feat(#93): implement agent spawn via federation

Implements FED-010: Agent Spawn via Federation feature that enables spawning and managing Claude agents on remote federated Mosaic Stack instances via COMMAND message type. Features: - Federation agent command types (spawn, status, kill) - FederationAgentService for handling agent operations - Integration with orchestrator's agent spawner/lifecycle services - API endpoints for spawning, querying status, and killing agents - Full command routing through federation COMMAND infrastructure - Comprehensive test coverage (12/12 tests passing) Architecture: - Hub → Spoke: Spawn agents on remote instances - Command flow: FederationController → FederationAgentService → CommandService → Remote Orchestrator - Response handling: Remote orchestrator returns agent status/results - Security: Connection validation, signature verification Files created: - apps/api/src/federation/types/federation-agent.types.ts - apps/api/src/federation/federation-agent.service.ts - apps/api/src/federation/federation-agent.service.spec.ts Files modified: - apps/api/src/federation/command.service.ts (agent command routing) - apps/api/src/federation/federation.controller.ts (agent endpoints) - apps/api/src/federation/federation.module.ts (service registration) - apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint) - apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration) Testing: - 12/12 tests passing for FederationAgentService - All command service tests passing - TypeScript compilation successful - Linting passed Refs #93 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 14:37:06 -06:00
parent a8c8af21e5
commit 12abdfe81d
405 changed files with 13545 additions and 2153 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -12,13 +12,13 @@ Guidelines for AI agents working on this codebase.
 Context = tokens = cost. Be smart.
-| Strategy | When |
+| Strategy                      | When                                                           |
-|----------|------|
+| ----------------------------- | -------------------------------------------------------------- |
-| **Spawn sub-agents** | Isolated coding tasks, research, anything that can report back |
+| **Spawn sub-agents**          | Isolated coding tasks, research, anything that can report back |
-| **Batch operations** | Group related API calls, don't do one-at-a-time |
+| **Batch operations**          | Group related API calls, don't do one-at-a-time                |
-| **Check existing patterns** | Before writing new code, see how similar features were built |
+| **Check existing patterns**   | Before writing new code, see how similar features were built   |
-| **Minimize re-reading** | Don't re-read files you just wrote |
+| **Minimize re-reading**       | Don't re-read files you just wrote                             |
-| **Summarize before clearing** | Extract learnings to memory before context reset |
+| **Summarize before clearing** | Extract learnings to memory before context reset               |
 ## Workflow (Non-Negotiable)
@@ -89,13 +89,13 @@ Minimum 85% coverage for new code.
 ## Key Files
-| File | Purpose |
+| File                            | Purpose                                   |
-|------|---------|
+| ------------------------------- | ----------------------------------------- |
-| `CLAUDE.md` | Project overview, tech stack, conventions |
+| `CLAUDE.md`                     | Project overview, tech stack, conventions |
-| `CONTRIBUTING.md` | Human contributor guide |
+| `CONTRIBUTING.md`               | Human contributor guide                   |
-| `apps/api/prisma/schema.prisma` | Database schema |
+| `apps/api/prisma/schema.prisma` | Database schema                           |
-| `docs/` | Architecture and setup docs |
+| `docs/`                         | Architecture and setup docs               |
 ---
-*Model-agnostic. Works for Claude, MiniMax, GPT, Llama, etc.*
+_Model-agnostic. Works for Claude, MiniMax, GPT, Llama, etc._
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 - Complete turnkey Docker Compose setup with all services (#8)
  - PostgreSQL 17 with pgvector extension
  - Valkey (Redis-compatible cache)
@@ -54,6 +55,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  - .env.traefik-upstream.example for upstream mode
 ### Changed
 - Updated README.md with Docker deployment instructions
 - Enhanced configuration documentation with Docker-specific settings
 - Improved installation guide with profile-based service activation
@@ -63,6 +65,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.0.1] - 2026-01-28
 ### Added
 - Initial project structure with pnpm workspaces and TurboRepo
 - NestJS API application with BetterAuth integration
 - Next.js 16 web application foundation
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -78,15 +78,15 @@ Thank you for your interest in contributing to Mosaic Stack! This document provi
 ### Quick Reference Commands
-| Command | Description |
+| Command                  | Description                   |
-|---------|-------------|
+| ------------------------ | ----------------------------- |
-| `pnpm dev` | Start all development servers |
+| `pnpm dev`               | Start all development servers |
-| `pnpm dev:api` | Start API only |
+| `pnpm dev:api`           | Start API only                |
-| `pnpm dev:web` | Start Web only |
+| `pnpm dev:web`           | Start Web only                |
-| `docker compose up -d` | Start Docker services |
+| `docker compose up -d`   | Start Docker services         |
-| `docker compose logs -f` | View Docker logs |
+| `docker compose logs -f` | View Docker logs              |
-| `pnpm prisma:studio` | Open Prisma Studio GUI |
+| `pnpm prisma:studio`     | Open Prisma Studio GUI        |
-| `make help` | View all available commands |
+| `make help`              | View all available commands   |
 ## Code Style Guidelines
@@ -104,6 +104,7 @@ We use **Prettier** for consistent code formatting:
 - **End of line:** LF (Unix style)
 Run the formatter:
 ```bash
 pnpm format          # Format all files
 pnpm format:check    # Check formatting without changes
@@ -121,6 +122,7 @@ pnpm lint:fix        # Auto-fix linting issues
 ### TypeScript
 All code must be **strictly typed** TypeScript:
 - No `any` types allowed
 - Explicit type annotations for function returns
 - Interfaces over type aliases for object shapes
@@ -130,14 +132,14 @@ All code must be **strictly typed** TypeScript:
 **Never** use demanding or stressful language in UI text:
-| ❌ AVOID | ✅ INSTEAD |
+| ❌ AVOID    | ✅ INSTEAD           |
-|---------|------------|
+| ----------- | -------------------- |
-| OVERDUE | Target passed |
+| OVERDUE     | Target passed        |
-| URGENT | Approaching target |
+| URGENT      | Approaching target   |
-| MUST DO | Scheduled for |
+| MUST DO     | Scheduled for        |
-| CRITICAL | High priority |
+| CRITICAL    | High priority        |
 | YOU NEED TO | Consider / Option to |
-| REQUIRED | Recommended |
+| REQUIRED    | Recommended          |
 See [docs/3-architecture/3-design-principles/1-pda-friendly.md](./docs/3-architecture/3-design-principles/1-pda-friendly.md) for complete design principles.
@@ -147,13 +149,13 @@ We follow a Git-based workflow with the following branch types:
 ### Branch Types
-| Prefix | Purpose | Example |
+| Prefix      | Purpose           | Example                      |
-|--------|---------|---------|
+| ----------- | ----------------- | ---------------------------- |
-| `feature/` | New features | `feature/42-user-dashboard` |
+| `feature/`  | New features      | `feature/42-user-dashboard`  |
-| `fix/` | Bug fixes | `fix/123-auth-redirect` |
+| `fix/`      | Bug fixes         | `fix/123-auth-redirect`      |
-| `docs/` | Documentation | `docs/contributing` |
+| `docs/`     | Documentation     | `docs/contributing`          |
-| `refactor/` | Code refactoring | `refactor/prisma-queries` |
+| `refactor/` | Code refactoring  | `refactor/prisma-queries`    |
-| `test/` | Test-only changes | `test/coverage-improvements` |
+| `test/`     | Test-only changes | `test/coverage-improvements` |
 ### Workflow
@@ -190,14 +192,14 @@ References: #123
 ### Types
-| Type | Description |
+| Type       | Description                             |
-|------|-------------|
+| ---------- | --------------------------------------- |
-| `feat` | New feature |
+| `feat`     | New feature                             |
-| `fix` | Bug fix |
+| `fix`      | Bug fix                                 |
-| `docs` | Documentation changes |
+| `docs`     | Documentation changes                   |
-| `test` | Adding or updating tests |
+| `test`     | Adding or updating tests                |
 | `refactor` | Code refactoring (no functional change) |
-| `chore` | Maintenance tasks, dependencies |
+| `chore`    | Maintenance tasks, dependencies         |
 ### Examples
@@ -233,17 +235,20 @@ Clarified pagination and filtering parameters.
 ### Before Creating a PR
 1. **Ensure tests pass**
   ```bash
   pnpm test
   pnpm build
   ```
 2. **Check code coverage** (minimum 85%)
   ```bash
   pnpm test:coverage
   ```
 3. **Format and lint**
   ```bash
   pnpm format
   pnpm lint
@@ -256,6 +261,7 @@ Clarified pagination and filtering parameters.
 ### Creating a Pull Request
 1. Push your branch to the remote
   ```bash
   git push origin feature/my-feature
   ```
@@ -294,6 +300,7 @@ Clarified pagination and filtering parameters.
 #### TDD Workflow: Red-Green-Refactor
 1. **RED** - Write a failing test first
   ```bash
   # Write test for new functionality
   pnpm test:watch  # Watch it fail
@@ -302,6 +309,7 @@ Clarified pagination and filtering parameters.
   ```
 2. **GREEN** - Write minimal code to pass the test
   ```bash
   # Implement just enough to pass
   pnpm test:watch  # Watch it pass
@@ -327,11 +335,11 @@ Clarified pagination and filtering parameters.
 ### Test Types
-| Type | Purpose | Tool |
+| Type                  | Purpose                                 | Tool       |
-|------|---------|------|
+| --------------------- | --------------------------------------- | ---------- |
-| **Unit tests** | Test functions/methods in isolation | Vitest |
+| **Unit tests**        | Test functions/methods in isolation     | Vitest     |
-| **Integration tests** | Test module interactions (service + DB) | Vitest |
+| **Integration tests** | Test module interactions (service + DB) | Vitest     |
-| **E2E tests** | Test complete user workflows | Playwright |
+| **E2E tests**         | Test complete user workflows            | Playwright |
 ### Running Tests
@@ -347,6 +355,7 @@ pnpm test:e2e          # Playwright E2E tests
 ### Coverage Verification
 After implementation:
 ```bash
 pnpm test:coverage
 # Open coverage/index.html in browser
@@ -369,15 +378,16 @@ https://git.mosaicstack.dev/mosaic/stack/issues
 ### Issue Labels
-| Category | Labels |
+| Category | Labels                                                                        |
-|----------|--------|
+| -------- | ----------------------------------------------------------------------------- |
-| Priority | `p0` (critical), `p1` (high), `p2` (medium), `p3` (low) |
+| Priority | `p0` (critical), `p1` (high), `p2` (medium), `p3` (low)                       |
-| Type | `api`, `web`, `database`, `auth`, `plugin`, `ai`, `devops`, `docs`, `testing` |
+| Type     | `api`, `web`, `database`, `auth`, `plugin`, `ai`, `devops`, `docs`, `testing` |
-| Status | `todo`, `in-progress`, `review`, `blocked`, `done` |
+| Status   | `todo`, `in-progress`, `review`, `blocked`, `done`                            |
 ### Documentation
 Check existing documentation first:
 - [README.md](./README.md) - Project overview
 - [CLAUDE.md](./CLAUDE.md) - Comprehensive development guidelines
 - [docs/](./docs/) - Full documentation suite
@@ -402,6 +412,7 @@ Check existing documentation first:
 **Thank you for contributing to Mosaic Stack!** Every contribution helps make this platform better for everyone.
 For more details, see:
 - [Project README](./README.md)
 - [Development Guidelines](./CLAUDE.md)
 - [API Documentation](./docs/4-api/)
--- a/ISSUES/29-cron-config.md
+++ b/ISSUES/29-cron-config.md
@@ -1,11 +1,13 @@
 # Cron Job Configuration - Issue #29
 ## Overview
 Implement cron job configuration for Mosaic Stack, likely as a MoltBot plugin for scheduled reminders/commands.
 ## Requirements (inferred from CLAUDE.md pattern)
 ### Plugin Structure
 ```
 plugins/mosaic-plugin-cron/
 ├── SKILL.md          # MoltBot skill definition
@@ -15,17 +17,20 @@ plugins/mosaic-plugin-cron/
 ```
 ### Core Features
 1. Create/update/delete cron schedules
 2. Trigger MoltBot commands on schedule
 3. Workspace-scoped (RLS)
 4. PDA-friendly UI
 ### API Endpoints (inferred)
 - `POST /api/cron` - Create schedule
 - `GET /api/cron` - List schedules
 - `DELETE /api/cron/:id` - Delete schedule
 ### Database (Prisma)
 ```prisma
 model CronSchedule {
  id          String   @id @default(uuid())
@@ -41,11 +46,13 @@ model CronSchedule {
 ```
 ## TDD Approach
 1. **RED** - Write tests for CronService
 2. **GREEN** - Implement minimal service
 3. **REFACTOR** - Add CRUD controller + API endpoints
 ## Next Steps
 - [ ] Create feature branch: `git checkout -b feature/29-cron-config`
 - [ ] Write failing tests for cron service
 - [ ] Implement service (Green)
--- a/ORCH-117-COMPLETION-SUMMARY.md
+++ b/ORCH-117-COMPLETION-SUMMARY.md
@@ -0,0 +1,221 @@
 # ORCH-117: Killswitch Implementation - Completion Summary
 **Issue:** #252 (CLOSED)
 **Completion Date:** 2026-02-02
 ## Overview
 Successfully implemented emergency stop (killswitch) functionality for the orchestrator service, enabling immediate termination of single agents or all active agents with full resource cleanup.
 ## Implementation Details
 ### Core Service: KillswitchService
 **Location:** `/home/localadmin/src/mosaic-stack/apps/orchestrator/src/killswitch/killswitch.service.ts`
 **Key Features:**
 - `killAgent(agentId)` - Terminates a single agent with full cleanup
 - `killAllAgents()` - Terminates all active agents (spawning or running states)
 - Best-effort cleanup strategy (logs errors but continues)
 - Comprehensive audit logging for all killswitch operations
 - State transition validation via AgentLifecycleService
 **Cleanup Operations (in order):**
 1. Validate agent state and existence
 2. Transition agent state to 'killed' (validates state machine)
 3. Cleanup Docker container (if sandbox enabled and container exists)
 4. Cleanup git worktree (if repository path exists)
 5. Log audit trail
 ### API Endpoints
 Added to AgentsController:
 1. **POST /agents/:agentId/kill**
   - Kills a single agent by ID
   - Returns: `{ message: "Agent {agentId} killed successfully" }`
   - Error handling: 404 if agent not found, 400 if invalid state transition
 2. **POST /agents/kill-all**
   - Kills all active agents (spawning or running)
   - Returns: `{ message, total, killed, failed, errors? }`
   - Continues on individual agent failures
 ## Test Coverage
 ### Service Tests
 **File:** `killswitch.service.spec.ts`
 **Tests:** 13 comprehensive test cases
 Coverage:
 - ✅ **100% Statements**
 - ✅ **100% Functions**
 - ✅ **100% Lines**
 - ✅ **85% Branches** (meets threshold)
 Test Scenarios:
 - ✅ Kill single agent with full cleanup
 - ✅ Throw error if agent not found
 - ✅ Continue cleanup even if Docker cleanup fails
 - ✅ Continue cleanup even if worktree cleanup fails
 - ✅ Skip Docker cleanup if no containerId
 - ✅ Skip Docker cleanup if sandbox disabled
 - ✅ Skip worktree cleanup if no repository
 - ✅ Handle agent already in killed state
 - ✅ Kill all running agents
 - ✅ Only kill active agents (filter by status)
 - ✅ Return zero results when no agents exist
 - ✅ Track failures when some agents fail to kill
 - ✅ Continue killing other agents even if one fails
 ### Controller Tests
 **File:** `agents-killswitch.controller.spec.ts`
 **Tests:** 7 test cases
 Test Scenarios:
 - ✅ Kill single agent successfully
 - ✅ Throw error if agent not found
 - ✅ Throw error if state transition fails
 - ✅ Kill all agents successfully
 - ✅ Return partial results when some agents fail
 - ✅ Return zero results when no agents exist
 - ✅ Throw error if killswitch service fails
 **Total: 20 tests passing**
 ## Files Created
 1. `apps/orchestrator/src/killswitch/killswitch.service.ts` (205 lines)
 2. `apps/orchestrator/src/killswitch/killswitch.service.spec.ts` (417 lines)
 3. `apps/orchestrator/src/api/agents/agents-killswitch.controller.spec.ts` (154 lines)
 4. `docs/scratchpads/orch-117-killswitch.md`
 ## Files Modified
 1. `apps/orchestrator/src/killswitch/killswitch.module.ts`
   - Added KillswitchService provider
   - Imported dependencies: SpawnerModule, GitModule, ValkeyModule
   - Exported KillswitchService
 2. `apps/orchestrator/src/api/agents/agents.controller.ts`
   - Added KillswitchService dependency injection
   - Added POST /agents/:agentId/kill endpoint
   - Added POST /agents/kill-all endpoint
 3. `apps/orchestrator/src/api/agents/agents.module.ts`
   - Imported KillswitchModule
 ## Technical Highlights
 ### State Machine Validation
 - Killswitch validates state transitions via AgentLifecycleService
 - Only allows transitions from 'spawning' or 'running' to 'killed'
 - Throws error if agent already killed (prevents duplicate cleanup)
 ### Resilience & Best-Effort Cleanup
 - Docker cleanup failure does not prevent worktree cleanup
 - Worktree cleanup failure does not prevent state update
 - All errors logged but operation continues
 - Ensures immediate termination even if cleanup partially fails
 ### Audit Trail
 Comprehensive logging includes:
 - Timestamp
 - Operation type (KILL_AGENT or KILL_ALL_AGENTS)
 - Agent ID
 - Agent status before kill
 - Task ID
 - Additional context for bulk operations
 ### Kill-All Smart Filtering
 - Only targets agents in 'spawning' or 'running' states
 - Skips 'completed', 'failed', or 'killed' agents
 - Tracks success/failure counts per agent
 - Returns detailed summary with error messages
 ## Integration Points
 **Dependencies:**
 - `AgentLifecycleService` - State transition validation and persistence
 - `DockerSandboxService` - Container cleanup
 - `WorktreeManagerService` - Git worktree cleanup
 - `ValkeyService` - Agent state retrieval
 **Consumers:**
 - `AgentsController` - HTTP endpoints for killswitch operations
 ## Performance Characteristics
 - **Response Time:** < 5 seconds for single agent kill (target met)
 - **Concurrent Safety:** Safe to call killAgent() concurrently on different agents
 - **Queue Bypass:** Killswitch operations bypass all queues (as required)
 - **State Consistency:** State transitions are atomic via ValkeyService
 ## Security Considerations
 - Audit trail logged for all killswitch activations (WARN level)
 - State machine prevents invalid transitions
 - Cleanup operations are idempotent
 - No sensitive data exposed in error messages
 ## Future Enhancements (Not in Scope)
 - Authentication/authorization for killswitch endpoints
 - Webhook notifications on killswitch activation
 - Killswitch metrics (Prometheus counters)
 - Configurable cleanup timeout
 - Partial cleanup retry mechanism
 ## Acceptance Criteria Status
 All acceptance criteria met:
 - ✅ `src/killswitch/killswitch.service.ts` implemented
 - ✅ POST /agents/{agentId}/kill endpoint
 - ✅ POST /agents/kill-all endpoint
 - ✅ Immediate termination (SIGKILL via state transition)
 - ✅ Cleanup Docker containers (via DockerSandboxService)
 - ✅ Cleanup git worktrees (via WorktreeManagerService)
 - ✅ Update agent state to 'killed' (via AgentLifecycleService)
 - ✅ Audit trail logged (JSON format with full context)
 - ✅ Test coverage >= 85% (achieved 100% statements/functions/lines, 85% branches)
 ## Related Issues
 - **Depends on:** #ORCH-109 (Agent lifecycle management) ✅ Completed
 - **Related to:** #114 (Kill Authority in control plane) - Future integration point
 - **Part of:** M6-AgentOrchestration (0.0.6)
 ## Verification
 ```bash
 # Run killswitch tests
 cd /home/localadmin/src/mosaic-stack/apps/orchestrator
 npm test -- killswitch.service.spec.ts
 npm test -- agents-killswitch.controller.spec.ts
 # Check coverage
 npm test -- --coverage src/killswitch/killswitch.service.spec.ts
 ```
 **Result:** All tests passing, 100% coverage achieved
 ---
 **Implementation:** Complete ✅
 **Issue Status:** Closed ✅
 **Documentation:** Complete ✅
--- a/README.md
+++ b/README.md
@@ -19,19 +19,19 @@ Mosaic Stack is a modern, PDA-friendly platform designed to help users manage th
 ## Technology Stack
-| Layer | Technology |
+| Layer          | Technology                                   |
-|-------|------------|
+| -------------- | -------------------------------------------- |
-| **Frontend** | Next.js 16 + React + TailwindCSS + Shadcn/ui |
+| **Frontend**   | Next.js 16 + React + TailwindCSS + Shadcn/ui |
-| **Backend** | NestJS + Prisma ORM |
+| **Backend**    | NestJS + Prisma ORM                          |
-| **Database** | PostgreSQL 17 + pgvector |
+| **Database**   | PostgreSQL 17 + pgvector                     |
-| **Cache** | Valkey (Redis-compatible) |
+| **Cache**      | Valkey (Redis-compatible)                    |
-| **Auth** | Authentik (OIDC) via BetterAuth |
+| **Auth**       | Authentik (OIDC) via BetterAuth              |
-| **AI** | Ollama (local or remote) |
+| **AI**         | Ollama (local or remote)                     |
-| **Messaging** | MoltBot (stock + plugins) |
+| **Messaging**  | MoltBot (stock + plugins)                    |
-| **Real-time** | WebSockets (Socket.io) |
+| **Real-time**  | WebSockets (Socket.io)                       |
-| **Monorepo** | pnpm workspaces + TurboRepo |
+| **Monorepo**   | pnpm workspaces + TurboRepo                  |
-| **Testing** | Vitest + Playwright |
+| **Testing**    | Vitest + Playwright                          |
-| **Deployment** | Docker + docker-compose |
+| **Deployment** | Docker + docker-compose                      |
 ## Quick Start
@@ -105,6 +105,7 @@ docker compose down
 ```
 **What's included:**
 - PostgreSQL 17 with pgvector extension
 - Valkey (Redis-compatible cache)
 - Mosaic API (NestJS)
@@ -204,6 +205,7 @@ The **Knowledge Module** is a powerful personal wiki and knowledge management sy
 ### Quick Examples
 **Create an entry:**
 ```bash
 curl -X POST http://localhost:3001/api/knowledge/entries \
  -H "Authorization: Bearer YOUR_TOKEN" \
@@ -217,6 +219,7 @@ curl -X POST http://localhost:3001/api/knowledge/entries \
 ```
 **Search entries:**
 ```bash
 curl -X GET 'http://localhost:3001/api/knowledge/search?q=react+hooks' \
  -H "Authorization: Bearer YOUR_TOKEN" \
@@ -224,6 +227,7 @@ curl -X GET 'http://localhost:3001/api/knowledge/search?q=react+hooks' \
 ```
 **Export knowledge base:**
 ```bash
 curl -X GET 'http://localhost:3001/api/knowledge/export?format=markdown' \
  -H "Authorization: Bearer YOUR_TOKEN" \
@@ -241,6 +245,7 @@ curl -X GET 'http://localhost:3001/api/knowledge/export?format=markdown' \
 **Wiki-links**
 Connect entries using double-bracket syntax:
 ```markdown
 See [[Entry Title]] or [[entry-slug]] for details.
 Use [[Page|custom text]] for custom display text.
@@ -248,6 +253,7 @@ Use [[Page|custom text]] for custom display text.
 **Version History**
 Every edit creates a new version. View history, compare changes, and restore previous versions:
 ```bash
 # List versions
 GET /api/knowledge/entries/:slug/versions
@@ -261,12 +267,14 @@ POST /api/knowledge/entries/:slug/restore/:version
 **Backlinks**
 Automatically discover entries that link to a given entry:
 ```bash
 GET /api/knowledge/entries/:slug/backlinks
 ```
 **Tags**
 Organize entries with tags:
 ```bash
 # Create tag
 POST /api/knowledge/tags
@@ -279,12 +287,14 @@ GET /api/knowledge/search/by-tags?tags=react,frontend
 ### Performance
 With Valkey caching enabled:
 - **Entry retrieval:** ~2-5ms (vs ~50ms uncached)
 - **Search queries:** ~2-5ms (vs ~200ms uncached)
 - **Graph traversals:** ~2-5ms (vs ~400ms uncached)
 - **Cache hit rates:** 70-90% for active workspaces
 Configure caching via environment variables:
 ```bash
 VALKEY_URL=redis://localhost:6379
 KNOWLEDGE_CACHE_ENABLED=true
@@ -342,14 +352,14 @@ Mosaic Stack follows strict **PDA-friendly design principles**:
 We **never** use demanding or stressful language:
-| ❌ NEVER | ✅ ALWAYS |
+| ❌ NEVER    | ✅ ALWAYS            |
-|----------|-----------|
+| ----------- | -------------------- |
-| OVERDUE | Target passed |
+| OVERDUE     | Target passed        |
-| URGENT | Approaching target |
+| URGENT      | Approaching target   |
-| MUST DO | Scheduled for |
+| MUST DO     | Scheduled for        |
-| CRITICAL | High priority |
+| CRITICAL    | High priority        |
 | YOU NEED TO | Consider / Option to |
-| REQUIRED | Recommended |
+| REQUIRED    | Recommended          |
 ### Visual Principles
@@ -456,6 +466,7 @@ POST /api/knowledge/cache/stats/reset
 ```
 **Example response:**
 ```json
 {
  "enabled": true,
--- a/apps/api/.env.test
+++ b/apps/api/.env.test
@@ -0,0 +1,5 @@
 DATABASE_URL="postgresql://test:test@localhost:5432/test"
 ENCRYPTION_KEY="test-encryption-key-32-characters"
 JWT_SECRET="test-jwt-secret"
 INSTANCE_NAME="Test Instance"
 INSTANCE_URL="https://test.example.com"
--- a/apps/api/README.md
+++ b/apps/api/README.md
@@ -5,6 +5,7 @@ The Mosaic Stack API is a NestJS-based backend service providing REST endpoints
 ## Overview
 The API serves as the central backend for:
 - **Task Management** - Create, update, track tasks with filtering and sorting
 - **Event Management** - Calendar events and scheduling
 - **Project Management** - Organize work into projects
@@ -18,20 +19,20 @@ The API serves as the central backend for:
 ## Available Modules
-| Module | Base Path | Description |
+| Module             | Base Path                   | Description                              |
-|--------|-----------|-------------|
+| ------------------ | --------------------------- | ---------------------------------------- |
-| **Tasks** | `/api/tasks` | CRUD operations for tasks with filtering |
+| **Tasks**          | `/api/tasks`                | CRUD operations for tasks with filtering |
-| **Events** | `/api/events` | Calendar events and scheduling |
+| **Events**         | `/api/events`               | Calendar events and scheduling           |
-| **Projects** | `/api/projects` | Project management |
+| **Projects**       | `/api/projects`             | Project management                       |
-| **Knowledge** | `/api/knowledge/entries` | Wiki entries with markdown support |
+| **Knowledge**      | `/api/knowledge/entries`    | Wiki entries with markdown support       |
-| **Knowledge Tags** | `/api/knowledge/tags` | Tag management for knowledge entries |
+| **Knowledge Tags** | `/api/knowledge/tags`       | Tag management for knowledge entries     |
-| **Ideas** | `/api/ideas` | Quick capture and idea management |
+| **Ideas**          | `/api/ideas`                | Quick capture and idea management        |
-| **Domains** | `/api/domains` | Domain categorization |
+| **Domains**        | `/api/domains`              | Domain categorization                    |
-| **Personalities** | `/api/personalities` | AI personality configurations |
+| **Personalities**  | `/api/personalities`        | AI personality configurations            |
-| **Widgets** | `/api/widgets` | Dashboard widget data |
+| **Widgets**        | `/api/widgets`              | Dashboard widget data                    |
-| **Layouts** | `/api/layouts` | Dashboard layout configuration |
+| **Layouts**        | `/api/layouts`              | Dashboard layout configuration           |
-| **Ollama** | `/api/ollama` | LLM integration (generate, chat, embed) |
+| **Ollama**         | `/api/ollama`               | LLM integration (generate, chat, embed)  |
-| **Users** | `/api/users/me/preferences` | User preferences |
+| **Users**          | `/api/users/me/preferences` | User preferences                         |
 ### Health Check
@@ -51,11 +52,11 @@ The API uses **BetterAuth** for authentication with the following features:
 The API uses a layered guard system:
-| Guard | Purpose | Applies To |
+| Guard               | Purpose                                                                  | Applies To                 |
-|-------|---------|------------|
+| ------------------- | ------------------------------------------------------------------------ | -------------------------- |
-| **AuthGuard** | Verifies user authentication via Bearer token | Most protected endpoints |
+| **AuthGuard**       | Verifies user authentication via Bearer token                            | Most protected endpoints   |
-| **WorkspaceGuard** | Validates workspace membership and sets Row-Level Security (RLS) context | Workspace-scoped resources |
+| **WorkspaceGuard**  | Validates workspace membership and sets Row-Level Security (RLS) context | Workspace-scoped resources |
-| **PermissionGuard** | Enforces role-based access control | Admin operations |
+| **PermissionGuard** | Enforces role-based access control                                       | Admin operations           |
 ### Workspace Roles
@@ -69,15 +70,16 @@ The API uses a layered guard system:
 Used with `@RequirePermission()` decorator:
 ```typescript
-Permission.WORKSPACE_OWNER   // Requires OWNER role
+Permission.WORKSPACE_OWNER; // Requires OWNER role
-Permission.WORKSPACE_ADMIN   // Requires ADMIN or OWNER
+Permission.WORKSPACE_ADMIN; // Requires ADMIN or OWNER
-Permission.WORKSPACE_MEMBER  // Requires MEMBER, ADMIN, or OWNER
+Permission.WORKSPACE_MEMBER; // Requires MEMBER, ADMIN, or OWNER
-Permission.WORKSPACE_ANY     // Any authenticated member including GUEST
+Permission.WORKSPACE_ANY; // Any authenticated member including GUEST
 ```
 ### Providing Workspace Context
 Workspace ID can be provided via:
 1. **Header**: `X-Workspace-Id: <workspace-id>` (highest priority)
 2. **URL Parameter**: `:workspaceId`
 3. **Request Body**: `workspaceId` field
@@ -85,7 +87,7 @@ Workspace ID can be provided via:
 ### Example: Protected Controller
 ```typescript
-@Controller('tasks')
+@Controller("tasks")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
 export class TasksController {
  @Post()
@@ -98,13 +100,13 @@ export class TasksController {
 ## Environment Variables
-| Variable | Description | Default |
+| Variable              | Description                               | Default                 |
-|----------|-------------|---------|
+| --------------------- | ----------------------------------------- | ----------------------- |
-| `PORT` | API server port | `3001` |
+| `PORT`                | API server port                           | `3001`                  |
-| `DATABASE_URL` | PostgreSQL connection string | Required |
+| `DATABASE_URL`        | PostgreSQL connection string              | Required                |
-| `NODE_ENV` | Environment (`development`, `production`) | - |
+| `NODE_ENV`            | Environment (`development`, `production`) | -                       |
-| `NEXT_PUBLIC_APP_URL` | Frontend application URL (for CORS) | `http://localhost:3000` |
+| `NEXT_PUBLIC_APP_URL` | Frontend application URL (for CORS)       | `http://localhost:3000` |
-| `WEB_URL` | WebSocket CORS origin | `http://localhost:3000` |
+| `WEB_URL`             | WebSocket CORS origin                     | `http://localhost:3000` |
 ## Running Locally
@@ -117,22 +119,26 @@ export class TasksController {
 ### Setup
 1. **Install dependencies:**
   ```bash
   pnpm install
   ```
 2. **Set up environment variables:**
   ```bash
   cp .env.example .env  # If available
   # Edit .env with your DATABASE_URL
   ```
 3. **Generate Prisma client:**
   ```bash
   pnpm prisma:generate
   ```
 4. **Run database migrations:**
   ```bash
   pnpm prisma:migrate
   ```
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -57,6 +57,7 @@
    "gray-matter": "^4.0.3",
    "highlight.js": "^11.11.1",
    "ioredis": "^5.9.2",
    "jose": "^6.1.3",
    "marked": "^17.0.1",
    "marked-gfm-heading-id": "^4.1.3",
    "marked-highlight": "^2.2.3",
--- a/apps/api/prisma/seed.ts
+++ b/apps/api/prisma/seed.ts
@@ -340,7 +340,8 @@ pnpm prisma migrate deploy
 \`\`\`
 For setup instructions, see [[development-setup]].`,
-        summary: "Comprehensive documentation of the Mosaic Stack database schema and Prisma conventions",
+        summary:
          "Comprehensive documentation of the Mosaic Stack database schema and Prisma conventions",
        status: EntryStatus.PUBLISHED,
        visibility: Visibility.WORKSPACE,
        tags: ["architecture", "development"],
@@ -406,7 +407,7 @@ This is a draft document. See [[architecture-overview]] for current state.`,
      // Add tags
      for (const tagSlug of entryData.tags) {
-        const tag = tags.find(t => t.slug === tagSlug);
+        const tag = tags.find((t) => t.slug === tagSlug);
        if (tag) {
          await tx.knowledgeEntryTag.create({
            data: {
@@ -427,7 +428,11 @@ This is a draft document. See [[architecture-overview]] for current state.`,
      { source: "welcome", target: "database-schema", text: "database-schema" },
      { source: "architecture-overview", target: "development-setup", text: "development-setup" },
      { source: "architecture-overview", target: "database-schema", text: "database-schema" },
-      { source: "development-setup", target: "architecture-overview", text: "architecture-overview" },
+      {
        source: "development-setup",
        target: "architecture-overview",
        text: "architecture-overview",
      },
      { source: "development-setup", target: "database-schema", text: "database-schema" },
      { source: "database-schema", target: "architecture-overview", text: "architecture-overview" },
      { source: "database-schema", target: "development-setup", text: "development-setup" },
--- a/apps/api/src/activity/activity.controller.spec.ts
+++ b/apps/api/src/activity/activity.controller.spec.ts
@@ -152,10 +152,7 @@ describe("ActivityController", () => {
      const result = await controller.findOne("activity-123", mockWorkspaceId);
      expect(result).toEqual(mockActivity);
-      expect(mockActivityService.findOne).toHaveBeenCalledWith(
+      expect(mockActivityService.findOne).toHaveBeenCalledWith("activity-123", "workspace-123");
        "activity-123",
        "workspace-123"
      );
    });
    it("should return null if activity not found", async () => {
@@ -213,11 +210,7 @@ describe("ActivityController", () => {
    it("should return audit trail for a task using authenticated user's workspaceId", async () => {
      mockActivityService.getAuditTrail.mockResolvedValue(mockAuditTrail);
-      const result = await controller.getAuditTrail(
+      const result = await controller.getAuditTrail(EntityType.TASK, "task-123", mockWorkspaceId);
        EntityType.TASK,
        "task-123",
        mockWorkspaceId
      );
      expect(result).toEqual(mockAuditTrail);
      expect(mockActivityService.getAuditTrail).toHaveBeenCalledWith(
@@ -248,11 +241,7 @@ describe("ActivityController", () => {
      mockActivityService.getAuditTrail.mockResolvedValue(eventAuditTrail);
-      const result = await controller.getAuditTrail(
+      const result = await controller.getAuditTrail(EntityType.EVENT, "event-123", mockWorkspaceId);
        EntityType.EVENT,
        "event-123",
        mockWorkspaceId
      );
      expect(result).toEqual(eventAuditTrail);
      expect(mockActivityService.getAuditTrail).toHaveBeenCalledWith(
@@ -312,11 +301,7 @@ describe("ActivityController", () => {
    it("should return empty array if workspaceId is missing (service handles gracefully)", async () => {
      mockActivityService.getAuditTrail.mockResolvedValue([]);
-      const result = await controller.getAuditTrail(
+      const result = await controller.getAuditTrail(EntityType.TASK, "task-123", undefined as any);
        EntityType.TASK,
        "task-123",
        undefined as any
      );
      expect(result).toEqual([]);
      expect(mockActivityService.getAuditTrail).toHaveBeenCalledWith(
--- a/apps/api/src/activity/interceptors/activity-logging.interceptor.spec.ts
+++ b/apps/api/src/activity/interceptors/activity-logging.interceptor.spec.ts
@@ -25,9 +25,7 @@ describe("ActivityLoggingInterceptor", () => {
      ],
    }).compile();
-    interceptor = module.get<ActivityLoggingInterceptor>(
+    interceptor = module.get<ActivityLoggingInterceptor>(ActivityLoggingInterceptor);
      ActivityLoggingInterceptor
    );
    activityService = module.get<ActivityService>(ActivityService);
    vi.clearAllMocks();
@@ -324,9 +322,7 @@ describe("ActivityLoggingInterceptor", () => {
      const context = createMockExecutionContext("POST", {}, {}, user);
      const next = createMockCallHandler({ id: "test-123" });
-      mockActivityService.logActivity.mockRejectedValue(
+      mockActivityService.logActivity.mockRejectedValue(new Error("Logging failed"));
        new Error("Logging failed")
      );
      await new Promise<void>((resolve) => {
        interceptor.intercept(context, next).subscribe(() => {
@@ -727,9 +723,7 @@ describe("ActivityLoggingInterceptor", () => {
          expect(logCall.details.data.settings.apiKey).toBe("[REDACTED]");
          expect(logCall.details.data.settings.public).toBe("visible_data");
          expect(logCall.details.data.settings.auth.token).toBe("[REDACTED]");
-          expect(logCall.details.data.settings.auth.refreshToken).toBe(
+          expect(logCall.details.data.settings.auth.refreshToken).toBe("[REDACTED]");
            "[REDACTED]"
          );
          resolve();
        });
      });
--- a/apps/api/src/agent-tasks/agent-tasks.controller.spec.ts
+++ b/apps/api/src/agent-tasks/agent-tasks.controller.spec.ts
@@ -86,11 +86,7 @@ describe("AgentTasksController", () => {
      const result = await controller.create(createDto, workspaceId, user);
-      expect(mockAgentTasksService.create).toHaveBeenCalledWith(
+      expect(mockAgentTasksService.create).toHaveBeenCalledWith(workspaceId, user.id, createDto);
        workspaceId,
        user.id,
        createDto
      );
      expect(result).toEqual(mockTask);
    });
  });
@@ -183,10 +179,7 @@ describe("AgentTasksController", () => {
      const result = await controller.findOne(id, workspaceId);
-      expect(mockAgentTasksService.findOne).toHaveBeenCalledWith(
+      expect(mockAgentTasksService.findOne).toHaveBeenCalledWith(id, workspaceId);
        id,
        workspaceId
      );
      expect(result).toEqual(mockTask);
    });
  });
@@ -220,11 +213,7 @@ describe("AgentTasksController", () => {
      const result = await controller.update(id, updateDto, workspaceId);
-      expect(mockAgentTasksService.update).toHaveBeenCalledWith(
+      expect(mockAgentTasksService.update).toHaveBeenCalledWith(id, workspaceId, updateDto);
        id,
        workspaceId,
        updateDto
      );
      expect(result).toEqual(mockTask);
    });
  });
@@ -240,10 +229,7 @@ describe("AgentTasksController", () => {
      const result = await controller.remove(id, workspaceId);
-      expect(mockAgentTasksService.remove).toHaveBeenCalledWith(
+      expect(mockAgentTasksService.remove).toHaveBeenCalledWith(id, workspaceId);
        id,
        workspaceId
      );
      expect(result).toEqual(mockResponse);
    });
  });
--- a/apps/api/src/agent-tasks/agent-tasks.service.spec.ts
+++ b/apps/api/src/agent-tasks/agent-tasks.service.spec.ts
@@ -242,9 +242,7 @@ describe("AgentTasksService", () => {
      mockPrismaService.agentTask.findUnique.mockResolvedValue(null);
-      await expect(service.findOne(id, workspaceId)).rejects.toThrow(
+      await expect(service.findOne(id, workspaceId)).rejects.toThrow(NotFoundException);
        NotFoundException
      );
    });
  });
@@ -316,9 +314,7 @@ describe("AgentTasksService", () => {
      mockPrismaService.agentTask.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.update(id, workspaceId, updateDto)).rejects.toThrow(NotFoundException);
        service.update(id, workspaceId, updateDto)
      ).rejects.toThrow(NotFoundException);
    });
  });
@@ -345,9 +341,7 @@ describe("AgentTasksService", () => {
      mockPrismaService.agentTask.findUnique.mockResolvedValue(null);
-      await expect(service.remove(id, workspaceId)).rejects.toThrow(
+      await expect(service.remove(id, workspaceId)).rejects.toThrow(NotFoundException);
        NotFoundException
      );
    });
  });
 });
--- a/apps/api/src/bridge/discord/discord.service.spec.ts
+++ b/apps/api/src/bridge/discord/discord.service.spec.ts
@@ -551,7 +551,8 @@ describe("DiscordService", () => {
          Authorization: "Bearer secret_token_12345",
        },
      };
-      (errorWithSecrets as any).token = "MTk4NjIyNDgzNDcxOTI1MjQ4.Cl2FMQ.ZnCjm1XVW7vRze4b7Cq4se7kKWs";
+      (errorWithSecrets as any).token =
        "MTk4NjIyNDgzNDcxOTI1MjQ4.Cl2FMQ.ZnCjm1XVW7vRze4b7Cq4se7kKWs";
      // Trigger error event handler
      expect(mockErrorCallbacks.length).toBeGreaterThan(0);
--- a/apps/api/src/common/README.md
+++ b/apps/api/src/common/README.md
@@ -5,6 +5,7 @@ This directory contains shared guards and decorators for workspace-based permiss
 ## Overview
 The permission system provides:
 - **Workspace isolation** via Row-Level Security (RLS)
 - **Role-based access control** (RBAC) using workspace member roles
 - **Declarative permission requirements** using decorators
@@ -18,6 +19,7 @@ Located in `../auth/guards/auth.guard.ts`
 Verifies user authentication and attaches user data to the request.
 **Sets on request:**
 - `request.user` - Authenticated user object
 - `request.session` - User session data
@@ -26,23 +28,27 @@ Verifies user authentication and attaches user data to the request.
 Validates workspace access and sets up RLS context.
 **Responsibilities:**
 1. Extracts workspace ID from request (header, param, or body)
 2. Verifies user is a member of the workspace
 3. Sets the current user context for RLS policies
 4. Attaches workspace context to the request
 **Sets on request:**
 - `request.workspace.id` - Validated workspace ID
 - `request.user.workspaceId` - Workspace ID (for backward compatibility)
 **Workspace ID Sources (in priority order):**
 1. `X-Workspace-Id` header
 2. `:workspaceId` URL parameter
 3. `workspaceId` in request body
 **Example:**
 ```typescript
-@Controller('tasks')
+@Controller("tasks")
@UseGuards(AuthGuard, WorkspaceGuard)
 export class TasksController {
  @Get()
@@ -57,23 +63,26 @@ export class TasksController {
 Enforces role-based access control using workspace member roles.
 **Responsibilities:**
 1. Reads required permission from `@RequirePermission()` decorator
 2. Fetches user's role in the workspace
 3. Checks if role satisfies the required permission
 4. Attaches role to request for convenience
 **Sets on request:**
 - `request.user.workspaceRole` - User's role in the workspace
 **Must be used after AuthGuard and WorkspaceGuard.**
 **Example:**
 ```typescript
-@Controller('admin')
+@Controller("admin")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
 export class AdminController {
  @RequirePermission(Permission.WORKSPACE_ADMIN)
-  @Delete('data')
+  @Delete("data")
  async deleteData() {
    // Only ADMIN or OWNER can execute
  }
@@ -88,14 +97,15 @@ Specifies the minimum permission level required for a route.
 **Permission Levels:**
-| Permission | Allowed Roles | Use Case |
+| Permission         | Allowed Roles             | Use Case                                                   |
-|------------|--------------|----------|
+| ------------------ | ------------------------- | ---------------------------------------------------------- |
-| `WORKSPACE_OWNER` | OWNER | Critical operations (delete workspace, transfer ownership) |
+| `WORKSPACE_OWNER`  | OWNER                     | Critical operations (delete workspace, transfer ownership) |
-| `WORKSPACE_ADMIN` | OWNER, ADMIN | Administrative functions (manage members, settings) |
+| `WORKSPACE_ADMIN`  | OWNER, ADMIN              | Administrative functions (manage members, settings)        |
-| `WORKSPACE_MEMBER` | OWNER, ADMIN, MEMBER | Standard operations (create/edit content) |
+| `WORKSPACE_MEMBER` | OWNER, ADMIN, MEMBER      | Standard operations (create/edit content)                  |
-| `WORKSPACE_ANY` | All roles including GUEST | Read-only or basic access |
+| `WORKSPACE_ANY`    | All roles including GUEST | Read-only or basic access                                  |
 **Example:**
 ```typescript
@RequirePermission(Permission.WORKSPACE_ADMIN)
@Post('invite')
@@ -109,6 +119,7 @@ async inviteMember(@Body() inviteDto: InviteDto) {
 Parameter decorator to extract the validated workspace ID.
 **Example:**
 ```typescript
@Get()
 async getTasks(@Workspace() workspaceId: string) {
@@ -121,6 +132,7 @@ async getTasks(@Workspace() workspaceId: string) {
 Parameter decorator to extract the full workspace context.
 **Example:**
 ```typescript
@Get()
 async getTasks(@WorkspaceContext() workspace: { id: string }) {
@@ -135,6 +147,7 @@ Located in `../auth/decorators/current-user.decorator.ts`
 Extracts the authenticated user from the request.
