save checkpoint

2026-02-11 01:32:14 +02:00
parent 5593212b41
commit cf5b72974f
2316 changed files with 68799 additions and 3808 deletions
--- a/src/Graph/StellaOps.Graph.Api/Program.cs
+++ b/src/Graph/StellaOps.Graph.Api/Program.cs
@@ -5,14 +5,14 @@ using StellaOps.Graph.Api.Services;
 var builder = WebApplication.CreateBuilder(args);

 builder.Services.AddMemoryCache();
-builder.Services.AddSingleton<InMemoryGraphRepository>();
+builder.Services.AddSingleton(_ => new InMemoryGraphRepository());
 builder.Services.AddScoped<IGraphSearchService, InMemoryGraphSearchService>();
 builder.Services.AddScoped<IGraphQueryService, InMemoryGraphQueryService>();
 builder.Services.AddScoped<IGraphPathService, InMemoryGraphPathService>();
 builder.Services.AddScoped<IGraphDiffService, InMemoryGraphDiffService>();
 builder.Services.AddScoped<IGraphLineageService, InMemoryGraphLineageService>();
 builder.Services.AddScoped<IOverlayService, InMemoryOverlayService>();
-builder.Services.AddScoped<IGraphExportService, InMemoryGraphExportService>();
+builder.Services.AddSingleton<IGraphExportService, InMemoryGraphExportService>();
 builder.Services.AddSingleton<IRateLimiter>(_ => new RateLimiterService(limitPerWindow: 120));
 builder.Services.AddSingleton<IAuditLogger, InMemoryAuditLogger>();
 builder.Services.AddSingleton<IGraphMetrics, GraphMetrics>();
@@ -351,16 +351,52 @@ app.MapPost("/graph/export", async (HttpContext context, GraphExportRequest requ
    return Results.Ok(manifest);
 });

-app.MapGet("/graph/export/{jobId}", (string jobId, HttpContext context, IGraphExportService service) =>
+app.MapGet("/graph/export/{jobId}", async (string jobId, HttpContext context, IGraphExportService service, CancellationToken ct) =>
 {
-    var job = service.Get(jobId);
-    if (job is null)
+    var sw = System.Diagnostics.Stopwatch.StartNew();
+    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault();
+    if (string.IsNullOrWhiteSpace(tenant))
    {
+        await WriteError(context, StatusCodes.Status400BadRequest, "GRAPH_VALIDATION_FAILED", "Missing X-Stella-Tenant header", ct);
+        LogAudit(context, "/graph/export/download", StatusCodes.Status400BadRequest, sw.ElapsedMilliseconds);
+        return Results.Empty;
+    }
+
+    if (!context.Request.Headers.ContainsKey("Authorization"))
+    {
+        await WriteError(context, StatusCodes.Status401Unauthorized, "GRAPH_UNAUTHORIZED", "Missing Authorization header", ct);
+        LogAudit(context, "/graph/export/download", StatusCodes.Status401Unauthorized, sw.ElapsedMilliseconds);
+        return Results.Empty;
+    }
+
+    var scopes = context.Request.Headers["X-Stella-Scopes"]
+        .SelectMany(v => v?.Split(new[] { ' ', ',', ';' }, StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty<string>())
+        .ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+    if (!scopes.Contains("graph:export"))
+    {
+        await WriteError(context, StatusCodes.Status403Forbidden, "GRAPH_FORBIDDEN", "Missing graph:export scope", ct);
+        LogAudit(context, "/graph/export/download", StatusCodes.Status403Forbidden, sw.ElapsedMilliseconds);
+        return Results.Empty;
+    }
+
+    if (!RateLimit(context, "/graph/export/download"))
+    {
+        await WriteError(context, StatusCodes.Status429TooManyRequests, "GRAPH_RATE_LIMITED", "Too many requests", ct);
+        LogAudit(context, "/graph/export/download", StatusCodes.Status429TooManyRequests, sw.ElapsedMilliseconds);
+        return Results.Empty;
+    }
+
+    var job = service.Get(jobId);
+    if (job is null || !string.Equals(job.Tenant, tenant, StringComparison.Ordinal))
+    {
+        LogAudit(context, "/graph/export/download", StatusCodes.Status404NotFound, sw.ElapsedMilliseconds);
        return Results.NotFound(new ErrorResponse { Error = "GRAPH_EXPORT_NOT_FOUND", Message = "Export job not found" });
    }

    context.Response.Headers.ContentLength = job.Payload.Length;
    context.Response.Headers["X-Content-SHA256"] = job.Sha256;
+    LogAudit(context, "/graph/export/download", StatusCodes.Status200OK, sw.ElapsedMilliseconds);
    return Results.File(job.Payload, job.ContentType, $"graph-export-{job.JobId}.{job.Format}");
 });

@@ -371,15 +407,37 @@ app.MapGet("/graph/export/{jobId}", (string jobId, HttpContext context, IGraphEx
 app.MapPost("/graph/edges/metadata", async (EdgeMetadataRequest request, HttpContext context, IEdgeMetadataService service, CancellationToken ct) =>
 {
    var sw = System.Diagnostics.Stopwatch.StartNew();
-    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault() ?? "default";
-    
-    if (!RateLimit(context, "/graph/edges/metadata"))
+    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault();
+    if (string.IsNullOrWhiteSpace(tenant))
    {
-        LogAudit(context, "/graph/edges/metadata", StatusCodes.Status429TooManyRequests, sw.ElapsedMilliseconds);
-        return Results.StatusCode(StatusCodes.Status429TooManyRequests);
+        await WriteError(context, StatusCodes.Status400BadRequest, "GRAPH_VALIDATION_FAILED", "Missing X-Stella-Tenant header", ct);
+        return Results.Empty;
    }

-    var response = await service.GetEdgeMetadataAsync(tenant, request, ct);
+    if (!context.Request.Headers.ContainsKey("Authorization"))
+    {
+        await WriteError(context, StatusCodes.Status401Unauthorized, "GRAPH_UNAUTHORIZED", "Missing Authorization header", ct);
+        return Results.Empty;
+    }
+
+    if (!RateLimit(context, "/graph/edges/metadata"))
+    {
+        await WriteError(context, StatusCodes.Status429TooManyRequests, "GRAPH_RATE_LIMITED", "Too many requests", ct);
+        LogAudit(context, "/graph/edges/metadata", StatusCodes.Status429TooManyRequests, sw.ElapsedMilliseconds);
+        return Results.Empty;
+    }
+
+    var scopes = context.Request.Headers["X-Stella-Scopes"]
+        .SelectMany(v => v?.Split(new[] { ' ', ',', ';' }, StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty<string>())
+        .ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+    if (!scopes.Contains("graph:read") && !scopes.Contains("graph:query"))
+    {
+        await WriteError(context, StatusCodes.Status403Forbidden, "GRAPH_FORBIDDEN", "Missing graph:read or graph:query scope", ct);
+        return Results.Empty;
+    }
+
+    var response = await service.GetEdgeMetadataAsync(tenant!, request, ct);
    LogAudit(context, "/graph/edges/metadata", StatusCodes.Status200OK, sw.ElapsedMilliseconds);
    return Results.Ok(response);
 });
@@ -387,15 +445,37 @@ app.MapPost("/graph/edges/metadata", async (EdgeMetadataRequest request, HttpCon
 app.MapGet("/graph/edges/{edgeId}/metadata", async (string edgeId, HttpContext context, IEdgeMetadataService service, CancellationToken ct) =>
 {
    var sw = System.Diagnostics.Stopwatch.StartNew();
-    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault() ?? "default";
-    
-    if (!RateLimit(context, "/graph/edges/metadata"))
+    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault();
+    if (string.IsNullOrWhiteSpace(tenant))
    {
-        LogAudit(context, "/graph/edges/metadata", StatusCodes.Status429TooManyRequests, sw.ElapsedMilliseconds);
-        return Results.StatusCode(StatusCodes.Status429TooManyRequests);
+        await WriteError(context, StatusCodes.Status400BadRequest, "GRAPH_VALIDATION_FAILED", "Missing X-Stella-Tenant header", ct);
+        return Results.Empty;
    }

-    var result = await service.GetSingleEdgeMetadataAsync(tenant, edgeId, ct);
+    if (!context.Request.Headers.ContainsKey("Authorization"))
+    {
+        await WriteError(context, StatusCodes.Status401Unauthorized, "GRAPH_UNAUTHORIZED", "Missing Authorization header", ct);
+        return Results.Empty;
+    }
+
+    if (!RateLimit(context, "/graph/edges/metadata"))
+    {
+        await WriteError(context, StatusCodes.Status429TooManyRequests, "GRAPH_RATE_LIMITED", "Too many requests", ct);
+        LogAudit(context, "/graph/edges/metadata", StatusCodes.Status429TooManyRequests, sw.ElapsedMilliseconds);
+        return Results.Empty;
+    }
+
+    var scopes = context.Request.Headers["X-Stella-Scopes"]
+        .SelectMany(v => v?.Split(new[] { ' ', ',', ';' }, StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty<string>())
+        .ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+    if (!scopes.Contains("graph:read") && !scopes.Contains("graph:query"))
+    {
+        await WriteError(context, StatusCodes.Status403Forbidden, "GRAPH_FORBIDDEN", "Missing graph:read or graph:query scope", ct);
+        return Results.Empty;
+    }
+
+    var result = await service.GetSingleEdgeMetadataAsync(tenant!, edgeId, ct);
    if (result is null)
    {
        LogAudit(context, "/graph/edges/metadata", StatusCodes.Status404NotFound, sw.ElapsedMilliseconds);
@@ -409,15 +489,37 @@ app.MapGet("/graph/edges/{edgeId}/metadata", async (string edgeId, HttpContext c
 app.MapGet("/graph/edges/path/{sourceNodeId}/{targetNodeId}", async (string sourceNodeId, string targetNodeId, HttpContext context, IEdgeMetadataService service, CancellationToken ct) =>
 {
    var sw = System.Diagnostics.Stopwatch.StartNew();
-    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault() ?? "default";
-    
-    if (!RateLimit(context, "/graph/edges/path"))
+    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault();
+    if (string.IsNullOrWhiteSpace(tenant))
    {
-        LogAudit(context, "/graph/edges/path", StatusCodes.Status429TooManyRequests, sw.ElapsedMilliseconds);
-        return Results.StatusCode(StatusCodes.Status429TooManyRequests);
+        await WriteError(context, StatusCodes.Status400BadRequest, "GRAPH_VALIDATION_FAILED", "Missing X-Stella-Tenant header", ct);
+        return Results.Empty;
    }

-    var edges = await service.GetPathEdgesWithMetadataAsync(tenant, sourceNodeId, targetNodeId, ct);
+    if (!context.Request.Headers.ContainsKey("Authorization"))
+    {
+        await WriteError(context, StatusCodes.Status401Unauthorized, "GRAPH_UNAUTHORIZED", "Missing Authorization header", ct);
+        return Results.Empty;
+    }
+
+    if (!RateLimit(context, "/graph/edges/path"))
+    {
+        await WriteError(context, StatusCodes.Status429TooManyRequests, "GRAPH_RATE_LIMITED", "Too many requests", ct);
+        LogAudit(context, "/graph/edges/path", StatusCodes.Status429TooManyRequests, sw.ElapsedMilliseconds);
+        return Results.Empty;
+    }
+
+    var scopes = context.Request.Headers["X-Stella-Scopes"]
+        .SelectMany(v => v?.Split(new[] { ' ', ',', ';' }, StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty<string>())
+        .ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+    if (!scopes.Contains("graph:query"))
+    {
+        await WriteError(context, StatusCodes.Status403Forbidden, "GRAPH_FORBIDDEN", "Missing graph:query scope", ct);
+        return Results.Empty;
+    }
+
+    var edges = await service.GetPathEdgesWithMetadataAsync(tenant!, sourceNodeId, targetNodeId, ct);
    LogAudit(context, "/graph/edges/path", StatusCodes.Status200OK, sw.ElapsedMilliseconds);
    return Results.Ok(new { sourceNodeId, targetNodeId, edges = edges.ToList() });
 });
@@ -425,12 +527,34 @@ app.MapGet("/graph/edges/path/{sourceNodeId}/{targetNodeId}", async (string sour
 app.MapGet("/graph/edges/by-reason/{reason}", async (string reason, int? limit, string? cursor, HttpContext context, IEdgeMetadataService service, CancellationToken ct) =>
 {
    var sw = System.Diagnostics.Stopwatch.StartNew();
-    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault() ?? "default";
-    
+    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault();
+    if (string.IsNullOrWhiteSpace(tenant))
+    {
+        await WriteError(context, StatusCodes.Status400BadRequest, "GRAPH_VALIDATION_FAILED", "Missing X-Stella-Tenant header", ct);
+        return Results.Empty;
+    }
+
+    if (!context.Request.Headers.ContainsKey("Authorization"))
+    {
+        await WriteError(context, StatusCodes.Status401Unauthorized, "GRAPH_UNAUTHORIZED", "Missing Authorization header", ct);
+        return Results.Empty;
+    }
+
    if (!RateLimit(context, "/graph/edges/by-reason"))
    {
+        await WriteError(context, StatusCodes.Status429TooManyRequests, "GRAPH_RATE_LIMITED", "Too many requests", ct);
        LogAudit(context, "/graph/edges/by-reason", StatusCodes.Status429TooManyRequests, sw.ElapsedMilliseconds);
-        return Results.StatusCode(StatusCodes.Status429TooManyRequests);
+        return Results.Empty;
+    }
+
+    var scopes = context.Request.Headers["X-Stella-Scopes"]
+        .SelectMany(v => v?.Split(new[] { ' ', ',', ';' }, StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty<string>())
+        .ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+    if (!scopes.Contains("graph:read") && !scopes.Contains("graph:query"))
+    {
+        await WriteError(context, StatusCodes.Status403Forbidden, "GRAPH_FORBIDDEN", "Missing graph:read or graph:query scope", ct);
+        return Results.Empty;
    }

