mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

Compare commits

base: mosaicstack:v0.1.0
Branches Tags
mosaicstack:main mosaicstack:release/mosaic-v0.0.29 mosaicstack:fix/installer-idempotent-creds mosaicstack:feat/framework-superpowers-enforcement mosaicstack:feat/install-ux-intent mosaicstack:feat/install-ux-polish mosaicstack:docs/iuv-m01-complete mosaicstack:fix/build-vitest-allowdefault mosaicstack:fix/bootstrap-hotfix mosaicstack:docs/install-ux-v2-scaffold mosaicstack:release/mosaic-v0.0.25 mosaicstack:docs/iuh-mission-complete mosaicstack:feat/unified-first-run mosaicstack:docs/iuh-m02-complete mosaicstack:feat/wizard-remediation mosaicstack:feat/mosaic-macp-cli mosaicstack:fix/gateway-token-recovery-review mosaicstack:feat/mosaic-auth-cli mosaicstack:feat/mosaic-forge-cli-v2 mosaicstack:feat/mosaic-storage-cli mosaicstack:feat/mosaic-memory-cli mosaicstack:feat/gateway-token-recovery mosaicstack:feat/mosaic-forge-cli mosaicstack:feat/mosaic-config-command mosaicstack:feat/mosaic-queue-cli mosaicstack:feat/mosaic-brain-cli mosaicstack:feat/mosaic-help-alphabetize mosaicstack:docs/gateway-token-recovery-plan mosaicstack:chore/bump-mosaic-0.0.21 mosaicstack:fix/populate-known-packages-list mosaicstack:fix/publish-loud-errors mosaicstack:fix/gitea-org-rename mosaicstack:fix/gateway-install-ux mosaicstack:fix/rename-mosaic-scope-391 mosaicstack:fix/db-memory-queue-publish-drift mosaicstack:fix/updater-wrapper-gitea-387 mosaicstack:fix/config-package-version-drift mosaicstack:fix/updater-mosaic-package-382 mosaicstack:fix/merge-cli-into-mosaic mosaicstack:fix/metapackage-cli-dep mosaicstack:chore/bump-cli-mosaic-0.0.16 mosaicstack:fix/gateway-deprecation-warnings mosaicstack:fix/gateway-install-prefix-eacces mosaicstack:chore/gateway-default-port-14242 mosaicstack:fix/gateway-scoped-registry mosaicstack:fix/gateway-install-registry mosaicstack:chore/bump-0.0.11 mosaicstack:feat/gateway-local-tier mosaicstack:feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3 mosaicstack:fix/pnpm-build-scripts mosaicstack:fix/storage-sqlite-ci mosaicstack:feat/storage-abstraction mosaicstack:fix/idempotent-init
mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4
..
compare: mosaicstack:58ba99f3eba112eb3e480461f381e8f4b1dcafa3
Branches Tags
mosaicstack:main mosaicstack:release/mosaic-v0.0.29 mosaicstack:fix/installer-idempotent-creds mosaicstack:feat/framework-superpowers-enforcement mosaicstack:feat/install-ux-intent mosaicstack:feat/install-ux-polish mosaicstack:docs/iuv-m01-complete mosaicstack:fix/build-vitest-allowdefault mosaicstack:fix/bootstrap-hotfix mosaicstack:docs/install-ux-v2-scaffold mosaicstack:release/mosaic-v0.0.25 mosaicstack:docs/iuh-mission-complete mosaicstack:feat/unified-first-run mosaicstack:docs/iuh-m02-complete mosaicstack:feat/wizard-remediation mosaicstack:feat/mosaic-macp-cli mosaicstack:fix/gateway-token-recovery-review mosaicstack:feat/mosaic-auth-cli mosaicstack:feat/mosaic-forge-cli-v2 mosaicstack:feat/mosaic-storage-cli mosaicstack:feat/mosaic-memory-cli mosaicstack:feat/gateway-token-recovery mosaicstack:feat/mosaic-forge-cli mosaicstack:feat/mosaic-config-command mosaicstack:feat/mosaic-queue-cli mosaicstack:feat/mosaic-brain-cli mosaicstack:feat/mosaic-help-alphabetize mosaicstack:docs/gateway-token-recovery-plan mosaicstack:chore/bump-mosaic-0.0.21 mosaicstack:fix/populate-known-packages-list mosaicstack:fix/publish-loud-errors mosaicstack:fix/gitea-org-rename mosaicstack:fix/gateway-install-ux mosaicstack:fix/rename-mosaic-scope-391 mosaicstack:fix/db-memory-queue-publish-drift mosaicstack:fix/updater-wrapper-gitea-387 mosaicstack:fix/config-package-version-drift mosaicstack:fix/updater-mosaic-package-382 mosaicstack:fix/merge-cli-into-mosaic mosaicstack:fix/metapackage-cli-dep mosaicstack:chore/bump-cli-mosaic-0.0.16 mosaicstack:fix/gateway-deprecation-warnings mosaicstack:fix/gateway-install-prefix-eacces mosaicstack:chore/gateway-default-port-14242 mosaicstack:fix/gateway-scoped-registry mosaicstack:fix/gateway-install-registry mosaicstack:chore/bump-0.0.11 mosaicstack:feat/gateway-local-tier mosaicstack:feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3 mosaicstack:fix/pnpm-build-scripts mosaicstack:fix/storage-sqlite-ci mosaicstack:feat/storage-abstraction mosaicstack:fix/idempotent-init
mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4

3 Commits
v0.1.0 ... 58ba99f3eb

Author SHA1 Message Date
Jason Woltje
58ba99f3eb fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting 2026-03-13 08:33:05 -05:00
Jason Woltje
3c8e7fd6b2 chore: format docs files 2026-03-13 08:26:24 -05:00
Jason Woltje
b86bfebe1f fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting 2026-03-13 08:25:57 -05:00
299 changed files with 480 additions and 32918 deletions
Expand all files Collapse all files

129
.env.example
View File

@@ -1,129 +1,20 @@
# ───────────────────────────────────────────────────────────────────────────── # Database (port 5433 avoids conflict with host PostgreSQL)
# Mosaic — Environment Variables Reference
# Copy this file to .env and fill in the values for your deployment.
# Lines beginning with # are comments; optional vars are commented out.
# ─────────────────────────────────────────────────────────────────────────────
# ─── Database (PostgreSQL 17 + pgvector) ─────────────────────────────────────
# Full connection string used by the gateway, ORM, and migration runner.
# Port 5433 avoids conflict with a host-side PostgreSQL instance.
DATABASE_URL=postgresql://mosaic:mosaic@localhost:5433/mosaic DATABASE_URL=postgresql://mosaic:mosaic@localhost:5433/mosaic
# Docker Compose host-port override for the PostgreSQL container (default: 5433) # Valkey (Redis-compatible, port 6380 avoids conflict with host Redis/Valkey)
# PG_HOST_PORT=5433
# ─── Queue (Valkey 8 / Redis-compatible) ─────────────────────────────────────
# Port 6380 avoids conflict with a host-side Redis/Valkey instance.
VALKEY_URL=redis://localhost:6380 VALKEY_URL=redis://localhost:6380
# Docker Compose host-port override for the Valkey container (default: 6380) # Docker Compose host port overrides (optional)
# PG_HOST_PORT=5433
# VALKEY_HOST_PORT=6380 # VALKEY_HOST_PORT=6380
# OpenTelemetry
# ─── Gateway ─────────────────────────────────────────────────────────────────
# TCP port the NestJS/Fastify gateway listens on (default: 4000)
GATEWAY_PORT=4000
# Comma-separated list of allowed CORS origins.
# Must include the web app origin in production.
GATEWAY_CORS_ORIGIN=http://localhost:3000
# ─── Auth (BetterAuth) ───────────────────────────────────────────────────────
# REQUIRED — random secret used to sign sessions and tokens.
# Generate with: openssl rand -base64 32
BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string
# Public base URL of the gateway (used by BetterAuth for callback URLs)
BETTER_AUTH_URL=http://localhost:4000
# ─── Web App (Next.js) ───────────────────────────────────────────────────────
# Public gateway URL — accessible from the browser, not just the server.
NEXT_PUBLIC_GATEWAY_URL=http://localhost:4000
# ─── OpenTelemetry ───────────────────────────────────────────────────────────
# OTLP HTTP endpoint (otel-collector or any OpenTelemetry-compatible backend)
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318 OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
# Service name shown in traces
OTEL_SERVICE_NAME=mosaic-gateway OTEL_SERVICE_NAME=mosaic-gateway
# Auth (BetterAuth)
BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string
BETTER_AUTH_URL=http://localhost:4000
# ─── AI Providers ──────────────────────────────────────────────────────────── # Gateway
GATEWAY_PORT=4000
# Ollama (local models — set OLLAMA_BASE_URL to enable)
# OLLAMA_BASE_URL=http://localhost:11434
# OLLAMA_HOST is a legacy alias for OLLAMA_BASE_URL
# OLLAMA_HOST=http://localhost:11434
# Comma-separated list of Ollama model IDs to register (default: llama3.2,codellama,mistral)
# OLLAMA_MODELS=llama3.2,codellama,mistral
# OpenAI — required for embedding and log-summarization features
# OPENAI_API_KEY=sk-...
# Custom providers — JSON array of provider configs
# Format: [{"id":"<id>","baseUrl":"<url>","apiKey":"<key>","models":[{"id":"<model-id>","name":"<label>"}]}]
# MOSAIC_CUSTOM_PROVIDERS=
# ─── Embedding Service ───────────────────────────────────────────────────────
# OpenAI-compatible embeddings endpoint (default: OpenAI)
# EMBEDDING_API_URL=https://api.openai.com/v1
# EMBEDDING_MODEL=text-embedding-3-small
# ─── Log Summarization Service ───────────────────────────────────────────────
# OpenAI-compatible chat completions endpoint for log summarization (default: OpenAI)
# SUMMARIZATION_API_URL=https://api.openai.com/v1
# SUMMARIZATION_MODEL=gpt-4o-mini
# Cron schedule for summarization job (default: every 6 hours)
# SUMMARIZATION_CRON=0 */6 * * *
# Cron schedule for log tier management (default: daily at 03:00)
# TIER_MANAGEMENT_CRON=0 3 * * *
# ─── Agent ───────────────────────────────────────────────────────────────────
# Filesystem sandbox root for agent file tools (default: process.cwd())
# AGENT_FILE_SANDBOX_DIR=/var/lib/mosaic/sandbox
# Comma-separated list of tool names available to non-admin users.
# Leave unset to allow all tools for all authenticated users.
# AGENT_USER_TOOLS=read_file,list_directory,search_files
# System prompt injected into every agent session (optional)
# AGENT_SYSTEM_PROMPT=You are a helpful assistant.
# ─── MCP Servers ─────────────────────────────────────────────────────────────
# JSON array of MCP server configs — set to enable MCP tool integration.
# Each entry: {"name":"<id>","url":"<http-or-sse-url>"}
# MCP_SERVERS=[{"name":"my-mcp","url":"http://localhost:3100/sse"}]
# ─── Coordinator ─────────────────────────────────────────────────────────────
# Root directory used to scope coordinator (worktree/repo) operations.
# Defaults to the monorepo root auto-detected from process.cwd().
# MOSAIC_WORKSPACE_ROOT=/home/user/projects/mosaic
# ─── Discord Plugin (optional — set DISCORD_BOT_TOKEN to enable) ─────────────
# DISCORD_BOT_TOKEN=
# DISCORD_GUILD_ID=
# DISCORD_GATEWAY_URL=http://localhost:4000
# ─── Telegram Plugin (optional — set TELEGRAM_BOT_TOKEN to enable) ───────────
# TELEGRAM_BOT_TOKEN=
# TELEGRAM_GATEWAY_URL=http://localhost:4000
# ─── Authentik SSO (optional — set AUTHENTIK_CLIENT_ID to enable) ────────────
# AUTHENTIK_ISSUER=https://auth.example.com/application/o/mosaic/
# AUTHENTIK_CLIENT_ID=
# AUTHENTIK_CLIENT_SECRET=

3
.husky/pre-commit
View File

@@ -1 +1,4 @@
#!/bin/sh
. "$(dirname "$0")/_/husky.sh"
npx lint-staged npx lint-staged

3
.husky/pre-push
View File

@@ -1 +1,4 @@
#!/bin/sh
. "$(dirname "$0")/_/husky.sh"
pnpm typecheck && pnpm lint && pnpm format:check pnpm typecheck && pnpm lint && pnpm format:check

1
.prettierignore
View File

@@ -4,4 +4,3 @@ pnpm-lock.yaml
**/node_modules **/node_modules
**/drizzle **/drizzle
**/.next **/.next
.claude/

30
.woodpecker/ci.yml
View File

@@ -1,61 +1,57 @@
variables: variables:
- &node_image 'node:22-alpine' - &node_image 'node:22-alpine'
- &enable_pnpm 'corepack enable' - &install_deps |
corepack enable
pnpm install --frozen-lockfile
when: when:
- event: [push, pull_request, manual] - event: [push, pull_request, manual]
# Turbo remote cache (turbo.mosaicstack.dev) is configured via Woodpecker
# repository-level environment variables (TURBO_API, TURBO_TEAM, TURBO_TOKEN).
# This avoids from_secret which is blocked on pull_request events.
# If the env vars aren't set, turbo falls back to local cache only.
steps: steps:
install: install:
image: *node_image image: *node_image
commands: commands:
- corepack enable - *install_deps
- pnpm install --frozen-lockfile
typecheck: typecheck:
image: *node_image image: *node_image
commands: commands:
- *enable_pnpm - *install_deps
- pnpm typecheck - pnpm typecheck
depends_on: depends_on:
- install - install
# lint, format, and test are independent — run in parallel after typecheck
lint: lint:
image: *node_image image: *node_image
commands: commands:
- *enable_pnpm - *install_deps
- pnpm lint - pnpm lint
depends_on: depends_on:
- typecheck - install
format: format:
image: *node_image image: *node_image
commands: commands:
- *enable_pnpm - *install_deps
- pnpm format:check - pnpm format:check
depends_on: depends_on:
- typecheck - install
test: test:
image: *node_image image: *node_image
commands: commands:
- *enable_pnpm - *install_deps
- pnpm test - pnpm test
depends_on: depends_on:
- typecheck - install
build: build:
image: *node_image image: *node_image
commands: commands:
- *enable_pnpm - *install_deps
- pnpm build - pnpm build
depends_on: depends_on:
- typecheck
- lint - lint
- format - format
- test - test

12
apps/gateway/package.json
View File

@@ -15,16 +15,10 @@
"@fastify/helmet": "^13.0.2", "@fastify/helmet": "^13.0.2",
"@mariozechner/pi-ai": "~0.57.1", "@mariozechner/pi-ai": "~0.57.1",
"@mariozechner/pi-coding-agent": "~0.57.1", "@mariozechner/pi-coding-agent": "~0.57.1",
"@modelcontextprotocol/sdk": "^1.27.1",
"@mosaic/auth": "workspace:^", "@mosaic/auth": "workspace:^",
"@mosaic/queue": "workspace:^",
"@mosaic/brain": "workspace:^", "@mosaic/brain": "workspace:^",
"@mosaic/coord": "workspace:^", "@mosaic/coord": "workspace:^",
"@mosaic/db": "workspace:^", "@mosaic/db": "workspace:^",
"@mosaic/discord-plugin": "workspace:^",
"@mosaic/log": "workspace:^",
"@mosaic/memory": "workspace:^",
"@mosaic/telegram-plugin": "workspace:^",
"@mosaic/types": "workspace:^", "@mosaic/types": "workspace:^",
"@nestjs/common": "^11.0.0", "@nestjs/common": "^11.0.0",
"@nestjs/core": "^11.0.0", "@nestjs/core": "^11.0.0",
@@ -43,18 +37,14 @@
"better-auth": "^1.5.5", "better-auth": "^1.5.5",
"class-transformer": "^0.5.1", "class-transformer": "^0.5.1",
"class-validator": "^0.15.1", "class-validator": "^0.15.1",
"dotenv": "^17.3.1",
"fastify": "^5.0.0", "fastify": "^5.0.0",
"node-cron": "^4.2.1",
"reflect-metadata": "^0.2.0", "reflect-metadata": "^0.2.0",
"rxjs": "^7.8.0", "rxjs": "^7.8.0",
"socket.io": "^4.8.0", "socket.io": "^4.8.0",
"uuid": "^11.0.0", "uuid": "^11.0.0"
"zod": "^4.3.6"
}, },
"devDependencies": { "devDependencies": {
"@types/node": "^22.0.0", "@types/node": "^22.0.0",
"@types/node-cron": "^3.0.11",
"@types/uuid": "^10.0.0", "@types/uuid": "^10.0.0",
"tsx": "^4.0.0", "tsx": "^4.0.0",
"typescript": "^5.8.0", "typescript": "^5.8.0",

71
apps/gateway/src/__tests__/resource-ownership.test.ts
View File

@@ -1,4 +1,4 @@
import { ForbiddenException, NotFoundException } from '@nestjs/common'; import { ForbiddenException } from '@nestjs/common';
import { describe, expect, it, vi } from 'vitest'; import { describe, expect, it, vi } from 'vitest';
import { ConversationsController } from '../conversations/conversations.controller.js'; import { ConversationsController } from '../conversations/conversations.controller.js';
import { MissionsController } from '../missions/missions.controller.js'; import { MissionsController } from '../missions/missions.controller.js';
@@ -18,7 +18,6 @@ function createBrain() {
}, },
projects: { projects: {
findAll: vi.fn(), findAll: vi.fn(),
findAllForUser: vi.fn(),
findById: vi.fn(), findById: vi.fn(),
create: vi.fn(), create: vi.fn(),
update: vi.fn(), update: vi.fn(),
@@ -26,21 +25,12 @@ function createBrain() {
}, },
missions: { missions: {
findAll: vi.fn(), findAll: vi.fn(),
findAllByUser: vi.fn(),
findById: vi.fn(), findById: vi.fn(),
findByIdAndUser: vi.fn(),
findByProject: vi.fn(), findByProject: vi.fn(),
create: vi.fn(), create: vi.fn(),
update: vi.fn(), update: vi.fn(),
remove: vi.fn(), remove: vi.fn(),
}, },
missionTasks: {
findByMissionAndUser: vi.fn(),
findByIdAndUser: vi.fn(),
create: vi.fn(),
update: vi.fn(),
remove: vi.fn(),
},
tasks: { tasks: {
findAll: vi.fn(), findAll: vi.fn(),
findById: vi.fn(), findById: vi.fn(),
@@ -68,22 +58,21 @@ describe('Resource ownership checks', () => {
it('forbids access to another user project', async () => { it('forbids access to another user project', async () => {
const brain = createBrain(); const brain = createBrain();
brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' }); brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
const teamsService = { canAccessProject: vi.fn().mockResolvedValue(false) }; const controller = new ProjectsController(brain as never);
const controller = new ProjectsController(brain as never, teamsService as never);
await expect(controller.findOne('project-1', { id: 'user-1' })).rejects.toBeInstanceOf( await expect(controller.findOne('project-1', { id: 'user-1' })).rejects.toBeInstanceOf(
ForbiddenException, ForbiddenException,
); );
}); });
it('forbids access to a mission owned by another user', async () => { it('forbids access to a mission owned by another project owner', async () => {
const brain = createBrain(); const brain = createBrain();
// findByIdAndUser returns undefined when the mission doesn't belong to the user brain.missions.findById.mockResolvedValue({ id: 'mission-1', projectId: 'project-1' });
brain.missions.findByIdAndUser.mockResolvedValue(undefined); brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
const controller = new MissionsController(brain as never); const controller = new MissionsController(brain as never);
await expect(controller.findOne('mission-1', { id: 'user-1' })).rejects.toBeInstanceOf( await expect(controller.findOne('mission-1', { id: 'user-1' })).rejects.toBeInstanceOf(
NotFoundException, ForbiddenException,
); );
}); });
@@ -97,52 +86,4 @@ describe('Resource ownership checks', () => {
ForbiddenException, ForbiddenException,
); );
}); });
it('forbids creating a task with an unowned project', async () => {
const brain = createBrain();
brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
const controller = new TasksController(brain as never);
await expect(
controller.create(
{
title: 'Task',
projectId: 'project-1',
},
{ id: 'user-1' },
),
).rejects.toBeInstanceOf(ForbiddenException);
});
it('forbids listing tasks for an unowned project', async () => {
const brain = createBrain();
brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
const controller = new TasksController(brain as never);
await expect(
controller.list({ id: 'user-1' }, 'project-1', undefined, undefined),
).rejects.toBeInstanceOf(ForbiddenException);
});
it('lists only tasks for the current user owned projects when no filter is provided', async () => {
const brain = createBrain();
brain.projects.findAll.mockResolvedValue([
{ id: 'project-1', ownerId: 'user-1' },
{ id: 'project-2', ownerId: 'user-2' },
]);
brain.missions.findAll.mockResolvedValue([{ id: 'mission-1', projectId: 'project-1' }]);
brain.tasks.findAll.mockResolvedValue([
{ id: 'task-1', projectId: 'project-1' },
{ id: 'task-2', missionId: 'mission-1' },
{ id: 'task-3', projectId: 'project-2' },
]);
const controller = new TasksController(brain as never);
await expect(
controller.list({ id: 'user-1' }, undefined, undefined, undefined),
).resolves.toEqual([
{ id: 'task-1', projectId: 'project-1' },
{ id: 'task-2', missionId: 'mission-1' },
]);
});
}); });

73
apps/gateway/src/admin/admin-health.controller.ts
View File

@@ -1,73 +0,0 @@
import { Controller, Get, Inject, UseGuards } from '@nestjs/common';
import { sql, type Db } from '@mosaic/db';
import { createQueue } from '@mosaic/queue';
import { DB } from '../database/database.module.js';
import { AgentService } from '../agent/agent.service.js';
import { ProviderService } from '../agent/provider.service.js';
import { AdminGuard } from './admin.guard.js';
import type { HealthStatusDto, ServiceStatusDto } from './admin.dto.js';
@Controller('api/admin/health')
@UseGuards(AdminGuard)
export class AdminHealthController {
constructor(
@Inject(DB) private readonly db: Db,
@Inject(AgentService) private readonly agentService: AgentService,
@Inject(ProviderService) private readonly providerService: ProviderService,
) {}
@Get()
async check(): Promise<HealthStatusDto> {
const [database, cache] = await Promise.all([this.checkDatabase(), this.checkCache()]);
const sessions = this.agentService.listSessions();
const providers = this.providerService.listProviders();
const allOk = database.status === 'ok' && cache.status === 'ok';
return {
status: allOk ? 'ok' : 'degraded',
database,
cache,
agentPool: { activeSessions: sessions.length },
providers: providers.map((p) => ({
id: p.id,
name: p.name,
available: p.available,
modelCount: p.models.length,
})),
checkedAt: new Date().toISOString(),
};
}
private async checkDatabase(): Promise<ServiceStatusDto> {
const start = Date.now();
try {
await this.db.execute(sql`SELECT 1`);
return { status: 'ok', latencyMs: Date.now() - start };
} catch (err) {
return {
status: 'error',
latencyMs: Date.now() - start,
error: err instanceof Error ? err.message : String(err),
};
}
}
private async checkCache(): Promise<ServiceStatusDto> {
const start = Date.now();
const handle = createQueue();
try {
await handle.redis.ping();
return { status: 'ok', latencyMs: Date.now() - start };
} catch (err) {
return {
status: 'error',
latencyMs: Date.now() - start,
error: err instanceof Error ? err.message : String(err),
};
} finally {
await handle.close().catch(() => {});
}
}
}

146
apps/gateway/src/admin/admin.controller.ts
View File

@@ -1,146 +0,0 @@
import {
Body,
Controller,
Delete,
Get,
HttpCode,
HttpStatus,
Inject,
InternalServerErrorException,
NotFoundException,
Param,
Patch,
Post,
UseGuards,
} from '@nestjs/common';
import { eq, type Db, users as usersTable } from '@mosaic/db';
import type { Auth } from '@mosaic/auth';
import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js';
import { AdminGuard } from './admin.guard.js';
import type {
BanUserDto,
CreateUserDto,
UpdateUserRoleDto,
UserDto,
UserListDto,
} from './admin.dto.js';
type UserRow = typeof usersTable.$inferSelect;
function toUserDto(u: UserRow): UserDto {
return {
id: u.id,
name: u.name,
email: u.email,
role: u.role,
banned: u.banned ?? false,
banReason: u.banReason ?? null,
createdAt: u.createdAt.toISOString(),
updatedAt: u.updatedAt.toISOString(),
};
}
async function requireUpdated(
db: Db,
id: string,
update: Partial<Omit<UserRow, 'id' | 'createdAt'>>,
): Promise<UserDto> {
const [updated] = await db
.update(usersTable)
.set({ ...update, updatedAt: new Date() })
.where(eq(usersTable.id, id))
.returning();
if (!updated) throw new InternalServerErrorException('Update returned no rows');
return toUserDto(updated);
}
@Controller('api/admin/users')
@UseGuards(AdminGuard)
export class AdminController {
constructor(
@Inject(DB) private readonly db: Db,
@Inject(AUTH) private readonly auth: Auth,
) {}
@Get()
async listUsers(): Promise<UserListDto> {
const rows = await this.db.select().from(usersTable).orderBy(usersTable.createdAt);
const userList: UserDto[] = rows.map(toUserDto);
return { users: userList, total: userList.length };
}
@Get(':id')
async getUser(@Param('id') id: string): Promise<UserDto> {
const [user] = await this.db.select().from(usersTable).where(eq(usersTable.id, id)).limit(1);
if (!user) throw new NotFoundException('User not found');
return toUserDto(user);
}
@Post()
async createUser(@Body() body: CreateUserDto): Promise<UserDto> {
// Use auth API to create user so password is properly hashed
const authApi = this.auth.api as unknown as {
createUser: (opts: {
body: { name: string; email: string; password: string; role?: string };
}) => Promise<{
user: { id: string; name: string; email: string; createdAt: unknown; updatedAt: unknown };
}>;
};
const result = await authApi.createUser({
body: {
name: body.name,
email: body.email,
password: body.password,
role: body.role ?? 'member',
},
});
// Re-fetch from DB to get full row with our schema
const [user] = await this.db
.select()
.from(usersTable)
.where(eq(usersTable.id, result.user.id))
.limit(1);
if (!user) throw new InternalServerErrorException('User created but not found in DB');
return toUserDto(user);
}
@Patch(':id/role')
async setRole(@Param('id') id: string, @Body() body: UpdateUserRoleDto): Promise<UserDto> {
await this.ensureExists(id);
return requireUpdated(this.db, id, { role: body.role });
}
@Post(':id/ban')
@HttpCode(HttpStatus.OK)
async banUser(@Param('id') id: string, @Body() body: BanUserDto): Promise<UserDto> {
await this.ensureExists(id);
return requireUpdated(this.db, id, { banned: true, banReason: body.reason ?? null });
}
@Post(':id/unban')
@HttpCode(HttpStatus.OK)
async unbanUser(@Param('id') id: string): Promise<UserDto> {
await this.ensureExists(id);
return requireUpdated(this.db, id, { banned: false, banReason: null, banExpires: null });
}
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async deleteUser(@Param('id') id: string): Promise<void> {
await this.ensureExists(id);
await this.db.delete(usersTable).where(eq(usersTable.id, id));
}
private async ensureExists(id: string): Promise<void> {
const [existing] = await this.db
.select({ id: usersTable.id })
.from(usersTable)
.where(eq(usersTable.id, id))
.limit(1);
if (!existing) throw new NotFoundException('User not found');
}
}

56
apps/gateway/src/admin/admin.dto.ts
View File

@@ -1,56 +0,0 @@
export interface UserDto {
id: string;
name: string;
email: string;
role: string;
banned: boolean;
banReason: string | null;
createdAt: string;
updatedAt: string;
}
export interface UserListDto {
users: UserDto[];
total: number;
}
export interface CreateUserDto {
name: string;
email: string;
password: string;
role?: string;
}
export interface UpdateUserRoleDto {
role: string;
}
export interface BanUserDto {
reason?: string;
}
export interface HealthStatusDto {
status: 'ok' | 'degraded' | 'error';
database: ServiceStatusDto;
cache: ServiceStatusDto;
agentPool: AgentPoolStatusDto;
providers: ProviderStatusDto[];
checkedAt: string;
}
export interface ServiceStatusDto {
status: 'ok' | 'error';
latencyMs?: number;
error?: string;
}
export interface AgentPoolStatusDto {
activeSessions: number;
}
export interface ProviderStatusDto {
id: string;
name: string;
available: boolean;
modelCount: number;
}

64
apps/gateway/src/admin/admin.guard.ts
View File

@@ -1,64 +0,0 @@
import {
CanActivate,
ExecutionContext,
ForbiddenException,
Inject,
Injectable,
UnauthorizedException,
} from '@nestjs/common';
import { fromNodeHeaders } from 'better-auth/node';
import type { Auth } from '@mosaic/auth';
import type { Db } from '@mosaic/db';
import { eq, users as usersTable } from '@mosaic/db';
import type { FastifyRequest } from 'fastify';
import { AUTH } from '../auth/auth.tokens.js';
import { DB } from '../database/database.module.js';
interface UserWithRole {
id: string;
role?: string;
}
@Injectable()
export class AdminGuard implements CanActivate {
constructor(
@Inject(AUTH) private readonly auth: Auth,
@Inject(DB) private readonly db: Db,
) {}
async canActivate(context: ExecutionContext): Promise<boolean> {
const request = context.switchToHttp().getRequest<FastifyRequest>();
const headers = fromNodeHeaders(request.raw.headers);
const result = await this.auth.api.getSession({ headers });
if (!result) {
throw new UnauthorizedException('Invalid or expired session');
}
const user = result.user as UserWithRole;
// Ensure the role field is populated. better-auth should include additionalFields
// in the session, but as a fallback, fetch the role from the database if needed.
let userRole = user.role;
if (!userRole) {
const [dbUser] = await this.db
.select({ role: usersTable.role })
.from(usersTable)
.where(eq(usersTable.id, user.id))
.limit(1);
userRole = dbUser?.role ?? 'member';
// Update the session user object with the fetched role
(user as UserWithRole).role = userRole;
}
if (userRole !== 'admin') {
throw new ForbiddenException('Admin access required');
}
(request as FastifyRequest & { user: unknown; session: unknown }).user = result.user;
(request as FastifyRequest & { user: unknown; session: unknown }).session = result.session;
return true;
}
}

10
apps/gateway/src/admin/admin.module.ts
View File

@@ -1,10 +0,0 @@
import { Module } from '@nestjs/common';
import { AdminController } from './admin.controller.js';
import { AdminHealthController } from './admin-health.controller.js';
import { AdminGuard } from './admin.guard.js';
@Module({
controllers: [AdminController, AdminHealthController],
providers: [AdminGuard],
})
export class AdminModule {}

