,
],
}) })
export class AgentModule {} export class AgentModule {}

318
apps/gateway/src/agent/agent.service.ts
View File

@@ -1,4 +1,4 @@
import { Inject, Injectable, Logger, Optional, type OnModuleDestroy } from '@nestjs/common'; import { Inject, Injectable, Logger, type OnModuleDestroy } from '@nestjs/common';
import { import {
createAgentSession, createAgentSession,
DefaultResourceLoader, DefaultResourceLoader,
@@ -7,8 +7,8 @@ import {
type AgentSessionEvent, type AgentSessionEvent,
type ToolDefinition, type ToolDefinition,
} from '@mariozechner/pi-coding-agent'; } from '@mariozechner/pi-coding-agent';
import type { Brain } from '@mosaicstack/brain'; import type { Brain } from '@mosaic/brain';
import type { Memory } from '@mosaicstack/memory'; import type { Memory } from '@mosaic/memory';
import { BRAIN } from '../brain/brain.tokens.js'; import { BRAIN } from '../brain/brain.tokens.js';
import { MEMORY } from '../memory/memory.tokens.js'; import { MEMORY } from '../memory/memory.tokens.js';
import { EmbeddingService } from '../memory/embedding.service.js'; import { EmbeddingService } from '../memory/embedding.service.js';
@@ -23,18 +23,7 @@ import { createFileTools } from './tools/file-tools.js';
import { createGitTools } from './tools/git-tools.js'; import { createGitTools } from './tools/git-tools.js';
import { createShellTools } from './tools/shell-tools.js'; import { createShellTools } from './tools/shell-tools.js';
import { createWebTools } from './tools/web-tools.js'; import { createWebTools } from './tools/web-tools.js';
import { createSearchTools } from './tools/search-tools.js'; import type { SessionInfoDto } from './session.dto.js';
import type { SessionInfoDto, SessionMetrics } from './session.dto.js';
import { SystemOverrideService } from '../preferences/system-override.service.js';
import { PreferencesService } from '../preferences/preferences.service.js';
import { SessionGCService } from '../gc/session-gc.service.js';
/** A single message from DB conversation history, used for context injection. */
export interface ConversationHistoryMessage {
role: 'user' | 'assistant' | 'system';
content: string;
createdAt: Date;
}
export interface AgentSessionOptions { export interface AgentSessionOptions {
provider?: string; provider?: string;
@@ -60,20 +49,6 @@ export interface AgentSessionOptions {
allowedTools?: string[]; allowedTools?: string[];
/** Whether the requesting user has admin privileges. Controls default tool access. */ /** Whether the requesting user has admin privileges. Controls default tool access. */
isAdmin?: boolean; isAdmin?: boolean;
/**
* DB agent config ID. When provided, loads agent config from DB and merges
* provider, model, systemPrompt, and allowedTools. Explicit call-site options
* take precedence over config values.
*/
agentConfigId?: string;
/** ID of the user who owns this session. Used for preferences and system override lookups. */
userId?: string;
/**
* Prior conversation messages to inject as context when resuming a session.
* These messages are formatted and prepended to the system prompt so the
* agent is aware of what was discussed in previous sessions.
*/
conversationHistory?: ConversationHistoryMessage[];
} }
export interface AgentSession { export interface AgentSession {
@@ -92,14 +67,6 @@ export interface AgentSession {
sandboxDir: string; sandboxDir: string;
/** Tool names available in this session, or null when all tools are available. */ /** Tool names available in this session, or null when all tools are available. */
allowedTools: string[] | null; allowedTools: string[] | null;
/** User ID that owns this session, used for preference lookups. */
userId?: string;
/** Agent config ID applied to this session, if any (M5-001). */
agentConfigId?: string;
/** Human-readable agent name applied to this session, if any (M5-001). */
agentName?: string;
/** M5-007: per-session metrics. */
metrics: SessionMetrics;
} }
@Injectable() @Injectable()
@@ -116,38 +83,25 @@ export class AgentService implements OnModuleDestroy {
@Inject(CoordService) private readonly coordService: CoordService, @Inject(CoordService) private readonly coordService: CoordService,
@Inject(McpClientService) private readonly mcpClientService: McpClientService, @Inject(McpClientService) private readonly mcpClientService: McpClientService,
@Inject(SkillLoaderService) private readonly skillLoaderService: SkillLoaderService, @Inject(SkillLoaderService) private readonly skillLoaderService: SkillLoaderService,
@Optional()
@Inject(SystemOverrideService)
private readonly systemOverride: SystemOverrideService | null,
@Optional()
@Inject(PreferencesService)
private readonly preferencesService: PreferencesService | null,
@Inject(SessionGCService) private readonly gc: SessionGCService,
) {} ) {}
/** /**
* Build the full set of custom tools scoped to the given sandbox directory and session user. * Build the full set of custom tools scoped to the given sandbox directory.
* Brain/coord/memory/web tools are stateless with respect to cwd; file/git/shell * Brain/coord/memory/web tools are stateless with respect to cwd; file/git/shell
* tools receive the resolved sandboxDir so they operate within the sandbox. * tools receive the resolved sandboxDir so they operate within the sandbox.
* Memory tools are bound to sessionUserId so the LLM cannot access another user's data.
*/ */
private buildToolsForSandbox( private buildToolsForSandbox(sandboxDir: string): ToolDefinition[] {
sandboxDir: string,
sessionUserId: string | undefined,
): ToolDefinition[] {
return [ return [
...createBrainTools(this.brain), ...createBrainTools(this.brain),
...createCoordTools(this.coordService), ...createCoordTools(this.coordService),
...createMemoryTools( ...createMemoryTools(
this.memory, this.memory,
this.embeddingService.available ? this.embeddingService : null, this.embeddingService.available ? this.embeddingService : null,
sessionUserId,
), ),
...createFileTools(sandboxDir), ...createFileTools(sandboxDir),
...createGitTools(sandboxDir), ...createGitTools(sandboxDir),
...createShellTools(sandboxDir), ...createShellTools(sandboxDir),
...createWebTools(), ...createWebTools(),
...createSearchTools(),
]; ];
} }
@@ -192,43 +146,16 @@ export class AgentService implements OnModuleDestroy {
sessionId: string, sessionId: string,
options?: AgentSessionOptions, options?: AgentSessionOptions,
): Promise<AgentSession> { ): Promise<AgentSession> {
// Merge DB agent config when agentConfigId is provided (M5-001) const model = this.resolveModel(options);
let mergedOptions = options;
let resolvedAgentName: string | undefined;
if (options?.agentConfigId) {
const agentConfig = await this.brain.agents.findById(options.agentConfigId);
if (agentConfig) {
resolvedAgentName = agentConfig.name;
mergedOptions = {
provider: options.provider ?? agentConfig.provider,
modelId: options.modelId ?? agentConfig.model,
systemPrompt: options.systemPrompt ?? agentConfig.systemPrompt ?? undefined,
allowedTools: options.allowedTools ?? agentConfig.allowedTools ?? undefined,
sandboxDir: options.sandboxDir,
isAdmin: options.isAdmin,
agentConfigId: options.agentConfigId,
userId: options.userId,
conversationHistory: options.conversationHistory,
};
this.logger.log(
`Merged agent config "${agentConfig.name}" (${agentConfig.id}) into session ${sessionId}`,
);
}
}
const model = this.resolveModel(mergedOptions);
const providerName = model?.provider ?? 'default'; const providerName = model?.provider ?? 'default';
const modelId = model?.id ?? 'default'; const modelId = model?.id ?? 'default';
// Resolve sandbox directory: option > env var > process.cwd() // Resolve sandbox directory: option > env var > process.cwd()
const sandboxDir = const sandboxDir =
mergedOptions?.sandboxDir ?? process.env['AGENT_FILE_SANDBOX_DIR'] ?? process.cwd(); options?.sandboxDir ?? process.env['AGENT_FILE_SANDBOX_DIR'] ?? process.cwd();
// Resolve allowed tool set // Resolve allowed tool set
const allowedTools = this.resolveAllowedTools( const allowedTools = this.resolveAllowedTools(options?.isAdmin ?? false, options?.allowedTools);
mergedOptions?.isAdmin ?? false,
mergedOptions?.allowedTools,
);
this.logger.log( this.logger.log(
`Creating agent session: ${sessionId} (provider=${providerName}, model=${modelId}, sandbox=${sandboxDir}, tools=${allowedTools === null ? 'all' : allowedTools.join(',') || 'none'})`, `Creating agent session: ${sessionId} (provider=${providerName}, model=${modelId}, sandbox=${sandboxDir}, tools=${allowedTools === null ? 'all' : allowedTools.join(',') || 'none'})`,
@@ -246,8 +173,8 @@ export class AgentService implements OnModuleDestroy {
); );
} }
// Build per-session tools scoped to the sandbox directory and authenticated user // Build per-session tools scoped to the sandbox directory
const sandboxTools = this.buildToolsForSandbox(sandboxDir, mergedOptions?.userId); const sandboxTools = this.buildToolsForSandbox(sandboxDir);
// Combine static tools with dynamically discovered MCP client tools and skill tools // Combine static tools with dynamically discovered MCP client tools and skill tools
const mcpTools = this.mcpClientService.getToolDefinitions(); const mcpTools = this.mcpClientService.getToolDefinitions();
@@ -267,22 +194,9 @@ export class AgentService implements OnModuleDestroy {
} }
// Build system prompt: platform prompt + skill additions appended // Build system prompt: platform prompt + skill additions appended
const platformPrompt = const platformPrompt = options?.systemPrompt ?? process.env['AGENT_SYSTEM_PROMPT'] ?? undefined;
mergedOptions?.systemPrompt ?? process.env['AGENT_SYSTEM_PROMPT'] ?? undefined; const appendSystemPrompt =
promptAdditions.length > 0 ? promptAdditions.join('\n\n') : undefined;
// Format conversation history for context injection (M1-004 / M1-005)
const historyPromptSection = mergedOptions?.conversationHistory?.length
? this.buildHistoryPromptSection(
mergedOptions.conversationHistory,
model?.contextWindow ?? 8192,
sessionId,
)
: undefined;
const appendParts: string[] = [];
if (promptAdditions.length > 0) appendParts.push(promptAdditions.join('\n\n'));
if (historyPromptSection) appendParts.push(historyPromptSection);
const appendSystemPrompt = appendParts.length > 0 ? appendParts.join('\n\n') : undefined;
// Construct a resource loader that injects the configured system prompt // Construct a resource loader that injects the configured system prompt
const resourceLoader = new DefaultResourceLoader({ const resourceLoader = new DefaultResourceLoader({
@@ -341,114 +255,14 @@ export class AgentService implements OnModuleDestroy {
skillPromptAdditions: promptAdditions, skillPromptAdditions: promptAdditions,
sandboxDir, sandboxDir,
allowedTools, allowedTools,
userId: mergedOptions?.userId,
agentConfigId: mergedOptions?.agentConfigId,
agentName: resolvedAgentName,
metrics: {
tokens: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
modelSwitches: 0,
messageCount: 0,
lastActivityAt: new Date().toISOString(),
},
}; };
this.sessions.set(sessionId, session); this.sessions.set(sessionId, session);
this.logger.log(`Agent session ${sessionId} ready (${providerName}/${modelId})`); this.logger.log(`Agent session ${sessionId} ready (${providerName}/${modelId})`);
if (resolvedAgentName) {
this.logger.log(
`Agent session ${sessionId} using agent config "${resolvedAgentName}" (M5-001)`,
);
}
return session; return session;
} }
/**
* Estimate token count for a string using a rough 4-chars-per-token heuristic.
*/
private estimateTokens(text: string): number {
return Math.ceil(text.length / 4);
}
/**
* Build a conversation history section for injection into the system prompt.
* Implements M1-004 (history loading) and M1-005 (context window management).
*
* - Formats messages as a readable conversation transcript.
* - If the full history exceeds 80% of the model's context window, older messages
* are summarized and only the most recent messages are kept verbatim.
* - Summarization is a simple extractive approach (no LLM required).
*/
private buildHistoryPromptSection(
history: ConversationHistoryMessage[],
contextWindow: number,
sessionId: string,
): string {
const TOKEN_BUDGET = Math.floor(contextWindow * 0.8);
const HISTORY_HEADER = '## Conversation History (resumed session)\n\n';
const formatMessage = (msg: ConversationHistoryMessage): string => {
const roleLabel =
msg.role === 'user' ? 'User' : msg.role === 'assistant' ? 'Assistant' : 'System';
return `**${roleLabel}:** ${msg.content}`;
};
const formatted = history.map((msg) => formatMessage(msg));
const fullHistory = formatted.join('\n\n');
const fullTokens = this.estimateTokens(HISTORY_HEADER + fullHistory);
if (fullTokens <= TOKEN_BUDGET) {
this.logger.debug(
`Session ${sessionId}: injecting full history (${history.length} msgs, ~${fullTokens} tokens)`,
);
return HISTORY_HEADER + fullHistory;
}
// History exceeds budget — summarize oldest messages, keep recent verbatim
this.logger.log(
`Session ${sessionId}: history (~${fullTokens} tokens) exceeds ${TOKEN_BUDGET} token budget; summarizing oldest messages`,
);
// Reserve 20% of the budget for the summary prefix, rest for verbatim messages
const SUMMARY_RESERVE = Math.floor(TOKEN_BUDGET * 0.2);
const verbatimBudget = TOKEN_BUDGET - SUMMARY_RESERVE;
let verbatimTokens = 0;
let verbatimCutIndex = history.length;
for (let i = history.length - 1; i >= 0; i--) {
const t = this.estimateTokens(formatted[i]!);
if (verbatimTokens + t > verbatimBudget) break;
verbatimTokens += t;
verbatimCutIndex = i;
}
const summarizedMessages = history.slice(0, verbatimCutIndex);
const verbatimMessages = history.slice(verbatimCutIndex);
let summaryText = '';
if (summarizedMessages.length > 0) {
const topics = summarizedMessages
.filter((m) => m.role === 'user')
.map((m) => m.content.slice(0, 120).replace(/\n/g, ' '))
.join('; ');
summaryText =
`**Previous conversation summary** (${summarizedMessages.length} messages omitted for brevity):\n` +
`Topics discussed: ${topics || '(no user messages in summarized portion)'}`;
}
const verbatimSection = verbatimMessages.map((m) => formatMessage(m)).join('\n\n');
const parts: string[] = [HISTORY_HEADER];
if (summaryText) parts.push(summaryText);
if (verbatimSection) parts.push(verbatimSection);
const result = parts.join('\n\n');
this.logger.log(
`Session ${sessionId}: summarized ${summarizedMessages.length} messages, kept ${verbatimMessages.length} verbatim (~${this.estimateTokens(result)} tokens)`,
);
return result;
}
private resolveModel(options?: AgentSessionOptions) { private resolveModel(options?: AgentSessionOptions) {
if (!options?.provider && !options?.modelId) { if (!options?.provider && !options?.modelId) {
return this.providerService.getDefaultModel() ?? null; return this.providerService.getDefaultModel() ?? null;
@@ -483,12 +297,10 @@ export class AgentService implements OnModuleDestroy {
id: s.id, id: s.id,
provider: s.provider, provider: s.provider,
modelId: s.modelId, modelId: s.modelId,
...(s.agentName ? { agentName: s.agentName } : {}),
createdAt: new Date(s.createdAt).toISOString(), createdAt: new Date(s.createdAt).toISOString(),
promptCount: s.promptCount, promptCount: s.promptCount,
channels: Array.from(s.channels), channels: Array.from(s.channels),
durationMs: now - s.createdAt, durationMs: now - s.createdAt,
metrics: { ...s.metrics },
})); }));
} }
@@ -499,93 +311,13 @@ export class AgentService implements OnModuleDestroy {
id: s.id, id: s.id,
provider: s.provider, provider: s.provider,
modelId: s.modelId, modelId: s.modelId,
...(s.agentName ? { agentName: s.agentName } : {}),
createdAt: new Date(s.createdAt).toISOString(), createdAt: new Date(s.createdAt).toISOString(),
promptCount: s.promptCount, promptCount: s.promptCount,
channels: Array.from(s.channels), channels: Array.from(s.channels),
durationMs: Date.now() - s.createdAt, durationMs: Date.now() - s.createdAt,
metrics: { ...s.metrics },
}; };
} }
/**
* Record token usage for a session turn (M5-007).
* Accumulates tokens across the session lifetime.
*/
recordTokenUsage(
sessionId: string,
tokens: { input: number; output: number; cacheRead: number; cacheWrite: number; total: number },
): void {
const session = this.sessions.get(sessionId);
if (!session) return;
session.metrics.tokens.input += tokens.input;
session.metrics.tokens.output += tokens.output;
session.metrics.tokens.cacheRead += tokens.cacheRead;
session.metrics.tokens.cacheWrite += tokens.cacheWrite;
session.metrics.tokens.total += tokens.total;
session.metrics.lastActivityAt = new Date().toISOString();
}
/**
* Record a model switch event for a session (M5-007).
*/
recordModelSwitch(sessionId: string): void {
const session = this.sessions.get(sessionId);
if (!session) return;
session.metrics.modelSwitches += 1;
session.metrics.lastActivityAt = new Date().toISOString();
}
/**
* Increment message count for a session (M5-007).
*/
recordMessage(sessionId: string): void {
const session = this.sessions.get(sessionId);
if (!session) return;
session.metrics.messageCount += 1;
session.metrics.lastActivityAt = new Date().toISOString();
}
/**
* Update the model tracked on a live session (M5-002).
* This records the model change in the session metadata so subsequent
* session:info emissions reflect the new model. The Pi session itself is
* not reconstructed — the model is used on the next createSession call for
* the same conversationId when the session is torn down or a new one is created.
*/
updateSessionModel(sessionId: string, modelId: string): void {
const session = this.sessions.get(sessionId);
if (!session) return;
const prev = session.modelId;
session.modelId = modelId;
this.recordModelSwitch(sessionId);
this.logger.log(`Session ${sessionId}: model updated ${prev}${modelId} (M5-002)`);
}
/**
* Apply a new agent config to a live session mid-conversation (M5-003).
* Updates agentName, agentConfigId, and modelId on the session object.
* System prompt and tools take effect when the next session is created for
* this conversationId (they are baked in at session creation time).
*/
applyAgentConfig(
sessionId: string,
agentConfigId: string,
agentName: string,
modelId?: string,
): void {
const session = this.sessions.get(sessionId);
if (!session) return;
session.agentConfigId = agentConfigId;
session.agentName = agentName;
if (modelId) {
this.updateSessionModel(sessionId, modelId);
}
this.logger.log(
`Session ${sessionId}: agent switched to "${agentName}" (${agentConfigId}) (M5-003)`,
);
}
addChannel(sessionId: string, channel: string): void { addChannel(sessionId: string, channel: string): void {
const session = this.sessions.get(sessionId); const session = this.sessions.get(sessionId);
if (session) { if (session) {
@@ -606,20 +338,8 @@ export class AgentService implements OnModuleDestroy {
throw new Error(`No agent session found: ${sessionId}`); throw new Error(`No agent session found: ${sessionId}`);
} }
session.promptCount += 1; session.promptCount += 1;
// Prepend session-scoped system override if present (renew TTL on each turn)
let effectiveMessage = message;
if (this.systemOverride) {
const override = await this.systemOverride.get(sessionId);
if (override) {
effectiveMessage = `[System Override]\n${override}\n\n${message}`;
await this.systemOverride.renew(sessionId);
this.logger.debug(`Applied system override for session ${sessionId}`);
}
}
try { try {
await session.piSession.prompt(effectiveMessage); await session.piSession.prompt(message);
} catch (err) { } catch (err) {
this.logger.error( this.logger.error(
`Prompt failed for session=${sessionId}, messageLength=${message.length}`, `Prompt failed for session=${sessionId}, messageLength=${message.length}`,
@@ -655,14 +375,6 @@ export class AgentService implements OnModuleDestroy {
session.listeners.clear(); session.listeners.clear();
session.channels.clear(); session.channels.clear();
this.sessions.delete(sessionId); this.sessions.delete(sessionId);
// Run GC cleanup for this session (fire and forget, errors are logged)
this.gc.collect(sessionId).catch((err: unknown) => {
this.logger.error(
`GC collect failed for session ${sessionId}`,
err instanceof Error ? err.stack : String(err),
);
});
} }
async onModuleDestroy(): Promise<void> { async onModuleDestroy(): Promise<void> {

204
apps/gateway/src/agent/model-capabilities.ts
View File

@@ -1,204 +0,0 @@
import type { ModelCapability } from '@mosaicstack/types';
/**
* Comprehensive capability matrix for all target models.
* Cost fields are optional and will be filled in when real pricing data is available.
*/
export const MODEL_CAPABILITIES: ModelCapability[] = [
{
id: 'claude-opus-4-6',
provider: 'anthropic',
displayName: 'Claude Opus 4.6',
tier: 'premium',
contextWindow: 200000,
maxOutputTokens: 32000,
capabilities: {
tools: true,
vision: true,
streaming: true,
reasoning: true,
embedding: false,
},
},
{
id: 'claude-sonnet-4-6',
provider: 'anthropic',
displayName: 'Claude Sonnet 4.6',
tier: 'standard',
contextWindow: 200000,
maxOutputTokens: 16000,
capabilities: {
tools: true,
vision: true,
streaming: true,
reasoning: true,
embedding: false,
},
},
{
id: 'claude-haiku-4-5',
provider: 'anthropic',
displayName: 'Claude Haiku 4.5',
tier: 'cheap',
contextWindow: 200000,
maxOutputTokens: 8192,
capabilities: {
tools: true,
vision: true,
streaming: true,
reasoning: false,
embedding: false,
},
},
{
id: 'codex-gpt-5.4',
provider: 'openai',
displayName: 'Codex gpt-5.4',
tier: 'premium',
contextWindow: 128000,
maxOutputTokens: 16384,
capabilities: {
tools: true,
vision: true,
streaming: true,
reasoning: true,
embedding: false,
},
},
{
id: 'glm-5',
provider: 'zai',
displayName: 'GLM-5',
tier: 'standard',
contextWindow: 128000,
maxOutputTokens: 8192,
capabilities: {
tools: true,
vision: false,
streaming: true,
reasoning: false,
embedding: false,
},
},
{
id: 'llama3.2',
provider: 'ollama',
displayName: 'llama3.2',
tier: 'local',
contextWindow: 128000,
maxOutputTokens: 8192,
capabilities: {
tools: true,
vision: false,
streaming: true,
reasoning: false,
embedding: false,
},
},
{
id: 'codellama',
provider: 'ollama',
displayName: 'codellama',
tier: 'local',
contextWindow: 16000,
maxOutputTokens: 4096,
capabilities: {
tools: true,
vision: false,
streaming: true,
reasoning: false,
embedding: false,
},
},
{
id: 'mistral',
provider: 'ollama',
displayName: 'mistral',
tier: 'local',
contextWindow: 32000,
maxOutputTokens: 8192,
capabilities: {
tools: true,
vision: false,
streaming: true,
reasoning: false,
embedding: false,
},
},
{
id: 'nomic-embed-text',
provider: 'ollama',
displayName: 'nomic-embed-text',
tier: 'local',
contextWindow: 8192,
maxOutputTokens: 0,
capabilities: {
tools: false,
vision: false,
streaming: false,
reasoning: false,
embedding: true,
},
},
{
id: 'mxbai-embed-large',
provider: 'ollama',
displayName: 'mxbai-embed-large',
tier: 'local',
contextWindow: 8192,
maxOutputTokens: 0,
capabilities: {
tools: false,
vision: false,
streaming: false,
reasoning: false,
embedding: true,
},
},
];
/**
* Look up a model by its ID.
* Returns undefined if the model is not found.
*/
export function getModelCapability(modelId: string): ModelCapability | undefined {
return MODEL_CAPABILITIES.find((m) => m.id === modelId);
}
/**
* Find models matching a partial capability filter.
* All provided filter keys must match for a model to be included.
*/
export function findModelsByCapability(
filter: Partial<Pick<ModelCapability, 'tier' | 'provider'>> & {
capabilities?: Partial<ModelCapability['capabilities']>;
},
): ModelCapability[] {
return MODEL_CAPABILITIES.filter((model) => {
if (filter.tier !== undefined && model.tier !== filter.tier) return false;
if (filter.provider !== undefined && model.provider !== filter.provider) return false;
if (filter.capabilities) {
for (const [key, value] of Object.entries(filter.capabilities) as [
keyof ModelCapability['capabilities'],
boolean,
][]) {
if (model.capabilities[key] !== value) return false;
}
}
return true;
});
}
/**
* Get all models for a specific provider.
*/
export function getModelsByProvider(provider: string): ModelCapability[] {
return MODEL_CAPABILITIES.filter((m) => m.provider === provider);
}
/**
* Get the full list of all known models.
*/
export function getAllModels(): ModelCapability[] {
return MODEL_CAPABILITIES;
}

23
apps/gateway/src/agent/provider-credentials.dto.ts
View File

@@ -1,23 +0,0 @@
/** DTO for storing a provider credential. */
export interface StoreCredentialDto {
/** Provider identifier (e.g., 'anthropic', 'openai', 'openrouter', 'zai') */
provider: string;
/** Credential type */
type: 'api_key' | 'oauth_token';
/** Plain-text credential value — will be encrypted before storage */
value: string;
/** Optional extra config (e.g., base URL overrides) */
metadata?: Record<string, unknown>;
}
/** DTO returned in list/existence responses — never contains decrypted values. */
export interface ProviderCredentialSummaryDto {
provider: string;
credentialType: 'api_key' | 'oauth_token';
/** Whether a credential is stored for this provider */
exists: boolean;
expiresAt?: string | null;
metadata?: Record<string, unknown> | null;
createdAt: string;
updatedAt: string;
}

123
apps/gateway/src/agent/provider-credentials.service.ts
View File

@@ -1,123 +0,0 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import { seal, unseal } from '@mosaicstack/auth';
import type { Db } from '@mosaicstack/db';
import { providerCredentials, eq, and } from '@mosaicstack/db';
import { DB } from '../database/database.module.js';
import type { ProviderCredentialSummaryDto } from './provider-credentials.dto.js';
@Injectable()
export class ProviderCredentialsService {
private readonly logger = new Logger(ProviderCredentialsService.name);
constructor(@Inject(DB) private readonly db: Db) {}
/**
* Encrypt and store (or update) a credential for the given user + provider.
* Uses an upsert pattern: one row per (userId, provider).
*/
async store(
userId: string,
provider: string,
type: 'api_key' | 'oauth_token',
value: string,
metadata?: Record<string, unknown>,
): Promise<void> {
const encryptedValue = seal(value);
await this.db
.insert(providerCredentials)
.values({
userId,
provider,
credentialType: type,
encryptedValue,
metadata: metadata ?? null,
})
.onConflictDoUpdate({
target: [providerCredentials.userId, providerCredentials.provider],
set: {
credentialType: type,
encryptedValue,
metadata: metadata ?? null,
updatedAt: new Date(),
},
});
this.logger.log(`Credential stored for user=${userId} provider=${provider}`);
}
/**
* Decrypt and return the plain-text credential value for the given user + provider.
* Returns null if no credential is stored.
*/
async retrieve(userId: string, provider: string): Promise<string | null> {
const rows = await this.db
.select()
.from(providerCredentials)
.where(
and(eq(providerCredentials.userId, userId), eq(providerCredentials.provider, provider)),
)
.limit(1);
if (rows.length === 0) return null;
const row = rows[0]!;
// Skip expired OAuth tokens
if (row.expiresAt && row.expiresAt < new Date()) {
this.logger.warn(`Credential for user=${userId} provider=${provider} has expired`);
return null;
}
try {
return unseal(row.encryptedValue);
} catch (err) {
this.logger.error(
`Failed to decrypt credential for user=${userId} provider=${provider}`,
err instanceof Error ? err.message : String(err),
);
return null;
}
}
/**
* Delete the stored credential for the given user + provider.
*/
async remove(userId: string, provider: string): Promise<void> {
await this.db
.delete(providerCredentials)
.where(
and(eq(providerCredentials.userId, userId), eq(providerCredentials.provider, provider)),
);
this.logger.log(`Credential removed for user=${userId} provider=${provider}`);
}
/**
* List all providers for which the user has stored credentials.
* Never returns decrypted values.
*/
async listProviders(userId: string): Promise<ProviderCredentialSummaryDto[]> {
const rows = await this.db
.select({
provider: providerCredentials.provider,
credentialType: providerCredentials.credentialType,
expiresAt: providerCredentials.expiresAt,
metadata: providerCredentials.metadata,
createdAt: providerCredentials.createdAt,
updatedAt: providerCredentials.updatedAt,
})
.from(providerCredentials)
.where(eq(providerCredentials.userId, userId));
return rows.map((row) => ({
provider: row.provider,
credentialType: row.credentialType,
exists: true,
expiresAt: row.expiresAt?.toISOString() ?? null,
metadata: row.metadata as Record<string, unknown> | null,
createdAt: row.createdAt.toISOString(),
updatedAt: row.updatedAt.toISOString(),
}));
}
}

303
apps/gateway/src/agent/provider.service.ts
View File

@@ -1,234 +1,25 @@
import { import { Injectable, Logger, type OnModuleInit } from '@nestjs/common';
Inject,
Injectable,
Logger,
Optional,
type OnModuleDestroy,
type OnModuleInit,
} from '@nestjs/common';
import { ModelRegistry, AuthStorage } from '@mariozechner/pi-coding-agent'; import { ModelRegistry, AuthStorage } from '@mariozechner/pi-coding-agent';
import { getModel, type Model, type Api } from '@mariozechner/pi-ai'; import type { Model, Api } from '@mariozechner/pi-ai';
import type { import type { ModelInfo, ProviderInfo, CustomProviderConfig } from '@mosaic/types';
CustomProviderConfig,
IProviderAdapter,
ModelInfo,
ProviderHealth,
ProviderInfo,
} from '@mosaicstack/types';
import {
AnthropicAdapter,
OllamaAdapter,
OpenAIAdapter,
OpenRouterAdapter,
ZaiAdapter,
} from './adapters/index.js';
import type { TestConnectionResultDto } from './provider.dto.js'; import type { TestConnectionResultDto } from './provider.dto.js';
import { ProviderCredentialsService } from './provider-credentials.service.js';
/** Default health check interval in seconds */
const DEFAULT_HEALTH_INTERVAL_SECS = 60;
/** DI injection token for the provider adapter array. */
export const PROVIDER_ADAPTERS = Symbol('PROVIDER_ADAPTERS');
/** Environment variable names for well-known providers */
const PROVIDER_ENV_KEYS: Record<string, string> = {
anthropic: 'ANTHROPIC_API_KEY',
openai: 'OPENAI_API_KEY',
openrouter: 'OPENROUTER_API_KEY',
zai: 'ZAI_API_KEY',
};
@Injectable() @Injectable()
export class ProviderService implements OnModuleInit, OnModuleDestroy { export class ProviderService implements OnModuleInit {
private readonly logger = new Logger(ProviderService.name); private readonly logger = new Logger(ProviderService.name);
private registry!: ModelRegistry; private registry!: ModelRegistry;
constructor( onModuleInit(): void {
@Optional()
@Inject(ProviderCredentialsService)
private readonly credentialsService: ProviderCredentialsService | null,
) {}
/**
* Adapters registered with this service.
* Built-in adapters (Ollama) are always present; additional adapters can be
* supplied via the PROVIDER_ADAPTERS injection token in the future.
*/
private adapters: IProviderAdapter[] = [];
/**
* Cached health status per provider, updated by the health check scheduler.
*/
private healthCache: Map<string, ProviderHealth & { modelCount: number }> = new Map();
/** Timer handle for the periodic health check scheduler */
private healthCheckTimer: ReturnType<typeof setInterval> | null = null;
async onModuleInit(): Promise<void> {
const authStorage = AuthStorage.inMemory(); const authStorage = AuthStorage.inMemory();
this.registry = ModelRegistry.inMemory(authStorage); this.registry = new ModelRegistry(authStorage);
// Build the default set of adapters that rely on the registry this.registerOllamaProvider();
this.adapters = [
new OllamaAdapter(this.registry),
new AnthropicAdapter(this.registry),
new OpenAIAdapter(this.registry),
new OpenRouterAdapter(),
new ZaiAdapter(),
];
// Run all adapter registrations first (Ollama, Anthropic, OpenAI, OpenRouter, Z.ai)
await this.registerAll();
// Register API-key providers directly (custom)
this.registerCustomProviders(); this.registerCustomProviders();
const available = this.registry.getAvailable(); const available = this.registry.getAvailable();
this.logger.log(`Providers initialized: ${available.length} models available`); this.logger.log(`Providers initialized: ${available.length} models available`);
// Kick off the health check scheduler
this.startHealthCheckScheduler();
} }
onModuleDestroy(): void {
if (this.healthCheckTimer !== null) {
clearInterval(this.healthCheckTimer);
this.healthCheckTimer = null;
}
}
// ---------------------------------------------------------------------------
// Health check scheduler
// ---------------------------------------------------------------------------
/**
* Start periodic health checks on all adapters.
* Interval is configurable via PROVIDER_HEALTH_INTERVAL env (seconds, default 60).
*/
private startHealthCheckScheduler(): void {
const intervalSecs =
parseInt(process.env['PROVIDER_HEALTH_INTERVAL'] ?? '', 10) || DEFAULT_HEALTH_INTERVAL_SECS;
const intervalMs = intervalSecs * 1000;
// Run an initial check immediately (non-blocking)
void this.runScheduledHealthChecks();
this.healthCheckTimer = setInterval(() => {
void this.runScheduledHealthChecks();
}, intervalMs);
this.logger.log(`Provider health check scheduler started (interval: ${intervalSecs}s)`);
}
private async runScheduledHealthChecks(): Promise<void> {
for (const adapter of this.adapters) {
try {
const health = await adapter.healthCheck();
const modelCount = adapter.listModels().length;
this.healthCache.set(adapter.name, { ...health, modelCount });
this.logger.debug(
`Health check [${adapter.name}]: ${health.status} (${health.latencyMs ?? 'n/a'}ms)`,
);
} catch (err) {
const modelCount = adapter.listModels().length;
this.healthCache.set(adapter.name, {
status: 'down',
lastChecked: new Date().toISOString(),
error: err instanceof Error ? err.message : String(err),
modelCount,
});
}
}
}
/**
* Return the cached health status for all adapters.
* Format: array of { name, status, latencyMs, lastChecked, modelCount }
*/
getProvidersHealth(): Array<{
name: string;
status: string;
latencyMs?: number;
lastChecked: string;
modelCount: number;
error?: string;
}> {
return this.adapters.map((adapter) => {
const cached = this.healthCache.get(adapter.name);
if (cached) {
return {
name: adapter.name,
status: cached.status,
latencyMs: cached.latencyMs,
lastChecked: cached.lastChecked,
modelCount: cached.modelCount,
error: cached.error,
};
}
// Not yet checked — return a pending placeholder
return {
name: adapter.name,
status: 'unknown',
lastChecked: new Date().toISOString(),
modelCount: adapter.listModels().length,
};
});
}
// ---------------------------------------------------------------------------
// Adapter-pattern API
// ---------------------------------------------------------------------------
/**
* Call register() on each adapter in order.
* Errors from individual adapters are logged and do not abort the others.
*/
async registerAll(): Promise<void> {
for (const adapter of this.adapters) {
try {
await adapter.register();
} catch (err) {
this.logger.error(
`Adapter "${adapter.name}" registration failed`,
err instanceof Error ? err.stack : String(err),
);
}
}
}
/**
* Return the adapter registered under the given provider name, or undefined.
*/
getAdapter(providerName: string): IProviderAdapter | undefined {
return this.adapters.find((a) => a.name === providerName);
}
/**
* Run healthCheck() on all adapters and return results keyed by provider name.
*/
async healthCheckAll(): Promise<Record<string, ProviderHealth>> {
const results: Record<string, ProviderHealth> = {};
await Promise.all(
this.adapters.map(async (adapter) => {
try {
results[adapter.name] = await adapter.healthCheck();
} catch (err) {
results[adapter.name] = {
status: 'down',
lastChecked: new Date().toISOString(),
error: err instanceof Error ? err.message : String(err),
};
}
}),
);
return results;
}
// ---------------------------------------------------------------------------
// Legacy / Pi-SDK-facing API (preserved for AgentService and RoutingService)
// ---------------------------------------------------------------------------
getRegistry(): ModelRegistry { getRegistry(): ModelRegistry {
return this.registry; return this.registry;
} }
@@ -275,18 +66,6 @@ export class ProviderService implements OnModuleInit, OnModuleDestroy {
} }
async testConnection(providerId: string, baseUrl?: string): Promise<TestConnectionResultDto> { async testConnection(providerId: string, baseUrl?: string): Promise<TestConnectionResultDto> {
// Delegate to the adapter when one exists and no URL override is given
const adapter = this.getAdapter(providerId);
if (adapter && !baseUrl) {
const health = await adapter.healthCheck();
return {
providerId,
reachable: health.status !== 'down',
latencyMs: health.latencyMs,
error: health.error,
};
}
// Resolve baseUrl: explicit override > registered provider > ollama env // Resolve baseUrl: explicit override > registered provider > ollama env
let resolvedUrl = baseUrl; let resolvedUrl = baseUrl;
@@ -361,9 +140,35 @@ export class ProviderService implements OnModuleInit, OnModuleDestroy {
this.logger.log(`Registered custom provider: ${config.id} (${config.models.length} models)`); this.logger.log(`Registered custom provider: ${config.id} (${config.models.length} models)`);
} }
// --------------------------------------------------------------------------- private registerOllamaProvider(): void {
// Private helpers const ollamaUrl = process.env['OLLAMA_BASE_URL'] ?? process.env['OLLAMA_HOST'];
// --------------------------------------------------------------------------- if (!ollamaUrl) return;
const modelsEnv = process.env['OLLAMA_MODELS'] ?? 'llama3.2,codellama,mistral';
const modelIds = modelsEnv
.split(',')
.map((modelId: string) => modelId.trim())
.filter(Boolean);
this.registry.registerProvider('ollama', {
baseUrl: `${ollamaUrl}/v1`,
apiKey: 'ollama',
api: 'openai-completions' as never,
models: modelIds.map((id) => ({
id,
name: id,
reasoning: false,
input: ['text'] as ('text' | 'image')[],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
contextWindow: 8192,
maxTokens: 4096,
})),
});
this.logger.log(
`Ollama provider registered at ${ollamaUrl} with models: ${modelIds.join(', ')}`,
);
}
private registerCustomProviders(): void { private registerCustomProviders(): void {
const customJson = process.env['MOSAIC_CUSTOM_PROVIDERS']; const customJson = process.env['MOSAIC_CUSTOM_PROVIDERS'];
@@ -379,42 +184,6 @@ export class ProviderService implements OnModuleInit, OnModuleDestroy {
} }
} }
/**
* Resolve an API key for a provider, scoped to a specific user.
* User-stored credentials take precedence over environment variables.
* Returns null if no key is available from either source.
*/
async resolveApiKey(userId: string, provider: string): Promise<string | null> {
if (this.credentialsService) {
const userKey = await this.credentialsService.retrieve(userId, provider);
if (userKey) {
this.logger.debug(`Using user-scoped credential for user=${userId} provider=${provider}`);
return userKey;
}
}
// Fall back to environment variable
const envVar = PROVIDER_ENV_KEYS[provider];
const envKey = envVar ? (process.env[envVar] ?? null) : null;
if (envKey) {
this.logger.debug(`Using env-var credential for provider=${provider}`);
}
return envKey;
}
private cloneBuiltInModel(
provider: string,
modelId: string,
overrides: Partial<Model<Api>> = {},
): Model<Api> {
const model = getModel(provider as never, modelId as never) as Model<Api> | undefined;
if (!model) {
throw new Error(`Built-in model not found: ${provider}:${modelId}`);
}
return { ...model, ...overrides };
}
private toModelInfo(model: Model<Api>): ModelInfo { private toModelInfo(model: Model<Api>): ModelInfo {
return { return {
id: model.id, id: model.id,

62
apps/gateway/src/agent/providers.controller.ts
View File

@@ -1,23 +1,15 @@
import { Body, Controller, Delete, Get, Inject, Param, Post, UseGuards } from '@nestjs/common'; import { Body, Controller, Get, Inject, Post, UseGuards } from '@nestjs/common';
import type { RoutingCriteria } from '@mosaicstack/types'; import type { RoutingCriteria } from '@mosaic/types';
import { AuthGuard } from '../auth/auth.guard.js'; import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { ProviderService } from './provider.service.js'; import { ProviderService } from './provider.service.js';
import { ProviderCredentialsService } from './provider-credentials.service.js';
import { RoutingService } from './routing.service.js'; import { RoutingService } from './routing.service.js';
import type { TestConnectionDto, TestConnectionResultDto } from './provider.dto.js'; import type { TestConnectionDto, TestConnectionResultDto } from './provider.dto.js';
import type {
StoreCredentialDto,
ProviderCredentialSummaryDto,
} from './provider-credentials.dto.js';
@Controller('api/providers') @Controller('api/providers')
@UseGuards(AuthGuard) @UseGuards(AuthGuard)
export class ProvidersController { export class ProvidersController {
constructor( constructor(
@Inject(ProviderService) private readonly providerService: ProviderService, @Inject(ProviderService) private readonly providerService: ProviderService,
@Inject(ProviderCredentialsService)
private readonly credentialsService: ProviderCredentialsService,
@Inject(RoutingService) private readonly routingService: RoutingService, @Inject(RoutingService) private readonly routingService: RoutingService,
) {} ) {}
@@ -31,11 +23,6 @@ export class ProvidersController {
return this.providerService.listAvailableModels(); return this.providerService.listAvailableModels();
} }
@Get('health')
health() {
return { providers: this.providerService.getProvidersHealth() };
}
@Post('test') @Post('test')
testConnection(@Body() body: TestConnectionDto): Promise<TestConnectionResultDto> { testConnection(@Body() body: TestConnectionDto): Promise<TestConnectionResultDto> {
return this.providerService.testConnection(body.providerId, body.baseUrl); return this.providerService.testConnection(body.providerId, body.baseUrl);
@@ -50,49 +37,4 @@ export class ProvidersController {
rank(@Body() criteria: RoutingCriteria) { rank(@Body() criteria: RoutingCriteria) {
return this.routingService.rank(criteria); return this.routingService.rank(criteria);
} }
// ── Credential CRUD ──────────────────────────────────────────────────────
/**
* GET /api/providers/credentials
* List all provider credentials for the authenticated user.
* Returns provider names, types, and metadata — never decrypted values.
*/
@Get('credentials')
listCredentials(@CurrentUser() user: { id: string }): Promise<ProviderCredentialSummaryDto[]> {
return this.credentialsService.listProviders(user.id);
}
/**
* POST /api/providers/credentials
* Store or update a provider credential for the authenticated user.
* The value is encrypted before storage and never returned.
*/
@Post('credentials')
async storeCredential(
@CurrentUser() user: { id: string },
@Body() body: StoreCredentialDto,
): Promise<{ success: boolean; provider: string }> {
await this.credentialsService.store(
user.id,
body.provider,
body.type,
body.value,
body.metadata,
);
return { success: true, provider: body.provider };
}
/**
* DELETE /api/providers/credentials/:provider
* Remove a stored credential for the authenticated user.
*/
@Delete('credentials/:provider')
async removeCredential(
@CurrentUser() user: { id: string },
@Param('provider') provider: string,
): Promise<{ success: boolean; provider: string }> {
await this.credentialsService.remove(user.id, provider);
return { success: true, provider };
}
} }

