Merge branch 'develop' into feature/52-active-projects-widget

2026-02-04 01:36:57 +00:00
parent 4c3604e85c 25b0f122dd
commit 6d4fbef3f1
495 changed files with 26723 additions and 2242 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -12,13 +12,13 @@ Guidelines for AI agents working on this codebase.
 Context = tokens = cost. Be smart.
-| Strategy | When |
+| Strategy                      | When                                                           |
-|----------|------|
+| ----------------------------- | -------------------------------------------------------------- |
-| **Spawn sub-agents** | Isolated coding tasks, research, anything that can report back |
+| **Spawn sub-agents**          | Isolated coding tasks, research, anything that can report back |
-| **Batch operations** | Group related API calls, don't do one-at-a-time |
+| **Batch operations**          | Group related API calls, don't do one-at-a-time                |
-| **Check existing patterns** | Before writing new code, see how similar features were built |
+| **Check existing patterns**   | Before writing new code, see how similar features were built   |
-| **Minimize re-reading** | Don't re-read files you just wrote |
+| **Minimize re-reading**       | Don't re-read files you just wrote                             |
-| **Summarize before clearing** | Extract learnings to memory before context reset |
+| **Summarize before clearing** | Extract learnings to memory before context reset               |
 ## Workflow (Non-Negotiable)
@@ -89,13 +89,13 @@ Minimum 85% coverage for new code.
 ## Key Files
-| File | Purpose |
+| File                            | Purpose                                   |
-|------|---------|
+| ------------------------------- | ----------------------------------------- |
-| `CLAUDE.md` | Project overview, tech stack, conventions |
+| `CLAUDE.md`                     | Project overview, tech stack, conventions |
-| `CONTRIBUTING.md` | Human contributor guide |
+| `CONTRIBUTING.md`               | Human contributor guide                   |
-| `apps/api/prisma/schema.prisma` | Database schema |
+| `apps/api/prisma/schema.prisma` | Database schema                           |
-| `docs/` | Architecture and setup docs |
+| `docs/`                         | Architecture and setup docs               |
 ---
-*Model-agnostic. Works for Claude, MiniMax, GPT, Llama, etc.*
+_Model-agnostic. Works for Claude, MiniMax, GPT, Llama, etc._
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 - Complete turnkey Docker Compose setup with all services (#8)
  - PostgreSQL 17 with pgvector extension
  - Valkey (Redis-compatible cache)
@@ -54,6 +55,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  - .env.traefik-upstream.example for upstream mode
 ### Changed
 - Updated README.md with Docker deployment instructions
 - Enhanced configuration documentation with Docker-specific settings
 - Improved installation guide with profile-based service activation
@@ -63,6 +65,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.0.1] - 2026-01-28
 ### Added
 - Initial project structure with pnpm workspaces and TurboRepo
 - NestJS API application with BetterAuth integration
 - Next.js 16 web application foundation
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -78,15 +78,15 @@ Thank you for your interest in contributing to Mosaic Stack! This document provi
 ### Quick Reference Commands
-| Command | Description |
+| Command                  | Description                   |
-|---------|-------------|
+| ------------------------ | ----------------------------- |
-| `pnpm dev` | Start all development servers |
+| `pnpm dev`               | Start all development servers |
-| `pnpm dev:api` | Start API only |
+| `pnpm dev:api`           | Start API only                |
-| `pnpm dev:web` | Start Web only |
+| `pnpm dev:web`           | Start Web only                |
-| `docker compose up -d` | Start Docker services |
+| `docker compose up -d`   | Start Docker services         |
-| `docker compose logs -f` | View Docker logs |
+| `docker compose logs -f` | View Docker logs              |
-| `pnpm prisma:studio` | Open Prisma Studio GUI |
+| `pnpm prisma:studio`     | Open Prisma Studio GUI        |
-| `make help` | View all available commands |
+| `make help`              | View all available commands   |
 ## Code Style Guidelines
@@ -104,6 +104,7 @@ We use **Prettier** for consistent code formatting:
 - **End of line:** LF (Unix style)
 Run the formatter:
 ```bash
 pnpm format          # Format all files
 pnpm format:check    # Check formatting without changes
@@ -121,6 +122,7 @@ pnpm lint:fix        # Auto-fix linting issues
 ### TypeScript
 All code must be **strictly typed** TypeScript:
 - No `any` types allowed
 - Explicit type annotations for function returns
 - Interfaces over type aliases for object shapes
@@ -130,14 +132,14 @@ All code must be **strictly typed** TypeScript:
 **Never** use demanding or stressful language in UI text:
-| ❌ AVOID | ✅ INSTEAD |
+| ❌ AVOID    | ✅ INSTEAD           |
-|---------|------------|
+| ----------- | -------------------- |
-| OVERDUE | Target passed |
+| OVERDUE     | Target passed        |
-| URGENT | Approaching target |
+| URGENT      | Approaching target   |
-| MUST DO | Scheduled for |
+| MUST DO     | Scheduled for        |
-| CRITICAL | High priority |
+| CRITICAL    | High priority        |
 | YOU NEED TO | Consider / Option to |
-| REQUIRED | Recommended |
+| REQUIRED    | Recommended          |
 See [docs/3-architecture/3-design-principles/1-pda-friendly.md](./docs/3-architecture/3-design-principles/1-pda-friendly.md) for complete design principles.
@@ -147,13 +149,13 @@ We follow a Git-based workflow with the following branch types:
 ### Branch Types
-| Prefix | Purpose | Example |
+| Prefix      | Purpose           | Example                      |
-|--------|---------|---------|
+| ----------- | ----------------- | ---------------------------- |
-| `feature/` | New features | `feature/42-user-dashboard` |
+| `feature/`  | New features      | `feature/42-user-dashboard`  |
-| `fix/` | Bug fixes | `fix/123-auth-redirect` |
+| `fix/`      | Bug fixes         | `fix/123-auth-redirect`      |
-| `docs/` | Documentation | `docs/contributing` |
+| `docs/`     | Documentation     | `docs/contributing`          |
-| `refactor/` | Code refactoring | `refactor/prisma-queries` |
+| `refactor/` | Code refactoring  | `refactor/prisma-queries`    |
-| `test/` | Test-only changes | `test/coverage-improvements` |
+| `test/`     | Test-only changes | `test/coverage-improvements` |
 ### Workflow
@@ -190,14 +192,14 @@ References: #123
 ### Types
-| Type | Description |
+| Type       | Description                             |
-|------|-------------|
+| ---------- | --------------------------------------- |
-| `feat` | New feature |
+| `feat`     | New feature                             |
-| `fix` | Bug fix |
+| `fix`      | Bug fix                                 |
-| `docs` | Documentation changes |
+| `docs`     | Documentation changes                   |
-| `test` | Adding or updating tests |
+| `test`     | Adding or updating tests                |
 | `refactor` | Code refactoring (no functional change) |
-| `chore` | Maintenance tasks, dependencies |
+| `chore`    | Maintenance tasks, dependencies         |
 ### Examples
@@ -233,17 +235,20 @@ Clarified pagination and filtering parameters.
 ### Before Creating a PR
 1. **Ensure tests pass**
   ```bash
   pnpm test
   pnpm build
   ```
 2. **Check code coverage** (minimum 85%)
   ```bash
   pnpm test:coverage
   ```
 3. **Format and lint**
   ```bash
   pnpm format
   pnpm lint
@@ -256,6 +261,7 @@ Clarified pagination and filtering parameters.
 ### Creating a Pull Request
 1. Push your branch to the remote
   ```bash
   git push origin feature/my-feature
   ```
@@ -294,6 +300,7 @@ Clarified pagination and filtering parameters.
 #### TDD Workflow: Red-Green-Refactor
 1. **RED** - Write a failing test first
   ```bash
   # Write test for new functionality
   pnpm test:watch  # Watch it fail
@@ -302,6 +309,7 @@ Clarified pagination and filtering parameters.
   ```
 2. **GREEN** - Write minimal code to pass the test
   ```bash
   # Implement just enough to pass
   pnpm test:watch  # Watch it pass
@@ -327,11 +335,11 @@ Clarified pagination and filtering parameters.
 ### Test Types
-| Type | Purpose | Tool |
+| Type                  | Purpose                                 | Tool       |
-|------|---------|------|
+| --------------------- | --------------------------------------- | ---------- |
-| **Unit tests** | Test functions/methods in isolation | Vitest |
+| **Unit tests**        | Test functions/methods in isolation     | Vitest     |
-| **Integration tests** | Test module interactions (service + DB) | Vitest |
+| **Integration tests** | Test module interactions (service + DB) | Vitest     |
-| **E2E tests** | Test complete user workflows | Playwright |
+| **E2E tests**         | Test complete user workflows            | Playwright |
 ### Running Tests
@@ -347,6 +355,7 @@ pnpm test:e2e          # Playwright E2E tests
 ### Coverage Verification
 After implementation:
 ```bash
 pnpm test:coverage
 # Open coverage/index.html in browser
@@ -369,15 +378,16 @@ https://git.mosaicstack.dev/mosaic/stack/issues
 ### Issue Labels
-| Category | Labels |
+| Category | Labels                                                                        |
-|----------|--------|
+| -------- | ----------------------------------------------------------------------------- |
-| Priority | `p0` (critical), `p1` (high), `p2` (medium), `p3` (low) |
+| Priority | `p0` (critical), `p1` (high), `p2` (medium), `p3` (low)                       |
-| Type | `api`, `web`, `database`, `auth`, `plugin`, `ai`, `devops`, `docs`, `testing` |
+| Type     | `api`, `web`, `database`, `auth`, `plugin`, `ai`, `devops`, `docs`, `testing` |
-| Status | `todo`, `in-progress`, `review`, `blocked`, `done` |
+| Status   | `todo`, `in-progress`, `review`, `blocked`, `done`                            |
 ### Documentation
 Check existing documentation first:
 - [README.md](./README.md) - Project overview
 - [CLAUDE.md](./CLAUDE.md) - Comprehensive development guidelines
 - [docs/](./docs/) - Full documentation suite
@@ -402,6 +412,7 @@ Check existing documentation first:
 **Thank you for contributing to Mosaic Stack!** Every contribution helps make this platform better for everyone.
 For more details, see:
 - [Project README](./README.md)
 - [Development Guidelines](./CLAUDE.md)
 - [API Documentation](./docs/4-api/)
--- a/ISSUES/29-cron-config.md
+++ b/ISSUES/29-cron-config.md
@@ -1,11 +1,13 @@
 # Cron Job Configuration - Issue #29
 ## Overview
 Implement cron job configuration for Mosaic Stack, likely as a MoltBot plugin for scheduled reminders/commands.
 ## Requirements (inferred from CLAUDE.md pattern)
 ### Plugin Structure
 ```
 plugins/mosaic-plugin-cron/
 ├── SKILL.md          # MoltBot skill definition
@@ -15,17 +17,20 @@ plugins/mosaic-plugin-cron/
 ```
 ### Core Features
 1. Create/update/delete cron schedules
 2. Trigger MoltBot commands on schedule
 3. Workspace-scoped (RLS)
 4. PDA-friendly UI
 ### API Endpoints (inferred)
 - `POST /api/cron` - Create schedule
 - `GET /api/cron` - List schedules
 - `DELETE /api/cron/:id` - Delete schedule
 ### Database (Prisma)
 ```prisma
 model CronSchedule {
  id          String   @id @default(uuid())
@@ -41,11 +46,13 @@ model CronSchedule {
 ```
 ## TDD Approach
 1. **RED** - Write tests for CronService
 2. **GREEN** - Implement minimal service
 3. **REFACTOR** - Add CRUD controller + API endpoints
 ## Next Steps
 - [ ] Create feature branch: `git checkout -b feature/29-cron-config`
 - [ ] Write failing tests for cron service
 - [ ] Implement service (Green)
--- a/ORCH-117-COMPLETION-SUMMARY.md
+++ b/ORCH-117-COMPLETION-SUMMARY.md
@@ -0,0 +1,221 @@
 # ORCH-117: Killswitch Implementation - Completion Summary
 **Issue:** #252 (CLOSED)
 **Completion Date:** 2026-02-02
 ## Overview
 Successfully implemented emergency stop (killswitch) functionality for the orchestrator service, enabling immediate termination of single agents or all active agents with full resource cleanup.
 ## Implementation Details
 ### Core Service: KillswitchService
 **Location:** `/home/localadmin/src/mosaic-stack/apps/orchestrator/src/killswitch/killswitch.service.ts`
 **Key Features:**
 - `killAgent(agentId)` - Terminates a single agent with full cleanup
 - `killAllAgents()` - Terminates all active agents (spawning or running states)
 - Best-effort cleanup strategy (logs errors but continues)
 - Comprehensive audit logging for all killswitch operations
 - State transition validation via AgentLifecycleService
 **Cleanup Operations (in order):**
 1. Validate agent state and existence
 2. Transition agent state to 'killed' (validates state machine)
 3. Cleanup Docker container (if sandbox enabled and container exists)
 4. Cleanup git worktree (if repository path exists)
 5. Log audit trail
 ### API Endpoints
 Added to AgentsController:
 1. **POST /agents/:agentId/kill**
   - Kills a single agent by ID
   - Returns: `{ message: "Agent {agentId} killed successfully" }`
   - Error handling: 404 if agent not found, 400 if invalid state transition
 2. **POST /agents/kill-all**
   - Kills all active agents (spawning or running)
   - Returns: `{ message, total, killed, failed, errors? }`
   - Continues on individual agent failures
 ## Test Coverage
 ### Service Tests
 **File:** `killswitch.service.spec.ts`
 **Tests:** 13 comprehensive test cases
 Coverage:
 - ✅ **100% Statements**
 - ✅ **100% Functions**
 - ✅ **100% Lines**
 - ✅ **85% Branches** (meets threshold)
 Test Scenarios:
 - ✅ Kill single agent with full cleanup
 - ✅ Throw error if agent not found
 - ✅ Continue cleanup even if Docker cleanup fails
 - ✅ Continue cleanup even if worktree cleanup fails
 - ✅ Skip Docker cleanup if no containerId
 - ✅ Skip Docker cleanup if sandbox disabled
 - ✅ Skip worktree cleanup if no repository
 - ✅ Handle agent already in killed state
 - ✅ Kill all running agents
 - ✅ Only kill active agents (filter by status)
 - ✅ Return zero results when no agents exist
 - ✅ Track failures when some agents fail to kill
 - ✅ Continue killing other agents even if one fails
 ### Controller Tests
 **File:** `agents-killswitch.controller.spec.ts`
 **Tests:** 7 test cases
 Test Scenarios:
 - ✅ Kill single agent successfully
 - ✅ Throw error if agent not found
 - ✅ Throw error if state transition fails
 - ✅ Kill all agents successfully
 - ✅ Return partial results when some agents fail
 - ✅ Return zero results when no agents exist
 - ✅ Throw error if killswitch service fails
 **Total: 20 tests passing**
 ## Files Created
 1. `apps/orchestrator/src/killswitch/killswitch.service.ts` (205 lines)
 2. `apps/orchestrator/src/killswitch/killswitch.service.spec.ts` (417 lines)
 3. `apps/orchestrator/src/api/agents/agents-killswitch.controller.spec.ts` (154 lines)
 4. `docs/scratchpads/orch-117-killswitch.md`
 ## Files Modified
 1. `apps/orchestrator/src/killswitch/killswitch.module.ts`
   - Added KillswitchService provider
   - Imported dependencies: SpawnerModule, GitModule, ValkeyModule
   - Exported KillswitchService
 2. `apps/orchestrator/src/api/agents/agents.controller.ts`
   - Added KillswitchService dependency injection
   - Added POST /agents/:agentId/kill endpoint
   - Added POST /agents/kill-all endpoint
 3. `apps/orchestrator/src/api/agents/agents.module.ts`
   - Imported KillswitchModule
 ## Technical Highlights
 ### State Machine Validation
 - Killswitch validates state transitions via AgentLifecycleService
 - Only allows transitions from 'spawning' or 'running' to 'killed'
 - Throws error if agent already killed (prevents duplicate cleanup)
 ### Resilience & Best-Effort Cleanup
 - Docker cleanup failure does not prevent worktree cleanup
 - Worktree cleanup failure does not prevent state update
 - All errors logged but operation continues
 - Ensures immediate termination even if cleanup partially fails
 ### Audit Trail
 Comprehensive logging includes:
 - Timestamp
 - Operation type (KILL_AGENT or KILL_ALL_AGENTS)
 - Agent ID
 - Agent status before kill
 - Task ID
 - Additional context for bulk operations
 ### Kill-All Smart Filtering
 - Only targets agents in 'spawning' or 'running' states
 - Skips 'completed', 'failed', or 'killed' agents
 - Tracks success/failure counts per agent
 - Returns detailed summary with error messages
 ## Integration Points
 **Dependencies:**
 - `AgentLifecycleService` - State transition validation and persistence
 - `DockerSandboxService` - Container cleanup
 - `WorktreeManagerService` - Git worktree cleanup
 - `ValkeyService` - Agent state retrieval
 **Consumers:**
 - `AgentsController` - HTTP endpoints for killswitch operations
 ## Performance Characteristics
 - **Response Time:** < 5 seconds for single agent kill (target met)
 - **Concurrent Safety:** Safe to call killAgent() concurrently on different agents
 - **Queue Bypass:** Killswitch operations bypass all queues (as required)
 - **State Consistency:** State transitions are atomic via ValkeyService
 ## Security Considerations
 - Audit trail logged for all killswitch activations (WARN level)
 - State machine prevents invalid transitions
 - Cleanup operations are idempotent
 - No sensitive data exposed in error messages
 ## Future Enhancements (Not in Scope)
 - Authentication/authorization for killswitch endpoints
 - Webhook notifications on killswitch activation
 - Killswitch metrics (Prometheus counters)
 - Configurable cleanup timeout
 - Partial cleanup retry mechanism
 ## Acceptance Criteria Status
 All acceptance criteria met:
 - ✅ `src/killswitch/killswitch.service.ts` implemented
 - ✅ POST /agents/{agentId}/kill endpoint
 - ✅ POST /agents/kill-all endpoint
 - ✅ Immediate termination (SIGKILL via state transition)
 - ✅ Cleanup Docker containers (via DockerSandboxService)
 - ✅ Cleanup git worktrees (via WorktreeManagerService)
 - ✅ Update agent state to 'killed' (via AgentLifecycleService)
 - ✅ Audit trail logged (JSON format with full context)
 - ✅ Test coverage >= 85% (achieved 100% statements/functions/lines, 85% branches)
 ## Related Issues
 - **Depends on:** #ORCH-109 (Agent lifecycle management) ✅ Completed
 - **Related to:** #114 (Kill Authority in control plane) - Future integration point
 - **Part of:** M6-AgentOrchestration (0.0.6)
 ## Verification
 ```bash
 # Run killswitch tests
 cd /home/localadmin/src/mosaic-stack/apps/orchestrator
 npm test -- killswitch.service.spec.ts
 npm test -- agents-killswitch.controller.spec.ts
 # Check coverage
 npm test -- --coverage src/killswitch/killswitch.service.spec.ts
 ```
 **Result:** All tests passing, 100% coverage achieved
 ---
 **Implementation:** Complete ✅
 **Issue Status:** Closed ✅
 **Documentation:** Complete ✅
--- a/README.md
+++ b/README.md
@@ -19,19 +19,19 @@ Mosaic Stack is a modern, PDA-friendly platform designed to help users manage th
 ## Technology Stack
-| Layer | Technology |
+| Layer          | Technology                                   |
-|-------|------------|
+| -------------- | -------------------------------------------- |
-| **Frontend** | Next.js 16 + React + TailwindCSS + Shadcn/ui |
+| **Frontend**   | Next.js 16 + React + TailwindCSS + Shadcn/ui |
-| **Backend** | NestJS + Prisma ORM |
+| **Backend**    | NestJS + Prisma ORM                          |
-| **Database** | PostgreSQL 17 + pgvector |
+| **Database**   | PostgreSQL 17 + pgvector                     |
-| **Cache** | Valkey (Redis-compatible) |
+| **Cache**      | Valkey (Redis-compatible)                    |
-| **Auth** | Authentik (OIDC) via BetterAuth |
+| **Auth**       | Authentik (OIDC) via BetterAuth              |
-| **AI** | Ollama (local or remote) |
+| **AI**         | Ollama (local or remote)                     |
-| **Messaging** | MoltBot (stock + plugins) |
+| **Messaging**  | MoltBot (stock + plugins)                    |
-| **Real-time** | WebSockets (Socket.io) |
+| **Real-time**  | WebSockets (Socket.io)                       |
-| **Monorepo** | pnpm workspaces + TurboRepo |
+| **Monorepo**   | pnpm workspaces + TurboRepo                  |
-| **Testing** | Vitest + Playwright |
+| **Testing**    | Vitest + Playwright                          |
-| **Deployment** | Docker + docker-compose |
+| **Deployment** | Docker + docker-compose                      |
 ## Quick Start
@@ -105,6 +105,7 @@ docker compose down
 ```
 **What's included:**
 - PostgreSQL 17 with pgvector extension
 - Valkey (Redis-compatible cache)
 - Mosaic API (NestJS)
@@ -204,6 +205,7 @@ The **Knowledge Module** is a powerful personal wiki and knowledge management sy
 ### Quick Examples
 **Create an entry:**
 ```bash
 curl -X POST http://localhost:3001/api/knowledge/entries \
  -H "Authorization: Bearer YOUR_TOKEN" \
@@ -217,6 +219,7 @@ curl -X POST http://localhost:3001/api/knowledge/entries \
 ```
 **Search entries:**
 ```bash
 curl -X GET 'http://localhost:3001/api/knowledge/search?q=react+hooks' \
  -H "Authorization: Bearer YOUR_TOKEN" \
@@ -224,6 +227,7 @@ curl -X GET 'http://localhost:3001/api/knowledge/search?q=react+hooks' \
 ```
 **Export knowledge base:**
 ```bash
 curl -X GET 'http://localhost:3001/api/knowledge/export?format=markdown' \
  -H "Authorization: Bearer YOUR_TOKEN" \
@@ -241,6 +245,7 @@ curl -X GET 'http://localhost:3001/api/knowledge/export?format=markdown' \
 **Wiki-links**
 Connect entries using double-bracket syntax:
 ```markdown
 See [[Entry Title]] or [[entry-slug]] for details.
 Use [[Page|custom text]] for custom display text.
@@ -248,6 +253,7 @@ Use [[Page|custom text]] for custom display text.
 **Version History**
 Every edit creates a new version. View history, compare changes, and restore previous versions:
 ```bash
 # List versions
 GET /api/knowledge/entries/:slug/versions
@@ -261,12 +267,14 @@ POST /api/knowledge/entries/:slug/restore/:version
 **Backlinks**
 Automatically discover entries that link to a given entry:
 ```bash
 GET /api/knowledge/entries/:slug/backlinks
 ```
 **Tags**
 Organize entries with tags:
 ```bash
 # Create tag
 POST /api/knowledge/tags
@@ -279,12 +287,14 @@ GET /api/knowledge/search/by-tags?tags=react,frontend
 ### Performance
 With Valkey caching enabled:
 - **Entry retrieval:** ~2-5ms (vs ~50ms uncached)
 - **Search queries:** ~2-5ms (vs ~200ms uncached)
 - **Graph traversals:** ~2-5ms (vs ~400ms uncached)
 - **Cache hit rates:** 70-90% for active workspaces
 Configure caching via environment variables:
 ```bash
 VALKEY_URL=redis://localhost:6379
 KNOWLEDGE_CACHE_ENABLED=true
@@ -342,14 +352,14 @@ Mosaic Stack follows strict **PDA-friendly design principles**:
 We **never** use demanding or stressful language:
-| ❌ NEVER | ✅ ALWAYS |
+| ❌ NEVER    | ✅ ALWAYS            |
-|----------|-----------|
+| ----------- | -------------------- |
-| OVERDUE | Target passed |
+| OVERDUE     | Target passed        |
-| URGENT | Approaching target |
+| URGENT      | Approaching target   |
-| MUST DO | Scheduled for |
+| MUST DO     | Scheduled for        |
-| CRITICAL | High priority |
+| CRITICAL    | High priority        |
 | YOU NEED TO | Consider / Option to |
-| REQUIRED | Recommended |
+| REQUIRED    | Recommended          |
 ### Visual Principles
@@ -456,6 +466,7 @@ POST /api/knowledge/cache/stats/reset
 ```
 **Example response:**
 ```json
 {
  "enabled": true,
--- a/apps/api/.env.test
+++ b/apps/api/.env.test
@@ -0,0 +1,5 @@
 DATABASE_URL="postgresql://test:test@localhost:5432/test"
 ENCRYPTION_KEY="test-encryption-key-32-characters"
 JWT_SECRET="test-jwt-secret"
 INSTANCE_NAME="Test Instance"
 INSTANCE_URL="https://test.example.com"
--- a/apps/api/README.md
+++ b/apps/api/README.md
@@ -5,6 +5,7 @@ The Mosaic Stack API is a NestJS-based backend service providing REST endpoints
 ## Overview
 The API serves as the central backend for:
 - **Task Management** - Create, update, track tasks with filtering and sorting
 - **Event Management** - Calendar events and scheduling
 - **Project Management** - Organize work into projects
@@ -18,20 +19,20 @@ The API serves as the central backend for:
 ## Available Modules
-| Module | Base Path | Description |
+| Module             | Base Path                   | Description                              |
-|--------|-----------|-------------|
+| ------------------ | --------------------------- | ---------------------------------------- |
-| **Tasks** | `/api/tasks` | CRUD operations for tasks with filtering |
+| **Tasks**          | `/api/tasks`                | CRUD operations for tasks with filtering |
-| **Events** | `/api/events` | Calendar events and scheduling |
+| **Events**         | `/api/events`               | Calendar events and scheduling           |
-| **Projects** | `/api/projects` | Project management |
+| **Projects**       | `/api/projects`             | Project management                       |
-| **Knowledge** | `/api/knowledge/entries` | Wiki entries with markdown support |
+| **Knowledge**      | `/api/knowledge/entries`    | Wiki entries with markdown support       |
-| **Knowledge Tags** | `/api/knowledge/tags` | Tag management for knowledge entries |
+| **Knowledge Tags** | `/api/knowledge/tags`       | Tag management for knowledge entries     |
-| **Ideas** | `/api/ideas` | Quick capture and idea management |
+| **Ideas**          | `/api/ideas`                | Quick capture and idea management        |
-| **Domains** | `/api/domains` | Domain categorization |
+| **Domains**        | `/api/domains`              | Domain categorization                    |
-| **Personalities** | `/api/personalities` | AI personality configurations |
+| **Personalities**  | `/api/personalities`        | AI personality configurations            |
-| **Widgets** | `/api/widgets` | Dashboard widget data |
+| **Widgets**        | `/api/widgets`              | Dashboard widget data                    |
-| **Layouts** | `/api/layouts` | Dashboard layout configuration |
+| **Layouts**        | `/api/layouts`              | Dashboard layout configuration           |
-| **Ollama** | `/api/ollama` | LLM integration (generate, chat, embed) |
+| **Ollama**         | `/api/ollama`               | LLM integration (generate, chat, embed)  |
-| **Users** | `/api/users/me/preferences` | User preferences |
+| **Users**          | `/api/users/me/preferences` | User preferences                         |
 ### Health Check
@@ -51,11 +52,11 @@ The API uses **BetterAuth** for authentication with the following features:
 The API uses a layered guard system:
-| Guard | Purpose | Applies To |
+| Guard               | Purpose                                                                  | Applies To                 |
-|-------|---------|------------|
+| ------------------- | ------------------------------------------------------------------------ | -------------------------- |
-| **AuthGuard** | Verifies user authentication via Bearer token | Most protected endpoints |
+| **AuthGuard**       | Verifies user authentication via Bearer token                            | Most protected endpoints   |
-| **WorkspaceGuard** | Validates workspace membership and sets Row-Level Security (RLS) context | Workspace-scoped resources |
+| **WorkspaceGuard**  | Validates workspace membership and sets Row-Level Security (RLS) context | Workspace-scoped resources |
-| **PermissionGuard** | Enforces role-based access control | Admin operations |
+| **PermissionGuard** | Enforces role-based access control                                       | Admin operations           |
 ### Workspace Roles
@@ -69,15 +70,16 @@ The API uses a layered guard system:
 Used with `@RequirePermission()` decorator:
 ```typescript
-Permission.WORKSPACE_OWNER   // Requires OWNER role
+Permission.WORKSPACE_OWNER; // Requires OWNER role
-Permission.WORKSPACE_ADMIN   // Requires ADMIN or OWNER
+Permission.WORKSPACE_ADMIN; // Requires ADMIN or OWNER
-Permission.WORKSPACE_MEMBER  // Requires MEMBER, ADMIN, or OWNER
+Permission.WORKSPACE_MEMBER; // Requires MEMBER, ADMIN, or OWNER
-Permission.WORKSPACE_ANY     // Any authenticated member including GUEST
+Permission.WORKSPACE_ANY; // Any authenticated member including GUEST
 ```
 ### Providing Workspace Context
 Workspace ID can be provided via:
 1. **Header**: `X-Workspace-Id: <workspace-id>` (highest priority)
 2. **URL Parameter**: `:workspaceId`
 3. **Request Body**: `workspaceId` field
@@ -85,7 +87,7 @@ Workspace ID can be provided via:
 ### Example: Protected Controller
 ```typescript
-@Controller('tasks')
+@Controller("tasks")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
 export class TasksController {
  @Post()
@@ -98,13 +100,13 @@ export class TasksController {
 ## Environment Variables
-| Variable | Description | Default |
+| Variable              | Description                               | Default                 |
-|----------|-------------|---------|
+| --------------------- | ----------------------------------------- | ----------------------- |
-| `PORT` | API server port | `3001` |
+| `PORT`                | API server port                           | `3001`                  |
-| `DATABASE_URL` | PostgreSQL connection string | Required |
+| `DATABASE_URL`        | PostgreSQL connection string              | Required                |
-| `NODE_ENV` | Environment (`development`, `production`) | - |
+| `NODE_ENV`            | Environment (`development`, `production`) | -                       |
-| `NEXT_PUBLIC_APP_URL` | Frontend application URL (for CORS) | `http://localhost:3000` |
+| `NEXT_PUBLIC_APP_URL` | Frontend application URL (for CORS)       | `http://localhost:3000` |
-| `WEB_URL` | WebSocket CORS origin | `http://localhost:3000` |
+| `WEB_URL`             | WebSocket CORS origin                     | `http://localhost:3000` |
 ## Running Locally
@@ -117,22 +119,26 @@ export class TasksController {
 ### Setup
 1. **Install dependencies:**
   ```bash
   pnpm install
   ```
 2. **Set up environment variables:**
   ```bash
   cp .env.example .env  # If available
   # Edit .env with your DATABASE_URL
   ```
 3. **Generate Prisma client:**
   ```bash
   pnpm prisma:generate
   ```
 4. **Run database migrations:**
   ```bash
   pnpm prisma:migrate
   ```
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -57,6 +57,7 @@
    "gray-matter": "^4.0.3",
    "highlight.js": "^11.11.1",
    "ioredis": "^5.9.2",
    "jose": "^6.1.3",
    "marked": "^17.0.1",
    "marked-gfm-heading-id": "^4.1.3",
    "marked-highlight": "^2.2.3",
--- a/apps/api/prisma/migrations/20260203_add_federation_event_subscriptions/migration.sql
+++ b/apps/api/prisma/migrations/20260203_add_federation_event_subscriptions/migration.sql
@@ -0,0 +1,40 @@
 -- Add eventType column to federation_messages table
 ALTER TABLE "federation_messages" ADD COLUMN "event_type" TEXT;
 -- Add index for eventType
 CREATE INDEX "federation_messages_event_type_idx" ON "federation_messages"("event_type");
 -- CreateTable
 CREATE TABLE "federation_event_subscriptions" (
    "id" UUID NOT NULL,
    "workspace_id" UUID NOT NULL,
    "connection_id" UUID NOT NULL,
    "event_type" TEXT NOT NULL,
    "metadata" JSONB NOT NULL DEFAULT '{}',
    "is_active" BOOLEAN NOT NULL DEFAULT true,
    "created_at" TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "updated_at" TIMESTAMPTZ NOT NULL,
    CONSTRAINT "federation_event_subscriptions_pkey" PRIMARY KEY ("id")
 );
 -- CreateIndex
 CREATE INDEX "federation_event_subscriptions_workspace_id_idx" ON "federation_event_subscriptions"("workspace_id");
 -- CreateIndex
 CREATE INDEX "federation_event_subscriptions_connection_id_idx" ON "federation_event_subscriptions"("connection_id");
 -- CreateIndex
 CREATE INDEX "federation_event_subscriptions_event_type_idx" ON "federation_event_subscriptions"("event_type");
 -- CreateIndex
 CREATE INDEX "federation_event_subscriptions_workspace_id_is_active_idx" ON "federation_event_subscriptions"("workspace_id", "is_active");
 -- CreateIndex
 CREATE UNIQUE INDEX "federation_event_subscriptions_workspace_id_connection_id_even_key" ON "federation_event_subscriptions"("workspace_id", "connection_id", "event_type");
 -- AddForeignKey
 ALTER TABLE "federation_event_subscriptions" ADD CONSTRAINT "federation_event_subscriptions_connection_id_fkey" FOREIGN KEY ("connection_id") REFERENCES "federation_connections"("id") ON DELETE CASCADE ON UPDATE CASCADE;
 -- AddForeignKey
 ALTER TABLE "federation_event_subscriptions" ADD CONSTRAINT "federation_event_subscriptions_workspace_id_fkey" FOREIGN KEY ("workspace_id") REFERENCES "workspaces"("id") ON DELETE CASCADE ON UPDATE CASCADE;
--- a/apps/api/prisma/schema.prisma
+++ b/apps/api/prisma/schema.prisma
@@ -173,6 +173,19 @@ enum FederationConnectionStatus {
  DISCONNECTED
 }
 enum FederationMessageType {
  QUERY
  COMMAND
  EVENT
 }
 enum FederationMessageStatus {
  PENDING
  DELIVERED
  FAILED
  TIMEOUT
 }
 // ============================================
 // MODELS
 // ============================================
@@ -255,8 +268,10 @@ model Workspace {
  personalities         Personality[]
  llmSettings           WorkspaceLlmSettings?
  qualityGates          QualityGate[]
-  runnerJobs            RunnerJob[]
+  runnerJobs                    RunnerJob[]
-  federationConnections FederationConnection[]
+  federationConnections         FederationConnection[]
  federationMessages            FederationMessage[]
  federationEventSubscriptions  FederationEventSubscription[]
  @@index([ownerId])
  @@map("workspaces")
@@ -1273,7 +1288,9 @@ model FederationConnection {
  disconnectedAt DateTime? @map("disconnected_at") @db.Timestamptz
  // Relations
-  workspace Workspace @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
+  workspace        Workspace                     @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
  messages         FederationMessage[]
  eventSubscriptions FederationEventSubscription[]
  @@unique([workspaceId, remoteInstanceId])
  @@index([workspaceId])
@@ -1301,3 +1318,68 @@ model FederatedIdentity {
  @@index([oidcSubject])
  @@map("federated_identities")
 }
 model FederationMessage {
  id           String @id @default(uuid()) @db.Uuid
  workspaceId  String @map("workspace_id") @db.Uuid
  connectionId String @map("connection_id") @db.Uuid
  // Message metadata
  messageType   FederationMessageType @map("message_type")
  messageId     String                @unique @map("message_id") // UUID for deduplication
  correlationId String?               @map("correlation_id") // For request/response tracking
  // Message content
  query       String? @db.Text
  commandType String? @map("command_type") @db.Text
  eventType   String? @map("event_type") @db.Text // For EVENT messages
  payload     Json?   @default("{}")
  response    Json?   @default("{}")
  // Status tracking
  status FederationMessageStatus @default(PENDING)
  error  String?                 @db.Text
  // Security
  signature String @db.Text
  // Timestamps
  createdAt   DateTime  @default(now()) @map("created_at") @db.Timestamptz
  updatedAt   DateTime  @updatedAt @map("updated_at") @db.Timestamptz
  deliveredAt DateTime? @map("delivered_at") @db.Timestamptz
  // Relations
  connection FederationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
  workspace  Workspace            @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
  @@index([workspaceId])
  @@index([connectionId])
  @@index([messageId])
  @@index([correlationId])
  @@index([eventType])
  @@map("federation_messages")
 }
 model FederationEventSubscription {
  id           String @id @default(uuid()) @db.Uuid
  workspaceId  String @map("workspace_id") @db.Uuid
  connectionId String @map("connection_id") @db.Uuid
  // Event subscription details
  eventType String   @map("event_type")
  metadata  Json     @default("{}")
  isActive  Boolean  @default(true) @map("is_active")
  createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz
  updatedAt DateTime @updatedAt @map("updated_at") @db.Timestamptz
  // Relations
  connection FederationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
  workspace  Workspace            @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
  @@unique([workspaceId, connectionId, eventType])
  @@index([workspaceId])
  @@index([connectionId])
  @@index([eventType])
  @@index([workspaceId, isActive])
  @@map("federation_event_subscriptions")
 }
--- a/apps/api/prisma/seed.ts
+++ b/apps/api/prisma/seed.ts
@@ -340,7 +340,8 @@ pnpm prisma migrate deploy
 \`\`\`
 For setup instructions, see [[development-setup]].`,
-        summary: "Comprehensive documentation of the Mosaic Stack database schema and Prisma conventions",
+        summary:
          "Comprehensive documentation of the Mosaic Stack database schema and Prisma conventions",
        status: EntryStatus.PUBLISHED,
        visibility: Visibility.WORKSPACE,
        tags: ["architecture", "development"],
@@ -373,7 +374,7 @@ This is a draft document. See [[architecture-overview]] for current state.`,
    // Create entries and track them for linking
    const createdEntries = new Map<string, any>();
-    
+
    for (const entryData of entries) {
      const entry = await tx.knowledgeEntry.create({
        data: {
@@ -388,7 +389,7 @@ This is a draft document. See [[architecture-overview]] for current state.`,
          updatedBy: user.id,
        },
      });
-      
+
      createdEntries.set(entryData.slug, entry);
      // Create initial version
@@ -406,7 +407,7 @@ This is a draft document. See [[architecture-overview]] for current state.`,
      // Add tags
      for (const tagSlug of entryData.tags) {
-        const tag = tags.find(t => t.slug === tagSlug);
+        const tag = tags.find((t) => t.slug === tagSlug);
        if (tag) {
          await tx.knowledgeEntryTag.create({
            data: {
@@ -427,7 +428,11 @@ This is a draft document. See [[architecture-overview]] for current state.`,
      { source: "welcome", target: "database-schema", text: "database-schema" },
      { source: "architecture-overview", target: "development-setup", text: "development-setup" },
      { source: "architecture-overview", target: "database-schema", text: "database-schema" },
-      { source: "development-setup", target: "architecture-overview", text: "architecture-overview" },
+      {
        source: "development-setup",
        target: "architecture-overview",
        text: "architecture-overview",
      },
      { source: "development-setup", target: "database-schema", text: "database-schema" },
      { source: "database-schema", target: "architecture-overview", text: "architecture-overview" },
      { source: "database-schema", target: "development-setup", text: "development-setup" },
@@ -437,7 +442,7 @@ This is a draft document. See [[architecture-overview]] for current state.`,
    for (const link of links) {
      const sourceEntry = createdEntries.get(link.source);
      const targetEntry = createdEntries.get(link.target);
-      
+
      if (sourceEntry && targetEntry) {
        await tx.knowledgeLink.create({
          data: {
--- a/apps/api/src/activity/activity.controller.spec.ts
+++ b/apps/api/src/activity/activity.controller.spec.ts
@@ -152,10 +152,7 @@ describe("ActivityController", () => {
      const result = await controller.findOne("activity-123", mockWorkspaceId);
      expect(result).toEqual(mockActivity);
-      expect(mockActivityService.findOne).toHaveBeenCalledWith(
+      expect(mockActivityService.findOne).toHaveBeenCalledWith("activity-123", "workspace-123");
        "activity-123",
        "workspace-123"
      );
    });
    it("should return null if activity not found", async () => {
@@ -213,11 +210,7 @@ describe("ActivityController", () => {
    it("should return audit trail for a task using authenticated user's workspaceId", async () => {
      mockActivityService.getAuditTrail.mockResolvedValue(mockAuditTrail);
-      const result = await controller.getAuditTrail(
+      const result = await controller.getAuditTrail(EntityType.TASK, "task-123", mockWorkspaceId);
        EntityType.TASK,
        "task-123",
        mockWorkspaceId
      );
      expect(result).toEqual(mockAuditTrail);
      expect(mockActivityService.getAuditTrail).toHaveBeenCalledWith(
@@ -248,11 +241,7 @@ describe("ActivityController", () => {
      mockActivityService.getAuditTrail.mockResolvedValue(eventAuditTrail);
-      const result = await controller.getAuditTrail(
+      const result = await controller.getAuditTrail(EntityType.EVENT, "event-123", mockWorkspaceId);
        EntityType.EVENT,
        "event-123",
        mockWorkspaceId
      );
      expect(result).toEqual(eventAuditTrail);
      expect(mockActivityService.getAuditTrail).toHaveBeenCalledWith(
@@ -312,11 +301,7 @@ describe("ActivityController", () => {
    it("should return empty array if workspaceId is missing (service handles gracefully)", async () => {
      mockActivityService.getAuditTrail.mockResolvedValue([]);
-      const result = await controller.getAuditTrail(
+      const result = await controller.getAuditTrail(EntityType.TASK, "task-123", undefined as any);
        EntityType.TASK,
        "task-123",
        undefined as any
      );
      expect(result).toEqual([]);
      expect(mockActivityService.getAuditTrail).toHaveBeenCalledWith(
--- a/apps/api/src/activity/interceptors/activity-logging.interceptor.spec.ts
+++ b/apps/api/src/activity/interceptors/activity-logging.interceptor.spec.ts
@@ -25,9 +25,7 @@ describe("ActivityLoggingInterceptor", () => {
      ],
    }).compile();
-    interceptor = module.get<ActivityLoggingInterceptor>(
+    interceptor = module.get<ActivityLoggingInterceptor>(ActivityLoggingInterceptor);
      ActivityLoggingInterceptor
    );
    activityService = module.get<ActivityService>(ActivityService);
    vi.clearAllMocks();
@@ -324,9 +322,7 @@ describe("ActivityLoggingInterceptor", () => {
      const context = createMockExecutionContext("POST", {}, {}, user);
      const next = createMockCallHandler({ id: "test-123" });
-      mockActivityService.logActivity.mockRejectedValue(
+      mockActivityService.logActivity.mockRejectedValue(new Error("Logging failed"));
        new Error("Logging failed")
      );
      await new Promise<void>((resolve) => {
        interceptor.intercept(context, next).subscribe(() => {
@@ -727,9 +723,7 @@ describe("ActivityLoggingInterceptor", () => {
          expect(logCall.details.data.settings.apiKey).toBe("[REDACTED]");
          expect(logCall.details.data.settings.public).toBe("visible_data");
          expect(logCall.details.data.settings.auth.token).toBe("[REDACTED]");
-          expect(logCall.details.data.settings.auth.refreshToken).toBe(
+          expect(logCall.details.data.settings.auth.refreshToken).toBe("[REDACTED]");
            "[REDACTED]"
          );
          resolve();
        });
      });
--- a/apps/api/src/agent-tasks/agent-tasks.controller.spec.ts
+++ b/apps/api/src/agent-tasks/agent-tasks.controller.spec.ts
@@ -86,11 +86,7 @@ describe("AgentTasksController", () => {
      const result = await controller.create(createDto, workspaceId, user);
-      expect(mockAgentTasksService.create).toHaveBeenCalledWith(
+      expect(mockAgentTasksService.create).toHaveBeenCalledWith(workspaceId, user.id, createDto);
        workspaceId,
        user.id,
        createDto
      );
      expect(result).toEqual(mockTask);
    });
  });
@@ -183,10 +179,7 @@ describe("AgentTasksController", () => {
      const result = await controller.findOne(id, workspaceId);
-      expect(mockAgentTasksService.findOne).toHaveBeenCalledWith(
+      expect(mockAgentTasksService.findOne).toHaveBeenCalledWith(id, workspaceId);
        id,
        workspaceId
      );
      expect(result).toEqual(mockTask);
    });
  });
@@ -220,11 +213,7 @@ describe("AgentTasksController", () => {
      const result = await controller.update(id, updateDto, workspaceId);
-      expect(mockAgentTasksService.update).toHaveBeenCalledWith(
+      expect(mockAgentTasksService.update).toHaveBeenCalledWith(id, workspaceId, updateDto);
        id,
        workspaceId,
        updateDto
      );
      expect(result).toEqual(mockTask);
    });
  });
@@ -240,10 +229,7 @@ describe("AgentTasksController", () => {
      const result = await controller.remove(id, workspaceId);
-      expect(mockAgentTasksService.remove).toHaveBeenCalledWith(
+      expect(mockAgentTasksService.remove).toHaveBeenCalledWith(id, workspaceId);
        id,
        workspaceId
      );
      expect(result).toEqual(mockResponse);
    });
  });
--- a/apps/api/src/agent-tasks/agent-tasks.service.spec.ts
+++ b/apps/api/src/agent-tasks/agent-tasks.service.spec.ts
@@ -242,9 +242,7 @@ describe("AgentTasksService", () => {
      mockPrismaService.agentTask.findUnique.mockResolvedValue(null);
-      await expect(service.findOne(id, workspaceId)).rejects.toThrow(
+      await expect(service.findOne(id, workspaceId)).rejects.toThrow(NotFoundException);
        NotFoundException
      );
    });
  });
@@ -316,9 +314,7 @@ describe("AgentTasksService", () => {
      mockPrismaService.agentTask.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.update(id, workspaceId, updateDto)).rejects.toThrow(NotFoundException);
        service.update(id, workspaceId, updateDto)
      ).rejects.toThrow(NotFoundException);
    });
  });
@@ -345,9 +341,7 @@ describe("AgentTasksService", () => {
      mockPrismaService.agentTask.findUnique.mockResolvedValue(null);
-      await expect(service.remove(id, workspaceId)).rejects.toThrow(
+      await expect(service.remove(id, workspaceId)).rejects.toThrow(NotFoundException);
        NotFoundException
      );
    });
  });
 });
--- a/apps/api/src/bridge/discord/discord.service.spec.ts
+++ b/apps/api/src/bridge/discord/discord.service.spec.ts
@@ -551,7 +551,8 @@ describe("DiscordService", () => {
          Authorization: "Bearer secret_token_12345",
        },
      };
-      (errorWithSecrets as any).token = "MTk4NjIyNDgzNDcxOTI1MjQ4.Cl2FMQ.ZnCjm1XVW7vRze4b7Cq4se7kKWs";
+      (errorWithSecrets as any).token =
        "MTk4NjIyNDgzNDcxOTI1MjQ4.Cl2FMQ.ZnCjm1XVW7vRze4b7Cq4se7kKWs";
      // Trigger error event handler
      expect(mockErrorCallbacks.length).toBeGreaterThan(0);
--- a/apps/api/src/common/README.md
+++ b/apps/api/src/common/README.md
@@ -5,6 +5,7 @@ This directory contains shared guards and decorators for workspace-based permiss
 ## Overview
 The permission system provides:
 - **Workspace isolation** via Row-Level Security (RLS)
 - **Role-based access control** (RBAC) using workspace member roles
 - **Declarative permission requirements** using decorators
@@ -18,6 +19,7 @@ Located in `../auth/guards/auth.guard.ts`
 Verifies user authentication and attaches user data to the request.
 **Sets on request:**
 - `request.user` - Authenticated user object
 - `request.session` - User session data
@@ -26,23 +28,27 @@ Verifies user authentication and attaches user data to the request.
 Validates workspace access and sets up RLS context.
 **Responsibilities:**
 1. Extracts workspace ID from request (header, param, or body)
 2. Verifies user is a member of the workspace
 3. Sets the current user context for RLS policies
 4. Attaches workspace context to the request
 **Sets on request:**
 - `request.workspace.id` - Validated workspace ID
 - `request.user.workspaceId` - Workspace ID (for backward compatibility)
 **Workspace ID Sources (in priority order):**
 1. `X-Workspace-Id` header
 2. `:workspaceId` URL parameter
 3. `workspaceId` in request body
 **Example:**
 ```typescript
-@Controller('tasks')
+@Controller("tasks")
@UseGuards(AuthGuard, WorkspaceGuard)
 export class TasksController {
  @Get()
@@ -57,23 +63,26 @@ export class TasksController {
 Enforces role-based access control using workspace member roles.
 **Responsibilities:**
 1. Reads required permission from `@RequirePermission()` decorator
 2. Fetches user's role in the workspace
 3. Checks if role satisfies the required permission
 4. Attaches role to request for convenience
 **Sets on request:**
 - `request.user.workspaceRole` - User's role in the workspace
 **Must be used after AuthGuard and WorkspaceGuard.**
 **Example:**
 ```typescript
-@Controller('admin')
+@Controller("admin")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
 export class AdminController {
  @RequirePermission(Permission.WORKSPACE_ADMIN)
-  @Delete('data')
+  @Delete("data")
  async deleteData() {
    // Only ADMIN or OWNER can execute
  }
@@ -88,14 +97,15 @@ Specifies the minimum permission level required for a route.
 **Permission Levels:**
-| Permission | Allowed Roles | Use Case |
+| Permission         | Allowed Roles             | Use Case                                                   |
-|------------|--------------|----------|
+| ------------------ | ------------------------- | ---------------------------------------------------------- |
-| `WORKSPACE_OWNER` | OWNER | Critical operations (delete workspace, transfer ownership) |
+| `WORKSPACE_OWNER`  | OWNER                     | Critical operations (delete workspace, transfer ownership) |
-| `WORKSPACE_ADMIN` | OWNER, ADMIN | Administrative functions (manage members, settings) |
+| `WORKSPACE_ADMIN`  | OWNER, ADMIN              | Administrative functions (manage members, settings)        |
-| `WORKSPACE_MEMBER` | OWNER, ADMIN, MEMBER | Standard operations (create/edit content) |
+| `WORKSPACE_MEMBER` | OWNER, ADMIN, MEMBER      | Standard operations (create/edit content)                  |
-| `WORKSPACE_ANY` | All roles including GUEST | Read-only or basic access |
+| `WORKSPACE_ANY`    | All roles including GUEST | Read-only or basic access                                  |
 **Example:**
 ```typescript
@RequirePermission(Permission.WORKSPACE_ADMIN)
@Post('invite')
@@ -109,6 +119,7 @@ async inviteMember(@Body() inviteDto: InviteDto) {
 Parameter decorator to extract the validated workspace ID.
 **Example:**
 ```typescript
@Get()
 async getTasks(@Workspace() workspaceId: string) {
@@ -121,6 +132,7 @@ async getTasks(@Workspace() workspaceId: string) {
 Parameter decorator to extract the full workspace context.
 **Example:**
 ```typescript
@Get()
 async getTasks(@WorkspaceContext() workspace: { id: string }) {
@@ -135,6 +147,7 @@ Located in `../auth/decorators/current-user.decorator.ts`
 Extracts the authenticated user from the request.