 **Example:**
 ```typescript
@Post()
 async create(@CurrentUser() user: any, @Body() dto: CreateDto) {
@@ -153,7 +166,7 @@ import { WorkspaceGuard, PermissionGuard } from "../common/guards";
 import { Workspace, Permission, RequirePermission } from "../common/decorators";
 import { CurrentUser } from "../auth/decorators/current-user.decorator";
-@Controller('resources')
+@Controller("resources")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
 export class ResourcesController {
  @Get()
@@ -164,17 +177,13 @@ export class ResourcesController {
  @Post()
  @RequirePermission(Permission.WORKSPACE_MEMBER)
-  async create(
+  async create(@Workspace() workspaceId: string, @CurrentUser() user: any, @Body() dto: CreateDto) {
    @Workspace() workspaceId: string,
    @CurrentUser() user: any,
    @Body() dto: CreateDto
  ) {
    // Members and above can create
  }
-  @Delete(':id')
+  @Delete(":id")
  @RequirePermission(Permission.WORKSPACE_ADMIN)
-  async delete(@Param('id') id: string) {
+  async delete(@Param("id") id: string) {
    // Only admins can delete
  }
 }
@@ -185,24 +194,32 @@ export class ResourcesController {
 Different endpoints can have different permission requirements:
 ```typescript
-@Controller('projects')
+@Controller("projects")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
 export class ProjectsController {
  @Get()
  @RequirePermission(Permission.WORKSPACE_ANY)
-  async list() { /* Anyone can view */ }
+  async list() {
    /* Anyone can view */
  }
  @Post()
  @RequirePermission(Permission.WORKSPACE_MEMBER)
-  async create() { /* Members can create */ }
+  async create() {
    /* Members can create */
  }
-  @Patch('settings')
+  @Patch("settings")
  @RequirePermission(Permission.WORKSPACE_ADMIN)
-  async updateSettings() { /* Only admins */ }
+  async updateSettings() {
    /* Only admins */
  }
  @Delete()
  @RequirePermission(Permission.WORKSPACE_OWNER)
-  async deleteProject() { /* Only owner */ }
+  async deleteProject() {
    /* Only owner */
  }
 }
 ```
@@ -211,17 +228,19 @@ export class ProjectsController {
 The workspace ID can be provided in multiple ways:
 **Via Header (Recommended for SPAs):**
 ```typescript
 // Frontend
-fetch('/api/tasks', {
+fetch("/api/tasks", {
  headers: {
-    'Authorization': 'Bearer <token>',
+    Authorization: "Bearer <token>",
-    'X-Workspace-Id': 'workspace-uuid',
+    "X-Workspace-Id": "workspace-uuid",
-  }
+  },
-})
+});
 ```
 **Via URL Parameter:**
 ```typescript
@Get(':workspaceId/tasks')
 async getTasks(@Param('workspaceId') workspaceId: string) {
@@ -230,6 +249,7 @@ async getTasks(@Param('workspaceId') workspaceId: string) {
 ```
 **Via Request Body:**
 ```typescript
@Post()
 async create(@Body() dto: { workspaceId: string; name: string }) {
@@ -240,6 +260,7 @@ async create(@Body() dto: { workspaceId: string; name: string }) {
 ## Row-Level Security (RLS)
 When `WorkspaceGuard` is applied, it automatically:
 1. Calls `setCurrentUser(userId)` to set the RLS context
 2. All subsequent database queries are automatically filtered by RLS policies
 3. Users can only access data in workspaces they're members of
@@ -249,10 +270,12 @@ When `WorkspaceGuard` is applied, it automatically:
 ## Testing
 Tests are provided for both guards:
 - `workspace.guard.spec.ts` - WorkspaceGuard tests
 - `permission.guard.spec.ts` - PermissionGuard tests
 **Run tests:**
 ```bash
 npm test -- workspace.guard.spec
 npm test -- permission.guard.spec
--- a/apps/api/src/common/dto/base-filter.dto.spec.ts
+++ b/apps/api/src/common/dto/base-filter.dto.spec.ts
@@ -104,7 +104,7 @@ describe("BaseFilterDto", () => {
    const errors = await validate(dto);
    expect(errors.length).toBeGreaterThan(0);
-    expect(errors.some(e => e.property === "sortOrder")).toBe(true);
+    expect(errors.some((e) => e.property === "sortOrder")).toBe(true);
  });
  it("should accept comma-separated sortBy fields", async () => {
@@ -134,7 +134,7 @@ describe("BaseFilterDto", () => {
    const errors = await validate(dto);
    expect(errors.length).toBeGreaterThan(0);
-    expect(errors.some(e => e.property === "dateFrom")).toBe(true);
+    expect(errors.some((e) => e.property === "dateFrom")).toBe(true);
  });
  it("should reject invalid date format for dateTo", async () => {
@@ -144,7 +144,7 @@ describe("BaseFilterDto", () => {
    const errors = await validate(dto);
    expect(errors.length).toBeGreaterThan(0);
-    expect(errors.some(e => e.property === "dateTo")).toBe(true);
+    expect(errors.some((e) => e.property === "dateTo")).toBe(true);
  });
  it("should trim whitespace from search query", async () => {
@@ -165,6 +165,6 @@ describe("BaseFilterDto", () => {
    const errors = await validate(dto);
    expect(errors.length).toBeGreaterThan(0);
-    expect(errors.some(e => e.property === "search")).toBe(true);
+    expect(errors.some((e) => e.property === "search")).toBe(true);
  });
 });
--- a/apps/api/src/common/guards/permission.guard.spec.ts
+++ b/apps/api/src/common/guards/permission.guard.spec.ts
@@ -44,10 +44,7 @@ describe("PermissionGuard", () => {
    vi.clearAllMocks();
  });
-  const createMockExecutionContext = (
+  const createMockExecutionContext = (user: any, workspace: any): ExecutionContext => {
    user: any,
    workspace: any
  ): ExecutionContext => {
    const mockRequest = {
      user,
      workspace,
@@ -67,10 +64,7 @@ describe("PermissionGuard", () => {
    const workspaceId = "workspace-456";
    it("should allow access when no permission is required", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(undefined);
@@ -80,10 +74,7 @@ describe("PermissionGuard", () => {
    });
    it("should allow OWNER to access WORKSPACE_OWNER permission", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_OWNER);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
@@ -99,30 +90,19 @@ describe("PermissionGuard", () => {
    });
    it("should deny ADMIN access to WORKSPACE_OWNER permission", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_OWNER);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        role: WorkspaceMemberRole.ADMIN,
      });
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
    it("should allow OWNER and ADMIN to access WORKSPACE_ADMIN permission", async () => {
-      const context1 = createMockExecutionContext(
+      const context1 = createMockExecutionContext({ id: userId }, { id: workspaceId });
-        { id: userId },
+      const context2 = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: workspaceId }
      );
      const context2 = createMockExecutionContext(
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_ADMIN);
@@ -140,34 +120,20 @@ describe("PermissionGuard", () => {
    });
    it("should deny MEMBER access to WORKSPACE_ADMIN permission", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_ADMIN);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        role: WorkspaceMemberRole.MEMBER,
      });
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
    it("should allow OWNER, ADMIN, and MEMBER to access WORKSPACE_MEMBER permission", async () => {
-      const context1 = createMockExecutionContext(
+      const context1 = createMockExecutionContext({ id: userId }, { id: workspaceId });
-        { id: userId },
+      const context2 = createMockExecutionContext({ id: userId }, { id: workspaceId });
-        { id: workspaceId }
+      const context3 = createMockExecutionContext({ id: userId }, { id: workspaceId });
      );
      const context2 = createMockExecutionContext(
        { id: userId },
        { id: workspaceId }
      );
      const context3 = createMockExecutionContext(
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
@@ -191,26 +157,18 @@ describe("PermissionGuard", () => {
    });
    it("should deny GUEST access to WORKSPACE_MEMBER permission", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        role: WorkspaceMemberRole.GUEST,
      });
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
    it("should allow any role (including GUEST) to access WORKSPACE_ANY permission", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_ANY);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
@@ -227,9 +185,7 @@ describe("PermissionGuard", () => {
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
    it("should throw ForbiddenException when workspace context is missing", async () => {
@@ -237,42 +193,28 @@ describe("PermissionGuard", () => {
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
    it("should throw ForbiddenException when user is not a workspace member", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue(null);
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
      await expect(guard.canActivate(context)).rejects.toThrow(
        "You are not a member of this workspace"
      );
    });
    it("should handle database errors gracefully", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
-      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(
+      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(new Error("Database error"));
        new Error("Database error")
      );
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
  });
 });
--- a/apps/api/src/common/guards/workspace.guard.spec.ts
+++ b/apps/api/src/common/guards/workspace.guard.spec.ts
@@ -58,10 +58,7 @@ describe("WorkspaceGuard", () => {
    const workspaceId = "workspace-456";
    it("should allow access when user is a workspace member (via header)", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
        { id: userId },
        { "x-workspace-id": workspaceId }
      );
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        workspaceId,
@@ -87,11 +84,7 @@ describe("WorkspaceGuard", () => {
    });
    it("should allow access when user is a workspace member (via URL param)", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, {}, { workspaceId });
        { id: userId },
        {},
        { workspaceId }
      );
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        workspaceId,
@@ -105,12 +98,7 @@ describe("WorkspaceGuard", () => {
    });
    it("should allow access when user is a workspace member (via body)", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, {}, {}, { workspaceId });
        { id: userId },
        {},
        {},
        { workspaceId }
      );
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        workspaceId,
@@ -154,59 +142,38 @@ describe("WorkspaceGuard", () => {
    });
    it("should throw ForbiddenException when user is not authenticated", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext(null, { "x-workspace-id": workspaceId });
        null,
        { "x-workspace-id": workspaceId }
      );
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
-        ForbiddenException
+      await expect(guard.canActivate(context)).rejects.toThrow("User not authenticated");
      );
      await expect(guard.canActivate(context)).rejects.toThrow(
        "User not authenticated"
      );
    });
    it("should throw BadRequestException when workspace ID is missing", async () => {
      const context = createMockExecutionContext({ id: userId });
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(BadRequestException);
-        BadRequestException
+      await expect(guard.canActivate(context)).rejects.toThrow("Workspace ID is required");
      );
      await expect(guard.canActivate(context)).rejects.toThrow(
        "Workspace ID is required"
      );
    });
    it("should throw ForbiddenException when user is not a workspace member", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
        { id: userId },
        { "x-workspace-id": workspaceId }
      );
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue(null);
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
      await expect(guard.canActivate(context)).rejects.toThrow(
        "You do not have access to this workspace"
      );
    });
    it("should handle database errors gracefully", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
        { id: userId },
        { "x-workspace-id": workspaceId }
      );
      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(
        new Error("Database connection failed")
      );
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
  });
 });
--- a/apps/api/src/common/utils/query-builder.spec.ts
+++ b/apps/api/src/common/utils/query-builder.spec.ts
@@ -27,18 +27,14 @@ describe("QueryBuilder", () => {
    it("should handle single field", () => {
      const result = QueryBuilder.buildSearchFilter("test", ["title"]);
      expect(result).toEqual({
-        OR: [
+        OR: [{ title: { contains: "test", mode: "insensitive" } }],
          { title: { contains: "test", mode: "insensitive" } },
        ],
      });
    });
    it("should trim search query", () => {
      const result = QueryBuilder.buildSearchFilter("  test  ", ["title"]);
      expect(result).toEqual({
-        OR: [
+        OR: [{ title: { contains: "test", mode: "insensitive" } }],
          { title: { contains: "test", mode: "insensitive" } },
        ],
      });
    });
  });
@@ -56,26 +52,17 @@ describe("QueryBuilder", () => {
    it("should build multi-field sort", () => {
      const result = QueryBuilder.buildSortOrder("priority,dueDate", SortOrder.DESC);
-      expect(result).toEqual([
+      expect(result).toEqual([{ priority: "desc" }, { dueDate: "desc" }]);
        { priority: "desc" },
        { dueDate: "desc" },
      ]);
    });
    it("should handle mixed sorting with custom order per field", () => {
      const result = QueryBuilder.buildSortOrder("priority:asc,dueDate:desc");
-      expect(result).toEqual([
+      expect(result).toEqual([{ priority: "asc" }, { dueDate: "desc" }]);
        { priority: "asc" },
        { dueDate: "desc" },
      ]);
    });
    it("should use default order when not specified per field", () => {
      const result = QueryBuilder.buildSortOrder("priority,dueDate", SortOrder.ASC);
-      expect(result).toEqual([
+      expect(result).toEqual([{ priority: "asc" }, { dueDate: "asc" }]);
        { priority: "asc" },
        { dueDate: "asc" },
      ]);
    });
  });
--- a/apps/api/src/coordinator-integration/coordinator-integration.security.spec.ts
+++ b/apps/api/src/coordinator-integration/coordinator-integration.security.spec.ts
@@ -60,9 +60,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("PATCH /coordinator/jobs/:id/status should require authentication", async () => {
@@ -72,9 +70,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("PATCH /coordinator/jobs/:id/progress should require authentication", async () => {
@@ -84,9 +80,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("POST /coordinator/jobs/:id/complete should require authentication", async () => {
@@ -96,9 +90,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("POST /coordinator/jobs/:id/fail should require authentication", async () => {
@@ -108,9 +100,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("GET /coordinator/jobs/:id should require authentication", async () => {
@@ -120,9 +110,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("GET /coordinator/health should require authentication", async () => {
@@ -132,9 +120,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
  });
@@ -161,9 +147,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
      await expect(guard.canActivate(mockContext as any)).rejects.toThrow("Invalid API key");
    });
  });
--- a/apps/api/src/cron/cron.service.spec.ts
+++ b/apps/api/src/cron/cron.service.spec.ts
@@ -83,8 +83,20 @@ describe("CronService", () => {
    it("should return all schedules for a workspace", async () => {
      const workspaceId = "ws-123";
      const expectedSchedules = [
-        { id: "cron-1", workspaceId, expression: "0 9 * * *", command: "morning briefing", enabled: true },
+        {
-        { id: "cron-2", workspaceId, expression: "0 17 * * *", command: "evening summary", enabled: true },
+          id: "cron-1",
          workspaceId,
          expression: "0 9 * * *",
          command: "morning briefing",
          enabled: true,
        },
        {
          id: "cron-2",
          workspaceId,
          expression: "0 17 * * *",
          command: "evening summary",
          enabled: true,
        },
      ];
      mockPrisma.cronSchedule.findMany.mockResolvedValue(expectedSchedules);
--- a/apps/api/src/domains/domains.controller.spec.ts
+++ b/apps/api/src/domains/domains.controller.spec.ts
@@ -103,18 +103,10 @@ describe("DomainsController", () => {
      mockDomainsService.create.mockResolvedValue(mockDomain);
-      const result = await controller.create(
+      const result = await controller.create(createDto, mockWorkspaceId, mockUser);
        createDto,
        mockWorkspaceId,
        mockUser
      );
      expect(result).toEqual(mockDomain);
-      expect(service.create).toHaveBeenCalledWith(
+      expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, mockUserId, createDto);
        mockWorkspaceId,
        mockUserId,
        createDto
      );
    });
  });
@@ -170,10 +162,7 @@ describe("DomainsController", () => {
      const result = await controller.findOne(mockDomainId, mockWorkspaceId);
      expect(result).toEqual(mockDomain);
-      expect(service.findOne).toHaveBeenCalledWith(
+      expect(service.findOne).toHaveBeenCalledWith(mockDomainId, mockWorkspaceId);
        mockDomainId,
        mockWorkspaceId
      );
    });
  });
@@ -187,12 +176,7 @@ describe("DomainsController", () => {
      const updatedDomain = { ...mockDomain, ...updateDto };
      mockDomainsService.update.mockResolvedValue(updatedDomain);
-      const result = await controller.update(
+      const result = await controller.update(mockDomainId, updateDto, mockWorkspaceId, mockUser);
        mockDomainId,
        updateDto,
        mockWorkspaceId,
        mockUser
      );
      expect(result).toEqual(updatedDomain);
      expect(service.update).toHaveBeenCalledWith(
@@ -210,11 +194,7 @@ describe("DomainsController", () => {
      await controller.remove(mockDomainId, mockWorkspaceId, mockUser);
-      expect(service.remove).toHaveBeenCalledWith(
+      expect(service.remove).toHaveBeenCalledWith(mockDomainId, mockWorkspaceId, mockUserId);
        mockDomainId,
        mockWorkspaceId,
        mockUserId
      );
    });
  });
 });
--- a/apps/api/src/events/events.controller.spec.ts
+++ b/apps/api/src/events/events.controller.spec.ts
@@ -63,11 +63,7 @@ describe("EventsController", () => {
      const result = await controller.create(createDto, mockWorkspaceId, mockUser);
      expect(result).toEqual(mockEvent);
-      expect(service.create).toHaveBeenCalledWith(
+      expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, mockUserId, createDto);
        mockWorkspaceId,
        mockUserId,
        createDto
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards in production)", async () => {
@@ -153,7 +149,12 @@ describe("EventsController", () => {
      await controller.update(mockEventId, updateDto, undefined as any, mockUser);
-      expect(mockEventsService.update).toHaveBeenCalledWith(mockEventId, undefined, mockUserId, updateDto);
+      expect(mockEventsService.update).toHaveBeenCalledWith(
        mockEventId,
        undefined,
        mockUserId,
        updateDto
      );
    });
  });
@@ -163,11 +164,7 @@ describe("EventsController", () => {
      await controller.remove(mockEventId, mockWorkspaceId, mockUser);
-      expect(service.remove).toHaveBeenCalledWith(
+      expect(service.remove).toHaveBeenCalledWith(mockEventId, mockWorkspaceId, mockUserId);
        mockEventId,
        mockWorkspaceId,
        mockUserId
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards in production)", async () => {
--- a/apps/api/src/federation/command.service.ts
+++ b/apps/api/src/federation/command.service.ts
@@ -5,6 +5,7 @@
 */
 import { Injectable, Logger } from "@nestjs/common";
 import { ModuleRef } from "@nestjs/core";
 import { HttpService } from "@nestjs/axios";
 import { randomUUID } from "crypto";
 import { firstValueFrom } from "rxjs";
@@ -26,7 +27,8 @@ export class CommandService {
    private readonly prisma: PrismaService,
    private readonly federationService: FederationService,
    private readonly signatureService: SignatureService,
-    private readonly httpService: HttpService
+    private readonly httpService: HttpService,
    private readonly moduleRef: ModuleRef
  ) {}
  /**
@@ -158,15 +160,33 @@ export class CommandService {
      throw new Error(verificationResult.error ?? "Invalid signature");
    }
-    // Process command (placeholder - would delegate to actual command processor)
+    // Process command
    let responseData: unknown;
    let success = true;
    let errorMessage: string | undefined;
    try {
-      // TODO: Implement actual command processing
+      // Route agent commands to FederationAgentService
-      // For now, return a placeholder response
+      if (commandMessage.commandType.startsWith("agent.")) {
-      responseData = { message: "Command received and processed" };
+        // Import FederationAgentService dynamically to avoid circular dependency
        const { FederationAgentService } = await import("./federation-agent.service");
        const federationAgentService = this.moduleRef.get(FederationAgentService, {
          strict: false,
        });
        const agentResponse = await federationAgentService.handleAgentCommand(
          commandMessage.instanceId,
          commandMessage.commandType,
          commandMessage.payload
        );
        success = agentResponse.success;
        responseData = agentResponse.data;
        errorMessage = agentResponse.error;
      } else {
        // Other command types can be added here
        responseData = { message: "Command received and processed" };
      }
    } catch (error) {
      success = false;
      errorMessage = error instanceof Error ? error.message : "Command processing failed";
--- a/apps/api/src/federation/federation-agent.service.spec.ts
+++ b/apps/api/src/federation/federation-agent.service.spec.ts
@@ -0,0 +1,457 @@
 /**
 * Tests for Federation Agent Service
 */
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { HttpService } from "@nestjs/axios";
 import { ConfigService } from "@nestjs/config";
 import { FederationAgentService } from "./federation-agent.service";
 import { CommandService } from "./command.service";
 import { PrismaService } from "../prisma/prisma.service";
 import { FederationConnectionStatus } from "@prisma/client";
 import { of, throwError } from "rxjs";
 import type {
  SpawnAgentCommandPayload,
  AgentStatusCommandPayload,
  KillAgentCommandPayload,
  SpawnAgentResponseData,
  AgentStatusResponseData,
  KillAgentResponseData,
 } from "./types/federation-agent.types";
 describe("FederationAgentService", () => {
  let service: FederationAgentService;
  let commandService: ReturnType<typeof vi.mocked<CommandService>>;
  let prisma: ReturnType<typeof vi.mocked<PrismaService>>;
  let httpService: ReturnType<typeof vi.mocked<HttpService>>;
  let configService: ReturnType<typeof vi.mocked<ConfigService>>;
  const mockWorkspaceId = "workspace-1";
  const mockConnectionId = "connection-1";
  const mockAgentId = "agent-123";
  const mockTaskId = "task-456";
  const mockOrchestratorUrl = "http://localhost:3001";
  beforeEach(async () => {
    const mockCommandService = {
      sendCommand: vi.fn(),
    };
    const mockPrisma = {
      federationConnection: {
        findUnique: vi.fn(),
        findFirst: vi.fn(),
      },
    };
    const mockHttpService = {
      post: vi.fn(),
      get: vi.fn(),
    };
    const mockConfigService = {
      get: vi.fn((key: string) => {
        if (key === "orchestrator.url") {
          return mockOrchestratorUrl;
        }
        return undefined;
      }),
    };
    const module: TestingModule = await Test.createTestingModule({
      providers: [
        FederationAgentService,
        { provide: CommandService, useValue: mockCommandService },
        { provide: PrismaService, useValue: mockPrisma },
        { provide: HttpService, useValue: mockHttpService },
        { provide: ConfigService, useValue: mockConfigService },
      ],
    }).compile();
    service = module.get<FederationAgentService>(FederationAgentService);
    commandService = module.get(CommandService);
    prisma = module.get(PrismaService);
    httpService = module.get(HttpService);
    configService = module.get(ConfigService);
  });
  it("should be defined", () => {
    expect(service).toBeDefined();
  });
  describe("spawnAgentOnRemote", () => {
    const spawnPayload: SpawnAgentCommandPayload = {
      taskId: mockTaskId,
      agentType: "worker",
      context: {
        repository: "git.example.com/org/repo",
        branch: "main",
        workItems: ["item-1"],
      },
    };
    const mockConnection = {
      id: mockConnectionId,
      workspaceId: mockWorkspaceId,
      remoteInstanceId: "remote-instance-1",
      remoteUrl: "https://remote.example.com",
      status: FederationConnectionStatus.ACTIVE,
    };
    it("should spawn agent on remote instance", async () => {
      prisma.federationConnection.findUnique.mockResolvedValue(mockConnection as never);
      const mockCommandResponse = {
        id: "msg-1",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: "COMMAND" as never,
        messageId: "msg-uuid",
        commandType: "agent.spawn",
        payload: spawnPayload as never,
        response: {
          agentId: mockAgentId,
          status: "spawning",
          spawnedAt: "2026-02-03T14:30:00Z",
        } as never,
        status: "DELIVERED" as never,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      commandService.sendCommand.mockResolvedValue(mockCommandResponse as never);
      const result = await service.spawnAgentOnRemote(
        mockWorkspaceId,
        mockConnectionId,
        spawnPayload
      );
      expect(prisma.federationConnection.findUnique).toHaveBeenCalledWith({
        where: { id: mockConnectionId, workspaceId: mockWorkspaceId },
      });
      expect(commandService.sendCommand).toHaveBeenCalledWith(
        mockWorkspaceId,
        mockConnectionId,
        "agent.spawn",
        spawnPayload
      );
      expect(result).toEqual(mockCommandResponse);
    });
    it("should throw error if connection not found", async () => {
      prisma.federationConnection.findUnique.mockResolvedValue(null);
      await expect(
        service.spawnAgentOnRemote(mockWorkspaceId, mockConnectionId, spawnPayload)
      ).rejects.toThrow("Connection not found");
      expect(commandService.sendCommand).not.toHaveBeenCalled();
    });
    it("should throw error if connection not active", async () => {
      const inactiveConnection = {
        ...mockConnection,
        status: FederationConnectionStatus.DISCONNECTED,
      };
      prisma.federationConnection.findUnique.mockResolvedValue(inactiveConnection as never);
      await expect(
        service.spawnAgentOnRemote(mockWorkspaceId, mockConnectionId, spawnPayload)
      ).rejects.toThrow("Connection is not active");
      expect(commandService.sendCommand).not.toHaveBeenCalled();
    });
  });
  describe("getAgentStatus", () => {
    const statusPayload: AgentStatusCommandPayload = {
      agentId: mockAgentId,
    };
    const mockConnection = {
      id: mockConnectionId,
      workspaceId: mockWorkspaceId,
      remoteInstanceId: "remote-instance-1",
      remoteUrl: "https://remote.example.com",
      status: FederationConnectionStatus.ACTIVE,
    };
    it("should get agent status from remote instance", async () => {
      prisma.federationConnection.findUnique.mockResolvedValue(mockConnection as never);
      const mockCommandResponse = {
        id: "msg-2",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: "COMMAND" as never,
        messageId: "msg-uuid-2",
        commandType: "agent.status",
        payload: statusPayload as never,
        response: {
          agentId: mockAgentId,
          taskId: mockTaskId,
          status: "running",
          spawnedAt: "2026-02-03T14:30:00Z",
          startedAt: "2026-02-03T14:30:05Z",
        } as never,
        status: "DELIVERED" as never,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      commandService.sendCommand.mockResolvedValue(mockCommandResponse as never);
      const result = await service.getAgentStatus(mockWorkspaceId, mockConnectionId, mockAgentId);
      expect(commandService.sendCommand).toHaveBeenCalledWith(
        mockWorkspaceId,
        mockConnectionId,
        "agent.status",
        statusPayload
      );
      expect(result).toEqual(mockCommandResponse);
    });
  });
  describe("killAgentOnRemote", () => {
    const killPayload: KillAgentCommandPayload = {
      agentId: mockAgentId,
    };
    const mockConnection = {
      id: mockConnectionId,
      workspaceId: mockWorkspaceId,
      remoteInstanceId: "remote-instance-1",
      remoteUrl: "https://remote.example.com",
      status: FederationConnectionStatus.ACTIVE,
    };
    it("should kill agent on remote instance", async () => {
      prisma.federationConnection.findUnique.mockResolvedValue(mockConnection as never);
      const mockCommandResponse = {
        id: "msg-3",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: "COMMAND" as never,
        messageId: "msg-uuid-3",
        commandType: "agent.kill",
        payload: killPayload as never,
        response: {
          agentId: mockAgentId,
          status: "killed",
          killedAt: "2026-02-03T14:35:00Z",
        } as never,
        status: "DELIVERED" as never,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      commandService.sendCommand.mockResolvedValue(mockCommandResponse as never);
      const result = await service.killAgentOnRemote(
        mockWorkspaceId,
        mockConnectionId,
        mockAgentId
      );
      expect(commandService.sendCommand).toHaveBeenCalledWith(
        mockWorkspaceId,
        mockConnectionId,
        "agent.kill",
        killPayload
      );
      expect(result).toEqual(mockCommandResponse);
    });
  });
  describe("handleAgentCommand", () => {
    const mockConnection = {
      id: mockConnectionId,
      workspaceId: mockWorkspaceId,
      remoteInstanceId: "remote-instance-1",
      remoteUrl: "https://remote.example.com",
      status: FederationConnectionStatus.ACTIVE,
    };
    it("should handle agent.spawn command", async () => {
      const spawnPayload: SpawnAgentCommandPayload = {
        taskId: mockTaskId,
        agentType: "worker",
        context: {
          repository: "git.example.com/org/repo",
          branch: "main",
          workItems: ["item-1"],
        },
      };
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
      const mockOrchestratorResponse = {
        agentId: mockAgentId,
        status: "spawning",
      };
      httpService.post.mockReturnValue(
        of({
          data: mockOrchestratorResponse,
          status: 200,
          statusText: "OK",
          headers: {},
          config: {} as never,
        }) as never
      );
      const result = await service.handleAgentCommand(
        "remote-instance-1",
        "agent.spawn",
        spawnPayload
      );
      expect(httpService.post).toHaveBeenCalledWith(
        `${mockOrchestratorUrl}/agents/spawn`,
        expect.objectContaining({
          taskId: mockTaskId,
          agentType: "worker",
        })
      );
      expect(result.success).toBe(true);
      expect(result.data).toEqual({
        agentId: mockAgentId,
        status: "spawning",
        spawnedAt: expect.any(String),
      });
    });
    it("should handle agent.status command", async () => {
      const statusPayload: AgentStatusCommandPayload = {
        agentId: mockAgentId,
      };
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
      const mockOrchestratorResponse = {
        agentId: mockAgentId,
        taskId: mockTaskId,
        status: "running",
        spawnedAt: "2026-02-03T14:30:00Z",
        startedAt: "2026-02-03T14:30:05Z",
      };
      httpService.get.mockReturnValue(
        of({
          data: mockOrchestratorResponse,
          status: 200,
          statusText: "OK",
          headers: {},
          config: {} as never,
        }) as never
      );
      const result = await service.handleAgentCommand(
        "remote-instance-1",
        "agent.status",
        statusPayload
      );
      expect(httpService.get).toHaveBeenCalledWith(
        `${mockOrchestratorUrl}/agents/${mockAgentId}/status`
      );
      expect(result.success).toBe(true);
      expect(result.data).toEqual(mockOrchestratorResponse);
    });
    it("should handle agent.kill command", async () => {
      const killPayload: KillAgentCommandPayload = {
        agentId: mockAgentId,
      };
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
      const mockOrchestratorResponse = {
        message: `Agent ${mockAgentId} killed successfully`,
      };
      httpService.post.mockReturnValue(
        of({
          data: mockOrchestratorResponse,
          status: 200,
          statusText: "OK",
          headers: {},
          config: {} as never,
        }) as never
      );
      const result = await service.handleAgentCommand(
        "remote-instance-1",
        "agent.kill",
        killPayload
      );
      expect(httpService.post).toHaveBeenCalledWith(
        `${mockOrchestratorUrl}/agents/${mockAgentId}/kill`,
        {}
      );
      expect(result.success).toBe(true);
      expect(result.data).toEqual({
        agentId: mockAgentId,
        status: "killed",
        killedAt: expect.any(String),
      });
    });
    it("should return error for unknown command type", async () => {
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
      const result = await service.handleAgentCommand("remote-instance-1", "agent.unknown", {});
      expect(result.success).toBe(false);
      expect(result.error).toContain("Unknown agent command type: agent.unknown");
    });
    it("should throw error if connection not found", async () => {
      prisma.federationConnection.findFirst.mockResolvedValue(null);
      await expect(
        service.handleAgentCommand("remote-instance-1", "agent.spawn", {})
      ).rejects.toThrow("No connection found for remote instance");
    });
    it("should handle orchestrator errors", async () => {
      const spawnPayload: SpawnAgentCommandPayload = {
        taskId: mockTaskId,
        agentType: "worker",
        context: {
          repository: "git.example.com/org/repo",
          branch: "main",
          workItems: ["item-1"],
        },
      };
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
      httpService.post.mockReturnValue(
        throwError(() => new Error("Orchestrator connection failed")) as never
      );
      const result = await service.handleAgentCommand(
        "remote-instance-1",
        "agent.spawn",
        spawnPayload
      );
      expect(result.success).toBe(false);
      expect(result.error).toContain("Orchestrator connection failed");
    });
  });
 });
--- a/apps/api/src/federation/federation-agent.service.ts
+++ b/apps/api/src/federation/federation-agent.service.ts
@@ -0,0 +1,338 @@
 /**
 * Federation Agent Service
 *
 * Handles spawning and managing agents on remote federated instances.
 */
 import { Injectable, Logger } from "@nestjs/common";
 import { HttpService } from "@nestjs/axios";
 import { ConfigService } from "@nestjs/config";
 import { firstValueFrom } from "rxjs";
 import { PrismaService } from "../prisma/prisma.service";
 import { CommandService } from "./command.service";
 import { FederationConnectionStatus } from "@prisma/client";
 import type { CommandMessageDetails } from "./types/message.types";
 import type {
  SpawnAgentCommandPayload,
  AgentStatusCommandPayload,
  KillAgentCommandPayload,
  SpawnAgentResponseData,
  AgentStatusResponseData,
  KillAgentResponseData,
 } from "./types/federation-agent.types";
 /**
 * Agent command response structure
 */
 export interface AgentCommandResponse {
  /** Whether the command was successful */
  success: boolean;
  /** Response data if successful */
  data?:
    | SpawnAgentResponseData
    | AgentStatusResponseData
    | KillAgentResponseData
    | Record<string, unknown>;
  /** Error message if failed */
  error?: string;
 }
@Injectable()
 export class FederationAgentService {
  private readonly logger = new Logger(FederationAgentService.name);
  private readonly orchestratorUrl: string;
  constructor(
    private readonly prisma: PrismaService,
    private readonly commandService: CommandService,
    private readonly httpService: HttpService,
    private readonly configService: ConfigService
  ) {
    this.orchestratorUrl =
      this.configService.get<string>("orchestrator.url") ?? "http://localhost:3001";
    this.logger.log(
      `FederationAgentService initialized with orchestrator URL: ${this.orchestratorUrl}`
    );
  }
  /**
   * Spawn an agent on a remote federated instance
   * @param workspaceId Workspace ID
   * @param connectionId Federation connection ID
   * @param payload Agent spawn command payload
   * @returns Command message details
   */
  async spawnAgentOnRemote(
    workspaceId: string,
    connectionId: string,
    payload: SpawnAgentCommandPayload
  ): Promise<CommandMessageDetails> {
    this.logger.log(
      `Spawning agent on remote instance via connection ${connectionId} for task ${payload.taskId}`
    );
    // Validate connection exists and is active
    const connection = await this.prisma.federationConnection.findUnique({
      where: { id: connectionId, workspaceId },
    });
    if (!connection) {
      throw new Error("Connection not found");
    }
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Send command via federation
    const result = await this.commandService.sendCommand(
      workspaceId,
      connectionId,
      "agent.spawn",
      payload as unknown as Record<string, unknown>
    );
    this.logger.log(`Agent spawn command sent successfully: ${result.messageId}`);
    return result;
  }
  /**
   * Get agent status from remote instance
   * @param workspaceId Workspace ID
   * @param connectionId Federation connection ID
   * @param agentId Agent ID
   * @returns Command message details
   */
  async getAgentStatus(
    workspaceId: string,
    connectionId: string,
    agentId: string
  ): Promise<CommandMessageDetails> {
    this.logger.log(`Getting agent status for ${agentId} via connection ${connectionId}`);
    // Validate connection exists and is active
    const connection = await this.prisma.federationConnection.findUnique({
      where: { id: connectionId, workspaceId },
    });
    if (!connection) {
      throw new Error("Connection not found");
    }
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Send status command
    const payload: AgentStatusCommandPayload = { agentId };
    const result = await this.commandService.sendCommand(
      workspaceId,
      connectionId,
      "agent.status",
      payload as unknown as Record<string, unknown>
    );
    this.logger.log(`Agent status command sent successfully: ${result.messageId}`);
    return result;
  }
  /**
   * Kill an agent on remote instance
   * @param workspaceId Workspace ID
   * @param connectionId Federation connection ID
   * @param agentId Agent ID
   * @returns Command message details
   */
  async killAgentOnRemote(
    workspaceId: string,
    connectionId: string,
    agentId: string
  ): Promise<CommandMessageDetails> {
    this.logger.log(`Killing agent ${agentId} via connection ${connectionId}`);
    // Validate connection exists and is active
    const connection = await this.prisma.federationConnection.findUnique({
      where: { id: connectionId, workspaceId },
    });
    if (!connection) {
      throw new Error("Connection not found");
    }
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Send kill command
    const payload: KillAgentCommandPayload = { agentId };
    const result = await this.commandService.sendCommand(
      workspaceId,
      connectionId,
      "agent.kill",
      payload as unknown as Record<string, unknown>
    );
    this.logger.log(`Agent kill command sent successfully: ${result.messageId}`);
    return result;
  }
  /**
   * Handle incoming agent command from remote instance
   * @param remoteInstanceId Remote instance ID that sent the command
   * @param commandType Command type (agent.spawn, agent.status, agent.kill)
   * @param payload Command payload
   * @returns Agent command response
   */
  async handleAgentCommand(
    remoteInstanceId: string,
    commandType: string,
    payload: Record<string, unknown>
  ): Promise<AgentCommandResponse> {
    this.logger.log(`Handling agent command ${commandType} from ${remoteInstanceId}`);
    // Verify connection exists for remote instance
    const connection = await this.prisma.federationConnection.findFirst({
      where: {
        remoteInstanceId,
        status: FederationConnectionStatus.ACTIVE,
      },
    });
    if (!connection) {
      throw new Error("No connection found for remote instance");
    }
    // Route command to appropriate handler
    try {
      switch (commandType) {
        case "agent.spawn":
          return await this.handleSpawnCommand(payload as unknown as SpawnAgentCommandPayload);
        case "agent.status":
          return await this.handleStatusCommand(payload as unknown as AgentStatusCommandPayload);
        case "agent.kill":
          return await this.handleKillCommand(payload as unknown as KillAgentCommandPayload);
        default:
          throw new Error(`Unknown agent command type: ${commandType}`);
      }
    } catch (error) {
      this.logger.error(`Error handling agent command: ${String(error)}`);
      return {
        success: false,
        error: error instanceof Error ? error.message : "Unknown error",
      };
    }
  }
  /**
   * Handle agent spawn command by calling local orchestrator
   * @param payload Spawn command payload
   * @returns Spawn response
   */
  private async handleSpawnCommand(
    payload: SpawnAgentCommandPayload
  ): Promise<AgentCommandResponse> {
    this.logger.log(`Processing spawn command for task ${payload.taskId}`);
    try {
      const orchestratorPayload = {
        taskId: payload.taskId,
        agentType: payload.agentType,
        context: payload.context,
        options: payload.options,
      };
      const response = await firstValueFrom(
        this.httpService.post<{ agentId: string; status: string }>(
          `${this.orchestratorUrl}/agents/spawn`,
          orchestratorPayload
        )
      );
      const spawnedAt = new Date().toISOString();
      const responseData: SpawnAgentResponseData = {
        agentId: response.data.agentId,
        status: response.data.status as "spawning",
        spawnedAt,
      };
      this.logger.log(`Agent spawned successfully: ${responseData.agentId}`);
      return {
        success: true,
        data: responseData,
      };
    } catch (error) {
      this.logger.error(`Failed to spawn agent: ${String(error)}`);
      throw error;
    }
  }
  /**
   * Handle agent status command by calling local orchestrator
   * @param payload Status command payload
   * @returns Status response
   */
  private async handleStatusCommand(
    payload: AgentStatusCommandPayload
  ): Promise<AgentCommandResponse> {
    this.logger.log(`Processing status command for agent ${payload.agentId}`);
    try {
      const response = await firstValueFrom(
        this.httpService.get(`${this.orchestratorUrl}/agents/${payload.agentId}/status`)
      );
      const responseData: AgentStatusResponseData = response.data as AgentStatusResponseData;
      this.logger.log(`Agent status retrieved: ${responseData.status}`);
      return {
        success: true,
        data: responseData,
      };
    } catch (error) {
      this.logger.error(`Failed to get agent status: ${String(error)}`);
      throw error;
    }
  }
  /**
   * Handle agent kill command by calling local orchestrator
   * @param payload Kill command payload
   * @returns Kill response
   */
  private async handleKillCommand(payload: KillAgentCommandPayload): Promise<AgentCommandResponse> {
    this.logger.log(`Processing kill command for agent ${payload.agentId}`);
    try {
      await firstValueFrom(
        this.httpService.post(`${this.orchestratorUrl}/agents/${payload.agentId}/kill`, {})
      );
      const killedAt = new Date().toISOString();
      const responseData: KillAgentResponseData = {
        agentId: payload.agentId,
        status: "killed",
        killedAt,
      };
      this.logger.log(`Agent killed successfully: ${payload.agentId}`);
      return {
        success: true,
        data: responseData,
      };
    } catch (error) {
      this.logger.error(`Failed to kill agent: ${String(error)}`);
      throw error;
    }
  }
 }
--- a/apps/api/src/federation/federation.controller.ts
+++ b/apps/api/src/federation/federation.controller.ts
@@ -8,10 +8,12 @@ import { Controller, Get, Post, UseGuards, Logger, Req, Body, Param, Query } fro
 import { FederationService } from "./federation.service";
 import { FederationAuditService } from "./audit.service";
 import { ConnectionService } from "./connection.service";
 import { FederationAgentService } from "./federation-agent.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { AdminGuard } from "../auth/guards/admin.guard";
 import type { PublicInstanceIdentity } from "./types/instance.types";
 import type { ConnectionDetails } from "./types/connection.types";
 import type { CommandMessageDetails } from "./types/message.types";
 import type { AuthenticatedRequest } from "../common/types/user.types";
 import {
  InitiateConnectionDto,
@@ -20,6 +22,7 @@ import {
  DisconnectConnectionDto,
  IncomingConnectionRequestDto,
 } from "./dto/connection.dto";
 import type { SpawnAgentCommandPayload } from "./types/federation-agent.types";
 import { FederationConnectionStatus } from "@prisma/client";
@Controller("api/v1/federation")
@@ -29,7 +32,8 @@ export class FederationController {
  constructor(
    private readonly federationService: FederationService,
    private readonly auditService: FederationAuditService,
-    private readonly connectionService: ConnectionService
+    private readonly connectionService: ConnectionService,
    private readonly federationAgentService: FederationAgentService
  ) {}
  /**
@@ -211,4 +215,81 @@ export class FederationController {
      connectionId: connection.id,
    };
  }
  /**
   * Spawn an agent on a remote federated instance
   * Requires authentication
   */
  @Post("agents/spawn")
  @UseGuards(AuthGuard)
  async spawnAgentOnRemote(
    @Req() req: AuthenticatedRequest,
    @Body() body: { connectionId: string; payload: SpawnAgentCommandPayload }
  ): Promise<CommandMessageDetails> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    this.logger.log(
      `User ${req.user.id} spawning agent on remote instance via connection ${body.connectionId}`
    );
    return this.federationAgentService.spawnAgentOnRemote(
      req.user.workspaceId,
      body.connectionId,
      body.payload
    );
  }
  /**
   * Get agent status from remote instance
   * Requires authentication
   */
  @Get("agents/:agentId/status")
  @UseGuards(AuthGuard)
  async getAgentStatus(
    @Req() req: AuthenticatedRequest,
    @Param("agentId") agentId: string,
    @Query("connectionId") connectionId: string
  ): Promise<CommandMessageDetails> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    if (!connectionId) {
      throw new Error("connectionId query parameter is required");
    }
    this.logger.log(
      `User ${req.user.id} getting agent ${agentId} status via connection ${connectionId}`
    );
    return this.federationAgentService.getAgentStatus(req.user.workspaceId, connectionId, agentId);
  }
  /**
   * Kill an agent on remote instance
   * Requires authentication
   */
  @Post("agents/:agentId/kill")
  @UseGuards(AuthGuard)
  async killAgentOnRemote(
    @Req() req: AuthenticatedRequest,
    @Param("agentId") agentId: string,
    @Body() body: { connectionId: string }
  ): Promise<CommandMessageDetails> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    this.logger.log(
      `User ${req.user.id} killing agent ${agentId} via connection ${body.connectionId}`
    );
    return this.federationAgentService.killAgentOnRemote(
      req.user.workspaceId,
      body.connectionId,
      agentId
    );
  }
 }
--- a/apps/api/src/federation/federation.module.ts
+++ b/apps/api/src/federation/federation.module.ts
@@ -24,6 +24,7 @@ import { IdentityResolutionService } from "./identity-resolution.service";
 import { QueryService } from "./query.service";
 import { CommandService } from "./command.service";
 import { EventService } from "./event.service";
 import { FederationAgentService } from "./federation-agent.service";
 import { PrismaModule } from "../prisma/prisma.module";
@Module({
@@ -55,6 +56,7 @@ import { PrismaModule } from "../prisma/prisma.module";
    QueryService,
    CommandService,
    EventService,
    FederationAgentService,
  ],
  exports: [
    FederationService,
@@ -67,6 +69,7 @@ import { PrismaModule } from "../prisma/prisma.module";
    QueryService,
    CommandService,
    EventService,
    FederationAgentService,
  ],
 })
 export class FederationModule {}
--- a/apps/api/src/federation/types/federation-agent.types.ts
+++ b/apps/api/src/federation/types/federation-agent.types.ts
@@ -0,0 +1,149 @@
 /**
 * Federation Agent Command Types
 *
 * Types for agent spawn commands sent via federation COMMAND messages.