6
apps/gateway/src/agent/routing.service.ts
View File

@@ -1,6 +1,6 @@
import { Inject, Injectable, Logger } from '@nestjs/common'; import { Inject, Injectable, Logger } from '@nestjs/common';
import type { ModelInfo } from '@mosaicstack/types'; import type { ModelInfo } from '@mosaic/types';
import type { RoutingCriteria, RoutingResult, CostTier } from '@mosaicstack/types'; import type { RoutingCriteria, RoutingResult, CostTier } from '@mosaic/types';
import { ProviderService } from './provider.service.js'; import { ProviderService } from './provider.service.js';
/** Per-million-token cost thresholds for tier classification */ /** Per-million-token cost thresholds for tier classification */
@@ -8,8 +8,6 @@ const COST_TIER_THRESHOLDS: Record<CostTier, { maxInput: number }> = {
cheap: { maxInput: 1 }, cheap: { maxInput: 1 },
standard: { maxInput: 10 }, standard: { maxInput: 10 },
premium: { maxInput: Infinity }, premium: { maxInput: Infinity },
// local = self-hosted; treat as cheapest tier for cost scoring purposes
local: { maxInput: 0 },
}; };
@Injectable() @Injectable()

138
apps/gateway/src/agent/routing/default-rules.ts
View File

@@ -1,138 +0,0 @@
import { Inject, Injectable, Logger, type OnModuleInit } from '@nestjs/common';
import { routingRules, type Db, sql } from '@mosaicstack/db';
import { DB } from '../../database/database.module.js';
import type { RoutingCondition, RoutingAction } from './routing.types.js';
/** Seed-time routing rule descriptor */
interface RoutingRuleSeed {
name: string;
priority: number;
conditions: RoutingCondition[];
action: RoutingAction;
}
export const DEFAULT_ROUTING_RULES: RoutingRuleSeed[] = [
{
name: 'Complex coding → Opus',
priority: 1,
conditions: [
{ field: 'taskType', operator: 'eq', value: 'coding' },
{ field: 'complexity', operator: 'eq', value: 'complex' },
],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
},
{
name: 'Moderate coding → Sonnet',
priority: 2,
conditions: [
{ field: 'taskType', operator: 'eq', value: 'coding' },
{ field: 'complexity', operator: 'eq', value: 'moderate' },
],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
},
{
name: 'Simple coding → Codex',
priority: 3,
conditions: [
{ field: 'taskType', operator: 'eq', value: 'coding' },
{ field: 'complexity', operator: 'eq', value: 'simple' },
],
action: { provider: 'openai', model: 'codex-gpt-5-4' },
},
{
name: 'Research → Codex',
priority: 4,
conditions: [{ field: 'taskType', operator: 'eq', value: 'research' }],
action: { provider: 'openai', model: 'codex-gpt-5-4' },
},
{
name: 'Summarization → GLM-5',
priority: 5,
conditions: [{ field: 'taskType', operator: 'eq', value: 'summarization' }],
action: { provider: 'zai', model: 'glm-5' },
},
{
name: 'Analysis with reasoning → Opus',
priority: 6,
conditions: [
{ field: 'taskType', operator: 'eq', value: 'analysis' },
{ field: 'requiredCapabilities', operator: 'includes', value: 'reasoning' },
],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
},
{
name: 'Conversation → Sonnet',
priority: 7,
conditions: [{ field: 'taskType', operator: 'eq', value: 'conversation' }],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
},
{
name: 'Creative → Sonnet',
priority: 8,
conditions: [{ field: 'taskType', operator: 'eq', value: 'creative' }],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
},
{
name: 'Cheap/general → Haiku',
priority: 9,
conditions: [{ field: 'costTier', operator: 'eq', value: 'cheap' }],
action: { provider: 'anthropic', model: 'claude-haiku-4-5' },
},
{
name: 'Fallback → Sonnet',
priority: 10,
conditions: [],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
},
{
name: 'Offline → Ollama',
priority: 99,
conditions: [{ field: 'costTier', operator: 'eq', value: 'local' }],
action: { provider: 'ollama', model: 'llama3.2' },
},
];
@Injectable()
export class DefaultRoutingRulesSeed implements OnModuleInit {
private readonly logger = new Logger(DefaultRoutingRulesSeed.name);
constructor(@Inject(DB) private readonly db: Db) {}
async onModuleInit(): Promise<void> {
await this.seedDefaultRules();
}
/**
* Insert default routing rules into the database if the table is empty.
* Skips seeding if any system-scoped rules already exist.
*/
async seedDefaultRules(): Promise<void> {
const rows = await this.db
.select({ count: sql<number>`count(*)::int` })
.from(routingRules)
.where(sql`scope = 'system'`);
const count = rows[0]?.count ?? 0;
if (count > 0) {
this.logger.debug(
`Skipping default routing rules seed — ${count} system rule(s) already exist`,
);
return;
}
this.logger.log(`Seeding ${DEFAULT_ROUTING_RULES.length} default routing rules`);
await this.db.insert(routingRules).values(
DEFAULT_ROUTING_RULES.map((rule) => ({
name: rule.name,
priority: rule.priority,
scope: 'system' as const,
conditions: rule.conditions as unknown as Record<string, unknown>[],
action: rule.action as unknown as Record<string, unknown>,
enabled: true,
})),
);
this.logger.log('Default routing rules seeded successfully');
}
}

260
apps/gateway/src/agent/routing/routing-e2e.test.ts
View File

@@ -1,260 +0,0 @@
/**
* M4-013: Routing end-to-end integration tests.
*
* These tests exercise the full pipeline:
* classifyTask (task-classifier) → matchConditions (routing-engine) → RoutingDecision
*
* All tests use a mocked DB (rule store) and mocked ProviderService (health map)
* to avoid real I/O — they verify the complete classify → match → decide path.
*/
import { describe, it, expect, vi } from 'vitest';
import { RoutingEngineService } from './routing-engine.service.js';
import { DEFAULT_ROUTING_RULES } from '../routing/default-rules.js';
import type { RoutingRule } from './routing.types.js';
// ─── Test helpers ─────────────────────────────────────────────────────────────
/** Build a RoutingEngineService backed by the given rule set and health map. */
function makeService(
rules: RoutingRule[],
healthMap: Record<string, { status: string }>,
): RoutingEngineService {
const mockDb = {
select: vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
orderBy: vi.fn().mockResolvedValue(
rules.map((r) => ({
id: r.id,
name: r.name,
priority: r.priority,
scope: r.scope,
userId: r.userId ?? null,
conditions: r.conditions,
action: r.action,
enabled: r.enabled,
createdAt: new Date(),
updatedAt: new Date(),
})),
),
}),
}),
}),
};
const mockProviderService = {
healthCheckAll: vi.fn().mockResolvedValue(healthMap),
};
return new (RoutingEngineService as unknown as new (
db: unknown,
ps: unknown,
) => RoutingEngineService)(mockDb, mockProviderService);
}
/**
* Convert DEFAULT_ROUTING_RULES (seed format, no id) to RoutingRule objects
* so we can use them in tests.
*/
function defaultRules(): RoutingRule[] {
return DEFAULT_ROUTING_RULES.map((r, i) => ({
id: `rule-${i + 1}`,
scope: 'system' as const,
userId: undefined,
enabled: true,
...r,
}));
}
/** A health map where anthropic, openai, and zai are all healthy. */
const allHealthy: Record<string, { status: string }> = {
anthropic: { status: 'up' },
openai: { status: 'up' },
zai: { status: 'up' },
ollama: { status: 'up' },
};
// ─── M4-013 E2E tests ─────────────────────────────────────────────────────────
describe('M4-013: routing end-to-end pipeline', () => {
// Test 1: coding message → should route to Opus (complex coding rule)
it('coding message routes to Opus via task classifier + routing rules', async () => {
// Use a message that classifies as coding + complex
// "architecture" triggers complex; "implement" triggers coding
const message =
'Implement an architecture for a multi-tenant system with database isolation and role-based access control. The system needs to support multiple organizations.';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
// Classifier should detect: taskType=coding, complexity=complex
// That matches "Complex coding → Opus" rule at priority 1
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-opus-4-6');
expect(decision.ruleName).toBe('Complex coding → Opus');
});
// Test 2: "Summarize this" → routes to GLM-5
it('"Summarize this" routes to GLM-5 via summarization rule', async () => {
const message = 'Summarize this document for me please';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
// Classifier should detect: taskType=summarization
// Matches "Summarization → GLM-5" rule (priority 5)
expect(decision.provider).toBe('zai');
expect(decision.model).toBe('glm-5');
expect(decision.ruleName).toBe('Summarization → GLM-5');
});
// Test 3: simple question → routes to cheap tier (Haiku)
// Note: the "Cheap/general → Haiku" rule uses costTier=cheap condition.
// Since costTier is not part of TaskClassification (it's a request-level field),
// it won't auto-match. Instead we test that a simple conversation falls through
// to the "Conversation → Sonnet" rule — which IS the cheap-tier routing path
// for simple conversational questions.
// We also verify that routing using a user-scoped cheap-tier rule overrides correctly.
it('simple conversational question routes to Sonnet (conversation rule)', async () => {
const message = 'What time is it?';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
// Classifier: taskType=conversation (no strong signals), complexity=simple
// Matches "Conversation → Sonnet" rule (priority 7)
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-sonnet-4-6');
expect(decision.ruleName).toBe('Conversation → Sonnet');
});
// Test 3b: explicit cheap-tier rule via user-scoped override
it('cheap-tier rule routes to Haiku when costTier=cheap condition matches', async () => {
// Build a cheap-tier user rule that has a conversation condition overlapping
// with what we send, but give it lower priority so we can test explicitly
const cheapRule: RoutingRule = {
id: 'cheap-rule-1',
name: 'Cheap/general → Haiku',
priority: 1,
scope: 'system',
enabled: true,
// This rule matches any simple conversation when costTier is set by the resolver.
// We test the rule condition matching directly here:
conditions: [{ field: 'taskType', operator: 'eq', value: 'conversation' }],
action: { provider: 'anthropic', model: 'claude-haiku-4-5' },
};
const service = makeService([cheapRule], allHealthy);
const decision = await service.resolve('Hello, how are you doing today?');
// Simple greeting → conversation → matches cheapRule → Haiku
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-haiku-4-5');
expect(decision.ruleName).toBe('Cheap/general → Haiku');
});
// Test 4: /model override bypasses routing
// This test verifies that when a model override is set (stored in chatGateway.modelOverrides),
// the routing engine is NOT called. We simulate this by verifying that the routing engine
// service is not consulted when the override path is taken.
it('/model override bypasses routing engine (no classify → route call)', async () => {
// Build a service that would route to Opus for a coding message
const mockHealthCheckAll = vi.fn().mockResolvedValue(allHealthy);
const mockSelect = vi.fn();
const mockDb = {
select: mockSelect.mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
orderBy: vi.fn().mockResolvedValue(defaultRules()),
}),
}),
}),
};
const mockProviderService = { healthCheckAll: mockHealthCheckAll };
const service = new (RoutingEngineService as unknown as new (
db: unknown,
ps: unknown,
) => RoutingEngineService)(mockDb, mockProviderService);
// Simulate the ChatGateway model-override logic:
// When a /model override exists, the gateway skips calling routingEngine.resolve().
// We verify this by checking that if we do NOT call resolve(), the DB is never queried.
// (This is the same guarantee the ChatGateway code provides.)
expect(mockSelect).not.toHaveBeenCalled();
expect(mockHealthCheckAll).not.toHaveBeenCalled();
// Now if we DO call resolve (no override), it hits the DB and health check
await service.resolve('implement a function');
expect(mockSelect).toHaveBeenCalled();
expect(mockHealthCheckAll).toHaveBeenCalled();
});
// Test 5: full pipeline classification accuracy — "Summarize this" message
it('full pipeline: classify → match rules → summarization decision', async () => {
const message = 'Can you give me a brief summary of the last meeting notes?';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
// "brief" keyword → summarization; "brief" is < 100 chars... check length
// message length is ~68 chars → simple complexity but summarization type wins
expect(decision.ruleName).toBe('Summarization → GLM-5');
expect(decision.provider).toBe('zai');
expect(decision.model).toBe('glm-5');
expect(decision.reason).toContain('Summarization → GLM-5');
});
// Test 6: pipeline with unhealthy provider — falls through to fallback
it('when all matched rule providers are unhealthy, falls through to openai fallback', async () => {
// The message classifies as: taskType=coding, complexity=moderate (implement + no architecture keyword,
// moderate length ~60 chars → simple threshold is < 100 → actually simple since it is < 100 chars)
// Let's use a simple coding message to target Simple coding → Codex (openai)
const message = 'implement a sort function';
const unhealthyHealth = {
anthropic: { status: 'down' },
openai: { status: 'up' },
zai: { status: 'up' },
ollama: { status: 'down' },
};
const service = makeService(defaultRules(), unhealthyHealth);
const decision = await service.resolve(message);
// "implement" → coding; 26 chars → simple; so: coding+simple → "Simple coding → Codex" (openai)
// openai is up → should match
expect(decision.provider).toBe('openai');
expect(decision.model).toBe('codex-gpt-5-4');
});
// Test 7: research message routing
it('research message routes to Codex via research rule', async () => {
const message = 'Research the best approaches for distributed caching systems';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
// "research" keyword → taskType=research → "Research → Codex" rule (priority 4)
expect(decision.ruleName).toBe('Research → Codex');
expect(decision.provider).toBe('openai');
expect(decision.model).toBe('codex-gpt-5-4');
});
// Test 8: full pipeline integrity — decision includes all required fields
it('routing decision includes provider, model, ruleName, and reason', async () => {
const message = 'implement a new feature';
const service = makeService(defaultRules(), allHealthy);
const decision = await service.resolve(message);
expect(decision).toHaveProperty('provider');
expect(decision).toHaveProperty('model');
expect(decision).toHaveProperty('ruleName');
expect(decision).toHaveProperty('reason');
expect(typeof decision.provider).toBe('string');
expect(typeof decision.model).toBe('string');
expect(typeof decision.ruleName).toBe('string');
expect(typeof decision.reason).toBe('string');
});
});

216
apps/gateway/src/agent/routing/routing-engine.service.ts
View File

@@ -1,216 +0,0 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import { routingRules, type Db, and, asc, eq, or } from '@mosaicstack/db';
import { DB } from '../../database/database.module.js';
import { ProviderService } from '../provider.service.js';
import { classifyTask } from './task-classifier.js';
import type {
RoutingCondition,
RoutingRule,
RoutingDecision,
TaskClassification,
} from './routing.types.js';
// ─── Injection tokens ────────────────────────────────────────────────────────
export const PROVIDER_SERVICE = Symbol('ProviderService');
// ─── Fallback chain ──────────────────────────────────────────────────────────
/**
* Ordered fallback providers tried when no rule matches or all matched
* providers are unhealthy.
*/
const FALLBACK_CHAIN: Array<{ provider: string; model: string }> = [
{ provider: 'anthropic', model: 'claude-sonnet-4-6' },
{ provider: 'anthropic', model: 'claude-haiku-4-5' },
{ provider: 'ollama', model: 'llama3.2' },
];
// ─── Service ─────────────────────────────────────────────────────────────────
@Injectable()
export class RoutingEngineService {
private readonly logger = new Logger(RoutingEngineService.name);
constructor(
@Inject(DB) private readonly db: Db,
@Inject(ProviderService) private readonly providerService: ProviderService,
) {}
/**
* Classify the message, evaluate routing rules in priority order, and return
* the best routing decision.
*
* @param message - Raw user message text used for classification.
* @param userId - Optional user ID for loading user-scoped rules.
* @param availableProviders - Optional pre-fetched provider health map to
* avoid redundant health checks inside tight loops.
*/
async resolve(
message: string,
userId?: string,
availableProviders?: Record<string, { status: string }>,
): Promise<RoutingDecision> {
const classification = classifyTask(message);
this.logger.debug(
`Classification: taskType=${classification.taskType} complexity=${classification.complexity} domain=${classification.domain}`,
);
// Load health data once (re-use caller-supplied map if provided)
const health = availableProviders ?? (await this.providerService.healthCheckAll());
// Load all applicable rules ordered by priority
const rules = await this.loadRules(userId);
// Evaluate rules in priority order
for (const rule of rules) {
if (!rule.enabled) continue;
if (!this.matchConditions(rule, classification)) continue;
const providerStatus = health[rule.action.provider]?.status;
const isHealthy = providerStatus === 'up' || providerStatus === 'ok';
if (!isHealthy) {
this.logger.debug(
`Rule "${rule.name}" matched but provider "${rule.action.provider}" is unhealthy (status: ${providerStatus ?? 'unknown'})`,
);
continue;
}
this.logger.debug(
`Rule matched: "${rule.name}" → ${rule.action.provider}/${rule.action.model}`,
);
return {
provider: rule.action.provider,
model: rule.action.model,
agentConfigId: rule.action.agentConfigId,
ruleName: rule.name,
reason: `Matched routing rule "${rule.name}"`,
};
}
// No rule matched (or all matched providers were unhealthy) — apply fallback chain
this.logger.debug('No rule matched; applying fallback chain');
return this.applyFallbackChain(health);
}
/**
* Check whether all conditions of a rule match the given task classification.
* An empty conditions array always matches (catch-all / fallback rule).
*/
matchConditions(
rule: Pick<RoutingRule, 'conditions'>,
classification: TaskClassification,
): boolean {
if (rule.conditions.length === 0) return true;
return rule.conditions.every((condition) => this.evaluateCondition(condition, classification));
}
// ─── Private helpers ───────────────────────────────────────────────────────
private evaluateCondition(
condition: RoutingCondition,
classification: TaskClassification,
): boolean {
// `costTier` is a valid condition field but is not part of TaskClassification
// (it is supplied via userOverrides / request context). Treat unknown fields as
// undefined so conditions referencing them simply do not match.
const fieldValue = (classification as unknown as Record<string, unknown>)[condition.field];
switch (condition.operator) {
case 'eq': {
// Scalar equality: field value must equal condition value (string)
if (typeof condition.value !== 'string') return false;
return fieldValue === condition.value;
}
case 'in': {
// Set membership: condition value (array) contains field value
if (!Array.isArray(condition.value)) return false;
return condition.value.includes(fieldValue as string);
}
case 'includes': {
// Array containment: field value (array) includes condition value (string)
if (!Array.isArray(fieldValue)) return false;
if (typeof condition.value !== 'string') return false;
return (fieldValue as string[]).includes(condition.value);
}
default:
return false;
}
}
/**
* Load routing rules from the database.
* System rules + user-scoped rules (when userId is provided) are returned,
* ordered by priority ascending.
*/
private async loadRules(userId?: string): Promise<RoutingRule[]> {
const whereClause = userId
? or(
eq(routingRules.scope, 'system'),
and(eq(routingRules.scope, 'user'), eq(routingRules.userId, userId)),
)
: eq(routingRules.scope, 'system');
const rows = await this.db
.select()
.from(routingRules)
.where(whereClause)
.orderBy(asc(routingRules.priority));
return rows.map((row) => ({
id: row.id,
name: row.name,
priority: row.priority,
scope: row.scope as 'system' | 'user',
userId: row.userId ?? undefined,
conditions: (row.conditions as unknown as RoutingCondition[]) ?? [],
action: row.action as unknown as {
provider: string;
model: string;
agentConfigId?: string;
systemPromptOverride?: string;
toolAllowlist?: string[];
},
enabled: row.enabled,
}));
}
/**
* Walk the fallback chain and return the first healthy provider/model pair.
* If none are healthy, return the first entry unconditionally (last resort).
*/
private applyFallbackChain(health: Record<string, { status: string }>): RoutingDecision {
for (const candidate of FALLBACK_CHAIN) {
const providerStatus = health[candidate.provider]?.status;
const isHealthy = providerStatus === 'up' || providerStatus === 'ok';
if (isHealthy) {
this.logger.debug(`Fallback resolved: ${candidate.provider}/${candidate.model}`);
return {
provider: candidate.provider,
model: candidate.model,
ruleName: 'fallback',
reason: `Fallback chain — no matching rule; selected ${candidate.provider}/${candidate.model}`,
};
}
}
// All providers in the fallback chain are unhealthy — use the first entry
const lastResort = FALLBACK_CHAIN[0]!;
this.logger.warn(
`All fallback providers unhealthy; using last resort: ${lastResort.provider}/${lastResort.model}`,
);
return {
provider: lastResort.provider,
model: lastResort.model,
ruleName: 'fallback',
reason: `Fallback chain exhausted (all providers unhealthy); using ${lastResort.provider}/${lastResort.model}`,
};
}
}

460
apps/gateway/src/agent/routing/routing-engine.test.ts
View File

@@ -1,460 +0,0 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { RoutingEngineService } from './routing-engine.service.js';
import type { RoutingRule, TaskClassification } from './routing.types.js';
// ─── Helpers ─────────────────────────────────────────────────────────────────
function makeRule(
overrides: Partial<RoutingRule> &
Pick<RoutingRule, 'name' | 'priority' | 'conditions' | 'action'>,
): RoutingRule {
return {
id: overrides.id ?? crypto.randomUUID(),
scope: 'system',
enabled: true,
...overrides,
};
}
function makeClassification(overrides: Partial<TaskClassification> = {}): TaskClassification {
return {
taskType: 'conversation',
complexity: 'simple',
domain: 'general',
requiredCapabilities: [],
...overrides,
};
}
/** Build a minimal RoutingEngineService with mocked DB and ProviderService. */
function makeService(
rules: RoutingRule[] = [],
healthMap: Record<string, { status: string }> = {},
): RoutingEngineService {
const mockDb = {
select: vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
orderBy: vi.fn().mockResolvedValue(
rules.map((r) => ({
id: r.id,
name: r.name,
priority: r.priority,
scope: r.scope,
userId: r.userId ?? null,
conditions: r.conditions,
action: r.action,
enabled: r.enabled,
createdAt: new Date(),
updatedAt: new Date(),
})),
),
}),
}),
}),
};
const mockProviderService = {
healthCheckAll: vi.fn().mockResolvedValue(healthMap),
};
// Inject mocked dependencies directly (bypass NestJS DI for unit tests)
const service = new (RoutingEngineService as unknown as new (
db: unknown,
ps: unknown,
) => RoutingEngineService)(mockDb, mockProviderService);
return service;
}
// ─── matchConditions ──────────────────────────────────────────────────────────
describe('RoutingEngineService.matchConditions', () => {
let service: RoutingEngineService;
beforeEach(() => {
service = makeService();
});
it('returns true for empty conditions array (catch-all rule)', () => {
const rule = makeRule({
name: 'fallback',
priority: 99,
conditions: [],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
});
expect(service.matchConditions(rule, makeClassification())).toBe(true);
});
it('matches eq operator on scalar field', () => {
const rule = makeRule({
name: 'coding',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
});
expect(service.matchConditions(rule, makeClassification({ taskType: 'coding' }))).toBe(true);
expect(service.matchConditions(rule, makeClassification({ taskType: 'conversation' }))).toBe(
false,
);
});
it('matches in operator: field value is in the condition array', () => {
const rule = makeRule({
name: 'simple or moderate',
priority: 2,
conditions: [{ field: 'complexity', operator: 'in', value: ['simple', 'moderate'] }],
action: { provider: 'anthropic', model: 'claude-haiku-4-5' },
});
expect(service.matchConditions(rule, makeClassification({ complexity: 'simple' }))).toBe(true);
expect(service.matchConditions(rule, makeClassification({ complexity: 'moderate' }))).toBe(
true,
);
expect(service.matchConditions(rule, makeClassification({ complexity: 'complex' }))).toBe(
false,
);
});
it('matches includes operator: field array includes the condition value', () => {
const rule = makeRule({
name: 'reasoning required',
priority: 3,
conditions: [{ field: 'requiredCapabilities', operator: 'includes', value: 'reasoning' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
});
expect(
service.matchConditions(rule, makeClassification({ requiredCapabilities: ['reasoning'] })),
).toBe(true);
expect(
service.matchConditions(
rule,
makeClassification({ requiredCapabilities: ['tools', 'reasoning'] }),
),
).toBe(true);
expect(
service.matchConditions(rule, makeClassification({ requiredCapabilities: ['tools'] })),
).toBe(false);
expect(service.matchConditions(rule, makeClassification({ requiredCapabilities: [] }))).toBe(
false,
);
});
it('requires ALL conditions to match (AND logic)', () => {
const rule = makeRule({
name: 'complex coding',
priority: 1,
conditions: [
{ field: 'taskType', operator: 'eq', value: 'coding' },
{ field: 'complexity', operator: 'eq', value: 'complex' },
],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
});
// Both match
expect(
service.matchConditions(
rule,
makeClassification({ taskType: 'coding', complexity: 'complex' }),
),
).toBe(true);
// Only one matches
expect(
service.matchConditions(
rule,
makeClassification({ taskType: 'coding', complexity: 'simple' }),
),
).toBe(false);
// Neither matches
expect(
service.matchConditions(
rule,
makeClassification({ taskType: 'conversation', complexity: 'simple' }),
),
).toBe(false);
});
it('returns false for eq when condition value is an array (type mismatch)', () => {
const rule = makeRule({
name: 'bad eq',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: ['coding', 'research'] }],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
});
expect(service.matchConditions(rule, makeClassification({ taskType: 'coding' }))).toBe(false);
});
it('returns false for includes when field is not an array', () => {
const rule = makeRule({
name: 'bad includes',
priority: 1,
conditions: [{ field: 'taskType', operator: 'includes', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
});
// taskType is a string, not an array — should be false
expect(service.matchConditions(rule, makeClassification({ taskType: 'coding' }))).toBe(false);
});
});
// ─── resolve — priority ordering ─────────────────────────────────────────────
describe('RoutingEngineService.resolve — priority ordering', () => {
it('selects the highest-priority matching rule', async () => {
// Rules are supplied in priority-ascending order, as the DB would return them.
const rules = [
makeRule({
name: 'high priority',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
}),
makeRule({
name: 'low priority',
priority: 10,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'openai', model: 'gpt-4o' },
}),
];
const service = makeService(rules, { anthropic: { status: 'up' }, openai: { status: 'up' } });
const decision = await service.resolve('implement a function');
expect(decision.ruleName).toBe('high priority');
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-opus-4-6');
});
it('skips non-matching rules and picks first match', async () => {
const rules = [
makeRule({
name: 'research rule',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'research' }],
action: { provider: 'openai', model: 'gpt-4o' },
}),
makeRule({
name: 'coding rule',
priority: 2,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
}),
];
const service = makeService(rules, { anthropic: { status: 'up' }, openai: { status: 'up' } });
const decision = await service.resolve('implement a function');
expect(decision.ruleName).toBe('coding rule');
expect(decision.provider).toBe('anthropic');
});
});
// ─── resolve — unhealthy provider fallback ────────────────────────────────────
describe('RoutingEngineService.resolve — unhealthy provider handling', () => {
it('skips matched rule when provider is unhealthy, tries next rule', async () => {
const rules = [
makeRule({
name: 'primary rule',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
}),
makeRule({
name: 'secondary rule',
priority: 2,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'openai', model: 'gpt-4o' },
}),
];
const service = makeService(rules, {
anthropic: { status: 'down' }, // primary is unhealthy
openai: { status: 'up' },
});
const decision = await service.resolve('implement a function');
expect(decision.ruleName).toBe('secondary rule');
expect(decision.provider).toBe('openai');
});
it('falls back to Sonnet when all rules have unhealthy providers', async () => {
// Override the rule's provider to something unhealthy but keep anthropic up for fallback
const unhealthyRules = [
makeRule({
name: 'only rule',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'openai', model: 'gpt-4o' }, // openai is unhealthy
}),
];
const service2 = makeService(unhealthyRules, {
anthropic: { status: 'up' },
openai: { status: 'down' },
});
const decision = await service2.resolve('implement a function');
// Should fall through to Sonnet fallback on anthropic
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-sonnet-4-6');
expect(decision.ruleName).toBe('fallback');
});
it('falls back to Haiku when Sonnet provider is also down', async () => {
const rules: RoutingRule[] = []; // no rules
const service = makeService(rules, {
anthropic: { status: 'down' }, // Sonnet is on anthropic — down
ollama: { status: 'up' }, // Haiku is also on anthropic — use Ollama as next
});
const decision = await service.resolve('hello there');
// Sonnet (anthropic) is down, Haiku (anthropic) is down, Ollama is up
expect(decision.provider).toBe('ollama');
expect(decision.model).toBe('llama3.2');
expect(decision.ruleName).toBe('fallback');
});
it('uses last resort (Sonnet) when all fallback providers are unhealthy', async () => {
const rules: RoutingRule[] = [];
const service = makeService(rules, {
anthropic: { status: 'down' },
ollama: { status: 'down' },
});
const decision = await service.resolve('hello');
// All unhealthy — still returns first fallback entry as last resort
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-sonnet-4-6');
expect(decision.ruleName).toBe('fallback');
});
});
// ─── resolve — empty conditions (catch-all rule) ──────────────────────────────
describe('RoutingEngineService.resolve — empty conditions (fallback rule)', () => {
it('matches catch-all rule for any message', async () => {
const rules = [
makeRule({
name: 'catch-all',
priority: 99,
conditions: [],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
}),
];
const service = makeService(rules, { anthropic: { status: 'up' } });
const decision = await service.resolve('completely unrelated message xyz');
expect(decision.ruleName).toBe('catch-all');
expect(decision.provider).toBe('anthropic');
expect(decision.model).toBe('claude-sonnet-4-6');
});
it('catch-all is overridden by a higher-priority specific rule', async () => {
const rules = [
makeRule({
name: 'specific coding rule',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
}),
makeRule({
name: 'catch-all',
priority: 99,
conditions: [],
action: { provider: 'anthropic', model: 'claude-haiku-4-5' },
}),
];
const service = makeService(rules, { anthropic: { status: 'up' } });
const codingDecision = await service.resolve('implement a function');
expect(codingDecision.ruleName).toBe('specific coding rule');
expect(codingDecision.model).toBe('claude-opus-4-6');
const conversationDecision = await service.resolve('hello how are you');
expect(conversationDecision.ruleName).toBe('catch-all');
expect(conversationDecision.model).toBe('claude-haiku-4-5');
});
});
// ─── resolve — disabled rules ─────────────────────────────────────────────────
describe('RoutingEngineService.resolve — disabled rules', () => {
it('skips disabled rules', async () => {
const rules = [
makeRule({
name: 'disabled rule',
priority: 1,
enabled: false,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
}),
makeRule({
name: 'enabled fallback',
priority: 99,
conditions: [],
action: { provider: 'anthropic', model: 'claude-sonnet-4-6' },
}),
];
const service = makeService(rules, { anthropic: { status: 'up' } });
const decision = await service.resolve('implement a function');
expect(decision.ruleName).toBe('enabled fallback');
expect(decision.model).toBe('claude-sonnet-4-6');
});
});
// ─── resolve — pre-fetched health map ────────────────────────────────────────
describe('RoutingEngineService.resolve — availableProviders override', () => {
it('uses the provided health map instead of calling healthCheckAll', async () => {
const rules = [
makeRule({
name: 'coding rule',
priority: 1,
conditions: [{ field: 'taskType', operator: 'eq', value: 'coding' }],
action: { provider: 'anthropic', model: 'claude-opus-4-6' },
}),
];
const mockHealthCheckAll = vi.fn().mockResolvedValue({});
const mockDb = {
select: vi.fn().mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockReturnValue({
orderBy: vi.fn().mockResolvedValue(
rules.map((r) => ({
id: r.id,
name: r.name,
priority: r.priority,
scope: r.scope,
userId: r.userId ?? null,
conditions: r.conditions,
action: r.action,
enabled: r.enabled,
createdAt: new Date(),
updatedAt: new Date(),
})),
),
}),
}),
}),
};
const mockProviderService = { healthCheckAll: mockHealthCheckAll };
const service = new (RoutingEngineService as unknown as new (
db: unknown,
ps: unknown,
) => RoutingEngineService)(mockDb, mockProviderService);
const preSupplied = { anthropic: { status: 'up' } };
await service.resolve('implement a function', undefined, preSupplied);
expect(mockHealthCheckAll).not.toHaveBeenCalled();
});
});

234
apps/gateway/src/agent/routing/routing.controller.ts
View File

@@ -1,234 +0,0 @@
import {
Body,
Controller,
Delete,
ForbiddenException,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Param,
Patch,
Post,
UseGuards,
} from '@nestjs/common';
import { routingRules, type Db, and, asc, eq, or, inArray } from '@mosaicstack/db';
import { DB } from '../../database/database.module.js';
import { AuthGuard } from '../../auth/auth.guard.js';
import { CurrentUser } from '../../auth/current-user.decorator.js';
import {
CreateRoutingRuleDto,
UpdateRoutingRuleDto,
ReorderRoutingRulesDto,
} from './routing.dto.js';
@Controller('api/routing/rules')
@UseGuards(AuthGuard)
export class RoutingController {
constructor(@Inject(DB) private readonly db: Db) {}
/**
* GET /api/routing/rules
* List all rules visible to the authenticated user:
* - All system rules
* - User's own rules
* Ordered by priority ascending (lower number = higher priority).
*/
@Get()
async list(@CurrentUser() user: { id: string }) {
const rows = await this.db
.select()
.from(routingRules)
.where(
or(
eq(routingRules.scope, 'system'),
and(eq(routingRules.scope, 'user'), eq(routingRules.userId, user.id)),
),
)
.orderBy(asc(routingRules.priority));
return rows;
}
/**
* GET /api/routing/rules/effective
* Return the merged rule set in priority order.
* User-scoped rules are checked before system rules at the same priority
* (achieved by ordering: priority ASC, then scope='user' first).
*/
@Get('effective')
async effective(@CurrentUser() user: { id: string }) {
const rows = await this.db
.select()
.from(routingRules)
.where(
and(
eq(routingRules.enabled, true),
or(
eq(routingRules.scope, 'system'),
and(eq(routingRules.scope, 'user'), eq(routingRules.userId, user.id)),
),
),
)
.orderBy(asc(routingRules.priority));
// For rules with the same priority: user rules beat system rules.
// Group by priority then stable-sort each group: user before system.
const grouped = new Map<number, typeof rows>();
for (const row of rows) {
const bucket = grouped.get(row.priority) ?? [];
bucket.push(row);
grouped.set(row.priority, bucket);
}
const effective: typeof rows = [];
for (const [, bucket] of [...grouped.entries()].sort(([a], [b]) => a - b)) {
// user-scoped rules first within the same priority bucket
const userRules = bucket.filter((r) => r.scope === 'user');
const systemRules = bucket.filter((r) => r.scope === 'system');
effective.push(...userRules, ...systemRules);
}
return effective;
}
/**
* POST /api/routing/rules
* Create a new routing rule. Scope is forced to 'user' (users cannot create
* system rules). The authenticated user's ID is attached automatically.
*/
@Post()
async create(@Body() dto: CreateRoutingRuleDto, @CurrentUser() user: { id: string }) {
const [created] = await this.db
.insert(routingRules)
.values({
name: dto.name,
priority: dto.priority,
scope: 'user',
userId: user.id,
conditions: dto.conditions as unknown as Record<string, unknown>[],
action: dto.action as unknown as Record<string, unknown>,
enabled: dto.enabled ?? true,
})
.returning();
return created;
}
/**
* PATCH /api/routing/rules/reorder
* Reassign priorities so that the order of `ruleIds` reflects ascending
* priority (index 0 = priority 0, index 1 = priority 1, …).
* Only the authenticated user's own rules can be reordered.
*/
@Patch('reorder')
async reorder(@Body() dto: ReorderRoutingRulesDto, @CurrentUser() user: { id: string }) {
// Verify all supplied IDs belong to this user
const owned = await this.db
.select({ id: routingRules.id })
.from(routingRules)
.where(
and(
inArray(routingRules.id, dto.ruleIds),
eq(routingRules.scope, 'user'),
eq(routingRules.userId, user.id),
),
);
const ownedIds = new Set(owned.map((r) => r.id));
const unowned = dto.ruleIds.filter((id) => !ownedIds.has(id));
if (unowned.length > 0) {
throw new ForbiddenException(
`Cannot reorder rules that do not belong to you: ${unowned.join(', ')}`,
);
}
// Apply new priorities in transaction
const updates = await this.db.transaction(async (tx) => {
const results = [];
for (let i = 0; i < dto.ruleIds.length; i++) {
const [updated] = await tx
.update(routingRules)
.set({ priority: i, updatedAt: new Date() })
.where(and(eq(routingRules.id, dto.ruleIds[i]!), eq(routingRules.userId, user.id)))
.returning();
if (updated) results.push(updated);
}
return results;
});
return updates;
}
/**
* PATCH /api/routing/rules/:id
* Update a user-owned rule. System rules cannot be modified by regular users.
*/
@Patch(':id')
async update(
@Param('id') id: string,
@Body() dto: UpdateRoutingRuleDto,
@CurrentUser() user: { id: string },
) {
const [existing] = await this.db.select().from(routingRules).where(eq(routingRules.id, id));
if (!existing) throw new NotFoundException('Routing rule not found');
if (existing.scope === 'system') {
throw new ForbiddenException('System routing rules cannot be modified');
}
if (existing.userId !== user.id) {
throw new ForbiddenException('Routing rule does not belong to the current user');
}
const updatePayload: Partial<typeof routingRules.$inferInsert> = {
updatedAt: new Date(),
};
if (dto.name !== undefined) updatePayload.name = dto.name;
if (dto.priority !== undefined) updatePayload.priority = dto.priority;
if (dto.conditions !== undefined)
updatePayload.conditions = dto.conditions as unknown as Record<string, unknown>[];
if (dto.action !== undefined)
updatePayload.action = dto.action as unknown as Record<string, unknown>;
if (dto.enabled !== undefined) updatePayload.enabled = dto.enabled;
const [updated] = await this.db
.update(routingRules)
.set(updatePayload)
.where(and(eq(routingRules.id, id), eq(routingRules.userId, user.id)))
.returning();
if (!updated) throw new NotFoundException('Routing rule not found');
return updated;
}
/**
* DELETE /api/routing/rules/:id
* Delete a user-owned routing rule. System rules cannot be deleted.
*/
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const [existing] = await this.db.select().from(routingRules).where(eq(routingRules.id, id));
if (!existing) throw new NotFoundException('Routing rule not found');
if (existing.scope === 'system') {
throw new ForbiddenException('System routing rules cannot be deleted');
}
if (existing.userId !== user.id) {
throw new ForbiddenException('Routing rule does not belong to the current user');
}
const [deleted] = await this.db
.delete(routingRules)
.where(and(eq(routingRules.id, id), eq(routingRules.userId, user.id)))
.returning();
if (!deleted) throw new NotFoundException('Routing rule not found');
}
}

135
apps/gateway/src/agent/routing/routing.dto.ts
View File

@@ -1,135 +0,0 @@
import {
IsArray,
IsBoolean,
IsInt,
IsIn,
IsObject,
IsOptional,
IsString,
IsUUID,
MaxLength,
Min,
ValidateNested,
ArrayNotEmpty,
} from 'class-validator';
import { Type } from 'class-transformer';
// ─── Condition DTO ────────────────────────────────────────────────────────────
const conditionFields = [
'taskType',
'complexity',
'domain',
'costTier',
'requiredCapabilities',
] as const;
const conditionOperators = ['eq', 'in', 'includes'] as const;
export class RoutingConditionDto {
@IsString()
@IsIn(conditionFields)
field!: (typeof conditionFields)[number];
@IsString()
@IsIn(conditionOperators)
operator!: (typeof conditionOperators)[number];
// value can be string or string[] — keep as unknown and validate at runtime
value!: string | string[];
}
// ─── Action DTO ───────────────────────────────────────────────────────────────
export class RoutingActionDto {
@IsString()
@MaxLength(255)
provider!: string;
@IsString()
@MaxLength(255)
model!: string;
@IsOptional()
@IsUUID()
agentConfigId?: string;
@IsOptional()
@IsString()
@MaxLength(50_000)
systemPromptOverride?: string;
@IsOptional()
@IsArray()
toolAllowlist?: string[];
}
// ─── Create DTO ───────────────────────────────────────────────────────────────
const scopeValues = ['system', 'user'] as const;
export class CreateRoutingRuleDto {
@IsString()
@MaxLength(255)
name!: string;
@IsInt()
@Min(0)
priority!: number;
@IsOptional()
@IsIn(scopeValues)
scope?: 'system' | 'user';
@IsArray()
@ValidateNested({ each: true })
@Type(() => RoutingConditionDto)
conditions!: RoutingConditionDto[];
@IsObject()
@ValidateNested()
@Type(() => RoutingActionDto)
action!: RoutingActionDto;
@IsOptional()
@IsBoolean()
enabled?: boolean;
}
// ─── Update DTO ───────────────────────────────────────────────────────────────
export class UpdateRoutingRuleDto {
@IsOptional()
@IsString()
@MaxLength(255)
name?: string;
@IsOptional()
@IsInt()
@Min(0)
priority?: number;
@IsOptional()
@IsArray()
@ValidateNested({ each: true })
@Type(() => RoutingConditionDto)
conditions?: RoutingConditionDto[];
@IsOptional()
@IsObject()
@ValidateNested()
@Type(() => RoutingActionDto)
action?: RoutingActionDto;
@IsOptional()
@IsBoolean()
enabled?: boolean;
}
// ─── Reorder DTO ──────────────────────────────────────────────────────────────
export class ReorderRoutingRulesDto {
@IsArray()
@ArrayNotEmpty()
@IsUUID(undefined, { each: true })
ruleIds!: string[];
}

