# Scratchpad — FED-M3-06 get verb

## Objective

Implement `POST /api/federation/v1/get/:resource/:id` for M3 inbound federation reads.

## Scope

- `apps/gateway/src/federation/server/verbs/get.controller.ts`
- `apps/gateway/src/federation/server/verbs/get-query.service.ts`
- Unit coverage for controller pipeline + query service RBAC guardrails
- Register controller/service in `FederationModule`

## Plan

1. Mirror the list verb pipeline: `FederationAuthGuard` → `FederationScopeService` → read-only query service.
2. Return one `_source: "local"` tagged item on success.
3. Return federation error envelopes:
   - `404 not_found` when the resource id does not exist.
   - `403 scope_violation` when the row exists but falls outside native RBAC/scope intersection.
   - `400 invalid_request` for malformed ids/scope requests.
4. Keep read audit persistence deferred to M4; no body or response persistence in M3.

## Verification Evidence

- Rebased onto `origin/main` at `86e106fcc9a1dfa3a18f7846bb477be128794aad` after M3-05 merged; resolved `FederationModule` by registering both list and get verb controllers/services.
- Review-change coverage added for comment 15971:
  - get note access now requires subject ownership AND authorized mission intersection.
  - missing federation context returns structured `401 unauthorized` envelope.
  - unsupported get resources fail closed with structured denial.
  - PGlite regressions cover cross-user note exclusion and subject-note unauthorized-mission exclusion.
- `pnpm --filter @mosaicstack/gateway test -- src/federation/server/verbs/__tests__/get.controller.spec.ts src/federation/server/verbs/__tests__/get-query.service.spec.ts` — pass (2 files / 17 tests; re-run after review changes).
- `pnpm --filter @mosaicstack/gateway build` — pass (re-run after review changes).
- `pnpm build` — pass (23 successful tasks before review changes).
- `pnpm typecheck` — pass (41 successful tasks; re-run after review changes).
- `pnpm lint` — pass (23 successful tasks; re-run after review changes).
- `pnpm format:check` — pass (re-run after review changes).
- `~/.config/mosaic/tools/codex/codex-code-review.sh --uncommitted` — approve, 0 findings after review changes.
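
The decision order behind the plan's error envelopes and the review-change items, as an added TypeScript example that is not the gateway's own code. The function and type names, the envelope shape, the UUID id format, the order of the checks, and the `403 scope_violation` code for unsupported resources are assumptions made for illustration.

```typescript
// Added illustration; all names and shapes are hypothetical, not the gateway's code.
interface FedContext { subjectId: string; missionIds: string[] } // assumed context shape
interface NoteRow { id: string; ownerId: string; missionId: string }
type DenyStatus = 400 | 401 | 403 | 404;
type GetResult =
  | { status: 200; item: NoteRow & { _source: "local" } }
  | { status: DenyStatus; error: { code: string } }; // assumed envelope shape

const SUPPORTED: string[] = ["notes"]; // assumed allow-list of get resources
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i; // assumed id format

function deny(status: DenyStatus, code: string): GetResult {
  return { status, error: { code } };
}

function federatedGet(ctx: FedContext | undefined, resource: string, id: string, rows: NoteRow[]): GetResult {
  // Missing federation context: structured 401, never an unhandled throw.
  if (!ctx) return deny(401, "unauthorized");
  // Unsupported resources fail closed (the denial code is an assumption here).
  if (SUPPORTED.indexOf(resource) === -1) return deny(403, "scope_violation");
  // Malformed ids are rejected before any lookup.
  if (!UUID.test(id)) return deny(400, "invalid_request");
  const row = rows.filter((r) => r.id === id)[0];
  if (!row) return deny(404, "not_found");
  // Ownership AND mission intersection must both hold; either alone is not enough.
  const owns = row.ownerId === ctx.subjectId;
  const missionOk = ctx.missionIds.some((m) => m === row.missionId);
  if (!(owns && missionOk)) return deny(403, "scope_violation");
  return { status: 200, item: { ...row, _source: "local" as const } };
}

// Collapse a result to "status code" text for quick comparison.
function outcome(r: GetResult): string {
  return r.status === 200 ? "200 " + r.item._source : r.status + " " + r.error.code;
}

// Constructed sample rows and caller context.
const ROWS: NoteRow[] = [
  { id: "11111111-1111-4111-8111-111111111111", ownerId: "alice", missionId: "m1" },
  { id: "22222222-2222-4222-8222-222222222222", ownerId: "bob", missionId: "m1" },
  { id: "33333333-3333-4333-8333-333333333333", ownerId: "alice", missionId: "m9" },
];
const ALICE: FedContext = { subjectId: "alice", missionIds: ["m1"] };
```

The second and third sample rows correspond to the two regression cases listed above: cross-user note exclusion and a subject-owned note in an unauthorized mission.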