feat: add user auth, agent playground, provider console, and community features (Phase 7)

Implement the complete C-side marketplace functionality:

- User authentication system with JWT (register/login/refresh/logout/API keys)
- Agent invocation endpoint with SSE streaming support and rate limiting
- Provider console for publishing, managing, and analyzing agents
- Community features: reviews/ratings, categories, abuse reports, trusted badge
- Full React frontend: auth UI, playground chat, provider dashboard, publish wizard,
  review section, category filters, report dialog

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: gcmsg

cmd/peerclawd/main.go

@@ -25,6 +25,9 @@ import (
 	"github.com/peerclaw/peerclaw-server/internal/router"
 	"github.com/peerclaw/peerclaw-server/internal/server"
 	"github.com/peerclaw/peerclaw-server/internal/signaling"
+	"github.com/peerclaw/peerclaw-server/internal/invocation"
+	"github.com/peerclaw/peerclaw-server/internal/review"
+	"github.com/peerclaw/peerclaw-server/internal/userauth"
 	"github.com/peerclaw/peerclaw-server/internal/verification"
 	goredis "github.com/redis/go-redis/v9"
 )
@@ -109,6 +112,62 @@ func main() {
 		logger.Info("endpoint verification initialized")
 	}
 
+	// Initialize user authentication.
+	var userAuthService *userauth.Service
+	if cfg.UserAuth.Enabled && sqlDB != nil {
+		uaStore := userauth.NewStore(cfg.Database.Driver, sqlDB)
+		if err := uaStore.Migrate(context.Background()); err != nil {
+			logger.Error("failed to migrate userauth tables", "error", err)
+			os.Exit(1)
+		}
+
+		jwtSecret := cfg.UserAuth.JWTSecret
+		if jwtSecret == "" {
+			jwtSecret = "peerclaw-dev-secret-change-me"
+			logger.Warn("using default JWT secret — set user_auth.jwt_secret in config for production")
+		}
+
+		accessTTL, err := time.ParseDuration(cfg.UserAuth.AccessTTL)
+		if err != nil {
+			accessTTL = 15 * time.Minute
+		}
+		refreshTTL, err := time.ParseDuration(cfg.UserAuth.RefreshTTL)
+		if err != nil {
+			refreshTTL = 168 * time.Hour
+		}
+
+		jwtMgr := userauth.NewJWTManager(jwtSecret, accessTTL, refreshTTL)
+		userAuthService = userauth.NewService(uaStore, jwtMgr, cfg.UserAuth.BcryptCost, logger)
+		logger.Info("user authentication initialized",
+			"access_ttl", accessTTL,
+			"refresh_ttl", refreshTTL,
+		)
+	}
+
+	// Initialize invocation store.
+	var invocationService *invocation.Service
+	if sqlDB != nil {
+		invStore := invocation.NewStore(cfg.Database.Driver, sqlDB)
+		if err := invStore.Migrate(context.Background()); err != nil {
+			logger.Error("failed to migrate invocation tables", "error", err)
+			os.Exit(1)
+		}
+		invocationService = invocation.NewService(invStore, logger)
+		logger.Info("invocation tracking initialized")
+	}
+
+	// Initialize review service.
+	var reviewService *review.Service
+	if sqlDB != nil {
+		revStore := review.NewStore(cfg.Database.Driver, sqlDB)
+		if err := revStore.Migrate(context.Background()); err != nil {
+			logger.Error("failed to migrate review tables", "error", err)
+			os.Exit(1)
+		}
+		reviewService = review.NewService(revStore, repEngine, logger)
+		logger.Info("review service initialized")
+	}
+
 	// Initialize services.
 	regService := registry.NewService(store, logger)
 	routeTable := router.NewTable()
@@ -210,6 +269,20 @@ func main() {
 	if fedService != nil {
 		httpServer.SetFederation(fedService)
 	}
+	if userAuthService != nil {
+		httpServer.SetUserAuth(userAuthService)
+	}
+	if reviewService != nil {
+		httpServer.SetReviewService(reviewService)
+	}
+	if invocationService != nil {
+		httpServer.SetInvocation(invocationService)
+		// Anonymous: 10 calls/hour/IP, Authenticated: 100 calls/hour.
+		invokeRL := server.NewIPRateLimiter(10.0/3600.0, 3)
+		stopInvokeCleanup := invokeRL.StartCleanup(time.Minute)
+		defer stopInvokeCleanup()
+		httpServer.SetInvokeRateLimiter(invokeRL)
+	}
 	if sigHub != nil {
 		sigHub.SetAudit(auditLogger)
 		sigHub.SetMetrics(otelMetrics)

