feat(auth): Implementa plugin de autenticação Cognito para Context Forge

.serena/memories/project_overview.md

@@ -80,6 +80,18 @@ tcloud-mcp-platform/
   - Email: admin@example.com
   - Password: `kubectl -n mcp-dev get secret mcp-stack-gateway-secret -o jsonpath="{.data.BASIC_AUTH_PASSWORD}" | base64 -d`
 
+## Authentication Plugin
+
+| Plugin | Purpose | Status |
+|--------|---------|--------|
+| tcloud_cognito_auth | JWT validation via Cognito + TCloud API permissions | ✅ Implemented |
+
+**Location:** `plugins/tcloud_cognito_auth/`
+
+**Headers Propagated:**
+- `X-User-Email` - User email
+- `X-User-Customers` - JSON array of cloud_ids
+
 ## Registered Agents
 
 | Agent | URL | Status |

CLAUDE.md

@@ -0,0 +1,106 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+TCloud MCP Platform is a centralized orchestration platform for MCP (Model Context Protocol) Agents. It manages the MCP Context Forge gateway deployment (IBM) and provides templates for teams to create new agents.
+
+## Common Commands
+
+```bash
+# Deploy Context Forge gateway
+make deploy-context-forge ENV=dev    # or ENV=prod
+
+# Check deployment status
+make status ENV=dev
+
+# View gateway logs
+make logs ENV=dev
+
+# Port forward for local testing
+make port-forward ENV=dev            # Access at http://localhost:9080
+
+# Test endpoints
+make test-health                     # Requires port-forward first
+make test-mcp                        # Test MCP tools/list
+
+# Create new agent from template
+make new-agent NAME=my-agent
+
+# Plugin management
+make test-plugin                     # Run plugin unit tests
+make build-plugin-configmap          # Build ConfigMap from plugin code
+make deploy-plugin-configmap ENV=dev # Deploy plugin to cluster
+
+# Render Helm templates locally (dry-run)
+make template ENV=dev
+```
+
+## Architecture
+
+```
+Clients → Orchestrator Agent → MCP Context Forge (Gateway) → Specialist Agents
+                                      │
+                    ┌─────────────────┼─────────────────┐
+                    ↓                 ↓                 ↓
+              CPU/RAM Agent      DB Agent         App Agent
+```
+
+**Key Components:**
+- **MCP Context Forge**: Central gateway that federates multiple MCP servers (IBM upstream chart)
+- **Specialist Agents**: Domain-specific agents (CPU/RAM, Database, Network, etc.)
+- **Authentication Plugin**: `plugins/tcloud_cognito_auth/` - Cognito JWT validation + TCloud API permissions (✅ Deployed)
+
+**Docker Image (with plugin):** `ghcr.io/tcloud-dev/mcp-context-forge:with-auth`
+
+## Project Structure
+
+- `infrastructure/context-forge/` - Helm values for Context Forge deployment
+  - `values.yaml` - Base configuration
+  - `values-dev.yaml` - Dev environment overrides
+  - `values-prod.yaml` - Prod environment overrides
+- `plugins/tcloud_cognito_auth/` - Authentication plugin (Cognito + TCloud API)
+- `templates/mcp-agent-docker/` - Template for creating new MCP agents
+- `docs/` - Architecture, agent creation guide, authentication docs
+
+## Environments
+
+| Environment | Namespace | Gateway URL |
+|-------------|-----------|-------------|
+| Dev | mcp-dev | https://mcp-gateway.tbf8b9d.k8s.sp06.te.tks.sh |
+| Prod | mcp | https://mcp-gateway.tcloud.internal (planned) |
+
+## Important Configuration Notes
+
+**Dev Ingress:**
+- Do NOT set `ingressClassName` in values-dev.yaml (external controller picks up ingresses without class)
+- TLS should be `false` - external ingress handles HTTPS automatically
+
+**Common Issues:**
+- Migration job stuck: `kubectl -n mcp-dev delete job mcp-stack-migration` then deploy with `--no-hooks`
+- Redis 8.4 crash: Remove inline comments from redis configmap (e.g., `save 900 1 # comment` → separate lines)
+- PVC multi-attach: Scale down old replicaset before new pods can attach
+
+## Code Conventions
+
+**MCP Agent Tool Response Format** (all diagnostic tools must use):
+```python
+{
+    "agent": "agent-name",
+    "timestamp": "ISO8601",
+    "severity": "critical|warning|normal",
+    "summary": "One-line summary",
+    "findings": [{"type": "...", "severity": "...", "details": "...", "evidence": {}}],
+    "recommendations": ["Action 1", "Action 2"]
+}
+```
+
+**Git**: Use conventional commits (`feat:`, `fix:`, `docs:`, `chore:`)
+
+## Serena MCP Integration
+
+This project has Serena MCP configured. When Serena is active, memories are available in `.serena/memories/`:
+- `project_overview` - Architecture and structure
+- `suggested_commands` - Common kubectl and make commands
+- `code_style_conventions` - Code style guidelines