 */
 /**
 * Agent type options for spawning
 */
 export type FederationAgentType = "worker" | "reviewer" | "tester";
 /**
 * Agent status returned from remote instance
 */
 export type FederationAgentStatus = "spawning" | "running" | "completed" | "failed" | "killed";
 /**
 * Context for agent execution
 */
 export interface FederationAgentContext {
  /** Git repository URL or path */
  repository: string;
  /** Git branch to work on */
  branch: string;
  /** Work items for the agent to complete */
  workItems: string[];
  /** Optional skills to load */
  skills?: string[];
  /** Optional instructions */
  instructions?: string;
 }
 /**
 * Options for spawning an agent
 */
 export interface FederationAgentOptions {
  /** Enable Docker sandbox isolation */
  sandbox?: boolean;
  /** Timeout in milliseconds */
  timeout?: number;
  /** Maximum retry attempts */
  maxRetries?: number;
 }
 /**
 * Payload for agent.spawn command
 */
 export interface SpawnAgentCommandPayload {
  /** Unique task identifier */
  taskId: string;
  /** Type of agent to spawn */
  agentType: FederationAgentType;
  /** Context for task execution */
  context: FederationAgentContext;
  /** Optional configuration */
  options?: FederationAgentOptions;
 }
 /**
 * Payload for agent.status command
 */
 export interface AgentStatusCommandPayload {
  /** Unique agent identifier */
  agentId: string;
 }
 /**
 * Payload for agent.kill command
 */
 export interface KillAgentCommandPayload {
  /** Unique agent identifier */
  agentId: string;
 }
 /**
 * Response data for agent.spawn command
 */
 export interface SpawnAgentResponseData {
  /** Unique agent identifier */
  agentId: string;
  /** Current agent status */
  status: FederationAgentStatus;
  /** Timestamp when agent was spawned */
  spawnedAt: string;
 }
 /**
 * Response data for agent.status command
 */
 export interface AgentStatusResponseData {
  /** Unique agent identifier */
  agentId: string;
  /** Task identifier */
  taskId: string;
  /** Current agent status */
  status: FederationAgentStatus;
  /** Timestamp when agent was spawned */
  spawnedAt: string;
  /** Timestamp when agent started (if running/completed) */
  startedAt?: string;
  /** Timestamp when agent completed (if completed/failed/killed) */
  completedAt?: string;
  /** Error message (if failed) */
  error?: string;
  /** Agent progress data */
  progress?: Record<string, unknown>;
 }
 /**
 * Response data for agent.kill command
 */
 export interface KillAgentResponseData {
  /** Unique agent identifier */
  agentId: string;
  /** Status after kill operation */
  status: FederationAgentStatus;
  /** Timestamp when agent was killed */
  killedAt: string;
 }
 /**
 * Details about a federated agent
 */
 export interface FederatedAgentDetails {
  /** Agent ID */
  agentId: string;
  /** Task ID */
  taskId: string;
  /** Remote instance ID where agent is running */
  remoteInstanceId: string;
  /** Connection ID used to spawn the agent */
  connectionId: string;
  /** Agent type */
  agentType: FederationAgentType;
  /** Current status */
  status: FederationAgentStatus;
  /** Spawn timestamp */
  spawnedAt: Date;
  /** Start timestamp */
  startedAt?: Date;
  /** Completion timestamp */
  completedAt?: Date;
  /** Error message if failed */
  error?: string;
  /** Context used to spawn agent */
  context: FederationAgentContext;
  /** Options used to spawn agent */
  options?: FederationAgentOptions;
 }
--- a/apps/api/src/federation/types/index.ts
+++ b/apps/api/src/federation/types/index.ts
@@ -9,3 +9,4 @@ export * from "./connection.types";
 export * from "./oidc.types";
 export * from "./identity-linking.types";
 export * from "./message.types";
 export * from "./federation-agent.types";
--- a/apps/api/src/herald/herald.service.spec.ts
+++ b/apps/api/src/herald/herald.service.spec.ts
@@ -375,9 +375,7 @@ describe("HeraldService", () => {
      mockDiscord.sendThreadMessage.mockRejectedValue(discordError);
      // Act & Assert
-      await expect(service.broadcastJobEvent(jobId, event)).rejects.toThrow(
+      await expect(service.broadcastJobEvent(jobId, event)).rejects.toThrow("Rate limit exceeded");
        "Rate limit exceeded"
      );
    });
    it("should propagate errors when fetching job events fails", async () => {
@@ -405,9 +403,7 @@ describe("HeraldService", () => {
      mockDiscord.isConnected.mockReturnValue(true);
      // Act & Assert
-      await expect(service.broadcastJobEvent(jobId, event)).rejects.toThrow(
+      await expect(service.broadcastJobEvent(jobId, event)).rejects.toThrow("Query timeout");
        "Query timeout"
      );
    });
    it("should include job context in error messages", async () => {
--- a/apps/api/src/knowledge/graph.controller.spec.ts
+++ b/apps/api/src/knowledge/graph.controller.spec.ts
@@ -146,9 +146,9 @@ describe("KnowledgeGraphController", () => {
    it("should throw error if entry not found", async () => {
      mockGraphService.getEntryGraphBySlug.mockRejectedValue(new Error("Entry not found"));
-      await expect(
+      await expect(controller.getEntryGraph("workspace-1", "non-existent", {})).rejects.toThrow(
-        controller.getEntryGraph("workspace-1", "non-existent", {})
+        "Entry not found"
-      ).rejects.toThrow("Entry not found");
+      );
    });
  });
 });
--- a/apps/api/src/knowledge/services/cache.service.spec.ts
+++ b/apps/api/src/knowledge/services/cache.service.spec.ts
@@ -1,17 +1,17 @@
-import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
-import { Test, TestingModule } from '@nestjs/testing';
+import { Test, TestingModule } from "@nestjs/testing";
-import { KnowledgeCacheService } from './cache.service';
+import { KnowledgeCacheService } from "./cache.service";
 // Integration tests - require running Valkey instance
 // Skip in unit test runs, enable with: INTEGRATION_TESTS=true pnpm test
-describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
+describe.skipIf(!process.env.INTEGRATION_TESTS)("KnowledgeCacheService", () => {
  let service: KnowledgeCacheService;
  beforeEach(async () => {
    // Set environment variables for testing
-    process.env.KNOWLEDGE_CACHE_ENABLED = 'true';
+    process.env.KNOWLEDGE_CACHE_ENABLED = "true";
-    process.env.KNOWLEDGE_CACHE_TTL = '300';
+    process.env.KNOWLEDGE_CACHE_TTL = "300";
-    process.env.VALKEY_URL = 'redis://localhost:6379';
+    process.env.VALKEY_URL = "redis://localhost:6379";
    const module: TestingModule = await Test.createTestingModule({
      providers: [KnowledgeCacheService],
@@ -27,13 +27,13 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
    }
  });
-  describe('Cache Enabled/Disabled', () => {
+  describe("Cache Enabled/Disabled", () => {
-    it('should be enabled by default', () => {
+    it("should be enabled by default", () => {
      expect(service.isEnabled()).toBe(true);
    });
-    it('should be disabled when KNOWLEDGE_CACHE_ENABLED=false', async () => {
+    it("should be disabled when KNOWLEDGE_CACHE_ENABLED=false", async () => {
-      process.env.KNOWLEDGE_CACHE_ENABLED = 'false';
+      process.env.KNOWLEDGE_CACHE_ENABLED = "false";
      const module = await Test.createTestingModule({
        providers: [KnowledgeCacheService],
      }).compile();
@@ -43,19 +43,19 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
    });
  });
-  describe('Entry Caching', () => {
+  describe("Entry Caching", () => {
-    const workspaceId = 'test-workspace-id';
+    const workspaceId = "test-workspace-id";
-    const slug = 'test-entry';
+    const slug = "test-entry";
    const entryData = {
-      id: 'entry-id',
+      id: "entry-id",
      workspaceId,
      slug,
-      title: 'Test Entry',
+      title: "Test Entry",
-      content: 'Test content',
+      content: "Test content",
      tags: [],
    };
-    it('should return null on cache miss', async () => {
+    it("should return null on cache miss", async () => {
      if (!service.isEnabled()) {
        return; // Skip if cache is disabled
      }
@@ -65,7 +65,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
      expect(result).toBeNull();
    });
-    it('should cache and retrieve entry data', async () => {
+    it("should cache and retrieve entry data", async () => {
      if (!service.isEnabled()) {
        return;
      }
@@ -80,7 +80,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
      expect(result).toEqual(entryData);
    });
-    it('should invalidate entry cache', async () => {
+    it("should invalidate entry cache", async () => {
      if (!service.isEnabled()) {
        return;
      }
@@ -103,17 +103,17 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
    });
  });
-  describe('Search Caching', () => {
+  describe("Search Caching", () => {
-    const workspaceId = 'test-workspace-id';
+    const workspaceId = "test-workspace-id";
-    const query = 'test search';
+    const query = "test search";
-    const filters = { status: 'PUBLISHED', page: 1, limit: 20 };
+    const filters = { status: "PUBLISHED", page: 1, limit: 20 };
    const searchResults = {
      data: [],
      pagination: { page: 1, limit: 20, total: 0, totalPages: 0 },
      query,
    };
-    it('should cache and retrieve search results', async () => {
+    it("should cache and retrieve search results", async () => {
      if (!service.isEnabled()) {
        return;
      }
@@ -128,7 +128,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
      expect(result).toEqual(searchResults);
    });
-    it('should differentiate search results by filters', async () => {
+    it("should differentiate search results by filters", async () => {
      if (!service.isEnabled()) {
        return;
      }
@@ -151,7 +151,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
      expect(result2.pagination.page).toBe(2);
    });
-    it('should invalidate all search caches for workspace', async () => {
+    it("should invalidate all search caches for workspace", async () => {
      if (!service.isEnabled()) {
        return;
      }
@@ -159,33 +159,33 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
      await service.onModuleInit();
      // Set multiple search caches
-      await service.setSearch(workspaceId, 'query1', {}, searchResults);
+      await service.setSearch(workspaceId, "query1", {}, searchResults);
-      await service.setSearch(workspaceId, 'query2', {}, searchResults);
+      await service.setSearch(workspaceId, "query2", {}, searchResults);
      // Invalidate all
      await service.invalidateSearches(workspaceId);
      // Verify both are gone
-      const result1 = await service.getSearch(workspaceId, 'query1', {});
+      const result1 = await service.getSearch(workspaceId, "query1", {});
-      const result2 = await service.getSearch(workspaceId, 'query2', {});
+      const result2 = await service.getSearch(workspaceId, "query2", {});
      expect(result1).toBeNull();
      expect(result2).toBeNull();
    });
  });
-  describe('Graph Caching', () => {
+  describe("Graph Caching", () => {
-    const workspaceId = 'test-workspace-id';
+    const workspaceId = "test-workspace-id";
-    const entryId = 'entry-id';
+    const entryId = "entry-id";
    const maxDepth = 2;
    const graphData = {
-      centerNode: { id: entryId, slug: 'test', title: 'Test', tags: [], depth: 0 },
+      centerNode: { id: entryId, slug: "test", title: "Test", tags: [], depth: 0 },
      nodes: [],
      edges: [],
      stats: { totalNodes: 1, totalEdges: 0, maxDepth },
    };
-    it('should cache and retrieve graph data', async () => {
+    it("should cache and retrieve graph data", async () => {
      if (!service.isEnabled()) {
        return;
      }
@@ -200,7 +200,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
      expect(result).toEqual(graphData);
    });
-    it('should differentiate graphs by maxDepth', async () => {
+    it("should differentiate graphs by maxDepth", async () => {
      if (!service.isEnabled()) {
        return;
      }
@@ -220,7 +220,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
      expect(result2.stats.maxDepth).toBe(2);
    });
-    it('should invalidate all graph caches for workspace', async () => {
+    it("should invalidate all graph caches for workspace", async () => {
      if (!service.isEnabled()) {
        return;
      }
@@ -239,17 +239,17 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
    });
  });
-  describe('Cache Statistics', () => {
+  describe("Cache Statistics", () => {
-    it('should track hits and misses', async () => {
+    it("should track hits and misses", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      const workspaceId = 'test-workspace-id';
+      const workspaceId = "test-workspace-id";
-      const slug = 'test-entry';
+      const slug = "test-entry";
-      const entryData = { id: '1', slug, title: 'Test' };
+      const entryData = { id: "1", slug, title: "Test" };
      // Reset stats
      service.resetStats();
@@ -272,15 +272,15 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
      expect(stats.hitRate).toBeCloseTo(0.5); // 1 hit, 1 miss = 50%
    });
-    it('should reset statistics', async () => {
+    it("should reset statistics", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      const workspaceId = 'test-workspace-id';
+      const workspaceId = "test-workspace-id";
-      const slug = 'test-entry';
+      const slug = "test-entry";
      await service.getEntry(workspaceId, slug); // miss
@@ -295,28 +295,28 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
    });
  });
-  describe('Clear Workspace Cache', () => {
+  describe("Clear Workspace Cache", () => {
-    it('should clear all caches for a workspace', async () => {
+    it("should clear all caches for a workspace", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      const workspaceId = 'test-workspace-id';
+      const workspaceId = "test-workspace-id";
      // Set various caches
-      await service.setEntry(workspaceId, 'entry1', { id: '1' });
+      await service.setEntry(workspaceId, "entry1", { id: "1" });
-      await service.setSearch(workspaceId, 'query', {}, { data: [] });
+      await service.setSearch(workspaceId, "query", {}, { data: [] });
-      await service.setGraph(workspaceId, 'entry-id', 1, { nodes: [] });
+      await service.setGraph(workspaceId, "entry-id", 1, { nodes: [] });
      // Clear all
      await service.clearWorkspaceCache(workspaceId);
      // Verify all are gone
-      const entry = await service.getEntry(workspaceId, 'entry1');
+      const entry = await service.getEntry(workspaceId, "entry1");
-      const search = await service.getSearch(workspaceId, 'query', {});
+      const search = await service.getSearch(workspaceId, "query", {});
-      const graph = await service.getGraph(workspaceId, 'entry-id', 1);
+      const graph = await service.getGraph(workspaceId, "entry-id", 1);
      expect(entry).toBeNull();
      expect(search).toBeNull();
--- a/apps/api/src/knowledge/services/graph.service.spec.ts
+++ b/apps/api/src/knowledge/services/graph.service.spec.ts
@@ -271,9 +271,7 @@ describe("GraphService", () => {
    });
    it("should filter by status", async () => {
-      const entries = [
+      const entries = [{ ...mockEntry, id: "entry-1", status: "PUBLISHED", tags: [] }];
        { ...mockEntry, id: "entry-1", status: "PUBLISHED", tags: [] },
      ];
      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue(entries);
      mockPrismaService.knowledgeLink.findMany.mockResolvedValue([]);
@@ -351,9 +349,7 @@ describe("GraphService", () => {
        { id: "entry-1", slug: "entry-1", title: "Entry 1", link_count: "5" },
        { id: "entry-2", slug: "entry-2", title: "Entry 2", link_count: "3" },
      ]);
-      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue([
+      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue([{ id: "orphan-1" }]);
        { id: "orphan-1" },
      ]);
      const result = await service.getGraphStats("workspace-1");
--- a/apps/api/src/knowledge/services/import-export.service.spec.ts
+++ b/apps/api/src/knowledge/services/import-export.service.spec.ts
@@ -170,9 +170,9 @@ This is the content of the entry.`;
        path: "",
      };
-      await expect(
+      await expect(service.importEntries(workspaceId, userId, file)).rejects.toThrow(
-        service.importEntries(workspaceId, userId, file)
+        BadRequestException
-      ).rejects.toThrow(BadRequestException);
+      );
    });
    it("should handle import errors gracefully", async () => {
@@ -195,9 +195,7 @@ Content`;
        path: "",
      };
-      mockKnowledgeService.create.mockRejectedValue(
+      mockKnowledgeService.create.mockRejectedValue(new Error("Database error"));
        new Error("Database error")
      );
      const result = await service.importEntries(workspaceId, userId, file);
@@ -240,10 +238,7 @@ title: Empty Entry
    it("should export entries as markdown format", async () => {
      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue([mockEntry]);
-      const result = await service.exportEntries(
+      const result = await service.exportEntries(workspaceId, ExportFormat.MARKDOWN);
        workspaceId,
        ExportFormat.MARKDOWN
      );
      expect(result.filename).toMatch(/knowledge-export-\d{4}-\d{2}-\d{2}\.zip/);
      expect(result.stream).toBeDefined();
@@ -289,9 +284,9 @@ title: Empty Entry
    it("should throw error when no entries found", async () => {
      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue([]);
-      await expect(
+      await expect(service.exportEntries(workspaceId, ExportFormat.MARKDOWN)).rejects.toThrow(
-        service.exportEntries(workspaceId, ExportFormat.MARKDOWN)
+        BadRequestException
-      ).rejects.toThrow(BadRequestException);
+      );
    });
  });
 });
--- a/apps/api/src/knowledge/services/link-resolution.service.spec.ts
+++ b/apps/api/src/knowledge/services/link-resolution.service.spec.ts
@@ -88,27 +88,20 @@ describe("LinkResolutionService", () => {
  describe("resolveLink", () => {
    describe("Exact title match", () => {
      it("should resolve link by exact title match", async () => {
-        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(
+        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(mockEntries[0]);
          mockEntries[0]
        );
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "TypeScript Guide");
          workspaceId,
          "TypeScript Guide"
        );
        expect(result).toBe("entry-1");
-        expect(mockPrismaService.knowledgeEntry.findFirst).toHaveBeenCalledWith(
+        expect(mockPrismaService.knowledgeEntry.findFirst).toHaveBeenCalledWith({
-          {
+          where: {
-            where: {
+            workspaceId,
-              workspaceId,
+            title: "TypeScript Guide",
-              title: "TypeScript Guide",
+          },
-            },
+          select: {
-            select: {
+            id: true,
-              id: true,
+          },
-            },
+        });
          }
        );
      });
      it("should be case-sensitive for exact title match", async () => {
@@ -116,10 +109,7 @@ describe("LinkResolutionService", () => {
        mockPrismaService.knowledgeEntry.findUnique.mockResolvedValueOnce(null);
        mockPrismaService.knowledgeEntry.findMany.mockResolvedValueOnce([]);
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "typescript guide");
          workspaceId,
          "typescript guide"
        );
        expect(result).toBeNull();
      });
@@ -128,41 +118,29 @@ describe("LinkResolutionService", () => {
    describe("Slug match", () => {
      it("should resolve link by slug", async () => {
        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(null);
-        mockPrismaService.knowledgeEntry.findUnique.mockResolvedValueOnce(
+        mockPrismaService.knowledgeEntry.findUnique.mockResolvedValueOnce(mockEntries[0]);
          mockEntries[0]
        );
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "typescript-guide");
          workspaceId,
          "typescript-guide"
        );
        expect(result).toBe("entry-1");
-        expect(mockPrismaService.knowledgeEntry.findUnique).toHaveBeenCalledWith(
+        expect(mockPrismaService.knowledgeEntry.findUnique).toHaveBeenCalledWith({
-          {
+          where: {
-            where: {
+            workspaceId_slug: {
-              workspaceId_slug: {
+              workspaceId,
-                workspaceId,
+              slug: "typescript-guide",
                slug: "typescript-guide",
              },
            },
-            select: {
+          },
-              id: true,
+          select: {
-            },
+            id: true,
-          }
+          },
-        );
+        });
      });
      it("should prioritize exact title match over slug match", async () => {
        // If exact title matches, slug should not be checked
-        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(
+        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(mockEntries[0]);
          mockEntries[0]
        );
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "TypeScript Guide");
          workspaceId,
          "TypeScript Guide"
        );
        expect(result).toBe("entry-1");
        expect(mockPrismaService.knowledgeEntry.findUnique).not.toHaveBeenCalled();
@@ -173,14 +151,9 @@ describe("LinkResolutionService", () => {
      it("should resolve link by case-insensitive fuzzy match", async () => {
        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(null);
        mockPrismaService.knowledgeEntry.findUnique.mockResolvedValueOnce(null);
-        mockPrismaService.knowledgeEntry.findMany.mockResolvedValueOnce([
+        mockPrismaService.knowledgeEntry.findMany.mockResolvedValueOnce([mockEntries[0]]);
          mockEntries[0],
        ]);
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "typescript guide");
          workspaceId,
          "typescript guide"
        );
        expect(result).toBe("entry-1");
        expect(mockPrismaService.knowledgeEntry.findMany).toHaveBeenCalledWith({
@@ -216,10 +189,7 @@ describe("LinkResolutionService", () => {
        mockPrismaService.knowledgeEntry.findUnique.mockResolvedValueOnce(null);
        mockPrismaService.knowledgeEntry.findMany.mockResolvedValueOnce([]);
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "Non-existent Entry");
          workspaceId,
          "Non-existent Entry"
        );
        expect(result).toBeNull();
      });
@@ -266,14 +236,9 @@ describe("LinkResolutionService", () => {
      });
      it("should trim whitespace from target before resolving", async () => {
-        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(
+        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(mockEntries[0]);
          mockEntries[0]
        );
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "  TypeScript Guide  ");
          workspaceId,
          "  TypeScript Guide  "
        );
        expect(result).toBe("entry-1");
        expect(mockPrismaService.knowledgeEntry.findFirst).toHaveBeenCalledWith(
@@ -291,23 +256,19 @@ describe("LinkResolutionService", () => {
    it("should resolve multiple links in batch", async () => {
      // First link: "TypeScript Guide" -> exact title match
      // Second link: "react-hooks" -> slug match
-      mockPrismaService.knowledgeEntry.findFirst.mockImplementation(
+      mockPrismaService.knowledgeEntry.findFirst.mockImplementation(async ({ where }: any) => {
-        async ({ where }: any) => {
+        if (where.title === "TypeScript Guide") {
-          if (where.title === "TypeScript Guide") {
+          return mockEntries[0];
            return mockEntries[0];
          }
          return null;
        }
-      );
+        return null;
      });
-      mockPrismaService.knowledgeEntry.findUnique.mockImplementation(
+      mockPrismaService.knowledgeEntry.findUnique.mockImplementation(async ({ where }: any) => {
-        async ({ where }: any) => {
+        if (where.workspaceId_slug?.slug === "react-hooks") {
-          if (where.workspaceId_slug?.slug === "react-hooks") {
+          return mockEntries[1];
            return mockEntries[1];
          }
          return null;
        }
-      );
+        return null;
      });
      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue([]);
@@ -344,9 +305,7 @@ describe("LinkResolutionService", () => {
    });
    it("should deduplicate targets", async () => {
-      mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(
+      mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(mockEntries[0]);
        mockEntries[0]
      );
      const result = await service.resolveLinks(workspaceId, [
        "TypeScript Guide",
@@ -357,9 +316,7 @@ describe("LinkResolutionService", () => {
        "TypeScript Guide": "entry-1",
      });
      // Should only be called once for the deduplicated target
-      expect(mockPrismaService.knowledgeEntry.findFirst).toHaveBeenCalledTimes(
+      expect(mockPrismaService.knowledgeEntry.findFirst).toHaveBeenCalledTimes(1);
        1
      );
    });
  });
@@ -370,10 +327,7 @@ describe("LinkResolutionService", () => {
        { id: "entry-3", title: "React Hooks Advanced" },
      ]);
-      const result = await service.getAmbiguousMatches(
+      const result = await service.getAmbiguousMatches(workspaceId, "react hooks");
        workspaceId,
        "react hooks"
      );
      expect(result).toHaveLength(2);
      expect(result).toEqual([
@@ -385,10 +339,7 @@ describe("LinkResolutionService", () => {
    it("should return empty array when no matches found", async () => {
      mockPrismaService.knowledgeEntry.findMany.mockResolvedValueOnce([]);
-      const result = await service.getAmbiguousMatches(
+      const result = await service.getAmbiguousMatches(workspaceId, "Non-existent");
        workspaceId,
        "Non-existent"
      );
      expect(result).toEqual([]);
    });
@@ -398,10 +349,7 @@ describe("LinkResolutionService", () => {
        { id: "entry-1", title: "TypeScript Guide" },
      ]);
-      const result = await service.getAmbiguousMatches(
+      const result = await service.getAmbiguousMatches(workspaceId, "typescript guide");
        workspaceId,
        "typescript guide"
      );
      expect(result).toHaveLength(1);
    });
@@ -409,8 +357,7 @@ describe("LinkResolutionService", () => {
  describe("resolveLinksFromContent", () => {
    it("should parse and resolve wiki links from content", async () => {
-      const content =
+      const content = "Check out [[TypeScript Guide]] and [[React Hooks]] for more info.";
        "Check out [[TypeScript Guide]] and [[React Hooks]] for more info.";
      // Mock resolveLink for each target
      mockPrismaService.knowledgeEntry.findFirst
@@ -522,9 +469,7 @@ describe("LinkResolutionService", () => {
        },
      ];
-      mockPrismaService.knowledgeLink.findMany.mockResolvedValueOnce(
+      mockPrismaService.knowledgeLink.findMany.mockResolvedValueOnce(mockBacklinks);
        mockBacklinks
      );
      const result = await service.getBacklinks(targetEntryId);
--- a/apps/api/src/knowledge/services/semantic-search.integration.spec.ts
+++ b/apps/api/src/knowledge/services/semantic-search.integration.spec.ts
@@ -37,11 +37,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
    } as unknown as KnowledgeCacheService;
    embeddingService = new EmbeddingService(prismaService);
-    searchService = new SearchService(
+    searchService = new SearchService(prismaService, cacheService, embeddingService);
      prismaService,
      cacheService,
      embeddingService
    );
    // Create test workspace and user
    const workspace = await prisma.workspace.create({
@@ -84,10 +80,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
      const title = "Introduction to PostgreSQL";
      const content = "PostgreSQL is a powerful open-source database.";
-      const prepared = embeddingService.prepareContentForEmbedding(
+      const prepared = embeddingService.prepareContentForEmbedding(title, content);
        title,
        content
      );
      // Title should appear twice for weighting
      expect(prepared).toContain(title);
@@ -122,10 +115,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
    it("should skip semantic search if OpenAI not configured", async () => {
      if (!embeddingService.isConfigured()) {
        await expect(
-          searchService.semanticSearch(
+          searchService.semanticSearch("database performance", testWorkspaceId)
            "database performance",
            testWorkspaceId
          )
        ).rejects.toThrow();
      } else {
        // If configured, this is expected to work (tested below)
@@ -156,10 +146,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
            entry.title,
            entry.content
          );
-          await embeddingService.generateAndStoreEmbedding(
+          await embeddingService.generateAndStoreEmbedding(created.id, preparedContent);
            created.id,
            preparedContent
          );
        }
        // Wait a bit for embeddings to be stored
@@ -175,9 +162,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
        expect(results.data.length).toBeGreaterThan(0);
        // PostgreSQL entry should rank high for "relational database"
-        const postgresEntry = results.data.find(
+        const postgresEntry = results.data.find((r) => r.slug === "postgresql-intro");
          (r) => r.slug === "postgresql-intro"
        );
        expect(postgresEntry).toBeDefined();
        expect(postgresEntry!.rank).toBeGreaterThan(0);
      },
@@ -187,18 +172,13 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
    it.skipIf(!process.env["OPENAI_API_KEY"])(
      "should perform hybrid search combining vector and keyword",
      async () => {
-        const results = await searchService.hybridSearch(
+        const results = await searchService.hybridSearch("indexing", testWorkspaceId);
          "indexing",
          testWorkspaceId
        );
        // Should return results
        expect(results.data.length).toBeGreaterThan(0);
        // Should find the indexing entry
-        const indexingEntry = results.data.find(
+        const indexingEntry = results.data.find((r) => r.slug === "database-indexing");
          (r) => r.slug === "database-indexing"
        );
        expect(indexingEntry).toBeDefined();
      },
      30000
@@ -230,15 +210,10 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
        // Batch generate embeddings
        const entriesForEmbedding = entries.map((e) => ({
          id: e.id,
-          content: embeddingService.prepareContentForEmbedding(
+          content: embeddingService.prepareContentForEmbedding(e.title, e.content),
            e.title,
            e.content
          ),
        }));
-        const successCount = await embeddingService.batchGenerateEmbeddings(
+        const successCount = await embeddingService.batchGenerateEmbeddings(entriesForEmbedding);
          entriesForEmbedding
        );
        expect(successCount).toBe(3);
--- a/apps/api/src/knowledge/tags.controller.spec.ts
+++ b/apps/api/src/knowledge/tags.controller.spec.ts
@@ -48,10 +48,7 @@ describe("TagsController", () => {
      const result = await controller.create(createDto, workspaceId);
      expect(result).toEqual(mockTag);
-      expect(mockTagsService.create).toHaveBeenCalledWith(
+      expect(mockTagsService.create).toHaveBeenCalledWith(workspaceId, createDto);
        workspaceId,
        createDto
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
@@ -108,10 +105,7 @@ describe("TagsController", () => {
      const result = await controller.findOne("architecture", workspaceId);
      expect(result).toEqual(mockTagWithCount);
-      expect(mockTagsService.findOne).toHaveBeenCalledWith(
+      expect(mockTagsService.findOne).toHaveBeenCalledWith("architecture", workspaceId);
        "architecture",
        workspaceId
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
@@ -138,18 +132,10 @@ describe("TagsController", () => {
      mockTagsService.update.mockResolvedValue(updatedTag);
-      const result = await controller.update(
+      const result = await controller.update("architecture", updateDto, workspaceId);
        "architecture",
        updateDto,
        workspaceId
      );
      expect(result).toEqual(updatedTag);
-      expect(mockTagsService.update).toHaveBeenCalledWith(
+      expect(mockTagsService.update).toHaveBeenCalledWith("architecture", workspaceId, updateDto);
        "architecture",
        workspaceId,
        updateDto
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
@@ -171,10 +157,7 @@ describe("TagsController", () => {
      await controller.remove("architecture", workspaceId);
-      expect(mockTagsService.remove).toHaveBeenCalledWith(
+      expect(mockTagsService.remove).toHaveBeenCalledWith("architecture", workspaceId);
        "architecture",
        workspaceId
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
@@ -206,10 +189,7 @@ describe("TagsController", () => {
      const result = await controller.getEntries("architecture", workspaceId);
      expect(result).toEqual(mockEntries);
-      expect(mockTagsService.getEntriesWithTag).toHaveBeenCalledWith(
+      expect(mockTagsService.getEntriesWithTag).toHaveBeenCalledWith("architecture", workspaceId);
        "architecture",
        workspaceId
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
--- a/apps/api/src/knowledge/tags.service.spec.ts
+++ b/apps/api/src/knowledge/tags.service.spec.ts
@@ -2,11 +2,7 @@ import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { TagsService } from "./tags.service";
 import { PrismaService } from "../prisma/prisma.service";
-import {
+import { NotFoundException, ConflictException, BadRequestException } from "@nestjs/common";
  NotFoundException,
  ConflictException,
  BadRequestException,
 } from "@nestjs/common";
 import type { CreateTagDto, UpdateTagDto } from "./dto";
 describe("TagsService", () => {
@@ -113,9 +109,7 @@ describe("TagsService", () => {
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(mockTag);
-      await expect(service.create(workspaceId, createDto)).rejects.toThrow(
+      await expect(service.create(workspaceId, createDto)).rejects.toThrow(ConflictException);
        ConflictException
      );
    });
    it("should throw BadRequestException for invalid slug format", async () => {
@@ -124,9 +118,7 @@ describe("TagsService", () => {
        slug: "Invalid_Slug!",
      };
-      await expect(service.create(workspaceId, createDto)).rejects.toThrow(
+      await expect(service.create(workspaceId, createDto)).rejects.toThrow(BadRequestException);
        BadRequestException
      );
    });
    it("should generate slug from name with spaces and special chars", async () => {
@@ -135,12 +127,10 @@ describe("TagsService", () => {
      };
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(null);
-      mockPrismaService.knowledgeTag.create.mockImplementation(
+      mockPrismaService.knowledgeTag.create.mockImplementation(async ({ data }: any) => ({
-        async ({ data }: any) => ({
+        ...mockTag,
-          ...mockTag,
+        slug: data.slug,
-          slug: data.slug,
+      }));
        })
      );
      const result = await service.create(workspaceId, createDto);
@@ -183,9 +173,7 @@ describe("TagsService", () => {
  describe("findOne", () => {
    it("should return a tag by slug", async () => {
      const mockTagWithCount = { ...mockTag, _count: { entries: 5 } };
-      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(
+      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(mockTagWithCount);
        mockTagWithCount
      );
      const result = await service.findOne("architecture", workspaceId);
@@ -208,9 +196,7 @@ describe("TagsService", () => {
    it("should throw NotFoundException if tag not found", async () => {
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.findOne("nonexistent", workspaceId)).rejects.toThrow(NotFoundException);
        service.findOne("nonexistent", workspaceId)
      ).rejects.toThrow(NotFoundException);
    });
  });
@@ -245,9 +231,9 @@ describe("TagsService", () => {
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.update("nonexistent", workspaceId, updateDto)).rejects.toThrow(
-        service.update("nonexistent", workspaceId, updateDto)
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
    it("should throw ConflictException if new slug conflicts", async () => {
@@ -263,9 +249,9 @@ describe("TagsService", () => {
          slug: "design",
        } as any);
-      await expect(
+      await expect(service.update("architecture", workspaceId, updateDto)).rejects.toThrow(
-        service.update("architecture", workspaceId, updateDto)
+        ConflictException
-      ).rejects.toThrow(ConflictException);
+      );
    });
  });
@@ -292,9 +278,7 @@ describe("TagsService", () => {
    it("should throw NotFoundException if tag not found", async () => {
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.remove("nonexistent", workspaceId)).rejects.toThrow(NotFoundException);
        service.remove("nonexistent", workspaceId)
      ).rejects.toThrow(NotFoundException);
    });
  });
@@ -398,9 +382,9 @@ describe("TagsService", () => {
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.findOrCreateTags(workspaceId, slugs, false)).rejects.toThrow(
-        service.findOrCreateTags(workspaceId, slugs, false)
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
  });
 });
--- a/apps/api/src/knowledge/utils/README.md
+++ b/apps/api/src/knowledge/utils/README.md
@@ -17,9 +17,9 @@ The `wiki-link-parser.ts` utility provides parsing of wiki-style `[[links]]` fro
 ### Usage
 ```typescript
-import { parseWikiLinks } from './utils/wiki-link-parser';
+import { parseWikiLinks } from "./utils/wiki-link-parser";
-const content = 'See [[Main Page]] and [[Getting Started|start here]].';
+const content = "See [[Main Page]] and [[Getting Started|start here]].";
 const links = parseWikiLinks(content);
 // Result:
@@ -44,32 +44,41 @@ const links = parseWikiLinks(content);
 ### Supported Link Formats
 #### Basic Link (by title)
 ```markdown
 [[Page Name]]
 ```
 Links to a page by its title. Display text will be "Page Name".
 #### Link with Display Text
 ```markdown
 [[Page Name|custom display]]
 ```
 Links to "Page Name" but displays "custom display".
 #### Link by Slug
 ```markdown
 [[page-slug-name]]
 ```
 Links to a page by its URL slug (kebab-case).
 ### Edge Cases
 #### Nested Brackets
 ```markdown
-[[Page [with] brackets]]  ✓ Parsed correctly
+[[Page [with] brackets]] ✓ Parsed correctly
 ```
 Single brackets inside link text are allowed.
 #### Code Blocks (Not Parsed)
 ```markdown
 Use `[[WikiLink]]` syntax for linking.
@@ -77,36 +86,41 @@ Use `[[WikiLink]]` syntax for linking.
 const link = "[[not parsed]]";
 \`\`\`
 ```
 Links inside inline code or fenced code blocks are ignored.
 #### Escaped Brackets
 ```markdown
 \[[not a link]] but [[real link]] works
 ```
 Escaped brackets are not parsed as links.
 #### Empty or Invalid Links
 ```markdown
 [[]]           ✗ Empty link (ignored)
-[[   ]]        ✗ Whitespace only (ignored)
+[[]] ✗ Whitespace only (ignored)
-[[  Target  ]] ✓ Trimmed to "Target"
+[[Target]] ✓ Trimmed to "Target"
 ```
 ### Return Type
 ```typescript
 interface WikiLink {
-  raw: string;        // Full matched text: "[[Page Name]]"
+  raw: string; // Full matched text: "[[Page Name]]"
-  target: string;     // Target page: "Page Name"
+  target: string; // Target page: "Page Name"
  displayText: string; // Display text: "Page Name" or custom
-  start: number;      // Start position in content
+  start: number; // Start position in content
-  end: number;        // End position in content
+  end: number; // End position in content
 }
 ```
 ### Testing
 Comprehensive test suite (100% coverage) includes:
 - Basic parsing (single, multiple, consecutive links)
 - Display text variations
 - Edge cases (brackets, escapes, empty links)
@@ -116,6 +130,7 @@ Comprehensive test suite (100% coverage) includes:
 - Malformed input handling
 Run tests:
 ```bash
 pnpm test --filter=@mosaic/api -- wiki-link-parser.spec.ts
 ```
@@ -130,6 +145,7 @@ This parser is designed to work with the Knowledge Module's linking system:
 4. **Link Rendering**: Replace `[[links]]` with HTML anchors
 See related issues:
 - #59 - Wiki-link parser (this implementation)
 - Future: Link resolution and storage
 - Future: Backlink display and navigation
@@ -151,33 +167,38 @@ The `markdown.ts` utility provides secure markdown rendering with GFM (GitHub Fl
 ### Usage
 ```typescript
-import { renderMarkdown, markdownToPlainText } from './utils/markdown';
+import { renderMarkdown, markdownToPlainText } from "./utils/markdown";
 // Render markdown to HTML (async)
-const html = await renderMarkdown('# Hello **World**');
+const html = await renderMarkdown("# Hello **World**");
 // Result: <h1 id="hello-world">Hello <strong>World</strong></h1>
 // Extract plain text (for search indexing)
-const plainText = await markdownToPlainText('# Hello **World**');
+const plainText = await markdownToPlainText("# Hello **World**");
 // Result: "Hello World"
 ```
 ### Supported Markdown Features
 #### Basic Formatting
 - **Bold**: `**text**` or `__text__`
- *Italic*: `*text*` or `_text_`
+- _Italic_: `*text*` or `_text_`
 - ~~Strikethrough~~: `~~text~~`
 - `Inline code`: `` `code` ``
 #### Headers
 ```markdown
 # H1
 ## H2
 ### H3
 ```
 #### Lists
 ```markdown
 - Unordered list
  - Nested item
@@ -187,19 +208,22 @@ const plainText = await markdownToPlainText('# Hello **World**');
 ```
 #### Task Lists
 ```markdown
 - [ ] Unchecked task
 - [x] Completed task
 ```
 #### Tables
 ```markdown
 | Header 1 | Header 2 |
-|----------|----------|
+| -------- | -------- |
 | Cell 1   | Cell 2   |
 ```
 #### Code Blocks
 ````markdown
 ```typescript
 const greeting: string = "Hello";
@@ -208,12 +232,14 @@ console.log(greeting);
 ````
 #### Links and Images
 ```markdown
 [Link text](https://example.com)
 ![Alt text](https://example.com/image.png)
 ```
 #### Blockquotes
 ```markdown
 > This is a quote
 > Multi-line quote
@@ -233,6 +259,7 @@ The renderer implements multiple layers of security:
 ### Testing
 Comprehensive test suite covers:
 - Basic markdown rendering
 - GFM features (tables, task lists, strikethrough)
 - Code syntax highlighting
@@ -240,6 +267,7 @@ Comprehensive test suite covers:
 - Edge cases (unicode, long content, nested structures)
 Run tests:
 ```bash
 pnpm test --filter=@mosaic/api -- markdown.spec.ts
 ```
--- a/apps/api/src/knowledge/utils/markdown.spec.ts
+++ b/apps/api/src/knowledge/utils/markdown.spec.ts
@@ -1,9 +1,5 @@
 import { describe, it, expect } from "vitest";
-import {
+import { renderMarkdown, renderMarkdownSync, markdownToPlainText } from "./markdown";
  renderMarkdown,
  renderMarkdownSync,
  markdownToPlainText,
 } from "./markdown";
 describe("Markdown Rendering", () => {
  describe("renderMarkdown", () => {
@@ -77,7 +73,7 @@ describe("Markdown Rendering", () => {
      const html = await renderMarkdown(markdown);
-      expect(html).toContain('<input');
+      expect(html).toContain("<input");
      expect(html).toContain('type="checkbox"');
      expect(html).toContain('disabled="disabled"'); // Should be disabled for safety
    });
@@ -145,16 +141,17 @@ plain text code
      const markdown = "![Alt text](https://example.com/image.png)";
      const html = await renderMarkdown(markdown);
-      expect(html).toContain('<img');
+      expect(html).toContain("<img");
      expect(html).toContain('src="https://example.com/image.png"');
      expect(html).toContain('alt="Alt text"');
    });
    it("should allow data URIs for images", async () => {
-      const markdown = "![Image](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==)";
+      const markdown =
        "![Image](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==)";
      const html = await renderMarkdown(markdown);
-      expect(html).toContain('<img');
+      expect(html).toContain("<img");
      expect(html).toContain('src="data:image/png;base64');
    });
  });
@@ -164,7 +161,7 @@ plain text code
      const markdown = "# My Header Title";
      const html = await renderMarkdown(markdown);
-      expect(html).toContain('<h1');
+      expect(html).toContain("<h1");
      expect(html).toContain('id="');
    });
@@ -282,7 +279,7 @@ plain text code
    });
    it("should strip all HTML tags", async () => {
-      const markdown = '[Link](https://example.com)\n\n![Image](image.png)';
+      const markdown = "[Link](https://example.com)\n\n![Image](image.png)";
      const plainText = await markdownToPlainText(markdown);
      expect(plainText).not.toContain("<a");
--- a/apps/api/src/knowledge/utils/wiki-link-parser.spec.ts
+++ b/apps/api/src/knowledge/utils/wiki-link-parser.spec.ts
@@ -333,9 +333,7 @@ const link = "[[Not A Link]]";
      expect(links[0].start).toBe(5);
      expect(links[0].end).toBe(23);
-      expect(content.substring(links[0].start, links[0].end)).toBe(
+      expect(content.substring(links[0].start, links[0].end)).toBe("[[Target|Display]]");
        "[[Target|Display]]"
      );
    });
    it("should track positions in multiline content", () => {
--- a/apps/api/src/layouts/tests/layouts.service.spec.ts
+++ b/apps/api/src/layouts/tests/layouts.service.spec.ts
@@ -114,9 +114,9 @@ describe("LayoutsService", () => {
        .mockResolvedValueOnce(null) // No default
        .mockResolvedValueOnce(null); // No layouts
-      await expect(
+      await expect(service.findDefault(mockWorkspaceId, mockUserId)).rejects.toThrow(
-        service.findDefault(mockWorkspaceId, mockUserId)
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
  });
@@ -139,9 +139,9 @@ describe("LayoutsService", () => {
    it("should throw NotFoundException if layout not found", async () => {
      prisma.userLayout.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.findOne("invalid-id", mockWorkspaceId, mockUserId)).rejects.toThrow(
-        service.findOne("invalid-id", mockWorkspaceId, mockUserId)
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
  });
@@ -221,12 +221,7 @@ describe("LayoutsService", () => {
        })
      );
-      const result = await service.update(
+      const result = await service.update("layout-1", mockWorkspaceId, mockUserId, updateDto);
        "layout-1",
        mockWorkspaceId,
        mockUserId,
        updateDto
      );
      expect(result).toBeDefined();
      expect(mockFindUnique).toHaveBeenCalled();
@@ -244,9 +239,9 @@ describe("LayoutsService", () => {
        })
      );
-      await expect(
+      await expect(service.update("invalid-id", mockWorkspaceId, mockUserId, {})).rejects.toThrow(
-        service.update("invalid-id", mockWorkspaceId, mockUserId, {})
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
  });
@@ -269,9 +264,9 @@ describe("LayoutsService", () => {
    it("should throw NotFoundException if layout not found", async () => {
      prisma.userLayout.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.remove("invalid-id", mockWorkspaceId, mockUserId)).rejects.toThrow(
-        service.remove("invalid-id", mockWorkspaceId, mockUserId)
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
  });
 });
--- a/apps/api/src/ollama/ollama.controller.spec.ts
+++ b/apps/api/src/ollama/ollama.controller.spec.ts
@@ -48,11 +48,7 @@ describe("OllamaController", () => {
      });
      expect(result).toEqual(mockResponse);
-      expect(mockOllamaService.generate).toHaveBeenCalledWith(
+      expect(mockOllamaService.generate).toHaveBeenCalledWith("Hello", undefined, undefined);
        "Hello",
        undefined,
        undefined
      );
    });
    it("should generate with options and custom model", async () => {
@@ -84,9 +80,7 @@ describe("OllamaController", () => {
  describe("chat", () => {
    it("should complete chat conversation", async () => {
-      const messages: ChatMessage[] = [
+      const messages: ChatMessage[] = [{ role: "user", content: "Hello!" }];
        { role: "user", content: "Hello!" },
      ];
      const mockResponse = {
        model: "llama3.2",
@@ -104,11 +98,7 @@ describe("OllamaController", () => {
      });
      expect(result).toEqual(mockResponse);
-      expect(mockOllamaService.chat).toHaveBeenCalledWith(
+      expect(mockOllamaService.chat).toHaveBeenCalledWith(messages, undefined, undefined);
        messages,
        undefined,
        undefined
      );
    });
    it("should chat with options and custom model", async () => {
@@ -158,10 +148,7 @@ describe("OllamaController", () => {
      });
      expect(result).toEqual(mockResponse);
-      expect(mockOllamaService.embed).toHaveBeenCalledWith(
+      expect(mockOllamaService.embed).toHaveBeenCalledWith("Sample text", undefined);
        "Sample text",
        undefined
      );
    });
    it("should embed with custom model", async () => {
@@ -177,10 +164,7 @@ describe("OllamaController", () => {
      });
      expect(result).toEqual(mockResponse);
-      expect(mockOllamaService.embed).toHaveBeenCalledWith(
+      expect(mockOllamaService.embed).toHaveBeenCalledWith("Test", "nomic-embed-text");
        "Test",
        "nomic-embed-text"
      );
    });
  });
--- a/apps/api/src/ollama/ollama.service.spec.ts
+++ b/apps/api/src/ollama/ollama.service.spec.ts
@@ -2,11 +2,7 @@ import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { OllamaService } from "./ollama.service";
 import { HttpException, HttpStatus } from "@nestjs/common";
-import type {
+import type { GenerateOptionsDto, ChatMessage, ChatOptionsDto } from "./dto";
  GenerateOptionsDto,
  ChatMessage,
  ChatOptionsDto,
 } from "./dto";
 describe("OllamaService", () => {
  let service: OllamaService;
@@ -133,9 +129,7 @@ describe("OllamaService", () => {
      mockFetch.mockRejectedValue(new Error("Network error"));
      await expect(service.generate("Hello")).rejects.toThrow(HttpException);
-      await expect(service.generate("Hello")).rejects.toThrow(
+      await expect(service.generate("Hello")).rejects.toThrow("Failed to connect to Ollama");
        "Failed to connect to Ollama"
      );
    });
    it("should throw HttpException on non-ok response", async () => {
@@ -163,12 +157,9 @@ describe("OllamaService", () => {
        ],
      }).compile();
-      const shortTimeoutService =
+      const shortTimeoutService = shortTimeoutModule.get<OllamaService>(OllamaService);
        shortTimeoutModule.get<OllamaService>(OllamaService);
-      await expect(shortTimeoutService.generate("Hello")).rejects.toThrow(
+      await expect(shortTimeoutService.generate("Hello")).rejects.toThrow(HttpException);
        HttpException
      );
    });
  });
@@ -210,9 +201,7 @@ describe("OllamaService", () => {
    });
    it("should chat with custom options", async () => {
-      const messages: ChatMessage[] = [
+      const messages: ChatMessage[] = [{ role: "user", content: "Hello!" }];
        { role: "user", content: "Hello!" },
      ];
      const options: ChatOptionsDto = {
        temperature: 0.5,
@@ -251,9 +240,9 @@ describe("OllamaService", () => {
    it("should throw HttpException on chat error", async () => {
      mockFetch.mockRejectedValue(new Error("Connection refused"));
-      await expect(
+      await expect(service.chat([{ role: "user", content: "Hello" }])).rejects.toThrow(
-        service.chat([{ role: "user", content: "Hello" }])
+        HttpException
-      ).rejects.toThrow(HttpException);
+      );
    });
  });
--- a/apps/api/src/prisma/prisma.service.spec.ts
+++ b/apps/api/src/prisma/prisma.service.spec.ts
@@ -23,9 +23,7 @@ describe("PrismaService", () => {
  describe("onModuleInit", () => {
    it("should connect to the database", async () => {
-      const connectSpy = vi
+      const connectSpy = vi.spyOn(service, "$connect").mockResolvedValue(undefined);
        .spyOn(service, "$connect")
        .mockResolvedValue(undefined);
      await service.onModuleInit();
@@ -42,9 +40,7 @@ describe("PrismaService", () => {
  describe("onModuleDestroy", () => {
    it("should disconnect from the database", async () => {
-      const disconnectSpy = vi
+      const disconnectSpy = vi.spyOn(service, "$disconnect").mockResolvedValue(undefined);
        .spyOn(service, "$disconnect")
        .mockResolvedValue(undefined);
      await service.onModuleDestroy();
@@ -62,9 +58,7 @@ describe("PrismaService", () => {
    });
    it("should return false when database is not accessible", async () => {
-      vi
+      vi.spyOn(service, "$queryRaw").mockRejectedValue(new Error("Database error"));
        .spyOn(service, "$queryRaw")
        .mockRejectedValue(new Error("Database error"));
      const result = await service.isHealthy();
@@ -100,9 +94,7 @@ describe("PrismaService", () => {
    });
    it("should return connected false when query fails", async () => {
-      vi
+      vi.spyOn(service, "$queryRaw").mockRejectedValue(new Error("Query failed"));
        .spyOn(service, "$queryRaw")
        .mockRejectedValue(new Error("Query failed"));
      const result = await service.getConnectionInfo();
--- a/apps/api/src/projects/projects.controller.spec.ts
+++ b/apps/api/src/projects/projects.controller.spec.ts
@@ -62,11 +62,7 @@ describe("ProjectsController", () => {
      const result = await controller.create(createDto, mockWorkspaceId, mockUser);
      expect(result).toEqual(mockProject);
-      expect(service.create).toHaveBeenCalledWith(
+      expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, mockUserId, createDto);
        mockWorkspaceId,
        mockUserId,
        createDto
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
@@ -74,7 +70,9 @@ describe("ProjectsController", () => {
      await controller.create({ name: "Test" }, undefined as any, mockUser);
-      expect(mockProjectsService.create).toHaveBeenCalledWith(undefined, mockUserId, { name: "Test" });
+      expect(mockProjectsService.create).toHaveBeenCalledWith(undefined, mockUserId, {
        name: "Test",
      });
    });
  });
@@ -149,7 +147,12 @@ describe("ProjectsController", () => {
      await controller.update(mockProjectId, updateDto, undefined as any, mockUser);
-      expect(mockProjectsService.update).toHaveBeenCalledWith(mockProjectId, undefined, mockUserId, updateDto);
+      expect(mockProjectsService.update).toHaveBeenCalledWith(
        mockProjectId,
        undefined,
        mockUserId,
        updateDto
      );
    });
  });
@@ -159,11 +162,7 @@ describe("ProjectsController", () => {
      await controller.remove(mockProjectId, mockWorkspaceId, mockUser);
-      expect(service.remove).toHaveBeenCalledWith(
+      expect(service.remove).toHaveBeenCalledWith(mockProjectId, mockWorkspaceId, mockUserId);
        mockProjectId,
        mockWorkspaceId,
        mockUserId
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
--- a/apps/api/src/stitcher/stitcher.security.spec.ts
+++ b/apps/api/src/stitcher/stitcher.security.spec.ts
@@ -55,9 +55,7 @@ describe("StitcherController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("POST /stitcher/dispatch should require authentication", async () => {
@@ -67,9 +65,7 @@ describe("StitcherController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
  });
@@ -96,9 +92,7 @@ describe("StitcherController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
      await expect(guard.canActivate(mockContext as any)).rejects.toThrow("Invalid API key");
    });
@@ -111,9 +105,7 @@ describe("StitcherController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
      await expect(guard.canActivate(mockContext as any)).rejects.toThrow("No API key provided");
    });
  });
@@ -133,9 +125,7 @@ describe("StitcherController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
  });
 });
--- a/apps/api/src/tasks/dto/query-tasks.dto.spec.ts
+++ b/apps/api/src/tasks/dto/query-tasks.dto.spec.ts
@@ -24,7 +24,7 @@ describe("QueryTasksDto", () => {
    const errors = await validate(dto);
    expect(errors.length).toBeGreaterThan(0);
-    expect(errors.some(e => e.property === "workspaceId")).toBe(true);
+    expect(errors.some((e) => e.property === "workspaceId")).toBe(true);
  });
  it("should accept valid status filter", async () => {
--- a/apps/api/src/tasks/tasks.controller.spec.ts
+++ b/apps/api/src/tasks/tasks.controller.spec.ts
@@ -106,18 +106,10 @@ describe("TasksController", () => {
      mockTasksService.create.mockResolvedValue(mockTask);
-      const result = await controller.create(
+      const result = await controller.create(createDto, mockWorkspaceId, mockRequest.user);
        createDto,
        mockWorkspaceId,
        mockRequest.user
      );
      expect(result).toEqual(mockTask);
-      expect(service.create).toHaveBeenCalledWith(
+      expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, mockUserId, createDto);
        mockWorkspaceId,
        mockUserId,
        createDto
      );
    });
  });
@@ -247,11 +239,7 @@ describe("TasksController", () => {
      await controller.remove(mockTaskId, mockWorkspaceId, mockRequest.user);
-      expect(service.remove).toHaveBeenCalledWith(
+      expect(service.remove).toHaveBeenCalledWith(mockTaskId, mockWorkspaceId, mockUserId);
        mockTaskId,
        mockWorkspaceId,
        mockUserId
      );
    });
    it("should throw error if workspaceId not found", async () => {
@@ -262,11 +250,7 @@ describe("TasksController", () => {
      await controller.remove(mockTaskId, mockWorkspaceId, mockRequest.user);
-      expect(service.remove).toHaveBeenCalledWith(
+      expect(service.remove).toHaveBeenCalledWith(mockTaskId, mockWorkspaceId, mockUserId);
        mockTaskId,
        mockWorkspaceId,
        mockUserId
      );
    });
  });
 });
--- a/apps/api/src/valkey/README.md
+++ b/apps/api/src/valkey/README.md
@@ -69,8 +69,8 @@ docker compose up -d valkey
 ### 1. Inject the Service
 ```typescript
-import { Injectable } from '@nestjs/common';
+import { Injectable } from "@nestjs/common";
-import { ValkeyService } from './valkey/valkey.service';
+import { ValkeyService } from "./valkey/valkey.service";
@Injectable()
 export class MyService {
@@ -82,11 +82,11 @@ export class MyService {
 ```typescript
 const task = await this.valkeyService.enqueue({
-  type: 'send-email',
+  type: "send-email",
  data: {
-    to: 'user@example.com',
+    to: "user@example.com",
-    subject: 'Welcome!',
+    subject: "Welcome!",
-    body: 'Hello, welcome to Mosaic Stack',
+    body: "Hello, welcome to Mosaic Stack",
  },
 });
@@ -129,8 +129,8 @@ const status = await this.valkeyService.getStatus(taskId);
 if (status) {
  console.log(status.status); // 'completed' | 'failed' | 'processing' | 'pending'
-  console.log(status.data);   // Task metadata
+  console.log(status.data); // Task metadata
-  console.log(status.error);  // Error message if failed
+  console.log(status.error); // Error message if failed
 }
 ```
@@ -143,7 +143,7 @@ console.log(`${length} tasks in queue`);
 // Health check
 const healthy = await this.valkeyService.healthCheck();
-console.log(`Valkey is ${healthy ? 'healthy' : 'down'}`);
+console.log(`Valkey is ${healthy ? "healthy" : "down"}`);
 // Clear queue (use with caution!)
 await this.valkeyService.clearQueue();
@@ -186,7 +186,7 @@ export class EmailWorker {
        await this.processTask(task);
      } else {
        // No tasks, wait 5 seconds
-        await new Promise(resolve => setTimeout(resolve, 5000));
+        await new Promise((resolve) => setTimeout(resolve, 5000));
      }
    }
  }
@@ -194,10 +194,10 @@ export class EmailWorker {
  private async processTask(task: TaskDto) {
    try {
      switch (task.type) {
-        case 'send-email':
+        case "send-email":
          await this.sendEmail(task.data);
          break;
-        case 'generate-report':
+        case "generate-report":
          await this.generateReport(task.data);
          break;
      }
@@ -222,10 +222,10 @@ export class EmailWorker {
 export class ScheduledTasks {
  constructor(private readonly valkeyService: ValkeyService) {}
-  @Cron('0 0 * * *') // Daily at midnight
+  @Cron("0 0 * * *") // Daily at midnight
  async dailyReport() {
    await this.valkeyService.enqueue({
-      type: 'daily-report',
+      type: "daily-report",
      data: { date: new Date().toISOString() },
    });
  }
@@ -241,6 +241,7 @@ pnpm test valkey.service.spec.ts
 ```
 Tests cover:
 - ✅ Connection and initialization
 - ✅ Enqueue operations
 - ✅ Dequeue FIFO behavior
@@ -254,9 +255,11 @@ Tests cover:
 ### ValkeyService Methods
 #### `enqueue(task: EnqueueTaskDto): Promise<TaskDto>`
 Add a task to the queue.
