feat(device-agent): implement device registration and authentication flow (#2281)

- Added DeviceAgentAuthService to handle device authentication, including generating and exchanging authorization codes.
- Implemented device registration logic with and without serial numbers, ensuring proper organization validation.
- Created new DTOs for device registration, check-in, and authorization code exchange.
- Updated DeviceAgentController to include endpoints for generating auth codes, registering devices, and checking in.
- Introduced proxy functionality in the portal to forward device-agent requests to the NestJS API, enhancing security and session management.
- Enhanced error handling and validation across new features, ensuring robust API interactions.

Tests included for all new functionalities to ensure reliability and maintainability.

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>

Author: github-actions[bot]

.github/workflows/device-agent-release.yml

@@ -18,6 +18,7 @@ jobs:
       tag_name: ${{ steps.version.outputs.tag_name }}
       is_prerelease: ${{ steps.version.outputs.is_prerelease }}
       portal_url: ${{ steps.version.outputs.portal_url }}
+      api_url: ${{ steps.version.outputs.api_url }}
       release_name: ${{ steps.version.outputs.release_name }}
       auto_update_url: ${{ steps.version.outputs.auto_update_url }}
       s3_env: ${{ steps.version.outputs.s3_env }}
@@ -50,12 +51,14 @@ jobs:
             TAG_NAME="device-agent-v${NEXT_VERSION}"
             IS_PRERELEASE="false"
             PORTAL_URL="https://portal.trycomp.ai"
+            API_URL="https://api.trycomp.ai"
             RELEASE_NAME="Device Agent v${NEXT_VERSION}"
             S3_ENV="production"
           else
             TAG_NAME="device-agent-v${NEXT_VERSION}-staging.${GITHUB_RUN_NUMBER}"
             IS_PRERELEASE="true"
             PORTAL_URL="https://portal.staging.trycomp.ai"
+            API_URL="https://api.staging.trycomp.ai"
             RELEASE_NAME="Device Agent v${NEXT_VERSION} (Staging #${GITHUB_RUN_NUMBER})"
             S3_ENV="staging"
           fi
@@ -67,6 +70,7 @@ jobs:
           echo "tag_name=$TAG_NAME" >> $GITHUB_OUTPUT
           echo "is_prerelease=$IS_PRERELEASE" >> $GITHUB_OUTPUT
           echo "portal_url=$PORTAL_URL" >> $GITHUB_OUTPUT
+          echo "api_url=$API_URL" >> $GITHUB_OUTPUT
           echo "release_name=$RELEASE_NAME" >> $GITHUB_OUTPUT
           echo "auto_update_url=$AUTO_UPDATE_URL" >> $GITHUB_OUTPUT
           echo "s3_env=$S3_ENV" >> $GITHUB_OUTPUT
@@ -77,6 +81,7 @@ jobs:
           echo "Tag name: $TAG_NAME"
           echo "Pre-release: $IS_PRERELEASE"
           echo "Portal URL: $PORTAL_URL"
+          echo "API URL: $API_URL"
           echo "Auto-update URL: $AUTO_UPDATE_URL"
           echo "S3 env: $S3_ENV"
 
@@ -112,6 +117,7 @@ jobs:
       - name: Build
         env:
           PORTAL_URL: ${{ needs.detect-version.outputs.portal_url }}
+          API_URL: ${{ needs.detect-version.outputs.api_url }}
           AGENT_VERSION: ${{ needs.detect-version.outputs.version }}
         run: bun run build
 
@@ -170,6 +176,7 @@ jobs:
       - name: Build
         env:
           PORTAL_URL: ${{ needs.detect-version.outputs.portal_url }}
+          API_URL: ${{ needs.detect-version.outputs.api_url }}
           AGENT_VERSION: ${{ needs.detect-version.outputs.version }}
         run: bun run build
 
@@ -319,6 +326,7 @@ jobs:
       - name: Build
         env:
           PORTAL_URL: ${{ needs.detect-version.outputs.portal_url }}
+          API_URL: ${{ needs.detect-version.outputs.api_url }}
           AGENT_VERSION: ${{ needs.detect-version.outputs.version }}
         run: bun run build
 

CLAUDE.md

@@ -34,10 +34,13 @@ packages/
 
 ## Authentication & Session
 
-- **Session-based auth only.** No JWT tokens. All requests use `credentials: 'include'` to send httpOnly session cookies.
+- **Auth lives in `apps/api` (NestJS).** The API is the single source of truth for authentication via better-auth. All apps and packages that need to authenticate (app, portal, device-agent, etc.) MUST go through the API — never run a local better-auth instance or handle auth directly in a frontend app.
+- **Session-based auth only.** No JWT tokens. Cross-subdomain cookies (`.trycomp.ai`) allow sessions to work across all apps.
 - **HybridAuthGuard** supports 3 methods in order: API Key (`x-api-key`), Service Token (`x-service-token`), Session (cookies). `@Public()` skips auth.
-- **Client-side**: `apiClient` from `@/lib/api-client` (always sends cookies).
-- **Server-side**: `serverApi` from `@/lib/api-server.ts`.
+- **Client-side auth**: `authClient` (better-auth client) with `baseURL` pointing to the API, NOT the current app.
+- **Client-side data**: `apiClient` from `@/lib/api-client` (always sends cookies).
+- **Server-side data**: `serverApi` from `@/lib/api-server.ts`.
+- **Server-side session checks**: Proxy to the API's `/api/auth/get-session` endpoint — do NOT instantiate better-auth locally.
 - **Raw `fetch()` to API**: MUST include `credentials: 'include'`, otherwise 401.
 
 ## API Architecture

apps/api/src/auth/auth.server.ts

@@ -5,6 +5,7 @@ import { db } from '@trycompai/db';
 import { betterAuth } from 'better-auth';
 import { prismaAdapter } from 'better-auth/adapters/prisma';
 import {
+  bearer,
   emailOTP,
   magicLink,
   multiSession,
@@ -302,6 +303,7 @@ export const auth = betterAuth({
       },
     }),
     multiSession(),
+    bearer(),
   ],
   socialProviders,
   user: {