go.mod

@@ -27,11 +27,13 @@ require (
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
+	golang.org/x/crypto v0.48.0 // indirect
 	golang.org/x/net v0.50.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect

go.sum

@@ -15,6 +15,8 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -69,6 +71,8 @@ go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
 golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=

internal/config/config.go

@@ -21,13 +21,23 @@ type Config struct {
 	AuditLog      AuditLogConfig      `yaml:"audit_log"`
 	Federation    FederationConfig    `yaml:"federation"`
 	Auth          AuthConfig          `yaml:"auth"`
+	UserAuth      UserAuthConfig      `yaml:"user_auth"`
 }
 
 // AuthConfig holds authentication settings.
 type AuthConfig struct {
 	Required bool `yaml:"required"` // When true, reject unauthenticated requests. Default false for transition.
 }
 
+// UserAuthConfig holds user authentication settings.
+type UserAuthConfig struct {
+	Enabled    bool   `yaml:"enabled"`     // default true
+	JWTSecret  string `yaml:"jwt_secret"`  // supports ${ENV_VAR}
+	AccessTTL  string `yaml:"access_ttl"`  // default "15m"
+	RefreshTTL string `yaml:"refresh_ttl"` // default "168h" (7 days)
+	BcryptCost int    `yaml:"bcrypt_cost"` // default 12
+}
+
 // ServerConfig holds HTTP and gRPC server settings.
 type ServerConfig struct {
 	HTTPAddr    string   `yaml:"http_addr"`
@@ -166,6 +176,12 @@ func DefaultConfig() *Config {
 		Federation: FederationConfig{
 			Enabled: false,
 		},
+		UserAuth: UserAuthConfig{
+			Enabled:    true,
+			AccessTTL:  "15m",
+			RefreshTTL: "168h",
+			BcryptCost: 12,
+		},
 	}
 }
 
@@ -200,6 +216,7 @@ func (c *Config) resolveSecrets() {
 	c.Database.DSN = resolveEnv(c.Database.DSN)
 	c.Signaling.TURN.Credential = resolveEnv(c.Signaling.TURN.Credential)
 	c.Federation.AuthToken = resolveEnv(c.Federation.AuthToken)
+	c.UserAuth.JWTSecret = resolveEnv(c.UserAuth.JWTSecret)
 	for i := range c.Federation.Peers {
 		c.Federation.Peers[i].Token = resolveEnv(c.Federation.Peers[i].Token)
 	}

internal/identity/trust.go

@@ -68,6 +68,8 @@ func ExtractBearerToken(authHeader string) (string, error) {
 type contextKey string
 
 const agentIDKey contextKey = "agent_id"
+const userIDKey contextKey = "user_id"
+const userRoleKey contextKey = "user_role"
 
 // WithAgentID stores the agent ID in the context.
 func WithAgentID(ctx context.Context, agentID string) context.Context {
@@ -79,3 +81,25 @@ func AgentIDFromContext(ctx context.Context) (string, bool) {
 	id, ok := ctx.Value(agentIDKey).(string)
 	return id, ok
 }
+
+// WithUserID stores the user ID in the context.
+func WithUserID(ctx context.Context, userID string) context.Context {
+	return context.WithValue(ctx, userIDKey, userID)
+}
+
+// UserIDFromContext retrieves the user ID from the context.
+func UserIDFromContext(ctx context.Context) (string, bool) {
+	id, ok := ctx.Value(userIDKey).(string)
+	return id, ok
+}
+
+// WithUserRole stores the user role in the context.
+func WithUserRole(ctx context.Context, role string) context.Context {
+	return context.WithValue(ctx, userRoleKey, role)
+}
+
+// UserRoleFromContext retrieves the user role from the context.
+func UserRoleFromContext(ctx context.Context) (string, bool) {
+	role, ok := ctx.Value(userRoleKey).(string)
+	return role, ok
+}

internal/invocation/factory.go

@@ -0,0 +1,13 @@
+package invocation
+
+import "database/sql"
+
+// NewStore creates a Store based on the driver name.
+func NewStore(driver string, db *sql.DB) Store {
+	switch driver {
+	case "postgres":
+		return NewPostgresStore(db)
+	default:
+		return NewSQLiteStore(db)
+	}
+}