feat(storage): mosaic storage migrate-tier with dry-run + idempotency (FED-M1-05)

Adds `mosaic storage migrate-tier --to federated` for one-way migration
from `local` (PGlite) or `standalone` (PG without pgvector) to
`federated` (PG + pgvector). Source is read via DrizzleMigrationSource
which queries the normalized schema (the same path the gateway writes
through), so the migration captures all real domain data — not just
the flat key/value collections.

Key behaviors:
- `--dry-run` prints per-table row counts without writes
- `--allow-non-empty` required to write into a populated target (default
  refuses to mix data sets)
- Per-table transactions; partial failure does not leave half-migrated
  tables
- Idempotent on re-run via INSERT ... ON CONFLICT DO UPDATE keyed on id
- Topological table order respects FK dependencies (verified against
  schema.references())
- Skips sessions, verifications, admin_tokens (TTL'd / one-time / env-bound)
- For sources without pgvector, insights.embedding is projected to NULL
  on read, then upserted as NULL (column is nullable)

32 unit tests cover ordering, dry-run, idempotency, empty-target
preconditions, table skipping, and embedding-null projection. Integration
test against real PG/PGlite is FED-M1-08.

Refs #460

.env.example

@@ -23,8 +23,8 @@ VALKEY_URL=redis://localhost:6380
 
 
 # ─── Gateway ─────────────────────────────────────────────────────────────────
-# TCP port the NestJS/Fastify gateway listens on (default: 4000)
+# TCP port the NestJS/Fastify gateway listens on (default: 14242)
-GATEWAY_PORT=4000
+GATEWAY_PORT=14242
 
 # Comma-separated list of allowed CORS origins.
 # Must include the web app origin in production.
@@ -37,12 +37,12 @@ GATEWAY_CORS_ORIGIN=http://localhost:3000
 BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string
 
 # Public base URL of the gateway (used by BetterAuth for callback URLs)
-BETTER_AUTH_URL=http://localhost:4000
+BETTER_AUTH_URL=http://localhost:14242
 
 
 # ─── Web App (Next.js) ───────────────────────────────────────────────────────
 # Public gateway URL — accessible from the browser, not just the server.
-NEXT_PUBLIC_GATEWAY_URL=http://localhost:4000
+NEXT_PUBLIC_GATEWAY_URL=http://localhost:14242
 
 
 # ─── OpenTelemetry ───────────────────────────────────────────────────────────
@@ -121,12 +121,12 @@ OTEL_SERVICE_NAME=mosaic-gateway
 # ─── Discord Plugin (optional — set DISCORD_BOT_TOKEN to enable) ─────────────
 # DISCORD_BOT_TOKEN=
 # DISCORD_GUILD_ID=
-# DISCORD_GATEWAY_URL=http://localhost:4000
+# DISCORD_GATEWAY_URL=http://localhost:14242
 
 
 # ─── Telegram Plugin (optional — set TELEGRAM_BOT_TOKEN to enable) ───────────
 # TELEGRAM_BOT_TOKEN=
-# TELEGRAM_GATEWAY_URL=http://localhost:4000
+# TELEGRAM_GATEWAY_URL=http://localhost:14242
 
 
 # ─── SSO Providers (add credentials to enable) ───────────────────────────────

.npmrc

@@ -1 +1 @@
-@mosaic:registry=https://git.mosaicstack.dev/api/packages/mosaic/npm/
+@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaicstack/npm/

.woodpecker/ci.yml

@@ -15,6 +15,7 @@ steps:
     image: *node_image
     commands:
       - corepack enable
+      - apk add --no-cache python3 make g++
       - pnpm install --frozen-lockfile
 
   typecheck:
@@ -44,18 +45,30 @@ steps:
 
   test:
     image: *node_image
+    environment:
+      DATABASE_URL: postgresql://mosaic:mosaic@postgres:5432/mosaic
     commands:
       - *enable_pnpm
+      # Install postgresql-client for pg_isready
+      - apk add --no-cache postgresql-client
+      # Wait up to 30s for postgres to be ready
+      - |
+        for i in $(seq 1 30); do
+          pg_isready -h postgres -p 5432 -U mosaic && break
+          echo "Waiting for postgres ($i/30)..."
+          sleep 1
+        done
+      # Run migrations (DATABASE_URL is set in environment above)
+      - pnpm --filter @mosaicstack/db run db:migrate
+      # Run all tests
       - pnpm test
     depends_on:
       - typecheck
 
-  build:
+services:
-    image: *node_image
+  postgres:
-    commands:
+    image: pgvector/pgvector:pg17
-      - *enable_pnpm
+    environment:
-      - pnpm build
+      POSTGRES_USER: mosaic
-    depends_on:
+      POSTGRES_PASSWORD: mosaic
-      - lint
+      POSTGRES_DB: mosaic
-      - format
-      - test

.woodpecker/publish.yml

@@ -0,0 +1,140 @@
+# Build, publish npm packages, and push Docker images
+# Runs only on main branch push/tag
+
+variables:
+  - &node_image 'node:22-alpine'
+  - &enable_pnpm 'corepack enable'
+
+when:
+  - branch: [main]
+    event: [push, manual, tag]
+
+steps:
+  install:
+    image: *node_image
+    commands:
+      - corepack enable
+      - pnpm install --frozen-lockfile
+
+  build:
+    image: *node_image
+    commands:
+      - *enable_pnpm
+      - pnpm build
+    depends_on:
+      - install
+
+  publish-npm:
+    image: *node_image
+    environment:
+      NPM_TOKEN:
+        from_secret: gitea_token
+    commands:
+      - *enable_pnpm
+      # Configure auth for Gitea npm registry
+      - |
+        echo "//git.mosaicstack.dev/api/packages/mosaicstack/npm/:_authToken=$NPM_TOKEN" > ~/.npmrc
+        echo "@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaicstack/npm/" >> ~/.npmrc
+      # Publish non-private packages to Gitea.
+      #
+      # The only publish failure we tolerate is "version already exists" —
+      # that legitimately happens when only some packages were bumped in
+      # the merge. Any other failure (registry 404, auth error, network
+      # error) MUST fail the pipeline loudly: the previous
+      # `|| echo "... continuing"` fallback silently hid a 404 from the
+      # Gitea org rename and caused every @mosaicstack/* publish to fall
+      # on the floor while CI still reported green.
+      - |
+        # Portable sh (Alpine ash) — avoid bashisms like PIPESTATUS.
+        set +e
+        pnpm --filter "@mosaicstack/*" --filter "!@mosaicstack/web" publish --no-git-checks --access public >/tmp/publish.log 2>&1
+        EXIT=$?
+        set -e
+        cat /tmp/publish.log
+        if [ "$EXIT" -eq 0 ]; then
+          echo "[publish] all packages published successfully"
+          exit 0
+        fi
+        # Hard registry / auth / network errors → fatal. Match npm's own
+        # error lines specifically to avoid false positives on arbitrary
+        # log text that happens to contain "E404" etc.
+        if grep -qE "npm (error|ERR!) code (E404|E401|ENEEDAUTH|ECONNREFUSED|ETIMEDOUT|ENOTFOUND)" /tmp/publish.log; then
+          echo "[publish] FATAL: registry/auth/network error detected — failing pipeline" >&2
+          exit 1
+        fi
+        # Only tolerate the explicit "version already published" case.
+        # npm returns this as E403 with body "You cannot publish over..."
+        # or EPUBLISHCONFLICT depending on version.
+        if grep -qE "EPUBLISHCONFLICT|You cannot publish over|previously published" /tmp/publish.log; then
+          echo "[publish] some packages already at this version — continuing (non-fatal)"
+          exit 0
+        fi
+        echo "[publish] FATAL: publish failed with unrecognized error — failing pipeline" >&2
+        exit 1
+    depends_on:
+      - build
+
+  # TODO: Uncomment when ready to publish to npmjs.org
+  # publish-npmjs:
+  #   image: *node_image
+  #   environment:
+  #     NPM_TOKEN:
+  #       from_secret: npmjs_token
+  #   commands:
+  #     - *enable_pnpm
+  #     - apk add --no-cache jq bash
+  #     - bash scripts/publish-npmjs.sh
+  #   depends_on:
+  #     - build
+  #   when:
+  #     - event: [tag]
+
+  build-gateway:
+    image: gcr.io/kaniko-project/executor:debug
+    environment:
+      REGISTRY_USER:
+        from_secret: gitea_username
+      REGISTRY_PASS:
+        from_secret: gitea_password
+      CI_COMMIT_BRANCH: ${CI_COMMIT_BRANCH}
+      CI_COMMIT_TAG: ${CI_COMMIT_TAG}
+      CI_COMMIT_SHA: ${CI_COMMIT_SHA}
+    commands:
+      - mkdir -p /kaniko/.docker
+      - echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASS\"}}}" > /kaniko/.docker/config.json
+      - |
+        DESTINATIONS="--destination git.mosaicstack.dev/mosaicstack/stack/gateway:sha-${CI_COMMIT_SHA:0:7}"
+        if [ "$CI_COMMIT_BRANCH" = "main" ]; then
+          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/gateway:latest"
+        fi
+        if [ -n "$CI_COMMIT_TAG" ]; then
+          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/gateway:$CI_COMMIT_TAG"
+        fi
+        /kaniko/executor --context . --dockerfile docker/gateway.Dockerfile $DESTINATIONS
+    depends_on:
+      - build
+
+  build-web:
+    image: gcr.io/kaniko-project/executor:debug
+    environment:
+      REGISTRY_USER:
+        from_secret: gitea_username
+      REGISTRY_PASS:
+        from_secret: gitea_password
+      CI_COMMIT_BRANCH: ${CI_COMMIT_BRANCH}
+      CI_COMMIT_TAG: ${CI_COMMIT_TAG}
+      CI_COMMIT_SHA: ${CI_COMMIT_SHA}
+    commands:
+      - mkdir -p /kaniko/.docker
+      - echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASS\"}}}" > /kaniko/.docker/config.json
+      - |
+        DESTINATIONS="--destination git.mosaicstack.dev/mosaicstack/stack/web:sha-${CI_COMMIT_SHA:0:7}"
+        if [ "$CI_COMMIT_BRANCH" = "main" ]; then
+          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/web:latest"
+        fi
+        if [ -n "$CI_COMMIT_TAG" ]; then
+          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/web:$CI_COMMIT_TAG"
+        fi
+        /kaniko/executor --context . --dockerfile docker/web.Dockerfile $DESTINATIONS
+    depends_on:
+      - build

AGENTS.md

@@ -21,11 +21,11 @@ Mosaic Stack is a self-hosted, multi-user AI agent platform. TypeScript monorepo
 | `apps/web`         | Next.js dashboard               | React 19, Tailwind               |
 | `packages/types`   | Shared TypeScript contracts     | class-validator                  |
 | `packages/db`      | Drizzle ORM schema + migrations | drizzle-orm, postgres            |
-| `packages/auth`    | BetterAuth configuration        | better-auth, @mosaic/db          |
+| `packages/auth`    | BetterAuth configuration        | better-auth, @mosaicstack/db     |
-| `packages/brain`   | Data layer (PG-backed)          | @mosaic/db                       |
+| `packages/brain`   | Data layer (PG-backed)          | @mosaicstack/db                  |
 | `packages/queue`   | Valkey task queue + MCP         | ioredis                          |
-| `packages/coord`   | Mission coordination            | @mosaic/queue                    |
+| `packages/coord`   | Mission coordination            | @mosaicstack/queue               |
-| `packages/cli`     | Unified CLI + Pi TUI            | Ink, Pi SDK                      |
+| `packages/mosaic`  | Unified `mosaic` CLI + TUI      | Ink, Pi SDK, commander           |
 | `plugins/discord`  | Discord channel plugin          | discord.js                       |
 | `plugins/telegram` | Telegram channel plugin         | Telegraf                         |
 
@@ -33,9 +33,9 @@ Mosaic Stack is a self-hosted, multi-user AI agent platform. TypeScript monorepo
 
 1. Gateway is the single API surface — all clients connect through it
 2. Pi SDK is ESM-only — gateway and CLI must use ESM
-3. Socket.IO typed events defined in `@mosaic/types` enforce compile-time contracts
+3. Socket.IO typed events defined in `@mosaicstack/types` enforce compile-time contracts
 4. OTEL auto-instrumentation loads before NestJS bootstrap
-5. BetterAuth manages auth tables; schema defined in `@mosaic/db`
+5. BetterAuth manages auth tables; schema defined in `@mosaicstack/db`
 6. Docker Compose provides PG (5433), Valkey (6380), OTEL Collector (4317/4318), Jaeger (16686)
 7. Explicit `@Inject()` decorators required in NestJS (tsx/esbuild doesn't emit decorator metadata)
 
@@ -58,14 +58,14 @@ pnpm typecheck && pnpm lint && pnpm format:check  # Quality gates
 
 The `agent` column specifies the required model for each task. **This is set at task creation by the orchestrator and must not be changed by workers.**
 
-| Value    | When to use                                                 | Budget                     |
+| Value     | When to use                                                 | Budget                     |
-| -------- | ----------------------------------------------------------- | -------------------------- |
+| --------- | ----------------------------------------------------------- | -------------------------- |
-| `codex`  | All coding tasks (default for implementation)               | OpenAI credits — preferred |
+| `codex`   | All coding tasks (default for implementation)               | OpenAI credits — preferred |
-| `glm-5`  | Cost-sensitive coding where Codex is unavailable            | Z.ai credits               |
+| `glm-5.1` | Cost-sensitive coding where Codex is unavailable            | Z.ai credits               |
-| `haiku`  | Review gates, verify tasks, status checks, docs-only        | Cheapest Claude tier       |
+| `haiku`   | Review gates, verify tasks, status checks, docs-only        | Cheapest Claude tier       |
-| `sonnet` | Complex planning, multi-file reasoning, architecture review | Claude quota               |
+| `sonnet`  | Complex planning, multi-file reasoning, architecture review | Claude quota               |
-| `opus`   | Major cross-cutting architecture decisions ONLY             | Most expensive — minimize  |
+| `opus`    | Major cross-cutting architecture decisions ONLY             | Most expensive — minimize  |
-| `—`      | No preference / auto-select cheapest capable                | Pipeline decides           |
+| `—`       | No preference / auto-select cheapest capable                | Pipeline decides           |
 
 Pipeline crons read this column and spawn accordingly. Workers never modify `docs/TASKS.md` — only the orchestrator writes it.
 

CLAUDE.md

@@ -10,7 +10,7 @@ Self-hosted, multi-user AI agent platform. TypeScript monorepo.
 - **Web**: Next.js 16 + React 19 (`apps/web`)
 - **ORM**: Drizzle ORM + PostgreSQL 17 + pgvector (`packages/db`)
 - **Auth**: BetterAuth (`packages/auth`)
-- **Agent**: Pi SDK (`packages/agent`, `packages/cli`)
+- **Agent**: Pi SDK (`packages/agent`, `packages/mosaic`)
 - **Queue**: Valkey 8 (`packages/queue`)
 - **Build**: pnpm workspaces + Turborepo
 - **CI**: Woodpecker CI
@@ -26,13 +26,13 @@ pnpm test             # Vitest (all packages)
 pnpm build            # Build all packages
 
 # Database
-pnpm --filter @mosaic/db db:push      # Push schema to PG (dev)
+pnpm --filter @mosaicstack/db db:push      # Push schema to PG (dev)
-pnpm --filter @mosaic/db db:generate  # Generate migrations
+pnpm --filter @mosaicstack/db db:generate  # Generate migrations
-pnpm --filter @mosaic/db db:migrate   # Run migrations
+pnpm --filter @mosaicstack/db db:migrate   # Run migrations
 
