feat(phase-6): WS3+WS4+WS6 — Analytics, API Tiers, AGNTCY Compliance

WS3 — Advanced Analytics Dashboard:
- DB migration: analytics_events table (tenant_id, date, metric_type, count)
- AnalyticsService: recordEvent (fire-and-forget), getTokenTrend, getAgentActivity, getAgentUsageSummary
- Analytics hooks in OAuth2Service (token_issued) and AgentService (agent_registered/deactivated)
- AnalyticsController + routes/analytics.ts (gated by ANALYTICS_ENABLED flag)
- Portal: TokenTrendChart (recharts LineChart), AgentHeatmap (recharts heatmap), /analytics page

WS4 — API Gateway Tiers:
- DB migration: tenant_tiers table; src/config/tiers.ts (free/pro/enterprise limits)
- TierService: getStatus, initiateUpgrade (Stripe), applyUpgrade; TierLimitError in errors.ts
- tierEnforcement middleware (Redis-backed daily call/token counters; TIER_ENFORCEMENT flag)
- Agent count enforcement in AgentService.create()
- Stripe webhook updated to call TierService.applyUpgrade() on checkout.session.completed
- TierController + routes/tiers.ts; Portal: /settings/tier page with upgrade flow

WS6 — AGNTCY Compliance Certification:
- ComplianceService: generateReport() (Redis-cached 5 min), exportAgentCards()
- Compliance sections: agent-identity (DID + credential expiry checks), audit-trail (Merkle chain)
- ComplianceController updated with getComplianceReport, exportAgentCards handlers
- routes/compliance.ts: new AGNTCY routes (gated by COMPLIANCE_ENABLED flag); SOC2 routes unaffected

QA:
- 28 new unit tests: AnalyticsService (8), TierService (9), ComplianceService (11) — all pass
- 673 total unit tests passing; 0 TypeScript errors across API and portal
- AGNTCY conformance test suite at tests/agntcy-conformance/ (4 protocol tests)
- Portal builds cleanly: 9 routes including /analytics and /settings/tier
- Feature flags verified: ANALYTICS_ENABLED, TIER_ENFORCEMENT, COMPLIANCE_ENABLED

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/controllers/ComplianceController.ts

@@ -1,15 +1,19 @@
 /**
- * ComplianceController — SOC 2 Type II compliance endpoints.
+ * ComplianceController — SOC 2 Type II and AGNTCY compliance endpoints.
  *
- * Handles two endpoints defined in docs/openapi/compliance.yaml:
- *   GET /api/v1/audit/verify       — Audit chain integrity verification (auth required)
+ * Handles endpoints defined in docs/openapi/compliance.yaml:
+ *   GET /api/v1/audit/verify        — Audit chain integrity verification (auth required)
  *   GET /api/v1/compliance/controls — SOC 2 control status summary (public)
+ *   GET /api/v1/compliance/report   — AGNTCY compliance report (auth required)
+ *   GET /api/v1/compliance/agent-cards — AGNTCY agent card export (auth required)
  */
 
 import { Request, Response, NextFunction } from 'express';
 import { AuditVerificationService } from '../services/AuditVerificationService.js';
+import { ComplianceService } from '../services/ComplianceService.js';
 import { getAllControlStatuses } from '../services/ComplianceStatusStore.js';
 import { ValidationError } from '../utils/errors.js';
+import { ITokenPayload } from '../types/index.js';
 
 // ============================================================================
 // Helpers
@@ -33,15 +37,18 @@ function isValidIsoDateTime(value: string): boolean {
 // ============================================================================
 
 /**
- * Controller for SOC 2 Type II compliance API endpoints.
- * Exposes audit chain verification and live control status reporting.
+ * Controller for SOC 2 Type II and AGNTCY compliance API endpoints.
+ * Exposes audit chain verification, live control status reporting,
+ * AGNTCY compliance report generation, and agent card export.
  */
 export class ComplianceController {
   /**
    * @param auditVerificationService - Service for cryptographic audit chain verification.
+   * @param complianceService - Service for AGNTCY compliance report and agent card generation.
    */
   constructor(
     private readonly auditVerificationService: AuditVerificationService,
+    private readonly complianceService: ComplianceService,
   ) {}
 
   // ──────────────────────────────────────────────────────────────────────────
@@ -127,4 +134,59 @@ export class ComplianceController {
       next(err);
     }
   }
+
+  /**
+   * GET /api/v1/compliance/report
+   *
+   * Generates and returns an AGNTCY compliance report for the authenticated tenant.
+   * The report covers agent-identity verification and audit-trail integrity.
+   * Reports are cached in Redis for 5 minutes; sets `X-Cache: HIT` when served from cache.
+   *
+   * Requires Bearer token authentication (tenant extracted from req.user.sub).
+   *
+   * @param req - Express request; tenant derived from authenticated user context.
+   * @param res - Express response.
+   * @param next - Express next function.
+   */
+  async getComplianceReport(req: Request, res: Response, next: NextFunction): Promise<void> {
+    try {
+      const user = req.user as ITokenPayload | undefined;
+      const tenantId = user?.organization_id ?? user?.sub ?? '';
+
+      const report = await this.complianceService.generateReport(tenantId);
+
+      if (report.from_cache === true) {
+        res.setHeader('X-Cache', 'HIT');
+      }
+
+      res.status(200).json(report);
+    } catch (err) {
+      next(err);
+    }
+  }
+
+  /**
+   * GET /api/v1/compliance/agent-cards
+   *
+   * Exports all active agents for the authenticated tenant as AGNTCY-standard
+   * agent card JSON objects.
+   *
+   * Requires Bearer token authentication (tenant extracted from req.user.sub).
+   *
+   * @param req - Express request; tenant derived from authenticated user context.
+   * @param res - Express response.
+   * @param next - Express next function.
+   */
+  async exportAgentCards(req: Request, res: Response, next: NextFunction): Promise<void> {
+    try {
+      const user = req.user as ITokenPayload | undefined;
+      const tenantId = user?.organization_id ?? user?.sub ?? '';
+
+      const cards = await this.complianceService.exportAgentCards(tenantId);
+
+      res.status(200).json(cards);
+    } catch (err) {
+      next(err);
+    }
+  }
 }