118
apps/gateway/src/agent/routing/routing.types.ts
View File

@@ -1,118 +0,0 @@
/**
* Routing engine types — M4-002 (condition types) and M4-003 (action types).
*
* These types are re-exported from `@mosaicstack/types` for shared use across packages.
*/
// ─── Classification primitives ───────────────────────────────────────────────
/** Category of work the agent is being asked to perform */
export type TaskType =
| 'coding'
| 'research'
| 'summarization'
| 'conversation'
| 'analysis'
| 'creative';
/** Estimated complexity of the task, used to bias toward cheaper or more capable models */
export type Complexity = 'simple' | 'moderate' | 'complex';
/** Primary knowledge domain of the task */
export type Domain = 'frontend' | 'backend' | 'devops' | 'docs' | 'general';
/**
* Cost tier for model selection.
* Extends the existing `CostTier` in `@mosaicstack/types` with `local` for self-hosted models.
*/
export type CostTier = 'cheap' | 'standard' | 'premium' | 'local';
/** Special model capability required by the task */
export type Capability = 'tools' | 'vision' | 'long-context' | 'reasoning' | 'embedding';
// ─── Condition types ─────────────────────────────────────────────────────────
/**
* A single predicate that must be satisfied for a routing rule to match.
*
* - `eq` — scalar equality: `field === value`
* - `in` — set membership: `value` contains `field`
* - `includes` — array containment: `field` (array) includes `value`
*/
export interface RoutingCondition {
/** The task-classification field to test */
field: 'taskType' | 'complexity' | 'domain' | 'costTier' | 'requiredCapabilities';
/** Comparison operator */
operator: 'eq' | 'in' | 'includes';
/** Expected value or set of values */
value: string | string[];
}
// ─── Action types ────────────────────────────────────────────────────────────
/**
* The routing action to execute when all conditions in a rule are satisfied.
*/
export interface RoutingAction {
/** LLM provider identifier, e.g. `'anthropic'`, `'openai'`, `'ollama'` */
provider: string;
/** Model identifier, e.g. `'claude-opus-4-6'`, `'gpt-4o'` */
model: string;
/** Optional: use a specific pre-configured agent config from the agent registry */
agentConfigId?: string;
/** Optional: override the agent's default system prompt for this route */
systemPromptOverride?: string;
/** Optional: restrict the tool set available to the agent for this route */
toolAllowlist?: string[];
}
// ─── Rule and decision types ─────────────────────────────────────────────────
/**
* Full routing rule as stored in the database and used at runtime.
*/
export interface RoutingRule {
/** UUID primary key */
id: string;
/** Human-readable rule name */
name: string;
/** Lower number = evaluated first; unique per scope */
priority: number;
/** `'system'` rules apply globally; `'user'` rules override for a specific user */
scope: 'system' | 'user';
/** Present only for `'user'`-scoped rules */
userId?: string;
/** All conditions must match for the rule to fire */
conditions: RoutingCondition[];
/** Action to take when all conditions are met */
action: RoutingAction;
/** Whether this rule is active */
enabled: boolean;
}
/**
* Structured representation of what an agent has been asked to do,
* produced by the task classifier and consumed by the routing engine.
*/
export interface TaskClassification {
taskType: TaskType;
complexity: Complexity;
domain: Domain;
requiredCapabilities: Capability[];
}
/**
* Output of the routing engine — which model to use and why.
*/
export interface RoutingDecision {
/** LLM provider identifier */
provider: string;
/** Model identifier */
model: string;
/** Optional agent config to apply */
agentConfigId?: string;
/** Name of the rule that matched, for observability */
ruleName: string;
/** Human-readable explanation of why this rule was selected */
reason: string;
}

366
apps/gateway/src/agent/routing/task-classifier.test.ts
View File

@@ -1,366 +0,0 @@
import { describe, it, expect } from 'vitest';
import { classifyTask } from './task-classifier.js';
// ─── Task Type Detection ──────────────────────────────────────────────────────
describe('classifyTask — taskType', () => {
it('detects coding from "code" keyword', () => {
expect(classifyTask('Can you write some code for me?').taskType).toBe('coding');
});
it('detects coding from "implement" keyword', () => {
expect(classifyTask('Implement a binary search algorithm').taskType).toBe('coding');
});
it('detects coding from "function" keyword', () => {
expect(classifyTask('Write a function that reverses a string').taskType).toBe('coding');
});
it('detects coding from "debug" keyword', () => {
expect(classifyTask('Help me debug this error').taskType).toBe('coding');
});
it('detects coding from "fix" keyword', () => {
expect(classifyTask('fix the broken test').taskType).toBe('coding');
});
it('detects coding from "refactor" keyword', () => {
expect(classifyTask('Please refactor this module').taskType).toBe('coding');
});
it('detects coding from "typescript" keyword', () => {
expect(classifyTask('How do I use generics in TypeScript?').taskType).toBe('coding');
});
it('detects coding from "javascript" keyword', () => {
expect(classifyTask('JavaScript promises explained').taskType).toBe('coding');
});
it('detects coding from "python" keyword', () => {
expect(classifyTask('Write a Python script to parse CSV').taskType).toBe('coding');
});
it('detects coding from "SQL" keyword', () => {
expect(classifyTask('Write a SQL query to join these tables').taskType).toBe('coding');
});
it('detects coding from "API" keyword', () => {
expect(classifyTask('Design an API for user management').taskType).toBe('coding');
});
it('detects coding from "endpoint" keyword', () => {
expect(classifyTask('Add a new endpoint for user profiles').taskType).toBe('coding');
});
it('detects coding from "class" keyword', () => {
expect(classifyTask('Create a class for handling payments').taskType).toBe('coding');
});
it('detects coding from "method" keyword', () => {
expect(classifyTask('Add a method to validate emails').taskType).toBe('coding');
});
it('detects coding from inline backtick code', () => {
expect(classifyTask('What does `Array.prototype.reduce` do?').taskType).toBe('coding');
});
it('detects summarization from "summarize"', () => {
expect(classifyTask('Please summarize this document').taskType).toBe('summarization');
});
it('detects summarization from "summary"', () => {
expect(classifyTask('Give me a summary of the meeting').taskType).toBe('summarization');
});
it('detects summarization from "tldr"', () => {
expect(classifyTask('TLDR this article for me').taskType).toBe('summarization');
});
it('detects summarization from "condense"', () => {
expect(classifyTask('Condense this into 3 bullet points').taskType).toBe('summarization');
});
it('detects summarization from "brief"', () => {
expect(classifyTask('Give me a brief overview of this topic').taskType).toBe('summarization');
});
it('detects creative from "write"', () => {
expect(classifyTask('Write a short story about a dragon').taskType).toBe('creative');
});
it('detects creative from "story"', () => {
expect(classifyTask('Tell me a story about space exploration').taskType).toBe('creative');
});
it('detects creative from "poem"', () => {
expect(classifyTask('Write a poem about autumn').taskType).toBe('creative');
});
it('detects creative from "generate"', () => {
expect(classifyTask('Generate some creative marketing copy').taskType).toBe('creative');
});
it('detects creative from "create content"', () => {
expect(classifyTask('Help me create content for my website').taskType).toBe('creative');
});
it('detects creative from "blog post"', () => {
expect(classifyTask('Write a blog post about productivity habits').taskType).toBe('creative');
});
it('detects analysis from "analyze"', () => {
expect(classifyTask('Analyze the performance of this system').taskType).toBe('analysis');
});
it('detects analysis from "review"', () => {
expect(classifyTask('Please review my pull request changes').taskType).toBe('analysis');
});
it('detects analysis from "evaluate"', () => {
expect(classifyTask('Evaluate the pros and cons of this approach').taskType).toBe('analysis');
});
it('detects analysis from "assess"', () => {
expect(classifyTask('Assess the security risks here').taskType).toBe('analysis');
});
it('detects analysis from "audit"', () => {
expect(classifyTask('Audit this codebase for vulnerabilities').taskType).toBe('analysis');
});
it('detects research from "research"', () => {
expect(classifyTask('Research the best state management libraries').taskType).toBe('research');
});
it('detects research from "find"', () => {
expect(classifyTask('Find all open issues in our backlog').taskType).toBe('research');
});
it('detects research from "search"', () => {
expect(classifyTask('Search for papers on transformer architectures').taskType).toBe(
'research',
);
});
it('detects research from "what is"', () => {
expect(classifyTask('What is the difference between REST and GraphQL?').taskType).toBe(
'research',
);
});
it('detects research from "explain"', () => {
expect(classifyTask('Explain how OAuth2 works').taskType).toBe('research');
});
it('detects research from "how does"', () => {
expect(classifyTask('How does garbage collection work in V8?').taskType).toBe('research');
});
it('detects research from "compare"', () => {
expect(classifyTask('Compare Postgres and MySQL for this use case').taskType).toBe('research');
});
it('falls back to conversation with no strong signal', () => {
expect(classifyTask('Hello, how are you?').taskType).toBe('conversation');
});
it('falls back to conversation for generic greetings', () => {
expect(classifyTask('Good morning!').taskType).toBe('conversation');
});
// Priority: coding wins over research when both keywords present
it('coding takes priority over research', () => {
expect(classifyTask('find a code example for sorting').taskType).toBe('coding');
});
// Priority: summarization wins over creative
it('summarization takes priority over creative', () => {
expect(classifyTask('write a summary of this article').taskType).toBe('summarization');
});
});
// ─── Complexity Estimation ────────────────────────────────────────────────────
describe('classifyTask — complexity', () => {
it('classifies short message as simple', () => {
expect(classifyTask('Fix typo').complexity).toBe('simple');
});
it('classifies single question as simple', () => {
expect(classifyTask('What is a closure?').complexity).toBe('simple');
});
it('classifies message > 500 chars as complex', () => {
const long = 'a'.repeat(501);
expect(classifyTask(long).complexity).toBe('complex');
});
it('classifies message with "architecture" keyword as complex', () => {
expect(
classifyTask('Can you help me think through the architecture of this system?').complexity,
).toBe('complex');
});
it('classifies message with "design" keyword as complex', () => {
expect(classifyTask('Design a data model for this feature').complexity).toBe('complex');
});
it('classifies message with "complex" keyword as complex', () => {
expect(classifyTask('This is a complex problem involving multiple services').complexity).toBe(
'complex',
);
});
it('classifies message with "system" keyword as complex', () => {
expect(classifyTask('Explain the whole system behavior').complexity).toBe('complex');
});
it('classifies message with multiple code blocks as complex', () => {
const msg = '```\nconst a = 1;\n```\n\nAlso look at\n\n```\nconst b = 2;\n```';
expect(classifyTask(msg).complexity).toBe('complex');
});
it('classifies moderate-length message as moderate', () => {
const msg =
'Please help me implement a small utility function that parses query strings. It should handle arrays and nested objects properly.';
expect(classifyTask(msg).complexity).toBe('moderate');
});
});
// ─── Domain Detection ─────────────────────────────────────────────────────────
describe('classifyTask — domain', () => {
it('detects frontend from "react"', () => {
expect(classifyTask('How do I use React hooks?').domain).toBe('frontend');
});
it('detects frontend from "css"', () => {
expect(classifyTask('Fix the CSS layout issue').domain).toBe('frontend');
});
it('detects frontend from "html"', () => {
expect(classifyTask('Add an HTML form element').domain).toBe('frontend');
});
it('detects frontend from "component"', () => {
expect(classifyTask('Create a reusable component').domain).toBe('frontend');
});
it('detects frontend from "UI"', () => {
expect(classifyTask('Update the UI spacing').domain).toBe('frontend');
});
it('detects frontend from "tailwind"', () => {
expect(classifyTask('Style this button with Tailwind').domain).toBe('frontend');
});
it('detects frontend from "next.js"', () => {
expect(classifyTask('Configure Next.js routing').domain).toBe('frontend');
});
it('detects backend from "server"', () => {
expect(classifyTask('Set up the server to handle requests').domain).toBe('backend');
});
it('detects backend from "database"', () => {
expect(classifyTask('Optimize this database query').domain).toBe('backend');
});
it('detects backend from "endpoint"', () => {
expect(classifyTask('Add an endpoint for authentication').domain).toBe('backend');
});
it('detects backend from "nest"', () => {
expect(classifyTask('Add a NestJS guard for this route').domain).toBe('backend');
});
it('detects backend from "express"', () => {
expect(classifyTask('Middleware in Express explained').domain).toBe('backend');
});
it('detects devops from "docker"', () => {
expect(classifyTask('Write a Dockerfile for this app').domain).toBe('devops');
});
it('detects devops from "deploy"', () => {
expect(classifyTask('Deploy this service to production').domain).toBe('devops');
});
it('detects devops from "pipeline"', () => {
expect(classifyTask('Set up a CI pipeline').domain).toBe('devops');
});
it('detects devops from "kubernetes"', () => {
expect(classifyTask('Configure a Kubernetes deployment').domain).toBe('devops');
});
it('detects docs from "documentation"', () => {
expect(classifyTask('Write documentation for this module').domain).toBe('docs');
});
it('detects docs from "readme"', () => {
expect(classifyTask('Update the README').domain).toBe('docs');
});
it('detects docs from "guide"', () => {
expect(classifyTask('Create a user guide for this feature').domain).toBe('docs');
});
it('falls back to general domain', () => {
expect(classifyTask('What time is it?').domain).toBe('general');
});
// devops takes priority over backend when both match
it('devops takes priority over backend (both keywords)', () => {
expect(classifyTask('Deploy the API server using Docker').domain).toBe('devops');
});
// docs takes priority over frontend when both match
it('docs takes priority over frontend (both keywords)', () => {
expect(classifyTask('Write documentation for React components').domain).toBe('docs');
});
});
// ─── Combined Classification ──────────────────────────────────────────────────
describe('classifyTask — combined', () => {
it('returns full classification object', () => {
const result = classifyTask('Fix the bug?');
expect(result).toHaveProperty('taskType');
expect(result).toHaveProperty('complexity');
expect(result).toHaveProperty('domain');
});
it('classifies complex TypeScript architecture request', () => {
const msg =
'Design the architecture for a multi-tenant TypeScript system using NestJS with proper database isolation and role-based access control. The system needs to support multiple organizations each with their own data namespace.';
const result = classifyTask(msg);
expect(result.taskType).toBe('coding');
expect(result.complexity).toBe('complex');
expect(result.domain).toBe('backend');
});
it('classifies simple frontend question', () => {
const result = classifyTask('How do I center a div in CSS?');
expect(result.taskType).toBe('research');
expect(result.domain).toBe('frontend');
});
it('classifies a DevOps pipeline task as complex', () => {
const msg =
'Design a complete CI/CD pipeline architecture using Docker and Kubernetes with blue-green deployments and automatic rollback capabilities for a complex microservices system.';
const result = classifyTask(msg);
expect(result.domain).toBe('devops');
expect(result.complexity).toBe('complex');
});
it('classifies summarization task correctly', () => {
const result = classifyTask('Summarize the key points from this document');
expect(result.taskType).toBe('summarization');
});
it('classifies creative writing task correctly', () => {
const result = classifyTask('Write a poem about the ocean');
expect(result.taskType).toBe('creative');
});
});

159
apps/gateway/src/agent/routing/task-classifier.ts
View File

@@ -1,159 +0,0 @@
import type { TaskType, Complexity, Domain, TaskClassification } from './routing.types.js';
// ─── Pattern Banks ──────────────────────────────────────────────────────────
const CODING_PATTERNS: RegExp[] = [
/\bcode\b/i,
/\bfunction\b/i,
/\bimplement\b/i,
/\bdebug\b/i,
/\bfix\b/i,
/\brefactor\b/i,
/\btypescript\b/i,
/\bjavascript\b/i,
/\bpython\b/i,
/\bSQL\b/i,
/\bAPI\b/i,
/\bendpoint\b/i,
/\bclass\b/i,
/\bmethod\b/i,
/`[^`]*`/,
];
const RESEARCH_PATTERNS: RegExp[] = [
/\bresearch\b/i,
/\bfind\b/i,
/\bsearch\b/i,
/\bwhat is\b/i,
/\bexplain\b/i,
/\bhow do(es)?\b/i,
/\bcompare\b/i,
/\banalyze\b/i,
];
const SUMMARIZATION_PATTERNS: RegExp[] = [
/\bsummariz(e|ation)\b/i,
/\bsummary\b/i,
/\btldr\b/i,
/\bcondense\b/i,
/\bbrief\b/i,
];
const CREATIVE_PATTERNS: RegExp[] = [
/\bwrite\b/i,
/\bstory\b/i,
/\bpoem\b/i,
/\bgenerate\b/i,
/\bcreate content\b/i,
/\bblog post\b/i,
];
const ANALYSIS_PATTERNS: RegExp[] = [
/\banalyze\b/i,
/\breview\b/i,
/\bevaluate\b/i,
/\bassess\b/i,
/\baudit\b/i,
];
// ─── Complexity Indicators ───────────────────────────────────────────────────
const COMPLEX_KEYWORDS: RegExp[] = [
/\barchitecture\b/i,
/\bdesign\b/i,
/\bcomplex\b/i,
/\bsystem\b/i,
];
const SIMPLE_QUESTION_PATTERN = /^[^.!?]+[?]$/;
/** Counts occurrences of triple-backtick code fences in the message */
function countCodeBlocks(message: string): number {
return (message.match(/```/g) ?? []).length / 2;
}
// ─── Domain Indicators ───────────────────────────────────────────────────────
const FRONTEND_PATTERNS: RegExp[] = [
/\breact\b/i,
/\bcss\b/i,
/\bhtml\b/i,
/\bcomponent\b/i,
/\bUI\b/,
/\btailwind\b/i,
/\bnext\.js\b/i,
];
const BACKEND_PATTERNS: RegExp[] = [
/\bAPI\b/i,
/\bserver\b/i,
/\bdatabase\b/i,
/\bendpoint\b/i,
/\bnest(js)?\b/i,
/\bexpress\b/i,
];
const DEVOPS_PATTERNS: RegExp[] = [
/\bdocker(file|compose|hub)?\b/i,
/\bCI\b/,
/\bdeploy\b/i,
/\bpipeline\b/i,
/\bkubernetes\b/i,
];
const DOCS_PATTERNS: RegExp[] = [/\bdocumentation\b/i, /\breadme\b/i, /\bguide\b/i];
// ─── Helpers ─────────────────────────────────────────────────────────────────
function matchesAny(message: string, patterns: RegExp[]): boolean {
return patterns.some((p) => p.test(message));
}
// ─── Classifier ──────────────────────────────────────────────────────────────
/**
* Classify a task based on the user's message using deterministic regex/keyword matching.
* No LLM calls are made — this is a pure, fast, synchronous classification.
*/
export function classifyTask(message: string): TaskClassification {
return {
taskType: detectTaskType(message),
complexity: estimateComplexity(message),
domain: detectDomain(message),
requiredCapabilities: [],
};
}
function detectTaskType(message: string): TaskType {
if (matchesAny(message, CODING_PATTERNS)) return 'coding';
if (matchesAny(message, SUMMARIZATION_PATTERNS)) return 'summarization';
if (matchesAny(message, CREATIVE_PATTERNS)) return 'creative';
if (matchesAny(message, ANALYSIS_PATTERNS)) return 'analysis';
if (matchesAny(message, RESEARCH_PATTERNS)) return 'research';
return 'conversation';
}
function estimateComplexity(message: string): Complexity {
const trimmed = message.trim();
const codeBlocks = countCodeBlocks(trimmed);
// Complex: long messages, multiple code blocks, or complexity keywords
if (trimmed.length > 500 || codeBlocks > 1 || matchesAny(trimmed, COMPLEX_KEYWORDS)) {
return 'complex';
}
// Simple: short messages or a single direct question
if (trimmed.length < 100 || SIMPLE_QUESTION_PATTERN.test(trimmed)) {
return 'simple';
}
return 'moderate';
}
function detectDomain(message: string): Domain {
if (matchesAny(message, DEVOPS_PATTERNS)) return 'devops';
if (matchesAny(message, DOCS_PATTERNS)) return 'docs';
if (matchesAny(message, FRONTEND_PATTERNS)) return 'frontend';
if (matchesAny(message, BACKEND_PATTERNS)) return 'backend';
return 'general';
}

21
apps/gateway/src/agent/session.dto.ts
View File

@@ -1,32 +1,11 @@
/** Token usage metrics for a session (M5-007). */
export interface SessionTokenMetrics {
input: number;
output: number;
cacheRead: number;
cacheWrite: number;
total: number;
}
/** Per-session metrics tracked throughout the session lifetime (M5-007). */
export interface SessionMetrics {
tokens: SessionTokenMetrics;
modelSwitches: number;
messageCount: number;
lastActivityAt: string;
}
export interface SessionInfoDto { export interface SessionInfoDto {
id: string; id: string;
provider: string; provider: string;
modelId: string; modelId: string;
/** M5-005: human-readable agent name when an agent config is applied. */
agentName?: string;
createdAt: string; createdAt: string;
promptCount: number; promptCount: number;
channels: string[]; channels: string[];
durationMs: number; durationMs: number;
/** M5-007: per-session metrics (token usage, model switches, etc.) */
metrics: SessionMetrics;
} }
export interface SessionListDto { export interface SessionListDto {

2
apps/gateway/src/agent/tools/brain-tools.ts
View File

@@ -1,6 +1,6 @@
import { Type } from '@sinclair/typebox'; import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent'; import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import type { Brain } from '@mosaicstack/brain'; import type { Brain } from '@mosaic/brain';
export function createBrainTools(brain: Brain): ToolDefinition[] { export function createBrainTools(brain: Brain): ToolDefinition[] {
const listProjects: ToolDefinition = { const listProjects: ToolDefinition = {

205
apps/gateway/src/agent/tools/file-tools.ts
View File

@@ -1,7 +1,20 @@
import { Type } from '@sinclair/typebox'; import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent'; import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import { readFile, writeFile, readdir, stat } from 'node:fs/promises'; import { readFile, writeFile, readdir, stat } from 'node:fs/promises';
import { guardPath, guardPathUnsafe, SandboxEscapeError } from './path-guard.js'; import { resolve, relative, join } from 'node:path';
/**
* Safety constraint: all file operations are restricted to a base directory.
* Paths that escape the sandbox via ../ traversal are rejected.
*/
function resolveSafe(baseDir: string, inputPath: string): string {
const resolved = resolve(baseDir, inputPath);
const rel = relative(baseDir, resolved);
if (rel.startsWith('..') || resolve(resolved) !== resolve(join(baseDir, rel))) {
throw new Error(`Path escape detected: "${inputPath}" resolves outside base directory`);
}
return resolved;
}
const MAX_READ_BYTES = 512 * 1024; // 512 KB read limit const MAX_READ_BYTES = 512 * 1024; // 512 KB read limit
const MAX_WRITE_BYTES = 1024 * 1024; // 1 MB write limit const MAX_WRITE_BYTES = 1024 * 1024; // 1 MB write limit
@@ -24,14 +37,8 @@ export function createFileTools(baseDir: string): ToolDefinition[] {
const { path, encoding } = params as { path: string; encoding?: string }; const { path, encoding } = params as { path: string; encoding?: string };
let safePath: string; let safePath: string;
try { try {
safePath = guardPath(path, baseDir); safePath = resolveSafe(baseDir, path);
} catch (err) { } catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return { return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }], content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined, details: undefined,
@@ -92,14 +99,8 @@ export function createFileTools(baseDir: string): ToolDefinition[] {
}; };
let safePath: string; let safePath: string;
try { try {
safePath = guardPathUnsafe(path, baseDir); safePath = resolveSafe(baseDir, path);
} catch (err) { } catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return { return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }], content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined, details: undefined,
@@ -150,14 +151,8 @@ export function createFileTools(baseDir: string): ToolDefinition[] {
const target = path ?? '.'; const target = path ?? '.';
let safePath: string; let safePath: string;
try { try {
safePath = guardPath(target, baseDir); safePath = resolveSafe(baseDir, target);
} catch (err) { } catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return { return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }], content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined, details: undefined,
@@ -190,169 +185,5 @@ export function createFileTools(baseDir: string): ToolDefinition[] {
}, },
}; };
const editFileTool: ToolDefinition = { return [readFileTool, writeFileTool, listDirectoryTool];
name: 'fs_edit_file',
label: 'Edit File',
description:
'Make targeted text replacements in a file. Each edit replaces an exact match of oldText with newText. ' +
'All edits are matched against the original file content (not incrementally). ' +
'Each oldText must be unique in the file and edits must not overlap.',
parameters: Type.Object({
path: Type.String({
description: 'File path (relative to sandbox base or absolute within it)',
}),
edits: Type.Array(
Type.Object({
oldText: Type.String({
description: 'Exact text to find and replace (must be unique in the file)',
}),
newText: Type.String({ description: 'Replacement text' }),
}),
{ description: 'One or more targeted replacements', minItems: 1 },
),
}),
async execute(_toolCallId, params) {
const { path, edits } = params as {
path: string;
edits: Array<{ oldText: string; newText: string }>;
};
let safePath: string;
try {
safePath = guardPath(path, baseDir);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
try {
const info = await stat(safePath);
if (!info.isFile()) {
return {
content: [{ type: 'text' as const, text: `Error: path is not a file: ${path}` }],
details: undefined,
};
}
if (info.size > MAX_READ_BYTES) {
return {
content: [
{
type: 'text' as const,
text: `Error: file too large for editing (${info.size} bytes, limit ${MAX_READ_BYTES} bytes)`,
},
],
details: undefined,
};
}
} catch (err) {
return {
content: [{ type: 'text' as const, text: `Error reading file: ${String(err)}` }],
details: undefined,
};
}
let content: string;
try {
content = await readFile(safePath, { encoding: 'utf8' });
} catch (err) {
return {
content: [{ type: 'text' as const, text: `Error reading file: ${String(err)}` }],
details: undefined,
};
}
// Validate all edits before applying any
const errors: string[] = [];
for (let i = 0; i < edits.length; i++) {
const edit = edits[i]!;
const occurrences = content.split(edit.oldText).length - 1;
if (occurrences === 0) {
errors.push(`Edit ${i + 1}: oldText not found in file`);
} else if (occurrences > 1) {
errors.push(`Edit ${i + 1}: oldText matches ${occurrences} locations (must be unique)`);
}
}
// Check for overlapping edits
if (errors.length === 0) {
const positions = edits.map((edit, i) => ({
index: i,
start: content.indexOf(edit.oldText),
end: content.indexOf(edit.oldText) + edit.oldText.length,
}));
positions.sort((a, b) => a.start - b.start);
for (let i = 1; i < positions.length; i++) {
if (positions[i]!.start < positions[i - 1]!.end) {
errors.push(
`Edits ${positions[i - 1]!.index + 1} and ${positions[i]!.index + 1} overlap`,
);
}
}
}
if (errors.length > 0) {
return {
content: [
{
type: 'text' as const,
text: `Edit validation failed:\n${errors.join('\n')}`,
},
],
details: undefined,
};
}
// Apply edits: process from end to start to preserve positions
const positions = edits.map((edit) => ({
edit,
start: content.indexOf(edit.oldText),
}));
positions.sort((a, b) => b.start - a.start); // reverse order
let result = content;
for (const { edit } of positions) {
result = result.replace(edit.oldText, edit.newText);
}
if (Buffer.byteLength(result, 'utf8') > MAX_WRITE_BYTES) {
return {
content: [
{
type: 'text' as const,
text: `Error: resulting file too large (limit ${MAX_WRITE_BYTES} bytes)`,
},
],
details: undefined,
};
}
try {
await writeFile(safePath, result, { encoding: 'utf8' });
return {
content: [
{
type: 'text' as const,
text: `File edited successfully: ${path} (${edits.length} edit(s) applied)`,
},
],
details: undefined,
};
} catch (err) {
return {
content: [{ type: 'text' as const, text: `Error writing file: ${String(err)}` }],
details: undefined,
};
}
},
};
return [readFileTool, writeFileTool, listDirectoryTool, editFileTool];
} }

85
apps/gateway/src/agent/tools/git-tools.ts
View File

@@ -2,13 +2,29 @@ import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent'; import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import { exec } from 'node:child_process'; import { exec } from 'node:child_process';
import { promisify } from 'node:util'; import { promisify } from 'node:util';
import { guardPath, guardPathUnsafe, SandboxEscapeError } from './path-guard.js'; import { resolve, relative } from 'node:path';
const execAsync = promisify(exec); const execAsync = promisify(exec);
const GIT_TIMEOUT_MS = 15_000; const GIT_TIMEOUT_MS = 15_000;
const MAX_OUTPUT_BYTES = 100 * 1024; // 100 KB const MAX_OUTPUT_BYTES = 100 * 1024; // 100 KB
/**
* Clamp a user-supplied cwd to within the sandbox directory.
* If the resolved path escapes the sandbox (via ../ or absolute path outside),
* falls back to the sandbox directory itself.
*/
function clampCwd(sandboxDir: string, requestedCwd?: string): string {
if (!requestedCwd) return sandboxDir;
const resolved = resolve(sandboxDir, requestedCwd);
const rel = relative(sandboxDir, resolved);
if (rel.startsWith('..') || rel.startsWith('/')) {
// Escape attempt — fall back to sandbox root
return sandboxDir;
}
return resolved;
}
async function runGit( async function runGit(
args: string[], args: string[],
cwd?: string, cwd?: string,
@@ -58,21 +74,7 @@ export function createGitTools(sandboxDir?: string): ToolDefinition[] {
}), }),
async execute(_toolCallId, params) { async execute(_toolCallId, params) {
const { cwd } = params as { cwd?: string }; const { cwd } = params as { cwd?: string };
let safeCwd: string; const safeCwd = clampCwd(defaultCwd, cwd);
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
const result = await runGit(['status', '--short', '--branch'], safeCwd); const result = await runGit(['status', '--short', '--branch'], safeCwd);
const text = result.error const text = result.error
? `Error: ${result.error}\n${result.stderr}` ? `Error: ${result.error}\n${result.stderr}`
@@ -105,21 +107,7 @@ export function createGitTools(sandboxDir?: string): ToolDefinition[] {
oneline?: boolean; oneline?: boolean;
cwd?: string; cwd?: string;
}; };
let safeCwd: string; const safeCwd = clampCwd(defaultCwd, cwd);
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
const args = ['log', `--max-count=${limit ?? 20}`]; const args = ['log', `--max-count=${limit ?? 20}`];
if (oneline !== false) args.push('--oneline'); if (oneline !== false) args.push('--oneline');
const result = await runGit(args, safeCwd); const result = await runGit(args, safeCwd);
@@ -160,43 +148,12 @@ export function createGitTools(sandboxDir?: string): ToolDefinition[] {
path?: string; path?: string;
cwd?: string; cwd?: string;
}; };
let safeCwd: string; const safeCwd = clampCwd(defaultCwd, cwd);
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
let safePath: string | undefined;
if (path !== undefined) {
try {
safePath = guardPathUnsafe(path, defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
}
const args = ['diff']; const args = ['diff'];
if (staged) args.push('--cached'); if (staged) args.push('--cached');
if (ref) args.push(ref); if (ref) args.push(ref);
args.push('--'); args.push('--');
if (safePath !== undefined) args.push(safePath); if (path) args.push(path);
const result = await runGit(args, safeCwd); const result = await runGit(args, safeCwd);
const text = result.error const text = result.error
? `Error: ${result.error}\n${result.stderr}` ? `Error: ${result.error}\n${result.stderr}`

1
apps/gateway/src/agent/tools/index.ts
View File

@@ -2,7 +2,6 @@ export { createBrainTools } from './brain-tools.js';
export { createCoordTools } from './coord-tools.js'; export { createCoordTools } from './coord-tools.js';
export { createFileTools } from './file-tools.js'; export { createFileTools } from './file-tools.js';
export { createGitTools } from './git-tools.js'; export { createGitTools } from './git-tools.js';
export { createSearchTools } from './search-tools.js';
export { createShellTools } from './shell-tools.js'; export { createShellTools } from './shell-tools.js';
export { createWebTools } from './web-tools.js'; export { createWebTools } from './web-tools.js';
export { createSkillTools } from './skill-tools.js'; export { createSkillTools } from './skill-tools.js';

61
apps/gateway/src/agent/tools/memory-tools.ts
View File

@@ -1,47 +1,25 @@
import { Type } from '@sinclair/typebox'; import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent'; import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import type { Memory } from '@mosaicstack/memory'; import type { Memory } from '@mosaic/memory';
import type { EmbeddingProvider } from '@mosaicstack/memory'; import type { EmbeddingProvider } from '@mosaic/memory';
/**
* Create memory tools bound to the session's authenticated userId.
*
* SECURITY: userId is resolved from the authenticated session at tool-creation
* time and is never accepted as a user-supplied or LLM-supplied parameter.
* This prevents cross-user data access via parameter injection.
*/
export function createMemoryTools( export function createMemoryTools(
memory: Memory, memory: Memory,
embeddingProvider: EmbeddingProvider | null, embeddingProvider: EmbeddingProvider | null,
/** Authenticated user ID from the session. All memory operations are scoped to this user. */
sessionUserId: string | undefined,
): ToolDefinition[] { ): ToolDefinition[] {
/** Return an error result when no session user is bound. */
function noUserError() {
return {
content: [
{
type: 'text' as const,
text: 'Memory tools unavailable — no authenticated user bound to this session',
},
],
details: undefined,
};
}
const searchMemory: ToolDefinition = { const searchMemory: ToolDefinition = {
name: 'memory_search', name: 'memory_search',
label: 'Search Memory', label: 'Search Memory',
description: description:
'Search across stored insights and knowledge using natural language. Returns semantically similar results.', 'Search across stored insights and knowledge using natural language. Returns semantically similar results.',
parameters: Type.Object({ parameters: Type.Object({
userId: Type.String({ description: 'User ID to search memory for' }),
query: Type.String({ description: 'Natural language search query' }), query: Type.String({ description: 'Natural language search query' }),
limit: Type.Optional(Type.Number({ description: 'Max results (default 5)' })), limit: Type.Optional(Type.Number({ description: 'Max results (default 5)' })),
}), }),
async execute(_toolCallId, params) { async execute(_toolCallId, params) {
if (!sessionUserId) return noUserError(); const { userId, query, limit } = params as {
userId: string;
const { query, limit } = params as {
query: string; query: string;
limit?: number; limit?: number;
}; };
@@ -59,7 +37,7 @@ export function createMemoryTools(
} }
const embedding = await embeddingProvider.embed(query); const embedding = await embeddingProvider.embed(query);
const results = await memory.insights.searchByEmbedding(sessionUserId, embedding, limit ?? 5); const results = await memory.insights.searchByEmbedding(userId, embedding, limit ?? 5);
return { return {
content: [{ type: 'text' as const, text: JSON.stringify(results, null, 2) }], content: [{ type: 'text' as const, text: JSON.stringify(results, null, 2) }],
details: undefined, details: undefined,
@@ -70,8 +48,9 @@ export function createMemoryTools(
const getPreferences: ToolDefinition = { const getPreferences: ToolDefinition = {
name: 'memory_get_preferences', name: 'memory_get_preferences',
label: 'Get User Preferences', label: 'Get User Preferences',
description: 'Retrieve stored preferences for the current session user.', description: 'Retrieve stored preferences for a user.',
parameters: Type.Object({ parameters: Type.Object({
userId: Type.String({ description: 'User ID' }),
category: Type.Optional( category: Type.Optional(
Type.String({ Type.String({
description: 'Filter by category: communication, coding, workflow, appearance, general', description: 'Filter by category: communication, coding, workflow, appearance, general',
@@ -79,13 +58,11 @@ export function createMemoryTools(
), ),
}), }),
async execute(_toolCallId, params) { async execute(_toolCallId, params) {
if (!sessionUserId) return noUserError(); const { userId, category } = params as { userId: string; category?: string };
const { category } = params as { category?: string };
type Cat = 'communication' | 'coding' | 'workflow' | 'appearance' | 'general'; type Cat = 'communication' | 'coding' | 'workflow' | 'appearance' | 'general';
const prefs = category const prefs = category
? await memory.preferences.findByUserAndCategory(sessionUserId, category as Cat) ? await memory.preferences.findByUserAndCategory(userId, category as Cat)
: await memory.preferences.findByUser(sessionUserId); : await memory.preferences.findByUser(userId);
return { return {
content: [{ type: 'text' as const, text: JSON.stringify(prefs, null, 2) }], content: [{ type: 'text' as const, text: JSON.stringify(prefs, null, 2) }],
details: undefined, details: undefined,
@@ -99,6 +76,7 @@ export function createMemoryTools(
description: description:
'Store a learned user preference (e.g., "prefers tables over paragraphs", "timezone: America/Chicago").', 'Store a learned user preference (e.g., "prefers tables over paragraphs", "timezone: America/Chicago").',
parameters: Type.Object({ parameters: Type.Object({
userId: Type.String({ description: 'User ID' }),
key: Type.String({ description: 'Preference key' }), key: Type.String({ description: 'Preference key' }),
value: Type.String({ description: 'Preference value (JSON string)' }), value: Type.String({ description: 'Preference value (JSON string)' }),
category: Type.Optional( category: Type.Optional(
@@ -108,9 +86,8 @@ export function createMemoryTools(
), ),
}), }),
async execute(_toolCallId, params) { async execute(_toolCallId, params) {
if (!sessionUserId) return noUserError(); const { userId, key, value, category } = params as {
userId: string;
const { key, value, category } = params as {
key: string; key: string;
value: string; value: string;
category?: string; category?: string;
@@ -123,7 +100,7 @@ export function createMemoryTools(
parsedValue = value; parsedValue = value;
} }
const pref = await memory.preferences.upsert({ const pref = await memory.preferences.upsert({
userId: sessionUserId, userId,
key, key,
value: parsedValue, value: parsedValue,
category: (category as Cat) ?? 'general', category: (category as Cat) ?? 'general',
@@ -142,6 +119,7 @@ export function createMemoryTools(
description: description:
'Store a learned insight, decision, or knowledge extracted from the current interaction.', 'Store a learned insight, decision, or knowledge extracted from the current interaction.',
parameters: Type.Object({ parameters: Type.Object({
userId: Type.String({ description: 'User ID' }),
content: Type.String({ description: 'The insight or knowledge to store' }), content: Type.String({ description: 'The insight or knowledge to store' }),
category: Type.Optional( category: Type.Optional(
Type.String({ Type.String({
@@ -150,9 +128,8 @@ export function createMemoryTools(
), ),
}), }),
async execute(_toolCallId, params) { async execute(_toolCallId, params) {
if (!sessionUserId) return noUserError(); const { userId, content, category } = params as {
userId: string;
const { content, category } = params as {
content: string; content: string;
category?: string; category?: string;
}; };
@@ -164,7 +141,7 @@ export function createMemoryTools(
} }
const insight = await memory.insights.create({ const insight = await memory.insights.create({
userId: sessionUserId, userId,
content, content,
embedding, embedding,
source: 'agent', source: 'agent',

104
apps/gateway/src/agent/tools/path-guard.test.ts
View File

@@ -1,104 +0,0 @@
import { describe, it, expect } from 'vitest';
import { guardPath, guardPathUnsafe, SandboxEscapeError } from './path-guard.js';
import path from 'node:path';
import os from 'node:os';
import fs from 'node:fs';
describe('guardPathUnsafe', () => {
const sandbox = '/tmp/test-sandbox';
it('allows paths inside sandbox', () => {
const result = guardPathUnsafe('foo/bar.txt', sandbox);
expect(result).toBe(path.resolve(sandbox, 'foo/bar.txt'));
});
it('allows sandbox root itself', () => {
const result = guardPathUnsafe('.', sandbox);
expect(result).toBe(path.resolve(sandbox));
});
it('rejects path traversal with ../', () => {
expect(() => guardPathUnsafe('../escape.txt', sandbox)).toThrow(SandboxEscapeError);
});
it('rejects absolute path outside sandbox', () => {
expect(() => guardPathUnsafe('/etc/passwd', sandbox)).toThrow(SandboxEscapeError);
});
it('rejects deeply nested traversal', () => {
expect(() => guardPathUnsafe('a/b/../../../../../../etc/passwd', sandbox)).toThrow(
SandboxEscapeError,
);
});
it('rejects path that starts with sandbox name but is sibling', () => {
expect(() => guardPathUnsafe('/tmp/test-sandbox-evil/file.txt', sandbox)).toThrow(
SandboxEscapeError,
);
});
it('returns the resolved absolute path for nested paths', () => {
const result = guardPathUnsafe('deep/nested/file.ts', sandbox);
expect(result).toBe('/tmp/test-sandbox/deep/nested/file.ts');
});
it('SandboxEscapeError includes the user path and sandbox in message', () => {
let caught: unknown;
try {
guardPathUnsafe('../escape.txt', sandbox);
} catch (err) {
caught = err;
}
expect(caught).toBeInstanceOf(SandboxEscapeError);
const e = caught as SandboxEscapeError;
expect(e.userPath).toBe('../escape.txt');
expect(e.sandboxDir).toBe(sandbox);
expect(e.message).toContain('Path escape attempt blocked');
});
});
describe('guardPath', () => {
let tmpDir: string;
it('allows an existing path inside a real temp sandbox', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
const subdir = path.join(tmpDir, 'subdir');
fs.mkdirSync(subdir);
const result = guardPath('subdir', tmpDir);
expect(result).toBe(subdir);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
it('allows sandbox root itself', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
const result = guardPath('.', tmpDir);
// realpathSync resolves the tmpdir symlinks (macOS /var -> /private/var)
const realTmp = fs.realpathSync.native(tmpDir);
expect(result).toBe(realTmp);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
it('rejects path traversal with ../ on existing sandbox', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
expect(() => guardPath('../escape', tmpDir)).toThrow(SandboxEscapeError);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
it('rejects absolute path outside sandbox', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
expect(() => guardPath('/etc/passwd', tmpDir)).toThrow(SandboxEscapeError);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
});

