feat(auth): Implementa plugin de autenticação Cognito para Context Forge #3

vavasilva · 2026-01-22T14:17:26Z

Summary

Implementa a arquitetura de autenticação para agents federados conforme descrito na issue #2.

Adiciona plugin tcloud_cognito_auth que valida JWTs do AWS Cognito
Integra com TCloud API para buscar permissões do usuário
Implementa cache Redis para permissões (TTL 5 min)
Propaga headers X-User-Email e X-User-Customers para agents downstream

Estrutura do Plugin

plugins/tcloud_cognito_auth/
├── __init__.py
├── config.py              # Configuração via env vars
├── cognito.py             # Validação JWT com JWKS
├── tcloud_api.py          # Cliente TCloud API
├── cache.py               # Cache Redis
├── tcloud_cognito_auth.py # Plugin principal
├── models.py              # Modelos de dados
├── exceptions.py          # Exceções customizadas
└── tests/                 # Testes unitários

Hooks Implementados

Hook	Descrição
`http_auth_resolve_user`	Valida JWT e resolve permissões
`agent_pre_invoke`	Injeta headers antes de chamar agents
`tool_pre_invoke`	Injeta headers antes de chamar tools

Configuração

Requer Kubernetes Secret tcloud-cognito-auth-secret com:

COGNITO_USER_POOL_ID
COGNITO_REGION
COGNITO_APP_CLIENT_ID
TCLOUD_API_URL
TCLOUD_API_KEY

Test Plan

Executar testes unitários: make test-plugin
Deploy do ConfigMap: make deploy-plugin-configmap ENV=dev
Redeploy Context Forge: make deploy-context-forge ENV=dev
Testar autenticação com token Cognito válido
Verificar headers propagados nos logs dos agents

Closes #2

…to auth

…TCloud Cognito Authentication

…ecret.yaml template

…n configuration

…on and user permissions fetching from TCloud API

… Plugin

…thentication errors

…issions

…ndencies

…ontext-forge

… client

…s configuration

…validation and TCloud API permissions (✅ Deployed)

…AuthResolveUserPayload object

vavasilva added 30 commits January 22, 2026 11:16

feat(.serena/memories): add authentication plugin

7565947

feat(templates): add plugin management commands and secrets for Cogni…

dba08e8

…to auth

feat(docs): add authentication architecture documentation

a4ae535

feat(infrastructure/context-forge): add plugin-configmap.yaml

c829432

feat(infrastructure/context-forge): add new plugin configuration for …

4fd872e

…TCloud Cognito Authentication

feat(infrastructure/context-forge/secrets): add tcloud-cognito-auth-s…

80fa69e

…ecret.yaml template

feat( infrastructure/context-forge): update tcloud-cognito-auth plugi…

9cb5e69

…n configuration

build: add .env.example for TCloud Cognito Auth

91385e8

fix(plugins/tcloud_cognito_auth): add README.md

d000a1a

feat(tcloud_cognito_auth): add initial implementation of JWT validati…

fc22ea4

…on and user permissions fetching from TCloud API

fix(cache): add Redis cache for user permissions

7788df7

feat(cognito_auth): add AWS Cognito JWT validation

ebdb91b

fix(config): add new configuration management for TCloud Cognito Auth…

d900bcc

… Plugin

fix(plugins/tcloud_cognito_auth): add custom exceptions for TCloud au…

782c6dd

…thentication errors

fix(tcloud_cognito_auth/models.py): add new data models and user perm…

7a6c193

…issions

feat(tcloud_cognito_auth): add plugin manifest configuration and depe…

f3d088a

…ndencies

build: update dependencies

7c3dfb0

fix(tcloud_cognito_auth): add new TCloud API client

7a408db

feat(tcloud_cognito_auth): add TCloud Cognito authentication plugin

dfea14b

build(test): add TCloud Cognito Auth tests

711e622

feat(tests): add test fixtures for TCloud Cognito Auth Plugin tests

8a1f107

fix(test_cache): add tests for Redis cache

0ebeb72

fix(tcloud_cognito_auth): add test_cognito.py

4c7b481

fix(test_plugin): add tests for TCloudCognitoAuthPlugin

cb5586a

fix(tcloud_cognito_auth): add tests for API client

83ac6a5

chore:

b1d7bee

fix(plugins/tcloud_cognito_auth): add tcloud_cognito_auth plugin to c…

489186f

…ontext-forge

fix(tcloud_cognito_auth): update Cognito JWT validator and TCloud API…

8b6df05

… client

fix(infrastructure/context-forge): update plugin configuration

2dd2139

refactor(infrastructure/context-forge): remove class name from ingres…

46ceb27

…s configuration

vavasilva added 3 commits January 23, 2026 13:12

build: add plugin configmap with Cognito authentication capabilities

4a65272

feat(CLAUDE.md): update authentication plugin to include Cognito JWT …

161fa16

…validation and TCloud API permissions (✅ Deployed)

fix(tcloud_cognito_auth): update credential extraction to handle Http…

f6d0be5

…AuthResolveUserPayload object

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(auth): Implementa plugin de autenticação Cognito para Context Forge #3

feat(auth): Implementa plugin de autenticação Cognito para Context Forge #3

Uh oh!

vavasilva commented Jan 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

feat(auth): Implementa plugin de autenticação Cognito para Context Forge #3

Are you sure you want to change the base?

feat(auth): Implementa plugin de autenticação Cognito para Context Forge #3

Uh oh!

Conversation

vavasilva commented Jan 22, 2026

Summary

Estrutura do Plugin

Hooks Implementados

Configuração

Test Plan

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants