Jason Woltje b5d600e39b fix(memory): scope InsightsRepo operations to userId — M2-001/002 ...

Security audit findings and fixes:

M2-001 — searchByEmbedding: confirmed already user-scoped via WHERE user_id
M2-002 — findByUser: confirmed already user-scoped
M2-002 — decayOldInsights: was global (no userId filter); now requires userId
  param and scopes UPDATE to eq(insights.userId, userId). Added decayAllInsights
  as a separate system-only method for cron tier management.

Additional unscoped operations fixed:
- findById: added userId param + AND eq(userId) to prevent cross-user read
- update: added userId param + AND eq(userId) to prevent cross-user write
- remove: added userId param + AND eq(userId) to prevent cross-user delete
- memory.controller getInsight/removeInsight: now pass user.id for ownership
- summarization.service: switched tier-management cron to decayAllInsights

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-21 15:16:24 -05:00

.husky

chore: remove deprecated husky v9 shim lines (#113)

2026-03-15 16:48:51 +00:00

.mosaic

feat(P0-001): scaffold monorepo structure (#60)

2026-03-13 01:11:46 +00:00

.woodpecker

fix(ci): remove from_secret to unblock PR pipelines (#156)

2026-03-15 21:48:51 +00:00

apps

fix(memory): scope InsightsRepo operations to userId — M2-001/002

2026-03-21 15:16:24 -05:00

docker

feat(P0-001): scaffold monorepo structure (#60)

2026-03-13 01:11:46 +00:00

docs

chore: bootstrap Harness Foundation mission (Phase 9) (#289)

2026-03-21 20:10:48 +00:00

infra

fix(gateway): CORS, memory userId from session, pgvector auto-init (#110)

2026-03-15 16:40:28 +00:00

packages

fix(memory): scope InsightsRepo operations to userId — M2-001/002

2026-03-21 15:16:24 -05:00

plugins

feat(gateway): Discord channel auto-creation on project bootstrap (#200)

2026-03-17 02:32:14 +00:00

scripts/agent

chore: planning gate — milestones, issues, and task breakdown

2026-03-12 19:51:51 -05:00

.env.example

Merge pull request 'feat(gateway): add Anthropic, OpenAI, Z.ai LLM providers (P8-002)' (#212) from feat/p8-002-llm-providers into main

2026-03-21 12:28:50 +00:00

.gitignore

feat(P0-001): scaffold monorepo structure (#60)

2026-03-13 01:11:46 +00:00

.lintstagedrc

feat(P0-001): scaffold monorepo structure (#60)

2026-03-13 01:11:46 +00:00

.npmrc

feat(P0-001): scaffold monorepo structure (#60)

2026-03-13 01:11:46 +00:00

.prettierignore

feat(web): wire WebSocket chat with streaming and conversation switching (#120) (#136)

2026-03-15 18:09:14 +00:00

.prettierrc

feat(P0-001): scaffold monorepo structure (#60)

2026-03-13 01:11:46 +00:00

AGENTS.md

docs: add TASKS.md agent-column schema to AGENTS.md (canonical reference)

2026-03-19 20:10:45 -05:00

CLAUDE.md

feat: Woodpecker CI pipeline + project docs (P0-007, P0-008) (#69)

2026-03-13 02:25:31 +00:00

docker-compose.yml

fix(gateway): CORS, memory userId from session, pgvector auto-init (#110)

2026-03-15 16:40:28 +00:00

eslint.config.mjs

feat(web): Playwright E2E test suite for critical paths (#152)

2026-03-15 19:46:13 +00:00

package.json

feat(P0-001): scaffold monorepo structure (#60)

2026-03-13 01:11:46 +00:00

pnpm-lock.yaml

feat(web): port chat UI — model selector, keybindings, thinking display, styled header

2026-03-19 20:42:48 -05:00

pnpm-workspace.yaml

feat(P0-001): scaffold monorepo structure (#60)

2026-03-13 01:11:46 +00:00

tsconfig.base.json

feat(P0-001): scaffold monorepo structure (#60)

2026-03-13 01:11:46 +00:00

turbo.json

fix(turbo): typecheck must depend on ^build so package types are available

2026-03-13 12:38:54 -05:00

vitest.workspace.ts

feat(P0-001): scaffold monorepo structure (#60)

2026-03-13 01:11:46 +00:00

Description

Self-hosted multi-user AI agent platform — web dashboard, TUI, remote control, shared memory, mission orchestration

16 MiB

Releases 11

mosaic v0.0.29 Latest

2026-04-08 00:42:54 +00:00

Languages

TypeScript 74.5%

Shell 19.7%

PowerShell 3%

JavaScript 1.4%

Python 1%

Other 0.4%