58
apps/gateway/src/agent/tools/path-guard.ts
View File

@@ -1,58 +0,0 @@
import path from 'node:path';
import fs from 'node:fs';
/**
* Resolves a user-provided path and verifies it is inside the allowed sandbox directory.
* Throws SandboxEscapeError if the resolved path is outside the sandbox.
*
* Uses realpathSync to resolve symlinks in the sandbox root. The user-supplied path
* is checked for containment AFTER lexical resolution but BEFORE resolving any symlinks
* within the user path — so symlink escape attempts are caught too.
*
* @param userPath - The path provided by the agent (may be relative or absolute)
* @param sandboxDir - The allowed root directory (already validated on session creation)
* @returns The resolved absolute path, guaranteed to be within sandboxDir
*/
export function guardPath(userPath: string, sandboxDir: string): string {
const resolved = path.resolve(sandboxDir, userPath);
const sandboxResolved = fs.realpathSync.native(sandboxDir);
// Normalize both paths to resolve any symlinks in the sandbox root itself.
// For the user path, we check containment BEFORE resolving symlinks in the path
// (so we catch symlink escape attempts too — the resolved path must still be under sandbox)
if (!resolved.startsWith(sandboxResolved + path.sep) && resolved !== sandboxResolved) {
throw new SandboxEscapeError(userPath, sandboxDir, resolved);
}
return resolved;
}
/**
* Validates a path without resolving symlinks in the user-provided portion.
* Use for paths that may not exist yet (creates, writes).
*
* Performs a lexical containment check only using path.resolve.
*/
export function guardPathUnsafe(userPath: string, sandboxDir: string): string {
const resolved = path.resolve(sandboxDir, userPath);
const sandboxAbs = path.resolve(sandboxDir);
if (!resolved.startsWith(sandboxAbs + path.sep) && resolved !== sandboxAbs) {
throw new SandboxEscapeError(userPath, sandboxDir, resolved);
}
return resolved;
}
export class SandboxEscapeError extends Error {
constructor(
public readonly userPath: string,
public readonly sandboxDir: string,
public readonly resolvedPath: string,
) {
super(
`Path escape attempt blocked: "${userPath}" resolves to "${resolvedPath}" which is outside sandbox "${sandboxDir}"`,
);
this.name = 'SandboxEscapeError';
}
}

496
apps/gateway/src/agent/tools/search-tools.ts
View File

@@ -1,496 +0,0 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
const DEFAULT_TIMEOUT_MS = 15_000;
const MAX_RESULTS = 10;
const MAX_RESPONSE_BYTES = 256 * 1024; // 256 KB
// ─── Provider helpers ────────────────────────────────────────────────────────
interface SearchResult {
title: string;
url: string;
snippet: string;
}
interface SearchResponse {
provider: string;
query: string;
results: SearchResult[];
error?: string;
}
async function fetchWithTimeout(
url: string,
init: RequestInit,
timeoutMs: number,
): Promise<Response> {
const controller = new AbortController();
const timer = setTimeout(() => controller.abort(), timeoutMs);
try {
return await fetch(url, { ...init, signal: controller.signal });
} finally {
clearTimeout(timer);
}
}
async function readLimited(response: Response): Promise<string> {
const reader = response.body?.getReader();
if (!reader) return '';
const chunks: Uint8Array[] = [];
let total = 0;
while (true) {
const { done, value } = await reader.read();
if (done) break;
total += value.length;
if (total > MAX_RESPONSE_BYTES) {
chunks.push(value.subarray(0, MAX_RESPONSE_BYTES - (total - value.length)));
reader.cancel();
break;
}
chunks.push(value);
}
const combined = new Uint8Array(chunks.reduce((a, c) => a + c.length, 0));
let offset = 0;
for (const chunk of chunks) {
combined.set(chunk, offset);
offset += chunk.length;
}
return new TextDecoder().decode(combined);
}
// ─── Brave Search ────────────────────────────────────────────────────────────
async function searchBrave(query: string, limit: number): Promise<SearchResponse> {
const apiKey = process.env['BRAVE_API_KEY'];
if (!apiKey) return { provider: 'brave', query, results: [], error: 'BRAVE_API_KEY not set' };
try {
const params = new URLSearchParams({
q: query,
count: String(Math.min(limit, 20)),
});
const res = await fetchWithTimeout(
`https://api.search.brave.com/res/v1/web/search?${params}`,
{ headers: { 'X-Subscription-Token': apiKey, Accept: 'application/json' } },
DEFAULT_TIMEOUT_MS,
);
if (!res.ok) {
const body = await res.text().catch(() => '');
return { provider: 'brave', query, results: [], error: `HTTP ${res.status}: ${body}` };
}
const data = (await res.json()) as {
web?: { results?: Array<{ title: string; url: string; description: string }> };
};
const results: SearchResult[] = (data.web?.results ?? []).slice(0, limit).map((r) => ({
title: r.title,
url: r.url,
snippet: r.description,
}));
return { provider: 'brave', query, results };
} catch (err) {
return {
provider: 'brave',
query,
results: [],
error: err instanceof Error ? err.message : String(err),
};
}
}
// ─── Tavily Search ───────────────────────────────────────────────────────────
async function searchTavily(query: string, limit: number): Promise<SearchResponse> {
const apiKey = process.env['TAVILY_API_KEY'];
if (!apiKey) return { provider: 'tavily', query, results: [], error: 'TAVILY_API_KEY not set' };
try {
const res = await fetchWithTimeout(
'https://api.tavily.com/search',
{
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
api_key: apiKey,
query,
max_results: Math.min(limit, 10),
include_answer: false,
}),
},
DEFAULT_TIMEOUT_MS,
);
if (!res.ok) {
const body = await res.text().catch(() => '');
return { provider: 'tavily', query, results: [], error: `HTTP ${res.status}: ${body}` };
}
const data = (await res.json()) as {
results?: Array<{ title: string; url: string; content: string }>;
};
const results: SearchResult[] = (data.results ?? []).slice(0, limit).map((r) => ({
title: r.title,
url: r.url,
snippet: r.content,
}));
return { provider: 'tavily', query, results };
} catch (err) {
return {
provider: 'tavily',
query,
results: [],
error: err instanceof Error ? err.message : String(err),
};
}
}
// ─── SearXNG (self-hosted) ───────────────────────────────────────────────────
async function searchSearxng(query: string, limit: number): Promise<SearchResponse> {
const baseUrl = process.env['SEARXNG_URL'];
if (!baseUrl) return { provider: 'searxng', query, results: [], error: 'SEARXNG_URL not set' };
try {
const params = new URLSearchParams({
q: query,
format: 'json',
pageno: '1',
});
const res = await fetchWithTimeout(
`${baseUrl.replace(/\/$/, '')}/search?${params}`,
{ headers: { Accept: 'application/json' } },
DEFAULT_TIMEOUT_MS,
);
if (!res.ok) {
const body = await res.text().catch(() => '');
return { provider: 'searxng', query, results: [], error: `HTTP ${res.status}: ${body}` };
}
const data = (await res.json()) as {
results?: Array<{ title: string; url: string; content: string }>;
};
const results: SearchResult[] = (data.results ?? []).slice(0, limit).map((r) => ({
title: r.title,
url: r.url,
snippet: r.content,
}));
return { provider: 'searxng', query, results };
} catch (err) {
return {
provider: 'searxng',
query,
results: [],
error: err instanceof Error ? err.message : String(err),
};
}
}
// ─── DuckDuckGo (lite HTML endpoint) ─────────────────────────────────────────
async function searchDuckDuckGo(query: string, limit: number): Promise<SearchResponse> {
try {
// Use the DuckDuckGo Instant Answer API (JSON, free, no key)
const params = new URLSearchParams({
q: query,
format: 'json',
no_html: '1',
skip_disambig: '1',
});
const res = await fetchWithTimeout(
`https://api.duckduckgo.com/?${params}`,
{ headers: { Accept: 'application/json' } },
DEFAULT_TIMEOUT_MS,
);
if (!res.ok) {
return {
provider: 'duckduckgo',
query,
results: [],
error: `HTTP ${res.status}`,
};
}
const text = await readLimited(res);
const data = JSON.parse(text) as {
AbstractText?: string;
AbstractURL?: string;
AbstractSource?: string;
RelatedTopics?: Array<{
Text?: string;
FirstURL?: string;
Result?: string;
Topics?: Array<{ Text?: string; FirstURL?: string }>;
}>;
};
const results: SearchResult[] = [];
// Main abstract result
if (data.AbstractText && data.AbstractURL) {
results.push({
title: data.AbstractSource ?? 'DuckDuckGo Abstract',
url: data.AbstractURL,
snippet: data.AbstractText,
});
}
// Related topics
for (const topic of data.RelatedTopics ?? []) {
if (results.length >= limit) break;
if (topic.Text && topic.FirstURL) {
results.push({
title: topic.Text.slice(0, 120),
url: topic.FirstURL,
snippet: topic.Text,
});
}
// Sub-topics
for (const sub of topic.Topics ?? []) {
if (results.length >= limit) break;
if (sub.Text && sub.FirstURL) {
results.push({
title: sub.Text.slice(0, 120),
url: sub.FirstURL,
snippet: sub.Text,
});
}
}
}
return { provider: 'duckduckgo', query, results: results.slice(0, limit) };
} catch (err) {
return {
provider: 'duckduckgo',
query,
results: [],
error: err instanceof Error ? err.message : String(err),
};
}
}
// ─── Provider resolution ─────────────────────────────────────────────────────
type SearchProvider = 'brave' | 'tavily' | 'searxng' | 'duckduckgo' | 'auto';
function getAvailableProviders(): SearchProvider[] {
const available: SearchProvider[] = [];
if (process.env['BRAVE_API_KEY']) available.push('brave');
if (process.env['TAVILY_API_KEY']) available.push('tavily');
if (process.env['SEARXNG_URL']) available.push('searxng');
// DuckDuckGo is always available (no API key needed)
available.push('duckduckgo');
return available;
}
async function executeSearch(
provider: SearchProvider,
query: string,
limit: number,
): Promise<SearchResponse> {
switch (provider) {
case 'brave':
return searchBrave(query, limit);
case 'tavily':
return searchTavily(query, limit);
case 'searxng':
return searchSearxng(query, limit);
case 'duckduckgo':
return searchDuckDuckGo(query, limit);
case 'auto': {
// Try providers in priority order: Brave > Tavily > SearXNG > DuckDuckGo
const available = getAvailableProviders();
for (const p of available) {
const result = await executeSearch(p, query, limit);
if (!result.error && result.results.length > 0) return result;
}
// Fall back to DuckDuckGo if everything failed
return searchDuckDuckGo(query, limit);
}
}
}
function formatSearchResults(response: SearchResponse): string {
const lines: string[] = [];
lines.push(`Search provider: ${response.provider}`);
lines.push(`Query: "${response.query}"`);
if (response.error) {
lines.push(`Error: ${response.error}`);
}
if (response.results.length === 0) {
lines.push('No results found.');
} else {
lines.push(`Results (${response.results.length}):\n`);
for (let i = 0; i < response.results.length; i++) {
const r = response.results[i]!;
lines.push(`${i + 1}. ${r.title}`);
lines.push(` URL: ${r.url}`);
lines.push(` ${r.snippet}`);
lines.push('');
}
}
return lines.join('\n');
}
// ─── Tool exports ────────────────────────────────────────────────────────────
export function createSearchTools(): ToolDefinition[] {
const webSearch: ToolDefinition = {
name: 'web_search',
label: 'Web Search',
description:
'Search the web using configured search providers. ' +
'Supports Brave, Tavily, SearXNG, and DuckDuckGo. ' +
'Use "auto" provider to pick the best available. ' +
'DuckDuckGo is always available as a fallback (no API key needed).',
parameters: Type.Object({
query: Type.String({ description: 'Search query' }),
provider: Type.Optional(
Type.String({
description:
'Search provider: "auto" (default), "brave", "tavily", "searxng", or "duckduckgo"',
}),
),
limit: Type.Optional(
Type.Number({ description: `Max results to return (default 5, max ${MAX_RESULTS})` }),
),
}),
async execute(_toolCallId, params) {
const { query, provider, limit } = params as {
query: string;
provider?: string;
limit?: number;
};
const effectiveProvider = (provider ?? 'auto') as SearchProvider;
const validProviders = ['auto', 'brave', 'tavily', 'searxng', 'duckduckgo'];
if (!validProviders.includes(effectiveProvider)) {
return {
content: [
{
type: 'text' as const,
text: `Invalid provider "${provider}". Valid: ${validProviders.join(', ')}`,
},
],
details: undefined,
};
}
const effectiveLimit = Math.min(Math.max(limit ?? 5, 1), MAX_RESULTS);
try {
const response = await executeSearch(effectiveProvider, query, effectiveLimit);
return {
content: [{ type: 'text' as const, text: formatSearchResults(response) }],
details: undefined,
};
} catch (err) {
return {
content: [
{
type: 'text' as const,
text: `Search failed: ${err instanceof Error ? err.message : String(err)}`,
},
],
details: undefined,
};
}
},
};
const webSearchNews: ToolDefinition = {
name: 'web_search_news',
label: 'Web Search (News)',
description:
'Search for recent news articles. Uses Brave News API if available, falls back to standard search with news keywords.',
parameters: Type.Object({
query: Type.String({ description: 'News search query' }),
limit: Type.Optional(
Type.Number({ description: `Max results (default 5, max ${MAX_RESULTS})` }),
),
}),
async execute(_toolCallId, params) {
const { query, limit } = params as { query: string; limit?: number };
const effectiveLimit = Math.min(Math.max(limit ?? 5, 1), MAX_RESULTS);
// Try Brave News API first (dedicated news endpoint)
const braveKey = process.env['BRAVE_API_KEY'];
if (braveKey) {
try {
const newsParams = new URLSearchParams({
q: query,
count: String(effectiveLimit),
});
const res = await fetchWithTimeout(
`https://api.search.brave.com/res/v1/news/search?${newsParams}`,
{
headers: {
'X-Subscription-Token': braveKey,
Accept: 'application/json',
},
},
DEFAULT_TIMEOUT_MS,
);
if (res.ok) {
const data = (await res.json()) as {
results?: Array<{
title: string;
url: string;
description: string;
age?: string;
}>;
};
const results: SearchResult[] = (data.results ?? [])
.slice(0, effectiveLimit)
.map((r) => ({
title: r.title + (r.age ? ` (${r.age})` : ''),
url: r.url,
snippet: r.description,
}));
const response: SearchResponse = { provider: 'brave-news', query, results };
return {
content: [{ type: 'text' as const, text: formatSearchResults(response) }],
details: undefined,
};
}
} catch {
// Fall through to generic search
}
}
// Fallback: standard search with "news" appended
const newsQuery = `${query} news latest`;
const response = await executeSearch('auto', newsQuery, effectiveLimit);
return {
content: [{ type: 'text' as const, text: formatSearchResults(response) }],
details: undefined,
};
},
};
const searchProviders: ToolDefinition = {
name: 'web_search_providers',
label: 'List Search Providers',
description: 'List the currently available and configured web search providers.',
parameters: Type.Object({}),
async execute() {
const available = getAvailableProviders();
const allProviders = [
{ name: 'brave', configured: !!process.env['BRAVE_API_KEY'], envVar: 'BRAVE_API_KEY' },
{ name: 'tavily', configured: !!process.env['TAVILY_API_KEY'], envVar: 'TAVILY_API_KEY' },
{ name: 'searxng', configured: !!process.env['SEARXNG_URL'], envVar: 'SEARXNG_URL' },
{ name: 'duckduckgo', configured: true, envVar: '(none — always available)' },
];
const lines = ['Search providers:\n'];
for (const p of allProviders) {
const status = p.configured ? '✓ configured' : '✗ not configured';
lines.push(` ${p.name}: ${status} (${p.envVar})`);
}
lines.push(`\nActive providers for "auto" mode: ${available.join(', ')}`);
return {
content: [{ type: 'text' as const, text: lines.join('\n') }],
details: undefined,
};
},
};
return [webSearch, webSearchNews, searchProviders];
}

34
apps/gateway/src/agent/tools/shell-tools.ts
View File

@@ -1,7 +1,7 @@
import { Type } from '@sinclair/typebox'; import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent'; import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import { spawn } from 'node:child_process'; import { spawn } from 'node:child_process';
import { guardPath, SandboxEscapeError } from './path-guard.js'; import { resolve, relative } from 'node:path';
const DEFAULT_TIMEOUT_MS = 30_000; const DEFAULT_TIMEOUT_MS = 30_000;
const MAX_OUTPUT_BYTES = 100 * 1024; // 100 KB const MAX_OUTPUT_BYTES = 100 * 1024; // 100 KB
@@ -68,6 +68,22 @@ function extractBaseCommand(command: string): string {
return firstToken.split('/').pop() ?? firstToken; return firstToken.split('/').pop() ?? firstToken;
} }
/**
* Clamp a user-supplied cwd to within the sandbox directory.
* If the resolved path escapes the sandbox (via ../ or absolute path outside),
* falls back to the sandbox directory itself.
*/
function clampCwd(sandboxDir: string, requestedCwd?: string): string {
if (!requestedCwd) return sandboxDir;
const resolved = resolve(sandboxDir, requestedCwd);
const rel = relative(sandboxDir, resolved);
if (rel.startsWith('..') || rel.startsWith('/')) {
// Escape attempt — fall back to sandbox root
return sandboxDir;
}
return resolved;
}
function runCommand( function runCommand(
command: string, command: string,
options: { timeoutMs: number; cwd?: string }, options: { timeoutMs: number; cwd?: string },
@@ -169,21 +185,7 @@ export function createShellTools(sandboxDir?: string): ToolDefinition[] {
} }
const timeoutMs = Math.min(timeout ?? DEFAULT_TIMEOUT_MS, 60_000); const timeoutMs = Math.min(timeout ?? DEFAULT_TIMEOUT_MS, 60_000);
let safeCwd: string; const safeCwd = clampCwd(defaultCwd, cwd);
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
const result = await runCommand(command, { const result = await runCommand(command, {
timeoutMs, timeoutMs,

16
apps/gateway/src/app.module.ts
View File

@@ -1,7 +1,6 @@
import { Module } from '@nestjs/common'; import { Module } from '@nestjs/common';
import { APP_GUARD } from '@nestjs/core'; import { APP_GUARD } from '@nestjs/core';
import { HealthController } from './health/health.controller.js'; import { HealthController } from './health/health.controller.js';
import { ConfigModule } from './config/config.module.js';
import { DatabaseModule } from './database/database.module.js'; import { DatabaseModule } from './database/database.module.js';
import { AuthModule } from './auth/auth.module.js'; import { AuthModule } from './auth/auth.module.js';
import { BrainModule } from './brain/brain.module.js'; import { BrainModule } from './brain/brain.module.js';
@@ -18,19 +17,11 @@ import { SkillsModule } from './skills/skills.module.js';
import { PluginModule } from './plugin/plugin.module.js'; import { PluginModule } from './plugin/plugin.module.js';
import { McpModule } from './mcp/mcp.module.js'; import { McpModule } from './mcp/mcp.module.js';
import { AdminModule } from './admin/admin.module.js'; import { AdminModule } from './admin/admin.module.js';
import { CommandsModule } from './commands/commands.module.js';
import { PreferencesModule } from './preferences/preferences.module.js';
import { GCModule } from './gc/gc.module.js';
import { ReloadModule } from './reload/reload.module.js';
import { WorkspaceModule } from './workspace/workspace.module.js';
import { QueueModule } from './queue/queue.module.js';
import { FederationModule } from './federation/federation.module.js';
import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler'; import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
@Module({ @Module({
imports: [ imports: [
ThrottlerModule.forRoot([{ name: 'default', ttl: 60_000, limit: 60 }]), ThrottlerModule.forRoot([{ name: 'default', ttl: 60_000, limit: 60 }]),
ConfigModule,
DatabaseModule, DatabaseModule,
AuthModule, AuthModule,
BrainModule, BrainModule,
@@ -47,13 +38,6 @@ import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
PluginModule, PluginModule,
McpModule, McpModule,
AdminModule, AdminModule,
PreferencesModule,
CommandsModule,
GCModule,
QueueModule,
ReloadModule,
WorkspaceModule,
FederationModule,
], ],
controllers: [HealthController], controllers: [HealthController],
providers: [ providers: [

2
apps/gateway/src/auth/auth.controller.ts
View File

@@ -1,6 +1,6 @@
import type { IncomingMessage, ServerResponse } from 'node:http'; import type { IncomingMessage, ServerResponse } from 'node:http';
import { toNodeHandler } from 'better-auth/node'; import { toNodeHandler } from 'better-auth/node';
import type { Auth } from '@mosaicstack/auth'; import type { Auth } from '@mosaic/auth';
import type { NestFastifyApplication } from '@nestjs/platform-fastify'; import type { NestFastifyApplication } from '@nestjs/platform-fastify';
import { AUTH } from './auth.tokens.js'; import { AUTH } from './auth.tokens.js';

2
apps/gateway/src/auth/auth.guard.ts
View File

@@ -6,7 +6,7 @@ import {
UnauthorizedException, UnauthorizedException,
} from '@nestjs/common'; } from '@nestjs/common';
import { fromNodeHeaders } from 'better-auth/node'; import { fromNodeHeaders } from 'better-auth/node';
import type { Auth } from '@mosaicstack/auth'; import type { Auth } from '@mosaic/auth';
import type { FastifyRequest } from 'fastify'; import type { FastifyRequest } from 'fastify';
import { AUTH } from './auth.tokens.js'; import { AUTH } from './auth.tokens.js';

8
apps/gateway/src/auth/auth.module.ts
View File

@@ -1,20 +1,18 @@
import { Global, Module } from '@nestjs/common'; import { Global, Module } from '@nestjs/common';
import { createAuth, type Auth } from '@mosaicstack/auth'; import { createAuth, type Auth } from '@mosaic/auth';
import type { Db } from '@mosaicstack/db'; import type { Db } from '@mosaic/db';
import { DB } from '../database/database.module.js'; import { DB } from '../database/database.module.js';
import { AUTH } from './auth.tokens.js'; import { AUTH } from './auth.tokens.js';
import { SsoController } from './sso.controller.js';
@Global() @Global()
@Module({ @Module({
controllers: [SsoController],
providers: [ providers: [
{ {
provide: AUTH, provide: AUTH,
useFactory: (db: Db): Auth => useFactory: (db: Db): Auth =>
createAuth({ createAuth({
db, db,
baseURL: process.env['BETTER_AUTH_URL'] ?? 'http://localhost:14242', baseURL: process.env['BETTER_AUTH_URL'] ?? 'http://localhost:4000',
secret: process.env['BETTER_AUTH_SECRET'], secret: process.env['BETTER_AUTH_SECRET'],
}), }),
inject: [DB], inject: [DB],

40
apps/gateway/src/auth/sso.controller.spec.ts
View File

@@ -1,40 +0,0 @@
import { afterEach, describe, expect, it, vi } from 'vitest';
import { SsoController } from './sso.controller.js';
describe('SsoController', () => {
afterEach(() => {
vi.unstubAllEnvs();
});
it('lists configured OIDC providers', () => {
vi.stubEnv('WORKOS_CLIENT_ID', 'workos-client');
vi.stubEnv('WORKOS_CLIENT_SECRET', 'workos-secret');
vi.stubEnv('WORKOS_ISSUER', 'https://auth.workos.com/sso/client_123');
const controller = new SsoController();
const providers = controller.list();
expect(providers.find((provider) => provider.id === 'workos')).toMatchObject({
configured: true,
loginMode: 'oidc',
callbackPath: '/api/auth/oauth2/callback/workos',
teamSync: { enabled: true, claim: 'organization_id' },
});
});
it('prefers SAML fallback for Keycloak when only the SAML login URL is configured', () => {
vi.stubEnv('KEYCLOAK_SAML_LOGIN_URL', 'https://sso.example.com/realms/mosaic/protocol/saml');
const controller = new SsoController();
const providers = controller.list();
expect(providers.find((provider) => provider.id === 'keycloak')).toMatchObject({
configured: true,
loginMode: 'saml',
samlFallback: {
configured: true,
loginUrl: 'https://sso.example.com/realms/mosaic/protocol/saml',
},
});
});
});

10
apps/gateway/src/auth/sso.controller.ts
View File

@@ -1,10 +0,0 @@
import { Controller, Get } from '@nestjs/common';
import { buildSsoDiscovery, type SsoProviderDiscovery } from '@mosaicstack/auth';
@Controller('api/sso/providers')
export class SsoController {
@Get()
list(): SsoProviderDiscovery[] {
return buildSsoDiscovery();
}
}

4
apps/gateway/src/brain/brain.module.ts
View File

@@ -1,6 +1,6 @@
import { Global, Module } from '@nestjs/common'; import { Global, Module } from '@nestjs/common';
import { createBrain, type Brain } from '@mosaicstack/brain'; import { createBrain, type Brain } from '@mosaic/brain';
import type { Db } from '@mosaicstack/db'; import type { Db } from '@mosaic/db';
import { DB } from '../database/database.module.js'; import { DB } from '../database/database.module.js';
import { BRAIN } from './brain.tokens.js'; import { BRAIN } from './brain.tokens.js';

1
apps/gateway/src/chat/__tests__/chat-security.test.ts
View File

@@ -1,4 +1,3 @@
import 'reflect-metadata';
import { readFileSync } from 'node:fs'; import { readFileSync } from 'node:fs';
import { resolve } from 'node:path'; import { resolve } from 'node:path';
import { validateSync } from 'class-validator'; import { validateSync } from 'class-validator';

4
apps/gateway/src/chat/chat.dto.ts
View File

@@ -28,8 +28,4 @@ export class ChatSocketMessageDto {
@IsString() @IsString()
@MaxLength(255) @MaxLength(255)
modelId?: string; modelId?: string;
@IsOptional()
@IsUUID()
agentId?: string;
} }

541
apps/gateway/src/chat/chat.gateway.ts
View File

@@ -11,45 +11,13 @@ import {
} from '@nestjs/websockets'; } from '@nestjs/websockets';
import { Server, Socket } from 'socket.io'; import { Server, Socket } from 'socket.io';
import type { AgentSessionEvent } from '@mariozechner/pi-coding-agent'; import type { AgentSessionEvent } from '@mariozechner/pi-coding-agent';
import type { Auth } from '@mosaicstack/auth'; import type { Auth } from '@mosaic/auth';
import type { Brain } from '@mosaicstack/brain'; import { AgentService } from '../agent/agent.service.js';
import type {
SetThinkingPayload,
SlashCommandPayload,
SystemReloadPayload,
RoutingDecisionInfo,
AbortPayload,
} from '@mosaicstack/types';
import { AgentService, type ConversationHistoryMessage } from '../agent/agent.service.js';
import { AUTH } from '../auth/auth.tokens.js'; import { AUTH } from '../auth/auth.tokens.js';
import { BRAIN } from '../brain/brain.tokens.js';
import { CommandRegistryService } from '../commands/command-registry.service.js';
import { CommandExecutorService } from '../commands/command-executor.service.js';
import { RoutingEngineService } from '../agent/routing/routing-engine.service.js';
import { v4 as uuid } from 'uuid'; import { v4 as uuid } from 'uuid';
import { ChatSocketMessageDto } from './chat.dto.js'; import { ChatSocketMessageDto } from './chat.dto.js';
import { validateSocketSession } from './chat.gateway-auth.js'; import { validateSocketSession } from './chat.gateway-auth.js';
/** Per-client state tracking streaming accumulation for persistence. */
interface ClientSession {
conversationId: string;
cleanup: () => void;
/** Accumulated assistant response text for the current turn. */
assistantText: string;
/** Tool calls observed during the current turn. */
toolCalls: Array<{ toolCallId: string; toolName: string; args: unknown; isError: boolean }>;
/** Tool calls in-flight (started but not ended yet). */
pendingToolCalls: Map<string, { toolName: string; args: unknown }>;
/** Last routing decision made for this session (M4-008) */
lastRoutingDecision?: RoutingDecisionInfo;
}
/**
* Per-conversation model overrides set via /model command (M4-007).
* Keyed by conversationId, value is the model name to use.
*/
const modelOverrides = new Map<string, string>();
@WebSocketGateway({ @WebSocketGateway({
cors: { cors: {
origin: process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000', origin: process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000',
@@ -61,15 +29,14 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
server!: Server; server!: Server;
private readonly logger = new Logger(ChatGateway.name); private readonly logger = new Logger(ChatGateway.name);
private readonly clientSessions = new Map<string, ClientSession>(); private readonly clientSessions = new Map<
string,
{ conversationId: string; cleanup: () => void }
>();
constructor( constructor(
@Inject(AgentService) private readonly agentService: AgentService, @Inject(AgentService) private readonly agentService: AgentService,
@Inject(AUTH) private readonly auth: Auth, @Inject(AUTH) private readonly auth: Auth,
@Inject(BRAIN) private readonly brain: Brain,
@Inject(CommandRegistryService) private readonly commandRegistry: CommandRegistryService,
@Inject(CommandExecutorService) private readonly commandExecutor: CommandExecutorService,
@Inject(RoutingEngineService) private readonly routingEngine: RoutingEngineService,
) {} ) {}
afterInit(): void { afterInit(): void {
@@ -87,9 +54,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
client.data.user = session.user; client.data.user = session.user;
client.data.session = session.session; client.data.session = session.session;
this.logger.log(`Client connected: ${client.id}`); this.logger.log(`Client connected: ${client.id}`);
// Broadcast command manifest to the newly connected client
client.emit('commands:manifest', { manifest: this.commandRegistry.getManifest() });
} }
handleDisconnect(client: Socket): void { handleDisconnect(client: Socket): void {
@@ -108,78 +72,17 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
@MessageBody() data: ChatSocketMessageDto, @MessageBody() data: ChatSocketMessageDto,
): Promise<void> { ): Promise<void> {
const conversationId = data.conversationId ?? uuid(); const conversationId = data.conversationId ?? uuid();
const userId = (client.data.user as { id: string } | undefined)?.id;
this.logger.log(`Message from ${client.id} in conversation ${conversationId}`); this.logger.log(`Message from ${client.id} in conversation ${conversationId}`);
// Ensure agent session exists for this conversation // Ensure agent session exists for this conversation
let sessionRoutingDecision: RoutingDecisionInfo | undefined;
try { try {
let agentSession = this.agentService.getSession(conversationId); let agentSession = this.agentService.getSession(conversationId);
if (!agentSession) { if (!agentSession) {
// When resuming an existing conversation, load prior messages to inject as context (M1-004) agentSession = await this.agentService.createSession(conversationId, {
const conversationHistory = await this.loadConversationHistory(conversationId, userId); provider: data.provider,
modelId: data.modelId,
// M5-004: Check if there's an existing sessionId bound to this conversation
let existingSessionId: string | undefined;
if (userId) {
existingSessionId = await this.getConversationSessionId(conversationId, userId);
if (existingSessionId) {
this.logger.log(
`Resuming existing sessionId=${existingSessionId} for conversation=${conversationId}`,
);
}
}
// Determine provider/model via routing engine or per-session /model override (M4-012 / M4-007)
let resolvedProvider = data.provider;
let resolvedModelId = data.modelId;
const modelOverride = modelOverrides.get(conversationId);
if (modelOverride) {
// /model override bypasses routing engine (M4-007)
resolvedModelId = modelOverride;
this.logger.log(
`Using /model override "${modelOverride}" for conversation=${conversationId}`,
);
} else if (!resolvedProvider && !resolvedModelId) {
// No explicit provider/model from client — use routing engine (M4-012)
try {
const routingDecision = await this.routingEngine.resolve(data.content, userId);
resolvedProvider = routingDecision.provider;
resolvedModelId = routingDecision.model;
sessionRoutingDecision = {
model: routingDecision.model,
provider: routingDecision.provider,
ruleName: routingDecision.ruleName,
reason: routingDecision.reason,
};
this.logger.log(
`Routing decision for conversation=${conversationId}: ${routingDecision.provider}/${routingDecision.model} (rule="${routingDecision.ruleName}")`,
);
} catch (routingErr) {
this.logger.warn(
`Routing engine failed for conversation=${conversationId}, using defaults`,
routingErr instanceof Error ? routingErr.message : String(routingErr),
);
}
}
// M5-004: Use existingSessionId as sessionId when available (session reuse)
const sessionIdToCreate = existingSessionId ?? conversationId;
agentSession = await this.agentService.createSession(sessionIdToCreate, {
provider: resolvedProvider,
modelId: resolvedModelId,
agentConfigId: data.agentId,
userId,
conversationHistory: conversationHistory.length > 0 ? conversationHistory : undefined,
}); });
if (conversationHistory.length > 0) {
this.logger.log(
`Loaded ${conversationHistory.length} prior messages for conversation=${conversationId}`,
);
}
} }
} catch (err) { } catch (err) {
this.logger.error( this.logger.error(
@@ -193,38 +96,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
return; return;
} }
// Ensure conversation record exists in the DB before persisting messages
// M5-004: Also bind the sessionId to the conversation record
if (userId) {
await this.ensureConversation(conversationId, userId);
await this.bindSessionToConversation(conversationId, userId, conversationId);
}
// M5-007: Count the user message
this.agentService.recordMessage(conversationId);
// Persist the user message
if (userId) {
try {
await this.brain.conversations.addMessage(
{
conversationId,
role: 'user',
content: data.content,
metadata: {
timestamp: new Date().toISOString(),
},
},
userId,
);
} catch (err) {
this.logger.error(
`Failed to persist user message for conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
}
}
// Always clean up previous listener to prevent leak // Always clean up previous listener to prevent leak
const existing = this.clientSessions.get(client.id); const existing = this.clientSessions.get(client.id);
if (existing) { if (existing) {
@@ -236,40 +107,11 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
this.relayEvent(client, conversationId, event); this.relayEvent(client, conversationId, event);
}); });
// Preserve routing decision from the existing client session if we didn't get a new one this.clientSessions.set(client.id, { conversationId, cleanup });
const prevClientSession = this.clientSessions.get(client.id);
const routingDecisionToStore = sessionRoutingDecision ?? prevClientSession?.lastRoutingDecision;
this.clientSessions.set(client.id, {
conversationId,
cleanup,
assistantText: '',
toolCalls: [],
pendingToolCalls: new Map(),
lastRoutingDecision: routingDecisionToStore,
});
// Track channel connection // Track channel connection
this.agentService.addChannel(conversationId, `websocket:${client.id}`); this.agentService.addChannel(conversationId, `websocket:${client.id}`);
// Send session info so the client knows the model/provider (M4-008: include routing decision)
// Include agentName when a named agent config is active (M5-001)
{
const agentSession = this.agentService.getSession(conversationId);
if (agentSession) {
const piSession = agentSession.piSession;
client.emit('session:info', {
conversationId,
provider: agentSession.provider,
modelId: agentSession.modelId,
thinkingLevel: piSession.thinkingLevel,
availableThinkingLevels: piSession.getAvailableThinkingLevels(),
...(agentSession.agentName ? { agentName: agentSession.agentName } : {}),
...(routingDecisionToStore ? { routingDecision: routingDecisionToStore } : {}),
});
}
}
// Send acknowledgment // Send acknowledgment
client.emit('message:ack', { conversationId, messageId: uuid() }); client.emit('message:ack', { conversationId, messageId: uuid() });
@@ -288,245 +130,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
} }
} }
@SubscribeMessage('set:thinking')
handleSetThinking(
@ConnectedSocket() client: Socket,
@MessageBody() data: SetThinkingPayload,
): void {
const session = this.agentService.getSession(data.conversationId);
if (!session) {
client.emit('error', {
conversationId: data.conversationId,
error: 'No active session for this conversation.',
});
return;
}
const validLevels = session.piSession.getAvailableThinkingLevels();
if (!validLevels.includes(data.level as never)) {
client.emit('error', {
conversationId: data.conversationId,
error: `Invalid thinking level "${data.level}". Available: ${validLevels.join(', ')}`,
});
return;
}
session.piSession.setThinkingLevel(data.level as never);
this.logger.log(
`Thinking level set to "${data.level}" for conversation ${data.conversationId}`,
);
client.emit('session:info', {
conversationId: data.conversationId,
provider: session.provider,
modelId: session.modelId,
thinkingLevel: session.piSession.thinkingLevel,
availableThinkingLevels: session.piSession.getAvailableThinkingLevels(),
...(session.agentName ? { agentName: session.agentName } : {}),
});
}
@SubscribeMessage('abort')
async handleAbort(
@ConnectedSocket() client: Socket,
@MessageBody() data: AbortPayload,
): Promise<void> {
const conversationId = data.conversationId;
this.logger.log(`Abort requested by ${client.id} for conversation ${conversationId}`);
const session = this.agentService.getSession(conversationId);
if (!session) {
client.emit('error', {
conversationId,
error: 'No active session to abort.',
});
return;
}
try {
await session.piSession.abort();
this.logger.log(`Agent session ${conversationId} aborted successfully`);
} catch (err) {
this.logger.error(
`Failed to abort session ${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
client.emit('error', {
conversationId,
error: 'Failed to abort the agent operation.',
});
}
}
@SubscribeMessage('command:execute')
async handleCommandExecute(
@ConnectedSocket() client: Socket,
@MessageBody() payload: SlashCommandPayload,
): Promise<void> {
const userId = (client.data.user as { id: string } | undefined)?.id ?? 'unknown';
const result = await this.commandExecutor.execute(payload, userId);
client.emit('command:result', result);
}
broadcastReload(payload: SystemReloadPayload): void {
this.server.emit('system:reload', payload);
this.logger.log('Broadcasted system:reload to all connected clients');
}
/**
* Set a per-conversation model override (M4-007 / M5-002).
* When set, the routing engine is bypassed and the specified model is used.
* Pass null to clear the override and resume automatic routing.
* M5-005: Emits session:info to clients subscribed to this conversation when a model is set.
* M5-007: Records a model switch in session metrics.
*/
setModelOverride(conversationId: string, modelName: string | null): void {
if (modelName) {
modelOverrides.set(conversationId, modelName);
this.logger.log(`Model override set: conversation=${conversationId} model="${modelName}"`);
// M5-002: Update the live session's modelId so session:info reflects the new model immediately
this.agentService.updateSessionModel(conversationId, modelName);
// M5-005: Broadcast session:info to all clients subscribed to this conversation
this.broadcastSessionInfo(conversationId);
} else {
modelOverrides.delete(conversationId);
this.logger.log(`Model override cleared: conversation=${conversationId}`);
}
}
/**
* Return the active model override for a conversation, or undefined if none.
*/
getModelOverride(conversationId: string): string | undefined {
return modelOverrides.get(conversationId);
}
/**
* M5-005: Broadcast session:info to all clients currently subscribed to a conversation.
* Called on model or agent switch to ensure the TUI TopBar updates immediately.
*/
broadcastSessionInfo(
conversationId: string,
extra?: { agentName?: string; routingDecision?: RoutingDecisionInfo },
): void {
const agentSession = this.agentService.getSession(conversationId);
if (!agentSession) return;
const piSession = agentSession.piSession;
const resolvedAgentName = extra?.agentName ?? agentSession.agentName;
const payload = {
conversationId,
provider: agentSession.provider,
modelId: agentSession.modelId,
thinkingLevel: piSession.thinkingLevel,
availableThinkingLevels: piSession.getAvailableThinkingLevels(),
...(resolvedAgentName ? { agentName: resolvedAgentName } : {}),
...(extra?.routingDecision ? { routingDecision: extra.routingDecision } : {}),
};
// Emit to all clients currently subscribed to this conversation
for (const [clientId, session] of this.clientSessions) {
if (session.conversationId === conversationId) {
const socket = this.server.sockets.sockets.get(clientId);
if (socket?.connected) {
socket.emit('session:info', payload);
}
}
}
}
/**
* Ensure a conversation record exists in the DB.
* Creates it if absent — safe to call concurrently since a duplicate insert
* would fail on the PK constraint and be caught here.
*/
private async ensureConversation(conversationId: string, userId: string): Promise<void> {
try {
const existing = await this.brain.conversations.findById(conversationId, userId);
if (!existing) {
await this.brain.conversations.create({
id: conversationId,
userId,
});
}
} catch (err) {
this.logger.error(
`Failed to ensure conversation record for conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
}
}
/**
* M5-004: Bind the agent sessionId to the conversation record in the DB.
* Updates the sessionId column so future resumes can reuse the session.
*/
private async bindSessionToConversation(
conversationId: string,
userId: string,
sessionId: string,
): Promise<void> {
try {
await this.brain.conversations.update(conversationId, userId, { sessionId });
} catch (err) {
this.logger.error(
`Failed to bind sessionId=${sessionId} to conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
}
}
/**
* M5-004: Retrieve the sessionId bound to a conversation, if any.
* Returns undefined when the conversation does not exist or has no bound session.
*/
private async getConversationSessionId(
conversationId: string,
userId: string,
): Promise<string | undefined> {
try {
const conv = await this.brain.conversations.findById(conversationId, userId);
return conv?.sessionId ?? undefined;
} catch (err) {
this.logger.error(
`Failed to get sessionId for conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
return undefined;
}
}
/**
* Load prior conversation messages from DB for context injection on session resume (M1-004).
* Returns an empty array when no history exists, the conversation is not owned by the user,
* or userId is not provided.
*/
private async loadConversationHistory(
conversationId: string,
userId: string | undefined,
): Promise<ConversationHistoryMessage[]> {
if (!userId) return [];
try {
const messages = await this.brain.conversations.findMessages(conversationId, userId);
if (messages.length === 0) return [];
return messages.map((msg) => ({
role: msg.role as 'user' | 'assistant' | 'system',
content: msg.content,
createdAt: msg.createdAt,
}));
} catch (err) {
this.logger.error(
`Failed to load conversation history for conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
return [];
}
}
private relayEvent(client: Socket, conversationId: string, event: AgentSessionEvent): void { private relayEvent(client: Socket, conversationId: string, event: AgentSessionEvent): void {
if (!client.connected) { if (!client.connected) {
this.logger.warn( this.logger.warn(
@@ -536,109 +139,17 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
} }
switch (event.type) { switch (event.type) {
case 'agent_start': { case 'agent_start':
// Reset accumulation buffers for the new turn
const cs = this.clientSessions.get(client.id);
if (cs) {
cs.assistantText = '';
cs.toolCalls = [];
cs.pendingToolCalls.clear();
}
client.emit('agent:start', { conversationId }); client.emit('agent:start', { conversationId });
break; break;
}
case 'agent_end': { case 'agent_end':
// Gather usage stats from the Pi session client.emit('agent:end', { conversationId });
const agentSession = this.agentService.getSession(conversationId);
const piSession = agentSession?.piSession;
const stats = piSession?.getSessionStats();
const contextUsage = piSession?.getContextUsage();
const usagePayload = stats
? {
provider: agentSession?.provider ?? 'unknown',
modelId: agentSession?.modelId ?? 'unknown',
thinkingLevel: piSession?.thinkingLevel ?? 'off',
tokens: stats.tokens,
cost: stats.cost,
context: {
percent: contextUsage?.percent ?? null,
window: contextUsage?.contextWindow ?? 0,
},
}
: undefined;
client.emit('agent:end', {
conversationId,
usage: usagePayload,
});
// M5-007: Accumulate token usage in session metrics
if (stats?.tokens) {
this.agentService.recordTokenUsage(conversationId, {
input: stats.tokens.input ?? 0,
output: stats.tokens.output ?? 0,
cacheRead: stats.tokens.cacheRead ?? 0,
cacheWrite: stats.tokens.cacheWrite ?? 0,
total: stats.tokens.total ?? 0,
});
}
// Persist the assistant message with metadata
const cs = this.clientSessions.get(client.id);
const userId = (client.data.user as { id: string } | undefined)?.id;
if (cs && userId && cs.assistantText.trim().length > 0) {
const metadata: Record<string, unknown> = {
timestamp: new Date().toISOString(),
model: agentSession?.modelId ?? 'unknown',
provider: agentSession?.provider ?? 'unknown',
toolCalls: cs.toolCalls,
};
if (stats?.tokens) {
metadata['tokenUsage'] = {
input: stats.tokens.input,
output: stats.tokens.output,
cacheRead: stats.tokens.cacheRead,
cacheWrite: stats.tokens.cacheWrite,
total: stats.tokens.total,
};
}
this.brain.conversations
.addMessage(
{
conversationId,
role: 'assistant',
content: cs.assistantText,
metadata,
},
userId,
)
.catch((err: unknown) => {
this.logger.error(
`Failed to persist assistant message for conversation=${conversationId}`,
err instanceof Error ? err.stack : String(err),
);
});
// Reset accumulation
cs.assistantText = '';
cs.toolCalls = [];
cs.pendingToolCalls.clear();
}
break; break;
}
case 'message_update': { case 'message_update': {
const assistantEvent = event.assistantMessageEvent; const assistantEvent = event.assistantMessageEvent;
if (assistantEvent.type === 'text_delta') { if (assistantEvent.type === 'text_delta') {
// Accumulate assistant text for persistence
const cs = this.clientSessions.get(client.id);
if (cs) {
cs.assistantText += assistantEvent.delta;
}
client.emit('agent:text', { client.emit('agent:text', {
conversationId, conversationId,
text: assistantEvent.delta, text: assistantEvent.delta,
@@ -652,36 +163,15 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
break; break;
} }
case 'tool_execution_start': { case 'tool_execution_start':
// Track pending tool call for later recording
const cs = this.clientSessions.get(client.id);
if (cs) {
cs.pendingToolCalls.set(event.toolCallId, {
toolName: event.toolName,
args: event.args,
});
}
client.emit('agent:tool:start', { client.emit('agent:tool:start', {
conversationId, conversationId,
toolCallId: event.toolCallId, toolCallId: event.toolCallId,
toolName: event.toolName, toolName: event.toolName,
}); });
break; break;
}
case 'tool_execution_end': { case 'tool_execution_end':
// Finalise tool call record
const cs = this.clientSessions.get(client.id);
if (cs) {
const pending = cs.pendingToolCalls.get(event.toolCallId);
cs.toolCalls.push({
toolCallId: event.toolCallId,
toolName: event.toolName,
args: pending?.args ?? null,
isError: event.isError,
});
cs.pendingToolCalls.delete(event.toolCallId);
}
client.emit('agent:tool:end', { client.emit('agent:tool:end', {
conversationId, conversationId,
toolCallId: event.toolCallId, toolCallId: event.toolCallId,
@@ -689,7 +179,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
isError: event.isError, isError: event.isError,
}); });
break; break;
}
} }
} }
} }

