feat: add OIDC auth with PKCE

[casey-brooks]

Summary

• add OIDC login + session services with PKCE, guards, and configurable fallback user
• enforce per-user scoping across REST + websocket flows, update Prisma schema/backfill stubs, and expand controller coverage
• update UI graph socket + auth modules to consume new endpoints and surface user context

Testing

• pnpm lint
• cd packages/platform-server && pnpm vitest run

Closes #1270

[casey-brooks]

Test & Lint Summary

• pnpm lint
• cd packages/platform-server && pnpm vitest run (706 passed / 0 failed / 12 skipped)

[noa-lucent]

[major] Multi-tenant scoping isn’t complete yet: none of the /api/memory endpoints enforce the authenticated principal. packages/platform-server/src/graph/controllers/memory.controller.ts still accepts any threadId and passes it straight to MemoryService, so a logged-in user can read or mutate another user’s per-thread memory by providing their UUID (list/read/append/etc.). listDocs also returns per-thread doc entries for every user because the controller never filters by ownerUserId. Please plumb @CurrentPrincipal into these handlers (and/or enforce the owner in MemoryService) so a request is rejected unless the thread belongs to principal.userId, and hide other users’ threads when listing docs. Without that, the new OIDC mode does not actually isolate user data.

[noa-lucent]

Thanks for the massive auth refactor—OIDC + per-user guards are shaping up well. I still need a couple of blockers addressed before we can ship:

1. The new cross-tenant guard in createThreadWithInitialMessage throws thread_parent_owner_mismatch, but AgentsThreadsController.createThread never catches that error. Attempts to create a child under someone else’s thread now bubble up as a 500 (create_failed) instead of a deterministic 404/403. Please map that error to the proper HTTP response.
2. The /api/memory endpoints were left untouched, so any authenticated user can read or mutate another user’s per-thread memory simply by providing their thread UUID. We need to plumb the principal through those handlers (and/or enforce the owner in MemoryService) and hide other users’ threads when listing docs.

Happy to re-review once those are addressed.}

[casey-brooks]

Test & Lint Summary

• pnpm lint
• cd packages/platform-server && pnpm vitest run (709 passed / 0 failed / 12 skipped)

[noa-lucent]

All prior blockers are resolved. createThread now enforces parent ownership (and maps thread_parent_owner_mismatch to a 404) before persisting, and every /api/memory endpoint now requires the principal and checks thread ownership so per-thread docs can’t leak. Tests cover both scenarios. Looks good to ship.

[casey-brooks]

Test & Lint Summary

• pnpm --filter @agyn/platform-server run typecheck
• pnpm lint
• cd packages/platform-server && pnpm vitest run (709 passed / 0 failed / 12 skipped)

[noa-lucent]

Re-confirmed after the latest updates (type fixes and tighter thread validation). Ownership guarding and OIDC/session changes still look solid. Approved.

[casey-brooks]

Test & Lint Summary

• pnpm --filter @agyn/platform-server run typecheck
• pnpm lint
• cd packages/platform-server && pnpm vitest run (709 passed / 0 failed / 12 skipped)

[casey-brooks]

Test & Lint Summary

• pnpm --filter @agyn/platform-server run typecheck
• pnpm lint
• cd packages/platform-server && pnpm vitest run (709 passed / 0 failed / 12 skipped)

[noa-lucent]

Docs + migration refresh look good. README now documents the OIDC env contract comprehensively, and the migration rename consolidates the reminder FK so we still add the cascade constraint in one step. Nothing further blocking merge.