 # Dev
 docker compose up -d                  # Start PG, Valkey, OTEL, Jaeger
-pnpm --filter @mosaic/gateway exec tsx src/main.ts  # Start gateway
+pnpm --filter @mosaicstack/gateway exec tsx src/main.ts  # Start gateway
 ```
 
 ## Conventions

README.md

@@ -0,0 +1,360 @@
+# Mosaic Stack
+
+Self-hosted, multi-user AI agent platform. One config, every runtime, same standards.
+
+Mosaic gives you a unified launcher for Claude Code, Codex, OpenCode, and Pi — injecting consistent system prompts, guardrails, skills, and mission context into every session. A NestJS gateway provides the API surface, a Next.js dashboard gives you the UI, and a plugin system connects Discord, Telegram, and more.
+
+## Quick Install
+
+```bash
+curl -fsSL https://mosaicstack.dev/install.sh | bash
+```
+
+Or use the direct URL:
+
+```bash
+bash <(curl -fsSL https://git.mosaicstack.dev/mosaicstack/stack/raw/branch/main/tools/install.sh)
+```
+
+The installer auto-launches the setup wizard, which walks you through gateway install and verification. Flags for non-interactive use:
+
+```bash
+bash <(curl -fsSL …) --yes               # Accept all defaults
+bash <(curl -fsSL …) --yes --no-auto-launch  # Install only, skip wizard
+```
+
+This installs both components:
+
+| Component               | What                                                             | Where                |
+| ----------------------- | ---------------------------------------------------------------- | -------------------- |
+| **Framework**           | Bash launcher, guides, runtime configs, tools, skills            | `~/.config/mosaic/`  |
+| **@mosaicstack/mosaic** | Unified `mosaic` CLI — TUI, gateway client, wizard, auto-updater | `~/.npm-global/bin/` |
+
+After install, the wizard runs automatically or you can invoke it manually:
+
+```bash
+mosaic wizard        # Full guided setup (gateway install → verify)
+```
+
+### Requirements
+
+- Node.js ≥ 20
+- npm (for global @mosaicstack/mosaic install)
+- One or more runtimes: [Claude Code](https://docs.anthropic.com/en/docs/claude-code), [Codex](https://github.com/openai/codex), [OpenCode](https://opencode.ai), or [Pi](https://github.com/mariozechner/pi-coding-agent)
+
+## Usage
+
+### Launching Agent Sessions
+
+```bash
+mosaic pi                    # Launch Pi with Mosaic injection
+mosaic claude                # Launch Claude Code with Mosaic injection
+mosaic codex                 # Launch Codex with Mosaic injection
+mosaic opencode              # Launch OpenCode with Mosaic injection
+
+mosaic yolo claude           # Claude with dangerous-permissions mode
+mosaic yolo pi               # Pi in yolo mode
+```
+
+The launcher verifies your config, checks for `SOUL.md`, injects your `AGENTS.md` standards into the runtime, and forwards all arguments.
+
+### TUI & Gateway
+
+```bash
+mosaic tui                   # Interactive TUI connected to the gateway
+mosaic gateway login         # Authenticate with a gateway instance
+mosaic sessions list         # List active agent sessions
+```
+
+### Gateway Management
+
+```bash
+mosaic gateway install       # Install and configure the gateway service
+mosaic gateway verify        # Post-install health check
+mosaic gateway login         # Authenticate and store a session token
+mosaic gateway config rotate-token    # Rotate your API token
+mosaic gateway config recover-token  # Recover a token via BetterAuth cookie
+```
+
+If you already have a gateway account but no token, use `mosaic gateway config recover-token` to retrieve one without recreating your account.
+
+### Configuration
+
+```bash
+mosaic config show           # Print full config as JSON
+mosaic config get <key>      # Read a specific key
+mosaic config set <key> <val># Write a key
+mosaic config edit           # Open config in $EDITOR
+mosaic config path           # Print config file path
+```
+
+### Management
+
+```bash
+mosaic doctor                # Health audit — detect drift and missing files
+mosaic sync                  # Sync skills from canonical source
+mosaic update                # Check for and install CLI updates
+mosaic wizard                # Full guided setup wizard
+mosaic bootstrap <path>      # Bootstrap a repo with Mosaic standards
+mosaic coord init            # Initialize a new orchestration mission
+mosaic prdy init             # Create a PRD via guided session
+```
+
+### Sub-package Commands
+
+Each Mosaic sub-package exposes its API surface through the unified CLI:
+
+```bash
+# User management
+mosaic auth users list
+mosaic auth users create
+mosaic auth sso
+
+# Agent brain (projects, missions, tasks)
+mosaic brain projects
+mosaic brain missions
+mosaic brain tasks
+mosaic brain conversations
+
+# Agent forge pipeline
+mosaic forge run
+mosaic forge status
+mosaic forge resume
+mosaic forge personas
+
+# Structured logging
+mosaic log tail
+mosaic log search
+mosaic log export
+mosaic log level
+
+# MACP protocol
+mosaic macp tasks
+mosaic macp submit
+mosaic macp gate
+mosaic macp events
+
+# Agent memory
+mosaic memory search
+mosaic memory stats
+mosaic memory insights
+mosaic memory preferences
+
+# Task queue (Valkey)
+mosaic queue list
+mosaic queue stats
+mosaic queue pause
+mosaic queue resume
+mosaic queue jobs
+mosaic queue drain
+
+# Object storage
+mosaic storage status
+mosaic storage tier
+mosaic storage export
+mosaic storage import
+mosaic storage migrate
+```
+
+### Telemetry
+
+```bash
+# Local observability (OTEL / Jaeger)
+mosaic telemetry local status
+mosaic telemetry local tail
+mosaic telemetry local jaeger
+
+# Remote telemetry (dry-run by default)
+mosaic telemetry status
+mosaic telemetry opt-in
+mosaic telemetry opt-out
+mosaic telemetry test
+mosaic telemetry upload        # Dry-run unless opted in
+```
+
+Consent state is persisted in config. Remote upload is a no-op until you run `mosaic telemetry opt-in`.
+
+## Development
+
+### Prerequisites
+
+- Node.js ≥ 20
+- pnpm 10.6+
+- Docker & Docker Compose
+
+### Setup
+
+```bash
+git clone git@git.mosaicstack.dev:mosaicstack/stack.git
+cd stack
+
+# Start infrastructure (Postgres, Valkey, Jaeger)
+docker compose up -d
+
+# Install dependencies
+pnpm install
+
+# Run migrations
+pnpm --filter @mosaicstack/db run db:migrate
+
+# Start all services in dev mode
+pnpm dev
+```
+
+### Infrastructure
+
+Docker Compose provides:
+
+| Service               | Port      | Purpose                |
+| --------------------- | --------- | ---------------------- |
+| PostgreSQL (pgvector) | 5433      | Primary database       |
+| Valkey                | 6380      | Task queue + caching   |
+| Jaeger                | 16686     | Distributed tracing UI |
+| OTEL Collector        | 4317/4318 | Telemetry ingestion    |
+
+### Quality Gates
+
+```bash
+pnpm typecheck               # TypeScript type checking (all packages)
+pnpm lint                    # ESLint (all packages)
+pnpm test                    # Vitest (all packages)
+pnpm format:check            # Prettier check
+pnpm format                  # Prettier auto-fix
+```
+
+### CI
+
+Woodpecker CI runs on every push:
+
+- `pnpm install --frozen-lockfile`
+- Database migration against a fresh Postgres
+- `pnpm test` (Turbo-orchestrated across all packages)
+
+npm packages are published to the Gitea package registry on main merges.
+
+## Architecture
+
+```
+stack/
+├── apps/
+│   ├── gateway/             NestJS API + WebSocket hub (Fastify, Socket.IO, OTEL)
+│   └── web/                 Next.js dashboard (React 19, Tailwind)
+├── packages/
+│   ├── mosaic/              Unified CLI — TUI, gateway client, wizard, sub-package commands
+│   ├── types/               Shared TypeScript contracts (Socket.IO typed events)
+│   ├── db/                  Drizzle ORM schema + migrations (pgvector)
+│   ├── auth/                BetterAuth configuration
+│   ├── brain/               Data layer (PG-backed)
+│   ├── queue/               Valkey task queue + MCP
+│   ├── coord/               Mission coordination
+│   ├── forge/               Multi-stage AI pipeline (intake → board → plan → code → review)
+│   ├── macp/                MACP protocol — credential resolution, gate runner, events
+│   ├── agent/               Agent session management
+│   ├── memory/              Agent memory layer
+│   ├── log/                 Structured logging
+│   ├── prdy/                PRD creation and validation
+│   ├── quality-rails/       Quality templates (TypeScript, Next.js, monorepo)
+│   └── design-tokens/       Shared design tokens
+├── plugins/
+│   ├── discord/             Discord channel plugin (discord.js)
+│   ├── telegram/            Telegram channel plugin (Telegraf)
+│   ├── macp/                OpenClaw MACP runtime plugin
+│   └── mosaic-framework/    OpenClaw framework injection plugin
+├── tools/
+│   └── install.sh           Unified installer (framework + npm CLI, --yes / --no-auto-launch)
+├── scripts/agent/           Agent session lifecycle scripts
+├── docker-compose.yml       Dev infrastructure
+└── .woodpecker/             CI pipeline configs
+```
+
+### Key Design Decisions
+
+- **Gateway is the single API surface** — all clients (TUI, web, Discord, Telegram) connect through it
+- **ESM everywhere** — `"type": "module"`, `.js` extensions in imports, NodeNext resolution
+- **Socket.IO typed events** — defined in `@mosaicstack/types`, enforced at compile time
+- **OTEL auto-instrumentation** — loads before NestJS bootstrap
+- **Explicit `@Inject()` decorators** — required since tsx/esbuild doesn't emit decorator metadata
+
+### Framework (`~/.config/mosaic/`)
+
+The framework is the bash-based standards layer installed to every developer machine:
+
+```
+~/.config/mosaic/
+├── AGENTS.md              ← Central standards (loaded into every runtime)
+├── SOUL.md                ← Agent identity (name, style, guardrails)
+├── USER.md                ← User profile (name, timezone, preferences)
+├── TOOLS.md               ← Machine-level tool reference
+├── bin/mosaic             ← Unified launcher (claude, codex, opencode, pi, yolo)
+├── guides/                ← E2E delivery, orchestrator protocol, PRD, etc.
+├── runtime/               ← Per-runtime configs (claude/, codex/, opencode/, pi/)
+├── skills/                ← Universal skills (synced from agent-skills repo)
+├── tools/                 ← Tool suites (orchestrator, git, quality, prdy, etc.)
+└── memory/                ← Persistent agent memory (preserved across upgrades)
+```
+
+### Forge Pipeline
+
+Forge is a multi-stage AI pipeline for autonomous feature delivery:
+
+```
+Intake → Discovery → Board Review → Planning (3 stages) → Coding → Review → Remediation → Test → Deploy
+```
+
+Each stage has a dispatch mode (`exec` for research/review, `yolo` for coding), quality gates, and timeouts. The board review uses multiple AI personas (CEO, CTO, CFO, COO + specialists) to evaluate briefs before committing resources.
+
+## Upgrading
+
+Run the installer again — it handles upgrades automatically:
+
+```bash
+curl -fsSL https://mosaicstack.dev/install.sh | bash
+```
+
+Or use the direct URL:
+
+```bash
+bash <(curl -fsSL https://git.mosaicstack.dev/mosaicstack/stack/raw/branch/main/tools/install.sh)
+```
+
+Or use the CLI:
+
+```bash
+mosaic update                # Check + install CLI updates
+mosaic update --check        # Check only, don't install
+```
+
+The CLI also performs a background update check on every invocation (cached for 1 hour).
+
+### Installer Flags
+
+```bash
+bash tools/install.sh --check           # Version check only
+bash tools/install.sh --framework       # Framework only (skip npm CLI)
+bash tools/install.sh --cli             # npm CLI only (skip framework)
+bash tools/install.sh --ref v1.0        # Install from a specific git ref
+bash tools/install.sh --yes             # Non-interactive, accept all defaults
+bash tools/install.sh --no-auto-launch  # Skip auto-launch of wizard
+```
+
+## Contributing
+
+```bash
+# Create a feature branch
+git checkout -b feat/my-feature
+
+# Make changes, then verify
+pnpm typecheck && pnpm lint && pnpm test && pnpm format:check
+
+# Commit (husky runs lint-staged automatically)
+git commit -m "feat: description of change"
+
+# Push and create PR
+git push -u origin feat/my-feature
+```
+
+DTOs go in `*.dto.ts` files at module boundaries. Scratchpads (`docs/scratchpads/`) are mandatory for non-trivial tasks. See `AGENTS.md` for the full standards reference.
+
+## License
+
+Proprietary — all rights reserved.

apps/gateway/package.json

@@ -1,9 +1,23 @@
 {
-  "name": "@mosaic/gateway",
+  "name": "@mosaicstack/gateway",
-  "version": "0.0.0",
+  "version": "0.0.6",
-  "private": true,
+  "repository": {
+    "type": "git",
+    "url": "https://git.mosaicstack.dev/mosaicstack/stack.git",
+    "directory": "apps/gateway"
+  },
   "type": "module",
   "main": "dist/main.js",
+  "bin": {
+    "mosaic-gateway": "dist/main.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "registry": "https://git.mosaicstack.dev/api/packages/mosaicstack/npm/",
+    "access": "public"
+  },
   "scripts": {
     "build": "tsc",
     "dev": "tsx watch src/main.ts",
@@ -14,26 +28,28 @@
   "dependencies": {
     "@anthropic-ai/sdk": "^0.80.0",
     "@fastify/helmet": "^13.0.2",
-    "@mariozechner/pi-ai": "~0.57.1",
+    "@mariozechner/pi-ai": "^0.65.0",
-    "@mariozechner/pi-coding-agent": "~0.57.1",
+    "@mariozechner/pi-coding-agent": "^0.65.0",
     "@modelcontextprotocol/sdk": "^1.27.1",
-    "@mosaic/auth": "workspace:^",
+    "@mosaicstack/auth": "workspace:^",
-    "@mosaic/brain": "workspace:^",
+    "@mosaicstack/brain": "workspace:^",
-    "@mosaic/coord": "workspace:^",
+    "@mosaicstack/config": "workspace:^",
-    "@mosaic/db": "workspace:^",
+    "@mosaicstack/coord": "workspace:^",
-    "@mosaic/discord-plugin": "workspace:^",
+    "@mosaicstack/db": "workspace:^",
-    "@mosaic/log": "workspace:^",
+    "@mosaicstack/discord-plugin": "workspace:^",
-    "@mosaic/memory": "workspace:^",
+    "@mosaicstack/log": "workspace:^",
-    "@mosaic/queue": "workspace:^",
+    "@mosaicstack/memory": "workspace:^",
-    "@mosaic/telegram-plugin": "workspace:^",
+    "@mosaicstack/queue": "workspace:^",
-    "@mosaic/types": "workspace:^",
+    "@mosaicstack/storage": "workspace:^",
+    "@mosaicstack/telegram-plugin": "workspace:^",
+    "@mosaicstack/types": "workspace:^",
     "@nestjs/common": "^11.0.0",
     "@nestjs/core": "^11.0.0",
     "@nestjs/platform-fastify": "^11.0.0",
     "@nestjs/platform-socket.io": "^11.0.0",
     "@nestjs/throttler": "^6.5.0",
     "@nestjs/websockets": "^11.0.0",
-    "@opentelemetry/auto-instrumentations-node": "^0.71.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.72.0",
     "@opentelemetry/exporter-metrics-otlp-http": "^0.213.0",
     "@opentelemetry/exporter-trace-otlp-http": "^0.213.0",
     "@opentelemetry/resources": "^2.6.0",
@@ -47,8 +63,10 @@
     "class-validator": "^0.15.1",
     "dotenv": "^17.3.1",
     "fastify": "^5.0.0",
+    "ioredis": "^5.10.0",
     "node-cron": "^4.2.1",
     "openai": "^6.32.0",
+    "postgres": "^3.4.8",
     "reflect-metadata": "^0.2.0",
     "rxjs": "^7.8.0",
     "socket.io": "^4.8.0",
@@ -56,11 +74,17 @@
     "zod": "^4.3.6"
   },
   "devDependencies": {
+    "@nestjs/testing": "^11.1.18",
+    "@swc/core": "^1.15.24",
+    "@swc/helpers": "^0.5.21",
     "@types/node": "^22.0.0",
     "@types/node-cron": "^3.0.11",
+    "@types/supertest": "^7.2.0",
     "@types/uuid": "^10.0.0",
+    "supertest": "^7.2.2",
     "tsx": "^4.0.0",
     "typescript": "^5.8.0",
+    "unplugin-swc": "^1.5.9",
     "vitest": "^2.0.0"
   }
 }

apps/gateway/src/__tests__/conversation-persistence.test.ts

@@ -12,7 +12,7 @@ import { BadRequestException, NotFoundException } from '@nestjs/common';
 import { describe, expect, it, vi, beforeEach } from 'vitest';
 import type { ConversationHistoryMessage } from '../agent/agent.service.js';
 import { ConversationsController } from '../conversations/conversations.controller.js';
-import type { Message } from '@mosaic/brain';
+import type { Message } from '@mosaicstack/brain';
 
 // ---------------------------------------------------------------------------
 // Shared test data

apps/gateway/src/__tests__/cross-user-isolation.test.ts

@@ -18,13 +18,13 @@
  */
 
 import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
-import { createDb } from '@mosaic/db';
+import { createDb } from '@mosaicstack/db';
-import { createConversationsRepo } from '@mosaic/brain';
+import { createConversationsRepo } from '@mosaicstack/brain';
-import { createAgentsRepo } from '@mosaic/brain';
+import { createAgentsRepo } from '@mosaicstack/brain';
-import { createPreferencesRepo, createInsightsRepo } from '@mosaic/memory';
+import { createPreferencesRepo, createInsightsRepo } from '@mosaicstack/memory';
-import { users, conversations, messages, agents, preferences, insights } from '@mosaic/db';
+import { users, conversations, messages, agents, preferences, insights } from '@mosaicstack/db';
-import { eq } from '@mosaic/db';
+import { eq } from '@mosaicstack/db';
-import type { DbHandle } from '@mosaic/db';
+import type { DbHandle } from '@mosaicstack/db';
 
 // ─── Fixed IDs so the afterAll cleanup is deterministic ──────────────────────
 

apps/gateway/src/admin/admin-health.controller.ts

@@ -1,6 +1,6 @@
 import { Controller, Get, Inject, UseGuards } from '@nestjs/common';
-import { sql, type Db } from '@mosaic/db';
+import { sql, type Db } from '@mosaicstack/db';
-import { createQueue } from '@mosaic/queue';
+import { createQueue } from '@mosaicstack/queue';
 import { DB } from '../database/database.module.js';
 import { AgentService } from '../agent/agent.service.js';
 import { ProviderService } from '../agent/provider.service.js';

apps/gateway/src/admin/admin-tokens.controller.ts

@@ -0,0 +1,90 @@
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  HttpCode,
+  HttpStatus,
+  Inject,
+  Param,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
+import { randomBytes, createHash } from 'node:crypto';
+import { eq, type Db, adminTokens } from '@mosaicstack/db';
+import { v4 as uuid } from 'uuid';
+import { DB } from '../database/database.module.js';
+import { AdminGuard } from './admin.guard.js';
+import { CurrentUser } from '../auth/current-user.decorator.js';
+import type {
+  CreateTokenDto,
+  TokenCreatedDto,
+  TokenDto,
+  TokenListDto,
+} from './admin-tokens.dto.js';
+
+function hashToken(plaintext: string): string {
+  return createHash('sha256').update(plaintext).digest('hex');
+}
+
+function toTokenDto(row: typeof adminTokens.$inferSelect): TokenDto {
+  return {
+    id: row.id,
+    label: row.label,
+    scope: row.scope,
+    expiresAt: row.expiresAt?.toISOString() ?? null,
+    lastUsedAt: row.lastUsedAt?.toISOString() ?? null,
+    createdAt: row.createdAt.toISOString(),
+  };
+}
+
+@Controller('api/admin/tokens')
+@UseGuards(AdminGuard)
+export class AdminTokensController {
+  constructor(@Inject(DB) private readonly db: Db) {}
+
+  @Post()
+  async create(
+    @Body() dto: CreateTokenDto,
+    @CurrentUser() user: { id: string },
+  ): Promise<TokenCreatedDto> {
+    const plaintext = randomBytes(32).toString('hex');
+    const tokenHash = hashToken(plaintext);
+    const id = uuid();
+
+    const expiresAt = dto.expiresInDays
+      ? new Date(Date.now() + dto.expiresInDays * 24 * 60 * 60 * 1000)
+      : null;
+
+    const [row] = await this.db
+      .insert(adminTokens)
+      .values({
+        id,
+        userId: user.id,
+        tokenHash,
+        label: dto.label ?? 'CLI token',
+        scope: dto.scope ?? 'admin',
+        expiresAt,
+      })
+      .returning();
+
+    return { ...toTokenDto(row!), plaintext };
+  }
+
+  @Get()
+  async list(@CurrentUser() user: { id: string }): Promise<TokenListDto> {
+    const rows = await this.db
+      .select()
+      .from(adminTokens)
+      .where(eq(adminTokens.userId, user.id))
+      .orderBy(adminTokens.createdAt);
+
+    return { tokens: rows.map(toTokenDto), total: rows.length };
+  }
+
+  @Delete(':id')
+  @HttpCode(HttpStatus.NO_CONTENT)
+  async revoke(@Param('id') id: string, @CurrentUser() _user: { id: string }): Promise<void> {
+    await this.db.delete(adminTokens).where(eq(adminTokens.id, id));
+  }
+}

apps/gateway/src/admin/admin-tokens.dto.ts

@@ -0,0 +1,33 @@
+import { IsString, IsOptional, IsInt, Min } from 'class-validator';
+
+export class CreateTokenDto {
+  @IsString()
+  label!: string;
+
+  @IsOptional()
+  @IsString()
+  scope?: string;
+
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  expiresInDays?: number;
+}
+
+export interface TokenDto {
+  id: string;
+  label: string;
+  scope: string;
+  expiresAt: string | null;
+  lastUsedAt: string | null;
+  createdAt: string;
+}
+
+export interface TokenCreatedDto extends TokenDto {
+  plaintext: string;
+}
+
+export interface TokenListDto {
+  tokens: TokenDto[];
+  total: number;
+}

apps/gateway/src/admin/admin.controller.ts

@@ -13,8 +13,8 @@ import {
   Post,
   UseGuards,
 } from '@nestjs/common';
-import { eq, type Db, users as usersTable } from '@mosaic/db';
+import { eq, type Db, users as usersTable } from '@mosaicstack/db';
-import type { Auth } from '@mosaic/auth';
+import type { Auth } from '@mosaicstack/auth';
 import { AUTH } from '../auth/auth.tokens.js';
 import { DB } from '../database/database.module.js';
 import { AdminGuard } from './admin.guard.js';

apps/gateway/src/admin/admin.guard.ts

@@ -6,10 +6,11 @@ import {
   Injectable,
   UnauthorizedException,
 } from '@nestjs/common';
+import { createHash } from 'node:crypto';
 import { fromNodeHeaders } from 'better-auth/node';
-import type { Auth } from '@mosaic/auth';
+import type { Auth } from '@mosaicstack/auth';
-import type { Db } from '@mosaic/db';
+import type { Db } from '@mosaicstack/db';
-import { eq, users as usersTable } from '@mosaic/db';
+import { eq, adminTokens, users as usersTable } from '@mosaicstack/db';
 import type { FastifyRequest } from 'fastify';