97
apps/gateway/src/agent/agent-config.dto.ts
View File

@@ -1,97 +0,0 @@
import {
IsArray,
IsBoolean,
IsIn,
IsObject,
IsOptional,
IsString,
IsUUID,
MaxLength,
} from 'class-validator';
const agentStatuses = ['idle', 'active', 'error', 'offline'] as const;
export class CreateAgentConfigDto {
@IsString()
@MaxLength(255)
name!: string;
@IsString()
@MaxLength(255)
provider!: string;
@IsString()
@MaxLength(255)
model!: string;
@IsOptional()
@IsIn(agentStatuses)
status?: 'idle' | 'active' | 'error' | 'offline';
@IsOptional()
@IsUUID()
projectId?: string;
@IsOptional()
@IsString()
@MaxLength(50_000)
systemPrompt?: string;
@IsOptional()
@IsArray()
allowedTools?: string[];
@IsOptional()
@IsArray()
skills?: string[];
@IsOptional()
@IsBoolean()
isSystem?: boolean;
@IsOptional()
@IsObject()
config?: Record<string, unknown>;
}
export class UpdateAgentConfigDto {
@IsOptional()
@IsString()
@MaxLength(255)
name?: string;
@IsOptional()
@IsString()
@MaxLength(255)
provider?: string;
@IsOptional()
@IsString()
@MaxLength(255)
model?: string;
@IsOptional()
@IsIn(agentStatuses)
status?: 'idle' | 'active' | 'error' | 'offline';
@IsOptional()
@IsUUID()
projectId?: string | null;
@IsOptional()
@IsString()
@MaxLength(50_000)
systemPrompt?: string | null;
@IsOptional()
@IsArray()
allowedTools?: string[] | null;
@IsOptional()
@IsArray()
skills?: string[] | null;
@IsOptional()
@IsObject()
config?: Record<string, unknown> | null;
}

84
apps/gateway/src/agent/agent-configs.controller.ts
View File

@@ -1,84 +0,0 @@
import {
Body,
Controller,
Delete,
ForbiddenException,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Param,
Patch,
Post,
UseGuards,
} from '@nestjs/common';
import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { CreateAgentConfigDto, UpdateAgentConfigDto } from './agent-config.dto.js';
@Controller('api/agents')
@UseGuards(AuthGuard)
export class AgentConfigsController {
constructor(@Inject(BRAIN) private readonly brain: Brain) {}
@Get()
async list(@CurrentUser() user: { id: string; role?: string }) {
return this.brain.agents.findAccessible(user.id);
}
@Get(':id')
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const agent = await this.brain.agents.findById(id);
if (!agent) throw new NotFoundException('Agent not found');
if (!agent.isSystem && agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
return agent;
}
@Post()
async create(@Body() dto: CreateAgentConfigDto, @CurrentUser() user: { id: string }) {
return this.brain.agents.create({
...dto,
ownerId: user.id,
isSystem: false,
});
}
@Patch(':id')
async update(
@Param('id') id: string,
@Body() dto: UpdateAgentConfigDto,
@CurrentUser() user: { id: string; role?: string },
) {
const agent = await this.brain.agents.findById(id);
if (!agent) throw new NotFoundException('Agent not found');
if (agent.isSystem && user.role !== 'admin') {
throw new ForbiddenException('Only admins can update system agents');
}
if (!agent.isSystem && agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
const updated = await this.brain.agents.update(id, dto);
if (!updated) throw new NotFoundException('Agent not found');
return updated;
}
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string; role?: string }) {
const agent = await this.brain.agents.findById(id);
if (!agent) throw new NotFoundException('Agent not found');
if (agent.isSystem) {
throw new ForbiddenException('Cannot delete system agents');
}
if (agent.ownerId !== user.id) {
throw new ForbiddenException('Agent does not belong to the current user');
}
const deleted = await this.brain.agents.remove(id);
if (!deleted) throw new NotFoundException('Agent not found');
}
}

13
apps/gateway/src/agent/agent.module.ts
View File

@@ -2,20 +2,15 @@ import { Global, Module } from '@nestjs/common';
import { AgentService } from './agent.service.js'; import { AgentService } from './agent.service.js';
import { ProviderService } from './provider.service.js'; import { ProviderService } from './provider.service.js';
import { RoutingService } from './routing.service.js'; import { RoutingService } from './routing.service.js';
import { SkillLoaderService } from './skill-loader.service.js';
import { ProvidersController } from './providers.controller.js'; import { ProvidersController } from './providers.controller.js';
import { SessionsController } from './sessions.controller.js'; import { SessionsController } from './sessions.controller.js';
import { AgentConfigsController } from './agent-configs.controller.js';
import { CoordModule } from '../coord/coord.module.js'; import { CoordModule } from '../coord/coord.module.js';
import { McpClientModule } from '../mcp-client/mcp-client.module.js';
import { SkillsModule } from '../skills/skills.module.js';
import { GCModule } from '../gc/gc.module.js';
@Global() @Global()
@Module({ @Module({
imports: [CoordModule, McpClientModule, SkillsModule, GCModule], imports: [CoordModule],
providers: [ProviderService, RoutingService, SkillLoaderService, AgentService], providers: [ProviderService, RoutingService, AgentService],
controllers: [ProvidersController, SessionsController, AgentConfigsController], controllers: [ProvidersController, SessionsController],
exports: [AgentService, ProviderService, RoutingService, SkillLoaderService], exports: [AgentService, ProviderService, RoutingService],
}) })
export class AgentModule {} export class AgentModule {}

226
apps/gateway/src/agent/agent.service.ts
View File

@@ -1,65 +1,22 @@
import { Inject, Injectable, Logger, Optional, type OnModuleDestroy } from '@nestjs/common'; import { Inject, Injectable, Logger, type OnModuleDestroy } from '@nestjs/common';
import { import {
createAgentSession, createAgentSession,
DefaultResourceLoader,
SessionManager, SessionManager,
type AgentSession as PiAgentSession, type AgentSession as PiAgentSession,
type AgentSessionEvent, type AgentSessionEvent,
type ToolDefinition, type ToolDefinition,
} from '@mariozechner/pi-coding-agent'; } from '@mariozechner/pi-coding-agent';
import type { Brain } from '@mosaic/brain'; import type { Brain } from '@mosaic/brain';
import type { Memory } from '@mosaic/memory';
import { BRAIN } from '../brain/brain.tokens.js'; import { BRAIN } from '../brain/brain.tokens.js';
import { MEMORY } from '../memory/memory.tokens.js';
import { EmbeddingService } from '../memory/embedding.service.js';
import { CoordService } from '../coord/coord.service.js'; import { CoordService } from '../coord/coord.service.js';
import { ProviderService } from './provider.service.js'; import { ProviderService } from './provider.service.js';
import { McpClientService } from '../mcp-client/mcp-client.service.js';
import { SkillLoaderService } from './skill-loader.service.js';
import { createBrainTools } from './tools/brain-tools.js'; import { createBrainTools } from './tools/brain-tools.js';
import { createCoordTools } from './tools/coord-tools.js'; import { createCoordTools } from './tools/coord-tools.js';
import { createMemoryTools } from './tools/memory-tools.js';
import { createFileTools } from './tools/file-tools.js';
import { createGitTools } from './tools/git-tools.js';
import { createShellTools } from './tools/shell-tools.js';
import { createWebTools } from './tools/web-tools.js';
import type { SessionInfoDto } from './session.dto.js'; import type { SessionInfoDto } from './session.dto.js';
import { SystemOverrideService } from '../preferences/system-override.service.js';
import { PreferencesService } from '../preferences/preferences.service.js';
import { SessionGCService } from '../gc/session-gc.service.js';
export interface AgentSessionOptions { export interface AgentSessionOptions {
provider?: string; provider?: string;
modelId?: string; modelId?: string;
/**
* Sandbox working directory for the session.
* File, git, and shell tools will be restricted to this directory.
* Falls back to AGENT_FILE_SANDBOX_DIR env var or process.cwd().
*/
sandboxDir?: string;
/**
* Platform-level system prompt for this session.
* Merged with skill prompt additions (platform prompt first, then skills).
* Falls back to AGENT_SYSTEM_PROMPT env var when omitted.
*/
systemPrompt?: string;
/**
* Explicit allowlist of tool names available in this session.
* When set, only listed tools are registered with the agent.
* When omitted for non-admin users, falls back to AGENT_USER_TOOLS env var.
* Admins (isAdmin=true) always receive the full tool set unless explicitly restricted.
*/
allowedTools?: string[];
/** Whether the requesting user has admin privileges. Controls default tool access. */
isAdmin?: boolean;
/**
* DB agent config ID. When provided, loads agent config from DB and merges
* provider, model, systemPrompt, and allowedTools. Explicit call-site options
* take precedence over config values.
*/
agentConfigId?: string;
/** ID of the user who owns this session. Used for preferences and system override lookups. */
userId?: string;
} }
export interface AgentSession { export interface AgentSession {
@@ -72,14 +29,6 @@ export interface AgentSession {
createdAt: number; createdAt: number;
promptCount: number; promptCount: number;
channels: Set<string>; channels: Set<string>;
/** System prompt additions injected from enabled prompt-type skills. */
skillPromptAdditions: string[];
/** Resolved sandbox directory for this session. */
sandboxDir: string;
/** Tool names available in this session, or null when all tools are available. */
allowedTools: string[] | null;
/** User ID that owns this session, used for preference lookups. */
userId?: string;
} }
@Injectable() @Injectable()
@@ -88,64 +37,15 @@ export class AgentService implements OnModuleDestroy {
private readonly sessions = new Map<string, AgentSession>(); private readonly sessions = new Map<string, AgentSession>();
private readonly creating = new Map<string, Promise<AgentSession>>(); private readonly creating = new Map<string, Promise<AgentSession>>();
private readonly customTools: ToolDefinition[];
constructor( constructor(
@Inject(ProviderService) private readonly providerService: ProviderService, @Inject(ProviderService) private readonly providerService: ProviderService,
@Inject(BRAIN) private readonly brain: Brain, @Inject(BRAIN) private readonly brain: Brain,
@Inject(MEMORY) private readonly memory: Memory,
@Inject(EmbeddingService) private readonly embeddingService: EmbeddingService,
@Inject(CoordService) private readonly coordService: CoordService, @Inject(CoordService) private readonly coordService: CoordService,
@Inject(McpClientService) private readonly mcpClientService: McpClientService, ) {
@Inject(SkillLoaderService) private readonly skillLoaderService: SkillLoaderService, this.customTools = [...createBrainTools(brain), ...createCoordTools(coordService)];
@Optional() this.logger.log(`Registered ${this.customTools.length} custom tools`);
@Inject(SystemOverrideService)
private readonly systemOverride: SystemOverrideService | null,
@Optional()
@Inject(PreferencesService)
private readonly preferencesService: PreferencesService | null,
@Inject(SessionGCService) private readonly gc: SessionGCService,
) {}
/**
* Build the full set of custom tools scoped to the given sandbox directory.
* Brain/coord/memory/web tools are stateless with respect to cwd; file/git/shell
* tools receive the resolved sandboxDir so they operate within the sandbox.
*/
private buildToolsForSandbox(sandboxDir: string): ToolDefinition[] {
return [
...createBrainTools(this.brain),
...createCoordTools(this.coordService),
...createMemoryTools(
this.memory,
this.embeddingService.available ? this.embeddingService : null,
),
...createFileTools(sandboxDir),
...createGitTools(sandboxDir),
...createShellTools(sandboxDir),
...createWebTools(),
];
}
/**
* Resolve the tool allowlist for a session.
* - Admin users: all tools unless an explicit allowedTools list is passed.
* - Regular users: use allowedTools if provided, otherwise parse AGENT_USER_TOOLS env var.
* Returns null when all tools should be available.
*/
private resolveAllowedTools(isAdmin: boolean, allowedTools?: string[]): string[] | null {
if (allowedTools !== undefined) {
return allowedTools.length === 0 ? [] : allowedTools;
}
if (isAdmin) {
return null; // admins get everything
}
const envTools = process.env['AGENT_USER_TOOLS'];
if (!envTools) {
return null; // no restriction configured
}
return envTools
.split(',')
.map((t) => t.trim())
.filter((t) => t.length > 0);
} }
async createSession(sessionId: string, options?: AgentSessionOptions): Promise<AgentSession> { async createSession(sessionId: string, options?: AgentSessionOptions): Promise<AgentSession> {
@@ -166,104 +66,22 @@ export class AgentService implements OnModuleDestroy {
sessionId: string, sessionId: string,
options?: AgentSessionOptions, options?: AgentSessionOptions,
): Promise<AgentSession> { ): Promise<AgentSession> {
// Merge DB agent config when agentConfigId is provided const model = this.resolveModel(options);
let mergedOptions = options;
if (options?.agentConfigId) {
const agentConfig = await this.brain.agents.findById(options.agentConfigId);
if (agentConfig) {
mergedOptions = {
provider: options.provider ?? agentConfig.provider,
modelId: options.modelId ?? agentConfig.model,
systemPrompt: options.systemPrompt ?? agentConfig.systemPrompt ?? undefined,
allowedTools: options.allowedTools ?? agentConfig.allowedTools ?? undefined,
sandboxDir: options.sandboxDir,
isAdmin: options.isAdmin,
agentConfigId: options.agentConfigId,
};
this.logger.log(
`Merged agent config "${agentConfig.name}" (${agentConfig.id}) into session ${sessionId}`,
);
}
}
const model = this.resolveModel(mergedOptions);
const providerName = model?.provider ?? 'default'; const providerName = model?.provider ?? 'default';
const modelId = model?.id ?? 'default'; const modelId = model?.id ?? 'default';
// Resolve sandbox directory: option > env var > process.cwd()
const sandboxDir =
mergedOptions?.sandboxDir ?? process.env['AGENT_FILE_SANDBOX_DIR'] ?? process.cwd();
// Resolve allowed tool set
const allowedTools = this.resolveAllowedTools(
mergedOptions?.isAdmin ?? false,
mergedOptions?.allowedTools,
);
this.logger.log( this.logger.log(
`Creating agent session: ${sessionId} (provider=${providerName}, model=${modelId}, sandbox=${sandboxDir}, tools=${allowedTools === null ? 'all' : allowedTools.join(',') || 'none'})`, `Creating agent session: ${sessionId} (provider=${providerName}, model=${modelId})`,
); );
// Load skill tools from the catalog
const { metaTools: skillMetaTools, promptAdditions } =
await this.skillLoaderService.loadForSession();
if (skillMetaTools.length > 0) {
this.logger.log(`Attaching ${skillMetaTools.length} skill tool(s) to session ${sessionId}`);
}
if (promptAdditions.length > 0) {
this.logger.log(
`Injecting ${promptAdditions.length} skill prompt addition(s) into session ${sessionId}`,
);
}
// Build per-session tools scoped to the sandbox directory
const sandboxTools = this.buildToolsForSandbox(sandboxDir);
// Combine static tools with dynamically discovered MCP client tools and skill tools
const mcpTools = this.mcpClientService.getToolDefinitions();
let allCustomTools = [...sandboxTools, ...skillMetaTools, ...mcpTools];
if (mcpTools.length > 0) {
this.logger.log(`Attaching ${mcpTools.length} MCP client tool(s) to session ${sessionId}`);
}
// Filter tools by allowlist when a restriction is in effect
if (allowedTools !== null) {
const allowedSet = new Set(allowedTools);
const before = allCustomTools.length;
allCustomTools = allCustomTools.filter((t) => allowedSet.has(t.name));
this.logger.log(
`Tool restriction applied: ${allCustomTools.length}/${before} tools allowed for session ${sessionId}`,
);
}
// Build system prompt: platform prompt + skill additions appended
const platformPrompt =
mergedOptions?.systemPrompt ?? process.env['AGENT_SYSTEM_PROMPT'] ?? undefined;
const appendSystemPrompt =
promptAdditions.length > 0 ? promptAdditions.join('\n\n') : undefined;
// Construct a resource loader that injects the configured system prompt
const resourceLoader = new DefaultResourceLoader({
cwd: sandboxDir,
noExtensions: true,
noSkills: true,
noPromptTemplates: true,
noThemes: true,
systemPrompt: platformPrompt,
appendSystemPrompt: appendSystemPrompt,
});
await resourceLoader.reload();
let piSession: PiAgentSession; let piSession: PiAgentSession;
try { try {
const result = await createAgentSession({ const result = await createAgentSession({
sessionManager: SessionManager.inMemory(), sessionManager: SessionManager.inMemory(),
modelRegistry: this.providerService.getRegistry(), modelRegistry: this.providerService.getRegistry(),
model: model ?? undefined, model: model ?? undefined,
cwd: sandboxDir,
tools: [], tools: [],
customTools: allCustomTools, customTools: this.customTools,
resourceLoader,
}); });
piSession = result.session; piSession = result.session;
} catch (err) { } catch (err) {
@@ -296,10 +114,6 @@ export class AgentService implements OnModuleDestroy {
createdAt: Date.now(), createdAt: Date.now(),
promptCount: 0, promptCount: 0,
channels: new Set(), channels: new Set(),
skillPromptAdditions: promptAdditions,
sandboxDir,
allowedTools,
userId: mergedOptions?.userId,
}; };
this.sessions.set(sessionId, session); this.sessions.set(sessionId, session);
@@ -383,20 +197,8 @@ export class AgentService implements OnModuleDestroy {
throw new Error(`No agent session found: ${sessionId}`); throw new Error(`No agent session found: ${sessionId}`);
} }
session.promptCount += 1; session.promptCount += 1;
// Prepend session-scoped system override if present (renew TTL on each turn)
let effectiveMessage = message;
if (this.systemOverride) {
const override = await this.systemOverride.get(sessionId);
if (override) {
effectiveMessage = `[System Override]\n${override}\n\n${message}`;
await this.systemOverride.renew(sessionId);
this.logger.debug(`Applied system override for session ${sessionId}`);
}
}
try { try {
await session.piSession.prompt(effectiveMessage); await session.piSession.prompt(message);
} catch (err) { } catch (err) {
this.logger.error( this.logger.error(
`Prompt failed for session=${sessionId}, messageLength=${message.length}`, `Prompt failed for session=${sessionId}, messageLength=${message.length}`,
@@ -432,14 +234,6 @@ export class AgentService implements OnModuleDestroy {
session.listeners.clear(); session.listeners.clear();
session.channels.clear(); session.channels.clear();
this.sessions.delete(sessionId); this.sessions.delete(sessionId);
// Run GC cleanup for this session (fire and forget, errors are logged)
this.gc.collect(sessionId).catch((err: unknown) => {
this.logger.error(
`GC collect failed for session ${sessionId}`,
err instanceof Error ? err.stack : String(err),
);
});
} }
async onModuleDestroy(): Promise<void> { async onModuleDestroy(): Promise<void> {

17
apps/gateway/src/agent/provider.dto.ts
View File

@@ -1,17 +0,0 @@
export interface TestConnectionDto {
/** Provider identifier to test (e.g. 'ollama', custom provider id) */
providerId: string;
/** Optional base URL override for ad-hoc testing */
baseUrl?: string;
}
export interface TestConnectionResultDto {
providerId: string;
reachable: boolean;
/** Round-trip latency in milliseconds (present when reachable) */
latencyMs?: number;
/** Human-readable error when unreachable */
error?: string;
/** Model ids discovered at the remote endpoint (present when reachable) */
discoveredModels?: string[];
}

70
apps/gateway/src/agent/provider.service.ts
View File

@@ -2,15 +2,14 @@ import { Injectable, Logger, type OnModuleInit } from '@nestjs/common';
import { ModelRegistry, AuthStorage } from '@mariozechner/pi-coding-agent'; import { ModelRegistry, AuthStorage } from '@mariozechner/pi-coding-agent';
import type { Model, Api } from '@mariozechner/pi-ai'; import type { Model, Api } from '@mariozechner/pi-ai';
import type { ModelInfo, ProviderInfo, CustomProviderConfig } from '@mosaic/types'; import type { ModelInfo, ProviderInfo, CustomProviderConfig } from '@mosaic/types';
import type { TestConnectionResultDto } from './provider.dto.js';
@Injectable() @Injectable()
export class ProviderService implements OnModuleInit { export class ProviderService implements OnModuleInit {
private readonly logger = new Logger(ProviderService.name); private readonly logger = new Logger(ProviderService.name);
private registry!: ModelRegistry; private registry!: ModelRegistry;
onModuleInit(): void { async onModuleInit(): Promise<void> {
const authStorage = AuthStorage.inMemory(); const authStorage = AuthStorage.create();
this.registry = new ModelRegistry(authStorage); this.registry = new ModelRegistry(authStorage);
this.registerOllamaProvider(); this.registerOllamaProvider();
@@ -65,63 +64,6 @@ export class ProviderService implements OnModuleInit {
return this.registry.getAvailable().map((m) => this.toModelInfo(m)); return this.registry.getAvailable().map((m) => this.toModelInfo(m));
} }
async testConnection(providerId: string, baseUrl?: string): Promise<TestConnectionResultDto> {
// Resolve baseUrl: explicit override > registered provider > ollama env
let resolvedUrl = baseUrl;
if (!resolvedUrl) {
const allModels = this.registry.getAll();
const providerModels = allModels.filter((m) => m.provider === providerId);
if (providerModels.length === 0) {
return { providerId, reachable: false, error: `Provider '${providerId}' not found` };
}
// For Ollama, derive the base URL from environment
if (providerId === 'ollama') {
const ollamaUrl = process.env['OLLAMA_BASE_URL'] ?? process.env['OLLAMA_HOST'];
if (!ollamaUrl) {
return { providerId, reachable: false, error: 'OLLAMA_BASE_URL not configured' };
}
resolvedUrl = `${ollamaUrl}/v1/models`;
} else {
// For other providers, we can only do a basic check
return { providerId, reachable: true, discoveredModels: providerModels.map((m) => m.id) };
}
} else {
resolvedUrl = resolvedUrl.replace(/\/?$/, '') + '/models';
}
const start = Date.now();
try {
const res = await fetch(resolvedUrl, {
method: 'GET',
headers: { Accept: 'application/json' },
signal: AbortSignal.timeout(5000),
});
const latencyMs = Date.now() - start;
if (!res.ok) {
return { providerId, reachable: false, latencyMs, error: `HTTP ${res.status}` };
}
let discoveredModels: string[] | undefined;
try {
const json = (await res.json()) as { models?: Array<{ id?: string; name?: string }> };
if (Array.isArray(json.models)) {
discoveredModels = json.models.map((m) => m.id ?? m.name ?? '').filter(Boolean);
}
} catch {
// ignore parse errors — endpoint was reachable
}
return { providerId, reachable: true, latencyMs, discoveredModels };
} catch (err) {
const latencyMs = Date.now() - start;
const message = err instanceof Error ? err.message : String(err);
return { providerId, reachable: false, latencyMs, error: message };
}
}
registerCustomProvider(config: CustomProviderConfig): void { registerCustomProvider(config: CustomProviderConfig): void {
this.registry.registerProvider(config.id, { this.registry.registerProvider(config.id, {
baseUrl: config.baseUrl, baseUrl: config.baseUrl,
@@ -150,16 +92,14 @@ export class ProviderService implements OnModuleInit {
.map((modelId: string) => modelId.trim()) .map((modelId: string) => modelId.trim())
.filter(Boolean); .filter(Boolean);
this.registry.registerProvider('ollama', { this.registerCustomProvider({
id: 'ollama',
name: 'Ollama',
baseUrl: `${ollamaUrl}/v1`, baseUrl: `${ollamaUrl}/v1`,
apiKey: 'ollama',
api: 'openai-completions' as never,
models: modelIds.map((id) => ({ models: modelIds.map((id) => ({
id, id,
name: id, name: id,
reasoning: false, reasoning: false,
input: ['text'] as ('text' | 'image')[],
cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
contextWindow: 8192, contextWindow: 8192,
maxTokens: 4096, maxTokens: 4096,
})), })),

6
apps/gateway/src/agent/providers.controller.ts
View File

@@ -3,7 +3,6 @@ import type { RoutingCriteria } from '@mosaic/types';
import { AuthGuard } from '../auth/auth.guard.js'; import { AuthGuard } from '../auth/auth.guard.js';
import { ProviderService } from './provider.service.js'; import { ProviderService } from './provider.service.js';
import { RoutingService } from './routing.service.js'; import { RoutingService } from './routing.service.js';
import type { TestConnectionDto, TestConnectionResultDto } from './provider.dto.js';
@Controller('api/providers') @Controller('api/providers')
@UseGuards(AuthGuard) @UseGuards(AuthGuard)
@@ -23,11 +22,6 @@ export class ProvidersController {
return this.providerService.listAvailableModels(); return this.providerService.listAvailableModels();
} }
@Post('test')
testConnection(@Body() body: TestConnectionDto): Promise<TestConnectionResultDto> {
return this.providerService.testConnection(body.providerId, body.baseUrl);
}
@Post('route') @Post('route')
route(@Body() criteria: RoutingCriteria) { route(@Body() criteria: RoutingCriteria) {
return this.routingService.route(criteria); return this.routingService.route(criteria);

30
apps/gateway/src/agent/session.dto.ts
View File

@@ -12,33 +12,3 @@ export interface SessionListDto {
sessions: SessionInfoDto[]; sessions: SessionInfoDto[];
total: number; total: number;
} }
/**
* Options accepted when creating an agent session.
* All fields are optional; omitting them falls back to env-var or process defaults.
*/
export interface CreateSessionOptionsDto {
/** Provider name (e.g. "anthropic", "openai"). */
provider?: string;
/** Model ID to use for this session. */
modelId?: string;
/**
* Sandbox working directory for the session.
* File, git, and shell tools will be restricted to this directory.
* Defaults to AGENT_FILE_SANDBOX_DIR env var or process.cwd().
*/
sandboxDir?: string;
/**
* Platform-level system prompt for this session.
* Merged with skill prompt additions (platform prompt first, then skills).
* Falls back to AGENT_SYSTEM_PROMPT env var when omitted.
*/
systemPrompt?: string;
/**
* Explicit allowlist of tool names available in this session.
* When provided, only listed tools are registered with the agent.
* Admins receive all tools; regular users fall back to AGENT_USER_TOOLS
* env var (comma-separated) when this field is not supplied.
*/
allowedTools?: string[];
}

59
apps/gateway/src/agent/skill-loader.service.ts
View File

@@ -1,59 +0,0 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import { SkillsService } from '../skills/skills.service.js';
import { createSkillTools } from './tools/skill-tools.js';
export interface LoadedSkills {
/** Meta-tools: skill_list + skill_invoke */
metaTools: ToolDefinition[];
/**
* System prompt additions from enabled prompt-type skills.
* Callers may prepend these to the session system prompt.
*/
promptAdditions: string[];
}
/**
* SkillLoaderService is responsible for:
* 1. Providing the skill meta-tools (skill_list, skill_invoke) to agent sessions.
* 2. Collecting system-prompt additions from enabled prompt-type skills.
*/
@Injectable()
export class SkillLoaderService {
private readonly logger = new Logger(SkillLoaderService.name);
constructor(@Inject(SkillsService) private readonly skillsService: SkillsService) {}
/**
* Load enabled skills and return tools + prompt additions for a new session.
*/
async loadForSession(): Promise<LoadedSkills> {
const metaTools = createSkillTools(this.skillsService);
let promptAdditions: string[] = [];
try {
const enabledSkills = await this.skillsService.findEnabled();
promptAdditions = enabledSkills.flatMap((skill) => {
const config = (skill.config ?? {}) as Record<string, unknown>;
const skillType = (config['type'] as string | undefined) ?? 'prompt';
if (skillType === 'prompt') {
const addition = (config['prompt'] as string | undefined) ?? skill.description;
return addition ? [addition] : [];
}
return [];
});
this.logger.log(
`Loaded ${enabledSkills.length} enabled skill(s), ` +
`${promptAdditions.length} prompt addition(s)`,
);
} catch (err) {
// Non-fatal: log and continue without prompt additions
this.logger.warn(
`Failed to load skill prompt additions: ${err instanceof Error ? err.message : String(err)}`,
);
}
return { metaTools, promptAdditions };
}
}

194
apps/gateway/src/agent/tools/file-tools.ts
View File

@@ -1,194 +0,0 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import { readFile, writeFile, readdir, stat } from 'node:fs/promises';
import { guardPath, guardPathUnsafe, SandboxEscapeError } from './path-guard.js';
const MAX_READ_BYTES = 512 * 1024; // 512 KB read limit
const MAX_WRITE_BYTES = 1024 * 1024; // 1 MB write limit
export function createFileTools(baseDir: string): ToolDefinition[] {
const readFileTool: ToolDefinition = {
name: 'fs_read_file',
label: 'Read File',
description:
'Read the contents of a file. Path is resolved relative to the sandbox base directory.',
parameters: Type.Object({
path: Type.String({
description: 'File path (relative to sandbox base or absolute within it)',
}),
encoding: Type.Optional(
Type.String({ description: 'Encoding: utf8 (default), base64, hex' }),
),
}),
async execute(_toolCallId, params) {
const { path, encoding } = params as { path: string; encoding?: string };
let safePath: string;
try {
safePath = guardPath(path, baseDir);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
try {
const info = await stat(safePath);
if (!info.isFile()) {
return {
content: [{ type: 'text' as const, text: `Error: path is not a file: ${path}` }],
details: undefined,
};
}
if (info.size > MAX_READ_BYTES) {
return {
content: [
{
type: 'text' as const,
text: `Error: file too large (${info.size} bytes, limit ${MAX_READ_BYTES} bytes)`,
},
],
details: undefined,
};
}
const enc = (encoding ?? 'utf8') as BufferEncoding;
const content = await readFile(safePath, { encoding: enc });
return {
content: [{ type: 'text' as const, text: String(content) }],
details: undefined,
};
} catch (err) {
return {
content: [{ type: 'text' as const, text: `Error reading file: ${String(err)}` }],
details: undefined,
};
}
},
};
const writeFileTool: ToolDefinition = {
name: 'fs_write_file',
label: 'Write File',
description:
'Write content to a file. Path is resolved relative to the sandbox base directory. Overwrites existing file.',
parameters: Type.Object({
path: Type.String({
description: 'File path (relative to sandbox base or absolute within it)',
}),
content: Type.String({ description: 'Content to write' }),
encoding: Type.Optional(Type.String({ description: 'Encoding: utf8 (default), base64' })),
}),
async execute(_toolCallId, params) {
const { path, content, encoding } = params as {
path: string;
content: string;
encoding?: string;
};
let safePath: string;
try {
safePath = guardPathUnsafe(path, baseDir);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
if (Buffer.byteLength(content, 'utf8') > MAX_WRITE_BYTES) {
return {
content: [
{
type: 'text' as const,
text: `Error: content too large (limit ${MAX_WRITE_BYTES} bytes)`,
},
],
details: undefined,
};
}
try {
const enc = (encoding ?? 'utf8') as BufferEncoding;
await writeFile(safePath, content, { encoding: enc });
return {
content: [{ type: 'text' as const, text: `File written successfully: ${path}` }],
details: undefined,
};
} catch (err) {
return {
content: [{ type: 'text' as const, text: `Error writing file: ${String(err)}` }],
details: undefined,
};
}
},
};
const listDirectoryTool: ToolDefinition = {
name: 'fs_list_directory',
label: 'List Directory',
description: 'List files and directories at a given path within the sandbox base directory.',
parameters: Type.Object({
path: Type.Optional(
Type.String({
description: 'Directory path (relative to sandbox base). Defaults to base directory.',
}),
),
}),
async execute(_toolCallId, params) {
const { path } = params as { path?: string };
const target = path ?? '.';
let safePath: string;
try {
safePath = guardPath(target, baseDir);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
try {
const info = await stat(safePath);
if (!info.isDirectory()) {
return {
content: [{ type: 'text' as const, text: `Error: path is not a directory: ${target}` }],
details: undefined,
};
}
const entries = await readdir(safePath, { withFileTypes: true });
const items = entries.map((e) => ({
name: e.name,
type: e.isDirectory() ? 'directory' : e.isSymbolicLink() ? 'symlink' : 'file',
}));
return {
content: [{ type: 'text' as const, text: JSON.stringify(items, null, 2) }],
details: undefined,
};
} catch (err) {
return {
content: [{ type: 'text' as const, text: `Error listing directory: ${String(err)}` }],
details: undefined,
};
}
},
};
return [readFileTool, writeFileTool, listDirectoryTool];
}

