Stage (#9213)

* fix: remove  and use only lax to avoid the oauth flow to be restrictive

* feat: migrate GitHub workflows to Ubicloud/Warp runners and normalize YAML quoting

* chore(deps): bump min-document from 2.19.0 to 2.19.2

Bumps [min-document](https://github.com/Raynos/min-document) from 2.19.0 to 2.19.2.
- [Commits](Raynos/min-document@v2.19.0...v2.19.2)

---
updated-dependencies:
- dependency-name: min-document
  dependency-version: 2.19.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

* feat(redis): migrate from cache-manager-redis-yet to @keyv/redis (#9172)

* feat(redis): improve Redis connection configuration

- Add pingInterval (30s) to prevent LB/firewall disconnections
- Add keepAlive (10s) for TCP keepalive
- Add reconnectStrategy with exponential backoff (1s-5s)
- Add connectTimeout (10s) for connection stability
- Apply improvements to session store, cache store, and health checks
- Optimize for DigitalOcean Valkey 8 compatibility

Resolves #9162 (step 4)

* fix typos

* fix(redis): implement true exponential backoff in reconnectStrategy

- Replace linear progression (1000 + retries * 200) with exponential backoff (1000 * 2^retries)
- Retry delays now: 1000ms, 2000ms, 4000ms, 5000ms (capped)
- Previous formula was arithmetic, not exponential as claimed in comment
- Apply fix to session store, cache store, and health checks

Resolves #9162 (reconnectStrategy fix)

* feat: migrate from cache-manager-redis-yet to @keyv/redis with production-ready options

- Replace outdated cache-manager-redis-yet with modern @keyv/redis adapter
- Create new CacheModule with Keyv Redis integration
- Add production-ready Redis connection options:
  - keepAlive: 10_000ms for TCP keepalive
  - reconnectStrategy with exponential backoff (1s-5s)
  - connectTimeout: 10_000ms for connection stability
  - pingInterval: 30_000ms to prevent LB/firewall disconnections
  - isolationPoolOptions with connection pooling (min: 1, max: 100)
  - TLS support for secure connections
- Configure Keyv options for optimal performance:
  - namespace: 'gauzy-cache' for key organization
  - useUnlink: true for better performance (UNLINK vs DEL)
  - clearBatchSize: 1000 for batch operations
  - throwOnConnectError: true for error handling
- Create CacheService with get/set/delete/clear methods
- Update app.module.ts to use new CacheModule
- Remove cache-manager-redis-yet dependency from package.json

* fix cspell

* fix redis config

* fix ttl config

* fix ttl config

* remove unused import

* chore: sanitize .env.sample - remove sensitive credentials

* Refactor cache service

* refactor(cache): migrate from cache-manager-redis-yet to cacheable with 2-layer non-blocking cache

- Replace cache-manager-redis-yet with cacheable package
- Implement 2-layer caching (in-memory L1 + Redis L2)
- Configure non-blocking mode for Redis operations
- Add Redis URL validation to prevent invalid URLs
- Remove custom cache module in favor of NestJS cache-manager integration
- Add fallback to in-memory cache if Redis connection fails

Follows NestJS caching documentation and cacheable best practices:
https://docs.nestjs.com/techniques/caching
https://cacheable.org/docs/cacheable/#non-blocking-with-keyvredis

* refactor(cache): simplify cache configuration using createKeyvNonBlocking helper

- Use createKeyvNonBlocking() helper function from @keyv/redis for non-blocking Redis setup
- Remove manual Redis client configuration (disableOfflineQueue, reconnectStrategy, event listeners)
- Remove explicit primary cache configuration (Cacheable manages in-memory LRU by default)
- Replace 'as any' type cast with factory function for type safety
- Simplify code from ~120 lines to ~40 lines while maintaining same functionality

Benefits:
- Automatic non-blocking configuration (disableOfflineQueue: true, reconnectStrategy: false, throwOnConnectError: false)
- Type-safe cache-manager integration without 'as any' cast
- Cleaner, more maintainable code following cacheable best practices
- Default in-memory LRU cache managed by Cacheable (Layer 1)
- Non-blocking Redis cache for distributed persistence (Layer 2)

Follows cacheable documentation:
https://cacheable.org/docs/cacheable/#non-blocking-with-keyvredis

* fix(cache): improve security and error handling

Security improvements:
- Remove credential logging: Replace plain-text Redis URL logging with sanitized connection info
- Log only host, port, and protocol (rediss/redis) without username/password
- Prevent credential exposure in application logs (compliance & security best practice)