 import { AUTH } from '../auth/auth.tokens.js';
 import { DB } from '../database/database.module.js';
@@ -19,6 +20,8 @@ interface UserWithRole {
   role?: string;
 }
 
+type AuthenticatedRequest = FastifyRequest & { user: unknown; session: unknown };
+
 @Injectable()
 export class AdminGuard implements CanActivate {
   constructor(
@@ -28,8 +31,64 @@ export class AdminGuard implements CanActivate {
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const request = context.switchToHttp().getRequest<FastifyRequest>();
-    const headers = fromNodeHeaders(request.raw.headers);
 
+    // Try bearer token auth first
+    const authHeader = request.raw.headers['authorization'];
+    if (authHeader?.startsWith('Bearer ')) {
+      return this.validateBearerToken(request, authHeader.slice(7));
+    }
+
+    // Fall back to BetterAuth session
+    return this.validateSession(request);
+  }
+
+  private async validateBearerToken(request: FastifyRequest, plaintext: string): Promise<boolean> {
+    const tokenHash = createHash('sha256').update(plaintext).digest('hex');
+
+    const [row] = await this.db
+      .select({
+        tokenId: adminTokens.id,
+        userId: adminTokens.userId,
+        scope: adminTokens.scope,
+        expiresAt: adminTokens.expiresAt,
+        userName: usersTable.name,
+        userEmail: usersTable.email,
+        userRole: usersTable.role,
+      })
+      .from(adminTokens)
+      .innerJoin(usersTable, eq(adminTokens.userId, usersTable.id))
+      .where(eq(adminTokens.tokenHash, tokenHash))
+      .limit(1);
+
+    if (!row) {
+      throw new UnauthorizedException('Invalid API token');
+    }
+
+    if (row.expiresAt && row.expiresAt < new Date()) {
+      throw new UnauthorizedException('API token expired');
+    }
+
+    if (row.userRole !== 'admin') {
+      throw new ForbiddenException('Admin access required');
+    }
+
+    // Update last-used timestamp (fire-and-forget)
+    this.db
+      .update(adminTokens)
+      .set({ lastUsedAt: new Date() })
+      .where(eq(adminTokens.id, row.tokenId))
+      .then(() => {})
+      .catch(() => {});
+
+    const req = request as AuthenticatedRequest;
+    req.user = { id: row.userId, name: row.userName, email: row.userEmail, role: row.userRole };
+    req.session = { id: `token:${row.tokenId}`, userId: row.userId };
+
+    return true;
+  }
+
+  private async validateSession(request: FastifyRequest): Promise<boolean> {
+    const headers = fromNodeHeaders(request.raw.headers);
     const result = await this.auth.api.getSession({ headers });
 
     if (!result) {
@@ -38,8 +97,6 @@ export class AdminGuard implements CanActivate {
 
     const user = result.user as UserWithRole;
 
-    // Ensure the role field is populated. better-auth should include additionalFields
-    // in the session, but as a fallback, fetch the role from the database if needed.
     let userRole = user.role;
     if (!userRole) {
       const [dbUser] = await this.db
@@ -48,7 +105,6 @@ export class AdminGuard implements CanActivate {
         .where(eq(usersTable.id, user.id))
         .limit(1);
       userRole = dbUser?.role ?? 'member';
-      // Update the session user object with the fetched role
       (user as UserWithRole).role = userRole;
     }
 
@@ -56,8 +112,9 @@ export class AdminGuard implements CanActivate {
       throw new ForbiddenException('Admin access required');
     }
 
-    (request as FastifyRequest & { user: unknown; session: unknown }).user = result.user;
+    const req = request as AuthenticatedRequest;
-    (request as FastifyRequest & { user: unknown; session: unknown }).session = result.session;
+    req.user = result.user;
+    req.session = result.session;
 
     return true;
   }

apps/gateway/src/admin/admin.module.ts

@@ -2,10 +2,18 @@ import { Module } from '@nestjs/common';
 import { AdminController } from './admin.controller.js';
 import { AdminHealthController } from './admin-health.controller.js';
 import { AdminJobsController } from './admin-jobs.controller.js';
+import { AdminTokensController } from './admin-tokens.controller.js';
+import { BootstrapController } from './bootstrap.controller.js';
 import { AdminGuard } from './admin.guard.js';
 
 @Module({
-  controllers: [AdminController, AdminHealthController, AdminJobsController],
+  controllers: [
+    AdminController,
+    AdminHealthController,
+    AdminJobsController,
+    AdminTokensController,
+    BootstrapController,
+  ],
   providers: [AdminGuard],
 })
 export class AdminModule {}

apps/gateway/src/admin/bootstrap.controller.ts

@@ -0,0 +1,102 @@
+import {
+  Body,
+  Controller,
+  ForbiddenException,
+  Get,
+  Inject,
+  InternalServerErrorException,
+  Post,
+} from '@nestjs/common';
+import { randomBytes, createHash } from 'node:crypto';
+import { count, eq, type Db, users as usersTable, adminTokens } from '@mosaicstack/db';
+import type { Auth } from '@mosaicstack/auth';
+import { v4 as uuid } from 'uuid';
+import { AUTH } from '../auth/auth.tokens.js';
+import { DB } from '../database/database.module.js';
+import { BootstrapSetupDto } from './bootstrap.dto.js';
+import type { BootstrapStatusDto, BootstrapResultDto } from './bootstrap.dto.js';
+
+@Controller('api/bootstrap')
+export class BootstrapController {
+  constructor(
+    @Inject(AUTH) private readonly auth: Auth,
+    @Inject(DB) private readonly db: Db,
+  ) {}
+
+  @Get('status')
+  async status(): Promise<BootstrapStatusDto> {
+    const [result] = await this.db.select({ total: count() }).from(usersTable);
+    return { needsSetup: (result?.total ?? 0) === 0 };
+  }
+
+  @Post('setup')
+  async setup(@Body() dto: BootstrapSetupDto): Promise<BootstrapResultDto> {
+    // Only allow setup when zero users exist
+    const [result] = await this.db.select({ total: count() }).from(usersTable);
+    if ((result?.total ?? 0) > 0) {
+      throw new ForbiddenException('Setup already completed — users exist');
+    }
+
+    // Create admin user via BetterAuth API
+    const authApi = this.auth.api as unknown as {
+      createUser: (opts: {
+        body: { name: string; email: string; password: string; role?: string };
+      }) => Promise<{
+        user: { id: string; name: string; email: string };
+      }>;
+    };
+
+    const created = await authApi.createUser({
+      body: {
+        name: dto.name,
+        email: dto.email,
+        password: dto.password,
+        role: 'admin',
+      },
+    });
+
+    // Verify user was created
+    const [user] = await this.db
+      .select()
+      .from(usersTable)
+      .where(eq(usersTable.id, created.user.id))
+      .limit(1);
+
+    if (!user) throw new InternalServerErrorException('User created but not found');
+
+    // Ensure role is admin (createUser may not set it via BetterAuth)
+    if (user.role !== 'admin') {
+      await this.db.update(usersTable).set({ role: 'admin' }).where(eq(usersTable.id, user.id));
+    }
+
+    // Generate admin API token
+    const plaintext = randomBytes(32).toString('hex');
+    const tokenHash = createHash('sha256').update(plaintext).digest('hex');
+    const tokenId = uuid();
+
+    const [token] = await this.db
+      .insert(adminTokens)
+      .values({
+        id: tokenId,
+        userId: user.id,
+        tokenHash,
+        label: 'Initial setup token',
+        scope: 'admin',
+      })
+      .returning();
+
+    return {
+      user: {
+        id: user.id,
+        name: user.name,
+        email: user.email,
+        role: 'admin',
+      },
+      token: {
+        id: token!.id,
+        plaintext,
+        label: token!.label,
+      },
+    };
+  }
+}

apps/gateway/src/admin/bootstrap.dto.ts

@@ -0,0 +1,31 @@
+import { IsString, IsEmail, MinLength } from 'class-validator';
+
+export class BootstrapSetupDto {
+  @IsString()
+  name!: string;
+
+  @IsEmail()
+  email!: string;
+
+  @IsString()
+  @MinLength(8)
+  password!: string;
+}
+
+export interface BootstrapStatusDto {
+  needsSetup: boolean;
+}
+
+export interface BootstrapResultDto {
+  user: {
+    id: string;
+    name: string;
+    email: string;
+    role: string;
+  };
+  token: {
+    id: string;
+    plaintext: string;
+    label: string;
+  };
+}

apps/gateway/src/admin/bootstrap.e2e.spec.ts

@@ -0,0 +1,190 @@
+/**
+ * E2E integration test — POST /api/bootstrap/setup
+ *
+ * Regression guard for the `import type { BootstrapSetupDto }` class-erasure
+ * bug (IUV-M01, issue #436).
+ *
+ * When `BootstrapSetupDto` is imported with `import type`, TypeScript erases
+ * the class at compile time. NestJS then sees `Object` as the `@Body()`
+ * metatype, and ValidationPipe with `whitelist:true + forbidNonWhitelisted:true`
+ * treats every property as non-whitelisted, returning:
+ *
+ *   400 { message: ["property email should not exist", "property password should not exist"] }
+ *
+ * The fix is a plain value import (`import { BootstrapSetupDto }`), which
+ * preserves the class reference so Nest can read the class-validator decorators.
+ *
+ * This test MUST fail if `import type` is re-introduced on `BootstrapSetupDto`.
+ * A controller unit test that constructs ValidationPipe manually won't catch
+ * this — only the real DI binding path exercises the metatype lookup.
+ */
+
+import 'reflect-metadata';
+import { describe, it, expect, afterAll, beforeAll } from 'vitest';
+import { Test } from '@nestjs/testing';
+import { ValidationPipe, type INestApplication } from '@nestjs/common';
+import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fastify';
+import request from 'supertest';
+import { BootstrapController } from './bootstrap.controller.js';
+import type { BootstrapResultDto } from './bootstrap.dto.js';
+
+// ─── Minimal mock dependencies ───────────────────────────────────────────────
+
+/**
+ * We use explicit `@Inject(AUTH)` / `@Inject(DB)` in the controller so we
+ * can provide mock values by token without spinning up the real DB or Auth.
+ */
+import { AUTH } from '../auth/auth.tokens.js';
+import { DB } from '../database/database.module.js';
+
+const MOCK_USER_ID = 'mock-user-id-001';
+
+const mockAuth = {
+  api: {
+    createUser: () =>
+      Promise.resolve({
+        user: {
+          id: MOCK_USER_ID,
+          name: 'Admin',
+          email: 'admin@example.com',
+        },
+      }),
+  },
+};
+
+// Override db.select() so the second query (verify user exists) returns a user.
+// The bootstrap controller calls select().from() twice:
+//   1. count() to check zero users  → returns [{total: 0}]
+//   2. select().where().limit()     → returns [the created user]
+let selectCallCount = 0;
+const mockDbWithUser = {
+  select: () => {
+    selectCallCount++;
+    return {
+      from: () => {
+        if (selectCallCount === 1) {
+          // First call: count — zero users
+          return Promise.resolve([{ total: 0 }]);
+        }
+        // Subsequent calls: return a mock user row
+        return {
+          where: () => ({
+            limit: () =>
+              Promise.resolve([
+                {
+                  id: MOCK_USER_ID,
+                  name: 'Admin',
+                  email: 'admin@example.com',
+                  role: 'admin',
+                },
+              ]),
+          }),
+        };
+      },
+    };
+  },
+  update: () => ({
+    set: () => ({
+      where: () => Promise.resolve([]),
+    }),
+  }),
+  insert: () => ({
+    values: () => ({
+      returning: () =>
+        Promise.resolve([
+          {
+            id: 'token-id-001',
+            label: 'Initial setup token',
+          },
+        ]),
+    }),
+  }),
+};
+
+// ─── Test suite ───────────────────────────────────────────────────────────────
+
+describe('POST /api/bootstrap/setup — ValidationPipe DTO binding', () => {
+  let app: INestApplication;
+
+  beforeAll(async () => {
+    selectCallCount = 0;
+
+    const moduleRef = await Test.createTestingModule({
+      controllers: [BootstrapController],
+      providers: [
+        { provide: AUTH, useValue: mockAuth },
+        { provide: DB, useValue: mockDbWithUser },
+      ],
+    }).compile();
+
+    app = moduleRef.createNestApplication<NestFastifyApplication>(new FastifyAdapter());
+
+    // Mirror main.ts configuration exactly — this is what reproduced the 400.
+    app.useGlobalPipes(
+      new ValidationPipe({
+        whitelist: true,
+        forbidNonWhitelisted: true,
+        transform: true,
+      }),
+    );
+
+    await app.init();
+    // Fastify requires waiting for the adapter to be ready
+    await app.getHttpAdapter().getInstance().ready();
+  });
+
+  afterAll(async () => {
+    await app.close();
+  });
+
+  it('returns 201 (not 400) when a valid {name, email, password} body is sent', async () => {
+    const res = await request(app.getHttpServer())
+      .post('/api/bootstrap/setup')
+      .send({ name: 'Admin', email: 'admin@example.com', password: 'password123' })
+      .set('Content-Type', 'application/json');
+
+    // Before the fix (import type), Nest ValidationPipe returned 400 with
+    // "property email should not exist" / "property password should not exist"
+    // because the DTO class was erased and every field looked non-whitelisted.
+    expect(res.status).not.toBe(400);
+    expect(res.status).toBe(201);
+    const body = res.body as BootstrapResultDto;
+    expect(body.user).toBeDefined();
+    expect(body.user.email).toBe('admin@example.com');
+    expect(body.token).toBeDefined();
+    expect(body.token.plaintext).toBeDefined();
+  });
+
+  it('returns 400 when extra forbidden properties are sent', async () => {
+    // This proves ValidationPipe IS active and working (forbidNonWhitelisted).
+    const res = await request(app.getHttpServer())
+      .post('/api/bootstrap/setup')
+      .send({
+        name: 'Admin',
+        email: 'admin@example.com',
+        password: 'password123',
+        extraField: 'should-be-rejected',
+      })
+      .set('Content-Type', 'application/json');
+
+    expect(res.status).toBe(400);
+  });
+
+  it('returns 400 when email is invalid', async () => {
+    const res = await request(app.getHttpServer())
+      .post('/api/bootstrap/setup')
+      .send({ name: 'Admin', email: 'not-an-email', password: 'password123' })
+      .set('Content-Type', 'application/json');
+
+    expect(res.status).toBe(400);
+  });
+
+  it('returns 400 when password is too short', async () => {
+    const res = await request(app.getHttpServer())
+      .post('/api/bootstrap/setup')
+      .send({ name: 'Admin', email: 'admin@example.com', password: 'short' })
+      .set('Content-Type', 'application/json');
+
+    expect(res.status).toBe(400);
+  });
+});

apps/gateway/src/agent/__tests__/provider-adapters.test.ts

@@ -62,7 +62,7 @@ function restoreEnv(saved: Map<EnvKey, string | undefined>): void {
 }
 
 function makeRegistry(): ModelRegistry {
-  return new ModelRegistry(AuthStorage.inMemory());
+  return ModelRegistry.inMemory(AuthStorage.inMemory());
 }
 
 // ---------------------------------------------------------------------------

apps/gateway/src/agent/__tests__/routing.service.test.ts

@@ -1,6 +1,6 @@
 import { describe, it, expect, beforeEach, vi } from 'vitest';
 import { RoutingService } from '../routing.service.js';
-import type { ModelInfo } from '@mosaic/types';
+import type { ModelInfo } from '@mosaicstack/types';
 
 const mockModels: ModelInfo[] = [
   {

apps/gateway/src/agent/adapters/anthropic.adapter.ts

@@ -7,7 +7,7 @@ import type {
   IProviderAdapter,
   ModelInfo,
   ProviderHealth,
-} from '@mosaic/types';
+} from '@mosaicstack/types';
 
 /**
  * Anthropic provider adapter.

apps/gateway/src/agent/adapters/ollama.adapter.ts

@@ -6,7 +6,7 @@ import type {
   IProviderAdapter,
   ModelInfo,
   ProviderHealth,
-} from '@mosaic/types';
+} from '@mosaicstack/types';
 
 /** Embedding models that Ollama ships with out of the box */
 const OLLAMA_EMBEDDING_MODELS: ReadonlyArray<{

apps/gateway/src/agent/adapters/openai.adapter.ts

@@ -7,7 +7,7 @@ import type {
   IProviderAdapter,
   ModelInfo,
   ProviderHealth,
-} from '@mosaic/types';
+} from '@mosaicstack/types';
 
 /**
  * OpenAI provider adapter.

apps/gateway/src/agent/adapters/openrouter.adapter.ts

@@ -6,7 +6,7 @@ import type {
   IProviderAdapter,
   ModelInfo,
   ProviderHealth,
-} from '@mosaic/types';
+} from '@mosaicstack/types';
 
 const OPENROUTER_BASE_URL = 'https://openrouter.ai/api/v1';
 

apps/gateway/src/agent/adapters/zai.adapter.ts

@@ -6,7 +6,7 @@ import type {
   IProviderAdapter,
   ModelInfo,
   ProviderHealth,
-} from '@mosaic/types';
+} from '@mosaicstack/types';
 import { getModelCapability } from '../model-capabilities.js';
 
 /**

apps/gateway/src/agent/agent-configs.controller.ts

@@ -13,7 +13,7 @@ import {
   Post,
   UseGuards,
 } from '@nestjs/common';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
 import { BRAIN } from '../brain/brain.tokens.js';
 import { AuthGuard } from '../auth/auth.guard.js';
 import { CurrentUser } from '../auth/current-user.decorator.js';

apps/gateway/src/agent/agent.service.ts

@@ -7,8 +7,8 @@ import {
   type AgentSessionEvent,
   type ToolDefinition,
 } from '@mariozechner/pi-coding-agent';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
-import type { Memory } from '@mosaic/memory';
+import type { Memory } from '@mosaicstack/memory';
 import { BRAIN } from '../brain/brain.tokens.js';
 import { MEMORY } from '../memory/memory.tokens.js';
 import { EmbeddingService } from '../memory/embedding.service.js';
@@ -23,6 +23,7 @@ import { createFileTools } from './tools/file-tools.js';
 import { createGitTools } from './tools/git-tools.js';
 import { createShellTools } from './tools/shell-tools.js';
 import { createWebTools } from './tools/web-tools.js';
+import { createSearchTools } from './tools/search-tools.js';
 import type { SessionInfoDto, SessionMetrics } from './session.dto.js';
 import { SystemOverrideService } from '../preferences/system-override.service.js';
 import { PreferencesService } from '../preferences/preferences.service.js';
@@ -146,6 +147,7 @@ export class AgentService implements OnModuleDestroy {
       ...createGitTools(sandboxDir),
       ...createShellTools(sandboxDir),
       ...createWebTools(),
+      ...createSearchTools(),
     ];
   }
 

apps/gateway/src/agent/model-capabilities.ts

@@ -1,4 +1,4 @@
-import type { ModelCapability } from '@mosaic/types';
+import type { ModelCapability } from '@mosaicstack/types';
 
 /**
  * Comprehensive capability matrix for all target models.

apps/gateway/src/agent/provider-credentials.service.ts

@@ -1,7 +1,7 @@
 import { Inject, Injectable, Logger } from '@nestjs/common';
 import { createCipheriv, createDecipheriv, createHash, randomBytes } from 'node:crypto';
-import type { Db } from '@mosaic/db';
+import type { Db } from '@mosaicstack/db';
-import { providerCredentials, eq, and } from '@mosaic/db';
+import { providerCredentials, eq, and } from '@mosaicstack/db';
 import { DB } from '../database/database.module.js';
 import type { ProviderCredentialSummaryDto } from './provider-credentials.dto.js';
 

apps/gateway/src/agent/provider.service.ts

@@ -14,7 +14,7 @@ import type {
   ModelInfo,
   ProviderHealth,
   ProviderInfo,
-} from '@mosaic/types';
+} from '@mosaicstack/types';
 import {
   AnthropicAdapter,
   OllamaAdapter,
@@ -67,7 +67,7 @@ export class ProviderService implements OnModuleInit, OnModuleDestroy {
 
   async onModuleInit(): Promise<void> {
     const authStorage = AuthStorage.inMemory();
-    this.registry = new ModelRegistry(authStorage);
+    this.registry = ModelRegistry.inMemory(authStorage);
 
     // Build the default set of adapters that rely on the registry
     this.adapters = [

apps/gateway/src/agent/providers.controller.ts

@@ -1,5 +1,5 @@
 import { Body, Controller, Delete, Get, Inject, Param, Post, UseGuards } from '@nestjs/common';
-import type { RoutingCriteria } from '@mosaic/types';
+import type { RoutingCriteria } from '@mosaicstack/types';
 import { AuthGuard } from '../auth/auth.guard.js';
 import { CurrentUser } from '../auth/current-user.decorator.js';
 import { ProviderService } from './provider.service.js';

apps/gateway/src/agent/routing.service.ts

@@ -1,6 +1,6 @@
 import { Inject, Injectable, Logger } from '@nestjs/common';
-import type { ModelInfo } from '@mosaic/types';
+import type { ModelInfo } from '@mosaicstack/types';
-import type { RoutingCriteria, RoutingResult, CostTier } from '@mosaic/types';
+import type { RoutingCriteria, RoutingResult, CostTier } from '@mosaicstack/types';
 import { ProviderService } from './provider.service.js';
 
 /** Per-million-token cost thresholds for tier classification */

apps/gateway/src/agent/routing/default-rules.ts

@@ -1,5 +1,5 @@
 import { Inject, Injectable, Logger, type OnModuleInit } from '@nestjs/common';
-import { routingRules, type Db, sql } from '@mosaic/db';
+import { routingRules, type Db, sql } from '@mosaicstack/db';
 import { DB } from '../../database/database.module.js';
 import type { RoutingCondition, RoutingAction } from './routing.types.js';
 

apps/gateway/src/agent/routing/routing-engine.service.ts

@@ -1,5 +1,5 @@
 import { Inject, Injectable, Logger } from '@nestjs/common';
-import { routingRules, type Db, and, asc, eq, or } from '@mosaic/db';
+import { routingRules, type Db, and, asc, eq, or } from '@mosaicstack/db';
 import { DB } from '../../database/database.module.js';
 import { ProviderService } from '../provider.service.js';
 import { classifyTask } from './task-classifier.js';

apps/gateway/src/agent/routing/routing.controller.ts

@@ -13,7 +13,7 @@ import {
   Post,
   UseGuards,
 } from '@nestjs/common';
-import { routingRules, type Db, and, asc, eq, or, inArray } from '@mosaic/db';
+import { routingRules, type Db, and, asc, eq, or, inArray } from '@mosaicstack/db';
 import { DB } from '../../database/database.module.js';
 import { AuthGuard } from '../../auth/auth.guard.js';
 import { CurrentUser } from '../../auth/current-user.decorator.js';

apps/gateway/src/agent/routing/routing.types.ts

