Files
stack/packages/mosaic
Hermes Agent d12c5f7808
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
test(mosaic): make #791 PR2 Part 7 symlink control busybox-portable (#791 PR2)
CI #1881 failed at head 8bee1b65: the durable-snapshot gate was 40/41, the sole
failure being the Part 7 NEGATIVE control ("secret leaked through the symlink").
Root cause is a test-harness portability gap, not a code defect: node:24-alpine
runs busybox cp as root, and busybox cp REPLACES a symlinked destination instead
of following it, whereas GNU/BSD cp — what a real operator runs `mosaic update`
under — follows the link and leaks. So under the CI harness the CWE-59 leak vector
the control asserts simply cannot occur, and the negative control can't reproduce.

Fix is test-only; install.sh (independently approved at 8bee1b65) and the real
security assertions are untouched. make_symlink_leaf_shim now emulates GNU cp's
follow-through-dest-symlink behavior portably: when the destination is a symlink it
writes the source bytes through the link via redirection (which follows symlinks on
every coreutils, busybox included); otherwise it delegates to the host cp unchanged.
Both the shipped-case and the control run through this single shim, so the ONLY
difference between them remains the SYMLINK-LEAF-GUARD — the control stays
load-bearing and non-tautological, now on busybox too. With the guard present the
symlinked leaf is dropped before this cp runs, so the shipped path is unchanged.

Verified in the exact CI image (node:24-alpine, busybox, root, apk add bash rsync):
durable-snapshot 41/41, manifest-guard 193, rollback 28. GNU host 41/41, shellcheck
clean. Sole tracked delta vs 8bee1b65 = this test file.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-16 19:24:49 -05:00
..

@mosaicstack/mosaic

CLI package for the Mosaic self-hosted AI agent platform.

Usage

mosaic wizard           # First-run setup wizard
mosaic gateway install  # Install the gateway daemon
mosaic config show      # View current configuration
mosaic config hooks list  # Manage Claude hooks

Headless / CI Installation

Set MOSAIC_ASSUME_YES=1 (or ensure stdin is not a TTY) to skip all interactive prompts. The following environment variables control the install:

Gateway configuration (mosaic gateway install)

Variable Default Required
MOSAIC_STORAGE_TIER local No
MOSAIC_GATEWAY_PORT 14242 No
MOSAIC_DATABASE_URL (none) Yes if tier=team
MOSAIC_VALKEY_URL (none) Yes if tier=team
MOSAIC_ANTHROPIC_API_KEY (none) No
MOSAIC_CORS_ORIGIN http://localhost:3000 No

Admin user bootstrap

Variable Default Required
MOSAIC_ADMIN_NAME (none) Yes (headless)
MOSAIC_ADMIN_EMAIL (none) Yes (headless)
MOSAIC_ADMIN_PASSWORD (none) Yes (headless)

MOSAIC_ADMIN_PASSWORD must be at least 8 characters. In headless mode a missing or too-short password causes a non-zero exit.

Example: Docker / CI install

export MOSAIC_ASSUME_YES=1
export MOSAIC_ADMIN_NAME="Admin"
export MOSAIC_ADMIN_EMAIL="admin@example.com"
export MOSAIC_ADMIN_PASSWORD="securepass123"

mosaic gateway install

Runtime launchers

mosaic claude            # Launch Claude Code with Mosaic injection
mosaic yolo claude       # …with --dangerously-skip-permissions
mosaic codex | opencode | pi

mosaic claudex (EXPERIMENTAL)

Runs GPT models inside the Claude Code harness by pointing Claude Code at a local claude-code-proxy that translates the Anthropic Messages API to a ChatGPT-subscription (Codex OAuth) backend. This is not Anthropic Claude — model behavior, tool use, and output quality may differ. Intended for evaluation, not production delivery.

mosaic claudex           # launch (prompts through the proxy readiness gate)
mosaic yolo claudex      # …with --dangerously-skip-permissions
mosaic claudex --print "hello"   # trailing args are forwarded to Claude Code

Prerequisite: the claude-code-proxy binary must be installed and authenticated (claude-code-proxy codex auth …). mosaic claudex runs a preflight that verifies the binary, the OAuth state (triggering a device re-auth if needed), and a trusted local listener before launching; it fails closed if the proxy cannot be brought up with a verified identity.

Isolation (never touches your real Claude state). claudex always launches against an isolated CLAUDE_CONFIG_DIR (default ~/.config/mosaic/claudex/home). The ambient CLAUDE_CONFIG_DIR is deliberately ignored, and a guard proves the resolved dir can never be — or live under — the real ~/.claude. A claudex session therefore cannot mutate your normal Claude Code config.

No token leakage. claudex never reads the proxy's credential file. Claude Code is handed only ANTHROPIC_AUTH_TOKEN=unused pointed at the loopback proxy; the entire credential-bearing env family (ANTHROPIC_*, AWS_*, GOOGLE_CLOUD_*, GOOGLE_APPLICATION_CREDENTIALS, *_TOKEN, *_KEY, *_SECRET, …) is stripped from the composed environment. The Bedrock/Vertex routing switches (CLAUDE_CODE_USE_BEDROCK, CLAUDE_CODE_USE_VERTEX, and the _SKIP_*_AUTH pair) are force-removed regardless of value — otherwise their mere presence would route Claude Code to the real Anthropic API via AWS/GCP and bypass the proxy. The proxy holds the real OAuth credential.

Model tiers (override via env).

Tier Env var Default
primary (opus/sonnet) ANTHROPIC_MODEL gpt-5.6-sol
small/fast (haiku) ANTHROPIC_SMALL_FAST_MODEL gpt-5.6-luna

Operator-provided values win over the defaults. Additional overrides: MOSAIC_CLAUDEX_CONFIG_DIR (isolated config dir), ANTHROPIC_BASE_URL (proxy endpoint).

Hooks management

After running mosaic wizard, Claude hooks are installed in ~/.claude/hooks-config.json.

mosaic config hooks list              # Show all hooks and enabled/disabled status
mosaic config hooks disable PostToolUse  # Disable a hook (reversible)
mosaic config hooks enable PostToolUse   # Re-enable a disabled hook

Set CLAUDE_HOME to override the default ~/.claude directory.