212
apps/gateway/src/agent/tools/git-tools.ts
View File

@@ -1,212 +0,0 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import { exec } from 'node:child_process';
import { promisify } from 'node:util';
import { guardPath, guardPathUnsafe, SandboxEscapeError } from './path-guard.js';
const execAsync = promisify(exec);
const GIT_TIMEOUT_MS = 15_000;
const MAX_OUTPUT_BYTES = 100 * 1024; // 100 KB
async function runGit(
args: string[],
cwd?: string,
): Promise<{ stdout: string; stderr: string; error?: string }> {
// Only allow specific safe read-only git subcommands
const allowedSubcommands = ['status', 'log', 'diff', 'show', 'branch', 'tag', 'ls-files'];
const subcommand = args[0];
if (!subcommand || !allowedSubcommands.includes(subcommand)) {
return {
stdout: '',
stderr: '',
error: `Blocked: git subcommand "${subcommand}" is not allowed. Permitted: ${allowedSubcommands.join(', ')}`,
};
}
const cmd = `git ${args.map((a) => JSON.stringify(a)).join(' ')}`;
try {
const { stdout, stderr } = await execAsync(cmd, {
cwd,
timeout: GIT_TIMEOUT_MS,
maxBuffer: MAX_OUTPUT_BYTES,
});
return { stdout, stderr };
} catch (err: unknown) {
const e = err as { stdout?: string; stderr?: string; message?: string };
return {
stdout: e.stdout ?? '',
stderr: e.stderr ?? '',
error: e.message ?? String(err),
};
}
}
export function createGitTools(sandboxDir?: string): ToolDefinition[] {
const defaultCwd = sandboxDir ?? process.cwd();
const gitStatus: ToolDefinition = {
name: 'git_status',
label: 'Git Status',
description: 'Show the working tree status (staged, unstaged, untracked files).',
parameters: Type.Object({
cwd: Type.Optional(
Type.String({
description: 'Repository working directory (relative to sandbox or absolute within it).',
}),
),
}),
async execute(_toolCallId, params) {
const { cwd } = params as { cwd?: string };
let safeCwd: string;
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
const result = await runGit(['status', '--short', '--branch'], safeCwd);
const text = result.error
? `Error: ${result.error}\n${result.stderr}`
: result.stdout || '(no output)';
return {
content: [{ type: 'text' as const, text: text }],
details: undefined,
};
},
};
const gitLog: ToolDefinition = {
name: 'git_log',
label: 'Git Log',
description: 'Show recent commit history.',
parameters: Type.Object({
limit: Type.Optional(Type.Number({ description: 'Number of commits to show (default 20)' })),
oneline: Type.Optional(
Type.Boolean({ description: 'Compact one-line format (default true)' }),
),
cwd: Type.Optional(
Type.String({
description: 'Repository working directory (relative to sandbox or absolute within it).',
}),
),
}),
async execute(_toolCallId, params) {
const { limit, oneline, cwd } = params as {
limit?: number;
oneline?: boolean;
cwd?: string;
};
let safeCwd: string;
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
const args = ['log', `--max-count=${limit ?? 20}`];
if (oneline !== false) args.push('--oneline');
const result = await runGit(args, safeCwd);
const text = result.error
? `Error: ${result.error}\n${result.stderr}`
: result.stdout || '(no commits)';
return {
content: [{ type: 'text' as const, text: text }],
details: undefined,
};
},
};
const gitDiff: ToolDefinition = {
name: 'git_diff',
label: 'Git Diff',
description: 'Show changes between commits, working tree, or staged changes.',
parameters: Type.Object({
staged: Type.Optional(
Type.Boolean({ description: 'Show staged (cached) changes instead of unstaged' }),
),
ref: Type.Optional(
Type.String({ description: 'Compare against this ref (commit SHA, branch, or tag)' }),
),
path: Type.Optional(
Type.String({ description: 'Limit diff to a specific file or directory' }),
),
cwd: Type.Optional(
Type.String({
description: 'Repository working directory (relative to sandbox or absolute within it).',
}),
),
}),
async execute(_toolCallId, params) {
const { staged, ref, path, cwd } = params as {
staged?: boolean;
ref?: string;
path?: string;
cwd?: string;
};
let safeCwd: string;
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
let safePath: string | undefined;
if (path !== undefined) {
try {
safePath = guardPathUnsafe(path, defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
}
const args = ['diff'];
if (staged) args.push('--cached');
if (ref) args.push(ref);
args.push('--');
if (safePath !== undefined) args.push(safePath);
const result = await runGit(args, safeCwd);
const text = result.error
? `Error: ${result.error}\n${result.stderr}`
: result.stdout || '(no diff)';
return {
content: [{ type: 'text' as const, text: text }],
details: undefined,
};
},
};
return [gitStatus, gitLog, gitDiff];
}

5
apps/gateway/src/agent/tools/index.ts
View File

@@ -1,7 +1,2 @@
export { createBrainTools } from './brain-tools.js'; export { createBrainTools } from './brain-tools.js';
export { createCoordTools } from './coord-tools.js'; export { createCoordTools } from './coord-tools.js';
export { createFileTools } from './file-tools.js';
export { createGitTools } from './git-tools.js';
export { createShellTools } from './shell-tools.js';
export { createWebTools } from './web-tools.js';
export { createSkillTools } from './skill-tools.js';

158
apps/gateway/src/agent/tools/memory-tools.ts
View File

@@ -1,158 +0,0 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import type { Memory } from '@mosaic/memory';
import type { EmbeddingProvider } from '@mosaic/memory';
export function createMemoryTools(
memory: Memory,
embeddingProvider: EmbeddingProvider | null,
): ToolDefinition[] {
const searchMemory: ToolDefinition = {
name: 'memory_search',
label: 'Search Memory',
description:
'Search across stored insights and knowledge using natural language. Returns semantically similar results.',
parameters: Type.Object({
userId: Type.String({ description: 'User ID to search memory for' }),
query: Type.String({ description: 'Natural language search query' }),
limit: Type.Optional(Type.Number({ description: 'Max results (default 5)' })),
}),
async execute(_toolCallId, params) {
const { userId, query, limit } = params as {
userId: string;
query: string;
limit?: number;
};
if (!embeddingProvider) {
return {
content: [
{
type: 'text' as const,
text: 'Semantic search unavailable — no embedding provider configured',
},
],
details: undefined,
};
}
const embedding = await embeddingProvider.embed(query);
const results = await memory.insights.searchByEmbedding(userId, embedding, limit ?? 5);
return {
content: [{ type: 'text' as const, text: JSON.stringify(results, null, 2) }],
details: undefined,
};
},
};
const getPreferences: ToolDefinition = {
name: 'memory_get_preferences',
label: 'Get User Preferences',
description: 'Retrieve stored preferences for a user.',
parameters: Type.Object({
userId: Type.String({ description: 'User ID' }),
category: Type.Optional(
Type.String({
description: 'Filter by category: communication, coding, workflow, appearance, general',
}),
),
}),
async execute(_toolCallId, params) {
const { userId, category } = params as { userId: string; category?: string };
type Cat = 'communication' | 'coding' | 'workflow' | 'appearance' | 'general';
const prefs = category
? await memory.preferences.findByUserAndCategory(userId, category as Cat)
: await memory.preferences.findByUser(userId);
return {
content: [{ type: 'text' as const, text: JSON.stringify(prefs, null, 2) }],
details: undefined,
};
},
};
const savePreference: ToolDefinition = {
name: 'memory_save_preference',
label: 'Save User Preference',
description:
'Store a learned user preference (e.g., "prefers tables over paragraphs", "timezone: America/Chicago").',
parameters: Type.Object({
userId: Type.String({ description: 'User ID' }),
key: Type.String({ description: 'Preference key' }),
value: Type.String({ description: 'Preference value (JSON string)' }),
category: Type.Optional(
Type.String({
description: 'Category: communication, coding, workflow, appearance, general',
}),
),
}),
async execute(_toolCallId, params) {
const { userId, key, value, category } = params as {
userId: string;
key: string;
value: string;
category?: string;
};
type Cat = 'communication' | 'coding' | 'workflow' | 'appearance' | 'general';
let parsedValue: unknown;
try {
parsedValue = JSON.parse(value);
} catch {
parsedValue = value;
}
const pref = await memory.preferences.upsert({
userId,
key,
value: parsedValue,
category: (category as Cat) ?? 'general',
source: 'agent',
});
return {
content: [{ type: 'text' as const, text: JSON.stringify(pref, null, 2) }],
details: undefined,
};
},
};
const saveInsight: ToolDefinition = {
name: 'memory_save_insight',
label: 'Save Insight',
description:
'Store a learned insight, decision, or knowledge extracted from the current interaction.',
parameters: Type.Object({
userId: Type.String({ description: 'User ID' }),
content: Type.String({ description: 'The insight or knowledge to store' }),
category: Type.Optional(
Type.String({
description: 'Category: decision, learning, preference, fact, pattern, general',
}),
),
}),
async execute(_toolCallId, params) {
const { userId, content, category } = params as {
userId: string;
content: string;
category?: string;
};
type Cat = 'decision' | 'learning' | 'preference' | 'fact' | 'pattern' | 'general';
let embedding: number[] | null = null;
if (embeddingProvider) {
embedding = await embeddingProvider.embed(content);
}
const insight = await memory.insights.create({
userId,
content,
embedding,
source: 'agent',
category: (category as Cat) ?? 'learning',
});
return {
content: [{ type: 'text' as const, text: JSON.stringify(insight, null, 2) }],
details: undefined,
};
},
};
return [searchMemory, getPreferences, savePreference, saveInsight];
}

104
apps/gateway/src/agent/tools/path-guard.test.ts
View File

@@ -1,104 +0,0 @@
import { describe, it, expect } from 'vitest';
import { guardPath, guardPathUnsafe, SandboxEscapeError } from './path-guard.js';
import path from 'node:path';
import os from 'node:os';
import fs from 'node:fs';
describe('guardPathUnsafe', () => {
const sandbox = '/tmp/test-sandbox';
it('allows paths inside sandbox', () => {
const result = guardPathUnsafe('foo/bar.txt', sandbox);
expect(result).toBe(path.resolve(sandbox, 'foo/bar.txt'));
});
it('allows sandbox root itself', () => {
const result = guardPathUnsafe('.', sandbox);
expect(result).toBe(path.resolve(sandbox));
});
it('rejects path traversal with ../', () => {
expect(() => guardPathUnsafe('../escape.txt', sandbox)).toThrow(SandboxEscapeError);
});
it('rejects absolute path outside sandbox', () => {
expect(() => guardPathUnsafe('/etc/passwd', sandbox)).toThrow(SandboxEscapeError);
});
it('rejects deeply nested traversal', () => {
expect(() => guardPathUnsafe('a/b/../../../../../../etc/passwd', sandbox)).toThrow(
SandboxEscapeError,
);
});
it('rejects path that starts with sandbox name but is sibling', () => {
expect(() => guardPathUnsafe('/tmp/test-sandbox-evil/file.txt', sandbox)).toThrow(
SandboxEscapeError,
);
});
it('returns the resolved absolute path for nested paths', () => {
const result = guardPathUnsafe('deep/nested/file.ts', sandbox);
expect(result).toBe('/tmp/test-sandbox/deep/nested/file.ts');
});
it('SandboxEscapeError includes the user path and sandbox in message', () => {
let caught: unknown;
try {
guardPathUnsafe('../escape.txt', sandbox);
} catch (err) {
caught = err;
}
expect(caught).toBeInstanceOf(SandboxEscapeError);
const e = caught as SandboxEscapeError;
expect(e.userPath).toBe('../escape.txt');
expect(e.sandboxDir).toBe(sandbox);
expect(e.message).toContain('Path escape attempt blocked');
});
});
describe('guardPath', () => {
let tmpDir: string;
it('allows an existing path inside a real temp sandbox', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
const subdir = path.join(tmpDir, 'subdir');
fs.mkdirSync(subdir);
const result = guardPath('subdir', tmpDir);
expect(result).toBe(subdir);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
it('allows sandbox root itself', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
const result = guardPath('.', tmpDir);
// realpathSync resolves the tmpdir symlinks (macOS /var -> /private/var)
const realTmp = fs.realpathSync.native(tmpDir);
expect(result).toBe(realTmp);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
it('rejects path traversal with ../ on existing sandbox', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
expect(() => guardPath('../escape', tmpDir)).toThrow(SandboxEscapeError);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
it('rejects absolute path outside sandbox', () => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'path-guard-test-'));
try {
expect(() => guardPath('/etc/passwd', tmpDir)).toThrow(SandboxEscapeError);
} finally {
fs.rmSync(tmpDir, { recursive: true, force: true });
}
});
});

58
apps/gateway/src/agent/tools/path-guard.ts
View File

@@ -1,58 +0,0 @@
import path from 'node:path';
import fs from 'node:fs';
/**
* Resolves a user-provided path and verifies it is inside the allowed sandbox directory.
* Throws SandboxEscapeError if the resolved path is outside the sandbox.
*
* Uses realpathSync to resolve symlinks in the sandbox root. The user-supplied path
* is checked for containment AFTER lexical resolution but BEFORE resolving any symlinks
* within the user path — so symlink escape attempts are caught too.
*
* @param userPath - The path provided by the agent (may be relative or absolute)
* @param sandboxDir - The allowed root directory (already validated on session creation)
* @returns The resolved absolute path, guaranteed to be within sandboxDir
*/
export function guardPath(userPath: string, sandboxDir: string): string {
const resolved = path.resolve(sandboxDir, userPath);
const sandboxResolved = fs.realpathSync.native(sandboxDir);
// Normalize both paths to resolve any symlinks in the sandbox root itself.
// For the user path, we check containment BEFORE resolving symlinks in the path
// (so we catch symlink escape attempts too — the resolved path must still be under sandbox)
if (!resolved.startsWith(sandboxResolved + path.sep) && resolved !== sandboxResolved) {
throw new SandboxEscapeError(userPath, sandboxDir, resolved);
}
return resolved;
}
/**
* Validates a path without resolving symlinks in the user-provided portion.
* Use for paths that may not exist yet (creates, writes).
*
* Performs a lexical containment check only using path.resolve.
*/
export function guardPathUnsafe(userPath: string, sandboxDir: string): string {
const resolved = path.resolve(sandboxDir, userPath);
const sandboxAbs = path.resolve(sandboxDir);
if (!resolved.startsWith(sandboxAbs + path.sep) && resolved !== sandboxAbs) {
throw new SandboxEscapeError(userPath, sandboxDir, resolved);
}
return resolved;
}
export class SandboxEscapeError extends Error {
constructor(
public readonly userPath: string,
public readonly sandboxDir: string,
public readonly resolvedPath: string,
) {
super(
`Path escape attempt blocked: "${userPath}" resolves to "${resolvedPath}" which is outside sandbox "${sandboxDir}"`,
);
this.name = 'SandboxEscapeError';
}
}

218
apps/gateway/src/agent/tools/shell-tools.ts
View File

@@ -1,218 +0,0 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import { spawn } from 'node:child_process';
import { guardPath, SandboxEscapeError } from './path-guard.js';
const DEFAULT_TIMEOUT_MS = 30_000;
const MAX_OUTPUT_BYTES = 100 * 1024; // 100 KB
/**
* Commands that are outright blocked for safety.
* This is a denylist; the agent should be instructed to use
* the least-privilege command necessary.
*/
const BLOCKED_COMMANDS = new Set([
'rm',
'rmdir',
'mkfs',
'dd',
'format',
'fdisk',
'parted',
'shred',
'wipefs',
'sudo',
'su',
'chown',
'chmod',
'passwd',
'useradd',
'userdel',
'groupadd',
'shutdown',
'reboot',
'halt',
'poweroff',
'kill',
'killall',
'pkill',
'curl',
'wget',
'nc',
'netcat',
'ncat',
'ssh',
'scp',
'sftp',
'rsync',
'iptables',
'ip6tables',
'nft',
'ufw',
'firewall-cmd',
'docker',
'podman',
'kubectl',
'helm',
'terraform',
'ansible',
'crontab',
'at',
'batch',
]);
function extractBaseCommand(command: string): string {
// Extract the first word (the binary name), stripping path
const trimmed = command.trim();
const firstToken = trimmed.split(/\s+/)[0] ?? '';
return firstToken.split('/').pop() ?? firstToken;
}
function runCommand(
command: string,
options: { timeoutMs: number; cwd?: string },
): Promise<{ stdout: string; stderr: string; exitCode: number | null; timedOut: boolean }> {
return new Promise((resolve) => {
const child = spawn('sh', ['-c', command], {
cwd: options.cwd,
stdio: ['ignore', 'pipe', 'pipe'],
detached: false,
});
let stdout = '';
let stderr = '';
let timedOut = false;
let totalBytes = 0;
let truncated = false;
child.stdout?.on('data', (chunk: Buffer) => {
if (truncated) return;
totalBytes += chunk.length;
if (totalBytes > MAX_OUTPUT_BYTES) {
stdout += chunk.subarray(0, MAX_OUTPUT_BYTES - (totalBytes - chunk.length)).toString();
stdout += '\n[output truncated at 100 KB limit]';
truncated = true;
child.kill('SIGTERM');
} else {
stdout += chunk.toString();
}
});
child.stderr?.on('data', (chunk: Buffer) => {
if (stderr.length < MAX_OUTPUT_BYTES) {
stderr += chunk.toString();
}
});
const timer = setTimeout(() => {
timedOut = true;
child.kill('SIGTERM');
setTimeout(() => {
try {
child.kill('SIGKILL');
} catch {
// already exited
}
}, 2000);
}, options.timeoutMs);
child.on('close', (exitCode) => {
clearTimeout(timer);
resolve({ stdout, stderr, exitCode, timedOut });
});
child.on('error', (err) => {
clearTimeout(timer);
resolve({ stdout, stderr: stderr + String(err), exitCode: null, timedOut: false });
});
});
}
export function createShellTools(sandboxDir?: string): ToolDefinition[] {
const defaultCwd = sandboxDir ?? process.cwd();
const shellExec: ToolDefinition = {
name: 'shell_exec',
label: 'Shell Execute',
description:
'Execute a shell command with timeout and output limits. Dangerous commands (rm, sudo, docker, etc.) are blocked. Working directory is restricted to the session sandbox.',
parameters: Type.Object({
command: Type.String({ description: 'Shell command to execute' }),
cwd: Type.Optional(
Type.String({
description:
'Working directory for the command (relative to sandbox or absolute within it).',
}),
),
timeout: Type.Optional(
Type.Number({ description: 'Timeout in milliseconds (default 30000, max 60000)' }),
),
}),
async execute(_toolCallId, params) {
const { command, cwd, timeout } = params as {
command: string;
cwd?: string;
timeout?: number;
};
const base = extractBaseCommand(command);
if (BLOCKED_COMMANDS.has(base)) {
return {
content: [
{
type: 'text' as const,
text: `Error: command "${base}" is blocked for safety reasons.`,
},
],
details: undefined,
};
}
const timeoutMs = Math.min(timeout ?? DEFAULT_TIMEOUT_MS, 60_000);
let safeCwd: string;
try {
safeCwd = guardPath(cwd ?? '.', defaultCwd);
} catch (err) {
if (err instanceof SandboxEscapeError) {
return {
content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
details: undefined,
};
}
return {
content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
details: undefined,
};
}
const result = await runCommand(command, {
timeoutMs,
cwd: safeCwd,
});
if (result.timedOut) {
return {
content: [
{
type: 'text' as const,
text: `Command timed out after ${timeoutMs}ms.\nPartial stdout:\n${result.stdout}\nPartial stderr:\n${result.stderr}`,
},
],
details: undefined,
};
}
const parts: string[] = [];
if (result.stdout) parts.push(`stdout:\n${result.stdout}`);
if (result.stderr) parts.push(`stderr:\n${result.stderr}`);
parts.push(`exit code: ${result.exitCode ?? 'null'}`);
return {
content: [{ type: 'text' as const, text: parts.join('\n') }],
details: undefined,
};
},
};
return [shellExec];
}

180
apps/gateway/src/agent/tools/skill-tools.ts
View File

@@ -1,180 +0,0 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import type { SkillsService } from '../../skills/skills.service.js';
/**
* Creates meta-tools that allow agents to list and invoke skills from the catalog.
*
* skill_list — list all enabled skills
* skill_invoke — execute a skill by name with parameters
*/
export function createSkillTools(skillsService: SkillsService): ToolDefinition[] {
const skillList: ToolDefinition = {
name: 'skill_list',
label: 'List Skills',
description:
'List all enabled skills available in the catalog. Returns name, description, type, and config for each skill.',
parameters: Type.Object({}),
async execute() {
const skills = await skillsService.findEnabled();
const summary = skills.map((s) => ({
name: s.name,
description: s.description,
version: s.version,
source: s.source,
config: s.config,
}));
return {
content: [
{
type: 'text' as const,
text:
summary.length > 0
? JSON.stringify(summary, null, 2)
: 'No enabled skills found in catalog.',
},
],
details: undefined,
};
},
};
const skillInvoke: ToolDefinition = {
name: 'skill_invoke',
label: 'Invoke Skill',
description:
'Invoke a skill from the catalog by name. For prompt skills, returns the prompt addition. ' +
'For tool skills, executes the embedded logic. For workflow skills, returns the workflow steps.',
parameters: Type.Object({
name: Type.String({ description: 'Skill name to invoke' }),
params: Type.Optional(
Type.Record(Type.String(), Type.Unknown(), {
description: 'Parameters to pass to the skill (if applicable)',
}),
),
}),
async execute(_toolCallId, rawParams) {
const { name, params } = rawParams as {
name: string;
params?: Record<string, unknown>;
};
const skill = await skillsService.findByName(name);
if (!skill) {
return {
content: [{ type: 'text' as const, text: `Skill not found: ${name}` }],
details: undefined,
};
}
if (!skill.enabled) {
return {
content: [{ type: 'text' as const, text: `Skill is disabled: ${name}` }],
details: undefined,
};
}
const config = (skill.config ?? {}) as Record<string, unknown>;
const skillType = (config['type'] as string | undefined) ?? 'prompt';
switch (skillType) {
case 'prompt': {
const promptAddition =
(config['prompt'] as string | undefined) ?? skill.description ?? '';
return {
content: [
{
type: 'text' as const,
text: promptAddition
? `[Skill: ${name}] ${promptAddition}`
: `[Skill: ${name}] No prompt content defined.`,
},
],
details: undefined,
};
}
case 'tool': {
const toolLogic = config['logic'] as string | undefined;
if (!toolLogic) {
return {
content: [
{
type: 'text' as const,
text: `[Skill: ${name}] Tool skill has no logic defined.`,
},
],
details: undefined,
};
}
// Inline tool skill execution: the logic field holds a JS expression or template
// For safety, treat it as a template that can reference params
const result = renderTemplate(toolLogic, { params: params ?? {}, skill });
return {
content: [{ type: 'text' as const, text: `[Skill: ${name}]\n${result}` }],
details: undefined,
};
}
case 'workflow': {
const steps = config['steps'] as unknown[] | undefined;
if (!steps || steps.length === 0) {
return {
content: [
{
type: 'text' as const,
text: `[Skill: ${name}] Workflow has no steps defined.`,
},
],
details: undefined,
};
}
return {
content: [
{
type: 'text' as const,
text: `[Skill: ${name}] Workflow steps:\n${JSON.stringify(steps, null, 2)}`,
},
],
details: undefined,
};
}
default: {
// Unknown type — return full config so the agent can decide what to do
return {
content: [
{
type: 'text' as const,
text: `[Skill: ${name}] (type: ${skillType})\n${JSON.stringify(config, null, 2)}`,
},
],
details: undefined,
};
}
}
},
};
return [skillList, skillInvoke];
}
/**
* Minimal template renderer — replaces {{key}} with values from the context.
* Used for tool skill logic templates.
*/
function renderTemplate(template: string, context: Record<string, unknown>): string {
return template.replace(/\{\{(\w+(?:\.\w+)*)\}\}/g, (_match, path: string) => {
const parts = path.split('.');
let value: unknown = context;
for (const part of parts) {
if (value != null && typeof value === 'object') {
value = (value as Record<string, unknown>)[part];
} else {
value = undefined;
break;
}
}
return value !== undefined && value !== null ? String(value) : '';
});
}

225
apps/gateway/src/agent/tools/web-tools.ts
View File

@@ -1,225 +0,0 @@
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
const DEFAULT_TIMEOUT_MS = 15_000;
const MAX_RESPONSE_BYTES = 512 * 1024; // 512 KB
/**
* Blocked URL patterns (private IP ranges, localhost, link-local).
*/
const BLOCKED_HOSTNAMES = [
/^localhost$/i,
/^127\./,
/^10\./,
/^172\.(1[6-9]|2\d|3[01])\./,
/^192\.168\./,
/^::1$/,
/^fc[0-9a-f][0-9a-f]:/i,
/^fe80:/i,
/^0\.0\.0\.0$/,
/^169\.254\./,
];
function isBlockedUrl(urlString: string): string | null {
let parsed: URL;
try {
parsed = new URL(urlString);
} catch {
return `Invalid URL: ${urlString}`;
}
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
return `Unsupported protocol: ${parsed.protocol}. Only http and https are allowed.`;
}
const hostname = parsed.hostname;
for (const pattern of BLOCKED_HOSTNAMES) {
if (pattern.test(hostname)) {
return `Blocked: requests to "${hostname}" are not allowed (private/local addresses).`;
}
}
return null;
}
async function fetchWithLimit(
url: string,
options: RequestInit,
timeoutMs: number,
): Promise<{ text: string; status: number; contentType: string }> {
const controller = new AbortController();
const timer = setTimeout(() => controller.abort(), timeoutMs);
try {
const response = await fetch(url, { ...options, signal: controller.signal });
const contentType = response.headers.get('content-type') ?? '';
// Stream response and enforce size limit
const reader = response.body?.getReader();
if (!reader) {
return { text: '', status: response.status, contentType };
}
const chunks: Uint8Array[] = [];
let totalBytes = 0;
let truncated = false;
while (true) {
const { done, value } = await reader.read();
if (done) break;
totalBytes += value.length;
if (totalBytes > MAX_RESPONSE_BYTES) {
const remaining = MAX_RESPONSE_BYTES - (totalBytes - value.length);
chunks.push(value.subarray(0, remaining));
truncated = true;
reader.cancel();
break;
}
chunks.push(value);
}
const combined = new Uint8Array(chunks.reduce((acc, c) => acc + c.length, 0));
let offset = 0;
for (const chunk of chunks) {
combined.set(chunk, offset);
offset += chunk.length;
}
let text = new TextDecoder().decode(combined);
if (truncated) {
text += '\n[response truncated at 512 KB limit]';
}
return { text, status: response.status, contentType };
} finally {
clearTimeout(timer);
}
}
export function createWebTools(): ToolDefinition[] {
const webGet: ToolDefinition = {
name: 'web_get',
label: 'HTTP GET',
description:
'Perform an HTTP GET request and return the response body. Private/local addresses are blocked.',
parameters: Type.Object({
url: Type.String({ description: 'URL to fetch (http/https only)' }),
headers: Type.Optional(
Type.Record(Type.String(), Type.String(), {
description: 'Optional request headers as key-value pairs',
}),
),
timeout: Type.Optional(
Type.Number({ description: 'Timeout in milliseconds (default 15000, max 30000)' }),
),
}),
async execute(_toolCallId, params) {
const { url, headers, timeout } = params as {
url: string;
headers?: Record<string, string>;
timeout?: number;
};
const blocked = isBlockedUrl(url);
if (blocked) {
return {
content: [{ type: 'text' as const, text: `Error: ${blocked}` }],
details: undefined,
};
}
const timeoutMs = Math.min(timeout ?? DEFAULT_TIMEOUT_MS, 30_000);
try {
const result = await fetchWithLimit(
url,
{ method: 'GET', headers: headers ?? {} },
timeoutMs,
);
return {
content: [
{
type: 'text' as const,
text: `HTTP ${result.status} (${result.contentType})\n\n${result.text}`,
},
],
details: undefined,
};
} catch (err) {
const msg = err instanceof Error ? err.message : String(err);
return {
content: [{ type: 'text' as const, text: `Error fetching URL: ${msg}` }],
details: undefined,
};
}
},
};
const webPost: ToolDefinition = {
name: 'web_post',
label: 'HTTP POST',
description:
'Perform an HTTP POST request with a JSON or text body. Private/local addresses are blocked.',
parameters: Type.Object({
url: Type.String({ description: 'URL to POST to (http/https only)' }),
body: Type.String({ description: 'Request body (JSON string or plain text)' }),
contentType: Type.Optional(
Type.String({ description: 'Content-Type header (default: application/json)' }),
),
headers: Type.Optional(
Type.Record(Type.String(), Type.String(), {
description: 'Optional additional request headers',
}),
),
timeout: Type.Optional(
Type.Number({ description: 'Timeout in milliseconds (default 15000, max 30000)' }),
),
}),
async execute(_toolCallId, params) {
const { url, body, contentType, headers, timeout } = params as {
url: string;
body: string;
contentType?: string;
headers?: Record<string, string>;
timeout?: number;
};
const blocked = isBlockedUrl(url);
if (blocked) {
return {
content: [{ type: 'text' as const, text: `Error: ${blocked}` }],
details: undefined,
};
}
const timeoutMs = Math.min(timeout ?? DEFAULT_TIMEOUT_MS, 30_000);
const ct = contentType ?? 'application/json';
try {
const result = await fetchWithLimit(
url,
{
method: 'POST',
headers: { 'Content-Type': ct, ...(headers ?? {}) },
body,
},
timeoutMs,
);
return {
content: [
{
type: 'text' as const,
text: `HTTP ${result.status} (${result.contentType})\n\n${result.text}`,
},
],
details: undefined,
};
} catch (err) {
const msg = err instanceof Error ? err.message : String(err);
return {
content: [{ type: 'text' as const, text: `Error posting to URL: ${msg}` }],
details: undefined,
};
}
},
};
return [webGet, webPost];
}

