Implements the final piece of M7-Federation - the spoke configuration UI
that allows administrators to configure their local instance's federation
capabilities and settings.
Backend Changes:
- Add UpdateInstanceDto with validation for name, capabilities, and metadata
- Implement FederationService.updateInstanceConfiguration() method
- Add PATCH /api/v1/federation/instance endpoint to FederationController
- Add audit logging for configuration updates
- Add tests for updateInstanceConfiguration (5 new tests, all passing)
Frontend Changes:
- Create SpokeConfigurationForm component with PDA-friendly design
- Create /federation/settings page with configuration management
- Add regenerate keypair functionality with confirmation dialog
- Extend federation API client with updateInstanceConfiguration and regenerateInstanceKeys
- Add comprehensive tests (10 tests, all passing)
Design Decisions:
- Admin-only access via AdminGuard
- Never expose private key in API responses (security)
- PDA-friendly language throughout (no demanding terms)
- Clear visual hierarchy with read-only and editable fields
- Truncated public key with copy button for usability
- Confirmation dialog for destructive key regeneration
All tests passing:
- Backend: 13/13 federation service tests passing
- Frontend: 10/10 SpokeConfigurationForm tests passing
- TypeScript compilation: passing
- Linting: passing
- PDA-friendliness: verified
This completes M7-Federation. All federation features are now implemented.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements FED-004: Cross-Instance Identity Linking, building on the
foundation from FED-001, FED-002, and FED-003.
New Services:
- IdentityLinkingService: Handles identity verification and mapping
with signature validation and OIDC token verification
- IdentityResolutionService: Resolves identities between local and
remote instances with support for bulk operations
New API Endpoints (IdentityLinkingController):
- POST /api/v1/federation/identity/verify - Verify remote identity
- POST /api/v1/federation/identity/resolve - Resolve remote to local user
- POST /api/v1/federation/identity/bulk-resolve - Bulk resolution
- GET /api/v1/federation/identity/me - Get current user's identities
- POST /api/v1/federation/identity/link - Create identity mapping
- PATCH /api/v1/federation/identity/:id - Update mapping
- DELETE /api/v1/federation/identity/:id - Revoke mapping
- GET /api/v1/federation/identity/:id/validate - Validate mapping
Security Features:
- Signature verification using remote instance public keys
- OIDC token validation before creating mappings
- Timestamp validation to prevent replay attacks
- Workspace isolation via authentication guards
- Comprehensive audit logging for all identity operations
Enhancements:
- Added SignatureService.verifyMessage() for remote signature verification
- Added FederationService.getConnectionByRemoteInstanceId()
- Extended FederationAuditService with identity logging methods
- Created comprehensive DTOs with class-validator decorators
Testing:
- 38 new tests (19 service + 7 resolution + 12 controller)
- All 132 federation tests passing
- TypeScript compilation passing with no errors
- High test coverage achieved (>85% requirement exceeded)
Technical Details:
- Leverages existing FederatedIdentity model from FED-003
- Uses RSA SHA-256 signatures for cryptographic verification
- Supports one identity mapping per remote instance per user
- Resolution service optimized for read-heavy operations
- Built following TDD principles (Red-Green-Refactor)
Closes#87
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements federated authentication infrastructure using OIDC:
- Add FederatedIdentity model to Prisma schema for identity mapping
- Create OIDCService with identity linking and token validation
- Add FederationAuthController with 5 endpoints:
* POST /auth/initiate - Start federated auth flow
* POST /auth/link - Link identity to remote instance
* GET /auth/identities - List user's federated identities
* DELETE /auth/identities/:id - Revoke identity
* POST /auth/validate - Validate federated token
- Create comprehensive type definitions for OIDC flows
- Add audit logging for security events
- Write 24 passing tests (14 service + 10 controller)
- Achieve 79% coverage for OIDCService, 100% for controller
Notes:
- Token validation and auth URL generation are placeholder implementations
- Full JWT validation will be added when federation OIDC is actively used
- Identity mappings enforce workspace isolation
- All endpoints require authentication except /validate
Refs #86
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