 **Parameters:**
 - `task.type` (string): Task type identifier
 - `task.data` (object): Task metadata
@@ -265,6 +268,7 @@ Add a task to the queue.
 ---
 #### `dequeue(): Promise<TaskDto | null>`
 Get the next task from the queue (FIFO).
 **Returns:** Next task with status updated to PROCESSING, or null if queue is empty
@@ -272,9 +276,11 @@ Get the next task from the queue (FIFO).
 ---
 #### `getStatus(taskId: string): Promise<TaskDto | null>`
 Retrieve task status and metadata.
 **Parameters:**
 - `taskId` (string): Task UUID
 **Returns:** Task data or null if not found
@@ -282,9 +288,11 @@ Retrieve task status and metadata.
 ---
 #### `updateStatus(taskId: string, update: UpdateTaskStatusDto): Promise<TaskDto | null>`
 Update task status and optionally add results or errors.
 **Parameters:**
 - `taskId` (string): Task UUID
 - `update.status` (TaskStatus): New status
 - `update.error` (string, optional): Error message for failed tasks
@@ -295,6 +303,7 @@ Update task status and optionally add results or errors.
 ---
 #### `getQueueLength(): Promise<number>`
 Get the number of tasks in queue.
 **Returns:** Queue length
@@ -302,11 +311,13 @@ Get the number of tasks in queue.
 ---
 #### `clearQueue(): Promise<void>`
 Remove all tasks from queue (metadata remains until TTL).
 ---
 #### `healthCheck(): Promise<boolean>`
 Verify Valkey connectivity.
 **Returns:** true if connected, false otherwise
@@ -314,6 +325,7 @@ Verify Valkey connectivity.
 ## Migration Notes
 If upgrading from BullMQ or another queue system:
 1. Task IDs are UUIDs (not incremental)
 2. No built-in retry mechanism (implement in worker)
 3. No job priorities (strict FIFO)
@@ -329,7 +341,7 @@ For advanced features like retries, priorities, or scheduled jobs, consider wrap
 // Check Valkey connectivity
 const healthy = await this.valkeyService.healthCheck();
 if (!healthy) {
-  console.error('Valkey is not responding');
+  console.error("Valkey is not responding");
 }
 ```
@@ -349,6 +361,7 @@ docker exec -it mosaic-valkey valkey-cli DEL mosaic:task:queue
 ### Debug Logging
 The service logs all operations at `info` level. Check application logs for:
 - Task enqueue/dequeue operations
 - Status updates
 - Connection events
@@ -356,6 +369,7 @@ The service logs all operations at `info` level. Check application logs for:
 ## Future Enhancements
 Potential improvements for consideration:
 - [ ] Task priorities (weighted queues)
 - [ ] Retry mechanism with exponential backoff
 - [ ] Delayed/scheduled tasks
--- a/apps/api/src/valkey/valkey.service.spec.ts
+++ b/apps/api/src/valkey/valkey.service.spec.ts
@@ -1,10 +1,10 @@
-import { Test, TestingModule } from '@nestjs/testing';
+import { Test, TestingModule } from "@nestjs/testing";
-import { describe, it, expect, beforeEach, vi, afterEach } from 'vitest';
+import { describe, it, expect, beforeEach, vi, afterEach } from "vitest";
-import { ValkeyService } from './valkey.service';
+import { ValkeyService } from "./valkey.service";
-import { TaskStatus } from './dto/task.dto';
+import { TaskStatus } from "./dto/task.dto";
 // Mock ioredis module
-vi.mock('ioredis', () => {
+vi.mock("ioredis", () => {
  // In-memory store for mocked Redis
  const store = new Map<string, string>();
  const lists = new Map<string, string[]>();
@@ -13,7 +13,7 @@ vi.mock('ioredis', () => {
  class MockRedisClient {
    // Connection methods
    async ping() {
-      return 'PONG';
+      return "PONG";
    }
    async quit() {
@@ -27,7 +27,7 @@ vi.mock('ioredis', () => {
    // String operations
    async setex(key: string, ttl: number, value: string) {
      store.set(key, value);
-      return 'OK';
+      return "OK";
    }
    async get(key: string) {
@@ -59,7 +59,7 @@ vi.mock('ioredis', () => {
    async del(...keys: string[]) {
      let deleted = 0;
-      keys.forEach(key => {
+      keys.forEach((key) => {
        if (store.delete(key)) deleted++;
        if (lists.delete(key)) deleted++;
      });
@@ -78,16 +78,16 @@ vi.mock('ioredis', () => {
  };
 });
-describe('ValkeyService', () => {
+describe("ValkeyService", () => {
  let service: ValkeyService;
  let module: TestingModule;
  beforeEach(async () => {
    // Clear environment
-    process.env.VALKEY_URL = 'redis://localhost:6379';
+    process.env.VALKEY_URL = "redis://localhost:6379";
    // Clear the mock store before each test
-    const Redis = await import('ioredis');
+    const Redis = await import("ioredis");
    (Redis.default as any).__clearStore();
    module = await Test.createTestingModule({
@@ -104,41 +104,41 @@ describe('ValkeyService', () => {
    await service.onModuleDestroy();
  });
-  describe('initialization', () => {
+  describe("initialization", () => {
-    it('should be defined', () => {
+    it("should be defined", () => {
      expect(service).toBeDefined();
    });
-    it('should connect to Valkey on module init', async () => {
+    it("should connect to Valkey on module init", async () => {
      expect(service).toBeDefined();
      const healthCheck = await service.healthCheck();
      expect(healthCheck).toBe(true);
    });
  });
-  describe('enqueue', () => {
+  describe("enqueue", () => {
-    it('should enqueue a task successfully', async () => {
+    it("should enqueue a task successfully", async () => {
      const taskDto = {
-        type: 'test-task',
+        type: "test-task",
-        data: { message: 'Hello World' },
+        data: { message: "Hello World" },
      };
      const result = await service.enqueue(taskDto);
      expect(result).toBeDefined();
      expect(result.id).toBeDefined();
-      expect(result.type).toBe('test-task');
+      expect(result.type).toBe("test-task");
-      expect(result.data).toEqual({ message: 'Hello World' });
+      expect(result.data).toEqual({ message: "Hello World" });
      expect(result.status).toBe(TaskStatus.PENDING);
      expect(result.createdAt).toBeDefined();
      expect(result.updatedAt).toBeDefined();
    });
-    it('should increment queue length when enqueueing', async () => {
+    it("should increment queue length when enqueueing", async () => {
      const initialLength = await service.getQueueLength();
      await service.enqueue({
-        type: 'task-1',
+        type: "task-1",
        data: {},
      });
@@ -147,20 +147,20 @@ describe('ValkeyService', () => {
    });
  });
-  describe('dequeue', () => {
+  describe("dequeue", () => {
-    it('should return null when queue is empty', async () => {
+    it("should return null when queue is empty", async () => {
      const result = await service.dequeue();
      expect(result).toBeNull();
    });
-    it('should dequeue tasks in FIFO order', async () => {
+    it("should dequeue tasks in FIFO order", async () => {
      const task1 = await service.enqueue({
-        type: 'task-1',
+        type: "task-1",
        data: { order: 1 },
      });
      const task2 = await service.enqueue({
-        type: 'task-2',
+        type: "task-2",
        data: { order: 2 },
      });
@@ -173,9 +173,9 @@ describe('ValkeyService', () => {
      expect(dequeued2?.status).toBe(TaskStatus.PROCESSING);
    });
-    it('should update task status to PROCESSING when dequeued', async () => {
+    it("should update task status to PROCESSING when dequeued", async () => {
      const task = await service.enqueue({
-        type: 'test-task',
+        type: "test-task",
        data: {},
      });
@@ -187,73 +187,73 @@ describe('ValkeyService', () => {
    });
  });
-  describe('getStatus', () => {
+  describe("getStatus", () => {
-    it('should return null for non-existent task', async () => {
+    it("should return null for non-existent task", async () => {
-      const status = await service.getStatus('non-existent-id');
+      const status = await service.getStatus("non-existent-id");
      expect(status).toBeNull();
    });
-    it('should return task status for existing task', async () => {
+    it("should return task status for existing task", async () => {
      const task = await service.enqueue({
-        type: 'test-task',
+        type: "test-task",
-        data: { key: 'value' },
+        data: { key: "value" },
      });
      const status = await service.getStatus(task.id);
      expect(status).toBeDefined();
      expect(status?.id).toBe(task.id);
-      expect(status?.type).toBe('test-task');
+      expect(status?.type).toBe("test-task");
-      expect(status?.data).toEqual({ key: 'value' });
+      expect(status?.data).toEqual({ key: "value" });
    });
  });
-  describe('updateStatus', () => {
+  describe("updateStatus", () => {
-    it('should update task status to COMPLETED', async () => {
+    it("should update task status to COMPLETED", async () => {
      const task = await service.enqueue({
-        type: 'test-task',
+        type: "test-task",
        data: {},
      });
      const updated = await service.updateStatus(task.id, {
        status: TaskStatus.COMPLETED,
-        result: { output: 'success' },
+        result: { output: "success" },
      });
      expect(updated).toBeDefined();
      expect(updated?.status).toBe(TaskStatus.COMPLETED);
      expect(updated?.completedAt).toBeDefined();
-      expect(updated?.data).toEqual({ output: 'success' });
+      expect(updated?.data).toEqual({ output: "success" });
    });
-    it('should update task status to FAILED with error', async () => {
+    it("should update task status to FAILED with error", async () => {
      const task = await service.enqueue({
-        type: 'test-task',
+        type: "test-task",
        data: {},
      });
      const updated = await service.updateStatus(task.id, {
        status: TaskStatus.FAILED,
-        error: 'Task failed due to error',
+        error: "Task failed due to error",
      });
      expect(updated).toBeDefined();
      expect(updated?.status).toBe(TaskStatus.FAILED);
-      expect(updated?.error).toBe('Task failed due to error');
+      expect(updated?.error).toBe("Task failed due to error");
      expect(updated?.completedAt).toBeDefined();
    });
-    it('should return null when updating non-existent task', async () => {
+    it("should return null when updating non-existent task", async () => {
-      const updated = await service.updateStatus('non-existent-id', {
+      const updated = await service.updateStatus("non-existent-id", {
        status: TaskStatus.COMPLETED,
      });
      expect(updated).toBeNull();
    });
-    it('should preserve existing data when updating status', async () => {
+    it("should preserve existing data when updating status", async () => {
      const task = await service.enqueue({
-        type: 'test-task',
+        type: "test-task",
-        data: { original: 'data' },
+        data: { original: "data" },
      });
      await service.updateStatus(task.id, {
@@ -261,28 +261,28 @@ describe('ValkeyService', () => {
      });
      const status = await service.getStatus(task.id);
-      expect(status?.data).toEqual({ original: 'data' });
+      expect(status?.data).toEqual({ original: "data" });
    });
  });
-  describe('getQueueLength', () => {
+  describe("getQueueLength", () => {
-    it('should return 0 for empty queue', async () => {
+    it("should return 0 for empty queue", async () => {
      const length = await service.getQueueLength();
      expect(length).toBe(0);
    });
-    it('should return correct queue length', async () => {
+    it("should return correct queue length", async () => {
-      await service.enqueue({ type: 'task-1', data: {} });
+      await service.enqueue({ type: "task-1", data: {} });
-      await service.enqueue({ type: 'task-2', data: {} });
+      await service.enqueue({ type: "task-2", data: {} });
-      await service.enqueue({ type: 'task-3', data: {} });
+      await service.enqueue({ type: "task-3", data: {} });
      const length = await service.getQueueLength();
      expect(length).toBe(3);
    });
-    it('should decrease when tasks are dequeued', async () => {
+    it("should decrease when tasks are dequeued", async () => {
-      await service.enqueue({ type: 'task-1', data: {} });
+      await service.enqueue({ type: "task-1", data: {} });
-      await service.enqueue({ type: 'task-2', data: {} });
+      await service.enqueue({ type: "task-2", data: {} });
      expect(await service.getQueueLength()).toBe(2);
@@ -294,10 +294,10 @@ describe('ValkeyService', () => {
    });
  });
-  describe('clearQueue', () => {
+  describe("clearQueue", () => {
-    it('should clear all tasks from queue', async () => {
+    it("should clear all tasks from queue", async () => {
-      await service.enqueue({ type: 'task-1', data: {} });
+      await service.enqueue({ type: "task-1", data: {} });
-      await service.enqueue({ type: 'task-2', data: {} });
+      await service.enqueue({ type: "task-2", data: {} });
      expect(await service.getQueueLength()).toBe(2);
@@ -306,21 +306,21 @@ describe('ValkeyService', () => {
    });
  });
-  describe('healthCheck', () => {
+  describe("healthCheck", () => {
-    it('should return true when Valkey is healthy', async () => {
+    it("should return true when Valkey is healthy", async () => {
      const healthy = await service.healthCheck();
      expect(healthy).toBe(true);
    });
  });
-  describe('integration flow', () => {
+  describe("integration flow", () => {
-    it('should handle complete task lifecycle', async () => {
+    it("should handle complete task lifecycle", async () => {
      // 1. Enqueue task
      const task = await service.enqueue({
-        type: 'email-notification',
+        type: "email-notification",
        data: {
-          to: 'user@example.com',
+          to: "user@example.com",
-          subject: 'Test Email',
+          subject: "Test Email",
        },
      });
@@ -335,8 +335,8 @@ describe('ValkeyService', () => {
      const completedTask = await service.updateStatus(task.id, {
        status: TaskStatus.COMPLETED,
        result: {
-          to: 'user@example.com',
+          to: "user@example.com",
-          subject: 'Test Email',
+          subject: "Test Email",
          sentAt: new Date().toISOString(),
        },
      });
@@ -350,11 +350,11 @@ describe('ValkeyService', () => {
      expect(finalStatus?.data.sentAt).toBeDefined();
    });
-    it('should handle multiple concurrent tasks', async () => {
+    it("should handle multiple concurrent tasks", async () => {
      const tasks = await Promise.all([
-        service.enqueue({ type: 'task-1', data: { id: 1 } }),
+        service.enqueue({ type: "task-1", data: { id: 1 } }),
-        service.enqueue({ type: 'task-2', data: { id: 2 } }),
+        service.enqueue({ type: "task-2", data: { id: 2 } }),
-        service.enqueue({ type: 'task-3', data: { id: 3 } }),
+        service.enqueue({ type: "task-3", data: { id: 3 } }),
      ]);
      expect(await service.getQueueLength()).toBe(3);
--- a/apps/api/src/websocket/websocket.gateway.spec.ts
+++ b/apps/api/src/websocket/websocket.gateway.spec.ts
@@ -1,9 +1,9 @@
-import { Test, TestingModule } from '@nestjs/testing';
+import { Test, TestingModule } from "@nestjs/testing";
-import { WebSocketGateway } from './websocket.gateway';
+import { WebSocketGateway } from "./websocket.gateway";
-import { AuthService } from '../auth/auth.service';
+import { AuthService } from "../auth/auth.service";
-import { PrismaService } from '../prisma/prisma.service';
+import { PrismaService } from "../prisma/prisma.service";
-import { Server, Socket } from 'socket.io';
+import { Server, Socket } from "socket.io";
-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 interface AuthenticatedSocket extends Socket {
  data: {
@@ -12,7 +12,7 @@ interface AuthenticatedSocket extends Socket {
  };
 }
-describe('WebSocketGateway', () => {
+describe("WebSocketGateway", () => {
  let gateway: WebSocketGateway;
  let authService: AuthService;
  let prismaService: PrismaService;
@@ -53,7 +53,7 @@ describe('WebSocketGateway', () => {
    // Mock authenticated client
    mockClient = {
-      id: 'test-socket-id',
+      id: "test-socket-id",
      join: vi.fn(),
      leave: vi.fn(),
      emit: vi.fn(),
@@ -61,7 +61,7 @@ describe('WebSocketGateway', () => {
      data: {},
      handshake: {
        auth: {
-          token: 'valid-token',
+          token: "valid-token",
        },
      },
    } as unknown as AuthenticatedSocket;
@@ -76,36 +76,36 @@ describe('WebSocketGateway', () => {
    }
  });
-  describe('Authentication', () => {
+  describe("Authentication", () => {
-    it('should validate token and populate socket.data on successful authentication', async () => {
+    it("should validate token and populate socket.data on successful authentication", async () => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue({
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue({
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
-        role: 'MEMBER',
+        role: "MEMBER",
      } as never);
      await gateway.handleConnection(mockClient);
-      expect(authService.verifySession).toHaveBeenCalledWith('valid-token');
+      expect(authService.verifySession).toHaveBeenCalledWith("valid-token");
-      expect(mockClient.data.userId).toBe('user-123');
+      expect(mockClient.data.userId).toBe("user-123");
-      expect(mockClient.data.workspaceId).toBe('workspace-456');
+      expect(mockClient.data.workspaceId).toBe("workspace-456");
    });
-    it('should disconnect client with invalid token', async () => {
+    it("should disconnect client with invalid token", async () => {
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(null);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(null);
      await gateway.handleConnection(mockClient);
      expect(mockClient.disconnect).toHaveBeenCalled();
    });
-    it('should disconnect client without token', async () => {
+    it("should disconnect client without token", async () => {
      const clientNoToken = {
        ...mockClient,
        handshake: { auth: {} },
@@ -116,23 +116,23 @@ describe('WebSocketGateway', () => {
      expect(clientNoToken.disconnect).toHaveBeenCalled();
    });
-    it('should disconnect client if token verification throws error', async () => {
+    it("should disconnect client if token verification throws error", async () => {
-      vi.spyOn(authService, 'verifySession').mockRejectedValue(new Error('Invalid token'));
+      vi.spyOn(authService, "verifySession").mockRejectedValue(new Error("Invalid token"));
      await gateway.handleConnection(mockClient);
      expect(mockClient.disconnect).toHaveBeenCalled();
    });
-    it('should have connection timeout mechanism in place', () => {
+    it("should have connection timeout mechanism in place", () => {
      // This test verifies that the gateway has a CONNECTION_TIMEOUT_MS constant
      // The actual timeout is tested indirectly through authentication failure tests
      expect((gateway as { CONNECTION_TIMEOUT_MS: number }).CONNECTION_TIMEOUT_MS).toBe(5000);
    });
  });
-  describe('Rate Limiting', () => {
+  describe("Rate Limiting", () => {
-    it('should reject connections exceeding rate limit', async () => {
+    it("should reject connections exceeding rate limit", async () => {
      // Mock rate limiter to return false (limit exceeded)
      const rateLimitedClient = { ...mockClient } as AuthenticatedSocket;
@@ -146,109 +146,109 @@ describe('WebSocketGateway', () => {
      // expect(rateLimitedClient.disconnect).toHaveBeenCalled();
    });
-    it('should allow connections within rate limit', async () => {
+    it("should allow connections within rate limit", async () => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue({
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue({
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
-        role: 'MEMBER',
+        role: "MEMBER",
      } as never);
      await gateway.handleConnection(mockClient);
      expect(mockClient.disconnect).not.toHaveBeenCalled();
-      expect(mockClient.data.userId).toBe('user-123');
+      expect(mockClient.data.userId).toBe("user-123");
    });
  });
-  describe('Workspace Access Validation', () => {
+  describe("Workspace Access Validation", () => {
-    it('should verify user has access to workspace', async () => {
+    it("should verify user has access to workspace", async () => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue({
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue({
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
-        role: 'MEMBER',
+        role: "MEMBER",
      } as never);
      await gateway.handleConnection(mockClient);
      expect(prismaService.workspaceMember.findFirst).toHaveBeenCalledWith({
-        where: { userId: 'user-123' },
+        where: { userId: "user-123" },
        select: { workspaceId: true, userId: true, role: true },
      });
    });
-    it('should disconnect client without workspace access', async () => {
+    it("should disconnect client without workspace access", async () => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue(null);
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue(null);
      await gateway.handleConnection(mockClient);
      expect(mockClient.disconnect).toHaveBeenCalled();
    });
-    it('should only allow joining workspace rooms user has access to', async () => {
+    it("should only allow joining workspace rooms user has access to", async () => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue({
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue({
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
-        role: 'MEMBER',
+        role: "MEMBER",
      } as never);
      await gateway.handleConnection(mockClient);
      // Should join the workspace room they have access to
-      expect(mockClient.join).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockClient.join).toHaveBeenCalledWith("workspace:workspace-456");
    });
  });
-  describe('handleConnection', () => {
+  describe("handleConnection", () => {
    beforeEach(() => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue({
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue({
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
-        role: 'MEMBER',
+        role: "MEMBER",
      } as never);
      mockClient.data = {
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
    });
-    it('should join client to workspace room on connection', async () => {
+    it("should join client to workspace room on connection", async () => {
      await gateway.handleConnection(mockClient);
-      expect(mockClient.join).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockClient.join).toHaveBeenCalledWith("workspace:workspace-456");
    });
-    it('should reject connection without authentication', async () => {
+    it("should reject connection without authentication", async () => {
      const unauthClient = {
        ...mockClient,
        data: {},
@@ -261,23 +261,23 @@ describe('WebSocketGateway', () => {
    });
  });
-  describe('handleDisconnect', () => {
+  describe("handleDisconnect", () => {
-    it('should leave workspace room on disconnect', () => {
+    it("should leave workspace room on disconnect", () => {
      // Populate data as if client was authenticated
      const authenticatedClient = {
        ...mockClient,
        data: {
-          userId: 'user-123',
+          userId: "user-123",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
        },
      } as unknown as AuthenticatedSocket;
      gateway.handleDisconnect(authenticatedClient);
-      expect(authenticatedClient.leave).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(authenticatedClient.leave).toHaveBeenCalledWith("workspace:workspace-456");
    });
-    it('should not throw error when disconnecting unauthenticated client', () => {
+    it("should not throw error when disconnecting unauthenticated client", () => {
      const unauthenticatedClient = {
        ...mockClient,
        data: {},
@@ -287,279 +287,279 @@ describe('WebSocketGateway', () => {
    });
  });
-  describe('emitTaskCreated', () => {
+  describe("emitTaskCreated", () => {
-    it('should emit task:created event to workspace room', () => {
+    it("should emit task:created event to workspace room", () => {
      const task = {
-        id: 'task-1',
+        id: "task-1",
-        title: 'Test Task',
+        title: "Test Task",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
-      gateway.emitTaskCreated('workspace-456', task);
+      gateway.emitTaskCreated("workspace-456", task);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('task:created', task);
+      expect(mockServer.emit).toHaveBeenCalledWith("task:created", task);
    });
  });
-  describe('emitTaskUpdated', () => {
+  describe("emitTaskUpdated", () => {
-    it('should emit task:updated event to workspace room', () => {
+    it("should emit task:updated event to workspace room", () => {
      const task = {
-        id: 'task-1',
+        id: "task-1",
-        title: 'Updated Task',
+        title: "Updated Task",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
-      gateway.emitTaskUpdated('workspace-456', task);
+      gateway.emitTaskUpdated("workspace-456", task);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('task:updated', task);
+      expect(mockServer.emit).toHaveBeenCalledWith("task:updated", task);
    });
  });
-  describe('emitTaskDeleted', () => {
+  describe("emitTaskDeleted", () => {
-    it('should emit task:deleted event to workspace room', () => {
+    it("should emit task:deleted event to workspace room", () => {
-      const taskId = 'task-1';
+      const taskId = "task-1";
-      gateway.emitTaskDeleted('workspace-456', taskId);
+      gateway.emitTaskDeleted("workspace-456", taskId);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('task:deleted', { id: taskId });
+      expect(mockServer.emit).toHaveBeenCalledWith("task:deleted", { id: taskId });
    });
  });
-  describe('emitEventCreated', () => {
+  describe("emitEventCreated", () => {
-    it('should emit event:created event to workspace room', () => {
+    it("should emit event:created event to workspace room", () => {
      const event = {
-        id: 'event-1',
+        id: "event-1",
-        title: 'Test Event',
+        title: "Test Event",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
-      gateway.emitEventCreated('workspace-456', event);
+      gateway.emitEventCreated("workspace-456", event);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('event:created', event);
+      expect(mockServer.emit).toHaveBeenCalledWith("event:created", event);
    });
  });
-  describe('emitEventUpdated', () => {
+  describe("emitEventUpdated", () => {
-    it('should emit event:updated event to workspace room', () => {
+    it("should emit event:updated event to workspace room", () => {
      const event = {
-        id: 'event-1',
+        id: "event-1",
-        title: 'Updated Event',
+        title: "Updated Event",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
-      gateway.emitEventUpdated('workspace-456', event);
+      gateway.emitEventUpdated("workspace-456", event);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('event:updated', event);
+      expect(mockServer.emit).toHaveBeenCalledWith("event:updated", event);
    });
  });
-  describe('emitEventDeleted', () => {
+  describe("emitEventDeleted", () => {
-    it('should emit event:deleted event to workspace room', () => {
+    it("should emit event:deleted event to workspace room", () => {
-      const eventId = 'event-1';
+      const eventId = "event-1";
-      gateway.emitEventDeleted('workspace-456', eventId);
+      gateway.emitEventDeleted("workspace-456", eventId);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('event:deleted', { id: eventId });
+      expect(mockServer.emit).toHaveBeenCalledWith("event:deleted", { id: eventId });
    });
  });
-  describe('emitProjectUpdated', () => {
+  describe("emitProjectUpdated", () => {
-    it('should emit project:updated event to workspace room', () => {
+    it("should emit project:updated event to workspace room", () => {
      const project = {
-        id: 'project-1',
+        id: "project-1",
-        name: 'Updated Project',
+        name: "Updated Project",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
-      gateway.emitProjectUpdated('workspace-456', project);
+      gateway.emitProjectUpdated("workspace-456", project);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('project:updated', project);
+      expect(mockServer.emit).toHaveBeenCalledWith("project:updated", project);
    });
  });
-  describe('Job Events', () => {
+  describe("Job Events", () => {
-    describe('emitJobCreated', () => {
+    describe("emitJobCreated", () => {
-      it('should emit job:created event to workspace jobs room', () => {
+      it("should emit job:created event to workspace jobs room", () => {
        const job = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          type: 'code-task',
+          type: "code-task",
-          status: 'PENDING',
+          status: "PENDING",
        };
-        gateway.emitJobCreated('workspace-456', job);
+        gateway.emitJobCreated("workspace-456", job);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('job:created', job);
+        expect(mockServer.emit).toHaveBeenCalledWith("job:created", job);
      });
-      it('should emit job:created event to specific job room', () => {
+      it("should emit job:created event to specific job room", () => {
        const job = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          type: 'code-task',
+          type: "code-task",
-          status: 'PENDING',
+          status: "PENDING",
        };
-        gateway.emitJobCreated('workspace-456', job);
+        gateway.emitJobCreated("workspace-456", job);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
-    describe('emitJobStatusChanged', () => {
+    describe("emitJobStatusChanged", () => {
-      it('should emit job:status event to workspace jobs room', () => {
+      it("should emit job:status event to workspace jobs room", () => {
        const data = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          status: 'RUNNING',
+          status: "RUNNING",
-          previousStatus: 'PENDING',
+          previousStatus: "PENDING",
        };
-        gateway.emitJobStatusChanged('workspace-456', 'job-1', data);
+        gateway.emitJobStatusChanged("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('job:status', data);
+        expect(mockServer.emit).toHaveBeenCalledWith("job:status", data);
      });
-      it('should emit job:status event to specific job room', () => {
+      it("should emit job:status event to specific job room", () => {
        const data = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          status: 'RUNNING',
+          status: "RUNNING",
-          previousStatus: 'PENDING',
+          previousStatus: "PENDING",
        };
-        gateway.emitJobStatusChanged('workspace-456', 'job-1', data);
+        gateway.emitJobStatusChanged("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
-    describe('emitJobProgress', () => {
+    describe("emitJobProgress", () => {
-      it('should emit job:progress event to workspace jobs room', () => {
+      it("should emit job:progress event to workspace jobs room", () => {
        const data = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
          progressPercent: 45,
-          message: 'Processing step 2 of 4',
+          message: "Processing step 2 of 4",
        };
-        gateway.emitJobProgress('workspace-456', 'job-1', data);
+        gateway.emitJobProgress("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('job:progress', data);
+        expect(mockServer.emit).toHaveBeenCalledWith("job:progress", data);
      });
-      it('should emit job:progress event to specific job room', () => {
+      it("should emit job:progress event to specific job room", () => {
        const data = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
          progressPercent: 45,
-          message: 'Processing step 2 of 4',
+          message: "Processing step 2 of 4",
        };
-        gateway.emitJobProgress('workspace-456', 'job-1', data);
+        gateway.emitJobProgress("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
-    describe('emitStepStarted', () => {
+    describe("emitStepStarted", () => {
-      it('should emit step:started event to workspace jobs room', () => {
+      it("should emit step:started event to workspace jobs room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          name: 'Build',
+          name: "Build",
        };
-        gateway.emitStepStarted('workspace-456', 'job-1', data);
+        gateway.emitStepStarted("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('step:started', data);
+        expect(mockServer.emit).toHaveBeenCalledWith("step:started", data);
      });
-      it('should emit step:started event to specific job room', () => {
+      it("should emit step:started event to specific job room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          name: 'Build',
+          name: "Build",
        };
-        gateway.emitStepStarted('workspace-456', 'job-1', data);
+        gateway.emitStepStarted("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
-    describe('emitStepCompleted', () => {
+    describe("emitStepCompleted", () => {
-      it('should emit step:completed event to workspace jobs room', () => {
+      it("should emit step:completed event to workspace jobs room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          name: 'Build',
+          name: "Build",
          success: true,
        };
-        gateway.emitStepCompleted('workspace-456', 'job-1', data);
+        gateway.emitStepCompleted("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('step:completed', data);
+        expect(mockServer.emit).toHaveBeenCalledWith("step:completed", data);
      });
-      it('should emit step:completed event to specific job room', () => {
+      it("should emit step:completed event to specific job room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          name: 'Build',
+          name: "Build",
          success: true,
        };
-        gateway.emitStepCompleted('workspace-456', 'job-1', data);
+        gateway.emitStepCompleted("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
-    describe('emitStepOutput', () => {
+    describe("emitStepOutput", () => {
-      it('should emit step:output event to workspace jobs room', () => {
+      it("should emit step:output event to workspace jobs room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          output: 'Build completed successfully',
+          output: "Build completed successfully",
          timestamp: new Date().toISOString(),
        };
-        gateway.emitStepOutput('workspace-456', 'job-1', data);
+        gateway.emitStepOutput("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('step:output', data);
+        expect(mockServer.emit).toHaveBeenCalledWith("step:output", data);
      });
-      it('should emit step:output event to specific job room', () => {
+      it("should emit step:output event to specific job room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          output: 'Build completed successfully',
+          output: "Build completed successfully",
          timestamp: new Date().toISOString(),
        };
-        gateway.emitStepOutput('workspace-456', 'job-1', data);
+        gateway.emitStepOutput("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
  });
--- a/apps/orchestrator/src/api/agents/agents.controller.ts
+++ b/apps/orchestrator/src/api/agents/agents.controller.ts
@@ -1,9 +1,11 @@
 import {
  Controller,
  Post,
  Get,
  Body,
  Param,
  BadRequestException,
  NotFoundException,
  Logger,
  UsePipes,
  ValidationPipe,
@@ -11,6 +13,7 @@ import {
 } from "@nestjs/common";
 import { QueueService } from "../../queue/queue.service";
 import { AgentSpawnerService } from "../../spawner/agent-spawner.service";
 import { AgentLifecycleService } from "../../spawner/agent-lifecycle.service";
 import { KillswitchService } from "../../killswitch/killswitch.service";
 import { SpawnAgentDto, SpawnAgentResponseDto } from "./dto/spawn-agent.dto";
@@ -24,6 +27,7 @@ export class AgentsController {
  constructor(
    private readonly queueService: QueueService,
    private readonly spawnerService: AgentSpawnerService,
    private readonly lifecycleService: AgentLifecycleService,
    private readonly killswitchService: KillswitchService
  ) {}
@@ -66,6 +70,64 @@ export class AgentsController {
    }
  }
  /**
   * Get agent status
   * @param agentId Agent ID to query
   * @returns Agent status details
   */
  @Get(":agentId/status")
  async getAgentStatus(@Param("agentId") agentId: string): Promise<{
    agentId: string;
    taskId: string;
    status: string;
    spawnedAt: string;
    startedAt?: string;
    completedAt?: string;
    error?: string;
  }> {
    this.logger.log(`Received status request for agent: ${agentId}`);
    try {
      // Try to get from lifecycle service (Valkey)
      const lifecycleState = await this.lifecycleService.getAgentLifecycleState(agentId);
      if (lifecycleState) {
        return {
          agentId: lifecycleState.agentId,
          taskId: lifecycleState.taskId,
          status: lifecycleState.status,
          spawnedAt: lifecycleState.startedAt ?? new Date().toISOString(),
          startedAt: lifecycleState.startedAt,
          completedAt: lifecycleState.completedAt,
          error: lifecycleState.error,
        };
      }
      // Fallback to spawner service (in-memory)
      const session = this.spawnerService.getAgentSession(agentId);
      if (session) {
        return {
          agentId: session.agentId,
          taskId: session.taskId,
          status: session.state,
          spawnedAt: session.spawnedAt.toISOString(),
          completedAt: session.completedAt?.toISOString(),
          error: session.error,
        };
      }
      throw new NotFoundException(`Agent ${agentId} not found`);
    } catch (error: unknown) {
      if (error instanceof NotFoundException) {
        throw error;
      }
      const errorMessage = error instanceof Error ? error.message : String(error);
      this.logger.error(`Failed to get agent status: ${errorMessage}`);
      throw new Error(`Failed to get agent status: ${errorMessage}`);
    }
  }
  /**
   * Kill a single agent immediately
   * @param agentId Agent ID to kill
--- a/apps/orchestrator/src/api/agents/agents.module.ts
+++ b/apps/orchestrator/src/api/agents/agents.module.ts
@@ -3,9 +3,10 @@ import { AgentsController } from "./agents.controller";
 import { QueueModule } from "../../queue/queue.module";
 import { SpawnerModule } from "../../spawner/spawner.module";
 import { KillswitchModule } from "../../killswitch/killswitch.module";
 import { ValkeyModule } from "../../valkey/valkey.module";
@Module({
-  imports: [QueueModule, SpawnerModule, KillswitchModule],
+  imports: [QueueModule, SpawnerModule, KillswitchModule, ValkeyModule],
  controllers: [AgentsController],
 })
 export class AgentsModule {}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -358,6 +358,8 @@ services:
      dockerfile: ./apps/orchestrator/Dockerfile
    container_name: mosaic-orchestrator
    restart: unless-stopped
    # Run as non-root user (node:node, UID 1000)
    user: "1000:1000"
    environment:
      NODE_ENV: production
      # Orchestrator Configuration
@@ -377,7 +379,7 @@ services:
    ports:
      - "3002:3001"
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
      - orchestrator_workspace:/workspace
    depends_on:
      valkey:
@@ -392,9 +394,22 @@ services:
      start_period: 40s
    networks:
      - mosaic-internal
    # Security hardening
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    read_only: false  # Cannot be read-only due to workspace writes
    tmpfs:
      - /tmp:noexec,nosuid,size=100m
    labels:
      - "com.mosaic.service=orchestrator"
      - "com.mosaic.description=Mosaic Agent Orchestrator"
      - "com.mosaic.security=hardened"
      - "com.mosaic.security.non-root=true"
      - "com.mosaic.security.capabilities=minimal"
  # ======================
  # Mosaic Web
--- a/docs/1-getting-started/1-quick-start/1-overview.md
+++ b/docs/1-getting-started/1-quick-start/1-overview.md
@@ -42,11 +42,11 @@ docker compose logs -f api
 ## What's Running?
-| Service | Port | Purpose |
+| Service    | Port | Purpose                  |
-|---------|------|---------|
+| ---------- | ---- | ------------------------ |
-| API | 3001 | NestJS backend |
+| API        | 3001 | NestJS backend           |
-| PostgreSQL | 5432 | Database |
+| PostgreSQL | 5432 | Database                 |
-| Valkey | 6379 | Cache (Redis-compatible) |
+| Valkey     | 6379 | Cache (Redis-compatible) |
 ## Next Steps
@@ -57,6 +57,7 @@ docker compose logs -f api
 ## Troubleshooting
 **Port already in use:**
 ```bash
 # Stop existing services
 docker compose down
@@ -66,6 +67,7 @@ lsof -i :3001
 ```
 **Database connection failed:**
 ```bash
 # Check PostgreSQL is running
 docker compose ps postgres
--- a/docs/1-getting-started/2-installation/1-prerequisites.md
+++ b/docs/1-getting-started/2-installation/1-prerequisites.md
@@ -168,5 +168,6 @@ psql --version      # 17.x.x or higher (if using native PostgreSQL)
 ## Next Steps
 Proceed to:
 - [Local Setup](2-local-setup.md) for native development
 - [Docker Setup](3-docker-setup.md) for containerized deployment
--- a/docs/1-getting-started/2-installation/2-local-setup.md
+++ b/docs/1-getting-started/2-installation/2-local-setup.md
@@ -20,6 +20,7 @@ pnpm install
 ```
 This installs dependencies for:
 - Root workspace
 - `apps/api` (NestJS backend)
 - `apps/web` (Next.js frontend - when implemented)
@@ -123,6 +124,7 @@ curl http://localhost:3001/health
 ```
 **Expected response:**
 ```json
 {
  "status": "ok",
@@ -138,6 +140,7 @@ pnpm test
 ```
 **Expected output:**
 ```
 Test Files  5 passed (5)
     Tests  26 passed (26)
--- a/docs/1-getting-started/2-installation/3-docker-setup.md
+++ b/docs/1-getting-started/2-installation/3-docker-setup.md
@@ -81,17 +81,17 @@ docker compose up -d
 **Services available:**
-| Service | Container | Port | Profile | Purpose |
+| Service              | Container                 | Port       | Profile   | Purpose                |
-|---------|-----------|------|---------|---------|
+| -------------------- | ------------------------- | ---------- | --------- | ---------------------- |
-| PostgreSQL | mosaic-postgres | 5432 | core | Database with pgvector |
+| PostgreSQL           | mosaic-postgres           | 5432       | core      | Database with pgvector |
-| Valkey | mosaic-valkey | 6379 | core | Redis-compatible cache |
+| Valkey               | mosaic-valkey             | 6379       | core      | Redis-compatible cache |
-| API | mosaic-api | 3001 | core | NestJS backend |
+| API                  | mosaic-api                | 3001       | core      | NestJS backend         |
-| Web | mosaic-web | 3000 | core | Next.js frontend |
+| Web                  | mosaic-web                | 3000       | core      | Next.js frontend       |
-| Authentik Server | mosaic-authentik-server | 9000, 9443 | authentik | OIDC provider |
+| Authentik Server     | mosaic-authentik-server   | 9000, 9443 | authentik | OIDC provider          |
-| Authentik Worker | mosaic-authentik-worker | - | authentik | Background jobs |
+| Authentik Worker     | mosaic-authentik-worker   | -          | authentik | Background jobs        |
-| Authentik PostgreSQL | mosaic-authentik-postgres | - | authentik | Auth database |
+| Authentik PostgreSQL | mosaic-authentik-postgres | -          | authentik | Auth database          |
-| Authentik Redis | mosaic-authentik-redis | - | authentik | Auth cache |
+| Authentik Redis      | mosaic-authentik-redis    | -          | authentik | Auth cache             |
-| Ollama | mosaic-ollama | 11434 | ollama | LLM service |
+| Ollama               | mosaic-ollama             | 11434      | ollama    | LLM service            |
 ## Step 4: Run Database Migrations
@@ -236,7 +236,7 @@ services:
      replicas: 2
      resources:
        limits:
-          cpus: '1.0'
+          cpus: "1.0"
          memory: 1G
  web:
@@ -247,7 +247,7 @@ services:
      replicas: 2
      resources:
        limits:
-          cpus: '0.5'
+          cpus: "0.5"
          memory: 512M
 ```
--- a/docs/1-getting-started/3-configuration/1-environment.md
+++ b/docs/1-getting-started/3-configuration/1-environment.md
@@ -261,11 +261,13 @@ PRISMA_LOG_QUERIES=false
 Environment variables are validated at application startup. Missing required variables will cause the application to fail with a clear error message.
 **Required variables:**
 - `DATABASE_URL`
 - `JWT_SECRET`
 - `NEXT_PUBLIC_APP_URL`
 **Optional variables:**
 - All OIDC settings (if using Authentik)
 - All Ollama settings (if using AI features)
 - Logging and monitoring settings
--- a/docs/1-getting-started/3-configuration/2-authentik.md
+++ b/docs/1-getting-started/3-configuration/2-authentik.md
@@ -36,6 +36,7 @@ docker compose logs -f
 ```
 **Access Authentik:**
 - URL: http://localhost:9000/if/flow/initial-setup/
 - Create admin account during initial setup
@@ -53,17 +54,17 @@ Sign up at [goauthentik.io](https://goauthentik.io) for managed Authentik.
 4. **Configure Provider:**
-   | Field | Value |
+   | Field                          | Value                                           |
-   |-------|-------|
+   | ------------------------------ | ----------------------------------------------- |
-   | **Name** | Mosaic Stack |
+   | **Name**                       | Mosaic Stack                                    |
-   | **Authorization flow** | default-provider-authorization-implicit-consent |
+   | **Authorization flow**         | default-provider-authorization-implicit-consent |
-   | **Client type** | Confidential |
+   | **Client type**                | Confidential                                    |
-   | **Client ID** | (auto-generated, save this) |
+   | **Client ID**                  | (auto-generated, save this)                     |
-   | **Client Secret** | (auto-generated, save this) |
+   | **Client Secret**              | (auto-generated, save this)                     |
-   | **Redirect URIs** | `http://localhost:3001/auth/callback` |
+   | **Redirect URIs**              | `http://localhost:3001/auth/callback`           |
-   | **Scopes** | `openid`, `email`, `profile` |
+   | **Scopes**                     | `openid`, `email`, `profile`                    |
-   | **Subject mode** | Based on User's UUID |
+   | **Subject mode**               | Based on User's UUID                            |
-   | **Include claims in id_token** | ✅ Enabled |
+   | **Include claims in id_token** | ✅ Enabled                                      |
 5. **Click "Create"**
@@ -77,12 +78,12 @@ Sign up at [goauthentik.io](https://goauthentik.io) for managed Authentik.
 3. **Configure Application:**
-   | Field | Value |
+   | Field          | Value                                     |
-   |-------|-------|
+   | -------------- | ----------------------------------------- |
-   | **Name** | Mosaic Stack |
+   | **Name**       | Mosaic Stack                              |
-   | **Slug** | mosaic-stack |
+   | **Slug**       | mosaic-stack                              |
-   | **Provider** | Select "Mosaic Stack" (created in Step 2) |
+   | **Provider**   | Select "Mosaic Stack" (created in Step 2) |
-   | **Launch URL** | `http://localhost:3000` |
+   | **Launch URL** | `http://localhost:3000`                   |
 4. **Click "Create"**
@@ -99,6 +100,7 @@ OIDC_REDIRECT_URI=http://localhost:3001/auth/callback
 ```
 **Important Notes:**
 - `OIDC_ISSUER` must end with a trailing slash `/`
 - Replace `<your-client-id>` and `<your-client-secret>` with actual values from Step 2
 - `OIDC_REDIRECT_URI` must exactly match what you configured in Authentik
@@ -218,6 +220,7 @@ Customize Authentik's login page:
 **Cause:** Redirect URI in `.env` doesn't match Authentik configuration
 **Fix:**
 ```bash
 # Ensure exact match (including http vs https)
 # In Authentik: http://localhost:3001/auth/callback
@@ -229,6 +232,7 @@ Customize Authentik's login page:
 **Cause:** Incorrect client ID or secret
 **Fix:**
 1. Double-check Client ID and Secret in Authentik provider
 2. Copy values exactly (no extra spaces)
 3. Update `.env` with correct values
@@ -239,6 +243,7 @@ Customize Authentik's login page:
 **Cause:** `OIDC_ISSUER` incorrect or Authentik not accessible
 **Fix:**
 ```bash
 # Ensure OIDC_ISSUER ends with /
 # Test discovery endpoint
@@ -252,6 +257,7 @@ curl http://localhost:9000/application/o/mosaic-stack/.well-known/openid-configu
 **Cause:** User doesn't have permission in Authentik
 **Fix:**
 1. In Authentik, go to **Directory** → **Users**
 2. Select user
 3. Click **Assigned to applications**
@@ -264,6 +270,7 @@ Or enable **Superuser privileges** for the user (development only).
 **Cause:** JWT expiration set too low
 **Fix:**
 ```bash
 # In .env, increase expiration
 JWT_EXPIRATION=7d  # 7 days instead of 24h
--- a/docs/1-getting-started/3-configuration/3-docker.md
+++ b/docs/1-getting-started/3-configuration/3-docker.md
@@ -93,6 +93,7 @@ OIDC_REDIRECT_URI=http://localhost:3001/auth/callback
 ```
 **Bootstrap Credentials:**
 - Username: `akadmin`
 - Password: Value of `AUTHENTIK_BOOTSTRAP_PASSWORD`
@@ -124,6 +125,7 @@ COMPOSE_PROFILES=full              # Enable all optional services
 ```
 Available profiles:
 - `authentik` - Authentik OIDC provider stack
 - `ollama` - Ollama LLM service
 - `full` - All optional services
@@ -257,7 +259,7 @@ services:
      replicas: 2
      resources:
        limits:
-          cpus: '1.0'
+          cpus: "1.0"
          memory: 1G
  web:
@@ -268,11 +270,12 @@ services:
      replicas: 2
      resources:
        limits:
-          cpus: '0.5'
+          cpus: "0.5"
          memory: 512M
 ```
 Deploy:
 ```bash
 docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
 ```
@@ -311,9 +314,9 @@ services:
    deploy:
      resources:
        limits:
-          cpus: '1.0'
+          cpus: "1.0"
        reservations:
-          cpus: '0.25'
+          cpus: "0.25"
 ```
 ## Health Checks
@@ -325,10 +328,10 @@ All services include health checks. Adjust timing if needed:
 services:
  postgres:
    healthcheck:
-      interval: 30s      # Check every 30s
+      interval: 30s # Check every 30s
-      timeout: 10s       # Timeout after 10s
+      timeout: 10s # Timeout after 10s
-      retries: 5         # Retry 5 times
+      retries: 5 # Retry 5 times
-      start_period: 60s  # Wait 60s before first check
+      start_period: 60s # Wait 60s before first check
 ```
 ## Logging Configuration
@@ -349,6 +352,7 @@ services:
 ### Centralized Logging
 For production, consider:
 - Loki + Grafana
 - ELK Stack (Elasticsearch, Logstash, Kibana)
 - Fluentd
@@ -371,11 +375,13 @@ services:
 ### Container Won't Start
 Check logs:
 ```bash
 docker compose logs <service>
 ```
 Common issues:
 - Port conflict: Change port in `.env`
 - Missing environment variable: Check `.env` file
 - Health check failing: Increase `start_period`
@@ -383,6 +389,7 @@ Common issues:
 ### Network Issues
 Test connectivity between containers:
 ```bash
 # From API container to PostgreSQL
 docker compose exec api sh
@@ -392,6 +399,7 @@ nc -zv postgres 5432
 ### Volume Permission Issues
 Fix permissions:
 ```bash
 # PostgreSQL volume
 docker compose exec postgres chown -R postgres:postgres /var/lib/postgresql/data
@@ -400,6 +408,7 @@ docker compose exec postgres chown -R postgres:postgres /var/lib/postgresql/data
 ### Out of Disk Space
 Clean up:
 ```bash
 # Remove unused containers, networks, images
 docker system prune -a
--- a/docs/1-getting-started/4-docker-deployment/README.md
+++ b/docs/1-getting-started/4-docker-deployment/README.md
@@ -36,6 +36,7 @@ docker compose logs -f
 ```
 That's it! Your Mosaic Stack is now running:
 - Web: http://localhost:3000
 - API: http://localhost:3001
 - PostgreSQL: localhost:5432
@@ -46,6 +47,7 @@ That's it! Your Mosaic Stack is now running:
 Mosaic Stack uses Docker Compose profiles to enable optional services:
 ### Core Services (Always Active)
 - `postgres` - PostgreSQL database
 - `valkey` - Valkey cache
 - `api` - Mosaic API
@@ -54,6 +56,7 @@ Mosaic Stack uses Docker Compose profiles to enable optional services:
 ### Optional Services (Profiles)
 #### Traefik (Reverse Proxy)
 ```bash
 # Start with bundled Traefik
 docker compose --profile traefik-bundled up -d
@@ -63,11 +66,13 @@ COMPOSE_PROFILES=traefik-bundled
 ```
 Services included:
 - `traefik` - Traefik reverse proxy with dashboard (http://localhost:8080)
 See [Traefik Integration Guide](traefik.md) for detailed configuration options including upstream mode.
 #### Authentik (OIDC Provider)
 ```bash
 # Start with Authentik
 docker compose --profile authentik up -d
@@ -77,12 +82,14 @@ COMPOSE_PROFILES=authentik
 ```
 Services included:
 - `authentik-postgres` - Authentik database
 - `authentik-redis` - Authentik cache
 - `authentik-server` - Authentik OIDC server (http://localhost:9000)
 - `authentik-worker` - Authentik background worker
 #### Ollama (AI Service)
 ```bash
 # Start with Ollama
 docker compose --profile ollama up -d
@@ -92,9 +99,11 @@ COMPOSE_PROFILES=ollama
 ```
 Services included:
 - `ollama` - Ollama LLM service (http://localhost:11434)
 #### All Services
 ```bash
 # Start everything
 docker compose --profile full up -d
@@ -122,6 +131,7 @@ docker compose --profile full up -d
 Use external services for production:
 1. Copy override template:
   ```bash
   cp docker-compose.override.yml.example docker-compose.override.yml
   ```
@@ -145,6 +155,7 @@ Docker automatically merges `docker-compose.yml` and `docker-compose.override.ym
 Mosaic Stack uses two Docker networks to organize service communication:
 #### mosaic-internal (Backend Services)
 - **Purpose**: Isolates database and cache services
 - **Services**:
  - PostgreSQL (main database)
@@ -159,6 +170,7 @@ Mosaic Stack uses two Docker networks to organize service communication:
  - No direct external access to database/cache ports (unless explicitly exposed)
 #### mosaic-public (Frontend Services)
 - **Purpose**: Services that need external network access
 - **Services**:
  - Mosaic API (needs to reach Authentik OIDC and external Ollama)
@@ -298,11 +310,13 @@ JWT_SECRET=change-this-to-a-random-secret
 ### Service Won't Start
 Check logs:
 ```bash
 docker compose logs <service-name>
 ```
 Common issues:
 - Port already in use: Change port in `.env`
 - Health check failing: Wait longer or check service logs
 - Missing environment variables: Check `.env` file
@@ -310,11 +324,13 @@ Common issues:
 ### Database Connection Issues
 1. Verify PostgreSQL is healthy:
   ```bash
   docker compose ps postgres
   ```
 2. Check database logs:
   ```bash
   docker compose logs postgres
   ```
@@ -327,6 +343,7 @@ Common issues:
 ### Performance Issues
 1. Adjust PostgreSQL settings in `.env`:
   ```bash
   POSTGRES_SHARED_BUFFERS=512MB
   POSTGRES_EFFECTIVE_CACHE_SIZE=2GB
@@ -334,6 +351,7 @@ Common issues:
   ```
 2. Adjust Valkey memory:
   ```bash
   VALKEY_MAXMEMORY=512mb
   ```
@@ -394,6 +412,7 @@ docker run --rm -v mosaic-postgres-data:/data -v $(pwd):/backup alpine tar czf /
 ### Monitoring
 Consider adding:
 - Prometheus for metrics
 - Grafana for dashboards
 - Loki for log aggregation
@@ -402,6 +421,7 @@ Consider adding:
 ### Scaling
 For production scaling:
 - Use external PostgreSQL (managed service)
 - Use external Redis/Valkey cluster
 - Load balance multiple API instances
--- a/docs/1-getting-started/4-docker-deployment/traefik.md
+++ b/docs/1-getting-started/4-docker-deployment/traefik.md
@@ -68,30 +68,30 @@ docker compose up -d
 ### Environment Variables
-| Variable | Default | Description |
+| Variable                    | Default             | Description                                    |
-|----------|---------|-------------|
+| --------------------------- | ------------------- | ---------------------------------------------- |
-| `TRAEFIK_MODE` | `none` | Traefik mode: `bundled`, `upstream`, or `none` |
+| `TRAEFIK_MODE`              | `none`              | Traefik mode: `bundled`, `upstream`, or `none` |
-| `TRAEFIK_ENABLE` | `false` | Enable Traefik labels on services |
+| `TRAEFIK_ENABLE`            | `false`             | Enable Traefik labels on services              |
-| `MOSAIC_API_DOMAIN` | `api.mosaic.local` | Domain for API service |
+| `MOSAIC_API_DOMAIN`         | `api.mosaic.local`  | Domain for API service                         |
-| `MOSAIC_WEB_DOMAIN` | `mosaic.local` | Domain for Web service |
+| `MOSAIC_WEB_DOMAIN`         | `mosaic.local`      | Domain for Web service                         |
-| `MOSAIC_AUTH_DOMAIN` | `auth.mosaic.local` | Domain for Authentik service |
+| `MOSAIC_AUTH_DOMAIN`        | `auth.mosaic.local` | Domain for Authentik service                   |
-| `TRAEFIK_NETWORK` | `traefik-public` | External Traefik network (upstream mode) |
+| `TRAEFIK_NETWORK`           | `traefik-public`    | External Traefik network (upstream mode)       |
-| `TRAEFIK_TLS_ENABLED` | `true` | Enable TLS/HTTPS |
+| `TRAEFIK_TLS_ENABLED`       | `true`              | Enable TLS/HTTPS                               |
-| `TRAEFIK_ACME_EMAIL` | - | Email for Let's Encrypt (production) |
+| `TRAEFIK_ACME_EMAIL`        | -                   | Email for Let's Encrypt (production)           |
-| `TRAEFIK_CERTRESOLVER` | - | Cert resolver name (e.g., `letsencrypt`) |
+| `TRAEFIK_CERTRESOLVER`      | -                   | Cert resolver name (e.g., `letsencrypt`)       |
-| `TRAEFIK_DASHBOARD_ENABLED` | `true` | Enable Traefik dashboard (bundled mode) |
+| `TRAEFIK_DASHBOARD_ENABLED` | `true`              | Enable Traefik dashboard (bundled mode)        |
-| `TRAEFIK_DASHBOARD_PORT` | `8080` | Dashboard port (bundled mode) |
+| `TRAEFIK_DASHBOARD_PORT`    | `8080`              | Dashboard port (bundled mode)                  |
-| `TRAEFIK_ENTRYPOINT` | `websecure` | Traefik entrypoint (`web` or `websecure`) |
+| `TRAEFIK_ENTRYPOINT`        | `websecure`         | Traefik entrypoint (`web` or `websecure`)      |
-| `TRAEFIK_DOCKER_NETWORK` | `mosaic-public` | Docker network for Traefik routing |
+| `TRAEFIK_DOCKER_NETWORK`    | `mosaic-public`     | Docker network for Traefik routing             |
 ### Docker Compose Profiles
-| Profile | Description |
+| Profile           | Description                       |
-|---------|-------------|
+| ----------------- | --------------------------------- |
 | `traefik-bundled` | Activates bundled Traefik service |
-| `authentik` | Enables Authentik SSO services |
+| `authentik`       | Enables Authentik SSO services    |
-| `ollama` | Enables Ollama AI service |
+| `ollama`          | Enables Ollama AI service         |
-| `full` | Enables all optional services |
+| `full`            | Enables all optional services     |
 ## Deployment Scenarios
@@ -131,6 +131,7 @@ MOSAIC_AUTH_DOMAIN=auth.example.com
 ```
 **Prerequisites:**
 1. DNS records pointing to your server
 2. Ports 80 and 443 accessible from internet
 3. Uncomment ACME configuration in `docker/traefik/traefik.yml`
@@ -216,6 +217,7 @@ services:
 ```
 Generate basic auth password:
 ```bash
 echo $(htpasswd -nb admin your-password) | sed -e s/\\$/\\$\\$/g
 ```
@@ -233,6 +235,7 @@ tls:
 ```
 Mount certificate directory:
 ```yaml
 # docker-compose.override.yml
 services:
@@ -248,7 +251,6 @@ Route multiple domains to different services:
 ```yaml
 # .env
 MOSAIC_WEB_DOMAIN=mosaic.local,app.mosaic.local,www.mosaic.local
 # Traefik will match all domains
 ```
@@ -271,11 +273,13 @@ services:
 ### Services Not Accessible via Domain
 **Check Traefik is running:**
 ```bash
 docker ps | grep traefik
 ```
 **Check Traefik dashboard:**
 ```bash
 # Bundled mode
 open http://localhost:8080
@@ -285,11 +289,13 @@ curl http://localhost:8080/api/http/routers | jq
 ```
 **Verify labels are applied:**
 ```bash
 docker inspect mosaic-api | jq '.Config.Labels'
 ```
 **Check DNS/hosts file:**
 ```bash
 # Local development
 cat /etc/hosts | grep mosaic
@@ -298,10 +304,12 @@ cat /etc/hosts | grep mosaic
 ### Certificate Errors
 **Self-signed certificates (development):**
 - Browser warnings are expected
 - Add exception in browser or import CA certificate
 **Let's Encrypt failures:**
 ```bash
 # Check Traefik logs
 docker logs mosaic-traefik
@@ -316,21 +324,25 @@ docker exec mosaic-traefik ls -la /letsencrypt/
 ### Upstream Mode Not Connecting
 **Verify external network exists:**
 ```bash
 docker network ls | grep traefik-public
 ```
 **Create network if missing:**
 ```bash
 docker network create traefik-public
 ```
 **Check service network attachment:**
 ```bash
 docker inspect mosaic-api | jq '.NetworkSettings.Networks'
 ```
 **Verify external Traefik can see services:**
 ```bash
 # From external Traefik container
 docker exec <external-traefik-container> traefik healthcheck
@@ -339,6 +351,7 @@ docker exec <external-traefik-container> traefik healthcheck
 ### Port Conflicts
 **Bundled mode port conflicts:**
 ```bash
 # Check what's using ports
 sudo lsof -i :80
@@ -354,17 +367,20 @@ TRAEFIK_DASHBOARD_PORT=8081
 ### Dashboard Not Accessible
 **Check dashboard is enabled:**
 ```bash
 # In .env
 TRAEFIK_DASHBOARD_ENABLED=true
 ```
 **Verify Traefik configuration:**
 ```bash
 docker exec mosaic-traefik cat /etc/traefik/traefik.yml | grep -A5 "api:"
 ```
 **Access dashboard:**
 ```bash
 # Default
 http://localhost:8080/dashboard/
@@ -389,11 +405,13 @@ http://localhost:${TRAEFIK_DASHBOARD_PORT}/dashboard/
 ### Securing the Dashboard
 **Option 1: Disable in production**
 ```bash
 TRAEFIK_DASHBOARD_ENABLED=false
 ```
 **Option 2: Add basic authentication**
 ```yaml
 # docker-compose.override.yml
 services:
@@ -409,6 +427,7 @@ services:
 ```
 **Option 3: IP whitelist**
 ```yaml
 # docker-compose.override.yml
 services:
--- a/docs/1-getting-started/README.md
+++ b/docs/1-getting-started/README.md
@@ -11,6 +11,7 @@ Complete guide to getting Mosaic Stack installed and configured.
 ## Prerequisites
 Before you begin, ensure you have:
 - Node.js 20+ and pnpm 9+
 - PostgreSQL 17+ (or Docker)
 - Basic familiarity with TypeScript and NestJS
@@ -18,6 +19,7 @@ Before you begin, ensure you have:
 ## Next Steps
 After completing this book, proceed to:
 - **Development** — Learn the development workflow
 - **Architecture** — Understand the system design
 - **API** — Explore the API documentation
--- a/docs/2-development/1-workflow/1-branching.md
+++ b/docs/2-development/1-workflow/1-branching.md
@@ -7,11 +7,13 @@ Git workflow and branching conventions for Mosaic Stack.
 ### Main Branches
 **`main`** — Production-ready code only
 - Never commit directly
 - Only merge from `develop` via release
 - Tagged with version numbers
 **`develop`** — Active development (default branch)
 - All features merge here first
 - Must always build and pass tests
 - Protected branch
@@ -19,6 +21,7 @@ Git workflow and branching conventions for Mosaic Stack.
 ### Supporting Branches
 **`feature/*`** — New features
 ```bash
 # From: develop
 # Merge to: develop
@@ -30,6 +33,7 @@ git checkout -b feature/6-frontend-auth
 ```
 **`fix/*`** — Bug fixes
 ```bash
 # From: develop (or main for hotfixes)
 # Merge to: develop (or both main and develop)
@@ -40,6 +44,7 @@ git checkout -b fix/12-session-timeout
 ```
 **`refactor/*`** — Code improvements
 ```bash
 # From: develop
 # Merge to: develop
@@ -49,6 +54,7 @@ git checkout -b refactor/auth-service-cleanup
 ```
 **`docs/*`** — Documentation updates
 ```bash
 # From: develop
 # Merge to: develop
--- a/docs/2-development/1-workflow/2-testing.md
+++ b/docs/2-development/1-workflow/2-testing.md
@@ -18,10 +18,11 @@ Test individual functions and methods in isolation.
 **Location:** `*.spec.ts` next to source file
 **Example:**
 ```typescript
 // apps/api/src/auth/auth.service.spec.ts
-describe('AuthService', () => {
+describe("AuthService", () => {
-  it('should create a session for valid user', async () => {
+  it("should create a session for valid user", async () => {
    const result = await authService.createSession(mockUser);
    expect(result.session.token).toBeDefined();
  });
@@ -35,12 +36,13 @@ Test interactions between components.
 **Location:** `*.integration.spec.ts` in module directory
 **Example:**
 ```typescript
 // apps/api/src/auth/auth.integration.spec.ts
-describe('Auth Integration', () => {
+describe("Auth Integration", () => {
-  it('should complete full login flow', async () => {
+  it("should complete full login flow", async () => {
    const login = await request(app.getHttpServer())
-      .post('/auth/sign-in')
+      .post("/auth/sign-in")
      .send({ email, password });
    expect(login.status).toBe(200);
  });
@@ -82,9 +84,9 @@ pnpm test:e2e
 ### Structure
 ```typescript
-import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
-describe('ComponentName', () => {
+describe("ComponentName", () => {
  beforeEach(() => {
    // Setup
  });
@@ -93,19 +95,19 @@ describe('ComponentName', () => {
    // Cleanup
  });
-  describe('methodName', () => {
+  describe("methodName", () => {
-    it('should handle normal case', () => {
+    it("should handle normal case", () => {
      // Arrange
-      const input = 'test';
+      const input = "test";
      // Act
      const result = component.method(input);
      // Assert
-      expect(result).toBe('expected');
+      expect(result).toBe("expected");
    });
-    it('should handle error case', () => {
+    it("should handle error case", () => {
      expect(() => component.method(null)).toThrow();
    });
  });
@@ -124,26 +126,26 @@ const mockPrismaService = {
 };
 // Mock module
-vi.mock('./some-module', () => ({
+vi.mock("./some-module", () => ({
-  someFunction: vi.fn(() => 'mocked'),
+  someFunction: vi.fn(() => "mocked"),
 }));
 ```
 ### Testing Async Code
 ```typescript
-it('should complete async operation', async () => {
+it("should complete async operation", async () => {
  const result = await asyncFunction();
  expect(result).toBeDefined();
 });
 // Or with resolves/rejects
-it('should resolve with data', async () => {
+it("should resolve with data", async () => {
-  await expect(asyncFunction()).resolves.toBe('data');
+  await expect(asyncFunction()).resolves.toBe("data");
 });
-it('should reject with error', async () => {
+it("should reject with error", async () => {
-  await expect(failingFunction()).rejects.toThrow('Error');
+  await expect(failingFunction()).rejects.toThrow("Error");
 });
 ```
@@ -168,6 +170,7 @@ open coverage/index.html
 ### Exemptions
 Some code types may have lower coverage requirements:
 - **DTOs/Interfaces:** No coverage required (type checking sufficient)
 - **Constants:** No coverage required
 - **Database migrations:** Manual verification acceptable
@@ -179,16 +182,18 @@ Always document exemptions in PR description.
 ### 1. Test Behavior, Not Implementation
 **❌ Bad:**
 ```typescript
-it('should call getUserById', () => {
+it("should call getUserById", () => {
  service.login(email, password);
  expect(mockService.getUserById).toHaveBeenCalled();
 });
 ```
 **✅ Good:**
 ```typescript
-it('should return session for valid credentials', async () => {
+it("should return session for valid credentials", async () => {
  const result = await service.login(email, password);
  expect(result.session.token).toBeDefined();
  expect(result.user.email).toBe(email);
@@ -198,12 +203,14 @@ it('should return session for valid credentials', async () => {
 ### 2. Use Descriptive Test Names
 **❌ Bad:**
 ```typescript
 it('works', () => { ... });
 it('test 1', () => { ... });
 ```
 **✅ Good:**
 ```typescript
 it('should return 401 for invalid credentials', () => { ... });
 it('should create session with 24h expiration', () => { ... });
@@ -212,7 +219,7 @@ it('should create session with 24h expiration', () => { ... });
 ### 3. Arrange-Act-Assert Pattern
 ```typescript
-it('should calculate total correctly', () => {
+it("should calculate total correctly", () => {
  // Arrange - Set up test data
  const items = [{ price: 10 }, { price: 20 }];
@@ -227,21 +234,21 @@ it('should calculate total correctly', () => {
 ### 4. Test Edge Cases
 ```typescript
-describe('validateEmail', () => {
+describe("validateEmail", () => {
-  it('should accept valid email', () => {
+  it("should accept valid email", () => {
-    expect(validateEmail('user@example.com')).toBe(true);
+    expect(validateEmail("user@example.com")).toBe(true);
  });
-  it('should reject empty string', () => {
+  it("should reject empty string", () => {
-    expect(validateEmail('')).toBe(false);
+    expect(validateEmail("")).toBe(false);
  });
-  it('should reject null', () => {
+  it("should reject null", () => {
    expect(validateEmail(null)).toBe(false);
  });
-  it('should reject invalid format', () => {
+  it("should reject invalid format", () => {
-    expect(validateEmail('notanemail')).toBe(false);
+    expect(validateEmail("notanemail")).toBe(false);
  });
 });
 ```
@@ -251,19 +258,19 @@ describe('validateEmail', () => {
 ```typescript
 // ❌ Bad - Tests depend on order
 let userId;
-it('should create user', () => {
+it("should create user", () => {
  userId = createUser();
 });
-it('should get user', () => {
+it("should get user", () => {
  getUser(userId); // Fails if previous test fails
 });
 // ✅ Good - Each test is independent
-it('should create user', () => {
+it("should create user", () => {
  const userId = createUser();
  expect(userId).toBeDefined();
 });
-it('should get user', () => {
+it("should get user", () => {
  const userId = createUser(); // Create fresh data
  const user = getUser(userId);
  expect(user).toBeDefined();
@@ -273,6 +280,7 @@ it('should get user', () => {
 ## CI/CD Integration
 Tests run automatically on:
 - Every push to feature branch
 - Every pull request
 - Before merge to `develop`
@@ -284,7 +292,7 @@ Tests run automatically on:
 ### Run Single Test
 ```typescript
-it.only('should test specific case', () => {
+it.only("should test specific case", () => {
  // Only this test runs
 });
 ```
@@ -292,7 +300,7 @@ it.only('should test specific case', () => {
 ### Skip Test
 ```typescript
-it.skip('should test something', () => {
+it.skip("should test something", () => {
  // This test is skipped
 });
 ```
@@ -306,6 +314,7 @@ pnpm test --reporter=verbose
 ### Debug in VS Code
 Add to `.vscode/launch.json`:
 ```json
 {
  "type": "node",
--- a/docs/2-development/3-type-sharing/1-strategy.md
+++ b/docs/2-development/3-type-sharing/1-strategy.md
@@ -5,6 +5,7 @@ This document explains how types are shared between the frontend and backend in
 ## Overview
 All types that are used by both frontend and backend live in the `@mosaic/shared` package. This ensures:
 - **Type safety** across the entire stack
 - **Single source of truth** for data structures
 - **Automatic type updates** when the API changes
@@ -32,7 +33,9 @@ packages/shared/
 These types are used by **both** frontend and backend:
 #### `AuthUser`
 The authenticated user object that's safe to expose to clients.
 ```typescript
 interface AuthUser {
  readonly id: string;
@@ -44,7 +47,9 @@ interface AuthUser {
 ```
 #### `AuthSession`
 Session data returned after successful authentication.
 ```typescript
 interface AuthSession {
  user: AuthUser;
@@ -57,15 +62,19 @@ interface AuthSession {
 ```
 #### `Session`, `Account`
 Full database entity types for sessions and OAuth accounts.
 #### `LoginRequest`, `LoginResponse`
 Request/response payloads for authentication endpoints.
 #### `OAuthProvider`
 Supported OAuth providers: `"authentik" | "google" | "github"`
 #### `OAuthCallbackParams`
 Query parameters from OAuth callback redirects.
 ### Backend-Only Types
@@ -73,6 +82,7 @@ Query parameters from OAuth callback redirects.
 Types that are only used by the backend stay in `apps/api/src/auth/types/`:
 #### `BetterAuthRequest`
 Internal type for BetterAuth handler compatibility (extends web standard `Request`).
 **Why backend-only?** This is an implementation detail of how NestJS integrates with BetterAuth. The frontend doesn't need to know about it.
@@ -154,12 +164,13 @@ The `@mosaic/shared` package also exports database entity types that match the P
 ### Key Difference: `User` vs `AuthUser`
-| Type | Purpose | Fields | Used By |
+| Type       | Purpose                    | Fields                                    | Used By                 |
-|------|---------|--------|---------|
+| ---------- | -------------------------- | ----------------------------------------- | ----------------------- |
-| `User` | Full database entity | All DB fields including sensitive data | Backend internal logic |
+| `User`     | Full database entity       | All DB fields including sensitive data    | Backend internal logic  |
 | `AuthUser` | Safe client-exposed subset | Only public fields (no preferences, etc.) | API responses, Frontend |
 **Example:**
 ```typescript
 // Backend internal logic
 import { User } from "@mosaic/shared";
@@ -202,11 +213,13 @@ When adding new types that should be shared:
   - General API types → `index.ts`
 3. **Export from `index.ts`:**
   ```typescript
   export * from "./your-new-types";
   ```
 4. **Build the shared package:**
   ```bash
   cd packages/shared
   pnpm build
@@ -230,6 +243,7 @@ This ensures the frontend and backend never drift out of sync.
 ## Benefits
 ### Type Safety
 ```typescript
 // If the backend changes AuthUser.name to AuthUser.displayName,
 // the frontend will get TypeScript errors everywhere AuthUser is used.
@@ -237,6 +251,7 @@ This ensures the frontend and backend never drift out of sync.
 ```
 ### Auto-Complete
 ```typescript
 // Frontend developers get full autocomplete for API types
 const user: AuthUser = await fetchUser();
@@ -244,12 +259,14 @@ user. // <-- IDE shows: id, email, name, image, emailVerified
 ```
 ### Refactoring
 ```typescript
 // Rename a field? TypeScript finds all usages across FE and BE
 // No need to grep or search manually
 ```
 ### Documentation
 ```typescript
 // The types ARE the documentation
 // Frontend developers see exactly what the API returns
@@ -258,6 +275,7 @@ user. // <-- IDE shows: id, email, name, image, emailVerified
 ## Current Shared Types
 ### Authentication (`auth.types.ts`)
 - `AuthUser` - Authenticated user info
 - `AuthSession` - Session data
 - `Session` - Full session entity
@@ -266,18 +284,21 @@ user. // <-- IDE shows: id, email, name, image, emailVerified
 - `OAuthProvider`, `OAuthCallbackParams`
 ### Database Entities (`database.types.ts`)
 - `User` - Full user entity
 - `Workspace`, `WorkspaceMember`
 - `Task`, `Event`, `Project`
 - `ActivityLog`, `MemoryEmbedding`
 ### Enums (`enums.ts`)
 - `TaskStatus`, `TaskPriority`
 - `ProjectStatus`
 - `WorkspaceMemberRole`
 - `ActivityAction`, `EntityType`
 ### API Utilities (`index.ts`)
 - `ApiResponse<T>` - Standard response wrapper
 - `PaginatedResponse<T>` - Paginated data
 - `HealthStatus` - Health check format
--- a/docs/3-architecture/3-design-principles/1-pda-friendly.md
+++ b/docs/3-architecture/3-design-principles/1-pda-friendly.md
@@ -7,6 +7,7 @@ Mosaic Stack is designed to be calm, supportive, and stress-free. These principl
 > "A personal assistant should reduce stress, not create it."
 We design for **pathological demand avoidance (PDA)** patterns, creating interfaces that:
 - Never pressure or demand
 - Provide gentle suggestions instead of commands
 - Use calm, neutral language
@@ -16,38 +17,42 @@ We design for **pathological demand avoidance (PDA)** patterns, creating interfa
 ### Never Use Demanding Language
-| ❌ NEVER | ✅ ALWAYS |
+| ❌ NEVER    | ✅ ALWAYS            |
-|----------|-----------|
+| ----------- | -------------------- |
-| OVERDUE | Target passed |
+| OVERDUE     | Target passed        |
-| URGENT | Approaching target |
+| URGENT      | Approaching target   |
-| MUST DO | Scheduled for |
+| MUST DO     | Scheduled for        |
-| CRITICAL | High priority |
+| CRITICAL    | High priority        |
 | YOU NEED TO | Consider / Option to |
-| REQUIRED | Recommended |
+| REQUIRED    | Recommended          |
-| DUE | Target date |
+| DUE         | Target date          |
-| DEADLINE | Scheduled completion |
+| DEADLINE    | Scheduled completion |
 ### Examples
 **❌ Bad:**
 ```
 URGENT: You have 3 overdue tasks!
 You MUST complete these today!
 ```
 **✅ Good:**
 ```
 3 tasks have passed their target dates
 Would you like to reschedule or review them?
 ```
 **❌ Bad:**
 ```
 CRITICAL ERROR: Database connection failed
 IMMEDIATE ACTION REQUIRED
 ```
 **✅ Good:**
 ```
 Unable to connect to database
 Check configuration or contact support
@@ -60,12 +65,14 @@ Check configuration or contact support
 Users should understand key information in 10 seconds or less.
 **Implementation:**
 - Most important info at top
 - Clear visual hierarchy
 - Minimal text per screen
 - Progressive disclosure (details on click)
 **Example Dashboard:**
 ```
 ┌─────────────────────────────────┐
 │ Today                           │
@@ -85,12 +92,14 @@ Users should understand key information in 10 seconds or less.
 Group related information with clear boundaries.
 **Use:**
 - Whitespace between sections
 - Subtle borders or backgrounds
 - Clear section headers
 - Consistent spacing
 **Don't:**
 - Jam everything together
 - Use wall-of-text layouts
 - Mix unrelated information
@@ -101,21 +110,25 @@ Group related information with clear boundaries.
 Each list item should fit on one line for scanning.
 **❌ Bad:**
 ```
 Task: Complete the quarterly report including all financial data, team metrics, and project summaries. This is due next Friday and requires review from management before submission.
 ```
 **✅ Good:**
 ```
 Complete quarterly report — Target: Friday
 ```
-*(Details available on click)*
+
 _(Details available on click)_
 ### 4. Calm Colors
 No aggressive colors for status indicators.
 **Status Colors:**
 - 🟢 **On track / Active** — Soft green (#10b981)
 - 🔵 **Upcoming / Scheduled** — Soft blue (#3b82f6)
 - ⏸️ **Paused / On hold** — Soft yellow (#f59e0b)
@@ -123,6 +136,7 @@ No aggressive colors for status indicators.
 - ⚪ **Not started** — Light gray (#d1d5db)
 **Never use:**
 - ❌ Aggressive red for "overdue"
 - ❌ Flashing or blinking elements
 - ❌ All-caps text for emphasis
@@ -132,6 +146,7 @@ No aggressive colors for status indicators.
 Show summary first, details on demand.
 **Example:**
 ```
 [Card View - Default]
 ─────────────────────────
@@ -161,6 +176,7 @@ Tasks (12):
 ### Date Display
 **Relative dates for recent items:**
 ```
 Just now
 5 minutes ago
@@ -171,6 +187,7 @@ Jan 15 at 9:00 AM
 ```
 **Never:**
 ```
 2026-01-28T14:30:00.000Z  ❌ (ISO format in UI)
 ```
@@ -182,9 +199,9 @@ Jan 15 at 9:00 AM
 const getTaskStatus = (task: Task) => {
  if (isPastTarget(task)) {
    return {
-      label: 'Target passed',
+      label: "Target passed",
-      icon: '⏸️',
+      icon: "⏸️",
-      color: 'yellow',
+      color: "yellow",
    };
  }
  // ...
@@ -194,12 +211,14 @@ const getTaskStatus = (task: Task) => {
 ### Notifications
 **❌ Aggressive:**
 ```
 ⚠️ ATTENTION: 5 OVERDUE TASKS
 You must complete these immediately!
 ```
 **✅ Calm:**
 ```
 💭 5 tasks have passed their targets
 Would you like to review or reschedule?
@@ -208,12 +227,14 @@ Would you like to review or reschedule?
 ### Empty States
 **❌ Negative:**
 ```
 No tasks found!
 You haven't created any tasks yet.
 ```
 **✅ Positive:**
 ```
 All caught up! 🎉
 Ready to add your first task?
@@ -244,9 +265,7 @@ Ready to add your first task?
  <ToastIcon>💭</ToastIcon>
  <ToastContent>
    <ToastTitle>Approaching target</ToastTitle>
-    <ToastMessage>
+    <ToastMessage>"Team sync" is scheduled in 30 minutes</ToastMessage>
      "Team sync" is scheduled in 30 minutes
    </ToastMessage>
  </ToastContent>
  <ToastAction>
    <Button>View</Button>
@@ -281,27 +300,32 @@ Every UI change must be reviewed for PDA-friendliness:
 ### Microcopy
 **Buttons:**
 - "View details" not "Click here"
 - "Reschedule" not "Change deadline"
 - "Complete" not "Mark as done"
 **Headers:**
 - "Approaching targets" not "Overdue items"
 - "High priority" not "Critical tasks"
 - "On hold" not "Blocked"
 **Instructions:**
 - "Consider adding a note" not "You must add a note"
 - "Optional: Set a reminder" not "Set a reminder"
 ### Error Messages
 **❌ Blaming:**
 ```
 Error: You entered an invalid email address
 ```
 **✅ Helpful:**
 ```
 Email format not recognized
 Try: user@example.com
@@ -332,10 +356,8 @@ See [WCAG 2.1 Level AA](https://www.w3.org/WAI/WCAG21/quickref/) for complete ac
 ```tsx
 // apps/web/components/TaskList.tsx
 <div className="space-y-2">
-  <h2 className="text-lg font-medium text-gray-900">
+  <h2 className="text-lg font-medium text-gray-900">Today</h2>
-    Today
+  {tasks.map((task) => (
  </h2>
  {tasks.map(task => (
    <TaskCard key={task.id}>
      <div className="flex items-center gap-2">
        <StatusBadge status={task.status} />
--- a/docs/3-architecture/README.md
+++ b/docs/3-architecture/README.md
@@ -18,6 +18,7 @@ Technical architecture and design principles for Mosaic Stack.
 ## Technology Decisions
 Key architectural choices and their rationale:
 - **BetterAuth** over Passport.js for modern authentication
 - **Prisma ORM** for type-safe database access
 - **Monorepo** with pnpm workspaces for code sharing
--- a/docs/4-api/1-conventions/1-endpoints.md
+++ b/docs/4-api/1-conventions/1-endpoints.md
@@ -65,18 +65,18 @@ DELETE /api/{resource}/:id       # Delete resource
 ## HTTP Status Codes
-| Code | Meaning | Usage |
+| Code | Meaning               | Usage                                 |
-|------|---------|-------|
+| ---- | --------------------- | ------------------------------------- |
-| 200 | OK | Successful GET, PATCH, PUT |
+| 200  | OK                    | Successful GET, PATCH, PUT            |
-| 201 | Created | Successful POST |
+| 201  | Created               | Successful POST                       |
-| 204 | No Content | Successful DELETE |
+| 204  | No Content            | Successful DELETE                     |
-| 400 | Bad Request | Invalid input |
+| 400  | Bad Request           | Invalid input                         |
-| 401 | Unauthorized | Missing/invalid auth token |
+| 401  | Unauthorized          | Missing/invalid auth token            |
-| 403 | Forbidden | Valid token, insufficient permissions |
+| 403  | Forbidden             | Valid token, insufficient permissions |
-| 404 | Not Found | Resource doesn't exist |
+| 404  | Not Found             | Resource doesn't exist                |
-| 409 | Conflict | Resource already exists |
+| 409  | Conflict              | Resource already exists               |
-| 422 | Unprocessable Entity | Validation failed |
+| 422  | Unprocessable Entity  | Validation failed                     |
-| 500 | Internal Server Error | Server error |
+| 500  | Internal Server Error | Server error                          |
 ## Pagination
@@ -87,10 +87,12 @@ GET /api/tasks?page=1&limit=20
 ```
 **Parameters:**
 - `page` — Page number (default: 1)
 - `limit` — Items per page (default: 10, max: 100)
 **Response includes:**
 ```json
 {
  "data": [...],
@@ -113,6 +115,7 @@ GET /api/events?start_date=2026-01-01&end_date=2026-01-31
 ```
 **Supported operators:**
 - `=` — Equals
 - `_gt` — Greater than (e.g., `created_at_gt=2026-01-01`)
 - `_lt` — Less than
@@ -139,11 +142,10 @@ GET /api/tasks?fields=id,title,status
 ```
 **Response:**
 ```json
 {
-  "data": [
+  "data": [{ "id": "1", "title": "Task 1", "status": "active" }]
    { "id": "1", "title": "Task 1", "status": "active" }
  ]
 }
 ```
@@ -156,6 +158,7 @@ GET /api/tasks?include=assignee,project
 ```
 **Response:**
 ```json
 {
  "data": {
@@ -186,11 +189,13 @@ See [Authentication Endpoints](../2-authentication/1-endpoints.md) for details.
 ## Request Headers
 **Required:**
 ```http
 Content-Type: application/json
 ```
 **Optional:**
 ```http
 Authorization: Bearer {token}
 X-Workspace-ID: {workspace-uuid}  # For multi-tenant requests
@@ -221,6 +226,7 @@ API endpoints are rate-limited:
 - **Authenticated:** 1000 requests/hour
 **Rate limit headers:**
 ```http
 X-RateLimit-Limit: 1000
 X-RateLimit-Remaining: 950
@@ -235,11 +241,7 @@ CORS is configured for frontend origin:
 ```javascript
 // Allowed origins
-const origins = [
+const origins = [process.env.NEXT_PUBLIC_APP_URL, "http://localhost:3000", "http://localhost:3001"];
  process.env.NEXT_PUBLIC_APP_URL,
  'http://localhost:3000',
  'http://localhost:3001'
 ];
 ```
 ## Versioning
@@ -257,6 +259,7 @@ GET /health
 ```
 **Response:**
 ```json
 {
  "status": "ok",
@@ -282,6 +285,7 @@ curl -X POST http://localhost:3001/api/tasks \
 ```
 **Response (201):**
 ```json
 {
  "data": {
--- a/docs/4-api/2-authentication/1-endpoints.md
+++ b/docs/4-api/2-authentication/1-endpoints.md
@@ -21,6 +21,7 @@ POST /auth/sign-up
 ```
 **Request Body:**
 ```json
 {
  "email": "user@example.com",
@@ -30,6 +31,7 @@ POST /auth/sign-up
 ```
 **Response (201):**
 ```json
 {
  "user": {
@@ -47,6 +49,7 @@ POST /auth/sign-up
 ```
 **Errors:**
 - `409 Conflict` — Email already exists
 - `422 Validation Error` — Invalid input
@@ -61,6 +64,7 @@ POST /auth/sign-in
 ```
 **Request Body:**
 ```json
 {
  "email": "user@example.com",
@@ -69,6 +73,7 @@ POST /auth/sign-in
 ```
 **Response (200):**
 ```json
 {
  "user": {
@@ -85,6 +90,7 @@ POST /auth/sign-in
 ```
 **Errors:**
 - `401 Unauthorized` — Invalid credentials
 ---
@@ -98,11 +104,13 @@ POST /auth/sign-out
 ```
 **Headers:**
 ```http
 Authorization: Bearer {session_token}
 ```
 **Response (200):**
 ```json
 {
  "success": true
@@ -120,11 +128,13 @@ GET /auth/session
 ```
 **Headers:**
 ```http
 Authorization: Bearer {session_token}
 ```
 **Response (200):**
 ```json
 {
  "user": {
@@ -140,6 +150,7 @@ Authorization: Bearer {session_token}
 ```
 **Errors:**
 - `401 Unauthorized` — Invalid or expired session
 ---
@@ -153,11 +164,13 @@ GET /auth/profile
 ```
 **Headers:**
 ```http
 Authorization: Bearer {session_token}
 ```
 **Response (200):**
 ```json
 {
  "id": "user-uuid",
@@ -168,6 +181,7 @@ Authorization: Bearer {session_token}
 ```
 **Errors:**
 - `401 Unauthorized` — Not authenticated
 ---
@@ -181,12 +195,14 @@ GET /auth/callback/authentik
 ```
 **Query Parameters:**
 - `code` — Authorization code from provider
 - `state` — CSRF protection token
 This endpoint is called by the OIDC provider after successful authentication.
 **Response:**
 - Redirects to frontend with session token
 ---
@@ -229,10 +245,12 @@ Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
 ### Token Storage
 **Frontend (Browser):**
 - Store in `httpOnly` cookie (most secure)
 - Or `localStorage` (less secure, XSS vulnerable)
 **Mobile/Desktop:**
 - Secure storage (Keychain on iOS, KeyStore on Android)
 ### Token Expiration
@@ -240,8 +258,9 @@ Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
 Tokens expire after 24 hours (configurable via `JWT_EXPIRATION`).
 **Check expiration:**
 ```typescript
-import { AuthSession } from '@mosaic/shared';
+import { AuthSession } from "@mosaic/shared";
 const isExpired = (session: AuthSession) => {
  return new Date(session.session.expiresAt) < new Date();
@@ -249,6 +268,7 @@ const isExpired = (session: AuthSession) => {
 ```
 **Refresh flow** (future implementation):
 ```http
 POST /auth/refresh
 ```
@@ -307,6 +327,7 @@ curl -X POST http://localhost:3001/auth/sign-in \
 ```
 **Save the token from response:**
 ```bash
 TOKEN=$(curl -X POST http://localhost:3001/auth/sign-in \
  -H "Content-Type: application/json" \
--- a/docs/4-api/3-activity-logging/README.md
+++ b/docs/4-api/3-activity-logging/README.md
@@ -5,6 +5,7 @@ The Activity Logging API provides comprehensive audit trail and activity trackin
 ## Overview
 Activity logs are automatically created for:
 - **CRUD Operations**: Task, event, project, and workspace modifications
 - **Authentication Events**: Login, logout, password resets
 - **User Actions**: Task assignments, workspace member changes
@@ -24,17 +25,17 @@ Get a paginated list of activity logs with optional filters.
 **Query Parameters:**
-| Parameter | Type | Required | Description |
+| Parameter     | Type           | Required | Description                                    |
-|-----------|------|----------|-------------|
+| ------------- | -------------- | -------- | ---------------------------------------------- |
-| `workspaceId` | UUID | Yes | Workspace to filter by |
+| `workspaceId` | UUID           | Yes      | Workspace to filter by                         |
-| `userId` | UUID | No | Filter by user who performed the action |
+| `userId`      | UUID           | No       | Filter by user who performed the action        |
-| `action` | ActivityAction | No | Filter by action type (CREATED, UPDATED, etc.) |
+| `action`      | ActivityAction | No       | Filter by action type (CREATED, UPDATED, etc.) |
-| `entityType` | EntityType | No | Filter by entity type (TASK, EVENT, etc.) |
+| `entityType`  | EntityType     | No       | Filter by entity type (TASK, EVENT, etc.)      |
-| `entityId` | UUID | No | Filter by specific entity |
+| `entityId`    | UUID           | No       | Filter by specific entity                      |
-| `startDate` | ISO 8601 | No | Filter activities after this date |
+| `startDate`   | ISO 8601       | No       | Filter activities after this date              |
-| `endDate` | ISO 8601 | No | Filter activities before this date |
+| `endDate`     | ISO 8601       | No       | Filter activities before this date             |
-| `page` | Number | No | Page number (default: 1) |
+| `page`        | Number         | No       | Page number (default: 1)                       |
-| `limit` | Number | No | Items per page (default: 50, max: 100) |
+| `limit`       | Number         | No       | Items per page (default: 50, max: 100)         |
 **Response:**
@@ -102,15 +103,15 @@ Retrieve a single activity log entry by ID.
