mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity
Files
774b76447d8e9e2b6eef9a5d0e6f75d3537230e7
stack/docs/scratchpads/gateway-security-20260313.md
Jarvis 774b76447d
Some checks failed
ci/woodpecker/pr/ci Pipeline failed
Details
ci/woodpecker/push/ci Pipeline failed
Details
fix: rename all packages from @mosaic/* to @mosaicstack/* 
- Updated all package.json name fields and dependency references
- Updated all TypeScript/JavaScript imports
- Updated .woodpecker/publish.yml filters and registry paths
- Updated tools/install.sh scope default
- Updated .npmrc registry paths (worktree + host)
- Enhanced update-checker.ts with checkForAllUpdates() multi-package support
- Updated CLI update command to show table of all packages
- Added KNOWN_PACKAGES, formatAllPackagesTable, getInstallAllCommand
- Marked checkForUpdate() with @deprecated JSDoc

Closes #391
2026-04-04 21:43:23 -05:00

69 lines
2.7 KiB
Markdown
Raw Blame History

# Gateway Security Hardening Scratchpad
## Metadata
- Date: 2026-03-13
- Worktree: `/home/jwoltje/src/mosaic-mono-v1-worktrees/sec-remediation`
- Branch: `fix/gateway-security`
- Scope: Finish 7 requested gateway security fixes without switching branches or worktrees
- Related tracker: worker task only; `docs/TASKS.md` is orchestrator-owned and left unchanged
- Budget assumption: no explicit token cap; keep scope limited to requested gateway/auth/validation hardening
## Objective
Complete the remaining gateway security hardening work:
1. Chat HTTP auth guard enforcement
2. Chat WebSocket session validation
3. Ownership checks on by-id CRUD routes
4. Global validation pipe and DTO enforcement
5. Rate limiting
6. Helmet security headers
7. Body limit and env validation
## Plan
1. Reconcile current worktree state against requested fixes.
2. Patch or extend tests first for DTO/auth behavior mismatches.
3. Implement minimal code changes to satisfy tests and requested behavior.
4. Run targeted gateway tests.
5. Run baseline gates: `pnpm typecheck`, `pnpm lint`.
6. Perform manual code review and record findings.
7. Commit, push branch, open PR, send OpenClaw event, remove worktree.
## Progress Log
### 2026-03-13T00:00 local
- Loaded required Mosaic/global/runtime instructions and applicable skills.
- Confirmed active worktree is `sec-remediation` and branch is already dirty with prior session changes.
- Identified remaining gaps: DTO validation mismatch and non-requested socket auth helper typing/behavior drift.
## TDD Notes
- Required: yes. This is security/auth/permission logic.
- Approach: update targeted unit tests first, verify failure, then patch code minimally.
## Verification Log
- `pnpm --filter @mosaicstack/gateway test -- src/chat/__tests__/chat-security.test.ts src/__tests__/resource-ownership.test.ts`
- Red: failed on socket session reshaping and DTO role/length mismatches.
- Green: passed with 3 test files and 20 tests passing.
- `pnpm typecheck`
- Pass on 2026-03-13 with 18/18 package typecheck tasks successful.
- `pnpm lint`
- Pass on 2026-03-13 with 18/18 package lint tasks successful.
- `pnpm format:check`
- Pass on 2026-03-13 with `All matched files use Prettier code style!`
## Review Log
- Manual review completed against auth, authorization, validation, and runtime hardening requirements.
- No blocker findings remained after remediation.
## Risks / Blockers
- Repository instructions conflict on PR merge behavior; user explicitly instructed PR-only, no merge. Follow user instruction.
- Existing worktree contains prior-session modifications; do not revert unrelated changes.
- `missions` and `tasks` currently depend on project ownership because the schema does not carry a direct user owner column.
Reference in New Issue View Git Blame Copy Permalink