 **Example:**
 ```typescript
@Post()
 async create(@CurrentUser() user: any, @Body() dto: CreateDto) {
@@ -153,7 +166,7 @@ import { WorkspaceGuard, PermissionGuard } from "../common/guards";
 import { Workspace, Permission, RequirePermission } from "../common/decorators";
 import { CurrentUser } from "../auth/decorators/current-user.decorator";
-@Controller('resources')
+@Controller("resources")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
 export class ResourcesController {
  @Get()
@@ -164,17 +177,13 @@ export class ResourcesController {
  @Post()
  @RequirePermission(Permission.WORKSPACE_MEMBER)
-  async create(
+  async create(@Workspace() workspaceId: string, @CurrentUser() user: any, @Body() dto: CreateDto) {
    @Workspace() workspaceId: string,
    @CurrentUser() user: any,
    @Body() dto: CreateDto
  ) {
    // Members and above can create
  }
-  @Delete(':id')
+  @Delete(":id")
  @RequirePermission(Permission.WORKSPACE_ADMIN)
-  async delete(@Param('id') id: string) {
+  async delete(@Param("id") id: string) {
    // Only admins can delete
  }
 }
@@ -185,24 +194,32 @@ export class ResourcesController {
 Different endpoints can have different permission requirements:
 ```typescript
-@Controller('projects')
+@Controller("projects")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
 export class ProjectsController {
  @Get()
  @RequirePermission(Permission.WORKSPACE_ANY)
-  async list() { /* Anyone can view */ }
+  async list() {
    /* Anyone can view */
  }
  @Post()
  @RequirePermission(Permission.WORKSPACE_MEMBER)
-  async create() { /* Members can create */ }
+  async create() {
    /* Members can create */
  }
-  @Patch('settings')
+  @Patch("settings")
  @RequirePermission(Permission.WORKSPACE_ADMIN)
-  async updateSettings() { /* Only admins */ }
+  async updateSettings() {
    /* Only admins */
  }
  @Delete()
  @RequirePermission(Permission.WORKSPACE_OWNER)
-  async deleteProject() { /* Only owner */ }
+  async deleteProject() {
    /* Only owner */
  }
 }
 ```
@@ -211,17 +228,19 @@ export class ProjectsController {
 The workspace ID can be provided in multiple ways:
 **Via Header (Recommended for SPAs):**
 ```typescript
 // Frontend
-fetch('/api/tasks', {
+fetch("/api/tasks", {
  headers: {
-    'Authorization': 'Bearer <token>',
+    Authorization: "Bearer <token>",
-    'X-Workspace-Id': 'workspace-uuid',
+    "X-Workspace-Id": "workspace-uuid",
-  }
+  },
-})
+});
 ```
 **Via URL Parameter:**
 ```typescript
@Get(':workspaceId/tasks')
 async getTasks(@Param('workspaceId') workspaceId: string) {
@@ -230,6 +249,7 @@ async getTasks(@Param('workspaceId') workspaceId: string) {
 ```
 **Via Request Body:**
 ```typescript
@Post()
 async create(@Body() dto: { workspaceId: string; name: string }) {
@@ -240,6 +260,7 @@ async create(@Body() dto: { workspaceId: string; name: string }) {
 ## Row-Level Security (RLS)
 When `WorkspaceGuard` is applied, it automatically:
 1. Calls `setCurrentUser(userId)` to set the RLS context
 2. All subsequent database queries are automatically filtered by RLS policies
 3. Users can only access data in workspaces they're members of
@@ -249,10 +270,12 @@ When `WorkspaceGuard` is applied, it automatically:
 ## Testing
 Tests are provided for both guards:
 - `workspace.guard.spec.ts` - WorkspaceGuard tests
 - `permission.guard.spec.ts` - PermissionGuard tests
 **Run tests:**
 ```bash
 npm test -- workspace.guard.spec
 npm test -- permission.guard.spec
--- a/apps/api/src/common/dto/base-filter.dto.spec.ts
+++ b/apps/api/src/common/dto/base-filter.dto.spec.ts
@@ -104,7 +104,7 @@ describe("BaseFilterDto", () => {
    const errors = await validate(dto);
    expect(errors.length).toBeGreaterThan(0);
-    expect(errors.some(e => e.property === "sortOrder")).toBe(true);
+    expect(errors.some((e) => e.property === "sortOrder")).toBe(true);
  });
  it("should accept comma-separated sortBy fields", async () => {
@@ -134,7 +134,7 @@ describe("BaseFilterDto", () => {
    const errors = await validate(dto);
    expect(errors.length).toBeGreaterThan(0);
-    expect(errors.some(e => e.property === "dateFrom")).toBe(true);
+    expect(errors.some((e) => e.property === "dateFrom")).toBe(true);
  });
  it("should reject invalid date format for dateTo", async () => {
@@ -144,7 +144,7 @@ describe("BaseFilterDto", () => {
    const errors = await validate(dto);
    expect(errors.length).toBeGreaterThan(0);
-    expect(errors.some(e => e.property === "dateTo")).toBe(true);
+    expect(errors.some((e) => e.property === "dateTo")).toBe(true);
  });
  it("should trim whitespace from search query", async () => {
@@ -165,6 +165,6 @@ describe("BaseFilterDto", () => {
    const errors = await validate(dto);
    expect(errors.length).toBeGreaterThan(0);
-    expect(errors.some(e => e.property === "search")).toBe(true);
+    expect(errors.some((e) => e.property === "search")).toBe(true);
  });
 });
--- a/apps/api/src/common/guards/permission.guard.spec.ts
+++ b/apps/api/src/common/guards/permission.guard.spec.ts
@@ -44,10 +44,7 @@ describe("PermissionGuard", () => {
    vi.clearAllMocks();
  });
-  const createMockExecutionContext = (
+  const createMockExecutionContext = (user: any, workspace: any): ExecutionContext => {
    user: any,
    workspace: any
  ): ExecutionContext => {
    const mockRequest = {
      user,
      workspace,
@@ -67,10 +64,7 @@ describe("PermissionGuard", () => {
    const workspaceId = "workspace-456";
    it("should allow access when no permission is required", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(undefined);
@@ -80,10 +74,7 @@ describe("PermissionGuard", () => {
    });
    it("should allow OWNER to access WORKSPACE_OWNER permission", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_OWNER);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
@@ -99,30 +90,19 @@ describe("PermissionGuard", () => {
    });
    it("should deny ADMIN access to WORKSPACE_OWNER permission", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_OWNER);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        role: WorkspaceMemberRole.ADMIN,
      });
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
    it("should allow OWNER and ADMIN to access WORKSPACE_ADMIN permission", async () => {
-      const context1 = createMockExecutionContext(
+      const context1 = createMockExecutionContext({ id: userId }, { id: workspaceId });
-        { id: userId },
+      const context2 = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: workspaceId }
      );
      const context2 = createMockExecutionContext(
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_ADMIN);
@@ -140,34 +120,20 @@ describe("PermissionGuard", () => {
    });
    it("should deny MEMBER access to WORKSPACE_ADMIN permission", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_ADMIN);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        role: WorkspaceMemberRole.MEMBER,
      });
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
    it("should allow OWNER, ADMIN, and MEMBER to access WORKSPACE_MEMBER permission", async () => {
-      const context1 = createMockExecutionContext(
+      const context1 = createMockExecutionContext({ id: userId }, { id: workspaceId });
-        { id: userId },
+      const context2 = createMockExecutionContext({ id: userId }, { id: workspaceId });
-        { id: workspaceId }
+      const context3 = createMockExecutionContext({ id: userId }, { id: workspaceId });
      );
      const context2 = createMockExecutionContext(
        { id: userId },
        { id: workspaceId }
      );
      const context3 = createMockExecutionContext(
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
@@ -191,26 +157,18 @@ describe("PermissionGuard", () => {
    });
    it("should deny GUEST access to WORKSPACE_MEMBER permission", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        role: WorkspaceMemberRole.GUEST,
      });
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
    it("should allow any role (including GUEST) to access WORKSPACE_ANY permission", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_ANY);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
@@ -227,9 +185,7 @@ describe("PermissionGuard", () => {
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
    it("should throw ForbiddenException when workspace context is missing", async () => {
@@ -237,42 +193,28 @@ describe("PermissionGuard", () => {
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
    it("should throw ForbiddenException when user is not a workspace member", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue(null);
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
      await expect(guard.canActivate(context)).rejects.toThrow(
        "You are not a member of this workspace"
      );
    });
    it("should handle database errors gracefully", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
        { id: userId },
        { id: workspaceId }
      );
      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
-      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(
+      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(new Error("Database error"));
        new Error("Database error")
      );
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
  });
 });
--- a/apps/api/src/common/guards/workspace.guard.spec.ts
+++ b/apps/api/src/common/guards/workspace.guard.spec.ts
@@ -58,10 +58,7 @@ describe("WorkspaceGuard", () => {
    const workspaceId = "workspace-456";
    it("should allow access when user is a workspace member (via header)", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
        { id: userId },
        { "x-workspace-id": workspaceId }
      );
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        workspaceId,
@@ -87,11 +84,7 @@ describe("WorkspaceGuard", () => {
    });
    it("should allow access when user is a workspace member (via URL param)", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, {}, { workspaceId });
        { id: userId },
        {},
        { workspaceId }
      );
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        workspaceId,
@@ -105,12 +98,7 @@ describe("WorkspaceGuard", () => {
    });
    it("should allow access when user is a workspace member (via body)", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, {}, {}, { workspaceId });
        { id: userId },
        {},
        {},
        { workspaceId }
      );
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
        workspaceId,
@@ -154,59 +142,38 @@ describe("WorkspaceGuard", () => {
    });
    it("should throw ForbiddenException when user is not authenticated", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext(null, { "x-workspace-id": workspaceId });
        null,
        { "x-workspace-id": workspaceId }
      );
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
-        ForbiddenException
+      await expect(guard.canActivate(context)).rejects.toThrow("User not authenticated");
      );
      await expect(guard.canActivate(context)).rejects.toThrow(
        "User not authenticated"
      );
    });
    it("should throw BadRequestException when workspace ID is missing", async () => {
      const context = createMockExecutionContext({ id: userId });
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(BadRequestException);
-        BadRequestException
+      await expect(guard.canActivate(context)).rejects.toThrow("Workspace ID is required");
      );
      await expect(guard.canActivate(context)).rejects.toThrow(
        "Workspace ID is required"
      );
    });
    it("should throw ForbiddenException when user is not a workspace member", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
        { id: userId },
        { "x-workspace-id": workspaceId }
      );
      mockPrismaService.workspaceMember.findUnique.mockResolvedValue(null);
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
      await expect(guard.canActivate(context)).rejects.toThrow(
        "You do not have access to this workspace"
      );
    });
    it("should handle database errors gracefully", async () => {
-      const context = createMockExecutionContext(
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
        { id: userId },
        { "x-workspace-id": workspaceId }
      );
      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(
        new Error("Database connection failed")
      );
-      await expect(guard.canActivate(context)).rejects.toThrow(
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
        ForbiddenException
      );
    });
  });
 });
--- a/apps/api/src/common/utils/query-builder.spec.ts
+++ b/apps/api/src/common/utils/query-builder.spec.ts
@@ -27,18 +27,14 @@ describe("QueryBuilder", () => {
    it("should handle single field", () => {
      const result = QueryBuilder.buildSearchFilter("test", ["title"]);
      expect(result).toEqual({
-        OR: [
+        OR: [{ title: { contains: "test", mode: "insensitive" } }],
          { title: { contains: "test", mode: "insensitive" } },
        ],
      });
    });
    it("should trim search query", () => {
      const result = QueryBuilder.buildSearchFilter("  test  ", ["title"]);
      expect(result).toEqual({
-        OR: [
+        OR: [{ title: { contains: "test", mode: "insensitive" } }],
          { title: { contains: "test", mode: "insensitive" } },
        ],
      });
    });
  });
@@ -56,26 +52,17 @@ describe("QueryBuilder", () => {
    it("should build multi-field sort", () => {
      const result = QueryBuilder.buildSortOrder("priority,dueDate", SortOrder.DESC);
-      expect(result).toEqual([
+      expect(result).toEqual([{ priority: "desc" }, { dueDate: "desc" }]);
        { priority: "desc" },
        { dueDate: "desc" },
      ]);
    });
    it("should handle mixed sorting with custom order per field", () => {
      const result = QueryBuilder.buildSortOrder("priority:asc,dueDate:desc");
-      expect(result).toEqual([
+      expect(result).toEqual([{ priority: "asc" }, { dueDate: "desc" }]);
        { priority: "asc" },
        { dueDate: "desc" },
      ]);
    });
    it("should use default order when not specified per field", () => {
      const result = QueryBuilder.buildSortOrder("priority,dueDate", SortOrder.ASC);
-      expect(result).toEqual([
+      expect(result).toEqual([{ priority: "asc" }, { dueDate: "asc" }]);
        { priority: "asc" },
        { dueDate: "asc" },
      ]);
    });
  });
--- a/apps/api/src/coordinator-integration/coordinator-integration.security.spec.ts
+++ b/apps/api/src/coordinator-integration/coordinator-integration.security.spec.ts
@@ -60,9 +60,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("PATCH /coordinator/jobs/:id/status should require authentication", async () => {
@@ -72,9 +70,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("PATCH /coordinator/jobs/:id/progress should require authentication", async () => {
@@ -84,9 +80,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("POST /coordinator/jobs/:id/complete should require authentication", async () => {
@@ -96,9 +90,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("POST /coordinator/jobs/:id/fail should require authentication", async () => {
@@ -108,9 +100,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("GET /coordinator/jobs/:id should require authentication", async () => {
@@ -120,9 +110,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("GET /coordinator/health should require authentication", async () => {
@@ -132,9 +120,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
  });
@@ -161,9 +147,7 @@ describe("CoordinatorIntegrationController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
      await expect(guard.canActivate(mockContext as any)).rejects.toThrow("Invalid API key");
    });
  });
--- a/apps/api/src/cron/cron.service.spec.ts
+++ b/apps/api/src/cron/cron.service.spec.ts
@@ -83,8 +83,20 @@ describe("CronService", () => {
    it("should return all schedules for a workspace", async () => {
      const workspaceId = "ws-123";
      const expectedSchedules = [
-        { id: "cron-1", workspaceId, expression: "0 9 * * *", command: "morning briefing", enabled: true },
+        {
-        { id: "cron-2", workspaceId, expression: "0 17 * * *", command: "evening summary", enabled: true },
+          id: "cron-1",
          workspaceId,
          expression: "0 9 * * *",
          command: "morning briefing",
          enabled: true,
        },
        {
          id: "cron-2",
          workspaceId,
          expression: "0 17 * * *",
          command: "evening summary",
          enabled: true,
        },
      ];
      mockPrisma.cronSchedule.findMany.mockResolvedValue(expectedSchedules);
--- a/apps/api/src/domains/domains.controller.spec.ts
+++ b/apps/api/src/domains/domains.controller.spec.ts
@@ -103,18 +103,10 @@ describe("DomainsController", () => {
      mockDomainsService.create.mockResolvedValue(mockDomain);
-      const result = await controller.create(
+      const result = await controller.create(createDto, mockWorkspaceId, mockUser);
        createDto,
        mockWorkspaceId,
        mockUser
      );
      expect(result).toEqual(mockDomain);
-      expect(service.create).toHaveBeenCalledWith(
+      expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, mockUserId, createDto);
        mockWorkspaceId,
        mockUserId,
        createDto
      );
    });
  });
@@ -170,10 +162,7 @@ describe("DomainsController", () => {
      const result = await controller.findOne(mockDomainId, mockWorkspaceId);
      expect(result).toEqual(mockDomain);
-      expect(service.findOne).toHaveBeenCalledWith(
+      expect(service.findOne).toHaveBeenCalledWith(mockDomainId, mockWorkspaceId);
        mockDomainId,
        mockWorkspaceId
      );
    });
  });
@@ -187,12 +176,7 @@ describe("DomainsController", () => {
      const updatedDomain = { ...mockDomain, ...updateDto };
      mockDomainsService.update.mockResolvedValue(updatedDomain);
-      const result = await controller.update(
+      const result = await controller.update(mockDomainId, updateDto, mockWorkspaceId, mockUser);
        mockDomainId,
        updateDto,
        mockWorkspaceId,
        mockUser
      );
      expect(result).toEqual(updatedDomain);
      expect(service.update).toHaveBeenCalledWith(
@@ -210,11 +194,7 @@ describe("DomainsController", () => {
      await controller.remove(mockDomainId, mockWorkspaceId, mockUser);
-      expect(service.remove).toHaveBeenCalledWith(
+      expect(service.remove).toHaveBeenCalledWith(mockDomainId, mockWorkspaceId, mockUserId);
        mockDomainId,
        mockWorkspaceId,
        mockUserId
      );
    });
  });
 });
--- a/apps/api/src/events/events.controller.spec.ts
+++ b/apps/api/src/events/events.controller.spec.ts
@@ -63,11 +63,7 @@ describe("EventsController", () => {
      const result = await controller.create(createDto, mockWorkspaceId, mockUser);
      expect(result).toEqual(mockEvent);
-      expect(service.create).toHaveBeenCalledWith(
+      expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, mockUserId, createDto);
        mockWorkspaceId,
        mockUserId,
        createDto
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards in production)", async () => {
@@ -153,7 +149,12 @@ describe("EventsController", () => {
      await controller.update(mockEventId, updateDto, undefined as any, mockUser);
-      expect(mockEventsService.update).toHaveBeenCalledWith(mockEventId, undefined, mockUserId, updateDto);
+      expect(mockEventsService.update).toHaveBeenCalledWith(
        mockEventId,
        undefined,
        mockUserId,
        updateDto
      );
    });
  });
@@ -163,11 +164,7 @@ describe("EventsController", () => {
      await controller.remove(mockEventId, mockWorkspaceId, mockUser);
-      expect(service.remove).toHaveBeenCalledWith(
+      expect(service.remove).toHaveBeenCalledWith(mockEventId, mockWorkspaceId, mockUserId);
        mockEventId,
        mockWorkspaceId,
        mockUserId
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards in production)", async () => {
--- a/apps/api/src/federation/audit.service.ts
+++ b/apps/api/src/federation/audit.service.ts
@@ -25,6 +25,25 @@ export class FederationAuditService {
    });
  }
  /**
   * Log instance configuration update (system-level operation)
   * Logged to application logs for security audit trail
   */
  logInstanceConfigurationUpdate(
    userId: string,
    instanceId: string,
    updates: Record<string, unknown>
  ): void {
    this.logger.log({
      event: "FEDERATION_INSTANCE_CONFIG_UPDATED",
      userId,
      instanceId,
      updates,
      timestamp: new Date().toISOString(),
      securityEvent: true,
    });
  }
  /**
   * Log federated authentication initiation
   */
@@ -62,4 +81,46 @@ export class FederationAuditService {
      securityEvent: true,
    });
  }
  /**
   * Log identity verification attempt
   */
  logIdentityVerification(userId: string, remoteInstanceId: string, success: boolean): void {
    const level = success ? "log" : "warn";
    this.logger[level]({
      event: "FEDERATION_IDENTITY_VERIFIED",
      userId,
      remoteInstanceId,
      success,
      timestamp: new Date().toISOString(),
      securityEvent: true,
    });
  }
  /**
   * Log identity linking (create mapping)
   */
  logIdentityLinking(localUserId: string, remoteInstanceId: string, remoteUserId: string): void {
    this.logger.log({
      event: "FEDERATION_IDENTITY_LINKED",
      localUserId,
      remoteUserId,
      remoteInstanceId,
      timestamp: new Date().toISOString(),
      securityEvent: true,
    });
  }
  /**
   * Log identity revocation (remove mapping)
   */
  logIdentityRevocation(localUserId: string, remoteInstanceId: string): void {
    this.logger.warn({
      event: "FEDERATION_IDENTITY_REVOKED",
      localUserId,
      remoteInstanceId,
      timestamp: new Date().toISOString(),
      securityEvent: true,
    });
  }
 }
--- a/apps/api/src/federation/command.controller.spec.ts
+++ b/apps/api/src/federation/command.controller.spec.ts
@@ -0,0 +1,236 @@
 /**
 * Command Controller Tests
 */
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { CommandController } from "./command.controller";
 import { CommandService } from "./command.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { FederationMessageType, FederationMessageStatus } from "@prisma/client";
 import type { AuthenticatedRequest } from "../common/types/user.types";
 import type { CommandMessage, CommandResponse } from "./types/message.types";
 describe("CommandController", () => {
  let controller: CommandController;
  let commandService: CommandService;
  const mockWorkspaceId = "workspace-123";
  const mockUserId = "user-123";
  beforeEach(async () => {
    const module: TestingModule = await Test.createTestingModule({
      controllers: [CommandController],
      providers: [
        {
          provide: CommandService,
          useValue: {
            sendCommand: vi.fn(),
            handleIncomingCommand: vi.fn(),
            getCommandMessages: vi.fn(),
            getCommandMessage: vi.fn(),
          },
        },
      ],
    })
      .overrideGuard(AuthGuard)
      .useValue({ canActivate: () => true })
      .compile();
    controller = module.get<CommandController>(CommandController);
    commandService = module.get<CommandService>(CommandService);
  });
  describe("sendCommand", () => {
    it("should send a command", async () => {
      const req = {
        user: { id: mockUserId, workspaceId: mockWorkspaceId },
      } as AuthenticatedRequest;
      const dto = {
        connectionId: "conn-123",
        commandType: "spawn_agent",
        payload: { agentType: "task_executor" },
      };
      const mockResult = {
        id: "msg-123",
        workspaceId: mockWorkspaceId,
        connectionId: "conn-123",
        messageType: FederationMessageType.COMMAND,
        messageId: "cmd-123",
        commandType: "spawn_agent",
        payload: { agentType: "task_executor" },
        status: FederationMessageStatus.PENDING,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      vi.spyOn(commandService, "sendCommand").mockResolvedValue(mockResult as never);
      const result = await controller.sendCommand(req, dto);
      expect(result).toEqual(mockResult);
      expect(commandService.sendCommand).toHaveBeenCalledWith(
        mockWorkspaceId,
        "conn-123",
        "spawn_agent",
        { agentType: "task_executor" }
      );
    });
    it("should throw error if workspace ID not found", async () => {
      const req = {
        user: { id: mockUserId },
      } as AuthenticatedRequest;
      const dto = {
        connectionId: "conn-123",
        commandType: "test",
        payload: {},
      };
      await expect(controller.sendCommand(req, dto)).rejects.toThrow(
        "Workspace ID not found in request"
      );
    });
  });
  describe("handleIncomingCommand", () => {
    it("should handle an incoming command", async () => {
      const dto: CommandMessage = {
        messageId: "cmd-123",
        instanceId: "remote-instance",
        commandType: "spawn_agent",
        payload: { agentType: "task_executor" },
        timestamp: Date.now(),
        signature: "signature-123",
      };
      const mockResponse: CommandResponse = {
        messageId: "resp-123",
        correlationId: "cmd-123",
        instanceId: "local-instance",
        success: true,
        data: { result: "success" },
        timestamp: Date.now(),
        signature: "response-signature",
      };
      vi.spyOn(commandService, "handleIncomingCommand").mockResolvedValue(mockResponse);
      const result = await controller.handleIncomingCommand(dto);
      expect(result).toEqual(mockResponse);
      expect(commandService.handleIncomingCommand).toHaveBeenCalledWith(dto);
    });
  });
  describe("getCommands", () => {
    it("should return all commands for workspace", async () => {
      const req = {
        user: { id: mockUserId, workspaceId: mockWorkspaceId },
      } as AuthenticatedRequest;
      const mockCommands = [
        {
          id: "msg-1",
          workspaceId: mockWorkspaceId,
          connectionId: "conn-123",
          messageType: FederationMessageType.COMMAND,
          messageId: "cmd-1",
          commandType: "test",
          payload: {},
          status: FederationMessageStatus.DELIVERED,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      vi.spyOn(commandService, "getCommandMessages").mockResolvedValue(mockCommands as never);
      const result = await controller.getCommands(req);
      expect(result).toEqual(mockCommands);
      expect(commandService.getCommandMessages).toHaveBeenCalledWith(mockWorkspaceId, undefined);
    });
    it("should filter commands by status", async () => {
      const req = {
        user: { id: mockUserId, workspaceId: mockWorkspaceId },
      } as AuthenticatedRequest;
      const mockCommands = [
        {
          id: "msg-1",
          workspaceId: mockWorkspaceId,
          connectionId: "conn-123",
          messageType: FederationMessageType.COMMAND,
          messageId: "cmd-1",
          commandType: "test",
          payload: {},
          status: FederationMessageStatus.PENDING,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      vi.spyOn(commandService, "getCommandMessages").mockResolvedValue(mockCommands as never);
      await controller.getCommands(req, FederationMessageStatus.PENDING);
      expect(commandService.getCommandMessages).toHaveBeenCalledWith(
        mockWorkspaceId,
        FederationMessageStatus.PENDING
      );
    });
    it("should throw error if workspace ID not found", async () => {
      const req = {
        user: { id: mockUserId },
      } as AuthenticatedRequest;
      await expect(controller.getCommands(req)).rejects.toThrow(
        "Workspace ID not found in request"
      );
    });
  });
  describe("getCommand", () => {
    it("should return a single command", async () => {
      const req = {
        user: { id: mockUserId, workspaceId: mockWorkspaceId },
      } as AuthenticatedRequest;
      const mockCommand = {
        id: "msg-1",
        workspaceId: mockWorkspaceId,
        connectionId: "conn-123",
        messageType: FederationMessageType.COMMAND,
        messageId: "cmd-1",
        commandType: "test",
        payload: { key: "value" },
        status: FederationMessageStatus.DELIVERED,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      vi.spyOn(commandService, "getCommandMessage").mockResolvedValue(mockCommand as never);
      const result = await controller.getCommand(req, "msg-1");
      expect(result).toEqual(mockCommand);
      expect(commandService.getCommandMessage).toHaveBeenCalledWith(mockWorkspaceId, "msg-1");
    });
    it("should throw error if workspace ID not found", async () => {
      const req = {
        user: { id: mockUserId },
      } as AuthenticatedRequest;
      await expect(controller.getCommand(req, "msg-1")).rejects.toThrow(
        "Workspace ID not found in request"
      );
    });
  });
 });
--- a/apps/api/src/federation/command.controller.ts
+++ b/apps/api/src/federation/command.controller.ts
@@ -0,0 +1,91 @@
 /**
 * Command Controller
 *
 * API endpoints for federated command messages.
 */
 import { Controller, Post, Get, Body, Param, Query, UseGuards, Req, Logger } from "@nestjs/common";
 import { CommandService } from "./command.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { SendCommandDto, IncomingCommandDto } from "./dto/command.dto";
 import type { AuthenticatedRequest } from "../common/types/user.types";
 import type { CommandMessageDetails, CommandResponse } from "./types/message.types";
 import type { FederationMessageStatus } from "@prisma/client";
@Controller("api/v1/federation")
 export class CommandController {
  private readonly logger = new Logger(CommandController.name);
  constructor(private readonly commandService: CommandService) {}
  /**
   * Send a command to a remote instance
   * Requires authentication
   */
  @Post("command")
  @UseGuards(AuthGuard)
  async sendCommand(
    @Req() req: AuthenticatedRequest,
    @Body() dto: SendCommandDto
  ): Promise<CommandMessageDetails> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    this.logger.log(
      `User ${req.user.id} sending command to connection ${dto.connectionId} in workspace ${req.user.workspaceId}`
    );
    return this.commandService.sendCommand(
      req.user.workspaceId,
      dto.connectionId,
      dto.commandType,
      dto.payload
    );
  }
  /**
   * Handle incoming command from remote instance
   * Public endpoint - no authentication required (signature-based verification)
   */
  @Post("incoming/command")
  async handleIncomingCommand(@Body() dto: IncomingCommandDto): Promise<CommandResponse> {
    this.logger.log(`Received command from ${dto.instanceId}: ${dto.messageId}`);
    return this.commandService.handleIncomingCommand(dto);
  }
  /**
   * Get all command messages for the workspace
   * Requires authentication
   */
  @Get("commands")
  @UseGuards(AuthGuard)
  async getCommands(
    @Req() req: AuthenticatedRequest,
    @Query("status") status?: FederationMessageStatus
  ): Promise<CommandMessageDetails[]> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    return this.commandService.getCommandMessages(req.user.workspaceId, status);
  }
  /**
   * Get a single command message
   * Requires authentication
   */
  @Get("commands/:id")
  @UseGuards(AuthGuard)
  async getCommand(
    @Req() req: AuthenticatedRequest,
    @Param("id") messageId: string
  ): Promise<CommandMessageDetails> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    return this.commandService.getCommandMessage(req.user.workspaceId, messageId);
  }
 }
--- a/apps/api/src/federation/command.service.spec.ts
+++ b/apps/api/src/federation/command.service.spec.ts
@@ -0,0 +1,574 @@
 /**
 * Command Service Tests
 */
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { HttpService } from "@nestjs/axios";
 import { CommandService } from "./command.service";
 import { PrismaService } from "../prisma/prisma.service";
 import { FederationService } from "./federation.service";
 import { SignatureService } from "./signature.service";
 import {
  FederationConnectionStatus,
  FederationMessageType,
  FederationMessageStatus,
 } from "@prisma/client";
 import { of } from "rxjs";
 import type { CommandMessage, CommandResponse } from "./types/message.types";
 describe("CommandService", () => {
  let service: CommandService;
  let prisma: PrismaService;
  let federationService: FederationService;
  let signatureService: SignatureService;
  let httpService: HttpService;
  const mockWorkspaceId = "workspace-123";
  const mockConnectionId = "connection-123";
  const mockInstanceId = "instance-456";
  const mockRemoteUrl = "https://remote.example.com";
  beforeEach(async () => {
    const module: TestingModule = await Test.createTestingModule({
      providers: [
        CommandService,
        {
          provide: PrismaService,
          useValue: {
            federationConnection: {
              findUnique: vi.fn(),
              findFirst: vi.fn(),
            },
            federationMessage: {
              create: vi.fn(),
              update: vi.fn(),
              findMany: vi.fn(),
              findUnique: vi.fn(),
              findFirst: vi.fn(),
            },
          },
        },
        {
          provide: FederationService,
          useValue: {
            getInstanceIdentity: vi.fn(),
          },
        },
        {
          provide: SignatureService,
          useValue: {
            signMessage: vi.fn(),
            verifyMessage: vi.fn(),
            validateTimestamp: vi.fn(),
          },
        },
        {
          provide: HttpService,
          useValue: {
            post: vi.fn(),
          },
        },
      ],
    }).compile();
    service = module.get<CommandService>(CommandService);
    prisma = module.get<PrismaService>(PrismaService);
    federationService = module.get<FederationService>(FederationService);
    signatureService = module.get<SignatureService>(SignatureService);
    httpService = module.get<HttpService>(HttpService);
  });
  describe("sendCommand", () => {
    it("should send a command to a remote instance", async () => {
      const commandType = "spawn_agent";
      const payload = { agentType: "task_executor" };
      const mockConnection = {
        id: mockConnectionId,
        workspaceId: mockWorkspaceId,
        status: FederationConnectionStatus.ACTIVE,
        remoteUrl: mockRemoteUrl,
        remoteInstanceId: mockInstanceId,
      };
      const mockIdentity = {
        instanceId: "local-instance",
        displayName: "Local Instance",
      };
      const mockMessage = {
        id: "msg-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: FederationMessageType.COMMAND,
        messageId: expect.any(String),
        correlationId: null,
        query: null,
        commandType,
        payload,
        response: {},
        status: FederationMessageStatus.PENDING,
        error: null,
        signature: "signature-123",
        createdAt: new Date(),
        updatedAt: new Date(),
        deliveredAt: null,
      };
      vi.spyOn(prisma.federationConnection, "findUnique").mockResolvedValue(
        mockConnection as never
      );
      vi.spyOn(federationService, "getInstanceIdentity").mockResolvedValue(mockIdentity as never);
      vi.spyOn(signatureService, "signMessage").mockResolvedValue("signature-123");
      vi.spyOn(prisma.federationMessage, "create").mockResolvedValue(mockMessage as never);
      vi.spyOn(httpService, "post").mockReturnValue(of({} as never));
      const result = await service.sendCommand(
        mockWorkspaceId,
        mockConnectionId,
        commandType,
        payload
      );
      expect(result).toMatchObject({
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: FederationMessageType.COMMAND,
        commandType,
        status: FederationMessageStatus.PENDING,
      });
      expect(httpService.post).toHaveBeenCalledWith(
        `${mockRemoteUrl}/api/v1/federation/incoming/command`,
        expect.objectContaining({
          messageId: expect.any(String),
          instanceId: "local-instance",
          commandType,
          payload,
          timestamp: expect.any(Number),
          signature: "signature-123",
        })
      );
    });
    it("should throw error if connection not found", async () => {
      vi.spyOn(prisma.federationConnection, "findUnique").mockResolvedValue(null);
      await expect(
        service.sendCommand(mockWorkspaceId, mockConnectionId, "test", {})
      ).rejects.toThrow("Connection not found");
    });
    it("should throw error if connection is not active", async () => {
      const mockConnection = {
        id: mockConnectionId,
        workspaceId: mockWorkspaceId,
        status: FederationConnectionStatus.SUSPENDED,
      };
      vi.spyOn(prisma.federationConnection, "findUnique").mockResolvedValue(
        mockConnection as never
      );
      await expect(
        service.sendCommand(mockWorkspaceId, mockConnectionId, "test", {})
      ).rejects.toThrow("Connection is not active");
    });
    it("should mark command as failed if sending fails", async () => {
      const mockConnection = {
        id: mockConnectionId,
        workspaceId: mockWorkspaceId,
        status: FederationConnectionStatus.ACTIVE,
        remoteUrl: mockRemoteUrl,
      };
      const mockIdentity = {
        instanceId: "local-instance",
        displayName: "Local Instance",
      };
      const mockMessage = {
        id: "msg-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: FederationMessageType.COMMAND,
        messageId: "test-msg-id",
        correlationId: null,
        query: null,
        commandType: "test",
        payload: {},
        response: {},
        status: FederationMessageStatus.PENDING,
        error: null,
        signature: "signature-123",
        createdAt: new Date(),
        updatedAt: new Date(),
        deliveredAt: null,
      };
      vi.spyOn(prisma.federationConnection, "findUnique").mockResolvedValue(
        mockConnection as never
      );
      vi.spyOn(federationService, "getInstanceIdentity").mockResolvedValue(mockIdentity as never);
      vi.spyOn(signatureService, "signMessage").mockResolvedValue("signature-123");
      vi.spyOn(prisma.federationMessage, "create").mockResolvedValue(mockMessage as never);
      vi.spyOn(httpService, "post").mockReturnValue(
        new (class {
          subscribe(handlers: { error: (err: Error) => void }) {
            handlers.error(new Error("Network error"));
          }
        })() as never
      );
      vi.spyOn(prisma.federationMessage, "update").mockResolvedValue(mockMessage as never);
      await expect(
        service.sendCommand(mockWorkspaceId, mockConnectionId, "test", {})
      ).rejects.toThrow("Failed to send command");
      expect(prisma.federationMessage.update).toHaveBeenCalledWith({
        where: { id: "msg-123" },
        data: {
          status: FederationMessageStatus.FAILED,
          error: "Network error",
        },
      });
    });
  });
  describe("handleIncomingCommand", () => {
    it("should process a valid incoming command", async () => {
      const commandMessage: CommandMessage = {
        messageId: "cmd-123",
        instanceId: mockInstanceId,
        commandType: "spawn_agent",
        payload: { agentType: "task_executor" },
        timestamp: Date.now(),
        signature: "signature-123",
      };
      const mockConnection = {
        id: mockConnectionId,
        remoteInstanceId: mockInstanceId,
        status: FederationConnectionStatus.ACTIVE,
      };
      const mockIdentity = {
        instanceId: "local-instance",
        displayName: "Local Instance",
      };
      vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
      vi.spyOn(prisma.federationConnection, "findFirst").mockResolvedValue(mockConnection as never);
      vi.spyOn(signatureService, "verifyMessage").mockResolvedValue({
        valid: true,
        error: null,
      } as never);
      vi.spyOn(federationService, "getInstanceIdentity").mockResolvedValue(mockIdentity as never);
      vi.spyOn(signatureService, "signMessage").mockResolvedValue("response-signature");
      const response = await service.handleIncomingCommand(commandMessage);
      expect(response).toMatchObject({
        correlationId: "cmd-123",
        instanceId: "local-instance",
        success: true,
      });
      expect(signatureService.validateTimestamp).toHaveBeenCalledWith(commandMessage.timestamp);
      expect(signatureService.verifyMessage).toHaveBeenCalledWith(
        expect.objectContaining({
          messageId: "cmd-123",
          instanceId: mockInstanceId,
          commandType: "spawn_agent",
        }),
        "signature-123",
        mockInstanceId
      );
    });
    it("should reject command with invalid timestamp", async () => {
      const commandMessage: CommandMessage = {
        messageId: "cmd-123",
        instanceId: mockInstanceId,
        commandType: "test",
        payload: {},
        timestamp: Date.now() - 1000000,
        signature: "signature-123",
      };
      vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(false);
      await expect(service.handleIncomingCommand(commandMessage)).rejects.toThrow(
        "Command timestamp is outside acceptable range"
      );
    });
    it("should reject command if no connection found", async () => {
      const commandMessage: CommandMessage = {
        messageId: "cmd-123",
        instanceId: mockInstanceId,
        commandType: "test",
        payload: {},
        timestamp: Date.now(),
        signature: "signature-123",
      };
      vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
      vi.spyOn(prisma.federationConnection, "findFirst").mockResolvedValue(null);
      await expect(service.handleIncomingCommand(commandMessage)).rejects.toThrow(
        "No connection found for remote instance"
      );
    });
    it("should reject command with invalid signature", async () => {
      const commandMessage: CommandMessage = {
        messageId: "cmd-123",
        instanceId: mockInstanceId,
        commandType: "test",
        payload: {},
        timestamp: Date.now(),
        signature: "invalid-signature",
      };
      const mockConnection = {
        id: mockConnectionId,
        remoteInstanceId: mockInstanceId,
        status: FederationConnectionStatus.ACTIVE,
      };
      vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
      vi.spyOn(prisma.federationConnection, "findFirst").mockResolvedValue(mockConnection as never);
      vi.spyOn(signatureService, "verifyMessage").mockResolvedValue({
        valid: false,
        error: "Invalid signature",
      } as never);
      await expect(service.handleIncomingCommand(commandMessage)).rejects.toThrow(
        "Invalid signature"
      );
    });
  });
  describe("processCommandResponse", () => {
    it("should process a successful command response", async () => {
      const response: CommandResponse = {
        messageId: "resp-123",
        correlationId: "cmd-123",
        instanceId: mockInstanceId,
        success: true,
        data: { result: "success" },
        timestamp: Date.now(),
        signature: "signature-123",
      };
      const mockMessage = {
        id: "msg-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: FederationMessageType.COMMAND,
        messageId: "cmd-123",
        correlationId: null,
        query: null,
        commandType: "test",
        payload: {},
        response: {},
        status: FederationMessageStatus.PENDING,
        error: null,
        signature: "signature-123",
        createdAt: new Date(),
        updatedAt: new Date(),
        deliveredAt: null,
      };
      vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
      vi.spyOn(prisma.federationMessage, "findFirst").mockResolvedValue(mockMessage as never);
      vi.spyOn(signatureService, "verifyMessage").mockResolvedValue({
        valid: true,
        error: null,
      } as never);
      vi.spyOn(prisma.federationMessage, "update").mockResolvedValue(mockMessage as never);
      await service.processCommandResponse(response);
      expect(prisma.federationMessage.update).toHaveBeenCalledWith({
        where: { id: "msg-123" },
        data: {
          status: FederationMessageStatus.DELIVERED,
          deliveredAt: expect.any(Date),
          response: { result: "success" },
        },
      });
    });
    it("should handle failed command response", async () => {
      const response: CommandResponse = {
        messageId: "resp-123",
        correlationId: "cmd-123",
        instanceId: mockInstanceId,
        success: false,
        error: "Command execution failed",
        timestamp: Date.now(),
        signature: "signature-123",
      };
      const mockMessage = {
        id: "msg-123",
        messageType: FederationMessageType.COMMAND,
        messageId: "cmd-123",
      };
      vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
      vi.spyOn(prisma.federationMessage, "findFirst").mockResolvedValue(mockMessage as never);
      vi.spyOn(signatureService, "verifyMessage").mockResolvedValue({
        valid: true,
        error: null,
      } as never);
      vi.spyOn(prisma.federationMessage, "update").mockResolvedValue(mockMessage as never);
      await service.processCommandResponse(response);
      expect(prisma.federationMessage.update).toHaveBeenCalledWith({
        where: { id: "msg-123" },
        data: {
          status: FederationMessageStatus.FAILED,
          deliveredAt: expect.any(Date),
          error: "Command execution failed",
        },
      });
    });
    it("should reject response with invalid timestamp", async () => {
      const response: CommandResponse = {
        messageId: "resp-123",
        correlationId: "cmd-123",
        instanceId: mockInstanceId,
        success: true,
        timestamp: Date.now() - 1000000,
        signature: "signature-123",
      };
      vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(false);
      await expect(service.processCommandResponse(response)).rejects.toThrow(
        "Response timestamp is outside acceptable range"
      );
    });
  });
  describe("getCommandMessages", () => {
    it("should return all command messages for a workspace", async () => {
      const mockMessages = [
        {
          id: "msg-1",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          messageType: FederationMessageType.COMMAND,
          messageId: "cmd-1",
          correlationId: null,
          query: null,
          commandType: "test",
          payload: {},
          response: {},
          status: FederationMessageStatus.DELIVERED,
          error: null,
          signature: "sig-1",
          createdAt: new Date(),
          updatedAt: new Date(),
          deliveredAt: new Date(),
        },
      ];
      vi.spyOn(prisma.federationMessage, "findMany").mockResolvedValue(mockMessages as never);
      const result = await service.getCommandMessages(mockWorkspaceId);
      expect(result).toHaveLength(1);
      expect(result[0]).toMatchObject({
        workspaceId: mockWorkspaceId,
        messageType: FederationMessageType.COMMAND,
        commandType: "test",
      });
    });
    it("should filter command messages by status", async () => {
      const mockMessages = [
        {
          id: "msg-1",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          messageType: FederationMessageType.COMMAND,
          messageId: "cmd-1",
          correlationId: null,
          query: null,
          commandType: "test",
          payload: {},
          response: {},
          status: FederationMessageStatus.PENDING,
          error: null,
          signature: "sig-1",
          createdAt: new Date(),
          updatedAt: new Date(),
          deliveredAt: null,
        },
      ];
      vi.spyOn(prisma.federationMessage, "findMany").mockResolvedValue(mockMessages as never);
      await service.getCommandMessages(mockWorkspaceId, FederationMessageStatus.PENDING);
      expect(prisma.federationMessage.findMany).toHaveBeenCalledWith({
        where: {
          workspaceId: mockWorkspaceId,
          messageType: FederationMessageType.COMMAND,
          status: FederationMessageStatus.PENDING,
        },
        orderBy: { createdAt: "desc" },
      });
    });
  });
  describe("getCommandMessage", () => {
    it("should return a single command message", async () => {
      const mockMessage = {
        id: "msg-1",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: FederationMessageType.COMMAND,
        messageId: "cmd-1",
        correlationId: null,
        query: null,
        commandType: "test",
        payload: { key: "value" },
        response: {},
        status: FederationMessageStatus.DELIVERED,
        error: null,
        signature: "sig-1",
        createdAt: new Date(),
        updatedAt: new Date(),
        deliveredAt: new Date(),
      };
      vi.spyOn(prisma.federationMessage, "findUnique").mockResolvedValue(mockMessage as never);
      const result = await service.getCommandMessage(mockWorkspaceId, "msg-1");
      expect(result).toMatchObject({
        id: "msg-1",
        workspaceId: mockWorkspaceId,
        commandType: "test",
        payload: { key: "value" },
      });
    });
    it("should throw error if command message not found", async () => {
      vi.spyOn(prisma.federationMessage, "findUnique").mockResolvedValue(null);
      await expect(service.getCommandMessage(mockWorkspaceId, "invalid-id")).rejects.toThrow(
        "Command message not found"
      );
    });
  });
 });
--- a/apps/api/src/federation/command.service.ts
+++ b/apps/api/src/federation/command.service.ts
@@ -0,0 +1,386 @@
 /**
 * Command Service
 *
 * Handles federated command messages.
 */
 import { Injectable, Logger } from "@nestjs/common";
 import { ModuleRef } from "@nestjs/core";
 import { HttpService } from "@nestjs/axios";
 import { randomUUID } from "crypto";
 import { firstValueFrom } from "rxjs";
 import { PrismaService } from "../prisma/prisma.service";
 import { FederationService } from "./federation.service";
 import { SignatureService } from "./signature.service";
 import {
  FederationConnectionStatus,
  FederationMessageType,
  FederationMessageStatus,
 } from "@prisma/client";
 import type { CommandMessage, CommandResponse, CommandMessageDetails } from "./types/message.types";
@Injectable()
 export class CommandService {
  private readonly logger = new Logger(CommandService.name);
  constructor(
    private readonly prisma: PrismaService,
    private readonly federationService: FederationService,
    private readonly signatureService: SignatureService,
    private readonly httpService: HttpService,
    private readonly moduleRef: ModuleRef
  ) {}
  /**
   * Send a command to a remote instance
   */
  async sendCommand(
    workspaceId: string,
    connectionId: string,
    commandType: string,
    payload: Record<string, unknown>
  ): Promise<CommandMessageDetails> {
    // Validate connection exists and is active
    const connection = await this.prisma.federationConnection.findUnique({
      where: { id: connectionId, workspaceId },
    });
    if (!connection) {
      throw new Error("Connection not found");
    }
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Get local instance identity
    const identity = await this.federationService.getInstanceIdentity();
    // Create command message
    const messageId = randomUUID();
    const timestamp = Date.now();
    const commandPayload: Record<string, unknown> = {
      messageId,
      instanceId: identity.instanceId,
      commandType,
      payload,
      timestamp,
    };
    // Sign the command
    const signature = await this.signatureService.signMessage(commandPayload);
    const signedCommand = {
      messageId,
      instanceId: identity.instanceId,
      commandType,
      payload,
      timestamp,
      signature,
    } as CommandMessage;
    // Store message in database
    const message = await this.prisma.federationMessage.create({
      data: {
        workspaceId,
        connectionId,
        messageType: FederationMessageType.COMMAND,
        messageId,
        commandType,
        payload: payload as never,
        status: FederationMessageStatus.PENDING,
        signature,
      },
    });
    // Send command to remote instance
    try {
      const remoteUrl = `${connection.remoteUrl}/api/v1/federation/incoming/command`;
      await firstValueFrom(this.httpService.post(remoteUrl, signedCommand));
      this.logger.log(`Command sent to ${connection.remoteUrl}: ${messageId}`);
    } catch (error) {
      this.logger.error(`Failed to send command to ${connection.remoteUrl}`, error);
      // Update message status to failed
      await this.prisma.federationMessage.update({
        where: { id: message.id },
        data: {
          status: FederationMessageStatus.FAILED,
          error: error instanceof Error ? error.message : "Unknown error",
        },
      });
      throw new Error("Failed to send command");
    }
    return this.mapToCommandMessageDetails(message);
  }
  /**
   * Handle incoming command from remote instance
   */
  async handleIncomingCommand(commandMessage: CommandMessage): Promise<CommandResponse> {
    this.logger.log(
      `Received command from ${commandMessage.instanceId}: ${commandMessage.messageId}`
    );
    // Validate timestamp
    if (!this.signatureService.validateTimestamp(commandMessage.timestamp)) {
      throw new Error("Command timestamp is outside acceptable range");
    }
    // Find connection for remote instance
    const connection = await this.prisma.federationConnection.findFirst({
      where: {
        remoteInstanceId: commandMessage.instanceId,
        status: FederationConnectionStatus.ACTIVE,
      },
    });
    if (!connection) {
      throw new Error("No connection found for remote instance");
    }
    // Validate connection is active
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Verify signature
    const { signature, ...messageToVerify } = commandMessage;
    const verificationResult = await this.signatureService.verifyMessage(
      messageToVerify,
      signature,
      commandMessage.instanceId
    );
    if (!verificationResult.valid) {
      throw new Error(verificationResult.error ?? "Invalid signature");
    }
    // Process command
    let responseData: unknown;
    let success = true;
    let errorMessage: string | undefined;
    try {
      // Route agent commands to FederationAgentService
      if (commandMessage.commandType.startsWith("agent.")) {
        // Import FederationAgentService dynamically to avoid circular dependency
        const { FederationAgentService } = await import("./federation-agent.service");
        const federationAgentService = this.moduleRef.get(FederationAgentService, {
          strict: false,
        });
        const agentResponse = await federationAgentService.handleAgentCommand(
          commandMessage.instanceId,
          commandMessage.commandType,
          commandMessage.payload
        );
        success = agentResponse.success;
        responseData = agentResponse.data;
        errorMessage = agentResponse.error;
      } else {
        // Other command types can be added here
        responseData = { message: "Command received and processed" };
      }
    } catch (error) {
      success = false;
      errorMessage = error instanceof Error ? error.message : "Command processing failed";
      this.logger.error(`Command processing failed: ${errorMessage}`);
    }
    // Get local instance identity
    const identity = await this.federationService.getInstanceIdentity();
    // Create response
    const responseMessageId = randomUUID();
    const responseTimestamp = Date.now();
    const responsePayload: Record<string, unknown> = {
      messageId: responseMessageId,
      correlationId: commandMessage.messageId,
      instanceId: identity.instanceId,
      success,
      timestamp: responseTimestamp,
    };
    if (responseData !== undefined) {
      responsePayload.data = responseData;
    }
    if (errorMessage !== undefined) {
      responsePayload.error = errorMessage;
    }
    // Sign the response
    const responseSignature = await this.signatureService.signMessage(responsePayload);
    const response = {
      messageId: responseMessageId,
      correlationId: commandMessage.messageId,
      instanceId: identity.instanceId,
      success,
      ...(responseData !== undefined ? { data: responseData } : {}),
      ...(errorMessage !== undefined ? { error: errorMessage } : {}),
      timestamp: responseTimestamp,
      signature: responseSignature,
    } as CommandResponse;
    return response;
  }
  /**
   * Get all command messages for a workspace
   */
  async getCommandMessages(
    workspaceId: string,
    status?: FederationMessageStatus
  ): Promise<CommandMessageDetails[]> {
    const where: Record<string, unknown> = {
      workspaceId,
      messageType: FederationMessageType.COMMAND,
    };
    if (status) {
      where.status = status;
    }
    const messages = await this.prisma.federationMessage.findMany({
      where,
      orderBy: { createdAt: "desc" },
    });
    return messages.map((msg) => this.mapToCommandMessageDetails(msg));
  }
  /**
   * Get a single command message
   */
  async getCommandMessage(workspaceId: string, messageId: string): Promise<CommandMessageDetails> {
    const message = await this.prisma.federationMessage.findUnique({
      where: { id: messageId, workspaceId },
    });
    if (!message) {
      throw new Error("Command message not found");
    }
    return this.mapToCommandMessageDetails(message);
  }
  /**
   * Process a command response from remote instance
   */
  async processCommandResponse(response: CommandResponse): Promise<void> {
    this.logger.log(`Received response for command: ${response.correlationId}`);
    // Validate timestamp
    if (!this.signatureService.validateTimestamp(response.timestamp)) {
      throw new Error("Response timestamp is outside acceptable range");
    }
    // Find original command message
    const message = await this.prisma.federationMessage.findFirst({
      where: {
        messageId: response.correlationId,
        messageType: FederationMessageType.COMMAND,
      },
    });
    if (!message) {
      throw new Error("Original command message not found");
    }
    // Verify signature
    const { signature, ...responseToVerify } = response;
    const verificationResult = await this.signatureService.verifyMessage(
      responseToVerify,
      signature,
      response.instanceId
    );
    if (!verificationResult.valid) {
      throw new Error(verificationResult.error ?? "Invalid signature");
    }
    // Update message with response
    const updateData: Record<string, unknown> = {
      status: response.success ? FederationMessageStatus.DELIVERED : FederationMessageStatus.FAILED,
      deliveredAt: new Date(),
    };
    if (response.data !== undefined) {
      updateData.response = response.data;
    }
    if (response.error !== undefined) {
      updateData.error = response.error;
    }
    await this.prisma.federationMessage.update({
      where: { id: message.id },
      data: updateData,
    });
    this.logger.log(`Command response processed: ${response.correlationId}`);
  }
  /**
   * Map Prisma FederationMessage to CommandMessageDetails
   */
  private mapToCommandMessageDetails(message: {
    id: string;
    workspaceId: string;
    connectionId: string;
    messageType: FederationMessageType;
    messageId: string;
    correlationId: string | null;
    query: string | null;
    commandType: string | null;
    payload: unknown;
    response: unknown;
    status: FederationMessageStatus;
    error: string | null;
    createdAt: Date;
    updatedAt: Date;
    deliveredAt: Date | null;
  }): CommandMessageDetails {
    const details: CommandMessageDetails = {
      id: message.id,
      workspaceId: message.workspaceId,
      connectionId: message.connectionId,
      messageType: message.messageType,
      messageId: message.messageId,
      response: message.response,
      status: message.status,
      createdAt: message.createdAt,
      updatedAt: message.updatedAt,
    };
    if (message.correlationId !== null) {
      details.correlationId = message.correlationId;
    }
    if (message.commandType !== null) {
      details.commandType = message.commandType;
    }
    if (message.payload !== null && typeof message.payload === "object") {
      details.payload = message.payload as Record<string, unknown>;
    }
    if (message.error !== null) {
      details.error = message.error;
    }
    if (message.deliveredAt !== null) {
      details.deliveredAt = message.deliveredAt;
    }
    return details;
  }
 }
--- a/apps/api/src/federation/dto/command.dto.ts
+++ b/apps/api/src/federation/dto/command.dto.ts
@@ -0,0 +1,54 @@
 /**
 * Command DTOs
 *
 * Data Transfer Objects for command message operations.
 */
 import { IsString, IsObject, IsNotEmpty, IsNumber } from "class-validator";
 import type { CommandMessage } from "../types/message.types";
 /**
 * DTO for sending a command to a remote instance
 */
 export class SendCommandDto {
  @IsString()
  @IsNotEmpty()
  connectionId!: string;
  @IsString()
  @IsNotEmpty()
  commandType!: string;
  @IsObject()
  @IsNotEmpty()
  payload!: Record<string, unknown>;
 }
 /**
 * DTO for incoming command request from remote instance
 */
 export class IncomingCommandDto implements CommandMessage {
  @IsString()
  @IsNotEmpty()
  messageId!: string;
  @IsString()
  @IsNotEmpty()
  instanceId!: string;
  @IsString()
  @IsNotEmpty()
  commandType!: string;
  @IsObject()
  @IsNotEmpty()
  payload!: Record<string, unknown>;
  @IsNumber()
  @IsNotEmpty()
  timestamp!: number;
  @IsString()
  @IsNotEmpty()
  signature!: string;
 }
--- a/apps/api/src/federation/dto/event.dto.ts
+++ b/apps/api/src/federation/dto/event.dto.ts
@@ -0,0 +1,109 @@
 /**
 * Event DTOs
 *
 * Data Transfer Objects for event subscription and publishing.
 */
 import { IsString, IsNotEmpty, IsOptional, IsObject } from "class-validator";
 /**
 * DTO for subscribing to an event type
 */
 export class SubscribeToEventDto {
  @IsString()
  @IsNotEmpty()
  connectionId!: string;
  @IsString()
  @IsNotEmpty()
  eventType!: string;
  @IsOptional()
  @IsObject()
  metadata?: Record<string, unknown>;
 }
 /**
 * DTO for unsubscribing from an event type
 */
 export class UnsubscribeFromEventDto {
  @IsString()
  @IsNotEmpty()
  connectionId!: string;
  @IsString()
  @IsNotEmpty()
  eventType!: string;
 }
 /**
 * DTO for publishing an event
 */
 export class PublishEventDto {
  @IsString()
  @IsNotEmpty()
  eventType!: string;
  @IsObject()
  @IsNotEmpty()
  payload!: Record<string, unknown>;
 }
 /**
 * DTO for incoming event request
 */
 export class IncomingEventDto {
  @IsString()
  @IsNotEmpty()
  messageId!: string;
  @IsString()
  @IsNotEmpty()
  instanceId!: string;
  @IsString()
  @IsNotEmpty()
  eventType!: string;
  @IsObject()
  @IsNotEmpty()
  payload!: Record<string, unknown>;
  @IsNotEmpty()
  timestamp!: number;
  @IsString()
  @IsNotEmpty()
  signature!: string;
 }
 /**
 * DTO for incoming event acknowledgment
 */
 export class IncomingEventAckDto {
  @IsString()
  @IsNotEmpty()
  messageId!: string;
  @IsString()
  @IsNotEmpty()
  correlationId!: string;
  @IsString()
  @IsNotEmpty()
  instanceId!: string;
  @IsNotEmpty()
  received!: boolean;
  @IsOptional()
  @IsString()
  error?: string;
  @IsNotEmpty()
  timestamp!: number;
  @IsString()
  @IsNotEmpty()
  signature!: string;
 }
--- a/apps/api/src/federation/dto/identity-linking.dto.ts
+++ b/apps/api/src/federation/dto/identity-linking.dto.ts
@@ -0,0 +1,98 @@
 /**
 * Identity Linking DTOs
 *
 * Data transfer objects for identity linking API endpoints.
 */
 import { IsString, IsEmail, IsOptional, IsObject, IsArray, IsNumber } from "class-validator";
 /**
 * DTO for verifying identity from remote instance
 */
 export class VerifyIdentityDto {
  @IsString()
  localUserId!: string;
  @IsString()
  remoteUserId!: string;
  @IsString()
  remoteInstanceId!: string;
  @IsString()
  oidcToken!: string;
  @IsNumber()
  timestamp!: number;
  @IsString()
  signature!: string;
 }
 /**
 * DTO for resolving remote user to local user
 */
 export class ResolveIdentityDto {
  @IsString()
  remoteInstanceId!: string;
  @IsString()
  remoteUserId!: string;
 }
 /**
 * DTO for reverse resolving local user to remote identity
 */
 export class ReverseResolveIdentityDto {
  @IsString()
  localUserId!: string;
  @IsString()
  remoteInstanceId!: string;
 }
 /**
 * DTO for bulk identity resolution
 */
 export class BulkResolveIdentityDto {
  @IsString()
  remoteInstanceId!: string;
  @IsArray()
  @IsString({ each: true })
  remoteUserIds!: string[];
 }
 /**
 * DTO for creating identity mapping
 */
 export class CreateIdentityMappingDto {
  @IsString()
  remoteInstanceId!: string;
  @IsString()
  remoteUserId!: string;
  @IsString()
  oidcSubject!: string;
  @IsEmail()
  email!: string;
  @IsOptional()
  @IsObject()
  metadata?: Record<string, unknown>;
  @IsOptional()
  @IsString()
  oidcToken?: string;
 }
 /**
 * DTO for updating identity mapping
 */
 export class UpdateIdentityMappingDto {
  @IsOptional()
  @IsObject()
  metadata?: Record<string, unknown>;
 }
--- a/apps/api/src/federation/dto/instance.dto.ts
+++ b/apps/api/src/federation/dto/instance.dto.ts
@@ -0,0 +1,46 @@
 /**
 * Instance Configuration DTOs
 *
 * Data Transfer Objects for instance configuration API.
