docs(federation): S21 tracking — DEPLOY-01/02 done, IMG-FIX in flight, M2-01 in remediation

- TASKS.md: mark DEPLOY-01 (image verify) + DEPLOY-02 (stack template, PR #485) done
- TASKS.md: add DEPLOY-IMG-FIX row (gateway Dockerfile pnpm-deploy fix in flight)
- TASKS.md: DEPLOY-03/04 → blocked on IMG-FIX; M2-01 → needs-qa (PR #486 in remediation)
- scratchpads/mvp-20260312.md: Session 20 entry (M2 kickoff, workstream split, Portainer access)
- scratchpads/mvp-20260312.md: Session 21 entry (DEPLOY-02 merged, gateway image runtime bug
  discovered via stripped-container test, M2-01 review verdict + remediation in flight,
  process notes on branch races + worktree isolation rule)

apps/gateway/src/federation/scope-schema.spec.ts

@@ -1,187 +0,0 @@
-/**
- * Unit tests for FederationScopeSchema and parseFederationScope.
- *
- * Coverage:
- *  - Valid: minimal scope
- *  - Valid: full PRD §8.1 example
- *  - Valid: resources + excluded_resources (no overlap)
- *  - Invalid: empty resources
- *  - Invalid: unknown resource value
- *  - Invalid: resources / excluded_resources intersection
- *  - Invalid: filter key not in resources
- *  - Invalid: max_rows_per_query = 0
- *  - Invalid: max_rows_per_query = 10001
- *  - Invalid: not an object / null
- *  - Defaults: include_personal defaults to true; excluded_resources defaults to []
- *  - Sentinel: console.warn fires for sensitive resources
- */
-
-import { describe, it, expect, vi, afterEach } from 'vitest';
-import {
-  parseFederationScope,
-  FederationScopeError,
-  FederationScopeSchema,
-} from './scope-schema.js';
-
-afterEach(() => {
-  vi.restoreAllMocks();
-});
-
-describe('parseFederationScope — valid inputs', () => {
-  it('accepts a minimal scope (resources + max_rows_per_query only)', () => {
-    const scope = parseFederationScope({
-      resources: ['tasks'],
-      max_rows_per_query: 100,
-    });
-    expect(scope.resources).toEqual(['tasks']);
-    expect(scope.max_rows_per_query).toBe(100);
-    expect(scope.excluded_resources).toEqual([]);
-    expect(scope.filters).toBeUndefined();
-  });
-
-  it('accepts the full PRD §8.1 example', () => {
-    const scope = parseFederationScope({
-      resources: ['tasks', 'notes', 'memory'],
-      filters: {
-        tasks: { include_teams: ['team_uuid_1', 'team_uuid_2'], include_personal: true },
-        notes: { include_personal: true, include_teams: [] },
-        memory: { include_personal: true },
-      },
-      excluded_resources: ['credentials', 'api_keys'],
-      max_rows_per_query: 500,
-    });
-    expect(scope.resources).toEqual(['tasks', 'notes', 'memory']);
-    expect(scope.excluded_resources).toEqual(['credentials', 'api_keys']);
-    expect(scope.filters?.tasks?.include_teams).toEqual(['team_uuid_1', 'team_uuid_2']);
-    expect(scope.max_rows_per_query).toBe(500);
-  });
-
-  it('accepts a scope with excluded_resources and no filter overlap', () => {
-    const scope = parseFederationScope({
-      resources: ['tasks', 'notes'],
-      excluded_resources: ['memory'],
-      max_rows_per_query: 250,
-    });
-    expect(scope.resources).toEqual(['tasks', 'notes']);
-    expect(scope.excluded_resources).toEqual(['memory']);
-  });
-});
-
-describe('parseFederationScope — defaults', () => {
-  it('defaults excluded_resources to []', () => {
-    const scope = parseFederationScope({ resources: ['tasks'], max_rows_per_query: 1 });
-    expect(scope.excluded_resources).toEqual([]);
-  });
-
-  it('defaults include_personal to true when filter is provided without it', () => {
-    const scope = parseFederationScope({
-      resources: ['tasks'],
-      filters: { tasks: { include_teams: ['t1'] } },
-      max_rows_per_query: 10,
-    });
-    expect(scope.filters?.tasks?.include_personal).toBe(true);
-  });
-});
-
-describe('parseFederationScope — invalid inputs', () => {
-  it('throws FederationScopeError for empty resources array', () => {
-    expect(() => parseFederationScope({ resources: [], max_rows_per_query: 100 })).toThrow(
-      FederationScopeError,
-    );
-  });
-
-  it('throws for unknown resource value in resources', () => {
-    expect(() =>
-      parseFederationScope({ resources: ['unknown_resource'], max_rows_per_query: 100 }),
-    ).toThrow(FederationScopeError);
-  });
-
-  it('throws when resources and excluded_resources intersect', () => {
-    expect(() =>
-      parseFederationScope({
-        resources: ['tasks', 'memory'],
-        excluded_resources: ['memory'],
-        max_rows_per_query: 100,
-      }),
-    ).toThrow(FederationScopeError);
-  });
-
-  it('throws when filters references a resource not in resources', () => {
-    expect(() =>
-      parseFederationScope({
-        resources: ['tasks'],
-        filters: { notes: { include_personal: true } },
-        max_rows_per_query: 100,
-      }),
-    ).toThrow(FederationScopeError);
-  });
-
-  it('throws for max_rows_per_query = 0', () => {
-    expect(() => parseFederationScope({ resources: ['tasks'], max_rows_per_query: 0 })).toThrow(
-      FederationScopeError,
-    );
-  });
-
-  it('throws for max_rows_per_query = 10001', () => {
-    expect(() => parseFederationScope({ resources: ['tasks'], max_rows_per_query: 10001 })).toThrow(
-      FederationScopeError,
-    );
-  });
-
-  it('throws for null input', () => {
-    expect(() => parseFederationScope(null)).toThrow(FederationScopeError);
-  });
-
-  it('throws for non-object input (string)', () => {
-    expect(() => parseFederationScope('not-an-object')).toThrow(FederationScopeError);
-  });
-});
-
-describe('parseFederationScope — sentinel warning', () => {
-  it('emits console.warn when resources includes "credentials"', () => {
-    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
-    parseFederationScope({
-      resources: ['tasks', 'credentials'],
-      max_rows_per_query: 100,
-    });
-    expect(warnSpy).toHaveBeenCalledWith(
-      expect.stringContaining(
-        '[FederationScope] WARNING: scope grants sensitive resource "credentials"',
-      ),
-    );
-  });
-
-  it('emits console.warn when resources includes "api_keys"', () => {
-    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
-    parseFederationScope({
-      resources: ['tasks', 'api_keys'],
-      max_rows_per_query: 100,
-    });
-    expect(warnSpy).toHaveBeenCalledWith(
-      expect.stringContaining(
-        '[FederationScope] WARNING: scope grants sensitive resource "api_keys"',
-      ),
-    );
-  });
-
-  it('does NOT emit console.warn for non-sensitive resources', () => {
-    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
-    parseFederationScope({ resources: ['tasks', 'notes', 'memory'], max_rows_per_query: 100 });
-    expect(warnSpy).not.toHaveBeenCalled();
-  });
-});
-
-describe('FederationScopeSchema — boundary values', () => {
-  it('accepts max_rows_per_query = 1 (lower bound)', () => {
-    const result = FederationScopeSchema.safeParse({ resources: ['tasks'], max_rows_per_query: 1 });
-    expect(result.success).toBe(true);
-  });
-
-  it('accepts max_rows_per_query = 10000 (upper bound)', () => {
-    const result = FederationScopeSchema.safeParse({
-      resources: ['tasks'],
-      max_rows_per_query: 10000,
-    });
-    expect(result.success).toBe(true);
-  });
-});

