wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10

src/Timeline/StellaOps.Timeline.WebService/Endpoints/ExportEndpoints.cs

@@ -4,6 +4,7 @@ using Microsoft.AspNetCore.Http.HttpResults;
 using StellaOps.Timeline.Core;
 using StellaOps.Timeline.Core.Export;
 using StellaOps.HybridLogicalClock;
+using StellaOps.Timeline.WebService.Security;
 
 namespace StellaOps.Timeline.WebService.Endpoints;
 
@@ -18,7 +19,8 @@ public static class ExportEndpoints
     public static void MapExportEndpoints(this IEndpointRouteBuilder app)
     {
         var group = app.MapGroup("/api/v1/timeline")
-            .WithTags("Export");
+            .WithTags("Export")
+            .RequireAuthorization(TimelinePolicies.Write);
 
         group.MapPost("/{correlationId}/export", ExportTimelineAsync)
             .WithName("ExportTimeline")

src/Timeline/StellaOps.Timeline.WebService/Endpoints/ReplayEndpoints.cs

@@ -3,6 +3,7 @@
 using Microsoft.AspNetCore.Http.HttpResults;
 using StellaOps.HybridLogicalClock;
 using StellaOps.Timeline.Core.Replay;
+using StellaOps.Timeline.WebService.Security;
 
 namespace StellaOps.Timeline.WebService.Endpoints;
 
@@ -18,7 +19,8 @@ public static class ReplayEndpoints
     public static void MapReplayEndpoints(this IEndpointRouteBuilder app)
     {
         var group = app.MapGroup("/api/v1/timeline")
-            .WithTags("Replay");
+            .WithTags("Replay")
+            .RequireAuthorization(TimelinePolicies.Write);
 
         group.MapPost("/{correlationId}/replay", InitiateReplayAsync)
             .WithName("InitiateReplay")

src/Timeline/StellaOps.Timeline.WebService/Endpoints/TimelineEndpoints.cs

@@ -3,6 +3,7 @@
 using Microsoft.AspNetCore.Http.HttpResults;
 using StellaOps.HybridLogicalClock;
 using StellaOps.Timeline.Core;
+using StellaOps.Timeline.WebService.Security;
 
 namespace StellaOps.Timeline.WebService.Endpoints;
 
@@ -17,7 +18,8 @@ public static class TimelineEndpoints
     public static void MapTimelineEndpoints(this IEndpointRouteBuilder app)
     {
         var group = app.MapGroup("/api/v1/timeline")
-            .WithTags("Timeline");
+            .WithTags("Timeline")
+            .RequireAuthorization(TimelinePolicies.Read);
 
         group.MapGet("/{correlationId}", GetTimelineAsync)
             .WithName("GetTimeline")

src/Timeline/StellaOps.Timeline.WebService/Program.cs

@@ -1,8 +1,10 @@
+using StellaOps.Auth.Abstractions;
 using StellaOps.Auth.ServerIntegration;
 using StellaOps.Eventing;
 using StellaOps.Router.AspNet;
 using StellaOps.Timeline.Core;
 using StellaOps.Timeline.WebService.Endpoints;
+using StellaOps.Timeline.WebService.Security;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -24,6 +26,14 @@ builder.Services.AddSwaggerGen(options =>
 builder.Services.AddHealthChecks()
     .AddCheck<TimelineHealthCheck>("timeline");
 
+// Authentication and authorization
+builder.Services.AddStellaOpsResourceServerAuthentication(builder.Configuration);
+builder.Services.AddAuthorization(options =>
+{
+    options.AddStellaOpsScopePolicy(TimelinePolicies.Read, StellaOpsScopes.TimelineRead);
+    options.AddStellaOpsScopePolicy(TimelinePolicies.Write, StellaOpsScopes.TimelineWrite);
+});
+
 builder.Services.AddStellaOpsCors(builder.Environment, builder.Configuration);
 
 // Stella Router integration
@@ -45,6 +55,8 @@ if (app.Environment.IsDevelopment())
 }
 
 app.UseStellaOpsCors();
+app.UseAuthentication();
+app.UseAuthorization();
 app.TryUseStellaRouter(routerEnabled);
 
 // Map endpoints

src/Timeline/StellaOps.Timeline.WebService/Security/TimelinePolicies.cs

@@ -0,0 +1,16 @@
+// Copyright (c) StellaOps. Licensed under the BUSL-1.1.
+
+namespace StellaOps.Timeline.WebService.Security;
+
+/// <summary>
+/// Named authorization policy constants for the Timeline service.
+/// Policies are registered via AddStellaOpsScopePolicy in Program.cs.
+/// </summary>
+internal static class TimelinePolicies
+{
+    /// <summary>Policy for reading timeline events and replay status. Requires timeline:read scope.</summary>
+    public const string Read = "Timeline.Read";
+
+    /// <summary>Policy for exporting and triggering replay operations. Requires timeline:write scope.</summary>
+    public const string Write = "Timeline.Write";
+}