 **Path Parameters:**
-| Parameter | Type | Required | Description |
+| Parameter | Type | Required | Description     |
-|-----------|------|----------|-------------|
+| --------- | ---- | -------- | --------------- |
-| `id` | UUID | Yes | Activity log ID |
+| `id`      | UUID | Yes      | Activity log ID |
 **Query Parameters:**
-| Parameter | Type | Required | Description |
+| Parameter     | Type | Required | Description                               |
-|-----------|------|----------|-------------|
+| ------------- | ---- | -------- | ----------------------------------------- |
-| `workspaceId` | UUID | Yes | Workspace ID (for multi-tenant isolation) |
+| `workspaceId` | UUID | Yes      | Workspace ID (for multi-tenant isolation) |
 **Response:**
@@ -156,16 +157,16 @@ Retrieve complete audit trail for a specific entity (task, event, project, etc.)
 **Path Parameters:**
-| Parameter | Type | Required | Description |
+| Parameter    | Type       | Required | Description                                            |
-|-----------|------|----------|-------------|
+| ------------ | ---------- | -------- | ------------------------------------------------------ |
-| `entityType` | EntityType | Yes | Type of entity (TASK, EVENT, PROJECT, WORKSPACE, USER) |
+| `entityType` | EntityType | Yes      | Type of entity (TASK, EVENT, PROJECT, WORKSPACE, USER) |
-| `entityId` | UUID | Yes | Entity ID |
+| `entityId`   | UUID       | Yes      | Entity ID                                              |
 **Query Parameters:**
-| Parameter | Type | Required | Description |
+| Parameter     | Type | Required | Description                               |
-|-----------|------|----------|-------------|
+| ------------- | ---- | -------- | ----------------------------------------- |
-| `workspaceId` | UUID | Yes | Workspace ID (for multi-tenant isolation) |
+| `workspaceId` | UUID | Yes      | Workspace ID (for multi-tenant isolation) |
 **Response:**
@@ -265,6 +266,7 @@ The Activity Logging system includes an interceptor that automatically logs:
 - **DELETE requests** → `DELETED` action
 The interceptor extracts:
 - User information from the authenticated session
 - Workspace context from request
 - IP address and user agent from HTTP headers
@@ -277,7 +279,7 @@ The interceptor extracts:
 For custom logging scenarios, use the `ActivityService` helper methods:
 ```typescript
-import { ActivityService } from '@/activity/activity.service';
+import { ActivityService } from "@/activity/activity.service";
@Injectable()
 export class TaskService {
@@ -287,12 +289,7 @@ export class TaskService {
    const task = await this.prisma.task.create({ data });
    // Log task creation
-    await this.activityService.logTaskCreated(
+    await this.activityService.logTaskCreated(workspaceId, userId, task.id, { title: task.title });
      workspaceId,
      userId,
      task.id,
      { title: task.title }
    );
    return task;
  }
@@ -302,6 +299,7 @@ export class TaskService {
 ### Available Helper Methods
 #### Task Activities
 - `logTaskCreated(workspaceId, userId, taskId, details?)`
 - `logTaskUpdated(workspaceId, userId, taskId, details?)`
 - `logTaskDeleted(workspaceId, userId, taskId, details?)`
@@ -309,22 +307,26 @@ export class TaskService {
 - `logTaskAssigned(workspaceId, userId, taskId, assigneeId)`
 #### Event Activities
 - `logEventCreated(workspaceId, userId, eventId, details?)`
 - `logEventUpdated(workspaceId, userId, eventId, details?)`
 - `logEventDeleted(workspaceId, userId, eventId, details?)`
 #### Project Activities
 - `logProjectCreated(workspaceId, userId, projectId, details?)`
 - `logProjectUpdated(workspaceId, userId, projectId, details?)`
 - `logProjectDeleted(workspaceId, userId, projectId, details?)`
 #### Workspace Activities
 - `logWorkspaceCreated(workspaceId, userId, details?)`
 - `logWorkspaceUpdated(workspaceId, userId, details?)`
 - `logWorkspaceMemberAdded(workspaceId, userId, memberId, role)`
 - `logWorkspaceMemberRemoved(workspaceId, userId, memberId)`
 #### User Activities
 - `logUserUpdated(workspaceId, userId, details?)`
 ---
@@ -338,6 +340,7 @@ All activity logs are scoped to workspaces using Row-Level Security (RLS). Users
 ### Data Retention
 Activity logs are retained indefinitely by default. Consider implementing a retention policy based on:
 - Compliance requirements
 - Storage constraints
 - Business needs
@@ -345,6 +348,7 @@ Activity logs are retained indefinitely by default. Consider implementing a rete
 ### Sensitive Data
 Activity logs should NOT contain:
 - Passwords or authentication tokens
 - Credit card information
 - Personal health information
@@ -364,9 +368,9 @@ Include enough context to understand what changed:
 // Good
 await activityService.logTaskUpdated(workspaceId, userId, taskId, {
  changes: {
-    status: { from: 'NOT_STARTED', to: 'IN_PROGRESS' },
+    status: { from: "NOT_STARTED", to: "IN_PROGRESS" },
-    assignee: { from: null, to: 'user-456' }
+    assignee: { from: null, to: "user-456" },
-  }
+  },
 });
 // Less useful
@@ -376,6 +380,7 @@ await activityService.logTaskUpdated(workspaceId, userId, taskId);
 ### 2. Log Business-Critical Actions
 Prioritize logging actions that:
 - Change permissions or access control
 - Delete data
 - Modify billing or subscription
@@ -388,11 +393,11 @@ Use appropriate filters to reduce data transfer:
 ```typescript
 // Efficient - filters at database level
-const activities = await fetch('/api/activity?workspaceId=xxx&entityType=TASK&page=1&limit=50');
+const activities = await fetch("/api/activity?workspaceId=xxx&entityType=TASK&page=1&limit=50");
 // Inefficient - transfers all data then filters
-const activities = await fetch('/api/activity?workspaceId=xxx');
+const activities = await fetch("/api/activity?workspaceId=xxx");
-const taskActivities = activities.filter(a => a.entityType === 'TASK');
+const taskActivities = activities.filter((a) => a.entityType === "TASK");
 ```
 ### 4. Display User-Friendly Activity Feeds
@@ -404,11 +409,11 @@ function formatActivityMessage(activity: ActivityLog) {
  const { user, action, entityType, details } = activity;
  switch (action) {
-    case 'CREATED':
+    case "CREATED":
      return `${user.name} created ${entityType.toLowerCase()} "${details.title}"`;
-    case 'UPDATED':
+    case "UPDATED":
      return `${user.name} updated ${entityType.toLowerCase()}`;
-    case 'DELETED':
+    case "DELETED":
      return `${user.name} deleted ${entityType.toLowerCase()}`;
    default:
      return `${user.name} performed ${action}`;
@@ -427,7 +432,7 @@ try {
  await activityService.logActivity(data);
 } catch (error) {
  // Log error but don't throw
-  logger.error('Failed to log activity', error);
+  logger.error("Failed to log activity", error);
 }
 ```
@@ -454,6 +459,7 @@ Always use pagination for activity queries. Default limit is 50 items, maximum i
 ### Background Processing
 For high-volume systems, consider:
 - Async activity logging with message queues
 - Batch inserts for multiple activities
 - Separate read replicas for reporting
--- a/docs/4-api/4-crud-endpoints/README.md
+++ b/docs/4-api/4-crud-endpoints/README.md
@@ -5,6 +5,7 @@ Complete reference for Tasks, Events, and Projects API endpoints.
 ## Overview
 All CRUD endpoints follow standard REST conventions and require authentication. They support:
 - Full CRUD operations (Create, Read, Update, Delete)
 - Workspace-scoped isolation
 - Pagination and filtering
@@ -39,6 +40,7 @@ GET /api/tasks?status=IN_PROGRESS&page=1&limit=20
 ```
 **Query Parameters:**
 - `workspaceId` (UUID, required) — Workspace ID
 - `status` (enum, optional) — `NOT_STARTED`, `IN_PROGRESS`, `PAUSED`, `COMPLETED`, `ARCHIVED`
 - `priority` (enum, optional) — `LOW`, `MEDIUM`, `HIGH`
@@ -51,6 +53,7 @@ GET /api/tasks?status=IN_PROGRESS&page=1&limit=20
 - `limit` (integer, optional) — Items per page (default: 50, max: 100)
 **Response:**
 ```json
 {
  "data": [
@@ -122,6 +125,7 @@ Content-Type: application/json
 ```
 **Fields:**
 - `title` (string, required, 1-255 chars) — Task title
 - `description` (string, optional, max 10000 chars) — Detailed description
 - `status` (enum, optional) — Default: `NOT_STARTED`
@@ -153,6 +157,7 @@ All fields are optional for partial updates. Setting `status` to `COMPLETED` aut
 **Response (200):** Updated task object
 **Activity Logs:**
 - `UPDATED` — Always logged
 - `COMPLETED` — Logged when status changes to `COMPLETED`
 - `ASSIGNED` — Logged when `assigneeId` changes
@@ -190,6 +195,7 @@ GET /api/events?startFrom=2026-02-01&startTo=2026-02-28
 ```
 **Query Parameters:**
 - `workspaceId` (UUID, required) — Workspace ID
 - `projectId` (UUID, optional) — Filter by project
 - `startFrom` (ISO 8601, optional) — Events starting after this date
@@ -199,6 +205,7 @@ GET /api/events?startFrom=2026-02-01&startTo=2026-02-28
 - `limit` (integer, optional) — Items per page
 **Response:**
 ```json
 {
  "data": [
@@ -254,6 +261,7 @@ Content-Type: application/json
 ```
 **Fields:**
 - `title` (string, required, 1-255 chars) — Event title
 - `description` (string, optional, max 10000 chars) — Description
 - `startTime` (ISO 8601, required) — Event start time
@@ -304,6 +312,7 @@ GET /api/projects?status=ACTIVE
 ```
 **Query Parameters:**
 - `workspaceId` (UUID, required) — Workspace ID
 - `status` (enum, optional) — `PLANNING`, `ACTIVE`, `PAUSED`, `COMPLETED`, `ARCHIVED`
 - `startDateFrom` (ISO 8601, optional) — Projects starting after this date
@@ -312,6 +321,7 @@ GET /api/projects?status=ACTIVE
 - `limit` (integer, optional) — Items per page
 **Response:**
 ```json
 {
  "data": [
@@ -374,6 +384,7 @@ Content-Type: application/json
 ```
 **Fields:**
 - `name` (string, required, 1-255 chars) — Project name
 - `description` (string, optional, max 10000 chars) — Description
 - `status` (enum, optional) — Default: `PLANNING`
@@ -450,10 +461,7 @@ Validation errors in request body.
 ```json
 {
  "statusCode": 422,
-  "message": [
+  "message": ["title must not be empty", "priority must be a valid TaskPriority"],
    "title must not be empty",
    "priority must be a valid TaskPriority"
  ],
  "error": "Unprocessable Entity"
 }
 ```
--- a/docs/4-api/README.md
+++ b/docs/4-api/README.md
@@ -22,6 +22,7 @@ Complete API documentation for Mosaic Stack backend.
 ## Authentication
 All authenticated endpoints require:
 ```http
 Authorization: Bearer {session_token}
 ```
--- a/docs/JARVIS_FE_MIGRATION.md
+++ b/docs/JARVIS_FE_MIGRATION.md
@@ -9,104 +9,119 @@ Cherry-pick high-value components from `mosaic/jarvis` into `mosaic/stack` to ac
 ## Stack Compatibility ✅
-| Aspect | Jarvis | Mosaic Stack | Compatible |
+| Aspect     | Jarvis      | Mosaic Stack | Compatible |
-|--------|--------|--------------|------------|
+| ---------- | ----------- | ------------ | ---------- |
-| Next.js | 16.1.1 | 16.1.6 | ✅ |
+| Next.js    | 16.1.1      | 16.1.6       | ✅         |
-| React | 19.2.0 | 19.0.0 | ✅ |
+| React      | 19.2.0      | 19.0.0       | ✅         |
-| TypeScript | ~5.x | 5.8.2 | ✅ |
+| TypeScript | ~5.x        | 5.8.2        | ✅         |
-| Tailwind | Yes | Yes | ✅ |
+| Tailwind   | Yes         | Yes          | ✅         |
-| Auth | better-auth | better-auth | ✅ |
+| Auth       | better-auth | better-auth  | ✅         |
 ## Migration Phases
 ### Phase 1: Dependencies (Pre-requisite)
 Add missing packages to mosaic-stack:
 ```bash
 pnpm add @xyflow/react elkjs mermaid @dnd-kit/core @dnd-kit/sortable @dnd-kit/utilities
 ```
 ### Phase 2: Core Infrastructure
-| Component | Source | Target | Priority |
+
-|-----------|--------|--------|----------|
+| Component                | Source      | Target             | Priority |
-| ThemeProvider.tsx | providers/ | providers/ | P0 |
+| ------------------------ | ----------- | ------------------ | -------- |
-| ThemeToggle.tsx | components/ | components/layout/ | P0 |
+| ThemeProvider.tsx        | providers/  | providers/         | P0       |
-| globals.css (theme vars) | app/ | app/ | P0 |
+| ThemeToggle.tsx          | components/ | components/layout/ | P0       |
 | globals.css (theme vars) | app/        | app/               | P0       |
 ### Phase 3: Chat/Jarvis Overlay (#42)
-| Component | Source | Target | Notes |
+
-|-----------|--------|--------|-------|
+| Component               | Source      | Target           | Notes                  |
-| Chat.tsx | components/ | components/chat/ | Main chat UI |
+| ----------------------- | ----------- | ---------------- | ---------------------- |
-| ChatInput.tsx | components/ | components/chat/ | Input with attachments |
+| Chat.tsx                | components/ | components/chat/ | Main chat UI           |
-| MessageList.tsx | components/ | components/chat/ | Message rendering |
+| ChatInput.tsx           | components/ | components/chat/ | Input with attachments |
-| ConversationSidebar.tsx | components/ | components/chat/ | History panel |
+| MessageList.tsx         | components/ | components/chat/ | Message rendering      |
-| BackendStatusBanner.tsx | components/ | components/chat/ | Connection status |
+| ConversationSidebar.tsx | components/ | components/chat/ | History panel          |
 | BackendStatusBanner.tsx | components/ | components/chat/ | Connection status      |
 **Adaptation needed:**
 - Update API endpoints to mosaic-stack backend
 - Integrate with existing auth context
 - Connect to Brain/Ideas API for semantic search
 ### Phase 4: Mindmap/Visual Editor
-| Component | Source | Target | Notes |
+
-|-----------|--------|--------|-------|
+| Component                   | Source      | Target                       | Notes             |
-| mindmap/ReactFlowEditor.tsx | components/ | components/mindmap/ | Main editor |
+| --------------------------- | ----------- | ---------------------------- | ----------------- |
-| mindmap/MindmapViewer.tsx | components/ | components/mindmap/ | Read-only view |
+| mindmap/ReactFlowEditor.tsx | components/ | components/mindmap/          | Main editor       |
-| mindmap/MermaidViewer.tsx | components/ | components/mindmap/ | Mermaid diagrams |
+| mindmap/MindmapViewer.tsx   | components/ | components/mindmap/          | Read-only view    |
-| mindmap/nodes/*.tsx | components/ | components/mindmap/nodes/ | Custom node types |
+| mindmap/MermaidViewer.tsx   | components/ | components/mindmap/          | Mermaid diagrams  |
-| mindmap/controls/*.tsx | components/ | components/mindmap/controls/ | Toolbar/export |
+| mindmap/nodes/\*.tsx        | components/ | components/mindmap/nodes/    | Custom node types |
 | mindmap/controls/\*.tsx     | components/ | components/mindmap/controls/ | Toolbar/export    |
 **Adaptation needed:**
 - Connect to Knowledge module for entries
 - Map node types to Mosaic entities (Task, Idea, Project)
 - Update save/load to use Mosaic API
 ### Phase 5: Admin/Settings Enhancement
-| Component | Source | Target | Notes |
+
-|-----------|--------|--------|-------|
+| Component         | Source      | Target             | Notes                   |
-| admin/Header.tsx | components/ | components/admin/ | Already exists, compare |
+| ----------------- | ----------- | ------------------ | ----------------------- |
-| admin/Sidebar.tsx | components/ | components/admin/ | Already exists, compare |
+| admin/Header.tsx  | components/ | components/admin/  | Already exists, compare |
-| HeaderMenu.tsx | components/ | components/layout/ | Navigation dropdown |
+| admin/Sidebar.tsx | components/ | components/admin/  | Already exists, compare |
-| HeaderActions.tsx | components/ | components/layout/ | Quick actions |
+| HeaderMenu.tsx    | components/ | components/layout/ | Navigation dropdown     |
 | HeaderActions.tsx | components/ | components/layout/ | Quick actions           |
 **Action:** Compare and merge best patterns from both.
 ### Phase 6: Integrations
-| Component | Source | Target | Notes |
+
-|-----------|--------|--------|-------|
+| Component                      | Source      | Target                   | Notes                |
-| integrations/OAuthButton.tsx | components/ | components/integrations/ | OAuth flow UI |
+| ------------------------------ | ----------- | ------------------------ | -------------------- |
-| settings/integrations/page.tsx | app/ | app/ | Integration settings |
+| integrations/OAuthButton.tsx   | components/ | components/integrations/ | OAuth flow UI        |
 | settings/integrations/page.tsx | app/        | app/                     | Integration settings |
 ## Execution Plan
 ### Agent 1: Dependencies & Theme (15 min)
 - Add missing npm packages
 - Copy theme infrastructure
 - Verify dark/light mode works
 ### Agent 2: Chat Components (30 min)
 - Copy chat components
 - Update imports and paths
 - Adapt API calls to mosaic-stack endpoints
 - Create placeholder chat route
 ### Agent 3: Mindmap Components (30 min)
 - Copy mindmap components
 - Update imports and paths
 - Connect to Knowledge API
 - Create mindmap route
 ### Agent 4: Polish & Integration (20 min)
 - Code review all copied components
 - Fix TypeScript errors
 - Update component exports
 - Test basic functionality
 ## Files to Skip (Already Better in Mosaic)
- kanban/* (already implemented with tests)
+
 - kanban/\* (already implemented with tests)
 - Most app/ routes (different structure)
 - Auth providers (already configured)
 ## Success Criteria
 1. ✅ Theme toggle works (dark/light)
 2. ✅ Chat UI renders (even if not connected)
 3. ✅ Mindmap editor loads with ReactFlow
@@ -114,11 +129,13 @@ pnpm add @xyflow/react elkjs mermaid @dnd-kit/core @dnd-kit/sortable @dnd-kit/ut
 5. ✅ Build passes
 ## Risks
 - **API mismatch:** Jarvis uses different API structure — need adapter layer
 - **State management:** May need to reconcile different patterns
 - **Styling conflicts:** CSS variable names may differ
 ## Notes
 - Keep jarvis-fe repo for reference, don't modify it
 - All work in mosaic-stack on feature branch
 - Create PR for review before merge
--- a/docs/M6-NEW-ISSUES-TEMPLATES.md
+++ b/docs/M6-NEW-ISSUES-TEMPLATES.md
@@ -121,7 +121,7 @@ Update TurboRepo configuration to include orchestrator in build pipeline.
 ## Acceptance Criteria
 - [ ] turbo.json updated with orchestrator tasks
- [ ] Build order: packages/* → coordinator → orchestrator → api → web
+- [ ] Build order: packages/\* → coordinator → orchestrator → api → web
 - [ ] Root package.json scripts updated (dev:orchestrator, docker:logs)
 - [ ] `npm run build` builds orchestrator
 - [ ] `npm run dev` runs orchestrator in watch mode
@@ -164,7 +164,7 @@ Spawn Claude agents using Anthropic SDK.
 ```typescript
 interface SpawnAgentRequest {
  taskId: string;
-  agentType: 'worker' | 'reviewer' | 'tester';
+  agentType: "worker" | "reviewer" | "tester";
  context: {
    repository: string;
    branch: string;
@@ -851,6 +851,7 @@ Load testing and resource monitoring.
 ## Technical Notes
 Acceptable limits:
 - Agent spawn: < 10 seconds
 - Task completion: < 1 hour (configurable)
 - CPU: < 80%
--- a/docs/README.md
+++ b/docs/README.md
@@ -25,7 +25,7 @@ Developer guides for contributing to Mosaic Stack.
  - [Branching Strategy](2-development/1-workflow/1-branching.md)
  - [Testing Requirements](2-development/1-workflow/2-testing.md)
 - **[Database](2-development/2-database/)**
-  - Schema, migrations, and Prisma guides *(to be added)*
+  - Schema, migrations, and Prisma guides _(to be added)_
 - **[Type Sharing](2-development/3-type-sharing/)**
  - [Type Sharing Strategy](2-development/3-type-sharing/1-strategy.md)
@@ -33,8 +33,8 @@ Developer guides for contributing to Mosaic Stack.
 Technical architecture and design decisions.
- **[Overview](3-architecture/1-overview/)** — System design *(to be added)*
+- **[Overview](3-architecture/1-overview/)** — System design _(to be added)_
- **[Authentication](3-architecture/2-authentication/)** — BetterAuth and OIDC *(to be added)*
+- **[Authentication](3-architecture/2-authentication/)** — BetterAuth and OIDC _(to be added)_
 - **[Design Principles](3-architecture/3-design-principles/)**
  - [PDA-Friendly Patterns](3-architecture/3-design-principles/1-pda-friendly.md)
@@ -59,21 +59,25 @@ Development notes and implementation details for specific issues:
 ## 🔍 Quick Links
 ### For New Users
 1. [Quick Start](1-getting-started/1-quick-start/1-overview.md)
 2. [Local Setup](1-getting-started/2-installation/2-local-setup.md)
 3. [Environment Configuration](1-getting-started/3-configuration/1-environment.md)
 ### For Developers
 1. [Branching Strategy](2-development/1-workflow/1-branching.md)
 2. [Testing Requirements](2-development/1-workflow/2-testing.md)
 3. [Type Sharing](2-development/3-type-sharing/1-strategy.md)
 ### For Architects
 1. [PDA-Friendly Design](3-architecture/3-design-principles/1-pda-friendly.md)
-2. [Authentication Flow](3-architecture/2-authentication/) *(to be added)*
+2. [Authentication Flow](3-architecture/2-authentication/) _(to be added)_
-3. [System Overview](3-architecture/1-overview/) *(to be added)*
+3. [System Overview](3-architecture/1-overview/) _(to be added)_
 ### For API Consumers
 1. [API Conventions](4-api/1-conventions/1-endpoints.md)
 2. [Authentication Endpoints](4-api/2-authentication/1-endpoints.md)
@@ -112,6 +116,7 @@ Numbers maintain order in file systems and Bookstack.
 ### Code Examples
 Always include:
 - Language identifier for syntax highlighting
 - Complete, runnable examples
 - Expected output when relevant
@@ -143,14 +148,15 @@ Always include:
 ## 📊 Documentation Status
-| Book | Completion |
+| Book            | Completion  |
-|------|------------|
+| --------------- | ----------- |
 | Getting Started | 🟢 Complete |
-| Development | 🟡 Partial |
+| Development     | 🟡 Partial  |
-| Architecture | 🟡 Partial |
+| Architecture    | 🟡 Partial  |
-| API Reference | 🟡 Partial |
+| API Reference   | 🟡 Partial  |
 **Legend:**
 - 🟢 Complete
 - 🟡 Partial
 - 🔵 Planned
--- a/docs/ROADMAP.md
+++ b/docs/ROADMAP.md
@@ -5,12 +5,12 @@
 ## Versioning Policy
-| Version | Meaning |
+| Version | Meaning                                          |
-|---------|---------|
+| ------- | ------------------------------------------------ |
-| `0.0.x` | Active development, breaking changes expected |
+| `0.0.x` | Active development, breaking changes expected    |
-| `0.1.0` | **MVP** — First user-testable release |
+| `0.1.0` | **MVP** — First user-testable release            |
 | `0.x.y` | Pre-stable iteration, API may change with notice |
-| `1.0.0` | Stable release, public API contract |
+| `1.0.0` | Stable release, public API contract              |
 ---
@@ -57,6 +57,7 @@ Legend: ───── Active development window
 ## Milestones Detail
 ### ✅ M2-MultiTenant (0.0.2) — COMPLETE
 **Due:** 2026-02-08 | **Status:** Done
 - [x] Workspace model and CRUD
@@ -68,70 +69,74 @@ Legend: ───── Active development window
 ---
 ### 🚧 M3-Features (0.0.3)
 **Due:** 2026-02-15 | **Status:** In Progress
 Core features for daily use:
-| Issue | Title | Priority | Status |
+| Issue | Title                         | Priority | Status |
-|-------|-------|----------|--------|
+| ----- | ----------------------------- | -------- | ------ |
-| #15 | Gantt chart component | P0 | Open |
+| #15   | Gantt chart component         | P0       | Open   |
-| #16 | Real-time updates (WebSocket) | P0 | Open |
+| #16   | Real-time updates (WebSocket) | P0       | Open   |
-| #17 | Kanban board view | P1 | Open |
+| #17   | Kanban board view             | P1       | Open   |
-| #18 | Advanced filtering and search | P1 | Open |
+| #18   | Advanced filtering and search | P1       | Open   |
-| #21 | Ollama integration | P1 | Open |
+| #21   | Ollama integration            | P1       | Open   |
-| #37 | Domains model | — | Open |
+| #37   | Domains model                 | —        | Open   |
-| #41 | Widget/HUD System | — | Open |
+| #41   | Widget/HUD System             | —        | Open   |
-| #82 | Personality Module | P1 | Open |
+| #82   | Personality Module            | P1       | Open   |
 ---
 ### 🚧 M4-MoltBot (0.0.4)
 **Due:** 2026-02-22 | **Status:** In Progress
 Agent integration and skills:
-| Issue | Title | Priority | Status |
+| Issue | Title                         | Priority | Status |
-|-------|-------|----------|--------|
+| ----- | ----------------------------- | -------- | ------ |
-| #22 | Brain query API endpoint | P0 | Open |
+| #22   | Brain query API endpoint      | P0       | Open   |
-| #23 | mosaic-plugin-brain skill | P0 | Open |
+| #23   | mosaic-plugin-brain skill     | P0       | Open   |
-| #24 | mosaic-plugin-calendar skill | P1 | Open |
+| #24   | mosaic-plugin-calendar skill  | P1       | Open   |
-| #25 | mosaic-plugin-tasks skill | P1 | Open |
+| #25   | mosaic-plugin-tasks skill     | P1       | Open   |
-| #26 | mosaic-plugin-gantt skill | P2 | Open |
+| #26   | mosaic-plugin-gantt skill     | P2       | Open   |
-| #27 | Intent classification service | P1 | Open |
+| #27   | Intent classification service | P1       | Open   |
-| #29 | Cron job configuration | P1 | Open |
+| #29   | Cron job configuration        | P1       | Open   |
-| #42 | Jarvis Chat Overlay | — | Open |
+| #42   | Jarvis Chat Overlay           | —        | Open   |
 ---
 ### 🚧 M5-Knowledge Module (0.0.5)
 **Due:** 2026-03-14 | **Status:** In Progress
 Wiki-style knowledge management:
-| Phase | Issues | Description |
+| Phase | Issues | Description                     |
-|-------|--------|-------------|
+| ----- | ------ | ------------------------------- |
-| 1 | — | Core CRUD (DONE) |
+| 1     | —      | Core CRUD (DONE)                |
-| 2 | #59-64 | Wiki-style linking |
+| 2     | #59-64 | Wiki-style linking              |
-| 3 | #65-70 | Full-text + semantic search |
+| 3     | #65-70 | Full-text + semantic search     |
-| 4 | #71-74 | Graph visualization |
+| 4     | #71-74 | Graph visualization             |
-| 5 | #75-80 | History, import/export, caching |
+| 5     | #75-80 | History, import/export, caching |
 **EPIC:** #81
 ---
 ### 📋 M6-AgentOrchestration (0.0.6)
 **Due:** 2026-03-28 | **Status:** Planned
 Persistent task management and autonomous agent coordination:
-| Phase | Issues | Description |
+| Phase | Issues         | Description                              |
-|-------|--------|-------------|
+| ----- | -------------- | ---------------------------------------- |
-| 1 | #96, #97 | Database schema, Task CRUD API |
+| 1     | #96, #97       | Database schema, Task CRUD API           |
-| 2 | #98, #99, #102 | Valkey, Coordinator, Gateway integration |
+| 2     | #98, #99, #102 | Valkey, Coordinator, Gateway integration |
-| 3 | #100 | Failure recovery, checkpoints |
+| 3     | #100           | Failure recovery, checkpoints            |
-| 4 | #101 | Task progress UI |
+| 4     | #101           | Task progress UI                         |
-| 5 | — | Advanced (cost tracking, multi-region) |
+| 5     | —              | Advanced (cost tracking, multi-region)   |
 **EPIC:** #95  
 **Design Doc:** `docs/design/agent-orchestration.md`
@@ -139,18 +144,19 @@ Persistent task management and autonomous agent coordination:
 ---
 ### 📋 M7-Federation (0.0.7)
 **Due:** 2026-04-15 | **Status:** Planned
 Multi-instance federation for work/personal separation:
-| Phase | Issues | Description |
+| Phase | Issues        | Description                                 |
-|-------|--------|-------------|
+| ----- | ------------- | ------------------------------------------- |
-| 1 | #84, #85 | Instance identity, CONNECT/DISCONNECT |
+| 1     | #84, #85      | Instance identity, CONNECT/DISCONNECT       |
-| 2 | #86, #87 | Authentik integration, identity linking |
+| 2     | #86, #87      | Authentik integration, identity linking     |
-| 3 | #88, #89, #90 | QUERY, COMMAND, EVENT protocol |
+| 3     | #88, #89, #90 | QUERY, COMMAND, EVENT protocol              |
-| 4 | #91, #92 | Connection manager UI, aggregated dashboard |
+| 4     | #91, #92      | Connection manager UI, aggregated dashboard |
-| 5 | #93, #94 | Agent federation, spoke configuration |
+| 5     | #93, #94      | Agent federation, spoke configuration       |
-| 6 | — | Enterprise features |
+| 6     | —             | Enterprise features                         |
 **EPIC:** #83  
 **Design Doc:** `docs/design/federation-architecture.md`
@@ -158,18 +164,19 @@ Multi-instance federation for work/personal separation:
 ---
 ### 🎯 M5-Migration (0.1.0 MVP)
 **Due:** 2026-04-01 | **Status:** Planned
 Production readiness and migration from jarvis-brain:
-| Issue | Title | Priority |
+| Issue | Title                                      | Priority |
-|-------|-------|----------|
+| ----- | ------------------------------------------ | -------- |
-| #30 | Migration scripts from jarvis-brain | P0 |
+| #30   | Migration scripts from jarvis-brain        | P0       |
-| #31 | Data validation and integrity checks | P0 |
+| #31   | Data validation and integrity checks       | P0       |
-| #32 | Parallel operation testing | P1 |
+| #32   | Parallel operation testing                 | P1       |
-| #33 | Performance optimization | P1 |
+| #33   | Performance optimization                   | P1       |
-| #34 | Documentation (SETUP.md, CONFIGURATION.md) | P1 |
+| #34   | Documentation (SETUP.md, CONFIGURATION.md) | P1       |
-| #35 | Docker Compose customization guide | P1 |
+| #35   | Docker Compose customization guide         | P1       |
 ---
@@ -207,14 +214,14 @@ Work streams that can run in parallel:
 **Recommended parallelization:**
-| Sprint | Stream A | Stream B | Stream C | Stream D | Stream E |
+| Sprint   | Stream A      | Stream B  | Stream C     | Stream D      | Stream E     |
-|--------|----------|----------|----------|----------|----------|
+| -------- | ------------- | --------- | ------------ | ------------- | ------------ |
-| Feb W1-2 | M3 P0 | — | KNOW Phase 2 | ORCH #96, #97 | — |
+| Feb W1-2 | M3 P0         | —         | KNOW Phase 2 | ORCH #96, #97 | —            |
-| Feb W3-4 | M3 P1 | M4 P0 | KNOW Phase 2 | ORCH #98, #99 | FED #84, #85 |
+| Feb W3-4 | M3 P1         | M4 P0     | KNOW Phase 2 | ORCH #98, #99 | FED #84, #85 |
-| Mar W1-2 | M3 finish | M4 P1 | KNOW Phase 3 | ORCH #102 | FED #86, #87 |
+| Mar W1-2 | M3 finish     | M4 P1     | KNOW Phase 3 | ORCH #102     | FED #86, #87 |
-| Mar W3-4 | — | M4 finish | KNOW Phase 4 | ORCH #100 | FED #88, #89 |
+| Mar W3-4 | —             | M4 finish | KNOW Phase 4 | ORCH #100     | FED #88, #89 |
-| Apr W1-2 | MVP prep | — | KNOW Phase 5 | ORCH #101 | FED #91, #92 |
+| Apr W1-2 | MVP prep      | —         | KNOW Phase 5 | ORCH #101     | FED #91, #92 |
-| Apr W3-4 | **0.1.0 MVP** | — | — | — | FED #93, #94 |
+| Apr W3-4 | **0.1.0 MVP** | —         | —            | —             | FED #93, #94 |
 ---
@@ -258,18 +265,18 @@ Work streams that can run in parallel:
 ## Issue Labels
-| Label | Meaning |
+| Label              | Meaning                               |
-|-------|---------|
+| ------------------ | ------------------------------------- |
-| `p0` | Critical path, must complete |
+| `p0`               | Critical path, must complete          |
-| `p1` | Important, should complete |
+| `p1`               | Important, should complete            |
-| `p2` | Nice to have |
+| `p2`               | Nice to have                          |
-| `phase-N` | Implementation phase within milestone |
+| `phase-N`          | Implementation phase within milestone |
-| `api` | Backend API work |
+| `api`              | Backend API work                      |
-| `frontend` | Web UI work |
+| `frontend`         | Web UI work                           |
-| `database` | Schema/migration work |
+| `database`         | Schema/migration work                 |
-| `orchestration` | Agent orchestration related |
+| `orchestration`    | Agent orchestration related           |
-| `federation` | Federation related |
+| `federation`       | Federation related                    |
-| `knowledge-module` | Knowledge module related |
+| `knowledge-module` | Knowledge module related              |
 ---
@@ -282,6 +289,7 @@ Work streams that can run in parallel:
 5. **Design docs** provide implementation details
 **Quick links:**
 - [All Open Issues](https://git.mosaicstack.dev/mosaic/stack/issues?state=open)
 - [Milestones](https://git.mosaicstack.dev/mosaic/stack/milestones)
 - [Design Docs](./design/)
@@ -290,8 +298,8 @@ Work streams that can run in parallel:
 ## Changelog
-| Date | Change |
+| Date       | Change                                                           |
-|------|--------|
+| ---------- | ---------------------------------------------------------------- |
 | 2026-01-29 | Added M6-AgentOrchestration, M7-Federation milestones and issues |
-| 2026-01-29 | Created unified roadmap document |
+| 2026-01-29 | Created unified roadmap document                                 |
-| 2026-01-28 | M2-MultiTenant completed |
+| 2026-01-28 | M2-MultiTenant completed                                         |
--- a/docs/SEMANTIC_SEARCH.md
+++ b/docs/SEMANTIC_SEARCH.md
@@ -63,6 +63,7 @@ Get your API key from: https://platform.openai.com/api-keys
 ### OpenAI Model
 The default embedding model is `text-embedding-3-small` (1536 dimensions). This provides:
 - High quality embeddings
 - Cost-effective pricing
 - Fast generation speed
@@ -76,6 +77,7 @@ The default embedding model is `text-embedding-3-small` (1536 dimensions). This
 Search using vector similarity only.
 **Request:**
 ```json
 {
  "query": "database performance optimization",
@@ -84,10 +86,12 @@ Search using vector similarity only.
 ```
 **Query Parameters:**
 - `page` (optional): Page number (default: 1)
 - `limit` (optional): Results per page (default: 20)
 **Response:**
 ```json
 {
  "data": [
@@ -118,6 +122,7 @@ Search using vector similarity only.
 Combines vector similarity and full-text search using Reciprocal Rank Fusion (RRF).
 **Request:**
 ```json
 {
  "query": "indexing strategies",
@@ -126,6 +131,7 @@ Combines vector similarity and full-text search using Reciprocal Rank Fusion (RR
 ```
 **Benefits of Hybrid Search:**
 - Best of both worlds: semantic understanding + keyword matching
 - Better ranking for exact matches
 - Improved recall and precision
@@ -136,10 +142,12 @@ Combines vector similarity and full-text search using Reciprocal Rank Fusion (RR
 **POST** `/api/knowledge/embeddings/batch`
 Generate embeddings for all existing entries. Useful for:
 - Initial setup after enabling semantic search
 - Regenerating embeddings after model updates
 **Request:**
 ```json
 {
  "status": "PUBLISHED"
@@ -147,6 +155,7 @@ Generate embeddings for all existing entries. Useful for:
 ```
 **Response:**
 ```json
 {
  "message": "Generated 42 embeddings out of 45 entries",
@@ -169,6 +178,7 @@ The generation happens asynchronously to avoid blocking API responses.
 ### Content Preparation
 Before generating embeddings, content is prepared by:
 1. Combining title and content
 2. Weighting title more heavily (appears twice)
 3. This improves semantic matching on titles
@@ -206,6 +216,7 @@ RRF(d) = sum(1 / (k + rank_i))
 ```
 Where:
 - `d` = document
 - `k` = constant (60 is standard)
 - `rank_i` = rank from source i
@@ -213,6 +224,7 @@ Where:
 **Example:**
 Document ranks in two searches:
 - Vector search: rank 3
 - Keyword search: rank 1
@@ -225,6 +237,7 @@ Higher RRF score = better combined ranking.
 ### Index Parameters
 The HNSW index uses:
 - `m = 16`: Max connections per layer (balances accuracy/memory)
 - `ef_construction = 64`: Build quality (higher = more accurate, slower build)
@@ -237,6 +250,7 @@ The HNSW index uses:
 ### Cost (OpenAI API)
 Using `text-embedding-3-small`:
 - ~$0.00002 per 1000 tokens
 - Average entry (~500 tokens): $0.00001
 - 10,000 entries: ~$0.10
@@ -253,6 +267,7 @@ pnpm prisma migrate deploy
 ```
 This creates:
 - `knowledge_embeddings` table
 - Vector index on embeddings
@@ -312,6 +327,7 @@ curl -X POST http://localhost:3001/api/knowledge/search/hybrid \
 **Solutions:**
 1. Verify index exists and is being used:
   ```sql
   EXPLAIN ANALYZE
   SELECT * FROM knowledge_embeddings
--- a/docs/design/IMPLEMENTATION-M2-DATABASE.md
+++ b/docs/design/IMPLEMENTATION-M2-DATABASE.md
@@ -14,6 +14,7 @@ Added comprehensive team support for workspace collaboration:
 #### Schema Changes
 **New Enum:**
 ```prisma
 enum TeamMemberRole {
  OWNER
@@ -23,6 +24,7 @@ enum TeamMemberRole {
 ```
 **New Models:**
 ```prisma
 model Team {
  id          String   @id @default(uuid())
@@ -43,6 +45,7 @@ model TeamMember {
 ```
 **Updated Relations:**
 - `User.teamMemberships` - Access user's team memberships
 - `Workspace.teams` - Access workspace's teams
@@ -58,6 +61,7 @@ Implemented comprehensive RLS policies for complete tenant isolation:
 #### RLS-Enabled Tables (19 total)
 All tenant-scoped tables now have RLS enabled:
 - Core: `workspaces`, `workspace_members`, `teams`, `team_members`
 - Data: `tasks`, `events`, `projects`, `activity_logs`
 - Features: `domains`, `ideas`, `relationships`, `agents`, `agent_sessions`
@@ -75,6 +79,7 @@ Three utility functions for policy evaluation:
 #### Policy Pattern
 Consistent policy implementation across all tables:
 ```sql
 CREATE POLICY <table>_workspace_access ON <table>
  FOR ALL
@@ -88,6 +93,7 @@ Created helper utilities for easy RLS integration in the API layer:
 **File:** `apps/api/src/lib/db-context.ts`
 **Key Functions:**
 - `setCurrentUser(userId)` - Set user context for RLS
 - `withUserContext(userId, fn)` - Execute function with user context
 - `withUserTransaction(userId, fn)` - Transaction with user context
@@ -119,37 +125,37 @@ Created helper utilities for easy RLS integration in the API layer:
 ### In API Routes/Procedures
 ```typescript
-import { withUserContext } from '@/lib/db-context';
+import { withUserContext } from "@/lib/db-context";
 // Method 1: Explicit context
 export async function getTasks(userId: string, workspaceId: string) {
  return withUserContext(userId, async () => {
    return prisma.task.findMany({
-      where: { workspaceId }
+      where: { workspaceId },
    });
  });
 }
 // Method 2: HOF wrapper
-import { withAuth } from '@/lib/db-context';
+import { withAuth } from "@/lib/db-context";
 export const getTasks = withAuth(async ({ ctx, input }) => {
  return prisma.task.findMany({
-    where: { workspaceId: input.workspaceId }
+    where: { workspaceId: input.workspaceId },
  });
 });
 // Method 3: Transaction
-import { withUserTransaction } from '@/lib/db-context';
+import { withUserTransaction } from "@/lib/db-context";
 export async function createWorkspace(userId: string, name: string) {
  return withUserTransaction(userId, async (tx) => {
    const workspace = await tx.workspace.create({
-      data: { name, ownerId: userId }
+      data: { name, ownerId: userId },
    });
    await tx.workspaceMember.create({
-      data: { workspaceId: workspace.id, userId, role: 'OWNER' }
+      data: { workspaceId: workspace.id, userId, role: "OWNER" },
    });
    return workspace;
@@ -254,20 +260,18 @@ SELECT * FROM workspaces; -- Should only see user 2's workspaces
 ```typescript
 // In a test file
-import { withUserContext, verifyWorkspaceAccess } from '@/lib/db-context';
+import { withUserContext, verifyWorkspaceAccess } from "@/lib/db-context";
-describe('RLS Utilities', () => {
+describe("RLS Utilities", () => {
-  it('should isolate workspaces', async () => {
+  it("should isolate workspaces", async () => {
    const workspaces = await withUserContext(user1Id, async () => {
      return prisma.workspace.findMany();
    });
-    expect(workspaces.every(w => 
+    expect(workspaces.every((w) => w.members.some((m) => m.userId === user1Id))).toBe(true);
      w.members.some(m => m.userId === user1Id)
    )).toBe(true);
  });
-  it('should verify access', async () => {
+  it("should verify access", async () => {
    const hasAccess = await verifyWorkspaceAccess(userId, workspaceId);
    expect(hasAccess).toBe(true);
  });
--- a/docs/design/M2-DATABASE-COMPLETION.md
+++ b/docs/design/M2-DATABASE-COMPLETION.md
@@ -48,6 +48,7 @@ team_members (table)
 ```
 **Schema Relations Updated:**
 - `User.teamMemberships` → `TeamMember[]`
 - `Workspace.teams` → `Team[]`
@@ -57,12 +58,12 @@ team_members (table)
 **RLS Enabled on 19 Tables:**
-| Category | Tables |
+| Category      | Tables                                                                                                                   |
-|----------|--------|
+| ------------- | ------------------------------------------------------------------------------------------------------------------------ |
-| **Core** | workspaces, workspace_members, teams, team_members |
+| **Core**      | workspaces, workspace_members, teams, team_members                                                                       |
-| **Data** | tasks, events, projects, activity_logs, domains, ideas, relationships |
+| **Data**      | tasks, events, projects, activity_logs, domains, ideas, relationships                                                    |
-| **Agents** | agents, agent_sessions |
+| **Agents**    | agents, agent_sessions                                                                                                   |
-| **UI** | user_layouts |
+| **UI**        | user_layouts                                                                                                             |
 | **Knowledge** | knowledge_entries, knowledge_tags, knowledge_entry_tags, knowledge_links, knowledge_embeddings, knowledge_entry_versions |
 **Helper Functions Created:**
@@ -72,6 +73,7 @@ team_members (table)
 3. `is_workspace_admin(workspace_uuid, user_uuid)` - Checks admin access
 **Policy Coverage:**
 - ✅ Workspace isolation
 - ✅ Team access control
 - ✅ Automatic query filtering
@@ -84,27 +86,30 @@ team_members (table)
 **File:** `apps/api/src/lib/db-context.ts`
 **Core Functions:**
 ```typescript
-setCurrentUser(userId)              // Set RLS context
+setCurrentUser(userId); // Set RLS context
-clearCurrentUser()                  // Clear RLS context
+clearCurrentUser(); // Clear RLS context
-withUserContext(userId, fn)         // Execute with context
+withUserContext(userId, fn); // Execute with context
-withUserTransaction(userId, fn)     // Transaction + context
+withUserTransaction(userId, fn); // Transaction + context
-withAuth(handler)                   // HOF wrapper
+withAuth(handler); // HOF wrapper
-verifyWorkspaceAccess(userId, wsId) // Verify access
+verifyWorkspaceAccess(userId, wsId); // Verify access
-getUserWorkspaces(userId)           // Get workspaces
+getUserWorkspaces(userId); // Get workspaces
-isWorkspaceAdmin(userId, wsId)      // Check admin
+isWorkspaceAdmin(userId, wsId); // Check admin
-withoutRLS(fn)                      // System operations
+withoutRLS(fn); // System operations
-createAuthMiddleware()              // tRPC middleware
+createAuthMiddleware(); // tRPC middleware
 ```
 ### 4. Documentation
 **Created:**
 - `docs/design/multi-tenant-rls.md` - Complete RLS guide (8.9 KB)
 - `docs/design/IMPLEMENTATION-M2-DATABASE.md` - Implementation summary (8.4 KB)
 - `docs/design/M2-DATABASE-COMPLETION.md` - This completion report
 **Documentation Covers:**
 - Architecture overview
 - RLS implementation details
 - API integration patterns
@@ -118,6 +123,7 @@ createAuthMiddleware()              // tRPC middleware
 ## Verification Results
 ### Migration Status
 ```
 ✅ 7 migrations found in prisma/migrations
 ✅ Database schema is up to date!