apps/gateway/src/federation/scope-schema.ts

@@ -1,147 +0,0 @@
-/**
- * Federation grant scope schema and validator.
- *
- * Source of truth: docs/federation/PRD.md §8.1
- *
- * This module is intentionally pure — no DB, no NestJS, no CA wiring.
- * It is reusable from grant CRUD (M2-06) and scope enforcement (M3+).
- */
-
-import { z } from 'zod';
-
-// ---------------------------------------------------------------------------
-// Allowlist of federation resources (canonical — M3+ will extend this list)
-// ---------------------------------------------------------------------------
-export const FEDERATION_RESOURCE_VALUES = [
-  'tasks',
-  'notes',
-  'memory',
-  'credentials',
-  'api_keys',
-] as const;
-
-export type FederationResource = (typeof FEDERATION_RESOURCE_VALUES)[number];
-
-/**
- * Sensitive resources require explicit admin approval (PRD §8.4).
- * The parser warns when these appear in `resources`; M2-06 grant CRUD
- * will add a hard gate on top of this warning.
- */
-const SENSITIVE_RESOURCES: ReadonlySet<FederationResource> = new Set(['credentials', 'api_keys']);
-
-// ---------------------------------------------------------------------------
-// Sub-schemas
-// ---------------------------------------------------------------------------
-
-const ResourceArraySchema = z
-  .array(z.enum(FEDERATION_RESOURCE_VALUES))
-  .nonempty({ message: 'resources must contain at least one value' })
-  .refine((arr) => new Set(arr).size === arr.length, {
-    message: 'resources must not contain duplicate values',
-  });
-
-const ResourceFilterSchema = z.object({
-  include_teams: z.array(z.string()).optional(),
-  include_personal: z.boolean().default(true),
-});
-
-// ---------------------------------------------------------------------------
-// Top-level schema
-// ---------------------------------------------------------------------------
-
-export const FederationScopeSchema = z
-  .object({
-    resources: ResourceArraySchema,
-
-    excluded_resources: z
-      .array(z.enum(FEDERATION_RESOURCE_VALUES))
-      .default([])
-      .refine((arr) => new Set(arr).size === arr.length, {
-        message: 'excluded_resources must not contain duplicate values',
-      }),
-
-    filters: z.record(z.string(), ResourceFilterSchema).optional(),
-
-    max_rows_per_query: z
-      .number()
-      .int({ message: 'max_rows_per_query must be an integer' })
-      .min(1, { message: 'max_rows_per_query must be at least 1' })
-      .max(10000, { message: 'max_rows_per_query must be at most 10000' }),
-  })
-  .superRefine((data, ctx) => {
-    const resourceSet = new Set(data.resources);
-
-    // Intersection guard: a resource cannot be both granted and excluded
-    for (const r of data.excluded_resources) {
-      if (resourceSet.has(r)) {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          message: `Resource "${r}" appears in both resources and excluded_resources`,
-          path: ['excluded_resources'],
-        });
-      }
-    }
-
-    // Filter keys must be a subset of resources
-    if (data.filters) {
-      for (const key of Object.keys(data.filters)) {
-        if (!resourceSet.has(key as FederationResource)) {
-          ctx.addIssue({
-            code: z.ZodIssueCode.custom,
-            message: `filters key "${key}" references a resource not present in resources`,
-            path: ['filters', key],
-          });
-        }
-      }
-    }
-  });
-
-export type FederationScope = z.infer<typeof FederationScopeSchema>;
-
-// ---------------------------------------------------------------------------
-// Error class
-// ---------------------------------------------------------------------------
-
-export class FederationScopeError extends Error {
-  constructor(message: string) {
-    super(message);
-    this.name = 'FederationScopeError';
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Typed parser
-// ---------------------------------------------------------------------------
-
-/**
- * Parse and validate an unknown value as a FederationScope.
- *
- * Throws `FederationScopeError` with aggregated Zod issues on failure.
- *
- * Emits `console.warn` when sensitive resources (`credentials`, `api_keys`)
- * are present in `resources` — per PRD §8.4, these require explicit admin
- * approval. M2-06 grant CRUD will add a hard gate on top of this warning.
- */
-export function parseFederationScope(input: unknown): FederationScope {
-  const result = FederationScopeSchema.safeParse(input);
-
-  if (!result.success) {
-    const issues = result.error.issues
-      .map((e) => `  - [${e.path.join('.') || 'root'}] ${e.message}`)
-      .join('\n');
-    throw new FederationScopeError(`Invalid federation scope:\n${issues}`);
-  }
-
-  const scope = result.data;
-
-  // Sentinel warning for sensitive resources (PRD §8.4)
-  for (const resource of scope.resources) {
-    if (SENSITIVE_RESOURCES.has(resource)) {
-      console.warn(
-        `[FederationScope] WARNING: scope grants sensitive resource "${resource}". Per PRD §8.4 this requires explicit admin approval and is logged.`,
-      );
-    }
-  }
-
-  return scope;
-}

