Jarvis 53ee36239b feat(federation): mTLS AuthGuard with OID-based grant resolution (FED-M3-03) ...

Adds FederationAuthGuard that validates inbound mTLS client certs on
federation API routes. Extracts custom OIDs (grantId, subjectUserId),
loads the grant+peer from DB in one query, asserts active status, and
validates cert serial as defense-in-depth. Attaches FederationContext
to requests on success and uses federation wire-format error envelopes
(not raw NestJS exceptions) for 401/403 responses.

New files:
- apps/gateway/src/federation/oid.util.ts — shared OID extraction (no dupe ASN.1 logic)
- apps/gateway/src/federation/server/federation-auth.guard.ts — guard impl
- apps/gateway/src/federation/server/federation-context.ts — FederationContext type + module augment
- apps/gateway/src/federation/server/index.ts — barrel export
- apps/gateway/src/federation/server/__tests__/federation-auth.guard.spec.ts — 11 unit tests

Modified:
- apps/gateway/src/federation/grants.service.ts — adds getGrantWithPeer() with join
- apps/gateway/src/federation/federation.module.ts — registers FederationAuthGuard as provider

Closes #462

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-23 22:17:54 -05:00

..

src

feat(federation): mTLS AuthGuard with OID-based grant resolution (FED-M3-03)

2026-04-23 22:17:54 -05:00

package.json

feat(federation): Step-CA client service for grant certs (FED-M2-04) (#494)

2026-04-22 03:34:37 +00:00

tsconfig.json

fix: add vitest.config.ts to eslint allowDefaultProject (#440 build fix) (#441)

2026-04-05 22:01:57 +00:00

tsconfig.typecheck.json

fix: rename all packages from @mosaic/* to @mosaicstack/*

2026-04-04 21:43:23 -05:00

vitest.config.ts

fix: bootstrap hotfix — DTO erasure, wizard failure, port prefill, Pi SDK copy (mosaic-v0.0.26) (#440)

2026-04-05 21:43:30 +00:00