@@ -1,7 +1,7 @@
 /**
  * Routing engine types — M4-002 (condition types) and M4-003 (action types).
  *
- * These types are re-exported from `@mosaic/types` for shared use across packages.
+ * These types are re-exported from `@mosaicstack/types` for shared use across packages.
  */
 
 // ─── Classification primitives ───────────────────────────────────────────────
@@ -23,7 +23,7 @@ export type Domain = 'frontend' | 'backend' | 'devops' | 'docs' | 'general';
 
 /**
  * Cost tier for model selection.
- * Extends the existing `CostTier` in `@mosaic/types` with `local` for self-hosted models.
+ * Extends the existing `CostTier` in `@mosaicstack/types` with `local` for self-hosted models.
  */
 export type CostTier = 'cheap' | 'standard' | 'premium' | 'local';
 

apps/gateway/src/agent/tools/brain-tools.ts

@@ -1,6 +1,6 @@
 import { Type } from '@sinclair/typebox';
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
 
 export function createBrainTools(brain: Brain): ToolDefinition[] {
   const listProjects: ToolDefinition = {

apps/gateway/src/agent/tools/file-tools.ts

@@ -190,5 +190,169 @@ export function createFileTools(baseDir: string): ToolDefinition[] {
     },
   };
 
-  return [readFileTool, writeFileTool, listDirectoryTool];
+  const editFileTool: ToolDefinition = {
+    name: 'fs_edit_file',
+    label: 'Edit File',
+    description:
+      'Make targeted text replacements in a file. Each edit replaces an exact match of oldText with newText. ' +
+      'All edits are matched against the original file content (not incrementally). ' +
+      'Each oldText must be unique in the file and edits must not overlap.',
+    parameters: Type.Object({
+      path: Type.String({
+        description: 'File path (relative to sandbox base or absolute within it)',
+      }),
+      edits: Type.Array(
+        Type.Object({
+          oldText: Type.String({
+            description: 'Exact text to find and replace (must be unique in the file)',
+          }),
+          newText: Type.String({ description: 'Replacement text' }),
+        }),
+        { description: 'One or more targeted replacements', minItems: 1 },
+      ),
+    }),
+    async execute(_toolCallId, params) {
+      const { path, edits } = params as {
+        path: string;
+        edits: Array<{ oldText: string; newText: string }>;
+      };
+
+      let safePath: string;
+      try {
+        safePath = guardPath(path, baseDir);
+      } catch (err) {
+        if (err instanceof SandboxEscapeError) {
+          return {
+            content: [{ type: 'text' as const, text: `Error: ${err.message}` }],
+            details: undefined,
+          };
+        }
+        return {
+          content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
+          details: undefined,
+        };
+      }
+
+      try {
+        const info = await stat(safePath);
+        if (!info.isFile()) {
+          return {
+            content: [{ type: 'text' as const, text: `Error: path is not a file: ${path}` }],
+            details: undefined,
+          };
+        }
+        if (info.size > MAX_READ_BYTES) {
+          return {
+            content: [
+              {
+                type: 'text' as const,
+                text: `Error: file too large for editing (${info.size} bytes, limit ${MAX_READ_BYTES} bytes)`,
+              },
+            ],
+            details: undefined,
+          };
+        }
+      } catch (err) {
+        return {
+          content: [{ type: 'text' as const, text: `Error reading file: ${String(err)}` }],
+          details: undefined,
+        };
+      }
+
+      let content: string;
+      try {
+        content = await readFile(safePath, { encoding: 'utf8' });
+      } catch (err) {
+        return {
+          content: [{ type: 'text' as const, text: `Error reading file: ${String(err)}` }],
+          details: undefined,
+        };
+      }
+
+      // Validate all edits before applying any
+      const errors: string[] = [];
+      for (let i = 0; i < edits.length; i++) {
+        const edit = edits[i]!;
+        const occurrences = content.split(edit.oldText).length - 1;
+        if (occurrences === 0) {
+          errors.push(`Edit ${i + 1}: oldText not found in file`);
+        } else if (occurrences > 1) {
+          errors.push(`Edit ${i + 1}: oldText matches ${occurrences} locations (must be unique)`);
+        }
+      }
+
+      // Check for overlapping edits
+      if (errors.length === 0) {
+        const positions = edits.map((edit, i) => ({
+          index: i,
+          start: content.indexOf(edit.oldText),
+          end: content.indexOf(edit.oldText) + edit.oldText.length,
+        }));
+        positions.sort((a, b) => a.start - b.start);
+        for (let i = 1; i < positions.length; i++) {
+          if (positions[i]!.start < positions[i - 1]!.end) {
+            errors.push(
+              `Edits ${positions[i - 1]!.index + 1} and ${positions[i]!.index + 1} overlap`,
+            );
+          }
+        }
+      }
+
+      if (errors.length > 0) {
+        return {
+          content: [
+            {
+              type: 'text' as const,
+              text: `Edit validation failed:\n${errors.join('\n')}`,
+            },
+          ],
+          details: undefined,
+        };
+      }
+
+      // Apply edits: process from end to start to preserve positions
+      const positions = edits.map((edit) => ({
+        edit,
+        start: content.indexOf(edit.oldText),
+      }));
+      positions.sort((a, b) => b.start - a.start); // reverse order
+
+      let result = content;
+      for (const { edit } of positions) {
+        result = result.replace(edit.oldText, edit.newText);
+      }
+
+      if (Buffer.byteLength(result, 'utf8') > MAX_WRITE_BYTES) {
+        return {
+          content: [
+            {
+              type: 'text' as const,
+              text: `Error: resulting file too large (limit ${MAX_WRITE_BYTES} bytes)`,
+            },
+          ],
+          details: undefined,
+        };
+      }
+
+      try {
+        await writeFile(safePath, result, { encoding: 'utf8' });
+        return {
+          content: [
+            {
+              type: 'text' as const,
+              text: `File edited successfully: ${path} (${edits.length} edit(s) applied)`,
+            },
+          ],
+          details: undefined,
+        };
+      } catch (err) {
+        return {
+          content: [{ type: 'text' as const, text: `Error writing file: ${String(err)}` }],
+          details: undefined,
+        };
+      }
+    },
+  };
+
+  return [readFileTool, writeFileTool, listDirectoryTool, editFileTool];
 }

apps/gateway/src/agent/tools/index.ts

@@ -2,6 +2,7 @@ export { createBrainTools } from './brain-tools.js';
 export { createCoordTools } from './coord-tools.js';
 export { createFileTools } from './file-tools.js';
 export { createGitTools } from './git-tools.js';
+export { createSearchTools } from './search-tools.js';
 export { createShellTools } from './shell-tools.js';
 export { createWebTools } from './web-tools.js';
 export { createSkillTools } from './skill-tools.js';

apps/gateway/src/agent/tools/memory-tools.ts

@@ -1,7 +1,7 @@
 import { Type } from '@sinclair/typebox';
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
-import type { Memory } from '@mosaic/memory';
+import type { Memory } from '@mosaicstack/memory';
-import type { EmbeddingProvider } from '@mosaic/memory';
+import type { EmbeddingProvider } from '@mosaicstack/memory';
 
 /**
  * Create memory tools bound to the session's authenticated userId.

apps/gateway/src/agent/tools/search-tools.ts

@@ -0,0 +1,496 @@
+import { Type } from '@sinclair/typebox';
+import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
+
+const DEFAULT_TIMEOUT_MS = 15_000;
+const MAX_RESULTS = 10;
+const MAX_RESPONSE_BYTES = 256 * 1024; // 256 KB
+
+// ─── Provider helpers ────────────────────────────────────────────────────────
+
+interface SearchResult {
+  title: string;
+  url: string;
+  snippet: string;
+}
+
+interface SearchResponse {
+  provider: string;
+  query: string;
+  results: SearchResult[];
+  error?: string;
+}
+
+async function fetchWithTimeout(
+  url: string,
+  init: RequestInit,
+  timeoutMs: number,
+): Promise<Response> {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...init, signal: controller.signal });
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+async function readLimited(response: Response): Promise<string> {
+  const reader = response.body?.getReader();
+  if (!reader) return '';
+  const chunks: Uint8Array[] = [];
+  let total = 0;
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    total += value.length;
+    if (total > MAX_RESPONSE_BYTES) {
+      chunks.push(value.subarray(0, MAX_RESPONSE_BYTES - (total - value.length)));
+      reader.cancel();
+      break;
+    }
+    chunks.push(value);
+  }
+  const combined = new Uint8Array(chunks.reduce((a, c) => a + c.length, 0));
+  let offset = 0;
+  for (const chunk of chunks) {
+    combined.set(chunk, offset);
+    offset += chunk.length;
+  }
+  return new TextDecoder().decode(combined);
+}
+
+// ─── Brave Search ────────────────────────────────────────────────────────────
+
+async function searchBrave(query: string, limit: number): Promise<SearchResponse> {
+  const apiKey = process.env['BRAVE_API_KEY'];
+  if (!apiKey) return { provider: 'brave', query, results: [], error: 'BRAVE_API_KEY not set' };
+
+  try {
+    const params = new URLSearchParams({
+      q: query,
+      count: String(Math.min(limit, 20)),
+    });
+    const res = await fetchWithTimeout(
+      `https://api.search.brave.com/res/v1/web/search?${params}`,
+      { headers: { 'X-Subscription-Token': apiKey, Accept: 'application/json' } },
+      DEFAULT_TIMEOUT_MS,
+    );
+    if (!res.ok) {
+      const body = await res.text().catch(() => '');
+      return { provider: 'brave', query, results: [], error: `HTTP ${res.status}: ${body}` };
+    }
+    const data = (await res.json()) as {
+      web?: { results?: Array<{ title: string; url: string; description: string }> };
+    };
+    const results: SearchResult[] = (data.web?.results ?? []).slice(0, limit).map((r) => ({
+      title: r.title,
+      url: r.url,
+      snippet: r.description,
+    }));
+    return { provider: 'brave', query, results };
+  } catch (err) {
+    return {
+      provider: 'brave',
+      query,
+      results: [],
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+
+// ─── Tavily Search ───────────────────────────────────────────────────────────
+
+async function searchTavily(query: string, limit: number): Promise<SearchResponse> {
+  const apiKey = process.env['TAVILY_API_KEY'];
+  if (!apiKey) return { provider: 'tavily', query, results: [], error: 'TAVILY_API_KEY not set' };
+
+  try {
+    const res = await fetchWithTimeout(
+      'https://api.tavily.com/search',
+      {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          api_key: apiKey,
+          query,
+          max_results: Math.min(limit, 10),
+          include_answer: false,
+        }),
+      },
+      DEFAULT_TIMEOUT_MS,
+    );
+    if (!res.ok) {
+      const body = await res.text().catch(() => '');
+      return { provider: 'tavily', query, results: [], error: `HTTP ${res.status}: ${body}` };
+    }
+    const data = (await res.json()) as {
+      results?: Array<{ title: string; url: string; content: string }>;
+    };
+    const results: SearchResult[] = (data.results ?? []).slice(0, limit).map((r) => ({
+      title: r.title,
+      url: r.url,
+      snippet: r.content,
+    }));
+    return { provider: 'tavily', query, results };
+  } catch (err) {
+    return {
+      provider: 'tavily',
+      query,
+      results: [],
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+
+// ─── SearXNG (self-hosted) ───────────────────────────────────────────────────
+
+async function searchSearxng(query: string, limit: number): Promise<SearchResponse> {
+  const baseUrl = process.env['SEARXNG_URL'];
+  if (!baseUrl) return { provider: 'searxng', query, results: [], error: 'SEARXNG_URL not set' };
+
+  try {
+    const params = new URLSearchParams({
+      q: query,
+      format: 'json',
+      pageno: '1',
+    });
+    const res = await fetchWithTimeout(
+      `${baseUrl.replace(/\/$/, '')}/search?${params}`,
+      { headers: { Accept: 'application/json' } },
+      DEFAULT_TIMEOUT_MS,
+    );
+    if (!res.ok) {
+      const body = await res.text().catch(() => '');
+      return { provider: 'searxng', query, results: [], error: `HTTP ${res.status}: ${body}` };
+    }
+    const data = (await res.json()) as {
+      results?: Array<{ title: string; url: string; content: string }>;
+    };
+    const results: SearchResult[] = (data.results ?? []).slice(0, limit).map((r) => ({
+      title: r.title,
+      url: r.url,
+      snippet: r.content,
+    }));
+    return { provider: 'searxng', query, results };
+  } catch (err) {
+    return {
+      provider: 'searxng',
+      query,
+      results: [],
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+
+// ─── DuckDuckGo (lite HTML endpoint) ─────────────────────────────────────────
+
+async function searchDuckDuckGo(query: string, limit: number): Promise<SearchResponse> {
+  try {
+    // Use the DuckDuckGo Instant Answer API (JSON, free, no key)
+    const params = new URLSearchParams({
+      q: query,
+      format: 'json',
+      no_html: '1',
+      skip_disambig: '1',
+    });
+    const res = await fetchWithTimeout(
+      `https://api.duckduckgo.com/?${params}`,
+      { headers: { Accept: 'application/json' } },
+      DEFAULT_TIMEOUT_MS,
+    );
+    if (!res.ok) {
+      return {
+        provider: 'duckduckgo',
+        query,
+        results: [],
+        error: `HTTP ${res.status}`,
+      };
+    }
+    const text = await readLimited(res);
+    const data = JSON.parse(text) as {
+      AbstractText?: string;
+      AbstractURL?: string;
+      AbstractSource?: string;
+      RelatedTopics?: Array<{
+        Text?: string;
+        FirstURL?: string;
+        Result?: string;
+        Topics?: Array<{ Text?: string; FirstURL?: string }>;
+      }>;
+    };
+
+    const results: SearchResult[] = [];
+
+    // Main abstract result
+    if (data.AbstractText && data.AbstractURL) {
+      results.push({
+        title: data.AbstractSource ?? 'DuckDuckGo Abstract',
+        url: data.AbstractURL,
+        snippet: data.AbstractText,
+      });
+    }
+
+    // Related topics
+    for (const topic of data.RelatedTopics ?? []) {
+      if (results.length >= limit) break;
+      if (topic.Text && topic.FirstURL) {
+        results.push({
+          title: topic.Text.slice(0, 120),
+          url: topic.FirstURL,
+          snippet: topic.Text,
+        });
+      }
+      // Sub-topics
+      for (const sub of topic.Topics ?? []) {
+        if (results.length >= limit) break;
+        if (sub.Text && sub.FirstURL) {
+          results.push({
+            title: sub.Text.slice(0, 120),
+            url: sub.FirstURL,
+            snippet: sub.Text,
+          });
+        }
+      }
+    }
+
+    return { provider: 'duckduckgo', query, results: results.slice(0, limit) };
+  } catch (err) {
+    return {
+      provider: 'duckduckgo',
+      query,
+      results: [],
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+
+// ─── Provider resolution ─────────────────────────────────────────────────────
+
+type SearchProvider = 'brave' | 'tavily' | 'searxng' | 'duckduckgo' | 'auto';
+
+function getAvailableProviders(): SearchProvider[] {
+  const available: SearchProvider[] = [];
+  if (process.env['BRAVE_API_KEY']) available.push('brave');
+  if (process.env['TAVILY_API_KEY']) available.push('tavily');
+  if (process.env['SEARXNG_URL']) available.push('searxng');
+  // DuckDuckGo is always available (no API key needed)
+  available.push('duckduckgo');
+  return available;
+}
+
+async function executeSearch(
+  provider: SearchProvider,
+  query: string,
+  limit: number,
+): Promise<SearchResponse> {
+  switch (provider) {
+    case 'brave':
+      return searchBrave(query, limit);
+    case 'tavily':
+      return searchTavily(query, limit);
+    case 'searxng':
+      return searchSearxng(query, limit);
+    case 'duckduckgo':
+      return searchDuckDuckGo(query, limit);
+    case 'auto': {
+      // Try providers in priority order: Brave > Tavily > SearXNG > DuckDuckGo
+      const available = getAvailableProviders();
+      for (const p of available) {
+        const result = await executeSearch(p, query, limit);
+        if (!result.error && result.results.length > 0) return result;
+      }
+      // Fall back to DuckDuckGo if everything failed
+      return searchDuckDuckGo(query, limit);
+    }
+  }
+}
+
+function formatSearchResults(response: SearchResponse): string {
+  const lines: string[] = [];
+  lines.push(`Search provider: ${response.provider}`);
+  lines.push(`Query: "${response.query}"`);
+
+  if (response.error) {
+    lines.push(`Error: ${response.error}`);
+  }
+
+  if (response.results.length === 0) {
+    lines.push('No results found.');
+  } else {
+    lines.push(`Results (${response.results.length}):\n`);
+    for (let i = 0; i < response.results.length; i++) {
+      const r = response.results[i]!;
+      lines.push(`${i + 1}. ${r.title}`);
+      lines.push(`   URL: ${r.url}`);
+      lines.push(`   ${r.snippet}`);
+      lines.push('');
+    }
+  }
+  return lines.join('\n');
+}
+
+// ─── Tool exports ────────────────────────────────────────────────────────────
+
+export function createSearchTools(): ToolDefinition[] {
+  const webSearch: ToolDefinition = {
+    name: 'web_search',
+    label: 'Web Search',
+    description:
+      'Search the web using configured search providers. ' +
+      'Supports Brave, Tavily, SearXNG, and DuckDuckGo. ' +
+      'Use "auto" provider to pick the best available. ' +
+      'DuckDuckGo is always available as a fallback (no API key needed).',
+    parameters: Type.Object({
+      query: Type.String({ description: 'Search query' }),
+      provider: Type.Optional(
+        Type.String({
+          description:
+            'Search provider: "auto" (default), "brave", "tavily", "searxng", or "duckduckgo"',
+        }),
+      ),
+      limit: Type.Optional(
+        Type.Number({ description: `Max results to return (default 5, max ${MAX_RESULTS})` }),
+      ),
+    }),
+    async execute(_toolCallId, params) {
+      const { query, provider, limit } = params as {
+        query: string;
+        provider?: string;
+        limit?: number;
+      };
+
+      const effectiveProvider = (provider ?? 'auto') as SearchProvider;
+      const validProviders = ['auto', 'brave', 'tavily', 'searxng', 'duckduckgo'];
+      if (!validProviders.includes(effectiveProvider)) {
+        return {
+          content: [
+            {
+              type: 'text' as const,
+              text: `Invalid provider "${provider}". Valid: ${validProviders.join(', ')}`,
+            },
+          ],
+          details: undefined,
+        };
+      }
+
+      const effectiveLimit = Math.min(Math.max(limit ?? 5, 1), MAX_RESULTS);
+
+      try {
+        const response = await executeSearch(effectiveProvider, query, effectiveLimit);
+        return {
+          content: [{ type: 'text' as const, text: formatSearchResults(response) }],
+          details: undefined,
+        };
+      } catch (err) {
+        return {
+          content: [
+            {
+              type: 'text' as const,
+              text: `Search failed: ${err instanceof Error ? err.message : String(err)}`,
+            },
+          ],
+          details: undefined,
+        };
+      }
+    },
+  };
+
+  const webSearchNews: ToolDefinition = {
+    name: 'web_search_news',
+    label: 'Web Search (News)',
+    description:
+      'Search for recent news articles. Uses Brave News API if available, falls back to standard search with news keywords.',
+    parameters: Type.Object({
+      query: Type.String({ description: 'News search query' }),
+      limit: Type.Optional(
+        Type.Number({ description: `Max results (default 5, max ${MAX_RESULTS})` }),
+      ),
+    }),
+    async execute(_toolCallId, params) {
+      const { query, limit } = params as { query: string; limit?: number };
+      const effectiveLimit = Math.min(Math.max(limit ?? 5, 1), MAX_RESULTS);
+
+      // Try Brave News API first (dedicated news endpoint)
+      const braveKey = process.env['BRAVE_API_KEY'];
+      if (braveKey) {
+        try {
+          const newsParams = new URLSearchParams({
+            q: query,
+            count: String(effectiveLimit),
+          });
+          const res = await fetchWithTimeout(
+            `https://api.search.brave.com/res/v1/news/search?${newsParams}`,
+            {
+              headers: {
+                'X-Subscription-Token': braveKey,
+                Accept: 'application/json',
+              },
+            },
+            DEFAULT_TIMEOUT_MS,
+          );
+          if (res.ok) {
+            const data = (await res.json()) as {
+              results?: Array<{
+                title: string;
+                url: string;
+                description: string;
+                age?: string;
+              }>;
+            };
+            const results: SearchResult[] = (data.results ?? [])
+              .slice(0, effectiveLimit)
+              .map((r) => ({
+                title: r.title + (r.age ? ` (${r.age})` : ''),
+                url: r.url,
+                snippet: r.description,
+              }));
+            const response: SearchResponse = { provider: 'brave-news', query, results };
+            return {
+              content: [{ type: 'text' as const, text: formatSearchResults(response) }],
+              details: undefined,
+            };
+          }
+        } catch {
+          // Fall through to generic search
+        }
+      }
+
+      // Fallback: standard search with "news" appended
