Wrapper hardening: TLS validation, cred-path fallback, no-CI fast-exit (framework/tools) #550

New Issue

jason.woltje · 2026-06-18T19:02:27Z

jason.woltje commented

2026-06-18 19:02:27 +00:00

Wrapper hardening — three authorized defects in `packages/mosaic/framework/tools/`

Authorized by repo owner. One PR fixing three defects in the Mosaic framework tool wrappers.

F-03 — TLS validation disabled for all hosts (`-k` blanket)

The generic HTTP helpers (mosaic_http, mosaic_http_post, mosaic_http_patch) and the Woodpecker scripts used curl -sk, disabling TLS verification for every service — including public WAN hosts where MITM matters.

Fix: validate by default; pass -k only for private-network IP literals (trusted LAN) or an explicit MOSAIC_INSECURE_TLS opt-in, via a new _mosaic_tls_opt helper. Woodpecker scripts talk only to the two public/valid CI hosts, so -k is removed outright there (-sk → -sS).

F-02 — hardcoded credentials path

credentials.sh hardcoded the jarvis-brain legacy path as the only default. Fix: fallback chain — env first, then standard config path (~/.config/mosaic/credentials.json), then the legacy path retained as final fallback so the running fleet keeps working.

F-06 — `pr-ci-wait.sh` burns full timeout on no-CI repos

Repos with no CI configured (device-imaging class) loop to timeout because empty status was treated as unknown/pending. Fix: a distinct no-status state plus a consecutive-empty counter (N=3) that fast-exits 0 with a clear "no CI configured" message. Repos that DO have pipelines are unaffected — any pipeline signal resets the streak and pending still waits.

Not in scope

F-04 was deliberately NOT swept in this PR.

## Wrapper hardening — three authorized defects in `packages/mosaic/framework/tools/` Authorized by repo owner. One PR fixing three defects in the Mosaic framework tool wrappers. ### F-03 — TLS validation disabled for all hosts (`-k` blanket) The generic HTTP helpers (`mosaic_http`, `mosaic_http_post`, `mosaic_http_patch`) and the Woodpecker scripts used `curl -sk`, disabling TLS verification for **every** service — including public WAN hosts where MITM matters. Fix: validate by default; pass `-k` only for private-network IP literals (trusted LAN) or an explicit `MOSAIC_INSECURE_TLS` opt-in, via a new `_mosaic_tls_opt` helper. Woodpecker scripts talk only to the two public/valid CI hosts, so `-k` is removed outright there (`-sk` → `-sS`). ### F-02 — hardcoded credentials path `credentials.sh` hardcoded the jarvis-brain legacy path as the only default. Fix: fallback chain — env first, then standard config path (`~/.config/mosaic/credentials.json`), then the legacy path retained as final fallback so the running fleet keeps working. ### F-06 — `pr-ci-wait.sh` burns full timeout on no-CI repos Repos with no CI configured (device-imaging class) loop to timeout because empty status was treated as `unknown`/`pending`. Fix: a distinct `no-status` state plus a consecutive-empty counter (N=3) that fast-exits 0 with a clear "no CI configured" message. Repos that DO have pipelines are unaffected — any pipeline signal resets the streak and `pending` still waits. ### Not in scope F-04 was deliberately NOT swept in this PR.

jason.woltje referenced this issue from a commit

2026-06-18 19:02:49 +00:00

fix(framework/tools): wrapper hardening — TLS validation, cred-path fallback, no-CI fast-exit (#550)

jason.woltje referenced a pull request that will close this issue

2026-06-18 19:03:13 +00:00

fix(framework/tools): wrapper hardening — TLS validation, cred-path fallback, no-CI fast-exit #551

jason.woltje referenced this issue from a commit

2026-06-18 19:18:39 +00:00

fix(pr-ci-wait): CI-history primary tier — close webhook-lag false-green (#550)

Sign in to join this conversation.