    if (!Enum.TryParse<EdgeReason>(reason, ignoreCase: true, out var edgeReason))
@@ -439,7 +563,7 @@ app.MapGet("/graph/edges/by-reason/{reason}", async (string reason, int? limit,
        return Results.BadRequest(new ErrorResponse { Error = "INVALID_REASON", Message = $"Unknown edge reason: {reason}" });
    }

-    var response = await service.QueryByReasonAsync(tenant, edgeReason, limit ?? 100, cursor, ct);
+    var response = await service.QueryByReasonAsync(tenant!, edgeReason, limit ?? 100, cursor, ct);
    LogAudit(context, "/graph/edges/by-reason", StatusCodes.Status200OK, sw.ElapsedMilliseconds);
    return Results.Ok(response);
 });
@@ -447,15 +571,37 @@ app.MapGet("/graph/edges/by-reason/{reason}", async (string reason, int? limit,
 app.MapGet("/graph/edges/by-evidence", async (string evidenceType, string evidenceRef, HttpContext context, IEdgeMetadataService service, CancellationToken ct) =>
 {
    var sw = System.Diagnostics.Stopwatch.StartNew();
-    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault() ?? "default";
-    
-    if (!RateLimit(context, "/graph/edges/by-evidence"))
+    var tenant = context.Request.Headers["X-Stella-Tenant"].FirstOrDefault();
+    if (string.IsNullOrWhiteSpace(tenant))
    {
-        LogAudit(context, "/graph/edges/by-evidence", StatusCodes.Status429TooManyRequests, sw.ElapsedMilliseconds);
-        return Results.StatusCode(StatusCodes.Status429TooManyRequests);
+        await WriteError(context, StatusCodes.Status400BadRequest, "GRAPH_VALIDATION_FAILED", "Missing X-Stella-Tenant header", ct);
+        return Results.Empty;
    }

-    var edges = await service.QueryByEvidenceAsync(tenant, evidenceType, evidenceRef, ct);
+    if (!context.Request.Headers.ContainsKey("Authorization"))
+    {
+        await WriteError(context, StatusCodes.Status401Unauthorized, "GRAPH_UNAUTHORIZED", "Missing Authorization header", ct);
+        return Results.Empty;
+    }
+
+    if (!RateLimit(context, "/graph/edges/by-evidence"))
+    {
+        await WriteError(context, StatusCodes.Status429TooManyRequests, "GRAPH_RATE_LIMITED", "Too many requests", ct);
+        LogAudit(context, "/graph/edges/by-evidence", StatusCodes.Status429TooManyRequests, sw.ElapsedMilliseconds);
+        return Results.Empty;
+    }
+
+    var scopes = context.Request.Headers["X-Stella-Scopes"]
+        .SelectMany(v => v?.Split(new[] { ' ', ',', ';' }, StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty<string>())
+        .ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+    if (!scopes.Contains("graph:read") && !scopes.Contains("graph:query"))
+    {
+        await WriteError(context, StatusCodes.Status403Forbidden, "GRAPH_FORBIDDEN", "Missing graph:read or graph:query scope", ct);
+        return Results.Empty;
+    }
+
+    var edges = await service.QueryByEvidenceAsync(tenant!, evidenceType, evidenceRef, ct);
    LogAudit(context, "/graph/edges/by-evidence", StatusCodes.Status200OK, sw.ElapsedMilliseconds);
    return Results.Ok(edges);
 });
@@ -501,3 +647,5 @@ static void LogAudit(HttpContext ctx, string route, int statusCode, long duratio
        StatusCode: statusCode,
        DurationMs: durationMs));
 }
+
+public partial class Program { }