+      const newsQuery = `${query} news latest`;
+      const response = await executeSearch('auto', newsQuery, effectiveLimit);
+      return {
+        content: [{ type: 'text' as const, text: formatSearchResults(response) }],
+        details: undefined,
+      };
+    },
+  };
+
+  const searchProviders: ToolDefinition = {
+    name: 'web_search_providers',
+    label: 'List Search Providers',
+    description: 'List the currently available and configured web search providers.',
+    parameters: Type.Object({}),
+    async execute() {
+      const available = getAvailableProviders();
+      const allProviders = [
+        { name: 'brave', configured: !!process.env['BRAVE_API_KEY'], envVar: 'BRAVE_API_KEY' },
+        { name: 'tavily', configured: !!process.env['TAVILY_API_KEY'], envVar: 'TAVILY_API_KEY' },
+        { name: 'searxng', configured: !!process.env['SEARXNG_URL'], envVar: 'SEARXNG_URL' },
+        { name: 'duckduckgo', configured: true, envVar: '(none — always available)' },
+      ];
+
+      const lines = ['Search providers:\n'];
+      for (const p of allProviders) {
+        const status = p.configured ? '✓ configured' : '✗ not configured';
+        lines.push(`  ${p.name}: ${status} (${p.envVar})`);
+      }
+      lines.push(`\nActive providers for "auto" mode: ${available.join(', ')}`);
+      return {
+        content: [{ type: 'text' as const, text: lines.join('\n') }],
+        details: undefined,
+      };
+    },
+  };
+
+  return [webSearch, webSearchNews, searchProviders];
+}

apps/gateway/src/app.module.ts

@@ -1,6 +1,7 @@
 import { Module } from '@nestjs/common';
 import { APP_GUARD } from '@nestjs/core';
 import { HealthController } from './health/health.controller.js';
+import { ConfigModule } from './config/config.module.js';
 import { DatabaseModule } from './database/database.module.js';
 import { AuthModule } from './auth/auth.module.js';
 import { BrainModule } from './brain/brain.module.js';
@@ -28,6 +29,7 @@ import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
 @Module({
   imports: [
     ThrottlerModule.forRoot([{ name: 'default', ttl: 60_000, limit: 60 }]),
+    ConfigModule,
     DatabaseModule,
     AuthModule,
     BrainModule,

apps/gateway/src/auth/auth.controller.ts

@@ -1,6 +1,6 @@
 import type { IncomingMessage, ServerResponse } from 'node:http';
 import { toNodeHandler } from 'better-auth/node';
-import type { Auth } from '@mosaic/auth';
+import type { Auth } from '@mosaicstack/auth';
 import type { NestFastifyApplication } from '@nestjs/platform-fastify';
 import { AUTH } from './auth.tokens.js';
 

apps/gateway/src/auth/auth.guard.ts

@@ -6,7 +6,7 @@ import {
   UnauthorizedException,
 } from '@nestjs/common';
 import { fromNodeHeaders } from 'better-auth/node';
-import type { Auth } from '@mosaic/auth';
+import type { Auth } from '@mosaicstack/auth';
 import type { FastifyRequest } from 'fastify';
 import { AUTH } from './auth.tokens.js';
 

apps/gateway/src/auth/auth.module.ts

@@ -1,6 +1,6 @@
 import { Global, Module } from '@nestjs/common';
-import { createAuth, type Auth } from '@mosaic/auth';
+import { createAuth, type Auth } from '@mosaicstack/auth';
-import type { Db } from '@mosaic/db';
+import type { Db } from '@mosaicstack/db';
 import { DB } from '../database/database.module.js';
 import { AUTH } from './auth.tokens.js';
 import { SsoController } from './sso.controller.js';
@@ -14,7 +14,7 @@ import { SsoController } from './sso.controller.js';
       useFactory: (db: Db): Auth =>
         createAuth({
           db,
-          baseURL: process.env['BETTER_AUTH_URL'] ?? 'http://localhost:4000',
+          baseURL: process.env['BETTER_AUTH_URL'] ?? 'http://localhost:14242',
           secret: process.env['BETTER_AUTH_SECRET'],
         }),
       inject: [DB],

apps/gateway/src/auth/sso.controller.ts

@@ -1,5 +1,5 @@
 import { Controller, Get } from '@nestjs/common';
-import { buildSsoDiscovery, type SsoProviderDiscovery } from '@mosaic/auth';
+import { buildSsoDiscovery, type SsoProviderDiscovery } from '@mosaicstack/auth';
 
 @Controller('api/sso/providers')
 export class SsoController {

apps/gateway/src/bootstrap/tier-detector.spec.ts

@@ -0,0 +1,344 @@
+/**
+ * Unit tests for tier-detector.ts.
+ *
+ * All external I/O (postgres, ioredis) is mocked — no live services required.
+ *
+ * Note on hoisting: vi.mock() factories are hoisted above all imports by vitest.
+ * Variables referenced inside factory callbacks must be declared via vi.hoisted()
+ * so they are available at hoist time.
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+/* ------------------------------------------------------------------ */
+/*  Hoist shared mock state so factories can reference it              */
+/* ------------------------------------------------------------------ */
+
+const mocks = vi.hoisted(() => {
+  const mockSqlFn = vi.fn();
+  const mockEnd = vi.fn().mockResolvedValue(undefined);
+  const mockPostgresConstructor = vi.fn(() => {
+    const sql = mockSqlFn as ReturnType<typeof mockSqlFn>;
+    (sql as unknown as Record<string, unknown>)['end'] = mockEnd;
+    return sql;
+  });
+
+  const mockRedisConnect = vi.fn().mockResolvedValue(undefined);
+  const mockRedisPing = vi.fn().mockResolvedValue('PONG');
+  const mockRedisDisconnect = vi.fn();
+  const MockRedis = vi.fn().mockImplementation(() => ({
+    connect: mockRedisConnect,
+    ping: mockRedisPing,
+    disconnect: mockRedisDisconnect,
+  }));
+
+  return {
+    mockSqlFn,
+    mockEnd,
+    mockPostgresConstructor,
+    mockRedisConnect,
+    mockRedisPing,
+    mockRedisDisconnect,
+    MockRedis,
+  };
+});
+
+/* ------------------------------------------------------------------ */
+/*  Module mocks (registered at hoist time)                            */
+/* ------------------------------------------------------------------ */
+
+vi.mock('postgres', () => ({
+  default: mocks.mockPostgresConstructor,
+}));
+
+vi.mock('ioredis', () => ({
+  Redis: mocks.MockRedis,
+}));
+
+/* ------------------------------------------------------------------ */
+/*  Import SUT after mocks are registered                              */
+/* ------------------------------------------------------------------ */
+
+import { detectAndAssertTier, TierDetectionError } from './tier-detector.js';
+import type { MosaicConfig } from '@mosaicstack/config';
+
+/* ------------------------------------------------------------------ */
+/*  Config fixtures                                                     */
+/* ------------------------------------------------------------------ */
+
+const LOCAL_CONFIG: MosaicConfig = {
+  tier: 'local',
+  storage: { type: 'pglite', dataDir: '.mosaic/pglite' },
+  queue: { type: 'local', dataDir: '.mosaic/queue' },
+  memory: { type: 'keyword' },
+};
+
+const STANDALONE_CONFIG: MosaicConfig = {
+  tier: 'standalone',
+  storage: { type: 'postgres', url: 'postgresql://mosaic:mosaic@db-host:5432/mosaic' },
+  queue: { type: 'bullmq', url: 'redis://valkey-host:6380' },
+  memory: { type: 'keyword' },
+};
+
+const FEDERATED_CONFIG: MosaicConfig = {
+  tier: 'federated',
+  storage: {
+    type: 'postgres',
+    url: 'postgresql://mosaic:mosaic@db-host:5433/mosaic',
+    enableVector: true,
+  },
+  queue: { type: 'bullmq', url: 'redis://valkey-host:6380' },
+  memory: { type: 'pgvector' },
+};
+
+/* ------------------------------------------------------------------ */
+/*  Tests                                                               */
+/* ------------------------------------------------------------------ */
+
+describe('detectAndAssertTier', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+
+    // Default: all probes succeed.
+    mocks.mockSqlFn.mockResolvedValue([]);
+    mocks.mockEnd.mockResolvedValue(undefined);
+    mocks.mockRedisConnect.mockResolvedValue(undefined);
+    mocks.mockRedisPing.mockResolvedValue('PONG');
+
+    // Re-wire constructor to return a fresh sql-like object each time.
+    mocks.mockPostgresConstructor.mockImplementation(() => {
+      const sql = mocks.mockSqlFn as ReturnType<typeof mocks.mockSqlFn>;
+      (sql as unknown as Record<string, unknown>)['end'] = mocks.mockEnd;
+      return sql;
+    });
+    mocks.MockRedis.mockImplementation(() => ({
+      connect: mocks.mockRedisConnect,
+      ping: mocks.mockRedisPing,
+      disconnect: mocks.mockRedisDisconnect,
+    }));
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  1. local — no-op                                                 */
+  /* ---------------------------------------------------------------- */
+
+  it('resolves immediately for tier=local without touching postgres or ioredis', async () => {
+    await expect(detectAndAssertTier(LOCAL_CONFIG)).resolves.toBeUndefined();
+    expect(mocks.mockPostgresConstructor).not.toHaveBeenCalled();
+    expect(mocks.MockRedis).not.toHaveBeenCalled();
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  2. standalone — happy path                                       */
+  /* ---------------------------------------------------------------- */
+
+  it('resolves for tier=standalone when postgres and valkey are reachable', async () => {
+    await expect(detectAndAssertTier(STANDALONE_CONFIG)).resolves.toBeUndefined();
+
+    // Postgres was probed (SELECT 1 only — no pgvector check).
+    expect(mocks.mockPostgresConstructor).toHaveBeenCalledTimes(1);
+    expect(mocks.mockSqlFn).toHaveBeenCalledTimes(1);
+    // Valkey was probed.
+    expect(mocks.MockRedis).toHaveBeenCalledTimes(1);
+    expect(mocks.mockRedisPing).toHaveBeenCalledTimes(1);
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  3. standalone — postgres unreachable                             */
+  /* ---------------------------------------------------------------- */
+
+  it('throws TierDetectionError with service=postgres when postgres query rejects', async () => {
+    mocks.mockSqlFn.mockRejectedValueOnce(new Error('connection refused'));
+
+    const promise = detectAndAssertTier(STANDALONE_CONFIG);
+    await expect(promise).rejects.toBeInstanceOf(TierDetectionError);
+
+    // Confirm no valkey probe happened (fail fast on first error).
+    expect(mocks.MockRedis).not.toHaveBeenCalled();
+  });
+
+  it('sets service=postgres on the error when postgres fails', async () => {
+    mocks.mockSqlFn.mockRejectedValue(new Error('connection refused'));
+
+    try {
+      await detectAndAssertTier(STANDALONE_CONFIG);
+      expect.fail('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(TierDetectionError);
+      const typed = err as TierDetectionError;
+      expect(typed.service).toBe('postgres');
+      expect(typed.remediation).toContain('docker compose');
+    }
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  4. standalone — valkey unreachable                               */
+  /* ---------------------------------------------------------------- */
+
+  it('throws TierDetectionError with service=valkey when ping fails', async () => {
+    // Postgres probe succeeds; valkey connect fails.
+    mocks.mockSqlFn.mockResolvedValue([]);
+    mocks.mockRedisConnect.mockRejectedValue(new Error('ECONNREFUSED'));
+
+    try {
+      await detectAndAssertTier(STANDALONE_CONFIG);
+      expect.fail('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(TierDetectionError);
+      const typed = err as TierDetectionError;
+      expect(typed.service).toBe('valkey');
+      expect(typed.message).toContain('valkey');
+      expect(typed.remediation).toContain('valkey-federated');
+    }
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  5. federated — happy path                                        */
+  /* ---------------------------------------------------------------- */
+
+  it('resolves for tier=federated when all three checks pass', async () => {
+    // SELECT 1 and CREATE EXTENSION both succeed.
+    mocks.mockSqlFn.mockResolvedValue([]);
+
+    await expect(detectAndAssertTier(FEDERATED_CONFIG)).resolves.toBeUndefined();
+
+    // postgres probe (SELECT 1) + pgvector probe (CREATE EXTENSION) = 2 postgres constructors.
+    expect(mocks.mockPostgresConstructor).toHaveBeenCalledTimes(2);
+    expect(mocks.mockSqlFn).toHaveBeenCalledTimes(2);
+    // Valkey probed once.
+    expect(mocks.MockRedis).toHaveBeenCalledTimes(1);
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  6. federated — pgvector not installable                          */
+  /* ---------------------------------------------------------------- */
+
+  it('throws TierDetectionError with service=pgvector when CREATE EXTENSION fails', async () => {
+    // SELECT 1 succeeds (first call), CREATE EXTENSION fails (second call).
+    mocks.mockSqlFn
+      .mockResolvedValueOnce([]) // SELECT 1
+      .mockRejectedValueOnce(new Error('extension "vector" is not available'));
+
+    try {
+      await detectAndAssertTier(FEDERATED_CONFIG);
+      expect.fail('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(TierDetectionError);
+      const typed = err as TierDetectionError;
+      expect(typed.service).toBe('pgvector');
+      expect(typed.message).toContain('pgvector');
+      expect(typed.remediation).toContain('pgvector/pgvector');
+    }
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  7. probeValkey honors connectTimeout                             */
+  /* ---------------------------------------------------------------- */
+
+  it('constructs the ioredis Redis client with connectTimeout: 5000', async () => {
+    await detectAndAssertTier(STANDALONE_CONFIG);
+
+    expect(mocks.MockRedis).toHaveBeenCalledOnce();
+    const [, options] = mocks.MockRedis.mock.calls[0] as [string, Record<string, unknown>];
+    expect(options).toMatchObject({ connectTimeout: 5000 });
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  8. probePgvector — library-not-installed remediation             */
+  /* ---------------------------------------------------------------- */
+
+  it('includes pgvector/pgvector:pg17 in remediation when pgvector library is missing', async () => {
+    // SELECT 1 succeeds; CREATE EXTENSION fails with the canonical library-missing message.
+    mocks.mockSqlFn
+      .mockResolvedValueOnce([]) // SELECT 1 (probePostgres)
+      .mockRejectedValueOnce(new Error('extension "vector" is not available')); // probePgvector
+
+    try {
+      await detectAndAssertTier(FEDERATED_CONFIG);
+      expect.fail('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(TierDetectionError);
+      const typed = err as TierDetectionError;
+      expect(typed.service).toBe('pgvector');
+      expect(typed.remediation).toContain('pgvector/pgvector:pg17');
+    }
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  9. probePgvector — permission / other error remediation          */
+  /* ---------------------------------------------------------------- */
+
+  it('mentions CREATE permission or superuser in remediation for a generic pgvector error', async () => {
+    // SELECT 1 succeeds; CREATE EXTENSION fails with a permission error (not the library-missing message).
+    mocks.mockSqlFn
+      .mockResolvedValueOnce([]) // SELECT 1 (probePostgres)
+      .mockRejectedValueOnce(new Error('permission denied to create extension'));
+
+    try {
+      await detectAndAssertTier(FEDERATED_CONFIG);
+      expect.fail('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(TierDetectionError);
+      const typed = err as TierDetectionError;
+      expect(typed.service).toBe('pgvector');
+      // Must NOT point to the image fix — that's only for the library-missing case.
+      expect(typed.remediation).not.toContain('pgvector/pgvector:pg17');
+      // Must mention permissions or superuser.
+      expect(typed.remediation).toMatch(/CREATE|superuser/i);
+    }
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  10. federated tier rejects non-bullmq queue.type                 */
+  /* ---------------------------------------------------------------- */
+
+  it('throws TierDetectionError with service=config for federated tier with queue.type !== bullmq', async () => {
+    const badConfig: MosaicConfig = {
+      tier: 'federated',
+      storage: {
+        type: 'postgres',
+        url: 'postgresql://mosaic:mosaic@db-host:5433/mosaic',
+        enableVector: true,
+      },
+      queue: { type: 'local', dataDir: '.mosaic/queue' },
+      memory: { type: 'pgvector' },
+    };
+
+    try {
+      await detectAndAssertTier(badConfig);
+      expect.fail('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(TierDetectionError);
+      const typed = err as TierDetectionError;
+      expect(typed.service).toBe('config');
+      expect(typed.remediation).toContain('bullmq');
+    }
+
+    // No network probes should have been attempted.
+    expect(mocks.mockPostgresConstructor).not.toHaveBeenCalled();
+    expect(mocks.MockRedis).not.toHaveBeenCalled();
+  });
+
+  /* ---------------------------------------------------------------- */
+  /*  11. Error fields populated                                        */
+  /* ---------------------------------------------------------------- */
+
+  it('populates host, port, and remediation on a thrown TierDetectionError', async () => {
+    mocks.mockSqlFn.mockRejectedValue(new Error('connection refused'));
+
+    let caught: TierDetectionError | undefined;
+    try {
+      await detectAndAssertTier(STANDALONE_CONFIG);
+    } catch (err) {
+      caught = err as TierDetectionError;
+    }
+
+    expect(caught).toBeInstanceOf(TierDetectionError);
+    expect(caught!.service).toBe('postgres');
+    // Host and port are extracted from the Postgres URL in STANDALONE_CONFIG.
+    expect(caught!.host).toBe('db-host');
+    expect(caught!.port).toBe(5432);
+    expect(caught!.remediation).toMatch(/docker compose/i);
+    expect(caught!.message).toContain('db-host:5432');
+  });
+});

apps/gateway/src/bootstrap/tier-detector.ts

@@ -0,0 +1,220 @@
+/**
+ * Tier Detector — pre-flight service reachability assertions.
+ *
+ * Runs BEFORE NestFactory.create() to surface actionable errors immediately
+ * rather than crashing mid-boot with an opaque stack trace.
+ *
+ * Library choices:
+ * - Postgres: `postgres` npm package (already a dep via @mosaicstack/db / drizzle-orm).
+ *   The spec mentions `pg`, but only `postgres` is installed in this monorepo.
+ * - Valkey: `ioredis` (already a dep via @mosaicstack/queue → bullmq; same URL
+ *   convention used by the bullmq adapter).
+ */
+
+import postgres from 'postgres';
+import { Redis } from 'ioredis';
+import type { MosaicConfig } from '@mosaicstack/config';
+
+/* ------------------------------------------------------------------ */
+/*  Structured error type                                               */
+/* ------------------------------------------------------------------ */
+
+export class TierDetectionError extends Error {
+  public readonly service: 'postgres' | 'valkey' | 'pgvector' | 'config';
+  public readonly host: string;
+  public readonly port: number;
+  public readonly remediation: string;
+
+  constructor(opts: {
+    service: 'postgres' | 'valkey' | 'pgvector' | 'config';
+    host: string;
+    port: number;
+    remediation: string;
+    cause?: unknown;
+  }) {
+    const message =
+      `[tier-detector] ${opts.service} unreachable or unusable at ` +
+      `${opts.host}:${opts.port} — ${opts.remediation}`;
+    super(message, { cause: opts.cause });
+    this.name = 'TierDetectionError';
+    this.service = opts.service;
+    this.host = opts.host;
+    this.port = opts.port;
+    this.remediation = opts.remediation;
+  }
+}
+
+/* ------------------------------------------------------------------ */
+/*  URL helpers                                                        */
+/* ------------------------------------------------------------------ */
+
+/** Extract host and port from a URL string, returning safe fallbacks on parse failure. */
+function parseHostPort(url: string, defaultPort: number): { host: string; port: number } {
+  try {
+    const parsed = new URL(url);
+    const host = parsed.hostname || 'unknown';
+    const port = parsed.port ? parseInt(parsed.port, 10) : defaultPort;
+    return { host, port };
+  } catch {
+    return { host: 'unknown', port: defaultPort };
+  }
+}
+
+/* ------------------------------------------------------------------ */
+/*  Postgres probe                                                      */
+/* ------------------------------------------------------------------ */
+
+async function probePostgres(url: string): Promise<void> {
+  const { host, port } = parseHostPort(url, 5432);
+  let sql: ReturnType<typeof postgres> | undefined;
+  try {
+    sql = postgres(url, {
+      max: 1,
+      connect_timeout: 5,
+      idle_timeout: 5,
+    });
+    // Run a trivial query to confirm connectivity.
+    await sql`SELECT 1`;
+  } catch (cause) {
+    throw new TierDetectionError({
+      service: 'postgres',
+      host,
+      port,
+      remediation:
+        'Start Postgres: `docker compose -f docker-compose.federated.yml --profile federated up -d postgres-federated`',
+      cause,
+    });
+  } finally {
+    if (sql) {
+      await sql.end({ timeout: 2 }).catch(() => {
+        // Ignore cleanup errors — we already have what we need.
+      });
+    }
+  }
+}
+
+/* ------------------------------------------------------------------ */
+/*  pgvector probe                                                      */
+/* ------------------------------------------------------------------ */
+
+async function probePgvector(url: string): Promise<void> {
+  const { host, port } = parseHostPort(url, 5432);
+  let sql: ReturnType<typeof postgres> | undefined;
+  try {
+    sql = postgres(url, {
+      max: 1,
+      connect_timeout: 5,
+      idle_timeout: 5,
+    });
+    // This succeeds whether the extension is already installed or freshly created.
+    // It errors only if the pgvector shared library is missing from the Postgres binary.