 */
 import { IsString, IsBoolean, IsOptional, IsObject, ValidateNested } from "class-validator";
 import { Type } from "class-transformer";
 /**
 * DTO for federation capabilities
 */
 export class FederationCapabilitiesDto {
  @IsBoolean()
  supportsQuery!: boolean;
  @IsBoolean()
  supportsCommand!: boolean;
  @IsBoolean()
  supportsEvent!: boolean;
  @IsBoolean()
  supportsAgentSpawn!: boolean;
  @IsString()
  protocolVersion!: string;
 }
 /**
 * DTO for updating instance configuration
 */
 export class UpdateInstanceDto {
  @IsOptional()
  @IsString()
  name?: string;
  @IsOptional()
  @ValidateNested()
  @Type(() => FederationCapabilitiesDto)
  capabilities?: FederationCapabilitiesDto;
  @IsOptional()
  @IsObject()
  metadata?: Record<string, unknown>;
 }
--- a/apps/api/src/federation/dto/query.dto.ts
+++ b/apps/api/src/federation/dto/query.dto.ts
@@ -0,0 +1,53 @@
 /**
 * Query DTOs
 *
 * Data Transfer Objects for query message operations.
 */
 import { IsString, IsOptional, IsObject, IsNotEmpty } from "class-validator";
 import type { QueryMessage } from "../types/message.types";
 /**
 * DTO for sending a query to a remote instance
 */
 export class SendQueryDto {
  @IsString()
  @IsNotEmpty()
  connectionId!: string;
  @IsString()
  @IsNotEmpty()
  query!: string;
  @IsOptional()
  @IsObject()
  context?: Record<string, unknown>;
 }
 /**
 * DTO for incoming query request from remote instance
 */
 export class IncomingQueryDto implements QueryMessage {
  @IsString()
  @IsNotEmpty()
  messageId!: string;
  @IsString()
  @IsNotEmpty()
  instanceId!: string;
  @IsString()
  @IsNotEmpty()
  query!: string;
  @IsOptional()
  @IsObject()
  context?: Record<string, unknown>;
  @IsNotEmpty()
  timestamp!: number;
  @IsString()
  @IsNotEmpty()
  signature!: string;
 }
--- a/apps/api/src/federation/event.controller.spec.ts
+++ b/apps/api/src/federation/event.controller.spec.ts
@@ -0,0 +1,393 @@
 /**
 * EventController Tests
 *
 * Tests for event subscription and publishing endpoints.
 */
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { EventController } from "./event.controller";
 import { EventService } from "./event.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { FederationMessageType, FederationMessageStatus } from "@prisma/client";
 import type { AuthenticatedRequest } from "../common/types/user.types";
 import type { EventMessage, EventAck } from "./types/message.types";
 describe("EventController", () => {
  let controller: EventController;
  let eventService: EventService;
  const mockEventService = {
    subscribeToEventType: vi.fn(),
    unsubscribeFromEventType: vi.fn(),
    publishEvent: vi.fn(),
    getEventSubscriptions: vi.fn(),
    getEventMessages: vi.fn(),
    getEventMessage: vi.fn(),
    handleIncomingEvent: vi.fn(),
    processEventAck: vi.fn(),
  };
  const mockWorkspaceId = "workspace-123";
  const mockUserId = "user-123";
  const mockConnectionId = "connection-123";
  const mockEventType = "task.created";
  beforeEach(async () => {
    vi.clearAllMocks();
    const module: TestingModule = await Test.createTestingModule({
      controllers: [EventController],
      providers: [
        {
          provide: EventService,
          useValue: mockEventService,
        },
      ],
    })
      .overrideGuard(AuthGuard)
      .useValue({ canActivate: () => true })
      .compile();
    controller = module.get<EventController>(EventController);
    eventService = module.get<EventService>(EventService);
  });
  describe("subscribeToEvent", () => {
    it("should subscribe to an event type", async () => {
      const req = {
        user: {
          id: mockUserId,
          workspaceId: mockWorkspaceId,
        },
      } as AuthenticatedRequest;
      const dto = {
        connectionId: mockConnectionId,
        eventType: mockEventType,
        metadata: { key: "value" },
      };
      const mockSubscription = {
        id: "sub-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        eventType: mockEventType,
        metadata: { key: "value" },
        isActive: true,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      mockEventService.subscribeToEventType.mockResolvedValue(mockSubscription);
      const result = await controller.subscribeToEvent(req, dto);
      expect(result).toEqual(mockSubscription);
      expect(mockEventService.subscribeToEventType).toHaveBeenCalledWith(
        mockWorkspaceId,
        mockConnectionId,
        mockEventType,
        { key: "value" }
      );
    });
    it("should throw error if workspace not found", async () => {
      const req = {
        user: {
          id: mockUserId,
        },
      } as AuthenticatedRequest;
      const dto = {
        connectionId: mockConnectionId,
        eventType: mockEventType,
      };
      await expect(controller.subscribeToEvent(req, dto)).rejects.toThrow(
        "Workspace ID not found in request"
      );
    });
  });
  describe("unsubscribeFromEvent", () => {
    it("should unsubscribe from an event type", async () => {
      const req = {
        user: {
          id: mockUserId,
          workspaceId: mockWorkspaceId,
        },
      } as AuthenticatedRequest;
      const dto = {
        connectionId: mockConnectionId,
        eventType: mockEventType,
      };
      mockEventService.unsubscribeFromEventType.mockResolvedValue(undefined);
      await controller.unsubscribeFromEvent(req, dto);
      expect(mockEventService.unsubscribeFromEventType).toHaveBeenCalledWith(
        mockWorkspaceId,
        mockConnectionId,
        mockEventType
      );
    });
  });
  describe("publishEvent", () => {
    it("should publish an event", async () => {
      const req = {
        user: {
          id: mockUserId,
          workspaceId: mockWorkspaceId,
        },
      } as AuthenticatedRequest;
      const dto = {
        eventType: mockEventType,
        payload: { data: "test" },
      };
      const mockMessages = [
        {
          id: "msg-123",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          messageType: FederationMessageType.EVENT,
          messageId: "msg-id-123",
          eventType: mockEventType,
          payload: { data: "test" },
          status: FederationMessageStatus.DELIVERED,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      mockEventService.publishEvent.mockResolvedValue(mockMessages);
      const result = await controller.publishEvent(req, dto);
      expect(result).toEqual(mockMessages);
      expect(mockEventService.publishEvent).toHaveBeenCalledWith(mockWorkspaceId, mockEventType, {
        data: "test",
      });
    });
  });
  describe("getSubscriptions", () => {
    it("should return all subscriptions for workspace", async () => {
      const req = {
        user: {
          id: mockUserId,
          workspaceId: mockWorkspaceId,
        },
      } as AuthenticatedRequest;
      const mockSubscriptions = [
        {
          id: "sub-1",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          eventType: "task.created",
          metadata: {},
          isActive: true,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      mockEventService.getEventSubscriptions.mockResolvedValue(mockSubscriptions);
      const result = await controller.getSubscriptions(req);
      expect(result).toEqual(mockSubscriptions);
      expect(mockEventService.getEventSubscriptions).toHaveBeenCalledWith(
        mockWorkspaceId,
        undefined
      );
    });
    it("should filter by connectionId when provided", async () => {
      const req = {
        user: {
          id: mockUserId,
          workspaceId: mockWorkspaceId,
        },
      } as AuthenticatedRequest;
      const mockSubscriptions = [
        {
          id: "sub-1",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          eventType: "task.created",
          metadata: {},
          isActive: true,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      mockEventService.getEventSubscriptions.mockResolvedValue(mockSubscriptions);
      const result = await controller.getSubscriptions(req, mockConnectionId);
      expect(result).toEqual(mockSubscriptions);
      expect(mockEventService.getEventSubscriptions).toHaveBeenCalledWith(
        mockWorkspaceId,
        mockConnectionId
      );
    });
  });
  describe("getEventMessages", () => {
    it("should return all event messages for workspace", async () => {
      const req = {
        user: {
          id: mockUserId,
          workspaceId: mockWorkspaceId,
        },
      } as AuthenticatedRequest;
      const mockMessages = [
        {
          id: "msg-1",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          messageType: FederationMessageType.EVENT,
          messageId: "msg-id-1",
          eventType: "task.created",
          payload: { data: "test1" },
          status: FederationMessageStatus.DELIVERED,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      mockEventService.getEventMessages.mockResolvedValue(mockMessages);
      const result = await controller.getEventMessages(req);
      expect(result).toEqual(mockMessages);
      expect(mockEventService.getEventMessages).toHaveBeenCalledWith(mockWorkspaceId, undefined);
    });
    it("should filter by status when provided", async () => {
      const req = {
        user: {
          id: mockUserId,
          workspaceId: mockWorkspaceId,
        },
      } as AuthenticatedRequest;
      const mockMessages = [
        {
          id: "msg-1",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          messageType: FederationMessageType.EVENT,
          messageId: "msg-id-1",
          eventType: "task.created",
          payload: { data: "test1" },
          status: FederationMessageStatus.PENDING,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      mockEventService.getEventMessages.mockResolvedValue(mockMessages);
      const result = await controller.getEventMessages(req, FederationMessageStatus.PENDING);
      expect(result).toEqual(mockMessages);
      expect(mockEventService.getEventMessages).toHaveBeenCalledWith(
        mockWorkspaceId,
        FederationMessageStatus.PENDING
      );
    });
  });
  describe("getEventMessage", () => {
    it("should return a single event message", async () => {
      const req = {
        user: {
          id: mockUserId,
          workspaceId: mockWorkspaceId,
        },
      } as AuthenticatedRequest;
      const messageId = "msg-123";
      const mockMessage = {
        id: messageId,
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: FederationMessageType.EVENT,
        messageId: "msg-id-123",
        eventType: "task.created",
        payload: { data: "test" },
        status: FederationMessageStatus.DELIVERED,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      mockEventService.getEventMessage.mockResolvedValue(mockMessage);
      const result = await controller.getEventMessage(req, messageId);
      expect(result).toEqual(mockMessage);
      expect(mockEventService.getEventMessage).toHaveBeenCalledWith(mockWorkspaceId, messageId);
    });
  });
  describe("handleIncomingEvent", () => {
    it("should handle incoming event and return acknowledgment", async () => {
      const eventMessage: EventMessage = {
        messageId: "msg-123",
        instanceId: "remote-instance-123",
        eventType: "task.created",
        payload: { data: "test" },
        timestamp: Date.now(),
        signature: "signature-123",
      };
      const mockAck: EventAck = {
        messageId: "ack-123",
        correlationId: eventMessage.messageId,
        instanceId: "local-instance-123",
        received: true,
        timestamp: Date.now(),
        signature: "ack-signature-123",
      };
      mockEventService.handleIncomingEvent.mockResolvedValue(mockAck);
      const result = await controller.handleIncomingEvent(eventMessage);
      expect(result).toEqual(mockAck);
      expect(mockEventService.handleIncomingEvent).toHaveBeenCalledWith(eventMessage);
    });
  });
  describe("handleIncomingEventAck", () => {
    it("should process event acknowledgment", async () => {
      const ack: EventAck = {
        messageId: "ack-123",
        correlationId: "msg-123",
        instanceId: "remote-instance-123",
        received: true,
        timestamp: Date.now(),
        signature: "ack-signature-123",
      };
      mockEventService.processEventAck.mockResolvedValue(undefined);
      const result = await controller.handleIncomingEventAck(ack);
      expect(result).toEqual({ status: "acknowledged" });
      expect(mockEventService.processEventAck).toHaveBeenCalledWith(ack);
    });
  });
 });
--- a/apps/api/src/federation/event.controller.ts
+++ b/apps/api/src/federation/event.controller.ts
@@ -0,0 +1,197 @@
 /**
 * Event Controller
 *
 * API endpoints for event subscriptions and publishing.
 */
 import { Controller, Get, Post, UseGuards, Logger, Req, Body, Param, Query } from "@nestjs/common";
 import { EventService } from "./event.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { FederationMessageStatus } from "@prisma/client";
 import type { AuthenticatedRequest } from "../common/types/user.types";
 import type {
  EventMessage,
  EventAck,
  EventMessageDetails,
  SubscriptionDetails,
 } from "./types/message.types";
 import {
  SubscribeToEventDto,
  UnsubscribeFromEventDto,
  PublishEventDto,
  IncomingEventDto,
  IncomingEventAckDto,
 } from "./dto/event.dto";
@Controller("api/v1/federation")
 export class EventController {
  private readonly logger = new Logger(EventController.name);
  constructor(private readonly eventService: EventService) {}
  /**
   * Subscribe to an event type from a remote instance
   * Requires authentication
   */
  @Post("events/subscribe")
  @UseGuards(AuthGuard)
  async subscribeToEvent(
    @Req() req: AuthenticatedRequest,
    @Body() dto: SubscribeToEventDto
  ): Promise<SubscriptionDetails> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    this.logger.log(
      `User ${req.user.id} subscribing to event type ${dto.eventType} on connection ${dto.connectionId}`
    );
    return this.eventService.subscribeToEventType(
      req.user.workspaceId,
      dto.connectionId,
      dto.eventType,
      dto.metadata
    );
  }
  /**
   * Unsubscribe from an event type
   * Requires authentication
   */
  @Post("events/unsubscribe")
  @UseGuards(AuthGuard)
  async unsubscribeFromEvent(
    @Req() req: AuthenticatedRequest,
    @Body() dto: UnsubscribeFromEventDto
  ): Promise<{ status: string }> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    this.logger.log(
      `User ${req.user.id} unsubscribing from event type ${dto.eventType} on connection ${dto.connectionId}`
    );
    await this.eventService.unsubscribeFromEventType(
      req.user.workspaceId,
      dto.connectionId,
      dto.eventType
    );
    return { status: "unsubscribed" };
  }
  /**
   * Publish an event to subscribed instances
   * Requires authentication
   */
  @Post("events/publish")
  @UseGuards(AuthGuard)
  async publishEvent(
    @Req() req: AuthenticatedRequest,
    @Body() dto: PublishEventDto
  ): Promise<EventMessageDetails[]> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    this.logger.log(`User ${req.user.id} publishing event type ${dto.eventType}`);
    return this.eventService.publishEvent(req.user.workspaceId, dto.eventType, dto.payload);
  }
  /**
   * Get all event subscriptions for the workspace
   * Requires authentication
   */
  @Get("events/subscriptions")
  @UseGuards(AuthGuard)
  async getSubscriptions(
    @Req() req: AuthenticatedRequest,
    @Query("connectionId") connectionId?: string
  ): Promise<SubscriptionDetails[]> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    return this.eventService.getEventSubscriptions(req.user.workspaceId, connectionId);
  }
  /**
   * Get all event messages for the workspace
   * Requires authentication
   */
  @Get("events/messages")
  @UseGuards(AuthGuard)
  async getEventMessages(
    @Req() req: AuthenticatedRequest,
    @Query("status") status?: FederationMessageStatus
  ): Promise<EventMessageDetails[]> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    return this.eventService.getEventMessages(req.user.workspaceId, status);
  }
  /**
   * Get a single event message
   * Requires authentication
   */
  @Get("events/messages/:id")
  @UseGuards(AuthGuard)
  async getEventMessage(
    @Req() req: AuthenticatedRequest,
    @Param("id") messageId: string
  ): Promise<EventMessageDetails> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    return this.eventService.getEventMessage(req.user.workspaceId, messageId);
  }
  /**
   * Handle incoming event from remote instance
   * Public endpoint - no authentication required (signature-based verification)
   */
  @Post("incoming/event")
  async handleIncomingEvent(@Body() dto: IncomingEventDto): Promise<EventAck> {
    this.logger.log(`Received event from ${dto.instanceId}: ${dto.messageId}`);
    const eventMessage: EventMessage = {
      messageId: dto.messageId,
      instanceId: dto.instanceId,
      eventType: dto.eventType,
      payload: dto.payload,
      timestamp: dto.timestamp,
      signature: dto.signature,
    };
    return this.eventService.handleIncomingEvent(eventMessage);
  }
  /**
   * Handle incoming event acknowledgment from remote instance
   * Public endpoint - no authentication required (signature-based verification)
   */
  @Post("incoming/event/ack")
  async handleIncomingEventAck(@Body() dto: IncomingEventAckDto): Promise<{ status: string }> {
    this.logger.log(`Received acknowledgment for event: ${dto.correlationId}`);
    const ack: EventAck = {
      messageId: dto.messageId,
      correlationId: dto.correlationId,
      instanceId: dto.instanceId,
      received: dto.received,
      ...(dto.error !== undefined ? { error: dto.error } : {}),
      timestamp: dto.timestamp,
      signature: dto.signature,
    };
    await this.eventService.processEventAck(ack);
    return { status: "acknowledged" };
  }
 }
--- a/apps/api/src/federation/event.service.spec.ts
+++ b/apps/api/src/federation/event.service.spec.ts
@@ -0,0 +1,825 @@
 /**
 * EventService Tests
 *
 * Tests for federated event message handling.
 */
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { EventService } from "./event.service";
 import { PrismaService } from "../prisma/prisma.service";
 import { FederationService } from "./federation.service";
 import { SignatureService } from "./signature.service";
 import { HttpService } from "@nestjs/axios";
 import { of, throwError } from "rxjs";
 import {
  FederationConnectionStatus,
  FederationMessageType,
  FederationMessageStatus,
 } from "@prisma/client";
 import type { EventMessage, EventAck } from "./types/message.types";
 import type { AxiosResponse } from "axios";
 describe("EventService", () => {
  let service: EventService;
  let prisma: PrismaService;
  let federationService: FederationService;
  let signatureService: SignatureService;
  let httpService: HttpService;
  const mockWorkspaceId = "workspace-123";
  const mockConnectionId = "connection-123";
  const mockInstanceId = "instance-123";
  const mockRemoteInstanceId = "remote-instance-123";
  const mockMessageId = "message-123";
  const mockEventType = "task.created";
  const mockPrisma = {
    federationConnection: {
      findUnique: vi.fn(),
      findFirst: vi.fn(),
    },
    federationEventSubscription: {
      create: vi.fn(),
      findMany: vi.fn(),
      findUnique: vi.fn(),
      findFirst: vi.fn(),
      update: vi.fn(),
      delete: vi.fn(),
    },
    federationMessage: {
      create: vi.fn(),
      findMany: vi.fn(),
      findUnique: vi.fn(),
      findFirst: vi.fn(),
      update: vi.fn(),
    },
  };
  const mockFederationService = {
    getInstanceIdentity: vi.fn(),
  };
  const mockSignatureService = {
    signMessage: vi.fn(),
    verifyMessage: vi.fn(),
    validateTimestamp: vi.fn(),
  };
  const mockHttpService = {
    post: vi.fn(),
  };
  beforeEach(async () => {
    vi.clearAllMocks();
    const module: TestingModule = await Test.createTestingModule({
      providers: [
        EventService,
        {
          provide: PrismaService,
          useValue: mockPrisma,
        },
        {
          provide: FederationService,
          useValue: mockFederationService,
        },
        {
          provide: SignatureService,
          useValue: mockSignatureService,
        },
        {
          provide: HttpService,
          useValue: mockHttpService,
        },
      ],
    }).compile();
    service = module.get<EventService>(EventService);
    prisma = module.get(PrismaService);
    federationService = module.get(FederationService);
    signatureService = module.get(SignatureService);
    httpService = module.get(HttpService);
  });
  describe("subscribeToEventType", () => {
    it("should create a new subscription", async () => {
      const mockConnection = {
        id: mockConnectionId,
        workspaceId: mockWorkspaceId,
        remoteInstanceId: mockRemoteInstanceId,
        remoteUrl: "https://remote.example.com",
        remotePublicKey: "public-key",
        remoteCapabilities: {},
        status: FederationConnectionStatus.ACTIVE,
        metadata: {},
        createdAt: new Date(),
        updatedAt: new Date(),
        connectedAt: new Date(),
        disconnectedAt: null,
      };
      const mockSubscription = {
        id: "subscription-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        eventType: mockEventType,
        metadata: {},
        isActive: true,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      prisma.federationConnection.findUnique.mockResolvedValue(mockConnection);
      prisma.federationEventSubscription.create.mockResolvedValue(mockSubscription);
      const result = await service.subscribeToEventType(
        mockWorkspaceId,
        mockConnectionId,
        mockEventType
      );
      expect(result).toEqual({
        id: mockSubscription.id,
        workspaceId: mockSubscription.workspaceId,
        connectionId: mockSubscription.connectionId,
        eventType: mockSubscription.eventType,
        metadata: mockSubscription.metadata,
        isActive: mockSubscription.isActive,
        createdAt: mockSubscription.createdAt,
        updatedAt: mockSubscription.updatedAt,
      });
      expect(prisma.federationConnection.findUnique).toHaveBeenCalledWith({
        where: { id: mockConnectionId, workspaceId: mockWorkspaceId },
      });
      expect(prisma.federationEventSubscription.create).toHaveBeenCalledWith({
        data: {
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          eventType: mockEventType,
          metadata: {},
        },
      });
    });
    it("should throw error if connection not found", async () => {
      prisma.federationConnection.findUnique.mockResolvedValue(null);
      await expect(
        service.subscribeToEventType(mockWorkspaceId, mockConnectionId, mockEventType)
      ).rejects.toThrow("Connection not found");
    });
    it("should throw error if connection not active", async () => {
      const mockConnection = {
        id: mockConnectionId,
        workspaceId: mockWorkspaceId,
        remoteInstanceId: mockRemoteInstanceId,
        remoteUrl: "https://remote.example.com",
        remotePublicKey: "public-key",
        remoteCapabilities: {},
        status: FederationConnectionStatus.SUSPENDED,
        metadata: {},
        createdAt: new Date(),
        updatedAt: new Date(),
        connectedAt: new Date(),
        disconnectedAt: null,
      };
      prisma.federationConnection.findUnique.mockResolvedValue(mockConnection);
      await expect(
        service.subscribeToEventType(mockWorkspaceId, mockConnectionId, mockEventType)
      ).rejects.toThrow("Connection is not active");
    });
  });
  describe("unsubscribeFromEventType", () => {
    it("should delete an existing subscription", async () => {
      const mockSubscription = {
        id: "subscription-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        eventType: mockEventType,
        metadata: {},
        isActive: true,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      prisma.federationEventSubscription.findFirst.mockResolvedValue(mockSubscription);
      prisma.federationEventSubscription.delete.mockResolvedValue(mockSubscription);
      await service.unsubscribeFromEventType(mockWorkspaceId, mockConnectionId, mockEventType);
      expect(prisma.federationEventSubscription.findFirst).toHaveBeenCalledWith({
        where: {
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          eventType: mockEventType,
        },
      });
      expect(prisma.federationEventSubscription.delete).toHaveBeenCalledWith({
        where: { id: mockSubscription.id },
      });
    });
    it("should throw error if subscription not found", async () => {
      prisma.federationEventSubscription.findFirst.mockResolvedValue(null);
      await expect(
        service.unsubscribeFromEventType(mockWorkspaceId, mockConnectionId, mockEventType)
      ).rejects.toThrow("Subscription not found");
    });
  });
  describe("publishEvent", () => {
    it("should publish event to subscribed connections", async () => {
      const mockConnection = {
        id: mockConnectionId,
        workspaceId: mockWorkspaceId,
        remoteInstanceId: mockRemoteInstanceId,
        remoteUrl: "https://remote.example.com",
        remotePublicKey: "public-key",
        remoteCapabilities: {},
        status: FederationConnectionStatus.ACTIVE,
        metadata: {},
        createdAt: new Date(),
        updatedAt: new Date(),
        connectedAt: new Date(),
        disconnectedAt: null,
      };
      const mockSubscription = {
        id: "subscription-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        eventType: mockEventType,
        metadata: {},
        isActive: true,
        createdAt: new Date(),
        updatedAt: new Date(),
        connection: mockConnection,
      };
      const mockIdentity = {
        id: "id-123",
        instanceId: mockInstanceId,
        name: "Local Instance",
        url: "https://local.example.com",
        publicKey: "public-key",
        privateKey: "private-key",
        capabilities: {},
        metadata: {},
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      const mockMessage = {
        id: "message-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: FederationMessageType.EVENT,
        messageId: expect.any(String),
        correlationId: null,
        query: null,
        commandType: null,
        eventType: mockEventType,
        payload: { data: "test" },
        response: null,
        status: FederationMessageStatus.PENDING,
        error: null,
        signature: "signature-123",
        createdAt: new Date(),
        updatedAt: new Date(),
        deliveredAt: null,
      };
      prisma.federationEventSubscription.findMany.mockResolvedValue([mockSubscription]);
      federationService.getInstanceIdentity.mockResolvedValue(mockIdentity);
      signatureService.signMessage.mockResolvedValue("signature-123");
      prisma.federationMessage.create.mockResolvedValue(mockMessage);
      httpService.post.mockReturnValue(
        of({ data: {}, status: 200, statusText: "OK", headers: {}, config: {} as never })
      );
      const result = await service.publishEvent(mockWorkspaceId, mockEventType, { data: "test" });
      expect(result).toHaveLength(1);
      expect(result[0]).toMatchObject({
        id: mockMessage.id,
        workspaceId: mockMessage.workspaceId,
        connectionId: mockMessage.connectionId,
        messageType: mockMessage.messageType,
        eventType: mockMessage.eventType,
        status: mockMessage.status,
      });
      expect(prisma.federationEventSubscription.findMany).toHaveBeenCalledWith({
        where: {
          workspaceId: mockWorkspaceId,
          eventType: mockEventType,
          isActive: true,
        },
        include: {
          connection: true,
        },
      });
      expect(httpService.post).toHaveBeenCalledWith(
        `${mockConnection.remoteUrl}/api/v1/federation/incoming/event`,
        expect.objectContaining({
          instanceId: mockInstanceId,
          eventType: mockEventType,
          payload: { data: "test" },
          signature: "signature-123",
        })
      );
    });
    it("should return empty array if no active subscriptions", async () => {
      prisma.federationEventSubscription.findMany.mockResolvedValue([]);
      const result = await service.publishEvent(mockWorkspaceId, mockEventType, { data: "test" });
      expect(result).toEqual([]);
    });
    it("should handle failed delivery", async () => {
      const mockConnection = {
        id: mockConnectionId,
        workspaceId: mockWorkspaceId,
        remoteInstanceId: mockRemoteInstanceId,
        remoteUrl: "https://remote.example.com",
        remotePublicKey: "public-key",
        remoteCapabilities: {},
        status: FederationConnectionStatus.ACTIVE,
        metadata: {},
        createdAt: new Date(),
        updatedAt: new Date(),
        connectedAt: new Date(),
        disconnectedAt: null,
      };
      const mockSubscription = {
        id: "subscription-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        eventType: mockEventType,
        metadata: {},
        isActive: true,
        createdAt: new Date(),
        updatedAt: new Date(),
        connection: mockConnection,
      };
      const mockIdentity = {
        id: "id-123",
        instanceId: mockInstanceId,
        name: "Local Instance",
        url: "https://local.example.com",
        publicKey: "public-key",
        privateKey: "private-key",
        capabilities: {},
        metadata: {},
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      const mockMessage = {
        id: "message-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: FederationMessageType.EVENT,
        messageId: expect.any(String),
        correlationId: null,
        query: null,
        commandType: null,
        eventType: mockEventType,
        payload: { data: "test" },
        response: null,
        status: FederationMessageStatus.PENDING,
        error: null,
        signature: "signature-123",
        createdAt: new Date(),
        updatedAt: new Date(),
        deliveredAt: null,
      };
      prisma.federationEventSubscription.findMany.mockResolvedValue([mockSubscription]);
      federationService.getInstanceIdentity.mockResolvedValue(mockIdentity);
      signatureService.signMessage.mockResolvedValue("signature-123");
      prisma.federationMessage.create.mockResolvedValue(mockMessage);
      httpService.post.mockReturnValue(throwError(() => new Error("Network error")));
      prisma.federationMessage.update.mockResolvedValue({
        ...mockMessage,
        status: FederationMessageStatus.FAILED,
        error: "Network error",
      });
      const result = await service.publishEvent(mockWorkspaceId, mockEventType, { data: "test" });
      expect(result).toHaveLength(1);
      expect(prisma.federationMessage.update).toHaveBeenCalledWith({
        where: { id: mockMessage.id },
        data: {
          status: FederationMessageStatus.FAILED,
          error: "Network error",
        },
      });
    });
  });
  describe("handleIncomingEvent", () => {
    it("should handle incoming event and return acknowledgment", async () => {
      const eventMessage: EventMessage = {
        messageId: mockMessageId,
        instanceId: mockRemoteInstanceId,
        eventType: mockEventType,
        payload: { data: "test" },
        timestamp: Date.now(),
        signature: "signature-123",
      };
      const mockConnection = {
        id: mockConnectionId,
        workspaceId: mockWorkspaceId,
        remoteInstanceId: mockRemoteInstanceId,
        remoteUrl: "https://remote.example.com",
        remotePublicKey: "public-key",
        remoteCapabilities: {},
        status: FederationConnectionStatus.ACTIVE,
        metadata: {},
        createdAt: new Date(),
        updatedAt: new Date(),
        connectedAt: new Date(),
        disconnectedAt: null,
      };
      const mockIdentity = {
        id: "id-123",
        instanceId: mockInstanceId,
        name: "Local Instance",
        url: "https://local.example.com",
        publicKey: "public-key",
        privateKey: "private-key",
        capabilities: {},
        metadata: {},
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      signatureService.validateTimestamp.mockReturnValue(true);
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
      signatureService.verifyMessage.mockResolvedValue({ valid: true, error: null });
      federationService.getInstanceIdentity.mockResolvedValue(mockIdentity);
      signatureService.signMessage.mockResolvedValue("ack-signature-123");
      const result = await service.handleIncomingEvent(eventMessage);
      expect(result).toEqual({
        messageId: expect.any(String),
        correlationId: mockMessageId,
        instanceId: mockInstanceId,
        received: true,
        timestamp: expect.any(Number),
        signature: "ack-signature-123",
      });
      expect(signatureService.validateTimestamp).toHaveBeenCalledWith(eventMessage.timestamp);
      expect(prisma.federationConnection.findFirst).toHaveBeenCalledWith({
        where: {
          remoteInstanceId: mockRemoteInstanceId,
          status: FederationConnectionStatus.ACTIVE,
        },
      });
      expect(signatureService.verifyMessage).toHaveBeenCalledWith(
        {
          messageId: eventMessage.messageId,
          instanceId: eventMessage.instanceId,
          eventType: eventMessage.eventType,
          payload: eventMessage.payload,
          timestamp: eventMessage.timestamp,
        },
        eventMessage.signature,
        eventMessage.instanceId
      );
    });
    it("should throw error for invalid timestamp", async () => {
      const eventMessage: EventMessage = {
        messageId: mockMessageId,
        instanceId: mockRemoteInstanceId,
        eventType: mockEventType,
        payload: { data: "test" },
        timestamp: Date.now(),
        signature: "signature-123",
      };
      signatureService.validateTimestamp.mockReturnValue(false);
      await expect(service.handleIncomingEvent(eventMessage)).rejects.toThrow(
        "Event timestamp is outside acceptable range"
      );
    });
    it("should throw error if no active connection found", async () => {
      const eventMessage: EventMessage = {
        messageId: mockMessageId,
        instanceId: mockRemoteInstanceId,
        eventType: mockEventType,
        payload: { data: "test" },
        timestamp: Date.now(),
        signature: "signature-123",
      };
      signatureService.validateTimestamp.mockReturnValue(true);
      prisma.federationConnection.findFirst.mockResolvedValue(null);
      await expect(service.handleIncomingEvent(eventMessage)).rejects.toThrow(
        "No connection found for remote instance"
      );
    });
    it("should throw error for invalid signature", async () => {
      const eventMessage: EventMessage = {
        messageId: mockMessageId,
        instanceId: mockRemoteInstanceId,
        eventType: mockEventType,
        payload: { data: "test" },
        timestamp: Date.now(),
        signature: "signature-123",
      };
      const mockConnection = {
        id: mockConnectionId,
        workspaceId: mockWorkspaceId,
        remoteInstanceId: mockRemoteInstanceId,
        remoteUrl: "https://remote.example.com",
        remotePublicKey: "public-key",
        remoteCapabilities: {},
        status: FederationConnectionStatus.ACTIVE,
        metadata: {},
        createdAt: new Date(),
        updatedAt: new Date(),
        connectedAt: new Date(),
        disconnectedAt: null,
      };
      signatureService.validateTimestamp.mockReturnValue(true);
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
      signatureService.verifyMessage.mockResolvedValue({
        valid: false,
        error: "Invalid signature",
      });
      await expect(service.handleIncomingEvent(eventMessage)).rejects.toThrow("Invalid signature");
    });
  });
  describe("processEventAck", () => {
    it("should process event acknowledgment", async () => {
      const ack: EventAck = {
        messageId: "ack-123",
        correlationId: mockMessageId,
        instanceId: mockRemoteInstanceId,
        received: true,
        timestamp: Date.now(),
        signature: "ack-signature-123",
      };
      const mockMessage = {
        id: "message-123",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: FederationMessageType.EVENT,
        messageId: mockMessageId,
        correlationId: null,
        query: null,
        commandType: null,
        eventType: mockEventType,
        payload: { data: "test" },
        response: null,
        status: FederationMessageStatus.PENDING,
        error: null,
        signature: "signature-123",
        createdAt: new Date(),
        updatedAt: new Date(),
        deliveredAt: null,
      };
      signatureService.validateTimestamp.mockReturnValue(true);
      prisma.federationMessage.findFirst.mockResolvedValue(mockMessage);
      signatureService.verifyMessage.mockResolvedValue({ valid: true, error: null });
      prisma.federationMessage.update.mockResolvedValue({
        ...mockMessage,
        status: FederationMessageStatus.DELIVERED,
        deliveredAt: new Date(),
      });
      await service.processEventAck(ack);
      expect(signatureService.validateTimestamp).toHaveBeenCalledWith(ack.timestamp);
      expect(prisma.federationMessage.findFirst).toHaveBeenCalledWith({
        where: {
          messageId: ack.correlationId,
          messageType: FederationMessageType.EVENT,
        },
      });
      expect(prisma.federationMessage.update).toHaveBeenCalledWith({
        where: { id: mockMessage.id },
        data: {
          status: FederationMessageStatus.DELIVERED,
          deliveredAt: expect.any(Date),
        },
      });
    });
    it("should throw error if original event not found", async () => {
      const ack: EventAck = {
        messageId: "ack-123",
        correlationId: mockMessageId,
        instanceId: mockRemoteInstanceId,
        received: true,
        timestamp: Date.now(),
        signature: "ack-signature-123",
      };
      signatureService.validateTimestamp.mockReturnValue(true);
      prisma.federationMessage.findFirst.mockResolvedValue(null);
      await expect(service.processEventAck(ack)).rejects.toThrow(
        "Original event message not found"
      );
    });
  });
  describe("getEventSubscriptions", () => {
    it("should return all subscriptions for workspace", async () => {
      const mockSubscriptions = [
        {
          id: "sub-1",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          eventType: "task.created",
          metadata: {},
          isActive: true,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
        {
          id: "sub-2",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          eventType: "task.updated",
          metadata: {},
          isActive: true,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      prisma.federationEventSubscription.findMany.mockResolvedValue(mockSubscriptions);
      const result = await service.getEventSubscriptions(mockWorkspaceId);
      expect(result).toHaveLength(2);
      expect(prisma.federationEventSubscription.findMany).toHaveBeenCalledWith({
        where: {
          workspaceId: mockWorkspaceId,
        },
        orderBy: { createdAt: "desc" },
      });
    });
    it("should filter by connectionId when provided", async () => {
      const mockSubscriptions = [
        {
          id: "sub-1",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          eventType: "task.created",
          metadata: {},
          isActive: true,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      prisma.federationEventSubscription.findMany.mockResolvedValue(mockSubscriptions);
      const result = await service.getEventSubscriptions(mockWorkspaceId, mockConnectionId);
      expect(result).toHaveLength(1);
      expect(prisma.federationEventSubscription.findMany).toHaveBeenCalledWith({
        where: {
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
        },
        orderBy: { createdAt: "desc" },
      });
    });
  });
  describe("getEventMessages", () => {
    it("should return all event messages for workspace", async () => {
      const mockMessages = [
        {
          id: "msg-1",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          messageType: FederationMessageType.EVENT,
          messageId: "msg-id-1",
          correlationId: null,
          query: null,
          commandType: null,
          eventType: "task.created",
          payload: { data: "test1" },
          response: null,
          status: FederationMessageStatus.DELIVERED,
          error: null,
          signature: "sig-1",
          createdAt: new Date(),
          updatedAt: new Date(),
          deliveredAt: new Date(),
        },
        {
          id: "msg-2",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          messageType: FederationMessageType.EVENT,
          messageId: "msg-id-2",
          correlationId: null,
          query: null,
          commandType: null,
          eventType: "task.updated",
          payload: { data: "test2" },
          response: null,
          status: FederationMessageStatus.PENDING,
          error: null,
          signature: "sig-2",
          createdAt: new Date(),
          updatedAt: new Date(),
          deliveredAt: null,
        },
      ];
      prisma.federationMessage.findMany.mockResolvedValue(mockMessages);
      const result = await service.getEventMessages(mockWorkspaceId);
      expect(result).toHaveLength(2);
      expect(prisma.federationMessage.findMany).toHaveBeenCalledWith({
        where: {
          workspaceId: mockWorkspaceId,
          messageType: FederationMessageType.EVENT,
        },
        orderBy: { createdAt: "desc" },
      });
    });
    it("should filter by status when provided", async () => {
      const mockMessages = [
        {
          id: "msg-1",
          workspaceId: mockWorkspaceId,
          connectionId: mockConnectionId,
          messageType: FederationMessageType.EVENT,
          messageId: "msg-id-1",
          correlationId: null,
          query: null,
          commandType: null,
          eventType: "task.created",
          payload: { data: "test1" },
          response: null,
          status: FederationMessageStatus.PENDING,
          error: null,
          signature: "sig-1",
          createdAt: new Date(),
          updatedAt: new Date(),
          deliveredAt: null,
        },
      ];
      prisma.federationMessage.findMany.mockResolvedValue(mockMessages);
      const result = await service.getEventMessages(
        mockWorkspaceId,
        FederationMessageStatus.PENDING
      );
      expect(result).toHaveLength(1);
      expect(prisma.federationMessage.findMany).toHaveBeenCalledWith({
        where: {
          workspaceId: mockWorkspaceId,
          messageType: FederationMessageType.EVENT,
          status: FederationMessageStatus.PENDING,
        },
        orderBy: { createdAt: "desc" },
      });
    });
  });
 });
--- a/apps/api/src/federation/event.service.ts
+++ b/apps/api/src/federation/event.service.ts
@@ -0,0 +1,500 @@
 /**
 * Event Service
 *
 * Handles federated event messages and subscriptions.
 */
 import { Injectable, Logger } from "@nestjs/common";
 import { HttpService } from "@nestjs/axios";
 import { randomUUID } from "crypto";
 import { firstValueFrom } from "rxjs";
 import { PrismaService } from "../prisma/prisma.service";
 import { FederationService } from "./federation.service";
 import { SignatureService } from "./signature.service";
 import {
  FederationConnectionStatus,
  FederationMessageType,
  FederationMessageStatus,
 } from "@prisma/client";
 import type {
  EventMessage,
  EventAck,
  EventMessageDetails,
  SubscriptionDetails,
 } from "./types/message.types";
@Injectable()
 export class EventService {
  private readonly logger = new Logger(EventService.name);
  constructor(
    private readonly prisma: PrismaService,
    private readonly federationService: FederationService,
    private readonly signatureService: SignatureService,
    private readonly httpService: HttpService
  ) {}
  /**
   * Subscribe to an event type from a remote instance
   */
  async subscribeToEventType(
    workspaceId: string,
    connectionId: string,
    eventType: string,
    metadata?: Record<string, unknown>
  ): Promise<SubscriptionDetails> {
    // Validate connection exists and is active
    const connection = await this.prisma.federationConnection.findUnique({
      where: { id: connectionId, workspaceId },
    });
    if (!connection) {
      throw new Error("Connection not found");
    }
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Create subscription
    const subscription = await this.prisma.federationEventSubscription.create({
      data: {
        workspaceId,
        connectionId,
        eventType,
        metadata: (metadata ?? {}) as never,
      },
    });
    this.logger.log(`Subscribed to event type ${eventType} on connection ${connectionId}`);
    return this.mapToSubscriptionDetails(subscription);
  }
  /**
   * Unsubscribe from an event type
   */
  async unsubscribeFromEventType(
    workspaceId: string,
    connectionId: string,
    eventType: string
  ): Promise<void> {
    // Find subscription
    const subscription = await this.prisma.federationEventSubscription.findFirst({
      where: {
        workspaceId,
        connectionId,
        eventType,
      },
    });
    if (!subscription) {
      throw new Error("Subscription not found");
    }
    // Delete subscription
    await this.prisma.federationEventSubscription.delete({
      where: { id: subscription.id },
    });
    this.logger.log(`Unsubscribed from event type ${eventType} on connection ${connectionId}`);
  }
  /**
   * Publish an event to all subscribed instances
   */
  async publishEvent(
    workspaceId: string,
    eventType: string,
    payload: Record<string, unknown>
  ): Promise<EventMessageDetails[]> {
    // Find all active subscriptions for this event type
    const subscriptions = await this.prisma.federationEventSubscription.findMany({
      where: {
        workspaceId,
        eventType,
        isActive: true,
      },
      include: {
        connection: true,
      },
    });
    if (subscriptions.length === 0) {
      this.logger.debug(`No active subscriptions for event type ${eventType}`);
      return [];
    }
    // Get local instance identity
    const identity = await this.federationService.getInstanceIdentity();
    const results: EventMessageDetails[] = [];
    // Publish to each subscribed connection
    for (const subscription of subscriptions) {
      const connection = subscription.connection;
      // Skip if connection is not active
      if (connection.status !== FederationConnectionStatus.ACTIVE) {
        this.logger.warn(`Skipping inactive connection ${connection.id} for event ${eventType}`);
        continue;
      }
      try {
        // Create event message
        const messageId = randomUUID();
        const timestamp = Date.now();
        const eventPayload: Record<string, unknown> = {
          messageId,
          instanceId: identity.instanceId,
          eventType,
          payload,
          timestamp,
        };
        // Sign the event
        const signature = await this.signatureService.signMessage(eventPayload);
        const signedEvent = {
          messageId,
          instanceId: identity.instanceId,
          eventType,
          payload,
          timestamp,
          signature,
        } as EventMessage;
        // Store message in database
        const message = await this.prisma.federationMessage.create({
          data: {
            workspaceId,
            connectionId: connection.id,
            messageType: FederationMessageType.EVENT,
            messageId,
            eventType,
            payload: payload as never,
            status: FederationMessageStatus.PENDING,
            signature,
          },
        });
        // Send event to remote instance
        try {
          const remoteUrl = `${connection.remoteUrl}/api/v1/federation/incoming/event`;
          await firstValueFrom(this.httpService.post(remoteUrl, signedEvent));
          this.logger.log(`Event sent to ${connection.remoteUrl}: ${messageId}`);
          results.push(this.mapToEventMessageDetails(message));
        } catch (error) {
          this.logger.error(`Failed to send event to ${connection.remoteUrl}`, error);
          // Update message status to failed
          await this.prisma.federationMessage.update({
            where: { id: message.id },
            data: {
              status: FederationMessageStatus.FAILED,
              error: error instanceof Error ? error.message : "Unknown error",
            },
          });
          results.push(
            this.mapToEventMessageDetails({
              ...message,
              status: FederationMessageStatus.FAILED,
              error: error instanceof Error ? error.message : "Unknown error",
            })
          );
        }
      } catch (error) {
        this.logger.error(`Failed to publish event to connection ${connection.id}`, error);
      }
    }
    return results;
  }
  /**
   * Handle incoming event from remote instance
   */
  async handleIncomingEvent(eventMessage: EventMessage): Promise<EventAck> {
    this.logger.log(`Received event from ${eventMessage.instanceId}: ${eventMessage.messageId}`);
    // Validate timestamp
    if (!this.signatureService.validateTimestamp(eventMessage.timestamp)) {
      throw new Error("Event timestamp is outside acceptable range");
    }
    // Find connection for remote instance
    const connection = await this.prisma.federationConnection.findFirst({
      where: {
        remoteInstanceId: eventMessage.instanceId,
        status: FederationConnectionStatus.ACTIVE,
      },
    });
    if (!connection) {
      throw new Error("No connection found for remote instance");
    }
    // Validate connection is active
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Verify signature
    const { signature, ...messageToVerify } = eventMessage;
    const verificationResult = await this.signatureService.verifyMessage(
      messageToVerify,
      signature,
      eventMessage.instanceId
    );
    if (!verificationResult.valid) {
      throw new Error(verificationResult.error ?? "Invalid signature");
    }
    // Store received event
    await this.prisma.federationMessage.create({
      data: {
        workspaceId: connection.workspaceId,
        connectionId: connection.id,
        messageType: FederationMessageType.EVENT,
        messageId: eventMessage.messageId,
        eventType: eventMessage.eventType,
        payload: eventMessage.payload as never,
        status: FederationMessageStatus.DELIVERED,
        signature: eventMessage.signature,
        deliveredAt: new Date(),
      },
    });
    // Get local instance identity
    const identity = await this.federationService.getInstanceIdentity();
    // Create acknowledgment
    const ackMessageId = randomUUID();
    const ackTimestamp = Date.now();
    const ackPayload: Record<string, unknown> = {
      messageId: ackMessageId,
      correlationId: eventMessage.messageId,
      instanceId: identity.instanceId,
      received: true,
      timestamp: ackTimestamp,
    };
    // Sign the acknowledgment
    const ackSignature = await this.signatureService.signMessage(ackPayload);
    const ack = {
      messageId: ackMessageId,
      correlationId: eventMessage.messageId,
      instanceId: identity.instanceId,
      received: true,
      timestamp: ackTimestamp,
      signature: ackSignature,
    } as EventAck;
    return ack;
  }
  /**
   * Process an event acknowledgment from remote instance
   */
  async processEventAck(ack: EventAck): Promise<void> {
    this.logger.log(`Received acknowledgment for event: ${ack.correlationId}`);
    // Validate timestamp
    if (!this.signatureService.validateTimestamp(ack.timestamp)) {
      throw new Error("Acknowledgment timestamp is outside acceptable range");
    }
    // Find original event message
    const message = await this.prisma.federationMessage.findFirst({
      where: {
        messageId: ack.correlationId,
        messageType: FederationMessageType.EVENT,
      },
    });
    if (!message) {
      throw new Error("Original event message not found");
    }
    // Verify signature
    const { signature, ...ackToVerify } = ack;
    const verificationResult = await this.signatureService.verifyMessage(
      ackToVerify,
      signature,
      ack.instanceId
    );
    if (!verificationResult.valid) {
      throw new Error(verificationResult.error ?? "Invalid signature");
    }
    // Update message with acknowledgment
    const updateData: Record<string, unknown> = {
      status: ack.received ? FederationMessageStatus.DELIVERED : FederationMessageStatus.FAILED,
      deliveredAt: new Date(),
    };
    if (ack.error !== undefined) {
      updateData.error = ack.error;
    }
    await this.prisma.federationMessage.update({
      where: { id: message.id },
      data: updateData,
    });
    this.logger.log(`Event acknowledgment processed: ${ack.correlationId}`);
  }
  /**
   * Get all event subscriptions for a workspace
   */
  async getEventSubscriptions(
    workspaceId: string,
    connectionId?: string
  ): Promise<SubscriptionDetails[]> {
    const where: Record<string, unknown> = {
      workspaceId,
    };
    if (connectionId) {
      where.connectionId = connectionId;
    }
    const subscriptions = await this.prisma.federationEventSubscription.findMany({
      where,
      orderBy: { createdAt: "desc" },
    });
    return subscriptions.map((sub) => this.mapToSubscriptionDetails(sub));
  }
  /**
   * Get all event messages for a workspace
   */
  async getEventMessages(
    workspaceId: string,
    status?: FederationMessageStatus
  ): Promise<EventMessageDetails[]> {
    const where: Record<string, unknown> = {
      workspaceId,
      messageType: FederationMessageType.EVENT,
    };
    if (status) {
      where.status = status;
    }
    const messages = await this.prisma.federationMessage.findMany({
      where,
      orderBy: { createdAt: "desc" },
    });
    return messages.map((msg) => this.mapToEventMessageDetails(msg));
  }
  /**
   * Get a single event message
   */
  async getEventMessage(workspaceId: string, messageId: string): Promise<EventMessageDetails> {
    const message = await this.prisma.federationMessage.findUnique({
      where: { id: messageId, workspaceId },
    });
    if (!message) {
      throw new Error("Event message not found");
    }
    return this.mapToEventMessageDetails(message);
  }
  /**
   * Map Prisma FederationMessage to EventMessageDetails
   */
  private mapToEventMessageDetails(message: {
    id: string;
    workspaceId: string;
    connectionId: string;
    messageType: FederationMessageType;
    messageId: string;
    correlationId: string | null;
    query: string | null;
    commandType: string | null;
    eventType: string | null;
    payload: unknown;
    response: unknown;
    status: FederationMessageStatus;
    error: string | null;
    createdAt: Date;
    updatedAt: Date;
    deliveredAt: Date | null;
  }): EventMessageDetails {
    const details: EventMessageDetails = {
      id: message.id,
      workspaceId: message.workspaceId,
      connectionId: message.connectionId,
      messageType: message.messageType,
      messageId: message.messageId,
      response: message.response,
      status: message.status,
      createdAt: message.createdAt,
      updatedAt: message.updatedAt,
    };
    if (message.correlationId !== null) {
      details.correlationId = message.correlationId;
    }
    if (message.eventType !== null) {
      details.eventType = message.eventType;
    }
    if (message.payload !== null && typeof message.payload === "object") {
      details.payload = message.payload as Record<string, unknown>;
    }
    if (message.error !== null) {
      details.error = message.error;
    }
    if (message.deliveredAt !== null) {
      details.deliveredAt = message.deliveredAt;
    }
    return details;
  }
  /**
   * Map Prisma FederationEventSubscription to SubscriptionDetails
   */
  private mapToSubscriptionDetails(subscription: {
    id: string;
    workspaceId: string;
    connectionId: string;
    eventType: string;
    metadata: unknown;
    isActive: boolean;
    createdAt: Date;
    updatedAt: Date;
  }): SubscriptionDetails {
    return {
      id: subscription.id,
      workspaceId: subscription.workspaceId,
      connectionId: subscription.connectionId,
      eventType: subscription.eventType,
      metadata:
        typeof subscription.metadata === "object" && subscription.metadata !== null
          ? (subscription.metadata as Record<string, unknown>)
          : {},
      isActive: subscription.isActive,
      createdAt: subscription.createdAt,
      updatedAt: subscription.updatedAt,
    };
  }
 }
--- a/apps/api/src/federation/federation-agent.service.spec.ts
+++ b/apps/api/src/federation/federation-agent.service.spec.ts
@@ -0,0 +1,457 @@
 /**
 * Tests for Federation Agent Service
 */
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { HttpService } from "@nestjs/axios";
 import { ConfigService } from "@nestjs/config";
 import { FederationAgentService } from "./federation-agent.service";
 import { CommandService } from "./command.service";
 import { PrismaService } from "../prisma/prisma.service";
 import { FederationConnectionStatus } from "@prisma/client";
 import { of, throwError } from "rxjs";
 import type {
  SpawnAgentCommandPayload,
  AgentStatusCommandPayload,
  KillAgentCommandPayload,
  SpawnAgentResponseData,
  AgentStatusResponseData,
  KillAgentResponseData,
 } from "./types/federation-agent.types";
 describe("FederationAgentService", () => {
  let service: FederationAgentService;
  let commandService: ReturnType<typeof vi.mocked<CommandService>>;
  let prisma: ReturnType<typeof vi.mocked<PrismaService>>;
  let httpService: ReturnType<typeof vi.mocked<HttpService>>;
  let configService: ReturnType<typeof vi.mocked<ConfigService>>;
  const mockWorkspaceId = "workspace-1";
  const mockConnectionId = "connection-1";
  const mockAgentId = "agent-123";
  const mockTaskId = "task-456";
  const mockOrchestratorUrl = "http://localhost:3001";
  beforeEach(async () => {
    const mockCommandService = {
      sendCommand: vi.fn(),
    };
    const mockPrisma = {
      federationConnection: {
        findUnique: vi.fn(),
        findFirst: vi.fn(),
      },
    };
    const mockHttpService = {
      post: vi.fn(),
      get: vi.fn(),
    };
    const mockConfigService = {
      get: vi.fn((key: string) => {
        if (key === "orchestrator.url") {
          return mockOrchestratorUrl;
        }
        return undefined;
      }),
    };
    const module: TestingModule = await Test.createTestingModule({
      providers: [
        FederationAgentService,
        { provide: CommandService, useValue: mockCommandService },
        { provide: PrismaService, useValue: mockPrisma },
        { provide: HttpService, useValue: mockHttpService },
        { provide: ConfigService, useValue: mockConfigService },
      ],
    }).compile();
    service = module.get<FederationAgentService>(FederationAgentService);
    commandService = module.get(CommandService);
    prisma = module.get(PrismaService);
    httpService = module.get(HttpService);
    configService = module.get(ConfigService);
  });
  it("should be defined", () => {
    expect(service).toBeDefined();
  });
  describe("spawnAgentOnRemote", () => {
    const spawnPayload: SpawnAgentCommandPayload = {
      taskId: mockTaskId,
      agentType: "worker",
      context: {
        repository: "git.example.com/org/repo",
        branch: "main",
        workItems: ["item-1"],
      },
    };
    const mockConnection = {
      id: mockConnectionId,
      workspaceId: mockWorkspaceId,
      remoteInstanceId: "remote-instance-1",
      remoteUrl: "https://remote.example.com",
      status: FederationConnectionStatus.ACTIVE,
    };
    it("should spawn agent on remote instance", async () => {
      prisma.federationConnection.findUnique.mockResolvedValue(mockConnection as never);
      const mockCommandResponse = {
        id: "msg-1",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: "COMMAND" as never,
        messageId: "msg-uuid",
        commandType: "agent.spawn",
        payload: spawnPayload as never,
        response: {
          agentId: mockAgentId,
          status: "spawning",
          spawnedAt: "2026-02-03T14:30:00Z",
        } as never,
        status: "DELIVERED" as never,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      commandService.sendCommand.mockResolvedValue(mockCommandResponse as never);
      const result = await service.spawnAgentOnRemote(
        mockWorkspaceId,
        mockConnectionId,
        spawnPayload
      );
      expect(prisma.federationConnection.findUnique).toHaveBeenCalledWith({
        where: { id: mockConnectionId, workspaceId: mockWorkspaceId },
      });
      expect(commandService.sendCommand).toHaveBeenCalledWith(
        mockWorkspaceId,
        mockConnectionId,
        "agent.spawn",
        spawnPayload
      );
      expect(result).toEqual(mockCommandResponse);
    });
    it("should throw error if connection not found", async () => {
      prisma.federationConnection.findUnique.mockResolvedValue(null);
      await expect(
        service.spawnAgentOnRemote(mockWorkspaceId, mockConnectionId, spawnPayload)
      ).rejects.toThrow("Connection not found");
      expect(commandService.sendCommand).not.toHaveBeenCalled();
    });
    it("should throw error if connection not active", async () => {
      const inactiveConnection = {
        ...mockConnection,
        status: FederationConnectionStatus.DISCONNECTED,
      };
      prisma.federationConnection.findUnique.mockResolvedValue(inactiveConnection as never);
      await expect(
        service.spawnAgentOnRemote(mockWorkspaceId, mockConnectionId, spawnPayload)
      ).rejects.toThrow("Connection is not active");
      expect(commandService.sendCommand).not.toHaveBeenCalled();
    });
  });
  describe("getAgentStatus", () => {
    const statusPayload: AgentStatusCommandPayload = {
      agentId: mockAgentId,
    };
    const mockConnection = {
      id: mockConnectionId,
      workspaceId: mockWorkspaceId,
      remoteInstanceId: "remote-instance-1",
      remoteUrl: "https://remote.example.com",
      status: FederationConnectionStatus.ACTIVE,
    };
    it("should get agent status from remote instance", async () => {
      prisma.federationConnection.findUnique.mockResolvedValue(mockConnection as never);
      const mockCommandResponse = {
        id: "msg-2",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: "COMMAND" as never,
        messageId: "msg-uuid-2",
        commandType: "agent.status",
        payload: statusPayload as never,
        response: {
          agentId: mockAgentId,
          taskId: mockTaskId,
          status: "running",
          spawnedAt: "2026-02-03T14:30:00Z",
          startedAt: "2026-02-03T14:30:05Z",
        } as never,
        status: "DELIVERED" as never,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      commandService.sendCommand.mockResolvedValue(mockCommandResponse as never);
      const result = await service.getAgentStatus(mockWorkspaceId, mockConnectionId, mockAgentId);
      expect(commandService.sendCommand).toHaveBeenCalledWith(
        mockWorkspaceId,
        mockConnectionId,
        "agent.status",
        statusPayload
      );
      expect(result).toEqual(mockCommandResponse);
    });
  });
  describe("killAgentOnRemote", () => {
    const killPayload: KillAgentCommandPayload = {
      agentId: mockAgentId,
    };
    const mockConnection = {
      id: mockConnectionId,
      workspaceId: mockWorkspaceId,
      remoteInstanceId: "remote-instance-1",
      remoteUrl: "https://remote.example.com",
      status: FederationConnectionStatus.ACTIVE,
    };
    it("should kill agent on remote instance", async () => {
      prisma.federationConnection.findUnique.mockResolvedValue(mockConnection as never);
      const mockCommandResponse = {
        id: "msg-3",
        workspaceId: mockWorkspaceId,
        connectionId: mockConnectionId,
        messageType: "COMMAND" as never,
        messageId: "msg-uuid-3",
        commandType: "agent.kill",
        payload: killPayload as never,
        response: {
          agentId: mockAgentId,
          status: "killed",
          killedAt: "2026-02-03T14:35:00Z",
        } as never,
        status: "DELIVERED" as never,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      commandService.sendCommand.mockResolvedValue(mockCommandResponse as never);
      const result = await service.killAgentOnRemote(
        mockWorkspaceId,
        mockConnectionId,
        mockAgentId
      );
      expect(commandService.sendCommand).toHaveBeenCalledWith(
        mockWorkspaceId,
        mockConnectionId,
        "agent.kill",
        killPayload
      );
      expect(result).toEqual(mockCommandResponse);
    });
  });
  describe("handleAgentCommand", () => {
    const mockConnection = {
      id: mockConnectionId,
      workspaceId: mockWorkspaceId,
      remoteInstanceId: "remote-instance-1",
      remoteUrl: "https://remote.example.com",
      status: FederationConnectionStatus.ACTIVE,
    };
    it("should handle agent.spawn command", async () => {
      const spawnPayload: SpawnAgentCommandPayload = {
        taskId: mockTaskId,
        agentType: "worker",
        context: {
          repository: "git.example.com/org/repo",
          branch: "main",
          workItems: ["item-1"],
        },
      };
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
      const mockOrchestratorResponse = {
        agentId: mockAgentId,
        status: "spawning",
      };
      httpService.post.mockReturnValue(
        of({
          data: mockOrchestratorResponse,
          status: 200,
          statusText: "OK",
          headers: {},
          config: {} as never,
        }) as never
      );
      const result = await service.handleAgentCommand(
        "remote-instance-1",
        "agent.spawn",
        spawnPayload
      );
      expect(httpService.post).toHaveBeenCalledWith(
        `${mockOrchestratorUrl}/agents/spawn`,
        expect.objectContaining({
          taskId: mockTaskId,
          agentType: "worker",
        })
      );
      expect(result.success).toBe(true);
      expect(result.data).toEqual({
        agentId: mockAgentId,
        status: "spawning",
        spawnedAt: expect.any(String),
      });
    });
    it("should handle agent.status command", async () => {
      const statusPayload: AgentStatusCommandPayload = {
        agentId: mockAgentId,
      };
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
      const mockOrchestratorResponse = {
        agentId: mockAgentId,
        taskId: mockTaskId,
        status: "running",
        spawnedAt: "2026-02-03T14:30:00Z",
        startedAt: "2026-02-03T14:30:05Z",
      };
      httpService.get.mockReturnValue(
        of({
          data: mockOrchestratorResponse,
          status: 200,
          statusText: "OK",
          headers: {},
          config: {} as never,
        }) as never
      );
      const result = await service.handleAgentCommand(
        "remote-instance-1",
        "agent.status",
        statusPayload
      );
      expect(httpService.get).toHaveBeenCalledWith(
        `${mockOrchestratorUrl}/agents/${mockAgentId}/status`
      );
      expect(result.success).toBe(true);
      expect(result.data).toEqual(mockOrchestratorResponse);
    });
    it("should handle agent.kill command", async () => {
      const killPayload: KillAgentCommandPayload = {
        agentId: mockAgentId,
      };
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
      const mockOrchestratorResponse = {
        message: `Agent ${mockAgentId} killed successfully`,
      };
      httpService.post.mockReturnValue(
        of({
          data: mockOrchestratorResponse,
          status: 200,
          statusText: "OK",
          headers: {},
          config: {} as never,
        }) as never
      );
      const result = await service.handleAgentCommand(
        "remote-instance-1",
        "agent.kill",
        killPayload
      );
      expect(httpService.post).toHaveBeenCalledWith(
        `${mockOrchestratorUrl}/agents/${mockAgentId}/kill`,
        {}
      );
      expect(result.success).toBe(true);
      expect(result.data).toEqual({
        agentId: mockAgentId,
        status: "killed",
        killedAt: expect.any(String),
      });
    });
    it("should return error for unknown command type", async () => {
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
      const result = await service.handleAgentCommand("remote-instance-1", "agent.unknown", {});
      expect(result.success).toBe(false);
      expect(result.error).toContain("Unknown agent command type: agent.unknown");
    });
    it("should throw error if connection not found", async () => {
      prisma.federationConnection.findFirst.mockResolvedValue(null);
      await expect(
        service.handleAgentCommand("remote-instance-1", "agent.spawn", {})
      ).rejects.toThrow("No connection found for remote instance");
    });
    it("should handle orchestrator errors", async () => {
      const spawnPayload: SpawnAgentCommandPayload = {
        taskId: mockTaskId,
        agentType: "worker",
        context: {
          repository: "git.example.com/org/repo",
          branch: "main",
          workItems: ["item-1"],
        },
      };
      prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
      httpService.post.mockReturnValue(
        throwError(() => new Error("Orchestrator connection failed")) as never
      );
      const result = await service.handleAgentCommand(
        "remote-instance-1",
        "agent.spawn",
        spawnPayload
      );
      expect(result.success).toBe(false);
      expect(result.error).toContain("Orchestrator connection failed");
    });
  });
 });
--- a/apps/api/src/federation/federation-agent.service.ts
+++ b/apps/api/src/federation/federation-agent.service.ts
@@ -0,0 +1,338 @@
 /**
 * Federation Agent Service
 *
 * Handles spawning and managing agents on remote federated instances.