docker/gateway.Dockerfile

@@ -5,27 +5,18 @@ RUN corepack enable
 
 FROM base AS builder
 WORKDIR /app
-# Copy workspace manifests first for layer-cached install
 COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
 COPY apps/gateway/package.json ./apps/gateway/
 COPY packages/ ./packages/
-COPY plugins/ ./plugins/
 RUN pnpm install --frozen-lockfile
 COPY . .
-# Build gateway and all of its workspace dependencies via turbo dependency graph
-RUN pnpm turbo run build --filter @mosaicstack/gateway...
-# Produce a self-contained deploy artifact: flat node_modules, no pnpm symlinks
-# --legacy is required for pnpm v10 when inject-workspace-packages is not set
-RUN pnpm --filter @mosaicstack/gateway --prod deploy --legacy /deploy
+RUN pnpm --filter @mosaic/gateway build
 
 FROM base AS runner
 WORKDIR /app
 ENV NODE_ENV=production
-# Use the pnpm deploy output — resolves all deps into a flat, self-contained node_modules
-COPY --from=builder /deploy/node_modules ./node_modules
-COPY --from=builder /deploy/package.json ./package.json
-# dist is declared in package.json "files" so pnpm deploy copies it into /deploy;
-# copy from builder explicitly as belt-and-suspenders
 COPY --from=builder /app/apps/gateway/dist ./dist
+COPY --from=builder /app/apps/gateway/package.json ./package.json
+COPY --from=builder /app/node_modules ./node_modules
 EXPOSE 4000
 CMD ["node", "dist/main.js"]

packages/db/drizzle/0008_smart_lyja.sql

@@ -1,75 +0,0 @@
-CREATE TYPE "public"."grant_status" AS ENUM('active', 'revoked', 'expired');--> statement-breakpoint
-CREATE TYPE "public"."peer_state" AS ENUM('pending', 'active', 'suspended', 'revoked');--> statement-breakpoint
-CREATE TABLE "admin_tokens" (
-	"id" text PRIMARY KEY NOT NULL,
-	"user_id" text NOT NULL,
-	"token_hash" text NOT NULL,
-	"label" text NOT NULL,
-	"scope" text DEFAULT 'admin' NOT NULL,
-	"expires_at" timestamp with time zone,
-	"last_used_at" timestamp with time zone,
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL
-);
---> statement-breakpoint
-CREATE TABLE "federation_audit_log" (
-	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
-	"request_id" text NOT NULL,
-	"peer_id" uuid,
-	"subject_user_id" text,
-	"grant_id" uuid,
-	"verb" text NOT NULL,
-	"resource" text NOT NULL,
-	"status_code" integer NOT NULL,
-	"result_count" integer,
-	"denied_reason" text,
-	"latency_ms" integer,
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"query_hash" text,
-	"outcome" text,
-	"bytes_out" integer
-);
---> statement-breakpoint
-CREATE TABLE "federation_grants" (
-	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
-	"subject_user_id" text NOT NULL,
-	"peer_id" uuid NOT NULL,
-	"scope" jsonb NOT NULL,
-	"status" "grant_status" DEFAULT 'active' NOT NULL,
-	"expires_at" timestamp with time zone,
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"revoked_at" timestamp with time zone,
-	"revoked_reason" text
-);
---> statement-breakpoint
-CREATE TABLE "federation_peers" (
-	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
-	"common_name" text NOT NULL,
-	"display_name" text NOT NULL,
-	"cert_pem" text NOT NULL,
-	"cert_serial" text NOT NULL,
-	"cert_not_after" timestamp with time zone NOT NULL,
-	"client_key_pem" text,
-	"state" "peer_state" DEFAULT 'pending' NOT NULL,
-	"endpoint_url" text,
-	"last_seen_at" timestamp with time zone,
-	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
-	"revoked_at" timestamp with time zone,
-	CONSTRAINT "federation_peers_common_name_unique" UNIQUE("common_name"),
-	CONSTRAINT "federation_peers_cert_serial_unique" UNIQUE("cert_serial")
-);
---> statement-breakpoint
-ALTER TABLE "admin_tokens" ADD CONSTRAINT "admin_tokens_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "federation_audit_log" ADD CONSTRAINT "federation_audit_log_peer_id_federation_peers_id_fk" FOREIGN KEY ("peer_id") REFERENCES "public"."federation_peers"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "federation_audit_log" ADD CONSTRAINT "federation_audit_log_subject_user_id_users_id_fk" FOREIGN KEY ("subject_user_id") REFERENCES "public"."users"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "federation_audit_log" ADD CONSTRAINT "federation_audit_log_grant_id_federation_grants_id_fk" FOREIGN KEY ("grant_id") REFERENCES "public"."federation_grants"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "federation_grants" ADD CONSTRAINT "federation_grants_subject_user_id_users_id_fk" FOREIGN KEY ("subject_user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "federation_grants" ADD CONSTRAINT "federation_grants_peer_id_federation_peers_id_fk" FOREIGN KEY ("peer_id") REFERENCES "public"."federation_peers"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-CREATE INDEX "admin_tokens_user_id_idx" ON "admin_tokens" USING btree ("user_id");--> statement-breakpoint
-CREATE UNIQUE INDEX "admin_tokens_hash_idx" ON "admin_tokens" USING btree ("token_hash");--> statement-breakpoint
-CREATE INDEX "federation_audit_log_peer_created_at_idx" ON "federation_audit_log" USING btree ("peer_id","created_at" DESC NULLS LAST);--> statement-breakpoint
-CREATE INDEX "federation_audit_log_subject_created_at_idx" ON "federation_audit_log" USING btree ("subject_user_id","created_at" DESC NULLS LAST);--> statement-breakpoint
-CREATE INDEX "federation_audit_log_created_at_idx" ON "federation_audit_log" USING btree ("created_at" DESC NULLS LAST);--> statement-breakpoint
-CREATE INDEX "federation_grants_subject_status_idx" ON "federation_grants" USING btree ("subject_user_id","status");--> statement-breakpoint
-CREATE INDEX "federation_grants_peer_status_idx" ON "federation_grants" USING btree ("peer_id","status");--> statement-breakpoint
-CREATE INDEX "federation_peers_cert_serial_idx" ON "federation_peers" USING btree ("cert_serial");--> statement-breakpoint
-CREATE INDEX "federation_peers_state_idx" ON "federation_peers" USING btree ("state");