+    await sql`CREATE EXTENSION IF NOT EXISTS vector`;
+  } catch (cause) {
+    const causeMsg = cause instanceof Error ? cause.message.toLowerCase() : '';
+    const isLibraryMissing = causeMsg.includes('extension "vector" is not available');
+    const remediation = isLibraryMissing
+      ? 'Use the `pgvector/pgvector:pg17` image, not the stock `postgres:17` image. See `docker-compose.federated.yml`.'
+      : 'The database role lacks permission to CREATE EXTENSION. Grant `CREATE` on the database, or run as a superuser.';
+    throw new TierDetectionError({
+      service: 'pgvector',
+      host,
+      port,
+      remediation,
+      cause,
+    });
+  } finally {
+    if (sql) {
+      await sql.end({ timeout: 2 }).catch(() => {
+        // Ignore cleanup errors.
+      });
+    }
+  }
+}
+
+/* ------------------------------------------------------------------ */
+/*  Valkey probe                                                        */
+/* ------------------------------------------------------------------ */
+
+const DEFAULT_VALKEY_URL = 'redis://localhost:6380';
+
+async function probeValkey(url: string): Promise<void> {
+  const { host, port } = parseHostPort(url, 6380);
+  const client = new Redis(url, {
+    enableReadyCheck: false,
+    maxRetriesPerRequest: 0,
+    retryStrategy: () => null, // no retries — fail fast
+    lazyConnect: true,
+    connectTimeout: 5000, // fail-fast: 5-second hard cap on connection attempt
+  });
+
+  try {
+    await client.connect();
+    const pong = await client.ping();
+    if (pong !== 'PONG') {
+      throw new Error(`Unexpected PING response: ${pong}`);
+    }
+  } catch (cause) {
+    throw new TierDetectionError({
+      service: 'valkey',
+      host,
+      port,
+      remediation:
+        'Start Valkey: `docker compose -f docker-compose.federated.yml --profile federated up -d valkey-federated`',
+      cause,
+    });
+  } finally {
+    client.disconnect();
+  }
+}
+
+/* ------------------------------------------------------------------ */
+/*  Public entry point                                                  */
+/* ------------------------------------------------------------------ */
+
+/**
+ * Assert that all services required by `config.tier` are reachable.
+ *
+ * - `local`      — no-op (PGlite is in-process; no external services).
+ * - `standalone` — assert Postgres + Valkey (if queue.type === 'bullmq').
+ * - `federated`  — assert Postgres + Valkey + pgvector installability.
+ *
+ * Throws `TierDetectionError` on the first failure with host:port and
+ * a remediation hint.
+ */
+export async function detectAndAssertTier(config: MosaicConfig): Promise<void> {
+  if (config.tier === 'local') {
+    // PGlite runs in-process — nothing to probe.
+    return;
+  }
+
+  const pgUrl =
+    config.storage.type === 'postgres' ? config.storage.url : 'postgresql://localhost:5432/mosaic';
+
+  const valkeyUrl =
+    config.queue.type === 'bullmq' ? (config.queue.url ?? DEFAULT_VALKEY_URL) : null;
+
+  if (config.tier === 'standalone') {
+    await probePostgres(pgUrl);
+    if (valkeyUrl) {
+      await probeValkey(valkeyUrl);
+    }
+    return;
+  }
+
+  // tier === 'federated'
+  // Reject misconfigured queue upfront — federated requires bullmq + a Valkey URL.
+  if (config.queue.type !== 'bullmq') {
+    throw new TierDetectionError({
+      service: 'config',
+      host: 'localhost',
+      port: 0,
+      remediation:
+        "Federated tier requires queue.type === 'bullmq'. " +
+        "Set queue: { type: 'bullmq', url: 'redis://...' } in your mosaic.config.json.",
+    });
+  }
+  const federatedValkeyUrl = config.queue.url ?? DEFAULT_VALKEY_URL;
+  await probePostgres(pgUrl);
+  await probeValkey(federatedValkeyUrl);
+  await probePgvector(pgUrl);
+}

apps/gateway/src/brain/brain.module.ts

@@ -1,6 +1,6 @@
 import { Global, Module } from '@nestjs/common';
-import { createBrain, type Brain } from '@mosaic/brain';
+import { createBrain, type Brain } from '@mosaicstack/brain';
-import type { Db } from '@mosaic/db';
+import type { Db } from '@mosaicstack/db';
 import { DB } from '../database/database.module.js';
 import { BRAIN } from './brain.tokens.js';
 

apps/gateway/src/chat/chat.gateway.ts

@@ -11,14 +11,15 @@ import {
 } from '@nestjs/websockets';
 import { Server, Socket } from 'socket.io';
 import type { AgentSessionEvent } from '@mariozechner/pi-coding-agent';
-import type { Auth } from '@mosaic/auth';
+import type { Auth } from '@mosaicstack/auth';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
 import type {
   SetThinkingPayload,
   SlashCommandPayload,
   SystemReloadPayload,
   RoutingDecisionInfo,
-} from '@mosaic/types';
+  AbortPayload,
+} from '@mosaicstack/types';
 import { AgentService, type ConversationHistoryMessage } from '../agent/agent.service.js';
 import { AUTH } from '../auth/auth.tokens.js';
 import { BRAIN } from '../brain/brain.tokens.js';
@@ -325,6 +326,38 @@ export class ChatGateway implements OnGatewayInit, OnGatewayConnection, OnGatewa
     });
   }
 
+  @SubscribeMessage('abort')
+  async handleAbort(
+    @ConnectedSocket() client: Socket,
+    @MessageBody() data: AbortPayload,
+  ): Promise<void> {
+    const conversationId = data.conversationId;
+    this.logger.log(`Abort requested by ${client.id} for conversation ${conversationId}`);
+
+    const session = this.agentService.getSession(conversationId);
+    if (!session) {
+      client.emit('error', {
+        conversationId,
+        error: 'No active session to abort.',
+      });
+      return;
+    }
+
+    try {
+      await session.piSession.abort();
+      this.logger.log(`Agent session ${conversationId} aborted successfully`);
+    } catch (err) {
+      this.logger.error(
+        `Failed to abort session ${conversationId}`,
+        err instanceof Error ? err.stack : String(err),
+      );
+      client.emit('error', {
+        conversationId,
+        error: 'Failed to abort the agent operation.',
+      });
+    }
+  }
+
   @SubscribeMessage('command:execute')
   async handleCommandExecute(
     @ConnectedSocket() client: Socket,

apps/gateway/src/commands/command-executor-p8012.spec.ts

@@ -1,6 +1,6 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { CommandExecutorService } from './command-executor.service.js';
-import type { SlashCommandPayload } from '@mosaic/types';
+import type { SlashCommandPayload } from '@mosaicstack/types';
 
 // Minimal mock implementations
 const mockRegistry = {
@@ -82,6 +82,7 @@ function buildService(): CommandExecutorService {
     mockBrain as never,
     null,
     mockChatGateway as never,
+    null,
   );
 }
 

apps/gateway/src/commands/command-executor.service.ts

@@ -1,12 +1,13 @@
 import { forwardRef, Inject, Injectable, Logger, Optional } from '@nestjs/common';
-import type { QueueHandle } from '@mosaic/queue';
+import type { QueueHandle } from '@mosaicstack/queue';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
-import type { SlashCommandPayload, SlashCommandResultPayload } from '@mosaic/types';
+import type { SlashCommandPayload, SlashCommandResultPayload } from '@mosaicstack/types';
 import { AgentService } from '../agent/agent.service.js';
 import { ChatGateway } from '../chat/chat.gateway.js';
 import { SessionGCService } from '../gc/session-gc.service.js';
 import { SystemOverrideService } from '../preferences/system-override.service.js';
 import { ReloadService } from '../reload/reload.service.js';
+import { McpClientService } from '../mcp-client/mcp-client.service.js';
 import { BRAIN } from '../brain/brain.tokens.js';
 import { COMMANDS_REDIS } from './commands.tokens.js';
 import { CommandRegistryService } from './command-registry.service.js';
@@ -28,6 +29,9 @@ export class CommandExecutorService {
     @Optional()
     @Inject(forwardRef(() => ChatGateway))
     private readonly chatGateway: ChatGateway | null,
+    @Optional()
+    @Inject(McpClientService)
+    private readonly mcpClient: McpClientService | null,
   ) {}
 
   async execute(payload: SlashCommandPayload, userId: string): Promise<SlashCommandResultPayload> {
@@ -105,6 +109,8 @@ export class CommandExecutorService {
           };
         case 'tools':
           return await this.handleTools(conversationId, userId);
+        case 'mcp':
+          return await this.handleMcp(args ?? null, conversationId);
         case 'reload': {
           if (!this.reloadService) {
             return {
@@ -489,4 +495,92 @@ export class CommandExecutorService {
       conversationId,
     };
   }
+
+  private async handleMcp(
+    args: string | null,
+    conversationId: string,
+  ): Promise<SlashCommandResultPayload> {
+    if (!this.mcpClient) {
+      return {
+        command: 'mcp',
+        conversationId,
+        success: false,
+        message: 'MCP client service is not available.',
+      };
+    }
+
+    const action = args?.trim().split(/\s+/)[0] ?? 'status';
+
+    switch (action) {
+      case 'status':
+      case 'servers': {
+        const statuses = this.mcpClient.getServerStatuses();
+        if (statuses.length === 0) {
+          return {
+            command: 'mcp',
+            conversationId,
+            success: true,
+            message:
+              'No MCP servers configured. Set MCP_SERVERS env var to connect external tool servers.',
+          };
+        }
+        const lines = ['MCP Server Status:\n'];
+        for (const s of statuses) {
+          const status = s.connected ? '✓ connected' : '✗ disconnected';
+          lines.push(`  ${s.name}: ${status}`);
+          lines.push(`    URL: ${s.url}`);
+          lines.push(`    Tools: ${s.toolCount}`);
+          if (s.error) lines.push(`    Error: ${s.error}`);
+          lines.push('');
+        }
+        const tools = this.mcpClient.getToolDefinitions();
+        if (tools.length > 0) {
+          lines.push(`Total bridged tools: ${tools.length}`);
+          lines.push(`Tool names: ${tools.map((t) => t.name).join(', ')}`);
+        }
+        return {
+          command: 'mcp',
+          conversationId,
+          success: true,
+          message: lines.join('\n'),
+        };
+      }
+
+      case 'reconnect': {
+        const serverName = args?.trim().split(/\s+/).slice(1).join(' ');
+        if (!serverName) {
+          return {
+            command: 'mcp',
+            conversationId,
+            success: false,
+            message: 'Usage: /mcp reconnect <server-name>',
+          };
+        }
+        try {
+          await this.mcpClient.reconnectServer(serverName);
+          return {
+            command: 'mcp',
+            conversationId,
+            success: true,
+            message: `MCP server "${serverName}" reconnected successfully.`,
+          };
+        } catch (err) {
+          return {
+            command: 'mcp',
+            conversationId,
+            success: false,
+            message: `Failed to reconnect MCP server "${serverName}": ${err instanceof Error ? err.message : String(err)}`,
+          };
+        }
+      }
+
+      default:
+        return {
+          command: 'mcp',
+          conversationId,
+          success: false,
+          message: `Unknown MCP action: "${action}". Use: /mcp status, /mcp servers, /mcp reconnect <name>`,
+        };
+    }
+  }
 }

apps/gateway/src/commands/command-registry.service.spec.ts

@@ -1,6 +1,6 @@
 import { describe, it, expect, beforeEach } from 'vitest';
 import { CommandRegistryService } from './command-registry.service.js';
-import type { CommandDef } from '@mosaic/types';
+import type { CommandDef } from '@mosaicstack/types';
 
 const mockCmd: CommandDef = {
   name: 'test',

apps/gateway/src/commands/command-registry.service.ts

@@ -1,5 +1,5 @@
 import { Injectable, type OnModuleInit } from '@nestjs/common';
-import type { CommandDef, CommandManifest } from '@mosaic/types';
+import type { CommandDef, CommandManifest } from '@mosaicstack/types';
 
 @Injectable()
 export class CommandRegistryService implements OnModuleInit {
@@ -260,6 +260,23 @@ export class CommandRegistryService implements OnModuleInit {
         execution: 'socket',
         available: true,
       },
+      {
+        name: 'mcp',
+        description: 'Manage MCP server connections (status/reconnect/servers)',
+        aliases: [],
+        args: [
+          {
+            name: 'action',
+            type: 'enum',
+            optional: true,
+            values: ['status', 'reconnect', 'servers'],
+            description: 'Action: status (default), reconnect <name>, servers',
+          },
+        ],
+        scope: 'agent',
+        execution: 'socket',
+        available: true,
+      },
       {
         name: 'reload',
         description: 'Soft-reload gateway plugins and command manifest (admin)',

apps/gateway/src/commands/commands.integration.spec.ts

@@ -13,7 +13,7 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { CommandRegistryService } from './command-registry.service.js';
 import { CommandExecutorService } from './command-executor.service.js';
-import type { SlashCommandPayload } from '@mosaic/types';
+import type { SlashCommandPayload } from '@mosaicstack/types';
 
 // ─── Mocks ───────────────────────────────────────────────────────────────────
 
@@ -65,6 +65,7 @@ function buildExecutor(registry: CommandRegistryService): CommandExecutorService
     mockBrain as never,
     null, // reloadService (optional)
     null, // chatGateway (optional)
+    null, // mcpClient (optional)
   );
 }
 

apps/gateway/src/commands/commands.module.ts

@@ -1,5 +1,5 @@
 import { forwardRef, Inject, Module, type OnApplicationShutdown } from '@nestjs/common';
-import { createQueue, type QueueHandle } from '@mosaic/queue';
+import { createQueue, type QueueHandle } from '@mosaicstack/queue';
 import { ChatModule } from '../chat/chat.module.js';
 import { GCModule } from '../gc/gc.module.js';
 import { ReloadModule } from '../reload/reload.module.js';

apps/gateway/src/config/config.module.ts

@@ -0,0 +1,16 @@
+import { Global, Module } from '@nestjs/common';
+import { loadConfig, type MosaicConfig } from '@mosaicstack/config';
+
+export const MOSAIC_CONFIG = 'MOSAIC_CONFIG';
+
+@Global()
+@Module({
+  providers: [
+    {
+      provide: MOSAIC_CONFIG,
+      useFactory: (): MosaicConfig => loadConfig(),
+    },
+  ],
+  exports: [MOSAIC_CONFIG],
+})
+export class ConfigModule {}

apps/gateway/src/conversations/conversations.controller.ts

@@ -15,7 +15,7 @@ import {
   Query,
   UseGuards,
 } from '@nestjs/common';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
 import { BRAIN } from '../brain/brain.tokens.js';
 import { AuthGuard } from '../auth/auth.guard.js';
 import { CurrentUser } from '../auth/current-user.decorator.js';

apps/gateway/src/coord/coord.service.ts

@@ -8,7 +8,7 @@ import {
   type MissionStatusSummary,
   type MissionTask,
   type TaskDetail,
-} from '@mosaic/coord';
+} from '@mosaicstack/coord';
 import { promises as fs } from 'node:fs';
 import path from 'node:path';
 

apps/gateway/src/database/database.module.ts

@@ -1,28 +1,51 @@
+import { mkdirSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
 import { Global, Inject, Module, type OnApplicationShutdown } from '@nestjs/common';
-import { createDb, type Db, type DbHandle } from '@mosaic/db';
+import { createDb, createPgliteDb, type Db, type DbHandle } from '@mosaicstack/db';
+import { createStorageAdapter, type StorageAdapter } from '@mosaicstack/storage';
+import type { MosaicConfig } from '@mosaicstack/config';
+import { MOSAIC_CONFIG } from '../config/config.module.js';
 
 export const DB_HANDLE = 'DB_HANDLE';
 export const DB = 'DB';
+export const STORAGE_ADAPTER = 'STORAGE_ADAPTER';
 
 @Global()
 @Module({
   providers: [
     {
       provide: DB_HANDLE,
-      useFactory: (): DbHandle => createDb(),
+      useFactory: (config: MosaicConfig): DbHandle => {
+        if (config.tier === 'local') {
+          const dataDir = join(homedir(), '.config', 'mosaic', 'gateway', 'pglite');
+          mkdirSync(dataDir, { recursive: true });
+          return createPgliteDb(dataDir);
+        }
+        return createDb(config.storage.type === 'postgres' ? config.storage.url : undefined);
+      },
+      inject: [MOSAIC_CONFIG],
     },
     {
       provide: DB,
       useFactory: (handle: DbHandle): Db => handle.db,
       inject: [DB_HANDLE],
     },
+    {
+      provide: STORAGE_ADAPTER,
+      useFactory: (config: MosaicConfig): StorageAdapter => createStorageAdapter(config.storage),
+      inject: [MOSAIC_CONFIG],
+    },
   ],
-  exports: [DB],
+  exports: [DB, STORAGE_ADAPTER],
 })
 export class DatabaseModule implements OnApplicationShutdown {
-  constructor(@Inject(DB_HANDLE) private readonly handle: DbHandle) {}
+  constructor(
+    @Inject(DB_HANDLE) private readonly handle: DbHandle,
+    @Inject(STORAGE_ADAPTER) private readonly storageAdapter: StorageAdapter,
+  ) {}
 
   async onApplicationShutdown(): Promise<void> {
-    await this.handle.close();
+    await Promise.all([this.handle.close(), this.storageAdapter.close()]);
   }
 }

apps/gateway/src/gc/gc.module.ts

@@ -1,5 +1,5 @@
 import { Module, type OnApplicationShutdown, Inject } from '@nestjs/common';
-import { createQueue, type QueueHandle } from '@mosaic/queue';
+import { createQueue, type QueueHandle } from '@mosaicstack/queue';
 import { SessionGCService } from './session-gc.service.js';
 import { REDIS } from './gc.tokens.js';
 

apps/gateway/src/gc/session-gc.service.spec.ts

@@ -1,7 +1,7 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { Logger } from '@nestjs/common';
-import type { QueueHandle } from '@mosaic/queue';
+import type { QueueHandle } from '@mosaicstack/queue';
-import type { LogService } from '@mosaic/log';
+import type { LogService } from '@mosaicstack/log';
 import { SessionGCService } from './session-gc.service.js';
 
 type MockRedis = {

apps/gateway/src/gc/session-gc.service.ts

@@ -1,6 +1,6 @@
 import { Inject, Injectable, Logger, type OnModuleInit } from '@nestjs/common';
-import type { QueueHandle } from '@mosaic/queue';
+import type { QueueHandle } from '@mosaicstack/queue';
-import type { LogService } from '@mosaic/log';
+import type { LogService } from '@mosaicstack/log';
 import { LOG_SERVICE } from '../log/log.tokens.js';
 import { REDIS } from './gc.tokens.js';
 

apps/gateway/src/log/log.controller.ts

@@ -1,5 +1,5 @@
 import { Body, Controller, Get, Inject, Param, Post, Query, UseGuards } from '@nestjs/common';
-import type { LogService } from '@mosaic/log';
+import type { LogService } from '@mosaicstack/log';
 import { LOG_SERVICE } from './log.tokens.js';
 import { AuthGuard } from '../auth/auth.guard.js';
 import type { IngestLogDto, QueryLogsDto } from './log.dto.js';

apps/gateway/src/log/log.module.ts

@@ -1,6 +1,6 @@
 import { Global, Module } from '@nestjs/common';
-import { createLogService, type LogService } from '@mosaic/log';
+import { createLogService, type LogService } from '@mosaicstack/log';
-import type { Db } from '@mosaic/db';
+import type { Db } from '@mosaicstack/db';
 import { DB } from '../database/database.module.js';
 import { LOG_SERVICE } from './log.tokens.js';
 import { LogController } from './log.controller.js';

apps/gateway/src/log/summarization.service.ts

@@ -1,11 +1,11 @@
 import { Inject, Injectable, Logger } from '@nestjs/common';
-import type { LogService } from '@mosaic/log';
+import type { LogService } from '@mosaicstack/log';
-import type { Memory } from '@mosaic/memory';
+import type { Memory } from '@mosaicstack/memory';
 import { LOG_SERVICE } from './log.tokens.js';
 import { MEMORY } from '../memory/memory.tokens.js';
 import { EmbeddingService } from '../memory/embedding.service.js';
-import type { Db } from '@mosaic/db';
+import type { Db } from '@mosaicstack/db';
-import { sql, summarizationJobs } from '@mosaic/db';
+import { sql, summarizationJobs } from '@mosaicstack/db';
 import { DB } from '../database/database.module.js';
 
 const SUMMARIZATION_PROMPT = `You are a knowledge extraction assistant. Given the following agent interaction logs, extract the key decisions, learnings, and patterns. Output a concise summary (2-4 sentences) that captures the most important information for future reference. Focus on actionable insights, not raw events.

apps/gateway/src/main.ts

@@ -1,5 +1,13 @@
+#!/usr/bin/env node
 import { config } from 'dotenv';
-import { resolve } from 'node:path';
+import { existsSync } from 'node:fs';
+import { resolve, join } from 'node:path';
+import { homedir } from 'node:os';
+
+// Load .env from daemon config dir (global install / daemon mode).
+// Loaded first so monorepo .env can override for local dev.
+const daemonEnv = join(homedir(), '.config', 'mosaic', 'gateway', '.env');
+if (existsSync(daemonEnv)) config({ path: daemonEnv });
 
 // Load .env from monorepo root (cwd is apps/gateway when run via pnpm filter)
 config({ path: resolve(process.cwd(), '../../.env') });
@@ -11,11 +19,13 @@ import { NestFactory } from '@nestjs/core';
 import { Logger, ValidationPipe } from '@nestjs/common';
 import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fastify';
 import helmet from '@fastify/helmet';
-import { listSsoStartupWarnings } from '@mosaic/auth';
+import { listSsoStartupWarnings } from '@mosaicstack/auth';
+import { loadConfig } from '@mosaicstack/config';
 import { AppModule } from './app.module.js';
 import { mountAuthHandler } from './auth/auth.controller.js';
 import { mountMcpHandler } from './mcp/mcp.controller.js';
 import { McpService } from './mcp/mcp.service.js';
+import { detectAndAssertTier, TierDetectionError } from './bootstrap/tier-detector.js';
 
 async function bootstrap(): Promise<void> {
   const logger = new Logger('Bootstrap');
@@ -24,6 +34,20 @@ async function bootstrap(): Promise<void> {
     throw new Error('BETTER_AUTH_SECRET is required');
   }
 
+  // Pre-flight: assert all external services required by the configured tier
+  // are reachable. Runs before NestFactory.create() so failures are visible