Error handling improvements:
- Fix invalid fallback: Replace 'store: undefined' with proper in-memory config
- Add try-catch around Redis initialization to handle connection failures gracefully
- Return '{ isGlobal: true }' for in-memory fallback instead of broken 'store: undefined'
- Ensure cache operations continue to work even when Redis is unavailable

Before (security risk):
  console.log('REDIS_URL: ', url); // Logs: redis://user:password@host:6379

After (secure):
  console.log('Redis Cache: Connecting to redis://host:6379'); // No credentials

Before (broken fallback):
  return { store: undefined }; // Cache operations will fail

After (working fallback):
  return { isGlobal: true }; // In-memory cache works correctly

* fix 2layer cache

* add primary store

* fix config

* fix return

* fix deeepscan

* feat: add comprehensive Redis configuration properties for cache consistency

- Parse Redis URL to extract username, password, host, port
- Add conditional socket configuration based on TLS/TCP mode
- TLS mode: tls, passphrase, rejectUnauthorized, connectTimeout
- TCP mode: keepAlive, keepAliveInitialDelay, connectTimeout
- Add pingInterval for connection keep-alive
- Maintain consistency with RedisHealthIndicator configuration
- Respect non-blocking mode constraints (reconnectStrategy omitted)

* fix parse

* fix parse

* add default port

* improve parse int

* fix comment

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: rolandm99 <[email protected]>
Co-authored-by: Paradoxe Ngwasi <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: samuel mbabhazi <[email protected]>

Author: 5 people

.cspell.json

@@ -268,6 +268,7 @@
 		"keyresult",
 		"keyresults",
 		"keyrings",
+		"keyv",
 		"killall",
 		"KNEX",
 		"knexfile",
@@ -348,6 +349,7 @@
 		"ngsw",
 		"ngtools",
 		"nocase",
+		"nodenext",
 		"nodownload",
 		"NOLOGO",
 		"notif",

.github/workflows/agent-prod.yml

@@ -2,7 +2,7 @@ name: Agent Build Prod
 
 on:
   workflow_run:
-    workflows: ['Release Prod']
+    workflows: ["Release Prod"]
     branches: [master]
     types:
       - completed
@@ -17,7 +17,7 @@ jobs:
 
     strategy:
       matrix:
-        os: [buildjet-16vcpu-ubuntu-2204]
+        os: [ubicloud-standard-16]
 
     steps:
       - name: Check out Git repository
@@ -27,28 +27,28 @@ jobs:
         uses: buildjet/setup-node@v4
         with:
           node-version: 20.18.1
-          cache: 'yarn'
+          cache: "yarn"
 
       - name: Change permissions
-        run: 'sudo chown -R $(whoami) ./*'
+        run: "sudo chown -R $(whoami) ./*"
 
       - name: Install system dependencies
-        run: 'sudo apt-get update && sudo apt install -y curl gnupg git libappindicator3-1 ca-certificates binutils icnsutils graphicsmagick'
+        run: "sudo apt-get update && sudo apt install -y curl gnupg git libappindicator3-1 ca-certificates binutils icnsutils graphicsmagick"
 
       - name: Fix node-gyp and Python
         run: python3 -m pip install packaging setuptools
 
       - name: Install latest version of NPM
-        run: 'sudo npm install -g npm@9'
+        run: "sudo npm install -g npm@9"
 
       - name: Install node-gyp package
-        run: 'sudo npm install --quiet -g [email protected]'
+        run: "sudo npm install --quiet -g [email protected]"
 
       - name: Install Yarn dependencies
-        run: 'yarn install --network-timeout 1000000 --frozen-lockfile --ignore-scripts'
+        run: "yarn install --network-timeout 1000000 --frozen-lockfile --ignore-scripts"
 
       - name: Run Postinstall Manually
-        run: 'yarn postinstall.manual'
+        run: "yarn postinstall.manual"
 
       - name: Bump agent version
         uses: actions/github-script@v7
@@ -57,24 +57,24 @@ jobs:
             const script = require('./.scripts/bump-version-electron.js')
             console.log(script.agent(true))
         env:
-          PROJECT_REPO: 'https://github.com/ever-co/ever-gauzy.git'
-          AGENT_APP_NAME: 'ever-gauzy-agent'
-          COMPANY_SITE_LINK: 'https://gauzy.co'
-          AGENT_APP_DESCRIPTION: 'Ever Gauzy Agent'
-          AGENT_APP_ID: 'com.ever.gauzyagent'
+          PROJECT_REPO: "https://github.com/ever-co/ever-gauzy.git"
+          AGENT_APP_NAME: "ever-gauzy-agent"
+          COMPANY_SITE_LINK: "https://gauzy.co"
+          AGENT_APP_DESCRIPTION: "Ever Gauzy Agent"
+          AGENT_APP_ID: "com.ever.gauzyagent"
 
