wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10

src/Unknowns/StellaOps.Unknowns.WebService/Endpoints/GreyQueueEndpoints.cs

@@ -8,6 +8,7 @@ using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 using StellaOps.Unknowns.Core.Models;
 using StellaOps.Unknowns.Core.Repositories;
+using StellaOps.Unknowns.WebService.Security;
 
 namespace StellaOps.Unknowns.WebService.Endpoints;
 
@@ -22,7 +23,8 @@ public static class GreyQueueEndpoints
     public static IEndpointRouteBuilder MapGreyQueueEndpoints(this IEndpointRouteBuilder routes)
     {
         var group = routes.MapGroup("/api/grey-queue")
-            .WithTags("GreyQueue");
+            .WithTags("GreyQueue")
+            .RequireAuthorization(UnknownsPolicies.Read);
 
         // List and query
         group.MapGet("/", ListEntries)
@@ -61,37 +63,43 @@ public static class GreyQueueEndpoints
             .WithSummary("Get entries triggered by CVE update")
             .WithDescription("Returns entries that should be reprocessed due to a CVE update.");
 
-        // Actions
+        // Actions (require write scope)
         group.MapPost("/", EnqueueEntry)
             .WithName("EnqueueGreyQueueEntry")
             .WithSummary("Enqueue a new grey queue entry")
-            .WithDescription("Creates a new grey queue entry with evidence bundle and trigger conditions.");
+            .WithDescription("Creates a new grey queue entry with evidence bundle and trigger conditions.")
+            .RequireAuthorization(UnknownsPolicies.Write);
 
         group.MapPost("/{id:guid}/process", StartProcessing)
             .WithName("StartGreyQueueProcessing")
             .WithSummary("Mark entry as processing")
-            .WithDescription("Marks an entry as currently being processed.");
+            .WithDescription("Marks an entry as currently being processed.")
+            .RequireAuthorization(UnknownsPolicies.Write);
 
         group.MapPost("/{id:guid}/result", RecordResult)
             .WithName("RecordGreyQueueResult")
             .WithSummary("Record processing result")
-            .WithDescription("Records the result of a processing attempt.");
+            .WithDescription("Records the result of a processing attempt.")
+            .RequireAuthorization(UnknownsPolicies.Write);
 
         group.MapPost("/{id:guid}/resolve", ResolveEntry)
             .WithName("ResolveGreyQueueEntry")
             .WithSummary("Resolve a grey queue entry")
-            .WithDescription("Marks an entry as resolved with resolution type and reference.");
+            .WithDescription("Marks an entry as resolved with resolution type and reference.")
+            .RequireAuthorization(UnknownsPolicies.Write);
 
         group.MapPost("/{id:guid}/dismiss", DismissEntry)
             .WithName("DismissGreyQueueEntry")
             .WithSummary("Dismiss a grey queue entry")
-            .WithDescription("Manually dismisses an entry from the queue.");
+            .WithDescription("Manually dismisses an entry from the queue.")
+            .RequireAuthorization(UnknownsPolicies.Write);
 
-        // Maintenance
+        // Maintenance (require write scope)
         group.MapPost("/expire", ExpireOldEntries)
             .WithName("ExpireGreyQueueEntries")
             .WithSummary("Expire old entries")
-            .WithDescription("Expires entries that have exceeded their TTL.");
+            .WithDescription("Expires entries that have exceeded their TTL.")
+            .RequireAuthorization(UnknownsPolicies.Write);
 
         // Statistics
         group.MapGet("/summary", GetSummary)
@@ -99,26 +107,30 @@ public static class GreyQueueEndpoints
             .WithSummary("Get grey queue summary statistics")
             .WithDescription("Returns summary counts by status, reason, and performance metrics.");
 
-        // Sprint: SPRINT_20260118_018 (UQ-005) - New state transitions
+        // Sprint: SPRINT_20260118_018 (UQ-005) - New state transitions (require write scope)
         group.MapPost("/{id:guid}/assign", AssignForReview)
             .WithName("AssignGreyQueueEntry")
             .WithSummary("Assign entry for review")
-            .WithDescription("Assigns an entry to a reviewer, transitioning to UnderReview state.");
+            .WithDescription("Assigns an entry to a reviewer, transitioning to UnderReview state.")
+            .RequireAuthorization(UnknownsPolicies.Write);
 
         group.MapPost("/{id:guid}/escalate", EscalateEntry)
             .WithName("EscalateGreyQueueEntry")
             .WithSummary("Escalate entry to security team")
-            .WithDescription("Escalates an entry to the security team, transitioning to Escalated state.");
+            .WithDescription("Escalates an entry to the security team, transitioning to Escalated state.")
+            .RequireAuthorization(UnknownsPolicies.Write);
 
         group.MapPost("/{id:guid}/reject", RejectEntry)
             .WithName("RejectGreyQueueEntry")
             .WithSummary("Reject a grey queue entry")
-            .WithDescription("Marks an entry as rejected (invalid or not actionable).");
+            .WithDescription("Marks an entry as rejected (invalid or not actionable).")
+            .RequireAuthorization(UnknownsPolicies.Write);
 
         group.MapPost("/{id:guid}/reopen", ReopenEntry)
             .WithName("ReopenGreyQueueEntry")
             .WithSummary("Reopen a closed entry")
-            .WithDescription("Reopens a rejected, failed, or dismissed entry back to pending.");
+            .WithDescription("Reopens a rejected, failed, or dismissed entry back to pending.")
+            .RequireAuthorization(UnknownsPolicies.Write);
 
         group.MapGet("/{id:guid}/transitions", GetValidTransitions)
             .WithName("GetValidTransitions")