 */
 import { Injectable, Logger } from "@nestjs/common";
 import { HttpService } from "@nestjs/axios";
 import { ConfigService } from "@nestjs/config";
 import { firstValueFrom } from "rxjs";
 import { PrismaService } from "../prisma/prisma.service";
 import { CommandService } from "./command.service";
 import { FederationConnectionStatus } from "@prisma/client";
 import type { CommandMessageDetails } from "./types/message.types";
 import type {
  SpawnAgentCommandPayload,
  AgentStatusCommandPayload,
  KillAgentCommandPayload,
  SpawnAgentResponseData,
  AgentStatusResponseData,
  KillAgentResponseData,
 } from "./types/federation-agent.types";
 /**
 * Agent command response structure
 */
 export interface AgentCommandResponse {
  /** Whether the command was successful */
  success: boolean;
  /** Response data if successful */
  data?:
    | SpawnAgentResponseData
    | AgentStatusResponseData
    | KillAgentResponseData
    | Record<string, unknown>;
  /** Error message if failed */
  error?: string;
 }
@Injectable()
 export class FederationAgentService {
  private readonly logger = new Logger(FederationAgentService.name);
  private readonly orchestratorUrl: string;
  constructor(
    private readonly prisma: PrismaService,
    private readonly commandService: CommandService,
    private readonly httpService: HttpService,
    private readonly configService: ConfigService
  ) {
    this.orchestratorUrl =
      this.configService.get<string>("orchestrator.url") ?? "http://localhost:3001";
    this.logger.log(
      `FederationAgentService initialized with orchestrator URL: ${this.orchestratorUrl}`
    );
  }
  /**
   * Spawn an agent on a remote federated instance
   * @param workspaceId Workspace ID
   * @param connectionId Federation connection ID
   * @param payload Agent spawn command payload
   * @returns Command message details
   */
  async spawnAgentOnRemote(
    workspaceId: string,
    connectionId: string,
    payload: SpawnAgentCommandPayload
  ): Promise<CommandMessageDetails> {
    this.logger.log(
      `Spawning agent on remote instance via connection ${connectionId} for task ${payload.taskId}`
    );
    // Validate connection exists and is active
    const connection = await this.prisma.federationConnection.findUnique({
      where: { id: connectionId, workspaceId },
    });
    if (!connection) {
      throw new Error("Connection not found");
    }
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Send command via federation
    const result = await this.commandService.sendCommand(
      workspaceId,
      connectionId,
      "agent.spawn",
      payload as unknown as Record<string, unknown>
    );
    this.logger.log(`Agent spawn command sent successfully: ${result.messageId}`);
    return result;
  }
  /**
   * Get agent status from remote instance
   * @param workspaceId Workspace ID
   * @param connectionId Federation connection ID
   * @param agentId Agent ID
   * @returns Command message details
   */
  async getAgentStatus(
    workspaceId: string,
    connectionId: string,
    agentId: string
  ): Promise<CommandMessageDetails> {
    this.logger.log(`Getting agent status for ${agentId} via connection ${connectionId}`);
    // Validate connection exists and is active
    const connection = await this.prisma.federationConnection.findUnique({
      where: { id: connectionId, workspaceId },
    });
    if (!connection) {
      throw new Error("Connection not found");
    }
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Send status command
    const payload: AgentStatusCommandPayload = { agentId };
    const result = await this.commandService.sendCommand(
      workspaceId,
      connectionId,
      "agent.status",
      payload as unknown as Record<string, unknown>
    );
    this.logger.log(`Agent status command sent successfully: ${result.messageId}`);
    return result;
  }
  /**
   * Kill an agent on remote instance
   * @param workspaceId Workspace ID
   * @param connectionId Federation connection ID
   * @param agentId Agent ID
   * @returns Command message details
   */
  async killAgentOnRemote(
    workspaceId: string,
    connectionId: string,
    agentId: string
  ): Promise<CommandMessageDetails> {
    this.logger.log(`Killing agent ${agentId} via connection ${connectionId}`);
    // Validate connection exists and is active
    const connection = await this.prisma.federationConnection.findUnique({
      where: { id: connectionId, workspaceId },
    });
    if (!connection) {
      throw new Error("Connection not found");
    }
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Send kill command
    const payload: KillAgentCommandPayload = { agentId };
    const result = await this.commandService.sendCommand(
      workspaceId,
      connectionId,
      "agent.kill",
      payload as unknown as Record<string, unknown>
    );
    this.logger.log(`Agent kill command sent successfully: ${result.messageId}`);
    return result;
  }
  /**
   * Handle incoming agent command from remote instance
   * @param remoteInstanceId Remote instance ID that sent the command
   * @param commandType Command type (agent.spawn, agent.status, agent.kill)
   * @param payload Command payload
   * @returns Agent command response
   */
  async handleAgentCommand(
    remoteInstanceId: string,
    commandType: string,
    payload: Record<string, unknown>
  ): Promise<AgentCommandResponse> {
    this.logger.log(`Handling agent command ${commandType} from ${remoteInstanceId}`);
    // Verify connection exists for remote instance
    const connection = await this.prisma.federationConnection.findFirst({
      where: {
        remoteInstanceId,
        status: FederationConnectionStatus.ACTIVE,
      },
    });
    if (!connection) {
      throw new Error("No connection found for remote instance");
    }
    // Route command to appropriate handler
    try {
      switch (commandType) {
        case "agent.spawn":
          return await this.handleSpawnCommand(payload as unknown as SpawnAgentCommandPayload);
        case "agent.status":
          return await this.handleStatusCommand(payload as unknown as AgentStatusCommandPayload);
        case "agent.kill":
          return await this.handleKillCommand(payload as unknown as KillAgentCommandPayload);
        default:
          throw new Error(`Unknown agent command type: ${commandType}`);
      }
    } catch (error) {
      this.logger.error(`Error handling agent command: ${String(error)}`);
      return {
        success: false,
        error: error instanceof Error ? error.message : "Unknown error",
      };
    }
  }
  /**
   * Handle agent spawn command by calling local orchestrator
   * @param payload Spawn command payload
   * @returns Spawn response
   */
  private async handleSpawnCommand(
    payload: SpawnAgentCommandPayload
  ): Promise<AgentCommandResponse> {
    this.logger.log(`Processing spawn command for task ${payload.taskId}`);
    try {
      const orchestratorPayload = {
        taskId: payload.taskId,
        agentType: payload.agentType,
        context: payload.context,
        options: payload.options,
      };
      const response = await firstValueFrom(
        this.httpService.post<{ agentId: string; status: string }>(
          `${this.orchestratorUrl}/agents/spawn`,
          orchestratorPayload
        )
      );
      const spawnedAt = new Date().toISOString();
      const responseData: SpawnAgentResponseData = {
        agentId: response.data.agentId,
        status: response.data.status as "spawning",
        spawnedAt,
      };
      this.logger.log(`Agent spawned successfully: ${responseData.agentId}`);
      return {
        success: true,
        data: responseData,
      };
    } catch (error) {
      this.logger.error(`Failed to spawn agent: ${String(error)}`);
      throw error;
    }
  }
  /**
   * Handle agent status command by calling local orchestrator
   * @param payload Status command payload
   * @returns Status response
   */
  private async handleStatusCommand(
    payload: AgentStatusCommandPayload
  ): Promise<AgentCommandResponse> {
    this.logger.log(`Processing status command for agent ${payload.agentId}`);
    try {
      const response = await firstValueFrom(
        this.httpService.get(`${this.orchestratorUrl}/agents/${payload.agentId}/status`)
      );
      const responseData: AgentStatusResponseData = response.data as AgentStatusResponseData;
      this.logger.log(`Agent status retrieved: ${responseData.status}`);
      return {
        success: true,
        data: responseData,
      };
    } catch (error) {
      this.logger.error(`Failed to get agent status: ${String(error)}`);
      throw error;
    }
  }
  /**
   * Handle agent kill command by calling local orchestrator
   * @param payload Kill command payload
   * @returns Kill response
   */
  private async handleKillCommand(payload: KillAgentCommandPayload): Promise<AgentCommandResponse> {
    this.logger.log(`Processing kill command for agent ${payload.agentId}`);
    try {
      await firstValueFrom(
        this.httpService.post(`${this.orchestratorUrl}/agents/${payload.agentId}/kill`, {})
      );
      const killedAt = new Date().toISOString();
      const responseData: KillAgentResponseData = {
        agentId: payload.agentId,
        status: "killed",
        killedAt,
      };
      this.logger.log(`Agent killed successfully: ${payload.agentId}`);
      return {
        success: true,
        data: responseData,
      };
    } catch (error) {
      this.logger.error(`Failed to kill agent: ${String(error)}`);
      throw error;
    }
  }
 }
--- a/apps/api/src/federation/federation-auth.controller.spec.ts
+++ b/apps/api/src/federation/federation-auth.controller.spec.ts
@@ -240,9 +240,9 @@ describe("FederationAuthController", () => {
        subject: "user-subject-123",
      };
-      mockOIDCService.validateToken.mockReturnValue(mockValidation);
+      mockOIDCService.validateToken.mockResolvedValue(mockValidation);
-      const result = controller.validateToken(dto);
+      const result = await controller.validateToken(dto);
      expect(result).toEqual(mockValidation);
      expect(mockOIDCService.validateToken).toHaveBeenCalledWith(dto.token, dto.instanceId);
@@ -259,9 +259,9 @@ describe("FederationAuthController", () => {
        error: "Token has expired",
      };
-      mockOIDCService.validateToken.mockReturnValue(mockValidation);
+      mockOIDCService.validateToken.mockResolvedValue(mockValidation);
-      const result = controller.validateToken(dto);
+      const result = await controller.validateToken(dto);
      expect(result.valid).toBe(false);
      expect(result.error).toBeDefined();
--- a/apps/api/src/federation/federation-auth.controller.ts
+++ b/apps/api/src/federation/federation-auth.controller.ts
@@ -2,9 +2,11 @@
 * Federation Auth Controller
 *
 * API endpoints for federated OIDC authentication.
 * Issue #272: Rate limiting applied to prevent DoS attacks
 */
 import { Controller, Post, Get, Delete, Body, Param, Req, UseGuards, Logger } from "@nestjs/common";
 import { Throttle } from "@nestjs/throttler";
 import { OIDCService } from "./oidc.service";
 import { FederationAuditService } from "./audit.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
@@ -28,9 +30,11 @@ export class FederationAuthController {
  /**
   * Initiate federated authentication flow
   * Returns authorization URL to redirect user to
   * Rate limit: "medium" tier (20 req/min) - authenticated endpoint
   */
  @Post("initiate")
  @UseGuards(AuthGuard)
  @Throttle({ medium: { limit: 20, ttl: 60000 } })
  initiateAuth(
    @Req() req: AuthenticatedRequest,
    @Body() dto: InitiateFederatedAuthDto
@@ -54,9 +58,11 @@ export class FederationAuthController {
  /**
   * Link federated identity to local user
   * Rate limit: "medium" tier (20 req/min) - authenticated endpoint
   */
  @Post("link")
  @UseGuards(AuthGuard)
  @Throttle({ medium: { limit: 20, ttl: 60000 } })
  async linkIdentity(
    @Req() req: AuthenticatedRequest,
    @Body() dto: LinkFederatedIdentityDto
@@ -84,9 +90,11 @@ export class FederationAuthController {
  /**
   * Get user's federated identities
   * Rate limit: "long" tier (200 req/hour) - read-only endpoint
   */
  @Get("identities")
  @UseGuards(AuthGuard)
  @Throttle({ long: { limit: 200, ttl: 3600000 } })
  async getIdentities(@Req() req: AuthenticatedRequest): Promise<FederatedIdentity[]> {
    if (!req.user) {
      throw new Error("User not authenticated");
@@ -97,9 +105,11 @@ export class FederationAuthController {
  /**
   * Revoke a federated identity
   * Rate limit: "medium" tier (20 req/min) - authenticated endpoint
   */
  @Delete("identities/:instanceId")
  @UseGuards(AuthGuard)
  @Throttle({ medium: { limit: 20, ttl: 60000 } })
  async revokeIdentity(
    @Req() req: AuthenticatedRequest,
    @Param("instanceId") instanceId: string
@@ -121,8 +131,10 @@ export class FederationAuthController {
  /**
   * Validate a federated token
   * Public endpoint (no auth required) - used by federated instances
   * Rate limit: "short" tier (3 req/sec) - CRITICAL DoS protection (Issue #272)
   */
  @Post("validate")
  @Throttle({ short: { limit: 3, ttl: 1000 } })
  validateToken(@Body() dto: ValidateFederatedTokenDto): FederatedTokenValidation {
    this.logger.debug(`Validating federated token from ${dto.instanceId}`);
--- a/apps/api/src/federation/federation.controller.spec.ts
+++ b/apps/api/src/federation/federation.controller.spec.ts
@@ -8,6 +8,7 @@ import { FederationController } from "./federation.controller";
 import { FederationService } from "./federation.service";
 import { FederationAuditService } from "./audit.service";
 import { ConnectionService } from "./connection.service";
 import { FederationAgentService } from "./federation-agent.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { AdminGuard } from "../auth/guards/admin.guard";
 import { FederationConnectionStatus } from "@prisma/client";
@@ -88,6 +89,14 @@ describe("FederationController", () => {
            handleIncomingConnectionRequest: vi.fn(),
          },
        },
        {
          provide: FederationAgentService,
          useValue: {
            spawnAgentOnRemote: vi.fn(),
            getAgentStatus: vi.fn(),
            killAgentOnRemote: vi.fn(),
          },
        },
      ],
    })
      .overrideGuard(AuthGuard)
--- a/apps/api/src/federation/federation.controller.ts
+++ b/apps/api/src/federation/federation.controller.ts
@@ -2,9 +2,11 @@
 * Federation Controller
 *
 * API endpoints for instance identity and federation management.
 * Issue #272: Rate limiting applied to prevent DoS attacks
 */
 import { Controller, Get, Post, UseGuards, Logger, Req, Body, Param, Query } from "@nestjs/common";
 import { Throttle } from "@nestjs/throttler";
 import { FederationService } from "./federation.service";
 import { FederationAuditService } from "./audit.service";
 import { ConnectionService } from "./connection.service";
@@ -35,8 +37,10 @@ export class FederationController {
  /**
   * Get this instance's public identity
   * No authentication required - this is public information for federation
   * Rate limit: "long" tier (200 req/hour) - public endpoint
   */
  @Get("instance")
  @Throttle({ long: { limit: 200, ttl: 3600000 } })
  async getInstance(): Promise<PublicInstanceIdentity> {
    this.logger.debug("GET /api/v1/federation/instance");
    return this.federationService.getPublicIdentity();
@@ -46,9 +50,11 @@ export class FederationController {
   * Regenerate instance keypair
   * Requires system administrator privileges
   * Returns public identity only (private key never exposed in API)
   * Rate limit: "medium" tier (20 req/min) - sensitive admin operation
   */
  @Post("instance/regenerate-keys")
  @UseGuards(AuthGuard, AdminGuard)
  @Throttle({ medium: { limit: 20, ttl: 60000 } })
  async regenerateKeys(@Req() req: AuthenticatedRequest): Promise<PublicInstanceIdentity> {
    if (!req.user) {
      throw new Error("User not authenticated");
@@ -67,9 +73,11 @@ export class FederationController {
  /**
   * Initiate a connection to a remote instance
   * Requires authentication
   * Rate limit: "medium" tier (20 req/min) - authenticated endpoint
   */
  @Post("connections/initiate")
  @UseGuards(AuthGuard)
  @Throttle({ medium: { limit: 20, ttl: 60000 } })
  async initiateConnection(
    @Req() req: AuthenticatedRequest,
    @Body() dto: InitiateConnectionDto
@@ -88,9 +96,11 @@ export class FederationController {
  /**
   * Accept a pending connection
   * Requires authentication
   * Rate limit: "medium" tier (20 req/min) - authenticated endpoint
   */
  @Post("connections/:id/accept")
  @UseGuards(AuthGuard)
  @Throttle({ medium: { limit: 20, ttl: 60000 } })
  async acceptConnection(
    @Req() req: AuthenticatedRequest,
    @Param("id") connectionId: string,
@@ -114,9 +124,11 @@ export class FederationController {
  /**
   * Reject a pending connection
   * Requires authentication
   * Rate limit: "medium" tier (20 req/min) - authenticated endpoint
   */
  @Post("connections/:id/reject")
  @UseGuards(AuthGuard)
  @Throttle({ medium: { limit: 20, ttl: 60000 } })
  async rejectConnection(
    @Req() req: AuthenticatedRequest,
    @Param("id") connectionId: string,
@@ -134,9 +146,11 @@ export class FederationController {
  /**
   * Disconnect an active connection
   * Requires authentication
   * Rate limit: "medium" tier (20 req/min) - authenticated endpoint
   */
  @Post("connections/:id/disconnect")
  @UseGuards(AuthGuard)
  @Throttle({ medium: { limit: 20, ttl: 60000 } })
  async disconnectConnection(
    @Req() req: AuthenticatedRequest,
    @Param("id") connectionId: string,
@@ -154,9 +168,11 @@ export class FederationController {
  /**
   * Get all connections for the workspace
   * Requires authentication
   * Rate limit: "long" tier (200 req/hour) - read-only endpoint
   */
  @Get("connections")
  @UseGuards(AuthGuard)
  @Throttle({ long: { limit: 200, ttl: 3600000 } })
  async getConnections(
    @Req() req: AuthenticatedRequest,
    @Query("status") status?: FederationConnectionStatus
@@ -171,9 +187,11 @@ export class FederationController {
  /**
   * Get a single connection
   * Requires authentication
   * Rate limit: "long" tier (200 req/hour) - read-only endpoint
   */
  @Get("connections/:id")
  @UseGuards(AuthGuard)
  @Throttle({ long: { limit: 200, ttl: 3600000 } })
  async getConnection(
    @Req() req: AuthenticatedRequest,
    @Param("id") connectionId: string
@@ -188,8 +206,10 @@ export class FederationController {
  /**
   * Handle incoming connection request from remote instance
   * Public endpoint - no authentication required (signature-based verification)
   * Rate limit: "short" tier (3 req/sec) - CRITICAL DoS protection (Issue #272)
   */
  @Post("incoming/connect")
  @Throttle({ short: { limit: 3, ttl: 1000 } })
  async handleIncomingConnection(
    @Body() dto: IncomingConnectionRequestDto
  ): Promise<{ status: string; connectionId?: string }> {
--- a/apps/api/src/federation/federation.module.ts
+++ b/apps/api/src/federation/federation.module.ts
@@ -1,14 +1,16 @@
 /**
 * Federation Module
 *
- * Provides instance identity and federation management.
+ * Provides instance identity and federation management with DoS protection via rate limiting.
 * Issue #272: Rate limiting added to prevent DoS attacks on federation endpoints
 */
 import { Module } from "@nestjs/common";
 import { ConfigModule } from "@nestjs/config";
 import { HttpModule } from "@nestjs/axios";
 import { ThrottlerModule } from "@nestjs/throttler";
 import { FederationController } from "./federation.controller";
-import { FederationAuthController } from "./federation-auth.controller";
+import { FederationAuthController} from "./federation-auth.controller";
 import { FederationService } from "./federation.service";
 import { CryptoService } from "./crypto.service";
 import { FederationAuditService } from "./audit.service";
@@ -25,6 +27,26 @@ import { PrismaModule } from "../prisma/prisma.module";
      timeout: 10000,
      maxRedirects: 5,
    }),
    // Rate limiting for DoS protection (Issue #272)
    // Uses in-memory storage by default (suitable for single-instance deployments)
    // For multi-instance deployments, configure Redis storage via ThrottlerStorageRedisService
    ThrottlerModule.forRoot([
      {
        name: "short",
        ttl: 1000, // 1 second
        limit: 3, // 3 requests per second (very strict for public endpoints)
      },
      {
        name: "medium",
        ttl: 60000, // 1 minute
        limit: 20, // 20 requests per minute (for authenticated endpoints)
      },
      {
        name: "long",
        ttl: 3600000, // 1 hour
        limit: 200, // 200 requests per hour (for read operations)
      },
    ]),
  ],
  controllers: [FederationController, FederationAuthController],
  providers: [
--- a/apps/api/src/federation/federation.service.spec.ts
+++ b/apps/api/src/federation/federation.service.spec.ts
@@ -228,4 +228,126 @@ describe("FederationService", () => {
      expect(result).toHaveProperty("instanceId");
    });
  });
  describe("updateInstanceConfiguration", () => {
    it("should update instance name", async () => {
      // Arrange
      const updatedInstance = { ...mockInstance, name: "Updated Instance" };
      vi.spyOn(service, "getInstanceIdentity").mockResolvedValue({
        ...mockInstance,
        privateKey: mockDecryptedPrivateKey,
      });
      vi.spyOn(prismaService.instance, "update").mockResolvedValue(updatedInstance);
      // Act
      const result = await service.updateInstanceConfiguration({ name: "Updated Instance" });
      // Assert
      expect(prismaService.instance.update).toHaveBeenCalledWith({
        where: { id: mockInstance.id },
        data: { name: "Updated Instance" },
      });
      expect(result.name).toBe("Updated Instance");
      expect(result).not.toHaveProperty("privateKey");
    });
    it("should update instance capabilities", async () => {
      // Arrange
      const newCapabilities = {
        supportsQuery: true,
        supportsCommand: false,
        supportsEvent: true,
        supportsAgentSpawn: false,
        protocolVersion: "1.0",
      };
      const updatedInstance = { ...mockInstance, capabilities: newCapabilities };
      vi.spyOn(service, "getInstanceIdentity").mockResolvedValue({
        ...mockInstance,
        privateKey: mockDecryptedPrivateKey,
      });
      vi.spyOn(prismaService.instance, "update").mockResolvedValue(updatedInstance);
      // Act
      const result = await service.updateInstanceConfiguration({ capabilities: newCapabilities });
      // Assert
      expect(prismaService.instance.update).toHaveBeenCalledWith({
        where: { id: mockInstance.id },
        data: { capabilities: newCapabilities },
      });
      expect(result.capabilities).toEqual(newCapabilities);
    });
    it("should update instance metadata", async () => {
      // Arrange
      const newMetadata = { description: "Test description", region: "us-west-2" };
      const updatedInstance = { ...mockInstance, metadata: newMetadata };
      vi.spyOn(service, "getInstanceIdentity").mockResolvedValue({
        ...mockInstance,
        privateKey: mockDecryptedPrivateKey,
      });
      vi.spyOn(prismaService.instance, "update").mockResolvedValue(updatedInstance);
      // Act
      const result = await service.updateInstanceConfiguration({ metadata: newMetadata });
      // Assert
      expect(prismaService.instance.update).toHaveBeenCalledWith({
        where: { id: mockInstance.id },
        data: { metadata: newMetadata },
      });
      expect(result.metadata).toEqual(newMetadata);
    });
    it("should update multiple fields at once", async () => {
      // Arrange
      const updates = {
        name: "Updated Instance",
        capabilities: {
          supportsQuery: false,
          supportsCommand: false,
          supportsEvent: false,
          supportsAgentSpawn: false,
          protocolVersion: "1.0",
        },
        metadata: { description: "Updated" },
      };
      const updatedInstance = { ...mockInstance, ...updates };
      vi.spyOn(service, "getInstanceIdentity").mockResolvedValue({
        ...mockInstance,
        privateKey: mockDecryptedPrivateKey,
      });
      vi.spyOn(prismaService.instance, "update").mockResolvedValue(updatedInstance);
      // Act
      const result = await service.updateInstanceConfiguration(updates);
      // Assert
      expect(prismaService.instance.update).toHaveBeenCalledWith({
        where: { id: mockInstance.id },
        data: updates,
      });
      expect(result.name).toBe("Updated Instance");
      expect(result.capabilities).toEqual(updates.capabilities);
      expect(result.metadata).toEqual(updates.metadata);
    });
    it("should not expose private key in response", async () => {
      // Arrange
      const updatedInstance = { ...mockInstance, name: "Updated" };
      vi.spyOn(service, "getInstanceIdentity").mockResolvedValue({
        ...mockInstance,
        privateKey: mockDecryptedPrivateKey,
      });
      vi.spyOn(prismaService.instance, "update").mockResolvedValue(updatedInstance);
      // Act
      const result = await service.updateInstanceConfiguration({ name: "Updated" });
      // Assert - SECURITY: Verify private key is NOT in response
      expect(result).not.toHaveProperty("privateKey");
      expect(result).toHaveProperty("publicKey");
      expect(result).toHaveProperty("instanceId");
    });
  });
 });
--- a/apps/api/src/federation/federation.service.ts
+++ b/apps/api/src/federation/federation.service.ts
@@ -104,6 +104,46 @@ export class FederationService {
    return publicIdentity;
  }
  /**
   * Update instance configuration
   * Allows updating name, capabilities, and metadata
   * Returns public identity only (no private key exposure)
   */
  async updateInstanceConfiguration(updates: {
    name?: string;
    capabilities?: FederationCapabilities;
    metadata?: Record<string, unknown>;
  }): Promise<PublicInstanceIdentity> {
    const instance = await this.getInstanceIdentity();
    // Build update data object
    const data: Prisma.InstanceUpdateInput = {};
    if (updates.name !== undefined) {
      data.name = updates.name;
    }
    if (updates.capabilities !== undefined) {
      data.capabilities = updates.capabilities as Prisma.JsonObject;
    }
    if (updates.metadata !== undefined) {
      data.metadata = updates.metadata as Prisma.JsonObject;
    }
    const updatedInstance = await this.prisma.instance.update({
      where: { id: instance.id },
      data,
    });
    this.logger.log(`Instance configuration updated: ${JSON.stringify(updates)}`);
    // Return public identity only (security fix)
    const identity = this.mapToInstanceIdentity(updatedInstance);
    const { privateKey: _privateKey, ...publicIdentity } = identity;
    return publicIdentity;
  }
  /**
   * Create a new instance identity
   */
@@ -145,6 +185,28 @@ export class FederationService {
    return instance;
  }
  /**
   * Get a federation connection by remote instance ID
   * Returns the first active or pending connection
   */
  async getConnectionByRemoteInstanceId(
    remoteInstanceId: string
  ): Promise<{ remotePublicKey: string } | null> {
    const connection = await this.prisma.federationConnection.findFirst({
      where: {
        remoteInstanceId,
        status: {
          in: ["ACTIVE", "PENDING"],
        },
      },
      select: {
        remotePublicKey: true,
      },
    });
    return connection;
  }
  /**
   * Generate a unique instance ID
   */
--- a/apps/api/src/federation/identity-linking.controller.spec.ts
+++ b/apps/api/src/federation/identity-linking.controller.spec.ts
@@ -0,0 +1,319 @@
 /**
 * Identity Linking Controller Tests
 *
 * Integration tests for identity linking API endpoints.
 */
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { ExecutionContext } from "@nestjs/common";
 import { Reflector } from "@nestjs/core";
 import { IdentityLinkingController } from "./identity-linking.controller";
 import { IdentityLinkingService } from "./identity-linking.service";
 import { IdentityResolutionService } from "./identity-resolution.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import type { FederatedIdentity } from "./types/oidc.types";
 import type {
  CreateIdentityMappingDto,
  UpdateIdentityMappingDto,
  VerifyIdentityDto,
  ResolveIdentityDto,
  BulkResolveIdentityDto,
 } from "./dto/identity-linking.dto";
 describe("IdentityLinkingController", () => {
  let controller: IdentityLinkingController;
  let identityLinkingService: IdentityLinkingService;
  let identityResolutionService: IdentityResolutionService;
  const mockIdentity: FederatedIdentity = {
    id: "identity-id",
    localUserId: "local-user-id",
    remoteUserId: "remote-user-id",
    remoteInstanceId: "remote-instance-id",
    oidcSubject: "oidc-subject",
    email: "user@example.com",
    metadata: {},
    createdAt: new Date(),
    updatedAt: new Date(),
  };
  const mockUser = {
    id: "local-user-id",
    email: "user@example.com",
    name: "Test User",
  };
  beforeEach(async () => {
    const mockIdentityLinkingService = {
      verifyIdentity: vi.fn(),
      createIdentityMapping: vi.fn(),
      updateIdentityMapping: vi.fn(),
      validateIdentityMapping: vi.fn(),
      listUserIdentities: vi.fn(),
      revokeIdentityMapping: vi.fn(),
    };
    const mockIdentityResolutionService = {
      resolveIdentity: vi.fn(),
      reverseResolveIdentity: vi.fn(),
      bulkResolveIdentities: vi.fn(),
    };
    const mockAuthGuard = {
      canActivate: (context: ExecutionContext) => {
        const request = context.switchToHttp().getRequest();
        request.user = mockUser;
        return true;
      },
    };
    const module: TestingModule = await Test.createTestingModule({
      controllers: [IdentityLinkingController],
      providers: [
        { provide: IdentityLinkingService, useValue: mockIdentityLinkingService },
        { provide: IdentityResolutionService, useValue: mockIdentityResolutionService },
        { provide: Reflector, useValue: { getAllAndOverride: vi.fn(() => []) } },
      ],
    })
      .overrideGuard(AuthGuard)
      .useValue(mockAuthGuard)
      .compile();
    controller = module.get<IdentityLinkingController>(IdentityLinkingController);
    identityLinkingService = module.get(IdentityLinkingService);
    identityResolutionService = module.get(IdentityResolutionService);
  });
  afterEach(() => {
    vi.clearAllMocks();
  });
  describe("POST /identity/verify", () => {
    it("should verify identity with valid request", async () => {
      const dto: VerifyIdentityDto = {
        localUserId: "local-user-id",
        remoteUserId: "remote-user-id",
        remoteInstanceId: "remote-instance-id",
        oidcToken: "valid-token",
        timestamp: Date.now(),
        signature: "valid-signature",
      };
      identityLinkingService.verifyIdentity.mockResolvedValue({
        verified: true,
        localUserId: "local-user-id",
        remoteUserId: "remote-user-id",
        remoteInstanceId: "remote-instance-id",
        email: "user@example.com",
      });
      const result = await controller.verifyIdentity(dto);
      expect(result.verified).toBe(true);
      expect(result.localUserId).toBe("local-user-id");
      expect(identityLinkingService.verifyIdentity).toHaveBeenCalledWith(dto);
    });
    it("should return verification failure", async () => {
      const dto: VerifyIdentityDto = {
        localUserId: "local-user-id",
        remoteUserId: "remote-user-id",
        remoteInstanceId: "remote-instance-id",
        oidcToken: "invalid-token",
        timestamp: Date.now(),
        signature: "invalid-signature",
      };
      identityLinkingService.verifyIdentity.mockResolvedValue({
        verified: false,
        error: "Invalid signature",
      });
      const result = await controller.verifyIdentity(dto);
      expect(result.verified).toBe(false);
      expect(result.error).toBe("Invalid signature");
    });
  });
  describe("POST /identity/resolve", () => {
    it("should resolve remote user to local user", async () => {
      const dto: ResolveIdentityDto = {
        remoteInstanceId: "remote-instance-id",
        remoteUserId: "remote-user-id",
      };
      identityResolutionService.resolveIdentity.mockResolvedValue({
        found: true,
        localUserId: "local-user-id",
        remoteUserId: "remote-user-id",
        remoteInstanceId: "remote-instance-id",
        email: "user@example.com",
      });
      const result = await controller.resolveIdentity(dto);
      expect(result.found).toBe(true);
      expect(result.localUserId).toBe("local-user-id");
      expect(identityResolutionService.resolveIdentity).toHaveBeenCalledWith(
        "remote-instance-id",
        "remote-user-id"
      );
    });
    it("should return not found when mapping does not exist", async () => {
      const dto: ResolveIdentityDto = {
        remoteInstanceId: "remote-instance-id",
        remoteUserId: "unknown-user-id",
      };
      identityResolutionService.resolveIdentity.mockResolvedValue({
        found: false,
        remoteUserId: "unknown-user-id",
        remoteInstanceId: "remote-instance-id",
      });
      const result = await controller.resolveIdentity(dto);
      expect(result.found).toBe(false);
      expect(result.localUserId).toBeUndefined();
    });
  });
  describe("POST /identity/bulk-resolve", () => {
    it("should resolve multiple remote users", async () => {
      const dto: BulkResolveIdentityDto = {
        remoteInstanceId: "remote-instance-id",
        remoteUserIds: ["remote-user-1", "remote-user-2", "unknown-user"],
      };
      identityResolutionService.bulkResolveIdentities.mockResolvedValue({
        mappings: {
          "remote-user-1": "local-user-1",
          "remote-user-2": "local-user-2",
        },
        notFound: ["unknown-user"],
      });
      const result = await controller.bulkResolveIdentity(dto);
      expect(result.mappings).toEqual({
        "remote-user-1": "local-user-1",
        "remote-user-2": "local-user-2",
      });
      expect(result.notFound).toEqual(["unknown-user"]);
    });
  });
  describe("GET /identity/me", () => {
    it("should return current user's federated identities", async () => {
      identityLinkingService.listUserIdentities.mockResolvedValue([mockIdentity]);
      const result = await controller.getCurrentUserIdentities(mockUser);
      expect(result).toHaveLength(1);
      expect(result[0]).toEqual(mockIdentity);
      expect(identityLinkingService.listUserIdentities).toHaveBeenCalledWith("local-user-id");
    });
    it("should return empty array if no identities", async () => {
      identityLinkingService.listUserIdentities.mockResolvedValue([]);
      const result = await controller.getCurrentUserIdentities(mockUser);
      expect(result).toEqual([]);
    });
  });
  describe("POST /identity/link", () => {
    it("should create identity mapping", async () => {
      const dto: CreateIdentityMappingDto = {
        remoteInstanceId: "remote-instance-id",
        remoteUserId: "remote-user-id",
        oidcSubject: "oidc-subject",
        email: "user@example.com",
        metadata: { source: "manual" },
      };
      identityLinkingService.createIdentityMapping.mockResolvedValue(mockIdentity);
      const result = await controller.createIdentityMapping(mockUser, dto);
      expect(result).toEqual(mockIdentity);
      expect(identityLinkingService.createIdentityMapping).toHaveBeenCalledWith(
        "local-user-id",
        dto
      );
    });
  });
  describe("PATCH /identity/:remoteInstanceId", () => {
    it("should update identity mapping", async () => {
      const remoteInstanceId = "remote-instance-id";
      const dto: UpdateIdentityMappingDto = {
        metadata: { updated: true },
      };
      const updatedIdentity = { ...mockIdentity, metadata: { updated: true } };
      identityLinkingService.updateIdentityMapping.mockResolvedValue(updatedIdentity);
      const result = await controller.updateIdentityMapping(mockUser, remoteInstanceId, dto);
      expect(result.metadata).toEqual({ updated: true });
      expect(identityLinkingService.updateIdentityMapping).toHaveBeenCalledWith(
        "local-user-id",
        remoteInstanceId,
        dto
      );
    });
  });
  describe("DELETE /identity/:remoteInstanceId", () => {
    it("should revoke identity mapping", async () => {
      const remoteInstanceId = "remote-instance-id";
      identityLinkingService.revokeIdentityMapping.mockResolvedValue(undefined);
      const result = await controller.revokeIdentityMapping(mockUser, remoteInstanceId);
      expect(result).toEqual({ success: true });
      expect(identityLinkingService.revokeIdentityMapping).toHaveBeenCalledWith(
        "local-user-id",
        remoteInstanceId
      );
    });
  });
  describe("GET /identity/:remoteInstanceId/validate", () => {
    it("should validate existing identity mapping", async () => {
      const remoteInstanceId = "remote-instance-id";
      identityLinkingService.validateIdentityMapping.mockResolvedValue({
        valid: true,
        localUserId: "local-user-id",
        remoteUserId: "remote-user-id",
        remoteInstanceId: "remote-instance-id",
      });
      const result = await controller.validateIdentityMapping(mockUser, remoteInstanceId);
      expect(result.valid).toBe(true);
      expect(result.localUserId).toBe("local-user-id");
    });
    it("should return invalid if mapping not found", async () => {
      const remoteInstanceId = "unknown-instance-id";
      identityLinkingService.validateIdentityMapping.mockResolvedValue({
        valid: false,
        error: "Identity mapping not found",
      });
      const result = await controller.validateIdentityMapping(mockUser, remoteInstanceId);
      expect(result.valid).toBe(false);
      expect(result.error).toContain("not found");
    });
  });
 });
--- a/apps/api/src/federation/identity-linking.controller.ts
+++ b/apps/api/src/federation/identity-linking.controller.ts
@@ -0,0 +1,151 @@
 /**
 * Identity Linking Controller
 *
 * API endpoints for cross-instance identity verification and management.
 */
 import { Controller, Post, Get, Patch, Delete, Body, Param, UseGuards } from "@nestjs/common";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { IdentityLinkingService } from "./identity-linking.service";
 import { IdentityResolutionService } from "./identity-resolution.service";
 import { CurrentUser } from "../auth/decorators/current-user.decorator";
 import type {
  VerifyIdentityDto,
  ResolveIdentityDto,
  BulkResolveIdentityDto,
  CreateIdentityMappingDto,
  UpdateIdentityMappingDto,
 } from "./dto/identity-linking.dto";
 import type {
  IdentityVerificationResponse,
  IdentityResolutionResponse,
  BulkIdentityResolutionResponse,
  IdentityMappingValidation,
 } from "./types/identity-linking.types";
 import type { FederatedIdentity } from "./types/oidc.types";
 /**
 * User object from authentication
 */
 interface AuthenticatedUser {
  id: string;
  email: string;
  name: string;
 }
@Controller("federation/identity")
 export class IdentityLinkingController {
  constructor(
    private readonly identityLinkingService: IdentityLinkingService,
    private readonly identityResolutionService: IdentityResolutionService
  ) {}
  /**
   * POST /api/v1/federation/identity/verify
   *
   * Verify a user's identity from a remote instance.
   * Validates signature and OIDC token.
   */
  @Post("verify")
  async verifyIdentity(@Body() dto: VerifyIdentityDto): Promise<IdentityVerificationResponse> {
    return this.identityLinkingService.verifyIdentity(dto);
  }
  /**
   * POST /api/v1/federation/identity/resolve
   *
   * Resolve a remote user to a local user.
   */
  @Post("resolve")
  @UseGuards(AuthGuard)
  async resolveIdentity(@Body() dto: ResolveIdentityDto): Promise<IdentityResolutionResponse> {
    return this.identityResolutionService.resolveIdentity(dto.remoteInstanceId, dto.remoteUserId);
  }
  /**
   * POST /api/v1/federation/identity/bulk-resolve
   *
   * Bulk resolve multiple remote users to local users.
   */
  @Post("bulk-resolve")
  @UseGuards(AuthGuard)
  async bulkResolveIdentity(
    @Body() dto: BulkResolveIdentityDto
  ): Promise<BulkIdentityResolutionResponse> {
    return this.identityResolutionService.bulkResolveIdentities(
      dto.remoteInstanceId,
      dto.remoteUserIds
    );
  }
  /**
   * GET /api/v1/federation/identity/me
   *
   * Get the current user's federated identities.
   */
  @Get("me")
  @UseGuards(AuthGuard)
  async getCurrentUserIdentities(
    @CurrentUser() user: AuthenticatedUser
  ): Promise<FederatedIdentity[]> {
    return this.identityLinkingService.listUserIdentities(user.id);
  }
  /**
   * POST /api/v1/federation/identity/link
   *
   * Create a new identity mapping for the current user.
   */
  @Post("link")
  @UseGuards(AuthGuard)
  async createIdentityMapping(
    @CurrentUser() user: AuthenticatedUser,
    @Body() dto: CreateIdentityMappingDto
  ): Promise<FederatedIdentity> {
    return this.identityLinkingService.createIdentityMapping(user.id, dto);
  }
  /**
   * PATCH /api/v1/federation/identity/:remoteInstanceId
   *
   * Update an existing identity mapping.
   */
  @Patch(":remoteInstanceId")
  @UseGuards(AuthGuard)
  async updateIdentityMapping(
    @CurrentUser() user: AuthenticatedUser,
    @Param("remoteInstanceId") remoteInstanceId: string,
    @Body() dto: UpdateIdentityMappingDto
  ): Promise<FederatedIdentity> {
    return this.identityLinkingService.updateIdentityMapping(user.id, remoteInstanceId, dto);
  }
  /**
   * DELETE /api/v1/federation/identity/:remoteInstanceId
   *
   * Revoke an identity mapping.
   */
  @Delete(":remoteInstanceId")
  @UseGuards(AuthGuard)
  async revokeIdentityMapping(
    @CurrentUser() user: AuthenticatedUser,
    @Param("remoteInstanceId") remoteInstanceId: string
  ): Promise<{ success: boolean }> {
    await this.identityLinkingService.revokeIdentityMapping(user.id, remoteInstanceId);
    return { success: true };
  }
  /**
   * GET /api/v1/federation/identity/:remoteInstanceId/validate
   *
   * Validate an identity mapping exists and is valid.
   */
  @Get(":remoteInstanceId/validate")
  @UseGuards(AuthGuard)
  async validateIdentityMapping(
    @CurrentUser() user: AuthenticatedUser,
    @Param("remoteInstanceId") remoteInstanceId: string
  ): Promise<IdentityMappingValidation> {
    return this.identityLinkingService.validateIdentityMapping(user.id, remoteInstanceId);
  }
 }
--- a/apps/api/src/federation/identity-linking.service.spec.ts
+++ b/apps/api/src/federation/identity-linking.service.spec.ts
@@ -0,0 +1,404 @@
 /**
 * Identity Linking Service Tests
 *
 * Tests for cross-instance identity verification and mapping.
