fix: per-service JWT in Kong, fix auth-service tenant-aware repos

- Replace global JWT plugin with per-service JWT (skip auth-service)
  to fix auth routes being blocked by global JWT in DB-less mode
- Fix UserRepository and ApiKeyRepository to use standard TypeORM
  instead of TenantAwareRepository (users are global, not per-schema)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/gateway/config/kong.yml

@@ -106,12 +106,7 @@ services:
         strip_path: false
 
 plugins:
-  - name: jwt
+  # ===== Global plugins (apply to ALL routes) =====
-    config:
-      key_claim_name: kid
-      claims_to_verify:
-        - exp
-
   - name: cors
     config:
       origins:
@@ -143,10 +138,64 @@ plugins:
       path: /dev/stdout
       reopen: true
 
+  # ===== JWT per-service (NOT on auth-service) =====
   - name: jwt
-    route: auth-routes
+    service: agent-service
-    enabled: false
+    config:
+      key_claim_name: kid
+      claims_to_verify:
+        - exp
 
+  - name: jwt
+    service: agent-config-service
+    config:
+      key_claim_name: kid
+      claims_to_verify:
+        - exp
+
+  - name: jwt
+    service: ops-service
+    config:
+      key_claim_name: kid
+      claims_to_verify:
+        - exp
+
+  - name: jwt
+    service: inventory-service
+    config:
+      key_claim_name: kid
+      claims_to_verify:
+        - exp
+
+  - name: jwt
+    service: monitor-service
+    config:
+      key_claim_name: kid
+      claims_to_verify:
+        - exp
+
+  - name: jwt
+    service: comm-service
+    config:
+      key_claim_name: kid
+      claims_to_verify:
+        - exp
+
+  - name: jwt
+    service: voice-service
+    config:
+      key_claim_name: kid
+      claims_to_verify:
+        - exp
+
+  - name: jwt
+    service: audit-service
+    config:
+      key_claim_name: kid
+      claims_to_verify:
+        - exp
+
+  # ===== Route-specific overrides =====
   - name: rate-limiting
     route: agent-ws
     config:

packages/services/auth-service/src/infrastructure/repositories/api-key.repository.ts

@@ -1,21 +1,24 @@
 import { Injectable } from '@nestjs/common';
-import { DataSource } from 'typeorm';
+import { InjectRepository } from '@nestjs/typeorm';
-import { TenantAwareRepository } from '@it0/database';
+import { Repository } from 'typeorm';
 import { ApiKey } from '../../domain/entities/api-key.entity';
 
 @Injectable()
-export class ApiKeyRepository extends TenantAwareRepository<ApiKey> {
+export class ApiKeyRepository {
-  constructor(dataSource: DataSource) {
+  constructor(
-    super(dataSource, ApiKey);
+    @InjectRepository(ApiKey)
-  }
+    private readonly repo: Repository<ApiKey>,
+  ) {}
 
   async findByKeyHash(keyHash: string): Promise<ApiKey | null> {
-    const repo = await this.getRepository();
+    return this.repo.findOneBy({ keyHash });
-    return repo.findOneBy({ keyHash } as any);
   }
 
   async findByUserId(userId: string): Promise<ApiKey[]> {
-    const repo = await this.getRepository();
+    return this.repo.find({ where: { userId } });
-    return repo.find({ where: { userId } as any });
+  }
+
+  async save(apiKey: ApiKey): Promise<ApiKey> {
+    return this.repo.save(apiKey);
   }
 }

packages/services/auth-service/src/infrastructure/repositories/user.repository.ts

@@ -1,16 +1,24 @@
 import { Injectable } from '@nestjs/common';
-import { DataSource } from 'typeorm';
+import { InjectRepository } from '@nestjs/typeorm';
-import { TenantAwareRepository } from '@it0/database';
+import { Repository } from 'typeorm';
 import { User } from '../../domain/entities/user.entity';
 
 @Injectable()
-export class UserRepository extends TenantAwareRepository<User> {
+export class UserRepository {
-  constructor(dataSource: DataSource) {
+  constructor(
-    super(dataSource, User);
+    @InjectRepository(User)
-  }
+    private readonly repo: Repository<User>,
+  ) {}
 
   async findByEmail(email: string): Promise<User | null> {
-    const repo = await this.getRepository();
+    return this.repo.findOneBy({ email });
-    return repo.findOneBy({ email } as any);
+  }
+
+  async findById(id: string): Promise<User | null> {
+    return this.repo.findOneBy({ id });
+  }
+
+  async save(user: User): Promise<User> {
+    return this.repo.save(user);
   }
 }