22
apps/gateway/src/app.module.ts
View File

@@ -11,17 +11,6 @@ import { ProjectsModule } from './projects/projects.module.js';
import { MissionsModule } from './missions/missions.module.js'; import { MissionsModule } from './missions/missions.module.js';
import { TasksModule } from './tasks/tasks.module.js'; import { TasksModule } from './tasks/tasks.module.js';
import { CoordModule } from './coord/coord.module.js'; import { CoordModule } from './coord/coord.module.js';
import { MemoryModule } from './memory/memory.module.js';
import { LogModule } from './log/log.module.js';
import { SkillsModule } from './skills/skills.module.js';
import { PluginModule } from './plugin/plugin.module.js';
import { McpModule } from './mcp/mcp.module.js';
import { AdminModule } from './admin/admin.module.js';
import { CommandsModule } from './commands/commands.module.js';
import { PreferencesModule } from './preferences/preferences.module.js';
import { GCModule } from './gc/gc.module.js';
import { ReloadModule } from './reload/reload.module.js';
import { WorkspaceModule } from './workspace/workspace.module.js';
import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler'; import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
@Module({ @Module({
@@ -37,17 +26,6 @@ import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
MissionsModule, MissionsModule,
TasksModule, TasksModule,
CoordModule, CoordModule,
MemoryModule,
LogModule,
SkillsModule,
PluginModule,
McpModule,
AdminModule,
PreferencesModule,
CommandsModule,
GCModule,
ReloadModule,
WorkspaceModule,
], ],
controllers: [HealthController], controllers: [HealthController],
providers: [ providers: [

30
apps/gateway/src/auth/auth.controller.ts
View File

@@ -7,17 +7,16 @@ import { AUTH } from './auth.tokens.js';
export function mountAuthHandler(app: NestFastifyApplication): void { export function mountAuthHandler(app: NestFastifyApplication): void {
const auth = app.get<Auth>(AUTH); const auth = app.get<Auth>(AUTH);
const nodeHandler = toNodeHandler(auth); const nodeHandler = toNodeHandler(auth);
const corsOrigin = process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000';
const fastify = app.getHttpAdapter().getInstance(); const fastify = app.getHttpAdapter().getInstance();
// BetterAuth is mounted at the raw HTTP level via Fastify's onRequest hook, // Use Fastify's addHook to intercept auth requests at the raw HTTP level,
// bypassing NestJS middleware (including CORS). We must set CORS headers // before Fastify's body parser runs. This avoids conflicts with NestJS's
// manually on the raw response before handing off to BetterAuth. // custom content-type parser.
fastify.addHook( fastify.addHook(
'onRequest', 'onRequest',
( (
req: { raw: IncomingMessage; url: string; method: string }, req: { raw: IncomingMessage; url: string },
reply: { raw: ServerResponse; hijack: () => void }, reply: { raw: ServerResponse; hijack: () => void },
done: () => void, done: () => void,
) => { ) => {
@@ -26,27 +25,6 @@ export function mountAuthHandler(app: NestFastifyApplication): void {
return; return;
} }
const origin = req.raw.headers.origin;
const allowed = corsOrigin.split(',').map((o) => o.trim());
if (origin && allowed.includes(origin)) {
reply.raw.setHeader('Access-Control-Allow-Origin', origin);
reply.raw.setHeader('Access-Control-Allow-Credentials', 'true');
reply.raw.setHeader(
'Access-Control-Allow-Methods',
'GET, POST, PUT, PATCH, DELETE, OPTIONS',
);
reply.raw.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Cookie');
}
// Handle preflight
if (req.method === 'OPTIONS') {
reply.hijack();
reply.raw.writeHead(204);
reply.raw.end();
return;
}
reply.hijack(); reply.hijack();
nodeHandler(req.raw as IncomingMessage, reply.raw as ServerResponse) nodeHandler(req.raw as IncomingMessage, reply.raw as ServerResponse)
.then(() => { .then(() => {

4
apps/gateway/src/chat/chat.dto.ts
View File

@@ -28,8 +28,4 @@ export class ChatSocketMessageDto {
@IsString() @IsString()
@MaxLength(255) @MaxLength(255)
modelId?: string; modelId?: string;
@IsOptional()
@IsUUID()
agentId?: string;
} }

104
apps/gateway/src/chat/chat.gateway.ts
View File

@@ -12,11 +12,8 @@ import {
import { Server, Socket } from 'socket.io'; import { Server, Socket } from 'socket.io';
import type { AgentSessionEvent } from '@mariozechner/pi-coding-agent'; import type { AgentSessionEvent } from '@mariozechner/pi-coding-agent';
import type { Auth } from '@mosaic/auth'; import type { Auth } from '@mosaic/auth';
import type { SetThinkingPayload, SlashCommandPayload, SystemReloadPayload } from '@mosaic/types';
import { AgentService } from '../agent/agent.service.js'; import { AgentService } from '../agent/agent.service.js';
import { AUTH } from '../auth/auth.tokens.js'; import { AUTH } from '../auth/auth.tokens.js';
import { CommandRegistryService } from '../commands/command-registry.service.js';
import { CommandExecutorService } from '../commands/command-executor.service.js';
import { v4 as uuid } from 'uuid'; import { v4 as uuid } from 'uuid';
import { ChatSocketMessageDto } from './chat.dto.js'; import { ChatSocketMessageDto } from './chat.dto.js';
import { validateSocketSession } from './chat.gateway-auth.js'; import { validateSocketSession } from './chat.gateway-auth.js';
@@ -40,8 +37,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
constructor( constructor(
@Inject(AgentService) private readonly agentService: AgentService, @Inject(AgentService) private readonly agentService: AgentService,
@Inject(AUTH) private readonly auth: Auth, @Inject(AUTH) private readonly auth: Auth,
@Inject(CommandRegistryService) private readonly commandRegistry: CommandRegistryService,
@Inject(CommandExecutorService) private readonly commandExecutor: CommandExecutorService,
) {} ) {}
afterInit(): void { afterInit(): void {
@@ -59,9 +54,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
client.data.user = session.user; client.data.user = session.user;
client.data.session = session.session; client.data.session = session.session;
this.logger.log(`Client connected: ${client.id}`); this.logger.log(`Client connected: ${client.id}`);
// Broadcast command manifest to the newly connected client
client.emit('commands:manifest', { manifest: this.commandRegistry.getManifest() });
} }
handleDisconnect(client: Socket): void { handleDisconnect(client: Socket): void {
@@ -87,12 +79,9 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
try { try {
let agentSession = this.agentService.getSession(conversationId); let agentSession = this.agentService.getSession(conversationId);
if (!agentSession) { if (!agentSession) {
const userId = (client.data.user as { id: string } | undefined)?.id;
agentSession = await this.agentService.createSession(conversationId, { agentSession = await this.agentService.createSession(conversationId, {
provider: data.provider, provider: data.provider,
modelId: data.modelId, modelId: data.modelId,
agentConfigId: data.agentId,
userId,
}); });
} }
} catch (err) { } catch (err) {
@@ -123,21 +112,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
// Track channel connection // Track channel connection
this.agentService.addChannel(conversationId, `websocket:${client.id}`); this.agentService.addChannel(conversationId, `websocket:${client.id}`);
// Send session info so the client knows the model/provider
{
const agentSession = this.agentService.getSession(conversationId);
if (agentSession) {
const piSession = agentSession.piSession;
client.emit('session:info', {
conversationId,
provider: agentSession.provider,
modelId: agentSession.modelId,
thinkingLevel: piSession.thinkingLevel,
availableThinkingLevels: piSession.getAvailableThinkingLevels(),
});
}
}
// Send acknowledgment // Send acknowledgment
client.emit('message:ack', { conversationId, messageId: uuid() }); client.emit('message:ack', { conversationId, messageId: uuid() });
@@ -156,58 +130,6 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
} }
} }
@SubscribeMessage('set:thinking')
handleSetThinking(
@ConnectedSocket() client: Socket,
@MessageBody() data: SetThinkingPayload,
): void {
const session = this.agentService.getSession(data.conversationId);
if (!session) {
client.emit('error', {
conversationId: data.conversationId,
error: 'No active session for this conversation.',
});
return;
}
const validLevels = session.piSession.getAvailableThinkingLevels();
if (!validLevels.includes(data.level as never)) {
client.emit('error', {
conversationId: data.conversationId,
error: `Invalid thinking level "${data.level}". Available: ${validLevels.join(', ')}`,
});
return;
}
session.piSession.setThinkingLevel(data.level as never);
this.logger.log(
`Thinking level set to "${data.level}" for conversation ${data.conversationId}`,
);
client.emit('session:info', {
conversationId: data.conversationId,
provider: session.provider,
modelId: session.modelId,
thinkingLevel: session.piSession.thinkingLevel,
availableThinkingLevels: session.piSession.getAvailableThinkingLevels(),
});
}
@SubscribeMessage('command:execute')
async handleCommandExecute(
@ConnectedSocket() client: Socket,
@MessageBody() payload: SlashCommandPayload,
): Promise<void> {
const userId = (client.data.user as { id: string } | undefined)?.id ?? 'unknown';
const result = await this.commandExecutor.execute(payload, userId);
client.emit('command:result', result);
}
broadcastReload(payload: SystemReloadPayload): void {
this.server.emit('system:reload', payload);
this.logger.log('Broadcasted system:reload to all connected clients');
}
private relayEvent(client: Socket, conversationId: string, event: AgentSessionEvent): void { private relayEvent(client: Socket, conversationId: string, event: AgentSessionEvent): void {
if (!client.connected) { if (!client.connected) {
this.logger.warn( this.logger.warn(
@@ -221,31 +143,9 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
client.emit('agent:start', { conversationId }); client.emit('agent:start', { conversationId });
break; break;
case 'agent_end': { case 'agent_end':
// Gather usage stats from the Pi session client.emit('agent:end', { conversationId });
const agentSession = this.agentService.getSession(conversationId);
const piSession = agentSession?.piSession;
const stats = piSession?.getSessionStats();
const contextUsage = piSession?.getContextUsage();
client.emit('agent:end', {
conversationId,
usage: stats
? {
provider: agentSession?.provider ?? 'unknown',
modelId: agentSession?.modelId ?? 'unknown',
thinkingLevel: piSession?.thinkingLevel ?? 'off',
tokens: stats.tokens,
cost: stats.cost,
context: {
percent: contextUsage?.percent ?? null,
window: contextUsage?.contextWindow ?? 0,
},
}
: undefined,
});
break; break;
}
case 'message_update': { case 'message_update': {
const assistantEvent = event.assistantMessageEvent; const assistantEvent = event.assistantMessageEvent;

5
apps/gateway/src/chat/chat.module.ts
View File

@@ -1,12 +1,9 @@
import { forwardRef, Module } from '@nestjs/common'; import { Module } from '@nestjs/common';
import { CommandsModule } from '../commands/commands.module.js';
import { ChatGateway } from './chat.gateway.js'; import { ChatGateway } from './chat.gateway.js';
import { ChatController } from './chat.controller.js'; import { ChatController } from './chat.controller.js';
@Module({ @Module({
imports: [forwardRef(() => CommandsModule)],
controllers: [ChatController], controllers: [ChatController],
providers: [ChatGateway], providers: [ChatGateway],
exports: [ChatGateway],
}) })
export class ChatModule {} export class ChatModule {}

213
apps/gateway/src/commands/command-executor-p8012.spec.ts
View File

@@ -1,213 +0,0 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { CommandExecutorService } from './command-executor.service.js';
import type { SlashCommandPayload } from '@mosaic/types';
// Minimal mock implementations
const mockRegistry = {
getManifest: vi.fn(() => ({
version: 1,
commands: [
{ name: 'provider', aliases: [], scope: 'agent', execution: 'hybrid', available: true },
{ name: 'mission', aliases: [], scope: 'agent', execution: 'socket', available: true },
{ name: 'agent', aliases: ['a'], scope: 'agent', execution: 'socket', available: true },
{ name: 'prdy', aliases: [], scope: 'agent', execution: 'socket', available: true },
{ name: 'tools', aliases: [], scope: 'agent', execution: 'socket', available: true },
],
skills: [],
})),
};
const mockAgentService = {
getSession: vi.fn(() => undefined),
};
const mockSystemOverride = {
set: vi.fn(),
get: vi.fn(),
clear: vi.fn(),
renew: vi.fn(),
};
const mockSessionGC = {
sweepOrphans: vi.fn(() => ({ orphanedSessions: 0, totalCleaned: [], duration: 0 })),
};
const mockRedis = {
set: vi.fn().mockResolvedValue('OK'),
get: vi.fn(),
del: vi.fn(),
};
function buildService(): CommandExecutorService {
return new CommandExecutorService(
mockRegistry as never,
mockAgentService as never,
mockSystemOverride as never,
mockSessionGC as never,
mockRedis as never,
null,
null,
);
}
describe('CommandExecutorService — P8-012 commands', () => {
let service: CommandExecutorService;
const userId = 'user-123';
const conversationId = 'conv-456';
beforeEach(() => {
vi.clearAllMocks();
service = buildService();
});
// /provider login — missing provider name
it('/provider login with no provider name returns usage error', async () => {
const payload: SlashCommandPayload = { command: 'provider', args: 'login', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('Usage: /provider login');
expect(result.command).toBe('provider');
});
// /provider login anthropic — success with URL containing poll token
it('/provider login <name> returns success with URL and poll token', async () => {
const payload: SlashCommandPayload = {
command: 'provider',
args: 'login anthropic',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('provider');
expect(result.message).toContain('anthropic');
expect(result.message).toContain('http');
// data should contain loginUrl and pollToken
expect(result.data).toBeDefined();
const data = result.data as Record<string, unknown>;
expect(typeof data['loginUrl']).toBe('string');
expect(typeof data['pollToken']).toBe('string');
expect(data['loginUrl'] as string).toContain('anthropic');
expect(data['loginUrl'] as string).toContain(data['pollToken'] as string);
// Verify Valkey was called
expect(mockRedis.set).toHaveBeenCalledOnce();
const [key, value, , ttl] = mockRedis.set.mock.calls[0] as [string, string, string, number];
expect(key).toContain('mosaic:auth:poll:');
const stored = JSON.parse(value) as { status: string; provider: string; userId: string };
expect(stored.status).toBe('pending');
expect(stored.provider).toBe('anthropic');
expect(stored.userId).toBe(userId);
expect(ttl).toBe(300);
});
// /provider with no args — returns usage
it('/provider with no args returns usage message', async () => {
const payload: SlashCommandPayload = { command: 'provider', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Usage: /provider');
});
// /provider list
it('/provider list returns success', async () => {
const payload: SlashCommandPayload = { command: 'provider', args: 'list', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('provider');
});
// /provider logout with no name — usage error
it('/provider logout with no name returns error', async () => {
const payload: SlashCommandPayload = { command: 'provider', args: 'logout', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('Usage: /provider logout');
});
// /provider unknown subcommand
it('/provider unknown subcommand returns error', async () => {
const payload: SlashCommandPayload = {
command: 'provider',
args: 'unknown',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('Unknown subcommand');
});
// /mission status
it('/mission status returns stub message', async () => {
const payload: SlashCommandPayload = { command: 'mission', args: 'status', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('mission');
expect(result.message).toContain('Mission status');
});
// /mission with no args
it('/mission with no args returns status stub', async () => {
const payload: SlashCommandPayload = { command: 'mission', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Mission status');
});
// /mission set <id>
it('/mission set <id> returns confirmation', async () => {
const payload: SlashCommandPayload = {
command: 'mission',
args: 'set my-mission-123',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('my-mission-123');
});
// /agent list
it('/agent list returns stub message', async () => {
const payload: SlashCommandPayload = { command: 'agent', args: 'list', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('agent');
expect(result.message).toContain('agent');
});
// /agent with no args
it('/agent with no args returns usage', async () => {
const payload: SlashCommandPayload = { command: 'agent', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Usage: /agent');
});
// /agent <id> — switch
it('/agent <id> returns switch confirmation', async () => {
const payload: SlashCommandPayload = {
command: 'agent',
args: 'my-agent-id',
conversationId,
};
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('my-agent-id');
});
// /prdy
it('/prdy returns PRD wizard message', async () => {
const payload: SlashCommandPayload = { command: 'prdy', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('prdy');
expect(result.message).toContain('mosaic prdy');
});
// /tools
it('/tools returns tools stub message', async () => {
const payload: SlashCommandPayload = { command: 'tools', conversationId };
const result = await service.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('tools');
expect(result.message).toContain('tools');
});
});

373
apps/gateway/src/commands/command-executor.service.ts
View File

@@ -1,373 +0,0 @@
import { forwardRef, Inject, Injectable, Logger, Optional } from '@nestjs/common';
import type { QueueHandle } from '@mosaic/queue';
import type { SlashCommandPayload, SlashCommandResultPayload } from '@mosaic/types';
import { AgentService } from '../agent/agent.service.js';
import { ChatGateway } from '../chat/chat.gateway.js';
import { SessionGCService } from '../gc/session-gc.service.js';
import { SystemOverrideService } from '../preferences/system-override.service.js';
import { ReloadService } from '../reload/reload.service.js';
import { COMMANDS_REDIS } from './commands.tokens.js';
import { CommandRegistryService } from './command-registry.service.js';
@Injectable()
export class CommandExecutorService {
private readonly logger = new Logger(CommandExecutorService.name);
constructor(
@Inject(CommandRegistryService) private readonly registry: CommandRegistryService,
@Inject(AgentService) private readonly agentService: AgentService,
@Inject(SystemOverrideService) private readonly systemOverride: SystemOverrideService,
@Inject(SessionGCService) private readonly sessionGC: SessionGCService,
@Inject(COMMANDS_REDIS) private readonly redis: QueueHandle['redis'],
@Optional()
@Inject(forwardRef(() => ReloadService))
private readonly reloadService: ReloadService | null,
@Optional()
@Inject(forwardRef(() => ChatGateway))
private readonly chatGateway: ChatGateway | null,
) {}
async execute(payload: SlashCommandPayload, userId: string): Promise<SlashCommandResultPayload> {
const { command, args, conversationId } = payload;
const def = this.registry.getManifest().commands.find((c) => c.name === command);
if (!def) {
return {
command,
conversationId,
success: false,
message: `Unknown command: /${command}`,
};
}
try {
switch (command) {
case 'model':
return await this.handleModel(args ?? null, conversationId);
case 'thinking':
return await this.handleThinking(args ?? null, conversationId);
case 'system':
return await this.handleSystem(args ?? null, conversationId);
case 'new':
return {
command,
conversationId,
success: true,
message: 'Start a new conversation by selecting New Conversation.',
};
case 'clear':
return {
command,
conversationId,
success: true,
message: 'Conversation display cleared.',
};
case 'compact':
return {
command,
conversationId,
success: true,
message: 'Context compaction requested.',
};
case 'retry':
return {
command,
conversationId,
success: true,
message: 'Retry last message requested.',
};
case 'gc': {
// User-scoped sweep for non-admin; system-wide for admin
const result = await this.sessionGC.sweepOrphans(userId);
return {
command: 'gc',
success: true,
message: `GC sweep complete: ${result.orphanedSessions} orphaned sessions cleaned in ${result.duration}ms.`,
conversationId,
};
}
case 'agent':
return await this.handleAgent(args ?? null, conversationId);
case 'provider':
return await this.handleProvider(args ?? null, userId, conversationId);
case 'mission':
return await this.handleMission(args ?? null, conversationId, userId);
case 'prdy':
return {
command: 'prdy',
success: true,
message:
'PRD wizard: run `mosaic prdy` in your project workspace to create or update a PRD.',
conversationId,
};
case 'tools':
return await this.handleTools(conversationId, userId);
case 'reload': {
if (!this.reloadService) {
return {
command: 'reload',
conversationId,
success: false,
message: 'ReloadService is not available.',
};
}
const reloadResult = await this.reloadService.reload('command');
this.chatGateway?.broadcastReload(reloadResult);
return {
command: 'reload',
success: true,
message: reloadResult.message,
conversationId,
};
}
default:
return {
command,
conversationId,
success: false,
message: `Command /${command} is not yet implemented.`,
};
}
} catch (err) {
this.logger.error(`Command /${command} failed: ${err}`);
return { command, conversationId, success: false, message: String(err) };
}
}
private async handleModel(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args) {
return {
command: 'model',
conversationId,
success: true,
message: 'Usage: /model <model-name>',
};
}
// Update agent session model if session is active
// For now, acknowledge the request — full wiring done in P8-012
const session = this.agentService.getSession(conversationId);
if (!session) {
return {
command: 'model',
conversationId,
success: true,
message: `Model switch to "${args}" requested. No active session for this conversation.`,
};
}
return {
command: 'model',
conversationId,
success: true,
message: `Model switch to "${args}" requested.`,
};
}
private async handleThinking(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
const level = args?.toLowerCase();
if (!level || !['none', 'low', 'medium', 'high', 'auto'].includes(level)) {
return {
command: 'thinking',
conversationId,
success: true,
message: 'Usage: /thinking <none|low|medium|high|auto>',
};
}
return {
command: 'thinking',
conversationId,
success: true,
message: `Thinking level set to "${level}".`,
};
}
private async handleSystem(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args || args.trim().length === 0) {
// Clear the override when called with no args
await this.systemOverride.clear(conversationId);
return {
command: 'system',
conversationId,
success: true,
message: 'Session system prompt override cleared.',
};
}
await this.systemOverride.set(conversationId, args.trim());
return {
command: 'system',
conversationId,
success: true,
message: `Session system prompt override set (expires in 5 minutes of inactivity).`,
};
}
private async handleAgent(
args: string | null,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args) {
return {
command: 'agent',
success: true,
message: 'Usage: /agent <agent-id> to switch, or /agent list to see available agents.',
conversationId,
};
}
if (args === 'list') {
return {
command: 'agent',
success: true,
message: 'Agent listing: use the web dashboard for full agent management.',
conversationId,
};
}
// Switch agent — stub for now (full implementation in P8-015)
return {
command: 'agent',
success: true,
message: `Agent switch to "${args}" requested. Restart conversation to apply.`,
conversationId,
};
}
private async handleProvider(
args: string | null,
userId: string,
conversationId: string,
): Promise<SlashCommandResultPayload> {
if (!args) {
return {
command: 'provider',
success: true,
message: 'Usage: /provider list | /provider login <name> | /provider logout <name>',
conversationId,
};
}
const spaceIdx = args.indexOf(' ');
const subcommand = spaceIdx >= 0 ? args.slice(0, spaceIdx) : args;
const providerName = spaceIdx >= 0 ? args.slice(spaceIdx + 1).trim() : '';
switch (subcommand) {
case 'list':
return {
command: 'provider',
success: true,
message: 'Use the web dashboard to manage providers.',
conversationId,
};
case 'login': {
if (!providerName) {
return {
command: 'provider',
success: false,
message: 'Usage: /provider login <provider-name>',
conversationId,
};
}
const pollToken = crypto.randomUUID();
const key = `mosaic:auth:poll:${pollToken}`;
// Store pending state in Valkey (TTL 5 minutes)
await this.redis.set(
key,
JSON.stringify({ status: 'pending', provider: providerName, userId }),
'EX',
300,
);
// In production this would construct an OAuth URL
const loginUrl = `${process.env['MOSAIC_BASE_URL'] ?? 'http://localhost:3000'}/auth/provider/${providerName}?token=${pollToken}`;
return {
command: 'provider',
success: true,
message: `Open this URL to authenticate with ${providerName}:\n${loginUrl}`,
conversationId,
data: { loginUrl, pollToken, provider: providerName },
};
}
case 'logout': {
if (!providerName) {
return {
command: 'provider',
success: false,
message: 'Usage: /provider logout <provider-name>',
conversationId,
};
}
return {
command: 'provider',
success: true,
message: `Logout from ${providerName}: use the web dashboard to revoke provider tokens.`,
conversationId,
};
}
default:
return {
command: 'provider',
success: false,
message: `Unknown subcommand: ${subcommand}. Use list, login, or logout.`,
conversationId,
};
}
}
private async handleMission(
args: string | null,
conversationId: string,
_userId: string,
): Promise<SlashCommandResultPayload> {
if (!args || args === 'status') {
// TODO: fetch active mission from DB when MissionsService is available
return {
command: 'mission',
success: true,
message: 'Mission status: use the web dashboard for full mission management.',
conversationId,
};
}
if (args.startsWith('set ')) {
const missionId = args.slice(4).trim();
return {
command: 'mission',
success: true,
message: `Mission set to ${missionId}. Session context updated.`,
conversationId,
};
}
return {
command: 'mission',
success: true,
message: 'Usage: /mission [status|set <id>|list|tasks]',
conversationId,
};
}
private async handleTools(
conversationId: string,
_userId: string,
): Promise<SlashCommandResultPayload> {
// TODO: fetch tool list from active agent session
return {
command: 'tools',
success: true,
message:
'Available tools depend on the active agent configuration. Use the web dashboard to configure tool access.',
conversationId,
};
}
}

53
apps/gateway/src/commands/command-registry.service.spec.ts
View File

@@ -1,53 +0,0 @@
import { describe, it, expect, beforeEach } from 'vitest';
import { CommandRegistryService } from './command-registry.service.js';
import type { CommandDef } from '@mosaic/types';
const mockCmd: CommandDef = {
name: 'test',
description: 'Test command',
aliases: ['t'],
scope: 'core',
execution: 'local',
available: true,
};
describe('CommandRegistryService', () => {
let service: CommandRegistryService;
beforeEach(() => {
service = new CommandRegistryService();
});
it('starts with empty manifest', () => {
expect(service.getManifest().commands).toHaveLength(0);
});
it('registers a command', () => {
service.registerCommand(mockCmd);
expect(service.getManifest().commands).toHaveLength(1);
});
it('updates existing command by name', () => {
service.registerCommand(mockCmd);
service.registerCommand({ ...mockCmd, description: 'Updated' });
expect(service.getManifest().commands).toHaveLength(1);
expect(service.getManifest().commands[0]?.description).toBe('Updated');
});
it('onModuleInit registers core commands', () => {
service.onModuleInit();
const manifest = service.getManifest();
expect(manifest.commands.length).toBeGreaterThan(5);
expect(manifest.commands.some((c) => c.name === 'model')).toBe(true);
expect(manifest.commands.some((c) => c.name === 'help')).toBe(true);
});
it('manifest includes skills array', () => {
const manifest = service.getManifest();
expect(Array.isArray(manifest.skills)).toBe(true);
});
it('manifest version is 1', () => {
expect(service.getManifest().version).toBe(1);
});
});

273
apps/gateway/src/commands/command-registry.service.ts
View File

@@ -1,273 +0,0 @@
import { Injectable, type OnModuleInit } from '@nestjs/common';
import type { CommandDef, CommandManifest } from '@mosaic/types';
@Injectable()
export class CommandRegistryService implements OnModuleInit {
private readonly commands: CommandDef[] = [];
registerCommand(def: CommandDef): void {
const existing = this.commands.findIndex((c) => c.name === def.name);
if (existing >= 0) {
this.commands[existing] = def;
} else {
this.commands.push(def);
}
}
registerCommands(defs: CommandDef[]): void {
for (const def of defs) {
this.registerCommand(def);
}
}
getManifest(): CommandManifest {
return {
version: 1,
commands: [...this.commands],
skills: [],
};
}
onModuleInit(): void {
this.registerCommands([
{
name: 'model',
description: 'Switch the active model',
aliases: ['m'],
args: [
{
name: 'model-name',
type: 'string',
optional: false,
description: 'Model name to switch to',
},
],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'thinking',
description: 'Set thinking level (none/low/medium/high/auto)',
aliases: ['t'],
args: [
{
name: 'level',
type: 'enum',
optional: false,
values: ['none', 'low', 'medium', 'high', 'auto'],
description: 'Thinking level',
},
],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'new',
description: 'Start a new conversation',
aliases: ['n'],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'clear',
description: 'Clear conversation context and GC session artifacts',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'compact',
description: 'Request context compaction',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'retry',
description: 'Retry the last message',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'rename',
description: 'Rename current conversation',
aliases: [],
args: [
{ name: 'name', type: 'string', optional: false, description: 'New conversation name' },
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'history',
description: 'Show conversation history',
aliases: [],
args: [
{
name: 'limit',
type: 'string',
optional: true,
description: 'Number of messages to show',
},
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'export',
description: 'Export conversation to markdown or JSON',
aliases: [],
args: [
{
name: 'format',
type: 'enum',
optional: true,
values: ['md', 'json'],
description: 'Export format',
},
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'preferences',
description: 'View or set user preferences',
aliases: ['pref'],
args: [
{
name: 'action',
type: 'enum',
optional: true,
values: ['show', 'set', 'reset'],
description: 'Action to perform',
},
],
scope: 'core',
execution: 'rest',
available: true,
},
{
name: 'system',
description: 'Set session-scoped system prompt override',
aliases: [],
args: [
{
name: 'override',
type: 'string',
optional: false,
description: 'System prompt text to inject for this session',
},
],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'status',
description: 'Show session and connection status',
aliases: ['s'],
scope: 'core',
execution: 'hybrid',
available: true,
},
{
name: 'help',
description: 'Show available commands',
aliases: ['h'],
scope: 'core',
execution: 'local',
available: true,
},
{
name: 'gc',
description: 'Trigger garbage collection sweep (user-scoped)',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
{
name: 'agent',
description: 'Switch or list available agents',
aliases: ['a'],
args: [
{
name: 'args',
type: 'string',
optional: true,
description: 'list or <agent-id>',
},
],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'provider',
description: 'Manage LLM providers (list/login/logout)',
aliases: [],
args: [
{
name: 'args',
type: 'string',
optional: true,
description: 'list | login <name> | logout <name>',
},
],
scope: 'agent',
execution: 'hybrid',
available: true,
},
{
name: 'mission',
description: 'View or set active mission',
aliases: [],
args: [
{
name: 'args',
type: 'string',
optional: true,
description: 'status | set <id> | list | tasks',
},
],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'prdy',
description: 'Launch PRD wizard',
aliases: [],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'tools',
description: 'List available agent tools',
aliases: [],
scope: 'agent',
execution: 'socket',
available: true,
},
{
name: 'reload',
description: 'Soft-reload gateway plugins and command manifest (admin)',
aliases: [],
scope: 'admin',
execution: 'socket',
available: true,
},
]);
}
}

