mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity
Files
37545de79cc7e85eb57ac9c5d877f5213b6dad5a
stack/docs/scratchpads/task-mission-ownership-20260313.md
Jarvis 774b76447d
Some checks failed
ci/woodpecker/pr/ci Pipeline failed
Details
ci/woodpecker/push/ci Pipeline failed
Details
fix: rename all packages from @mosaic/* to @mosaicstack/* 
- Updated all package.json name fields and dependency references
- Updated all TypeScript/JavaScript imports
- Updated .woodpecker/publish.yml filters and registry paths
- Updated tools/install.sh scope default
- Updated .npmrc registry paths (worktree + host)
- Enhanced update-checker.ts with checkForAllUpdates() multi-package support
- Updated CLI update command to show table of all packages
- Added KNOWN_PACKAGES, formatAllPackagesTable, getInstallAllCommand
- Marked checkForUpdate() with @deprecated JSDoc

Closes #391
2026-04-04 21:43:23 -05:00

59 lines
2.8 KiB
Markdown
Raw Blame History

# Task Ownership Gap Fix Scratchpad
## Metadata
- Date: 2026-03-13
- Worktree: `/home/jwoltje/src/mosaic-mono-v1-worktrees/fix-task-ownership`
- Branch: `fix/task-mission-ownership`
- Scope: Fix ownership checks in TasksController/MissionsController and extend gateway ownership tests
- Related tracker: worker task only; `docs/TASKS.md` is orchestrator-owned and left unchanged
- Budget assumption: no explicit token cap; keep scope limited to requested gateway permission fixes
## Objective
Close ownership gaps so task listing/creation and mission creation enforce project/mission ownership and reject cross-user access.
## Acceptance Criteria
1. TasksController `list()` enforces ownership for `projectId` and `missionId`, and does not return cross-user data when neither filter is provided.
2. TasksController `create()` rejects unowned `projectId` and `missionId` references.
3. MissionsController `create()` rejects unowned `projectId` references.
4. Gateway ownership tests cover forbidden task creation and forbidden task listing by unowned project.
## Plan
1. Inspect current controller and ownership test patterns.
2. Add failing permission tests first.
3. Patch controller methods with existing ownership helpers.
4. Run targeted gateway tests, then gateway typecheck/lint/full test.
5. Perform independent review, record evidence, then complete the requested git/PR workflow.
## TDD Notes
- Required: yes. This is auth/permission logic and a bugfix.
- Strategy: add failing tests in `resource-ownership.test.ts`, verify red, then implement minimal controller changes.
## Verification Log
- `pnpm --filter @mosaicstack/gateway test -- src/__tests__/resource-ownership.test.ts`
- Red: failed with 2 expected permission-path failures before controller changes.
- Green: passed after wiring ownership checks and adding owned-task filtering coverage.
- `pnpm --filter @mosaicstack/gateway typecheck`
- Pass on 2026-03-13 after fixing parameter ordering and mission project nullability.
- `pnpm --filter @mosaicstack/gateway lint`
- Pass on 2026-03-13.
- `pnpm --filter @mosaicstack/gateway test`
- Pass on 2026-03-13 with 3 test files and 23 tests passing.
- `pnpm format:check`
- Pass on 2026-03-13.
## Review Log
- Manual review: checked for auth regressions, cross-user list leakage, and dashboard behavior impact; kept unfiltered task list functional by filtering to owned projects/missions instead of returning an empty list.
- Automated review: `~/.config/mosaic/tools/codex/codex-code-review.sh --uncommitted` running/re-run for independent review evidence.
## Risks / Blockers
- Repository-wide Mosaic instructions require merge/issue closure, but the user explicitly instructed PR-only and no merge; follow the user instruction.
- `docs/TASKS.md` is orchestrator-owned and will not be edited from this worker task.
Reference in New Issue View Git Blame Copy Permalink