 */
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { IdentityLinkingService } from "./identity-linking.service";
 import { OIDCService } from "./oidc.service";
 import { SignatureService } from "./signature.service";
 import { FederationAuditService } from "./audit.service";
 import { PrismaService } from "../prisma/prisma.service";
 import type {
  IdentityVerificationRequest,
  CreateIdentityMappingDto,
  UpdateIdentityMappingDto,
 } from "./types/identity-linking.types";
 import type { FederatedIdentity } from "./types/oidc.types";
 describe("IdentityLinkingService", () => {
  let service: IdentityLinkingService;
  let oidcService: OIDCService;
  let signatureService: SignatureService;
  let auditService: FederationAuditService;
  let prismaService: PrismaService;
  const mockFederatedIdentity: FederatedIdentity = {
    id: "identity-id",
    localUserId: "local-user-id",
    remoteUserId: "remote-user-id",
    remoteInstanceId: "remote-instance-id",
    oidcSubject: "oidc-subject",
    email: "user@example.com",
    metadata: {},
    createdAt: new Date(),
    updatedAt: new Date(),
  };
  beforeEach(async () => {
    const mockOIDCService = {
      linkFederatedIdentity: vi.fn(),
      getFederatedIdentity: vi.fn(),
      getUserFederatedIdentities: vi.fn(),
      revokeFederatedIdentity: vi.fn(),
      validateToken: vi.fn(),
    };
    const mockSignatureService = {
      verifyMessage: vi.fn(),
      validateTimestamp: vi.fn(),
    };
    const mockAuditService = {
      logIdentityVerification: vi.fn(),
      logIdentityLinking: vi.fn(),
      logIdentityRevocation: vi.fn(),
    };
    const mockPrismaService = {
      federatedIdentity: {
        findUnique: vi.fn(),
        findFirst: vi.fn(),
        update: vi.fn(),
      },
    };
    const module: TestingModule = await Test.createTestingModule({
      providers: [
        IdentityLinkingService,
        { provide: OIDCService, useValue: mockOIDCService },
        { provide: SignatureService, useValue: mockSignatureService },
        { provide: FederationAuditService, useValue: mockAuditService },
        { provide: PrismaService, useValue: mockPrismaService },
      ],
    }).compile();
    service = module.get<IdentityLinkingService>(IdentityLinkingService);
    oidcService = module.get(OIDCService);
    signatureService = module.get(SignatureService);
    auditService = module.get(FederationAuditService);
    prismaService = module.get(PrismaService);
  });
  afterEach(() => {
    vi.clearAllMocks();
  });
  describe("verifyIdentity", () => {
    it("should verify identity with valid signature and token", async () => {
      const request: IdentityVerificationRequest = {
        localUserId: "local-user-id",
        remoteUserId: "remote-user-id",
        remoteInstanceId: "remote-instance-id",
        oidcToken: "valid-token",
        timestamp: Date.now(),
        signature: "valid-signature",
      };
      signatureService.validateTimestamp.mockReturnValue(true);
      signatureService.verifyMessage.mockResolvedValue({ valid: true });
      oidcService.validateToken.mockReturnValue({
        valid: true,
        userId: "remote-user-id",
        instanceId: "remote-instance-id",
        email: "user@example.com",
      });
      oidcService.getFederatedIdentity.mockResolvedValue(mockFederatedIdentity);
      const result = await service.verifyIdentity(request);
      expect(result.verified).toBe(true);
      expect(result.localUserId).toBe("local-user-id");
      expect(result.remoteUserId).toBe("remote-user-id");
      expect(result.remoteInstanceId).toBe("remote-instance-id");
      expect(signatureService.validateTimestamp).toHaveBeenCalledWith(request.timestamp);
      expect(signatureService.verifyMessage).toHaveBeenCalled();
      expect(oidcService.validateToken).toHaveBeenCalledWith("valid-token", "remote-instance-id");
      expect(auditService.logIdentityVerification).toHaveBeenCalled();
    });
    it("should reject identity with invalid signature", async () => {
      const request: IdentityVerificationRequest = {
        localUserId: "local-user-id",
        remoteUserId: "remote-user-id",
        remoteInstanceId: "remote-instance-id",
        oidcToken: "valid-token",
        timestamp: Date.now(),
        signature: "invalid-signature",
      };
      signatureService.validateTimestamp.mockReturnValue(true);
      signatureService.verifyMessage.mockResolvedValue({
        valid: false,
        error: "Invalid signature",
      });
      const result = await service.verifyIdentity(request);
      expect(result.verified).toBe(false);
      expect(result.error).toContain("Invalid signature");
      expect(oidcService.validateToken).not.toHaveBeenCalled();
    });
    it("should reject identity with expired timestamp", async () => {
      const request: IdentityVerificationRequest = {
        localUserId: "local-user-id",
        remoteUserId: "remote-user-id",
        remoteInstanceId: "remote-instance-id",
        oidcToken: "valid-token",
        timestamp: Date.now() - 10 * 60 * 1000, // 10 minutes ago
        signature: "valid-signature",
      };
      signatureService.validateTimestamp.mockReturnValue(false);
      const result = await service.verifyIdentity(request);
      expect(result.verified).toBe(false);
      expect(result.error).toContain("expired");
      expect(signatureService.verifyMessage).not.toHaveBeenCalled();
    });
    it("should reject identity with invalid OIDC token", async () => {
      const request: IdentityVerificationRequest = {
        localUserId: "local-user-id",
        remoteUserId: "remote-user-id",
        remoteInstanceId: "remote-instance-id",
        oidcToken: "invalid-token",
        timestamp: Date.now(),
        signature: "valid-signature",
      };
      signatureService.validateTimestamp.mockReturnValue(true);
      signatureService.verifyMessage.mockResolvedValue({ valid: true });
      oidcService.validateToken.mockReturnValue({
        valid: false,
        error: "Invalid token",
      });
      const result = await service.verifyIdentity(request);
      expect(result.verified).toBe(false);
      expect(result.error).toContain("Invalid token");
    });
    it("should reject identity if mapping does not exist", async () => {
      const request: IdentityVerificationRequest = {
        localUserId: "local-user-id",
        remoteUserId: "remote-user-id",
        remoteInstanceId: "remote-instance-id",
        oidcToken: "valid-token",
        timestamp: Date.now(),
        signature: "valid-signature",
      };
      signatureService.validateTimestamp.mockReturnValue(true);
      signatureService.verifyMessage.mockResolvedValue({ valid: true });
      oidcService.validateToken.mockReturnValue({
        valid: true,
        userId: "remote-user-id",
        instanceId: "remote-instance-id",
      });
      oidcService.getFederatedIdentity.mockResolvedValue(null);
      const result = await service.verifyIdentity(request);
      expect(result.verified).toBe(false);
      expect(result.error).toContain("not found");
    });
  });
  describe("resolveLocalIdentity", () => {
    it("should resolve remote user to local user", async () => {
      prismaService.federatedIdentity.findFirst.mockResolvedValue(mockFederatedIdentity as never);
      const result = await service.resolveLocalIdentity("remote-instance-id", "remote-user-id");
      expect(result).not.toBeNull();
      expect(result?.localUserId).toBe("local-user-id");
      expect(result?.remoteUserId).toBe("remote-user-id");
      expect(result?.email).toBe("user@example.com");
    });
    it("should return null when mapping not found", async () => {
      prismaService.federatedIdentity.findFirst.mockResolvedValue(null);
      const result = await service.resolveLocalIdentity("remote-instance-id", "unknown-user-id");
      expect(result).toBeNull();
    });
  });
  describe("resolveRemoteIdentity", () => {
    it("should resolve local user to remote user", async () => {
      oidcService.getFederatedIdentity.mockResolvedValue(mockFederatedIdentity);
      const result = await service.resolveRemoteIdentity("local-user-id", "remote-instance-id");
      expect(result).not.toBeNull();
      expect(result?.remoteUserId).toBe("remote-user-id");
      expect(result?.localUserId).toBe("local-user-id");
    });
    it("should return null when mapping not found", async () => {
      oidcService.getFederatedIdentity.mockResolvedValue(null);
      const result = await service.resolveRemoteIdentity("unknown-user-id", "remote-instance-id");
      expect(result).toBeNull();
    });
  });
  describe("createIdentityMapping", () => {
    it("should create identity mapping with valid data", async () => {
      const dto: CreateIdentityMappingDto = {
        remoteInstanceId: "remote-instance-id",
        remoteUserId: "remote-user-id",
        oidcSubject: "oidc-subject",
        email: "user@example.com",
        metadata: { source: "manual" },
      };
      oidcService.linkFederatedIdentity.mockResolvedValue(mockFederatedIdentity);
      const result = await service.createIdentityMapping("local-user-id", dto);
      expect(result).toEqual(mockFederatedIdentity);
      expect(oidcService.linkFederatedIdentity).toHaveBeenCalledWith(
        "local-user-id",
        "remote-user-id",
        "remote-instance-id",
        "oidc-subject",
        "user@example.com",
        { source: "manual" }
      );
      expect(auditService.logIdentityLinking).toHaveBeenCalled();
    });
    it("should validate OIDC token if provided", async () => {
      const dto: CreateIdentityMappingDto = {
        remoteInstanceId: "remote-instance-id",
        remoteUserId: "remote-user-id",
        oidcSubject: "oidc-subject",
        email: "user@example.com",
        oidcToken: "valid-token",
      };
      oidcService.validateToken.mockReturnValue({ valid: true });
      oidcService.linkFederatedIdentity.mockResolvedValue(mockFederatedIdentity);
      await service.createIdentityMapping("local-user-id", dto);
      expect(oidcService.validateToken).toHaveBeenCalledWith("valid-token", "remote-instance-id");
    });
    it("should throw error if OIDC token is invalid", async () => {
      const dto: CreateIdentityMappingDto = {
        remoteInstanceId: "remote-instance-id",
        remoteUserId: "remote-user-id",
        oidcSubject: "oidc-subject",
        email: "user@example.com",
        oidcToken: "invalid-token",
      };
      oidcService.validateToken.mockReturnValue({
        valid: false,
        error: "Invalid token",
      });
      await expect(service.createIdentityMapping("local-user-id", dto)).rejects.toThrow(
        "Invalid OIDC token"
      );
    });
  });
  describe("updateIdentityMapping", () => {
    it("should update identity mapping metadata", async () => {
      const dto: UpdateIdentityMappingDto = {
        metadata: { updated: true },
      };
      const updatedIdentity = { ...mockFederatedIdentity, metadata: { updated: true } };
      prismaService.federatedIdentity.findUnique.mockResolvedValue(mockFederatedIdentity as never);
      prismaService.federatedIdentity.update.mockResolvedValue(updatedIdentity as never);
      const result = await service.updateIdentityMapping(
        "local-user-id",
        "remote-instance-id",
        dto
      );
      expect(result.metadata).toEqual({ updated: true });
      expect(prismaService.federatedIdentity.update).toHaveBeenCalled();
    });
    it("should throw error if mapping not found", async () => {
      const dto: UpdateIdentityMappingDto = {
        metadata: { updated: true },
      };
      prismaService.federatedIdentity.findUnique.mockResolvedValue(null);
      await expect(
        service.updateIdentityMapping("unknown-user-id", "remote-instance-id", dto)
      ).rejects.toThrow("not found");
    });
  });
  describe("validateIdentityMapping", () => {
    it("should validate existing identity mapping", async () => {
      oidcService.getFederatedIdentity.mockResolvedValue(mockFederatedIdentity);
      const result = await service.validateIdentityMapping("local-user-id", "remote-instance-id");
      expect(result.valid).toBe(true);
      expect(result.localUserId).toBe("local-user-id");
      expect(result.remoteUserId).toBe("remote-user-id");
    });
    it("should return invalid if mapping not found", async () => {
      oidcService.getFederatedIdentity.mockResolvedValue(null);
      const result = await service.validateIdentityMapping("unknown-user-id", "remote-instance-id");
      expect(result.valid).toBe(false);
      expect(result.error).toContain("not found");
    });
  });
  describe("listUserIdentities", () => {
    it("should list all federated identities for a user", async () => {
      const identities = [mockFederatedIdentity];
      oidcService.getUserFederatedIdentities.mockResolvedValue(identities);
      const result = await service.listUserIdentities("local-user-id");
      expect(result).toEqual(identities);
      expect(oidcService.getUserFederatedIdentities).toHaveBeenCalledWith("local-user-id");
    });
    it("should return empty array if user has no federated identities", async () => {
      oidcService.getUserFederatedIdentities.mockResolvedValue([]);
      const result = await service.listUserIdentities("local-user-id");
      expect(result).toEqual([]);
    });
  });
  describe("revokeIdentityMapping", () => {
    it("should revoke identity mapping", async () => {
      oidcService.revokeFederatedIdentity.mockResolvedValue(undefined);
      await service.revokeIdentityMapping("local-user-id", "remote-instance-id");
      expect(oidcService.revokeFederatedIdentity).toHaveBeenCalledWith(
        "local-user-id",
        "remote-instance-id"
      );
      expect(auditService.logIdentityRevocation).toHaveBeenCalled();
    });
  });
 });
--- a/apps/api/src/federation/identity-linking.service.ts
+++ b/apps/api/src/federation/identity-linking.service.ts
@@ -0,0 +1,323 @@
 /**
 * Identity Linking Service
 *
 * Handles cross-instance user identity verification and mapping.
 */
 import { Injectable, Logger, NotFoundException, UnauthorizedException } from "@nestjs/common";
 import { Prisma } from "@prisma/client";
 import { PrismaService } from "../prisma/prisma.service";
 import { OIDCService } from "./oidc.service";
 import { SignatureService } from "./signature.service";
 import { FederationAuditService } from "./audit.service";
 import type {
  IdentityVerificationRequest,
  IdentityVerificationResponse,
  CreateIdentityMappingDto,
  UpdateIdentityMappingDto,
  IdentityMappingValidation,
 } from "./types/identity-linking.types";
 import type { FederatedIdentity } from "./types/oidc.types";
@Injectable()
 export class IdentityLinkingService {
  private readonly logger = new Logger(IdentityLinkingService.name);
  constructor(
    private readonly prisma: PrismaService,
    private readonly oidcService: OIDCService,
    private readonly signatureService: SignatureService,
    private readonly auditService: FederationAuditService
  ) {}
  /**
   * Verify a user's identity from a remote instance
   *
   * Validates:
   * 1. Timestamp is recent (not expired)
   * 2. Signature is valid (signed by remote instance)
   * 3. OIDC token is valid
   * 4. Identity mapping exists
   */
  async verifyIdentity(
    request: IdentityVerificationRequest
  ): Promise<IdentityVerificationResponse> {
    this.logger.log(`Verifying identity: ${request.localUserId} from ${request.remoteInstanceId}`);
    // Validate timestamp (prevent replay attacks)
    if (!this.signatureService.validateTimestamp(request.timestamp)) {
      this.logger.warn(`Identity verification failed: Request timestamp expired`);
      return {
        verified: false,
        error: "Request timestamp expired",
      };
    }
    // Verify signature
    const { signature, ...messageToVerify } = request;
    const signatureValidation = await this.signatureService.verifyMessage(
      messageToVerify,
      signature,
      request.remoteInstanceId
    );
    if (!signatureValidation.valid) {
      const errorMessage = signatureValidation.error ?? "Invalid signature";
      this.logger.warn(`Identity verification failed: ${errorMessage}`);
      return {
        verified: false,
        error: errorMessage,
      };
    }
    // Validate OIDC token
    const tokenValidation = await this.oidcService.validateToken(
      request.oidcToken,
      request.remoteInstanceId
    );
    if (!tokenValidation.valid) {
      const tokenError = tokenValidation.error ?? "Invalid OIDC token";
      this.logger.warn(`Identity verification failed: ${tokenError}`);
      return {
        verified: false,
        error: tokenError,
      };
    }
    // Check if identity mapping exists
    const identity = await this.oidcService.getFederatedIdentity(
      request.localUserId,
      request.remoteInstanceId
    );
    if (!identity) {
      this.logger.warn(
        `Identity verification failed: Mapping not found for ${request.localUserId}`
      );
      return {
        verified: false,
        error: "Identity mapping not found",
      };
    }
    // Verify that the remote user ID matches
    if (identity.remoteUserId !== request.remoteUserId) {
      this.logger.warn(
        `Identity verification failed: Remote user ID mismatch (expected ${identity.remoteUserId}, got ${request.remoteUserId})`
      );
      return {
        verified: false,
        error: "Remote user ID mismatch",
      };
    }
    // Log successful verification
    this.auditService.logIdentityVerification(request.localUserId, request.remoteInstanceId, true);
    this.logger.log(`Identity verified successfully: ${request.localUserId}`);
    return {
      verified: true,
      localUserId: identity.localUserId,
      remoteUserId: identity.remoteUserId,
      remoteInstanceId: identity.remoteInstanceId,
      email: identity.email,
    };
  }
  /**
   * Resolve a remote user to a local user
   *
   * Looks up the identity mapping by remote instance and user ID.
   */
  async resolveLocalIdentity(
    remoteInstanceId: string,
    remoteUserId: string
  ): Promise<FederatedIdentity | null> {
    this.logger.debug(`Resolving local identity for ${remoteUserId}@${remoteInstanceId}`);
    // Query by remoteInstanceId and remoteUserId
    // Note: Prisma doesn't have a unique constraint for this pair,
    // so we use findFirst
    const identity = await this.prisma.federatedIdentity.findFirst({
      where: {
        remoteInstanceId,
        remoteUserId,
      },
    });
    if (!identity) {
      this.logger.debug(`No local identity found for ${remoteUserId}@${remoteInstanceId}`);
      return null;
    }
    return {
      id: identity.id,
      localUserId: identity.localUserId,
      remoteUserId: identity.remoteUserId,
      remoteInstanceId: identity.remoteInstanceId,
      oidcSubject: identity.oidcSubject,
      email: identity.email,
      metadata: identity.metadata as Record<string, unknown>,
      createdAt: identity.createdAt,
      updatedAt: identity.updatedAt,
    };
  }
  /**
   * Resolve a local user to a remote identity
   *
   * Looks up the identity mapping by local user ID and remote instance.
   */
  async resolveRemoteIdentity(
    localUserId: string,
    remoteInstanceId: string
  ): Promise<FederatedIdentity | null> {
    this.logger.debug(`Resolving remote identity for ${localUserId}@${remoteInstanceId}`);
    const identity = await this.oidcService.getFederatedIdentity(localUserId, remoteInstanceId);
    if (!identity) {
      this.logger.debug(`No remote identity found for ${localUserId}@${remoteInstanceId}`);
      return null;
    }
    return identity;
  }
  /**
   * Create a new identity mapping
   *
   * Optionally validates OIDC token if provided.
   */
  async createIdentityMapping(
    localUserId: string,
    dto: CreateIdentityMappingDto
  ): Promise<FederatedIdentity> {
    this.logger.log(
      `Creating identity mapping: ${localUserId} -> ${dto.remoteUserId}@${dto.remoteInstanceId}`
    );
    // Validate OIDC token if provided
    if (dto.oidcToken) {
      const tokenValidation = await this.oidcService.validateToken(
        dto.oidcToken,
        dto.remoteInstanceId
      );
      if (!tokenValidation.valid) {
        const validationError = tokenValidation.error ?? "Unknown validation error";
        throw new UnauthorizedException(`Invalid OIDC token: ${validationError}`);
      }
    }
    // Create identity mapping via OIDCService
    const identity = await this.oidcService.linkFederatedIdentity(
      localUserId,
      dto.remoteUserId,
      dto.remoteInstanceId,
      dto.oidcSubject,
      dto.email,
      dto.metadata ?? {}
    );
    // Log identity linking
    this.auditService.logIdentityLinking(localUserId, dto.remoteInstanceId, dto.remoteUserId);
    return identity;
  }
  /**
   * Update an existing identity mapping
   */
  async updateIdentityMapping(
    localUserId: string,
    remoteInstanceId: string,
    dto: UpdateIdentityMappingDto
  ): Promise<FederatedIdentity> {
    this.logger.log(`Updating identity mapping: ${localUserId}@${remoteInstanceId}`);
    // Verify mapping exists
    const existing = await this.prisma.federatedIdentity.findUnique({
      where: {
        localUserId_remoteInstanceId: {
          localUserId,
          remoteInstanceId,
        },
      },
    });
    if (!existing) {
      throw new NotFoundException("Identity mapping not found");
    }
    // Update metadata
    const updated = await this.prisma.federatedIdentity.update({
      where: {
        localUserId_remoteInstanceId: {
          localUserId,
          remoteInstanceId,
        },
      },
      data: {
        metadata: (dto.metadata ?? existing.metadata) as Prisma.InputJsonValue,
      },
    });
    return {
      id: updated.id,
      localUserId: updated.localUserId,
      remoteUserId: updated.remoteUserId,
      remoteInstanceId: updated.remoteInstanceId,
      oidcSubject: updated.oidcSubject,
      email: updated.email,
      metadata: updated.metadata as Record<string, unknown>,
      createdAt: updated.createdAt,
      updatedAt: updated.updatedAt,
    };
  }
  /**
   * Validate an identity mapping exists and is valid
   */
  async validateIdentityMapping(
    localUserId: string,
    remoteInstanceId: string
  ): Promise<IdentityMappingValidation> {
    const identity = await this.oidcService.getFederatedIdentity(localUserId, remoteInstanceId);
    if (!identity) {
      return {
        valid: false,
        error: "Identity mapping not found",
      };
    }
    return {
      valid: true,
      localUserId: identity.localUserId,
      remoteUserId: identity.remoteUserId,
      remoteInstanceId: identity.remoteInstanceId,
    };
  }
  /**
   * List all federated identities for a user
   */
  async listUserIdentities(localUserId: string): Promise<FederatedIdentity[]> {
    return this.oidcService.getUserFederatedIdentities(localUserId);
  }
  /**
   * Revoke an identity mapping
   */
  async revokeIdentityMapping(localUserId: string, remoteInstanceId: string): Promise<void> {
    this.logger.log(`Revoking identity mapping: ${localUserId}@${remoteInstanceId}`);
    await this.oidcService.revokeFederatedIdentity(localUserId, remoteInstanceId);
    // Log revocation
    this.auditService.logIdentityRevocation(localUserId, remoteInstanceId);
  }
 }
--- a/apps/api/src/federation/identity-resolution.service.spec.ts
+++ b/apps/api/src/federation/identity-resolution.service.spec.ts
@@ -0,0 +1,151 @@
 /**
 * Identity Resolution Service Tests
 *
 * Tests for resolving identities between local and remote instances.
 */
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { IdentityResolutionService } from "./identity-resolution.service";
 import { IdentityLinkingService } from "./identity-linking.service";
 import type { FederatedIdentity } from "./types/oidc.types";
 describe("IdentityResolutionService", () => {
  let service: IdentityResolutionService;
  let identityLinkingService: IdentityLinkingService;
  const mockIdentity: FederatedIdentity = {
    id: "identity-id",
    localUserId: "local-user-id",
    remoteUserId: "remote-user-id",
    remoteInstanceId: "remote-instance-id",
    oidcSubject: "oidc-subject",
    email: "user@example.com",
    metadata: {},
    createdAt: new Date(),
    updatedAt: new Date(),
  };
  beforeEach(async () => {
    const mockIdentityLinkingService = {
      resolveLocalIdentity: vi.fn(),
      resolveRemoteIdentity: vi.fn(),
    };
    const module: TestingModule = await Test.createTestingModule({
      providers: [
        IdentityResolutionService,
        { provide: IdentityLinkingService, useValue: mockIdentityLinkingService },
      ],
    }).compile();
    service = module.get<IdentityResolutionService>(IdentityResolutionService);
    identityLinkingService = module.get(IdentityLinkingService);
  });
  afterEach(() => {
    vi.clearAllMocks();
  });
  describe("resolveIdentity", () => {
    it("should resolve remote identity to local user", async () => {
      identityLinkingService.resolveLocalIdentity.mockResolvedValue(mockIdentity);
      const result = await service.resolveIdentity("remote-instance-id", "remote-user-id");
      expect(result.found).toBe(true);
      expect(result.localUserId).toBe("local-user-id");
      expect(result.remoteUserId).toBe("remote-user-id");
      expect(result.email).toBe("user@example.com");
      expect(identityLinkingService.resolveLocalIdentity).toHaveBeenCalledWith(
        "remote-instance-id",
        "remote-user-id"
      );
    });
    it("should return not found when mapping does not exist", async () => {
      identityLinkingService.resolveLocalIdentity.mockResolvedValue(null);
      const result = await service.resolveIdentity("remote-instance-id", "unknown-user-id");
      expect(result.found).toBe(false);
      expect(result.localUserId).toBeUndefined();
      expect(result.remoteUserId).toBe("unknown-user-id");
    });
  });
  describe("reverseResolveIdentity", () => {
    it("should resolve local user to remote identity", async () => {
      identityLinkingService.resolveRemoteIdentity.mockResolvedValue(mockIdentity);
      const result = await service.reverseResolveIdentity("local-user-id", "remote-instance-id");
      expect(result.found).toBe(true);
      expect(result.remoteUserId).toBe("remote-user-id");
      expect(result.localUserId).toBe("local-user-id");
      expect(identityLinkingService.resolveRemoteIdentity).toHaveBeenCalledWith(
        "local-user-id",
        "remote-instance-id"
      );
    });
    it("should return not found when mapping does not exist", async () => {
      identityLinkingService.resolveRemoteIdentity.mockResolvedValue(null);
      const result = await service.reverseResolveIdentity("unknown-user-id", "remote-instance-id");
      expect(result.found).toBe(false);
      expect(result.remoteUserId).toBeUndefined();
      expect(result.localUserId).toBe("unknown-user-id");
    });
  });
  describe("bulkResolveIdentities", () => {
    it("should resolve multiple remote users to local users", async () => {
      const mockIdentity2: FederatedIdentity = {
        ...mockIdentity,
        id: "identity-id-2",
        localUserId: "local-user-id-2",
        remoteUserId: "remote-user-id-2",
      };
      identityLinkingService.resolveLocalIdentity
        .mockResolvedValueOnce(mockIdentity)
        .mockResolvedValueOnce(mockIdentity2)
        .mockResolvedValueOnce(null);
      const result = await service.bulkResolveIdentities("remote-instance-id", [
        "remote-user-id",
        "remote-user-id-2",
        "unknown-user-id",
      ]);
      expect(result.mappings["remote-user-id"]).toBe("local-user-id");
      expect(result.mappings["remote-user-id-2"]).toBe("local-user-id-2");
      expect(result.notFound).toEqual(["unknown-user-id"]);
      expect(identityLinkingService.resolveLocalIdentity).toHaveBeenCalledTimes(3);
    });
    it("should handle empty array", async () => {
      const result = await service.bulkResolveIdentities("remote-instance-id", []);
      expect(result.mappings).toEqual({});
      expect(result.notFound).toEqual([]);
      expect(identityLinkingService.resolveLocalIdentity).not.toHaveBeenCalled();
    });
    it("should handle all not found", async () => {
      identityLinkingService.resolveLocalIdentity
        .mockResolvedValueOnce(null)
        .mockResolvedValueOnce(null);
      const result = await service.bulkResolveIdentities("remote-instance-id", [
        "unknown-1",
        "unknown-2",
      ]);
      expect(result.mappings).toEqual({});
      expect(result.notFound).toEqual(["unknown-1", "unknown-2"]);
    });
  });
 });
--- a/apps/api/src/federation/identity-resolution.service.ts
+++ b/apps/api/src/federation/identity-resolution.service.ts
@@ -0,0 +1,137 @@
 /**
 * Identity Resolution Service
 *
 * Handles identity resolution (lookup) between local and remote instances.
 * Optimized for read-heavy operations.
 */
 import { Injectable, Logger } from "@nestjs/common";
 import { IdentityLinkingService } from "./identity-linking.service";
 import type {
  IdentityResolutionResponse,
  BulkIdentityResolutionResponse,
 } from "./types/identity-linking.types";
@Injectable()
 export class IdentityResolutionService {
  private readonly logger = new Logger(IdentityResolutionService.name);
  constructor(private readonly identityLinkingService: IdentityLinkingService) {}
  /**
   * Resolve a remote user to a local user
   *
   * Looks up the identity mapping by remote instance and user ID.
   */
  async resolveIdentity(
    remoteInstanceId: string,
    remoteUserId: string
  ): Promise<IdentityResolutionResponse> {
    this.logger.debug(`Resolving identity: ${remoteUserId}@${remoteInstanceId}`);
    const identity = await this.identityLinkingService.resolveLocalIdentity(
      remoteInstanceId,
      remoteUserId
    );
    if (!identity) {
      return {
        found: false,
        remoteUserId,
        remoteInstanceId,
      };
    }
    return {
      found: true,
      localUserId: identity.localUserId,
      remoteUserId: identity.remoteUserId,
      remoteInstanceId: identity.remoteInstanceId,
      email: identity.email,
      metadata: identity.metadata,
    };
  }
  /**
   * Reverse resolve a local user to a remote identity
   *
   * Looks up the identity mapping by local user ID and remote instance.
   */
  async reverseResolveIdentity(
    localUserId: string,
    remoteInstanceId: string
  ): Promise<IdentityResolutionResponse> {
    this.logger.debug(`Reverse resolving identity: ${localUserId}@${remoteInstanceId}`);
    const identity = await this.identityLinkingService.resolveRemoteIdentity(
      localUserId,
      remoteInstanceId
    );
    if (!identity) {
      return {
        found: false,
        localUserId,
        remoteInstanceId,
      };
    }
    return {
      found: true,
      localUserId: identity.localUserId,
      remoteUserId: identity.remoteUserId,
      remoteInstanceId: identity.remoteInstanceId,
      email: identity.email,
      metadata: identity.metadata,
    };
  }
  /**
   * Bulk resolve multiple remote users to local users
   *
   * Efficient batch operation for resolving many identities at once.
   * Useful for aggregated dashboard views and multi-user operations.
   */
  async bulkResolveIdentities(
    remoteInstanceId: string,
    remoteUserIds: string[]
  ): Promise<BulkIdentityResolutionResponse> {
    this.logger.debug(
      `Bulk resolving ${remoteUserIds.length.toString()} identities for ${remoteInstanceId}`
    );
    if (remoteUserIds.length === 0) {
      return {
        mappings: {},
        notFound: [],
      };
    }
    const mappings: Record<string, string> = {};
    const notFound: string[] = [];
    // Resolve each identity
    // TODO: Optimize with a single database query using IN clause
    for (const remoteUserId of remoteUserIds) {
      const identity = await this.identityLinkingService.resolveLocalIdentity(
        remoteInstanceId,
        remoteUserId
      );
      if (identity) {
        mappings[remoteUserId] = identity.localUserId;
      } else {
        notFound.push(remoteUserId);
      }
    }
    this.logger.debug(
      `Bulk resolution complete: ${Object.keys(mappings).length.toString()} found, ${notFound.length.toString()} not found`
    );
    return {
      mappings,
      notFound,
    };
  }
 }
--- a/apps/api/src/federation/index.ts
+++ b/apps/api/src/federation/index.ts
@@ -5,6 +5,15 @@
 export * from "./federation.module";
 export * from "./federation.service";
 export * from "./federation.controller";
 export * from "./identity-linking.service";
 export * from "./identity-resolution.service";
 export * from "./identity-linking.controller";
 export * from "./crypto.service";
 export * from "./audit.service";
 export * from "./query.service";
 export * from "./query.controller";
 export * from "./command.service";
 export * from "./command.controller";
 export * from "./types/instance.types";
 export * from "./types/identity-linking.types";
 export * from "./types/message.types";
--- a/apps/api/src/federation/oidc.service.spec.ts
+++ b/apps/api/src/federation/oidc.service.spec.ts
@@ -14,6 +14,28 @@ import type {
  FederatedTokenValidation,
  OIDCTokenClaims,
 } from "./types/oidc.types";
 import * as jose from "jose";
 /**
 * Helper function to create test JWTs for testing
 */
 async function createTestJWT(
  claims: OIDCTokenClaims,
  secret: string = "test-secret-key-for-jwt-signing"
 ): Promise<string> {
  const secretKey = new TextEncoder().encode(secret);
  const jwt = await new jose.SignJWT(claims as Record<string, unknown>)
    .setProtectedHeader({ alg: "HS256" })
    .setIssuedAt(claims.iat)
    .setExpirationTime(claims.exp)
    .setSubject(claims.sub)
    .setIssuer(claims.iss)
    .setAudience(claims.aud)
    .sign(secretKey);
  return jwt;
 }
 describe("OIDCService", () => {
  let service: OIDCService;
@@ -288,90 +310,137 @@ describe("OIDCService", () => {
    });
  });
-  describe("validateToken", () => {
+  describe("validateToken - Real JWT Validation", () => {
-    it("should validate a valid OIDC token", () => {
+    it("should reject malformed token (not a JWT)", async () => {
-      const token = "valid-oidc-token";
+      const token = "not-a-jwt-token";
      const instanceId = "remote-instance-123";
-      // Mock token validation (simplified - real implementation would decode JWT)
+      const result = await service.validateToken(token, instanceId);
-      const mockClaims: OIDCTokenClaims = {
+
-        sub: "user-subject-123",
+      expect(result.valid).toBe(false);
      expect(result.error).toContain("Malformed token");
    });
    it("should reject token with invalid format (missing parts)", async () => {
      const token = "header.payload"; // Missing signature
      const instanceId = "remote-instance-123";
      const result = await service.validateToken(token, instanceId);
      expect(result.valid).toBe(false);
      expect(result.error).toContain("Malformed token");
    });
    it("should reject expired token", async () => {
      // Create an expired JWT (exp in the past)
      const expiredToken = await createTestJWT({
        sub: "user-123",
        iss: "https://auth.example.com",
        aud: "mosaic-client-id",
        exp: Math.floor(Date.now() / 1000) - 3600, // Expired 1 hour ago
        iat: Math.floor(Date.now() / 1000) - 7200,
        email: "user@example.com",
      });
      const result = await service.validateToken(expiredToken, "remote-instance-123");
      expect(result.valid).toBe(false);
      expect(result.error).toContain("expired");
    });
    it("should reject token with invalid signature", async () => {
      // Create a JWT with a different key than what the service will validate
      const invalidToken = await createTestJWT(
        {
          sub: "user-123",
          iss: "https://auth.example.com",
          aud: "mosaic-client-id",
          exp: Math.floor(Date.now() / 1000) + 3600,
          iat: Math.floor(Date.now() / 1000),
          email: "user@example.com",
        },
        "wrong-secret-key"
      );
      const result = await service.validateToken(invalidToken, "remote-instance-123");
      expect(result.valid).toBe(false);
      expect(result.error).toContain("signature");
    });
    it("should reject token with wrong issuer", async () => {
      const token = await createTestJWT({
        sub: "user-123",
        iss: "https://wrong-issuer.com", // Wrong issuer
        aud: "mosaic-client-id",
        exp: Math.floor(Date.now() / 1000) + 3600,
        iat: Math.floor(Date.now() / 1000),
        email: "user@example.com",
      });
      const result = await service.validateToken(token, "remote-instance-123");
      expect(result.valid).toBe(false);
      expect(result.error).toContain("issuer");
    });
    it("should reject token with wrong audience", async () => {
      const token = await createTestJWT({
        sub: "user-123",
        iss: "https://auth.example.com",
        aud: "wrong-audience", // Wrong audience
        exp: Math.floor(Date.now() / 1000) + 3600,
        iat: Math.floor(Date.now() / 1000),
        email: "user@example.com",
      });
      const result = await service.validateToken(token, "remote-instance-123");
      expect(result.valid).toBe(false);
      expect(result.error).toContain("audience");
    });
    it("should validate a valid JWT token with correct signature and claims", async () => {
      const validToken = await createTestJWT({
        sub: "user-123",
        iss: "https://auth.example.com",
        aud: "mosaic-client-id",
        exp: Math.floor(Date.now() / 1000) + 3600,
        iat: Math.floor(Date.now() / 1000),
        email: "user@example.com",
        email_verified: true,
-      };
+        name: "Test User",
      });
-      const expectedResult: FederatedTokenValidation = {
+      const result = await service.validateToken(validToken, "remote-instance-123");
        valid: true,
        userId: "user-subject-123",
        instanceId,
        email: "user@example.com",
        subject: "user-subject-123",
      };
      // For now, we'll mock the validation
      // Real implementation would use jose or jsonwebtoken to decode and verify
      vi.spyOn(service, "validateToken").mockReturnValue(expectedResult);
      const result = service.validateToken(token, instanceId);
      expect(result.valid).toBe(true);
-      expect(result.userId).toBe("user-subject-123");
+      expect(result.userId).toBe("user-123");
      expect(result.subject).toBe("user-123");
      expect(result.email).toBe("user@example.com");
      expect(result.instanceId).toBe("remote-instance-123");
      expect(result.error).toBeUndefined();
    });
-    it("should reject expired token", () => {
+    it("should extract all user info from valid token", async () => {
-      const token = "expired-token";
+      const validToken = await createTestJWT({
-      const instanceId = "remote-instance-123";
+        sub: "user-456",
        iss: "https://auth.example.com",
        aud: "mosaic-client-id",
        exp: Math.floor(Date.now() / 1000) + 3600,
        iat: Math.floor(Date.now() / 1000),
        email: "test@example.com",
        email_verified: true,
        name: "Test User",
        preferred_username: "testuser",
      });
-      const expectedResult: FederatedTokenValidation = {
+      const result = await service.validateToken(validToken, "remote-instance-123");
        valid: false,
        error: "Token has expired",
      };
-      vi.spyOn(service, "validateToken").mockReturnValue(expectedResult);
+      expect(result.valid).toBe(true);
-
+      expect(result.userId).toBe("user-456");
-      const result = service.validateToken(token, instanceId);
+      expect(result.email).toBe("test@example.com");
-
+      expect(result.subject).toBe("user-456");
      expect(result.valid).toBe(false);
      expect(result.error).toBeDefined();
    });
    it("should reject token with invalid signature", () => {
      const token = "invalid-signature-token";
      const instanceId = "remote-instance-123";
      const expectedResult: FederatedTokenValidation = {
        valid: false,
        error: "Invalid token signature",
      };
      vi.spyOn(service, "validateToken").mockReturnValue(expectedResult);
      const result = service.validateToken(token, instanceId);
      expect(result.valid).toBe(false);
      expect(result.error).toBe("Invalid token signature");
    });
    it("should reject malformed token", () => {
      const token = "not-a-jwt";
      const instanceId = "remote-instance-123";
      const expectedResult: FederatedTokenValidation = {
        valid: false,
        error: "Malformed token",
      };
      vi.spyOn(service, "validateToken").mockReturnValue(expectedResult);
      const result = service.validateToken(token, instanceId);
      expect(result.valid).toBe(false);
      expect(result.error).toBe("Malformed token");
    });
  });
--- a/apps/api/src/federation/oidc.service.ts
+++ b/apps/api/src/federation/oidc.service.ts
@@ -9,6 +9,7 @@ import { ConfigService } from "@nestjs/config";
 import { PrismaService } from "../prisma/prisma.service";
 import type { FederatedIdentity, FederatedTokenValidation } from "./types/oidc.types";
 import type { Prisma } from "@prisma/client";
 import * as jose from "jose";
@Injectable()
 export class OIDCService {
@@ -100,34 +101,112 @@ export class OIDCService {
  /**
   * Validate an OIDC token from a federated instance
   *
-   * NOTE: This is a simplified implementation for the initial version.
+   * Verifies JWT signature and validates all standard claims.
-   * In production, this should:
+   *
   * Current implementation uses a test secret for validation.
   * Production implementation should:
   * 1. Fetch OIDC discovery metadata from the issuer
   * 2. Retrieve and cache JWKS (JSON Web Key Set)
-   * 3. Verify JWT signature using the public key
+   * 3. Verify JWT signature using the public key from JWKS
-   * 4. Validate claims (iss, aud, exp, etc.)
+   * 4. Handle key rotation and JWKS refresh
   * 5. Handle token refresh if needed
   *
   * For now, we provide the interface and basic structure.
   * Full JWT validation will be implemented when needed.
   */
-  validateToken(_token: string, _instanceId: string): FederatedTokenValidation {
+  async validateToken(token: string, instanceId: string): Promise<FederatedTokenValidation> {
    try {
-      // TODO: Implement full JWT validation
+      // Validate token format
-      // For now, this is a placeholder that should be implemented
+      if (!token || typeof token !== "string") {
-      // when federation OIDC is actively used
+        return {
          valid: false,
          error: "Malformed token: token must be a non-empty string",
        };
      }
-      this.logger.warn("Token validation not fully implemented - returning mock validation");
+      // Check if token looks like a JWT (three parts separated by dots)
      const parts = token.split(".");
      if (parts.length !== 3) {
        return {
          valid: false,
          error: "Malformed token: JWT must have three parts (header.payload.signature)",
        };
      }
-      // This is a placeholder response
+      // Get validation secret from config (for testing/development)
-      // Real implementation would decode and verify the JWT
+      // In production, this should fetch JWKS from the remote instance
-      return {
+      const secret =
-        valid: false,
+        this.config.get<string>("OIDC_VALIDATION_SECRET") ?? "test-secret-key-for-jwt-signing";
-        error: "Token validation not yet implemented",
+      const secretKey = new TextEncoder().encode(secret);
      // Verify and decode JWT
      const { payload } = await jose.jwtVerify(token, secretKey, {
        issuer: "https://auth.example.com", // TODO: Fetch from remote instance config
        audience: "mosaic-client-id", // TODO: Get from config
      });
      // Extract claims
      const sub = payload.sub;
      const email = payload.email as string | undefined;
      if (!sub) {
        return {
          valid: false,
          error: "Token missing required 'sub' claim",
        };
      }
      // Return validation result
      const result: FederatedTokenValidation = {
        valid: true,
        userId: sub,
        subject: sub,
        instanceId,
      };
      // Only include email if present (exactOptionalPropertyTypes compliance)
      if (email) {
        result.email = email;
      }
      return result;
    } catch (error) {
      // Handle specific JWT errors
      if (error instanceof jose.errors.JWTExpired) {
        return {
          valid: false,
          error: "Token has expired",
        };
      }
      if (error instanceof jose.errors.JWTClaimValidationFailed) {
        const claimError = error.message;
        // Check specific claim failures
        if (claimError.includes("iss") || claimError.includes("issuer")) {
          return {
            valid: false,
            error: "Invalid token issuer",
          };
        }
        if (claimError.includes("aud") || claimError.includes("audience")) {
          return {
            valid: false,
            error: "Invalid token audience",
          };
        }
        return {
          valid: false,
          error: `Claim validation failed: ${claimError}`,
        };
      }
      if (error instanceof jose.errors.JWSSignatureVerificationFailed) {
        return {
          valid: false,
          error: "Invalid token signature",
        };
      }
      // Generic error handling
      this.logger.error(
-        `Token validation error: ${error instanceof Error ? error.message : "Unknown error"}`
+        `Token validation error: ${error instanceof Error ? error.message : "Unknown error"}`,
        error instanceof Error ? error.stack : undefined
      );
      return {
--- a/apps/api/src/federation/query.controller.spec.ts
+++ b/apps/api/src/federation/query.controller.spec.ts
@@ -0,0 +1,238 @@
 /**
 * Query Controller Tests
 *
 * Tests for federated query API endpoints.
 */
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { FederationMessageType, FederationMessageStatus } from "@prisma/client";
 import { QueryController } from "./query.controller";
 import { QueryService } from "./query.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import type { AuthenticatedRequest } from "../common/types/user.types";
 import type { SendQueryDto, IncomingQueryDto } from "./dto/query.dto";
 describe("QueryController", () => {
  let controller: QueryController;
  let queryService: QueryService;
  const mockQueryService = {
    sendQuery: vi.fn(),
    handleIncomingQuery: vi.fn(),
    getQueryMessages: vi.fn(),
    getQueryMessage: vi.fn(),
  };
  beforeEach(async () => {
    const module: TestingModule = await Test.createTestingModule({
      controllers: [QueryController],
      providers: [{ provide: QueryService, useValue: mockQueryService }],
    })
      .overrideGuard(AuthGuard)
      .useValue({ canActivate: () => true })
      .compile();
    controller = module.get<QueryController>(QueryController);
    queryService = module.get<QueryService>(QueryService);
    vi.clearAllMocks();
  });
  describe("sendQuery", () => {
    it("should send query to remote instance", async () => {
      const req = {
        user: {
          id: "user-1",
          workspaceId: "workspace-1",
        },
      } as AuthenticatedRequest;
      const dto: SendQueryDto = {
        connectionId: "connection-1",
        query: "SELECT * FROM tasks",
        context: { userId: "user-1" },
      };
      const mockResult = {
        id: "msg-1",
        workspaceId: "workspace-1",
        connectionId: "connection-1",
        messageType: FederationMessageType.QUERY,
        messageId: "unique-msg-1",
        query: dto.query,
        status: FederationMessageStatus.PENDING,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      mockQueryService.sendQuery.mockResolvedValue(mockResult);
      const result = await controller.sendQuery(req, dto);
      expect(result).toBeDefined();
      expect(result.messageType).toBe(FederationMessageType.QUERY);
      expect(mockQueryService.sendQuery).toHaveBeenCalledWith(
        "workspace-1",
        dto.connectionId,
        dto.query,
        dto.context
      );
    });
    it("should throw error if user not authenticated", async () => {
      const req = {} as AuthenticatedRequest;
      const dto: SendQueryDto = {
        connectionId: "connection-1",
        query: "SELECT * FROM tasks",
      };
      await expect(controller.sendQuery(req, dto)).rejects.toThrow(
        "Workspace ID not found in request"
      );
    });
  });
  describe("handleIncomingQuery", () => {
    it("should process incoming query", async () => {
      const dto: IncomingQueryDto = {
        messageId: "msg-1",
        instanceId: "remote-instance-1",
        query: "SELECT * FROM tasks",
        timestamp: Date.now(),
        signature: "valid-signature",
      };
      const mockResponse = {
        messageId: "response-1",
        correlationId: dto.messageId,
        instanceId: "local-instance-1",
        success: true,
        data: { tasks: [] },
        timestamp: Date.now(),
        signature: "response-signature",
      };
      mockQueryService.handleIncomingQuery.mockResolvedValue(mockResponse);
      const result = await controller.handleIncomingQuery(dto);
      expect(result).toBeDefined();
      expect(result.correlationId).toBe(dto.messageId);
      expect(mockQueryService.handleIncomingQuery).toHaveBeenCalledWith(dto);
    });
    it("should return error response for invalid query", async () => {
      const dto: IncomingQueryDto = {
        messageId: "msg-1",
        instanceId: "remote-instance-1",
        query: "SELECT * FROM tasks",
        timestamp: Date.now(),
        signature: "invalid-signature",
      };
      mockQueryService.handleIncomingQuery.mockRejectedValue(new Error("Invalid signature"));
      await expect(controller.handleIncomingQuery(dto)).rejects.toThrow("Invalid signature");
    });
  });
  describe("getQueries", () => {
    it("should return query messages for workspace", async () => {
      const req = {
        user: {
          id: "user-1",
          workspaceId: "workspace-1",
        },
      } as AuthenticatedRequest;
      const mockMessages = [
        {
          id: "msg-1",
          workspaceId: "workspace-1",
          connectionId: "connection-1",
          messageType: FederationMessageType.QUERY,
          messageId: "unique-msg-1",
          query: "SELECT * FROM tasks",
          status: FederationMessageStatus.DELIVERED,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      mockQueryService.getQueryMessages.mockResolvedValue(mockMessages);
      const result = await controller.getQueries(req, undefined);
      expect(result).toHaveLength(1);
      expect(mockQueryService.getQueryMessages).toHaveBeenCalledWith("workspace-1", undefined);
    });
    it("should filter by status when provided", async () => {
      const req = {
        user: {
          id: "user-1",
          workspaceId: "workspace-1",
        },
      } as AuthenticatedRequest;
      const status = FederationMessageStatus.PENDING;
      mockQueryService.getQueryMessages.mockResolvedValue([]);
      await controller.getQueries(req, status);
      expect(mockQueryService.getQueryMessages).toHaveBeenCalledWith("workspace-1", status);
    });
    it("should throw error if user not authenticated", async () => {
      const req = {} as AuthenticatedRequest;
      await expect(controller.getQueries(req, undefined)).rejects.toThrow(
        "Workspace ID not found in request"
      );
    });
  });
  describe("getQuery", () => {
    it("should return query message by ID", async () => {
      const req = {
        user: {
          id: "user-1",
          workspaceId: "workspace-1",
        },
      } as AuthenticatedRequest;
      const messageId = "msg-1";
      const mockMessage = {
        id: messageId,
        workspaceId: "workspace-1",
        connectionId: "connection-1",
        messageType: FederationMessageType.QUERY,
        messageId: "unique-msg-1",
        query: "SELECT * FROM tasks",
        status: FederationMessageStatus.DELIVERED,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      mockQueryService.getQueryMessage.mockResolvedValue(mockMessage);
      const result = await controller.getQuery(req, messageId);
      expect(result).toBeDefined();
      expect(result.id).toBe(messageId);
      expect(mockQueryService.getQueryMessage).toHaveBeenCalledWith("workspace-1", messageId);
    });
    it("should throw error if user not authenticated", async () => {
      const req = {} as AuthenticatedRequest;
      await expect(controller.getQuery(req, "msg-1")).rejects.toThrow(
        "Workspace ID not found in request"
      );
    });
  });
 });
--- a/apps/api/src/federation/query.controller.ts
+++ b/apps/api/src/federation/query.controller.ts
@@ -0,0 +1,91 @@
 /**
 * Query Controller
 *
 * API endpoints for federated query messages.
 */
 import { Controller, Post, Get, Body, Param, Query, UseGuards, Req, Logger } from "@nestjs/common";
 import { QueryService } from "./query.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { SendQueryDto, IncomingQueryDto } from "./dto/query.dto";
 import type { AuthenticatedRequest } from "../common/types/user.types";
 import type { QueryMessageDetails, QueryResponse } from "./types/message.types";
 import type { FederationMessageStatus } from "@prisma/client";
@Controller("api/v1/federation")
 export class QueryController {
  private readonly logger = new Logger(QueryController.name);
  constructor(private readonly queryService: QueryService) {}
  /**
   * Send a query to a remote instance
   * Requires authentication
   */
  @Post("query")
  @UseGuards(AuthGuard)
  async sendQuery(
    @Req() req: AuthenticatedRequest,
    @Body() dto: SendQueryDto
  ): Promise<QueryMessageDetails> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    this.logger.log(
      `User ${req.user.id} sending query to connection ${dto.connectionId} in workspace ${req.user.workspaceId}`
    );
    return this.queryService.sendQuery(
      req.user.workspaceId,
      dto.connectionId,
      dto.query,
      dto.context
    );
  }
  /**
   * Handle incoming query from remote instance
   * Public endpoint - no authentication required (signature-based verification)
   */
  @Post("incoming/query")
  async handleIncomingQuery(@Body() dto: IncomingQueryDto): Promise<QueryResponse> {
    this.logger.log(`Received query from ${dto.instanceId}: ${dto.messageId}`);
    return this.queryService.handleIncomingQuery(dto);
  }
  /**
   * Get all query messages for the workspace
   * Requires authentication
   */
  @Get("queries")
  @UseGuards(AuthGuard)
  async getQueries(
    @Req() req: AuthenticatedRequest,
    @Query("status") status?: FederationMessageStatus
  ): Promise<QueryMessageDetails[]> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    return this.queryService.getQueryMessages(req.user.workspaceId, status);
  }
  /**
   * Get a single query message
   * Requires authentication
   */
  @Get("queries/:id")
  @UseGuards(AuthGuard)
  async getQuery(
    @Req() req: AuthenticatedRequest,
    @Param("id") messageId: string
  ): Promise<QueryMessageDetails> {
    if (!req.user?.workspaceId) {
      throw new Error("Workspace ID not found in request");
    }
    return this.queryService.getQueryMessage(req.user.workspaceId, messageId);
  }
 }
--- a/apps/api/src/federation/query.service.spec.ts
+++ b/apps/api/src/federation/query.service.spec.ts
@@ -0,0 +1,493 @@
 /**
 * Query Service Tests
 *
 * Tests for federated query message handling.
 */
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { ConfigService } from "@nestjs/config";
 import {
  FederationConnectionStatus,
  FederationMessageType,
  FederationMessageStatus,
 } from "@prisma/client";
 import { QueryService } from "./query.service";
 import { PrismaService } from "../prisma/prisma.service";
 import { FederationService } from "./federation.service";
 import { SignatureService } from "./signature.service";
 import { HttpService } from "@nestjs/axios";
 import { of, throwError } from "rxjs";
 import type { AxiosResponse } from "axios";
 describe("QueryService", () => {
  let service: QueryService;
  let prisma: PrismaService;
  let federationService: FederationService;
  let signatureService: SignatureService;
  let httpService: HttpService;
  const mockPrisma = {
    federationConnection: {
      findUnique: vi.fn(),
      findFirst: vi.fn(),
    },
    federationMessage: {
      create: vi.fn(),
      findMany: vi.fn(),
      findUnique: vi.fn(),
      findFirst: vi.fn(),
      update: vi.fn(),
    },
  };
  const mockFederationService = {
    getInstanceIdentity: vi.fn(),
    getPublicIdentity: vi.fn(),
  };
  const mockSignatureService = {
    signMessage: vi.fn(),
    verifyMessage: vi.fn(),
    validateTimestamp: vi.fn(),
  };
  const mockHttpService = {
    post: vi.fn(),
  };
  const mockConfig = {
    get: vi.fn(),
  };
  beforeEach(async () => {
    const module: TestingModule = await Test.createTestingModule({
      providers: [
        QueryService,
        { provide: PrismaService, useValue: mockPrisma },
        { provide: FederationService, useValue: mockFederationService },
        { provide: SignatureService, useValue: mockSignatureService },
        { provide: HttpService, useValue: mockHttpService },
        { provide: ConfigService, useValue: mockConfig },
      ],
    }).compile();
    service = module.get<QueryService>(QueryService);
    prisma = module.get<PrismaService>(PrismaService);
    federationService = module.get<FederationService>(FederationService);
    signatureService = module.get<SignatureService>(SignatureService);
    httpService = module.get<HttpService>(HttpService);
    vi.clearAllMocks();
  });
  describe("sendQuery", () => {
    it("should send query to remote instance with signed message", async () => {
      const workspaceId = "workspace-1";
      const connectionId = "connection-1";
      const query = "SELECT * FROM tasks";
      const context = { userId: "user-1" };
      const mockConnection = {
        id: connectionId,
        workspaceId,
        remoteInstanceId: "remote-instance-1",
        remoteUrl: "https://remote.example.com",
        remotePublicKey: "mock-public-key",
        status: FederationConnectionStatus.ACTIVE,
      };
      const mockIdentity = {
        id: "identity-1",
        instanceId: "local-instance-1",
        name: "Local Instance",
        url: "https://local.example.com",
        publicKey: "local-public-key",
        privateKey: "local-private-key",
      };
      const mockMessage = {
        id: "message-1",
        workspaceId,
        connectionId,
        messageType: FederationMessageType.QUERY,
        messageId: expect.any(String),
        correlationId: null,
        query,
        response: null,
        status: FederationMessageStatus.PENDING,
        error: null,
        signature: "mock-signature",
        createdAt: new Date(),
        updatedAt: new Date(),
        deliveredAt: null,
      };
      const mockResponse: AxiosResponse = {
        data: { success: true },
        status: 200,
        statusText: "OK",
        headers: {},
        config: { headers: {} as never },
      };
      mockPrisma.federationConnection.findUnique.mockResolvedValue(mockConnection);
      mockFederationService.getInstanceIdentity.mockResolvedValue(mockIdentity);
      mockSignatureService.signMessage.mockResolvedValue("mock-signature");
      mockPrisma.federationMessage.create.mockResolvedValue(mockMessage);
      mockHttpService.post.mockReturnValue(of(mockResponse));
      const result = await service.sendQuery(workspaceId, connectionId, query, context);
      expect(result).toBeDefined();
      expect(result.messageType).toBe(FederationMessageType.QUERY);
      expect(result.query).toBe(query);
      expect(mockPrisma.federationConnection.findUnique).toHaveBeenCalledWith({
        where: { id: connectionId, workspaceId },
      });
      expect(mockPrisma.federationMessage.create).toHaveBeenCalled();
      expect(mockHttpService.post).toHaveBeenCalledWith(
        `${mockConnection.remoteUrl}/api/v1/federation/incoming/query`,
        expect.objectContaining({
          messageId: expect.any(String),
          instanceId: mockIdentity.instanceId,
          query,
          context,
          timestamp: expect.any(Number),
          signature: "mock-signature",
        })
      );
    });
    it("should throw error if connection not found", async () => {
      mockPrisma.federationConnection.findUnique.mockResolvedValue(null);
      await expect(
        service.sendQuery("workspace-1", "connection-1", "SELECT * FROM tasks")
      ).rejects.toThrow("Connection not found");
    });
    it("should throw error if connection not active", async () => {
      const mockConnection = {
        id: "connection-1",
        workspaceId: "workspace-1",
        status: FederationConnectionStatus.PENDING,
      };
      mockPrisma.federationConnection.findUnique.mockResolvedValue(mockConnection);
      await expect(
        service.sendQuery("workspace-1", "connection-1", "SELECT * FROM tasks")
      ).rejects.toThrow("Connection is not active");
    });
    it("should handle network errors gracefully", async () => {
      const mockConnection = {
        id: "connection-1",
        workspaceId: "workspace-1",
        remoteInstanceId: "remote-instance-1",
        remoteUrl: "https://remote.example.com",
        status: FederationConnectionStatus.ACTIVE,
      };
      const mockIdentity = {
        instanceId: "local-instance-1",
      };
      mockPrisma.federationConnection.findUnique.mockResolvedValue(mockConnection);
      mockFederationService.getInstanceIdentity.mockResolvedValue(mockIdentity);
      mockSignatureService.signMessage.mockResolvedValue("mock-signature");
      mockPrisma.federationMessage.create.mockResolvedValue({
        id: "message-1",
        messageId: "msg-1",
      });
      mockHttpService.post.mockReturnValue(throwError(() => new Error("Network error")));
      await expect(
        service.sendQuery("workspace-1", "connection-1", "SELECT * FROM tasks")
      ).rejects.toThrow("Failed to send query");
    });
  });
  describe("handleIncomingQuery", () => {
    it("should process valid incoming query", async () => {
      const queryMessage = {
        messageId: "msg-1",
        instanceId: "remote-instance-1",
        query: "SELECT * FROM tasks",
        context: {},
        timestamp: Date.now(),
        signature: "valid-signature",
      };
      const mockConnection = {
        id: "connection-1",
        workspaceId: "workspace-1",
        remoteInstanceId: "remote-instance-1",
        status: FederationConnectionStatus.ACTIVE,
      };
      const mockIdentity = {
        instanceId: "local-instance-1",
      };
      mockPrisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
      mockSignatureService.validateTimestamp.mockReturnValue(true);
      mockSignatureService.verifyMessage.mockResolvedValue({ valid: true });
      mockFederationService.getInstanceIdentity.mockResolvedValue(mockIdentity);
      mockSignatureService.signMessage.mockResolvedValue("response-signature");
      const result = await service.handleIncomingQuery(queryMessage);
      expect(result).toBeDefined();
      expect(result.messageId).toBeDefined();
      expect(result.correlationId).toBe(queryMessage.messageId);
      expect(result.instanceId).toBe(mockIdentity.instanceId);
      expect(result.signature).toBe("response-signature");
    });
    it("should reject query with invalid signature", async () => {
      const queryMessage = {
        messageId: "msg-1",
        instanceId: "remote-instance-1",
        query: "SELECT * FROM tasks",
        timestamp: Date.now(),
        signature: "invalid-signature",
      };
      const mockConnection = {
        id: "connection-1",
        workspaceId: "workspace-1",
        remoteInstanceId: "remote-instance-1",
        status: FederationConnectionStatus.ACTIVE,
      };
      mockPrisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
      mockSignatureService.validateTimestamp.mockReturnValue(true);
      mockSignatureService.verifyMessage.mockResolvedValue({
        valid: false,
        error: "Invalid signature",
      });
      await expect(service.handleIncomingQuery(queryMessage)).rejects.toThrow("Invalid signature");
    });
    it("should reject query with expired timestamp", async () => {
      const queryMessage = {
        messageId: "msg-1",
        instanceId: "remote-instance-1",
        query: "SELECT * FROM tasks",
        timestamp: Date.now() - 10 * 60 * 1000, // 10 minutes ago
        signature: "valid-signature",
      };
      const mockConnection = {
        id: "connection-1",
        workspaceId: "workspace-1",
        remoteInstanceId: "remote-instance-1",
        status: FederationConnectionStatus.ACTIVE,
      };
      mockPrisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
      mockSignatureService.validateTimestamp.mockReturnValue(false);
      await expect(service.handleIncomingQuery(queryMessage)).rejects.toThrow(
        "Query timestamp is outside acceptable range"
      );
    });
    it("should reject query from inactive connection", async () => {
      const queryMessage = {
        messageId: "msg-1",
        instanceId: "remote-instance-1",
        query: "SELECT * FROM tasks",
        timestamp: Date.now(),
        signature: "valid-signature",
      };
      const mockConnection = {
        id: "connection-1",
        workspaceId: "workspace-1",
        remoteInstanceId: "remote-instance-1",
        status: FederationConnectionStatus.PENDING,
      };
      mockPrisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
      mockSignatureService.validateTimestamp.mockReturnValue(true);
      await expect(service.handleIncomingQuery(queryMessage)).rejects.toThrow(
        "Connection is not active"
      );
    });
    it("should reject query from unknown instance", async () => {
      const queryMessage = {
        messageId: "msg-1",
        instanceId: "unknown-instance",
        query: "SELECT * FROM tasks",
        timestamp: Date.now(),
        signature: "valid-signature",
      };
      mockPrisma.federationConnection.findFirst.mockResolvedValue(null);
      mockSignatureService.validateTimestamp.mockReturnValue(true);
      await expect(service.handleIncomingQuery(queryMessage)).rejects.toThrow(
        "No connection found for remote instance"
      );
    });
  });
  describe("getQueryMessages", () => {
    it("should return query messages for workspace", async () => {
      const workspaceId = "workspace-1";
      const mockMessages = [
        {
          id: "msg-1",
          workspaceId,
          connectionId: "connection-1",
          messageType: FederationMessageType.QUERY,
          messageId: "unique-msg-1",
          query: "SELECT * FROM tasks",
          status: FederationMessageStatus.DELIVERED,
          createdAt: new Date(),
          updatedAt: new Date(),
        },
      ];
      mockPrisma.federationMessage.findMany.mockResolvedValue(mockMessages);
      const result = await service.getQueryMessages(workspaceId);
      expect(result).toHaveLength(1);
      expect(result[0].id).toBe("msg-1");
      expect(mockPrisma.federationMessage.findMany).toHaveBeenCalledWith({
        where: {
          workspaceId,
          messageType: FederationMessageType.QUERY,
        },
        orderBy: { createdAt: "desc" },
      });
    });
    it("should filter by status when provided", async () => {
      const workspaceId = "workspace-1";
      const status = FederationMessageStatus.PENDING;
      mockPrisma.federationMessage.findMany.mockResolvedValue([]);
      await service.getQueryMessages(workspaceId, status);
      expect(mockPrisma.federationMessage.findMany).toHaveBeenCalledWith({
        where: {
          workspaceId,
          messageType: FederationMessageType.QUERY,
          status,
        },
        orderBy: { createdAt: "desc" },
      });
    });
  });
  describe("getQueryMessage", () => {
    it("should return query message by ID", async () => {
      const workspaceId = "workspace-1";
      const messageId = "msg-1";
      const mockMessage = {
        id: "msg-1",
        workspaceId,
        messageType: FederationMessageType.QUERY,
        messageId: "unique-msg-1",
        query: "SELECT * FROM tasks",
        status: FederationMessageStatus.DELIVERED,
        createdAt: new Date(),
        updatedAt: new Date(),
      };
      mockPrisma.federationMessage.findUnique.mockResolvedValue(mockMessage);
      const result = await service.getQueryMessage(workspaceId, messageId);
      expect(result).toBeDefined();
      expect(result.id).toBe(messageId);
      expect(mockPrisma.federationMessage.findUnique).toHaveBeenCalledWith({
        where: { id: messageId, workspaceId },
      });
    });
    it("should throw error if message not found", async () => {
      mockPrisma.federationMessage.findUnique.mockResolvedValue(null);
      await expect(service.getQueryMessage("workspace-1", "msg-1")).rejects.toThrow(
        "Query message not found"
      );
    });
  });
  describe("processQueryResponse", () => {
    it("should update message with response", async () => {
      const response = {
        messageId: "response-1",
        correlationId: "original-msg-1",
        instanceId: "remote-instance-1",
        success: true,
        data: { tasks: [] },
        timestamp: Date.now(),
        signature: "valid-signature",
      };
      const mockMessage = {
        id: "msg-1",
        messageId: "original-msg-1",
        workspaceId: "workspace-1",
        status: FederationMessageStatus.PENDING,
      };
      mockPrisma.federationMessage.findFirst.mockResolvedValue(mockMessage);
      mockSignatureService.validateTimestamp.mockReturnValue(true);
      mockSignatureService.verifyMessage.mockResolvedValue({ valid: true });
      mockPrisma.federationMessage.update.mockResolvedValue({
        ...mockMessage,
        status: FederationMessageStatus.DELIVERED,
        response: response.data,
      });
      await service.processQueryResponse(response);
      expect(mockPrisma.federationMessage.update).toHaveBeenCalledWith({
        where: { id: mockMessage.id },
        data: {
          status: FederationMessageStatus.DELIVERED,
          response: response.data,
          deliveredAt: expect.any(Date),
        },
      });
    });
    it("should reject response with invalid signature", async () => {
      const response = {
        messageId: "response-1",
        correlationId: "original-msg-1",
        instanceId: "remote-instance-1",
        success: true,
        timestamp: Date.now(),
        signature: "invalid-signature",
      };
      const mockMessage = {
        id: "msg-1",
        messageId: "original-msg-1",
        workspaceId: "workspace-1",
      };
      mockPrisma.federationMessage.findFirst.mockResolvedValue(mockMessage);
      mockSignatureService.validateTimestamp.mockReturnValue(true);
      mockSignatureService.verifyMessage.mockResolvedValue({
        valid: false,
        error: "Invalid signature",
      });
      await expect(service.processQueryResponse(response)).rejects.toThrow("Invalid signature");
    });
  });
 });
--- a/apps/api/src/federation/query.service.ts
+++ b/apps/api/src/federation/query.service.ts
@@ -0,0 +1,360 @@
 /**
 * Query Service
 *
 * Handles federated query messages.