253
apps/gateway/src/commands/commands.integration.spec.ts
View File

@@ -1,253 +0,0 @@
/**
* Integration tests for the gateway command system (P8-019)
*
* Covers:
* - CommandRegistryService.getManifest() returns 12+ core commands
* - All core commands have correct execution types
* - Alias resolution works for all defined aliases
* - CommandExecutorService routes known/unknown commands correctly
* - /gc handler calls SessionGCService.sweepOrphans
* - /system handler calls SystemOverrideService.set
* - Unknown command returns descriptive error
*/
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { CommandRegistryService } from './command-registry.service.js';
import { CommandExecutorService } from './command-executor.service.js';
import type { SlashCommandPayload } from '@mosaic/types';
// ─── Mocks ───────────────────────────────────────────────────────────────────
const mockAgentService = {
getSession: vi.fn(() => undefined),
};
const mockSystemOverride = {
set: vi.fn().mockResolvedValue(undefined),
get: vi.fn().mockResolvedValue(null),
clear: vi.fn().mockResolvedValue(undefined),
renew: vi.fn().mockResolvedValue(undefined),
};
const mockSessionGC = {
sweepOrphans: vi.fn().mockResolvedValue({ orphanedSessions: 3, totalCleaned: [], duration: 12 }),
};
const mockRedis = {
set: vi.fn().mockResolvedValue('OK'),
get: vi.fn().mockResolvedValue(null),
del: vi.fn().mockResolvedValue(0),
keys: vi.fn().mockResolvedValue([]),
};
// ─── Helpers ─────────────────────────────────────────────────────────────────
function buildRegistry(): CommandRegistryService {
const svc = new CommandRegistryService();
svc.onModuleInit(); // seed core commands
return svc;
}
function buildExecutor(registry: CommandRegistryService): CommandExecutorService {
return new CommandExecutorService(
registry as never,
mockAgentService as never,
mockSystemOverride as never,
mockSessionGC as never,
mockRedis as never,
null, // reloadService (optional)
null, // chatGateway (optional)
);
}
// ─── Registry Tests ───────────────────────────────────────────────────────────
describe('CommandRegistryService — integration', () => {
let registry: CommandRegistryService;
beforeEach(() => {
registry = buildRegistry();
});
it('getManifest() returns 12 or more core commands after onModuleInit', () => {
const manifest = registry.getManifest();
expect(manifest.commands.length).toBeGreaterThanOrEqual(12);
});
it('manifest version is 1', () => {
expect(registry.getManifest().version).toBe(1);
});
it('manifest.skills is an array', () => {
expect(Array.isArray(registry.getManifest().skills)).toBe(true);
});
it('all commands have required fields: name, description, execution, scope, available', () => {
for (const cmd of registry.getManifest().commands) {
expect(typeof cmd.name).toBe('string');
expect(typeof cmd.description).toBe('string');
expect(['local', 'socket', 'rest', 'hybrid']).toContain(cmd.execution);
expect(['core', 'agent', 'admin']).toContain(cmd.scope);
expect(typeof cmd.available).toBe('boolean');
}
});
// Execution type verification for core commands
const expectedExecutionTypes: Record<string, string> = {
model: 'socket',
thinking: 'socket',
new: 'socket',
clear: 'socket',
compact: 'socket',
retry: 'socket',
rename: 'rest',
history: 'rest',
export: 'rest',
preferences: 'rest',
system: 'socket',
help: 'local',
gc: 'socket',
agent: 'socket',
provider: 'hybrid',
mission: 'socket',
prdy: 'socket',
tools: 'socket',
reload: 'socket',
};
for (const [name, expectedExecution] of Object.entries(expectedExecutionTypes)) {
it(`command "${name}" has execution type "${expectedExecution}"`, () => {
const cmd = registry.getManifest().commands.find((c) => c.name === name);
expect(cmd, `command "${name}" not found`).toBeDefined();
expect(cmd!.execution).toBe(expectedExecution);
});
}
// Alias resolution checks
const expectedAliases: Array<[string, string]> = [
['m', 'model'],
['t', 'thinking'],
['n', 'new'],
['a', 'agent'],
['s', 'status'],
['h', 'help'],
['pref', 'preferences'],
];
for (const [alias, commandName] of expectedAliases) {
it(`alias "/${alias}" resolves to command "${commandName}" via aliases array`, () => {
const cmd = registry
.getManifest()
.commands.find((c) => c.name === commandName || c.aliases?.includes(alias));
expect(cmd, `command with alias "${alias}" not found`).toBeDefined();
});
}
});
// ─── Executor Tests ───────────────────────────────────────────────────────────
describe('CommandExecutorService — integration', () => {
let registry: CommandRegistryService;
let executor: CommandExecutorService;
const userId = 'user-integ-001';
const conversationId = 'conv-integ-001';
beforeEach(() => {
vi.clearAllMocks();
registry = buildRegistry();
executor = buildExecutor(registry);
});
// Unknown command returns error
it('unknown command returns success:false with descriptive message', async () => {
const payload: SlashCommandPayload = { command: 'nonexistent', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('nonexistent');
expect(result.command).toBe('nonexistent');
});
// /gc handler calls SessionGCService.sweepOrphans
it('/gc calls SessionGCService.sweepOrphans with userId', async () => {
const payload: SlashCommandPayload = { command: 'gc', conversationId };
const result = await executor.execute(payload, userId);
expect(mockSessionGC.sweepOrphans).toHaveBeenCalledWith(userId);
expect(result.success).toBe(true);
expect(result.message).toContain('GC sweep complete');
expect(result.message).toContain('3 orphaned sessions');
});
// /system with args calls SystemOverrideService.set
it('/system with text calls SystemOverrideService.set', async () => {
const override = 'You are a helpful assistant.';
const payload: SlashCommandPayload = { command: 'system', args: override, conversationId };
const result = await executor.execute(payload, userId);
expect(mockSystemOverride.set).toHaveBeenCalledWith(conversationId, override);
expect(result.success).toBe(true);
expect(result.message).toContain('override set');
});
// /system with no args clears the override
it('/system with no args calls SystemOverrideService.clear', async () => {
const payload: SlashCommandPayload = { command: 'system', conversationId };
const result = await executor.execute(payload, userId);
expect(mockSystemOverride.clear).toHaveBeenCalledWith(conversationId);
expect(result.success).toBe(true);
expect(result.message).toContain('cleared');
});
// /model with model name returns success
it('/model with a model name returns success', async () => {
const payload: SlashCommandPayload = {
command: 'model',
args: 'claude-3-opus',
conversationId,
};
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('model');
expect(result.message).toContain('claude-3-opus');
});
// /thinking with valid level returns success
it('/thinking with valid level returns success', async () => {
const payload: SlashCommandPayload = { command: 'thinking', args: 'high', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('high');
});
// /thinking with invalid level returns usage message
it('/thinking with invalid level returns usage message', async () => {
const payload: SlashCommandPayload = { command: 'thinking', args: 'invalid', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.message).toContain('Usage:');
});
// /new command returns success
it('/new returns success', async () => {
const payload: SlashCommandPayload = { command: 'new', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe('new');
});
// /reload without reloadService returns failure
it('/reload without ReloadService returns failure', async () => {
const payload: SlashCommandPayload = { command: 'reload', conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(false);
expect(result.message).toContain('ReloadService');
});
// Commands not yet fully implemented return a fallback response
const stubCommands = ['clear', 'compact', 'retry'];
for (const cmd of stubCommands) {
it(`/${cmd} returns success (stub)`, async () => {
const payload: SlashCommandPayload = { command: cmd, conversationId };
const result = await executor.execute(payload, userId);
expect(result.success).toBe(true);
expect(result.command).toBe(cmd);
});
}
});

37
apps/gateway/src/commands/commands.module.ts
View File

@@ -1,37 +0,0 @@
import { forwardRef, Inject, Module, type OnApplicationShutdown } from '@nestjs/common';
import { createQueue, type QueueHandle } from '@mosaic/queue';
import { ChatModule } from '../chat/chat.module.js';
import { GCModule } from '../gc/gc.module.js';
import { ReloadModule } from '../reload/reload.module.js';
import { CommandExecutorService } from './command-executor.service.js';
import { CommandRegistryService } from './command-registry.service.js';
import { COMMANDS_REDIS } from './commands.tokens.js';
const COMMANDS_QUEUE_HANDLE = 'COMMANDS_QUEUE_HANDLE';
@Module({
imports: [GCModule, forwardRef(() => ReloadModule), forwardRef(() => ChatModule)],
providers: [
{
provide: COMMANDS_QUEUE_HANDLE,
useFactory: (): QueueHandle => {
return createQueue();
},
},
{
provide: COMMANDS_REDIS,
useFactory: (handle: QueueHandle) => handle.redis,
inject: [COMMANDS_QUEUE_HANDLE],
},
CommandRegistryService,
CommandExecutorService,
],
exports: [CommandRegistryService, CommandExecutorService],
})
export class CommandsModule implements OnApplicationShutdown {
constructor(@Inject(COMMANDS_QUEUE_HANDLE) private readonly handle: QueueHandle) {}
async onApplicationShutdown(): Promise<void> {
await this.handle.close().catch(() => {});
}
}

1
apps/gateway/src/commands/commands.tokens.ts
View File

@@ -1 +0,0 @@
export const COMMANDS_REDIS = 'COMMANDS_REDIS';

14
apps/gateway/src/conversations/conversations.dto.ts
View File

@@ -1,12 +1,4 @@
import { import { IsIn, IsObject, IsOptional, IsString, IsUUID, MaxLength } from 'class-validator';
IsBoolean,
IsIn,
IsObject,
IsOptional,
IsString,
IsUUID,
MaxLength,
} from 'class-validator';
export class CreateConversationDto { export class CreateConversationDto {
@IsOptional() @IsOptional()
@@ -28,10 +20,6 @@ export class UpdateConversationDto {
@IsOptional() @IsOptional()
@IsUUID() @IsUUID()
projectId?: string | null; projectId?: string | null;
@IsOptional()
@IsBoolean()
archived?: boolean;
} }
export class SendMessageDto { export class SendMessageDto {

4
apps/gateway/src/coord/coord.controller.ts
View File

@@ -44,10 +44,6 @@ function resolveAndValidatePath(raw: string | undefined): string {
return resolved; return resolved;
} }
/**
* File-based coord endpoints for agent tool consumption.
* DB-backed mission CRUD has moved to MissionsController at /api/missions.
*/
@Controller('api/coord') @Controller('api/coord')
@UseGuards(AuthGuard) @UseGuards(AuthGuard)
export class CoordController { export class CoordController {

41
apps/gateway/src/coord/coord.dto.ts
View File

@@ -1,5 +1,3 @@
// ── File-based coord DTOs (legacy file-system backed) ──
export interface CoordMissionStatusDto { export interface CoordMissionStatusDto {
mission: { mission: {
id: string; id: string;
@@ -49,42 +47,3 @@ export interface CoordTaskDetailDto {
startedAt: string; startedAt: string;
}; };
} }
// ── DB-backed coord DTOs ──
export interface CreateDbMissionDto {
name: string;
description?: string;
projectId?: string;
phase?: string;
milestones?: Record<string, unknown>[];
config?: Record<string, unknown>;
status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed';
}
export interface UpdateDbMissionDto {
name?: string;
description?: string;
projectId?: string;
phase?: string;
milestones?: Record<string, unknown>[];
config?: Record<string, unknown>;
status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed';
}
export interface CreateMissionTaskDto {
missionId: string;
taskId?: string;
status?: 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
description?: string;
notes?: string;
pr?: string;
}
export interface UpdateMissionTaskDto {
taskId?: string;
status?: 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
description?: string;
notes?: string;
pr?: string;
}

4
apps/gateway/src/coord/coord.service.ts
View File

@@ -12,10 +12,6 @@ import {
import { promises as fs } from 'node:fs'; import { promises as fs } from 'node:fs';
import path from 'node:path'; import path from 'node:path';
/**
* File-based coord operations for agent tool consumption.
* DB-backed mission CRUD is handled directly by MissionsController via Brain repos.
*/
@Injectable() @Injectable()
export class CoordService { export class CoordService {
private readonly logger = new Logger(CoordService.name); private readonly logger = new Logger(CoordService.name);

31
apps/gateway/src/gc/gc.module.ts
View File

@@ -1,31 +0,0 @@
import { Module, type OnApplicationShutdown, Inject } from '@nestjs/common';
import { createQueue, type QueueHandle } from '@mosaic/queue';
import { SessionGCService } from './session-gc.service.js';
import { REDIS } from './gc.tokens.js';
const GC_QUEUE_HANDLE = 'GC_QUEUE_HANDLE';
@Module({
providers: [
{
provide: GC_QUEUE_HANDLE,
useFactory: (): QueueHandle => {
return createQueue();
},
},
{
provide: REDIS,
useFactory: (handle: QueueHandle) => handle.redis,
inject: [GC_QUEUE_HANDLE],
},
SessionGCService,
],
exports: [SessionGCService],
})
export class GCModule implements OnApplicationShutdown {
constructor(@Inject(GC_QUEUE_HANDLE) private readonly handle: QueueHandle) {}
async onApplicationShutdown(): Promise<void> {
await this.handle.close().catch(() => {});
}
}

1
apps/gateway/src/gc/gc.tokens.ts
View File

@@ -1 +0,0 @@
export const REDIS = 'REDIS';

97
apps/gateway/src/gc/session-gc.service.spec.ts
View File

@@ -1,97 +0,0 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { Logger } from '@nestjs/common';
import type { QueueHandle } from '@mosaic/queue';
import type { LogService } from '@mosaic/log';
import { SessionGCService } from './session-gc.service.js';
type MockRedis = {
keys: ReturnType<typeof vi.fn>;
del: ReturnType<typeof vi.fn>;
};
describe('SessionGCService', () => {
let service: SessionGCService;
let mockRedis: MockRedis;
let mockLogService: { logs: { promoteToWarm: ReturnType<typeof vi.fn> } };
beforeEach(() => {
mockRedis = {
keys: vi.fn().mockResolvedValue([]),
del: vi.fn().mockResolvedValue(0),
};
mockLogService = {
logs: {
promoteToWarm: vi.fn().mockResolvedValue(0),
},
};
// Suppress logger output in tests
vi.spyOn(Logger.prototype, 'log').mockImplementation(() => {});
service = new SessionGCService(
mockRedis as unknown as QueueHandle['redis'],
mockLogService as unknown as LogService,
);
});
it('collect() deletes Valkey keys for session', async () => {
mockRedis.keys.mockResolvedValue(['mosaic:session:abc:system', 'mosaic:session:abc:foo']);
const result = await service.collect('abc');
expect(mockRedis.del).toHaveBeenCalledWith(
'mosaic:session:abc:system',
'mosaic:session:abc:foo',
);
expect(result.cleaned.valkeyKeys).toBe(2);
});
it('collect() with no keys returns empty cleaned valkeyKeys', async () => {
mockRedis.keys.mockResolvedValue([]);
const result = await service.collect('abc');
expect(result.cleaned.valkeyKeys).toBeUndefined();
});
it('collect() returns sessionId in result', async () => {
const result = await service.collect('test-session-id');
expect(result.sessionId).toBe('test-session-id');
});
it('fullCollect() deletes all session keys', async () => {
mockRedis.keys.mockResolvedValue(['mosaic:session:abc:system', 'mosaic:session:xyz:foo']);
const result = await service.fullCollect();
expect(mockRedis.del).toHaveBeenCalled();
expect(result.valkeyKeys).toBe(2);
});
it('fullCollect() with no keys returns 0 valkeyKeys', async () => {
mockRedis.keys.mockResolvedValue([]);
const result = await service.fullCollect();
expect(result.valkeyKeys).toBe(0);
expect(mockRedis.del).not.toHaveBeenCalled();
});
it('fullCollect() returns duration', async () => {
const result = await service.fullCollect();
expect(result.duration).toBeGreaterThanOrEqual(0);
});
it('sweepOrphans() extracts unique session IDs and collects them', async () => {
mockRedis.keys.mockResolvedValue([
'mosaic:session:abc:system',
'mosaic:session:abc:messages',
'mosaic:session:xyz:system',
]);
mockRedis.del.mockResolvedValue(1);
const result = await service.sweepOrphans();
expect(result.orphanedSessions).toBeGreaterThanOrEqual(0);
expect(result.duration).toBeGreaterThanOrEqual(0);
});
it('sweepOrphans() returns empty when no session keys', async () => {
mockRedis.keys.mockResolvedValue([]);
const result = await service.sweepOrphans();
expect(result.orphanedSessions).toBe(0);
expect(result.totalCleaned).toHaveLength(0);
});
});

139
apps/gateway/src/gc/session-gc.service.ts
View File

@@ -1,139 +0,0 @@
import { Inject, Injectable, Logger, type OnModuleInit } from '@nestjs/common';
import type { QueueHandle } from '@mosaic/queue';
import type { LogService } from '@mosaic/log';
import { LOG_SERVICE } from '../log/log.tokens.js';
import { REDIS } from './gc.tokens.js';
export interface GCResult {
sessionId: string;
cleaned: {
valkeyKeys?: number;
logsDemoted?: number;
tempFilesRemoved?: number;
};
}
export interface GCSweepResult {
orphanedSessions: number;
totalCleaned: GCResult[];
duration: number;
}
export interface FullGCResult {
valkeyKeys: number;
logsDemoted: number;
jobsPurged: number;
tempFilesRemoved: number;
duration: number;
}
@Injectable()
export class SessionGCService implements OnModuleInit {
private readonly logger = new Logger(SessionGCService.name);
constructor(
@Inject(REDIS) private readonly redis: QueueHandle['redis'],
@Inject(LOG_SERVICE) private readonly logService: LogService,
) {}
async onModuleInit(): Promise<void> {
this.logger.log('Running full GC on cold start...');
const result = await this.fullCollect();
this.logger.log(
`Full GC complete: ${result.valkeyKeys} Valkey keys, ` +
`${result.logsDemoted} logs demoted, ` +
`${result.jobsPurged} jobs purged, ` +
`${result.tempFilesRemoved} temp dirs removed ` +
`(${result.duration}ms)`,
);
}
/**
* Immediate cleanup for a single session (call from destroySession).
*/
async collect(sessionId: string): Promise<GCResult> {
const result: GCResult = { sessionId, cleaned: {} };
// 1. Valkey: delete all session-scoped keys
const pattern = `mosaic:session:${sessionId}:*`;
const valkeyKeys = await this.redis.keys(pattern);
if (valkeyKeys.length > 0) {
await this.redis.del(...valkeyKeys);
result.cleaned.valkeyKeys = valkeyKeys.length;
}
// 2. PG: demote hot-tier agent_logs for this session to warm
const cutoff = new Date(); // demote all hot logs for this session
const logsDemoted = await this.logService.logs.promoteToWarm(cutoff);
if (logsDemoted > 0) {
result.cleaned.logsDemoted = logsDemoted;
}
return result;
}
/**
* Sweep GC — find orphaned artifacts from dead sessions.
* User-scoped when userId provided; system-wide when null (admin).
*/
async sweepOrphans(_userId?: string): Promise<GCSweepResult> {
const start = Date.now();
const cleaned: GCResult[] = [];
// 1. Find all session-scoped Valkey keys
const allSessionKeys = await this.redis.keys('mosaic:session:*');
// Extract unique session IDs from keys
const sessionIds = new Set<string>();
for (const key of allSessionKeys) {
const match = key.match(/^mosaic:session:([^:]+):/);
if (match) sessionIds.add(match[1]!);
}
// 2. For each session ID, collect stale keys
for (const sessionId of sessionIds) {
const gcResult = await this.collect(sessionId);
if (Object.keys(gcResult.cleaned).length > 0) {
cleaned.push(gcResult);
}
}
return {
orphanedSessions: cleaned.length,
totalCleaned: cleaned,
duration: Date.now() - start,
};
}
/**
* Full GC — aggressive collection for cold start.
* Assumes no sessions survived the restart.
*/
async fullCollect(): Promise<FullGCResult> {
const start = Date.now();
// 1. Valkey: delete ALL session-scoped keys
const sessionKeys = await this.redis.keys('mosaic:session:*');
if (sessionKeys.length > 0) {
await this.redis.del(...sessionKeys);
}
// 2. NOTE: channel keys are NOT collected on cold start
// (discord/telegram plugins may reconnect and resume)
// 3. PG: demote stale hot-tier logs older than 24h to warm
const hotCutoff = new Date(Date.now() - 24 * 60 * 60 * 1000);
const logsDemoted = await this.logService.logs.promoteToWarm(hotCutoff);
// 4. No summarization job purge API available yet
const jobsPurged = 0;
return {
valkeyKeys: sessionKeys.length,
logsDemoted,
jobsPurged,
tempFilesRemoved: 0,
duration: Date.now() - start,
};
}
}

63
apps/gateway/src/log/cron.service.ts
View File

@@ -1,63 +0,0 @@
import {
Inject,
Injectable,
Logger,
type OnModuleInit,
type OnModuleDestroy,
} from '@nestjs/common';
import cron from 'node-cron';
import { SummarizationService } from './summarization.service.js';
import { SessionGCService } from '../gc/session-gc.service.js';
@Injectable()
export class CronService implements OnModuleInit, OnModuleDestroy {
private readonly logger = new Logger(CronService.name);
private readonly tasks: cron.ScheduledTask[] = [];
constructor(
@Inject(SummarizationService) private readonly summarization: SummarizationService,
@Inject(SessionGCService) private readonly sessionGC: SessionGCService,
) {}
onModuleInit(): void {
const summarizationSchedule = process.env['SUMMARIZATION_CRON'] ?? '0 */6 * * *'; // every 6 hours
const tierManagementSchedule = process.env['TIER_MANAGEMENT_CRON'] ?? '0 3 * * *'; // daily at 3am
const gcSchedule = process.env['SESSION_GC_CRON'] ?? '0 4 * * *'; // daily at 4am
this.tasks.push(
cron.schedule(summarizationSchedule, () => {
this.summarization.runSummarization().catch((err) => {
this.logger.error(`Scheduled summarization failed: ${err}`);
});
}),
);
this.tasks.push(
cron.schedule(tierManagementSchedule, () => {
this.summarization.runTierManagement().catch((err) => {
this.logger.error(`Scheduled tier management failed: ${err}`);
});
}),
);
this.tasks.push(
cron.schedule(gcSchedule, () => {
this.sessionGC.sweepOrphans().catch((err) => {
this.logger.error(`Session GC sweep failed: ${err}`);
});
}),
);
this.logger.log(
`Cron scheduled: summarization="${summarizationSchedule}", tier="${tierManagementSchedule}", gc="${gcSchedule}"`,
);
}
onModuleDestroy(): void {
for (const task of this.tasks) {
task.stop();
}
this.tasks.length = 0;
this.logger.log('Cron tasks stopped');
}
}

62
apps/gateway/src/log/log.controller.ts
View File

@@ -1,62 +0,0 @@
import { Body, Controller, Get, Inject, Param, Post, Query, UseGuards } from '@nestjs/common';
import type { LogService } from '@mosaic/log';
import { LOG_SERVICE } from './log.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import type { IngestLogDto, QueryLogsDto } from './log.dto.js';
@Controller('api/logs')
@UseGuards(AuthGuard)
export class LogController {
constructor(@Inject(LOG_SERVICE) private readonly logService: LogService) {}
@Post()
async ingest(@Query('userId') userId: string, @Body() dto: IngestLogDto) {
return this.logService.logs.ingest({
sessionId: dto.sessionId,
userId,
level: dto.level,
category: dto.category,
content: dto.content,
metadata: dto.metadata,
});
}
@Post('batch')
async ingestBatch(@Query('userId') userId: string, @Body() dtos: IngestLogDto[]) {
const entries = dtos.map((dto) => ({
sessionId: dto.sessionId,
userId,
level: dto.level as 'debug' | 'info' | 'warn' | 'error' | undefined,
category: dto.category as
| 'decision'
| 'tool_use'
| 'learning'
| 'error'
| 'general'
| undefined,
content: dto.content,
metadata: dto.metadata,
}));
return this.logService.logs.ingestBatch(entries);
}
@Get()
async query(@Query('userId') userId: string, @Query() params: QueryLogsDto) {
return this.logService.logs.query({
userId,
sessionId: params.sessionId,
level: params.level,
category: params.category,
tier: params.tier,
since: params.since ? new Date(params.since) : undefined,
until: params.until ? new Date(params.until) : undefined,
limit: params.limit ? Number(params.limit) : undefined,
offset: params.offset ? Number(params.offset) : undefined,
});
}
@Get(':id')
async findOne(@Param('id') id: string) {
return this.logService.logs.findById(id);
}
}

18
apps/gateway/src/log/log.dto.ts
View File

@@ -1,18 +0,0 @@
export interface IngestLogDto {
sessionId: string;
level?: 'debug' | 'info' | 'warn' | 'error';
category?: 'decision' | 'tool_use' | 'learning' | 'error' | 'general';
content: string;
metadata?: Record<string, unknown>;
}
export interface QueryLogsDto {
sessionId?: string;
level?: 'debug' | 'info' | 'warn' | 'error';
category?: 'decision' | 'tool_use' | 'learning' | 'error' | 'general';
tier?: 'hot' | 'warm' | 'cold';
since?: string;
until?: string;
limit?: string;
offset?: string;
}

26
apps/gateway/src/log/log.module.ts
View File

@@ -1,26 +0,0 @@
import { Global, Module } from '@nestjs/common';
import { createLogService, type LogService } from '@mosaic/log';
import type { Db } from '@mosaic/db';
import { DB } from '../database/database.module.js';
import { LOG_SERVICE } from './log.tokens.js';
import { LogController } from './log.controller.js';
import { SummarizationService } from './summarization.service.js';
import { CronService } from './cron.service.js';
import { GCModule } from '../gc/gc.module.js';
@Global()
@Module({
imports: [GCModule],
providers: [
{
provide: LOG_SERVICE,
useFactory: (db: Db): LogService => createLogService(db),
inject: [DB],
},
SummarizationService,
CronService,
],
controllers: [LogController],
exports: [LOG_SERVICE, SummarizationService],
})
export class LogModule {}

1
apps/gateway/src/log/log.tokens.ts
View File

@@ -1 +0,0 @@
export const LOG_SERVICE = 'LOG_SERVICE';

178
apps/gateway/src/log/summarization.service.ts
View File

@@ -1,178 +0,0 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import type { LogService } from '@mosaic/log';
import type { Memory } from '@mosaic/memory';
import { LOG_SERVICE } from './log.tokens.js';
import { MEMORY } from '../memory/memory.tokens.js';
import { EmbeddingService } from '../memory/embedding.service.js';
import type { Db } from '@mosaic/db';
import { sql, summarizationJobs } from '@mosaic/db';
import { DB } from '../database/database.module.js';
const SUMMARIZATION_PROMPT = `You are a knowledge extraction assistant. Given the following agent interaction logs, extract the key decisions, learnings, and patterns. Output a concise summary (2-4 sentences) that captures the most important information for future reference. Focus on actionable insights, not raw events.
Logs:
{logs}
Summary:`;
interface ChatCompletion {
choices: Array<{ message: { content: string } }>;
}
@Injectable()
export class SummarizationService {
private readonly logger = new Logger(SummarizationService.name);
private readonly apiKey: string | undefined;
private readonly baseUrl: string;
private readonly model: string;
constructor(
@Inject(LOG_SERVICE) private readonly logService: LogService,
@Inject(MEMORY) private readonly memory: Memory,
@Inject(EmbeddingService) private readonly embeddings: EmbeddingService,
@Inject(DB) private readonly db: Db,
) {
this.apiKey = process.env['OPENAI_API_KEY'];
this.baseUrl = process.env['SUMMARIZATION_API_URL'] ?? 'https://api.openai.com/v1';
this.model = process.env['SUMMARIZATION_MODEL'] ?? 'gpt-4o-mini';
}
/**
* Run one summarization cycle:
* 1. Find hot logs older than 24h with decision/learning/tool_use categories
* 2. Group by session
* 3. Summarize each group via cheap LLM
* 4. Store as insights with embeddings
* 5. Transition processed logs to warm tier
*/
async runSummarization(): Promise<{ logsProcessed: number; insightsCreated: number }> {
const cutoff = new Date(Date.now() - 24 * 60 * 60 * 1000); // 24h ago
// Create job record
const [job] = await this.db
.insert(summarizationJobs)
.values({ status: 'running', startedAt: new Date() })
.returning();
try {
const logs = await this.logService.logs.getLogsForSummarization(cutoff, 200);
if (logs.length === 0) {
await this.db
.update(summarizationJobs)
.set({ status: 'completed', completedAt: new Date() })
.where(sql`id = ${job!.id}`);
return { logsProcessed: 0, insightsCreated: 0 };
}
// Group logs by session
const bySession = new Map<string, typeof logs>();
for (const log of logs) {
const group = bySession.get(log.sessionId) ?? [];
group.push(log);
bySession.set(log.sessionId, group);
}
let insightsCreated = 0;
for (const [sessionId, sessionLogs] of bySession) {
const userId = sessionLogs[0]?.userId;
if (!userId) continue;
const logsText = sessionLogs.map((l) => `[${l.category}] ${l.content}`).join('\n');
const summary = await this.summarize(logsText);
if (!summary) continue;
const embedding = this.embeddings.available
? await this.embeddings.embed(summary)
: undefined;
await this.memory.insights.create({
userId,
content: summary,
embedding: embedding ?? null,
source: 'summarization',
category: 'learning',
metadata: { sessionId, logCount: sessionLogs.length },
});
insightsCreated++;
}
// Transition processed logs to warm
await this.logService.logs.promoteToWarm(cutoff);
await this.db
.update(summarizationJobs)
.set({
status: 'completed',
logsProcessed: logs.length,
insightsCreated,
completedAt: new Date(),
})
.where(sql`id = ${job!.id}`);
this.logger.log(`Summarization complete: ${logs.length} logs → ${insightsCreated} insights`);
return { logsProcessed: logs.length, insightsCreated };
} catch (error) {
const message = error instanceof Error ? error.message : String(error);
await this.db
.update(summarizationJobs)
.set({ status: 'failed', errorMessage: message, completedAt: new Date() })
.where(sql`id = ${job!.id}`);
this.logger.error(`Summarization failed: ${message}`);
throw error;
}
}
/**
* Run tier management:
* - Warm logs older than 30 days → cold
* - Cold logs older than 90 days → purged
* - Decay old insight relevance scores
*/
async runTierManagement(): Promise<void> {
const warmCutoff = new Date(Date.now() - 30 * 24 * 60 * 60 * 1000);
const coldCutoff = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000);
const decayCutoff = new Date(Date.now() - 14 * 24 * 60 * 60 * 1000);
const promoted = await this.logService.logs.promoteToCold(warmCutoff);
const purged = await this.logService.logs.purge(coldCutoff);
const decayed = await this.memory.insights.decayOldInsights(decayCutoff);
this.logger.log(
`Tier management: ${promoted} logs→cold, ${purged} purged, ${decayed} insights decayed`,
);
}
private async summarize(logsText: string): Promise<string | null> {
if (!this.apiKey) {
this.logger.warn('No API key configured — skipping summarization');
return null;
}
const prompt = SUMMARIZATION_PROMPT.replace('{logs}', logsText);
const response = await fetch(`${this.baseUrl}/chat/completions`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${this.apiKey}`,
},
body: JSON.stringify({
model: this.model,
messages: [{ role: 'user', content: prompt }],
max_tokens: 300,
temperature: 0.3,
}),
});
if (!response.ok) {
const body = await response.text();
this.logger.error(`Summarization API error: ${response.status} ${body}`);
return null;
}
const json = (await response.json()) as ChatCompletion;
return json.choices[0]?.message.content ?? null;
}
}