+  // immediately with actionable remediation hints.
+  const mosaicConfig = loadConfig();
+  try {
+    await detectAndAssertTier(mosaicConfig);
+  } catch (err) {
+    if (err instanceof TierDetectionError) {
+      logger.error(`Tier detection failed: ${err.message}`);
+      logger.error(`Remediation: ${err.remediation}`);
+    }
+    throw err;
+  }
+
   for (const warning of listSsoStartupWarnings()) {
     logger.warn(warning);
   }
@@ -51,7 +75,7 @@ async function bootstrap(): Promise<void> {
   mountAuthHandler(app);
   mountMcpHandler(app, app.get(McpService));
 
-  const port = Number(process.env['GATEWAY_PORT'] ?? 4000);
+  const port = Number(process.env['GATEWAY_PORT'] ?? 14242);
   await app.listen(port, '0.0.0.0');
   logger.log(`Gateway listening on port ${port}`);
 }

apps/gateway/src/mcp/mcp.controller.ts

@@ -1,7 +1,7 @@
 import type { IncomingMessage, ServerResponse } from 'node:http';
 import { Logger } from '@nestjs/common';
 import { fromNodeHeaders } from 'better-auth/node';
-import type { Auth } from '@mosaic/auth';
+import type { Auth } from '@mosaicstack/auth';
 import type { NestFastifyApplication } from '@nestjs/platform-fastify';
 import type { McpService } from './mcp.service.js';
 import { AUTH } from '../auth/auth.tokens.js';

apps/gateway/src/mcp/mcp.service.ts

@@ -3,8 +3,8 @@ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { randomUUID } from 'node:crypto';
 import { z } from 'zod';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
-import type { Memory } from '@mosaic/memory';
+import type { Memory } from '@mosaicstack/memory';
 import { BRAIN } from '../brain/brain.tokens.js';
 import { MEMORY } from '../memory/memory.tokens.js';
 import { EmbeddingService } from '../memory/embedding.service.js';

apps/gateway/src/memory/embedding.service.ts

@@ -1,5 +1,5 @@
 import { Injectable, Logger } from '@nestjs/common';
-import type { EmbeddingProvider } from '@mosaic/memory';
+import type { EmbeddingProvider } from '@mosaicstack/memory';
 
 // ---------------------------------------------------------------------------
 // Environment-driven configuration

apps/gateway/src/memory/memory.controller.ts

@@ -12,7 +12,7 @@ import {
   Query,
   UseGuards,
 } from '@nestjs/common';
-import type { Memory } from '@mosaic/memory';
+import type { Memory } from '@mosaicstack/memory';
 import { MEMORY } from './memory.tokens.js';
 import { AuthGuard } from '../auth/auth.guard.js';
 import { CurrentUser } from '../auth/current-user.decorator.js';

apps/gateway/src/memory/memory.module.ts

@@ -1,11 +1,29 @@
 import { Global, Module } from '@nestjs/common';
-import { createMemory, type Memory } from '@mosaic/memory';
+import {
-import type { Db } from '@mosaic/db';
+  createMemory,
-import { DB } from '../database/database.module.js';
+  type Memory,
+  createMemoryAdapter,
+  type MemoryAdapter,
+  type MemoryConfig,
+} from '@mosaicstack/memory';
+import type { Db } from '@mosaicstack/db';
+import type { StorageAdapter } from '@mosaicstack/storage';
+import type { MosaicConfig } from '@mosaicstack/config';
+import { MOSAIC_CONFIG } from '../config/config.module.js';
+import { DB, STORAGE_ADAPTER } from '../database/database.module.js';
 import { MEMORY } from './memory.tokens.js';
 import { MemoryController } from './memory.controller.js';
 import { EmbeddingService } from './embedding.service.js';
 
+export const MEMORY_ADAPTER = 'MEMORY_ADAPTER';
+
+function buildMemoryConfig(config: MosaicConfig, storageAdapter: StorageAdapter): MemoryConfig {
+  if (config.memory.type === 'keyword') {
+    return { type: 'keyword', storage: storageAdapter };
+  }
+  return { type: config.memory.type };
+}
+
 @Global()
 @Module({
   providers: [
@@ -14,9 +32,15 @@ import { EmbeddingService } from './embedding.service.js';
       useFactory: (db: Db): Memory => createMemory(db),
       inject: [DB],
     },
+    {
+      provide: MEMORY_ADAPTER,
+      useFactory: (config: MosaicConfig, storageAdapter: StorageAdapter): MemoryAdapter =>
+        createMemoryAdapter(buildMemoryConfig(config, storageAdapter)),
+      inject: [MOSAIC_CONFIG, STORAGE_ADAPTER],
+    },
     EmbeddingService,
   ],
   controllers: [MemoryController],
-  exports: [MEMORY, EmbeddingService],
+  exports: [MEMORY, MEMORY_ADAPTER, EmbeddingService],
 })
 export class MemoryModule {}

apps/gateway/src/missions/missions.controller.ts

@@ -12,7 +12,7 @@ import {
   Post,
   UseGuards,
 } from '@nestjs/common';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
 import { BRAIN } from '../brain/brain.tokens.js';
 import { AuthGuard } from '../auth/auth.guard.js';
 import { CurrentUser } from '../auth/current-user.decorator.js';

apps/gateway/src/plugin/plugin.module.ts

@@ -6,8 +6,8 @@ import {
   type OnModuleDestroy,
   type OnModuleInit,
 } from '@nestjs/common';
-import { DiscordPlugin } from '@mosaic/discord-plugin';
+import { DiscordPlugin } from '@mosaicstack/discord-plugin';
-import { TelegramPlugin } from '@mosaic/telegram-plugin';
+import { TelegramPlugin } from '@mosaicstack/telegram-plugin';
 import { PluginService } from './plugin.service.js';
 import type { IChannelPlugin } from './plugin.interface.js';
 import { PLUGIN_REGISTRY } from './plugin.tokens.js';
@@ -48,7 +48,7 @@ class TelegramChannelPluginAdapter implements IChannelPlugin {
   }
 }
 
-const DEFAULT_GATEWAY_URL = 'http://localhost:4000';
+const DEFAULT_GATEWAY_URL = 'http://localhost:14242';
 
 function createPluginRegistry(): IChannelPlugin[] {
   const plugins: IChannelPlugin[] = [];

apps/gateway/src/preferences/preferences.service.spec.ts

@@ -1,6 +1,6 @@
 import { describe, it, expect, vi } from 'vitest';
 import { PreferencesService, PLATFORM_DEFAULTS, IMMUTABLE_KEYS } from './preferences.service.js';
-import type { Db } from '@mosaic/db';
+import type { Db } from '@mosaicstack/db';
 
 /**
  * Build a mock Drizzle DB where the select chain supports:

apps/gateway/src/preferences/preferences.service.ts

@@ -1,5 +1,5 @@
 import { Inject, Injectable, Logger } from '@nestjs/common';
-import { eq, and, sql, type Db, preferences as preferencesTable } from '@mosaic/db';
+import { eq, and, sql, type Db, preferences as preferencesTable } from '@mosaicstack/db';
 import { DB } from '../database/database.module.js';
 
 export const PLATFORM_DEFAULTS: Record<string, unknown> = {

apps/gateway/src/preferences/system-override.service.ts

@@ -1,5 +1,5 @@
 import { Injectable, Logger } from '@nestjs/common';
-import { createQueue, type QueueHandle } from '@mosaic/queue';
+import { createQueue, type QueueHandle } from '@mosaicstack/queue';
 
 const SESSION_SYSTEM_KEY = (sessionId: string) => `mosaic:session:${sessionId}:system`;
 const SESSION_SYSTEM_FRAGMENTS_KEY = (sessionId: string) =>

apps/gateway/src/projects/projects.controller.ts

@@ -13,7 +13,7 @@ import {
   Post,
   UseGuards,
 } from '@nestjs/common';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
 import { BRAIN } from '../brain/brain.tokens.js';
 import { AuthGuard } from '../auth/auth.guard.js';
 import { CurrentUser } from '../auth/current-user.decorator.js';

apps/gateway/src/queue/queue.module.ts

@@ -1,9 +1,21 @@
 import { Global, Module } from '@nestjs/common';
+import { createQueueAdapter, type QueueAdapter } from '@mosaicstack/queue';
+import type { MosaicConfig } from '@mosaicstack/config';
+import { MOSAIC_CONFIG } from '../config/config.module.js';
 import { QueueService } from './queue.service.js';
 
+export const QUEUE_ADAPTER = 'QUEUE_ADAPTER';
+
 @Global()
 @Module({
-  providers: [QueueService],
+  providers: [
-  exports: [QueueService],
+    QueueService,
+    {
+      provide: QUEUE_ADAPTER,
+      useFactory: (config: MosaicConfig): QueueAdapter => createQueueAdapter(config.queue),
+      inject: [MOSAIC_CONFIG],
+    },
+  ],
+  exports: [QueueService, QUEUE_ADAPTER],
 })
 export class QueueModule {}

apps/gateway/src/queue/queue.service.ts

@@ -7,7 +7,7 @@ import {
   type OnModuleDestroy,
 } from '@nestjs/common';
 import { Queue, Worker, type Job, type ConnectionOptions } from 'bullmq';
-import type { LogService } from '@mosaic/log';
+import type { LogService } from '@mosaicstack/log';
 import { LOG_SERVICE } from '../log/log.tokens.js';
 import type { JobDto, JobStatus } from './queue-admin.dto.js';
 
@@ -51,16 +51,42 @@ export interface QueueHealthStatus {
 // Constants
 // ---------------------------------------------------------------------------
 
-export const QUEUE_SUMMARIZATION = 'mosaic:summarization';
+export const QUEUE_SUMMARIZATION = 'mosaic-summarization';
-export const QUEUE_GC = 'mosaic:gc';
+export const QUEUE_GC = 'mosaic-gc';
-export const QUEUE_TIER_MANAGEMENT = 'mosaic:tier-management';
+export const QUEUE_TIER_MANAGEMENT = 'mosaic-tier-management';
 
 const DEFAULT_VALKEY_URL = 'redis://localhost:6380';
 
+/**
+ * Parse a Redis URL string into a BullMQ-compatible ConnectionOptions object.
+ *
+ * BullMQ v5 does `Object.assign({ port: 6379, host: '127.0.0.1' }, opts)` in
+ * its RedisConnection constructor. If opts is a URL string, Object.assign only
+ * copies character-index properties and the defaults survive — so 6379 wins.
+ * We must parse the URL ourselves and return a plain RedisOptions object.
+ */
 function getConnection(): ConnectionOptions {
   const url = process.env['VALKEY_URL'] ?? DEFAULT_VALKEY_URL;
-  // BullMQ ConnectionOptions accepts a URL string (ioredis-compatible)
+  try {
-  return url as unknown as ConnectionOptions;
+    const parsed = new URL(url);
+    const opts: ConnectionOptions = {
+      host: parsed.hostname || '127.0.0.1',
+      port: parsed.port ? parseInt(parsed.port, 10) : 6380,
+    };
+    if (parsed.password) {
+      (opts as Record<string, unknown>)['password'] = decodeURIComponent(parsed.password);
+    }
+    if (parsed.pathname && parsed.pathname.length > 1) {
+      const db = parseInt(parsed.pathname.slice(1), 10);
+      if (!isNaN(db)) {
+        (opts as Record<string, unknown>)['db'] = db;
+      }
+    }
+    return opts;
+  } catch {
+    // Fallback: hope the value is already a host string ioredis understands
+    return { host: '127.0.0.1', port: 6380 } as ConnectionOptions;
+  }
 }
 
 // ---------------------------------------------------------------------------

apps/gateway/src/reload/reload.controller.ts

@@ -1,5 +1,5 @@
 import { Controller, HttpCode, HttpStatus, Inject, Post, UseGuards } from '@nestjs/common';
-import type { SystemReloadPayload } from '@mosaic/types';
+import type { SystemReloadPayload } from '@mosaicstack/types';
 import { AdminGuard } from '../admin/admin.guard.js';
 import { ChatGateway } from '../chat/chat.gateway.js';
 import { ReloadService } from './reload.service.js';

apps/gateway/src/reload/reload.service.ts

@@ -5,7 +5,7 @@ import {
   type OnApplicationBootstrap,
   type OnApplicationShutdown,
 } from '@nestjs/common';
-import type { SystemReloadPayload } from '@mosaic/types';
+import type { SystemReloadPayload } from '@mosaicstack/types';
 import { CommandRegistryService } from '../commands/command-registry.service.js';
 import { isMosaicPlugin } from './mosaic-plugin.interface.js';
 

apps/gateway/src/skills/skills.service.ts

@@ -1,5 +1,5 @@
 import { Inject, Injectable } from '@nestjs/common';
-import { eq, type Db, skills } from '@mosaic/db';
+import { eq, type Db, skills } from '@mosaicstack/db';
 import { DB } from '../database/database.module.js';
 
 type Skill = typeof skills.$inferSelect;

apps/gateway/src/tasks/tasks.controller.ts

@@ -14,7 +14,7 @@ import {
   Query,
   UseGuards,
 } from '@nestjs/common';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
 import { BRAIN } from '../brain/brain.tokens.js';
 import { AuthGuard } from '../auth/auth.guard.js';
 import { CurrentUser } from '../auth/current-user.decorator.js';

apps/gateway/src/workspace/project-bootstrap.service.ts

@@ -1,5 +1,5 @@
 import { Inject, Injectable, Logger } from '@nestjs/common';
-import type { Brain } from '@mosaic/brain';
+import type { Brain } from '@mosaicstack/brain';
 import { BRAIN } from '../brain/brain.tokens.js';
 import { PluginService } from '../plugin/plugin.service.js';
 import { WorkspaceService } from './workspace.service.js';

apps/gateway/src/workspace/teams.service.ts

@@ -1,5 +1,5 @@
 import { Inject, Injectable, Logger } from '@nestjs/common';
-import { eq, and, type Db, teams, teamMembers, projects } from '@mosaic/db';
+import { eq, and, type Db, teams, teamMembers, projects } from '@mosaicstack/db';
 import { DB } from '../database/database.module.js';
 
 @Injectable()

apps/gateway/tsconfig.typecheck.json

@@ -4,15 +4,15 @@
     "rootDir": "../..",
     "baseUrl": ".",
     "paths": {
-      "@mosaic/auth": ["../../packages/auth/src/index.ts"],
+      "@mosaicstack/auth": ["../../packages/auth/src/index.ts"],
-      "@mosaic/brain": ["../../packages/brain/src/index.ts"],
+      "@mosaicstack/brain": ["../../packages/brain/src/index.ts"],
-      "@mosaic/coord": ["../../packages/coord/src/index.ts"],
+      "@mosaicstack/coord": ["../../packages/coord/src/index.ts"],
-      "@mosaic/db": ["../../packages/db/src/index.ts"],
+      "@mosaicstack/db": ["../../packages/db/src/index.ts"],
-      "@mosaic/log": ["../../packages/log/src/index.ts"],
+      "@mosaicstack/log": ["../../packages/log/src/index.ts"],
-      "@mosaic/memory": ["../../packages/memory/src/index.ts"],
+      "@mosaicstack/memory": ["../../packages/memory/src/index.ts"],
-      "@mosaic/types": ["../../packages/types/src/index.ts"],
+      "@mosaicstack/types": ["../../packages/types/src/index.ts"],
-      "@mosaic/discord-plugin": ["../../plugins/discord/src/index.ts"],
+      "@mosaicstack/discord-plugin": ["../../plugins/discord/src/index.ts"],
-      "@mosaic/telegram-plugin": ["../../plugins/telegram/src/index.ts"]
+      "@mosaicstack/telegram-plugin": ["../../plugins/telegram/src/index.ts"]
     }
   }
 }

apps/gateway/vitest.config.ts

@@ -1,3 +1,4 @@
+import swc from 'unplugin-swc';
 import { defineConfig } from 'vitest/config';
 
 export default defineConfig({
@@ -5,4 +6,22 @@ export default defineConfig({
     globals: true,
     environment: 'node',
   },
+  plugins: [
+    swc.vite({
+      jsc: {
+        parser: {
+          syntax: 'typescript',
+          decorators: true,
+        },
+        transform: {
+          decoratorMetadata: true,
+          legacyDecorator: true,
+        },
+        target: 'es2022',
+      },
+      module: {
+        type: 'nodenext',
+      },
+    }),
+  ],
 });

apps/web/next.config.ts

@@ -2,7 +2,7 @@ import type { NextConfig } from 'next';
 
 const nextConfig: NextConfig = {
   output: 'standalone',
-  transpilePackages: ['@mosaic/design-tokens'],
+  transpilePackages: ['@mosaicstack/design-tokens'],
 
   // Enable gzip/brotli compression for all responses.
   compress: true,

apps/web/package.json

@@ -1,6 +1,6 @@
 {
-  "name": "@mosaic/web",
+  "name": "@mosaicstack/web",
-  "version": "0.0.0",
+  "version": "0.0.2",
   "private": true,
   "scripts": {
     "build": "next build",
@@ -12,7 +12,7 @@
     "start": "next start"
   },
   "dependencies": {
-    "@mosaic/design-tokens": "workspace:^",
+    "@mosaicstack/design-tokens": "workspace:^",
     "better-auth": "^1.5.5",
     "clsx": "^2.1.0",
     "next": "^16.0.0",

apps/web/playwright.config.ts

@@ -5,9 +5,9 @@ import { defineConfig, devices } from '@playwright/test';
  *
  * Assumes:
  *   - Next.js web app running on http://localhost:3000
- *   - NestJS gateway running on http://localhost:4000
+ *   - NestJS gateway running on http://localhost:14242
  *
- * Run with:   pnpm --filter @mosaic/web test:e2e
+ * Run with:   pnpm --filter @mosaicstack/web test:e2e
  */
 export default defineConfig({
   testDir: './e2e',

apps/web/src/lib/api.ts

@@ -1,4 +1,4 @@
-const GATEWAY_URL = process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:4000';
+const GATEWAY_URL = process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:14242';
 
 export interface ApiRequestInit extends Omit<RequestInit, 'body'> {
   body?: unknown;

apps/web/src/lib/auth-client.ts

@@ -2,7 +2,7 @@ import { createAuthClient } from 'better-auth/react';
 import { adminClient, genericOAuthClient } from 'better-auth/client/plugins';
 
 export const authClient = createAuthClient({
-  baseURL: process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:4000',
+  baseURL: process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:14242',
   plugins: [adminClient(), genericOAuthClient()],
 });
 

apps/web/src/lib/socket.ts

@@ -1,6 +1,6 @@
 import { io, type Socket } from 'socket.io-client';
 
-const GATEWAY_URL = process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:4000';
+const GATEWAY_URL = process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:14242';
 
 let socket: Socket | null = null;
 

briefs/monorepo-consolidation.md

@@ -0,0 +1,231 @@
+# Brief: Monorepo Consolidation — mosaic/stack → mosaic/mosaic-stack
+
+## Source
+
+Architecture consolidation — merge the mosaic/stack repo (Forge pipeline, MACP protocol, framework tools) into mosaic/mosaic-stack (Harness Foundation platform). Two repos doing related work that need to converge.
+
+## Context
+
+**mosaic/stack** (OLD) contains:
+
+- Forge progressive refinement pipeline (stages, agents, personas, rails, debate protocol, brief classification)
+- MACP protocol (JSON schemas, deterministic Python controller, dispatcher, event system, gate runner)
+- Credential resolver (Python — OC config, mosaic files, ambient env, JSON5 parser)
+- OC framework plugin (injects Mosaic rails into all agent sessions)
+- Profiles (runtime-neutral context packs for tech stacks and domains)
+- Stage adapter (Forge→MACP bridge)
+- Board tasks (multi-agent board evaluation)
+- OpenBrain specialist memory (learning capture/recall)
+- 17 guides, 5 universal skills
+
+**mosaic/mosaic-stack** (NEW) contains:
+
+- Harness Foundation platform (NestJS gateway, Next.js web, Drizzle ORM, Pi SDK runtime)
+- 5 provider adapters, task classifier, routing rules, model capability matrix
+- MACP OC plugin (ACP runtime backend with Pi bridge)
+- TS coord package (mission runner, tasks file manager, status tracker — 1635 lines)
+- BullMQ job queue, OTEL telemetry, channel plugins (Discord, Telegram)
+- CLI with TUI, 65/65 tasks done, v0.2.0
+
+**Decision:** NEW repo is the base. All unique work from OLD gets ported into NEW as packages.
+
+## Scope
+
+### Work Package 1: Forge Pipeline Package (`packages/forge`)
+
+Port the entire Forge progressive refinement pipeline as a TypeScript package.
+
+**From OLD:**
+
+- `forge/pipeline/stages/*.md` — 11 stage definitions
+- `forge/pipeline/agents/{board,generalists,specialists,cross-cutting}/*.md` — all persona definitions
+- `forge/pipeline/rails/*.md` — debate protocol, dynamic composition, worker rails
+- `forge/pipeline/gates/` — gate reviewer definitions
+- `forge/pipeline/orchestrator/run-structure.md` — file-based observability spec
+- `forge/templates/` — brief and PRD templates
+- `forge/pipeline/orchestrator/board_tasks.py` → rewrite in TS
+- `forge/pipeline/orchestrator/stage_adapter.py` → rewrite in TS
+- `forge/pipeline/orchestrator/pipeline_runner.py` → rewrite in TS
+- `forge/forge` CLI (Python) → rewrite in TS, integrate with `packages/cli`
+
+**Package structure:**
+
+```
+packages/forge/
+├── src/
+│   ├── index.ts              # Public API
+│   ├── pipeline-runner.ts    # Orchestrates full pipeline run
+│   ├── stage-adapter.ts      # Maps stages to MACP/coord tasks
+│   ├── board-tasks.ts        # Multi-agent board evaluation task generator
+│   ├── brief-classifier.ts   # strategic/technical/hotfix classification
+│   ├── types.ts              # Stage specs, run manifest, gate results
+│   └── constants.ts          # Stage sequence, timeouts, labels
+├── pipeline/
+│   ├── stages/               # .md stage definitions (copied)
+│   ├── agents/               # .md persona definitions (copied)
+│   │   ├── board/
+│   │   ├── cross-cutting/
+│   │   ├── generalists/
+│   │   └── specialists/
+│   │       ├── language/
+│   │       └── domain/
+│   ├── rails/                # .md rails (copied)
+│   ├── gates/                # .md gate definitions (copied)
+│   └── templates/            # brief + PRD templates (copied)
+└── package.json
+```
+
+**Key design decisions:**
+
+- Pipeline markdown assets are runtime data, not compiled — ship as-is in the package
+- `pipeline-runner.ts` calls into `packages/coord` for task execution (not a separate controller)
+- Stage adapter generates coord-compatible tasks, not MACP JSON directly
+- Board tasks use `depends_on_policy: "all_terminal"` for synthesis
+- Per-stage timeouts from `STAGE_TIMEOUTS` map
+- Brief classifier supports CLI flag, YAML frontmatter, and keyword auto-detection
+- Run output goes to project-scoped `.forge/runs/{run-id}/` (not inside the Forge package)
+
+**Persona override system (new):**
+
+- Base personas ship with the package (read-only)
+- Project-level overrides in `.forge/personas/{role}.md` extend (not replace) base personas
+- Board composition configurable via `.forge/config.yaml`:
+  ```yaml
+  board:
+    additional_members:
+      - compliance-officer.md
+    skip_members: []
+  specialists:
+    always_include:
+      - proxmox-expert
+  ```
+- OpenBrain integration for cross-run specialist memory (when enabled)
+
+### Work Package 2: MACP Protocol Package (`packages/macp`)
+
+Port the MACP protocol layer, event system, and gate runner as a TypeScript package.
+
+**From OLD:**
+
+- `tools/macp/protocol/task.schema.json` — task JSON schema
+- `tools/macp/protocol/` — event schemas
+- `tools/macp/controller/gate_runner.py` → rewrite in TS as `gate-runner.ts`
+- `tools/macp/events/` — event watcher, webhook adapter, Discord formatter → rewrite in TS
+- `tools/macp/dispatcher/credential_resolver.py` → rewrite in TS as `credential-resolver.ts`
+- `tools/macp/memory/learning_capture.py` + `learning_recall.py` → rewrite in TS
+
+**Package structure:**