packages/db/drizzle/meta/_journal.json

@@ -57,13 +57,6 @@
       "when": 1774227064500,
       "tag": "0006_swift_shen",
       "breakpoints": true
-    },
-    {
-      "idx": 8,
-      "version": "7",
-      "when": 1776822435828,
-      "tag": "0008_smart_lyja",
-      "breakpoints": true
     }
   ]
-}
+}

packages/db/src/federation.integration.test.ts

@@ -1,424 +0,0 @@
-/**
- * FED-M2-01 — Integration test: federation DB schema (peers / grants / audit_log).
- *
- * Prereq: docker compose -f docker-compose.federated.yml --profile federated up -d
- *         (or any postgres with the mosaic schema already applied)
- * Run:    FEDERATED_INTEGRATION=1 pnpm --filter @mosaicstack/db test src/federation.integration.test.ts
- *
- * Skipped when FEDERATED_INTEGRATION !== '1'.
- *
- * Strategy:
- *  - Applies the federation migration SQL directly (idempotent: CREATE TYPE/TABLE
- *    with IF NOT EXISTS guards applied via inline SQL before the migration DDL).
- *  - Assumes the base schema (users table etc.) already exists in the target DB.
- *  - All test rows use the `fed-m2-01-` prefix; cleanup in afterAll.
- *
- * Coverage:
- *  1. Federation tables + enums apply cleanly against the existing schema.
- *  2. Insert a sample user + peer + grant + audit row; verify round-trip.
- *  3. FK cascade: deleting the user cascades to federation_grants.
- *  4. FK set-null: deleting the peer sets federation_audit_log.peer_id to NULL.
- *  5. Enum constraint: inserting an invalid status/state value throws a DB error.
- *  6. Unique constraint: duplicate cert_serial throws a DB error.
- */
-
-import postgres from 'postgres';
-import { afterAll, beforeAll, describe, expect, it } from 'vitest';
-
-const run = process.env['FEDERATED_INTEGRATION'] === '1';
-
-const PG_URL = process.env['DATABASE_URL'] ?? 'postgresql://mosaic:mosaic@localhost:5433/mosaic';
-
-/** Recognisable test-row prefix for safe cleanup without full-table truncation. */
-const T = 'fed-m2-01';
-
-// Deterministic IDs (UUID format required for uuid PK columns: 8-4-4-4-12 hex digits).
-const PEER1_ID = `f2000001-0000-4000-8000-000000000001`;
-const PEER2_ID = `f2000002-0000-4000-8000-000000000002`;
-const USER1_ID = `${T}-user-1`;
-
-let sql: ReturnType<typeof postgres> | undefined;
-
-beforeAll(async () => {
-  if (!run) return;
-  sql = postgres(PG_URL, { max: 1, connect_timeout: 10, idle_timeout: 10 });
-
-  // Apply the federation enums and tables idempotently.
-  // This mirrors the migration file but uses IF NOT EXISTS guards so it can run
-  // against a DB that may not have had drizzle migrations tracked.
-  await sql`
-    DO $$ BEGIN
-      CREATE TYPE peer_state AS ENUM ('pending', 'active', 'suspended', 'revoked');
-    EXCEPTION WHEN duplicate_object THEN NULL;
-    END $$
-  `;
-  await sql`
-    DO $$ BEGIN
-      CREATE TYPE grant_status AS ENUM ('active', 'revoked', 'expired');
-    EXCEPTION WHEN duplicate_object THEN NULL;
-    END $$
-  `;
-  await sql`
-    CREATE TABLE IF NOT EXISTS federation_peers (
-      id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-      common_name     text NOT NULL,
-      display_name    text NOT NULL,
-      cert_pem        text NOT NULL,
-      cert_serial     text NOT NULL,
-      cert_not_after  timestamp with time zone NOT NULL,
-      client_key_pem  text,
-      state           peer_state NOT NULL DEFAULT 'pending',
-      endpoint_url    text,
-      last_seen_at    timestamp with time zone,
-      created_at      timestamp with time zone NOT NULL DEFAULT now(),
-      revoked_at      timestamp with time zone,
-      CONSTRAINT federation_peers_common_name_unique UNIQUE (common_name),
-      CONSTRAINT federation_peers_cert_serial_unique UNIQUE (cert_serial)
-    )
-  `;
-  await sql`
-    CREATE INDEX IF NOT EXISTS federation_peers_cert_serial_idx ON federation_peers (cert_serial)
-  `;
-  await sql`
-    CREATE INDEX IF NOT EXISTS federation_peers_state_idx ON federation_peers (state)
-  `;
-  await sql`
-    CREATE TABLE IF NOT EXISTS federation_grants (
-      id               uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-      subject_user_id  text NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-      peer_id          uuid NOT NULL REFERENCES federation_peers(id) ON DELETE CASCADE,
-      scope            jsonb NOT NULL,
-      status           grant_status NOT NULL DEFAULT 'active',
-      expires_at       timestamp with time zone,
-      created_at       timestamp with time zone NOT NULL DEFAULT now(),
-      revoked_at       timestamp with time zone,
-      revoked_reason   text
-    )
-  `;
-  await sql`
-    CREATE INDEX IF NOT EXISTS federation_grants_subject_status_idx ON federation_grants (subject_user_id, status)
-  `;
-  await sql`
-    CREATE INDEX IF NOT EXISTS federation_grants_peer_status_idx ON federation_grants (peer_id, status)
-  `;
-  await sql`
-    CREATE TABLE IF NOT EXISTS federation_audit_log (
-      id               uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-      request_id       text NOT NULL,
-      peer_id          uuid REFERENCES federation_peers(id) ON DELETE SET NULL,
-      subject_user_id  text REFERENCES users(id) ON DELETE SET NULL,