28
apps/gateway/src/main.ts
View File

@@ -1,10 +1,3 @@
import { config } from 'dotenv';
import { resolve } from 'node:path';
// Load .env from monorepo root (cwd is apps/gateway when run via pnpm filter)
config({ path: resolve(process.cwd(), '../../.env') });
config(); // Also load apps/gateway/.env if present (overrides)
import './tracing.js'; import './tracing.js';
import 'reflect-metadata'; import 'reflect-metadata';
import { NestFactory } from '@nestjs/core'; import { NestFactory } from '@nestjs/core';
@@ -13,36 +6,18 @@ import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fa
import helmet from '@fastify/helmet'; import helmet from '@fastify/helmet';
import { AppModule } from './app.module.js'; import { AppModule } from './app.module.js';
import { mountAuthHandler } from './auth/auth.controller.js'; import { mountAuthHandler } from './auth/auth.controller.js';
import { mountMcpHandler } from './mcp/mcp.controller.js';
import { McpService } from './mcp/mcp.service.js';
async function bootstrap(): Promise<void> { async function bootstrap(): Promise<void> {
const logger = new Logger('Bootstrap');
if (!process.env['BETTER_AUTH_SECRET']) { if (!process.env['BETTER_AUTH_SECRET']) {
throw new Error('BETTER_AUTH_SECRET is required'); throw new Error('BETTER_AUTH_SECRET is required');
} }
if ( const logger = new Logger('Bootstrap');
process.env['AUTHENTIK_CLIENT_ID'] &&
(!process.env['AUTHENTIK_CLIENT_SECRET'] || !process.env['AUTHENTIK_ISSUER'])
) {
console.warn(
'[warn] AUTHENTIK_CLIENT_ID is set but AUTHENTIK_CLIENT_SECRET or AUTHENTIK_ISSUER is missing — Authentik SSO will not work',
);
}
const app = await NestFactory.create<NestFastifyApplication>( const app = await NestFactory.create<NestFastifyApplication>(
AppModule, AppModule,
new FastifyAdapter({ bodyLimit: 1_048_576 }), new FastifyAdapter({ bodyLimit: 1_048_576 }),
); );
app.enableCors({
origin: process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000',
credentials: true,
methods: ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
});
await app.register(helmet as never, { contentSecurityPolicy: false }); await app.register(helmet as never, { contentSecurityPolicy: false });
app.useGlobalPipes( app.useGlobalPipes(
new ValidationPipe({ new ValidationPipe({
@@ -53,7 +28,6 @@ async function bootstrap(): Promise<void> {
); );
mountAuthHandler(app); mountAuthHandler(app);
mountMcpHandler(app, app.get(McpService));
const port = Number(process.env['GATEWAY_PORT'] ?? 4000); const port = Number(process.env['GATEWAY_PORT'] ?? 4000);
await app.listen(port, '0.0.0.0'); await app.listen(port, '0.0.0.0');

33
apps/gateway/src/mcp-client/mcp-client.dto.ts
View File

@@ -1,33 +0,0 @@
/**
* DTOs for MCP client configuration and tool discovery.
*/
export interface McpServerConfigDto {
/** Unique name identifying this MCP server */
name: string;
/** URL of the MCP server (streamable HTTP or SSE endpoint) */
url: string;
/** Optional HTTP headers to send with requests (e.g., Authorization) */
headers?: Record<string, string>;
}
export interface McpToolDto {
/** Namespaced tool name: "<serverName>__<toolName>" */
name: string;
/** Human-readable description of the tool */
description: string;
/** JSON Schema for tool input parameters */
inputSchema: Record<string, unknown>;
/** MCP server this tool belongs to */
serverName: string;
/** Original tool name on the remote server */
remoteName: string;
}
export interface McpServerStatusDto {
name: string;
url: string;
connected: boolean;
toolCount: number;
error?: string;
}

8
apps/gateway/src/mcp-client/mcp-client.module.ts
View File

@@ -1,8 +0,0 @@
import { Module } from '@nestjs/common';
import { McpClientService } from './mcp-client.service.js';
@Module({
providers: [McpClientService],
exports: [McpClientService],
})
export class McpClientModule {}

331
apps/gateway/src/mcp-client/mcp-client.service.ts
View File

@@ -1,331 +0,0 @@
import { Injectable, Logger, OnModuleInit, OnModuleDestroy } from '@nestjs/common';
import { Client } from '@modelcontextprotocol/sdk/client/index.js';
import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
import { Type } from '@sinclair/typebox';
import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
import type { McpServerConfigDto, McpToolDto, McpServerStatusDto } from './mcp-client.dto.js';
interface ConnectedServer {
config: McpServerConfigDto;
client: Client;
tools: McpToolDto[];
connected: boolean;
error?: string;
}
/**
* McpClientService connects to external MCP servers, discovers their tools,
* and bridges them into Pi SDK ToolDefinition format for agent sessions.
*
* Configuration is read from the MCP_SERVERS environment variable:
* MCP_SERVERS='[{"name":"my-server","url":"http://localhost:3001/mcp","headers":{"Authorization":"Bearer token"}}]'
*/
@Injectable()
export class McpClientService implements OnModuleInit, OnModuleDestroy {
private readonly logger = new Logger(McpClientService.name);
private readonly servers = new Map<string, ConnectedServer>();
async onModuleInit(): Promise<void> {
const configs = this.loadConfigs();
if (configs.length === 0) {
this.logger.log('No external MCP servers configured (MCP_SERVERS not set)');
return;
}
this.logger.log(`Connecting to ${configs.length} external MCP server(s)`);
await Promise.allSettled(configs.map((cfg) => this.connectServer(cfg)));
}
async onModuleDestroy(): Promise<void> {
this.logger.log(`Disconnecting from ${this.servers.size} MCP server(s)`);
const disconnects = Array.from(this.servers.values()).map((s) => this.disconnectServer(s));
await Promise.allSettled(disconnects);
this.servers.clear();
}
/**
* Returns all bridged Pi SDK ToolDefinitions from all connected MCP servers.
*/
getToolDefinitions(): ToolDefinition[] {
const tools: ToolDefinition[] = [];
for (const server of this.servers.values()) {
if (!server.connected) continue;
for (const mcpTool of server.tools) {
tools.push(this.bridgeTool(server.client, mcpTool));
}
}
return tools;
}
/**
* Returns status information for all configured MCP servers.
*/
getServerStatuses(): McpServerStatusDto[] {
return Array.from(this.servers.values()).map((s) => ({
name: s.config.name,
url: s.config.url,
connected: s.connected,
toolCount: s.tools.length,
error: s.error,
}));
}
/**
* Attempts to reconnect a server that has been disconnected.
*/
async reconnectServer(serverName: string): Promise<void> {
const existing = this.servers.get(serverName);
if (!existing) {
throw new Error(`MCP server not found: ${serverName}`);
}
if (existing.connected) return;
this.logger.log(`Reconnecting to MCP server: ${serverName}`);
await this.connectServer(existing.config);
}
// ─── Private helpers ──────────────────────────────────────────────────────
private loadConfigs(): McpServerConfigDto[] {
const raw = process.env['MCP_SERVERS'];
if (!raw) return [];
try {
const parsed: unknown = JSON.parse(raw);
if (!Array.isArray(parsed)) {
this.logger.warn('MCP_SERVERS must be a JSON array — ignoring');
return [];
}
const configs: McpServerConfigDto[] = [];
for (const item of parsed) {
if (
typeof item === 'object' &&
item !== null &&
'name' in item &&
typeof (item as Record<string, unknown>)['name'] === 'string' &&
'url' in item &&
typeof (item as Record<string, unknown>)['url'] === 'string'
) {
const cfg = item as McpServerConfigDto;
configs.push({
name: cfg.name,
url: cfg.url,
headers: cfg.headers,
});
} else {
this.logger.warn(`Skipping invalid MCP server config entry: ${JSON.stringify(item)}`);
}
}
return configs;
} catch (err) {
this.logger.error(
`Failed to parse MCP_SERVERS: ${err instanceof Error ? err.message : String(err)}`,
);
return [];
}
}
private async connectServer(config: McpServerConfigDto): Promise<void> {
const serverEntry: ConnectedServer = {
config,
client: new Client({ name: 'mosaic-gateway', version: '1.0.0' }),
tools: [],
connected: false,
};
// Preserve existing entry if reconnecting
this.servers.set(config.name, serverEntry);
try {
const url = new URL(config.url);
const headers = config.headers ?? {};
// Attempt StreamableHTTP first, fall back to SSE
let connected = false;
try {
const transport = new StreamableHTTPClientTransport(url, { requestInit: { headers } });
await serverEntry.client.connect(transport);
connected = true;
this.logger.log(`Connected to MCP server "${config.name}" via StreamableHTTP`);
} catch (streamErr) {
this.logger.warn(
`StreamableHTTP failed for "${config.name}", trying SSE: ${streamErr instanceof Error ? streamErr.message : String(streamErr)}`,
);
// Reset client for SSE attempt
serverEntry.client = new Client({ name: 'mosaic-gateway', version: '1.0.0' });
try {
const transport = new SSEClientTransport(url, { requestInit: { headers } });
await serverEntry.client.connect(transport);
connected = true;
this.logger.log(`Connected to MCP server "${config.name}" via SSE`);
} catch (sseErr) {
throw new Error(
`Both transports failed for "${config.name}": SSE error: ${sseErr instanceof Error ? sseErr.message : String(sseErr)}`,
);
}
}
if (!connected) return;
// Discover tools
const toolsResult = await serverEntry.client.listTools();
serverEntry.tools = toolsResult.tools.map((t) => ({
name: `${config.name}__${t.name}`,
description: t.description ?? `Tool ${t.name} from MCP server ${config.name}`,
inputSchema: (t.inputSchema as Record<string, unknown>) ?? {},
serverName: config.name,
remoteName: t.name,
}));
serverEntry.connected = true;
this.logger.log(
`Discovered ${serverEntry.tools.length} tool(s) from MCP server "${config.name}"`,
);
} catch (err) {
const message = err instanceof Error ? err.message : String(err);
serverEntry.error = message;
serverEntry.connected = false;
this.logger.error(`Failed to connect to MCP server "${config.name}": ${message}`);
}
}
private async disconnectServer(server: ConnectedServer): Promise<void> {
try {
await server.client.close();
} catch (err) {
this.logger.warn(
`Error closing MCP client for "${server.config.name}": ${err instanceof Error ? err.message : String(err)}`,
);
}
}
/**
* Bridges a single McpToolDto into a Pi SDK ToolDefinition.
* The MCP inputSchema is converted to a TypeBox schema representation.
*/
private bridgeTool(client: Client, mcpTool: McpToolDto): ToolDefinition {
const schema = this.inputSchemaToTypeBox(mcpTool.inputSchema);
return {
name: mcpTool.name,
label: mcpTool.remoteName,
description: mcpTool.description,
parameters: schema,
execute: async (_toolCallId: string, params: unknown) => {
try {
const result = await client.callTool({
name: mcpTool.remoteName,
arguments: (params as Record<string, unknown>) ?? {},
});
// MCP callTool returns { content: [...], isError?: boolean }
const content = Array.isArray(result.content) ? result.content : [];
const textParts = content
.filter((c): c is { type: 'text'; text: string } => c.type === 'text')
.map((c) => c.text)
.join('\n');
if (result.isError) {
return {
content: [
{
type: 'text' as const,
text: `MCP tool error from "${mcpTool.serverName}/${mcpTool.remoteName}": ${textParts || 'Unknown error'}`,
},
],
details: undefined,
};
}
return {
content:
content.length > 0
? (content as { type: 'text'; text: string }[])
: [{ type: 'text' as const, text: '' }],
details: undefined,
};
} catch (err) {
const message = err instanceof Error ? err.message : String(err);
this.logger.error(
`MCP tool call failed: ${mcpTool.serverName}/${mcpTool.remoteName}: ${message}`,
);
return {
content: [
{
type: 'text' as const,
text: `Failed to call MCP tool "${mcpTool.name}": ${message}`,
},
],
details: undefined,
};
}
},
};
}
/**
* Converts a JSON Schema object to a TypeBox-compatible schema.
* For simplicity, maps the inputSchema properties to TypeBox Type.Object.
* Unknown/complex schemas fall back to Type.Object with Type.Unknown values.
*/
private inputSchemaToTypeBox(
inputSchema: Record<string, unknown>,
): ReturnType<typeof Type.Object> {
const properties = inputSchema['properties'];
if (!properties || typeof properties !== 'object') {
return Type.Object({});
}
const required: string[] = Array.isArray(inputSchema['required'])
? (inputSchema['required'] as string[])
: [];
const tbProps: Record<string, ReturnType<typeof Type.String>> = {};
for (const [key, schemaDef] of Object.entries(properties as Record<string, unknown>)) {
const def = schemaDef as Record<string, unknown>;
const desc = typeof def['description'] === 'string' ? def['description'] : undefined;
const isOptional = !required.includes(key);
const base = this.jsonSchemaToTypeBox(def);
tbProps[key] = isOptional
? (Type.Optional(base) as unknown as ReturnType<typeof Type.String>)
: (base as unknown as ReturnType<typeof Type.String>);
if (desc && tbProps[key]) {
// Attach description via metadata
(tbProps[key] as Record<string, unknown>)['description'] = desc;
}
}
return Type.Object(tbProps as Parameters<typeof Type.Object>[0]);
}
private jsonSchemaToTypeBox(
def: Record<string, unknown>,
):
| ReturnType<typeof Type.String>
| ReturnType<typeof Type.Number>
| ReturnType<typeof Type.Boolean>
| ReturnType<typeof Type.Unknown> {
const type = def['type'];
const desc = typeof def['description'] === 'string' ? { description: def['description'] } : {};
switch (type) {
case 'string':
return Type.String(desc);
case 'number':
case 'integer':
return Type.Number(desc);
case 'boolean':
return Type.Boolean(desc);
default:
return Type.Unknown(desc);
}
}
}

1
apps/gateway/src/mcp-client/mcp-client.tokens.ts
View File

@@ -1 +0,0 @@
export const MCP_CLIENT_SERVICE = 'MCP_CLIENT_SERVICE';

142
apps/gateway/src/mcp/mcp.controller.ts
View File

@@ -1,142 +0,0 @@
import type { IncomingMessage, ServerResponse } from 'node:http';
import { Logger } from '@nestjs/common';
import { fromNodeHeaders } from 'better-auth/node';
import type { Auth } from '@mosaic/auth';
import type { NestFastifyApplication } from '@nestjs/platform-fastify';
import type { McpService } from './mcp.service.js';
import { AUTH } from '../auth/auth.tokens.js';
/**
* Mounts the MCP streamable HTTP transport endpoint at /mcp on the Fastify instance.
*
* This follows the same low-level Fastify hook pattern used by the auth controller,
* bypassing NestJS routing to directly delegate to the MCP SDK transport handlers.
*
* Endpoint: POST /mcp (and GET /mcp for SSE stream reconnect)
* Auth: Requires a valid BetterAuth session (cookie or Authorization header).
* Session: Stateful — each initialized client gets a session ID via Mcp-Session-Id header.
*/
export function mountMcpHandler(app: NestFastifyApplication, mcpService: McpService): void {
const auth = app.get<Auth>(AUTH);
const logger = new Logger('McpController');
const fastify = app.getHttpAdapter().getInstance();
fastify.addHook(
'onRequest',
(
req: { raw: IncomingMessage; url: string; method: string },
reply: { raw: ServerResponse; hijack: () => void },
done: () => void,
) => {
if (!req.url.startsWith('/mcp')) {
done();
return;
}
reply.hijack();
handleMcpRequest(req, reply, auth, mcpService, logger).catch((err: unknown) => {
logger.error(
`MCP request handler error: ${err instanceof Error ? err.message : String(err)}`,
);
if (!reply.raw.headersSent) {
reply.raw.writeHead(500, { 'Content-Type': 'application/json' });
}
if (!reply.raw.writableEnded) {
reply.raw.end(JSON.stringify({ error: 'Internal server error' }));
}
});
},
);
}
async function handleMcpRequest(
req: { raw: IncomingMessage; url: string; method: string },
reply: { raw: ServerResponse; hijack: () => void },
auth: Auth,
mcpService: McpService,
logger: Logger,
): Promise<void> {
// ─── Authentication ─────────────────────────────────────────────────────
const headers = fromNodeHeaders(req.raw.headers);
const result = await auth.api.getSession({ headers });
if (!result) {
reply.raw.writeHead(401, { 'Content-Type': 'application/json' });
reply.raw.end(JSON.stringify({ error: 'Unauthorized: valid session required' }));
return;
}
const userId = result.user.id;
// ─── Session routing ─────────────────────────────────────────────────────
const sessionId = req.raw.headers['mcp-session-id'];
if (typeof sessionId === 'string' && sessionId.length > 0) {
// Existing session request
const transport = mcpService.getSession(sessionId);
if (!transport) {
logger.warn(`MCP session not found: ${sessionId}`);
reply.raw.writeHead(404, { 'Content-Type': 'application/json' });
reply.raw.end(JSON.stringify({ error: 'Session not found' }));
return;
}
await transport.handleRequest(req.raw, reply.raw);
return;
}
// ─── Initialize new session ───────────────────────────────────────────────
// Only POST requests can initialize a new session (must be initialize message)
if (req.method !== 'POST') {
reply.raw.writeHead(400, { 'Content-Type': 'application/json' });
reply.raw.end(
JSON.stringify({
error: 'New session must be established via POST with initialize message',
}),
);
return;
}
// Parse body to verify this is an initialize request before creating a session
let body: unknown;
try {
body = await readRequestBody(req.raw);
} catch (err) {
logger.warn(
`Failed to parse MCP request body: ${err instanceof Error ? err.message : String(err)}`,
);
reply.raw.writeHead(400, { 'Content-Type': 'application/json' });
reply.raw.end(JSON.stringify({ error: 'Invalid request body' }));
return;
}
// Create new session and handle this initializing request
const { transport } = mcpService.createSession(userId);
logger.log(`New MCP session created for user ${userId}`);
await transport.handleRequest(req.raw, reply.raw, body);
}
/**
* Reads and parses the JSON body from a Node.js IncomingMessage.
*/
function readRequestBody(req: IncomingMessage): Promise<unknown> {
return new Promise((resolve, reject) => {
const chunks: Buffer[] = [];
req.on('data', (chunk: Buffer) => chunks.push(chunk));
req.on('end', () => {
const raw = Buffer.concat(chunks).toString('utf8');
if (!raw) {
resolve(undefined);
return;
}
try {
resolve(JSON.parse(raw));
} catch (err) {
reject(err);
}
});
req.on('error', reject);
});
}

19
apps/gateway/src/mcp/mcp.dto.ts
View File

@@ -1,19 +0,0 @@
/**
* MCP (Model Context Protocol) DTOs
*
* Defines the data transfer objects for the MCP streamable HTTP transport.
* See: https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http
*/
export interface McpToolDescriptor {
name: string;
description: string;
inputSchema: Record<string, unknown>;
}
export interface McpServerInfo {
name: string;
version: string;
protocolVersion: string;
tools: McpToolDescriptor[];
}

10
apps/gateway/src/mcp/mcp.module.ts
View File

@@ -1,10 +0,0 @@
import { Module } from '@nestjs/common';
import { McpService } from './mcp.service.js';
import { CoordModule } from '../coord/coord.module.js';
@Module({
imports: [CoordModule],
providers: [McpService],
exports: [McpService],
})
export class McpModule {}

429
apps/gateway/src/mcp/mcp.service.ts
View File

@@ -1,429 +0,0 @@
import { Injectable, Logger, Inject, OnModuleDestroy } from '@nestjs/common';
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
import { randomUUID } from 'node:crypto';
import { z } from 'zod';
import type { Brain } from '@mosaic/brain';
import type { Memory } from '@mosaic/memory';
import { BRAIN } from '../brain/brain.tokens.js';
import { MEMORY } from '../memory/memory.tokens.js';
import { EmbeddingService } from '../memory/embedding.service.js';
import { CoordService } from '../coord/coord.service.js';
interface SessionEntry {
server: McpServer;
transport: StreamableHTTPServerTransport;
createdAt: Date;
userId: string;
}
@Injectable()
export class McpService implements OnModuleDestroy {
private readonly logger = new Logger(McpService.name);
private readonly sessions = new Map<string, SessionEntry>();
constructor(
@Inject(BRAIN) private readonly brain: Brain,
@Inject(MEMORY) private readonly memory: Memory,
@Inject(EmbeddingService) private readonly embeddings: EmbeddingService,
@Inject(CoordService) private readonly coordService: CoordService,
) {}
/**
* Creates a new MCP session with its own server + transport pair.
* Returns the transport for use by the controller.
*/
createSession(userId: string): { sessionId: string; transport: StreamableHTTPServerTransport } {
const sessionId = randomUUID();
const transport = new StreamableHTTPServerTransport({
sessionIdGenerator: () => sessionId,
onsessioninitialized: (id) => {
this.logger.log(`MCP session initialized: ${id} for user ${userId}`);
},
});
const server = new McpServer(
{ name: 'mosaic-gateway', version: '1.0.0' },
{ capabilities: { tools: {} } },
);
this.registerTools(server, userId);
transport.onclose = () => {
this.logger.log(`MCP session closed: ${sessionId}`);
this.sessions.delete(sessionId);
};
server.connect(transport).catch((err: unknown) => {
this.logger.error(
`MCP server connect error for session ${sessionId}: ${err instanceof Error ? err.message : String(err)}`,
);
});
this.sessions.set(sessionId, { server, transport, createdAt: new Date(), userId });
return { sessionId, transport };
}
/**
* Returns the transport for an existing session, or null if not found.
*/
getSession(sessionId: string): StreamableHTTPServerTransport | null {
return this.sessions.get(sessionId)?.transport ?? null;
}
/**
* Registers all platform tools on the given McpServer instance.
*/
private registerTools(server: McpServer, _userId: string): void {
// ─── Brain: Project tools ────────────────────────────────────────────
server.registerTool(
'brain_list_projects',
{
description: 'List all projects in the brain.',
inputSchema: z.object({}),
},
async () => {
const projects = await this.brain.projects.findAll();
return {
content: [{ type: 'text' as const, text: JSON.stringify(projects, null, 2) }],
};
},
);
server.registerTool(
'brain_get_project',
{
description: 'Get a project by ID.',
inputSchema: z.object({
id: z.string().describe('Project ID (UUID)'),
}),
},
async ({ id }) => {
const project = await this.brain.projects.findById(id);
return {
content: [
{
type: 'text' as const,
text: project ? JSON.stringify(project, null, 2) : `Project not found: ${id}`,
},
],
};
},
);
// ─── Brain: Task tools ───────────────────────────────────────────────
server.registerTool(
'brain_list_tasks',
{
description: 'List tasks, optionally filtered by project, mission, or status.',
inputSchema: z.object({
projectId: z.string().optional().describe('Filter by project ID'),
missionId: z.string().optional().describe('Filter by mission ID'),
status: z.string().optional().describe('Filter by status'),
}),
},
async ({ projectId, missionId, status }) => {
type TaskStatus = 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
let tasks;
if (projectId) tasks = await this.brain.tasks.findByProject(projectId);
else if (missionId) tasks = await this.brain.tasks.findByMission(missionId);
else if (status) tasks = await this.brain.tasks.findByStatus(status as TaskStatus);
else tasks = await this.brain.tasks.findAll();
return { content: [{ type: 'text' as const, text: JSON.stringify(tasks, null, 2) }] };
},
);
server.registerTool(
'brain_create_task',
{
description: 'Create a new task in the brain.',
inputSchema: z.object({
title: z.string().describe('Task title'),
description: z.string().optional().describe('Task description'),
projectId: z.string().optional().describe('Project ID'),
missionId: z.string().optional().describe('Mission ID'),
priority: z.string().optional().describe('Priority: low, medium, high, critical'),
}),
},
async (params) => {
type Priority = 'low' | 'medium' | 'high' | 'critical';
const task = await this.brain.tasks.create({
...params,
priority: params.priority as Priority | undefined,
});
return { content: [{ type: 'text' as const, text: JSON.stringify(task, null, 2) }] };
},
);
server.registerTool(
'brain_update_task',
{
description: 'Update an existing task.',
inputSchema: z.object({
id: z.string().describe('Task ID'),
title: z.string().optional(),
description: z.string().optional(),
status: z
.string()
.optional()
.describe('not-started, in-progress, blocked, done, cancelled'),
priority: z.string().optional(),
}),
},
async ({ id, ...updates }) => {
type TaskStatus = 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
type Priority = 'low' | 'medium' | 'high' | 'critical';
const task = await this.brain.tasks.update(id, {
...updates,
status: updates.status as TaskStatus | undefined,
priority: updates.priority as Priority | undefined,
});
return {
content: [
{
type: 'text' as const,
text: task ? JSON.stringify(task, null, 2) : `Task not found: ${id}`,
},
],
};
},
);
// ─── Brain: Mission tools ────────────────────────────────────────────
server.registerTool(
'brain_list_missions',
{
description: 'List all missions, optionally filtered by project.',
inputSchema: z.object({
projectId: z.string().optional().describe('Filter by project ID'),
}),
},
async ({ projectId }) => {
const missions = projectId
? await this.brain.missions.findByProject(projectId)
: await this.brain.missions.findAll();
return { content: [{ type: 'text' as const, text: JSON.stringify(missions, null, 2) }] };
},
);
server.registerTool(
'brain_list_conversations',
{
description: 'List conversations for a user.',
inputSchema: z.object({
userId: z.string().describe('User ID'),
}),
},
async ({ userId }) => {
const conversations = await this.brain.conversations.findAll(userId);
return {
content: [{ type: 'text' as const, text: JSON.stringify(conversations, null, 2) }],
};
},
);
// ─── Memory tools ────────────────────────────────────────────────────
server.registerTool(
'memory_search',
{
description:
'Search across stored insights and knowledge using natural language. Returns semantically similar results.',
inputSchema: z.object({
userId: z.string().describe('User ID to search memory for'),
query: z.string().describe('Natural language search query'),
limit: z.number().optional().describe('Max results (default 5)'),
}),
},
async ({ userId, query, limit }) => {
if (!this.embeddings.available) {
return {
content: [
{
type: 'text' as const,
text: 'Semantic search unavailable — no embedding provider configured',
},
],
};
}
const embedding = await this.embeddings.embed(query);
const results = await this.memory.insights.searchByEmbedding(userId, embedding, limit ?? 5);
return { content: [{ type: 'text' as const, text: JSON.stringify(results, null, 2) }] };
},
);
server.registerTool(
'memory_get_preferences',
{
description: 'Retrieve stored preferences for a user.',
inputSchema: z.object({
userId: z.string().describe('User ID'),
category: z
.string()
.optional()
.describe('Filter by category: communication, coding, workflow, appearance, general'),
}),
},
async ({ userId, category }) => {
type Cat = 'communication' | 'coding' | 'workflow' | 'appearance' | 'general';
const prefs = category
? await this.memory.preferences.findByUserAndCategory(userId, category as Cat)
: await this.memory.preferences.findByUser(userId);
return { content: [{ type: 'text' as const, text: JSON.stringify(prefs, null, 2) }] };
},
);
server.registerTool(
'memory_save_preference',
{
description:
'Store a learned user preference (e.g., "prefers tables over paragraphs", "timezone: America/Chicago").',
inputSchema: z.object({
userId: z.string().describe('User ID'),
key: z.string().describe('Preference key'),
value: z.string().describe('Preference value (JSON string)'),
category: z
.string()
.optional()
.describe('Category: communication, coding, workflow, appearance, general'),
}),
},
async ({ userId, key, value, category }) => {
type Cat = 'communication' | 'coding' | 'workflow' | 'appearance' | 'general';
let parsedValue: unknown;
try {
parsedValue = JSON.parse(value);
} catch {
parsedValue = value;
}
const pref = await this.memory.preferences.upsert({
userId,
key,
value: parsedValue,
category: (category as Cat) ?? 'general',
source: 'agent',
});
return { content: [{ type: 'text' as const, text: JSON.stringify(pref, null, 2) }] };
},
);
server.registerTool(
'memory_save_insight',
{
description:
'Store a learned insight, decision, or knowledge extracted from the current interaction.',
inputSchema: z.object({
userId: z.string().describe('User ID'),
content: z.string().describe('The insight or knowledge to store'),
category: z
.string()
.optional()
.describe('Category: decision, learning, preference, fact, pattern, general'),
}),
},
async ({ userId, content, category }) => {
type Cat = 'decision' | 'learning' | 'preference' | 'fact' | 'pattern' | 'general';
const embedding = this.embeddings.available ? await this.embeddings.embed(content) : null;
const insight = await this.memory.insights.create({
userId,
content,
embedding,
source: 'agent',
category: (category as Cat) ?? 'learning',
});
return { content: [{ type: 'text' as const, text: JSON.stringify(insight, null, 2) }] };
},
);
// ─── Coord tools ─────────────────────────────────────────────────────
server.registerTool(
'coord_mission_status',
{
description:
'Get the current orchestration mission status including milestones, tasks, and active session.',
inputSchema: z.object({
projectPath: z
.string()
.optional()
.describe('Project path. Defaults to gateway working directory.'),
}),
},
async ({ projectPath }) => {
const resolvedPath = projectPath ?? process.cwd();
const status = await this.coordService.getMissionStatus(resolvedPath);
return {
content: [
{
type: 'text' as const,
text: status ? JSON.stringify(status, null, 2) : 'No active coord mission found.',
},
],
};
},
);
server.registerTool(
'coord_list_tasks',
{
description: 'List all tasks from the orchestration TASKS.md file.',
inputSchema: z.object({
projectPath: z
.string()
.optional()
.describe('Project path. Defaults to gateway working directory.'),
}),
},
async ({ projectPath }) => {
const resolvedPath = projectPath ?? process.cwd();
const tasks = await this.coordService.listTasks(resolvedPath);
return { content: [{ type: 'text' as const, text: JSON.stringify(tasks, null, 2) }] };
},
);
server.registerTool(
'coord_task_detail',
{
description: 'Get detailed status for a specific orchestration task.',
inputSchema: z.object({
taskId: z.string().describe('Task ID (e.g. P2-005)'),
projectPath: z
.string()
.optional()
.describe('Project path. Defaults to gateway working directory.'),
}),
},
async ({ taskId, projectPath }) => {
const resolvedPath = projectPath ?? process.cwd();
const detail = await this.coordService.getTaskStatus(resolvedPath, taskId);
return {
content: [
{
type: 'text' as const,
text: detail
? JSON.stringify(detail, null, 2)
: `Task ${taskId} not found in coord mission.`,
},
],
};
},
);
}
async onModuleDestroy(): Promise<void> {
this.logger.log(`Closing ${this.sessions.size} MCP sessions on shutdown`);
const closePromises = Array.from(this.sessions.values()).map(({ transport }) =>
transport.close().catch((err: unknown) => {
this.logger.warn(
`Error closing MCP transport: ${err instanceof Error ? err.message : String(err)}`,
);
}),
);
await Promise.all(closePromises);
this.sessions.clear();
}
}

1
apps/gateway/src/mcp/mcp.tokens.ts
View File

@@ -1 +0,0 @@
export const MCP_SERVICE = 'MCP_SERVICE';