5
apps/gateway/src/chat/chat.module.ts
View File

@@ -1,12 +1,9 @@
import { forwardRef, Module } from '@nestjs/common'; import { Module } from '@nestjs/common';
import { CommandsModule } from '../commands/commands.module.js';
import { ChatGateway } from './chat.gateway.js'; import { ChatGateway } from './chat.gateway.js';
import { ChatController } from './chat.controller.js'; import { ChatController } from './chat.controller.js';
@Module({ @Module({
imports: [forwardRef(() => CommandsModule)],
controllers: [ChatController], controllers: [ChatController],
providers: [ChatGateway], providers: [ChatGateway],
exports: [ChatGateway],
}) })
export class ChatModule {} export class ChatModule {}

249
apps/gateway/src/commands/command-executor-p8012.spec.ts
View File

@@ -1,249 +0,0 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { CommandExecutorService } from './command-executor.service.js';
import type { SlashCommandPayload } from '@mosaicstack/types';
// Minimal mock implementations
const mockRegistry = {
getManifest: vi.fn(() => ({
version: 1,
commands: [
{ name: 'provider', aliases: [], scope: 'agent', execution: 'hybrid', available: true },
{ name: 'mission', aliases: [], scope: 'agent', execution: 'socket', available: true },
{ name: 'agent', aliases: ['a'], scope: 'agent', execution: 'socket', available: true },
{ name: 'prdy', aliases: [], scope: 'agent', execution: 'socket', available: true },
{ name: 'tools', aliases: [], scope: 'agent', execution: 'socket', available: true },
],
skills: [],
})),
};
const mockAgentService = {
getSession: vi.fn(() => undefined),
applyAgentConfig: vi.fn(),
updateSessionModel: vi.fn(),
};
const mockSystemOverride = {
set: vi.fn(),
get: vi.fn(),
clear: vi.fn(),
renew: vi.fn(),
};
const mockSessionGC = {
sweepOrphans: vi.fn(() => ({ orphanedSessions: 0, totalCleaned: [], duration: 0 })),
};
const mockRedis = {
set: vi.fn().mockResolvedValue('OK'),
get: vi.fn(),
del: vi.fn(),
};
// Mock agent config returned by brain.agents.findByName for "my-agent-id"
const mockAgentConfig = {
id: 'my-agent-id',
name: 'my-agent-id',
model: 'claude-sonnet-4-6',
provider: 'anthropic',
systemPrompt: null,
allowedTools: null,
isSystem: false,
ownerId: 'user-123',
status: 'idle',
createdAt: new Date(),
updatedAt: new Date(),
};
const mockBrain = {
agents: {
// findByName resolves with the agent when name matches, undefined otherwise
findByName: vi.fn((name: string) =>
Promise.resolve(name === 'my-agent-id' ? mockAgentConfig : undefined),
),
findById: vi.fn((id: string) =>
Promise.resolve(id === 'my-agent-id' ? mockAgentConfig : undefined),
),
create: vi.fn(),
},
};
const mockChatGateway = {
broadcastSessionInfo: vi.fn(),
};
function buildService(): CommandExecutorService {
return new CommandExecutorService(
mockRegistry as never,
mockAgentService as never,
mockSystemOverride as never,
mockSessionGC as never,
mockRedis as never,
mockBrain as never,
null,
mockChatGateway as never,
null,
);
}
describe('CommandExecutorService — P8-012 commands', () => {
let service: CommandExecutorService;
const userId = 'user-123';
const conversationId = 'conv-456';
beforeEach(() => {
vi.clearAllMocks();
service = buildService();
});
// /provider login — missing provider name
it('/provider login with no provider name returns usage error', async () => {
const payload: SlashCommandPayload = { command: 'provider', args: 'login', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('Usage: /provider login');
expect(result.command).toBe('provider');
});
// /provider login anthropic — success with URL containing poll token
it('/provider login <name> returns success with URL and poll token', async () => {
const payload: SlashCommandPayload = {
command: 'provider',
args: 'login anthropic',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('provider');
expect(result.message).toContain('anthropic');
expect(result.message).toContain('http');
// data should contain loginUrl and pollToken
expect(result.data).toBeDefined();
const data = result.data as Record<string, unknown>;
expect(typeof data['loginUrl']).toBe('string');
expect(typeof data['pollToken']).toBe('string');
expect(data['loginUrl'] as string).toContain('anthropic');
expect(data['loginUrl'] as string).toContain(data['pollToken'] as string);
// Verify Valkey was called
expect(mockRedis.set).toHaveBeenCalledOnce();
const [key, value, , ttl] = mockRedis.set.mock.calls[0] as [string, string, string, number];
expect(key).toContain('mosaic:auth:poll:');
const stored = JSON.parse(value) as { status: string; provider: string; userId: string };
expect(stored.status).toBe('pending');
expect(stored.provider).toBe('anthropic');
expect(stored.userId).toBe(userId);
expect(ttl).toBe(300);
});
// /provider with no args — returns usage
it('/provider with no args returns usage message', async () => {
const payload: SlashCommandPayload = { command: 'provider', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Usage: /provider');
});
// /provider list
it('/provider list returns success', async () => {
const payload: SlashCommandPayload = { command: 'provider', args: 'list', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('provider');
});
// /provider logout with no name — usage error
it('/provider logout with no name returns error', async () => {
const payload: SlashCommandPayload = { command: 'provider', args: 'logout', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('Usage: /provider logout');
});
// /provider unknown subcommand
it('/provider unknown subcommand returns error', async () => {
const payload: SlashCommandPayload = {
command: 'provider',
args: 'unknown',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('Unknown subcommand');
});
// /mission status
it('/mission status returns stub message', async () => {
const payload: SlashCommandPayload = { command: 'mission', args: 'status', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('mission');
expect(result.message).toContain('Mission status');
});
// /mission with no args
it('/mission with no args returns status stub', async () => {
const payload: SlashCommandPayload = { command: 'mission', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Mission status');
});
// /mission set <id>
it('/mission set <id> returns confirmation', async () => {
const payload: SlashCommandPayload = {
command: 'mission',
args: 'set my-mission-123',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('my-mission-123');
});
// /agent list
it('/agent list returns stub message', async () => {
const payload: SlashCommandPayload = { command: 'agent', args: 'list', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('agent');
expect(result.message).toContain('agent');
});
// /agent with no args
it('/agent with no args returns usage', async () => {
const payload: SlashCommandPayload = { command: 'agent', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Usage: /agent');
});
// /agent <id> — switch
it('/agent <id> returns switch confirmation', async () => {
const payload: SlashCommandPayload = {
command: 'agent',
args: 'my-agent-id',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('my-agent-id');
});
// /prdy
it('/prdy returns PRD wizard message', async () => {
const payload: SlashCommandPayload = { command: 'prdy', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('prdy');
expect(result.message).toContain('mosaic prdy');
});
// /tools
it('/tools returns tools stub message', async () => {
const payload: SlashCommandPayload = { command: 'tools', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('tools');
expect(result.message).toContain('tools');
});
});

586
apps/gateway/src/commands/command-executor.service.ts
View File

@@ -1,586 +0,0 @@
import { forwardRef, Inject, Injectable, Logger, Optional } from '@nestjs/common';
import type { QueueHandle } from '@mosaicstack/queue';
import type { Brain } from '@mosaicstack/brain';
import type { SlashCommandPayload, SlashCommandResultPayload } from '@mosaicstack/types';
import { AgentService } from '../agent/agent.service.js';
import { ChatGateway } from '../chat/chat.gateway.js';
import { SessionGCService } from '../gc/session-gc.service.js';
import { SystemOverrideService } from '../preferences/system-override.service.js';
import { ReloadService } from '../reload/reload.service.js';
import { McpClientService } from '../mcp-client/mcp-client.service.js';
import { BRAIN } from '../brain/brain.tokens.js';
import { COMMANDS_REDIS } from './commands.tokens.js';
import { CommandRegistryService } from './command-registry.service.js';
@Injectable()
export class CommandExecutorService {
private readonly logger = new Logger(CommandExecutorService.name);
constructor(
@Inject(CommandRegistryService) private readonly registry: CommandRegistryService,
@Inject(AgentService) private readonly agentService: AgentService,
@Inject(SystemOverrideService) private readonly systemOverride: SystemOverrideService,
@Inject(SessionGCService) private readonly sessionGC: SessionGCService,
@Inject(COMMANDS_REDIS) private readonly redis: QueueHandle['redis'],
@Inject(BRAIN) private readonly brain: Brain,
@Optional()
@Inject(forwardRef(() => ReloadService))
private readonly reloadService: ReloadService | null,
@Optional()
@Inject(forwardRef(() => ChatGateway))
private readonly chatGateway: ChatGateway | null,
@Optional()
@Inject(McpClientService)
private readonly mcpClient: McpClientService | null,
) {}
async execute(payload: SlashCommandPayload, userId: string): Promise<SlashCommandResultPayload> {
const { command, args, conversationId } = payload;
const def = this.registry.getManifest().commands.find((c) => c.name === command);
if (!def) {
return {
command,
conversationId,
success: false,
message: `Unknown command: /${command}`,
};
}
try {
switch (command) {
case 'model':
return await this.handleModel(args ?? null, conversationId);
case 'thinking':
return await this.handleThinking(args ?? null, conversationId);
case 'system':
return await this.handleSystem(args ?? null, conversationId);
case 'new':
return {
command,
conversationId,
success: true,
message: 'Start a new conversation by selecting New Conversation.',
};
case 'clear':
return {
command,
conversationId,
success: true,
message: 'Conversation display cleared.',
};
case 'compact':
return {
command,
conversationId,
success: true,
message: 'Context compaction requested.',
};
case 'retry':
return {
command,
conversationId,
success: true,
message: 'Retry last message requested.',
};
case 'gc': {
// Admin-only: system-wide GC sweep across all sessions
const result = await this.sessionGC.sweepOrphans();
return {
command: 'gc',
success: true,
message: `GC sweep complete: ${result.orphanedSessions} orphaned sessions cleaned in ${result.duration}ms.`,
conversationId,
};
}
case 'agent':
return await this.handleAgent(args ?? null, conversationId, userId);
case 'provider':
return await this.handleProvider(args ?? null, userId, conversationId);
case 'mission':
return await this.handleMission(args ?? null, conversationId, userId);
case 'prdy':
return {
command: 'prdy',
success: true,
message:
'PRD wizard: run `mosaic prdy` in your project workspace to create or update a PRD.',
conversationId,
};
case 'tools':
return await this.handleTools(conversationId, userId);
case 'mcp':
return await this.handleMcp(args ?? null, conversationId);
case 'reload': {
if (!this.reloadService) {
return {
command: 'reload',
conversationId,
success: false,
message: 'ReloadService is not available.',
};
}
const reloadResult = await this.reloadService.reload('command');
this.chatGateway?.broadcastReload(reloadResult);
return {
command: 'reload',
success: true,
message: reloadResult.message,
conversationId,
};
}
default:
return {
command,
conversationId,
success: false,
message: `Command /${command} is not yet implemented.`,
};
}
} catch (err) {
this.logger.error(`Command /${command} failed: ${err}`);
return { command, conversationId, success: false, message: String(err) };
}
}
private async handleModel(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args || args.trim().length === 0) {
// Show current override or usage hint
const currentOverride = this.chatGateway?.getModelOverride(conversationId);
if (currentOverride) {
return {
command: 'model',
conversationId,
success: true,
message: `Current model override: "${currentOverride}". Use /model <name> to change or /model clear to reset.`,
};
}
return {
command: 'model',
conversationId,
success: true,
message:
'Usage: /model <model-name> — sets a per-session model override (bypasses routing). Use /model clear to reset.',
};
}
const modelName = args.trim();
// /model clear removes the override and re-enables automatic routing
if (modelName === 'clear') {
this.chatGateway?.setModelOverride(conversationId, null);
return {
command: 'model',
conversationId,
success: true,
message: 'Model override cleared. Automatic routing will be used for new sessions.',
};
}
// Set the sticky per-session override (M4-007)
this.chatGateway?.setModelOverride(conversationId, modelName);
const session = this.agentService.getSession(conversationId);
if (!session) {
return {
command: 'model',
conversationId,
success: true,
message: `Model override set to "${modelName}". Will apply when a new session starts for this conversation.`,
};
}
return {
command: 'model',
conversationId,
success: true,
message: `Model override set to "${modelName}". The override is active for this conversation and will be used on the next message if a new session is needed.`,
};
}
private async handleThinking(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
const level = args?.toLowerCase();
if (!level || !['none', 'low', 'medium', 'high', 'auto'].includes(level)) {
return {
command: 'thinking',
conversationId,
success: true,
message: 'Usage: /thinking <none|low|medium|high|auto>',
};
}
return {
command: 'thinking',
conversationId,
success: true,
message: `Thinking level set to "${level}".`,
};
}
private async handleSystem(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args || args.trim().length === 0) {
// Clear the override when called with no args
await this.systemOverride.clear(conversationId);
return {
command: 'system',
conversationId,
success: true,
message: 'Session system prompt override cleared.',
};
}
await this.systemOverride.set(conversationId, args.trim());
return {
command: 'system',
conversationId,
success: true,
message: `Session system prompt override set (expires in 5 minutes of inactivity).`,
};
}
private async handleAgent(
args: string | null,
conversationId: string,
userId: string,
): Promise<SlashCommandResultPayload> {
if (!args) {
return {
command: 'agent',
success: true,
message:
'Usage: /agent <agent-id> | /agent list | /agent new <name> to create a new agent.',
conversationId,
};
}
if (args === 'list') {
return {
command: 'agent',
success: true,
message: 'Agent listing: use the web dashboard for full agent management.',
conversationId,
};
}
// M5-006: /agent new <name> — create a new agent config via brain.agents.create()
if (args.startsWith('new')) {
const namePart = args.slice(3).trim();
if (!namePart) {
return {
command: 'agent',
success: false,
message: 'Usage: /agent new <name> — provide a name for the new agent.',
conversationId,
};
}
try {
const defaultProvider = process.env['DEFAULT_PROVIDER'] ?? 'anthropic';
const defaultModel = process.env['DEFAULT_MODEL'] ?? 'claude-sonnet-4-5-20251001';
const newAgent = await this.brain.agents.create({
name: namePart,
provider: defaultProvider,
model: defaultModel,
status: 'idle',
ownerId: userId,
isSystem: false,
});
this.logger.log(`Created new agent "${newAgent.name}" (${newAgent.id}) for user ${userId}`);
return {
command: 'agent',
success: true,
message: `Agent "${newAgent.name}" created with ID: ${newAgent.id}. Configure it via the web dashboard.`,
conversationId,
data: { agentId: newAgent.id, agentName: newAgent.name },
};
} catch (err) {
this.logger.error(`Failed to create agent: ${err}`);
return {
command: 'agent',
success: false,
message: `Failed to create agent: ${String(err)}`,
conversationId,
};
}
}
// M5-003: Look up agent by name (or ID) and apply to session mid-conversation
const agentName = args.trim();
try {
// Try lookup by name first; fall back to ID-based lookup
let agentConfig = await this.brain.agents.findByName(agentName);
if (!agentConfig) {
// Try by ID (UUID-style input)
agentConfig = await this.brain.agents.findById(agentName);
}
if (!agentConfig) {
return {
command: 'agent',
success: false,
message: `Agent "${agentName}" not found. Use /agent list to see available agents.`,
conversationId,
};
}
// Apply the agent config to the live session and emit session:info (M5-003)
this.agentService.applyAgentConfig(
conversationId,
agentConfig.id,
agentConfig.name,
agentConfig.model ?? undefined,
);
// Broadcast updated session:info so TUI TopBar reflects new agent/model
this.chatGateway?.broadcastSessionInfo(conversationId, { agentName: agentConfig.name });
this.logger.log(
`Agent switched to "${agentConfig.name}" (${agentConfig.id}) for conversation ${conversationId} (M5-003)`,
);
return {
command: 'agent',
success: true,
message: `Switched to agent "${agentConfig.name}". System prompt and tools applied. Model: ${agentConfig.model ?? 'default'}.`,
conversationId,
data: { agentId: agentConfig.id, agentName: agentConfig.name, model: agentConfig.model },
};
} catch (err) {
this.logger.error(`Failed to switch agent "${agentName}": ${err}`);
return {
command: 'agent',
success: false,
message: `Failed to switch agent: ${String(err)}`,
conversationId,
};
}
}
private async handleProvider(
args: string | null,
userId: string,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args) {
return {
command: 'provider',
success: true,
message: 'Usage: /provider list | /provider login <name> | /provider logout <name>',
conversationId,
};
}
const spaceIdx = args.indexOf(' ');
const subcommand = spaceIdx >= 0 ? args.slice(0, spaceIdx) : args;
const providerName = spaceIdx >= 0 ? args.slice(spaceIdx + 1).trim() : '';
switch (subcommand) {
case 'list':
return {
command: 'provider',
success: true,
message: 'Use the web dashboard to manage providers.',
conversationId,
};
case 'login': {
if (!providerName) {
return {
command: 'provider',
success: false,
message: 'Usage: /provider login <provider-name>',
conversationId,
};
}
const pollToken = crypto.randomUUID();
const key = `mosaic:auth:poll:${pollToken}`;
// Store pending state in Valkey (TTL 5 minutes)
await this.redis.set(
key,
JSON.stringify({ status: 'pending', provider: providerName, userId }),
'EX',
300,
);
// In production this would construct an OAuth URL
const loginUrl = `${process.env['MOSAIC_BASE_URL'] ?? 'http://localhost:3000'}/auth/provider/${providerName}?token=${pollToken}`;
return {
command: 'provider',
success: true,
message: `Open this URL to authenticate with ${providerName}:\n${loginUrl}`,
conversationId,
data: { loginUrl, pollToken, provider: providerName },
};
}
case 'logout': {
if (!providerName) {
return {
command: 'provider',
success: false,
message: 'Usage: /provider logout <provider-name>',
conversationId,
};
}
return {
command: 'provider',
success: true,
message: `Logout from ${providerName}: use the web dashboard to revoke provider tokens.`,
conversationId,
};
}
default:
return {
command: 'provider',
success: false,
message: `Unknown subcommand: ${subcommand}. Use list, login, or logout.`,
conversationId,
};
}
}
private async handleMission(
args: string | null,
conversationId: string,
_userId: string,
): Promise<SlashCommandResultPayload> {
if (!args || args === 'status') {
// TODO: fetch active mission from DB when MissionsService is available
return {
command: 'mission',
success: true,
message: 'Mission status: use the web dashboard for full mission management.',
conversationId,
};
}
if (args.startsWith('set ')) {
const missionId = args.slice(4).trim();
return {
command: 'mission',
success: true,
message: `Mission set to ${missionId}. Session context updated.`,
conversationId,
};
}
return {
command: 'mission',
success: true,
message: 'Usage: /mission [status|set <id>|list|tasks]',
conversationId,
};
}
private async handleTools(
conversationId: string,
_userId: string,
): Promise<SlashCommandResultPayload> {
// TODO: fetch tool list from active agent session
return {
command: 'tools',
success: true,
message:
'Available tools depend on the active agent configuration. Use the web dashboard to configure tool access.',
conversationId,
};
}
private async handleMcp(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!this.mcpClient) {
return {
command: 'mcp',
conversationId,
success: false,
message: 'MCP client service is not available.',
};
}
const action = args?.trim().split(/\s+/)[0] ?? 'status';
switch (action) {
case 'status':
case 'servers': {
const statuses = this.mcpClient.getServerStatuses();
if (statuses.length === 0) {
return {
command: 'mcp',
conversationId,
success: true,
message:
'No MCP servers configured. Set MCP_SERVERS env var to connect external tool servers.',
};
}
const lines = ['MCP Server Status:\n'];
for (const s of statuses) {
const status = s.connected ? '✓ connected' : '✗ disconnected';
lines.push(` ${s.name}: ${status}`);
lines.push(` URL: ${s.url}`);
lines.push(` Tools: ${s.toolCount}`);
if (s.error) lines.push(` Error: ${s.error}`);
lines.push('');
}
const tools = this.mcpClient.getToolDefinitions();
if (tools.length > 0) {
lines.push(`Total bridged tools: ${tools.length}`);
lines.push(`Tool names: ${tools.map((t) => t.name).join(', ')}`);
}
return {
command: 'mcp',
conversationId,
success: true,
message: lines.join('\n'),
};
}
case 'reconnect': {
const serverName = args?.trim().split(/\s+/).slice(1).join(' ');
if (!serverName) {
return {
command: 'mcp',
conversationId,
success: false,
message: 'Usage: /mcp reconnect <server-name>',
};
}
try {
await this.mcpClient.reconnectServer(serverName);
return {
command: 'mcp',
conversationId,
success: true,
message: `MCP server "${serverName}" reconnected successfully.`,
};
} catch (err) {
return {
command: 'mcp',
conversationId,
success: false,
message: `Failed to reconnect MCP server "${serverName}": ${err instanceof Error ? err.message : String(err)}`,
};
}
}
default:
return {
command: 'mcp',
conversationId,
success: false,
message: `Unknown MCP action: "${action}". Use: /mcp status, /mcp servers, /mcp reconnect <name>`,
};
}
}
}

53
apps/gateway/src/commands/command-registry.service.spec.ts
View File

@@ -1,53 +0,0 @@
import { describe, it, expect, beforeEach } from 'vitest';
import { CommandRegistryService } from './command-registry.service.js';
import type { CommandDef } from '@mosaicstack/types';
const mockCmd: CommandDef = {
name: 'test',
description: 'Test command',
aliases: ['t'],
scope: 'core',
execution: 'local',
available: true,
};
describe('CommandRegistryService', () => {
let service: CommandRegistryService;
beforeEach(() => {
service = new CommandRegistryService();
});
it('starts with empty manifest', () => {
expect(service.getManifest().commands).toHaveLength(0);
});
it('registers a command', () => {
service.registerCommand(mockCmd);
expect(service.getManifest().commands).toHaveLength(1);
});
it('updates existing command by name', () => {
service.registerCommand(mockCmd);
service.registerCommand({ ...mockCmd, description: 'Updated' });
expect(service.getManifest().commands).toHaveLength(1);
expect(service.getManifest().commands[0]?.description).toBe('Updated');
});
it('onModuleInit registers core commands', () => {
service.onModuleInit();
const manifest = service.getManifest();
expect(manifest.commands.length).toBeGreaterThan(5);
expect(manifest.commands.some((c) => c.name === 'model')).toBe(true);
expect(manifest.commands.some((c) => c.name === 'help')).toBe(true);
});
it('manifest includes skills array', () => {
const manifest = service.getManifest();
expect(Array.isArray(manifest.skills)).toBe(true);
});
it('manifest version is 1', () => {
expect(service.getManifest().version).toBe(1);
});
});

290
apps/gateway/src/commands/command-registry.service.ts
View File

@@ -1,290 +0,0 @@
import { Injectable, type OnModuleInit } from '@nestjs/common';
import type { CommandDef, CommandManifest } from '@mosaicstack/types';
@Injectable()
export class CommandRegistryService implements OnModuleInit {
private readonly commands: CommandDef[] = [];
registerCommand(def: CommandDef): void {
const existing = this.commands.findIndex((c) => c.name === def.name);
if (existing >= 0) {
this.commands[existing] = def;
} else {
this.commands.push(def);
}
}
registerCommands(defs: CommandDef[]): void {
for (const def of defs) {
this.registerCommand(def);
}
}
getManifest(): CommandManifest {
return {
version: 1,
commands: [...this.commands],
skills: [],
};
}
onModuleInit(): void {
this.registerCommands([
{
name: 'model',
description: 'Switch the active model',
aliases: ['m'],
args: [
{
name: 'model-name',
type: 'string',
optional: false,
description: 'Model name to switch to',
},
],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'thinking',
description: 'Set thinking level (none/low/medium/high/auto)',
aliases: ['t'],
args: [
{
name: 'level',
type: 'enum',
optional: false,
values: ['none', 'low', 'medium', 'high', 'auto'],
description: 'Thinking level',
},
],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'new',
description: 'Start a new conversation',
aliases: ['n'],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'clear',
description: 'Clear conversation context and GC session artifacts',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'compact',
description: 'Request context compaction',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'retry',
description: 'Retry the last message',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'rename',
description: 'Rename current conversation',
aliases: [],
args: [
{ name: 'name', type: 'string', optional: false, description: 'New conversation name' },
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'history',
description: 'Show conversation history',
aliases: [],
args: [
{
name: 'limit',
type: 'string',
optional: true,
description: 'Number of messages to show',
},
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'export',
description: 'Export conversation to markdown or JSON',
aliases: [],
args: [
{
name: 'format',
type: 'enum',
optional: true,
values: ['md', 'json'],
description: 'Export format',
},
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'preferences',
description: 'View or set user preferences',
aliases: ['pref'],
args: [
{
name: 'action',
type: 'enum',
optional: true,
values: ['show', 'set', 'reset'],
description: 'Action to perform',
},
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'system',
description: 'Set session-scoped system prompt override',
aliases: [],
args: [
{
name: 'override',
type: 'string',
optional: false,
description: 'System prompt text to inject for this session',
},
],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'status',
description: 'Show session and connection status',
aliases: ['s'],
scope: 'core',
execution: 'hybrid',
available: true,
},
{
name: 'help',
description: 'Show available commands',
aliases: ['h'],
scope: 'core',
execution: 'local',
available: true,
},
{
name: 'gc',
description: 'Trigger garbage collection sweep (admin only — system-wide)',
aliases: [],
scope: 'admin',
execution: 'socket',
available: true,
},
{
name: 'agent',
description: 'Switch or list available agents',
aliases: ['a'],
args: [
{
name: 'args',
type: 'string',
optional: true,
description: 'list or <agent-id>',
},
],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'provider',
description: 'Manage LLM providers (list/login/logout)',
aliases: [],
args: [
{
name: 'args',
type: 'string',
optional: true,
description: 'list | login <name> | logout <name>',
},
],
scope: 'agent',
execution: 'hybrid',
available: true,
},
{
name: 'mission',
description: 'View or set active mission',
aliases: [],
args: [
{
name: 'args',
type: 'string',
optional: true,
description: 'status | set <id> | list | tasks',
},
],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'prdy',
description: 'Launch PRD wizard',
aliases: [],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'tools',
description: 'List available agent tools',
aliases: [],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'mcp',
description: 'Manage MCP server connections (status/reconnect/servers)',
aliases: [],
args: [
{
name: 'action',
type: 'enum',
optional: true,
values: ['status', 'reconnect', 'servers'],
description: 'Action: status (default), reconnect <name>, servers',
},
],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'reload',
description: 'Soft-reload gateway plugins and command manifest (admin)',
aliases: [],
scope: 'admin',
execution: 'socket',
available: true,
},
]);
}
}

263
apps/gateway/src/commands/commands.integration.spec.ts
View File

@@ -1,263 +0,0 @@
/**
* Integration tests for the gateway command system (P8-019)
*
* Covers:
* - CommandRegistryService.getManifest() returns 12+ core commands
* - All core commands have correct execution types
* - Alias resolution works for all defined aliases
* - CommandExecutorService routes known/unknown commands correctly
* - /gc handler calls SessionGCService.sweepOrphans
* - /system handler calls SystemOverrideService.set
* - Unknown command returns descriptive error
*/
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { CommandRegistryService } from './command-registry.service.js';
import { CommandExecutorService } from './command-executor.service.js';
import type { SlashCommandPayload } from '@mosaicstack/types';
// ─── Mocks ───────────────────────────────────────────────────────────────────
const mockAgentService = {
getSession: vi.fn(() => undefined),
};
const mockSystemOverride = {
set: vi.fn().mockResolvedValue(undefined),
get: vi.fn().mockResolvedValue(null),
clear: vi.fn().mockResolvedValue(undefined),
renew: vi.fn().mockResolvedValue(undefined),
};
const mockSessionGC = {
sweepOrphans: vi.fn().mockResolvedValue({ orphanedSessions: 3, totalCleaned: [], duration: 12 }),
};
const mockRedis = {
set: vi.fn().mockResolvedValue('OK'),
get: vi.fn().mockResolvedValue(null),
del: vi.fn().mockResolvedValue(0),
keys: vi.fn().mockResolvedValue([]),
};
const mockBrain = {
agents: {
findByName: vi.fn().mockResolvedValue(undefined),
findById: vi.fn().mockResolvedValue(undefined),
create: vi.fn(),
},
};
// ─── Helpers ─────────────────────────────────────────────────────────────────
function buildRegistry(): CommandRegistryService {
const svc = new CommandRegistryService();
svc.onModuleInit(); // seed core commands
return svc;
}
function buildExecutor(registry: CommandRegistryService): CommandExecutorService {
return new CommandExecutorService(
registry as never,
mockAgentService as never,
mockSystemOverride as never,
mockSessionGC as never,
mockRedis as never,
mockBrain as never,
null, // reloadService (optional)
null, // chatGateway (optional)
null, // mcpClient (optional)
);
}
// ─── Registry Tests ───────────────────────────────────────────────────────────
describe('CommandRegistryService — integration', () => {
let registry: CommandRegistryService;
beforeEach(() => {
registry = buildRegistry();
});
it('getManifest() returns 12 or more core commands after onModuleInit', () => {
const manifest = registry.getManifest();
expect(manifest.commands.length).toBeGreaterThanOrEqual(12);
});
it('manifest version is 1', () => {
expect(registry.getManifest().version).toBe(1);
});
it('manifest.skills is an array', () => {
expect(Array.isArray(registry.getManifest().skills)).toBe(true);
});
it('all commands have required fields: name, description, execution, scope, available', () => {
for (const cmd of registry.getManifest().commands) {
expect(typeof cmd.name).toBe('string');
expect(typeof cmd.description).toBe('string');
expect(['local', 'socket', 'rest', 'hybrid']).toContain(cmd.execution);
expect(['core', 'agent', 'admin']).toContain(cmd.scope);
expect(typeof cmd.available).toBe('boolean');
}
});
// Execution type verification for core commands
const expectedExecutionTypes: Record<string, string> = {
model: 'socket',
thinking: 'socket',
new: 'socket',
clear: 'socket',
compact: 'socket',
retry: 'socket',
rename: 'rest',
history: 'rest',
export: 'rest',
preferences: 'rest',
system: 'socket',
help: 'local',
gc: 'socket',
agent: 'socket',
provider: 'hybrid',
mission: 'socket',
prdy: 'socket',
tools: 'socket',
reload: 'socket',
};
for (const [name, expectedExecution] of Object.entries(expectedExecutionTypes)) {
it(`command "${name}" has execution type "${expectedExecution}"`, () => {
const cmd = registry.getManifest().commands.find((c) => c.name === name);
expect(cmd, `command "${name}" not found`).toBeDefined();
expect(cmd!.execution).toBe(expectedExecution);
});
}
// Alias resolution checks
const expectedAliases: Array<[string, string]> = [
['m', 'model'],
['t', 'thinking'],
['n', 'new'],
['a', 'agent'],
['s', 'status'],
['h', 'help'],
['pref', 'preferences'],
];
for (const [alias, commandName] of expectedAliases) {
it(`alias "/${alias}" resolves to command "${commandName}" via aliases array`, () => {
const cmd = registry
.getManifest()
.commands.find((c) => c.name === commandName || c.aliases?.includes(alias));
expect(cmd, `command with alias "${alias}" not found`).toBeDefined();
});
}
});
// ─── Executor Tests ───────────────────────────────────────────────────────────
describe('CommandExecutorService — integration', () => {
let registry: CommandRegistryService;
let executor: CommandExecutorService;
const userId = 'user-integ-001';
const conversationId = 'conv-integ-001';
beforeEach(() => {
vi.clearAllMocks();
registry = buildRegistry();
executor = buildExecutor(registry);
});
// Unknown command returns error
it('unknown command returns success:false with descriptive message', async () => {
const payload: SlashCommandPayload = { command: 'nonexistent', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('nonexistent');
expect(result.command).toBe('nonexistent');
});
// /gc handler calls SessionGCService.sweepOrphans (admin-only, no userId arg)
it('/gc calls SessionGCService.sweepOrphans without arguments', async () => {
const payload: SlashCommandPayload = { command: 'gc', conversationId };
const result = await executor.execute(payload, userId);
expect(mockSessionGC.sweepOrphans).toHaveBeenCalledWith();
expect(result.success).toBe(true);
expect(result.message).toContain('GC sweep complete');
expect(result.message).toContain('3 orphaned sessions');
});
// /system with args calls SystemOverrideService.set
it('/system with text calls SystemOverrideService.set', async () => {
const override = 'You are a helpful assistant.';
const payload: SlashCommandPayload = { command: 'system', args: override, conversationId };
const result = await executor.execute(payload, userId);
expect(mockSystemOverride.set).toHaveBeenCalledWith(conversationId, override);
expect(result.success).toBe(true);
expect(result.message).toContain('override set');
});
// /system with no args clears the override
it('/system with no args calls SystemOverrideService.clear', async () => {
const payload: SlashCommandPayload = { command: 'system', conversationId };
const result = await executor.execute(payload, userId);
expect(mockSystemOverride.clear).toHaveBeenCalledWith(conversationId);
expect(result.success).toBe(true);
expect(result.message).toContain('cleared');
});
// /model with model name returns success
it('/model with a model name returns success', async () => {
const payload: SlashCommandPayload = {
command: 'model',
args: 'claude-3-opus',
conversationId,
};
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('model');
expect(result.message).toContain('claude-3-opus');
});
// /thinking with valid level returns success
it('/thinking with valid level returns success', async () => {
const payload: SlashCommandPayload = { command: 'thinking', args: 'high', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('high');
});
// /thinking with invalid level returns usage message
it('/thinking with invalid level returns usage message', async () => {
const payload: SlashCommandPayload = { command: 'thinking', args: 'invalid', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Usage:');
});
// /new command returns success
it('/new returns success', async () => {
const payload: SlashCommandPayload = { command: 'new', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('new');
});
// /reload without reloadService returns failure
it('/reload without ReloadService returns failure', async () => {
const payload: SlashCommandPayload = { command: 'reload', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('ReloadService');
});
// Commands not yet fully implemented return a fallback response
const stubCommands = ['clear', 'compact', 'retry'];
for (const cmd of stubCommands) {
it(`/${cmd} returns success (stub)`, async () => {
const payload: SlashCommandPayload = { command: cmd, conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe(cmd);
});
}
});

37
apps/gateway/src/commands/commands.module.ts
View File

@@ -1,37 +0,0 @@
import { forwardRef, Inject, Module, type OnApplicationShutdown } from '@nestjs/common';
import { createQueue, type QueueHandle } from '@mosaicstack/queue';
import { ChatModule } from '../chat/chat.module.js';
import { GCModule } from '../gc/gc.module.js';
import { ReloadModule } from '../reload/reload.module.js';
import { CommandExecutorService } from './command-executor.service.js';
import { CommandRegistryService } from './command-registry.service.js';
import { COMMANDS_REDIS } from './commands.tokens.js';
const COMMANDS_QUEUE_HANDLE = 'COMMANDS_QUEUE_HANDLE';
@Module({
imports: [GCModule, forwardRef(() => ReloadModule), forwardRef(() => ChatModule)],
providers: [
{
provide: COMMANDS_QUEUE_HANDLE,
useFactory: (): QueueHandle => {
return createQueue();
},
},
{
provide: COMMANDS_REDIS,
useFactory: (handle: QueueHandle) => handle.redis,
inject: [COMMANDS_QUEUE_HANDLE],
},
CommandRegistryService,
CommandExecutorService,
],
exports: [CommandRegistryService, CommandExecutorService],
})
export class CommandsModule implements OnApplicationShutdown {
constructor(@Inject(COMMANDS_QUEUE_HANDLE) private readonly handle: QueueHandle) {}
async onApplicationShutdown(): Promise<void> {
await this.handle.close().catch(() => {});
}
}

1
apps/gateway/src/commands/commands.tokens.ts
View File

@@ -1 +0,0 @@
export const COMMANDS_REDIS = 'COMMANDS_REDIS';

16
apps/gateway/src/config/config.module.ts
View File

@@ -1,16 +0,0 @@
import { Global, Module } from '@nestjs/common';
import { loadConfig, type MosaicConfig } from '@mosaicstack/config';
export const MOSAIC_CONFIG = 'MOSAIC_CONFIG';
@Global()
@Module({
providers: [
{
provide: MOSAIC_CONFIG,
useFactory: (): MosaicConfig => loadConfig(),
},
],
exports: [MOSAIC_CONFIG],
})
export class ConfigModule {}

58
apps/gateway/src/conversations/conversations.controller.ts
View File

@@ -1,9 +1,7 @@
import { import {
BadRequestException,
Body, Body,
Controller, Controller,
Delete, Delete,
ForbiddenException,
Get, Get,
HttpCode, HttpCode,
HttpStatus, HttpStatus,
@@ -12,18 +10,17 @@ import {
Param, Param,
Patch, Patch,
Post, Post,
Query,
UseGuards, UseGuards,
} from '@nestjs/common'; } from '@nestjs/common';
import type { Brain } from '@mosaicstack/brain'; import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js'; import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js'; import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js'; import { CurrentUser } from '../auth/current-user.decorator.js';
import { assertOwner } from '../auth/resource-ownership.js';
import { import {
CreateConversationDto, CreateConversationDto,
UpdateConversationDto, UpdateConversationDto,
SendMessageDto, SendMessageDto,
SearchMessagesDto,
} from './conversations.dto.js'; } from './conversations.dto.js';
@Controller('api/conversations') @Controller('api/conversations')
@@ -36,21 +33,9 @@ export class ConversationsController {
return this.brain.conversations.findAll(user.id); return this.brain.conversations.findAll(user.id);
} }
@Get('search')
async search(@Query() dto: SearchMessagesDto, @CurrentUser() user: { id: string }) {
if (!dto.q || dto.q.trim().length === 0) {
throw new BadRequestException('Query parameter "q" is required and must not be empty');
}
const limit = dto.limit ?? 20;
const offset = dto.offset ?? 0;
return this.brain.conversations.searchMessages(user.id, dto.q.trim(), limit, offset);
}
@Get(':id') @Get(':id')
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) { async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const conversation = await this.brain.conversations.findById(id, user.id); return this.getOwnedConversation(id, user.id);
if (!conversation) throw new NotFoundException('Conversation not found');
return conversation;
} }
@Post() @Post()
@@ -68,7 +53,8 @@ export class ConversationsController {
@Body() dto: UpdateConversationDto, @Body() dto: UpdateConversationDto,
@CurrentUser() user: { id: string }, @CurrentUser() user: { id: string },
) { ) {
const conversation = await this.brain.conversations.update(id, user.id, dto); await this.getOwnedConversation(id, user.id);
const conversation = await this.brain.conversations.update(id, dto);
if (!conversation) throw new NotFoundException('Conversation not found'); if (!conversation) throw new NotFoundException('Conversation not found');
return conversation; return conversation;
} }
@@ -76,16 +62,15 @@ export class ConversationsController {
@Delete(':id') @Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) { async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const deleted = await this.brain.conversations.remove(id, user.id); await this.getOwnedConversation(id, user.id);
const deleted = await this.brain.conversations.remove(id);
if (!deleted) throw new NotFoundException('Conversation not found'); if (!deleted) throw new NotFoundException('Conversation not found');
} }
@Get(':id/messages') @Get(':id/messages')
async listMessages(@Param('id') id: string, @CurrentUser() user: { id: string }) { async listMessages(@Param('id') id: string, @CurrentUser() user: { id: string }) {
// Verify ownership explicitly to return a clear 404 rather than an empty list. await this.getOwnedConversation(id, user.id);
const conversation = await this.brain.conversations.findById(id, user.id); return this.brain.conversations.findMessages(id);
if (!conversation) throw new NotFoundException('Conversation not found');
return this.brain.conversations.findMessages(id, user.id);
} }
@Post(':id/messages') @Post(':id/messages')
@@ -94,16 +79,19 @@ export class ConversationsController {
@Body() dto: SendMessageDto, @Body() dto: SendMessageDto,
@CurrentUser() user: { id: string }, @CurrentUser() user: { id: string },
) { ) {
const message = await this.brain.conversations.addMessage( await this.getOwnedConversation(id, user.id);
{ return this.brain.conversations.addMessage({
conversationId: id, conversationId: id,
role: dto.role, role: dto.role,
content: dto.content, content: dto.content,
metadata: dto.metadata, metadata: dto.metadata,
}, });
user.id, }
);
if (!message) throw new ForbiddenException('Conversation not found or access denied'); private async getOwnedConversation(id: string, userId: string) {
return message; const conversation = await this.brain.conversations.findById(id);
if (!conversation) throw new NotFoundException('Conversation not found');
assertOwner(conversation.userId, userId, 'Conversation');
return conversation;
} }
} }