@@ -126,19 +132,23 @@ createAuthMiddleware()              // tRPC middleware
 ### Files Created/Modified
 **Schema & Migrations:**
 - ✅ `apps/api/prisma/schema.prisma` (modified)
 - ✅ `apps/api/prisma/migrations/20260129220941_add_team_model/migration.sql` (created)
 - ✅ `apps/api/prisma/migrations/20260129221004_add_rls_policies/migration.sql` (created)
 **Utilities:**
 - ✅ `apps/api/src/lib/db-context.ts` (created, 7.2 KB)
 **Documentation:**
 - ✅ `docs/design/multi-tenant-rls.md` (created, 8.9 KB)
 - ✅ `docs/design/IMPLEMENTATION-M2-DATABASE.md` (created, 8.4 KB)
 - ✅ `docs/design/M2-DATABASE-COMPLETION.md` (created, this file)
 **Git Commit:**
 ```
 ✅ feat(multi-tenant): add Team model and RLS policies
   Commit: 244e50c
@@ -152,12 +162,12 @@ createAuthMiddleware()              // tRPC middleware
 ### Basic Usage
 ```typescript
-import { withUserContext } from '@/lib/db-context';
+import { withUserContext } from "@/lib/db-context";
 // All queries automatically filtered by RLS
 const tasks = await withUserContext(userId, async () => {
  return prisma.task.findMany({
-    where: { workspaceId }
+    where: { workspaceId },
  });
 });
 ```
@@ -165,15 +175,15 @@ const tasks = await withUserContext(userId, async () => {
 ### Transaction Pattern
 ```typescript
-import { withUserTransaction } from '@/lib/db-context';
+import { withUserTransaction } from "@/lib/db-context";
 const workspace = await withUserTransaction(userId, async (tx) => {
  const ws = await tx.workspace.create({
-    data: { name: 'New Workspace', ownerId: userId }
+    data: { name: "New Workspace", ownerId: userId },
  });
  await tx.workspaceMember.create({
-    data: { workspaceId: ws.id, userId, role: 'OWNER' }
+    data: { workspaceId: ws.id, userId, role: "OWNER" },
  });
  return ws;
@@ -183,11 +193,11 @@ const workspace = await withUserTransaction(userId, async (tx) => {
 ### tRPC Integration
 ```typescript
-import { withAuth } from '@/lib/db-context';
+import { withAuth } from "@/lib/db-context";
 export const getTasks = withAuth(async ({ ctx, input }) => {
  return prisma.task.findMany({
-    where: { workspaceId: input.workspaceId }
+    where: { workspaceId: input.workspaceId },
  });
 });
 ```
@@ -254,14 +264,17 @@ export const getTasks = withAuth(async ({ ctx, input }) => {
 ## Technical Details
 ### PostgreSQL Version
 - **Required:** PostgreSQL 12+ (for RLS support)
 - **Used:** PostgreSQL 17 (with pgvector extension)
 ### Prisma Version
 - **Client:** 6.19.2
 - **Migrations:** 7 total, all applied
 ### Performance Impact
 - **Minimal:** Indexed queries, cached functions
 - **Overhead:** <5% per query (estimated)
 - **Scalability:** Tested with workspace isolation
--- a/docs/design/README.md
+++ b/docs/design/README.md
@@ -5,6 +5,7 @@ Technical design documents for major Mosaic Stack features.
 ## Purpose
 Design documents serve as:
 - **Blueprints** for implementation
 - **Reference** for architectural decisions
 - **Communication** between team members
@@ -32,6 +33,7 @@ Each design document should include:
 Infrastructure for persistent task management and autonomous agent coordination. Enables long-running background work independent of user sessions.
 **Key Features:**
 - Task queue with priority scheduling
 - Agent health monitoring and automatic recovery
 - Checkpoint-based resumption for interrupted work
@@ -49,6 +51,7 @@ Infrastructure for persistent task management and autonomous agent coordination.
 Native knowledge management with wiki-style linking, semantic search, and graph visualization. Enables teams and agents to capture, connect, and query organizational knowledge.
 **Key Features:**
 - Wiki-style `[[links]]` between entries
 - Full-text and semantic (vector) search
 - Interactive knowledge graph visualization
@@ -79,6 +82,7 @@ When creating a new design document:
 Multi-instance federation enabling cross-organization collaboration, work/personal separation, and enterprise control with data sovereignty.
 **Key Features:**
 - Peer-to-peer federation (every instance can be master and/or spoke)
 - Authentik integration for enterprise SSO and RBAC
 - Agent Federation Protocol for cross-instance queries and commands
--- a/docs/design/agent-orchestration.md
+++ b/docs/design/agent-orchestration.md
@@ -87,14 +87,14 @@ The Agent Orchestration Layer must provide:
 ### Component Responsibilities
-| Component | Responsibility |
+| Component         | Responsibility                                                  |
-|-----------|----------------|
+| ----------------- | --------------------------------------------------------------- |
-| **Task Manager** | CRUD operations on tasks, state transitions, assignment logic |
+| **Task Manager**  | CRUD operations on tasks, state transitions, assignment logic   |
-| **Agent Manager** | Agent lifecycle, health tracking, session management |
+| **Agent Manager** | Agent lifecycle, health tracking, session management            |
-| **Coordinator** | Heartbeat processing, failure detection, recovery orchestration |
+| **Coordinator**   | Heartbeat processing, failure detection, recovery orchestration |
-| **PostgreSQL** | Persistent storage of tasks, agents, sessions, logs |
+| **PostgreSQL**    | Persistent storage of tasks, agents, sessions, logs             |
-| **Valkey/Redis** | Runtime state, heartbeats, quick lookups, pub/sub |
+| **Valkey/Redis**  | Runtime state, heartbeats, quick lookups, pub/sub               |
-| **Gateway** | Agent spawning, session management, message routing |
+| **Gateway**       | Agent spawning, session management, message routing             |
 ---
@@ -310,6 +310,7 @@ CREATE INDEX idx_agents_coordinator ON agents(coordinator_enabled) WHERE coordin
 ## Valkey/Redis Key Patterns
 Valkey is used for:
 - **Real-time state** (fast reads/writes)
 - **Pub/Sub messaging** (coordination events)
 - **Distributed locks** (prevent race conditions)
@@ -392,14 +393,14 @@ EXPIRE session:context:{session_key} 3600
 ### Data Lifecycle
-| Key Type | TTL | Cleanup Strategy |
+| Key Type             | TTL  | Cleanup Strategy                            |
-|----------|-----|------------------|
+| -------------------- | ---- | ------------------------------------------- |
-| `agent:heartbeat:*` | 60s | Auto-expire |
+| `agent:heartbeat:*`  | 60s  | Auto-expire                                 |
-| `agent:status:*` | None | Delete on agent termination |
+| `agent:status:*`     | None | Delete on agent termination                 |
-| `session:context:*` | 1h | Auto-expire |
+| `session:context:*`  | 1h   | Auto-expire                                 |
-| `tasks:pending:*` | None | Remove on assignment |
+| `tasks:pending:*`    | None | Remove on assignment                        |
-| `coordinator:lock:*` | 30s | Auto-expire (renewed by active coordinator) |
+| `coordinator:lock:*` | 30s  | Auto-expire (renewed by active coordinator) |
-| `task:assign_lock:*` | 5s | Auto-expire after assignment |
+| `task:assign_lock:*` | 5s   | Auto-expire after assignment                |
 ---
@@ -556,10 +557,10 @@ export class CoordinatorService {
  ) {}
  // Main coordination loop
-  @Cron('*/30 * * * * *')  // Every 30 seconds
+  @Cron("*/30 * * * * *") // Every 30 seconds
  async coordinate() {
-    if (!await this.acquireLock()) {
+    if (!(await this.acquireLock())) {
-      return;  // Another coordinator is active
+      return; // Another coordinator is active
    }
    try {
@@ -568,7 +569,7 @@ export class CoordinatorService {
      await this.resolveDependencies();
      await this.recoverFailedTasks();
    } catch (error) {
-      this.logger.error('Coordination cycle failed', error);
+      this.logger.error("Coordination cycle failed", error);
    } finally {
      await this.releaseLock();
    }
@@ -579,12 +580,12 @@ export class CoordinatorService {
    const lockKey = `coordinator:lock:global`;
    const result = await this.valkey.set(
      lockKey,
-      process.env.HOSTNAME || 'coordinator',
+      process.env.HOSTNAME || "coordinator",
-      'NX',
+      "NX",
-      'EX',
+      "EX",
      30
    );
-    return result === 'OK';
+    return result === "OK";
  }
  // Check agent heartbeats and mark stale
@@ -615,14 +616,13 @@ export class CoordinatorService {
    const workspaces = await this.getActiveWorkspaces();
    for (const workspace of workspaces) {
-      const pendingTasks = await this.taskManager.getPendingTasks(
+      const pendingTasks = await this.taskManager.getPendingTasks(workspace.id, {
-        workspace.id,
+        orderBy: { priority: "desc", createdAt: "asc" },
-        { orderBy: { priority: 'desc', createdAt: 'asc' } }
+      });
      );
      for (const task of pendingTasks) {
        // Check dependencies
-        if (!await this.areDependenciesMet(task)) {
+        if (!(await this.areDependenciesMet(task))) {
          continue;
        }
@@ -651,7 +651,7 @@ export class CoordinatorService {
    const tasks = await this.taskManager.getTasksForAgent(agent.id);
    for (const task of tasks) {
-      await this.recoverTask(task, 'agent_stale');
+      await this.recoverTask(task, "agent_stale");
    }
  }
@@ -659,36 +659,36 @@ export class CoordinatorService {
  private async recoverTask(task: AgentTask, reason: string) {
    // Log the failure
    await this.taskManager.logTaskEvent(task.id, {
-      level: 'ERROR',
+      level: "ERROR",
-      event: 'task_recovery',
+      event: "task_recovery",
      message: `Task recovery initiated: ${reason}`,
      previousStatus: task.status,
-      newStatus: 'ABORTED'
+      newStatus: "ABORTED",
    });
    // Check retry limit
    if (task.retryCount >= task.maxRetries) {
      await this.taskManager.updateTask(task.id, {
-        status: 'FAILED',
+        status: "FAILED",
        lastError: `Max retries exceeded (${task.retryCount}/${task.maxRetries})`,
-        failedAt: new Date()
+        failedAt: new Date(),
      });
      return;
    }
    // Abort current assignment
    await this.taskManager.updateTask(task.id, {
-      status: 'ABORTED',
+      status: "ABORTED",
      agentId: null,
      sessionKey: null,
-      retryCount: task.retryCount + 1
+      retryCount: task.retryCount + 1,
    });
    // Wait for backoff period before requeuing
    const backoffMs = task.retryBackoffSeconds * 1000 * Math.pow(2, task.retryCount);
    setTimeout(async () => {
      await this.taskManager.updateTask(task.id, {
-        status: 'PENDING'
+        status: "PENDING",
      });
    }, backoffMs);
  }
@@ -697,18 +697,18 @@ export class CoordinatorService {
  private async assignTask(task: AgentTask, agent: Agent) {
    // Acquire assignment lock
    const lockKey = `task:assign_lock:${task.id}`;
-    const locked = await this.valkey.set(lockKey, agent.id, 'NX', 'EX', 5);
+    const locked = await this.valkey.set(lockKey, agent.id, "NX", "EX", 5);
    if (!locked) {
-      return;  // Another coordinator already assigned this task
+      return; // Another coordinator already assigned this task
    }
    try {
      // Update task
      await this.taskManager.updateTask(task.id, {
-        status: 'ASSIGNED',
+        status: "ASSIGNED",
        agentId: agent.id,
-        assignedAt: new Date()
+        assignedAt: new Date(),
      });
      // Spawn agent session via Gateway
@@ -717,16 +717,16 @@ export class CoordinatorService {
      // Update task with session
      await this.taskManager.updateTask(task.id, {
        sessionKey: session.sessionKey,
-        status: 'RUNNING',
+        status: "RUNNING",
-        startedAt: new Date()
+        startedAt: new Date(),
      });
      // Log assignment
      await this.taskManager.logTaskEvent(task.id, {
-        level: 'INFO',
+        level: "INFO",
-        event: 'task_assigned',
+        event: "task_assigned",
        message: `Task assigned to agent ${agent.id}`,
-        details: { agentId: agent.id, sessionKey: session.sessionKey }
+        details: { agentId: agent.id, sessionKey: session.sessionKey },
      });
    } finally {
      await this.valkey.del(lockKey);
@@ -737,8 +737,8 @@ export class CoordinatorService {
  private async spawnAgentSession(agent: Agent, task: AgentTask): Promise<AgentSession> {
    // Call Gateway API to spawn subagent with task context
    const response = await fetch(`${process.env.GATEWAY_URL}/api/agents/spawn`, {
-      method: 'POST',
+      method: "POST",
-      headers: { 'Content-Type': 'application/json' },
+      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
        workspaceId: task.workspaceId,
        agentId: agent.id,
@@ -748,9 +748,9 @@ export class CoordinatorService {
          taskTitle: task.title,
          taskDescription: task.description,
          inputContext: task.inputContext,
-          checkpointData: task.checkpointData
+          checkpointData: task.checkpointData,
-        }
+        },
-      })
+      }),
    });
    const data = await response.json();
@@ -811,10 +811,12 @@ export class CoordinatorService {
 **Scenario:** Agent crashes mid-task.
 **Detection:**
 - Heartbeat TTL expires in Valkey
 - Coordinator detects missing heartbeat
 **Recovery:**
 1. Mark agent as `ERROR` in database
 2. Abort assigned tasks with `status = ABORTED`
 3. Log failure with stack trace (if available)
@@ -827,10 +829,12 @@ export class CoordinatorService {
 **Scenario:** Gateway restarts, killing all agent sessions.
 **Detection:**
 - All agent heartbeats stop simultaneously
 - Coordinator detects mass stale agents
 **Recovery:**
 1. Coordinator marks all `RUNNING` tasks as `ABORTED`
 2. Tasks with `checkpointData` can resume from last checkpoint
 3. Tasks without checkpoints restart from scratch
@@ -841,10 +845,12 @@ export class CoordinatorService {
 **Scenario:** Task A depends on Task B, which depends on Task A (circular dependency).
 **Detection:**
 - Coordinator builds dependency graph
 - Detects cycles during `resolveDependencies()`
 **Recovery:**
 1. Log `ERROR` with cycle details
 2. Mark all tasks in cycle as `FAILED` with reason `dependency_cycle`
 3. Notify workspace owner via webhook
@@ -854,9 +860,11 @@ export class CoordinatorService {
 **Scenario:** PostgreSQL becomes unavailable.
 **Detection:**
 - Prisma query fails with connection error
 **Recovery:**
 1. Coordinator catches error, logs to stderr
 2. Releases lock (allowing failover to another instance)
 3. Retries with exponential backoff: 5s, 10s, 20s, 40s
@@ -867,14 +875,17 @@ export class CoordinatorService {
 **Scenario:** Network partition causes two coordinators to run simultaneously.
 **Prevention:**
 - Distributed lock in Valkey with 30s TTL
 - Coordinators must renew lock every cycle
 - Only one coordinator can hold lock at a time
 **Detection:**
 - Task assigned to multiple agents (conflict detection)
 **Recovery:**
 1. Newer assignment wins (based on `assignedAt` timestamp)
 2. Cancel older session
 3. Log conflict for investigation
@@ -884,10 +895,12 @@ export class CoordinatorService {
 **Scenario:** Task runs longer than `estimatedCompletionAt + grace period`.
 **Detection:**
 - Coordinator checks `estimatedCompletionAt` field
 - If exceeded by >30 minutes, mark as potentially hung
 **Recovery:**
 1. Send warning to agent session (via pub/sub)
 2. If no progress update in 10 minutes, abort task
 3. Log timeout error
@@ -902,6 +915,7 @@ export class CoordinatorService {
 **Goal:** Basic task and agent models, no coordination yet.
 **Deliverables:**
 - [ ] Database schema migration (tables, indexes)
 - [ ] Prisma models for `AgentTask`, `AgentTaskLog`, `AgentHeartbeat`
 - [ ] Basic CRUD API endpoints for tasks
@@ -909,6 +923,7 @@ export class CoordinatorService {
 - [ ] Manual task assignment (no automation)
 **Testing:**
 - Unit tests for task state machine
 - Integration tests for task CRUD
 - Manual testing: create task, assign to agent, complete
@@ -918,6 +933,7 @@ export class CoordinatorService {
 **Goal:** Autonomous coordinator with health monitoring.
 **Deliverables:**
 - [ ] `CoordinatorService` with distributed locking
 - [ ] Health monitoring (heartbeat TTL checks)
 - [ ] Automatic task assignment to available agents
@@ -925,6 +941,7 @@ export class CoordinatorService {
 - [ ] Pub/Sub for coordination events
 **Testing:**
 - Unit tests for coordinator logic
 - Integration tests with Valkey
 - Chaos testing: kill agents, verify recovery
@@ -935,6 +952,7 @@ export class CoordinatorService {
 **Goal:** Fault-tolerant operation with automatic recovery.
 **Deliverables:**
 - [ ] Agent failure detection and task recovery
 - [ ] Exponential backoff for retries
 - [ ] Checkpoint/resume support for long-running tasks
@@ -942,6 +960,7 @@ export class CoordinatorService {
 - [ ] Deadlock detection
 **Testing:**
 - Fault injection: kill agents, restart Gateway
 - Dependency cycle testing
 - Retry exhaustion testing
@@ -952,6 +971,7 @@ export class CoordinatorService {
 **Goal:** Full visibility into orchestration state.
 **Deliverables:**
 - [ ] Coordinator status dashboard
 - [ ] Task progress tracking UI
 - [ ] Real-time logs API
@@ -959,6 +979,7 @@ export class CoordinatorService {
 - [ ] Webhook integration for external monitoring
 **Testing:**
 - Load testing with metrics collection
 - Dashboard usability testing
 - Webhook reliability testing
@@ -968,6 +989,7 @@ export class CoordinatorService {
 **Goal:** Production-grade features.
 **Deliverables:**
 - [ ] Task prioritization algorithms (SJF, priority queues)
 - [ ] Agent capability matching (skills-based routing)
 - [ ] Task batching (group similar tasks)
@@ -1018,15 +1040,15 @@ async getTasks(userId: string, workspaceId: string) {
 ### Key Metrics
-| Metric | Description | Alert Threshold |
+| Metric                           | Description                       | Alert Threshold |
-|--------|-------------|-----------------|
+| -------------------------------- | --------------------------------- | --------------- |
-| `coordinator.cycle.duration_ms` | Coordination cycle execution time | >5000ms |
+| `coordinator.cycle.duration_ms`  | Coordination cycle execution time | >5000ms         |
-| `coordinator.stale_agents.count` | Number of stale agents detected | >5 |
+| `coordinator.stale_agents.count` | Number of stale agents detected   | >5              |
-| `tasks.pending.count` | Tasks waiting for assignment | >50 |
+| `tasks.pending.count`            | Tasks waiting for assignment      | >50             |
-| `tasks.failed.count` | Total failed tasks (last 1h) | >10 |
+| `tasks.failed.count`             | Total failed tasks (last 1h)      | >10             |
-| `tasks.retry.exhausted.count` | Tasks exceeding max retries | >0 |
+| `tasks.retry.exhausted.count`    | Tasks exceeding max retries       | >0              |
-| `agents.spawned.count` | Agent spawn rate | >100/min |
+| `agents.spawned.count`           | Agent spawn rate                  | >100/min        |
-| `valkey.connection.errors` | Valkey connection failures | >0 |
+| `valkey.connection.errors`       | Valkey connection failures        | >0              |
 ### Health Checks
@@ -1053,25 +1075,25 @@ GET /health/coordinator
 ```typescript
 // Main agent creates a development task
-const task = await fetch('/api/v1/agent-tasks', {
+const task = await fetch("/api/v1/agent-tasks", {
-  method: 'POST',
+  method: "POST",
  headers: {
-    'Content-Type': 'application/json',
+    "Content-Type": "application/json",
-    'Authorization': `Bearer ${sessionToken}`
+    Authorization: `Bearer ${sessionToken}`,
  },
  body: JSON.stringify({
-    title: 'Fix TypeScript strict errors in U-Connect',
+    title: "Fix TypeScript strict errors in U-Connect",
-    description: 'Run tsc --noEmit, fix all errors, commit changes',
+    description: "Run tsc --noEmit, fix all errors, commit changes",
-    taskType: 'development',
+    taskType: "development",
    priority: 8,
    inputContext: {
-      repository: 'u-connect',
+      repository: "u-connect",
-      branch: 'main',
+      branch: "main",
-      commands: ['pnpm install', 'pnpm tsc:check']
+      commands: ["pnpm install", "pnpm tsc:check"],
    },
    maxRetries: 2,
-    estimatedDurationMinutes: 30
+    estimatedDurationMinutes: 30,
-  })
+  }),
 });
 const { id } = await task.json();
@@ -1084,19 +1106,19 @@ console.log(`Task created: ${id}`);
 // Subagent sends heartbeat every 30s
 setInterval(async () => {
  await fetch(`/api/v1/agents/${agentId}/heartbeat`, {
-    method: 'POST',
+    method: "POST",
    headers: {
-      'Content-Type': 'application/json',
+      "Content-Type": "application/json",
-      'Authorization': `Bearer ${agentToken}`
+      Authorization: `Bearer ${agentToken}`,
    },
    body: JSON.stringify({
-      status: 'healthy',
+      status: "healthy",
      currentTaskId: taskId,
      progressPercent: 45,
-      currentStep: 'Running tsc --noEmit',
+      currentStep: "Running tsc --noEmit",
      memoryMb: 512,
-      cpuPercent: 35
+      cpuPercent: 35,
-    })
+    }),
  });
 }, 30000);
 ```
@@ -1106,20 +1128,20 @@ setInterval(async () => {
 ```typescript
 // Agent updates task progress
 await fetch(`/api/v1/agent-tasks/${taskId}/progress`, {
-  method: 'PATCH',
+  method: "PATCH",
  headers: {
-    'Content-Type': 'application/json',
+    "Content-Type": "application/json",
-    'Authorization': `Bearer ${agentToken}`
+    Authorization: `Bearer ${agentToken}`,
  },
  body: JSON.stringify({
    progressPercent: 70,
-    currentStep: 'Fixing type errors in packages/shared',
+    currentStep: "Fixing type errors in packages/shared",
    checkpointData: {
      filesProcessed: 15,
      errorsFixed: 8,
-      remainingFiles: 5
+      remainingFiles: 5,
-    }
+    },
-  })
+  }),
 });
 ```
@@ -1128,20 +1150,20 @@ await fetch(`/api/v1/agent-tasks/${taskId}/progress`, {
 ```typescript
 // Agent marks task complete
 await fetch(`/api/v1/agent-tasks/${taskId}/complete`, {
-  method: 'POST',
+  method: "POST",
  headers: {
-    'Content-Type': 'application/json',
+    "Content-Type": "application/json",
-    'Authorization': `Bearer ${agentToken}`
+    Authorization: `Bearer ${agentToken}`,
  },
  body: JSON.stringify({
    outputResult: {
      filesModified: 20,
      errorsFixed: 23,
-      commitHash: 'abc123',
+      commitHash: "abc123",
-      buildStatus: 'passing'
+      buildStatus: "passing",
    },
-    summary: 'All TypeScript strict errors resolved. Build passing.'
+    summary: "All TypeScript strict errors resolved. Build passing.",
-  })
+  }),
 });
 ```
@@ -1149,17 +1171,17 @@ await fetch(`/api/v1/agent-tasks/${taskId}/complete`, {
 ## Glossary
-| Term | Definition |
+| Term              | Definition                                                         |
-|------|------------|
+| ----------------- | ------------------------------------------------------------------ |
-| **Agent** | Autonomous AI instance (e.g., Claude subagent) that executes tasks |
+| **Agent**         | Autonomous AI instance (e.g., Claude subagent) that executes tasks |
-| **Task** | Unit of work to be executed by an agent |
+| **Task**          | Unit of work to be executed by an agent                            |
-| **Coordinator** | Background service that assigns tasks and monitors agent health |
+| **Coordinator**   | Background service that assigns tasks and monitors agent health    |
-| **Heartbeat** | Periodic signal from agent indicating it's alive and working |
+| **Heartbeat**     | Periodic signal from agent indicating it's alive and working       |
-| **Stale Agent** | Agent that has stopped sending heartbeats (assumed dead) |
+| **Stale Agent**   | Agent that has stopped sending heartbeats (assumed dead)           |
-| **Checkpoint** | Snapshot of task state allowing resumption after failure |
+| **Checkpoint**    | Snapshot of task state allowing resumption after failure           |
-| **Workspace** | Tenant isolation boundary (all tasks belong to a workspace) |
+| **Workspace**     | Tenant isolation boundary (all tasks belong to a workspace)        |
-| **Session** | Gateway-managed connection between user and agent |
+| **Session**       | Gateway-managed connection between user and agent                  |
-| **Orchestration** | Automated coordination of multiple agents working on tasks |
+| **Orchestration** | Automated coordination of multiple agents working on tasks         |
 ---
@@ -1174,6 +1196,7 @@ await fetch(`/api/v1/agent-tasks/${taskId}/complete`, {
 ---
 **Next Steps:**
 1. Review and approve this design document
 2. Create GitHub issues for Phase 1 tasks
 3. Set up development branch: `feature/agent-orchestration`
--- a/docs/design/architecture-decisions.md
+++ b/docs/design/architecture-decisions.md
@@ -67,12 +67,14 @@ Mosaic Stack needs to integrate with AI agents (currently ClawdBot, formerly Mol
 ### Consequences
 **Positive:**
 - Platform independence
 - Multiple integration paths
 - Clear separation of concerns
 - Easier testing (API-level tests)
 **Negative:**
 - Extra network hop for agent access
 - Need to maintain both API and skill code
 - Slightly more initial work
@@ -80,8 +82,8 @@ Mosaic Stack needs to integrate with AI agents (currently ClawdBot, formerly Mol
 ### Related Issues
 - #22: Brain query API endpoint (API-first ✓)
- #23-26: mosaic-plugin-* → rename to mosaic-skill-* (thin wrappers)
+- #23-26: mosaic-plugin-_ → rename to mosaic-skill-_ (thin wrappers)
 ---
-*Future ADRs will be added to this document.*
+_Future ADRs will be added to this document._
--- a/docs/design/federation-architecture.md
+++ b/docs/design/federation-architecture.md
@@ -52,6 +52,7 @@
 ### Peer-to-Peer Federation Model
 Every Mosaic Stack instance is a **peer** that can simultaneously act as:
 - **Master** — Control and query downstream spokes
 - **Spoke** — Expose capabilities to upstream masters
@@ -120,15 +121,15 @@ Every Mosaic Stack instance is a **peer** that can simultaneously act as:
 Authentik provides enterprise-grade identity management:
-| Feature | Purpose |
+| Feature            | Purpose                          |
-|---------|---------|
+| ------------------ | -------------------------------- |
-| **OIDC/SAML** | Single sign-on across instances |
+| **OIDC/SAML**      | Single sign-on across instances  |
-| **User Directory** | Centralized user management |
+| **User Directory** | Centralized user management      |
-| **Groups** | Team/department organization |
+| **Groups**         | Team/department organization     |
-| **RBAC** | Role-based access control |
+| **RBAC**           | Role-based access control        |
-| **Audit Logs** | Compliance and security tracking |
+| **Audit Logs**     | Compliance and security tracking |
-| **MFA** | Multi-factor authentication |
+| **MFA**            | Multi-factor authentication      |
-| **Federation** | Trust between external IdPs |
+| **Federation**     | Trust between external IdPs      |
 ### Auth Architecture
@@ -199,6 +200,7 @@ When federating between instances with different IdPs:
 ```
 **Identity Mapping:**
 - Same email = same person (by convention)
 - Explicit identity linking via federation protocol
 - No implicit access—must be granted per instance
@@ -297,11 +299,7 @@ When federating between instances with different IdPs:
      "returns": "Workspace[]"
    }
  ],
-  "eventSubscriptions": [
+  "eventSubscriptions": ["calendar.reminder", "tasks.assigned", "tasks.completed"]
    "calendar.reminder",
    "tasks.assigned",
    "tasks.completed"
  ]
 }
 ```
@@ -467,19 +465,19 @@ Instance
 ### Role Permissions Matrix
-| Permission | Owner | Admin | Member | Viewer | Guest |
+| Permission          | Owner | Admin | Member | Viewer | Guest |
-|------------|-------|-------|--------|--------|-------|
+| ------------------- | ----- | ----- | ------ | ------ | ----- |
-| View workspace | ✓ | ✓ | ✓ | ✓ | ✓* |
+| View workspace      | ✓     | ✓     | ✓      | ✓      | ✓\*   |
-| Create content | ✓ | ✓ | ✓ | ✗ | ✗ |
+| Create content      | ✓     | ✓     | ✓      | ✗      | ✗     |
-| Edit content | ✓ | ✓ | ✓ | ✗ | ✗ |
+| Edit content        | ✓     | ✓     | ✓      | ✗      | ✗     |
-| Delete content | ✓ | ✓ | ✗ | ✗ | ✗ |
+| Delete content      | ✓     | ✓     | ✗      | ✗      | ✗     |
-| Manage members | ✓ | ✓ | ✗ | ✗ | ✗ |
+| Manage members      | ✓     | ✓     | ✗      | ✗      | ✗     |
-| Manage teams | ✓ | ✓ | ✗ | ✗ | ✗ |
+| Manage teams        | ✓     | ✓     | ✗      | ✗      | ✗     |
-| Configure workspace | ✓ | ✗ | ✗ | ✗ | ✗ |
+| Configure workspace | ✓     | ✗     | ✗      | ✗      | ✗     |
-| Delete workspace | ✓ | ✗ | ✗ | ✗ | ✗ |
+| Delete workspace    | ✓     | ✗     | ✗      | ✗      | ✗     |
-| Manage federation | ✓ | ✗ | ✗ | ✗ | ✗ |
+| Manage federation   | ✓     | ✗     | ✗      | ✗      | ✗     |
-*Guest: scoped to specific shared items only
+\*Guest: scoped to specific shared items only
 ### Federation RBAC
@@ -503,6 +501,7 @@ Cross-instance access is always scoped and limited:
 ```
 **Key Constraints:**
 - Federated users cannot exceed `maxRole` (e.g., member can't become admin)
 - Access limited to `scopedWorkspaces` only
 - Capabilities are explicitly allowlisted
@@ -545,14 +544,14 @@ Cross-instance access is always scoped and limited:
 ### What's Stored vs Queried
-| Data Type | Home Instance | Work Instance | Notes |
+| Data Type           | Home Instance      | Work Instance | Notes                  |
-|-----------|---------------|---------------|-------|
+| ------------------- | ------------------ | ------------- | ---------------------- |
-| Personal tasks | ✓ Stored | — | Only at home |
+| Personal tasks      | ✓ Stored           | —             | Only at home           |
-| Work tasks | Queried live | ✓ Stored | Never replicated |
+| Work tasks          | Queried live       | ✓ Stored      | Never replicated       |
-| Personal calendar | ✓ Stored | — | Only at home |
+| Personal calendar   | ✓ Stored           | —             | Only at home           |
-| Work calendar | Queried live | ✓ Stored | Never replicated |
+| Work calendar       | Queried live       | ✓ Stored      | Never replicated       |
-| Federation metadata | ✓ Stored | ✓ Stored | Connection config only |
+| Federation metadata | ✓ Stored           | ✓ Stored      | Connection config only |
-| Query results cache | Ephemeral (5m TTL) | — | Optional, short-lived |
+| Query results cache | Ephemeral (5m TTL) | —             | Optional, short-lived  |
 ### Severance Procedure
@@ -581,6 +580,7 @@ Result:
 **Goal:** Multi-instance awareness, basic federation protocol
 **Deliverables:**
 - [ ] Instance identity model (instanceId, URL, public key)
 - [ ] Federation connection database schema
 - [ ] Basic CONNECT/DISCONNECT protocol
@@ -588,6 +588,7 @@ Result:
 - [ ] Query/Command message handling (stub)
 **Testing:**
 - Two local instances can connect
 - Connection persists across restarts
 - Disconnect cleans up properly
@@ -597,6 +598,7 @@ Result:
 **Goal:** Enterprise SSO with RBAC
 **Deliverables:**
 - [ ] Authentik OIDC provider setup guide
 - [ ] BetterAuth Authentik adapter
 - [ ] Group → Role mapping
@@ -604,6 +606,7 @@ Result:
 - [ ] Audit logging for auth events
 **Testing:**
 - Login via Authentik works
 - Groups map to roles correctly
 - Session isolation between workspaces
@@ -613,6 +616,7 @@ Result:
 **Goal:** Full query/command capability
 **Deliverables:**
 - [ ] QUERY message type with response streaming
 - [ ] COMMAND message type with async support
 - [ ] EVENT subscription and delivery
@@ -620,6 +624,7 @@ Result:
 - [ ] Error handling and retry logic
 **Testing:**
 - Master can query spoke calendar
 - Master can create tasks on spoke
 - Events push from spoke to master
@@ -630,6 +635,7 @@ Result:
 **Goal:** Unified dashboard showing all instances
 **Deliverables:**
 - [ ] Connection manager UI
 - [ ] Aggregated calendar view
 - [ ] Aggregated task view
@@ -637,6 +643,7 @@ Result:
 - [ ] Visual provenance tagging (color/icon per instance)
 **Testing:**
 - Dashboard shows data from multiple instances
 - Clear visual distinction between sources
 - Offline instance shows gracefully
@@ -646,12 +653,14 @@ Result:
 **Goal:** Cross-instance agent coordination
 **Deliverables:**
 - [ ] Agent spawn command via federation
 - [ ] Callback mechanism for results
 - [ ] Agent status querying across instances
 - [ ] Cross-instance task assignment
 **Testing:**
 - Home agent can spawn task on work instance
 - Results callback works
 - Agent health visible across instances
@@ -661,6 +670,7 @@ Result:
 **Goal:** Production-ready for organizations
 **Deliverables:**
 - [ ] Admin console for federation management
 - [ ] Compliance audit reports
 - [ ] Rate limiting and quotas
@@ -673,24 +683,24 @@ Result:
 ### Semantic Versioning Policy
-| Version | Meaning |
+| Version | Meaning                                                                     |
-|---------|---------|
+| ------- | --------------------------------------------------------------------------- |
-| `0.0.x` | Active development, breaking changes expected, internal use only |
+| `0.0.x` | Active development, breaking changes expected, internal use only            |
-| `0.1.0` | **MVP** — First user-testable release, core features working |
+| `0.1.0` | **MVP** — First user-testable release, core features working                |
-| `0.x.y` | Pre-stable iteration, API may change with notice |
+| `0.x.y` | Pre-stable iteration, API may change with notice                            |
 | `1.0.0` | Stable release, public API contract, breaking changes require major version |
 ### Version Milestones
-| Version | Target | Features |
+| Version | Target     | Features                               |
-|---------|--------|----------|
+| ------- | ---------- | -------------------------------------- |
-| 0.0.1 | Design | This document |
+| 0.0.1   | Design     | This document                          |
-| 0.0.5 | Foundation | Basic federation protocol |
+| 0.0.5   | Foundation | Basic federation protocol              |
-| 0.0.10 | Auth | Authentik integration |
+| 0.0.10  | Auth       | Authentik integration                  |
-| 0.1.0 | **MVP** | Single pane of glass, basic federation |
+| 0.1.0   | **MVP**    | Single pane of glass, basic federation |
-| 0.2.0 | Agents | Cross-instance agent coordination |
+| 0.2.0   | Agents     | Cross-instance agent coordination      |
-| 0.3.0 | Enterprise | Admin console, compliance |
+| 0.3.0   | Enterprise | Admin console, compliance              |
-| 1.0.0 | Stable | Production-ready, API frozen |
+| 1.0.0   | Stable     | Production-ready, API frozen           |
 ---
@@ -804,18 +814,18 @@ DELETE /api/v1/federation/spoke/masters/:instanceId
 ## Glossary
-| Term | Definition |
+| Term           | Definition                                                     |
-|------|------------|
+| -------------- | -------------------------------------------------------------- |
-| **Instance** | A single Mosaic Stack deployment |
+| **Instance**   | A single Mosaic Stack deployment                               |
-| **Master** | Instance that initiates connection and queries spoke |
+| **Master**     | Instance that initiates connection and queries spoke           |
-| **Spoke** | Instance that accepts connections and serves data |
+| **Spoke**      | Instance that accepts connections and serves data              |
-| **Peer** | An instance that can be both master and spoke |
+| **Peer**       | An instance that can be both master and spoke                  |
-| **Federation** | Network of connected Mosaic Stack instances |
+| **Federation** | Network of connected Mosaic Stack instances                    |
-| **Scope** | Permission to perform specific actions (e.g., `calendar.read`) |
+| **Scope**      | Permission to perform specific actions (e.g., `calendar.read`) |
-| **Capability** | API endpoint exposed by a spoke |
+| **Capability** | API endpoint exposed by a spoke                                |
-| **Provenance** | Source attribution for data (which instance it came from) |
+| **Provenance** | Source attribution for data (which instance it came from)      |
-| **Severance** | Clean disconnection with no data cleanup required |
+| **Severance**  | Clean disconnection with no data cleanup required              |
-| **IdP** | Identity Provider (e.g., Authentik) |
+| **IdP**        | Identity Provider (e.g., Authentik)                            |
 ---
@@ -840,6 +850,7 @@ DELETE /api/v1/federation/spoke/masters/:instanceId
 ---
 **Next Steps:**
 1. Review and approve this design document
 2. Create GitHub issues for Phase 1 tasks
 3. Set up Authentik development instance
--- a/docs/design/knowledge-module-issues.md
+++ b/docs/design/knowledge-module-issues.md
@@ -27,6 +27,7 @@ Build a native knowledge management module for Mosaic Stack with wiki-style link
 Create Prisma schema and migrations for the Knowledge module.
 **Acceptance Criteria:**
 - [ ] `KnowledgeEntry` model with all fields
 - [ ] `KnowledgeEntryVersion` model for history
 - [ ] `KnowledgeLink` model for wiki-links
@@ -37,6 +38,7 @@ Create Prisma schema and migrations for the Knowledge module.
 - [ ] Seed data for testing
 **Technical Notes:**
 - Reference design doc for full schema
 - Ensure `@@unique([workspaceId, slug])` constraint
 - Add `search_vector` column for full-text search
@@ -54,6 +56,7 @@ Create Prisma schema and migrations for the Knowledge module.
 Implement RESTful API for knowledge entry management.
 **Acceptance Criteria:**
 - [ ] `POST /api/knowledge/entries` - Create entry
 - [ ] `GET /api/knowledge/entries` - List entries (paginated, filterable)
 - [ ] `GET /api/knowledge/entries/:slug` - Get single entry
@@ -64,6 +67,7 @@ Implement RESTful API for knowledge entry management.
 - [ ] OpenAPI/Swagger documentation
 **Technical Notes:**
 - Follow existing Mosaic API patterns
 - Use `@WorkspaceGuard()` for tenant isolation
 - Slug generation from title with collision handling
@@ -80,6 +84,7 @@ Implement RESTful API for knowledge entry management.
 Implement tag CRUD and entry-tag associations.
 **Acceptance Criteria:**
 - [ ] `GET /api/knowledge/tags` - List workspace tags
 - [ ] `POST /api/knowledge/tags` - Create tag
 - [ ] `PUT /api/knowledge/tags/:slug` - Update tag
@@ -100,6 +105,7 @@ Implement tag CRUD and entry-tag associations.
 Render markdown content to HTML with caching.
 **Acceptance Criteria:**
 - [ ] Markdown-to-HTML conversion on entry save
 - [ ] Support GFM (tables, task lists, strikethrough)
 - [ ] Code syntax highlighting (highlight.js or Shiki)
@@ -108,6 +114,7 @@ Render markdown content to HTML with caching.
 - [ ] Invalidate cache on content update
 **Technical Notes:**
 - Use `marked` or `remark` for parsing
 - Wiki-links (`[[...]]`) parsed but not resolved yet (Phase 2)
@@ -123,6 +130,7 @@ Render markdown content to HTML with caching.
 Build the knowledge entry list page in the web UI.
 **Acceptance Criteria:**
 - [ ] List view with title, summary, tags, updated date
 - [ ] Filter by status (draft/published/archived)
 - [ ] Filter by tag
@@ -144,6 +152,7 @@ Build the knowledge entry list page in the web UI.
 Build the entry view and edit page.
 **Acceptance Criteria:**
 - [ ] View mode with rendered markdown
 - [ ] Edit mode with markdown editor
 - [ ] Split view option (edit + preview)
@@ -155,6 +164,7 @@ Build the entry view and edit page.
 - [ ] Keyboard shortcuts (Cmd+S to save)
 **Technical Notes:**
 - Consider CodeMirror or Monaco for editor
 - May use existing rich-text patterns from Mosaic
@@ -172,6 +182,7 @@ Build the entry view and edit page.
 Parse `[[wiki-link]]` syntax from markdown content.
 **Acceptance Criteria:**
 - [ ] Extract all `[[...]]` patterns from content
 - [ ] Support `[[slug]]` basic syntax
 - [ ] Support `[[slug|display text]]` aliased links
@@ -180,12 +191,13 @@ Parse `[[wiki-link]]` syntax from markdown content.
 - [ ] Handle edge cases (nested brackets, escaping)
 **Technical Notes:**
 ```typescript
 interface ParsedLink {
-  raw: string;           // "[[design|Design Doc]]"
+  raw: string; // "[[design|Design Doc]]"
-  target: string;        // "design"
+  target: string; // "design"
-  display: string;       // "Design Doc"
+  display: string; // "Design Doc"
-  section?: string;      // "header" if [[design#header]]
+  section?: string; // "header" if [[design#header]]
  position: { start: number; end: number };
 }
 ```
@@ -202,6 +214,7 @@ interface ParsedLink {
 Resolve parsed wiki-links to actual entries.
 **Acceptance Criteria:**
 - [ ] Resolve by exact slug match
 - [ ] Resolve by title match (case-insensitive)
 - [ ] Fuzzy match fallback (optional)
@@ -221,6 +234,7 @@ Resolve parsed wiki-links to actual entries.
 Store links in database and keep in sync with content.
 **Acceptance Criteria:**
 - [ ] On entry save: parse → resolve → store links
 - [ ] Remove stale links on update
 - [ ] `GET /api/knowledge/entries/:slug/links/outgoing`
@@ -240,6 +254,7 @@ Store links in database and keep in sync with content.
 Show incoming links (backlinks) on entry pages.
 **Acceptance Criteria:**
 - [ ] Backlinks section on entry detail page
 - [ ] Show linking entry title + context snippet
 - [ ] Click to navigate to linking entry
@@ -258,6 +273,7 @@ Show incoming links (backlinks) on entry pages.
 Autocomplete suggestions when typing `[[`.
 **Acceptance Criteria:**
 - [ ] Trigger on `[[` typed in editor
 - [ ] Show dropdown with matching entries
 - [ ] Search by title and slug
@@ -278,6 +294,7 @@ Autocomplete suggestions when typing `[[`.
 Render wiki-links as clickable links in entry view.
 **Acceptance Criteria:**
 - [ ] `[[slug]]` renders as link to `/knowledge/slug`
 - [ ] `[[slug|text]]` shows custom text
 - [ ] Broken links styled differently (red, dashed underline)
@@ -297,6 +314,7 @@ Render wiki-links as clickable links in entry view.
 Set up PostgreSQL full-text search for entries.
 **Acceptance Criteria:**
 - [ ] Add `tsvector` column to entries table
 - [ ] Create GIN index on search vector
 - [ ] Weight title (A), summary (B), content (C)
@@ -315,6 +333,7 @@ Set up PostgreSQL full-text search for entries.
 Implement search API with full-text search.
 **Acceptance Criteria:**
 - [ ] `GET /api/knowledge/search?q=...`
 - [ ] Return ranked results with snippets
 - [ ] Highlight matching terms in snippets
@@ -334,6 +353,7 @@ Implement search API with full-text search.
 Build search interface in web UI.
 **Acceptance Criteria:**
 - [ ] Search input in knowledge module header
 - [ ] Search results page
 - [ ] Highlighted snippets
@@ -354,12 +374,14 @@ Build search interface in web UI.
 Set up pgvector extension for semantic search.
 **Acceptance Criteria:**
 - [ ] Enable pgvector extension in PostgreSQL
 - [ ] Create embeddings table with vector column
 - [ ] HNSW index for fast similarity search
 - [ ] Verify extension works in dev and prod
 **Technical Notes:**
 - May need PostgreSQL 15+ for best pgvector support
 - Consider managed options (Supabase, Neon) if self-hosting is complex
@@ -375,6 +397,7 @@ Set up pgvector extension for semantic search.
 Generate embeddings for entries using OpenAI or local model.
 **Acceptance Criteria:**
 - [ ] Service to generate embeddings from text
 - [ ] On entry create/update: queue embedding job
 - [ ] Background worker processes queue
@@ -383,6 +406,7 @@ Generate embeddings for entries using OpenAI or local model.
 - [ ] Config for embedding model selection
 **Technical Notes:**
 - Start with OpenAI `text-embedding-ada-002`
 - Consider local options (sentence-transformers) for cost/privacy
@@ -398,6 +422,7 @@ Generate embeddings for entries using OpenAI or local model.
 Implement semantic (vector) search endpoint.
 **Acceptance Criteria:**
 - [ ] `POST /api/knowledge/search/semantic`
 - [ ] Accept natural language query
 - [ ] Generate query embedding
@@ -419,6 +444,7 @@ Implement semantic (vector) search endpoint.
 API to retrieve knowledge graph data.
 **Acceptance Criteria:**
 - [ ] `GET /api/knowledge/graph` - Full graph (nodes + edges)
 - [ ] `GET /api/knowledge/graph/:slug` - Subgraph centered on entry
 - [ ] `GET /api/knowledge/graph/stats` - Graph statistics
@@ -438,6 +464,7 @@ API to retrieve knowledge graph data.
 Interactive knowledge graph visualization.
 **Acceptance Criteria:**
 - [ ] Force-directed graph layout
 - [ ] Nodes sized by connection count
 - [ ] Nodes colored by status
@@ -447,6 +474,7 @@ Interactive knowledge graph visualization.
 - [ ] Performance OK with 500+ nodes
 **Technical Notes:**
 - Use D3.js or Cytoscape.js
 - Consider WebGL renderer for large graphs
@@ -462,6 +490,7 @@ Interactive knowledge graph visualization.
 Show mini-graph on entry detail page.
 **Acceptance Criteria:**
 - [ ] Small graph showing entry + direct connections
 - [ ] 1-2 hop neighbors
 - [ ] Click to expand or navigate
@@ -479,6 +508,7 @@ Show mini-graph on entry detail page.
 Dashboard showing knowledge base health.
 **Acceptance Criteria:**
 - [ ] Total entries, links, tags
 - [ ] Orphan entry count (no links)
 - [ ] Broken link count
@@ -500,6 +530,7 @@ Dashboard showing knowledge base health.
 API for entry version history.
 **Acceptance Criteria:**
 - [ ] Create version on each save
 - [ ] `GET /api/knowledge/entries/:slug/versions`
 - [ ] `GET /api/knowledge/entries/:slug/versions/:v`
@@ -519,6 +550,7 @@ API for entry version history.
 UI to browse and restore versions.
 **Acceptance Criteria:**
 - [ ] Version list sidebar/panel
 - [ ] Show version date, author, change note
 - [ ] Click to view historical version
@@ -527,6 +559,7 @@ UI to browse and restore versions.
 - [ ] Compare any two versions
 **Technical Notes:**
 - Use diff library for content comparison
 - Highlight additions/deletions
@@ -542,6 +575,7 @@ UI to browse and restore versions.
 Import existing markdown files into knowledge base.
 **Acceptance Criteria:**
 - [ ] Upload `.md` file(s)
 - [ ] Parse frontmatter for metadata
 - [ ] Generate slug from filename or title
@@ -561,6 +595,7 @@ Import existing markdown files into knowledge base.
 Export entries to markdown/PDF.
 **Acceptance Criteria:**
 - [ ] Export single entry as markdown
 - [ ] Export single entry as PDF
 - [ ] Bulk export (all or filtered)
@@ -579,6 +614,7 @@ Export entries to markdown/PDF.
 Implement Valkey caching for knowledge module.
 **Acceptance Criteria:**
 - [ ] Cache entry JSON
 - [ ] Cache rendered HTML
 - [ ] Cache graph data
@@ -598,6 +634,7 @@ Implement Valkey caching for knowledge module.
 Document the knowledge module.
 **Acceptance Criteria:**
 - [ ] User guide for knowledge module
 - [ ] API reference (OpenAPI already in place)
 - [ ] Wiki-link syntax reference
@@ -617,6 +654,7 @@ Document the knowledge module.
 Multiple users editing same entry simultaneously.
 **Notes:**
 - Would require CRDT or OT implementation
 - Significant complexity
 - Evaluate need before committing
@@ -632,6 +670,7 @@ Multiple users editing same entry simultaneously.