       - name: Build Agent
-        run: 'yarn build:agent:linux:release:gh'
+        run: "yarn build:agent:linux:release:gh"
         env:
           USE_HARD_LINKS: false
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
           EP_GH_IGNORE_TIME: true
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_TRACES_SAMPLE_RATE: '${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}'
-          SENTRY_PROFILE_SAMPLE_RATE: '${{ secrets.SENTRY_PROFILE_SAMPLE_RATE }}'
-          SENTRY_HTTP_TRACING_ENABLED: '${{ secrets.SENTRY_HTTP_TRACING_ENABLED }}'
-          SENTRY_POSTGRES_TRACKING_ENABLED: '${{ secrets.SENTRY_POSTGRES_TRACKING_ENABLED }}'
-          SENTRY_PROFILING_ENABLED: '${{ secrets.SENTRY_PROFILING_ENABLED }}'
+          SENTRY_TRACES_SAMPLE_RATE: "${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}"
+          SENTRY_PROFILE_SAMPLE_RATE: "${{ secrets.SENTRY_PROFILE_SAMPLE_RATE }}"
+          SENTRY_HTTP_TRACING_ENABLED: "${{ secrets.SENTRY_HTTP_TRACING_ENABLED }}"
+          SENTRY_POSTGRES_TRACKING_ENABLED: "${{ secrets.SENTRY_POSTGRES_TRACKING_ENABLED }}"
+          SENTRY_PROFILING_ENABLED: "${{ secrets.SENTRY_PROFILING_ENABLED }}"
           DO_KEY_ID: ${{ secrets.DO_KEY_ID }}
           DO_SECRET_KEY: ${{ secrets.DO_SECRET_KEY }}
           NX_NO_CLOUD: true
@@ -84,7 +84,7 @@ jobs:
 
     strategy:
       matrix:
-        os: [macos-latest]
+        os: [warp-macos-15-arm64-6x]
 
     steps:
       - name: Check out Git repository
@@ -94,22 +94,22 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20.18.1
-          cache: 'yarn'
+          cache: "yarn"
 
       - name: Fix node-gyp and Python
         run: python3 -m pip install --break-system-packages packaging setuptools
 
       - name: Install latest version of NPM
-        run: 'sudo npm install -g npm@9'
+        run: "sudo npm install -g npm@9"
 
       - name: Install node-gyp package
-        run: 'sudo npm install --quiet -g [email protected]'
+        run: "sudo npm install --quiet -g [email protected]"
 
       - name: Install Yarn dependencies
-        run: 'yarn install --network-timeout 1000000 --frozen-lockfile --ignore-scripts'
+        run: "yarn install --network-timeout 1000000 --frozen-lockfile --ignore-scripts"
 
       - name: Run Postinstall Manually
-        run: 'yarn postinstall.manual'
+        run: "yarn postinstall.manual"
 
       - name: Bump Agent version
         uses: actions/github-script@v7
@@ -118,24 +118,24 @@ jobs:
             const script = require('./.scripts/bump-version-electron.js')
             console.log(script.agent(true))
         env:
-          PROJECT_REPO: 'https://github.com/ever-co/ever-gauzy.git'
-          AGENT_APP_NAME: 'ever-gauzy-agent'
-          COMPANY_SITE_LINK: 'https://gauzy.co'
-          AGENT_APP_DESCRIPTION: 'Ever Gauzy Agent'
-          AGENT_APP_ID: 'com.ever.gauzyagent'
+          PROJECT_REPO: "https://github.com/ever-co/ever-gauzy.git"
+          AGENT_APP_NAME: "ever-gauzy-agent"
+          COMPANY_SITE_LINK: "https://gauzy.co"
+          AGENT_APP_DESCRIPTION: "Ever Gauzy Agent"
+          AGENT_APP_ID: "com.ever.gauzyagent"
 
