release satellite

docs/development/backend/api-security.mdx

@@ -234,6 +234,10 @@ requireOwnershipOrAdmin(getUserIdFromRequest) // User owns resource OR is admin
 // Dual authentication (Cookie + OAuth2)
 requireAuthenticationAny()                    // Accept either cookie or OAuth2 Bearer token
 requireOAuthScope('scope.name')               // Enforce OAuth2 scope requirements
+
+// Satellite authentication (API key-based)
+requireSatelliteAuth()                        // Validates satellite API keys using argon2
+requireUserOrSatelliteAuth()                  // Accept either user auth or satellite API key
 ```
 
 ### Dual Authentication Support
@@ -265,6 +269,79 @@ export default async function dualAuthRoute(server: FastifyInstance) {
 
 For detailed OAuth2 implementation, see the [Backend OAuth Implementation Guide](/development/backend/oauth-providers) and [Backend Security Policy](/development/backend/security#oauth2-server-security).
 
+### Satellite Authentication
+
+For endpoints that need to authenticate DeployStack Satellite instances, use the satellite authentication middleware. Satellites use API key-based authentication with argon2 hash verification.
+
+```typescript
+import { requireSatelliteAuth, requireUserOrSatelliteAuth } from '../../middleware/satelliteAuthMiddleware';
+
+export default async function satelliteRoute(server: FastifyInstance) {
+  // Satellite-only endpoint
+  server.post('/satellites/:satelliteId/heartbeat', {
+    preValidation: [requireSatelliteAuth()], // Only satellites can access
+    schema: {
+      security: [{ bearerAuth: [] }] // API key via Bearer token
+    }
+  }, async (request, reply) => {
+    // Access satellite context
+    const satellite = request.satellite!;
+    const satelliteId = satellite.id;
+    const satelliteType = satellite.satellite_type; // 'global' or 'team'
+  });
+
+  // Hybrid endpoint (users OR satellites)
+  server.get('/satellites/:satelliteId/status', {
+    preValidation: [requireUserOrSatelliteAuth()], // Accept either auth method
+    schema: {
+      security: [
+        { cookieAuth: [] },    // User authentication
+        { bearerAuth: [] }     // Satellite API key
+      ]
+    }
+  }, async (request, reply) => {
+    // Check authentication type
+    if (request.satellite) {
+      // Authenticated as satellite
+      const satelliteId = request.satellite.id;
+    } else if (request.user) {
+      // Authenticated as user
+      const userId = request.user.id;
+    }
+  });
+}
+```
+
+#### Satellite Authentication Flow
+
+The satellite authentication middleware performs these steps:
+
+1. **Bearer Token Extraction**: Extracts API key from Authorization header
+2. **Database Lookup**: Retrieves all satellite records from database
+3. **Hash Verification**: Uses argon2.verify() to validate API key against stored hashes
+4. **Context Setting**: Sets satellite information on request object for route handlers
+
+#### Satellite Context Object
+
+When satellite authentication succeeds, the middleware sets `request.satellite` with:
+
+```typescript
+interface SatelliteContext {
+  id: string;                                    // Satellite unique identifier
+  name: string;                                  // Human-readable satellite name
+  satellite_type: 'global' | 'team';           // Deployment type
+  team_id: string | null;                       // Associated team (null for global)
+  status: 'active' | 'inactive' | 'maintenance' | 'error'; // Current status
+}
+```
+
+#### Security Considerations
+
+- **API Key Storage**: Satellite API keys are stored as argon2 hashes in the database
+- **Key Generation**: 32-byte cryptographically secure random keys (base64url encoded)
+- **Key Rotation**: New API key generated on each satellite registration
+- **Scope Isolation**: Satellites can only access their own resources and endpoints
+
 ### Team-Aware Permission System
 
 For endpoints that operate within team contexts (e.g., `/teams/:teamId/resource`), use the team-aware permission middleware:

docs/development/backend/index.mdx

@@ -9,7 +9,7 @@ import { Database, Shield, Plug, Settings, Mail, TestTube, Wrench, BookOpen, Ter
 
 # DeployStack Backend Development
 
-The DeployStack backend is a modern, high-performance Node.js application built with **Fastify**, **TypeScript**, and **Drizzle ORM**. It's specifically designed for managing MCP (Model Context Protocol) server configurations with enterprise-grade features including authentication, role-based access control, and an extensible plugin system.
+The DeployStack backend is a modern, high-performance Node.js application built with **Fastify**, **TypeScript**, and **Drizzle ORM**. It serves as the central control plane managing MCP server catalogs, team configurations, satellite orchestration, and user authentication with enterprise-grade features.
 
 ## Technology Stack
 
@@ -18,7 +18,7 @@ The DeployStack backend is a modern, high-performance Node.js application built
 - **Database**: SQLite (default) or PostgreSQL with Drizzle ORM
 - **Validation**: Zod for request/response validation and OpenAPI generation
 - **Plugin System**: Extensible architecture with security isolation
-- **Authentication**: Cookie-based sessions with role-based access control
+- **Authentication**: Dual authentication system - cookie-based sessions for frontend and OAuth 2.1 for satellite access
 
 ## Quick Start
 
@@ -99,10 +99,10 @@ The development server starts at `http://localhost:3000` with API documentation
 
   <Card 
     icon={<Terminal />} 
-    href="/deploystack/development/backend/gateway-client-config" 
-    title="Gateway Client Configuration"
+    href="/deploystack/development/backend/satellite-communication" 
+    title="Satellite Communication"
   >
-    API endpoint for generating client-specific gateway configuration files with dual authentication support.
+    API endpoints for satellite registration, configuration management, and command orchestration with polling-based communication.
   </Card>
 </Cards>
 

docs/development/backend/logging.mdx

@@ -1,7 +1,7 @@
 ---
-title: Backend Logging  & Log Level Configuration
+title: Backend Logging & Log Level Configuration
 description: Complete guide to configuring and using log levels in the DeployStack backend for development and production environments.
-sidebar: Backend Development
+sidebar: Logging
 ---
 
 import { Callout } from 'fumadocs-ui/components/callout';