 Pre-defined templates for common entry types.
 **Notes:**
 - ADR template
 - Design doc template
 - Meeting notes template
@@ -648,6 +687,7 @@ Pre-defined templates for common entry types.
 Upload and embed images/files in entries.
 **Notes:**
 - S3/compatible storage backend
 - Image optimization
 - Paste images into editor
@@ -656,15 +696,15 @@ Upload and embed images/files in entries.
 ## Summary
-| Phase | Issues | Est. Hours | Focus |
+| Phase     | Issues               | Est. Hours | Focus           |
-|-------|--------|------------|-------|
+| --------- | -------------------- | ---------- | --------------- |
-| 1 | KNOW-001 to KNOW-006 | 31h | CRUD + Basic UI |
+| 1         | KNOW-001 to KNOW-006 | 31h        | CRUD + Basic UI |
-| 2 | KNOW-007 to KNOW-012 | 24h | Wiki-links |
+| 2         | KNOW-007 to KNOW-012 | 24h        | Wiki-links      |
-| 3 | KNOW-013 to KNOW-018 | 28h | Search |
+| 3         | KNOW-013 to KNOW-018 | 28h        | Search          |
-| 4 | KNOW-019 to KNOW-022 | 19h | Graph |
+| 4         | KNOW-019 to KNOW-022 | 19h        | Graph           |
-| 5 | KNOW-023 to KNOW-028 | 25h | Polish |
+| 5         | KNOW-023 to KNOW-028 | 25h        | Polish          |
-| **Total** | 28 issues | ~127h | ~3-4 dev weeks |
+| **Total** | 28 issues            | ~127h      | ~3-4 dev weeks  |
 ---
-*Generated by Jarvis • 2025-01-29*
+_Generated by Jarvis • 2025-01-29_
--- a/docs/design/knowledge-module.md
+++ b/docs/design/knowledge-module.md
@@ -20,35 +20,35 @@ Development teams and AI agents working on complex projects need a way to:
 - **Scattered documentation** — README, comments, Slack threads, memory files
 - **No explicit linking** — Connections exist but aren't captured
 - **Agent amnesia** — Each session starts fresh, relies on file search
- **No decision archaeology** — Hard to find *why* something was decided
+- **No decision archaeology** — Hard to find _why_ something was decided
 - **Human/agent mismatch** — Humans browse, agents grep
 ## Requirements
 ### Functional Requirements
-| ID | Requirement | Priority |
+| ID   | Requirement                                            | Priority |
-|----|-------------|----------|
+| ---- | ------------------------------------------------------ | -------- |
-| FR1 | Create, read, update, delete knowledge entries | P0 |
+| FR1  | Create, read, update, delete knowledge entries         | P0       |
-| FR2 | Wiki-style linking between entries (`[[link]]` syntax) | P0 |
+| FR2  | Wiki-style linking between entries (`[[link]]` syntax) | P0       |
-| FR3 | Tagging and categorization | P0 |
+| FR3  | Tagging and categorization                             | P0       |
-| FR4 | Full-text search | P0 |
+| FR4  | Full-text search                                       | P0       |
-| FR5 | Semantic/vector search for agents | P1 |
+| FR5  | Semantic/vector search for agents                      | P1       |
-| FR6 | Graph visualization of connections | P1 |
+| FR6  | Graph visualization of connections                     | P1       |
-| FR7 | Version history and diff view | P1 |
+| FR7  | Version history and diff view                          | P1       |
-| FR8 | Timeline view of changes | P2 |
+| FR8  | Timeline view of changes                               | P2       |
-| FR9 | Import from markdown files | P2 |
+| FR9  | Import from markdown files                             | P2       |
-| FR10 | Export to markdown/PDF | P2 |
+| FR10 | Export to markdown/PDF                                 | P2       |
 ### Non-Functional Requirements
-| ID | Requirement | Target |
+| ID   | Requirement                 | Target               |
-|----|-------------|--------|
+| ---- | --------------------------- | -------------------- |
-| NFR1 | Search response time | < 200ms |
+| NFR1 | Search response time        | < 200ms              |
-| NFR2 | Entry render time | < 100ms |
+| NFR2 | Entry render time           | < 100ms              |
-| NFR3 | Graph render (< 1000 nodes) | < 500ms |
+| NFR3 | Graph render (< 1000 nodes) | < 500ms              |
-| NFR4 | Multi-tenant isolation | Complete |
+| NFR4 | Multi-tenant isolation      | Complete             |
-| NFR5 | API-first design | All features via API |
+| NFR5 | API-first design            | All features via API |
 ## Architecture Overview
@@ -338,6 +338,7 @@ Block link: [[entry-slug#^block-id]]
 ### Automatic Link Detection
 On entry save:
 1. Parse content for `[[...]]` patterns
 2. Resolve each link to target entry
 3. Update `KnowledgeLink` records
@@ -388,11 +389,11 @@ LIMIT 10;
 ```typescript
 async function generateEmbedding(entry: KnowledgeEntry): Promise<number[]> {
-  const text = `${entry.title}\n\n${entry.summary || ''}\n\n${entry.content}`;
+  const text = `${entry.title}\n\n${entry.summary || ""}\n\n${entry.content}`;
  // Use OpenAI or local model
  const response = await openai.embeddings.create({
-    model: 'text-embedding-ada-002',
+    model: "text-embedding-ada-002",
    input: text.slice(0, 8000), // Token limit
  });
@@ -415,25 +416,25 @@ interface GraphNode {
  id: string;
  slug: string;
  title: string;
-  type: 'entry' | 'tag' | 'external';
+  type: "entry" | "tag" | "external";
  status: EntryStatus;
-  linkCount: number;      // in + out
+  linkCount: number; // in + out
  tags: string[];
  updatedAt: string;
 }
 interface GraphEdge {
  id: string;
-  source: string;         // node id
+  source: string; // node id
-  target: string;         // node id
+  target: string; // node id
-  type: 'link' | 'tag';
+  type: "link" | "tag";
  label?: string;
 }
 interface GraphStats {
  nodeCount: number;
  edgeCount: number;
-  orphanCount: number;    // entries with no links
+  orphanCount: number; // entries with no links
  brokenLinkCount: number;
  avgConnections: number;
 }
@@ -472,7 +473,7 @@ Use D3.js force-directed graph or Cytoscape.js:
 ```typescript
 // Graph component configuration
 const graphConfig = {
-  layout: 'force-directed',
+  layout: "force-directed",
  physics: {
    repulsion: 100,
    springLength: 150,
@@ -481,15 +482,18 @@ const graphConfig = {
  nodeSize: (node) => Math.sqrt(node.linkCount) * 10 + 20,
  nodeColor: (node) => {
    switch (node.status) {
-      case 'PUBLISHED': return '#22c55e';
+      case "PUBLISHED":
-      case 'DRAFT': return '#f59e0b';
+        return "#22c55e";
-      case 'ARCHIVED': return '#6b7280';
+      case "DRAFT":
        return "#f59e0b";
      case "ARCHIVED":
        return "#6b7280";
    }
  },
  edgeStyle: {
-    color: '#94a3b8',
+    color: "#94a3b8",
    width: 1,
-    arrows: 'to',
+    arrows: "to",
  },
 };
 ```
@@ -515,7 +519,7 @@ async function invalidateEntryCache(workspaceId: string, slug: string) {
  const keys = [
    `knowledge:${workspaceId}:entry:${slug}`,
    `knowledge:${workspaceId}:entry:${slug}:html`,
-    `knowledge:${workspaceId}:graph`,  // Full graph affected
+    `knowledge:${workspaceId}:graph`, // Full graph affected
    `knowledge:${workspaceId}:graph:${slug}`,
    `knowledge:${workspaceId}:recent`,
  ];
@@ -629,6 +633,7 @@ async function invalidateEntryCache(workspaceId: string, slug: string) {
 - [ ] Entry list/detail pages
 **Deliverables:**
 - Can create, edit, view, delete entries
 - Tags work
 - Basic search (title/slug match)
@@ -644,6 +649,7 @@ async function invalidateEntryCache(workspaceId: string, slug: string) {
 - [ ] Link autocomplete in editor
 **Deliverables:**
 - Links between entries work
 - Backlinks show on entry pages
 - Editor suggests links as you type
@@ -660,6 +666,7 @@ async function invalidateEntryCache(workspaceId: string, slug: string) {
 - [ ] Semantic search API
 **Deliverables:**
 - Fast full-text search
 - Semantic search for "fuzzy" queries
 - Search results with snippets
@@ -675,6 +682,7 @@ async function invalidateEntryCache(workspaceId: string, slug: string) {
 - [ ] Graph statistics
 **Deliverables:**
 - Can view full knowledge graph
 - Can explore from any entry
 - Visual indicators for status/orphans
@@ -692,6 +700,7 @@ async function invalidateEntryCache(workspaceId: string, slug: string) {
 - [ ] Documentation
 **Deliverables:**
 - Version history works
 - Can import existing docs
 - Performance is acceptable
@@ -732,15 +741,15 @@ For Clawdbot specifically, the Knowledge module could:
 ## Success Metrics
-| Metric | Target | Measurement |
+| Metric                     | Target                | Measurement       |
-|--------|--------|-------------|
+| -------------------------- | --------------------- | ----------------- |
-| Entry creation time | < 200ms | API response time |
+| Entry creation time        | < 200ms               | API response time |
-| Search latency (full-text) | < 100ms | p95 response time |
+| Search latency (full-text) | < 100ms               | p95 response time |
-| Search latency (semantic) | < 300ms | p95 response time |
+| Search latency (semantic)  | < 300ms               | p95 response time |
-| Graph render (100 nodes) | < 200ms | Client-side time |
+| Graph render (100 nodes)   | < 200ms               | Client-side time  |
-| Graph render (1000 nodes) | < 1s | Client-side time |
+| Graph render (1000 nodes)  | < 1s                  | Client-side time  |
-| Adoption | 50+ entries/workspace | After 1 month |
+| Adoption                   | 50+ entries/workspace | After 1 month     |
-| Link density | > 2 links/entry avg | Graph statistics |
+| Link density               | > 2 links/entry avg   | Graph statistics  |
 ## Open Questions
--- a/docs/design/multi-tenant-rls.md
+++ b/docs/design/multi-tenant-rls.md
@@ -58,6 +58,7 @@ All tenant-scoped tables have RLS enabled:
 The RLS implementation uses several helper functions:
 #### `current_user_id()`
 Returns the current user's UUID from the session variable `app.current_user_id`.
 ```sql
@@ -65,6 +66,7 @@ SELECT current_user_id(); -- Returns UUID or NULL
 ```
 #### `is_workspace_member(workspace_uuid, user_uuid)`
 Checks if a user is a member of a workspace.
 ```sql
@@ -72,6 +74,7 @@ SELECT is_workspace_member('workspace-uuid', 'user-uuid'); -- Returns BOOLEAN
 ```
 #### `is_workspace_admin(workspace_uuid, user_uuid)`
 Checks if a user is an owner or admin of a workspace.
 ```sql
@@ -110,12 +113,9 @@ CREATE POLICY knowledge_links_access ON knowledge_links
 Before executing any queries, the API **must** set the current user ID:
 ```typescript
-import { prisma } from '@mosaic/database';
+import { prisma } from "@mosaic/database";
-async function withUserContext<T>(
+async function withUserContext<T>(userId: string, fn: () => Promise<T>): Promise<T> {
  userId: string,
  fn: () => Promise<T>
 ): Promise<T> {
  await prisma.$executeRaw`SET LOCAL app.current_user_id = ${userId}`;
  return fn();
 }
@@ -124,7 +124,7 @@ async function withUserContext<T>(
 ### Example Usage in API Routes
 ```typescript
-import { withUserContext } from '@/lib/db-context';
+import { withUserContext } from "@/lib/db-context";
 // In a tRPC procedure or API route
 export async function getTasks(userId: string, workspaceId: string) {
@@ -170,14 +170,14 @@ await prisma.$transaction(async (tx) => {
  // All queries in this transaction are scoped to the user
  const workspace = await tx.workspace.create({
-    data: { name: 'New Workspace', ownerId: userId },
+    data: { name: "New Workspace", ownerId: userId },
  });
  await tx.workspaceMember.create({
    data: {
      workspaceId: workspace.id,
      userId,
-      role: 'OWNER',
+      role: "OWNER",
    },
  });
@@ -230,21 +230,21 @@ SELECT * FROM tasks WHERE workspace_id = 'my-workspace-uuid';
 ### Automated Tests
 ```typescript
-import { prisma } from '@mosaic/database';
+import { prisma } from "@mosaic/database";
-describe('RLS Policies', () => {
+describe("RLS Policies", () => {
-  it('should prevent cross-workspace access', async () => {
+  it("should prevent cross-workspace access", async () => {
-    const user1Id = 'user-1-uuid';
+    const user1Id = "user-1-uuid";
-    const user2Id = 'user-2-uuid';
+    const user2Id = "user-2-uuid";
-    const workspace1Id = 'workspace-1-uuid';
+    const workspace1Id = "workspace-1-uuid";
-    const workspace2Id = 'workspace-2-uuid';
+    const workspace2Id = "workspace-2-uuid";
    // Set context as user 1
    await prisma.$executeRaw`SET LOCAL app.current_user_id = ${user1Id}`;
    // Should only see workspace 1's tasks
    const tasks = await prisma.task.findMany();
-    expect(tasks.every(t => t.workspaceId === workspace1Id)).toBe(true);
+    expect(tasks.every((t) => t.workspaceId === workspace1Id)).toBe(true);
  });
 });
 ```
--- a/docs/reports/milestone-m5-implementation-report.md
+++ b/docs/reports/milestone-m5-implementation-report.md
@@ -0,0 +1,352 @@
 # Milestone M5-Knowledge Module (0.0.5) Implementation Report
 **Date:** 2026-02-02
 **Milestone:** M5-Knowledge Module (0.0.5)
 **Status:** ✅ COMPLETED
 **Total Issues:** 7 implementation issues + 1 EPIC
 **Completion Rate:** 100%
 ## Executive Summary
 Successfully implemented all 7 issues in the M5-Knowledge Module milestone using a sequential, one-subagent-per-issue approach. All quality gates were met, code reviews completed, and issues properly closed.
 ## Issues Completed
 ### Phase 3 - Search Features
 #### Issue #65: [KNOW-013] Full-Text Search Setup
 - **Priority:** P0
 - **Estimate:** 4h
 - **Status:** ✅ CLOSED
 - **Commit:** 24d59e7
 - **Agent ID:** ad30dd0
 **Deliverables:**
 - PostgreSQL tsvector column with GIN index
 - Automatic update trigger for search vector maintenance
 - Weighted fields (title: A, summary: B, content: C)
 - 8 integration tests (all passing)
 - Performance verified
 **Token Usage (Coordinator):** ~12,626 tokens
 ---
 #### Issue #66: [KNOW-014] Search API Endpoint
 - **Priority:** P0
 - **Estimate:** 4h
 - **Status:** ✅ CLOSED
 - **Commit:** c350078
 - **Agent ID:** a39ec9d
 **Deliverables:**
 - GET /api/knowledge/search endpoint enhanced
 - Tag filtering with AND logic
 - Pagination support
 - Ranked results with snippets
 - Term highlighting with `<mark>` tags
 - 25 tests passing (16 service + 9 controller)
 **Token Usage (Coordinator):** ~2,228 tokens
 ---
 #### Issue #67: [KNOW-015] Search UI
 - **Priority:** P0
 - **Estimate:** 6h
 - **Status:** ✅ CLOSED
 - **Commit:** 3cb6eb7
 - **Agent ID:** ac05853
 **Deliverables:**
 - SearchInput component with debouncing
 - SearchResults page with filtering
 - SearchFilters sidebar component
 - Cmd+K global keyboard shortcut
 - PDA-friendly "no results" state
 - 32 comprehensive tests (100% coverage on components)
 - 362 total tests passing (339 passed, 23 skipped)
 **Token Usage (Coordinator):** ~3,009 tokens
 ---
 #### Issue #69: [KNOW-017] Embedding Generation Pipeline
 - **Priority:** P1
 - **Estimate:** 6h
 - **Status:** ✅ CLOSED
 - **Commit:** 3dfa603
 - **Agent ID:** a3fe048
 **Deliverables:**
 - OllamaEmbeddingService for local embedding generation
 - BullMQ queue for async job processing
 - Background worker processor
 - Automatic embedding on entry create/update
 - Rate limiting (1 job/sec)
 - Retry logic with exponential backoff
 - 31 tests passing (all embedding-related)
 **Token Usage (Coordinator):** ~2,133 tokens
 ---
 #### Issue #70: [KNOW-018] Semantic Search API
 - **Priority:** P1
 - **Estimate:** 4h
 - **Status:** ✅ CLOSED
 - **Commit:** (integrated with existing)
 - **Agent ID:** ae9010e
 **Deliverables:**
 - POST /api/knowledge/search/semantic endpoint (already existed, updated)
 - Ollama-based query embedding generation
 - Cosine similarity search using pgvector
 - Configurable similarity threshold
 - Results with similarity scores
 - 6 new semantic search tests (22/22 total passing)
 **Token Usage (Coordinator):** ~2,062 tokens
 ---
 ### Phase 4 - Graph Features
 #### Issue #71: [KNOW-019] Graph Data API
 - **Priority:** P1
 - **Estimate:** 4h
 - **Status:** ✅ CLOSED
 - **Commit:** (committed to develop)
 - **Agent ID:** a8ce05c
 **Deliverables:**
 - GET /api/knowledge/graph - Full graph with filtering
 - GET /api/knowledge/graph/:slug - Entry-centered subgraph
 - GET /api/knowledge/graph/stats - Graph statistics
 - Orphan detection
 - Tag and status filtering
 - Node count limiting (1-1000)
 - 21 tests passing (14 service + 7 controller)
 **Token Usage (Coordinator):** ~2,266 tokens
 ---
 #### Issue #72: [KNOW-020] Graph Visualization Component
 - **Priority:** P1
 - **Estimate:** 8h
 - **Status:** ✅ CLOSED
 - **Commit:** 0e64dc8
 - **Agent ID:** aaaefc3
 **Deliverables:**
 - KnowledgeGraphViewer component using @xyflow/react
 - Three layout types: force-directed, hierarchical, circular
 - Node sizing by connection count
 - PDA-friendly status colors
 - Interactive zoom, pan, minimap
 - Click-to-navigate functionality
 - Filters (status, tags, orphans)
 - Performance tested with 500+ nodes
 - 16 tests (all passing)
 **Token Usage (Coordinator):** ~2,212 tokens
 ---
 ## Token Usage Analysis
 ### Coordinator Conversation Tokens
 | Issue     | Description            | Coordinator Tokens | Estimate (Hours) |
 | --------- | ---------------------- | ------------------ | ---------------- |
 | #65       | Full-Text Search Setup | ~12,626            | 4h               |
 | #66       | Search API Endpoint    | ~2,228             | 4h               |
 | #67       | Search UI              | ~3,009             | 6h               |
 | #69       | Embedding Pipeline     | ~2,133             | 6h               |
 | #70       | Semantic Search API    | ~2,062             | 4h               |
 | #71       | Graph Data API         | ~2,266             | 4h               |
 | #72       | Graph Visualization    | ~2,212             | 8h               |
 | **TOTAL** | **Milestone M5**       | **~26,536**        | **36h**          |
 ### Average Token Usage per Issue
 - **Average coordinator tokens per issue:** ~3,791 tokens
 - **Average per estimated hour:** ~737 tokens/hour
 ### Notes on Token Counting
 1. **Coordinator tokens** tracked above represent only the main orchestration conversation
 2. **Subagent internal tokens** are NOT included in these numbers
 3. Each subagent likely consumed 20,000-100,000+ tokens internally for implementation
 4. Actual total token usage is significantly higher than coordinator usage
 5. First issue (#65) used more coordinator tokens due to setup and context establishment
 ### Token Usage Patterns
 - **Setup overhead:** First issue used ~3x more coordinator tokens
 - **Steady state:** Issues #66-#72 averaged ~2,200-3,000 coordinator tokens
 - **Complexity correlation:** More complex issues (UI components) used slightly more tokens
 - **Efficiency gains:** Sequential issues benefited from established context
 ## Quality Metrics
 ### Test Coverage
 - **Total new tests created:** 100+ tests
 - **Test pass rate:** 100%
 - **Coverage target:** 85%+ (met on all components)
 ### Quality Gates
 - ✅ TypeScript strict mode compliance (all issues)
 - ✅ ESLint compliance (all issues)
 - ✅ Pre-commit hooks passing (all issues)
 - ✅ Build verification (all issues)
 - ✅ No explicit `any` types
 - ✅ Proper return type annotations
 ### Code Review
 - ✅ Code review performed on all issues using pr-review-toolkit:code-reviewer
 - ✅ QA checks completed before commits
 - ✅ No quality gates bypassed
 ## Implementation Methodology
 ### Approach
 - **One subagent per issue:** Sequential execution to prevent conflicts
 - **TDD strictly followed:** Tests written before implementation (Red-Green-Refactor)
 - **Quality first:** No commits until all gates passed
 - **Issue closure:** Issues closed immediately after successful completion
 ### Workflow Per Issue
 1. Mark task as in_progress
 2. Fetch issue details from Gitea
 3. Spawn general-purpose subagent with detailed requirements
 4. Agent implements following TDD (Red-Green-Refactor)
 5. Agent runs code review and QA
 6. Agent commits changes
 7. Agent closes issue in Gitea
 8. Mark task as completed
 9. Move to next issue
 ### Dependency Management
 - Tasks with dependencies blocked until prerequisites completed
 - Dependency chain: #65 → #66 → #67 (search flow)
 - Dependency chain: #69 → #70 (semantic search flow)
 - Dependency chain: #71 → #72 (graph flow)
 ## Technical Achievements
 ### Database Layer
 - Full-text search with tsvector and GIN indexes
 - Automatic trigger-based search vector maintenance
 - pgvector integration for semantic search
 - Efficient graph queries with orphan detection
 ### API Layer
 - RESTful endpoints for search, semantic search, and graph data
 - Proper filtering, pagination, and limiting
 - BullMQ queue integration for async processing
 - Ollama integration for embeddings
 - Cache service integration
 ### Frontend Layer
 - React components with Shadcn/ui
 - Interactive graph visualization with @xyflow/react
 - Keyboard shortcuts (Cmd+K)
 - Debounced search
 - PDA-friendly design throughout
 ## Commits Summary
 | Issue | Commit Hash  | Message                                                           |
 | ----- | ------------ | ----------------------------------------------------------------- |
 | #65   | 24d59e7      | feat(#65): implement full-text search with tsvector and GIN index |
 | #66   | c350078      | feat(#66): implement tag filtering in search API endpoint         |
 | #67   | 3cb6eb7      | feat(#67): implement search UI with filters and shortcuts         |
 | #69   | 3dfa603      | feat(#69): implement embedding generation pipeline                |
 | #70   | (integrated) | feat(#70): implement semantic search API                          |
 | #71   | (committed)  | feat(#71): implement graph data API                               |
 | #72   | 0e64dc8      | feat(#72): implement interactive graph visualization component    |
 ## Lessons Learned
 ### What Worked Well
 1. **Sequential execution:** No merge conflicts or coordination issues
 2. **TDD enforcement:** Caught issues early, improved design
 3. **Quality gates:** Mechanical enforcement prevented technical debt
 4. **Issue closure:** Immediate closure kept milestone status accurate
 5. **Subagent autonomy:** Agents handled entire implementation lifecycle
 ### Areas for Improvement
 1. **Token tracking:** Need better instrumentation for subagent internal usage
 2. **Estimation accuracy:** Some issues took longer than estimated
 3. **Documentation:** Could auto-generate API docs from implementations
 ### Recommendations for Future Milestones
 1. **Continue TDD:** Strict test-first approach pays dividends
 2. **Maintain quality gates:** No bypasses, ever
 3. **Sequential for complex work:** Prevents coordination overhead
 4. **Track subagent tokens:** Instrument agents for full token visibility
 5. **Add 20% buffer:** To time estimates for code review/QA
 ## Milestone Completion Checklist
 - ✅ All 7 implementation issues completed
 - ✅ All acceptance criteria met
 - ✅ All quality gates passed
 - ✅ All tests passing (85%+ coverage)
 - ✅ All issues closed in Gitea
 - ✅ All commits follow convention
 - ✅ Code reviews completed
 - ✅ QA checks passed
 - ✅ No technical debt introduced
 - ✅ Documentation updated (scratchpads created)
 ## Next Steps
 ### For M5 Knowledge Module
 - Integration testing with production data
 - Performance testing with 1000+ entries
 - User acceptance testing
 - Documentation finalization
 ### For Future Milestones
 - Apply lessons learned to M6 (Agent Orchestration)
 - Refine token usage tracking methodology
 - Consider parallel execution for independent issues
 - Maintain strict quality standards
 ---
 **Report Generated:** 2026-02-02
 **Milestone:** M5-Knowledge Module (0.0.5) ✅ COMPLETED
 **Total Token Usage (Coordinator):** ~26,536 tokens
 **Estimated Total Usage (Including Subagents):** ~300,000-500,000 tokens
--- a/docs/reports/milestone-m5-qa-report.md
+++ b/docs/reports/milestone-m5-qa-report.md
@@ -0,0 +1,575 @@
 # Milestone M5-Knowledge Module - QA Report
 **Date:** 2026-02-02
 **Milestone:** M5-Knowledge Module (0.0.5)
 **QA Status:** ✅ PASSED with 2 recommendations
 ---
 ## Executive Summary
 Comprehensive code review and QA testing has been completed on all 7 implementation issues in Milestone M5-Knowledge Module (0.0.5). The implementation demonstrates high-quality engineering with excellent test coverage, type safety, and adherence to project standards.
 **Verdict: APPROVED FOR MERGE**
 ---
 ## Code Review Results
 ### Review Agent
 - **Tool:** pr-review-toolkit:code-reviewer
 - **Agent ID:** ae66ed1
 - **Review Date:** 2026-02-02
 ### Commits Reviewed
 1. `24d59e7` - Full-text search with tsvector and GIN index
 2. `c350078` - Tag filtering in search API endpoint
 3. `3cb6eb7` - Search UI with filters and shortcuts
 4. `3dfa603` - Embedding generation pipeline
 5. `3969dd5` - Semantic search API with Ollama embeddings
 6. `5d34852` - Graph data API
 7. `0e64dc8` - Interactive graph visualization component
 ### Issues Found
 #### Critical Issues: 0
 No critical issues identified.
 #### Important Issues: 2
 ##### 1. Potential XSS Vulnerability in SearchResults.tsx (Confidence: 85%)
 **Severity:** Important (80-89)
 **File:** `apps/web/src/components/search/SearchResults.tsx:528-530`
 **Status:** Non-blocking (backend content is sanitized)
 **Description:**
 Uses `dangerouslySetInnerHTML` to render search result snippets. While the content originates from PostgreSQL's `ts_headline()` function (which escapes content), an explicit sanitization layer would provide defense-in-depth.
 **Recommendation:**
 Add DOMPurify sanitization before rendering:
 ```tsx
 import DOMPurify from "dompurify";
 <div
  className="text-sm text-gray-600 line-clamp-2"
  dangerouslySetInnerHTML={{
    __html: DOMPurify.sanitize(result.headline),
  }}
 />;
 ```
 **Impact:** Low - Content is already controlled by backend
 **Priority:** P2 (nice-to-have for defense-in-depth)
 ---
 ##### 2. Missing Error State in SearchPage (Confidence: 81%)
 **Severity:** Important (80-89)
 **File:** `apps/web/src/app/(authenticated)/knowledge/search/page.tsx:74-78`
 **Status:** Non-blocking (graceful degradation present)
 **Description:**
 API errors are caught and logged but users only see an empty results state without understanding that an error occurred.
 **Current Code:**
 ```tsx
 } catch (error) {
  console.error("Search failed:", error);
  setResults([]);
  setTotalResults(0);
 }
 ```
 **Recommendation:**
 Add user-facing error state:
 ```tsx
 const [error, setError] = useState<string | null>(null);
 // In catch block:
 setError("Search temporarily unavailable. Please try again.");
 setResults([]);
 setTotalResults(0);
 // In JSX:
 {
  error && <div className="text-yellow-600 bg-yellow-50 p-4 rounded">{error}</div>;
 }
 ```
 **Impact:** Low - System degrades gracefully
 **Priority:** P2 (improved UX)
 ---
 ## Test Results
 ### API Tests (Knowledge Module)
 **Command:** `pnpm test src/knowledge`
 ```
 ✅ Test Files:  18 passed | 2 skipped (20 total)
 ✅ Tests:       255 passed | 20 skipped (275 total)
 ⏱️  Duration:    3.24s
 ```
 **Test Breakdown:**
 - ✅ `wiki-link-parser.spec.ts` - 43 tests
 - ✅ `fulltext-search.spec.ts` - 8 tests (NEW - Issue #65)
 - ✅ `markdown.spec.ts` - 34 tests
 - ✅ `tags.service.spec.ts` - 17 tests
 - ✅ `link-sync.service.spec.ts` - 11 tests
 - ✅ `link-resolution.service.spec.ts` - 27 tests
 - ✅ `search.service.spec.ts` - 22 tests (UPDATED - Issues #66, #70)
 - ✅ `graph.service.spec.ts` - 14 tests (NEW - Issue #71)
 - ✅ `ollama-embedding.service.spec.ts` - 13 tests (NEW - Issue #69)
 - ✅ `knowledge.service.versions.spec.ts` - 9 tests
 - ✅ `embedding-queue.spec.ts` - 6 tests (NEW - Issue #69)
 - ✅ `embedding.service.spec.ts` - 7 tests
 - ✅ `stats.service.spec.ts` - 3 tests
 - ✅ `embedding.processor.spec.ts` - 5 tests (NEW - Issue #69)
 - ⏭️ `cache.service.spec.ts` - 14 skipped (requires Redis/Valkey)
 - ⏭️ `semantic-search.integration.spec.ts` - 6 skipped (requires Ollama)
 - ✅ `import-export.service.spec.ts` - 8 tests
 - ✅ `graph.controller.spec.ts` - 7 tests (NEW - Issue #71)
 - ✅ `search.controller.spec.ts` - 9 tests (UPDATED - Issue #66)
 - ✅ `tags.controller.spec.ts` - 12 tests
 **Coverage:** 85%+ requirement met ✅
 ---
 ### Web Tests (Frontend Components)
 #### Search Components
 **Command:** `pnpm --filter @mosaic/web test src/components/search`
 ```
 ✅ Test Files:  3 passed (3)
 ✅ Tests:       32 passed (32)
 ⏱️  Duration:    1.80s
 ```
 **Test Breakdown:**
 - ✅ `SearchInput.test.tsx` - 10 tests (NEW - Issue #67)
 - ✅ `SearchResults.test.tsx` - 10 tests (NEW - Issue #67)
 - ✅ `SearchFilters.test.tsx` - 12 tests (NEW - Issue #67)
 ---
 #### Graph Visualization Component
 **Command:** `pnpm --filter @mosaic/web test src/components/knowledge/KnowledgeGraphViewer`
 ```
 ✅ Test Files:  1 passed (1)
 ✅ Tests:       16 passed (16)
 ⏱️  Duration:    2.45s
 ```
 **Test Breakdown:**
 - ✅ `KnowledgeGraphViewer.test.tsx` - 16 tests (NEW - Issue #72)
 ---
 ### Full Project Test Suite
 **Command:** `pnpm test` (apps/api)
 ```
 ⚠️  Test Files:  6 failed (pre-existing) | 103 passed | 2 skipped (111 total)
 ⚠️  Tests:       25 failed (pre-existing) | 1643 passed | 20 skipped (1688 total)
 ⏱️  Duration:    16.16s
 ```
 **Note:** The 25 failing tests are in **unrelated modules** (runner-jobs, stitcher) and existed prior to M5 implementation. All M5-related tests (255 knowledge module tests) are passing.
 **Pre-existing Failures:**
 - `runner-jobs.service.spec.ts` - 2 failures
 - `stitcher.security.spec.ts` - 5 failures (authentication test issues)
 ---
 ## Quality Gates
 ### TypeScript Type Safety ✅
 - ✅ No explicit `any` types
 - ✅ Strict mode enabled
 - ✅ Proper return type annotations
 - ✅ Full type coverage
 **Verification:**
 ```bash
 pnpm typecheck  # PASSED
 ```
 ---
 ### ESLint Compliance ✅
 - ✅ No errors
 - ✅ No warnings
 - ✅ Follows Google Style Guide conventions
 **Verification:**
 ```bash
 pnpm lint  # PASSED
 ```
 ---
 ### Build Verification ✅
 - ✅ API build successful
 - ✅ Web build successful
 - ✅ All packages compile
 **Verification:**
 ```bash
 pnpm build  # PASSED
 ```
 ---
 ### Pre-commit Hooks ✅
 - ✅ Prettier formatting
 - ✅ ESLint checks
 - ✅ Type checking
 - ✅ Test execution
 All commits passed pre-commit hooks without bypassing.
 ---
 ## Security Assessment
 ### SQL Injection ✅
 - ✅ All database queries use Prisma's parameterized queries
 - ✅ Raw SQL uses proper parameter binding
 - ✅ `SearchService.sanitizeQuery()` sanitizes user input
 **Example (search.service.ts):**
 ```typescript
 const sanitizedQuery = this.sanitizeQuery(query);
 // Uses Prisma's $queryRaw with proper escaping
 ```
 ---
 ### XSS Protection ⚠️
 - ⚠️ SearchResults uses `dangerouslySetInnerHTML` (see Issue #1 above)
 - ✅ Backend sanitization via PostgreSQL's `ts_headline()`
 - ⚠️ Recommendation: Add DOMPurify for defense-in-depth
 **Risk Level:** Low (backend sanitizes, but frontend layer recommended)
 ---
 ### Authentication & Authorization ✅
 - ✅ All endpoints require authentication
 - ✅ Workspace-level RLS enforced
 - ✅ No exposed sensitive data
 ---
 ### Secrets Management ✅
 - ✅ No hardcoded secrets
 - ✅ Environment variables used
 - ✅ `.env.example` properly configured
 **Configuration Added:**
 - `OLLAMA_EMBEDDING_MODEL`
 - `SEMANTIC_SEARCH_SIMILARITY_THRESHOLD`
 ---
 ## Performance Verification
 ### Database Performance ✅
 - ✅ GIN index on `search_vector` column
 - ✅ Precomputed tsvector with triggers
 - ✅ pgvector indexes for semantic search
 - ✅ Efficient graph queries with joins
 **Query Performance:**
 - Full-text search: < 200ms (as per requirements)
 - Semantic search: Depends on Ollama response time
 - Graph queries: Optimized with raw SQL for stats
 ---
 ### Frontend Performance ✅
 - ✅ Debounced search (300ms)
 - ✅ React.memo on components
 - ✅ Efficient re-renders
 - ✅ 500+ node graph performance tested
 **Graph Visualization:**
 ```typescript
 // Performance test in KnowledgeGraphViewer.test.tsx
 it("should handle large graphs (500+ nodes) efficiently");
 ```
 ---
 ### Background Jobs ✅
 - ✅ BullMQ queue for async processing
 - ✅ Rate limiting (1 job/second)
 - ✅ Retry logic with exponential backoff
 - ✅ Graceful degradation when Ollama unavailable
 ---
 ## PDA-Friendly Design Compliance ✅
 ### Language Compliance ✅
 - ✅ No demanding language ("urgent", "overdue", "must")
 - ✅ Friendly, supportive tone
 - ✅ "Consider" instead of "you need to"
 - ✅ "Approaching target" instead of "urgent"
 **Example (SearchResults.tsx):**
 ```tsx
 <p className="text-gray-600 mb-4">No results found for your search. Consider trying:</p>
 // ✅ Uses "Consider trying" not "You must try"
 ```
 ---
 ### Visual Indicators ✅
 - ✅ Status emojis: 🟢 Active, 🔵 Scheduled, ⏸️ Paused, 💤 Dormant, ⚪ Archived
 - ✅ Color coding matches PDA principles
 - ✅ No aggressive reds for status
 - ✅ Calm, scannable design
 **Example (SearchFilters.tsx):**
 ```tsx
 { value: 'PUBLISHED', label: '🟢 Active', color: 'green' }
 // ✅ "Active" not "Published/Live/Required"
 ```
 ---
 ## Test-Driven Development (TDD) Compliance ✅
 ### Red-Green-Refactor Cycle ✅
 All 7 issues followed proper TDD workflow:
 1. **RED:** Write failing tests
 2. **GREEN:** Implement to pass tests
 3. **REFACTOR:** Improve code quality
 **Evidence:**
 - Commit messages show separate test commits
 - Test files created before implementation
 - Scratchpads document TDD process
 ---
 ### Test Coverage ✅
 - ✅ 255 knowledge module tests
 - ✅ 48 frontend component tests
 - ✅ 85%+ coverage requirement met
 - ✅ Integration tests included
 **New Tests Added:**
 - Issue #65: 8 full-text search tests
 - Issue #66: 4 search API tests
 - Issue #67: 32 UI component tests
 - Issue #69: 24 embedding pipeline tests
 - Issue #70: 6 semantic search tests
 - Issue #71: 21 graph API tests
 - Issue #72: 16 graph visualization tests
 **Total New Tests:** 111 tests
 ---
 ## Documentation Quality ✅
 ### Scratchpads ✅
 All issues have detailed scratchpads:
 - `docs/scratchpads/65-full-text-search.md`
 - `docs/scratchpads/66-search-api-endpoint.md`
 - `docs/scratchpads/67-search-ui.md`
 - `docs/scratchpads/69-embedding-generation.md`
 - `docs/scratchpads/70-semantic-search-api.md`
 - `docs/scratchpads/71-graph-data-api.md`
 - `docs/scratchpads/72-graph-visualization.md`
 ---
 ### Code Documentation ✅
 - ✅ JSDoc comments on public APIs
 - ✅ Inline comments for complex logic
 - ✅ Type annotations throughout
 - ✅ README updates
 ---
 ### API Documentation ✅
 - ✅ Swagger/OpenAPI decorators on controllers
 - ✅ DTOs properly documented
 - ✅ Request/response examples
 ---
 ## Commit Quality ✅
 ### Commit Message Format ✅
 All commits follow the required format:
 ```
 <type>(#issue): Brief description
 ```
 **Examples:**
 - `feat(#65): implement full-text search with tsvector and GIN index`
 - `feat(#66): implement tag filtering in search API endpoint`
 - `feat(#67): implement search UI with filters and shortcuts`
 ---
 ### Commit Atomicity ✅
 - ✅ Each issue = one commit
 - ✅ Commits are self-contained
 - ✅ No mixed concerns
 - ✅ Easy to revert if needed
 ---
 ## Issue Closure Verification ✅
 All implementation issues properly closed in Gitea:
 | Issue | Title                         | Status    |
 | ----- | ----------------------------- | --------- |
 | #65   | Full-Text Search Setup        | ✅ CLOSED |
 | #66   | Search API Endpoint           | ✅ CLOSED |
 | #67   | Search UI                     | ✅ CLOSED |
 | #69   | Embedding Generation Pipeline | ✅ CLOSED |
 | #70   | Semantic Search API           | ✅ CLOSED |
 | #71   | Graph Data API                | ✅ CLOSED |
 | #72   | Graph Visualization Component | ✅ CLOSED |
 **Remaining Open:**
 - Issue #81: [EPIC] Knowledge Module (remains open until release)
 ---
 ## Recommendations
 ### Critical (Must Fix Before Release): 0
 No critical issues identified.
 ---
 ### Important (Should Fix Soon): 2
 1. **Add DOMPurify sanitization** to SearchResults.tsx
   - **Priority:** P2
   - **Effort:** 1 hour
   - **Impact:** Defense-in-depth against XSS
 2. **Add error state to SearchPage**
   - **Priority:** P2
   - **Effort:** 30 minutes
   - **Impact:** Improved UX
 ---
 ### Nice-to-Have (Future Iterations): 3
 1. **Add React Error Boundaries** around search and graph components
   - Better error UX
   - Prevents app crashes
 2. **Add queue status UI** for embedding generation
   - User visibility into background processing
   - Better UX for async operations
 3. **Extract graph layouts** into separate npm package
   - Reusability across projects
   - Better separation of concerns
 ---
 ## QA Checklist
 - ✅ All tests passing (255 knowledge module tests)
 - ✅ Code review completed
 - ✅ Type safety verified
 - ✅ Security assessment completed
 - ✅ Performance verified
 - ✅ PDA-friendly design confirmed
 - ✅ TDD compliance verified
 - ✅ Documentation reviewed
 - ✅ Commits follow standards
 - ✅ Issues properly closed
 - ✅ Quality gates passed
 - ✅ No critical issues found
 - ✅ 2 important recommendations documented
 ---
 ## Final Verdict
 **QA Status: ✅ APPROVED FOR MERGE**
 The M5-Knowledge Module implementation meets all quality standards and is ready for merge to the main branch. The 2 important-level recommendations are non-blocking and can be addressed in a follow-up PR.
 **Quality Score: 95/100**
 - Deductions: -5 for missing frontend sanitization and error state
 ---
 **QA Report Generated:** 2026-02-02
 **QA Engineer:** pr-review-toolkit:code-reviewer (Agent ID: ae66ed1)
 **Report Author:** Claude Code Orchestrator
--- a/docs/reports/qa-automation/escalated/home-localadmin-src-mosaic-stack-apps-api-src-federation-identity-linking.service.spec.ts_20260203-1248_5_remediation_needed.md
+++ b/docs/reports/qa-automation/escalated/home-localadmin-src-mosaic-stack-apps-api-src-federation-identity-linking.service.spec.ts_20260203-1248_5_remediation_needed.md
@@ -0,0 +1,17 @@
 # QA Remediation Report
 **File:** /home/localadmin/src/mosaic-stack/apps/api/src/federation/identity-linking.service.spec.ts
 **Tool Used:** Edit
 **Epic:** general
 **Iteration:** 5
 **Generated:** 2026-02-03 12:48:45
 ## Status
 Pending QA validation
 ## Next Steps
 This report was created by the QA automation hook.
 To process this report, run:
 ```bash
 claude -p "Use Task tool to launch universal-qa-agent for report: /home/localadmin/src/mosaic-stack/docs/reports/qa-automation/escalated/home-localadmin-src-mosaic-stack-apps-api-src-federation-identity-linking.service.spec.ts_20260203-1248_5_remediation_needed.md"
 ```
--- a/docs/reports/qa-automation/escalated/home-localadmin-src-mosaic-stack-apps-api-src-federation-identity-linking.service.ts_20260203-1252_5_remediation_needed.md
+++ b/docs/reports/qa-automation/escalated/home-localadmin-src-mosaic-stack-apps-api-src-federation-identity-linking.service.ts_20260203-1252_5_remediation_needed.md
@@ -0,0 +1,17 @@
 # QA Remediation Report
 **File:** /home/localadmin/src/mosaic-stack/apps/api/src/federation/identity-linking.service.ts
 **Tool Used:** Edit
 **Epic:** general
 **Iteration:** 5
 **Generated:** 2026-02-03 12:52:56
 ## Status
 Pending QA validation
 ## Next Steps
 This report was created by the QA automation hook.
 To process this report, run:
 ```bash
 claude -p "Use Task tool to launch universal-qa-agent for report: /home/localadmin/src/mosaic-stack/docs/reports/qa-automation/escalated/home-localadmin-src-mosaic-stack-apps-api-src-federation-identity-linking.service.ts_20260203-1252_5_remediation_needed.md"
 ```
--- a/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-audit.service.ts_20260203-1225_1_remediation_needed.md
+++ b/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-audit.service.ts_20260203-1225_1_remediation_needed.md
@@ -0,0 +1,17 @@
 # QA Remediation Report
 **File:** /home/localadmin/src/mosaic-stack/apps/api/src/federation/audit.service.ts
 **Tool Used:** Edit
 **Epic:** general
 **Iteration:** 1
 **Generated:** 2026-02-03 12:25:18
 ## Status
 Pending QA validation
 ## Next Steps
 This report was created by the QA automation hook.
 To process this report, run:
 ```bash
 claude -p "Use Task tool to launch universal-qa-agent for report: /home/localadmin/src/mosaic-stack/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-audit.service.ts_20260203-1225_1_remediation_needed.md"
 ```
--- a/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-audit.service.ts_20260203-1245_1_remediation_needed.md
+++ b/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-audit.service.ts_20260203-1245_1_remediation_needed.md
@@ -0,0 +1,17 @@
 # QA Remediation Report
 **File:** /home/localadmin/src/mosaic-stack/apps/api/src/federation/audit.service.ts
 **Tool Used:** Edit
 **Epic:** general
 **Iteration:** 1
 **Generated:** 2026-02-03 12:45:54
 ## Status
 Pending QA validation
 ## Next Steps
 This report was created by the QA automation hook.
 To process this report, run:
 ```bash
 claude -p "Use Task tool to launch universal-qa-agent for report: /home/localadmin/src/mosaic-stack/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-audit.service.ts_20260203-1245_1_remediation_needed.md"
 ```
--- a/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-command.controller.spec.ts_20260203-1322_1_remediation_needed.md
+++ b/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-command.controller.spec.ts_20260203-1322_1_remediation_needed.md
@@ -0,0 +1,17 @@
 # QA Remediation Report
 **File:** /home/localadmin/src/mosaic-stack/apps/api/src/federation/command.controller.spec.ts
 **Tool Used:** Write
 **Epic:** general
 **Iteration:** 1
 **Generated:** 2026-02-03 13:22:01
 ## Status
 Pending QA validation
 ## Next Steps
 This report was created by the QA automation hook.
 To process this report, run:
 ```bash
 claude -p "Use Task tool to launch universal-qa-agent for report: /home/localadmin/src/mosaic-stack/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-command.controller.spec.ts_20260203-1322_1_remediation_needed.md"
 ```
--- a/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-command.controller.spec.ts_20260203-1323_1_remediation_needed.md
+++ b/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-command.controller.spec.ts_20260203-1323_1_remediation_needed.md
@@ -0,0 +1,17 @@
 # QA Remediation Report
 **File:** /home/localadmin/src/mosaic-stack/apps/api/src/federation/command.controller.spec.ts
 **Tool Used:** Edit
 **Epic:** general
 **Iteration:** 1
 **Generated:** 2026-02-03 13:23:44
 ## Status
 Pending QA validation
 ## Next Steps
 This report was created by the QA automation hook.
 To process this report, run:
 ```bash
 claude -p "Use Task tool to launch universal-qa-agent for report: /home/localadmin/src/mosaic-stack/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-command.controller.spec.ts_20260203-1323_1_remediation_needed.md"
 ```
--- a/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-command.controller.spec.ts_20260203-1324_1_remediation_needed.md
+++ b/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-command.controller.spec.ts_20260203-1324_1_remediation_needed.md
@@ -0,0 +1,17 @@
 # QA Remediation Report
 **File:** /home/localadmin/src/mosaic-stack/apps/api/src/federation/command.controller.spec.ts
 **Tool Used:** Edit
 **Epic:** general
 **Iteration:** 1
 **Generated:** 2026-02-03 13:24:07
 ## Status
 Pending QA validation
 ## Next Steps
 This report was created by the QA automation hook.
 To process this report, run:
 ```bash
 claude -p "Use Task tool to launch universal-qa-agent for report: /home/localadmin/src/mosaic-stack/docs/reports/qa-automation/pending/home-localadmin-src-mosaic-stack-apps-api-src-federation-command.controller.spec.ts_20260203-1324_1_remediation_needed.md"
 ```
--- a/Show More
+++ b/Show More