mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity
Files
cfdd2b679c36e12ea664c6f3b67dee3e42060426
stack/docs/scratchpads/task-mission-ownership-20260313.md
Jason Woltje 684dbdc6a4
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
fix(gateway): enforce task and mission ownership
2026-03-13 14:43:33 -05:00

2.8 KiB
Raw Blame History

Task Ownership Gap Fix Scratchpad

Metadata

  • Date: 2026-03-13
  • Worktree: /home/jwoltje/src/mosaic-mono-v1-worktrees/fix-task-ownership
  • Branch: fix/task-mission-ownership
  • Scope: Fix ownership checks in TasksController/MissionsController and extend gateway ownership tests
  • Related tracker: worker task only; docs/TASKS.md is orchestrator-owned and left unchanged
  • Budget assumption: no explicit token cap; keep scope limited to requested gateway permission fixes

Objective

Close ownership gaps so task listing/creation and mission creation enforce project/mission ownership and reject cross-user access.

Acceptance Criteria

  1. TasksController list() enforces ownership for projectId and missionId, and does not return cross-user data when neither filter is provided.
  2. TasksController create() rejects unowned projectId and missionId references.
  3. MissionsController create() rejects unowned projectId references.
  4. Gateway ownership tests cover forbidden task creation and forbidden task listing by unowned project.

Plan

  1. Inspect current controller and ownership test patterns.
  2. Add failing permission tests first.
  3. Patch controller methods with existing ownership helpers.
  4. Run targeted gateway tests, then gateway typecheck/lint/full test.
  5. Perform independent review, record evidence, then complete the requested git/PR workflow.

TDD Notes

  • Required: yes. This is auth/permission logic and a bugfix.
  • Strategy: add failing tests in resource-ownership.test.ts, verify red, then implement minimal controller changes.

Verification Log

  • pnpm --filter @mosaic/gateway test -- src/__tests__/resource-ownership.test.ts
    • Red: failed with 2 expected permission-path failures before controller changes.
    • Green: passed after wiring ownership checks and adding owned-task filtering coverage.
  • pnpm --filter @mosaic/gateway typecheck
    • Pass on 2026-03-13 after fixing parameter ordering and mission project nullability.
  • pnpm --filter @mosaic/gateway lint
    • Pass on 2026-03-13.
  • pnpm --filter @mosaic/gateway test
    • Pass on 2026-03-13 with 3 test files and 23 tests passing.
  • pnpm format:check
    • Pass on 2026-03-13.

Review Log

  • Manual review: checked for auth regressions, cross-user list leakage, and dashboard behavior impact; kept unfiltered task list functional by filtering to owned projects/missions instead of returning an empty list.
  • Automated review: ~/.config/mosaic/tools/codex/codex-code-review.sh --uncommitted running/re-run for independent review evidence.

Risks / Blockers

  • Repository-wide Mosaic instructions require merge/issue closure, but the user explicitly instructed PR-only and no merge; follow the user instruction.
  • docs/TASKS.md is orchestrator-owned and will not be edited from this worker task.
Reference in New Issue View Git Blame Copy Permalink