23
apps/gateway/src/conversations/conversations.dto.ts
View File

@@ -1,35 +1,12 @@
import { import {
IsBoolean, IsBoolean,
IsIn, IsIn,
IsInt,
IsObject, IsObject,
IsOptional, IsOptional,
IsString, IsString,
IsUUID, IsUUID,
Max,
MaxLength, MaxLength,
Min,
} from 'class-validator'; } from 'class-validator';
import { Type } from 'class-transformer';
export class SearchMessagesDto {
@IsString()
@MaxLength(500)
q!: string;
@IsOptional()
@Type(() => Number)
@IsInt()
@Min(1)
@Max(100)
limit?: number = 20;
@IsOptional()
@Type(() => Number)
@IsInt()
@Min(0)
offset?: number = 0;
}
export class CreateConversationDto { export class CreateConversationDto {
@IsOptional() @IsOptional()

136
apps/gateway/src/coord/coord.controller.ts
View File

@@ -1,17 +1,30 @@
import { import {
BadRequestException, BadRequestException,
Body,
Controller, Controller,
Delete,
Get, Get,
HttpCode,
HttpStatus,
Inject, Inject,
NotFoundException, NotFoundException,
Param, Param,
Patch,
Post,
Query, Query,
UseGuards, UseGuards,
} from '@nestjs/common'; } from '@nestjs/common';
import fs from 'node:fs'; import fs from 'node:fs';
import path from 'node:path'; import path from 'node:path';
import { AuthGuard } from '../auth/auth.guard.js'; import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { CoordService } from './coord.service.js'; import { CoordService } from './coord.service.js';
import type {
CreateDbMissionDto,
UpdateDbMissionDto,
CreateMissionTaskDto,
UpdateMissionTaskDto,
} from './coord.dto.js';
/** Walk up from cwd to find the monorepo root (has pnpm-workspace.yaml). */ /** Walk up from cwd to find the monorepo root (has pnpm-workspace.yaml). */
function findMonorepoRoot(start: string): string { function findMonorepoRoot(start: string): string {
@@ -44,15 +57,13 @@ function resolveAndValidatePath(raw: string | undefined): string {
return resolved; return resolved;
} }
/**
* File-based coord endpoints for agent tool consumption.
* DB-backed mission CRUD has moved to MissionsController at /api/missions.
*/
@Controller('api/coord') @Controller('api/coord')
@UseGuards(AuthGuard) @UseGuards(AuthGuard)
export class CoordController { export class CoordController {
constructor(@Inject(CoordService) private readonly coordService: CoordService) {} constructor(@Inject(CoordService) private readonly coordService: CoordService) {}
// ── File-based coord endpoints (legacy) ──
@Get('status') @Get('status')
async missionStatus(@Query('projectPath') projectPath?: string) { async missionStatus(@Query('projectPath') projectPath?: string) {
const resolvedPath = resolveAndValidatePath(projectPath); const resolvedPath = resolveAndValidatePath(projectPath);
@@ -74,4 +85,121 @@ export class CoordController {
if (!detail) throw new NotFoundException(`Task ${taskId} not found in coord mission`); if (!detail) throw new NotFoundException(`Task ${taskId} not found in coord mission`);
return detail; return detail;
} }
// ── DB-backed mission endpoints ──
@Get('missions')
async listDbMissions(@CurrentUser() user: { id: string }) {
return this.coordService.getMissionsByUser(user.id);
}
@Get('missions/:id')
async getDbMission(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const mission = await this.coordService.getMissionByIdAndUser(id, user.id);
if (!mission) throw new NotFoundException('Mission not found');
return mission;
}
@Post('missions')
async createDbMission(@Body() dto: CreateDbMissionDto, @CurrentUser() user: { id: string }) {
return this.coordService.createDbMission({
name: dto.name,
description: dto.description,
projectId: dto.projectId,
userId: user.id,
phase: dto.phase,
milestones: dto.milestones,
config: dto.config,
status: dto.status,
});
}
@Patch('missions/:id')
async updateDbMission(
@Param('id') id: string,
@Body() dto: UpdateDbMissionDto,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.updateDbMission(id, user.id, dto);
if (!mission) throw new NotFoundException('Mission not found');
return mission;
}
@Delete('missions/:id')
@HttpCode(HttpStatus.NO_CONTENT)
async deleteDbMission(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const deleted = await this.coordService.deleteDbMission(id, user.id);
if (!deleted) throw new NotFoundException('Mission not found');
}
// ── DB-backed mission task endpoints ──
@Get('missions/:missionId/mission-tasks')
async listMissionTasks(
@Param('missionId') missionId: string,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
return this.coordService.getMissionTasksByMissionAndUser(missionId, user.id);
}
@Get('missions/:missionId/mission-tasks/:taskId')
async getMissionTask(
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const task = await this.coordService.getMissionTaskByIdAndUser(taskId, user.id);
if (!task) throw new NotFoundException('Mission task not found');
return task;
}
@Post('missions/:missionId/mission-tasks')
async createMissionTask(
@Param('missionId') missionId: string,
@Body() dto: CreateMissionTaskDto,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
return this.coordService.createMissionTask({
missionId,
taskId: dto.taskId,
userId: user.id,
status: dto.status,
description: dto.description,
notes: dto.notes,
pr: dto.pr,
});
}
@Patch('missions/:missionId/mission-tasks/:taskId')
async updateMissionTask(
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@Body() dto: UpdateMissionTaskDto,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const updated = await this.coordService.updateMissionTask(taskId, user.id, dto);
if (!updated) throw new NotFoundException('Mission task not found');
return updated;
}
@Delete('missions/:missionId/mission-tasks/:taskId')
@HttpCode(HttpStatus.NO_CONTENT)
async deleteMissionTask(
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@CurrentUser() user: { id: string },
) {
const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const deleted = await this.coordService.deleteMissionTask(taskId, user.id);
if (!deleted) throw new NotFoundException('Mission task not found');
}
} }

76
apps/gateway/src/coord/coord.service.ts
View File

@@ -1,4 +1,6 @@
import { Injectable, Logger } from '@nestjs/common'; import { Injectable, Logger, Inject } from '@nestjs/common';
import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { import {
loadMission, loadMission,
getMissionStatus, getMissionStatus,
@@ -8,18 +10,16 @@ import {
type MissionStatusSummary, type MissionStatusSummary,
type MissionTask, type MissionTask,
type TaskDetail, type TaskDetail,
} from '@mosaicstack/coord'; } from '@mosaic/coord';
import { promises as fs } from 'node:fs'; import { promises as fs } from 'node:fs';
import path from 'node:path'; import path from 'node:path';
/**
* File-based coord operations for agent tool consumption.
* DB-backed mission CRUD is handled directly by MissionsController via Brain repos.
*/
@Injectable() @Injectable()
export class CoordService { export class CoordService {
private readonly logger = new Logger(CoordService.name); private readonly logger = new Logger(CoordService.name);
constructor(@Inject(BRAIN) private readonly brain: Brain) {}
async loadMission(projectPath: string): Promise<Mission | null> { async loadMission(projectPath: string): Promise<Mission | null> {
try { try {
return await loadMission(projectPath); return await loadMission(projectPath);
@@ -74,4 +74,68 @@ export class CoordService {
return []; return [];
} }
} }
// ── DB-backed methods for multi-tenant mission management ──
async getMissionsByUser(userId: string) {
return this.brain.missions.findAllByUser(userId);
}
async getMissionByIdAndUser(id: string, userId: string) {
return this.brain.missions.findByIdAndUser(id, userId);
}
async getMissionsByProjectAndUser(projectId: string, userId: string) {
return this.brain.missions.findByProjectAndUser(projectId, userId);
}
async createDbMission(data: Parameters<Brain['missions']['create']>[0]) {
return this.brain.missions.create(data);
}
async updateDbMission(
id: string,
userId: string,
data: Parameters<Brain['missions']['update']>[1],
) {
const existing = await this.brain.missions.findByIdAndUser(id, userId);
if (!existing) return null;
return this.brain.missions.update(id, data);
}
async deleteDbMission(id: string, userId: string) {
const existing = await this.brain.missions.findByIdAndUser(id, userId);
if (!existing) return false;
return this.brain.missions.remove(id);
}
// ── DB-backed methods for mission tasks (coord tracking) ──
async getMissionTasksByMissionAndUser(missionId: string, userId: string) {
return this.brain.missionTasks.findByMissionAndUser(missionId, userId);
}
async getMissionTaskByIdAndUser(id: string, userId: string) {
return this.brain.missionTasks.findByIdAndUser(id, userId);
}
async createMissionTask(data: Parameters<Brain['missionTasks']['create']>[0]) {
return this.brain.missionTasks.create(data);
}
async updateMissionTask(
id: string,
userId: string,
data: Parameters<Brain['missionTasks']['update']>[1],
) {
const existing = await this.brain.missionTasks.findByIdAndUser(id, userId);
if (!existing) return null;
return this.brain.missionTasks.update(id, data);
}
async deleteMissionTask(id: string, userId: string) {
const existing = await this.brain.missionTasks.findByIdAndUser(id, userId);
if (!existing) return false;
return this.brain.missionTasks.remove(id);
}
} }

75
apps/gateway/src/database/database.module.ts
View File

@@ -1,89 +1,28 @@
import { mkdirSync } from 'node:fs'; import { Global, Inject, Module, type OnApplicationShutdown } from '@nestjs/common';
import { homedir } from 'node:os'; import { createDb, type Db, type DbHandle } from '@mosaic/db';
import { join } from 'node:path';
import {
Global,
Inject,
Logger,
Module,
type OnApplicationShutdown,
type OnModuleInit,
} from '@nestjs/common';
import {
createDb,
createPgliteDb,
runPgliteMigrations,
type Db,
type DbHandle,
} from '@mosaicstack/db';
import { createStorageAdapter, type StorageAdapter } from '@mosaicstack/storage';
import type { MosaicConfig } from '@mosaicstack/config';
import { MOSAIC_CONFIG } from '../config/config.module.js';
export const DB_HANDLE = 'DB_HANDLE'; export const DB_HANDLE = 'DB_HANDLE';
export const DB = 'DB'; export const DB = 'DB';
export const STORAGE_ADAPTER = 'STORAGE_ADAPTER';
@Global() @Global()
@Module({ @Module({
providers: [ providers: [
{ {
provide: DB_HANDLE, provide: DB_HANDLE,
useFactory: (config: MosaicConfig): DbHandle => { useFactory: (): DbHandle => createDb(),
if (config.tier === 'local') {
const dataDir = join(homedir(), '.config', 'mosaic', 'gateway', 'pglite');
mkdirSync(dataDir, { recursive: true });
return createPgliteDb(dataDir);
}
return createDb(config.storage.type === 'postgres' ? config.storage.url : undefined);
},
inject: [MOSAIC_CONFIG],
}, },
{ {
provide: DB, provide: DB,
useFactory: (handle: DbHandle): Db => handle.db, useFactory: (handle: DbHandle): Db => handle.db,
inject: [DB_HANDLE], inject: [DB_HANDLE],
}, },
{
provide: STORAGE_ADAPTER,
useFactory: (config: MosaicConfig): StorageAdapter => createStorageAdapter(config.storage),
inject: [MOSAIC_CONFIG],
},
], ],
exports: [DB, STORAGE_ADAPTER], exports: [DB],
}) })
export class DatabaseModule implements OnApplicationShutdown, OnModuleInit { export class DatabaseModule implements OnApplicationShutdown {
private readonly logger = new Logger(DatabaseModule.name); constructor(@Inject(DB_HANDLE) private readonly handle: DbHandle) {}
constructor(
@Inject(DB_HANDLE) private readonly handle: DbHandle,
@Inject(STORAGE_ADAPTER) private readonly storageAdapter: StorageAdapter,
@Inject(MOSAIC_CONFIG) private readonly config: MosaicConfig,
) {}
// Migrations must complete before any module that injects DB starts serving
// requests. NestJS awaits onModuleInit before app.listen(), and modules that
// inject DB are initialized after this one — so all DB-dependent code sees a
// populated schema before the first HTTP request lands.
//
// Local (PGlite) tier: we run gateway-DB migrations explicitly here. The
// storage adapter writes to a separate PGlite directory and only manages its
// own KV tables, so we still call its migrate() afterwards.
//
// Postgres tier: PostgresAdapter.migrate() already calls runMigrations() on
// the same DATABASE_URL, so a single call covers both the gateway DB and
// the storage tables. We deliberately do NOT call runMigrations() here to
// avoid opening a second short-lived connection and doubling startup cost.
async onModuleInit(): Promise<void> {
if (this.config.tier === 'local') {
this.logger.log('Applying PGlite schema migrations...');
await runPgliteMigrations(this.handle);
}
this.logger.log(`Initializing storage adapter (${this.storageAdapter.name})...`);
await this.storageAdapter.migrate();
}
async onApplicationShutdown(): Promise<void> { async onApplicationShutdown(): Promise<void> {
await Promise.all([this.handle.close(), this.storageAdapter.close()]); await this.handle.close();
} }
} }

401
apps/gateway/src/federation/__tests__/enrollment.service.spec.ts
View File

@@ -1,401 +0,0 @@
/**
* Unit tests for EnrollmentService — federation enrollment token flow (FED-M2-07).
*
* Coverage:
* createToken:
* - inserts token row with correct grantId, peerId, and future expiresAt
* - returns { token, expiresAt } with a 64-char hex token
* - clamps ttlSeconds to 900
*
* redeem — error paths:
* - NotFoundException when token row not found
* - GoneException when token already used (usedAt set)
* - GoneException when token expired (expiresAt < now)
* - GoneException when grant status is not pending
*
* redeem — success path:
* - atomically claims token BEFORE cert issuance (claim → issueCert → tx)
* - calls CaService.issueCert with correct args
* - activates grant + updates peer + writes audit log inside a transaction
* - returns { certPem, certChainPem }
*
* redeem — replay protection:
* - GoneException when claim UPDATE returns empty array (concurrent request won)
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach, beforeAll } from 'vitest';
import { GoneException, NotFoundException } from '@nestjs/common';
import type { Db } from '@mosaicstack/db';
import { EnrollmentService } from '../enrollment.service.js';
import { makeSelfSignedCert } from './helpers/test-cert.js';
// ---------------------------------------------------------------------------
// Test constants
// ---------------------------------------------------------------------------
const GRANT_ID = 'g1111111-1111-1111-1111-111111111111';
const PEER_ID = 'p2222222-2222-2222-2222-222222222222';
const USER_ID = 'u3333333-3333-3333-3333-333333333333';
const TOKEN = 'a'.repeat(64); // 64-char hex
// Real self-signed EC P-256 cert — populated once in beforeAll.
// Required because EnrollmentService.extractCertNotAfter calls new X509Certificate(certPem)
// with strict parsing (PR #501 HIGH-2: no silent fallback).
let REAL_CERT_PEM: string;
const MOCK_CHAIN_PEM = () => REAL_CERT_PEM + REAL_CERT_PEM;
const MOCK_SERIAL = 'ABCD1234';
beforeAll(async () => {
REAL_CERT_PEM = await makeSelfSignedCert();
});
// ---------------------------------------------------------------------------
// Factory helpers
// ---------------------------------------------------------------------------
function makeTokenRow(overrides: Partial<Record<string, unknown>> = {}) {
return {
token: TOKEN,
grantId: GRANT_ID,
peerId: PEER_ID,
expiresAt: new Date(Date.now() + 60_000), // 1 min from now
usedAt: null,
createdAt: new Date(),
...overrides,
};
}
function makeGrant(overrides: Partial<Record<string, unknown>> = {}) {
return {
id: GRANT_ID,
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: { resources: ['tasks'], excluded_resources: [], max_rows_per_query: 100 },
status: 'pending',
expiresAt: null,
createdAt: new Date(),
revokedAt: null,
revokedReason: null,
...overrides,
};
}
// ---------------------------------------------------------------------------
// Mock DB builder
// ---------------------------------------------------------------------------
function makeDb({
tokenRows = [makeTokenRow()],
// claimedRows is returned by the .returning() on the token-claim UPDATE.
// Empty array = concurrent request won the race (GoneException).
claimedRows = [{ token: TOKEN }],
}: {
tokenRows?: unknown[];
claimedRows?: unknown[];
} = {}) {
// insert().values() — for createToken (outer db, not tx)
const insertValues = vi.fn().mockResolvedValue(undefined);
const insertMock = vi.fn().mockReturnValue({ values: insertValues });
// select().from().where().limit() — for fetching the token row
const limitSelect = vi.fn().mockResolvedValue(tokenRows);
const whereSelect = vi.fn().mockReturnValue({ limit: limitSelect });
const fromSelect = vi.fn().mockReturnValue({ where: whereSelect });
const selectMock = vi.fn().mockReturnValue({ from: fromSelect });
// update().set().where().returning() — for the atomic token claim (outer db)
const returningMock = vi.fn().mockResolvedValue(claimedRows);
const whereClaimUpdate = vi.fn().mockReturnValue({ returning: returningMock });
const setClaimMock = vi.fn().mockReturnValue({ where: whereClaimUpdate });
const claimUpdateMock = vi.fn().mockReturnValue({ set: setClaimMock });
// transaction(cb) — cb receives txMock; txMock has update + insert
//
// The tx mock must support two tx.update() call patterns (CRIT-2, PR #501):
// 1. Grant activation: .update().set().where().returning() → resolves to [{ id }]
// 2. Peer update: .update().set().where() → resolves to undefined
//
// We achieve this by making txWhereUpdate return an object with BOTH a thenable
// interface (so `await tx.update().set().where()` works) AND a .returning() method.
const txGrantActivatedRow = { id: GRANT_ID };
const txReturningMock = vi.fn().mockResolvedValue([txGrantActivatedRow]);
const txWhereUpdate = vi.fn().mockReturnValue({
// .returning() for grant activation (first tx.update call)
returning: txReturningMock,
// thenables so `await tx.update().set().where()` also works for peer update
then: (resolve: (v: undefined) => void) => resolve(undefined),
catch: () => undefined,
finally: () => undefined,
});
const txSetMock = vi.fn().mockReturnValue({ where: txWhereUpdate });
const txUpdateMock = vi.fn().mockReturnValue({ set: txSetMock });
const txInsertValues = vi.fn().mockResolvedValue(undefined);
const txInsertMock = vi.fn().mockReturnValue({ values: txInsertValues });
const txMock = { update: txUpdateMock, insert: txInsertMock };
const transactionMock = vi
.fn()
.mockImplementation(async (cb: (tx: typeof txMock) => Promise<void>) => cb(txMock));
return {
insert: insertMock,
select: selectMock,
update: claimUpdateMock,
transaction: transactionMock,
_mocks: {
insertValues,
insertMock,
limitSelect,
whereSelect,
fromSelect,
selectMock,
returningMock,
whereClaimUpdate,
setClaimMock,
claimUpdateMock,
txInsertValues,
txInsertMock,
txWhereUpdate,
txReturningMock,
txSetMock,
txUpdateMock,
txMock,
transactionMock,
},
};
}
// ---------------------------------------------------------------------------
// Mock CaService
// ---------------------------------------------------------------------------
function makeCaService() {
return {
// REAL_CERT_PEM is populated by beforeAll — safe to reference via closure here
// because makeCaService() is only called after the suite's beforeAll runs.
issueCert: vi.fn().mockImplementation(async () => ({
certPem: REAL_CERT_PEM,
certChainPem: MOCK_CHAIN_PEM(),
serialNumber: MOCK_SERIAL,
})),
};
}
// ---------------------------------------------------------------------------
// Mock GrantsService
// ---------------------------------------------------------------------------
function makeGrantsService(grantOverrides: Partial<Record<string, unknown>> = {}) {
return {
getGrant: vi.fn().mockResolvedValue(makeGrant(grantOverrides)),
activateGrant: vi.fn().mockResolvedValue(makeGrant({ status: 'active' })),
};
}
// ---------------------------------------------------------------------------
// Helper: build service under test
// ---------------------------------------------------------------------------
function buildService({
db = makeDb(),
caService = makeCaService(),
grantsService = makeGrantsService(),
}: {
db?: ReturnType<typeof makeDb>;
caService?: ReturnType<typeof makeCaService>;
grantsService?: ReturnType<typeof makeGrantsService>;
} = {}) {
return new EnrollmentService(db as unknown as Db, caService as never, grantsService as never);
}
// ---------------------------------------------------------------------------
// Tests: createToken
// ---------------------------------------------------------------------------
describe('EnrollmentService.createToken', () => {
it('inserts a token row and returns { token, expiresAt }', async () => {
const db = makeDb();
const service = buildService({ db });
const result = await service.createToken({
grantId: GRANT_ID,
peerId: PEER_ID,
ttlSeconds: 900,
});
expect(result.token).toHaveLength(64); // 32 bytes hex
expect(result.expiresAt).toBeDefined();
expect(new Date(result.expiresAt).getTime()).toBeGreaterThan(Date.now());
expect(db._mocks.insertValues).toHaveBeenCalledWith(
expect.objectContaining({ grantId: GRANT_ID, peerId: PEER_ID }),
);
});
it('clamps ttlSeconds to 900', async () => {
const db = makeDb();
const service = buildService({ db });
const before = Date.now();
const result = await service.createToken({
grantId: GRANT_ID,
peerId: PEER_ID,
ttlSeconds: 9999,
});
const after = Date.now();
const expiresMs = new Date(result.expiresAt).getTime();
// Should be at most 900s from now
expect(expiresMs - before).toBeLessThanOrEqual(900_000 + 100);
expect(expiresMs - after).toBeGreaterThanOrEqual(0);
});
});
// ---------------------------------------------------------------------------
// Tests: redeem — error paths
// ---------------------------------------------------------------------------
describe('EnrollmentService.redeem — error paths', () => {
it('throws NotFoundException when token row not found', async () => {
const db = makeDb({ tokenRows: [] });
const service = buildService({ db });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(NotFoundException);
});
it('throws GoneException when usedAt is set (already redeemed)', async () => {
const db = makeDb({ tokenRows: [makeTokenRow({ usedAt: new Date(Date.now() - 1000) })] });
const service = buildService({ db });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(GoneException);
});
it('throws GoneException when token has expired', async () => {
const db = makeDb({ tokenRows: [makeTokenRow({ expiresAt: new Date(Date.now() - 1000) })] });
const service = buildService({ db });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(GoneException);
});
it('throws GoneException when grant status is not pending', async () => {
const db = makeDb();
const grantsService = makeGrantsService({ status: 'active' });
const service = buildService({ db, grantsService });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(GoneException);
});
it('throws GoneException when token claim UPDATE returns empty array (concurrent replay)', async () => {
const db = makeDb({ claimedRows: [] });
const caService = makeCaService();
const grantsService = makeGrantsService();
const service = buildService({ db, caService, grantsService });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(GoneException);
});
it('does NOT call issueCert when token claim fails (no double minting)', async () => {
const db = makeDb({ claimedRows: [] });
const caService = makeCaService();
const service = buildService({ db, caService });
await expect(service.redeem(TOKEN, '---CSR---')).rejects.toBeInstanceOf(GoneException);
expect(caService.issueCert).not.toHaveBeenCalled();
});
});
// ---------------------------------------------------------------------------
// Tests: redeem — success path
// ---------------------------------------------------------------------------
describe('EnrollmentService.redeem — success path', () => {
let db: ReturnType<typeof makeDb>;
let caService: ReturnType<typeof makeCaService>;
let grantsService: ReturnType<typeof makeGrantsService>;
let service: EnrollmentService;
beforeEach(() => {
db = makeDb();
caService = makeCaService();
grantsService = makeGrantsService();
service = buildService({ db, caService, grantsService });
});
it('claims token BEFORE calling issueCert (prevents double minting)', async () => {
const callOrder: string[] = [];
db._mocks.returningMock.mockImplementation(async () => {
callOrder.push('claim');
return [{ token: TOKEN }];
});
caService.issueCert.mockImplementation(async () => {
callOrder.push('issueCert');
return { certPem: REAL_CERT_PEM, certChainPem: MOCK_CHAIN_PEM(), serialNumber: MOCK_SERIAL };
});
await service.redeem(TOKEN, '---CSR---');
expect(callOrder).toEqual(['claim', 'issueCert']);
});
it('calls CaService.issueCert with grantId, subjectUserId, csrPem, ttlSeconds=300', async () => {
await service.redeem(TOKEN, '---CSR---');
expect(caService.issueCert).toHaveBeenCalledWith(
expect.objectContaining({
grantId: GRANT_ID,
subjectUserId: USER_ID,
csrPem: '---CSR---',
ttlSeconds: 300,
}),
);
});
it('runs activate grant + peer update + audit inside a transaction', async () => {
await service.redeem(TOKEN, '---CSR---');
expect(db._mocks.transactionMock).toHaveBeenCalledOnce();
// tx.update called twice: activate grant + update peer
expect(db._mocks.txUpdateMock).toHaveBeenCalledTimes(2);
// tx.insert called once: audit log
expect(db._mocks.txInsertMock).toHaveBeenCalledOnce();
});
it('activates grant (sets status=active) inside the transaction', async () => {
await service.redeem(TOKEN, '---CSR---');
expect(db._mocks.txSetMock).toHaveBeenCalledWith(expect.objectContaining({ status: 'active' }));
});
it('updates the federationPeers row with certPem, certSerial, state=active inside the transaction', async () => {
await service.redeem(TOKEN, '---CSR---');
expect(db._mocks.txSetMock).toHaveBeenCalledWith(
expect.objectContaining({
certPem: REAL_CERT_PEM,
certSerial: MOCK_SERIAL,
state: 'active',
}),
);
});
it('inserts an audit log row inside the transaction', async () => {
await service.redeem(TOKEN, '---CSR---');
expect(db._mocks.txInsertValues).toHaveBeenCalledWith(
expect.objectContaining({
peerId: PEER_ID,
grantId: GRANT_ID,
verb: 'enrollment',
}),
);
});
it('returns { certPem, certChainPem } from CaService', async () => {
const result = await service.redeem(TOKEN, '---CSR---');
expect(result).toEqual({
certPem: REAL_CERT_PEM,
certChainPem: MOCK_CHAIN_PEM(),
});
});
});

212
apps/gateway/src/federation/__tests__/federation.controller.spec.ts
View File

@@ -1,212 +0,0 @@
/**
* Unit tests for FederationController (FED-M2-08).
*
* Coverage:
* - listGrants: delegates to GrantsService with query params
* - createGrant: delegates to GrantsService, validates body
* - generateToken: returns enrollmentUrl containing the token
* - listPeers: returns DB rows
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { NotFoundException } from '@nestjs/common';
import type { Db } from '@mosaicstack/db';
import { FederationController } from '../federation.controller.js';
import type { GrantsService } from '../grants.service.js';
import type { EnrollmentService } from '../enrollment.service.js';
// ---------------------------------------------------------------------------
// Constants
// ---------------------------------------------------------------------------
const GRANT_ID = 'g1111111-1111-1111-1111-111111111111';
const PEER_ID = 'p2222222-2222-2222-2222-222222222222';
const USER_ID = 'u3333333-3333-3333-3333-333333333333';
const MOCK_GRANT = {
id: GRANT_ID,
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: { resources: ['tasks'], operations: ['list'] },
status: 'pending' as const,
expiresAt: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
revokedAt: null,
revokedReason: null,
};
const MOCK_PEER = {
id: PEER_ID,
commonName: 'test-peer',
displayName: 'Test Peer',
certPem: '',
certSerial: 'pending',
certNotAfter: new Date(0),
clientKeyPem: null,
state: 'pending' as const,
endpointUrl: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
updatedAt: new Date('2026-01-01T00:00:00Z'),
};
// ---------------------------------------------------------------------------
// DB mock builder
// ---------------------------------------------------------------------------
function makeDbMock(rows: unknown[] = []) {
const orderBy = vi.fn().mockResolvedValue(rows);
const where = vi.fn().mockReturnValue({ orderBy });
const from = vi.fn().mockReturnValue({ where, orderBy });
const select = vi.fn().mockReturnValue({ from });
return {
select,
from,
where,
orderBy,
insert: vi.fn(),
update: vi.fn(),
delete: vi.fn(),
} as unknown as Db;
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
describe('FederationController', () => {
let db: Db;
let grantsService: GrantsService;
let enrollmentService: EnrollmentService;
let controller: FederationController;
beforeEach(() => {
db = makeDbMock([MOCK_PEER]);
grantsService = {
createGrant: vi.fn().mockResolvedValue(MOCK_GRANT),
getGrant: vi.fn().mockResolvedValue(MOCK_GRANT),
listGrants: vi.fn().mockResolvedValue([MOCK_GRANT]),
revokeGrant: vi.fn().mockResolvedValue({ ...MOCK_GRANT, status: 'revoked' }),
activateGrant: vi.fn(),
expireGrant: vi.fn(),
} as unknown as GrantsService;
enrollmentService = {
createToken: vi.fn().mockResolvedValue({
token: 'abc123def456abc123def456abc123def456abc123def456abc123def456ab12',
expiresAt: '2026-01-01T00:15:00.000Z',
}),
redeem: vi.fn(),
} as unknown as EnrollmentService;
controller = new FederationController(db, grantsService, enrollmentService);
});
// ─── Grant management ──────────────────────────────────────────────────
describe('listGrants', () => {
it('delegates to GrantsService with provided query params', async () => {
const query = { peerId: PEER_ID, status: 'pending' as const };
const result = await controller.listGrants(query);
expect(grantsService.listGrants).toHaveBeenCalledWith(query);
expect(result).toEqual([MOCK_GRANT]);
});
it('delegates to GrantsService with empty filters', async () => {
const result = await controller.listGrants({});
expect(grantsService.listGrants).toHaveBeenCalledWith({});
expect(result).toEqual([MOCK_GRANT]);
});
});
describe('createGrant', () => {
it('delegates to GrantsService and returns created grant', async () => {
const body = {
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: { resources: ['tasks'], operations: ['list'] },
};
const result = await controller.createGrant(body);
expect(grantsService.createGrant).toHaveBeenCalledWith(body);
expect(result).toEqual(MOCK_GRANT);
});
});
describe('getGrant', () => {
it('delegates to GrantsService with provided ID', async () => {
const result = await controller.getGrant(GRANT_ID);
expect(grantsService.getGrant).toHaveBeenCalledWith(GRANT_ID);
expect(result).toEqual(MOCK_GRANT);
});
});
describe('revokeGrant', () => {
it('delegates to GrantsService with id and reason', async () => {
const result = await controller.revokeGrant(GRANT_ID, { reason: 'test reason' });
expect(grantsService.revokeGrant).toHaveBeenCalledWith(GRANT_ID, 'test reason');
expect(result).toMatchObject({ status: 'revoked' });
});
it('delegates without reason when omitted', async () => {
await controller.revokeGrant(GRANT_ID, {});
expect(grantsService.revokeGrant).toHaveBeenCalledWith(GRANT_ID, undefined);
});
});
describe('generateToken', () => {
it('returns enrollmentUrl containing the token', async () => {
const token = 'abc123def456abc123def456abc123def456abc123def456abc123def456ab12';
vi.mocked(enrollmentService.createToken).mockResolvedValueOnce({
token,
expiresAt: '2026-01-01T00:15:00.000Z',
});
const result = await controller.generateToken(GRANT_ID, { ttlSeconds: 900 });
expect(result.token).toBe(token);
expect(result.enrollmentUrl).toContain(token);
expect(result.enrollmentUrl).toContain('/api/federation/enrollment/');
});
it('creates token via EnrollmentService with correct grantId and peerId', async () => {
await controller.generateToken(GRANT_ID, { ttlSeconds: 300 });
expect(enrollmentService.createToken).toHaveBeenCalledWith({
grantId: GRANT_ID,
peerId: PEER_ID,
ttlSeconds: 300,
});
});
it('throws NotFoundException when grant does not exist', async () => {
vi.mocked(grantsService.getGrant).mockRejectedValueOnce(
new NotFoundException(`Grant ${GRANT_ID} not found`),
);
await expect(controller.generateToken(GRANT_ID, { ttlSeconds: 900 })).rejects.toThrow(
NotFoundException,
);
});
});
// ─── Peer management ───────────────────────────────────────────────────
describe('listPeers', () => {
it('returns DB rows ordered by commonName', async () => {
const result = await controller.listPeers();
expect(db.select).toHaveBeenCalled();
// The DB mock resolves with [MOCK_PEER]
expect(result).toEqual([MOCK_PEER]);
});
});
});

351
apps/gateway/src/federation/__tests__/grants.service.spec.ts
View File

@@ -1,351 +0,0 @@
/**
* Unit tests for GrantsService — federation grants CRUD + status transitions (FED-M2-06).
*
* Coverage:
* - createGrant: validates scope via parseFederationScope
* - createGrant: inserts with status 'pending'
* - getGrant: returns grant when found
* - getGrant: throws NotFoundException when not found
* - listGrants: no filters returns all grants
* - listGrants: filters by peerId
* - listGrants: filters by subjectUserId
* - listGrants: filters by status
* - listGrants: multiple filters combined
* - activateGrant: pending → active works
* - activateGrant: non-pending throws ConflictException
* - revokeGrant: active → revoked works, sets revokedAt
* - revokeGrant: non-active throws ConflictException
* - expireGrant: active → expired works
* - expireGrant: non-active throws ConflictException
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { ConflictException, NotFoundException } from '@nestjs/common';
import type { Db } from '@mosaicstack/db';
import { GrantsService } from '../grants.service.js';
import { FederationScopeError } from '../scope-schema.js';
// ---------------------------------------------------------------------------
// Minimal valid federation scope for testing
// ---------------------------------------------------------------------------
const VALID_SCOPE = {
resources: ['tasks'] as const,
excluded_resources: [],
max_rows_per_query: 100,
};
const PEER_ID = 'a1111111-1111-1111-1111-111111111111';
const USER_ID = 'u2222222-2222-2222-2222-222222222222';
const GRANT_ID = 'g3333333-3333-3333-3333-333333333333';
// ---------------------------------------------------------------------------
// Build a mock DB that mimics chained Drizzle query builder calls
// ---------------------------------------------------------------------------
function makeMockGrant(overrides: Partial<Record<string, unknown>> = {}) {
return {
id: GRANT_ID,
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: VALID_SCOPE,
status: 'pending',
expiresAt: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
revokedAt: null,
revokedReason: null,
...overrides,
};
}
function makeDb(
overrides: {
insertReturning?: unknown[];
selectRows?: unknown[];
updateReturning?: unknown[];
} = {},
) {
const insertReturning = overrides.insertReturning ?? [makeMockGrant()];
const selectRows = overrides.selectRows ?? [makeMockGrant()];
const updateReturning = overrides.updateReturning ?? [makeMockGrant({ status: 'active' })];
// Drizzle returns a chainable builder; we need to mock the full chain.
const returningInsert = vi.fn().mockResolvedValue(insertReturning);
const valuesInsert = vi.fn().mockReturnValue({ returning: returningInsert });
const insertMock = vi.fn().mockReturnValue({ values: valuesInsert });
// select().from().where().limit()
const limitSelect = vi.fn().mockResolvedValue(selectRows);
const whereSelect = vi.fn().mockReturnValue({ limit: limitSelect });
// from returns something that is both thenable (for full-table select) and has .where()
const fromSelect = vi.fn().mockReturnValue({
where: whereSelect,
limit: limitSelect,
// Make it thenable for listGrants with no filters (await db.select().from(federationGrants))
then: (resolve: (v: unknown) => unknown) => resolve(selectRows),
});
const selectMock = vi.fn().mockReturnValue({ from: fromSelect });
const returningUpdate = vi.fn().mockResolvedValue(updateReturning);
const whereUpdate = vi.fn().mockReturnValue({ returning: returningUpdate });
const setMock = vi.fn().mockReturnValue({ where: whereUpdate });
const updateMock = vi.fn().mockReturnValue({ set: setMock });
return {
insert: insertMock,
select: selectMock,
update: updateMock,
// Expose internals for assertions
_mocks: {
insertReturning,
valuesInsert,
insertMock,
limitSelect,
whereSelect,
fromSelect,
selectMock,
returningUpdate,
whereUpdate,
setMock,
updateMock,
},
};
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
describe('GrantsService', () => {
let db: ReturnType<typeof makeDb>;
let service: GrantsService;
beforeEach(() => {
db = makeDb();
service = new GrantsService(db as unknown as Db);
});
// ─── createGrant ──────────────────────────────────────────────────────────
describe('createGrant', () => {
it('calls parseFederationScope — rejects an invalid scope', async () => {
const invalidScope = { resources: [], max_rows_per_query: 0 };
await expect(
service.createGrant({ peerId: PEER_ID, subjectUserId: USER_ID, scope: invalidScope }),
).rejects.toBeInstanceOf(FederationScopeError);
});
it('inserts a grant with status pending and returns it', async () => {
const result = await service.createGrant({
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: VALID_SCOPE,
});
expect(db._mocks.valuesInsert).toHaveBeenCalledWith(
expect.objectContaining({ status: 'pending', peerId: PEER_ID, subjectUserId: USER_ID }),
);
expect(result.status).toBe('pending');
});
it('passes expiresAt as a Date when provided', async () => {
await service.createGrant({
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: VALID_SCOPE,
expiresAt: '2027-01-01T00:00:00Z',
});
expect(db._mocks.valuesInsert).toHaveBeenCalledWith(
expect.objectContaining({ expiresAt: expect.any(Date) }),
);
});
it('sets expiresAt to null when not provided', async () => {
await service.createGrant({ peerId: PEER_ID, subjectUserId: USER_ID, scope: VALID_SCOPE });
expect(db._mocks.valuesInsert).toHaveBeenCalledWith(
expect.objectContaining({ expiresAt: null }),
);
});
});
// ─── getGrant ─────────────────────────────────────────────────────────────
describe('getGrant', () => {
it('returns the grant when found', async () => {
const result = await service.getGrant(GRANT_ID);
expect(result.id).toBe(GRANT_ID);
});
it('throws NotFoundException when no rows returned', async () => {
db = makeDb({ selectRows: [] });
service = new GrantsService(db as unknown as Db);
await expect(service.getGrant(GRANT_ID)).rejects.toBeInstanceOf(NotFoundException);
});
});
// ─── listGrants ───────────────────────────────────────────────────────────
describe('listGrants', () => {
it('queries without where clause when no filters provided', async () => {
const result = await service.listGrants({});
expect(Array.isArray(result)).toBe(true);
});
it('applies peerId filter', async () => {
await service.listGrants({ peerId: PEER_ID });
expect(db._mocks.whereSelect).toHaveBeenCalled();
});
it('applies subjectUserId filter', async () => {
await service.listGrants({ subjectUserId: USER_ID });
expect(db._mocks.whereSelect).toHaveBeenCalled();
});
it('applies status filter', async () => {
await service.listGrants({ status: 'active' });
expect(db._mocks.whereSelect).toHaveBeenCalled();
});
it('applies multiple filters combined', async () => {
await service.listGrants({ peerId: PEER_ID, status: 'pending' });
expect(db._mocks.whereSelect).toHaveBeenCalled();
});
});
// ─── activateGrant ────────────────────────────────────────────────────────
describe('activateGrant', () => {
it('transitions pending → active and returns updated grant', async () => {
db = makeDb({
selectRows: [makeMockGrant({ status: 'pending' })],
updateReturning: [makeMockGrant({ status: 'active' })],
});
service = new GrantsService(db as unknown as Db);
const result = await service.activateGrant(GRANT_ID);
expect(db._mocks.setMock).toHaveBeenCalledWith({ status: 'active' });
expect(result.status).toBe('active');
});
it('throws ConflictException when grant is already active', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'active' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.activateGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is revoked', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'revoked' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.activateGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is expired', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'expired' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.activateGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
});
// ─── revokeGrant ──────────────────────────────────────────────────────────
describe('revokeGrant', () => {
it('transitions active → revoked and sets revokedAt', async () => {
const revokedAt = new Date();
db = makeDb({
selectRows: [makeMockGrant({ status: 'active' })],
updateReturning: [makeMockGrant({ status: 'revoked', revokedAt })],
});
service = new GrantsService(db as unknown as Db);
const result = await service.revokeGrant(GRANT_ID, 'test reason');
expect(db._mocks.setMock).toHaveBeenCalledWith(
expect.objectContaining({
status: 'revoked',
revokedAt: expect.any(Date),
revokedReason: 'test reason',
}),
);
expect(result.status).toBe('revoked');
});
it('sets revokedReason to null when not provided', async () => {
db = makeDb({
selectRows: [makeMockGrant({ status: 'active' })],
updateReturning: [makeMockGrant({ status: 'revoked', revokedAt: new Date() })],
});
service = new GrantsService(db as unknown as Db);
await service.revokeGrant(GRANT_ID);
expect(db._mocks.setMock).toHaveBeenCalledWith(
expect.objectContaining({ revokedReason: null }),
);
});
it('throws ConflictException when grant is pending', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'pending' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.revokeGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is already revoked', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'revoked' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.revokeGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is expired', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'expired' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.revokeGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
});
// ─── expireGrant ──────────────────────────────────────────────────────────
describe('expireGrant', () => {
it('transitions active → expired and returns updated grant', async () => {
db = makeDb({
selectRows: [makeMockGrant({ status: 'active' })],
updateReturning: [makeMockGrant({ status: 'expired' })],
});
service = new GrantsService(db as unknown as Db);
const result = await service.expireGrant(GRANT_ID);
expect(db._mocks.setMock).toHaveBeenCalledWith({ status: 'expired' });
expect(result.status).toBe('expired');
});
it('throws ConflictException when grant is pending', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'pending' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.expireGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is already expired', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'expired' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.expireGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
it('throws ConflictException when grant is revoked', async () => {
db = makeDb({ selectRows: [makeMockGrant({ status: 'revoked' })] });
service = new GrantsService(db as unknown as Db);
await expect(service.expireGrant(GRANT_ID)).rejects.toBeInstanceOf(ConflictException);
});
});
});