Makefile

@@ -157,6 +157,71 @@ list-agents: ## List registered agents (run port-forward first)
 	@echo "📋 Listing registered agents..."
 	curl -s http://localhost:8080/admin/gateways | jq
 
+# ==================== Plugin Management ====================
+
+build-plugin-configmap: ## Build ConfigMap from plugin code
+	@echo "📦 Building plugin ConfigMap..."
+	@kubectl create configmap tcloud-cognito-auth-plugin \
+		--from-file=plugins/tcloud_cognito_auth/__init__.py \
+		--from-file=plugins/tcloud_cognito_auth/config.py \
+		--from-file=plugins/tcloud_cognito_auth/exceptions.py \
+		--from-file=plugins/tcloud_cognito_auth/models.py \
+		--from-file=plugins/tcloud_cognito_auth/cognito.py \
+		--from-file=plugins/tcloud_cognito_auth/tcloud_api.py \
+		--from-file=plugins/tcloud_cognito_auth/cache.py \
+		--from-file=plugins/tcloud_cognito_auth/tcloud_cognito_auth.py \
+		--from-file=plugins/tcloud_cognito_auth/plugin-manifest.yaml \
+		--dry-run=client -o yaml > infrastructure/context-forge/plugin-configmap.yaml
+	@echo "✅ ConfigMap saved to infrastructure/context-forge/plugin-configmap.yaml"
+
+deploy-plugin-configmap: build-plugin-configmap ## Deploy plugin ConfigMap (ENV=dev|prod)
+ifeq ($(ENV),prod)
+	kubectl apply -f infrastructure/context-forge/plugin-configmap.yaml -n $(NAMESPACE_PROD)
+else
+	kubectl apply -f infrastructure/context-forge/plugin-configmap.yaml -n $(NAMESPACE_DEV)
+endif
+	@echo "✅ Plugin ConfigMap deployed"
+
+create-auth-secret: ## Create TCloud Cognito auth secret (interactive)
+ifndef COGNITO_USER_POOL_ID
+	$(error COGNITO_USER_POOL_ID is required)
+endif
+ifndef COGNITO_APP_CLIENT_ID
+	$(error COGNITO_APP_CLIENT_ID is required)
+endif
+ifndef TCLOUD_API_URL
+	$(error TCLOUD_API_URL is required)
+endif
+ifndef TCLOUD_API_KEY
+	$(error TCLOUD_API_KEY is required)
+endif
+ifeq ($(ENV),prod)
+	@echo "🔐 Creating auth secret in PRODUCTION..."
+	kubectl create secret generic tcloud-cognito-auth-secret \
+		--from-literal=COGNITO_USER_POOL_ID="$(COGNITO_USER_POOL_ID)" \
+		--from-literal=COGNITO_REGION="$(COGNITO_REGION)" \
+		--from-literal=COGNITO_APP_CLIENT_ID="$(COGNITO_APP_CLIENT_ID)" \
+		--from-literal=TCLOUD_API_URL="$(TCLOUD_API_URL)" \
+		--from-literal=TCLOUD_API_KEY="$(TCLOUD_API_KEY)" \
+		-n $(NAMESPACE_PROD) --dry-run=client -o yaml | kubectl apply -f -
+else
+	@echo "🔐 Creating auth secret in DEV..."
+	kubectl create secret generic tcloud-cognito-auth-secret \
+		--from-literal=COGNITO_USER_POOL_ID="$(COGNITO_USER_POOL_ID)" \
+		--from-literal=COGNITO_REGION="$(COGNITO_REGION)" \
+		--from-literal=COGNITO_APP_CLIENT_ID="$(COGNITO_APP_CLIENT_ID)" \
+		--from-literal=TCLOUD_API_URL="$(TCLOUD_API_URL)" \
+		--from-literal=TCLOUD_API_KEY="$(TCLOUD_API_KEY)" \
+		-n $(NAMESPACE_DEV) --dry-run=client -o yaml | kubectl apply -f -
+endif
+	@echo "✅ Auth secret created"
+
+test-plugin: ## Run plugin unit tests
+	@echo "🧪 Running plugin tests..."
+	cd plugins/tcloud_cognito_auth && \
+		pip install -r requirements.txt -q && \
+		PYTHONPATH=.. pytest tests/ -v
+
 # ==================== Development ====================
 
 template: clone-chart ## Render Helm templates locally (ENV=dev|prod)