-      grant_id         uuid REFERENCES federation_grants(id) ON DELETE SET NULL,
-      verb             text NOT NULL,
-      resource         text NOT NULL,
-      status_code      integer NOT NULL,
-      result_count     integer,
-      denied_reason    text,
-      latency_ms       integer,
-      created_at       timestamp with time zone NOT NULL DEFAULT now(),
-      query_hash       text,
-      outcome          text,
-      bytes_out        integer
-    )
-  `;
-  await sql`
-    CREATE INDEX IF NOT EXISTS federation_audit_log_peer_created_at_idx
-      ON federation_audit_log (peer_id, created_at DESC NULLS LAST)
-  `;
-  await sql`
-    CREATE INDEX IF NOT EXISTS federation_audit_log_subject_created_at_idx
-      ON federation_audit_log (subject_user_id, created_at DESC NULLS LAST)
-  `;
-  await sql`
-    CREATE INDEX IF NOT EXISTS federation_audit_log_created_at_idx
-      ON federation_audit_log (created_at DESC NULLS LAST)
-  `;
-});
-
-afterAll(async () => {
-  if (!sql) return;
-
-  // Cleanup in FK-safe order (children before parents).
-  await sql`DELETE FROM federation_audit_log WHERE request_id LIKE ${T + '%'}`.catch(() => {});
-  await sql`
-    DELETE FROM federation_grants
-    WHERE subject_user_id LIKE ${T + '%'}
-       OR revoked_reason LIKE ${T + '%'}
-  `.catch(() => {});
-  await sql`DELETE FROM federation_peers WHERE common_name LIKE ${T + '%'}`.catch(() => {});
-  await sql`DELETE FROM users WHERE id LIKE ${T + '%'}`.catch(() => {});
-  await sql.end({ timeout: 3 }).catch(() => {});
-});
-
-describe.skipIf(!run)('federation schema — integration', () => {
-  // ── 1. Insert sample rows ──────────────────────────────────────────────────
-
-  it('inserts a user, peer, grant, and audit row without constraint violation', async () => {
-    const certPem = '-----BEGIN CERTIFICATE-----\nMIItest\n-----END CERTIFICATE-----';
-
-    // User — BetterAuth users.id is text (any string, not uuid).
-    await sql!`
-      INSERT INTO users (id, name, email, email_verified, created_at, updated_at)
-      VALUES (${USER1_ID}, ${'M2-01 Test User'}, ${USER1_ID + '@example.com'}, false, now(), now())
-      ON CONFLICT (id) DO NOTHING
-    `;
-
-    // Peer
-    await sql!`
-      INSERT INTO federation_peers
-        (id, common_name, display_name, cert_pem, cert_serial, cert_not_after, state, created_at)
-      VALUES (
-        ${PEER1_ID},
-        ${T + '-gateway-example-com'},
-        ${'Test Peer'},
-        ${certPem},
-        ${T + '-serial-001'},
-        now() + interval '1 year',
-        ${'active'},
-        now()
-      )
-      ON CONFLICT (id) DO NOTHING
-    `;
-
-    // Grant — scope is jsonb; pass as JSON string and cast server-side.
-    const scopeJson = JSON.stringify({
-      resources: ['tasks', 'notes'],
-      operations: ['list', 'get'],
-    });
-    const grants = await sql!`
-      INSERT INTO federation_grants
-        (subject_user_id, peer_id, scope, status, created_at)
-      VALUES (
-        ${USER1_ID},
-        ${PEER1_ID},
-        ${scopeJson}::jsonb,
-        ${'active'},
-        now()
-      )
-      RETURNING id
-    `;
-    expect(grants).toHaveLength(1);
-    const grantId = grants[0]!['id'] as string;
-
-    // Audit log row
-    await sql!`
-      INSERT INTO federation_audit_log
-        (request_id, peer_id, subject_user_id, grant_id, verb, resource, status_code, created_at)
-      VALUES (
-        ${T + '-req-001'},
-        ${PEER1_ID},
-        ${USER1_ID},
-        ${grantId},
-        ${'list'},
-        ${'tasks'},
-        ${200},
-        now()
-      )
-    `;
-
-    // Verify the audit row is present and has correct data.
-    const auditRows = await sql!`
-      SELECT * FROM federation_audit_log WHERE request_id = ${T + '-req-001'}
-    `;
-    expect(auditRows).toHaveLength(1);
-    expect(auditRows[0]!['status_code']).toBe(200);
-    expect(auditRows[0]!['verb']).toBe('list');
-    expect(auditRows[0]!['resource']).toBe('tasks');
-  }, 30_000);
-
-  // ── 2. FK cascade: user delete cascades grants ─────────────────────────────
-
-  it('cascade-deletes federation_grants when the subject user is deleted', async () => {
-    const cascadeUserId = `${T}-cascade-user`;
-    await sql!`
-      INSERT INTO users (id, name, email, email_verified, created_at, updated_at)
-      VALUES (${cascadeUserId}, ${'Cascade User'}, ${cascadeUserId + '@example.com'}, false, now(), now())
-      ON CONFLICT (id) DO NOTHING
-    `;
-    const scopeJson = JSON.stringify({ resources: ['tasks'] });
-    await sql!`
-      INSERT INTO federation_grants
-        (subject_user_id, peer_id, scope, status, revoked_reason, created_at)
-      VALUES (
-        ${cascadeUserId},
-        ${PEER1_ID},
-        ${scopeJson}::jsonb,
-        ${'active'},
-        ${T + '-cascade-test'},
-        now()
-      )
-    `;
-
-    const before = await sql!`
-      SELECT count(*)::int AS cnt FROM federation_grants WHERE subject_user_id = ${cascadeUserId}
-    `;
-    expect(before[0]!['cnt']).toBe(1);
-
-    // Delete user → grants should cascade-delete.
-    await sql!`DELETE FROM users WHERE id = ${cascadeUserId}`;
-
-    const after = await sql!`
