Jason Woltje
0d310c083e
CRITICAL data-loss in the routine update path. `mosaic update` auto-runs install.sh keep-mode sync (#610); the rsync --delete honored PRESERVE_PATHS but fleet/ was not listed, so the sync WIPED ~/.config/mosaic/fleet/roster.yaml (and fleet/run, fleet/agents). Any user running `mosaic update` lost their fleet. PRIMARY (data-loss): - install.sh PRESERVE_PATHS += fleet/*.yaml, fleet/agents, fleet/run. The framework still SEEDS fleet/examples + fleet/roles + fleet/roster.schema.json (synced); the operator's roster, custom rosters, per-agent env, and heartbeat run dir are preserved. - Made the cp (no-rsync) fallback GLOB-AWARE so fleet/*.yaml is preserved there too; fixed the restore to re-glob per pattern (restores only the user file, not the freshly-synced fleet/ dir). - file-adapter.ts (TS installer): mirrored the preserve list for dual-installer parity. (syncDirectory is copy-only — never --delete — so it never had the bug; this is parity + belt-and-suspenders.) SECONDARY (stale active units): - refreshActiveFleetUnits(): the re-seed updates ~/.config/mosaic/systemd/user but systemd runs ~/.config/systemd/user, so shipped unit fixes (#627) did not take effect after update. `mosaic update` now copies the fresh mosaic-*.service → the active dir + daemon-reload (best-effort, only when a fleet is installed). Verified: bash F6 fixture (roster/custom-yaml/agents/run survive + examples refreshed + schema seeded), 20/20 migration matrix; TS file-adapter keep-mode test; 2 refreshActiveFleetUnits unit tests. tsc/eslint/prettier/sanitize clean. Refs #631 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01EsgTQzV5YUGk1JtCLP4B83
Quality Rails
Portable quality enforcement for TypeScript, Python, and Node.js projects.
🎯 What This Prevents
Based on real-world validation of 50 issues in a production codebase:
- ❌ Hardcoded passwords
- ❌ SQL injection vulnerabilities
- ❌ Type safety violations (
anytypes) - ❌ Missing test coverage
- ❌ Build failures
- ❌ Dependency vulnerabilities
70% of these issues are prevented mechanically with quality-rails.
⚡ Quick Start (Mosaic)
New Project
# Apply template from Mosaic
~/.config/mosaic/bin/mosaic-quality-apply --template typescript-node --target /path/to/project
# Install dependencies
cd /path/to/project
npm install
# Initialize git hooks
npx husky install
# Verify enforcement is working
~/.config/mosaic/bin/mosaic-quality-verify --target /path/to/project
Existing Project
# Same as above - works for new or existing projects
~/.config/mosaic/bin/mosaic-quality-apply --template typescript-node --target /path/to/existing-project
🛡️ What You Get
✅ TypeScript strict mode - All type checks enabled
✅ ESLint blocking any types - no-explicit-any: error
✅ Pre-commit hooks - Type check + lint + format before commit
✅ Secret scanning (gitleaks) - Block hardcoded passwords/API keys (pre-commit + CI)
✅ CI/CD templates - Woodpecker, GitHub Actions, GitLab
✅ Test coverage enforcement - 80% threshold
✅ Security scanning - npm audit, OWASP checks
📦 Available Templates
| Template | Language | Framework | Status |
|---|---|---|---|
typescript-node |
TypeScript | Node.js | ✅ Ready |
typescript-nextjs |
TypeScript | Next.js | ✅ Ready |
monorepo |
TypeScript | TurboRepo + pnpm | ✅ Ready |
python |
Python | - | 🚧 Coming Soon |
Monorepo Template
Perfect for projects combining Next.js frontend + NestJS backend in one repository.
Features:
- 🎯 Multi-package aware - lint-staged only checks changed packages
- ⚡ TurboRepo caching - Faster builds and tests
- 🔀 Parallel dev servers - Run web + API simultaneously
- 📦 pnpm workspaces - Efficient dependency management
- 🛡️ Package-specific rules - Next.js and NestJS get appropriate ESLint configs
Example structure:
monorepo/
├── apps/
│ ├── web/ # Next.js frontend
│ └── api/ # NestJS backend
└── packages/
├── shared-types/
├── ui/
└── config/
🧪 How It Works
Pre-Commit (Local Enforcement)
# You try to commit code with a type error
git commit -m "Add feature"
# Quality rails blocks it:
❌ Type error: Type 'number' is not assignable to type 'string'
❌ ESLint: Unexpected any. Specify a different type.
✋ Commit blocked - fix errors and try again
CI/CD (Remote Enforcement)
# Woodpecker pipeline runs:
✓ gitleaks (secret scanning — parallel, no deps)
✓ npm audit (dependency security)
✓ eslint (code quality)
✓ tsc --noEmit (type checking)
✓ jest --coverage (tests + coverage)
✓ npm run build (compilation — gates on all above)
# If any step fails, merge is blocked
🎓 Philosophy
Process compliance doesn't work.
Instructing AI agents to "do code review" or "run tests" fails. They claim to follow processes but output quality doesn't match claims.
Mechanical enforcement works.
Quality rails don't ask agents to follow processes. They block commits that don't pass automated checks.
- Type errors? → Commit blocked
- Hardcoded secrets? → Commit blocked
- Test failures? → Commit blocked
- Missing coverage? → Commit blocked
This works for any agent runtime (Codex, Claude, OpenCode, Gemini, etc.) because enforcement is mechanical, not instructional.
📖 Documentation
🔧 Scripts
| Script | Purpose |
|---|---|
scripts/install.sh |
Install template to project (Linux/Mac) |
scripts/install.ps1 |
Install template to project (Windows) |
scripts/verify.sh |
Verify enforcement is working (Linux/Mac) |
scripts/verify.ps1 |
Verify enforcement is working (Windows) |
🚀 Roadmap
- TypeScript/Node template
- Pre-commit enforcement (husky + lint-staged)
- CI/CD templates (Woodpecker, GitHub Actions)
- Installation scripts
- Verification testing
- Next.js template
- Monorepo template
- Python template
- Coverage visualization
- IDE integration (VSCode extension)
🤝 Contributing
Quality Rails is based on lessons learned from real production codebases. Contributions welcome!
📝 License
MIT License - See LICENSE file for details
🙏 Credits
Built to solve real problems discovered in AI-assisted development workflows.
Based on validation findings from a production patch milestone.