69
apps/gateway/src/memory/embedding.service.ts
View File

@@ -1,69 +0,0 @@
import { Injectable, Logger } from '@nestjs/common';
import type { EmbeddingProvider } from '@mosaic/memory';
const DEFAULT_MODEL = 'text-embedding-3-small';
const DEFAULT_DIMENSIONS = 1536;
interface EmbeddingResponse {
data: Array<{ embedding: number[]; index: number }>;
model: string;
usage: { prompt_tokens: number; total_tokens: number };
}
/**
* Generates embeddings via the OpenAI-compatible embeddings API.
* Supports OpenAI, Azure OpenAI, and any provider with a compatible endpoint.
*/
@Injectable()
export class EmbeddingService implements EmbeddingProvider {
private readonly logger = new Logger(EmbeddingService.name);
private readonly apiKey: string | undefined;
private readonly baseUrl: string;
private readonly model: string;
readonly dimensions = DEFAULT_DIMENSIONS;
constructor() {
this.apiKey = process.env['OPENAI_API_KEY'];
this.baseUrl = process.env['EMBEDDING_API_URL'] ?? 'https://api.openai.com/v1';
this.model = process.env['EMBEDDING_MODEL'] ?? DEFAULT_MODEL;
}
get available(): boolean {
return !!this.apiKey;
}
async embed(text: string): Promise<number[]> {
const results = await this.embedBatch([text]);
return results[0]!;
}
async embedBatch(texts: string[]): Promise<number[][]> {
if (!this.apiKey) {
this.logger.warn('No OPENAI_API_KEY configured — returning zero vectors');
return texts.map(() => new Array<number>(this.dimensions).fill(0));
}
const response = await fetch(`${this.baseUrl}/embeddings`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${this.apiKey}`,
},
body: JSON.stringify({
model: this.model,
input: texts,
dimensions: this.dimensions,
}),
});
if (!response.ok) {
const body = await response.text();
this.logger.error(`Embedding API error: ${response.status} ${body}`);
throw new Error(`Embedding API returned ${response.status}`);
}
const json = (await response.json()) as EmbeddingResponse;
return json.data.sort((a, b) => a.index - b.index).map((d) => d.embedding);
}
}

127
apps/gateway/src/memory/memory.controller.ts
View File

@@ -1,127 +0,0 @@
import {
Body,
Controller,
Delete,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Param,
Post,
Query,
UseGuards,
} from '@nestjs/common';
import type { Memory } from '@mosaic/memory';
import { MEMORY } from './memory.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { EmbeddingService } from './embedding.service.js';
import type { UpsertPreferenceDto, CreateInsightDto, SearchMemoryDto } from './memory.dto.js';
@Controller('api/memory')
@UseGuards(AuthGuard)
export class MemoryController {
constructor(
@Inject(MEMORY) private readonly memory: Memory,
@Inject(EmbeddingService) private readonly embeddings: EmbeddingService,
) {}
// ─── Preferences ────────────────────────────────────────────────────
@Get('preferences')
async listPreferences(@CurrentUser() user: { id: string }, @Query('category') category?: string) {
if (category) {
return this.memory.preferences.findByUserAndCategory(
user.id,
category as Parameters<typeof this.memory.preferences.findByUserAndCategory>[1],
);
}
return this.memory.preferences.findByUser(user.id);
}
@Get('preferences/:key')
async getPreference(@CurrentUser() user: { id: string }, @Param('key') key: string) {
const pref = await this.memory.preferences.findByUserAndKey(user.id, key);
if (!pref) throw new NotFoundException('Preference not found');
return pref;
}
@Post('preferences')
async upsertPreference(@CurrentUser() user: { id: string }, @Body() dto: UpsertPreferenceDto) {
return this.memory.preferences.upsert({
userId: user.id,
key: dto.key,
value: dto.value,
category: dto.category,
source: dto.source,
});
}
@Delete('preferences/:key')
@HttpCode(HttpStatus.NO_CONTENT)
async removePreference(@CurrentUser() user: { id: string }, @Param('key') key: string) {
const deleted = await this.memory.preferences.remove(user.id, key);
if (!deleted) throw new NotFoundException('Preference not found');
}
// ─── Insights ───────────────────────────────────────────────────────
@Get('insights')
async listInsights(@CurrentUser() user: { id: string }, @Query('limit') limit?: string) {
return this.memory.insights.findByUser(user.id, limit ? Number(limit) : undefined);
}
@Get('insights/:id')
async getInsight(@Param('id') id: string) {
const insight = await this.memory.insights.findById(id);
if (!insight) throw new NotFoundException('Insight not found');
return insight;
}
@Post('insights')
async createInsight(@CurrentUser() user: { id: string }, @Body() dto: CreateInsightDto) {
const embedding = this.embeddings.available
? await this.embeddings.embed(dto.content)
: undefined;
return this.memory.insights.create({
userId: user.id,
content: dto.content,
source: dto.source,
category: dto.category,
metadata: dto.metadata,
embedding: embedding ?? null,
});
}
@Delete('insights/:id')
@HttpCode(HttpStatus.NO_CONTENT)
async removeInsight(@Param('id') id: string) {
const deleted = await this.memory.insights.remove(id);
if (!deleted) throw new NotFoundException('Insight not found');
}
// ─── Search ─────────────────────────────────────────────────────────
@Post('search')
async searchMemory(@CurrentUser() user: { id: string }, @Body() dto: SearchMemoryDto) {
if (!this.embeddings.available) {
return {
query: dto.query,
results: [],
message: 'Semantic search requires OPENAI_API_KEY for embeddings',
};
}
const queryEmbedding = await this.embeddings.embed(dto.query);
const results = await this.memory.insights.searchByEmbedding(
user.id,
queryEmbedding,
dto.limit ?? 10,
dto.maxDistance ?? 0.8,
);
return { query: dto.query, results };
}
}

19
apps/gateway/src/memory/memory.dto.ts
View File

@@ -1,19 +0,0 @@
export interface UpsertPreferenceDto {
key: string;
value: unknown;
category?: 'communication' | 'coding' | 'workflow' | 'appearance' | 'general';
source?: string;
}
export interface CreateInsightDto {
content: string;
source?: 'agent' | 'user' | 'summarization' | 'system';
category?: 'decision' | 'learning' | 'preference' | 'fact' | 'pattern' | 'general';
metadata?: Record<string, unknown>;
}
export interface SearchMemoryDto {
query: string;
limit?: number;
maxDistance?: number;
}

22
apps/gateway/src/memory/memory.module.ts
View File

@@ -1,22 +0,0 @@
import { Global, Module } from '@nestjs/common';
import { createMemory, type Memory } from '@mosaic/memory';
import type { Db } from '@mosaic/db';
import { DB } from '../database/database.module.js';
import { MEMORY } from './memory.tokens.js';
import { MemoryController } from './memory.controller.js';
import { EmbeddingService } from './embedding.service.js';
@Global()
@Module({
providers: [
{
provide: MEMORY,
useFactory: (db: Db): Memory => createMemory(db),
inject: [DB],
},
EmbeddingService,
],
controllers: [MemoryController],
exports: [MEMORY, EmbeddingService],
})
export class MemoryModule {}

1
apps/gateway/src/memory/memory.tokens.ts
View File

@@ -1 +0,0 @@
export const MEMORY = 'MEMORY';

111
apps/gateway/src/missions/missions.controller.ts
View File

@@ -2,6 +2,7 @@ import {
Body, Body,
Controller, Controller,
Delete, Delete,
ForbiddenException,
Get, Get,
HttpCode, HttpCode,
HttpStatus, HttpStatus,
@@ -16,42 +17,30 @@ import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js'; import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js'; import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js'; import { CurrentUser } from '../auth/current-user.decorator.js';
import { import { assertOwner } from '../auth/resource-ownership.js';
CreateMissionDto, import { CreateMissionDto, UpdateMissionDto } from './missions.dto.js';
UpdateMissionDto,
CreateMissionTaskDto,
UpdateMissionTaskDto,
} from './missions.dto.js';
@Controller('api/missions') @Controller('api/missions')
@UseGuards(AuthGuard) @UseGuards(AuthGuard)
export class MissionsController { export class MissionsController {
constructor(@Inject(BRAIN) private readonly brain: Brain) {} constructor(@Inject(BRAIN) private readonly brain: Brain) {}
// ── Missions CRUD (user-scoped) ──
@Get() @Get()
async list(@CurrentUser() user: { id: string }) { async list() {
return this.brain.missions.findAllByUser(user.id); return this.brain.missions.findAll();
} }
@Get(':id') @Get(':id')
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) { async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const mission = await this.brain.missions.findByIdAndUser(id, user.id); return this.getOwnedMission(id, user.id);
if (!mission) throw new NotFoundException('Mission not found');
return mission;
} }
@Post() @Post()
async create(@Body() dto: CreateMissionDto, @CurrentUser() user: { id: string }) { async create(@Body() dto: CreateMissionDto) {
return this.brain.missions.create({ return this.brain.missions.create({
name: dto.name, name: dto.name,
description: dto.description, description: dto.description,
projectId: dto.projectId, projectId: dto.projectId,
userId: user.id,
phase: dto.phase,
milestones: dto.milestones,
config: dto.config,
status: dto.status, status: dto.status,
}); });
} }
@@ -62,8 +51,10 @@ export class MissionsController {
@Body() dto: UpdateMissionDto, @Body() dto: UpdateMissionDto,
@CurrentUser() user: { id: string }, @CurrentUser() user: { id: string },
) { ) {
const existing = await this.brain.missions.findByIdAndUser(id, user.id); await this.getOwnedMission(id, user.id);
if (!existing) throw new NotFoundException('Mission not found'); if (dto.projectId) {
await this.getOwnedProject(dto.projectId, user.id, 'Mission');
}
const mission = await this.brain.missions.update(id, dto); const mission = await this.brain.missions.update(id, dto);
if (!mission) throw new NotFoundException('Mission not found'); if (!mission) throw new NotFoundException('Mission not found');
return mission; return mission;
@@ -72,81 +63,33 @@ export class MissionsController {
@Delete(':id') @Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) { async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
const existing = await this.brain.missions.findByIdAndUser(id, user.id); await this.getOwnedMission(id, user.id);
if (!existing) throw new NotFoundException('Mission not found');
const deleted = await this.brain.missions.remove(id); const deleted = await this.brain.missions.remove(id);
if (!deleted) throw new NotFoundException('Mission not found'); if (!deleted) throw new NotFoundException('Mission not found');
} }
// ── Mission Tasks sub-routes ── private async getOwnedMission(id: string, userId: string) {
const mission = await this.brain.missions.findById(id);
@Get(':missionId/tasks')
async listTasks(@Param('missionId') missionId: string, @CurrentUser() user: { id: string }) {
const mission = await this.brain.missions.findByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found'); if (!mission) throw new NotFoundException('Mission not found');
return this.brain.missionTasks.findByMissionAndUser(missionId, user.id); await this.getOwnedProject(mission.projectId, userId, 'Mission');
return mission;
} }
@Get(':missionId/tasks/:taskId') private async getOwnedProject(
async getTask( projectId: string | null | undefined,
@Param('missionId') missionId: string, userId: string,
@Param('taskId') taskId: string, resourceName: string,
@CurrentUser() user: { id: string },
) { ) {
const mission = await this.brain.missions.findByIdAndUser(missionId, user.id); if (!projectId) {
if (!mission) throw new NotFoundException('Mission not found'); throw new ForbiddenException(`${resourceName} does not belong to the current user`);
const task = await this.brain.missionTasks.findByIdAndUser(taskId, user.id);
if (!task) throw new NotFoundException('Mission task not found');
return task;
} }
@Post(':missionId/tasks') const project = await this.brain.projects.findById(projectId);
async createTask( if (!project) {
@Param('missionId') missionId: string, throw new ForbiddenException(`${resourceName} does not belong to the current user`);
@Body() dto: CreateMissionTaskDto,
@CurrentUser() user: { id: string },
) {
const mission = await this.brain.missions.findByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
return this.brain.missionTasks.create({
missionId,
taskId: dto.taskId,
userId: user.id,
status: dto.status,
description: dto.description,
notes: dto.notes,
pr: dto.pr,
});
} }
@Patch(':missionId/tasks/:taskId') assertOwner(project.ownerId, userId, resourceName);
async updateTask( return project;
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@Body() dto: UpdateMissionTaskDto,
@CurrentUser() user: { id: string },
) {
const mission = await this.brain.missions.findByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const existing = await this.brain.missionTasks.findByIdAndUser(taskId, user.id);
if (!existing) throw new NotFoundException('Mission task not found');
const updated = await this.brain.missionTasks.update(taskId, dto);
if (!updated) throw new NotFoundException('Mission task not found');
return updated;
}
@Delete(':missionId/tasks/:taskId')
@HttpCode(HttpStatus.NO_CONTENT)
async removeTask(
@Param('missionId') missionId: string,
@Param('taskId') taskId: string,
@CurrentUser() user: { id: string },
) {
const mission = await this.brain.missions.findByIdAndUser(missionId, user.id);
if (!mission) throw new NotFoundException('Mission not found');
const existing = await this.brain.missionTasks.findByIdAndUser(taskId, user.id);
if (!existing) throw new NotFoundException('Mission task not found');
const deleted = await this.brain.missionTasks.remove(taskId);
if (!deleted) throw new NotFoundException('Mission task not found');
} }
} }

79
apps/gateway/src/missions/missions.dto.ts
View File

@@ -1,7 +1,6 @@
import { IsArray, IsIn, IsObject, IsOptional, IsString, IsUUID, MaxLength } from 'class-validator'; import { IsIn, IsObject, IsOptional, IsString, IsUUID, MaxLength } from 'class-validator';
const missionStatuses = ['planning', 'active', 'paused', 'completed', 'failed'] as const; const missionStatuses = ['planning', 'active', 'paused', 'completed', 'failed'] as const;
const taskStatuses = ['not-started', 'in-progress', 'blocked', 'done', 'cancelled'] as const;
export class CreateMissionDto { export class CreateMissionDto {
@IsString() @IsString()
@@ -20,19 +19,6 @@ export class CreateMissionDto {
@IsOptional() @IsOptional()
@IsIn(missionStatuses) @IsIn(missionStatuses)
status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed'; status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed';
@IsOptional()
@IsString()
@MaxLength(255)
phase?: string;
@IsOptional()
@IsArray()
milestones?: Record<string, unknown>[];
@IsOptional()
@IsObject()
config?: Record<string, unknown>;
} }
export class UpdateMissionDto { export class UpdateMissionDto {
@@ -54,70 +40,7 @@ export class UpdateMissionDto {
@IsIn(missionStatuses) @IsIn(missionStatuses)
status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed'; status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed';
@IsOptional()
@IsString()
@MaxLength(255)
phase?: string;
@IsOptional()
@IsArray()
milestones?: Record<string, unknown>[];
@IsOptional()
@IsObject()
config?: Record<string, unknown>;
@IsOptional() @IsOptional()
@IsObject() @IsObject()
metadata?: Record<string, unknown> | null; metadata?: Record<string, unknown> | null;
} }
export class CreateMissionTaskDto {
@IsOptional()
@IsUUID()
taskId?: string;
@IsOptional()
@IsIn(taskStatuses)
status?: 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
@IsOptional()
@IsString()
@MaxLength(10_000)
description?: string;
@IsOptional()
@IsString()
@MaxLength(10_000)
notes?: string;
@IsOptional()
@IsString()
@MaxLength(255)
pr?: string;
}
export class UpdateMissionTaskDto {
@IsOptional()
@IsUUID()
taskId?: string;
@IsOptional()
@IsIn(taskStatuses)
status?: 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
@IsOptional()
@IsString()
@MaxLength(10_000)
description?: string;
@IsOptional()
@IsString()
@MaxLength(10_000)
notes?: string;
@IsOptional()
@IsString()
@MaxLength(255)
pr?: string;
}

11
apps/gateway/src/plugin/plugin.interface.ts
View File

@@ -1,11 +0,0 @@
export interface IChannelPlugin {
readonly name: string;
start(): Promise<void>;
stop(): Promise<void>;
/** Called when a new project is bootstrapped. Return channelId if a channel was created. */
onProjectCreated?(project: {
id: string;
name: string;
description?: string;
}): Promise<{ channelId: string } | null>;
}

117
apps/gateway/src/plugin/plugin.module.ts
View File

@@ -1,117 +0,0 @@
import {
Global,
Inject,
Logger,
Module,
type OnModuleDestroy,
type OnModuleInit,
} from '@nestjs/common';
import { DiscordPlugin } from '@mosaic/discord-plugin';
import { TelegramPlugin } from '@mosaic/telegram-plugin';
import { PluginService } from './plugin.service.js';
import type { IChannelPlugin } from './plugin.interface.js';
import { PLUGIN_REGISTRY } from './plugin.tokens.js';
class DiscordChannelPluginAdapter implements IChannelPlugin {
readonly name = 'discord';
constructor(private readonly plugin: DiscordPlugin) {}
async start(): Promise<void> {
await this.plugin.start();
}
async stop(): Promise<void> {
await this.plugin.stop();
}
async onProjectCreated(project: {
id: string;
name: string;
description?: string;
}): Promise<{ channelId: string } | null> {
return this.plugin.createProjectChannel(project);
}
}
class TelegramChannelPluginAdapter implements IChannelPlugin {
readonly name = 'telegram';
constructor(private readonly plugin: TelegramPlugin) {}
async start(): Promise<void> {
await this.plugin.start();
}
async stop(): Promise<void> {
await this.plugin.stop();
}
}
const DEFAULT_GATEWAY_URL = 'http://localhost:4000';
function createPluginRegistry(): IChannelPlugin[] {
const plugins: IChannelPlugin[] = [];
const discordToken = process.env['DISCORD_BOT_TOKEN'];
const discordGuildId = process.env['DISCORD_GUILD_ID'];
const discordGatewayUrl = process.env['DISCORD_GATEWAY_URL'] ?? DEFAULT_GATEWAY_URL;
if (discordToken) {
plugins.push(
new DiscordChannelPluginAdapter(
new DiscordPlugin({
token: discordToken,
guildId: discordGuildId,
gatewayUrl: discordGatewayUrl,
}),
),
);
}
const telegramToken = process.env['TELEGRAM_BOT_TOKEN'];
const telegramGatewayUrl = process.env['TELEGRAM_GATEWAY_URL'] ?? DEFAULT_GATEWAY_URL;
if (telegramToken) {
plugins.push(
new TelegramChannelPluginAdapter(
new TelegramPlugin({
token: telegramToken,
gatewayUrl: telegramGatewayUrl,
}),
),
);
}
return plugins;
}
@Global()
@Module({
providers: [
{
provide: PLUGIN_REGISTRY,
useFactory: (): IChannelPlugin[] => createPluginRegistry(),
},
PluginService,
],
exports: [PluginService, PLUGIN_REGISTRY],
})
export class PluginModule implements OnModuleInit, OnModuleDestroy {
private readonly logger = new Logger(PluginModule.name);
constructor(@Inject(PLUGIN_REGISTRY) private readonly plugins: IChannelPlugin[]) {}
async onModuleInit(): Promise<void> {
for (const plugin of this.plugins) {
this.logger.log(`Starting plugin: ${plugin.name}`);
await plugin.start();
}
}
async onModuleDestroy(): Promise<void> {
for (const plugin of [...this.plugins].reverse()) {
this.logger.log(`Stopping plugin: ${plugin.name}`);
await plugin.stop();
}
}
}

16
apps/gateway/src/plugin/plugin.service.ts
View File

@@ -1,16 +0,0 @@
import { Inject, Injectable } from '@nestjs/common';
import { PLUGIN_REGISTRY } from './plugin.tokens.js';
import type { IChannelPlugin } from './plugin.interface.js';
@Injectable()
export class PluginService {
constructor(@Inject(PLUGIN_REGISTRY) private readonly plugins: IChannelPlugin[]) {}
getPlugins(): IChannelPlugin[] {
return this.plugins;
}
getPlugin(name: string): IChannelPlugin | undefined {
return this.plugins.find((plugin: IChannelPlugin) => plugin.name === name);
}
}

1
apps/gateway/src/plugin/plugin.tokens.ts
View File

@@ -1 +0,0 @@
export const PLUGIN_REGISTRY = Symbol('PLUGIN_REGISTRY');

44
apps/gateway/src/preferences/preferences.controller.ts
View File

@@ -1,44 +0,0 @@
import {
Body,
Controller,
Delete,
Get,
HttpCode,
HttpStatus,
Inject,
Param,
Post,
UseGuards,
} from '@nestjs/common';
import { PreferencesService } from './preferences.service.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
@Controller('api/preferences')
@UseGuards(AuthGuard)
export class PreferencesController {
constructor(@Inject(PreferencesService) private readonly preferences: PreferencesService) {}
@Get()
async show(@CurrentUser() user: { id: string }): Promise<Record<string, unknown>> {
return this.preferences.getEffective(user.id);
}
@Post()
@HttpCode(HttpStatus.OK)
async set(
@CurrentUser() user: { id: string },
@Body() body: { key: string; value: unknown },
): Promise<{ success: boolean; message: string }> {
return this.preferences.set(user.id, body.key, body.value);
}
@Delete(':key')
@HttpCode(HttpStatus.OK)
async reset(
@CurrentUser() user: { id: string },
@Param('key') key: string,
): Promise<{ success: boolean; message: string }> {
return this.preferences.reset(user.id, key);
}
}

12
apps/gateway/src/preferences/preferences.module.ts
View File

@@ -1,12 +0,0 @@
import { Global, Module } from '@nestjs/common';
import { PreferencesService } from './preferences.service.js';
import { PreferencesController } from './preferences.controller.js';
import { SystemOverrideService } from './system-override.service.js';
@Global()
@Module({
controllers: [PreferencesController],
providers: [PreferencesService, SystemOverrideService],
exports: [PreferencesService, SystemOverrideService],
})
export class PreferencesModule {}

167
apps/gateway/src/preferences/preferences.service.spec.ts
View File

@@ -1,167 +0,0 @@
import { describe, it, expect, vi } from 'vitest';
import { PreferencesService, PLATFORM_DEFAULTS, IMMUTABLE_KEYS } from './preferences.service.js';
import type { Db } from '@mosaic/db';
/**
* Build a mock Drizzle DB where the select chain supports:
* db.select().from().where() → resolves to `listRows`
* db.select().from().where().limit(n) → resolves to `singleRow`
*/
function makeMockDb(
listRows: Array<{ key: string; value: unknown }> = [],
singleRow: Array<{ id: string }> = [],
): Db {
const chainWithLimit = {
limit: vi.fn().mockResolvedValue(singleRow),
then: (resolve: (v: typeof listRows) => unknown) => Promise.resolve(listRows).then(resolve),
};
const selectFrom = {
from: vi.fn().mockReturnThis(),
where: vi.fn().mockReturnValue(chainWithLimit),
};
const updateResult = {
set: vi.fn().mockReturnThis(),
where: vi.fn().mockResolvedValue([]),
};
const deleteResult = {
where: vi.fn().mockResolvedValue([]),
};
const insertResult = {
values: vi.fn().mockResolvedValue([]),
};
return {
select: vi.fn().mockReturnValue(selectFrom),
update: vi.fn().mockReturnValue(updateResult),
delete: vi.fn().mockReturnValue(deleteResult),
insert: vi.fn().mockReturnValue(insertResult),
} as unknown as Db;
}
describe('PreferencesService', () => {
describe('getEffective', () => {
it('returns platform defaults when user has no overrides', async () => {
const db = makeMockDb([]);
const service = new PreferencesService(db);
const result = await service.getEffective('user-1');
expect(result['agent.thinkingLevel']).toBe('auto');
expect(result['agent.streamingEnabled']).toBe(true);
expect(result['session.autoCompactEnabled']).toBe(true);
expect(result['session.autoCompactThreshold']).toBe(0.8);
});
it('applies user overrides for mutable keys', async () => {
const db = makeMockDb([
{ key: 'agent.thinkingLevel', value: 'high' },
{ key: 'response.language', value: 'es' },
]);
const service = new PreferencesService(db);
const result = await service.getEffective('user-1');
expect(result['agent.thinkingLevel']).toBe('high');
expect(result['response.language']).toBe('es');
});
it('ignores user overrides for immutable keys — enforcement always wins', async () => {
const db = makeMockDb([
{ key: 'limits.maxThinkingLevel', value: 'high' },
{ key: 'limits.rateLimit', value: 9999 },
]);
const service = new PreferencesService(db);
const result = await service.getEffective('user-1');
// Should still be null (platform default), not the user-supplied values
expect(result['limits.maxThinkingLevel']).toBeNull();
expect(result['limits.rateLimit']).toBeNull();
});
});
describe('set', () => {
it('returns error when attempting to override an immutable key', async () => {
const db = makeMockDb();
const service = new PreferencesService(db);
const result = await service.set('user-1', 'limits.maxThinkingLevel', 'high');
expect(result.success).toBe(false);
expect(result.message).toContain('platform enforcement');
});
it('returns error when attempting to override limits.rateLimit', async () => {
const db = makeMockDb();
const service = new PreferencesService(db);
const result = await service.set('user-1', 'limits.rateLimit', 100);
expect(result.success).toBe(false);
expect(result.message).toContain('platform enforcement');
});
it('upserts a mutable preference and returns success — insert path', async () => {
// singleRow=[] → no existing row → insert path
const db = makeMockDb([], []);
const service = new PreferencesService(db);
const result = await service.set('user-1', 'agent.thinkingLevel', 'high');
expect(result.success).toBe(true);
expect(result.message).toContain('"agent.thinkingLevel"');
});
it('upserts a mutable preference and returns success — update path', async () => {
// singleRow has an id → existing row → update path
const db = makeMockDb([], [{ id: 'existing-id' }]);
const service = new PreferencesService(db);
const result = await service.set('user-1', 'agent.thinkingLevel', 'low');
expect(result.success).toBe(true);
expect(result.message).toContain('"agent.thinkingLevel"');
});
});
describe('reset', () => {
it('returns error when attempting to reset an immutable key', async () => {
const db = makeMockDb();
const service = new PreferencesService(db);
const result = await service.reset('user-1', 'limits.rateLimit');
expect(result.success).toBe(false);
expect(result.message).toContain('platform enforcement');
});
it('deletes user override and returns default value in message', async () => {
const db = makeMockDb();
const service = new PreferencesService(db);
const result = await service.reset('user-1', 'agent.thinkingLevel');
expect(result.success).toBe(true);
expect(result.message).toContain('"auto"'); // platform default for agent.thinkingLevel
});
});
describe('IMMUTABLE_KEYS', () => {
it('contains only the enforcement keys', () => {
expect(IMMUTABLE_KEYS.has('limits.maxThinkingLevel')).toBe(true);
expect(IMMUTABLE_KEYS.has('limits.rateLimit')).toBe(true);
expect(IMMUTABLE_KEYS.has('agent.thinkingLevel')).toBe(false);
});
});
describe('PLATFORM_DEFAULTS', () => {
it('has all expected keys', () => {
const expectedKeys = [
'agent.defaultModel',
'agent.thinkingLevel',
'agent.streamingEnabled',
'response.language',
'response.codeAnnotations',
'safety.confirmDestructiveTools',
'session.autoCompactThreshold',
'session.autoCompactEnabled',
'limits.maxThinkingLevel',
'limits.rateLimit',
];
for (const key of expectedKeys) {
expect(Object.prototype.hasOwnProperty.call(PLATFORM_DEFAULTS, key)).toBe(true);
}
});
});
});

119
apps/gateway/src/preferences/preferences.service.ts
View File

@@ -1,119 +0,0 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import { eq, and, type Db, preferences as preferencesTable } from '@mosaic/db';
import { DB } from '../database/database.module.js';
export const PLATFORM_DEFAULTS: Record<string, unknown> = {
'agent.defaultModel': null,
'agent.thinkingLevel': 'auto',
'agent.streamingEnabled': true,
'response.language': 'auto',
'response.codeAnnotations': true,
'safety.confirmDestructiveTools': true,
'session.autoCompactThreshold': 0.8,
'session.autoCompactEnabled': true,
'limits.maxThinkingLevel': null,
'limits.rateLimit': null,
};
export const IMMUTABLE_KEYS = new Set<string>(['limits.maxThinkingLevel', 'limits.rateLimit']);
@Injectable()
export class PreferencesService {
private readonly logger = new Logger(PreferencesService.name);
constructor(@Inject(DB) private readonly db: Db) {}
/**
* Returns the effective preference set for a user:
* Platform defaults → user overrides (mutable keys only) → enforcements re-applied last
*/
async getEffective(userId: string): Promise<Record<string, unknown>> {
const userPrefs = await this.getUserPrefs(userId);
const result: Record<string, unknown> = { ...PLATFORM_DEFAULTS };
for (const [key, value] of Object.entries(userPrefs)) {
if (!IMMUTABLE_KEYS.has(key)) {
result[key] = value;
}
}
// Re-apply immutable keys (enforcements always win)
for (const key of IMMUTABLE_KEYS) {
result[key] = PLATFORM_DEFAULTS[key];
}
return result;
}
async set(
userId: string,
key: string,
value: unknown,
): Promise<{ success: boolean; message: string }> {
if (IMMUTABLE_KEYS.has(key)) {
return {
success: false,
message: `Cannot override "${key}" — this is a platform enforcement. Contact your admin.`,
};
}
await this.upsertPref(userId, key, value);
return { success: true, message: `Preference "${key}" set to ${JSON.stringify(value)}.` };
}
async reset(userId: string, key: string): Promise<{ success: boolean; message: string }> {
if (IMMUTABLE_KEYS.has(key)) {
return { success: false, message: `Cannot reset "${key}" — it is a platform enforcement.` };
}
await this.deletePref(userId, key);
const defaultVal = PLATFORM_DEFAULTS[key];
return {
success: true,
message: `Preference "${key}" reset to default: ${JSON.stringify(defaultVal)}.`,
};
}
private async getUserPrefs(userId: string): Promise<Record<string, unknown>> {
const rows = await this.db
.select({ key: preferencesTable.key, value: preferencesTable.value })
.from(preferencesTable)
.where(eq(preferencesTable.userId, userId));
const result: Record<string, unknown> = {};
for (const row of rows) {
result[row.key] = row.value;
}
return result;
}
private async upsertPref(userId: string, key: string, value: unknown): Promise<void> {
const existing = await this.db
.select({ id: preferencesTable.id })
.from(preferencesTable)
.where(and(eq(preferencesTable.userId, userId), eq(preferencesTable.key, key)))
.limit(1);
if (existing.length > 0) {
await this.db
.update(preferencesTable)
.set({ value: value as never, updatedAt: new Date() })
.where(and(eq(preferencesTable.userId, userId), eq(preferencesTable.key, key)));
} else {
await this.db.insert(preferencesTable).values({
userId,
key,
value: value as never,
mutable: true,
});
}
this.logger.debug(`Upserted preference "${key}" for user ${userId}`);
}
private async deletePref(userId: string, key: string): Promise<void> {
await this.db
.delete(preferencesTable)
.where(and(eq(preferencesTable.userId, userId), eq(preferencesTable.key, key)));
this.logger.debug(`Deleted preference "${key}" for user ${userId}`);
}
}