-      SELECT count(*)::int AS cnt FROM federation_grants WHERE subject_user_id = ${cascadeUserId}
-    `;
-    expect(after[0]!['cnt']).toBe(0);
-  }, 15_000);
-
-  // ── 3. FK set-null: peer delete sets audit_log.peer_id to NULL ────────────
-
-  it('sets federation_audit_log.peer_id to NULL when the peer is deleted', async () => {
-    // Insert a throwaway peer for this specific cascade test.
-    await sql!`
-      INSERT INTO federation_peers
-        (id, common_name, display_name, cert_pem, cert_serial, cert_not_after, state, created_at)
-      VALUES (
-        ${PEER2_ID},
-        ${T + '-gateway-throwaway-com'},
-        ${'Throwaway Peer'},
-        ${'cert-pem-placeholder'},
-        ${T + '-serial-002'},
-        now() + interval '1 year',
-        ${'active'},
-        now()
-      )
-      ON CONFLICT (id) DO NOTHING
-    `;
-    const reqId = `${T}-req-setnull`;
-    await sql!`
-      INSERT INTO federation_audit_log
-        (request_id, peer_id, subject_user_id, verb, resource, status_code, created_at)
-      VALUES (
-        ${reqId},
-        ${PEER2_ID},
-        ${USER1_ID},
-        ${'get'},
-        ${'tasks'},
-        ${200},
-        now()
-      )
-    `;
-
-    await sql!`DELETE FROM federation_peers WHERE id = ${PEER2_ID}`;
-
-    const rows = await sql!`
-      SELECT peer_id FROM federation_audit_log WHERE request_id = ${reqId}
-    `;
-    expect(rows).toHaveLength(1);
-    expect(rows[0]!['peer_id']).toBeNull();
-  }, 15_000);
-
-  // ── 4. Enum constraint: invalid grant_status rejected ─────────────────────
-
-  it('rejects an invalid grant_status value with a DB error', async () => {
-    const scopeJson = JSON.stringify({ resources: ['tasks'] });
-    await expect(
-      sql!`
-        INSERT INTO federation_grants
-          (subject_user_id, peer_id, scope, status, created_at)
-        VALUES (
-          ${USER1_ID},
-          ${PEER1_ID},
-          ${scopeJson}::jsonb,
-          ${'invalid_status'},
-          now()
-        )
-      `,
-    ).rejects.toThrow();
-  }, 10_000);
-
-  // ── 5. Enum constraint: invalid peer_state rejected ───────────────────────
-
-  it('rejects an invalid peer_state value with a DB error', async () => {
-    await expect(
-      sql!`
-        INSERT INTO federation_peers
-          (common_name, display_name, cert_pem, cert_serial, cert_not_after, state, created_at)
-        VALUES (
-          ${'bad-state-peer'},
-          ${'Bad State'},
-          ${'pem'},
-          ${'bad-serial-999'},
-          now() + interval '1 year',
-          ${'invalid_state'},
-          now()
-        )
-      `,
-    ).rejects.toThrow();
-  }, 10_000);
-
-  // ── 6. Unique constraint: duplicate cert_serial rejected ──────────────────
-
-  it('rejects a duplicate cert_serial with a unique constraint violation', async () => {
-    await expect(
-      sql!`
-        INSERT INTO federation_peers
-          (common_name, display_name, cert_pem, cert_serial, cert_not_after, state, created_at)
-        VALUES (
-          ${T + '-dup-cn'},
-          ${'Dup Peer'},
-          ${'pem'},
-          ${T + '-serial-001'},
-          now() + interval '1 year',
-          ${'pending'},
-          now()
-        )
-      `,
-    ).rejects.toThrow();
-  }, 10_000);
-
-  // ── 7. FK cascade: peer delete cascades to federation_grants ─────────────
-
-  it('cascade-deletes federation_grants when the owning peer is deleted', async () => {
-    const PEER3_ID = `f2000003-0000-4000-8000-000000000003`;
-    const cascadeGrantUserId = `${T}-cascade-grant-user`;
-
-    // Insert a dedicated user and peer for this test.
-    await sql!`
-      INSERT INTO users (id, name, email, email_verified, created_at, updated_at)
-      VALUES (${cascadeGrantUserId}, ${'Cascade Grant User'}, ${cascadeGrantUserId + '@example.com'}, false, now(), now())
-      ON CONFLICT (id) DO NOTHING
-    `;
-    await sql!`
-      INSERT INTO federation_peers
-        (id, common_name, display_name, cert_pem, cert_serial, cert_not_after, state, created_at)
-      VALUES (
-        ${PEER3_ID},
-        ${T + '-gateway-cascade-peer'},
-        ${'Cascade Peer'},
-        ${'cert-pem-cascade'},
-        ${T + '-serial-003'},
-        now() + interval '1 year',
-        ${'active'},
-        now()
-      )
-      ON CONFLICT (id) DO NOTHING
-    `;
-
-    const scopeJson = JSON.stringify({ resources: ['tasks'] });
-    await sql!`
-      INSERT INTO federation_grants
-        (subject_user_id, peer_id, scope, status, created_at)
-      VALUES (
-        ${cascadeGrantUserId},
-        ${PEER3_ID},
-        ${scopeJson}::jsonb,
-        ${'active'},
-        now()
-      )
-    `;
-
-    const before = await sql!`
-      SELECT count(*)::int AS cnt FROM federation_grants WHERE peer_id = ${PEER3_ID}
-    `;
-    expect(before[0]!['cnt']).toBe(1);
-
-    // Delete peer → grants should cascade-delete.
-    await sql!`DELETE FROM federation_peers WHERE id = ${PEER3_ID}`;
-
-    const after = await sql!`
-      SELECT count(*)::int AS cnt FROM federation_grants WHERE peer_id = ${PEER3_ID}
-    `;
-    expect(after[0]!['cnt']).toBe(0);
-
-    // Cleanup
-    await sql!`DELETE FROM users WHERE id = ${cascadeGrantUserId}`.catch(() => {});
-  }, 15_000);
-});