 */
 import { Injectable, Logger } from "@nestjs/common";
 import { HttpService } from "@nestjs/axios";
 import { randomUUID } from "crypto";
 import { firstValueFrom } from "rxjs";
 import { PrismaService } from "../prisma/prisma.service";
 import { FederationService } from "./federation.service";
 import { SignatureService } from "./signature.service";
 import {
  FederationConnectionStatus,
  FederationMessageType,
  FederationMessageStatus,
 } from "@prisma/client";
 import type { QueryMessage, QueryResponse, QueryMessageDetails } from "./types/message.types";
@Injectable()
 export class QueryService {
  private readonly logger = new Logger(QueryService.name);
  constructor(
    private readonly prisma: PrismaService,
    private readonly federationService: FederationService,
    private readonly signatureService: SignatureService,
    private readonly httpService: HttpService
  ) {}
  /**
   * Send a query to a remote instance
   */
  async sendQuery(
    workspaceId: string,
    connectionId: string,
    query: string,
    context?: Record<string, unknown>
  ): Promise<QueryMessageDetails> {
    // Validate connection exists and is active
    const connection = await this.prisma.federationConnection.findUnique({
      where: { id: connectionId, workspaceId },
    });
    if (!connection) {
      throw new Error("Connection not found");
    }
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Get local instance identity
    const identity = await this.federationService.getInstanceIdentity();
    // Create query message
    const messageId = randomUUID();
    const timestamp = Date.now();
    const queryPayload: Record<string, unknown> = {
      messageId,
      instanceId: identity.instanceId,
      query,
      timestamp,
    };
    if (context) {
      queryPayload.context = context;
    }
    // Sign the query
    const signature = await this.signatureService.signMessage(queryPayload);
    const signedQuery = {
      messageId,
      instanceId: identity.instanceId,
      query,
      ...(context ? { context } : {}),
      timestamp,
      signature,
    } as QueryMessage;
    // Store message in database
    const message = await this.prisma.federationMessage.create({
      data: {
        workspaceId,
        connectionId,
        messageType: FederationMessageType.QUERY,
        messageId,
        query,
        status: FederationMessageStatus.PENDING,
        signature,
      },
    });
    // Send query to remote instance
    try {
      const remoteUrl = `${connection.remoteUrl}/api/v1/federation/incoming/query`;
      await firstValueFrom(this.httpService.post(remoteUrl, signedQuery));
      this.logger.log(`Query sent to ${connection.remoteUrl}: ${messageId}`);
    } catch (error) {
      this.logger.error(`Failed to send query to ${connection.remoteUrl}`, error);
      // Update message status to failed
      await this.prisma.federationMessage.update({
        where: { id: message.id },
        data: {
          status: FederationMessageStatus.FAILED,
          error: error instanceof Error ? error.message : "Unknown error",
        },
      });
      throw new Error("Failed to send query");
    }
    return this.mapToQueryMessageDetails(message);
  }
  /**
   * Handle incoming query from remote instance
   */
  async handleIncomingQuery(queryMessage: QueryMessage): Promise<QueryResponse> {
    this.logger.log(`Received query from ${queryMessage.instanceId}: ${queryMessage.messageId}`);
    // Validate timestamp
    if (!this.signatureService.validateTimestamp(queryMessage.timestamp)) {
      throw new Error("Query timestamp is outside acceptable range");
    }
    // Find connection for remote instance
    const connection = await this.prisma.federationConnection.findFirst({
      where: {
        remoteInstanceId: queryMessage.instanceId,
        status: FederationConnectionStatus.ACTIVE,
      },
    });
    if (!connection) {
      throw new Error("No connection found for remote instance");
    }
    // Validate connection is active
    if (connection.status !== FederationConnectionStatus.ACTIVE) {
      throw new Error("Connection is not active");
    }
    // Verify signature
    const { signature, ...messageToVerify } = queryMessage;
    const verificationResult = await this.signatureService.verifyMessage(
      messageToVerify,
      signature,
      queryMessage.instanceId
    );
    if (!verificationResult.valid) {
      throw new Error(verificationResult.error ?? "Invalid signature");
    }
    // Process query (placeholder - would delegate to actual query processor)
    let responseData: unknown;
    let success = true;
    let errorMessage: string | undefined;
    try {
      // TODO: Implement actual query processing
      // For now, return a placeholder response
      responseData = { message: "Query received and processed" };
    } catch (error) {
      success = false;
      errorMessage = error instanceof Error ? error.message : "Query processing failed";
      this.logger.error(`Query processing failed: ${errorMessage}`);
    }
    // Get local instance identity
    const identity = await this.federationService.getInstanceIdentity();
    // Create response
    const responseMessageId = randomUUID();
    const responseTimestamp = Date.now();
    const responsePayload: Record<string, unknown> = {
      messageId: responseMessageId,
      correlationId: queryMessage.messageId,
      instanceId: identity.instanceId,
      success,
      timestamp: responseTimestamp,
    };
    if (responseData !== undefined) {
      responsePayload.data = responseData;
    }
    if (errorMessage !== undefined) {
      responsePayload.error = errorMessage;
    }
    // Sign the response
    const responseSignature = await this.signatureService.signMessage(responsePayload);
    const response = {
      messageId: responseMessageId,
      correlationId: queryMessage.messageId,
      instanceId: identity.instanceId,
      success,
      ...(responseData !== undefined ? { data: responseData } : {}),
      ...(errorMessage !== undefined ? { error: errorMessage } : {}),
      timestamp: responseTimestamp,
      signature: responseSignature,
    } as QueryResponse;
    return response;
  }
  /**
   * Get all query messages for a workspace
   */
  async getQueryMessages(
    workspaceId: string,
    status?: FederationMessageStatus
  ): Promise<QueryMessageDetails[]> {
    const where: Record<string, unknown> = {
      workspaceId,
      messageType: FederationMessageType.QUERY,
    };
    if (status) {
      where.status = status;
    }
    const messages = await this.prisma.federationMessage.findMany({
      where,
      orderBy: { createdAt: "desc" },
    });
    return messages.map((msg) => this.mapToQueryMessageDetails(msg));
  }
  /**
   * Get a single query message
   */
  async getQueryMessage(workspaceId: string, messageId: string): Promise<QueryMessageDetails> {
    const message = await this.prisma.federationMessage.findUnique({
      where: { id: messageId, workspaceId },
    });
    if (!message) {
      throw new Error("Query message not found");
    }
    return this.mapToQueryMessageDetails(message);
  }
  /**
   * Process a query response from remote instance
   */
  async processQueryResponse(response: QueryResponse): Promise<void> {
    this.logger.log(`Received response for query: ${response.correlationId}`);
    // Validate timestamp
    if (!this.signatureService.validateTimestamp(response.timestamp)) {
      throw new Error("Response timestamp is outside acceptable range");
    }
    // Find original query message
    const message = await this.prisma.federationMessage.findFirst({
      where: {
        messageId: response.correlationId,
        messageType: FederationMessageType.QUERY,
      },
    });
    if (!message) {
      throw new Error("Original query message not found");
    }
    // Verify signature
    const { signature, ...responseToVerify } = response;
    const verificationResult = await this.signatureService.verifyMessage(
      responseToVerify,
      signature,
      response.instanceId
    );
    if (!verificationResult.valid) {
      throw new Error(verificationResult.error ?? "Invalid signature");
    }
    // Update message with response
    const updateData: Record<string, unknown> = {
      status: response.success ? FederationMessageStatus.DELIVERED : FederationMessageStatus.FAILED,
      deliveredAt: new Date(),
    };
    if (response.data !== undefined) {
      updateData.response = response.data;
    }
    if (response.error !== undefined) {
      updateData.error = response.error;
    }
    await this.prisma.federationMessage.update({
      where: { id: message.id },
      data: updateData,
    });
    this.logger.log(`Query response processed: ${response.correlationId}`);
  }
  /**
   * Map Prisma FederationMessage to QueryMessageDetails
   */
  private mapToQueryMessageDetails(message: {
    id: string;
    workspaceId: string;
    connectionId: string;
    messageType: FederationMessageType;
    messageId: string;
    correlationId: string | null;
    query: string | null;
    response: unknown;
    status: FederationMessageStatus;
    error: string | null;
    createdAt: Date;
    updatedAt: Date;
    deliveredAt: Date | null;
  }): QueryMessageDetails {
    const details: QueryMessageDetails = {
      id: message.id,
      workspaceId: message.workspaceId,
      connectionId: message.connectionId,
      messageType: message.messageType,
      messageId: message.messageId,
      response: message.response,
      status: message.status,
      createdAt: message.createdAt,
      updatedAt: message.updatedAt,
    };
    if (message.correlationId !== null) {
      details.correlationId = message.correlationId;
    }
    if (message.query !== null) {
      details.query = message.query;
    }
    if (message.error !== null) {
      details.error = message.error;
    }
    if (message.deliveredAt !== null) {
      details.deliveredAt = message.deliveredAt;
    }
    return details;
  }
 }
--- a/apps/api/src/federation/signature.service.ts
+++ b/apps/api/src/federation/signature.service.ts
@@ -116,6 +116,40 @@ export class SignatureService {
    return this.sign(message, identity.privateKey);
  }
  /**
   * Verify a message signature using a remote instance's public key
   * Fetches the public key from the connection record
   */
  async verifyMessage(
    message: SignableMessage,
    signature: string,
    remoteInstanceId: string
  ): Promise<SignatureValidationResult> {
    try {
      // Fetch remote instance public key from connection record
      // For now, we'll fetch from any connection with this instance
      // In production, this should be cached or fetched from instance identity endpoint
      const connection =
        await this.federationService.getConnectionByRemoteInstanceId(remoteInstanceId);
      if (!connection) {
        return {
          valid: false,
          error: "Remote instance not connected",
        };
      }
      // Verify signature using remote public key
      return this.verify(message, signature, connection.remotePublicKey);
    } catch (error) {
      this.logger.error("Failed to verify message", error);
      return {
        valid: false,
        error: error instanceof Error ? error.message : "Verification failed",
      };
    }
  }
  /**
   * Verify a connection request signature
   */
--- a/apps/api/src/federation/types/federation-agent.types.ts
+++ b/apps/api/src/federation/types/federation-agent.types.ts
@@ -0,0 +1,149 @@
 /**
 * Federation Agent Command Types
 *
 * Types for agent spawn commands sent via federation COMMAND messages.
 */
 /**
 * Agent type options for spawning
 */
 export type FederationAgentType = "worker" | "reviewer" | "tester";
 /**
 * Agent status returned from remote instance
 */
 export type FederationAgentStatus = "spawning" | "running" | "completed" | "failed" | "killed";
 /**
 * Context for agent execution
 */
 export interface FederationAgentContext {
  /** Git repository URL or path */
  repository: string;
  /** Git branch to work on */
  branch: string;
  /** Work items for the agent to complete */
  workItems: string[];
  /** Optional skills to load */
  skills?: string[];
  /** Optional instructions */
  instructions?: string;
 }
 /**
 * Options for spawning an agent
 */
 export interface FederationAgentOptions {
  /** Enable Docker sandbox isolation */
  sandbox?: boolean;
  /** Timeout in milliseconds */
  timeout?: number;
  /** Maximum retry attempts */
  maxRetries?: number;
 }
 /**
 * Payload for agent.spawn command
 */
 export interface SpawnAgentCommandPayload {
  /** Unique task identifier */
  taskId: string;
  /** Type of agent to spawn */
  agentType: FederationAgentType;
  /** Context for task execution */
  context: FederationAgentContext;
  /** Optional configuration */
  options?: FederationAgentOptions;
 }
 /**
 * Payload for agent.status command
 */
 export interface AgentStatusCommandPayload {
  /** Unique agent identifier */
  agentId: string;
 }
 /**
 * Payload for agent.kill command
 */
 export interface KillAgentCommandPayload {
  /** Unique agent identifier */
  agentId: string;
 }
 /**
 * Response data for agent.spawn command
 */
 export interface SpawnAgentResponseData {
  /** Unique agent identifier */
  agentId: string;
  /** Current agent status */
  status: FederationAgentStatus;
  /** Timestamp when agent was spawned */
  spawnedAt: string;
 }
 /**
 * Response data for agent.status command
 */
 export interface AgentStatusResponseData {
  /** Unique agent identifier */
  agentId: string;
  /** Task identifier */
  taskId: string;
  /** Current agent status */
  status: FederationAgentStatus;
  /** Timestamp when agent was spawned */
  spawnedAt: string;
  /** Timestamp when agent started (if running/completed) */
  startedAt?: string;
  /** Timestamp when agent completed (if completed/failed/killed) */
  completedAt?: string;
  /** Error message (if failed) */
  error?: string;
  /** Agent progress data */
  progress?: Record<string, unknown>;
 }
 /**
 * Response data for agent.kill command
 */
 export interface KillAgentResponseData {
  /** Unique agent identifier */
  agentId: string;
  /** Status after kill operation */
  status: FederationAgentStatus;
  /** Timestamp when agent was killed */
  killedAt: string;
 }
 /**
 * Details about a federated agent
 */
 export interface FederatedAgentDetails {
  /** Agent ID */
  agentId: string;
  /** Task ID */
  taskId: string;
  /** Remote instance ID where agent is running */
  remoteInstanceId: string;
  /** Connection ID used to spawn the agent */
  connectionId: string;
  /** Agent type */
  agentType: FederationAgentType;
  /** Current status */
  status: FederationAgentStatus;
  /** Spawn timestamp */
  spawnedAt: Date;
  /** Start timestamp */
  startedAt?: Date;
  /** Completion timestamp */
  completedAt?: Date;
  /** Error message if failed */
  error?: string;
  /** Context used to spawn agent */
  context: FederationAgentContext;
  /** Options used to spawn agent */
  options?: FederationAgentOptions;
 }
--- a/apps/api/src/federation/types/identity-linking.types.ts
+++ b/apps/api/src/federation/types/identity-linking.types.ts
@@ -0,0 +1,141 @@
 /**
 * Federation Identity Linking Types
 *
 * Types for cross-instance user identity verification and resolution.
 */
 /**
 * Request to verify a user's identity from a remote instance
 */
 export interface IdentityVerificationRequest {
  /** Local user ID on this instance */
  localUserId: string;
  /** Remote user ID on the originating instance */
  remoteUserId: string;
  /** Remote instance federation ID */
  remoteInstanceId: string;
  /** OIDC token for authentication */
  oidcToken: string;
  /** Request timestamp (Unix milliseconds) */
  timestamp: number;
  /** Request signature (signed by remote instance private key) */
  signature: string;
 }
 /**
 * Response from identity verification
 */
 export interface IdentityVerificationResponse {
  /** Whether the identity was verified successfully */
  verified: boolean;
  /** Local user ID (if verified) */
  localUserId?: string;
  /** Remote user ID (if verified) */
  remoteUserId?: string;
  /** Remote instance ID (if verified) */
  remoteInstanceId?: string;
  /** User's email (if verified) */
  email?: string;
  /** Error message if verification failed */
  error?: string;
 }
 /**
 * Request to resolve a remote user to a local user
 */
 export interface IdentityResolutionRequest {
  /** Remote instance federation ID */
  remoteInstanceId: string;
  /** Remote user ID to resolve */
  remoteUserId: string;
 }
 /**
 * Response from identity resolution
 */
 export interface IdentityResolutionResponse {
  /** Whether a mapping was found */
  found: boolean;
  /** Local user ID (if found) */
  localUserId?: string;
  /** Remote user ID */
  remoteUserId?: string;
  /** Remote instance ID */
  remoteInstanceId?: string;
  /** User's email (if found) */
  email?: string;
  /** Additional metadata */
  metadata?: Record<string, unknown>;
 }
 /**
 * Request to reverse resolve a local user to a remote identity
 */
 export interface ReverseIdentityResolutionRequest {
  /** Local user ID to resolve */
  localUserId: string;
  /** Remote instance federation ID */
  remoteInstanceId: string;
 }
 /**
 * Request for bulk identity resolution
 */
 export interface BulkIdentityResolutionRequest {
  /** Remote instance federation ID */
  remoteInstanceId: string;
  /** Array of remote user IDs to resolve */
  remoteUserIds: string[];
 }
 /**
 * Response for bulk identity resolution
 */
 export interface BulkIdentityResolutionResponse {
  /** Map of remoteUserId -> localUserId */
  mappings: Record<string, string>;
  /** Remote user IDs that could not be resolved */
  notFound: string[];
 }
 /**
 * DTO for creating identity mapping
 */
 export interface CreateIdentityMappingDto {
  /** Remote instance ID */
  remoteInstanceId: string;
  /** Remote user ID */
  remoteUserId: string;
  /** OIDC subject identifier */
  oidcSubject: string;
  /** User's email */
  email: string;
  /** Optional metadata */
  metadata?: Record<string, unknown>;
  /** Optional: OIDC token for validation */
  oidcToken?: string;
 }
 /**
 * DTO for updating identity mapping
 */
 export interface UpdateIdentityMappingDto {
  /** Updated metadata */
  metadata?: Record<string, unknown>;
 }
 /**
 * Identity mapping validation result
 */
 export interface IdentityMappingValidation {
  /** Whether the mapping is valid */
  valid: boolean;
  /** Local user ID (if valid) */
  localUserId?: string;
  /** Remote user ID (if valid) */
  remoteUserId?: string;
  /** Remote instance ID (if valid) */
  remoteInstanceId?: string;
  /** Error message if invalid */
  error?: string;
 }
--- a/apps/api/src/federation/types/index.ts
+++ b/apps/api/src/federation/types/index.ts
@@ -7,3 +7,6 @@
 export * from "./instance.types";
 export * from "./connection.types";
 export * from "./oidc.types";
 export * from "./identity-linking.types";
 export * from "./message.types";
 export * from "./federation-agent.types";
--- a/apps/api/src/federation/types/message.types.ts
+++ b/apps/api/src/federation/types/message.types.ts
@@ -0,0 +1,247 @@
 /**
 * Message Protocol Types
 *
 * Types for federation message protocol (QUERY, COMMAND, EVENT).
 */
 import type { FederationMessageType, FederationMessageStatus } from "@prisma/client";
 /**
 * Query message payload (sent to remote instance)
 */
 export interface QueryMessage {
  /** Unique message identifier for deduplication */
  messageId: string;
  /** Sending instance's federation ID */
  instanceId: string;
  /** Query string to execute */
  query: string;
  /** Optional context for query execution */
  context?: Record<string, unknown>;
  /** Request timestamp (Unix milliseconds) */
  timestamp: number;
  /** RSA signature of the query payload */
  signature: string;
 }
 /**
 * Query response payload
 */
 export interface QueryResponse {
  /** Unique message identifier for this response */
  messageId: string;
  /** Original query messageId (for correlation) */
  correlationId: string;
  /** Responding instance's federation ID */
  instanceId: string;
  /** Whether the query was successful */
  success: boolean;
  /** Query result data */
  data?: unknown;
  /** Error message (if success=false) */
  error?: string;
  /** Response timestamp (Unix milliseconds) */
  timestamp: number;
  /** RSA signature of the response payload */
  signature: string;
 }
 /**
 * Query message details response
 */
 export interface QueryMessageDetails {
  /** Message ID */
  id: string;
  /** Workspace ID */
  workspaceId: string;
  /** Connection ID */
  connectionId: string;
  /** Message type */
  messageType: FederationMessageType;
  /** Unique message identifier */
  messageId: string;
  /** Correlation ID (for responses) */
  correlationId?: string;
  /** Query string */
  query?: string;
  /** Response data */
  response?: unknown;
  /** Message status */
  status: FederationMessageStatus;
  /** Error message */
  error?: string;
  /** Creation timestamp */
  createdAt: Date;
  /** Last update timestamp */
  updatedAt: Date;
  /** Delivery timestamp */
  deliveredAt?: Date;
 }
 /**
 * Command message payload (sent to remote instance)
 */
 export interface CommandMessage {
  /** Unique message identifier for deduplication */
  messageId: string;
  /** Sending instance's federation ID */
  instanceId: string;
  /** Command type to execute */
  commandType: string;
  /** Command-specific payload */
  payload: Record<string, unknown>;
  /** Request timestamp (Unix milliseconds) */
  timestamp: number;
  /** RSA signature of the command payload */
  signature: string;
 }
 /**
 * Command response payload
 */
 export interface CommandResponse {
  /** Unique message identifier for this response */
  messageId: string;
  /** Original command messageId (for correlation) */
  correlationId: string;
  /** Responding instance's federation ID */
  instanceId: string;
  /** Whether the command was successful */
  success: boolean;
  /** Command result data */
  data?: unknown;
  /** Error message (if success=false) */
  error?: string;
  /** Response timestamp (Unix milliseconds) */
  timestamp: number;
  /** RSA signature of the response payload */
  signature: string;
 }
 /**
 * Command message details response
 */
 export interface CommandMessageDetails {
  /** Message ID */
  id: string;
  /** Workspace ID */
  workspaceId: string;
  /** Connection ID */
  connectionId: string;
  /** Message type */
  messageType: FederationMessageType;
  /** Unique message identifier */
  messageId: string;
  /** Correlation ID (for responses) */
  correlationId?: string;
  /** Command type */
  commandType?: string;
  /** Command payload */
  payload?: Record<string, unknown>;
  /** Response data */
  response?: unknown;
  /** Message status */
  status: FederationMessageStatus;
  /** Error message */
  error?: string;
  /** Creation timestamp */
  createdAt: Date;
  /** Last update timestamp */
  updatedAt: Date;
  /** Delivery timestamp */
  deliveredAt?: Date;
 }
 /**
 * Event message payload (sent to remote instance)
 */
 export interface EventMessage {
  /** Unique message identifier for deduplication */
  messageId: string;
  /** Sending instance's federation ID */
  instanceId: string;
  /** Event type (e.g., "task.created", "user.updated") */
  eventType: string;
  /** Event-specific payload */
  payload: Record<string, unknown>;
  /** Request timestamp (Unix milliseconds) */
  timestamp: number;
  /** RSA signature of the event payload */
  signature: string;
 }
 /**
 * Event acknowledgment payload
 */
 export interface EventAck {
  /** Unique message identifier for this acknowledgment */
  messageId: string;
  /** Original event messageId (for correlation) */
  correlationId: string;
  /** Acknowledging instance's federation ID */
  instanceId: string;
  /** Whether the event was received successfully */
  received: boolean;
  /** Error message (if received=false) */
  error?: string;
  /** Acknowledgment timestamp (Unix milliseconds) */
  timestamp: number;
  /** RSA signature of the acknowledgment payload */
  signature: string;
 }
 /**
 * Event message details response
 */
 export interface EventMessageDetails {
  /** Message ID */
  id: string;
  /** Workspace ID */
  workspaceId: string;
  /** Connection ID */
  connectionId: string;
  /** Message type */
  messageType: FederationMessageType;
  /** Unique message identifier */
  messageId: string;
  /** Correlation ID (for acknowledgments) */
  correlationId?: string;
  /** Event type */
  eventType?: string;
  /** Event payload */
  payload?: Record<string, unknown>;
  /** Response data */
  response?: unknown;
  /** Message status */
  status: FederationMessageStatus;
  /** Error message */
  error?: string;
  /** Creation timestamp */
  createdAt: Date;
  /** Last update timestamp */
  updatedAt: Date;
  /** Delivery timestamp */
  deliveredAt?: Date;
 }
 /**
 * Event subscription details
 */
 export interface SubscriptionDetails {
  /** Subscription ID */
  id: string;
  /** Workspace ID */
  workspaceId: string;
  /** Connection ID */
  connectionId: string;
  /** Event type subscribed to */
  eventType: string;
  /** Additional metadata */
  metadata: Record<string, unknown>;
  /** Whether subscription is active */
  isActive: boolean;
  /** Creation timestamp */
  createdAt: Date;
  /** Last update timestamp */
  updatedAt: Date;
 }
--- a/apps/api/src/herald/herald.service.spec.ts
+++ b/apps/api/src/herald/herald.service.spec.ts
@@ -375,9 +375,7 @@ describe("HeraldService", () => {
      mockDiscord.sendThreadMessage.mockRejectedValue(discordError);
      // Act & Assert
-      await expect(service.broadcastJobEvent(jobId, event)).rejects.toThrow(
+      await expect(service.broadcastJobEvent(jobId, event)).rejects.toThrow("Rate limit exceeded");
        "Rate limit exceeded"
      );
    });
    it("should propagate errors when fetching job events fails", async () => {
@@ -405,9 +403,7 @@ describe("HeraldService", () => {
      mockDiscord.isConnected.mockReturnValue(true);
      // Act & Assert
-      await expect(service.broadcastJobEvent(jobId, event)).rejects.toThrow(
+      await expect(service.broadcastJobEvent(jobId, event)).rejects.toThrow("Query timeout");
        "Query timeout"
      );
    });
    it("should include job context in error messages", async () => {
--- a/apps/api/src/knowledge/graph.controller.spec.ts
+++ b/apps/api/src/knowledge/graph.controller.spec.ts
@@ -146,9 +146,9 @@ describe("KnowledgeGraphController", () => {
    it("should throw error if entry not found", async () => {
      mockGraphService.getEntryGraphBySlug.mockRejectedValue(new Error("Entry not found"));
-      await expect(
+      await expect(controller.getEntryGraph("workspace-1", "non-existent", {})).rejects.toThrow(
-        controller.getEntryGraph("workspace-1", "non-existent", {})
+        "Entry not found"
-      ).rejects.toThrow("Entry not found");
+      );
    });
  });
 });
--- a/apps/api/src/knowledge/services/cache.service.spec.ts
+++ b/apps/api/src/knowledge/services/cache.service.spec.ts
@@ -1,17 +1,17 @@
-import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
-import { Test, TestingModule } from '@nestjs/testing';
+import { Test, TestingModule } from "@nestjs/testing";
-import { KnowledgeCacheService } from './cache.service';
+import { KnowledgeCacheService } from "./cache.service";
 // Integration tests - require running Valkey instance
 // Skip in unit test runs, enable with: INTEGRATION_TESTS=true pnpm test
-describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
+describe.skipIf(!process.env.INTEGRATION_TESTS)("KnowledgeCacheService", () => {
  let service: KnowledgeCacheService;
  beforeEach(async () => {
    // Set environment variables for testing
-    process.env.KNOWLEDGE_CACHE_ENABLED = 'true';
+    process.env.KNOWLEDGE_CACHE_ENABLED = "true";
-    process.env.KNOWLEDGE_CACHE_TTL = '300';
+    process.env.KNOWLEDGE_CACHE_TTL = "300";
-    process.env.VALKEY_URL = 'redis://localhost:6379';
+    process.env.VALKEY_URL = "redis://localhost:6379";
    const module: TestingModule = await Test.createTestingModule({
      providers: [KnowledgeCacheService],
@@ -27,35 +27,35 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
    }
  });
-  describe('Cache Enabled/Disabled', () => {
+  describe("Cache Enabled/Disabled", () => {
-    it('should be enabled by default', () => {
+    it("should be enabled by default", () => {
      expect(service.isEnabled()).toBe(true);
    });
-    it('should be disabled when KNOWLEDGE_CACHE_ENABLED=false', async () => {
+    it("should be disabled when KNOWLEDGE_CACHE_ENABLED=false", async () => {
-      process.env.KNOWLEDGE_CACHE_ENABLED = 'false';
+      process.env.KNOWLEDGE_CACHE_ENABLED = "false";
      const module = await Test.createTestingModule({
        providers: [KnowledgeCacheService],
      }).compile();
      const disabledService = module.get<KnowledgeCacheService>(KnowledgeCacheService);
-      
+
      expect(disabledService.isEnabled()).toBe(false);
    });
  });
-  describe('Entry Caching', () => {
+  describe("Entry Caching", () => {
-    const workspaceId = 'test-workspace-id';
+    const workspaceId = "test-workspace-id";
-    const slug = 'test-entry';
+    const slug = "test-entry";
    const entryData = {
-      id: 'entry-id',
+      id: "entry-id",
      workspaceId,
      slug,
-      title: 'Test Entry',
+      title: "Test Entry",
-      content: 'Test content',
+      content: "Test content",
      tags: [],
    };
-    it('should return null on cache miss', async () => {
+    it("should return null on cache miss", async () => {
      if (!service.isEnabled()) {
        return; // Skip if cache is disabled
      }
@@ -65,206 +65,206 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
      expect(result).toBeNull();
    });
-    it('should cache and retrieve entry data', async () => {
+    it("should cache and retrieve entry data", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
      // Set cache
      await service.setEntry(workspaceId, slug, entryData);
-      
+
      // Get from cache
      const result = await service.getEntry(workspaceId, slug);
      expect(result).toEqual(entryData);
    });
-    it('should invalidate entry cache', async () => {
+    it("should invalidate entry cache", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
      // Set cache
      await service.setEntry(workspaceId, slug, entryData);
-      
+
      // Verify it's cached
      let result = await service.getEntry(workspaceId, slug);
      expect(result).toEqual(entryData);
-      
+
      // Invalidate
      await service.invalidateEntry(workspaceId, slug);
-      
+
      // Verify it's gone
      result = await service.getEntry(workspaceId, slug);
      expect(result).toBeNull();
    });
  });
-  describe('Search Caching', () => {
+  describe("Search Caching", () => {
-    const workspaceId = 'test-workspace-id';
+    const workspaceId = "test-workspace-id";
-    const query = 'test search';
+    const query = "test search";
-    const filters = { status: 'PUBLISHED', page: 1, limit: 20 };
+    const filters = { status: "PUBLISHED", page: 1, limit: 20 };
    const searchResults = {
      data: [],
      pagination: { page: 1, limit: 20, total: 0, totalPages: 0 },
      query,
    };
-    it('should cache and retrieve search results', async () => {
+    it("should cache and retrieve search results", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
      // Set cache
      await service.setSearch(workspaceId, query, filters, searchResults);
-      
+
      // Get from cache
      const result = await service.getSearch(workspaceId, query, filters);
      expect(result).toEqual(searchResults);
    });
-    it('should differentiate search results by filters', async () => {
+    it("should differentiate search results by filters", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
      const filters1 = { page: 1, limit: 20 };
      const filters2 = { page: 2, limit: 20 };
-      
+
      const results1 = { ...searchResults, pagination: { ...searchResults.pagination, page: 1 } };
      const results2 = { ...searchResults, pagination: { ...searchResults.pagination, page: 2 } };
-      
+
      await service.setSearch(workspaceId, query, filters1, results1);
      await service.setSearch(workspaceId, query, filters2, results2);
-      
+
      const result1 = await service.getSearch(workspaceId, query, filters1);
      const result2 = await service.getSearch(workspaceId, query, filters2);
-      
+
      expect(result1.pagination.page).toBe(1);
      expect(result2.pagination.page).toBe(2);
    });
-    it('should invalidate all search caches for workspace', async () => {
+    it("should invalidate all search caches for workspace", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
      // Set multiple search caches
-      await service.setSearch(workspaceId, 'query1', {}, searchResults);
+      await service.setSearch(workspaceId, "query1", {}, searchResults);
-      await service.setSearch(workspaceId, 'query2', {}, searchResults);
+      await service.setSearch(workspaceId, "query2", {}, searchResults);
-      
+
      // Invalidate all
      await service.invalidateSearches(workspaceId);
-      
+
      // Verify both are gone
-      const result1 = await service.getSearch(workspaceId, 'query1', {});
+      const result1 = await service.getSearch(workspaceId, "query1", {});
-      const result2 = await service.getSearch(workspaceId, 'query2', {});
+      const result2 = await service.getSearch(workspaceId, "query2", {});
-      
+
      expect(result1).toBeNull();
      expect(result2).toBeNull();
    });
  });
-  describe('Graph Caching', () => {
+  describe("Graph Caching", () => {
-    const workspaceId = 'test-workspace-id';
+    const workspaceId = "test-workspace-id";
-    const entryId = 'entry-id';
+    const entryId = "entry-id";
    const maxDepth = 2;
    const graphData = {
-      centerNode: { id: entryId, slug: 'test', title: 'Test', tags: [], depth: 0 },
+      centerNode: { id: entryId, slug: "test", title: "Test", tags: [], depth: 0 },
      nodes: [],
      edges: [],
      stats: { totalNodes: 1, totalEdges: 0, maxDepth },
    };
-    it('should cache and retrieve graph data', async () => {
+    it("should cache and retrieve graph data", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
      // Set cache
      await service.setGraph(workspaceId, entryId, maxDepth, graphData);
-      
+
      // Get from cache
      const result = await service.getGraph(workspaceId, entryId, maxDepth);
      expect(result).toEqual(graphData);
    });
-    it('should differentiate graphs by maxDepth', async () => {
+    it("should differentiate graphs by maxDepth", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
      const graph1 = { ...graphData, stats: { ...graphData.stats, maxDepth: 1 } };
      const graph2 = { ...graphData, stats: { ...graphData.stats, maxDepth: 2 } };
-      
+
      await service.setGraph(workspaceId, entryId, 1, graph1);
      await service.setGraph(workspaceId, entryId, 2, graph2);
-      
+
      const result1 = await service.getGraph(workspaceId, entryId, 1);
      const result2 = await service.getGraph(workspaceId, entryId, 2);
-      
+
      expect(result1.stats.maxDepth).toBe(1);
      expect(result2.stats.maxDepth).toBe(2);
    });
-    it('should invalidate all graph caches for workspace', async () => {
+    it("should invalidate all graph caches for workspace", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
      // Set cache
      await service.setGraph(workspaceId, entryId, maxDepth, graphData);
-      
+
      // Invalidate
      await service.invalidateGraphs(workspaceId);
-      
+
      // Verify it's gone
      const result = await service.getGraph(workspaceId, entryId, maxDepth);
      expect(result).toBeNull();
    });
  });
-  describe('Cache Statistics', () => {
+  describe("Cache Statistics", () => {
-    it('should track hits and misses', async () => {
+    it("should track hits and misses", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
-      const workspaceId = 'test-workspace-id';
+      const workspaceId = "test-workspace-id";
-      const slug = 'test-entry';
+      const slug = "test-entry";
-      const entryData = { id: '1', slug, title: 'Test' };
+      const entryData = { id: "1", slug, title: "Test" };
-      
+
      // Reset stats
      service.resetStats();
-      
+
      // Miss
      await service.getEntry(workspaceId, slug);
      let stats = service.getStats();
      expect(stats.misses).toBe(1);
      expect(stats.hits).toBe(0);
-      
+
      // Set
      await service.setEntry(workspaceId, slug, entryData);
      stats = service.getStats();
      expect(stats.sets).toBe(1);
-      
+
      // Hit
      await service.getEntry(workspaceId, slug);
      stats = service.getStats();
@@ -272,21 +272,21 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
      expect(stats.hitRate).toBeCloseTo(0.5); // 1 hit, 1 miss = 50%
    });
-    it('should reset statistics', async () => {
+    it("should reset statistics", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
-      const workspaceId = 'test-workspace-id';
+      const workspaceId = "test-workspace-id";
-      const slug = 'test-entry';
+      const slug = "test-entry";
-      
+
      await service.getEntry(workspaceId, slug); // miss
-      
+
      service.resetStats();
      const stats = service.getStats();
-      
+
      expect(stats.hits).toBe(0);
      expect(stats.misses).toBe(0);
      expect(stats.sets).toBe(0);
@@ -295,29 +295,29 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)('KnowledgeCacheService', () => {
    });
  });
-  describe('Clear Workspace Cache', () => {
+  describe("Clear Workspace Cache", () => {
-    it('should clear all caches for a workspace', async () => {
+    it("should clear all caches for a workspace", async () => {
      if (!service.isEnabled()) {
        return;
      }
      await service.onModuleInit();
-      
+
-      const workspaceId = 'test-workspace-id';
+      const workspaceId = "test-workspace-id";
-      
+
      // Set various caches
-      await service.setEntry(workspaceId, 'entry1', { id: '1' });
+      await service.setEntry(workspaceId, "entry1", { id: "1" });
-      await service.setSearch(workspaceId, 'query', {}, { data: [] });
+      await service.setSearch(workspaceId, "query", {}, { data: [] });
-      await service.setGraph(workspaceId, 'entry-id', 1, { nodes: [] });
+      await service.setGraph(workspaceId, "entry-id", 1, { nodes: [] });
-      
+
      // Clear all
      await service.clearWorkspaceCache(workspaceId);
-      
+
      // Verify all are gone
-      const entry = await service.getEntry(workspaceId, 'entry1');
+      const entry = await service.getEntry(workspaceId, "entry1");
-      const search = await service.getSearch(workspaceId, 'query', {});
+      const search = await service.getSearch(workspaceId, "query", {});
-      const graph = await service.getGraph(workspaceId, 'entry-id', 1);
+      const graph = await service.getGraph(workspaceId, "entry-id", 1);
-      
+
      expect(entry).toBeNull();
      expect(search).toBeNull();
      expect(graph).toBeNull();
--- a/apps/api/src/knowledge/services/graph.service.spec.ts
+++ b/apps/api/src/knowledge/services/graph.service.spec.ts
@@ -271,9 +271,7 @@ describe("GraphService", () => {
    });
    it("should filter by status", async () => {
-      const entries = [
+      const entries = [{ ...mockEntry, id: "entry-1", status: "PUBLISHED", tags: [] }];
        { ...mockEntry, id: "entry-1", status: "PUBLISHED", tags: [] },
      ];
      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue(entries);
      mockPrismaService.knowledgeLink.findMany.mockResolvedValue([]);
@@ -351,9 +349,7 @@ describe("GraphService", () => {
        { id: "entry-1", slug: "entry-1", title: "Entry 1", link_count: "5" },
        { id: "entry-2", slug: "entry-2", title: "Entry 2", link_count: "3" },
      ]);
-      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue([
+      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue([{ id: "orphan-1" }]);
        { id: "orphan-1" },
      ]);
      const result = await service.getGraphStats("workspace-1");
--- a/apps/api/src/knowledge/services/import-export.service.spec.ts
+++ b/apps/api/src/knowledge/services/import-export.service.spec.ts
@@ -170,9 +170,9 @@ This is the content of the entry.`;
        path: "",
      };
-      await expect(
+      await expect(service.importEntries(workspaceId, userId, file)).rejects.toThrow(
-        service.importEntries(workspaceId, userId, file)
+        BadRequestException
-      ).rejects.toThrow(BadRequestException);
+      );
    });
    it("should handle import errors gracefully", async () => {
@@ -195,9 +195,7 @@ Content`;
        path: "",
      };
-      mockKnowledgeService.create.mockRejectedValue(
+      mockKnowledgeService.create.mockRejectedValue(new Error("Database error"));
        new Error("Database error")
      );
      const result = await service.importEntries(workspaceId, userId, file);
@@ -240,10 +238,7 @@ title: Empty Entry
    it("should export entries as markdown format", async () => {
      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue([mockEntry]);
-      const result = await service.exportEntries(
+      const result = await service.exportEntries(workspaceId, ExportFormat.MARKDOWN);
        workspaceId,
        ExportFormat.MARKDOWN
      );
      expect(result.filename).toMatch(/knowledge-export-\d{4}-\d{2}-\d{2}\.zip/);
      expect(result.stream).toBeDefined();
@@ -289,9 +284,9 @@ title: Empty Entry
    it("should throw error when no entries found", async () => {
      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue([]);
-      await expect(
+      await expect(service.exportEntries(workspaceId, ExportFormat.MARKDOWN)).rejects.toThrow(
-        service.exportEntries(workspaceId, ExportFormat.MARKDOWN)
+        BadRequestException
-      ).rejects.toThrow(BadRequestException);
+      );
    });
  });
 });
--- a/apps/api/src/knowledge/services/link-resolution.service.spec.ts
+++ b/apps/api/src/knowledge/services/link-resolution.service.spec.ts
@@ -88,27 +88,20 @@ describe("LinkResolutionService", () => {
  describe("resolveLink", () => {
    describe("Exact title match", () => {
      it("should resolve link by exact title match", async () => {
-        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(
+        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(mockEntries[0]);
          mockEntries[0]
        );
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "TypeScript Guide");
          workspaceId,
          "TypeScript Guide"
        );
        expect(result).toBe("entry-1");
-        expect(mockPrismaService.knowledgeEntry.findFirst).toHaveBeenCalledWith(
+        expect(mockPrismaService.knowledgeEntry.findFirst).toHaveBeenCalledWith({
-          {
+          where: {
-            where: {
+            workspaceId,
-              workspaceId,
+            title: "TypeScript Guide",
-              title: "TypeScript Guide",
+          },
-            },
+          select: {
-            select: {
+            id: true,
-              id: true,
+          },
-            },
+        });
          }
        );
      });
      it("should be case-sensitive for exact title match", async () => {
@@ -116,10 +109,7 @@ describe("LinkResolutionService", () => {
        mockPrismaService.knowledgeEntry.findUnique.mockResolvedValueOnce(null);
        mockPrismaService.knowledgeEntry.findMany.mockResolvedValueOnce([]);
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "typescript guide");
          workspaceId,
          "typescript guide"
        );
        expect(result).toBeNull();
      });
@@ -128,41 +118,29 @@ describe("LinkResolutionService", () => {
    describe("Slug match", () => {
      it("should resolve link by slug", async () => {
        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(null);
-        mockPrismaService.knowledgeEntry.findUnique.mockResolvedValueOnce(
+        mockPrismaService.knowledgeEntry.findUnique.mockResolvedValueOnce(mockEntries[0]);
          mockEntries[0]
        );
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "typescript-guide");
          workspaceId,
          "typescript-guide"
        );
        expect(result).toBe("entry-1");
-        expect(mockPrismaService.knowledgeEntry.findUnique).toHaveBeenCalledWith(
+        expect(mockPrismaService.knowledgeEntry.findUnique).toHaveBeenCalledWith({
-          {
+          where: {
-            where: {
+            workspaceId_slug: {
-              workspaceId_slug: {
+              workspaceId,
-                workspaceId,
+              slug: "typescript-guide",
                slug: "typescript-guide",
              },
            },
-            select: {
+          },
-              id: true,
+          select: {
-            },
+            id: true,
-          }
+          },
-        );
+        });
      });
      it("should prioritize exact title match over slug match", async () => {
        // If exact title matches, slug should not be checked
-        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(
+        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(mockEntries[0]);
          mockEntries[0]
        );
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "TypeScript Guide");
          workspaceId,
          "TypeScript Guide"
        );
        expect(result).toBe("entry-1");
        expect(mockPrismaService.knowledgeEntry.findUnique).not.toHaveBeenCalled();
@@ -173,14 +151,9 @@ describe("LinkResolutionService", () => {
      it("should resolve link by case-insensitive fuzzy match", async () => {
        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(null);
        mockPrismaService.knowledgeEntry.findUnique.mockResolvedValueOnce(null);
-        mockPrismaService.knowledgeEntry.findMany.mockResolvedValueOnce([
+        mockPrismaService.knowledgeEntry.findMany.mockResolvedValueOnce([mockEntries[0]]);
          mockEntries[0],
        ]);
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "typescript guide");
          workspaceId,
          "typescript guide"
        );
        expect(result).toBe("entry-1");
        expect(mockPrismaService.knowledgeEntry.findMany).toHaveBeenCalledWith({
@@ -216,10 +189,7 @@ describe("LinkResolutionService", () => {
        mockPrismaService.knowledgeEntry.findUnique.mockResolvedValueOnce(null);
        mockPrismaService.knowledgeEntry.findMany.mockResolvedValueOnce([]);
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "Non-existent Entry");
          workspaceId,
          "Non-existent Entry"
        );
        expect(result).toBeNull();
      });
@@ -266,14 +236,9 @@ describe("LinkResolutionService", () => {
      });
      it("should trim whitespace from target before resolving", async () => {
-        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(
+        mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(mockEntries[0]);
          mockEntries[0]
        );
-        const result = await service.resolveLink(
+        const result = await service.resolveLink(workspaceId, "  TypeScript Guide  ");
          workspaceId,
          "  TypeScript Guide  "
        );
        expect(result).toBe("entry-1");
        expect(mockPrismaService.knowledgeEntry.findFirst).toHaveBeenCalledWith(
@@ -291,23 +256,19 @@ describe("LinkResolutionService", () => {
    it("should resolve multiple links in batch", async () => {
      // First link: "TypeScript Guide" -> exact title match
      // Second link: "react-hooks" -> slug match
-      mockPrismaService.knowledgeEntry.findFirst.mockImplementation(
+      mockPrismaService.knowledgeEntry.findFirst.mockImplementation(async ({ where }: any) => {
-        async ({ where }: any) => {
+        if (where.title === "TypeScript Guide") {
-          if (where.title === "TypeScript Guide") {
+          return mockEntries[0];
            return mockEntries[0];
          }
          return null;
        }
-      );
+        return null;
      });
-      mockPrismaService.knowledgeEntry.findUnique.mockImplementation(
+      mockPrismaService.knowledgeEntry.findUnique.mockImplementation(async ({ where }: any) => {
-        async ({ where }: any) => {
+        if (where.workspaceId_slug?.slug === "react-hooks") {
-          if (where.workspaceId_slug?.slug === "react-hooks") {
+          return mockEntries[1];
            return mockEntries[1];
          }
          return null;
        }
-      );
+        return null;
      });
      mockPrismaService.knowledgeEntry.findMany.mockResolvedValue([]);
@@ -344,9 +305,7 @@ describe("LinkResolutionService", () => {
    });
    it("should deduplicate targets", async () => {
-      mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(
+      mockPrismaService.knowledgeEntry.findFirst.mockResolvedValueOnce(mockEntries[0]);
        mockEntries[0]
      );
      const result = await service.resolveLinks(workspaceId, [
        "TypeScript Guide",
@@ -357,9 +316,7 @@ describe("LinkResolutionService", () => {
        "TypeScript Guide": "entry-1",
      });
      // Should only be called once for the deduplicated target
-      expect(mockPrismaService.knowledgeEntry.findFirst).toHaveBeenCalledTimes(
+      expect(mockPrismaService.knowledgeEntry.findFirst).toHaveBeenCalledTimes(1);
        1
      );
    });
  });
@@ -370,10 +327,7 @@ describe("LinkResolutionService", () => {
        { id: "entry-3", title: "React Hooks Advanced" },
      ]);
-      const result = await service.getAmbiguousMatches(
+      const result = await service.getAmbiguousMatches(workspaceId, "react hooks");
        workspaceId,
        "react hooks"
      );
      expect(result).toHaveLength(2);
      expect(result).toEqual([
@@ -385,10 +339,7 @@ describe("LinkResolutionService", () => {
    it("should return empty array when no matches found", async () => {
      mockPrismaService.knowledgeEntry.findMany.mockResolvedValueOnce([]);
-      const result = await service.getAmbiguousMatches(
+      const result = await service.getAmbiguousMatches(workspaceId, "Non-existent");
        workspaceId,
        "Non-existent"
      );
      expect(result).toEqual([]);
    });
@@ -398,10 +349,7 @@ describe("LinkResolutionService", () => {
        { id: "entry-1", title: "TypeScript Guide" },
      ]);
-      const result = await service.getAmbiguousMatches(
+      const result = await service.getAmbiguousMatches(workspaceId, "typescript guide");
        workspaceId,
        "typescript guide"
      );
      expect(result).toHaveLength(1);
    });
@@ -409,8 +357,7 @@ describe("LinkResolutionService", () => {
  describe("resolveLinksFromContent", () => {
    it("should parse and resolve wiki links from content", async () => {
-      const content =
+      const content = "Check out [[TypeScript Guide]] and [[React Hooks]] for more info.";
        "Check out [[TypeScript Guide]] and [[React Hooks]] for more info.";
      // Mock resolveLink for each target
      mockPrismaService.knowledgeEntry.findFirst
@@ -522,9 +469,7 @@ describe("LinkResolutionService", () => {
        },
      ];
-      mockPrismaService.knowledgeLink.findMany.mockResolvedValueOnce(
+      mockPrismaService.knowledgeLink.findMany.mockResolvedValueOnce(mockBacklinks);
        mockBacklinks
      );
      const result = await service.getBacklinks(targetEntryId);
--- a/apps/api/src/knowledge/services/semantic-search.integration.spec.ts
+++ b/apps/api/src/knowledge/services/semantic-search.integration.spec.ts
@@ -26,7 +26,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
    // Initialize services
    prisma = new PrismaClient();
    const prismaService = prisma as unknown as PrismaService;
-    
+
    // Mock cache service for testing
    cacheService = {
      getSearch: async () => null,
@@ -37,11 +37,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
    } as unknown as KnowledgeCacheService;
    embeddingService = new EmbeddingService(prismaService);
-    searchService = new SearchService(
+    searchService = new SearchService(prismaService, cacheService, embeddingService);
      prismaService,
      cacheService,
      embeddingService
    );
    // Create test workspace and user
    const workspace = await prisma.workspace.create({
@@ -84,10 +80,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
      const title = "Introduction to PostgreSQL";
      const content = "PostgreSQL is a powerful open-source database.";
-      const prepared = embeddingService.prepareContentForEmbedding(
+      const prepared = embeddingService.prepareContentForEmbedding(title, content);
        title,
        content
      );
      // Title should appear twice for weighting
      expect(prepared).toContain(title);
@@ -122,10 +115,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
    it("should skip semantic search if OpenAI not configured", async () => {
      if (!embeddingService.isConfigured()) {
        await expect(
-          searchService.semanticSearch(
+          searchService.semanticSearch("database performance", testWorkspaceId)
            "database performance",
            testWorkspaceId
          )
        ).rejects.toThrow();
      } else {
        // If configured, this is expected to work (tested below)
@@ -156,10 +146,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
            entry.title,
            entry.content
          );
-          await embeddingService.generateAndStoreEmbedding(
+          await embeddingService.generateAndStoreEmbedding(created.id, preparedContent);
            created.id,
            preparedContent
          );
        }
        // Wait a bit for embeddings to be stored
@@ -175,9 +162,7 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
        expect(results.data.length).toBeGreaterThan(0);
        // PostgreSQL entry should rank high for "relational database"
-        const postgresEntry = results.data.find(
+        const postgresEntry = results.data.find((r) => r.slug === "postgresql-intro");
          (r) => r.slug === "postgresql-intro"
        );
        expect(postgresEntry).toBeDefined();
        expect(postgresEntry!.rank).toBeGreaterThan(0);
      },
@@ -187,18 +172,13 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
    it.skipIf(!process.env["OPENAI_API_KEY"])(
      "should perform hybrid search combining vector and keyword",
      async () => {
-        const results = await searchService.hybridSearch(
+        const results = await searchService.hybridSearch("indexing", testWorkspaceId);
          "indexing",
          testWorkspaceId
        );
        // Should return results
        expect(results.data.length).toBeGreaterThan(0);
        // Should find the indexing entry
-        const indexingEntry = results.data.find(
+        const indexingEntry = results.data.find((r) => r.slug === "database-indexing");
          (r) => r.slug === "database-indexing"
        );
        expect(indexingEntry).toBeDefined();
      },
      30000
@@ -230,15 +210,10 @@ describe.skipIf(!process.env.INTEGRATION_TESTS)("Semantic Search Integration", (
        // Batch generate embeddings
        const entriesForEmbedding = entries.map((e) => ({
          id: e.id,
-          content: embeddingService.prepareContentForEmbedding(
+          content: embeddingService.prepareContentForEmbedding(e.title, e.content),
            e.title,
            e.content
          ),
        }));
-        const successCount = await embeddingService.batchGenerateEmbeddings(
+        const successCount = await embeddingService.batchGenerateEmbeddings(entriesForEmbedding);
          entriesForEmbedding
        );
        expect(successCount).toBe(3);
--- a/apps/api/src/knowledge/tags.controller.spec.ts
+++ b/apps/api/src/knowledge/tags.controller.spec.ts
@@ -48,10 +48,7 @@ describe("TagsController", () => {
      const result = await controller.create(createDto, workspaceId);
      expect(result).toEqual(mockTag);
-      expect(mockTagsService.create).toHaveBeenCalledWith(
+      expect(mockTagsService.create).toHaveBeenCalledWith(workspaceId, createDto);
        workspaceId,
        createDto
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
@@ -108,10 +105,7 @@ describe("TagsController", () => {
      const result = await controller.findOne("architecture", workspaceId);
      expect(result).toEqual(mockTagWithCount);
-      expect(mockTagsService.findOne).toHaveBeenCalledWith(
+      expect(mockTagsService.findOne).toHaveBeenCalledWith("architecture", workspaceId);
        "architecture",
        workspaceId
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
@@ -138,18 +132,10 @@ describe("TagsController", () => {
      mockTagsService.update.mockResolvedValue(updatedTag);
-      const result = await controller.update(
+      const result = await controller.update("architecture", updateDto, workspaceId);
        "architecture",
        updateDto,
        workspaceId
      );
      expect(result).toEqual(updatedTag);
-      expect(mockTagsService.update).toHaveBeenCalledWith(
+      expect(mockTagsService.update).toHaveBeenCalledWith("architecture", workspaceId, updateDto);
        "architecture",
        workspaceId,
        updateDto
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
@@ -171,10 +157,7 @@ describe("TagsController", () => {
      await controller.remove("architecture", workspaceId);
-      expect(mockTagsService.remove).toHaveBeenCalledWith(
+      expect(mockTagsService.remove).toHaveBeenCalledWith("architecture", workspaceId);
        "architecture",
        workspaceId
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
@@ -206,10 +189,7 @@ describe("TagsController", () => {
      const result = await controller.getEntries("architecture", workspaceId);
      expect(result).toEqual(mockEntries);
-      expect(mockTagsService.getEntriesWithTag).toHaveBeenCalledWith(
+      expect(mockTagsService.getEntriesWithTag).toHaveBeenCalledWith("architecture", workspaceId);
        "architecture",
        workspaceId
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
--- a/apps/api/src/knowledge/tags.service.spec.ts
+++ b/apps/api/src/knowledge/tags.service.spec.ts
@@ -2,11 +2,7 @@ import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { TagsService } from "./tags.service";
 import { PrismaService } from "../prisma/prisma.service";
-import {
+import { NotFoundException, ConflictException, BadRequestException } from "@nestjs/common";
  NotFoundException,
  ConflictException,
  BadRequestException,
 } from "@nestjs/common";
 import type { CreateTagDto, UpdateTagDto } from "./dto";
 describe("TagsService", () => {
@@ -113,9 +109,7 @@ describe("TagsService", () => {
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(mockTag);
-      await expect(service.create(workspaceId, createDto)).rejects.toThrow(
+      await expect(service.create(workspaceId, createDto)).rejects.toThrow(ConflictException);
        ConflictException
      );
    });
    it("should throw BadRequestException for invalid slug format", async () => {
@@ -124,9 +118,7 @@ describe("TagsService", () => {
        slug: "Invalid_Slug!",
      };
-      await expect(service.create(workspaceId, createDto)).rejects.toThrow(
+      await expect(service.create(workspaceId, createDto)).rejects.toThrow(BadRequestException);
        BadRequestException
      );
    });
    it("should generate slug from name with spaces and special chars", async () => {
@@ -135,12 +127,10 @@ describe("TagsService", () => {
      };
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(null);
-      mockPrismaService.knowledgeTag.create.mockImplementation(
+      mockPrismaService.knowledgeTag.create.mockImplementation(async ({ data }: any) => ({
-        async ({ data }: any) => ({
+        ...mockTag,
-          ...mockTag,
+        slug: data.slug,
-          slug: data.slug,
+      }));
        })
      );
      const result = await service.create(workspaceId, createDto);
@@ -183,9 +173,7 @@ describe("TagsService", () => {
  describe("findOne", () => {
    it("should return a tag by slug", async () => {
      const mockTagWithCount = { ...mockTag, _count: { entries: 5 } };
-      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(
+      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(mockTagWithCount);
        mockTagWithCount
      );
      const result = await service.findOne("architecture", workspaceId);
@@ -208,9 +196,7 @@ describe("TagsService", () => {
    it("should throw NotFoundException if tag not found", async () => {
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.findOne("nonexistent", workspaceId)).rejects.toThrow(NotFoundException);
        service.findOne("nonexistent", workspaceId)
      ).rejects.toThrow(NotFoundException);
    });
  });
@@ -245,9 +231,9 @@ describe("TagsService", () => {
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.update("nonexistent", workspaceId, updateDto)).rejects.toThrow(
-        service.update("nonexistent", workspaceId, updateDto)
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
    it("should throw ConflictException if new slug conflicts", async () => {
@@ -263,9 +249,9 @@ describe("TagsService", () => {
          slug: "design",
        } as any);
-      await expect(
+      await expect(service.update("architecture", workspaceId, updateDto)).rejects.toThrow(
-        service.update("architecture", workspaceId, updateDto)
+        ConflictException
-      ).rejects.toThrow(ConflictException);
+      );
    });
  });
@@ -292,9 +278,7 @@ describe("TagsService", () => {
    it("should throw NotFoundException if tag not found", async () => {
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.remove("nonexistent", workspaceId)).rejects.toThrow(NotFoundException);
        service.remove("nonexistent", workspaceId)
      ).rejects.toThrow(NotFoundException);
    });
  });
@@ -398,9 +382,9 @@ describe("TagsService", () => {
      mockPrismaService.knowledgeTag.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.findOrCreateTags(workspaceId, slugs, false)).rejects.toThrow(
-        service.findOrCreateTags(workspaceId, slugs, false)
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
  });
 });
--- a/apps/api/src/knowledge/utils/README.md
+++ b/apps/api/src/knowledge/utils/README.md
@@ -17,9 +17,9 @@ The `wiki-link-parser.ts` utility provides parsing of wiki-style `[[links]]` fro
 ### Usage
 ```typescript
-import { parseWikiLinks } from './utils/wiki-link-parser';
+import { parseWikiLinks } from "./utils/wiki-link-parser";
-const content = 'See [[Main Page]] and [[Getting Started|start here]].';
+const content = "See [[Main Page]] and [[Getting Started|start here]].";
 const links = parseWikiLinks(content);
 // Result:
@@ -44,32 +44,41 @@ const links = parseWikiLinks(content);
 ### Supported Link Formats
 #### Basic Link (by title)
 ```markdown
 [[Page Name]]
 ```
 Links to a page by its title. Display text will be "Page Name".
