feat(#93): implement agent spawn via federation

Implements FED-010: Agent Spawn via Federation feature that enables
spawning and managing Claude agents on remote federated Mosaic Stack
instances via COMMAND message type.

Features:
- Federation agent command types (spawn, status, kill)
- FederationAgentService for handling agent operations
- Integration with orchestrator's agent spawner/lifecycle services
- API endpoints for spawning, querying status, and killing agents
- Full command routing through federation COMMAND infrastructure
- Comprehensive test coverage (12/12 tests passing)

Architecture:
- Hub → Spoke: Spawn agents on remote instances
- Command flow: FederationController → FederationAgentService →
  CommandService → Remote Orchestrator
- Response handling: Remote orchestrator returns agent status/results
- Security: Connection validation, signature verification

Files created:
- apps/api/src/federation/types/federation-agent.types.ts
- apps/api/src/federation/federation-agent.service.ts
- apps/api/src/federation/federation-agent.service.spec.ts

Files modified:
- apps/api/src/federation/command.service.ts (agent command routing)
- apps/api/src/federation/federation.controller.ts (agent endpoints)
- apps/api/src/federation/federation.module.ts (service registration)
- apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint)
- apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration)

Testing:
- 12/12 tests passing for FederationAgentService
- All command service tests passing
- TypeScript compilation successful
- Linting passed

Refs #93

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-03 14:37:06 -06:00
parent a8c8af21e5
commit 12abdfe81d
405 changed files with 13545 additions and 2153 deletions


@@ -29,6 +29,7 @@ Successfully implemented BetterAuth-based authentication with Authentik OIDC int
### Backend (API)
**Created:**
- `apps/api/src/auth/auth.config.ts` - BetterAuth configuration factory
- `apps/api/src/auth/auth.service.ts` - Authentication service
- `apps/api/src/auth/auth.controller.ts` - Auth route handler
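Review bot: Unrelated file in a feature commit: this hunk and the ones after it belong to an authentication status document (hunk header: "Successfully implemented BetterAuth-based authentication with Authentik OIDC int"), not to the federation agent spawn work the commit message describes. The message lists three files created and five modified, while the page reports 405 changed files, and the header here shows a single added line with no visible wording change, which looks like formatter output. Move the documentation reformatting to its own commit so the changes that carry the stated security controls (connection validation, signature verification) can be reviewed without this noise.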
@@ -41,6 +42,7 @@ Successfully implemented BetterAuth-based authentication with Authentik OIDC int
- `apps/api/src/auth/guards/auth.guard.spec.ts` - Guard tests (4 tests)
**Modified:**
- `apps/api/prisma/schema.prisma` - Added auth tables and updated User model
- `apps/api/src/app.module.ts` - Integrated AuthModule
- `.env.example` - Added OIDC and JWT configuration
@@ -48,15 +50,18 @@ Successfully implemented BetterAuth-based authentication with Authentik OIDC int
### Shared Package
**Created:**
- `packages/shared/src/types/auth.types.ts` - Shared authentication types
**Modified:**
- `packages/shared/src/types/database.types.ts` - Updated User interface
- `packages/shared/src/types/index.ts` - Added auth type exports
### Documentation
**Created:**
- `docs/TYPE-SHARING.md` - Type sharing strategy and usage guide
- `docs/scratchpads/4-authentik-oidc.md` - Implementation scratchpad
- `docs/scratchpads/4-authentik-oidc-final-status.md` - This file
@@ -66,6 +71,7 @@ Successfully implemented BetterAuth-based authentication with Authentik OIDC int
## Quality Metrics
### Tests
```
✅ Test Files: 5/5 passing
✅ Unit Tests: 26/26 passing (100%)
@@ -76,14 +82,17 @@ Successfully implemented BetterAuth-based authentication with Authentik OIDC int
### Code Review Results
**Round 1 (Initial):**
- 2 Critical Issues → ✅ All Fixed
- 3 Important Issues → ✅ All Fixed
**Round 2 (After Type Sharing):**
- 0 Critical Issues
- 3 Important Issues → ✅ All Fixed
**Issues Addressed:**
1. ✅ Missing BetterAuth database tables → Added Session, Account, Verification
2. ✅ Duplicate PrismaClient instantiation → Using shared Prisma instance
3. ✅ Missing verifySession test coverage → Added 3 tests
@@ -111,6 +120,7 @@ Successfully implemented BetterAuth-based authentication with Authentik OIDC int
**Decision:** Use BetterAuth library instead of building custom Passport.js OIDC strategy
**Rationale:**
- Modern, actively maintained library
- Built-in session management
- Better TypeScript support
@@ -122,12 +132,14 @@ Successfully implemented BetterAuth-based authentication with Authentik OIDC int
**Decision:** All types used by both FE and BE live in `@mosaic/shared`
**Rationale:**
- Single source of truth for data structures
- Automatic type updates across stack
- Prevents frontend/backend type drift
- Better developer experience with autocomplete
**Types Shared:**
- `AuthUser` - Client-safe user data
- `Session`, `Account` - Auth entities
- `LoginRequest`, `LoginResponse` - API payloads
@@ -138,6 +150,7 @@ Successfully implemented BetterAuth-based authentication with Authentik OIDC int
**Decision:** Separate `User` (full DB entity) from `AuthUser` (client-safe subset)
**Rationale:**
- Security: Don't expose sensitive fields (preferences, internal IDs)
- Flexibility: Can change DB schema without breaking client contracts
- Clarity: Explicit about what data is safe to expose
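Review bot: The rationale line "Security: Don't expose sensitive fields (preferences, internal IDs)" does not say where a `User` is converted into an `AuthUser`. TypeScript types are erased at runtime, so a full `User` object returned from a handler typed as `AuthUser` still serializes every field. Name the mapping step in this section (an explicit field-by-field pick or a serializer) and add a test asserting that the response body omits the sensitive fields.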
@@ -194,16 +207,19 @@ BetterAuth provides these endpoints automatically:
These are recommended but not blocking:
### Priority 9-10 (Critical for production)
- Add CurrentUser decorator tests
- Test malformed authorization headers
- Test null returns in getUserBy methods
### Priority 7-8 (Important)
- Verify request mutation in AuthGuard tests
- Add shared type validation tests
- Test token extraction edge cases
### Priority 4-6 (Nice to have)
- Add E2E/integration tests for full OAuth flow
- Refactor mock coupling in service tests
- Add rate limiting to auth endpoints
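Review bot: "These are recommended but not blocking" conflicts with the group heading directly below it, "Priority 9-10 (Critical for production)". Either state that these items block a production release or lower the label. "Test malformed authorization headers" covers how the guard handles untrusted input and should not read as optional, and "Add rate limiting to auth endpoints" is a control rather than a test, so it fits better as its own tracked issue than under "Nice to have".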
@@ -218,6 +234,7 @@ These are recommended but not blocking:
### New Tables
**sessions**
```sql
- id: UUID (PK)
- user_id: UUID (FK users.id)
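Review bot: The block under **sessions** is fenced as `sql` but contains a field list ("- id: UUID (PK)"), not SQL, so syntax highlighting and copy-paste will both mislead. Use an untagged fence or a table, or point to the model in `apps/api/prisma/schema.prisma`; the same applies to the **accounts**, **verifications** and **users** blocks in the following hunks.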
@@ -229,6 +246,7 @@ These are recommended but not blocking:
```
**accounts**
```sql
- id: UUID (PK)
- user_id: UUID (FK users.id)
@@ -243,6 +261,7 @@ These are recommended but not blocking:
```
**verifications**
```sql
- id: UUID (PK)
- identifier: STRING (indexed)
@@ -254,6 +273,7 @@ These are recommended but not blocking:
### Modified Tables
**users**
```sql
Added fields:
- email_verified: BOOLEAN (default: false)
@@ -352,6 +372,7 @@ async function login(email: string, password: string): Promise<AuthUser> {
---
**Next Steps:**
1. Frontend can now import types from `@mosaic/shared`
2. Implement login UI in Next.js (Issue #6)
3. Configure Authentik instance with proper client credentials
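Review bot: Next Steps item 3, "Configure Authentik instance with proper client credentials", means the OIDC flow has not yet run against a configured provider, while the document heading visible in the earlier hunk headers reads "Successfully implemented BetterAuth-based authentication with Authentik OIDC int". Say in this section which parts are verified by unit tests only, so the status is not read as an end-to-end tested login.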