mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity
Files
9da096fe9b7cedfb668b1aac7dd17de832a83687
stack/docs/reports/qa/gateway-security-20260313.md
Jarvis 774b76447d
Some checks failed
ci/woodpecker/pr/ci Pipeline failed
Details
ci/woodpecker/push/ci Pipeline failed
Details
fix: rename all packages from @mosaic/* to @mosaicstack/* 
- Updated all package.json name fields and dependency references
- Updated all TypeScript/JavaScript imports
- Updated .woodpecker/publish.yml filters and registry paths
- Updated tools/install.sh scope default
- Updated .npmrc registry paths (worktree + host)
- Enhanced update-checker.ts with checkForAllUpdates() multi-package support
- Updated CLI update command to show table of all packages
- Added KNOWN_PACKAGES, formatAllPackagesTable, getInstallAllCommand
- Marked checkForUpdate() with @deprecated JSDoc

Closes #391
2026-04-04 21:43:23 -05:00

1.9 KiB
Raw Blame History

QA Report — Gateway Security Hardening

Scope

  • Chat HTTP auth guard hardening
  • Chat WebSocket session validation
  • DTO validation rules for chat and conversation payloads
  • Ownership regression coverage for by-id routes

TDD

  • Required: yes
  • Applied: yes
  • Red step: targeted tests failed on socket session reshaping and DTO role/length mismatches
  • Green step: targeted tests passed after runtime and DTO alignment

Baseline Verification

Command Result Evidence
pnpm --filter @mosaicstack/gateway test -- src/chat/__tests__/chat-security.test.ts src/__tests__/resource-ownership.test.ts pass 3 test files passed, 20 tests passed
pnpm typecheck pass turbo completed 18/18 package typecheck tasks
pnpm lint pass turbo completed 18/18 package lint tasks
pnpm format:check pass All matched files use Prettier code style!

Situational Verification

Acceptance Criterion Verification Method Evidence
Chat controller requires auth and current-user context source assertion test chat-security.test.ts checks @UseGuards(AuthGuard) and @CurrentUser() user: { id: string }
WebSocket handshake requires Better Auth session unit tests for validateSocketSession() null handshake returns null; valid handshake returns original session object
Conversation messages reject non-user/assistant roles class-validator test system role fails validation
Conversation messages enforce a 32k max length class-validator test 32_001 chars fail validation
Chat request payload enforces a 10k max length class-validator test 10_001 chars fail validation
By-id routes reject cross-user access ownership regression tests conversations, projects, missions, tasks each raise ForbiddenException for non-owner access

Residual Risk

  • No live HTTP or WebSocket smoke test against a running gateway process was executed in this session.
Reference in New Issue View Git Blame Copy Permalink