+
+```
+packages/macp/
+├── src/
+│   ├── index.ts                # Public API
+│   ├── types.ts                # Task, event, result, gate types
+│   ├── schemas/                # JSON schemas (copied)
+│   ├── gate-runner.ts          # Mechanical + AI review quality gates
+│   ├── credential-resolver.ts  # Provider credential resolution (mosaic files, OC config, ambient)
+│   ├── event-emitter.ts        # Append events to ndjson, structured event types
+│   ├── event-watcher.ts        # Poll events.ndjson with cursor persistence
+│   ├── webhook-adapter.ts      # POST events to configurable URL
+│   ├── discord-formatter.ts    # Human-readable event messages
+│   └── learning.ts             # OpenBrain capture + recall
+└── package.json
+```
+
+**Integration with existing packages:**
+
+- `packages/coord` uses `packages/macp` for event emission, gate running, and credential resolution
+- `plugins/macp` uses `packages/macp` for protocol types and credential resolution
+- `packages/forge` uses `packages/macp` gate types for stage gates
+
+### Work Package 3: OC Framework Plugin (`plugins/mosaic-framework`)
+
+Port the OC framework plugin that injects Mosaic rails into all agent sessions.
+
+**From OLD:**
+
+- `oc-plugins/mosaic-framework/index.ts` — `before_agent_start` + `subagent_spawning` hooks
+- `oc-plugins/mosaic-framework/openclaw.plugin.json`
+
+**Structure:**
+
+```
+plugins/mosaic-framework/
+├── src/
+│   └── index.ts    # Plugin hooks
+└── package.json
+```
+
+**This is separate from `plugins/macp`:**
+
+- `mosaic-framework` = injects Mosaic rails/contracts into every OC session (passive enforcement)
+- `macp` = provides an ACP runtime backend for MACP task execution (active runtime)
+
+### Work Package 4: Profiles + Guides + Skills
+
+Port reference content as a documentation/config package or top-level directories.
+
+**From OLD:**
+
+- `profiles/domains/*.json` — HIPAA, fintech, crypto context packs
+- `profiles/tech-stacks/*.json` — NestJS, Next.js, FastAPI, React conventions
+- `profiles/workflows/*.json` — API development, frontend component, testing workflows
+- `guides/*.md` — 17 guides (auth, backend, QA, orchestrator, PRD, etc.)
+- `skills-universal/` — jarvis, macp, mosaic-standards, prd, setup-cicd skills
+
+**Destination:**
+
+```
+profiles/           # Top-level (same as OLD)
+guides/             # Top-level (same as OLD)
+skills/             # Top-level (renamed from skills-universal)
+```
+
+These are runtime-neutral assets consumed by any agent or profile loader — they don't belong in a compiled package.
+
+## Out of Scope
+
+- Rewriting the NestJS orchestrator app from OLD (`apps/orchestrator/`) — its functionality is subsumed by `packages/coord` + `apps/gateway`
+- Porting the FastAPI coordinator from OLD (`apps/coordinator/`) — its functionality (webhook receiver, issue parser, quality orchestrator) is handled by `packages/coord` + `apps/gateway` in the new architecture
+- Porting the Prisma schema or OLD's `apps/api` — Drizzle migration is complete
+- Old Docker Compose configs (Traefik, Matrix, OpenBao) — NEW has its own infra setup
+
+## Success Criteria
+
+1. `packages/forge` exists with all 11 stage definitions, all persona markdowns, all rails, and TS implementations of pipeline-runner, stage-adapter, board-tasks, and brief-classifier
+2. `packages/macp` exists with gate-runner, credential-resolver, event system, and learning capture/recall — all in TypeScript
+3. `plugins/mosaic-framework` exists and registers OC hooks for rails injection
+4. Profiles, guides, and skills are present at top-level
+5. `packages/forge` integrates with `packages/coord` for task execution
+6. `packages/macp` credential-resolver is used by `plugins/macp` Pi bridge
+7. All existing tests pass (no regressions)
+8. New packages have test coverage ≥85%
+9. `pnpm lint && pnpm typecheck && pnpm build` passes
+10. `.forge/runs/` project-scoped output directory works for at least one test run
+
+## Technical Constraints
+
+- All new code is ESM with NodeNext module resolution
+- No Python in the new repo — everything rewrites to TypeScript
+- Pipeline markdown assets (stages, personas, rails) are shipped as package data, not compiled
+- Credential resolver must support: mosaic credential files, OC config (JSON5), ambient environment — same resolution order as the Python version
+- Must preserve `depends_on_policy` semantics (all, any, all_terminal)
+- Per-stage timeouts must be preserved
+- JSON5 stripping must use the placeholder-extraction approach (not naive regex on string content)
+
+## Estimated Complexity
+
+High — crosses 4 work packages with protocol porting, TS rewrites, and integration wiring. Each work package is independently shippable.
+
+**Suggested execution order:**
+
+1. WP4 (profiles/guides/skills) — pure copy, no code, fast win
+2. WP2 (packages/macp) — protocol foundation, needed by WP1 and WP3
+3. WP1 (packages/forge) — the big one, depends on WP2
+4. WP3 (plugins/mosaic-framework) — OC integration, can parallel with WP1
+
+## Dependencies
+
+- `packages/coord` must be stable (it is — WP1 integrates with it)
+- `plugins/macp` must be stable (it is — WP2 provides types/credentials to it)
+- Pi SDK (`@mariozechner/pi-agent-core`) already in the dependency tree

docker-compose.federated.yml

@@ -0,0 +1,60 @@
+# docker-compose.federated.yml — Federated tier overlay
+#
+# USAGE:
+#   docker compose -f docker-compose.federated.yml --profile federated up -d
+#
+# This file is a standalone overlay for the Mosaic federated tier.
+# It is NOT an extension of docker-compose.yml — it defines its own services
+# and named volumes so it can run independently of the base dev stack.
+#
+# IMPORTANT — HOST PORT CONFLICTS:
+#   The federated services bind the same host ports as the base dev stack
+#   (5433 for Postgres, 6380 for Valkey). You must stop the base dev stack
+#   before starting the federated stack on the same machine:
+#     docker compose down
+#     docker compose -f docker-compose.federated.yml --profile federated up -d
+#
+# pgvector extension:
+#   The vector extension is created automatically at first boot via
+#   ./infra/pg-init/01-extensions.sql (CREATE EXTENSION IF NOT EXISTS vector).
+#
+# Tier configuration:
+#   Used by `mosaic` instances configured with `tier: federated`.
+#   DEFAULT_FEDERATED_CONFIG points at:
+#     postgresql://mosaic:mosaic@localhost:5433/mosaic
+
+services:
+  postgres-federated:
+    image: pgvector/pgvector:pg17
+    profiles: [federated]
+    ports:
+      - '${PG_FEDERATED_HOST_PORT:-5433}:5432'
+    environment:
+      POSTGRES_USER: mosaic
+      POSTGRES_PASSWORD: mosaic
+      POSTGRES_DB: mosaic
+    volumes:
+      - pg_federated_data:/var/lib/postgresql/data
+      - ./infra/pg-init:/docker-entrypoint-initdb.d:ro
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U mosaic']
+      interval: 5s
+      timeout: 3s
+      retries: 5
+
+  valkey-federated:
+    image: valkey/valkey:8-alpine
+    profiles: [federated]
+    ports:
+      - '${VALKEY_FEDERATED_HOST_PORT:-6380}:6379'
+    volumes:
+      - valkey_federated_data:/data
+    healthcheck:
+      test: ['CMD', 'valkey-cli', 'ping']
+      interval: 5s
+      timeout: 3s
+      retries: 5
+
+volumes:
+  pg_federated_data:
+  valkey_federated_data:

docs/MISSION-MANIFEST.md

@@ -1,70 +1,116 @@
-# Mission Manifest — Harness Foundation
+# Mission Manifest — MVP
 
-> Persistent document tracking full mission scope, status, and session history.
+> Top-level rollup tracking Mosaic Stack MVP execution.
-> Updated by the orchestrator at each phase transition and milestone completion.
+> Workstreams have their own manifests; this document is the source of truth for MVP scope, status, and history.
+> Owner: Orchestrator (sole writer).
 
 ## Mission
 
-**ID:** harness-20260321
+**ID:** mvp-20260312
-**Statement:** Transform Mosaic Stack from a functional demo into a real multi-provider, task-routing AI harness. Persist all conversations, integrate frontier LLM providers (Anthropic, OpenAI, OpenRouter, Z.ai, Ollama), build granular task-aware agent routing, harden agent sessions, replace cron with BullMQ, and design the channel protocol for future Matrix/remote integration.
+**Statement:** Ship a self-hosted, multi-user AI agent platform that consolidates the user's disparate jarvis-brain usage across home and USC workstations into a single coherent system reachable via three first-class surfaces — webUI, TUI, and CLI — with federation as the data-layer mechanism that makes cross-host agent sessions work in real time without copying user data across the boundary.
-**Phase:** Complete
+**Phase:** Execution (workstream W1 in planning-complete state)
-**Current Milestone:** All milestones done
+**Current Workstream:** W1 — Federation v1
-**Progress:** 7 / 7 milestones
+**Progress:** 0 / 1 declared workstreams complete (more workstreams will be declared as scope is refined)
-**Status:** complete
+**Status:** active (continuous since 2026-03-13)
-**Last Updated:** 2026-03-22 UTC
+**Last Updated:** 2026-04-19 (manifest authored at the rollup level; install-ux-v2 archived; W1 federation planning landed via PR #468)
+**Source PRD:** [docs/PRD.md](./PRD.md) — Mosaic Stack v0.1.0
+**Scratchpad:** [docs/scratchpads/mvp-20260312.md](./scratchpads/mvp-20260312.md) (active since 2026-03-13; 14 prior sessions of phase-based execution)
+
+## Context
+
+Jarvis (v0.2.0) was a single-host Python/Next.js assistant. The user runs sessions across 3–4 workstations split between home and USC. Today every session reaches back to a single jarvis-brain checkout, which is brittle (offline-hostile, no consolidation, no shared state beyond a single repo). A prior OpenBrain attempt punished offline use, introduced cache/latency/opacity pain, and tightly coupled every session to a remote service.
+
+The MVP solution: keep each user's home gateway as the source of truth, connect gateways gateway-to-gateway over mTLS with scoped read-only data exposure, and expose the unified experience through three coherent surfaces:
+
+- **webUI** — the primary visual control plane (Next.js + React 19, `apps/web`)
+- **TUI** — the terminal-native interface for agent work (`packages/mosaic` wizard + Pi TUI)
+- **CLI** — `mosaic` command for scripted/headless workflows
+
+Federation is required NOW because it unblocks cross-host consolidation; it is necessary but not sufficient for MVP. Additional workstreams will be declared as their scope solidifies.
+
+## Prior Execution (March 13 → April 5)
+
+This manifest was authored on 2026-04-19 to rollup work that began 2026-03-13. Before this date, MVP work was tracked via phase-based Gitea milestones and the scratchpad — there was no rollup manifest at the `docs/MISSION-MANIFEST.md` path (the slot was occupied by sub-mission manifests for `install-ux-hardening` and then `install-ux-v2`).
+
+Prior execution outline (full detail in [scratchpads/mvp-20260312.md](./scratchpads/mvp-20260312.md)):
+
+- **Phases 0 → 7** (Gitea milestones `ms-157` → `ms-164`, issues #1–#59): foundation, core API, agent layer, web dashboard, memory, remote control, CLI/tools, polish/beta. Substantially shipped by Session 13.
+- **Phase 8** (Gitea milestone `ms-165`, issues #160–#172): platform architecture extension — teams, workspaces, `/provider` OAuth, preferences, etc. Wave-based execution plan defined at Session 14.
+- **Sub-missions** during the gap: `install-ux-hardening` (complete, `mosaic-v0.0.25`), `install-ux-v2` (complete on 2026-04-19, `0.0.27` → `0.0.29`). Both archived under `docs/archive/missions/`.
+
+Going forward, MVP execution is tracked through the **Workstreams** table below. Phase-based issue numbering is preserved on Gitea but is no longer the primary control plane.
+
+## Cross-Cutting MVP Requirements
+
+These apply to every workstream and every milestone. A workstream cannot ship if it breaks any of them.
+
+| #      | Requirement                                                                                                                                                                      |
+| ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| MVP-X1 | Three-surface parity: every user-facing capability is reachable via webUI **and** TUI **and** CLI (read paths at minimum; mutating paths where applicable to the surface).       |
+| MVP-X2 | Multi-tenant isolation is enforced at every boundary; no cross-user leakage under any circumstance.                                                                              |
+| MVP-X3 | Auth via BetterAuth (existing); SSO adapters per PRD; admin bootstrap remains a one-shot.                                                                                        |
+| MVP-X4 | Three quality gates green before push: `pnpm typecheck`, `pnpm lint`, `pnpm format:check`.                                                                                       |
+| MVP-X5 | Federated tier (PG + pgvector + Valkey) is the canonical MVP deployment topology; local/standalone tiers continue to work for non-federated installs but are not the MVP target. |
+| MVP-X6 | OTEL tracing on every request path; `traceparent` propagated across the federation boundary in both directions.                                                                  |
+| MVP-X7 | Trunk merge strategy: branch from `main`, squash-merge via PR, never push to `main` directly.                                                                                    |
 
 ## Success Criteria
 
-- [x] AC-1: Send messages in TUI → restart TUI → resume conversation → agent has full history and context
+The MVP is complete when ALL declared workstreams are complete AND every cross-cutting requirement is verifiable on a live two-host deployment (woltje.com ↔ uscllc.com).
-- [x] AC-2: Route a coding task to Claude Opus 4.6, a simple question to Haiku, a summarization to GLM-5 — all via granular routing rules
-- [x] AC-3: Two users exist, User A's memory searches never return User B's data
-- [x] AC-4: `/model claude-sonnet-4-6` in TUI switches the active model for subsequent messages
-- [x] AC-5: `/agent coding-agent` in TUI switches to a different agent with different system prompt and tools
-- [x] AC-6: BullMQ jobs execute on schedule, failures retry with backoff, admin can inspect via `/api/admin/jobs`
-- [x] AC-7: Channel protocol document exists with Matrix integration points defined, reviewed, and approved
-- [x] AC-8: Embeddings run on Ollama local models (no external API dependency for vector operations)
-- [x] AC-9: All five providers (Anthropic, OpenAI, OpenRouter, Z.ai, Ollama) connect, list models, and complete chat requests
-- [x] AC-10: Routing transparency — TUI displays which model was selected and the routing reason for each response
 
-## Milestones
+- [ ] AC-MVP-1: All declared workstreams reach `complete` status with merged PRs and green CI
+- [ ] AC-MVP-2: A user session on the home gateway can transparently query work-gateway data subject to scope, with no data persisted across the boundary
+- [ ] AC-MVP-3: The same user-facing capability is reachable from webUI, TUI, and CLI (per MVP-X1)
+- [ ] AC-MVP-4: Two-gateway production deployment (woltje.com ↔ uscllc.com) operational ≥7 days without incident
+- [ ] AC-MVP-5: All cross-cutting requirements (MVP-X1 → MVP-X7) verified with evidence
+- [ ] AC-MVP-6: PRD `docs/PRD.md` "In Scope (v0.1.0 Beta)" list mapped to evidence (each item: shipped / explicitly deferred with rationale)
 
-| #   | ID     | Name                               | Status | Branch | Issue     | Started    | Completed  |
+## Workstreams
-| --- | ------ | ---------------------------------- | ------ | ------ | --------- | ---------- | ---------- |
-| 1   | ms-166 | Conversation Persistence & Context | done   | —      | #224–#231 | 2026-03-21 | 2026-03-21 |
-| 2   | ms-167 | Security & Isolation               | done   | —      | #232–#239 | 2026-03-21 | 2026-03-21 |
-| 3   | ms-168 | Provider Integration               | done   | —      | #240–#251 | 2026-03-21 | 2026-03-22 |
-| 4   | ms-169 | Agent Routing Engine               | done   | —      | #252–#264 | 2026-03-22 | 2026-03-22 |
-| 5   | ms-170 | Agent Session Hardening            | done   | —      | #265–#272 | 2026-03-22 | 2026-03-22 |
-| 6   | ms-171 | Job Queue Foundation               | done   | —      | #273–#280 | 2026-03-22 | 2026-03-22 |
-| 7   | ms-172 | Channel Protocol Design            | done   | —      | #281–#288 | 2026-03-22 | 2026-03-22 |
 
-## Deployment
+| #   | ID  | Name                                        | Status            | Manifest                                                                | Notes                                               |
+| --- | --- | ------------------------------------------- | ----------------- | ----------------------------------------------------------------------- | --------------------------------------------------- |
+| W1  | FED | Federation v1                               | planning-complete | [docs/federation/MISSION-MANIFEST.md](./federation/MISSION-MANIFEST.md) | 7 milestones, ~175K tokens, issues #460–#466 filed  |
+| W2+ | TBD | (additional workstreams declared as scoped) | —                 | —                                                                       | Scope creep is expected and explicitly accommodated |
 
-| Target               | URL       | Method                     |
+### Likely Additional Workstreams (Not Yet Declared)
-| -------------------- | --------- | -------------------------- |
-| Docker Compose (dev) | localhost | docker compose up          |
-| Production           | TBD       | Docker Swarm via Portainer |
 
-## Coordination
+These are anticipated based on the PRD `In Scope` list but are NOT counted toward MVP completion until they have their own manifest, milestones, and tracking issues. Listed here so the orchestrator knows what's likely coming.
 
-- **Primary Agent:** claude-opus-4-6
+- Web dashboard parity with PRD scope (chat, tasks, projects, missions, agent status surfaces)
-- **Sibling Agents:** sonnet (workers), haiku (verification)
+- Pi TUI integration for terminal-native agent work
-- **Shared Contracts:** docs/PRD-Harness_Foundation.md, docs/TASKS.md
+- CLI completeness for headless / scripted workflows that mirror webUI capability
+- Remote control plugins (Discord priority, then Telegram)
+- Multi-user / SSO finishing (BetterAuth + Authentik/WorkOS/Keycloak adapters per PRD)
+- LLM provider expansion (Anthropic, Codex, Z.ai, Ollama, LM Studio, llama.cpp) + routing matrix
+- MCP server/client capability + skill import interface
+- Brain (`@mosaicstack/brain`) as the structured data layer on PG + vector
 
-## Token Budget
+When any of these solidify into a real workstream, add a row to the Workstreams table, create a workstream-level manifest under `docs/{workstream}/MISSION-MANIFEST.md`, and file tracking issues.
 
-| Metric | Value  |
+## Risks
-| ------ | ------ |
+
-| Budget | —      |
+- **Scope creep is the named risk.** Workstreams will be added; the rule is that each must have its own manifest + milestones + acceptance criteria before it consumes execution capacity.
-| Used   | ~2.5M  |
+- **Federation urgency vs. surface parity** — federation is being built first because it unblocks the user, but webUI/TUI/CLI parity (MVP-X1) cannot slip indefinitely. Track surface coverage explicitly when each workstream lands.
-| Mode   | normal |
+- **Three-surface fan-out** — the same capability exposed three ways multiplies test surface and design effort. Default to a shared API/contract layer, then thin surface adapters; resist surface-specific business logic.
+- **Federated-tier dependency** — MVP requires PG + pgvector + Valkey; users on local/standalone tier cannot federate. This is intentional but must be communicated clearly in the wizard.
+
+## Out of Scope (MVP)
+
+- SaaS / multi-tenant revenue model — personal/family/team tool only
+- Mobile native apps — responsive web only
+- Public npm registry publishing — Gitea registry only
+- Voice / video agent interaction
+- Full OpenClaw feature parity — inspiration only
+- Calendar / GLPI / Woodpecker tooling integrations (deferred to post-MVP)
 
 ## Session History
 
-| Session | Runtime         | Started    | Duration | Ended Reason | Last Task         |
+For sessions 1–14 (phase-based execution, 2026-03-13 → 2026-03-15), see [scratchpads/mvp-20260312.md](./scratchpads/mvp-20260312.md). Sessions below are tracked at the rollup level.
-| ------- | --------------- | ---------- | -------- | ------------ | ----------------- |
-| 1       | claude-opus-4-6 | 2026-03-21 | ~6h      | complete     | M7-008 — all done |
 
-## Scratchpad
+| Session | Date       | Runtime | Outcome                                                                                                                                                                                                                                                                |
+| ------- | ---------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| S15     | 2026-04-19 | claude  | MVP rollup manifest authored. Install-ux-v2 archived (IUV-M03 retroactively closed — shipped via PR #446 + releases 0.0.27 → 0.0.29). Federation v1 planning landed via PR #468. W1 manifest reachable at `docs/federation/MISSION-MANIFEST.md`. Next: kickoff FED-M1. |
 
-Path: `docs/scratchpads/harness-20260321.md`
+## Next Step
+
+Begin W1 / FED-M1 — federated tier infrastructure. Task breakdown lives at [docs/federation/TASKS.md](./federation/TASKS.md).

docs/PERFORMANCE.md

@@ -153,7 +153,7 @@ for any `<Image>` components added in the future.
 
 ```bash
 # Run the DB migration (requires a live DB)
-pnpm --filter @mosaic/db exec drizzle-kit migrate
+pnpm --filter @mosaicstack/db exec drizzle-kit migrate
 
 # Or, in Docker/Swarm — migrations run automatically on gateway startup
 # via runMigrations() in packages/db/src/migrate.ts