       - name: Build Agent
-        run: 'yarn build:agent:mac:release'
+        run: "yarn build:agent:mac:release"
         env:
           USE_HARD_LINKS: false
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
           EP_GH_IGNORE_TIME: true
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_TRACES_SAMPLE_RATE: '${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}'
-          SENTRY_PROFILE_SAMPLE_RATE: '${{ secrets.SENTRY_PROFILE_SAMPLE_RATE }}'
-          SENTRY_HTTP_TRACING_ENABLED: '${{ secrets.SENTRY_HTTP_TRACING_ENABLED }}'
-          SENTRY_POSTGRES_TRACKING_ENABLED: '${{ secrets.SENTRY_POSTGRES_TRACKING_ENABLED }}'
-          SENTRY_PROFILING_ENABLED: '${{ secrets.SENTRY_PROFILING_ENABLED }}'
+          SENTRY_TRACES_SAMPLE_RATE: "${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}"
+          SENTRY_PROFILE_SAMPLE_RATE: "${{ secrets.SENTRY_PROFILE_SAMPLE_RATE }}"
+          SENTRY_HTTP_TRACING_ENABLED: "${{ secrets.SENTRY_HTTP_TRACING_ENABLED }}"
+          SENTRY_POSTGRES_TRACKING_ENABLED: "${{ secrets.SENTRY_POSTGRES_TRACKING_ENABLED }}"
+          SENTRY_PROFILING_ENABLED: "${{ secrets.SENTRY_PROFILING_ENABLED }}"
           DO_KEY_ID: ${{ secrets.DO_KEY_ID }}
           DO_SECRET_KEY: ${{ secrets.DO_SECRET_KEY }}
           NX_NO_CLOUD: true
@@ -148,7 +148,7 @@ jobs:
 
     strategy:
       matrix:
-        os: [windows-latest]
+        os: [warp-windows-2025-x64-8x]
 
     steps:
       - name: Check out Git repository
@@ -158,22 +158,22 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20.18.1
-          cache: 'yarn'
+          cache: "yarn"
 
       - name: Fix node-gyp and Python
         run: python3 -m pip install packaging setuptools
 
       - name: Install latest version of NPM
-        run: 'npm install -g npm@9'
+        run: "npm install -g npm@9"
 
       - name: Install node-gyp package
-        run: 'npm install --quiet -g [email protected]'
+        run: "npm install --quiet -g [email protected]"
 
       - name: Install Yarn dependencies
-        run: 'yarn install --network-timeout 1000000 --frozen-lockfile --ignore-scripts'
+        run: "yarn install --network-timeout 1000000 --frozen-lockfile --ignore-scripts"
 
       - name: Run Postinstall Manually
-        run: 'yarn postinstall.manual'
+        run: "yarn postinstall.manual"
 
       - name: Bump Agent version
         uses: actions/github-script@v7
@@ -182,11 +182,11 @@ jobs:
             const script = require('./.scripts/bump-version-electron.js')
             console.log(script.agent(true))
         env:
-          PROJECT_REPO: 'https://github.com/ever-co/ever-gauzy.git'
-          AGENT_APP_NAME: 'ever-gauzy-agent'
-          COMPANY_SITE_LINK: 'https://gauzy.co'
-          AGENT_APP_DESCRIPTION: 'Ever Gauzy Agent'
-          AGENT_APP_ID: 'com.ever.gauzyagent'
+          PROJECT_REPO: "https://github.com/ever-co/ever-gauzy.git"
+          AGENT_APP_NAME: "ever-gauzy-agent"
+          COMPANY_SITE_LINK: "https://gauzy.co"
+          AGENT_APP_DESCRIPTION: "Ever Gauzy Agent"
+          AGENT_APP_ID: "com.ever.gauzyagent"
 
       - name: Build Agent
         run: |
@@ -196,11 +196,11 @@ jobs:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
           EP_GH_IGNORE_TIME: true
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_TRACES_SAMPLE_RATE: '${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}'
-          SENTRY_PROFILE_SAMPLE_RATE: '${{ secrets.SENTRY_PROFILE_SAMPLE_RATE }}'
-          SENTRY_HTTP_TRACING_ENABLED: '${{ secrets.SENTRY_HTTP_TRACING_ENABLED }}'
-          SENTRY_POSTGRES_TRACKING_ENABLED: '${{ secrets.SENTRY_POSTGRES_TRACKING_ENABLED }}'
-          SENTRY_PROFILING_ENABLED: '${{ secrets.SENTRY_PROFILING_ENABLED }}'
+          SENTRY_TRACES_SAMPLE_RATE: "${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}"
+          SENTRY_PROFILE_SAMPLE_RATE: "${{ secrets.SENTRY_PROFILE_SAMPLE_RATE }}"
+          SENTRY_HTTP_TRACING_ENABLED: "${{ secrets.SENTRY_HTTP_TRACING_ENABLED }}"
+          SENTRY_POSTGRES_TRACKING_ENABLED: "${{ secrets.SENTRY_POSTGRES_TRACKING_ENABLED }}"
+          SENTRY_PROFILING_ENABLED: "${{ secrets.SENTRY_PROFILING_ENABLED }}"
           DO_KEY_ID: ${{ secrets.DO_KEY_ID }}
           DO_SECRET_KEY: ${{ secrets.DO_SECRET_KEY }}
           NX_NO_CLOUD: true