feat: auth middleware, brain data layer, Valkey queue (P1-002, P1-003, P1-004)

Auth middleware (P1-002):
- DatabaseModule provides Db instance with graceful shutdown
- AuthModule mounts BetterAuth at /api/auth/* via toNodeHandler
- AuthGuard validates sessions via BetterAuth API
- CurrentUser decorator extracts user from request

Brain data layer (P1-003):
- CRUD repositories for projects, missions, tasks, conversations
- createBrain(db) factory returns all repositories
- Re-exports drizzle-orm query helpers from @mosaic/db to avoid
  duplicate package resolution

Queue (P1-004):
- ioredis-based Valkey client with createQueue/createQueueClient
- Enqueue/dequeue, pub/sub, queue length operations

Closes #11, Closes #12, Closes #13

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/gateway/package.json

@@ -13,6 +13,8 @@
   },
   "dependencies": {
     "@mariozechner/pi-coding-agent": "~0.57.1",
+    "@mosaic/auth": "workspace:^",
+    "@mosaic/db": "workspace:^",
     "@nestjs/common": "^11.0.0",
     "@nestjs/core": "^11.0.0",
     "@nestjs/platform-fastify": "^11.0.0",
@@ -25,6 +27,7 @@
     "@opentelemetry/sdk-metrics": "^2.6.0",
     "@opentelemetry/sdk-node": "^0.213.0",
     "@opentelemetry/semantic-conventions": "^1.40.0",
+    "better-auth": "^1.5.5",
     "fastify": "^5.0.0",
     "reflect-metadata": "^0.2.0",
     "rxjs": "^7.8.0",

apps/gateway/src/app.module.ts

@@ -1,10 +1,12 @@
 import { Module } from '@nestjs/common';
 import { HealthController } from './health/health.controller.js';
+import { DatabaseModule } from './database/database.module.js';
+import { AuthModule } from './auth/auth.module.js';
 import { AgentModule } from './agent/agent.module.js';
 import { ChatModule } from './chat/chat.module.js';
 
 @Module({
-  imports: [AgentModule, ChatModule],
+  imports: [DatabaseModule, AuthModule, AgentModule, ChatModule],
   controllers: [HealthController],
 })
 export class AppModule {}

apps/gateway/src/auth/auth.controller.ts

@@ -0,0 +1,20 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+import { All, Controller, Inject, Req, Res } from '@nestjs/common';
+import type { FastifyReply, FastifyRequest } from 'fastify';
+import { toNodeHandler } from 'better-auth/node';
+import type { Auth } from '@mosaic/auth';
+import { AUTH } from './auth.module.js';
+
+@Controller('api/auth')
+export class AuthController {
+  private readonly handler: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
+
+  constructor(@Inject(AUTH) auth: Auth) {
+    this.handler = toNodeHandler(auth);
+  }
+
+  @All('*path')
+  async handleAuth(@Req() req: FastifyRequest, @Res() res: FastifyReply): Promise<void> {
+    await this.handler(req.raw, res.raw);
+  }
+}

apps/gateway/src/auth/auth.guard.ts

@@ -0,0 +1,32 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  Inject,
+  Injectable,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { fromNodeHeaders } from 'better-auth/node';
+import type { Auth } from '@mosaic/auth';
+import type { FastifyRequest } from 'fastify';
+import { AUTH } from './auth.module.js';
+
+@Injectable()
+export class AuthGuard implements CanActivate {
+  constructor(@Inject(AUTH) private readonly auth: Auth) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest<FastifyRequest>();
+    const headers = fromNodeHeaders(request.raw.headers);
+
+    const result = await this.auth.api.getSession({ headers });
+
+    if (!result) {
+      throw new UnauthorizedException('Invalid or expired session');
+    }
+
+    (request as FastifyRequest & { user: unknown; session: unknown }).user = result.user;
+    (request as FastifyRequest & { user: unknown; session: unknown }).session = result.session;
+
+    return true;
+  }
+}

apps/gateway/src/auth/auth.module.ts

@@ -0,0 +1,26 @@
+import { Global, Module } from '@nestjs/common';
+import { createAuth, type Auth } from '@mosaic/auth';
+import type { Db } from '@mosaic/db';
+import { DB } from '../database/database.module.js';
+import { AuthController } from './auth.controller.js';
+
+export const AUTH = 'AUTH';
+
+@Global()
+@Module({
+  providers: [
+    {
+      provide: AUTH,
+      useFactory: (db: Db): Auth =>
+        createAuth({
+          db,
+          baseURL: process.env['BETTER_AUTH_URL'] ?? 'http://localhost:4000',
+          secret: process.env['BETTER_AUTH_SECRET'],
+        }),
+      inject: [DB],
+    },
+  ],
+  controllers: [AuthController],
+  exports: [AUTH],
+})
+export class AuthModule {}

apps/gateway/src/auth/current-user.decorator.ts

@@ -0,0 +1,7 @@
+import { createParamDecorator, type ExecutionContext } from '@nestjs/common';
+import type { FastifyRequest } from 'fastify';
+
+export const CurrentUser = createParamDecorator((_data: unknown, ctx: ExecutionContext) => {
+  const request = ctx.switchToHttp().getRequest<FastifyRequest & { user?: unknown }>();
+  return request.user;
+});

apps/gateway/src/database/database.module.ts

@@ -0,0 +1,28 @@
+import { Global, Inject, Module, type OnApplicationShutdown } from '@nestjs/common';
+import { createDb, type Db, type DbHandle } from '@mosaic/db';
+
+export const DB_HANDLE = 'DB_HANDLE';
+export const DB = 'DB';
+
+@Global()
+@Module({
+  providers: [
+    {
+      provide: DB_HANDLE,
+      useFactory: (): DbHandle => createDb(),
+    },
+    {
+      provide: DB,
+      useFactory: (handle: DbHandle): Db => handle.db,
+      inject: [DB_HANDLE],
+    },
+  ],
+  exports: [DB],
+})
+export class DatabaseModule implements OnApplicationShutdown {
+  constructor(@Inject(DB_HANDLE) private readonly handle: DbHandle) {}
+
+  async onApplicationShutdown(): Promise<void> {
+    await this.handle.close();
+  }
+}