 #### Link with Display Text
 ```markdown
 [[Page Name|custom display]]
 ```
 Links to "Page Name" but displays "custom display".
 #### Link by Slug
 ```markdown
 [[page-slug-name]]
 ```
 Links to a page by its URL slug (kebab-case).
 ### Edge Cases
 #### Nested Brackets
 ```markdown
-[[Page [with] brackets]]  ✓ Parsed correctly
+[[Page [with] brackets]] ✓ Parsed correctly
 ```
 Single brackets inside link text are allowed.
 #### Code Blocks (Not Parsed)
 ```markdown
 Use `[[WikiLink]]` syntax for linking.
@@ -77,36 +86,41 @@ Use `[[WikiLink]]` syntax for linking.
 const link = "[[not parsed]]";
 \`\`\`
 ```
 Links inside inline code or fenced code blocks are ignored.
 #### Escaped Brackets
 ```markdown
 \[[not a link]] but [[real link]] works
 ```
 Escaped brackets are not parsed as links.
 #### Empty or Invalid Links
 ```markdown
 [[]]           ✗ Empty link (ignored)
-[[   ]]        ✗ Whitespace only (ignored)
+[[]] ✗ Whitespace only (ignored)
-[[  Target  ]] ✓ Trimmed to "Target"
+[[Target]] ✓ Trimmed to "Target"
 ```
 ### Return Type
 ```typescript
 interface WikiLink {
-  raw: string;        // Full matched text: "[[Page Name]]"
+  raw: string; // Full matched text: "[[Page Name]]"
-  target: string;     // Target page: "Page Name"
+  target: string; // Target page: "Page Name"
  displayText: string; // Display text: "Page Name" or custom
-  start: number;      // Start position in content
+  start: number; // Start position in content
-  end: number;        // End position in content
+  end: number; // End position in content
 }
 ```
 ### Testing
 Comprehensive test suite (100% coverage) includes:
 - Basic parsing (single, multiple, consecutive links)
 - Display text variations
 - Edge cases (brackets, escapes, empty links)
@@ -116,6 +130,7 @@ Comprehensive test suite (100% coverage) includes:
 - Malformed input handling
 Run tests:
 ```bash
 pnpm test --filter=@mosaic/api -- wiki-link-parser.spec.ts
 ```
@@ -130,6 +145,7 @@ This parser is designed to work with the Knowledge Module's linking system:
 4. **Link Rendering**: Replace `[[links]]` with HTML anchors
 See related issues:
 - #59 - Wiki-link parser (this implementation)
 - Future: Link resolution and storage
 - Future: Backlink display and navigation
@@ -151,33 +167,38 @@ The `markdown.ts` utility provides secure markdown rendering with GFM (GitHub Fl
 ### Usage
 ```typescript
-import { renderMarkdown, markdownToPlainText } from './utils/markdown';
+import { renderMarkdown, markdownToPlainText } from "./utils/markdown";
 // Render markdown to HTML (async)
-const html = await renderMarkdown('# Hello **World**');
+const html = await renderMarkdown("# Hello **World**");
 // Result: <h1 id="hello-world">Hello <strong>World</strong></h1>
 // Extract plain text (for search indexing)
-const plainText = await markdownToPlainText('# Hello **World**');
+const plainText = await markdownToPlainText("# Hello **World**");
 // Result: "Hello World"
 ```
 ### Supported Markdown Features
 #### Basic Formatting
 - **Bold**: `**text**` or `__text__`
- *Italic*: `*text*` or `_text_`
+- _Italic_: `*text*` or `_text_`
 - ~~Strikethrough~~: `~~text~~`
 - `Inline code`: `` `code` ``
 #### Headers
 ```markdown
 # H1
 ## H2
 ### H3
 ```
 #### Lists
 ```markdown
 - Unordered list
  - Nested item
@@ -187,19 +208,22 @@ const plainText = await markdownToPlainText('# Hello **World**');
 ```
 #### Task Lists
 ```markdown
 - [ ] Unchecked task
 - [x] Completed task
 ```
 #### Tables
 ```markdown
 | Header 1 | Header 2 |
-|----------|----------|
+| -------- | -------- |
 | Cell 1   | Cell 2   |
 ```
 #### Code Blocks
 ````markdown
 ```typescript
 const greeting: string = "Hello";
@@ -208,12 +232,14 @@ console.log(greeting);
 ````
 #### Links and Images
 ```markdown
 [Link text](https://example.com)
 ![Alt text](https://example.com/image.png)
 ```
 #### Blockquotes
 ```markdown
 > This is a quote
 > Multi-line quote
@@ -233,6 +259,7 @@ The renderer implements multiple layers of security:
 ### Testing
 Comprehensive test suite covers:
 - Basic markdown rendering
 - GFM features (tables, task lists, strikethrough)
 - Code syntax highlighting
@@ -240,6 +267,7 @@ Comprehensive test suite covers:
 - Edge cases (unicode, long content, nested structures)
 Run tests:
 ```bash
 pnpm test --filter=@mosaic/api -- markdown.spec.ts
 ```
--- a/apps/api/src/knowledge/utils/markdown.spec.ts
+++ b/apps/api/src/knowledge/utils/markdown.spec.ts
@@ -1,9 +1,5 @@
 import { describe, it, expect } from "vitest";
-import {
+import { renderMarkdown, renderMarkdownSync, markdownToPlainText } from "./markdown";
  renderMarkdown,
  renderMarkdownSync,
  markdownToPlainText,
 } from "./markdown";
 describe("Markdown Rendering", () => {
  describe("renderMarkdown", () => {
@@ -77,7 +73,7 @@ describe("Markdown Rendering", () => {
      const html = await renderMarkdown(markdown);
-      expect(html).toContain('<input');
+      expect(html).toContain("<input");
      expect(html).toContain('type="checkbox"');
      expect(html).toContain('disabled="disabled"'); // Should be disabled for safety
    });
@@ -145,16 +141,17 @@ plain text code
      const markdown = "![Alt text](https://example.com/image.png)";
      const html = await renderMarkdown(markdown);
-      expect(html).toContain('<img');
+      expect(html).toContain("<img");
      expect(html).toContain('src="https://example.com/image.png"');
      expect(html).toContain('alt="Alt text"');
    });
    it("should allow data URIs for images", async () => {
-      const markdown = "![Image](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==)";
+      const markdown =
        "![Image](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==)";
      const html = await renderMarkdown(markdown);
-      expect(html).toContain('<img');
+      expect(html).toContain("<img");
      expect(html).toContain('src="data:image/png;base64');
    });
  });
@@ -164,7 +161,7 @@ plain text code
      const markdown = "# My Header Title";
      const html = await renderMarkdown(markdown);
-      expect(html).toContain('<h1');
+      expect(html).toContain("<h1");
      expect(html).toContain('id="');
    });
@@ -282,7 +279,7 @@ plain text code
    });
    it("should strip all HTML tags", async () => {
-      const markdown = '[Link](https://example.com)\n\n![Image](image.png)';
+      const markdown = "[Link](https://example.com)\n\n![Image](image.png)";
      const plainText = await markdownToPlainText(markdown);
      expect(plainText).not.toContain("<a");
--- a/apps/api/src/knowledge/utils/wiki-link-parser.spec.ts
+++ b/apps/api/src/knowledge/utils/wiki-link-parser.spec.ts
@@ -333,9 +333,7 @@ const link = "[[Not A Link]]";
      expect(links[0].start).toBe(5);
      expect(links[0].end).toBe(23);
-      expect(content.substring(links[0].start, links[0].end)).toBe(
+      expect(content.substring(links[0].start, links[0].end)).toBe("[[Target|Display]]");
        "[[Target|Display]]"
      );
    });
    it("should track positions in multiline content", () => {
--- a/apps/api/src/layouts/tests/layouts.service.spec.ts
+++ b/apps/api/src/layouts/tests/layouts.service.spec.ts
@@ -114,9 +114,9 @@ describe("LayoutsService", () => {
        .mockResolvedValueOnce(null) // No default
        .mockResolvedValueOnce(null); // No layouts
-      await expect(
+      await expect(service.findDefault(mockWorkspaceId, mockUserId)).rejects.toThrow(
-        service.findDefault(mockWorkspaceId, mockUserId)
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
  });
@@ -139,9 +139,9 @@ describe("LayoutsService", () => {
    it("should throw NotFoundException if layout not found", async () => {
      prisma.userLayout.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.findOne("invalid-id", mockWorkspaceId, mockUserId)).rejects.toThrow(
-        service.findOne("invalid-id", mockWorkspaceId, mockUserId)
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
  });
@@ -221,12 +221,7 @@ describe("LayoutsService", () => {
        })
      );
-      const result = await service.update(
+      const result = await service.update("layout-1", mockWorkspaceId, mockUserId, updateDto);
        "layout-1",
        mockWorkspaceId,
        mockUserId,
        updateDto
      );
      expect(result).toBeDefined();
      expect(mockFindUnique).toHaveBeenCalled();
@@ -244,9 +239,9 @@ describe("LayoutsService", () => {
        })
      );
-      await expect(
+      await expect(service.update("invalid-id", mockWorkspaceId, mockUserId, {})).rejects.toThrow(
-        service.update("invalid-id", mockWorkspaceId, mockUserId, {})
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
  });
@@ -269,9 +264,9 @@ describe("LayoutsService", () => {
    it("should throw NotFoundException if layout not found", async () => {
      prisma.userLayout.findUnique.mockResolvedValue(null);
-      await expect(
+      await expect(service.remove("invalid-id", mockWorkspaceId, mockUserId)).rejects.toThrow(
-        service.remove("invalid-id", mockWorkspaceId, mockUserId)
+        NotFoundException
-      ).rejects.toThrow(NotFoundException);
+      );
    });
  });
 });
--- a/apps/api/src/ollama/ollama.controller.spec.ts
+++ b/apps/api/src/ollama/ollama.controller.spec.ts
@@ -48,11 +48,7 @@ describe("OllamaController", () => {
      });
      expect(result).toEqual(mockResponse);
-      expect(mockOllamaService.generate).toHaveBeenCalledWith(
+      expect(mockOllamaService.generate).toHaveBeenCalledWith("Hello", undefined, undefined);
        "Hello",
        undefined,
        undefined
      );
    });
    it("should generate with options and custom model", async () => {
@@ -84,9 +80,7 @@ describe("OllamaController", () => {
  describe("chat", () => {
    it("should complete chat conversation", async () => {
-      const messages: ChatMessage[] = [
+      const messages: ChatMessage[] = [{ role: "user", content: "Hello!" }];
        { role: "user", content: "Hello!" },
      ];
      const mockResponse = {
        model: "llama3.2",
@@ -104,11 +98,7 @@ describe("OllamaController", () => {
      });
      expect(result).toEqual(mockResponse);
-      expect(mockOllamaService.chat).toHaveBeenCalledWith(
+      expect(mockOllamaService.chat).toHaveBeenCalledWith(messages, undefined, undefined);
        messages,
        undefined,
        undefined
      );
    });
    it("should chat with options and custom model", async () => {
@@ -158,10 +148,7 @@ describe("OllamaController", () => {
      });
      expect(result).toEqual(mockResponse);
-      expect(mockOllamaService.embed).toHaveBeenCalledWith(
+      expect(mockOllamaService.embed).toHaveBeenCalledWith("Sample text", undefined);
        "Sample text",
        undefined
      );
    });
    it("should embed with custom model", async () => {
@@ -177,10 +164,7 @@ describe("OllamaController", () => {
      });
      expect(result).toEqual(mockResponse);
-      expect(mockOllamaService.embed).toHaveBeenCalledWith(
+      expect(mockOllamaService.embed).toHaveBeenCalledWith("Test", "nomic-embed-text");
        "Test",
        "nomic-embed-text"
      );
    });
  });
--- a/apps/api/src/ollama/ollama.service.spec.ts
+++ b/apps/api/src/ollama/ollama.service.spec.ts
@@ -2,11 +2,7 @@ import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { OllamaService } from "./ollama.service";
 import { HttpException, HttpStatus } from "@nestjs/common";
-import type {
+import type { GenerateOptionsDto, ChatMessage, ChatOptionsDto } from "./dto";
  GenerateOptionsDto,
  ChatMessage,
  ChatOptionsDto,
 } from "./dto";
 describe("OllamaService", () => {
  let service: OllamaService;
@@ -133,9 +129,7 @@ describe("OllamaService", () => {
      mockFetch.mockRejectedValue(new Error("Network error"));
      await expect(service.generate("Hello")).rejects.toThrow(HttpException);
-      await expect(service.generate("Hello")).rejects.toThrow(
+      await expect(service.generate("Hello")).rejects.toThrow("Failed to connect to Ollama");
        "Failed to connect to Ollama"
      );
    });
    it("should throw HttpException on non-ok response", async () => {
@@ -163,12 +157,9 @@ describe("OllamaService", () => {
        ],
      }).compile();
-      const shortTimeoutService =
+      const shortTimeoutService = shortTimeoutModule.get<OllamaService>(OllamaService);
        shortTimeoutModule.get<OllamaService>(OllamaService);
-      await expect(shortTimeoutService.generate("Hello")).rejects.toThrow(
+      await expect(shortTimeoutService.generate("Hello")).rejects.toThrow(HttpException);
        HttpException
      );
    });
  });
@@ -210,9 +201,7 @@ describe("OllamaService", () => {
    });
    it("should chat with custom options", async () => {
-      const messages: ChatMessage[] = [
+      const messages: ChatMessage[] = [{ role: "user", content: "Hello!" }];
        { role: "user", content: "Hello!" },
      ];
      const options: ChatOptionsDto = {
        temperature: 0.5,
@@ -251,9 +240,9 @@ describe("OllamaService", () => {
    it("should throw HttpException on chat error", async () => {
      mockFetch.mockRejectedValue(new Error("Connection refused"));
-      await expect(
+      await expect(service.chat([{ role: "user", content: "Hello" }])).rejects.toThrow(
-        service.chat([{ role: "user", content: "Hello" }])
+        HttpException
-      ).rejects.toThrow(HttpException);
+      );
    });
  });
--- a/apps/api/src/prisma/prisma.service.spec.ts
+++ b/apps/api/src/prisma/prisma.service.spec.ts
@@ -23,9 +23,7 @@ describe("PrismaService", () => {
  describe("onModuleInit", () => {
    it("should connect to the database", async () => {
-      const connectSpy = vi
+      const connectSpy = vi.spyOn(service, "$connect").mockResolvedValue(undefined);
        .spyOn(service, "$connect")
        .mockResolvedValue(undefined);
      await service.onModuleInit();
@@ -42,9 +40,7 @@ describe("PrismaService", () => {
  describe("onModuleDestroy", () => {
    it("should disconnect from the database", async () => {
-      const disconnectSpy = vi
+      const disconnectSpy = vi.spyOn(service, "$disconnect").mockResolvedValue(undefined);
        .spyOn(service, "$disconnect")
        .mockResolvedValue(undefined);
      await service.onModuleDestroy();
@@ -62,9 +58,7 @@ describe("PrismaService", () => {
    });
    it("should return false when database is not accessible", async () => {
-      vi
+      vi.spyOn(service, "$queryRaw").mockRejectedValue(new Error("Database error"));
        .spyOn(service, "$queryRaw")
        .mockRejectedValue(new Error("Database error"));
      const result = await service.isHealthy();
@@ -100,9 +94,7 @@ describe("PrismaService", () => {
    });
    it("should return connected false when query fails", async () => {
-      vi
+      vi.spyOn(service, "$queryRaw").mockRejectedValue(new Error("Query failed"));
        .spyOn(service, "$queryRaw")
        .mockRejectedValue(new Error("Query failed"));
      const result = await service.getConnectionInfo();
--- a/apps/api/src/projects/projects.controller.spec.ts
+++ b/apps/api/src/projects/projects.controller.spec.ts
@@ -62,11 +62,7 @@ describe("ProjectsController", () => {
      const result = await controller.create(createDto, mockWorkspaceId, mockUser);
      expect(result).toEqual(mockProject);
-      expect(service.create).toHaveBeenCalledWith(
+      expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, mockUserId, createDto);
        mockWorkspaceId,
        mockUserId,
        createDto
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
@@ -74,7 +70,9 @@ describe("ProjectsController", () => {
      await controller.create({ name: "Test" }, undefined as any, mockUser);
-      expect(mockProjectsService.create).toHaveBeenCalledWith(undefined, mockUserId, { name: "Test" });
+      expect(mockProjectsService.create).toHaveBeenCalledWith(undefined, mockUserId, {
        name: "Test",
      });
    });
  });
@@ -149,7 +147,12 @@ describe("ProjectsController", () => {
      await controller.update(mockProjectId, updateDto, undefined as any, mockUser);
-      expect(mockProjectsService.update).toHaveBeenCalledWith(mockProjectId, undefined, mockUserId, updateDto);
+      expect(mockProjectsService.update).toHaveBeenCalledWith(
        mockProjectId,
        undefined,
        mockUserId,
        updateDto
      );
    });
  });
@@ -159,11 +162,7 @@ describe("ProjectsController", () => {
      await controller.remove(mockProjectId, mockWorkspaceId, mockUser);
-      expect(service.remove).toHaveBeenCalledWith(
+      expect(service.remove).toHaveBeenCalledWith(mockProjectId, mockWorkspaceId, mockUserId);
        mockProjectId,
        mockWorkspaceId,
        mockUserId
      );
    });
    it("should pass undefined workspaceId to service (validation handled by guards)", async () => {
--- a/apps/api/src/stitcher/stitcher.security.spec.ts
+++ b/apps/api/src/stitcher/stitcher.security.spec.ts
@@ -55,9 +55,7 @@ describe("StitcherController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
    it("POST /stitcher/dispatch should require authentication", async () => {
@@ -67,9 +65,7 @@ describe("StitcherController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
  });
@@ -96,9 +92,7 @@ describe("StitcherController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
      await expect(guard.canActivate(mockContext as any)).rejects.toThrow("Invalid API key");
    });
@@ -111,9 +105,7 @@ describe("StitcherController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
      await expect(guard.canActivate(mockContext as any)).rejects.toThrow("No API key provided");
    });
  });
@@ -133,9 +125,7 @@ describe("StitcherController - Security", () => {
        }),
      };
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
        UnauthorizedException
      );
    });
  });
 });
--- a/apps/api/src/tasks/dto/query-tasks.dto.spec.ts
+++ b/apps/api/src/tasks/dto/query-tasks.dto.spec.ts
@@ -24,7 +24,7 @@ describe("QueryTasksDto", () => {
    const errors = await validate(dto);
    expect(errors.length).toBeGreaterThan(0);
-    expect(errors.some(e => e.property === "workspaceId")).toBe(true);
+    expect(errors.some((e) => e.property === "workspaceId")).toBe(true);
  });
  it("should accept valid status filter", async () => {
--- a/apps/api/src/tasks/tasks.controller.spec.ts
+++ b/apps/api/src/tasks/tasks.controller.spec.ts
@@ -106,18 +106,10 @@ describe("TasksController", () => {
      mockTasksService.create.mockResolvedValue(mockTask);
-      const result = await controller.create(
+      const result = await controller.create(createDto, mockWorkspaceId, mockRequest.user);
        createDto,
        mockWorkspaceId,
        mockRequest.user
      );
      expect(result).toEqual(mockTask);
-      expect(service.create).toHaveBeenCalledWith(
+      expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, mockUserId, createDto);
        mockWorkspaceId,
        mockUserId,
        createDto
      );
    });
  });
@@ -247,11 +239,7 @@ describe("TasksController", () => {
      await controller.remove(mockTaskId, mockWorkspaceId, mockRequest.user);
-      expect(service.remove).toHaveBeenCalledWith(
+      expect(service.remove).toHaveBeenCalledWith(mockTaskId, mockWorkspaceId, mockUserId);
        mockTaskId,
        mockWorkspaceId,
        mockUserId
      );
    });
    it("should throw error if workspaceId not found", async () => {
@@ -262,11 +250,7 @@ describe("TasksController", () => {
      await controller.remove(mockTaskId, mockWorkspaceId, mockRequest.user);
-      expect(service.remove).toHaveBeenCalledWith(
+      expect(service.remove).toHaveBeenCalledWith(mockTaskId, mockWorkspaceId, mockUserId);
        mockTaskId,
        mockWorkspaceId,
        mockUserId
      );
    });
  });
 });
--- a/apps/api/src/valkey/README.md
+++ b/apps/api/src/valkey/README.md
@@ -69,8 +69,8 @@ docker compose up -d valkey
 ### 1. Inject the Service
 ```typescript
-import { Injectable } from '@nestjs/common';
+import { Injectable } from "@nestjs/common";
-import { ValkeyService } from './valkey/valkey.service';
+import { ValkeyService } from "./valkey/valkey.service";
@Injectable()
 export class MyService {
@@ -82,11 +82,11 @@ export class MyService {
 ```typescript
 const task = await this.valkeyService.enqueue({
-  type: 'send-email',
+  type: "send-email",
  data: {
-    to: 'user@example.com',
+    to: "user@example.com",
-    subject: 'Welcome!',
+    subject: "Welcome!",
-    body: 'Hello, welcome to Mosaic Stack',
+    body: "Hello, welcome to Mosaic Stack",
  },
 });
@@ -102,11 +102,11 @@ const task = await this.valkeyService.dequeue();
 if (task) {
  console.log(task.status); // 'processing'
-  
+
  try {
    // Do work...
    await sendEmail(task.data);
-    
+
    // Mark as completed
    await this.valkeyService.updateStatus(task.id, {
      status: TaskStatus.COMPLETED,
@@ -129,8 +129,8 @@ const status = await this.valkeyService.getStatus(taskId);
 if (status) {
  console.log(status.status); // 'completed' | 'failed' | 'processing' | 'pending'
-  console.log(status.data);   // Task metadata
+  console.log(status.data); // Task metadata
-  console.log(status.error);  // Error message if failed
+  console.log(status.error); // Error message if failed
 }
 ```
@@ -143,7 +143,7 @@ console.log(`${length} tasks in queue`);
 // Health check
 const healthy = await this.valkeyService.healthCheck();
-console.log(`Valkey is ${healthy ? 'healthy' : 'down'}`);
+console.log(`Valkey is ${healthy ? "healthy" : "down"}`);
 // Clear queue (use with caution!)
 await this.valkeyService.clearQueue();
@@ -181,12 +181,12 @@ export class EmailWorker {
  private async startWorker() {
    while (true) {
      const task = await this.valkeyService.dequeue();
-      
+
      if (task) {
        await this.processTask(task);
      } else {
        // No tasks, wait 5 seconds
-        await new Promise(resolve => setTimeout(resolve, 5000));
+        await new Promise((resolve) => setTimeout(resolve, 5000));
      }
    }
  }
@@ -194,14 +194,14 @@ export class EmailWorker {
  private async processTask(task: TaskDto) {
    try {
      switch (task.type) {
-        case 'send-email':
+        case "send-email":
          await this.sendEmail(task.data);
          break;
-        case 'generate-report':
+        case "generate-report":
          await this.generateReport(task.data);
          break;
      }
-      
+
      await this.valkeyService.updateStatus(task.id, {
        status: TaskStatus.COMPLETED,
      });
@@ -222,10 +222,10 @@ export class EmailWorker {
 export class ScheduledTasks {
  constructor(private readonly valkeyService: ValkeyService) {}
-  @Cron('0 0 * * *') // Daily at midnight
+  @Cron("0 0 * * *") // Daily at midnight
  async dailyReport() {
    await this.valkeyService.enqueue({
-      type: 'daily-report',
+      type: "daily-report",
      data: { date: new Date().toISOString() },
    });
  }
@@ -241,6 +241,7 @@ pnpm test valkey.service.spec.ts
 ```
 Tests cover:
 - ✅ Connection and initialization
 - ✅ Enqueue operations
 - ✅ Dequeue FIFO behavior
@@ -254,9 +255,11 @@ Tests cover:
 ### ValkeyService Methods
 #### `enqueue(task: EnqueueTaskDto): Promise<TaskDto>`
 Add a task to the queue.
 **Parameters:**
 - `task.type` (string): Task type identifier
 - `task.data` (object): Task metadata
@@ -265,6 +268,7 @@ Add a task to the queue.
 ---
 #### `dequeue(): Promise<TaskDto | null>`
 Get the next task from the queue (FIFO).
 **Returns:** Next task with status updated to PROCESSING, or null if queue is empty
@@ -272,9 +276,11 @@ Get the next task from the queue (FIFO).
 ---
 #### `getStatus(taskId: string): Promise<TaskDto | null>`
 Retrieve task status and metadata.
 **Parameters:**
 - `taskId` (string): Task UUID
 **Returns:** Task data or null if not found
@@ -282,9 +288,11 @@ Retrieve task status and metadata.
 ---
 #### `updateStatus(taskId: string, update: UpdateTaskStatusDto): Promise<TaskDto | null>`
 Update task status and optionally add results or errors.
 **Parameters:**
 - `taskId` (string): Task UUID
 - `update.status` (TaskStatus): New status
 - `update.error` (string, optional): Error message for failed tasks
@@ -295,6 +303,7 @@ Update task status and optionally add results or errors.
 ---
 #### `getQueueLength(): Promise<number>`
 Get the number of tasks in queue.
 **Returns:** Queue length
@@ -302,11 +311,13 @@ Get the number of tasks in queue.
 ---
 #### `clearQueue(): Promise<void>`
 Remove all tasks from queue (metadata remains until TTL).
 ---
 #### `healthCheck(): Promise<boolean>`
 Verify Valkey connectivity.
 **Returns:** true if connected, false otherwise
@@ -314,6 +325,7 @@ Verify Valkey connectivity.
 ## Migration Notes
 If upgrading from BullMQ or another queue system:
 1. Task IDs are UUIDs (not incremental)
 2. No built-in retry mechanism (implement in worker)
 3. No job priorities (strict FIFO)
@@ -329,7 +341,7 @@ For advanced features like retries, priorities, or scheduled jobs, consider wrap
 // Check Valkey connectivity
 const healthy = await this.valkeyService.healthCheck();
 if (!healthy) {
-  console.error('Valkey is not responding');
+  console.error("Valkey is not responding");
 }
 ```
@@ -349,6 +361,7 @@ docker exec -it mosaic-valkey valkey-cli DEL mosaic:task:queue
 ### Debug Logging
 The service logs all operations at `info` level. Check application logs for:
 - Task enqueue/dequeue operations
 - Status updates
 - Connection events
@@ -356,6 +369,7 @@ The service logs all operations at `info` level. Check application logs for:
 ## Future Enhancements
 Potential improvements for consideration:
 - [ ] Task priorities (weighted queues)
 - [ ] Retry mechanism with exponential backoff
 - [ ] Delayed/scheduled tasks
--- a/apps/api/src/valkey/valkey.service.spec.ts
+++ b/apps/api/src/valkey/valkey.service.spec.ts
@@ -1,10 +1,10 @@
-import { Test, TestingModule } from '@nestjs/testing';
+import { Test, TestingModule } from "@nestjs/testing";
-import { describe, it, expect, beforeEach, vi, afterEach } from 'vitest';
+import { describe, it, expect, beforeEach, vi, afterEach } from "vitest";
-import { ValkeyService } from './valkey.service';
+import { ValkeyService } from "./valkey.service";
-import { TaskStatus } from './dto/task.dto';
+import { TaskStatus } from "./dto/task.dto";
 // Mock ioredis module
-vi.mock('ioredis', () => {
+vi.mock("ioredis", () => {
  // In-memory store for mocked Redis
  const store = new Map<string, string>();
  const lists = new Map<string, string[]>();
@@ -13,13 +13,13 @@ vi.mock('ioredis', () => {
  class MockRedisClient {
    // Connection methods
    async ping() {
-      return 'PONG';
+      return "PONG";
    }
-    
+
    async quit() {
      return undefined;
    }
-    
+
    on() {
      return this;
    }
@@ -27,9 +27,9 @@ vi.mock('ioredis', () => {
    // String operations
    async setex(key: string, ttl: number, value: string) {
      store.set(key, value);
-      return 'OK';
+      return "OK";
    }
-    
+
    async get(key: string) {
      return store.get(key) || null;
    }
@@ -43,7 +43,7 @@ vi.mock('ioredis', () => {
      list.push(...values);
      return list.length;
    }
-    
+
    async lpop(key: string) {
      const list = lists.get(key);
      if (!list || list.length === 0) {
@@ -51,15 +51,15 @@ vi.mock('ioredis', () => {
      }
      return list.shift()!;
    }
-    
+
    async llen(key: string) {
      const list = lists.get(key);
      return list ? list.length : 0;
    }
-    
+
    async del(...keys: string[]) {
      let deleted = 0;
-      keys.forEach(key => {
+      keys.forEach((key) => {
        if (store.delete(key)) deleted++;
        if (lists.delete(key)) deleted++;
      });
@@ -78,16 +78,16 @@ vi.mock('ioredis', () => {
  };
 });
-describe('ValkeyService', () => {
+describe("ValkeyService", () => {
  let service: ValkeyService;
  let module: TestingModule;
  beforeEach(async () => {
    // Clear environment
-    process.env.VALKEY_URL = 'redis://localhost:6379';
+    process.env.VALKEY_URL = "redis://localhost:6379";
    // Clear the mock store before each test
-    const Redis = await import('ioredis');
+    const Redis = await import("ioredis");
    (Redis.default as any).__clearStore();
    module = await Test.createTestingModule({
@@ -95,7 +95,7 @@ describe('ValkeyService', () => {
    }).compile();
    service = module.get<ValkeyService>(ValkeyService);
-    
+
    // Initialize the service
    await service.onModuleInit();
  });
@@ -104,41 +104,41 @@ describe('ValkeyService', () => {
    await service.onModuleDestroy();
  });
-  describe('initialization', () => {
+  describe("initialization", () => {
-    it('should be defined', () => {
+    it("should be defined", () => {
      expect(service).toBeDefined();
    });
-    it('should connect to Valkey on module init', async () => {
+    it("should connect to Valkey on module init", async () => {
      expect(service).toBeDefined();
      const healthCheck = await service.healthCheck();
      expect(healthCheck).toBe(true);
    });
  });
-  describe('enqueue', () => {
+  describe("enqueue", () => {
-    it('should enqueue a task successfully', async () => {
+    it("should enqueue a task successfully", async () => {
      const taskDto = {
-        type: 'test-task',
+        type: "test-task",
-        data: { message: 'Hello World' },
+        data: { message: "Hello World" },
      };
      const result = await service.enqueue(taskDto);
      expect(result).toBeDefined();
      expect(result.id).toBeDefined();
-      expect(result.type).toBe('test-task');
+      expect(result.type).toBe("test-task");
-      expect(result.data).toEqual({ message: 'Hello World' });
+      expect(result.data).toEqual({ message: "Hello World" });
      expect(result.status).toBe(TaskStatus.PENDING);
      expect(result.createdAt).toBeDefined();
      expect(result.updatedAt).toBeDefined();
    });
-    it('should increment queue length when enqueueing', async () => {
+    it("should increment queue length when enqueueing", async () => {
      const initialLength = await service.getQueueLength();
-      
+
      await service.enqueue({
-        type: 'task-1',
+        type: "task-1",
        data: {},
      });
@@ -147,20 +147,20 @@ describe('ValkeyService', () => {
    });
  });
-  describe('dequeue', () => {
+  describe("dequeue", () => {
-    it('should return null when queue is empty', async () => {
+    it("should return null when queue is empty", async () => {
      const result = await service.dequeue();
      expect(result).toBeNull();
    });
-    it('should dequeue tasks in FIFO order', async () => {
+    it("should dequeue tasks in FIFO order", async () => {
      const task1 = await service.enqueue({
-        type: 'task-1',
+        type: "task-1",
        data: { order: 1 },
      });
      const task2 = await service.enqueue({
-        type: 'task-2',
+        type: "task-2",
        data: { order: 2 },
      });
@@ -173,9 +173,9 @@ describe('ValkeyService', () => {
      expect(dequeued2?.status).toBe(TaskStatus.PROCESSING);
    });
-    it('should update task status to PROCESSING when dequeued', async () => {
+    it("should update task status to PROCESSING when dequeued", async () => {
      const task = await service.enqueue({
-        type: 'test-task',
+        type: "test-task",
        data: {},
      });
@@ -187,73 +187,73 @@ describe('ValkeyService', () => {
    });
  });
-  describe('getStatus', () => {
+  describe("getStatus", () => {
-    it('should return null for non-existent task', async () => {
+    it("should return null for non-existent task", async () => {
-      const status = await service.getStatus('non-existent-id');
+      const status = await service.getStatus("non-existent-id");
      expect(status).toBeNull();
    });
-    it('should return task status for existing task', async () => {
+    it("should return task status for existing task", async () => {
      const task = await service.enqueue({
-        type: 'test-task',
+        type: "test-task",
-        data: { key: 'value' },
+        data: { key: "value" },
      });
      const status = await service.getStatus(task.id);
      expect(status).toBeDefined();
      expect(status?.id).toBe(task.id);
-      expect(status?.type).toBe('test-task');
+      expect(status?.type).toBe("test-task");
-      expect(status?.data).toEqual({ key: 'value' });
+      expect(status?.data).toEqual({ key: "value" });
    });
  });
-  describe('updateStatus', () => {
+  describe("updateStatus", () => {
-    it('should update task status to COMPLETED', async () => {
+    it("should update task status to COMPLETED", async () => {
      const task = await service.enqueue({
-        type: 'test-task',
+        type: "test-task",
        data: {},
      });
      const updated = await service.updateStatus(task.id, {
        status: TaskStatus.COMPLETED,
-        result: { output: 'success' },
+        result: { output: "success" },
      });
      expect(updated).toBeDefined();
      expect(updated?.status).toBe(TaskStatus.COMPLETED);
      expect(updated?.completedAt).toBeDefined();
-      expect(updated?.data).toEqual({ output: 'success' });
+      expect(updated?.data).toEqual({ output: "success" });
    });
-    it('should update task status to FAILED with error', async () => {
+    it("should update task status to FAILED with error", async () => {
      const task = await service.enqueue({
-        type: 'test-task',
+        type: "test-task",
        data: {},
      });
      const updated = await service.updateStatus(task.id, {
        status: TaskStatus.FAILED,
-        error: 'Task failed due to error',
+        error: "Task failed due to error",
      });
      expect(updated).toBeDefined();
      expect(updated?.status).toBe(TaskStatus.FAILED);
-      expect(updated?.error).toBe('Task failed due to error');
+      expect(updated?.error).toBe("Task failed due to error");
      expect(updated?.completedAt).toBeDefined();
    });
-    it('should return null when updating non-existent task', async () => {
+    it("should return null when updating non-existent task", async () => {
-      const updated = await service.updateStatus('non-existent-id', {
+      const updated = await service.updateStatus("non-existent-id", {
        status: TaskStatus.COMPLETED,
      });
      expect(updated).toBeNull();
    });
-    it('should preserve existing data when updating status', async () => {
+    it("should preserve existing data when updating status", async () => {
      const task = await service.enqueue({
-        type: 'test-task',
+        type: "test-task",
-        data: { original: 'data' },
+        data: { original: "data" },
      });
      await service.updateStatus(task.id, {
@@ -261,28 +261,28 @@ describe('ValkeyService', () => {
      });
      const status = await service.getStatus(task.id);
-      expect(status?.data).toEqual({ original: 'data' });
+      expect(status?.data).toEqual({ original: "data" });
    });
  });
-  describe('getQueueLength', () => {
+  describe("getQueueLength", () => {
-    it('should return 0 for empty queue', async () => {
+    it("should return 0 for empty queue", async () => {
      const length = await service.getQueueLength();
      expect(length).toBe(0);
    });
-    it('should return correct queue length', async () => {
+    it("should return correct queue length", async () => {
-      await service.enqueue({ type: 'task-1', data: {} });
+      await service.enqueue({ type: "task-1", data: {} });
-      await service.enqueue({ type: 'task-2', data: {} });
+      await service.enqueue({ type: "task-2", data: {} });
-      await service.enqueue({ type: 'task-3', data: {} });
+      await service.enqueue({ type: "task-3", data: {} });
      const length = await service.getQueueLength();
      expect(length).toBe(3);
    });
-    it('should decrease when tasks are dequeued', async () => {
+    it("should decrease when tasks are dequeued", async () => {
-      await service.enqueue({ type: 'task-1', data: {} });
+      await service.enqueue({ type: "task-1", data: {} });
-      await service.enqueue({ type: 'task-2', data: {} });
+      await service.enqueue({ type: "task-2", data: {} });
      expect(await service.getQueueLength()).toBe(2);
@@ -294,10 +294,10 @@ describe('ValkeyService', () => {
    });
  });
-  describe('clearQueue', () => {
+  describe("clearQueue", () => {
-    it('should clear all tasks from queue', async () => {
+    it("should clear all tasks from queue", async () => {
-      await service.enqueue({ type: 'task-1', data: {} });
+      await service.enqueue({ type: "task-1", data: {} });
-      await service.enqueue({ type: 'task-2', data: {} });
+      await service.enqueue({ type: "task-2", data: {} });
      expect(await service.getQueueLength()).toBe(2);
@@ -306,21 +306,21 @@ describe('ValkeyService', () => {
    });
  });
-  describe('healthCheck', () => {
+  describe("healthCheck", () => {
-    it('should return true when Valkey is healthy', async () => {
+    it("should return true when Valkey is healthy", async () => {
      const healthy = await service.healthCheck();
      expect(healthy).toBe(true);
    });
  });
-  describe('integration flow', () => {
+  describe("integration flow", () => {
-    it('should handle complete task lifecycle', async () => {
+    it("should handle complete task lifecycle", async () => {
      // 1. Enqueue task
      const task = await service.enqueue({
-        type: 'email-notification',
+        type: "email-notification",
        data: {
-          to: 'user@example.com',
+          to: "user@example.com",
-          subject: 'Test Email',
+          subject: "Test Email",
        },
      });
@@ -335,8 +335,8 @@ describe('ValkeyService', () => {
      const completedTask = await service.updateStatus(task.id, {
        status: TaskStatus.COMPLETED,
        result: {
-          to: 'user@example.com',
+          to: "user@example.com",
-          subject: 'Test Email',
+          subject: "Test Email",
          sentAt: new Date().toISOString(),
        },
      });
@@ -350,11 +350,11 @@ describe('ValkeyService', () => {
      expect(finalStatus?.data.sentAt).toBeDefined();
    });
-    it('should handle multiple concurrent tasks', async () => {
+    it("should handle multiple concurrent tasks", async () => {
      const tasks = await Promise.all([
-        service.enqueue({ type: 'task-1', data: { id: 1 } }),
+        service.enqueue({ type: "task-1", data: { id: 1 } }),
-        service.enqueue({ type: 'task-2', data: { id: 2 } }),
+        service.enqueue({ type: "task-2", data: { id: 2 } }),
-        service.enqueue({ type: 'task-3', data: { id: 3 } }),
+        service.enqueue({ type: "task-3", data: { id: 3 } }),
      ]);
      expect(await service.getQueueLength()).toBe(3);
--- a/apps/api/src/websocket/websocket.gateway.spec.ts
+++ b/apps/api/src/websocket/websocket.gateway.spec.ts
@@ -1,9 +1,9 @@
-import { Test, TestingModule } from '@nestjs/testing';
+import { Test, TestingModule } from "@nestjs/testing";
-import { WebSocketGateway } from './websocket.gateway';
+import { WebSocketGateway } from "./websocket.gateway";
-import { AuthService } from '../auth/auth.service';
+import { AuthService } from "../auth/auth.service";
-import { PrismaService } from '../prisma/prisma.service';
+import { PrismaService } from "../prisma/prisma.service";
-import { Server, Socket } from 'socket.io';
+import { Server, Socket } from "socket.io";
-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 interface AuthenticatedSocket extends Socket {
  data: {
@@ -12,7 +12,7 @@ interface AuthenticatedSocket extends Socket {
  };
 }
-describe('WebSocketGateway', () => {
+describe("WebSocketGateway", () => {
  let gateway: WebSocketGateway;
  let authService: AuthService;
  let prismaService: PrismaService;
@@ -53,7 +53,7 @@ describe('WebSocketGateway', () => {
    // Mock authenticated client
    mockClient = {
-      id: 'test-socket-id',
+      id: "test-socket-id",
      join: vi.fn(),
      leave: vi.fn(),
      emit: vi.fn(),
@@ -61,7 +61,7 @@ describe('WebSocketGateway', () => {
      data: {},
      handshake: {
        auth: {
-          token: 'valid-token',
+          token: "valid-token",
        },
      },
    } as unknown as AuthenticatedSocket;
@@ -76,36 +76,36 @@ describe('WebSocketGateway', () => {
    }
  });
-  describe('Authentication', () => {
+  describe("Authentication", () => {
-    it('should validate token and populate socket.data on successful authentication', async () => {
+    it("should validate token and populate socket.data on successful authentication", async () => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue({
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue({
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
-        role: 'MEMBER',
+        role: "MEMBER",
      } as never);
      await gateway.handleConnection(mockClient);
-      expect(authService.verifySession).toHaveBeenCalledWith('valid-token');
+      expect(authService.verifySession).toHaveBeenCalledWith("valid-token");
-      expect(mockClient.data.userId).toBe('user-123');
+      expect(mockClient.data.userId).toBe("user-123");
-      expect(mockClient.data.workspaceId).toBe('workspace-456');
+      expect(mockClient.data.workspaceId).toBe("workspace-456");
    });
-    it('should disconnect client with invalid token', async () => {
+    it("should disconnect client with invalid token", async () => {
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(null);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(null);
      await gateway.handleConnection(mockClient);
      expect(mockClient.disconnect).toHaveBeenCalled();
    });
-    it('should disconnect client without token', async () => {
+    it("should disconnect client without token", async () => {
      const clientNoToken = {
        ...mockClient,
        handshake: { auth: {} },
@@ -116,23 +116,23 @@ describe('WebSocketGateway', () => {
      expect(clientNoToken.disconnect).toHaveBeenCalled();
    });
-    it('should disconnect client if token verification throws error', async () => {
+    it("should disconnect client if token verification throws error", async () => {
-      vi.spyOn(authService, 'verifySession').mockRejectedValue(new Error('Invalid token'));
+      vi.spyOn(authService, "verifySession").mockRejectedValue(new Error("Invalid token"));
      await gateway.handleConnection(mockClient);
      expect(mockClient.disconnect).toHaveBeenCalled();
    });
-    it('should have connection timeout mechanism in place', () => {
+    it("should have connection timeout mechanism in place", () => {
      // This test verifies that the gateway has a CONNECTION_TIMEOUT_MS constant
      // The actual timeout is tested indirectly through authentication failure tests
      expect((gateway as { CONNECTION_TIMEOUT_MS: number }).CONNECTION_TIMEOUT_MS).toBe(5000);
    });
  });
-  describe('Rate Limiting', () => {
+  describe("Rate Limiting", () => {
-    it('should reject connections exceeding rate limit', async () => {
+    it("should reject connections exceeding rate limit", async () => {
      // Mock rate limiter to return false (limit exceeded)
      const rateLimitedClient = { ...mockClient } as AuthenticatedSocket;
@@ -146,109 +146,109 @@ describe('WebSocketGateway', () => {
      // expect(rateLimitedClient.disconnect).toHaveBeenCalled();
    });
-    it('should allow connections within rate limit', async () => {
+    it("should allow connections within rate limit", async () => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue({
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue({
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
-        role: 'MEMBER',
+        role: "MEMBER",
      } as never);
      await gateway.handleConnection(mockClient);
      expect(mockClient.disconnect).not.toHaveBeenCalled();
-      expect(mockClient.data.userId).toBe('user-123');
+      expect(mockClient.data.userId).toBe("user-123");
    });
  });
-  describe('Workspace Access Validation', () => {
+  describe("Workspace Access Validation", () => {
-    it('should verify user has access to workspace', async () => {
+    it("should verify user has access to workspace", async () => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue({
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue({
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
-        role: 'MEMBER',
+        role: "MEMBER",
      } as never);
      await gateway.handleConnection(mockClient);
      expect(prismaService.workspaceMember.findFirst).toHaveBeenCalledWith({
-        where: { userId: 'user-123' },
+        where: { userId: "user-123" },
        select: { workspaceId: true, userId: true, role: true },
      });
    });
-    it('should disconnect client without workspace access', async () => {
+    it("should disconnect client without workspace access", async () => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue(null);
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue(null);
      await gateway.handleConnection(mockClient);
      expect(mockClient.disconnect).toHaveBeenCalled();
    });
-    it('should only allow joining workspace rooms user has access to', async () => {
+    it("should only allow joining workspace rooms user has access to", async () => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue({
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue({
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
-        role: 'MEMBER',
+        role: "MEMBER",
      } as never);
      await gateway.handleConnection(mockClient);
      // Should join the workspace room they have access to
-      expect(mockClient.join).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockClient.join).toHaveBeenCalledWith("workspace:workspace-456");
    });
  });
-  describe('handleConnection', () => {
+  describe("handleConnection", () => {
    beforeEach(() => {
      const mockSessionData = {
-        user: { id: 'user-123', email: 'test@example.com' },
+        user: { id: "user-123", email: "test@example.com" },
-        session: { id: 'session-123' },
+        session: { id: "session-123" },
      };
-      vi.spyOn(authService, 'verifySession').mockResolvedValue(mockSessionData);
+      vi.spyOn(authService, "verifySession").mockResolvedValue(mockSessionData);
-      vi.spyOn(prismaService.workspaceMember, 'findFirst').mockResolvedValue({
+      vi.spyOn(prismaService.workspaceMember, "findFirst").mockResolvedValue({
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
-        role: 'MEMBER',
+        role: "MEMBER",
      } as never);
      mockClient.data = {
-        userId: 'user-123',
+        userId: "user-123",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
    });
-    it('should join client to workspace room on connection', async () => {
+    it("should join client to workspace room on connection", async () => {
      await gateway.handleConnection(mockClient);
-      expect(mockClient.join).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockClient.join).toHaveBeenCalledWith("workspace:workspace-456");
    });
-    it('should reject connection without authentication', async () => {
+    it("should reject connection without authentication", async () => {
      const unauthClient = {
        ...mockClient,
        data: {},
@@ -261,23 +261,23 @@ describe('WebSocketGateway', () => {
    });
  });
-  describe('handleDisconnect', () => {
+  describe("handleDisconnect", () => {
-    it('should leave workspace room on disconnect', () => {
+    it("should leave workspace room on disconnect", () => {
      // Populate data as if client was authenticated
      const authenticatedClient = {
        ...mockClient,
        data: {
-          userId: 'user-123',
+          userId: "user-123",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
        },
      } as unknown as AuthenticatedSocket;
      gateway.handleDisconnect(authenticatedClient);
-      expect(authenticatedClient.leave).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(authenticatedClient.leave).toHaveBeenCalledWith("workspace:workspace-456");
    });
-    it('should not throw error when disconnecting unauthenticated client', () => {
+    it("should not throw error when disconnecting unauthenticated client", () => {
      const unauthenticatedClient = {
        ...mockClient,
        data: {},
@@ -287,279 +287,279 @@ describe('WebSocketGateway', () => {
    });
  });
-  describe('emitTaskCreated', () => {
+  describe("emitTaskCreated", () => {
-    it('should emit task:created event to workspace room', () => {
+    it("should emit task:created event to workspace room", () => {
      const task = {
-        id: 'task-1',
+        id: "task-1",
-        title: 'Test Task',
+        title: "Test Task",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
-      gateway.emitTaskCreated('workspace-456', task);
+      gateway.emitTaskCreated("workspace-456", task);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('task:created', task);
+      expect(mockServer.emit).toHaveBeenCalledWith("task:created", task);
    });
  });
-  describe('emitTaskUpdated', () => {
+  describe("emitTaskUpdated", () => {
-    it('should emit task:updated event to workspace room', () => {
+    it("should emit task:updated event to workspace room", () => {
      const task = {
-        id: 'task-1',
+        id: "task-1",
-        title: 'Updated Task',
+        title: "Updated Task",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
-      gateway.emitTaskUpdated('workspace-456', task);
+      gateway.emitTaskUpdated("workspace-456", task);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('task:updated', task);
+      expect(mockServer.emit).toHaveBeenCalledWith("task:updated", task);
    });
  });
-  describe('emitTaskDeleted', () => {
+  describe("emitTaskDeleted", () => {
-    it('should emit task:deleted event to workspace room', () => {
+    it("should emit task:deleted event to workspace room", () => {
-      const taskId = 'task-1';
+      const taskId = "task-1";
-      gateway.emitTaskDeleted('workspace-456', taskId);
+      gateway.emitTaskDeleted("workspace-456", taskId);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('task:deleted', { id: taskId });
+      expect(mockServer.emit).toHaveBeenCalledWith("task:deleted", { id: taskId });
    });
  });
-  describe('emitEventCreated', () => {
+  describe("emitEventCreated", () => {
-    it('should emit event:created event to workspace room', () => {
+    it("should emit event:created event to workspace room", () => {
      const event = {
-        id: 'event-1',
+        id: "event-1",
-        title: 'Test Event',
+        title: "Test Event",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
-      gateway.emitEventCreated('workspace-456', event);
+      gateway.emitEventCreated("workspace-456", event);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('event:created', event);
+      expect(mockServer.emit).toHaveBeenCalledWith("event:created", event);
    });
  });
-  describe('emitEventUpdated', () => {
+  describe("emitEventUpdated", () => {
-    it('should emit event:updated event to workspace room', () => {
+    it("should emit event:updated event to workspace room", () => {
      const event = {
-        id: 'event-1',
+        id: "event-1",
-        title: 'Updated Event',
+        title: "Updated Event",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
-      gateway.emitEventUpdated('workspace-456', event);
+      gateway.emitEventUpdated("workspace-456", event);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('event:updated', event);
+      expect(mockServer.emit).toHaveBeenCalledWith("event:updated", event);
    });
  });
-  describe('emitEventDeleted', () => {
+  describe("emitEventDeleted", () => {
-    it('should emit event:deleted event to workspace room', () => {
+    it("should emit event:deleted event to workspace room", () => {
-      const eventId = 'event-1';
+      const eventId = "event-1";
-      gateway.emitEventDeleted('workspace-456', eventId);
+      gateway.emitEventDeleted("workspace-456", eventId);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('event:deleted', { id: eventId });
+      expect(mockServer.emit).toHaveBeenCalledWith("event:deleted", { id: eventId });
    });
  });
-  describe('emitProjectUpdated', () => {
+  describe("emitProjectUpdated", () => {
-    it('should emit project:updated event to workspace room', () => {
+    it("should emit project:updated event to workspace room", () => {
      const project = {
-        id: 'project-1',
+        id: "project-1",
-        name: 'Updated Project',
+        name: "Updated Project",
-        workspaceId: 'workspace-456',
+        workspaceId: "workspace-456",
      };
-      gateway.emitProjectUpdated('workspace-456', project);
+      gateway.emitProjectUpdated("workspace-456", project);
-      expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456');
+      expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456");
-      expect(mockServer.emit).toHaveBeenCalledWith('project:updated', project);
+      expect(mockServer.emit).toHaveBeenCalledWith("project:updated", project);
    });
  });
-  describe('Job Events', () => {
+  describe("Job Events", () => {
-    describe('emitJobCreated', () => {
+    describe("emitJobCreated", () => {
-      it('should emit job:created event to workspace jobs room', () => {
+      it("should emit job:created event to workspace jobs room", () => {
        const job = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          type: 'code-task',
+          type: "code-task",
-          status: 'PENDING',
+          status: "PENDING",
        };
-        gateway.emitJobCreated('workspace-456', job);
+        gateway.emitJobCreated("workspace-456", job);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('job:created', job);
+        expect(mockServer.emit).toHaveBeenCalledWith("job:created", job);
      });
-      it('should emit job:created event to specific job room', () => {
+      it("should emit job:created event to specific job room", () => {
        const job = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          type: 'code-task',
+          type: "code-task",
-          status: 'PENDING',
+          status: "PENDING",
        };
-        gateway.emitJobCreated('workspace-456', job);
+        gateway.emitJobCreated("workspace-456", job);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
-    describe('emitJobStatusChanged', () => {
+    describe("emitJobStatusChanged", () => {
-      it('should emit job:status event to workspace jobs room', () => {
+      it("should emit job:status event to workspace jobs room", () => {
        const data = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          status: 'RUNNING',
+          status: "RUNNING",
-          previousStatus: 'PENDING',
+          previousStatus: "PENDING",
        };
-        gateway.emitJobStatusChanged('workspace-456', 'job-1', data);
+        gateway.emitJobStatusChanged("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('job:status', data);
+        expect(mockServer.emit).toHaveBeenCalledWith("job:status", data);
      });
-      it('should emit job:status event to specific job room', () => {
+      it("should emit job:status event to specific job room", () => {
        const data = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          status: 'RUNNING',
+          status: "RUNNING",
-          previousStatus: 'PENDING',
+          previousStatus: "PENDING",
        };
-        gateway.emitJobStatusChanged('workspace-456', 'job-1', data);
+        gateway.emitJobStatusChanged("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
-    describe('emitJobProgress', () => {
+    describe("emitJobProgress", () => {
-      it('should emit job:progress event to workspace jobs room', () => {
+      it("should emit job:progress event to workspace jobs room", () => {
        const data = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
          progressPercent: 45,
-          message: 'Processing step 2 of 4',
+          message: "Processing step 2 of 4",
        };
-        gateway.emitJobProgress('workspace-456', 'job-1', data);
+        gateway.emitJobProgress("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('job:progress', data);
+        expect(mockServer.emit).toHaveBeenCalledWith("job:progress", data);
      });
-      it('should emit job:progress event to specific job room', () => {
+      it("should emit job:progress event to specific job room", () => {
        const data = {
-          id: 'job-1',
+          id: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
          progressPercent: 45,
-          message: 'Processing step 2 of 4',
+          message: "Processing step 2 of 4",
        };
-        gateway.emitJobProgress('workspace-456', 'job-1', data);
+        gateway.emitJobProgress("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
-    describe('emitStepStarted', () => {
+    describe("emitStepStarted", () => {
-      it('should emit step:started event to workspace jobs room', () => {
+      it("should emit step:started event to workspace jobs room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          name: 'Build',
+          name: "Build",
        };
-        gateway.emitStepStarted('workspace-456', 'job-1', data);
+        gateway.emitStepStarted("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('step:started', data);
+        expect(mockServer.emit).toHaveBeenCalledWith("step:started", data);
      });
-      it('should emit step:started event to specific job room', () => {
+      it("should emit step:started event to specific job room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          name: 'Build',
+          name: "Build",
        };
-        gateway.emitStepStarted('workspace-456', 'job-1', data);
+        gateway.emitStepStarted("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
-    describe('emitStepCompleted', () => {
+    describe("emitStepCompleted", () => {
-      it('should emit step:completed event to workspace jobs room', () => {
+      it("should emit step:completed event to workspace jobs room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          name: 'Build',
+          name: "Build",
          success: true,
        };
-        gateway.emitStepCompleted('workspace-456', 'job-1', data);
+        gateway.emitStepCompleted("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('step:completed', data);
+        expect(mockServer.emit).toHaveBeenCalledWith("step:completed", data);
      });
-      it('should emit step:completed event to specific job room', () => {
+      it("should emit step:completed event to specific job room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          name: 'Build',
+          name: "Build",
          success: true,
        };
-        gateway.emitStepCompleted('workspace-456', 'job-1', data);
+        gateway.emitStepCompleted("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
-    describe('emitStepOutput', () => {
+    describe("emitStepOutput", () => {
-      it('should emit step:output event to workspace jobs room', () => {
+      it("should emit step:output event to workspace jobs room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          output: 'Build completed successfully',
+          output: "Build completed successfully",
          timestamp: new Date().toISOString(),
        };
-        gateway.emitStepOutput('workspace-456', 'job-1', data);
+        gateway.emitStepOutput("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('workspace:workspace-456:jobs');
+        expect(mockServer.to).toHaveBeenCalledWith("workspace:workspace-456:jobs");
-        expect(mockServer.emit).toHaveBeenCalledWith('step:output', data);
+        expect(mockServer.emit).toHaveBeenCalledWith("step:output", data);
      });
-      it('should emit step:output event to specific job room', () => {
+      it("should emit step:output event to specific job room", () => {
        const data = {
-          id: 'step-1',
+          id: "step-1",
-          jobId: 'job-1',
+          jobId: "job-1",
-          workspaceId: 'workspace-456',
+          workspaceId: "workspace-456",
-          output: 'Build completed successfully',
+          output: "Build completed successfully",
          timestamp: new Date().toISOString(),
        };
-        gateway.emitStepOutput('workspace-456', 'job-1', data);
+        gateway.emitStepOutput("workspace-456", "job-1", data);
-        expect(mockServer.to).toHaveBeenCalledWith('job:job-1');
+        expect(mockServer.to).toHaveBeenCalledWith("job:job-1");
      });
    });
  });
--- a/apps/orchestrator/src/api/agents/agents.controller.ts
+++ b/apps/orchestrator/src/api/agents/agents.controller.ts
@@ -1,9 +1,11 @@
 import {
  Controller,
  Post,
  Get,
  Body,
  Param,
  BadRequestException,
  NotFoundException,
  Logger,
  UsePipes,
  ValidationPipe,
@@ -11,6 +13,7 @@ import {
 } from "@nestjs/common";
 import { QueueService } from "../../queue/queue.service";
 import { AgentSpawnerService } from "../../spawner/agent-spawner.service";
 import { AgentLifecycleService } from "../../spawner/agent-lifecycle.service";
 import { KillswitchService } from "../../killswitch/killswitch.service";
 import { SpawnAgentDto, SpawnAgentResponseDto } from "./dto/spawn-agent.dto";
@@ -24,6 +27,7 @@ export class AgentsController {
  constructor(
    private readonly queueService: QueueService,
    private readonly spawnerService: AgentSpawnerService,
    private readonly lifecycleService: AgentLifecycleService,
    private readonly killswitchService: KillswitchService
  ) {}
@@ -66,6 +70,64 @@ export class AgentsController {
    }
  }
  /**
   * Get agent status
   * @param agentId Agent ID to query
   * @returns Agent status details
   */
  @Get(":agentId/status")
  async getAgentStatus(@Param("agentId") agentId: string): Promise<{
    agentId: string;
    taskId: string;
    status: string;
    spawnedAt: string;
    startedAt?: string;
    completedAt?: string;
    error?: string;
  }> {
    this.logger.log(`Received status request for agent: ${agentId}`);
    try {
      // Try to get from lifecycle service (Valkey)
      const lifecycleState = await this.lifecycleService.getAgentLifecycleState(agentId);
      if (lifecycleState) {
        return {
          agentId: lifecycleState.agentId,
          taskId: lifecycleState.taskId,
          status: lifecycleState.status,
          spawnedAt: lifecycleState.startedAt ?? new Date().toISOString(),
          startedAt: lifecycleState.startedAt,
          completedAt: lifecycleState.completedAt,
          error: lifecycleState.error,
        };
      }
      // Fallback to spawner service (in-memory)
      const session = this.spawnerService.getAgentSession(agentId);
      if (session) {
        return {
          agentId: session.agentId,
          taskId: session.taskId,
          status: session.state,
          spawnedAt: session.spawnedAt.toISOString(),
          completedAt: session.completedAt?.toISOString(),
          error: session.error,
        };
      }
      throw new NotFoundException(`Agent ${agentId} not found`);
    } catch (error: unknown) {
      if (error instanceof NotFoundException) {
        throw error;
      }
      const errorMessage = error instanceof Error ? error.message : String(error);
      this.logger.error(`Failed to get agent status: ${errorMessage}`);
      throw new Error(`Failed to get agent status: ${errorMessage}`);
    }
  }
  /**
   * Kill a single agent immediately
   * @param agentId Agent ID to kill
--- a/apps/orchestrator/src/api/agents/agents.module.ts
+++ b/apps/orchestrator/src/api/agents/agents.module.ts
@@ -3,9 +3,10 @@ import { AgentsController } from "./agents.controller";
 import { QueueModule } from "../../queue/queue.module";
 import { SpawnerModule } from "../../spawner/spawner.module";
 import { KillswitchModule } from "../../killswitch/killswitch.module";
 import { ValkeyModule } from "../../valkey/valkey.module";
@Module({
-  imports: [QueueModule, SpawnerModule, KillswitchModule],
+  imports: [QueueModule, SpawnerModule, KillswitchModule, ValkeyModule],
  controllers: [AgentsController],
 })
 export class AgentsModule {}
--- a/apps/web/src/app/(authenticated)/federation/connections/page.tsx
+++ b/apps/web/src/app/(authenticated)/federation/connections/page.tsx
@@ -0,0 +1,220 @@
 "use client";
 /**
 * Federation Connections Page
 * Manage connections to remote Mosaic Stack instances
 */
 import { useState, useEffect } from "react";
 import { ConnectionList } from "@/components/federation/ConnectionList";
 import { InitiateConnectionDialog } from "@/components/federation/InitiateConnectionDialog";
 import {
  mockConnections,
  FederationConnectionStatus,
  type ConnectionDetails,
 } from "@/lib/api/federation";
 // TODO: Replace with real API calls when backend is integrated
 // import {
 //   fetchConnections,
 //   initiateConnection,
 //   acceptConnection,
 //   rejectConnection,
 //   disconnectConnection,
 // } from "@/lib/api/federation";
 export default function ConnectionsPage(): React.JSX.Element {
  const [connections, setConnections] = useState<ConnectionDetails[]>([]);
  const [isLoading, setIsLoading] = useState(false);
  const [showDialog, setShowDialog] = useState(false);
  const [dialogLoading, setDialogLoading] = useState(false);
  const [error, setError] = useState<string | null>(null);
  const [dialogError, setDialogError] = useState<string | null>(null);
  // Load connections on mount
  useEffect(() => {
    void loadConnections();
  }, []);
  const loadConnections = async (): Promise<void> => {
    setIsLoading(true);
    setError(null);
    try {
      // TODO: Replace with real API call when backend is integrated
      // const data = await fetchConnections();
      // Using mock data for now
      await new Promise((resolve) => setTimeout(resolve, 500)); // Simulate network delay
      setConnections(mockConnections);
    } catch (err) {
      setError(
        err instanceof Error ? err.message : "Unable to load connections. Please try again."