138
apps/gateway/src/federation/__tests__/helpers/test-cert.ts
View File

@@ -1,138 +0,0 @@
/**
* Test helpers for generating real X.509 PEM certificates in unit tests.
*
* PR #501 (FED-M2-11) introduced strict `new X509Certificate(certPem)` parsing
* in both EnrollmentService.extractCertNotAfter and CaService.issueCert — dummy
* cert strings now throw `error:0680007B:asn1 encoding routines::header too long`.
*
* These helpers produce minimal but cryptographically valid self-signed EC P-256
* certificates via @peculiar/x509 + Node.js webcrypto, suitable for test mocks.
*
* Two variants:
* - makeSelfSignedCert() Plain cert — satisfies node:crypto X509Certificate parse.
* - makeMosaicIssuedCert(opts) Cert with custom Mosaic OID extensions — satisfies the
* CRIT-1 OID presence + value checks in CaService.issueCert.
*/
import { webcrypto } from 'node:crypto';
import {
X509CertificateGenerator,
Extension,
KeyUsagesExtension,
KeyUsageFlags,
BasicConstraintsExtension,
cryptoProvider,
} from '@peculiar/x509';
// ---------------------------------------------------------------------------
// Internal helpers
// ---------------------------------------------------------------------------
/**
* Encode a string as an ASN.1 UTF8String TLV:
* 0x0C (tag) + 1-byte length (for strings ≤ 127 bytes) + UTF-8 bytes.
*
* CaService.issueCert reads the extension value as:
* decoder.decode(grantIdExt.value.slice(2))
* i.e. it skips the tag + length byte and decodes the remainder as UTF-8.
* So we must produce exactly this encoding as the OCTET STRING content.
*/
function encodeUtf8String(value: string): Uint8Array {
const utf8 = new TextEncoder().encode(value);
if (utf8.length > 127) {
throw new Error('encodeUtf8String: value too long for single-byte length encoding');
}
const buf = new Uint8Array(2 + utf8.length);
buf[0] = 0x0c; // ASN.1 UTF8String tag
buf[1] = utf8.length;
buf.set(utf8, 2);
return buf;
}
// ---------------------------------------------------------------------------
// Mosaic OID constants (must match production CaService)
// ---------------------------------------------------------------------------
const OID_MOSAIC_GRANT_ID = '1.3.6.1.4.1.99999.1';
const OID_MOSAIC_SUBJECT_USER_ID = '1.3.6.1.4.1.99999.2';
// ---------------------------------------------------------------------------
// Public API
// ---------------------------------------------------------------------------
/**
* Generate a minimal self-signed EC P-256 certificate valid for 1 day.
* CN=harness-test, no custom extensions.
*
* Suitable for:
* - EnrollmentService.extractCertNotAfter (just needs parseable PEM)
* - Any mock that returns certPem / certChainPem without OID checks
*/
export async function makeSelfSignedCert(): Promise<string> {
// Ensure @peculiar/x509 uses Node.js webcrypto (available as globalThis.crypto in Node 19+,
// but we set it explicitly here to be safe on all Node 18+ versions).
cryptoProvider.set(webcrypto as unknown as Parameters<typeof cryptoProvider.set>[0]);
const alg = { name: 'ECDSA', namedCurve: 'P-256', hash: 'SHA-256' } as const;
const keys = await webcrypto.subtle.generateKey(alg, false, ['sign', 'verify']);
const now = new Date();
const tomorrow = new Date(now.getTime() + 86_400_000);
const cert = await X509CertificateGenerator.createSelfSigned({
serialNumber: '01',
name: 'CN=harness-test',
notBefore: now,
notAfter: tomorrow,
signingAlgorithm: alg,
keys,
extensions: [
new BasicConstraintsExtension(false),
new KeyUsagesExtension(KeyUsageFlags.digitalSignature),
],
});
return cert.toString('pem');
}
/**
* Generate a self-signed EC P-256 certificate that contains the two custom
* Mosaic OID extensions required by CaService.issueCert's CRIT-1 check:
* OID 1.3.6.1.4.1.99999.1 → mosaic_grant_id (value = grantId)
* OID 1.3.6.1.4.1.99999.2 → mosaic_subject_user_id (value = subjectUserId)
*
* The extension value encoding matches the production parser's `.slice(2)` assumption:
* each extension value is an OCTET STRING wrapping an ASN.1 UTF8String TLV.
*/
export async function makeMosaicIssuedCert(opts: {
grantId: string;
subjectUserId: string;
}): Promise<string> {
// Ensure @peculiar/x509 uses Node.js webcrypto.
cryptoProvider.set(webcrypto as unknown as Parameters<typeof cryptoProvider.set>[0]);
const alg = { name: 'ECDSA', namedCurve: 'P-256', hash: 'SHA-256' } as const;
const keys = await webcrypto.subtle.generateKey(alg, false, ['sign', 'verify']);
const now = new Date();
const tomorrow = new Date(now.getTime() + 86_400_000);
const cert = await X509CertificateGenerator.createSelfSigned({
serialNumber: '01',
name: 'CN=mosaic-issued-test',
notBefore: now,
notAfter: tomorrow,
signingAlgorithm: alg,
keys,
extensions: [
new BasicConstraintsExtension(false),
new KeyUsagesExtension(KeyUsageFlags.digitalSignature),
// mosaic_grant_id — OID 1.3.6.1.4.1.99999.1
new Extension(OID_MOSAIC_GRANT_ID, false, encodeUtf8String(opts.grantId)),
// mosaic_subject_user_id — OID 1.3.6.1.4.1.99999.2
new Extension(OID_MOSAIC_SUBJECT_USER_ID, false, encodeUtf8String(opts.subjectUserId)),
],
});
return cert.toString('pem');
}

63
apps/gateway/src/federation/__tests__/peer-key.spec.ts
View File

@@ -1,63 +0,0 @@
import { describe, it, expect, beforeEach, afterEach } from 'vitest';
import { sealClientKey, unsealClientKey } from '../peer-key.util.js';
const TEST_SECRET = 'test-secret-for-peer-key-unit-tests-only';
const TEST_PEM = `-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7o4qne60TB3wo
pCOW8QqstpxEBpnFo37JxLYEJbpE3gUlJajsHv9UWRQ7m5B7n+MBXwTCQqMEY8Wl
kHv9tGgz1YGwzBjNKxPJXE6pPTXQ1Oa0VB9l3qHdqF5HtZoJzE0c6dO8HJ5YUVL
-----END PRIVATE KEY-----`;
let savedSecret: string | undefined;
beforeEach(() => {
savedSecret = process.env['BETTER_AUTH_SECRET'];
process.env['BETTER_AUTH_SECRET'] = TEST_SECRET;
});
afterEach(() => {
if (savedSecret === undefined) {
delete process.env['BETTER_AUTH_SECRET'];
} else {
process.env['BETTER_AUTH_SECRET'] = savedSecret;
}
});
describe('peer-key seal/unseal', () => {
it('round-trip: unsealClientKey(sealClientKey(pem)) returns original pem', () => {
const sealed = sealClientKey(TEST_PEM);
const roundTripped = unsealClientKey(sealed);
expect(roundTripped).toBe(TEST_PEM);
});
it('non-determinism: sealClientKey produces different ciphertext each call', () => {
const sealed1 = sealClientKey(TEST_PEM);
const sealed2 = sealClientKey(TEST_PEM);
expect(sealed1).not.toBe(sealed2);
});
it('at-rest: sealed output does not contain plaintext PEM content', () => {
const sealed = sealClientKey(TEST_PEM);
expect(sealed).not.toContain('PRIVATE KEY');
expect(sealed).not.toContain(
'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7o4qne60TB3wo',
);
});
it('tamper: flipping a byte in the sealed payload causes unseal to throw', () => {
const sealed = sealClientKey(TEST_PEM);
const buf = Buffer.from(sealed, 'base64');
// Flip a byte in the middle of the buffer (past IV and authTag)
const midpoint = Math.floor(buf.length / 2);
buf[midpoint] = buf[midpoint]! ^ 0xff;
const tampered = buf.toString('base64');
expect(() => unsealClientKey(tampered)).toThrow();
});
it('missing secret: unsealClientKey throws when BETTER_AUTH_SECRET is unset', () => {
const sealed = sealClientKey(TEST_PEM);
delete process.env['BETTER_AUTH_SECRET'];
expect(() => unsealClientKey(sealed)).toThrow('BETTER_AUTH_SECRET is not set');
});
});

57
apps/gateway/src/federation/ca.dto.ts
View File

@@ -1,57 +0,0 @@
/**
* DTOs for the Step-CA client service (FED-M2-04).
*
* IssueCertRequestDto — input to CaService.issueCert()
* IssuedCertDto — output from CaService.issueCert()
*/
import { IsInt, IsNotEmpty, IsOptional, IsString, IsUUID, Max, Min } from 'class-validator';
export class IssueCertRequestDto {
/**
* PEM-encoded PKCS#10 Certificate Signing Request.
* The CSR must already include the desired SANs.
*/
@IsString()
@IsNotEmpty()
csrPem!: string;
/**
* UUID of the federation_grants row this certificate is being issued for.
* Embedded as the `mosaic_grant_id` custom OID extension.
*/
@IsUUID()
grantId!: string;
/**
* UUID of the local user on whose behalf the cert is being issued.
* Embedded as the `mosaic_subject_user_id` custom OID extension.
*/
@IsUUID()
subjectUserId!: string;
/**
* Requested certificate validity in seconds.
* Hard cap: 900 s (15 minutes). Default: 300 s (5 minutes).
* The service will always clamp to 900 s regardless of this value.
*/
@IsOptional()
@IsInt()
@Min(60)
@Max(15 * 60)
ttlSeconds: number = 300;
}
export class IssuedCertDto {
/** PEM-encoded leaf certificate returned by step-ca. */
certPem!: string;
/**
* PEM-encoded full certificate chain (leaf + intermediates + root).
* Falls back to `certPem` when step-ca returns no `certChain` field.
*/
certChainPem!: string;
/** Decimal serial number string of the issued certificate. */
serialNumber!: string;
}

592
apps/gateway/src/federation/ca.service.spec.ts
View File

@@ -1,592 +0,0 @@
/**
* Unit tests for CaService — Step-CA client (FED-M2-04).
*
* Coverage:
* - Happy path: returns IssuedCertDto with certPem, certChainPem, serialNumber
* - certChainPem fallback: falls back to certPem when certChain absent
* - certChainPem from ca field: uses crt+ca when certChain absent but ca present
* - HTTP 401: throws CaServiceError with cause + remediation
* - HTTP non-401 error: throws CaServiceError
* - Malformed CSR: throws before HTTP call (INVALID_CSR)
* - Non-JSON response: throws CaServiceError
* - HTTPS connection error: throws CaServiceError
* - JWT custom claims: mosaic_grant_id and mosaic_subject_user_id present in OTT payload
* verified with jose.jwtVerify (real signature check)
* - CaServiceError: has cause + remediation properties
* - Missing crt in response: throws CaServiceError
* - Real CSR validation: valid P-256 CSR passes; malformed CSR fails with INVALID_CSR
* - provisionerPassword never appears in CaServiceError messages
* - HTTPS-only enforcement: http:// URL throws in constructor
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach, beforeAll, type Mock } from 'vitest';
import { jwtVerify, exportJWK, generateKeyPair } from 'jose';
import { Pkcs10CertificateRequestGenerator } from '@peculiar/x509';
import { makeMosaicIssuedCert } from './__tests__/helpers/test-cert.js';
// ---------------------------------------------------------------------------
// Mock node:https BEFORE importing CaService so the mock is in place when
// the module is loaded. Vitest/ESM require vi.mock at the top level.
// ---------------------------------------------------------------------------
vi.mock('node:https', () => {
const mockRequest = vi.fn();
const mockAgent = vi.fn().mockImplementation(() => ({}));
return {
default: { request: mockRequest, Agent: mockAgent },
request: mockRequest,
Agent: mockAgent,
};
});
vi.mock('node:fs', () => {
const mockReadFileSync = vi
.fn()
.mockReturnValue('-----BEGIN CERTIFICATE-----\nFAKEROOT\n-----END CERTIFICATE-----\n');
return {
default: { readFileSync: mockReadFileSync },
readFileSync: mockReadFileSync,
};
});
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
// Real self-signed EC P-256 certificate generated with openssl for testing.
// openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout /dev/null \
// -out /dev/stdout -subj "/CN=test" -days 1
const FAKE_CERT_PEM = `-----BEGIN CERTIFICATE-----
MIIBdDCCARmgAwIBAgIUM+iUJSayN+PwXkyVN6qwSY7sr6gwCgYIKoZIzj0EAwIw
DzENMAsGA1UEAwwEdGVzdDAeFw0yNjA0MjIwMzE5MTlaFw0yNjA0MjMwMzE5MTla
MA8xDTALBgNVBAMMBHRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR21kHL
n1GmFQ4TEBw3EA53pD+2McIBf5WcoHE+x0eMz5DpRKJe0ksHwOVN5Yev5d57kb+4
MvG1LhbHCB/uQo8So1MwUTAdBgNVHQ4EFgQUPq0pdIGiQ7pLBRXICS8GTliCrLsw
HwYDVR0jBBgwFoAUPq0pdIGiQ7pLBRXICS8GTliCrLswDwYDVR0TAQH/BAUwAwEB
/zAKBggqhkjOPQQDAgNJADBGAiEAypJqyC6S77aQ3eEXokM6sgAsD7Oa3tJbCbVm
zG3uJb0CIQC1w+GE+Ad0OTR5Quja46R1RjOo8ydpzZ7Fh4rouAiwEw==
-----END CERTIFICATE-----
`;
// Use a second copy of the same cert for the CA field in tests.
const FAKE_CA_PEM = FAKE_CERT_PEM;
const GRANT_ID = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11';
const SUBJECT_USER_ID = 'b1ffcd00-0d1c-5f09-cc7e-7cc0ce491b22';
// Real self-signed cert containing both Mosaic OID extensions — populated in beforeAll.
// Required because CaService.issueCert performs CRIT-1 OID presence/value checks on the
// response cert (PR #501 — strict parsing, no silent fallback).
let realIssuedCertPem: string;
// ---------------------------------------------------------------------------
// Generate a real EC P-256 key pair and CSR for integration-style tests
// ---------------------------------------------------------------------------
// We generate this once at module level so it's available to all tests.
// The key pair and CSR PEM are populated asynchronously in the test that needs them.
let realCsrPem: string;
async function generateRealCsr(): Promise<string> {
const { privateKey, publicKey } = await generateKeyPair('ES256');
// Export public key JWK for potential verification (not used here but confirms key is exportable)
await exportJWK(publicKey);
// Use @peculiar/x509 to build a proper CSR
const csr = await Pkcs10CertificateRequestGenerator.create({
name: 'CN=test.federation.local',
signingAlgorithm: { name: 'ECDSA', hash: 'SHA-256' },
keys: { privateKey, publicKey },
});
return csr.toString('pem');
}
// ---------------------------------------------------------------------------
// Setup env before importing service
// We use an EC P-256 key pair here so the JWK-based signing works.
// The key pair is generated once and stored in module-level vars.
// ---------------------------------------------------------------------------
// Real EC P-256 test JWK (test-only, never used in production).
// Generated with node webcrypto for use in unit tests.
const TEST_EC_PRIVATE_JWK = {
key_ops: ['sign'],
ext: true,
kty: 'EC',
x: 'Xq2RjZctcPcUMU14qfjs3MtZTmFk8z1lFGQyypgXZOU',
y: 't8w9Cbt4RVmR47Wnb_i5cLwefEnMcvwse049zu9Rl_E',
crv: 'P-256',
d: 'TM6N79w1HE-PiML5Td4mbXfJaLHEaZrVyVrrwlJv7q8',
kid: 'test-ec-kid',
};
const TEST_EC_PUBLIC_JWK = {
key_ops: ['verify'],
ext: true,
kty: 'EC',
x: 'Xq2RjZctcPcUMU14qfjs3MtZTmFk8z1lFGQyypgXZOU',
y: 't8w9Cbt4RVmR47Wnb_i5cLwefEnMcvwse049zu9Rl_E',
crv: 'P-256',
kid: 'test-ec-kid',
};
process.env['STEP_CA_URL'] = 'https://step-ca:9000';
process.env['STEP_CA_PROVISIONER_KEY_JSON'] = JSON.stringify(TEST_EC_PRIVATE_JWK);
process.env['STEP_CA_ROOT_CERT_PATH'] = '/fake/root.pem';
// Import AFTER env is set and mocks are registered
import * as httpsModule from 'node:https';
import { CaService, CaServiceError } from './ca.service.js';
import type { IssueCertRequestDto } from './ca.dto.js';
// ---------------------------------------------------------------------------
// Helper to build a mock https.request that simulates step-ca
// ---------------------------------------------------------------------------
function makeHttpsMock(statusCode: number, body: unknown, errorMsg?: string): void {
const mockReq = {
write: vi.fn(),
end: vi.fn(),
on: vi.fn(),
setTimeout: vi.fn(),
};
(httpsModule.request as unknown as Mock).mockImplementation(
(
_options: unknown,
callback: (res: {
statusCode: number;
on: (event: string, cb: (chunk?: Buffer) => void) => void;
}) => void,
) => {
const mockRes = {
statusCode,
on: (event: string, cb: (chunk?: Buffer) => void) => {
if (event === 'data') {
if (body !== undefined) {
cb(Buffer.from(typeof body === 'string' ? body : JSON.stringify(body)));
}
}
if (event === 'end') {
cb();
}
},
};
if (errorMsg) {
// Simulate a connection error via the req.on('error') handler
mockReq.on.mockImplementation((event: string, cb: (err: Error) => void) => {
if (event === 'error') {
setImmediate(() => cb(new Error(errorMsg)));
}
});
} else {
// Normal flow: call the response callback
setImmediate(() => callback(mockRes));
}
return mockReq;
},
);
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
describe('CaService', () => {
let service: CaService;
beforeAll(async () => {
// Generate a cert with the two Mosaic OIDs so that CaService.issueCert's
// CRIT-1 OID checks pass when mock step-ca returns it as `crt`.
realIssuedCertPem = await makeMosaicIssuedCert({
grantId: GRANT_ID,
subjectUserId: SUBJECT_USER_ID,
});
});
beforeEach(() => {
vi.clearAllMocks();
service = new CaService();
});
function makeReq(overrides: Partial<IssueCertRequestDto> = {}): IssueCertRequestDto {
// Use a real CSR if available; fall back to a minimal placeholder
const defaultCsr = realCsrPem ?? makeFakeCsr();
return {
csrPem: defaultCsr,
grantId: GRANT_ID,
subjectUserId: SUBJECT_USER_ID,
ttlSeconds: 300,
...overrides,
};
}
function makeFakeCsr(): string {
// A structurally valid-looking CSR header/footer (body will fail crypto verify)
return `-----BEGIN CERTIFICATE REQUEST-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0000000000000000AAAA\n-----END CERTIFICATE REQUEST-----\n`;
}
// -------------------------------------------------------------------------
// Real CSR generation — runs once and populates realCsrPem
// -------------------------------------------------------------------------
it('generates a real P-256 CSR that passes validateCsr', async () => {
realCsrPem = await generateRealCsr();
expect(realCsrPem).toMatch(/BEGIN CERTIFICATE REQUEST/);
// Now test that the service's validateCsr accepts it.
// We call it indirectly via issueCert with a successful mock.
makeHttpsMock(200, { crt: realIssuedCertPem, certChain: [realIssuedCertPem, FAKE_CA_PEM] });
const result = await service.issueCert(makeReq({ csrPem: realCsrPem }));
expect(result.certPem).toBe(realIssuedCertPem);
});
it('throws INVALID_CSR for a malformed PEM-shaped CSR', async () => {
const malformedCsr =
'-----BEGIN CERTIFICATE REQUEST-----\nTm90QVJlYWxDU1I=\n-----END CERTIFICATE REQUEST-----\n';
await expect(service.issueCert(makeReq({ csrPem: malformedCsr }))).rejects.toSatisfy(
(err: unknown) => {
if (!(err instanceof CaServiceError)) return false;
expect(err.code).toBe('INVALID_CSR');
return true;
},
);
});
// -------------------------------------------------------------------------
// Happy path
// -------------------------------------------------------------------------
it('returns IssuedCertDto on success (certChain present)', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(200, {
crt: realIssuedCertPem,
certChain: [realIssuedCertPem, FAKE_CA_PEM],
});
const result = await service.issueCert(makeReq());
expect(result.certPem).toBe(realIssuedCertPem);
expect(result.certChainPem).toContain(realIssuedCertPem);
expect(result.certChainPem).toContain(FAKE_CA_PEM);
expect(typeof result.serialNumber).toBe('string');
});
// -------------------------------------------------------------------------
// certChainPem fallback — certChain absent, ca field present
// -------------------------------------------------------------------------
it('builds certChainPem from crt+ca when certChain is absent', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(200, {
crt: realIssuedCertPem,
ca: FAKE_CA_PEM,
});
const result = await service.issueCert(makeReq());
expect(result.certPem).toBe(realIssuedCertPem);
expect(result.certChainPem).toContain(realIssuedCertPem);
expect(result.certChainPem).toContain(FAKE_CA_PEM);
});
// -------------------------------------------------------------------------
// certChainPem fallback — no certChain, no ca field
// -------------------------------------------------------------------------
it('falls back to certPem alone when certChain and ca are absent', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(200, { crt: realIssuedCertPem });
const result = await service.issueCert(makeReq());
expect(result.certPem).toBe(realIssuedCertPem);
expect(result.certChainPem).toBe(realIssuedCertPem);
});
// -------------------------------------------------------------------------
// HTTP 401
// -------------------------------------------------------------------------
it('throws CaServiceError on HTTP 401', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(401, { message: 'Unauthorized' });
await expect(service.issueCert(makeReq())).rejects.toSatisfy((err: unknown) => {
if (!(err instanceof CaServiceError)) return false;
expect(err.message).toMatch(/401/);
expect(err.remediation).toBeTruthy();
return true;
});
});
// -------------------------------------------------------------------------
// HTTP non-401 error (e.g. 422)
// -------------------------------------------------------------------------
it('throws CaServiceError on HTTP 422', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(422, { message: 'Unprocessable Entity' });
await expect(service.issueCert(makeReq())).rejects.toBeInstanceOf(CaServiceError);
});
// -------------------------------------------------------------------------
// Malformed CSR — throws before HTTP call
// -------------------------------------------------------------------------
it('throws CaServiceError for malformed CSR without making HTTP call', async () => {
const requestSpy = vi.spyOn(httpsModule, 'request');
await expect(service.issueCert(makeReq({ csrPem: 'not-a-valid-csr' }))).rejects.toBeInstanceOf(
CaServiceError,
);
expect(requestSpy).not.toHaveBeenCalled();
});
// -------------------------------------------------------------------------
// Non-JSON response
// -------------------------------------------------------------------------
it('throws CaServiceError when step-ca returns non-JSON', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(200, 'this is not json');
await expect(service.issueCert(makeReq())).rejects.toSatisfy((err: unknown) => {
if (!(err instanceof CaServiceError)) return false;
expect(err.message).toMatch(/non-JSON/);
return true;
});
});
// -------------------------------------------------------------------------
// HTTPS connection error
// -------------------------------------------------------------------------
it('throws CaServiceError on HTTPS connection error', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(0, undefined, 'connect ECONNREFUSED 127.0.0.1:9000');
await expect(service.issueCert(makeReq())).rejects.toSatisfy((err: unknown) => {
if (!(err instanceof CaServiceError)) return false;
expect(err.message).toMatch(/HTTPS connection/);
expect(err.cause).toBeInstanceOf(Error);
return true;
});
});
// -------------------------------------------------------------------------
// JWT custom claims: mosaic_grant_id and mosaic_subject_user_id
// Verified with jose.jwtVerify for real signature verification (M6)
// -------------------------------------------------------------------------
it('OTT contains mosaic_grant_id, mosaic_subject_user_id, and jti; signature verifies with jose', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
let capturedBody: Record<string, unknown> | undefined;
const mockReq = {
write: vi.fn((data: string) => {
capturedBody = JSON.parse(data) as Record<string, unknown>;
}),
end: vi.fn(),
on: vi.fn(),
setTimeout: vi.fn(),
};
(httpsModule.request as unknown as Mock).mockImplementation(
(
_options: unknown,
callback: (res: {
statusCode: number;
on: (event: string, cb: (chunk?: Buffer) => void) => void;
}) => void,
) => {
const mockRes = {
statusCode: 200,
on: (event: string, cb: (chunk?: Buffer) => void) => {
if (event === 'data') {
cb(Buffer.from(JSON.stringify({ crt: realIssuedCertPem })));
}
if (event === 'end') {
cb();
}
},
};
setImmediate(() => callback(mockRes));
return mockReq;
},
);
await service.issueCert(makeReq({ csrPem: realCsrPem }));
expect(capturedBody).toBeDefined();
const ott = capturedBody!['ott'] as string;
expect(typeof ott).toBe('string');
// Verify JWT structure
const parts = ott.split('.');
expect(parts).toHaveLength(3);
// Decode payload without signature check first
const payloadJson = Buffer.from(parts[1]!, 'base64url').toString('utf8');
const payload = JSON.parse(payloadJson) as Record<string, unknown>;
expect(payload['mosaic_grant_id']).toBe(GRANT_ID);
expect(payload['mosaic_subject_user_id']).toBe(SUBJECT_USER_ID);
expect(typeof payload['jti']).toBe('string'); // M2: jti present
expect(payload['jti']).toMatch(/^[0-9a-f-]{36}$/); // UUID format
// M3: top-level sha should NOT be present; step.sha should be present
expect(payload['sha']).toBeUndefined();
const step = payload['step'] as Record<string, unknown> | undefined;
expect(step?.['sha']).toBeDefined();
// M6: Verify signature with jose.jwtVerify using the public key
const { importJWK: importJose } = await import('jose');
const publicKey = await importJose(TEST_EC_PUBLIC_JWK, 'ES256');
const verified = await jwtVerify(ott, publicKey);
expect(verified.payload['mosaic_grant_id']).toBe(GRANT_ID);
});
// -------------------------------------------------------------------------
// CaServiceError has cause + remediation
// -------------------------------------------------------------------------
it('CaServiceError carries cause and remediation', () => {
const cause = new Error('original error');
const err = new CaServiceError('something went wrong', 'fix it like this', cause);
expect(err).toBeInstanceOf(Error);
expect(err).toBeInstanceOf(CaServiceError);
expect(err.message).toBe('something went wrong');
expect(err.remediation).toBe('fix it like this');
expect(err.cause).toBe(cause);
expect(err.name).toBe('CaServiceError');
});
// -------------------------------------------------------------------------
// Missing crt in response
// -------------------------------------------------------------------------
it('throws CaServiceError when response is missing the crt field', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(200, { ca: FAKE_CA_PEM });
await expect(service.issueCert(makeReq())).rejects.toSatisfy((err: unknown) => {
if (!(err instanceof CaServiceError)) return false;
expect(err.message).toMatch(/missing the "crt" field/);
return true;
});
});
// -------------------------------------------------------------------------
// M6: provisionerPassword must never appear in CaServiceError messages
// -------------------------------------------------------------------------
it('provisionerPassword does not appear in any CaServiceError message', async () => {
// Temporarily set a recognizable password to test against
const originalPassword = process.env['STEP_CA_PROVISIONER_PASSWORD'];
process.env['STEP_CA_PROVISIONER_PASSWORD'] = 'super-secret-password-12345';
// Generate a bad CSR to trigger an error path
const caughtErrors: CaServiceError[] = [];
try {
await service.issueCert(makeReq({ csrPem: 'not-a-csr' }));
} catch (err) {
if (err instanceof CaServiceError) {
caughtErrors.push(err);
}
}
// Also try HTTP 401 path
if (!realCsrPem) realCsrPem = await generateRealCsr();
makeHttpsMock(401, { message: 'Unauthorized' });
try {
await service.issueCert(makeReq({ csrPem: realCsrPem }));
} catch (err) {
if (err instanceof CaServiceError) {
caughtErrors.push(err);
}
}
for (const err of caughtErrors) {
expect(err.message).not.toContain('super-secret-password-12345');
if (err.remediation) {
expect(err.remediation).not.toContain('super-secret-password-12345');
}
}
process.env['STEP_CA_PROVISIONER_PASSWORD'] = originalPassword;
});
// -------------------------------------------------------------------------
// M7: HTTPS-only enforcement in constructor
// -------------------------------------------------------------------------
it('throws in constructor if STEP_CA_URL uses http://', () => {
const originalUrl = process.env['STEP_CA_URL'];
process.env['STEP_CA_URL'] = 'http://step-ca:9000';
expect(() => new CaService()).toThrow(CaServiceError);
process.env['STEP_CA_URL'] = originalUrl;
});
// -------------------------------------------------------------------------
// TTL clamp: ttlSeconds is clamped to 900 s (15 min) maximum
// -------------------------------------------------------------------------
it('clamps ttlSeconds to 900 s regardless of input', async () => {
if (!realCsrPem) realCsrPem = await generateRealCsr();
let capturedBody: Record<string, unknown> | undefined;
const mockReq = {
write: vi.fn((data: string) => {
capturedBody = JSON.parse(data) as Record<string, unknown>;
}),
end: vi.fn(),
on: vi.fn(),
setTimeout: vi.fn(),
};
(httpsModule.request as unknown as Mock).mockImplementation(
(
_options: unknown,
callback: (res: {
statusCode: number;
on: (event: string, cb: (chunk?: Buffer) => void) => void;
}) => void,
) => {
const mockRes = {
statusCode: 200,
on: (event: string, cb: (chunk?: Buffer) => void) => {
if (event === 'data') {
cb(Buffer.from(JSON.stringify({ crt: realIssuedCertPem })));
}
if (event === 'end') {
cb();
}
},
};
setImmediate(() => callback(mockRes));
return mockReq;
},
);
// Request 86400 s — should be clamped to 900
await service.issueCert(makeReq({ ttlSeconds: 86400 }));
expect(capturedBody).toBeDefined();
const validity = capturedBody!['validity'] as Record<string, unknown>;
expect(validity['duration']).toBe('900s');
});
});

680
apps/gateway/src/federation/ca.service.ts
View File

@@ -1,680 +0,0 @@
/**
* CaService — Step-CA client for federation grant certificate issuance.
*
* Responsibilities:
* 1. Build a JWK-provisioner One-Time Token (OTT) signed with the provisioner
* private key (ES256/ES384/RS256 per JWK kty/crv) carrying Mosaic-specific
* claims (`mosaic_grant_id`, `mosaic_subject_user_id`, `step.sha`) per the
* step-ca JWK provisioner protocol.
* 2. POST the CSR + OTT to the step-ca `/1.0/sign` endpoint over HTTPS,
* pinning the trust to the CA root cert supplied via env.
* 3. Return an IssuedCertDto containing the leaf cert, full chain, and
* serial number.
*
* Environment variables (all required at runtime — validated in constructor):
* STEP_CA_URL https://step-ca:9000
* STEP_CA_PROVISIONER_KEY_JSON JWK provisioner private key (JSON)
* STEP_CA_ROOT_CERT_PATH Absolute path to the CA root PEM
*
* Optional (only used for JWK PBES2 decrypt at startup if key is encrypted):
* STEP_CA_PROVISIONER_PASSWORD JWK provisioner password (raw string)
*
* Custom OID registry (PRD §6, docs/federation/SETUP.md):
* 1.3.6.1.4.1.99999.1 — mosaic_grant_id
* 1.3.6.1.4.1.99999.2 — mosaic_subject_user_id
*
* Fail-loud contract:
* Every error path throws CaServiceError with a human-readable `remediation`
* field. Silent OID-stripping is NEVER allowed — if the sign response does
* not include the cert, we throw rather than return a cert that may be
* missing the custom extensions.
*/
import { Injectable, Logger } from '@nestjs/common';
import * as crypto from 'node:crypto';
import * as fs from 'node:fs';
import * as https from 'node:https';
import { SignJWT, importJWK } from 'jose';
import { Pkcs10CertificateRequest, X509Certificate } from '@peculiar/x509';
import type { IssueCertRequestDto } from './ca.dto.js';
import { IssuedCertDto } from './ca.dto.js';
// ---------------------------------------------------------------------------
// Custom error class
// ---------------------------------------------------------------------------
export class CaServiceError extends Error {
readonly cause: unknown;
readonly remediation: string;
readonly code?: string;
constructor(message: string, remediation: string, cause?: unknown, code?: string) {
super(message);
this.name = 'CaServiceError';
this.cause = cause;
this.remediation = remediation;
this.code = code;
}
}
// ---------------------------------------------------------------------------
// Internal types
// ---------------------------------------------------------------------------
interface StepSignResponse {
crt: string;
ca?: string;
certChain?: string[];
}
interface JwkKey {
kty: string;
kid?: string;
use?: string;
alg?: string;
k?: string; // symmetric
n?: string; // RSA
e?: string;
d?: string;
x?: string; // EC
y?: string;
crv?: string;
[key: string]: unknown;
}
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
/** UUID regex for validation */
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
/**
* Derive the JWT algorithm string from a JWK's kty/crv fields.
* EC P-256 → ES256, EC P-384 → ES384, RSA → RS256.
*/
function algFromJwk(jwk: JwkKey): string {
if (jwk.alg) return jwk.alg;
if (jwk.kty === 'EC') {
if (jwk.crv === 'P-384') return 'ES384';
return 'ES256'; // default for P-256 and Ed25519-style EC keys
}
if (jwk.kty === 'RSA') return 'RS256';
throw new CaServiceError(
`Unsupported JWK kty: ${jwk.kty}`,
'STEP_CA_PROVISIONER_KEY_JSON must be an EC (P-256/P-384) or RSA JWK private key.',
);
}
/**
* Compute SHA-256 fingerprint of the DER-encoded CSR body.
* step-ca uses this as the `step.sha` claim to bind the OTT to a specific CSR.
*/
function csrFingerprint(csrPem: string): string {
// Strip PEM headers and decode base64 body
const b64 = csrPem
.replace(/-----BEGIN CERTIFICATE REQUEST-----/, '')
.replace(/-----END CERTIFICATE REQUEST-----/, '')
.replace(/\s+/g, '');
let derBuf: Buffer;
try {
derBuf = Buffer.from(b64, 'base64');
} catch (err) {
throw new CaServiceError(
'Failed to base64-decode the CSR PEM body',
'Verify that csrPem is a valid PKCS#10 PEM-encoded certificate request.',
err,
);
}
if (derBuf.length === 0) {
throw new CaServiceError(
'CSR PEM decoded to empty buffer — malformed input',
'Provide a valid non-empty PKCS#10 PEM-encoded certificate request.',
);
}
return crypto.createHash('sha256').update(derBuf).digest('hex');
}
/**
* Send a JSON POST to the step-ca sign endpoint.
* Returns the parsed response body or throws CaServiceError.
*/
function httpsPost(url: string, body: unknown, agent: https.Agent): Promise<StepSignResponse> {
return new Promise((resolve, reject) => {
const bodyStr = JSON.stringify(body);
const parsed = new URL(url);
const options: https.RequestOptions = {
hostname: parsed.hostname,
port: parsed.port ? parseInt(parsed.port, 10) : 443,
path: parsed.pathname,
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(bodyStr),
},
agent,
timeout: 5000,
};
const req = https.request(options, (res) => {
const chunks: Buffer[] = [];
res.on('data', (chunk: Buffer) => chunks.push(chunk));
res.on('end', () => {
const raw = Buffer.concat(chunks).toString('utf8');
if (res.statusCode === 401) {
reject(
new CaServiceError(
`step-ca returned HTTP 401 — invalid or expired OTT`,
'Check STEP_CA_PROVISIONER_KEY_JSON. Ensure the mosaic-fed provisioner is configured in the CA.',
),
);
return;
}
if (res.statusCode && res.statusCode >= 400) {
reject(
new CaServiceError(
`step-ca returned HTTP ${res.statusCode}: ${raw.slice(0, 256)}`,
`Review the step-ca logs. Status ${res.statusCode} may indicate a CSR policy violation or misconfigured provisioner.`,
),
);
return;
}
let parsed: unknown;
try {
parsed = JSON.parse(raw) as unknown;
} catch (err) {
reject(
new CaServiceError(
'step-ca returned a non-JSON response',
'Verify STEP_CA_URL points to a running step-ca instance and that TLS is properly configured.',
err,
),
);
return;
}
resolve(parsed as StepSignResponse);
});
});
req.setTimeout(5000, () => {
req.destroy(new Error('Request timed out after 5000ms'));
});
req.on('error', (err: Error) => {
reject(
new CaServiceError(
`HTTPS connection to step-ca failed: ${err.message}`,
'Ensure STEP_CA_URL is reachable and STEP_CA_ROOT_CERT_PATH points to the correct CA root certificate.',
err,
),
);
});
req.write(bodyStr);
req.end();
});
}
/**
* Extract a decimal serial number from a PEM certificate.
* Throws CaServiceError on failure — never silently returns 'unknown'.
*/
function extractSerial(certPem: string): string {
let cert: crypto.X509Certificate;
try {
cert = new crypto.X509Certificate(certPem);
} catch (err) {
throw new CaServiceError(
'Failed to parse the issued certificate PEM',
'The certificate returned by step-ca could not be parsed. Check that step-ca is returning a valid PEM certificate.',
err,
'CERT_PARSE',
);
}
return cert.serialNumber;
}
// ---------------------------------------------------------------------------
// Service
// ---------------------------------------------------------------------------
@Injectable()
export class CaService {
private readonly logger = new Logger(CaService.name);
private readonly caUrl: string;
private readonly rootCertPath: string;
private readonly httpsAgent: https.Agent;
private readonly jwk: JwkKey;
private cachedPrivateKey: crypto.KeyObject | null = null;
private readonly jwtAlg: string;
private readonly kid: string;
constructor() {
const caUrl = process.env['STEP_CA_URL'];
const provisionerKeyJson = process.env['STEP_CA_PROVISIONER_KEY_JSON'];
const rootCertPath = process.env['STEP_CA_ROOT_CERT_PATH'];
if (!caUrl) {
throw new CaServiceError(
'STEP_CA_URL is not set',
'Set STEP_CA_URL to the base URL of the step-ca instance, e.g. https://step-ca:9000',
);
}
// Enforce HTTPS-only URL
let parsedUrl: URL;
try {
parsedUrl = new URL(caUrl);
} catch (err) {
throw new CaServiceError(
`STEP_CA_URL is not a valid URL: ${caUrl}`,
'Set STEP_CA_URL to a valid HTTPS URL, e.g. https://step-ca:9000',
err,
);
}
if (parsedUrl.protocol !== 'https:') {
throw new CaServiceError(
`STEP_CA_URL must use HTTPS — got: ${parsedUrl.protocol}`,
'Set STEP_CA_URL to an https:// URL. Unencrypted connections to the CA are not permitted.',
);
}
if (!provisionerKeyJson) {
throw new CaServiceError(
'STEP_CA_PROVISIONER_KEY_JSON is not set',
'Set STEP_CA_PROVISIONER_KEY_JSON to the JSON-encoded JWK for the mosaic-fed provisioner.',
);
}
if (!rootCertPath) {
throw new CaServiceError(
'STEP_CA_ROOT_CERT_PATH is not set',
'Set STEP_CA_ROOT_CERT_PATH to the absolute path of the step-ca root CA certificate PEM file.',
);
}
// Parse JWK once — do NOT store the raw JSON string as a class field
let jwk: JwkKey;
try {
jwk = JSON.parse(provisionerKeyJson) as JwkKey;
} catch (err) {
throw new CaServiceError(
'STEP_CA_PROVISIONER_KEY_JSON is not valid JSON',
'Set STEP_CA_PROVISIONER_KEY_JSON to the JSON-serialised JWK object for the mosaic-fed provisioner.',
err,
);
}
// Derive algorithm from JWK metadata
const jwtAlg = algFromJwk(jwk);
const kid = jwk.kid ?? 'mosaic-fed';
// Import the JWK into a native KeyObject — fail loudly if it cannot be loaded.
// We do this synchronously here by calling the async importJWK via a blocking workaround.
// Actually importJWK is async, so we store it for use during token building.
// We keep the raw jwk object for later async import inside buildOtt.
// NOTE: We do NOT store provisionerKeyJson string as a class field.
this.jwk = jwk;
this.jwtAlg = jwtAlg;
this.kid = kid;
this.caUrl = caUrl;
this.rootCertPath = rootCertPath;
// Read the root cert and pin it for all HTTPS connections.
let rootCert: string;
try {
rootCert = fs.readFileSync(this.rootCertPath, 'utf8');
} catch (err) {
throw new CaServiceError(
`Cannot read STEP_CA_ROOT_CERT_PATH: ${rootCertPath}`,
'Ensure the file exists and is readable by the gateway process.',
err,
);
}
this.httpsAgent = new https.Agent({
ca: rootCert,
rejectUnauthorized: true,
});
this.logger.log(`CaService initialised — CA URL: ${this.caUrl}`);
}
/**
* Lazily import the private key from JWK on first use.
* The key is cached in cachedPrivateKey after first import.
*/
private async getPrivateKey(): Promise<crypto.KeyObject> {
if (this.cachedPrivateKey !== null) return this.cachedPrivateKey;
try {
const key = await importJWK(this.jwk, this.jwtAlg);
// importJWK returns KeyLike (crypto.KeyObject | Uint8Array) — in Node.js it's KeyObject
this.cachedPrivateKey = key as unknown as crypto.KeyObject;
return this.cachedPrivateKey;
} catch (err) {
throw new CaServiceError(
'Failed to import STEP_CA_PROVISIONER_KEY_JSON as a cryptographic key',
'Ensure STEP_CA_PROVISIONER_KEY_JSON contains a valid JWK private key (EC P-256/P-384 or RSA).',
err,
);
}
}
/**
* Build the JWK-provisioner OTT signed with the provisioner private key.
* Algorithm is derived from the JWK kty/crv fields.
*/
private async buildOtt(params: {
csrPem: string;
grantId: string;
subjectUserId: string;
ttlSeconds: number;
csrCn: string;
}): Promise<string> {
const { csrPem, grantId, subjectUserId, ttlSeconds, csrCn } = params;
// Validate UUID shape for grant id and subject user id
if (!UUID_RE.test(grantId)) {
throw new CaServiceError(
`grantId is not a valid UUID: ${grantId}`,
'Provide a valid UUID (RFC 4122) for grantId.',
undefined,
'INVALID_GRANT_ID',
);
}
if (!UUID_RE.test(subjectUserId)) {
throw new CaServiceError(
`subjectUserId is not a valid UUID: ${subjectUserId}`,
'Provide a valid UUID (RFC 4122) for subjectUserId.',
undefined,
'INVALID_GRANT_ID',
);
}
const sha = csrFingerprint(csrPem);
const now = Math.floor(Date.now() / 1000);
const privateKey = await this.getPrivateKey();
const ott = await new SignJWT({
iss: this.kid,
sub: csrCn, // M1: set sub to identity from CSR CN
aud: [`${this.caUrl}/1.0/sign`],
iat: now,
nbf: now - 30, // 30 s clock-skew tolerance
exp: now + Math.min(ttlSeconds, 3600), // OTT validity ≤ 1 h
jti: crypto.randomUUID(), // M2: unique token ID
// step.sha is the canonical field name used in the template — M3: keep only step.sha
step: { sha },
// Mosaic custom claims consumed by federation.tpl
mosaic_grant_id: grantId,
mosaic_subject_user_id: subjectUserId,
})
.setProtectedHeader({ alg: this.jwtAlg, typ: 'JWT', kid: this.kid })
.sign(privateKey);
return ott;
}
/**
* Validate a PEM-encoded CSR using @peculiar/x509.
* Verifies the self-signature, key type/size, and signature algorithm.
* Optionally verifies that the CSR's SANs match the expected set.
*
* Throws CaServiceError with code 'INVALID_CSR' on failure.
*/
private async validateCsr(pem: string, expectedSans?: string[]): Promise<string> {
let csr: Pkcs10CertificateRequest;
try {
csr = new Pkcs10CertificateRequest(pem);
} catch (err) {
throw new CaServiceError(
'Failed to parse CSR PEM as a valid PKCS#10 certificate request',
'Provide a valid PEM-encoded PKCS#10 CSR.',
err,
'INVALID_CSR',
);
}
// Verify self-signature
let valid: boolean;
try {
valid = await csr.verify();
} catch (err) {
throw new CaServiceError(
'CSR signature verification threw an error',
'The CSR self-signature could not be verified. Ensure the CSR is properly formed.',
err,
'INVALID_CSR',
);
}
if (!valid) {
throw new CaServiceError(
'CSR self-signature is invalid',
'The CSR must be self-signed with the corresponding private key.',
undefined,
'INVALID_CSR',
);
}
// Validate signature algorithm — reject MD5 and SHA-1
// signatureAlgorithm is HashedAlgorithm which extends Algorithm.
// Cast through unknown to access .name and .hash.name without DOM lib globals.
const sigAlgAny = csr.signatureAlgorithm as unknown as {
name?: string;
hash?: { name?: string };
};
const sigAlgName = (sigAlgAny.name ?? '').toLowerCase();
const hashName = (sigAlgAny.hash?.name ?? '').toLowerCase();
if (
sigAlgName.includes('md5') ||
sigAlgName.includes('sha1') ||
hashName === 'sha-1' ||
hashName === 'sha1'
) {
throw new CaServiceError(
`CSR uses a forbidden signature algorithm: ${sigAlgAny.name ?? 'unknown'}`,
'Use SHA-256 or stronger. MD5 and SHA-1 are not permitted.',
undefined,
'INVALID_CSR',
);
}
// Validate public key algorithm and strength via the algorithm descriptor on the key.
// csr.publicKey.algorithm is type Algorithm (WebCrypto) — use name-based checks.
// We cast to an extended interface to access curve/modulus info without DOM globals.
const pubKeyAlgo = csr.publicKey.algorithm as {
name: string;
namedCurve?: string;
modulusLength?: number;
};
const keyAlgoName = pubKeyAlgo.name;
if (keyAlgoName === 'RSASSA-PKCS1-v1_5' || keyAlgoName === 'RSA-PSS') {
const modulusLength = pubKeyAlgo.modulusLength ?? 0;
if (modulusLength < 2048) {
throw new CaServiceError(
`CSR RSA key is too short: ${modulusLength} bits (minimum 2048)`,
'Use an RSA key of at least 2048 bits.',
undefined,
'INVALID_CSR',
);
}
} else if (keyAlgoName === 'ECDSA') {
const namedCurve = pubKeyAlgo.namedCurve ?? '';
const allowedCurves = new Set(['P-256', 'P-384']);
if (!allowedCurves.has(namedCurve)) {
throw new CaServiceError(
`CSR EC key uses disallowed curve: ${namedCurve}`,
'Use EC P-256 or P-384. Other curves are not permitted.',
undefined,
'INVALID_CSR',
);
}
} else if (keyAlgoName === 'Ed25519') {
// Ed25519 is explicitly allowed
} else {
throw new CaServiceError(
`CSR uses unsupported key algorithm: ${keyAlgoName}`,
'Use EC (P-256/P-384), Ed25519, or RSA (≥2048 bit) keys.',
undefined,
'INVALID_CSR',
);
}
// Extract SANs if expectedSans provided
if (expectedSans && expectedSans.length > 0) {
// Get SANs from CSR extensions
const sanExtension = csr.extensions?.find(
(ext) => ext.type === '2.5.29.17', // Subject Alternative Name OID
);
const csrSans: string[] = [];
if (sanExtension) {
// Parse the raw SAN extension — store as stringified for comparison
// @peculiar/x509 exposes SANs through the parsed extension
const sanExt = sanExtension as { names?: Array<{ type: string; value: string }> };
if (sanExt.names) {
for (const name of sanExt.names) {
csrSans.push(name.value);
}
}
}
const csrSanSet = new Set(csrSans);
const expectedSanSet = new Set(expectedSans);
const missing = expectedSans.filter((s) => !csrSanSet.has(s));
const extra = csrSans.filter((s) => !expectedSanSet.has(s));
if (missing.length > 0 || extra.length > 0) {
throw new CaServiceError(
`CSR SANs do not match expected set. Missing: [${missing.join(', ')}], Extra: [${extra.join(', ')}]`,
'The CSR must include exactly the SANs specified in the issuance request.',
undefined,
'INVALID_CSR',
);
}
}
// Return the CN from the CSR subject for use as JWT sub
const cn = csr.subjectName.getField('CN')?.[0] ?? '';
return cn;
}
/**
* Submit a CSR to step-ca and return the issued certificate.
*
* Throws `CaServiceError` on any failure (network, auth, malformed input).
* Never silently swallows errors — fail-loud is a hard contract per M2-02 review.
*/
async issueCert(req: IssueCertRequestDto): Promise<IssuedCertDto> {
// Clamp TTL to 15-minute maximum (H2)
const ttl = Math.min(req.ttlSeconds ?? 300, 900);
this.logger.debug(
`issueCert — grantId=${req.grantId} subjectUserId=${req.subjectUserId} ttl=${ttl}s`,
);
// Validate CSR — real cryptographic validation (H3)
const csrCn = await this.validateCsr(req.csrPem);
const ott = await this.buildOtt({
csrPem: req.csrPem,
grantId: req.grantId,
subjectUserId: req.subjectUserId,
ttlSeconds: ttl,
csrCn,
});
const signUrl = `${this.caUrl}/1.0/sign`;
const requestBody = {
csr: req.csrPem,
ott,
validity: {
duration: `${ttl}s`,
},
};
this.logger.debug(`Posting CSR to ${signUrl}`);
const response = await httpsPost(signUrl, requestBody, this.httpsAgent);
if (!response.crt) {
throw new CaServiceError(
'step-ca sign response missing the "crt" field',
'This is unexpected — the step-ca instance may be misconfigured or running an incompatible version.',
);
}
// Build certChainPem: prefer certChain array, fall back to ca field, fall back to crt alone.
let certChainPem: string;
if (response.certChain && response.certChain.length > 0) {
certChainPem = response.certChain.join('\n');
} else if (response.ca) {
certChainPem = response.crt + '\n' + response.ca;
} else {
certChainPem = response.crt;
}
const serialNumber = extractSerial(response.crt);
// CRIT-1: Verify the issued certificate contains both Mosaic OID extensions
// with the correct values. Step-CA's federation.tpl encodes each as an ASN.1
// UTF8String TLV: tag 0x0C + 1-byte length + UUID bytes. We skip 2 bytes
// (tag + length) to extract the raw UUID string.
const issuedCert = new X509Certificate(response.crt);
const decoder = new TextDecoder();
const grantIdExt = issuedCert.getExtension('1.3.6.1.4.1.99999.1');
if (!grantIdExt) {
throw new CaServiceError(
'Issued certificate is missing required Mosaic OID: mosaic_grant_id',
'The Step-CA federation.tpl template did not embed OID 1.3.6.1.4.1.99999.1. Check the provisioner template configuration.',
undefined,
'OID_MISSING',
);
}
const grantIdInCert = decoder.decode(grantIdExt.value.slice(2));
if (grantIdInCert !== req.grantId) {
throw new CaServiceError(
`Issued certificate mosaic_grant_id mismatch: expected ${req.grantId}, got ${grantIdInCert}`,
'The Step-CA issued a certificate with a different grant ID than requested. This may indicate a provisioner misconfiguration or a MITM.',
undefined,
'OID_MISMATCH',
);
}
const subjectUserIdExt = issuedCert.getExtension('1.3.6.1.4.1.99999.2');
if (!subjectUserIdExt) {
throw new CaServiceError(
'Issued certificate is missing required Mosaic OID: mosaic_subject_user_id',
'The Step-CA federation.tpl template did not embed OID 1.3.6.1.4.1.99999.2. Check the provisioner template configuration.',
undefined,
'OID_MISSING',
);
}
const subjectUserIdInCert = decoder.decode(subjectUserIdExt.value.slice(2));
if (subjectUserIdInCert !== req.subjectUserId) {
throw new CaServiceError(
`Issued certificate mosaic_subject_user_id mismatch: expected ${req.subjectUserId}, got ${subjectUserIdInCert}`,
'The Step-CA issued a certificate with a different subject user ID than requested. This may indicate a provisioner misconfiguration or a MITM.',
undefined,
'OID_MISMATCH',
);
}
this.logger.log(`Certificate issued — serial=${serialNumber} grantId=${req.grantId}`);
const result = new IssuedCertDto();
result.certPem = response.crt;
result.certChainPem = certChainPem;
result.serialNumber = serialNumber;
return result;
}
}