131
apps/gateway/src/preferences/system-override.service.ts
View File

@@ -1,131 +0,0 @@
import { Injectable, Logger } from '@nestjs/common';
import { createQueue, type QueueHandle } from '@mosaic/queue';
const SESSION_SYSTEM_KEY = (sessionId: string) => `mosaic:session:${sessionId}:system`;
const SESSION_SYSTEM_FRAGMENTS_KEY = (sessionId: string) =>
`mosaic:session:${sessionId}:system:fragments`;
const SYSTEM_OVERRIDE_TTL_SECONDS = 604800; // 7 days
interface OverrideFragment {
text: string;
addedAt: number;
}
@Injectable()
export class SystemOverrideService {
private readonly logger = new Logger(SystemOverrideService.name);
private readonly handle: QueueHandle;
constructor() {
this.handle = createQueue();
}
async set(sessionId: string, override: string): Promise<void> {
// Load existing fragments
const existing = await this.handle.redis.get(SESSION_SYSTEM_FRAGMENTS_KEY(sessionId));
const fragments: OverrideFragment[] = existing
? (JSON.parse(existing) as OverrideFragment[])
: [];
// Append new fragment
fragments.push({ text: override, addedAt: Date.now() });
// Condense fragments into one coherent override
const texts = fragments.map((f) => f.text);
const condensed = await this.condenseOverrides(texts);
// Store both: fragments array and condensed result
const pipeline = this.handle.redis.pipeline();
pipeline.setex(
SESSION_SYSTEM_FRAGMENTS_KEY(sessionId),
SYSTEM_OVERRIDE_TTL_SECONDS,
JSON.stringify(fragments),
);
pipeline.setex(SESSION_SYSTEM_KEY(sessionId), SYSTEM_OVERRIDE_TTL_SECONDS, condensed);
await pipeline.exec();
this.logger.debug(
`Set system override for session ${sessionId} (${fragments.length} fragment(s), TTL=${SYSTEM_OVERRIDE_TTL_SECONDS}s)`,
);
}
async get(sessionId: string): Promise<string | null> {
return this.handle.redis.get(SESSION_SYSTEM_KEY(sessionId));
}
async renew(sessionId: string): Promise<void> {
const pipeline = this.handle.redis.pipeline();
pipeline.expire(SESSION_SYSTEM_KEY(sessionId), SYSTEM_OVERRIDE_TTL_SECONDS);
pipeline.expire(SESSION_SYSTEM_FRAGMENTS_KEY(sessionId), SYSTEM_OVERRIDE_TTL_SECONDS);
await pipeline.exec();
}
async clear(sessionId: string): Promise<void> {
await this.handle.redis.del(
SESSION_SYSTEM_KEY(sessionId),
SESSION_SYSTEM_FRAGMENTS_KEY(sessionId),
);
this.logger.debug(`Cleared system override for session ${sessionId}`);
}
/**
* Merge an array of override fragments into one coherent string.
* If only one fragment exists, returns it as-is.
* For multiple fragments, calls Haiku to produce a merged instruction.
* Falls back to newline concatenation if the LLM call fails.
*/
async condenseOverrides(fragments: string[]): Promise<string> {
if (fragments.length === 0) return '';
if (fragments.length === 1) return fragments[0]!;
const numbered = fragments.map((f, i) => `${i + 1}. ${f}`).join('\n');
const prompt =
`Merge these system prompt instructions into one coherent paragraph. ` +
`If instructions conflict, favor the most recently added (last in the list). ` +
`Be concise — output only the merged instruction, nothing else.\n\n` +
`Instructions (oldest first):\n${numbered}`;
const apiKey = process.env['ANTHROPIC_API_KEY'];
if (!apiKey) {
this.logger.warn('ANTHROPIC_API_KEY not set — falling back to newline concatenation');
return fragments.join('\n');
}
try {
const response = await fetch('https://api.anthropic.com/v1/messages', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'x-api-key': apiKey,
'anthropic-version': '2023-06-01',
},
body: JSON.stringify({
model: 'claude-haiku-4-5-20251001',
max_tokens: 1024,
messages: [{ role: 'user', content: prompt }],
}),
});
if (!response.ok) {
const errorText = await response.text();
throw new Error(`Anthropic API error ${response.status}: ${errorText}`);
}
const data = (await response.json()) as {
content: Array<{ type: string; text: string }>;
};
const textBlock = data.content.find((c) => c.type === 'text');
if (!textBlock) {
throw new Error('No text block in Anthropic response');
}
return textBlock.text.trim();
} catch (err) {
this.logger.error(
`Condensation LLM call failed — falling back to newline concatenation: ${String(err)}`,
);
return fragments.join('\n');
}
}
}

28
apps/gateway/src/projects/projects.controller.ts
View File

@@ -2,7 +2,6 @@ import {
Body, Body,
Controller, Controller,
Delete, Delete,
ForbiddenException,
Get, Get,
HttpCode, HttpCode,
HttpStatus, HttpStatus,
@@ -17,25 +16,22 @@ import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js'; import { BRAIN } from '../brain/brain.tokens.js';
import { AuthGuard } from '../auth/auth.guard.js'; import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js'; import { CurrentUser } from '../auth/current-user.decorator.js';
import { TeamsService } from '../workspace/teams.service.js'; import { assertOwner } from '../auth/resource-ownership.js';
import { CreateProjectDto, UpdateProjectDto } from './projects.dto.js'; import { CreateProjectDto, UpdateProjectDto } from './projects.dto.js';
@Controller('api/projects') @Controller('api/projects')
@UseGuards(AuthGuard) @UseGuards(AuthGuard)
export class ProjectsController { export class ProjectsController {
constructor( constructor(@Inject(BRAIN) private readonly brain: Brain) {}
@Inject(BRAIN) private readonly brain: Brain,
private readonly teamsService: TeamsService,
) {}
@Get() @Get()
async list(@CurrentUser() user: { id: string }) { async list() {
return this.brain.projects.findAllForUser(user.id); return this.brain.projects.findAll();
} }
@Get(':id') @Get(':id')
async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) { async findOne(@Param('id') id: string, @CurrentUser() user: { id: string }) {
return this.getAccessibleProject(id, user.id); return this.getOwnedProject(id, user.id);
} }
@Post() @Post()
@@ -54,7 +50,7 @@ export class ProjectsController {
@Body() dto: UpdateProjectDto, @Body() dto: UpdateProjectDto,
@CurrentUser() user: { id: string }, @CurrentUser() user: { id: string },
) { ) {
await this.getAccessibleProject(id, user.id); await this.getOwnedProject(id, user.id);
const project = await this.brain.projects.update(id, dto); const project = await this.brain.projects.update(id, dto);
if (!project) throw new NotFoundException('Project not found'); if (!project) throw new NotFoundException('Project not found');
return project; return project;
@@ -63,21 +59,15 @@ export class ProjectsController {
@Delete(':id') @Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) { async remove(@Param('id') id: string, @CurrentUser() user: { id: string }) {
await this.getAccessibleProject(id, user.id); await this.getOwnedProject(id, user.id);
const deleted = await this.brain.projects.remove(id); const deleted = await this.brain.projects.remove(id);
if (!deleted) throw new NotFoundException('Project not found'); if (!deleted) throw new NotFoundException('Project not found');
} }
/** private async getOwnedProject(id: string, userId: string) {
* Verify the requesting user can access the project — either as the direct
* owner or as a member of the owning team. Throws NotFoundException when the
* project does not exist and ForbiddenException when the user lacks access.
*/
private async getAccessibleProject(id: string, userId: string) {
const project = await this.brain.projects.findById(id); const project = await this.brain.projects.findById(id);
if (!project) throw new NotFoundException('Project not found'); if (!project) throw new NotFoundException('Project not found');
const canAccess = await this.teamsService.canAccessProject(userId, id); assertOwner(project.ownerId, userId, 'Project');
if (!canAccess) throw new ForbiddenException('Project does not belong to the current user');
return project; return project;
} }
} }

2
apps/gateway/src/projects/projects.module.ts
View File

@@ -1,9 +1,7 @@
import { Module } from '@nestjs/common'; import { Module } from '@nestjs/common';
import { ProjectsController } from './projects.controller.js'; import { ProjectsController } from './projects.controller.js';
import { WorkspaceModule } from '../workspace/workspace.module.js';
@Module({ @Module({
imports: [WorkspaceModule],
controllers: [ProjectsController], controllers: [ProjectsController],
}) })
export class ProjectsModule {} export class ProjectsModule {}

20
apps/gateway/src/reload/mosaic-plugin.interface.ts
View File

@@ -1,20 +0,0 @@
export interface MosaicPlugin {
/** Called when the plugin is loaded/reloaded */
onLoad(): Promise<void>;
/** Called before the plugin is unloaded during reload */
onUnload(): Promise<void>;
/** Plugin identifier for registry */
readonly pluginName: string;
}
export function isMosaicPlugin(obj: unknown): obj is MosaicPlugin {
return (
typeof obj === 'object' &&
obj !== null &&
typeof (obj as MosaicPlugin).onLoad === 'function' &&
typeof (obj as MosaicPlugin).onUnload === 'function' &&
typeof (obj as MosaicPlugin).pluginName === 'string'
);
}

22
apps/gateway/src/reload/reload.controller.ts
View File

@@ -1,22 +0,0 @@
import { Controller, HttpCode, HttpStatus, Inject, Post, UseGuards } from '@nestjs/common';
import type { SystemReloadPayload } from '@mosaic/types';
import { AdminGuard } from '../admin/admin.guard.js';
import { ChatGateway } from '../chat/chat.gateway.js';
import { ReloadService } from './reload.service.js';
@Controller('api/admin')
@UseGuards(AdminGuard)
export class ReloadController {
constructor(
@Inject(ReloadService) private readonly reloadService: ReloadService,
@Inject(ChatGateway) private readonly chatGateway: ChatGateway,
) {}
@Post('reload')
@HttpCode(HttpStatus.OK)
async triggerReload(): Promise<SystemReloadPayload> {
const result = await this.reloadService.reload('rest');
this.chatGateway.broadcastReload(result);
return result;
}
}

14
apps/gateway/src/reload/reload.module.ts
View File

@@ -1,14 +0,0 @@
import { forwardRef, Module } from '@nestjs/common';
import { AdminGuard } from '../admin/admin.guard.js';
import { ChatModule } from '../chat/chat.module.js';
import { CommandsModule } from '../commands/commands.module.js';
import { ReloadController } from './reload.controller.js';
import { ReloadService } from './reload.service.js';
@Module({
imports: [forwardRef(() => CommandsModule), forwardRef(() => ChatModule)],
controllers: [ReloadController],
providers: [ReloadService, AdminGuard],
exports: [ReloadService],
})
export class ReloadModule {}

106
apps/gateway/src/reload/reload.service.spec.ts
View File

@@ -1,106 +0,0 @@
import { describe, expect, it, vi } from 'vitest';
import { ReloadService } from './reload.service.js';
function createMockCommandRegistry() {
return {
getManifest: vi.fn().mockReturnValue({
version: 1,
commands: [],
skills: [],
}),
};
}
function createService() {
const registry = createMockCommandRegistry();
const service = new ReloadService(registry as never);
return { service, registry };
}
describe('ReloadService', () => {
it('reload() calls onUnload then onLoad for registered MosaicPlugin', async () => {
const { service } = createService();
const callOrder: string[] = [];
const mockPlugin = {
pluginName: 'test-plugin',
onLoad: vi.fn().mockImplementation(() => {
callOrder.push('onLoad');
return Promise.resolve();
}),
onUnload: vi.fn().mockImplementation(() => {
callOrder.push('onUnload');
return Promise.resolve();
}),
};
service.registerPlugin('test-plugin', mockPlugin);
const result = await service.reload('command');
expect(mockPlugin.onUnload).toHaveBeenCalledOnce();
expect(mockPlugin.onLoad).toHaveBeenCalledOnce();
expect(callOrder).toEqual(['onUnload', 'onLoad']);
expect(result.message).toContain('test-plugin');
});
it('reload() continues if one plugin throws during onUnload', async () => {
const { service } = createService();
const badPlugin = {
pluginName: 'bad-plugin',
onLoad: vi.fn().mockResolvedValue(undefined),
onUnload: vi.fn().mockRejectedValue(new Error('unload failed')),
};
service.registerPlugin('bad-plugin', badPlugin);
const result = await service.reload('command');
expect(result.message).toContain('bad-plugin');
expect(result.message).toContain('unload failed');
});
it('reload() skips non-MosaicPlugin objects', async () => {
const { service } = createService();
const notAPlugin = { foo: 'bar' };
service.registerPlugin('not-a-plugin', notAPlugin);
// Should not throw
const result = await service.reload('command');
expect(result).toBeDefined();
expect(result.message).not.toContain('not-a-plugin');
});
it('reload() returns SystemReloadPayload with commands, skills, providers, message', async () => {
const { service, registry } = createService();
registry.getManifest.mockReturnValue({
version: 1,
commands: [
{
name: 'test',
description: 'test cmd',
aliases: [],
scope: 'core',
execution: 'socket',
available: true,
},
],
skills: [],
});
const result = await service.reload('rest');
expect(result).toHaveProperty('commands');
expect(result).toHaveProperty('skills');
expect(result).toHaveProperty('providers');
expect(result).toHaveProperty('message');
expect(result.commands).toHaveLength(1);
});
it('registerPlugin() logs plugin registration', () => {
const { service } = createService();
// Should not throw and should register
expect(() => service.registerPlugin('my-plugin', {})).not.toThrow();
});
});

92
apps/gateway/src/reload/reload.service.ts
View File

@@ -1,92 +0,0 @@
import {
Inject,
Injectable,
Logger,
type OnApplicationBootstrap,
type OnApplicationShutdown,
} from '@nestjs/common';
import type { SystemReloadPayload } from '@mosaic/types';
import { CommandRegistryService } from '../commands/command-registry.service.js';
import { isMosaicPlugin } from './mosaic-plugin.interface.js';
@Injectable()
export class ReloadService implements OnApplicationBootstrap, OnApplicationShutdown {
private readonly logger = new Logger(ReloadService.name);
private readonly plugins: Map<string, unknown> = new Map();
private shutdownHandlerAttached = false;
constructor(
@Inject(CommandRegistryService) private readonly commandRegistry: CommandRegistryService,
) {}
onApplicationBootstrap(): void {
if (!this.shutdownHandlerAttached) {
process.on('SIGHUP', () => {
this.logger.log('SIGHUP received — triggering soft reload');
this.reload('sighup').catch((err: unknown) => {
this.logger.error(`SIGHUP reload failed: ${err}`);
});
});
this.shutdownHandlerAttached = true;
}
}
onApplicationShutdown(): void {
process.removeAllListeners('SIGHUP');
}
registerPlugin(name: string, plugin: unknown): void {
this.plugins.set(name, plugin);
this.logger.log(`Plugin registered: ${name}`);
}
/**
* Soft reload — unload plugins, reload plugins, broadcast.
* Does NOT restart the HTTP server or drop connections.
*/
async reload(
trigger: 'command' | 'rest' | 'sighup' | 'file-watch',
): Promise<SystemReloadPayload> {
this.logger.log(`Soft reload triggered by: ${trigger}`);
const reloaded: string[] = [];
const errors: string[] = [];
// 1. Unload all registered MosaicPlugin instances
for (const [name, plugin] of this.plugins) {
if (isMosaicPlugin(plugin)) {
try {
await plugin.onUnload();
reloaded.push(name);
} catch (err) {
errors.push(`${name}: unload failed — ${err}`);
}
}
}
// 2. Reload all MosaicPlugin instances
for (const [name, plugin] of this.plugins) {
if (isMosaicPlugin(plugin)) {
try {
await plugin.onLoad();
} catch (err) {
errors.push(`${name}: load failed — ${err}`);
}
}
}
const manifest = this.commandRegistry.getManifest();
const errorSuffix = errors.length > 0 ? ` Errors: ${errors.join(', ')}` : '';
const payload: SystemReloadPayload = {
commands: manifest.commands,
skills: manifest.skills,
providers: [],
message: `Reload complete (trigger=${trigger}). Plugins reloaded: [${reloaded.join(', ')}].${errorSuffix}`,
};
this.logger.log(
`Reload complete. Reloaded: [${reloaded.join(', ')}]. Errors: ${errors.length}`,
);
return payload;
}
}

68
apps/gateway/src/skills/skills.controller.ts
View File

@@ -1,68 +0,0 @@
import {
Body,
Controller,
Delete,
Get,
HttpCode,
HttpStatus,
Inject,
NotFoundException,
Param,
Patch,
Post,
UseGuards,
} from '@nestjs/common';
import { SkillsService } from './skills.service.js';
import { AuthGuard } from '../auth/auth.guard.js';
import type { CreateSkillDto, UpdateSkillDto } from './skills.dto.js';
@Controller('api/skills')
@UseGuards(AuthGuard)
export class SkillsController {
constructor(@Inject(SkillsService) private readonly skills: SkillsService) {}
@Get()
async list() {
return this.skills.findAll();
}
@Get(':id')
async findOne(@Param('id') id: string) {
const skill = await this.skills.findById(id);
if (!skill) throw new NotFoundException('Skill not found');
return skill;
}
@Post()
async create(@Body() dto: CreateSkillDto) {
return this.skills.create({
name: dto.name,
description: dto.description,
version: dto.version,
source: dto.source,
config: dto.config,
enabled: dto.enabled,
});
}
@Patch(':id')
async update(@Param('id') id: string, @Body() dto: UpdateSkillDto) {
const skill = await this.skills.update(id, dto);
if (!skill) throw new NotFoundException('Skill not found');
return skill;
}
@Patch(':id/toggle')
async toggle(@Param('id') id: string, @Body() body: { enabled: boolean }) {
const skill = await this.skills.toggle(id, body.enabled);
if (!skill) throw new NotFoundException('Skill not found');
return skill;
}
@Delete(':id')
@HttpCode(HttpStatus.NO_CONTENT)
async remove(@Param('id') id: string) {
const deleted = await this.skills.remove(id);
if (!deleted) throw new NotFoundException('Skill not found');
}
}

15
apps/gateway/src/skills/skills.dto.ts
View File

@@ -1,15 +0,0 @@
export interface CreateSkillDto {
name: string;
description?: string;
version?: string;
source?: 'builtin' | 'community' | 'custom';
config?: Record<string, unknown>;
enabled?: boolean;
}
export interface UpdateSkillDto {
description?: string;
version?: string;
config?: Record<string, unknown>;
enabled?: boolean;
}

10
apps/gateway/src/skills/skills.module.ts
View File

@@ -1,10 +0,0 @@
import { Module } from '@nestjs/common';
import { SkillsService } from './skills.service.js';
import { SkillsController } from './skills.controller.js';
@Module({
providers: [SkillsService],
controllers: [SkillsController],
exports: [SkillsService],
})
export class SkillsModule {}

52
apps/gateway/src/skills/skills.service.ts
View File

@@ -1,52 +0,0 @@
import { Inject, Injectable } from '@nestjs/common';
import { eq, type Db, skills } from '@mosaic/db';
import { DB } from '../database/database.module.js';
type Skill = typeof skills.$inferSelect;
type NewSkill = typeof skills.$inferInsert;
@Injectable()
export class SkillsService {
constructor(@Inject(DB) private readonly db: Db) {}
async findAll(): Promise<Skill[]> {
return this.db.select().from(skills);
}
async findEnabled(): Promise<Skill[]> {
return this.db.select().from(skills).where(eq(skills.enabled, true));
}
async findById(id: string): Promise<Skill | undefined> {
const rows = await this.db.select().from(skills).where(eq(skills.id, id));
return rows[0];
}
async findByName(name: string): Promise<Skill | undefined> {
const rows = await this.db.select().from(skills).where(eq(skills.name, name));
return rows[0];
}
async create(data: NewSkill): Promise<Skill> {
const rows = await this.db.insert(skills).values(data).returning();
return rows[0]!;
}
async update(id: string, data: Partial<NewSkill>): Promise<Skill | undefined> {
const rows = await this.db
.update(skills)
.set({ ...data, updatedAt: new Date() })
.where(eq(skills.id, id))
.returning();
return rows[0];
}
async remove(id: string): Promise<boolean> {
const rows = await this.db.delete(skills).where(eq(skills.id, id)).returning();
return rows.length > 0;
}
async toggle(id: string, enabled: boolean): Promise<Skill | undefined> {
return this.update(id, { enabled });
}
}

49
apps/gateway/src/tasks/tasks.controller.ts
View File

@@ -28,48 +28,17 @@ export class TasksController {
@Get() @Get()
async list( async list(
@CurrentUser() user: { id: string },
@Query('projectId') projectId?: string, @Query('projectId') projectId?: string,
@Query('missionId') missionId?: string, @Query('missionId') missionId?: string,
@Query('status') status?: string, @Query('status') status?: string,
) { ) {
if (projectId) { if (projectId) return this.brain.tasks.findByProject(projectId);
await this.getOwnedProject(projectId, user.id, 'Task'); if (missionId) return this.brain.tasks.findByMission(missionId);
return this.brain.tasks.findByProject(projectId); if (status)
} return this.brain.tasks.findByStatus(
if (missionId) {
await this.getOwnedMission(missionId, user.id, 'Task');
return this.brain.tasks.findByMission(missionId);
}
const [projects, missions, tasks] = await Promise.all([
this.brain.projects.findAll(),
this.brain.missions.findAll(),
status
? this.brain.tasks.findByStatus(
status as Parameters<typeof this.brain.tasks.findByStatus>[0], status as Parameters<typeof this.brain.tasks.findByStatus>[0],
)
: this.brain.tasks.findAll(),
]);
const ownedProjectIds = new Set(
projects.filter((project) => project.ownerId === user.id).map((project) => project.id),
);
const ownedMissionIds = new Set(
missions
.filter(
(ownedMission) =>
typeof ownedMission.projectId === 'string' &&
ownedProjectIds.has(ownedMission.projectId),
)
.map((ownedMission) => ownedMission.id),
);
return tasks.filter(
(task) =>
(task.projectId ? ownedProjectIds.has(task.projectId) : false) ||
(task.missionId ? ownedMissionIds.has(task.missionId) : false),
); );
return this.brain.tasks.findAll();
} }
@Get(':id') @Get(':id')
@@ -78,13 +47,7 @@ export class TasksController {
} }
@Post() @Post()
async create(@Body() dto: CreateTaskDto, @CurrentUser() user: { id: string }) { async create(@Body() dto: CreateTaskDto) {
if (dto.projectId) {
await this.getOwnedProject(dto.projectId, user.id, 'Task');
}
if (dto.missionId) {
await this.getOwnedMission(dto.missionId, user.id, 'Task');
}
return this.brain.tasks.create({ return this.brain.tasks.create({
title: dto.title, title: dto.title,
description: dto.description, description: dto.description,

98
apps/gateway/src/workspace/project-bootstrap.service.ts
View File

@@ -1,98 +0,0 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import type { Brain } from '@mosaic/brain';
import { BRAIN } from '../brain/brain.tokens.js';
import { PluginService } from '../plugin/plugin.service.js';
import { WorkspaceService } from './workspace.service.js';
export interface BootstrapProjectParams {
name: string;
description?: string;
userId: string;
teamId?: string;
repoUrl?: string;
}
export interface BootstrapProjectResult {
projectId: string;
workspacePath: string;
}
@Injectable()
export class ProjectBootstrapService {
private readonly logger = new Logger(ProjectBootstrapService.name);
constructor(
@Inject(BRAIN) private readonly brain: Brain,
private readonly workspace: WorkspaceService,
private readonly pluginService: PluginService,
) {}
/**
* Bootstrap a new project: create DB record + workspace directory.
* Returns the created project with its workspace path.
*/
async bootstrap(params: BootstrapProjectParams): Promise<BootstrapProjectResult> {
const ownerType: 'user' | 'team' = params.teamId ? 'team' : 'user';
this.logger.log(
`Bootstrapping project "${params.name}" for ${ownerType} ${params.teamId ?? params.userId}`,
);
// 1. Create DB record
const project = await this.brain.projects.create({
name: params.name,
description: params.description,
ownerId: params.userId,
teamId: params.teamId ?? null,
ownerType,
});
// 2. Create workspace directory (includes docs structure)
const workspacePath = await this.workspace.create(
{
id: project.id,
ownerType,
userId: params.userId,
teamId: params.teamId ?? null,
},
params.repoUrl,
);
// 3. Create default agent config for the project
await this.brain.agents.create({
name: 'default',
provider: '',
model: '',
projectId: project.id,
ownerId: params.userId,
isSystem: false,
status: 'active',
});
// 4. Notify plugins so they can set up project-specific resources (e.g. Discord channel)
try {
for (const plugin of this.pluginService.getPlugins()) {
if (plugin.onProjectCreated) {
const result = await plugin.onProjectCreated({
id: project.id,
name: params.name,
description: params.description,
});
if (result?.channelId) {
await this.brain.projects.update(project.id, {
metadata: { discordChannelId: result.channelId },
});
}
}
}
} catch (err) {
this.logger.warn(
`Plugin project notification failed: ${err instanceof Error ? err.message : String(err)}`,
);
}
this.logger.log(`Project ${project.id} bootstrapped at ${workspacePath}`);
return { projectId: project.id, workspacePath };
}
}

30
apps/gateway/src/workspace/teams.controller.ts
View File

@@ -1,30 +0,0 @@
import { Controller, Get, Param, UseGuards } from '@nestjs/common';
import { AuthGuard } from '../auth/auth.guard.js';
import { TeamsService } from './teams.service.js';
@Controller('api/teams')
@UseGuards(AuthGuard)
export class TeamsController {
constructor(private readonly teams: TeamsService) {}
@Get()
async list() {
return this.teams.findAll();
}
@Get(':teamId')
async findOne(@Param('teamId') teamId: string) {
return this.teams.findById(teamId);
}
@Get(':teamId/members')
async listMembers(@Param('teamId') teamId: string) {
return this.teams.listMembers(teamId);
}
@Get(':teamId/members/:userId')
async checkMembership(@Param('teamId') teamId: string, @Param('userId') userId: string) {
const isMember = await this.teams.isMember(teamId, userId);
return { isMember };
}
}

73
apps/gateway/src/workspace/teams.service.ts
View File

@@ -1,73 +0,0 @@
import { Inject, Injectable, Logger } from '@nestjs/common';
import { eq, and, type Db, teams, teamMembers, projects } from '@mosaic/db';
import { DB } from '../database/database.module.js';
@Injectable()
export class TeamsService {
private readonly logger = new Logger(TeamsService.name);
constructor(@Inject(DB) private readonly db: Db) {}
/**
* Check if a user is a member of a team.
*/
async isMember(teamId: string, userId: string): Promise<boolean> {
const rows = await this.db
.select({ id: teamMembers.id })
.from(teamMembers)
.where(and(eq(teamMembers.teamId, teamId), eq(teamMembers.userId, userId)));
return rows.length > 0;
}
/**
* Check project access for a user.
* - ownerType === 'user': project.ownerId must equal userId
* - ownerType === 'team': userId must be a member of project.teamId
*/
async canAccessProject(userId: string, projectId: string): Promise<boolean> {
const rows = await this.db
.select({
id: projects.id,
ownerType: projects.ownerType,
ownerId: projects.ownerId,
teamId: projects.teamId,
})
.from(projects)
.where(eq(projects.id, projectId));
const project = rows[0];
if (!project) return false;
if (project.ownerType === 'user') {
return project.ownerId === userId;
}
if (project.ownerType === 'team' && project.teamId) {
return this.isMember(project.teamId, userId);
}
return false;
}
/**
* List all teams (for admin/listing endpoints).
*/
async findAll() {
return this.db.select().from(teams);
}
/**
* Find a team by ID.
*/
async findById(id: string) {
const rows = await this.db.select().from(teams).where(eq(teams.id, id));
return rows[0];
}
/**
* List members of a team.
*/
async listMembers(teamId: string) {
return this.db.select().from(teamMembers).where(eq(teamMembers.teamId, teamId));
}
}

30
apps/gateway/src/workspace/workspace.controller.ts
View File

@@ -1,30 +0,0 @@
import { Body, Controller, Post, UseGuards } from '@nestjs/common';
import { AuthGuard } from '../auth/auth.guard.js';
import { CurrentUser } from '../auth/current-user.decorator.js';
import { ProjectBootstrapService } from './project-bootstrap.service.js';
@Controller('api/workspaces')
@UseGuards(AuthGuard)
export class WorkspaceController {
constructor(private readonly bootstrap: ProjectBootstrapService) {}
@Post()
async create(
@CurrentUser() user: { id: string },
@Body()
body: {
name: string;
description?: string;
teamId?: string;
repoUrl?: string;
},
) {
return this.bootstrap.bootstrap({
name: body.name,
description: body.description,
userId: user.id,
teamId: body.teamId,
repoUrl: body.repoUrl,
});
}
}

13
apps/gateway/src/workspace/workspace.module.ts
View File

@@ -1,13 +0,0 @@
import { Module } from '@nestjs/common';
import { WorkspaceService } from './workspace.service.js';
import { ProjectBootstrapService } from './project-bootstrap.service.js';
import { TeamsService } from './teams.service.js';
import { WorkspaceController } from './workspace.controller.js';
import { TeamsController } from './teams.controller.js';
@Module({
controllers: [WorkspaceController, TeamsController],
providers: [WorkspaceService, ProjectBootstrapService, TeamsService],
exports: [WorkspaceService, ProjectBootstrapService, TeamsService],
})
export class WorkspaceModule {}

79
apps/gateway/src/workspace/workspace.service.spec.ts
View File

@@ -1,79 +0,0 @@
import { describe, it, expect, beforeEach } from 'vitest';
import { WorkspaceService } from './workspace.service.js';
import path from 'node:path';
describe('WorkspaceService', () => {
let service: WorkspaceService;
beforeEach(() => {
service = new WorkspaceService();
});
describe('resolvePath', () => {
it('resolves user workspace path', () => {
const result = service.resolvePath({
id: 'proj1',
ownerType: 'user',
userId: 'user1',
teamId: null,
});
expect(result).toContain(path.join('users', 'user1', 'proj1'));
});
it('resolves team workspace path', () => {
const result = service.resolvePath({
id: 'proj1',
ownerType: 'team',
userId: 'user1',
teamId: 'team1',
});
expect(result).toContain(path.join('teams', 'team1', 'proj1'));
});
it('falls back to user path when ownerType is team but teamId is null', () => {
const result = service.resolvePath({
id: 'proj1',
ownerType: 'team',
userId: 'user1',
teamId: null,
});
expect(result).toContain(path.join('users', 'user1', 'proj1'));
});
it('uses MOSAIC_ROOT env var as the base path', () => {
const originalRoot = process.env['MOSAIC_ROOT'];
process.env['MOSAIC_ROOT'] = '/custom/root';
const customService = new WorkspaceService();
const result = customService.resolvePath({
id: 'proj1',
ownerType: 'user',
userId: 'user1',
teamId: null,
});
expect(result).toMatch(/^\/custom\/root/);
// Restore
if (originalRoot === undefined) {
delete process.env['MOSAIC_ROOT'];
} else {
process.env['MOSAIC_ROOT'] = originalRoot;
}
});
it('defaults to /opt/mosaic when MOSAIC_ROOT is unset', () => {
const originalRoot = process.env['MOSAIC_ROOT'];
delete process.env['MOSAIC_ROOT'];
const defaultService = new WorkspaceService();
const result = defaultService.resolvePath({
id: 'proj2',
ownerType: 'user',
userId: 'user2',
teamId: null,
});
expect(result).toMatch(/^\/opt\/mosaic/);
// Restore
if (originalRoot !== undefined) {
process.env['MOSAIC_ROOT'] = originalRoot;
}
});
});
});

Some files were not shown because too many files have changed in this diff Show More