packages/db/src/federation.ts

@@ -1,20 +0,0 @@
-/**
- * Federation schema re-exports.
- *
- * The actual table and enum definitions live in schema.ts (alongside all other
- * Drizzle tables) to avoid CJS/ESM cross-import issues when drizzle-kit loads
- * schema files via esbuild-register.  Application code that wants named imports
- * for federation symbols should import from this file.
- *
- * M2-01: DB tables and enums only. No business logic.
- * M2-03 will add JSON schema validation for the `scope` column.
- * M4 will write rows to federation_audit_log.
- */
-
-export {
-  peerStateEnum,
-  grantStatusEnum,
-  federationPeers,
-  federationGrants,
-  federationAuditLog,
-} from './schema.js';

packages/db/src/index.ts

@@ -2,7 +2,6 @@ export { createDb, type Db, type DbHandle } from './client.js';
 export { createPgliteDb } from './client-pglite.js';
 export { runMigrations } from './migrate.js';
 export * from './schema.js';
-export * from './federation.js';
 export {
   eq,
   and,

packages/db/src/schema.ts

@@ -5,7 +5,6 @@
 
 import {
   pgTable,
-  pgEnum,
   text,
   timestamp,
   boolean,
@@ -586,194 +585,3 @@ export const summarizationJobs = pgTable(
   },
   (t) => [index('summarization_jobs_status_idx').on(t.status)],
 );
-
-// ─── Federation ──────────────────────────────────────────────────────────────
-// Enums declared before tables that reference them.
-// All federation definitions live in this file (avoids CJS/ESM cross-import
-// issues when drizzle-kit loads schema files via esbuild-register).
-// Application code imports from `federation.ts` which re-exports from here.
-
-/**
- * Lifecycle state of a federation peer.
- * - pending:   registered but not yet approved / TLS handshake not confirmed
- * - active:    fully operational; mTLS verified
- * - suspended: temporarily blocked; cert still valid
- * - revoked:   cert revoked; no traffic allowed
- */
-export const peerStateEnum = pgEnum('peer_state', ['pending', 'active', 'suspended', 'revoked']);
-
-/**
- * Lifecycle state of a federation grant.
- * - active:  grant is in effect
- * - revoked: manually revoked before expiry
- * - expired: natural expiry (expires_at passed)
- */
-export const grantStatusEnum = pgEnum('grant_status', ['active', 'revoked', 'expired']);
-
-/**
- * A registered peer gateway identified by its Step-CA certificate CN.
- * Represents both inbound peers (other gateways querying us) and outbound
- * peers (gateways we query — identified by client_key_pem being set).
- */
-export const federationPeers = pgTable(
-  'federation_peers',
-  {
-    id: uuid('id').primaryKey().defaultRandom(),
-
-    /** Certificate CN, e.g. "gateway-uscllc-com". Unique — one row per peer identity. */
-    commonName: text('common_name').notNull().unique(),
-
-    /** Human-friendly label shown in admin UI. */
-    displayName: text('display_name').notNull(),
-
-    /** Pinned PEM certificate used for mTLS verification. */
-    certPem: text('cert_pem').notNull(),
-
-    /** Certificate serial number — used for CRL / revocation lookup. */
-    certSerial: text('cert_serial').notNull().unique(),
-
-    /** Certificate expiry — used by the renewal scheduler (FED-M6). */
-    certNotAfter: timestamp('cert_not_after', { withTimezone: true }).notNull(),
-
-    /**
-     * Sealed (encrypted) private key for outbound connections TO this peer.
-     * NULL for inbound-only peer rows (we serve them; we don't call them).
-     */
-    clientKeyPem: text('client_key_pem'),
-
-    /** Current peer lifecycle state. */
-    state: peerStateEnum('state').notNull().default('pending'),
-
-    /** Base URL for outbound queries, e.g. "https://woltje.com:443". NULL for inbound-only peers. */
-    endpointUrl: text('endpoint_url'),
-
-    /** Timestamp of the most recent successful inbound or outbound request. */
-    lastSeenAt: timestamp('last_seen_at', { withTimezone: true }),
-
-    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
-
-    /** Populated when the cert is revoked; NULL while the peer is active. */
-    revokedAt: timestamp('revoked_at', { withTimezone: true }),
-  },
-  (t) => [
-    // CRL / revocation lookups by serial.
-    index('federation_peers_cert_serial_idx').on(t.certSerial),
-    // Filter peers by state (e.g. find all active peers for outbound routing).
-    index('federation_peers_state_idx').on(t.state),
-  ],
-);
-
-/**
