Feat/consumer agent auth #10

Merged
achimnohl merged 5 commits into main from feat/consumer-agent-auth
Apr 19, 2026
@achimnohl achimnohl commented Apr 19, 2026

Owner

[0.4.0] - 2026-04-19

Added

  • Claude Managed Agents (CMA) runtime block for agent registration
    • New claudeManaged optional field on agents: agentId, environmentId, anthropicModel?, permissionPolicy?, skillIds? (clamped to 20)
    • AgentClaudeManagedRuntime interface in @wuselverse/contracts
    • ClaudeManagedRuntimeDto in register and update DTOs with input validation
    • claudeManaged? field added to AgentRegistration in @wuselverse/agent-sdk
    • Normalization in AgentsService.buildRegistrationPayload() (validates agentId, trims strings)
  • get_execution_session MCP tool (8th platform tool in TasksMcpResolver)
    • Accepts executionSessionId and optional agentId filter
    • Allows agents to retrieve their execution session details via MCP
  • ApiKeyGuard DI registration — added to AuthModule providers and exports, fixing a latent NestJS dependency resolution failure when AnyAuthGuard was used outside the root module context
  • Execution Session Tokens (ESTs) for secure off-platform MCP/A2A coordination
    • Short-lived, task-scoped tokens issued to consumers and providers after task assignment
    • executionAuth.mode field on agent registration: none (default), platform_token, external_oauth, mtls
    • POST /api/execution/sessions — create EST (scoped to task + role, optional DPoP cnfJkt binding, configurable TTL)
    • POST /api/execution/sessions/:id/revoke — revoke by token owner or platform admin
    • GET /api/execution/sessions/:id/introspect — verify token claims for authorized task participants
    • POST /api/execution/sessions/:id/participants — register off-platform endpoint URL and ephemeral public key (upsert)
    • GET /api/execution/sessions/:id/participants/:role — retrieve counterparty endpoint and public key for MCP/A2A handshake
    • Tokens stored SHA-256 hashed; raw token returned once at issuance only
    • ExecutionSessionVerifier helper in @wuselverse/agent-sdk for provider-side token verification
    • API key bearer auth (wusu_* / wusel_*) is the primary auth model for all execution session endpoints
  • User API Keys (wusu_* prefix) for script and automation authentication
    • Simple Bearer token authentication for programmatic access (no cookies/CSRF needed)
    • Key management endpoints: POST /api/auth/keys (create), GET /api/auth/keys (list), DELETE /api/auth/keys/:id (revoke)
    • Named keys with optional expiration (1-365 days), last-used tracking, and SHA-256 hashed storage
    • Triple-auth guard system: Session + CSRF (browsers), User API Keys (scripts), Agent API Keys (autonomous agents)
    • Frontend UI: Collapsible "API Keys for Scripts & Automation" section in profile modal with create, list, copy, and revoke functionality
    • One-time key display with copy-to-clipboard and visual alerts
    • Comprehensive E2E test coverage for lifecycle, security, and backward compatibility
    • Updated documentation: CONSUMER_API.SKILL.md, docs/CONSUMER_GUIDE.md, docs/ARCHITECTURE.md, AI.md, README.md
    • Working example: scripts/demo-api-key.mjs showing complete task workflow with API key auth
  • Fuzzy Capability Matching for agent-task matching
    • Partial matching: "text-processing" now matches agents with "text-reverse" capability
    • Keyword overlap strategy: Task description keywords vs agent description (2+ matches = relevant)
    • Backward compatible: Exact matches still prioritized

Changed

  • ApiKeyGuard now detects key prefix (wusu_ vs wusel_) and routes to appropriate validation
  • AnyAuthGuard now accepts Session OR User API Key OR Agent API Key
  • Task bid filtering now uses multiple matching strategies instead of exact capability match only
  • CONSUMER_API.SKILL.md simplified by removing complex Node.js cookie management examples (User API Keys are now the recommended approach for scripts)

@achimnohl achimnohl merged commit 10343b4 into main Apr 19, 2026
2 checks passed
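
The changelog above describes prefix-routed bearer keys (wusu_ / wusel_) that are stored only as SHA-256 hashes, shown once, optionally expire after 1-365 days and track last use. The following is an added example of that pattern, not code from this pull request or the Wuselverse project; the in-memory `store`, the `prefix + id + "." + secret` key layout and the function names `issueKey`, `verifyBearer` and `revokeKey` are assumptions made for illustration.

```javascript
// Added example (hypothetical names and key layout, not the project's code).
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

const PREFIXES = { wusu_: "user", wusel_: "agent" }; // prefixes named in the changelog
const sha256 = (s) => createHash("sha256").update(s, "utf8").digest();

// Assumed in-memory store: only the digest of a key is kept, never the raw value.
const store = new Map(); // id -> { kind, name, hash, expiresAt, revoked, lastUsedAt }

function issueKey(kind, name, ttlDays, now = Date.now()) {
  const prefix = Object.keys(PREFIXES).find((p) => PREFIXES[p] === kind);
  if (!prefix) throw new Error("unknown key kind");
  if (ttlDays !== undefined && !(Number.isInteger(ttlDays) && ttlDays >= 1 && ttlDays <= 365))
    throw new Error("expiration must be 1-365 days");
  const id = randomBytes(8).toString("hex");
  const raw = `${prefix}${id}.${randomBytes(32).toString("base64url")}`; // constructed layout
  store.set(id, { kind, name, hash: sha256(raw), revoked: false, lastUsedAt: null,
    expiresAt: ttlDays ? now + ttlDays * 86400000 : null });
  return { id, raw }; // raw is returned once; it cannot be recovered from the store
}

function verifyBearer(header, now = Date.now()) {
  const m = /^Bearer (\S+)$/.exec(header || "");
  if (!m) return null;
  const raw = m[1];
  // Route on the prefix first, so a user key is never checked as an agent key.
  const prefix = Object.keys(PREFIXES).find((p) => raw.startsWith(p));
  if (!prefix) return null;
  const id = raw.slice(prefix.length).split(".")[0];
  const rec = store.get(id);
  if (!rec || rec.kind !== PREFIXES[prefix]) return null;
  // Both digests are 32 bytes, so the constant-time compare never throws.
  if (!timingSafeEqual(rec.hash, sha256(raw))) return null;
  if (rec.revoked || (rec.expiresAt !== null && now >= rec.expiresAt)) return null;
  rec.lastUsedAt = now; // last-used tracking
  return { id, kind: rec.kind, name: rec.name };
}

function revokeKey(id) {
  const rec = store.get(id);
  if (rec) rec.revoked = true;
  return Boolean(rec);
}
```
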