553
apps/gateway/src/federation/client/__tests__/federation-client.service.spec.ts
View File

@@ -1,553 +0,0 @@
/**
* Unit tests for FederationClientService (FED-M3-08).
*
* HTTP mocking strategy:
* undici MockAgent is used to intercept outbound HTTP requests. The service
* uses `undici.fetch` with a `dispatcher` option, so MockAgent is set as the
* global dispatcher and all requests flow through it.
*
* Because the service builds one `undici.Agent` per peer and passes it as
* the dispatcher on every fetch call, we cannot intercept at the Agent level
* in unit tests without significant refactoring. Instead, we set the global
* dispatcher to a MockAgent and override the service's `doRequest` indirection
* by spying on the internal fetch call.
*
* For the cert/key wiring, we use the real `sealClientKey` function from
* peer-key.util.ts with a test secret — no stubs.
*
* Sealed-key setup:
* Each test (or beforeAll) calls `sealClientKey(TEST_PRIVATE_KEY_PEM)` with
* BETTER_AUTH_SECRET set to a deterministic test value so that
* `unsealClientKey` in the service recovers the original PEM.
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach, afterEach, beforeAll, afterAll } from 'vitest';
import { MockAgent, setGlobalDispatcher, getGlobalDispatcher } from 'undici';
import type { Dispatcher } from 'undici';
import { writeFileSync, unlinkSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { join } from 'node:path';
import type { Db } from '@mosaicstack/db';
import { FederationClientService, FederationClientError } from '../federation-client.service.js';
import { sealClientKey } from '../../peer-key.util.js';
// ---------------------------------------------------------------------------
// Test constants
// ---------------------------------------------------------------------------
const TEST_SECRET = 'test-secret-for-federation-client-spec-only';
const PEER_ID = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
const ENDPOINT = 'https://peer.example.com';
// Minimal valid RSA/EC private key PEM — does NOT need to be a real key for
// unit tests because we only verify it round-trips through seal/unseal, not
// that it actually negotiates TLS (MockAgent handles that).
const TEST_PRIVATE_KEY_PEM = `-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDummyKeyForTests
-----END PRIVATE KEY-----`;
// Minimal self-signed cert PEM (dummy — only used for mTLS Agent construction)
const TEST_CERT_PEM = `-----BEGIN CERTIFICATE-----
MIIBdummyCertForFederationClientTests==
-----END CERTIFICATE-----`;
const TEST_CERT_SERIAL = 'ABCDEF1234567890';
// ---------------------------------------------------------------------------
// Sealed key (computed once in beforeAll)
// ---------------------------------------------------------------------------
let SEALED_KEY: string;
// Path to a stub Step-CA root cert file written in beforeAll. The cert is never
// actually used to negotiate TLS in unit tests (MockAgent + spy on resolveEntry
// short-circuit the network), but loadStepCaRoot() requires the file to exist.
const STUB_CA_PEM_PATH = join(tmpdir(), 'federation-client-spec-ca.pem');
const STUB_CA_PEM = `-----BEGIN CERTIFICATE-----
MIIBdummyCAforFederationClientSpecOnly==
-----END CERTIFICATE-----
`;
// ---------------------------------------------------------------------------
// Peer row factory
// ---------------------------------------------------------------------------
function makePeerRow(overrides: Partial<Record<string, unknown>> = {}) {
return {
id: PEER_ID,
commonName: 'peer-example-com',
displayName: 'Test Peer',
certPem: TEST_CERT_PEM,
certSerial: TEST_CERT_SERIAL,
certNotAfter: new Date('2030-01-01T00:00:00Z'),
clientKeyPem: SEALED_KEY,
state: 'active' as const,
endpointUrl: ENDPOINT,
lastSeenAt: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
revokedAt: null,
...overrides,
};
}
// ---------------------------------------------------------------------------
// Mock DB builder
// ---------------------------------------------------------------------------
function makeDb(selectRows: unknown[] = [makePeerRow()]): Db {
const limitSelect = vi.fn().mockResolvedValue(selectRows);
const whereSelect = vi.fn().mockReturnValue({ limit: limitSelect });
const fromSelect = vi.fn().mockReturnValue({ where: whereSelect });
const selectMock = vi.fn().mockReturnValue({ from: fromSelect });
return {
select: selectMock,
insert: vi.fn(),
update: vi.fn(),
delete: vi.fn(),
transaction: vi.fn(),
} as unknown as Db;
}
// ---------------------------------------------------------------------------
// Helpers for MockAgent HTTP interception
// ---------------------------------------------------------------------------
/**
* Create a MockAgent + MockPool for the peer endpoint, set it as the global
* dispatcher, and return both for per-test configuration.
*/
function makeMockAgent() {
const mockAgent = new MockAgent({ connections: 1 });
mockAgent.disableNetConnect();
setGlobalDispatcher(mockAgent);
const pool = mockAgent.get(ENDPOINT);
return { mockAgent, pool };
}
/**
* Build a FederationClientService with a mock DB and a spy on the internal
* fetch so we can intercept at the HTTP layer via MockAgent.
*
* The service calls `fetch(url, { dispatcher: agent })` where `agent` is the
* mTLS undici.Agent built from the peer's cert+key. To make MockAgent work,
* we need the fetch dispatcher to be the MockAgent, not the per-peer Agent.
*
* Strategy: we replace the private `resolveEntry` result's `agent` field with
* the MockAgent's pool, so fetch uses our interceptor. We do this by spying
* on `resolveEntry` and returning a controlled entry.
*/
function makeService(db: Db, mockPool: Dispatcher): FederationClientService {
const svc = new FederationClientService(db);
// Override resolveEntry to inject MockAgent pool as the dispatcher
vi.spyOn(
svc as unknown as { resolveEntry: (peerId: string) => Promise<unknown> },
'resolveEntry',
).mockImplementation(async (_peerId: string) => {
// Still call DB (via the real logic) to exercise peer validation,
// but return mock pool as the agent.
// For simplicity in unit tests, directly return a controlled entry.
return {
agent: mockPool,
endpointUrl: ENDPOINT,
certPem: TEST_CERT_PEM,
certSerial: TEST_CERT_SERIAL,
};
});
return svc;
}
// ---------------------------------------------------------------------------
// Test setup
// ---------------------------------------------------------------------------
let originalDispatcher: Dispatcher;
beforeAll(() => {
// Seal the test key once — requires BETTER_AUTH_SECRET
const saved = process.env['BETTER_AUTH_SECRET'];
process.env['BETTER_AUTH_SECRET'] = TEST_SECRET;
try {
SEALED_KEY = sealClientKey(TEST_PRIVATE_KEY_PEM);
} finally {
if (saved === undefined) {
delete process.env['BETTER_AUTH_SECRET'];
} else {
process.env['BETTER_AUTH_SECRET'] = saved;
}
}
writeFileSync(STUB_CA_PEM_PATH, STUB_CA_PEM, 'utf8');
});
afterAll(() => {
try {
unlinkSync(STUB_CA_PEM_PATH);
} catch {
// best-effort cleanup
}
});
beforeEach(() => {
originalDispatcher = getGlobalDispatcher();
process.env['BETTER_AUTH_SECRET'] = TEST_SECRET;
process.env['STEP_CA_ROOT_CERT_PATH'] = STUB_CA_PEM_PATH;
});
afterEach(() => {
setGlobalDispatcher(originalDispatcher);
vi.restoreAllMocks();
delete process.env['BETTER_AUTH_SECRET'];
delete process.env['STEP_CA_ROOT_CERT_PATH'];
});
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
/** Successful list response body */
const LIST_BODY = {
items: [{ id: '1', title: 'Task One' }],
nextCursor: undefined,
_partial: false,
};
/** Successful get response body */
const GET_BODY = {
item: { id: '1', title: 'Task One' },
_partial: false,
};
/** Successful capabilities response body */
const CAP_BODY = {
resources: ['tasks'],
excluded_resources: [],
max_rows_per_query: 100,
supported_verbs: ['list', 'get', 'capabilities'] as const,
};
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
describe('FederationClientService', () => {
// ─── Successful verb calls ─────────────────────────────────────────────────
describe('list()', () => {
it('returns parsed typed response on success', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool
.intercept({
path: '/api/federation/v1/list/tasks',
method: 'POST',
})
.reply(200, LIST_BODY, { headers: { 'content-type': 'application/json' } });
const result = await svc.list(PEER_ID, 'tasks', {});
expect(result.items).toHaveLength(1);
expect(result.items[0]).toMatchObject({ id: '1', title: 'Task One' });
await mockAgent.close();
});
});
describe('get()', () => {
it('returns parsed typed response on success', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool
.intercept({
path: '/api/federation/v1/get/tasks/1',
method: 'POST',
})
.reply(200, GET_BODY, { headers: { 'content-type': 'application/json' } });
const result = await svc.get(PEER_ID, 'tasks', '1', {});
expect(result.item).toMatchObject({ id: '1', title: 'Task One' });
await mockAgent.close();
});
});
describe('capabilities()', () => {
it('returns parsed capabilities response on success', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool
.intercept({
path: '/api/federation/v1/capabilities',
method: 'GET',
})
.reply(200, CAP_BODY, { headers: { 'content-type': 'application/json' } });
const result = await svc.capabilities(PEER_ID);
expect(result.resources).toContain('tasks');
expect(result.max_rows_per_query).toBe(100);
await mockAgent.close();
});
});
// ─── HTTP error surfaces ──────────────────────────────────────────────────
describe('non-2xx responses', () => {
it('surfaces 403 as FederationClientError({ status: 403, code: "FORBIDDEN" })', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool.intercept({ path: '/api/federation/v1/list/tasks', method: 'POST' }).reply(
403,
{ error: { code: 'forbidden', message: 'Access denied' } },
{
headers: { 'content-type': 'application/json' },
},
);
await expect(svc.list(PEER_ID, 'tasks', {})).rejects.toMatchObject({
status: 403,
code: 'FORBIDDEN',
peerId: PEER_ID,
});
await mockAgent.close();
});
it('surfaces 404 as FederationClientError({ status: 404, code: "HTTP_404" })', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool.intercept({ path: '/api/federation/v1/get/tasks/999', method: 'POST' }).reply(
404,
{ error: { code: 'not_found', message: 'Not found' } },
{
headers: { 'content-type': 'application/json' },
},
);
await expect(svc.get(PEER_ID, 'tasks', '999', {})).rejects.toMatchObject({
status: 404,
code: 'HTTP_404',
peerId: PEER_ID,
});
await mockAgent.close();
});
});
// ─── Network error ─────────────────────────────────────────────────────────
describe('network errors', () => {
it('surfaces network error as FederationClientError({ code: "NETWORK" })', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool
.intercept({ path: '/api/federation/v1/capabilities', method: 'GET' })
.replyWithError(new Error('ECONNREFUSED'));
await expect(svc.capabilities(PEER_ID)).rejects.toMatchObject({
code: 'NETWORK',
peerId: PEER_ID,
});
await mockAgent.close();
});
});
// ─── Invalid response body ─────────────────────────────────────────────────
describe('invalid response body', () => {
it('surfaces as FederationClientError({ code: "INVALID_RESPONSE" }) when body shape is wrong', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
// capabilities returns wrong shape (missing required fields)
pool
.intercept({ path: '/api/federation/v1/capabilities', method: 'GET' })
.reply(200, { totally: 'wrong' }, { headers: { 'content-type': 'application/json' } });
await expect(svc.capabilities(PEER_ID)).rejects.toMatchObject({
code: 'INVALID_RESPONSE',
peerId: PEER_ID,
});
await mockAgent.close();
});
});
// ─── Peer DB validation ────────────────────────────────────────────────────
describe('peer validation (without resolveEntry spy)', () => {
/**
* These tests exercise the real `resolveEntry` path — no spy on resolveEntry.
*/
it('throws PEER_NOT_FOUND when peer is not in DB', async () => {
// DB returns empty array (peer not found)
const db = makeDb([]);
const svc = new FederationClientService(db);
await expect(svc.capabilities(PEER_ID)).rejects.toMatchObject({
code: 'PEER_NOT_FOUND',
peerId: PEER_ID,
});
});
it('throws PEER_INACTIVE when peer state is not "active"', async () => {
const db = makeDb([makePeerRow({ state: 'suspended' })]);
const svc = new FederationClientService(db);
await expect(svc.capabilities(PEER_ID)).rejects.toMatchObject({
code: 'PEER_INACTIVE',
peerId: PEER_ID,
});
});
});
// ─── Cache behaviour ───────────────────────────────────────────────────────
describe('cache behaviour', () => {
it('hits cache on second call — only one DB lookup happens', async () => {
// Verify cache by calling the private resolveEntry directly twice and
// asserting the DB was queried only once. This avoids the HTTP layer,
// which would require either a real network or per-peer Agent rewiring
// that the cache invariant doesn't depend on.
const db = makeDb();
const selectSpy = vi.spyOn(db, 'select');
const svc = new FederationClientService(db);
const resolveEntry = (
svc as unknown as { resolveEntry: (peerId: string) => Promise<unknown> }
).resolveEntry.bind(svc);
const first = await resolveEntry(PEER_ID);
const second = await resolveEntry(PEER_ID);
expect(first).toBe(second);
expect(selectSpy).toHaveBeenCalledTimes(1);
});
it('serializes concurrent resolveEntry calls — only one DB lookup', async () => {
const db = makeDb();
const selectSpy = vi.spyOn(db, 'select');
const svc = new FederationClientService(db);
const resolveEntry = (
svc as unknown as {
resolveEntry: (peerId: string) => Promise<unknown>;
}
).resolveEntry.bind(svc);
const [a, b] = await Promise.all([resolveEntry(PEER_ID), resolveEntry(PEER_ID)]);
expect(a).toBe(b);
expect(selectSpy).toHaveBeenCalledTimes(1);
});
it('flushPeer destroys the evicted Agent so old TLS connections close', async () => {
const db = makeDb();
const svc = new FederationClientService(db);
const resolveEntry = (
svc as unknown as {
resolveEntry: (peerId: string) => Promise<{ agent: { destroy: () => Promise<void> } }>;
}
).resolveEntry.bind(svc);
const entry = await resolveEntry(PEER_ID);
const destroySpy = vi.spyOn(entry.agent, 'destroy').mockResolvedValue();
svc.flushPeer(PEER_ID);
expect(destroySpy).toHaveBeenCalledTimes(1);
});
it('flushPeer() invalidates cache — next call re-reads DB', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool
.intercept({ path: '/api/federation/v1/capabilities', method: 'GET' })
.reply(200, CAP_BODY, { headers: { 'content-type': 'application/json' } })
.times(2);
// First call — populates cache (via mock resolveEntry)
await svc.capabilities(PEER_ID);
// Flush the cache
svc.flushPeer(PEER_ID);
// The spy on resolveEntry is still active — check it's called again after flush
const resolveEntrySpy = vi.spyOn(
svc as unknown as { resolveEntry: (peerId: string) => Promise<unknown> },
'resolveEntry',
);
// Second call after flush — should call resolveEntry again
await svc.capabilities(PEER_ID);
// resolveEntry should have been called once after we started spying (post-flush)
expect(resolveEntrySpy).toHaveBeenCalledTimes(1);
await mockAgent.close();
});
});
// ─── loadStepCaRoot env-var guard ─────────────────────────────────────────
describe('loadStepCaRoot() env-var guard', () => {
it('throws PEER_MISCONFIGURED when STEP_CA_ROOT_CERT_PATH is not set', async () => {
delete process.env['STEP_CA_ROOT_CERT_PATH'];
const db = makeDb();
const svc = new FederationClientService(db);
const resolveEntry = (
svc as unknown as {
resolveEntry: (peerId: string) => Promise<unknown>;
}
).resolveEntry.bind(svc);
await expect(resolveEntry(PEER_ID)).rejects.toMatchObject({
code: 'PEER_MISCONFIGURED',
});
});
});
// ─── FederationClientError class ──────────────────────────────────────────
describe('FederationClientError', () => {
it('is instanceof Error and FederationClientError', () => {
const err = new FederationClientError({
code: 'PEER_NOT_FOUND',
message: 'test',
peerId: PEER_ID,
});
expect(err).toBeInstanceOf(Error);
expect(err).toBeInstanceOf(FederationClientError);
expect(err.name).toBe('FederationClientError');
});
it('carries status, code, and peerId', () => {
const err = new FederationClientError({
status: 403,
code: 'FORBIDDEN',
message: 'forbidden',
peerId: PEER_ID,
});
expect(err.status).toBe(403);
expect(err.code).toBe('FORBIDDEN');
expect(err.peerId).toBe(PEER_ID);
});
});
});

500
apps/gateway/src/federation/client/federation-client.service.ts
View File

@@ -1,500 +0,0 @@
/**
* FederationClientService — outbound mTLS client for federation requests (FED-M3-08).
*
* Dials peer gateways over mTLS using the cert+sealed-key stored in `federation_peers`,
* invokes federation verbs (list / get / capabilities), and surfaces all failure modes
* as typed `FederationClientError` instances.
*
* ## Error code taxonomy
*
* | Code | When |
* | ------------------ | ------------------------------------------------------------- |
* | PEER_NOT_FOUND | No row in federation_peers for the given peerId |
* | PEER_INACTIVE | Peer row exists but state !== 'active' |
* | PEER_MISCONFIGURED | Peer row is active but missing endpointUrl or clientKeyPem |
* | NETWORK | undici threw a connection / TLS / timeout error |
* | HTTP_{status} | Peer returned a non-2xx response (e.g. HTTP_403, HTTP_404) |
* | FORBIDDEN | Peer returned 403 (convenience alias alongside HTTP_403) |
* | INVALID_RESPONSE | Response body failed Zod schema validation |
*
* ## Cache strategy
*
* Per-peer `undici.Agent` instances are cached in a `Map<peerId, AgentCacheEntry>` for
* the lifetime of the service instance. The cache is keyed on peerId (UUID).
*
* Cache invalidation:
* - `flushPeer(peerId)` — removes the entry immediately. M5/M6 MUST call this on
* cert rotation or peer revocation events so the next request re-reads the DB and
* builds a fresh TLS Agent with the new cert material.
* - On cache miss: re-reads the DB, checks state === 'active', rebuilds Agent.
*
* Cache does NOT auto-expire. The service is expected to be a singleton scoped to the
* NestJS application lifecycle; flushing on revocation/rotation is the only invalidation
* path by design (avoids redundant DB round-trips on the hot path).
*/
import { Injectable, Inject, Logger } from '@nestjs/common';
import { readFileSync } from 'node:fs';
import { Agent, fetch as undiciFetch } from 'undici';
import type { Dispatcher } from 'undici';
import { z } from 'zod';
import { type Db, eq, federationPeers } from '@mosaicstack/db';
import {
FederationListResponseSchema,
FederationGetResponseSchema,
FederationCapabilitiesResponseSchema,
FederationErrorEnvelopeSchema,
type FederationListResponse,
type FederationGetResponse,
type FederationCapabilitiesResponse,
} from '@mosaicstack/types';
import { DB } from '../../database/database.module.js';
import { unsealClientKey } from '../peer-key.util.js';
// ---------------------------------------------------------------------------
// Error taxonomy
// ---------------------------------------------------------------------------
/**
* Client-side error code set. Distinct from the server-side `FederationErrorCode`
* (which lives in `@mosaicstack/types`) because the client has additional failure
* modes (PEER_NOT_FOUND, PEER_INACTIVE, PEER_MISCONFIGURED, NETWORK) that the
* server never emits.
*/
export type FederationClientErrorCode =
| 'PEER_NOT_FOUND'
| 'PEER_INACTIVE'
| 'PEER_MISCONFIGURED'
| 'NETWORK'
| 'FORBIDDEN'
| 'INVALID_RESPONSE'
| `HTTP_${number}`;
export interface FederationClientErrorOptions {
status?: number;
code: FederationClientErrorCode;
message: string;
peerId: string;
cause?: unknown;
}
/**
* Thrown by FederationClientService on every failure path.
* Callers can dispatch on `error.code` for programmatic handling.
*/
export class FederationClientError extends Error {
readonly status?: number;
readonly code: FederationClientErrorCode;
readonly peerId: string;
readonly cause?: unknown;
constructor(opts: FederationClientErrorOptions) {
super(opts.message);
this.name = 'FederationClientError';
this.status = opts.status;
this.code = opts.code;
this.peerId = opts.peerId;
this.cause = opts.cause;
}
}
// ---------------------------------------------------------------------------
// Internal cache types
// ---------------------------------------------------------------------------
interface AgentCacheEntry {
agent: Agent;
endpointUrl: string;
certPem: string;
certSerial: string;
}
// ---------------------------------------------------------------------------
// Service
// ---------------------------------------------------------------------------
@Injectable()
export class FederationClientService {
private readonly logger = new Logger(FederationClientService.name);
/**
* Per-peer undici Agent cache.
* Key = peerId (UUID string).
*
* Values are either a resolved `AgentCacheEntry` or an in-flight
* `Promise<AgentCacheEntry>` (promise-cache pattern). Storing the promise
* prevents duplicate DB lookups and duplicate key-unseal operations when two
* requests for the same peer arrive before the first build completes.
*
* Flush via `flushPeer(peerId)` on cert rotation / peer revocation (M5/M6).
*/
private readonly cache = new Map<string, AgentCacheEntry | Promise<AgentCacheEntry>>();
/**
* Step-CA root cert PEM, loaded once from `STEP_CA_ROOT_CERT_PATH`.
* Used as the trust anchor for peer server certificates so federation TLS is
* pinned to our PKI, not the public trust store. Lazily loaded on first use
* so unit tests that don't exercise the agent path can run without the env var.
*/
private cachedCaPem: string | null = null;
constructor(@Inject(DB) private readonly db: Db) {}
// -------------------------------------------------------------------------
// Public verb API
// -------------------------------------------------------------------------
/**
* Invoke the `list` verb on a remote peer.
*
* @param peerId UUID of the peer row in `federation_peers`.
* @param resource Resource path, e.g. "tasks".
* @param request Free-form body sent as JSON in the POST body.
* @returns Parsed `FederationListResponse<T>`.
*/
async list<T>(
peerId: string,
resource: string,
request: Record<string, unknown>,
): Promise<FederationListResponse<T>> {
const { endpointUrl, agent } = await this.resolveEntry(peerId);
const url = `${endpointUrl}/api/federation/v1/list/${encodeURIComponent(resource)}`;
const body = await this.doPost(peerId, url, agent, request);
return this.parseWith<FederationListResponse<T>>(
peerId,
body,
FederationListResponseSchema(z.unknown()),
);
}
/**
* Invoke the `get` verb on a remote peer.
*
* @param peerId UUID of the peer row in `federation_peers`.
* @param resource Resource path, e.g. "tasks".
* @param id Resource identifier.
* @param request Free-form body sent as JSON in the POST body.
* @returns Parsed `FederationGetResponse<T>`.
*/
async get<T>(
peerId: string,
resource: string,
id: string,
request: Record<string, unknown>,
): Promise<FederationGetResponse<T>> {
const { endpointUrl, agent } = await this.resolveEntry(peerId);
const url = `${endpointUrl}/api/federation/v1/get/${encodeURIComponent(resource)}/${encodeURIComponent(id)}`;
const body = await this.doPost(peerId, url, agent, request);
return this.parseWith<FederationGetResponse<T>>(
peerId,
body,
FederationGetResponseSchema(z.unknown()),
);
}
/**
* Invoke the `capabilities` verb on a remote peer.
*
* @param peerId UUID of the peer row in `federation_peers`.
* @returns Parsed `FederationCapabilitiesResponse`.
*/
async capabilities(peerId: string): Promise<FederationCapabilitiesResponse> {
const { endpointUrl, agent } = await this.resolveEntry(peerId);
const url = `${endpointUrl}/api/federation/v1/capabilities`;
const body = await this.doGet(peerId, url, agent);
return this.parseWith<FederationCapabilitiesResponse>(
peerId,
body,
FederationCapabilitiesResponseSchema,
);
}
// -------------------------------------------------------------------------
// Cache management
// -------------------------------------------------------------------------
/**
* Flush the cached Agent for a specific peer.
*
* M5/M6 MUST call this on:
* - cert rotation events (so new cert material is picked up)
* - peer revocation events (so future requests fail at PEER_INACTIVE)
*
* After flushing, the next call to `list`, `get`, or `capabilities` for
* this peer will re-read the DB and rebuild the Agent.
*/
flushPeer(peerId: string): void {
const entry = this.cache.get(peerId);
if (entry === undefined) {
return;
}
this.cache.delete(peerId);
if (!(entry instanceof Promise)) {
// best-effort destroy; promise-cached entries skip destroy because
// the in-flight build owns its own Agent which will be GC'd when the
// owning request handles the rejection from the cache miss
entry.agent.destroy().catch(() => {
// intentionally ignored — destroy errors are not actionable
});
}
this.logger.log(`Cache flushed for peer ${peerId}`);
}
// -------------------------------------------------------------------------
// Internal helpers
// -------------------------------------------------------------------------
/**
* Load and cache the Step-CA root cert PEM from `STEP_CA_ROOT_CERT_PATH`.
* Throws `FederationClientError` if the env var is unset or the file cannot
* be read — mTLS to a peer without a pinned trust anchor would silently
* fall back to the public trust store.
*/
private loadStepCaRoot(): string {
if (this.cachedCaPem !== null) {
return this.cachedCaPem;
}
const path = process.env['STEP_CA_ROOT_CERT_PATH'];
if (!path) {
throw new FederationClientError({
code: 'PEER_MISCONFIGURED',
message: 'STEP_CA_ROOT_CERT_PATH is not set; refusing to dial peer without pinned CA trust',
peerId: '',
});
}
try {
const pem = readFileSync(path, 'utf8');
this.cachedCaPem = pem;
return pem;
} catch (err) {
throw new FederationClientError({
code: 'PEER_MISCONFIGURED',
message: `Failed to read STEP_CA_ROOT_CERT_PATH (${path})`,
peerId: '',
cause: err,
});
}
}
/**
* Resolve the cache entry for a peer, reading DB on miss.
*
* Uses a promise-cache pattern: concurrent callers for the same uncached
* `peerId` all `await` the same in-flight `Promise<AgentCacheEntry>` so
* only one DB lookup and one key-unseal ever runs per peer per cache miss.
* The promise is replaced with the concrete entry on success, or deleted on
* rejection so a transient error does not poison the cache permanently.
*
* Throws `FederationClientError` with appropriate code if the peer is not
* found, is inactive, or is missing required fields.
*/
private async resolveEntry(peerId: string): Promise<AgentCacheEntry> {
const cached = this.cache.get(peerId);
if (cached) {
return cached; // Promise or concrete entry — both are awaitable
}
const inflight = this.buildEntry(peerId).then(
(entry) => {
this.cache.set(peerId, entry); // replace promise with concrete value
return entry;
},
(err: unknown) => {
this.cache.delete(peerId); // don't poison the cache with a rejected promise
throw err;
},
);
this.cache.set(peerId, inflight);
return inflight;
}
/**
* Build the `AgentCacheEntry` for a peer by reading the DB, validating the
* peer's state, unsealing the private key, and constructing the mTLS Agent.
*
* Throws `FederationClientError` with appropriate code if the peer is not
* found, is inactive, or is missing required fields.
*/
private async buildEntry(peerId: string): Promise<AgentCacheEntry> {
// DB lookup
const [peer] = await this.db
.select()
.from(federationPeers)
.where(eq(federationPeers.id, peerId))
.limit(1);
if (!peer) {
throw new FederationClientError({
code: 'PEER_NOT_FOUND',
message: `Federation peer ${peerId} not found`,
peerId,
});
}
if (peer.state !== 'active') {
throw new FederationClientError({
code: 'PEER_INACTIVE',
message: `Federation peer ${peerId} is not active (state: ${peer.state})`,
peerId,
});
}
if (!peer.endpointUrl || !peer.clientKeyPem) {
throw new FederationClientError({
code: 'PEER_MISCONFIGURED',
message: `Federation peer ${peerId} is missing endpointUrl or clientKeyPem`,
peerId,
});
}
// Unseal the private key
let privateKeyPem: string;
try {
privateKeyPem = unsealClientKey(peer.clientKeyPem);
} catch (err) {
throw new FederationClientError({
code: 'PEER_MISCONFIGURED',
message: `Failed to unseal client key for peer ${peerId}`,
peerId,
cause: err,
});
}
// Build mTLS agent — pin trust to Step-CA root so we never accept
// a peer cert signed by a public CA (defense against MITM with a
// publicly-trusted DV cert for the peer's hostname).
const agent = new Agent({
connect: {
cert: peer.certPem,
key: privateKeyPem,
ca: this.loadStepCaRoot(),
// rejectUnauthorized: true is the undici default for HTTPS
},
});
const entry: AgentCacheEntry = {
agent,
endpointUrl: peer.endpointUrl,
certPem: peer.certPem,
certSerial: peer.certSerial,
};
this.logger.log(`Agent cached for peer ${peerId} (serial: ${peer.certSerial})`);
return entry;
}
/**
* Execute a POST request with a JSON body.
* Returns the parsed response body as an unknown value.
* Throws `FederationClientError` on network errors and non-2xx responses.
*/
private async doPost(
peerId: string,
url: string,
agent: Dispatcher,
body: Record<string, unknown>,
): Promise<unknown> {
return this.doRequest(peerId, url, agent, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(body),
});
}
/**
* Execute a GET request.
* Returns the parsed response body as an unknown value.
* Throws `FederationClientError` on network errors and non-2xx responses.
*/
private async doGet(peerId: string, url: string, agent: Dispatcher): Promise<unknown> {
return this.doRequest(peerId, url, agent, { method: 'GET' });
}
private async doRequest(
peerId: string,
url: string,
agent: Dispatcher,
init: { method: string; headers?: Record<string, string>; body?: string },
): Promise<unknown> {
let response: Awaited<ReturnType<typeof undiciFetch>>;
try {
response = await undiciFetch(url, {
...init,
dispatcher: agent,
});
} catch (err) {
throw new FederationClientError({
code: 'NETWORK',
message: `Network error calling peer ${peerId} at ${url}: ${err instanceof Error ? err.message : String(err)}`,
peerId,
cause: err,
});
}
const rawBody = await response.text().catch(() => '');
if (!response.ok) {
const status = response.status;
// Attempt to parse as federation error envelope
let serverMessage = `HTTP ${status}`;
try {
const json: unknown = JSON.parse(rawBody);
const result = FederationErrorEnvelopeSchema.safeParse(json);
if (result.success) {
serverMessage = result.data.error.message;
}
} catch {
// Not valid JSON or not a federation envelope — use generic message
}
// Specific code for 403 (most actionable for callers); generic HTTP_{n} for others
const code: FederationClientErrorCode = status === 403 ? 'FORBIDDEN' : `HTTP_${status}`;
throw new FederationClientError({
status,
code,
message: `Peer ${peerId} returned ${status}: ${serverMessage}`,
peerId,
});
}
try {
return JSON.parse(rawBody) as unknown;
} catch (err) {
throw new FederationClientError({
code: 'INVALID_RESPONSE',
message: `Peer ${peerId} returned non-JSON body`,
peerId,
cause: err,
});
}
}
/**
* Parse and validate a response body against a Zod schema.
*
* For list/get, callers pass the result of `FederationListResponseSchema(z.unknown())`
* so that the envelope structure is validated without requiring a concrete item schema
* at the client level. The generic `T` provides compile-time typing.
*
* Throws `FederationClientError({ code: 'INVALID_RESPONSE' })` on parse failure.
*/
private parseWith<T>(peerId: string, body: unknown, schema: z.ZodTypeAny): T {
const result = schema.safeParse(body);
if (!result.success) {
const issues = result.error.issues
.map((e: z.ZodIssue) => `[${e.path.join('.') || 'root'}] ${e.message}`)
.join('; ');
throw new FederationClientError({
code: 'INVALID_RESPONSE',
message: `Peer ${peerId} returned invalid response shape: ${issues}`,
peerId,
});
}
return result.data as T;
}
}

Some files were not shown because too many files have changed in this diff Show More