- * A grant lets a specific peer cert query a specific local user's data within
- * a defined scope. Scopes are validated by JSON Schema in M2-03; this table
- * stores them as raw jsonb.
- */
-export const federationGrants = pgTable(
-  'federation_grants',
-  {
-    id: uuid('id').primaryKey().defaultRandom(),
-
-    /**
-     * The local user whose data this grant exposes.
-     * Cascade delete: if the user account is deleted, revoke all their grants.
-     */
-    subjectUserId: text('subject_user_id')
-      .notNull()
-      .references(() => users.id, { onDelete: 'cascade' }),
-
-    /**
-     * The peer gateway holding the grant.
-     * Cascade delete: if the peer record is removed, the grant is moot.
-     */
-    peerId: uuid('peer_id')
-      .notNull()
-      .references(() => federationPeers.id, { onDelete: 'cascade' }),
-
-    /**
-     * Scope object — validated by JSON Schema (M2-03).
-     * Example: { "resources": ["tasks", "notes"], "operations": ["list", "get"] }
-     */
-    scope: jsonb('scope').notNull(),
-
-    /** Current grant lifecycle state. */
-    status: grantStatusEnum('status').notNull().default('active'),
-
-    /** Optional hard expiry. NULL means the grant does not expire automatically. */
-    expiresAt: timestamp('expires_at', { withTimezone: true }),
-
-    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
-
-    /** Populated when the grant is explicitly revoked. */
-    revokedAt: timestamp('revoked_at', { withTimezone: true }),
-
-    /** Human-readable reason for revocation (audit trail). */
-    revokedReason: text('revoked_reason'),
-  },
-  (t) => [
-    // Hot path: look up active grants for a subject user (auth middleware).
-    index('federation_grants_subject_status_idx').on(t.subjectUserId, t.status),
-    // Hot path: look up active grants held by a peer (inbound request check).
-    index('federation_grants_peer_status_idx').on(t.peerId, t.status),
-  ],
-);
-
-/**
- * Append-only audit log of all federation requests.
- * M4 writes rows here. M2 only creates the table.
- *
- * All FKs use SET NULL so audit rows survive peer/user/grant deletion.
- */
-export const federationAuditLog = pgTable(
-  'federation_audit_log',
-  {
-    id: uuid('id').primaryKey().defaultRandom(),
-
-    /** UUIDv7 from the X-Request-ID header — correlates with OTEL traces. */
-    requestId: text('request_id').notNull(),
-
-    /** Peer that made the request. SET NULL if the peer is later deleted. */
-    peerId: uuid('peer_id').references(() => federationPeers.id, { onDelete: 'set null' }),
-
-    /** Subject user whose data was queried. SET NULL if the user is deleted. */
-    subjectUserId: text('subject_user_id').references(() => users.id, { onDelete: 'set null' }),
-
-    /** Grant under which the request was authorised. SET NULL if the grant is deleted. */
-    grantId: uuid('grant_id').references(() => federationGrants.id, { onDelete: 'set null' }),
-
-    /** Request verb: "list" | "get" | "search". */
-    verb: text('verb').notNull(),
-
-    /** Resource type: "tasks" | "notes" | "memory" | etc. */
-    resource: text('resource').notNull(),
-
-    /** HTTP status code returned to the peer. */
-    statusCode: integer('status_code').notNull(),
-
-    /** Number of items returned (NULL for non-list requests or errors). */
-    resultCount: integer('result_count'),
-
-    /** Why the request was denied (NULL when allowed). */
-    deniedReason: text('denied_reason'),
-
-    /** End-to-end latency in milliseconds. */
-    latencyMs: integer('latency_ms'),
-
-    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
-
-    // Reserved for M4 — see PRD 7.3
-    /** SHA-256 of the normalised GraphQL/REST query string; written by M4 search. */
-    queryHash: text('query_hash'),
-    /** Request outcome: "allowed" | "denied" | "partial"; written by M4. */
-    outcome: text('outcome'),
-    /** Response payload size in bytes; written by M4. */
-    bytesOut: integer('bytes_out'),
-  },
-  (t) => [
-    // Per-peer request history in reverse chronological order.
-    index('federation_audit_log_peer_created_at_idx').on(t.peerId, t.createdAt.desc()),
-    // Per-user access log in reverse chronological order.
-    index('federation_audit_log_subject_created_at_idx').on(t.subjectUserId, t.createdAt.desc()),
-    // Global time-range scans (dashboards, rate-limit windows).
-    index('federation_audit_log_created_at_idx').on(t.createdAt.desc()),
-  ],
-);