      );
    } finally {
      setIsLoading(false);
    }
  };
  const handleInitiate = async (_url: string): Promise<void> => {
    setDialogLoading(true);
    setDialogError(null);
    try {
      // TODO: Replace with real API call
      // const newConnection = await initiateConnection({ remoteUrl: url });
      // Simulate API call for now
      await new Promise((resolve) => setTimeout(resolve, 1000));
      // Close dialog and reload connections
      setShowDialog(false);
      await loadConnections();
    } catch (err) {
      setDialogError(
        err instanceof Error
          ? err.message
          : "Unable to initiate connection. Please check the URL and try again."
      );
    } finally {
      setDialogLoading(false);
    }
  };
  const handleAccept = async (connectionId: string): Promise<void> => {
    setError(null);
    try {
      // TODO: Replace with real API call
      // await acceptConnection(connectionId);
      // Simulate API call and optimistic update
      await new Promise((resolve) => setTimeout(resolve, 500));
      setConnections((prev) =>
        prev.map((conn) =>
          conn.id === connectionId
            ? {
                ...conn,
                status: FederationConnectionStatus.ACTIVE,
                connectedAt: new Date().toISOString(),
              }
            : conn
        )
      );
    } catch (err) {
      setError(
        err instanceof Error ? err.message : "Unable to accept connection. Please try again."
      );
    }
  };
  const handleReject = async (connectionId: string): Promise<void> => {
    setError(null);
    try {
      // TODO: Replace with real API call
      // await rejectConnection(connectionId, { reason: "User declined" });
      // Simulate API call and optimistic update
      await new Promise((resolve) => setTimeout(resolve, 500));
      setConnections((prev) =>
        prev.map((conn) =>
          conn.id === connectionId
            ? {
                ...conn,
                status: FederationConnectionStatus.REJECTED,
              }
            : conn
        )
      );
    } catch (err) {
      setError(
        err instanceof Error ? err.message : "Unable to reject connection. Please try again."
      );
    }
  };
  const handleDisconnect = async (connectionId: string): Promise<void> => {
    setError(null);
    try {
      // TODO: Replace with real API call
      // await disconnectConnection(connectionId);
      // Simulate API call and optimistic update
      await new Promise((resolve) => setTimeout(resolve, 500));
      setConnections((prev) =>
        prev.map((conn) =>
          conn.id === connectionId
            ? {
                ...conn,
                status: FederationConnectionStatus.DISCONNECTED,
                disconnectedAt: new Date().toISOString(),
              }
            : conn
        )
      );
    } catch (err) {
      setError(err instanceof Error ? err.message : "Unable to disconnect. Please try again.");
    }
  };
  return (
    <main className="container mx-auto px-4 py-8">
      {/* Header */}
      <div className="mb-8 flex items-center justify-between">
        <div>
          <h1 className="text-3xl font-bold text-gray-900">Federation Connections</h1>
          <p className="text-gray-600 mt-2">Manage connections to other Mosaic Stack instances</p>
        </div>
        <button
          onClick={() => {
            setShowDialog(true);
          }}
          className="px-4 py-2 bg-blue-600 text-white text-sm font-medium rounded-md hover:bg-blue-700 transition-colors"
        >
          Connect to Instance
        </button>
      </div>
      {/* Error Banner */}
      {error && (
        <div className="mb-6 p-4 bg-red-50 border border-red-200 rounded-lg">
          <p className="text-sm text-red-600">{error}</p>
          <button
            onClick={() => {
              setError(null);
            }}
            className="text-sm text-red-700 underline mt-2"
          >
            Dismiss
          </button>
        </div>
      )}
      {/* Connection List */}
      <ConnectionList
        connections={connections}
        isLoading={isLoading}
        onAccept={handleAccept}
        onReject={handleReject}
        onDisconnect={handleDisconnect}
      />
      {/* Initiate Connection Dialog */}
      <InitiateConnectionDialog
        open={showDialog}
        onInitiate={handleInitiate}
        onCancel={() => {
          setShowDialog(false);
          setDialogError(null);
        }}
        isLoading={dialogLoading}
        {...(dialogError && { error: dialogError })}
      />
    </main>
  );
 }
--- a/apps/web/src/app/(authenticated)/federation/dashboard/page.tsx
+++ b/apps/web/src/app/(authenticated)/federation/dashboard/page.tsx
@@ -0,0 +1,175 @@
 "use client";
 /**
 * Aggregated Dashboard Page
 * Displays data from multiple federated instances in a unified view
 */
 import { useState, useEffect } from "react";
 import { AggregatedDataGrid } from "@/components/federation/AggregatedDataGrid";
 import type { FederatedTask, FederatedEvent } from "@/components/federation/types";
 import {
  fetchConnections,
  FederationConnectionStatus,
  type ConnectionDetails,
 } from "@/lib/api/federation";
 import { sendFederatedQuery } from "@/lib/api/federation-queries";
 import type { Task, Event } from "@mosaic/shared";
 export default function AggregatedDashboardPage(): React.JSX.Element {
  const [tasks, setTasks] = useState<FederatedTask[]>([]);
  const [events, setEvents] = useState<FederatedEvent[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const [connections, setConnections] = useState<ConnectionDetails[]>([]);
  useEffect(() => {
    void loadAggregatedData();
  }, []);
  async function loadAggregatedData(): Promise<void> {
    setIsLoading(true);
    setError(null);
    try {
      // Fetch all active connections
      const allConnections = await fetchConnections(FederationConnectionStatus.ACTIVE);
      setConnections(allConnections);
      if (allConnections.length === 0) {
        setIsLoading(false);
        return;
      }
      // Query each connection for tasks and events
      const allTasks: FederatedTask[] = [];
      const allEvents: FederatedEvent[] = [];
      const errors: string[] = [];
      for (const connection of allConnections) {
        try {
          // Query tasks
          if (connection.remoteCapabilities.supportsQuery) {
            const taskResponse = await sendFederatedQuery(connection.id, "tasks.list", {
              limit: 10,
            });
            // Wait a bit for the query to be processed and response received
            // In production, this would use WebSocket or polling
            await new Promise((resolve) => setTimeout(resolve, 1000));
            // For MVP, we'll use mock data since query processing is async
            // In production, we'd poll for the response or use WebSocket
            if (taskResponse.response) {
              const responseTasks = (taskResponse.response as { data?: Task[] }).data ?? [];
              const federatedTasks = responseTasks.map((task) => ({
                task,
                provenance: {
                  instanceId: connection.remoteInstanceId,
                  instanceName:
                    (connection.metadata.name as string | undefined) ?? connection.remoteUrl,
                  instanceUrl: connection.remoteUrl,
                  timestamp: new Date().toISOString(),
                },
              }));
              allTasks.push(...federatedTasks);
            }
            // Query events
            const eventResponse = await sendFederatedQuery(connection.id, "events.list", {
              limit: 10,
            });
            await new Promise((resolve) => setTimeout(resolve, 1000));
            if (eventResponse.response) {
              const responseEvents = (eventResponse.response as { data?: Event[] }).data ?? [];
              const federatedEvents = responseEvents.map((event) => ({
                event,
                provenance: {
                  instanceId: connection.remoteInstanceId,
                  instanceName:
                    (connection.metadata.name as string | undefined) ?? connection.remoteUrl,
                  instanceUrl: connection.remoteUrl,
                  timestamp: new Date().toISOString(),
                },
              }));
              allEvents.push(...federatedEvents);
            }
          }
        } catch (err) {
          const errorMessage = err instanceof Error ? err.message : "Unknown error";
          const instanceName =
            (connection.metadata.name as string | undefined) ?? connection.remoteUrl;
          errors.push(`Unable to reach ${instanceName}: ${errorMessage}`);
        }
      }
      setTasks(allTasks);
      setEvents(allEvents);
      if (errors.length > 0 && allTasks.length === 0 && allEvents.length === 0) {
        setError(errors.join(", "));
      }
    } catch (err) {
      const errorMessage = err instanceof Error ? err.message : "Unable to load connections";
      setError(errorMessage);
    } finally {
      setIsLoading(false);
    }
  }
  async function handleRefresh(): Promise<void> {
    await loadAggregatedData();
  }
  return (
    <main className="container mx-auto px-4 py-8">
      {/* Header */}
      <div className="mb-8 flex items-center justify-between">
        <div>
          <h1 className="text-3xl font-bold text-gray-900">Aggregated Dashboard</h1>
          <p className="text-gray-600 mt-2">View tasks and events from all connected instances</p>
        </div>
        <button
          onClick={handleRefresh}
          disabled={isLoading}
          className="px-4 py-2 bg-blue-600 text-white text-sm font-medium rounded-md hover:bg-blue-700 disabled:opacity-50 disabled:cursor-not-allowed transition-colors"
        >
          {isLoading ? "Loading..." : "Refresh"}
        </button>
      </div>
      {/* Connection status */}
      {!isLoading && connections.length > 0 && (
        <div className="mb-6">
          <p className="text-sm text-gray-600">
            Connected to <span className="font-medium text-gray-900">{connections.length}</span>{" "}
            {connections.length === 1 ? "instance" : "instances"}
          </p>
        </div>
      )}
      {/* Connection warning */}
      {!isLoading && connections.length === 0 && (
        <div className="mb-6 p-4 bg-yellow-50 border border-yellow-200 rounded-lg">
          <p className="text-sm text-yellow-800">
            No active connections found. Please visit the{" "}
            <a href="/federation/connections" className="font-medium underline">
              Connection Manager
            </a>{" "}
            to connect to remote instances.
          </p>
        </div>
      )}
      {/* Data grid */}
      <AggregatedDataGrid
        tasks={tasks}
        events={events}
        isLoading={isLoading}
        {...(error !== null && { error })}
      />
    </main>
  );
 }
--- a/apps/web/src/app/(authenticated)/federation/settings/page.tsx
+++ b/apps/web/src/app/(authenticated)/federation/settings/page.tsx
@@ -0,0 +1,228 @@
 "use client";
 /**
 * Federation Settings Page
 * Configure local instance federation settings (spoke configuration)
 * Admin-only page
 */
 import { useState, useEffect } from "react";
 import { SpokeConfigurationForm } from "@/components/federation/SpokeConfigurationForm";
 import {
  fetchInstanceIdentity,
  updateInstanceConfiguration,
  regenerateInstanceKeys,
  type PublicInstanceIdentity,
  type UpdateInstanceRequest,
 } from "@/lib/api/federation";
 export default function FederationSettingsPage(): React.JSX.Element {
  const [instance, setInstance] = useState<PublicInstanceIdentity | null>(null);
  const [isLoading, setIsLoading] = useState(false);
  const [isSaving, setIsSaving] = useState(false);
  const [isRegenerating, setIsRegenerating] = useState(false);
  const [error, setError] = useState<string | null>(null);
  const [saveError, setSaveError] = useState<string | null>(null);
  const [successMessage, setSuccessMessage] = useState<string | null>(null);
  const [showRegenerateConfirm, setShowRegenerateConfirm] = useState(false);
  // Load instance identity on mount
  useEffect(() => {
    void loadInstance();
  }, []);
  const loadInstance = async (): Promise<void> => {
    setIsLoading(true);
    setError(null);
    try {
      const data = await fetchInstanceIdentity();
      setInstance(data);
    } catch (err) {
      setError(
        err instanceof Error
          ? err.message
          : "Unable to load instance configuration. Please try again."
      );
    } finally {
      setIsLoading(false);
    }
  };
  const handleSave = async (updates: UpdateInstanceRequest): Promise<void> => {
    setIsSaving(true);
    setSaveError(null);
    setSuccessMessage(null);
    try {
      const updatedInstance = await updateInstanceConfiguration(updates);
      setInstance(updatedInstance);
      setSuccessMessage("Configuration saved successfully");
      // Clear success message after 3 seconds
      setTimeout(() => {
        setSuccessMessage(null);
      }, 3000);
    } catch (err) {
      setSaveError(
        err instanceof Error ? err.message : "Unable to save configuration. Please try again."
      );
    } finally {
      setIsSaving(false);
    }
  };
  const handleRegenerateKeys = async (): Promise<void> => {
    setIsRegenerating(true);
    setSaveError(null);
    setSuccessMessage(null);
    try {
      const updatedInstance = await regenerateInstanceKeys();
      setInstance(updatedInstance);
      setSuccessMessage("Instance keypair regenerated successfully");
      setShowRegenerateConfirm(false);
      // Clear success message after 3 seconds
      setTimeout(() => {
        setSuccessMessage(null);
      }, 3000);
    } catch (err) {
      setSaveError(
        err instanceof Error ? err.message : "Unable to regenerate keys. Please try again."
      );
    } finally {
      setIsRegenerating(false);
    }
  };
  // Loading state
  if (isLoading) {
    return (
      <div className="container mx-auto px-4 py-8">
        <div className="max-w-4xl mx-auto">
          <h1 className="text-3xl font-bold text-gray-900 mb-8">Federation Settings</h1>
          <div className="bg-white border border-gray-200 rounded-lg p-8 text-center">
            <div className="text-gray-600">Loading configuration...</div>
          </div>
        </div>
      </div>
    );
  }
  // Error state
  if (error) {
    return (
      <div className="container mx-auto px-4 py-8">
        <div className="max-w-4xl mx-auto">
          <h1 className="text-3xl font-bold text-gray-900 mb-8">Federation Settings</h1>
          <div className="bg-red-50 border border-red-200 rounded-lg p-8">
            <h2 className="text-lg font-semibold text-red-900 mb-2">
              Unable to Load Configuration
            </h2>
            <p className="text-red-700">{error}</p>
            <button
              onClick={() => void loadInstance()}
              className="mt-4 px-4 py-2 bg-red-600 text-white rounded-lg hover:bg-red-700 transition-colors"
            >
              Try Again
            </button>
          </div>
        </div>
      </div>
    );
  }
  // No instance (shouldn't happen, but handle gracefully)
  if (!instance) {
    return (
      <div className="container mx-auto px-4 py-8">
        <div className="max-w-4xl mx-auto">
          <h1 className="text-3xl font-bold text-gray-900 mb-8">Federation Settings</h1>
          <div className="bg-gray-50 border border-gray-200 rounded-lg p-8 text-center">
            <div className="text-gray-600">No instance configuration found</div>
          </div>
        </div>
      </div>
    );
  }
  return (
    <div className="container mx-auto px-4 py-8">
      <div className="max-w-4xl mx-auto">
        {/* Page Header */}
        <div className="mb-8">
          <h1 className="text-3xl font-bold text-gray-900 mb-2">Federation Settings</h1>
          <p className="text-gray-600">
            Configure your instance's federation capabilities and identity. These settings determine
            how your instance interacts with other Mosaic Stack instances.
          </p>
        </div>
        {/* Success Message */}
        {successMessage && (
          <div className="mb-6 bg-green-50 border border-green-200 text-green-700 px-4 py-3 rounded-lg">
            {successMessage}
          </div>
        )}
        {/* Main Configuration Form */}
        <div className="bg-white border border-gray-200 rounded-lg p-6">
          <SpokeConfigurationForm
            instance={instance}
            onSave={handleSave}
            isLoading={isSaving}
            {...(saveError && { error: saveError })}
          />
        </div>
        {/* Advanced Section: Regenerate Keys */}
        <div className="mt-8 bg-white border border-gray-200 rounded-lg p-6">
          <h3 className="text-lg font-medium text-gray-900 mb-2">Advanced</h3>
          <p className="text-sm text-gray-600 mb-4">
            Regenerating your instance's keypair will invalidate all existing federation
            connections. Connected instances will need to re-establish connections with your new
            public key.
          </p>
          {showRegenerateConfirm ? (
            <div className="bg-yellow-50 border border-yellow-200 rounded-lg p-4">
              <h4 className="font-medium text-yellow-900 mb-2">Confirm Keypair Regeneration</h4>
              <p className="text-sm text-yellow-800 mb-4">
                This action will disconnect all federated instances. They will need to reconnect
                using your new public key. This action cannot be undone.
              </p>
              <div className="flex items-center space-x-3">
                <button
                  onClick={() => void handleRegenerateKeys()}
                  disabled={isRegenerating}
                  className="px-4 py-2 bg-yellow-600 text-white rounded-lg hover:bg-yellow-700 disabled:bg-gray-300 disabled:cursor-not-allowed transition-colors"
                >
                  {isRegenerating ? "Regenerating..." : "Confirm Regenerate"}
                </button>
                <button
                  onClick={() => {
                    setShowRegenerateConfirm(false);
                  }}
                  disabled={isRegenerating}
                  className="px-4 py-2 border border-gray-300 text-gray-700 rounded-lg hover:bg-gray-50 disabled:bg-gray-100 disabled:cursor-not-allowed transition-colors"
                >
                  Cancel
                </button>
              </div>
            </div>
          ) : (
            <button
              onClick={() => {
                setShowRegenerateConfirm(true);
              }}
              className="px-4 py-2 border border-yellow-600 text-yellow-700 rounded-lg hover:bg-yellow-50 transition-colors"
            >
              Regenerate Keypair
            </button>
          )}
        </div>
      </div>
    </div>
  );
 }
--- a/apps/web/src/components/federation/AggregatedDataGrid.test.tsx
+++ b/apps/web/src/components/federation/AggregatedDataGrid.test.tsx
@@ -0,0 +1,156 @@
 /**
 * AggregatedDataGrid Component Tests
 */
 import { describe, it, expect } from "vitest";
 import { render, screen } from "@testing-library/react";
 import { AggregatedDataGrid } from "./AggregatedDataGrid";
 import { TaskStatus, TaskPriority } from "@mosaic/shared";
 import type { FederatedTask, FederatedEvent } from "./types";
 const mockTasks: FederatedTask[] = [
  {
    task: {
      id: "task-1",
      title: "Task from Work",
      description: "Work task",
      status: TaskStatus.IN_PROGRESS,
      priority: TaskPriority.HIGH,
      dueDate: new Date("2026-02-05"),
      creatorId: "user-1",
      assigneeId: "user-1",
      workspaceId: "workspace-1",
      projectId: null,
      parentId: null,
      sortOrder: 0,
      metadata: {},
      completedAt: null,
      createdAt: new Date("2026-02-03"),
      updatedAt: new Date("2026-02-03"),
    },
    provenance: {
      instanceId: "instance-work-001",
      instanceName: "Work Instance",
      instanceUrl: "https://mosaic.work.example.com",
      timestamp: "2026-02-03T14:00:00Z",
    },
  },
  {
    task: {
      id: "task-2",
      title: "Task from Home",
      description: "Home task",
      status: TaskStatus.NOT_STARTED,
      priority: TaskPriority.MEDIUM,
      dueDate: new Date("2026-02-06"),
      creatorId: "user-1",
      assigneeId: "user-1",
      workspaceId: "workspace-2",
      projectId: null,
      parentId: null,
      sortOrder: 0,
      metadata: {},
      completedAt: null,
      createdAt: new Date("2026-02-03"),
      updatedAt: new Date("2026-02-03"),
    },
    provenance: {
      instanceId: "instance-home-001",
      instanceName: "Home Instance",
      instanceUrl: "https://mosaic.home.example.com",
      timestamp: "2026-02-03T14:00:00Z",
    },
  },
 ];
 const mockEvents: FederatedEvent[] = [
  {
    event: {
      id: "event-1",
      title: "Meeting from Work",
      description: "Team standup",
      startTime: new Date("2026-02-05T10:00:00"),
      endTime: new Date("2026-02-05T10:30:00"),
      allDay: false,
      location: "Zoom",
      recurrence: null,
      creatorId: "user-1",
      workspaceId: "workspace-1",
      projectId: null,
      metadata: {},
      createdAt: new Date("2026-02-03"),
      updatedAt: new Date("2026-02-03"),
    },
    provenance: {
      instanceId: "instance-work-001",
      instanceName: "Work Instance",
      instanceUrl: "https://mosaic.work.example.com",
      timestamp: "2026-02-03T14:00:00Z",
    },
  },
 ];
 describe("AggregatedDataGrid", () => {
  it("should render tasks", () => {
    render(<AggregatedDataGrid tasks={mockTasks} events={[]} />);
    expect(screen.getByText("Task from Work")).toBeInTheDocument();
    expect(screen.getByText("Task from Home")).toBeInTheDocument();
  });
  it("should render events", () => {
    render(<AggregatedDataGrid tasks={[]} events={mockEvents} />);
    expect(screen.getByText("Meeting from Work")).toBeInTheDocument();
  });
  it("should render both tasks and events", () => {
    render(<AggregatedDataGrid tasks={mockTasks} events={mockEvents} />);
    expect(screen.getByText("Task from Work")).toBeInTheDocument();
    expect(screen.getByText("Meeting from Work")).toBeInTheDocument();
  });
  it("should show loading state", () => {
    render(<AggregatedDataGrid tasks={[]} events={[]} isLoading={true} />);
    expect(screen.getByText("Loading data from instances...")).toBeInTheDocument();
  });
  it("should show empty state when no data", () => {
    render(<AggregatedDataGrid tasks={[]} events={[]} />);
    expect(screen.getByText("No data available from connected instances")).toBeInTheDocument();
  });
  it("should show error message", () => {
    render(<AggregatedDataGrid tasks={[]} events={[]} error="Unable to reach work instance" />);
    expect(screen.getByText("Unable to reach work instance")).toBeInTheDocument();
  });
  it("should render with custom className", () => {
    const { container } = render(
      <AggregatedDataGrid tasks={mockTasks} events={[]} className="custom-class" />
    );
    expect(container.querySelector(".custom-class")).toBeInTheDocument();
  });
  it("should show instance provenance indicators", () => {
    render(<AggregatedDataGrid tasks={mockTasks} events={[]} />);
    expect(screen.getByText("Work Instance")).toBeInTheDocument();
    expect(screen.getByText("Home Instance")).toBeInTheDocument();
  });
  it("should render with compact mode", () => {
    const { container } = render(
      <AggregatedDataGrid tasks={mockTasks} events={[]} compact={true} />
    );
    // Check that cards have compact padding
    const compactCards = container.querySelectorAll(".p-3");
    expect(compactCards.length).toBeGreaterThan(0);
  });
 });
--- a/apps/web/src/components/federation/AggregatedDataGrid.tsx
+++ b/apps/web/src/components/federation/AggregatedDataGrid.tsx
@@ -0,0 +1,100 @@
 /**
 * AggregatedDataGrid Component
 * Displays aggregated tasks and events from multiple federated instances
 */
 import type { FederatedTask, FederatedEvent } from "./types";
 import { FederatedTaskCard } from "./FederatedTaskCard";
 import { FederatedEventCard } from "./FederatedEventCard";
 interface AggregatedDataGridProps {
  tasks: FederatedTask[];
  events: FederatedEvent[];
  isLoading?: boolean;
  error?: string;
  compact?: boolean;
  className?: string;
 }
 export function AggregatedDataGrid({
  tasks,
  events,
  isLoading = false,
  error,
  compact = false,
  className = "",
 }: AggregatedDataGridProps): React.JSX.Element {
  // Loading state
  if (isLoading) {
    return (
      <div className={`flex items-center justify-center p-8 ${className}`}>
        <div className="text-center">
          <div className="inline-block animate-spin rounded-full h-8 w-8 border-b-2 border-blue-600 mb-4"></div>
          <p className="text-gray-600">Loading data from instances...</p>
        </div>
      </div>
    );
  }
  // Error state
  if (error) {
    return (
      <div className={`flex items-center justify-center p-8 ${className}`}>
        <div className="text-center">
          <span className="text-4xl mb-4 block">⚠️</span>
          <p className="text-gray-900 font-medium mb-2">Unable to load data</p>
          <p className="text-gray-600 text-sm">{error}</p>
        </div>
      </div>
    );
  }
  // Empty state
  if (tasks.length === 0 && events.length === 0) {
    return (
      <div className={`flex items-center justify-center p-8 ${className}`}>
        <div className="text-center">
          <span className="text-4xl mb-4 block">📋</span>
          <p className="text-gray-900 font-medium mb-2">No data available</p>
          <p className="text-gray-600 text-sm">No data available from connected instances</p>
        </div>
      </div>
    );
  }
  return (
    <div className={`space-y-4 ${className}`}>
      {/* Tasks section */}
      {tasks.length > 0 && (
        <div>
          <h3 className="text-lg font-medium text-gray-900 mb-3">Tasks ({tasks.length})</h3>
          <div className="space-y-2">
            {tasks.map((federatedTask) => (
              <FederatedTaskCard
                key={`task-${federatedTask.task.id}-${federatedTask.provenance.instanceId}`}
                federatedTask={federatedTask}
                compact={compact}
              />
            ))}
          </div>
        </div>
      )}
      {/* Events section */}
      {events.length > 0 && (
        <div>
          <h3 className="text-lg font-medium text-gray-900 mb-3">Events ({events.length})</h3>
          <div className="space-y-2">
            {events.map((federatedEvent) => (
              <FederatedEventCard
                key={`event-${federatedEvent.event.id}-${federatedEvent.provenance.instanceId}`}
                federatedEvent={federatedEvent}
                compact={compact}
              />
            ))}
          </div>
        </div>
      )}
    </div>
  );
 }
--- a/apps/web/src/components/federation/ConnectionCard.test.tsx
+++ b/apps/web/src/components/federation/ConnectionCard.test.tsx
@@ -0,0 +1,201 @@
 /**
 * ConnectionCard Component Tests
 * Following TDD - write tests first!
 */
 import { describe, it, expect, vi } from "vitest";
 import { render, screen } from "@testing-library/react";
 import userEvent from "@testing-library/user-event";
 import { ConnectionCard } from "./ConnectionCard";
 import { FederationConnectionStatus, type ConnectionDetails } from "@/lib/api/federation";
 describe("ConnectionCard", (): void => {
  const mockActiveConnection: ConnectionDetails = {
    id: "conn-1",
    workspaceId: "workspace-1",
    remoteInstanceId: "instance-work-001",
    remoteUrl: "https://mosaic.work.example.com",
    remotePublicKey: "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
    remoteCapabilities: {
      supportsQuery: true,
      supportsCommand: true,
      supportsEvent: true,
      supportsAgentSpawn: true,
      protocolVersion: "1.0",
    },
    status: FederationConnectionStatus.ACTIVE,
    metadata: {
      name: "Work Instance",
      description: "Corporate Mosaic instance",
    },
    createdAt: new Date("2026-02-01").toISOString(),
    updatedAt: new Date("2026-02-01").toISOString(),
    connectedAt: new Date("2026-02-01").toISOString(),
    disconnectedAt: null,
  };
  const mockPendingConnection: ConnectionDetails = {
    ...mockActiveConnection,
    id: "conn-2",
    status: FederationConnectionStatus.PENDING,
    metadata: {
      name: "Partner Instance",
      description: "Awaiting acceptance",
    },
    connectedAt: null,
  };
  const mockOnAccept = vi.fn();
  const mockOnReject = vi.fn();
  const mockOnDisconnect = vi.fn();
  it("should render connection name from metadata", (): void => {
    render(<ConnectionCard connection={mockActiveConnection} />);
    expect(screen.getByText("Work Instance")).toBeInTheDocument();
  });
  it("should render connection URL", (): void => {
    render(<ConnectionCard connection={mockActiveConnection} />);
    expect(screen.getByText("https://mosaic.work.example.com")).toBeInTheDocument();
  });
  it("should render connection description from metadata", (): void => {
    render(<ConnectionCard connection={mockActiveConnection} />);
    expect(screen.getByText("Corporate Mosaic instance")).toBeInTheDocument();
  });
  it("should show Active status with green indicator for active connections", (): void => {
    render(<ConnectionCard connection={mockActiveConnection} />);
    expect(screen.getByText("Active")).toBeInTheDocument();
  });
  it("should show Pending status with blue indicator for pending connections", (): void => {
    render(<ConnectionCard connection={mockPendingConnection} />);
    expect(screen.getByText("Pending")).toBeInTheDocument();
  });
  it("should show Disconnected status for disconnected connections", (): void => {
    const disconnectedConnection = {
      ...mockActiveConnection,
      status: FederationConnectionStatus.DISCONNECTED,
      disconnectedAt: new Date("2026-02-02").toISOString(),
    };
    render(<ConnectionCard connection={disconnectedConnection} />);
    expect(screen.getByText("Disconnected")).toBeInTheDocument();
  });
  it("should show Rejected status for rejected connections", (): void => {
    const rejectedConnection = {
      ...mockActiveConnection,
      status: FederationConnectionStatus.REJECTED,
    };
    render(<ConnectionCard connection={rejectedConnection} />);
    expect(screen.getByText("Rejected")).toBeInTheDocument();
  });
  it("should show Disconnect button for active connections", (): void => {
    render(<ConnectionCard connection={mockActiveConnection} onDisconnect={mockOnDisconnect} />);
    expect(screen.getByRole("button", { name: /disconnect/i })).toBeInTheDocument();
  });
  it("should show Accept and Reject buttons for pending connections", (): void => {
    render(
      <ConnectionCard
        connection={mockPendingConnection}
        onAccept={mockOnAccept}
        onReject={mockOnReject}
      />
    );
    expect(screen.getByRole("button", { name: /accept/i })).toBeInTheDocument();
    expect(screen.getByRole("button", { name: /reject/i })).toBeInTheDocument();
  });
  it("should not show action buttons for disconnected connections", (): void => {
    const disconnectedConnection = {
      ...mockActiveConnection,
      status: FederationConnectionStatus.DISCONNECTED,
    };
    render(<ConnectionCard connection={disconnectedConnection} />);
    expect(screen.queryByRole("button")).not.toBeInTheDocument();
  });
  it("should call onAccept when accept button clicked", async (): Promise<void> => {
    const user = userEvent.setup();
    render(
      <ConnectionCard
        connection={mockPendingConnection}
        onAccept={mockOnAccept}
        onReject={mockOnReject}
      />
    );
    const acceptButton = screen.getByRole("button", { name: /accept/i });
    await user.click(acceptButton);
    expect(mockOnAccept).toHaveBeenCalledWith(mockPendingConnection.id);
  });
  it("should call onReject when reject button clicked", async (): Promise<void> => {
    const user = userEvent.setup();
    render(
      <ConnectionCard
        connection={mockPendingConnection}
        onAccept={mockOnAccept}
        onReject={mockOnReject}
      />
    );
    const rejectButton = screen.getByRole("button", { name: /reject/i });
    await user.click(rejectButton);
    expect(mockOnReject).toHaveBeenCalledWith(mockPendingConnection.id);
  });
  it("should call onDisconnect when disconnect button clicked", async (): Promise<void> => {
    const user = userEvent.setup();
    render(<ConnectionCard connection={mockActiveConnection} onDisconnect={mockOnDisconnect} />);
    const disconnectButton = screen.getByRole("button", { name: /disconnect/i });
    await user.click(disconnectButton);
    expect(mockOnDisconnect).toHaveBeenCalledWith(mockActiveConnection.id);
  });
  it("should display capabilities when showDetails is true", (): void => {
    render(<ConnectionCard connection={mockActiveConnection} showDetails={true} />);
    expect(screen.getByText(/Query/i)).toBeInTheDocument();
    expect(screen.getByText(/Command/i)).toBeInTheDocument();
    expect(screen.getByText(/Events/i)).toBeInTheDocument();
    expect(screen.getByText(/Agent Spawn/i)).toBeInTheDocument();
  });
  it("should not display capabilities by default", (): void => {
    render(<ConnectionCard connection={mockActiveConnection} />);
    // Capabilities should not be visible without showDetails=true
    const card = screen.getByText("Work Instance").closest("div");
    expect(card?.textContent).not.toMatch(/Query.*Command.*Events/);
  });
  it("should use fallback name if metadata name is missing", (): void => {
    const connectionWithoutName = {
      ...mockActiveConnection,
      metadata: {},
    };
    render(<ConnectionCard connection={connectionWithoutName} />);
    expect(screen.getByText("Remote Instance")).toBeInTheDocument();
  });
  it("should render with compact layout when compact prop is true", (): void => {
    const { container } = render(
      <ConnectionCard connection={mockActiveConnection} compact={true} />
    );
    // Verify compact class is applied
    expect(container.querySelector(".p-3")).toBeInTheDocument();
  });
  it("should render with full layout by default", (): void => {
    const { container } = render(<ConnectionCard connection={mockActiveConnection} />);
    // Verify full padding is applied
    expect(container.querySelector(".p-4")).toBeInTheDocument();
  });
 });
--- a/apps/web/src/components/federation/ConnectionCard.tsx
+++ b/apps/web/src/components/federation/ConnectionCard.tsx
@@ -0,0 +1,152 @@
 /**
 * ConnectionCard Component
 * Displays a single federation connection with PDA-friendly design
 */
 import { FederationConnectionStatus, type ConnectionDetails } from "@/lib/api/federation";
 interface ConnectionCardProps {
  connection: ConnectionDetails;
  onAccept?: (connectionId: string) => void;
  onReject?: (connectionId: string) => void;
  onDisconnect?: (connectionId: string) => void;
  showDetails?: boolean;
  compact?: boolean;
 }
 /**
 * Get PDA-friendly status text and color
 */
 function getStatusDisplay(status: FederationConnectionStatus): {
  text: string;
  colorClass: string;
  icon: string;
 } {
  switch (status) {
    case FederationConnectionStatus.ACTIVE:
      return {
        text: "Active",
        colorClass: "text-green-600 bg-green-50",
        icon: "🟢",
      };
    case FederationConnectionStatus.PENDING:
      return {
        text: "Pending",
        colorClass: "text-blue-600 bg-blue-50",
        icon: "🔵",
      };
    case FederationConnectionStatus.DISCONNECTED:
      return {
        text: "Disconnected",
        colorClass: "text-yellow-600 bg-yellow-50",
        icon: "⏸️",
      };
    case FederationConnectionStatus.REJECTED:
      return {
        text: "Rejected",
        colorClass: "text-gray-600 bg-gray-50",
        icon: "⚪",
      };
  }
 }
 export function ConnectionCard({
  connection,
  onAccept,
  onReject,
  onDisconnect,
  showDetails = false,
  compact = false,
 }: ConnectionCardProps): React.JSX.Element {
  const status = getStatusDisplay(connection.status);
  const name =
    typeof connection.metadata.name === "string" ? connection.metadata.name : "Remote Instance";
  const description = connection.metadata.description as string | undefined;
  const paddingClass = compact ? "p-3" : "p-4";
  return (
    <div
      className={`border border-gray-200 rounded-lg ${paddingClass} hover:border-gray-300 transition-colors`}
    >
      {/* Header */}
      <div className="flex items-start justify-between mb-2">
        <div className="flex-1">
          <h3 className="text-lg font-medium text-gray-900">{name}</h3>
          <p className="text-sm text-gray-600 mt-1">{connection.remoteUrl}</p>
          {description && <p className="text-sm text-gray-500 mt-1">{description}</p>}
        </div>
        {/* Status Badge */}
        <div
          className={`flex items-center gap-1 px-3 py-1 rounded-full text-sm font-medium ${status.colorClass}`}
        >
          <span>{status.icon}</span>
          <span>{status.text}</span>
        </div>
      </div>
      {/* Capabilities (when showDetails is true) */}
      {showDetails && (
        <div className="mt-3 pt-3 border-t border-gray-100">
          <p className="text-xs font-medium text-gray-700 mb-2">Capabilities</p>
          <div className="flex flex-wrap gap-2">
            {connection.remoteCapabilities.supportsQuery && (
              <span className="text-xs px-2 py-1 bg-gray-100 text-gray-700 rounded">Query</span>
            )}
            {connection.remoteCapabilities.supportsCommand && (
              <span className="text-xs px-2 py-1 bg-gray-100 text-gray-700 rounded">Command</span>
            )}
            {connection.remoteCapabilities.supportsEvent && (
              <span className="text-xs px-2 py-1 bg-gray-100 text-gray-700 rounded">Events</span>
            )}
            {connection.remoteCapabilities.supportsAgentSpawn && (
              <span className="text-xs px-2 py-1 bg-gray-100 text-gray-700 rounded">
                Agent Spawn
              </span>
            )}
          </div>
        </div>
      )}
      {/* Actions */}
      {connection.status === FederationConnectionStatus.PENDING && (onAccept ?? onReject) && (
        <div className="mt-4 flex gap-2">
          {onAccept && (
            <button
              onClick={() => {
                onAccept(connection.id);
              }}
              className="px-4 py-2 bg-green-600 text-white text-sm font-medium rounded-md hover:bg-green-700 transition-colors"
            >
              Accept
            </button>
          )}
          {onReject && (
            <button
              onClick={() => {
                onReject(connection.id);
              }}
              className="px-4 py-2 bg-gray-200 text-gray-700 text-sm font-medium rounded-md hover:bg-gray-300 transition-colors"
            >
              Reject
            </button>
          )}
        </div>
      )}
      {connection.status === FederationConnectionStatus.ACTIVE && onDisconnect && (
        <div className="mt-4">
          <button
            onClick={() => {
              onDisconnect(connection.id);
            }}
            className="px-4 py-2 bg-gray-200 text-gray-700 text-sm font-medium rounded-md hover:bg-gray-300 transition-colors"
          >
            Disconnect
          </button>
        </div>
      )}
    </div>
  );
 }
--- a/apps/web/src/components/federation/ConnectionList.test.tsx
+++ b/apps/web/src/components/federation/ConnectionList.test.tsx
@@ -0,0 +1,120 @@
 /**
 * ConnectionList Component Tests
 * Following TDD - write tests first!
 */
 import { describe, it, expect, vi } from "vitest";
 import { render, screen } from "@testing-library/react";
 import { ConnectionList } from "./ConnectionList";
 import { FederationConnectionStatus, type ConnectionDetails } from "@/lib/api/federation";
 describe("ConnectionList", (): void => {
  const mockConnections: ConnectionDetails[] = [
    {
      id: "conn-1",
      workspaceId: "workspace-1",
      remoteInstanceId: "instance-work-001",
      remoteUrl: "https://mosaic.work.example.com",
      remotePublicKey: "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
      remoteCapabilities: {
        supportsQuery: true,
        supportsCommand: true,
        supportsEvent: true,
        supportsAgentSpawn: true,
        protocolVersion: "1.0",
      },
      status: FederationConnectionStatus.ACTIVE,
      metadata: {
        name: "Work Instance",
        description: "Corporate Mosaic instance",
      },
      createdAt: new Date("2026-02-01").toISOString(),
      updatedAt: new Date("2026-02-01").toISOString(),
      connectedAt: new Date("2026-02-01").toISOString(),
      disconnectedAt: null,
    },
    {
      id: "conn-2",
      workspaceId: "workspace-1",
      remoteInstanceId: "instance-partner-001",
      remoteUrl: "https://mosaic.partner.example.com",
      remotePublicKey: "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
      remoteCapabilities: {
        supportsQuery: true,
        supportsCommand: false,
        supportsEvent: true,
        supportsAgentSpawn: false,
        protocolVersion: "1.0",
      },
      status: FederationConnectionStatus.PENDING,
      metadata: {
        name: "Partner Instance",
        description: "Awaiting acceptance",
      },
      createdAt: new Date("2026-02-02").toISOString(),
      updatedAt: new Date("2026-02-02").toISOString(),
      connectedAt: null,
      disconnectedAt: null,
    },
  ];
  const mockOnAccept = vi.fn();
  const mockOnReject = vi.fn();
  const mockOnDisconnect = vi.fn();
  it("should render loading state", (): void => {
    render(<ConnectionList connections={[]} isLoading={true} />);
    expect(screen.getByText(/loading/i)).toBeInTheDocument();
  });
  it("should render empty state when no connections", (): void => {
    render(<ConnectionList connections={[]} isLoading={false} />);
    expect(screen.getByText(/no federation connections/i)).toBeInTheDocument();
  });
  it("should render PDA-friendly empty state message", (): void => {
    render(<ConnectionList connections={[]} isLoading={false} />);
    expect(screen.getByText(/ready to connect/i)).toBeInTheDocument();
  });
  it("should render all connections", (): void => {
    render(<ConnectionList connections={mockConnections} isLoading={false} />);
    expect(screen.getByText("Work Instance")).toBeInTheDocument();
    expect(screen.getByText("Partner Instance")).toBeInTheDocument();
  });
  it("should group connections by status", (): void => {
    render(<ConnectionList connections={mockConnections} isLoading={false} />);
    expect(screen.getByRole("heading", { name: "Active" })).toBeInTheDocument();
    expect(screen.getByRole("heading", { name: "Pending" })).toBeInTheDocument();
  });
  it("should pass handlers to connection cards", (): void => {
    render(
      <ConnectionList
        connections={mockConnections}
        isLoading={false}
        onAccept={mockOnAccept}
        onReject={mockOnReject}
        onDisconnect={mockOnDisconnect}
      />
    );
    const acceptButtons = screen.getAllByRole("button", { name: /accept/i });
    const disconnectButtons = screen.getAllByRole("button", { name: /disconnect/i });
    expect(acceptButtons.length).toBeGreaterThan(0);
    expect(disconnectButtons.length).toBeGreaterThan(0);
  });
  it("should handle null connections array", (): void => {
    render(<ConnectionList connections={null} isLoading={false} />);
    expect(screen.getByText(/no federation connections/i)).toBeInTheDocument();
  });
  it("should render with compact layout when compact prop is true", (): void => {
    render(<ConnectionList connections={mockConnections} isLoading={false} compact={true} />);
    // Verify connections are rendered
    expect(screen.getByText("Work Instance")).toBeInTheDocument();
  });
 });
--- a/Show More
+++ b/Show More