wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10

2026-02-23 15:30:50 +02:00
parent bd8fee6ed8
commit e746577380
1424 changed files with 81225 additions and 25251 deletions
--- a/src/__Libraries/StellaOps.Verdict/Api/VerdictEndpoints.cs
+++ b/src/__Libraries/StellaOps.Verdict/Api/VerdictEndpoints.cs
@@ -42,68 +42,68 @@ public static class VerdictEndpoints
            .WithName("verdict.create")
            .Produces<VerdictResponse>(StatusCodes.Status201Created)
            .Produces<ErrorResponse>(StatusCodes.Status400BadRequest)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Create);

        // GET /v1/verdicts/{id} - Get verdict by ID
        group.MapGet("/{id}", HandleGet)
            .WithName("verdict.get")
            .Produces<StellaVerdict>(StatusCodes.Status200OK)
            .Produces(StatusCodes.Status404NotFound)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);

        // GET /v1/verdicts - Query verdicts
        group.MapGet("/", HandleQuery)
            .WithName("verdict.query")
            .Produces<VerdictQueryResponse>(StatusCodes.Status200OK)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);

        // POST /v1/verdicts/build - Build deterministic verdict with CGS (CGS-003)
        group.MapPost("/build", HandleBuild)
            .WithName("verdict.build")
            .Produces<CgsVerdictResult>(StatusCodes.Status200OK)
            .Produces<ErrorResponse>(StatusCodes.Status400BadRequest)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Create);

        // GET /v1/verdicts/cgs/{cgsHash} - Replay verdict by CGS hash (CGS-004)
        group.MapGet("/cgs/{cgsHash}", HandleReplay)
            .WithName("verdict.replay")
            .Produces<CgsVerdictResult>(StatusCodes.Status200OK)
            .Produces(StatusCodes.Status404NotFound)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);

        // POST /v1/verdicts/diff - Compute verdict delta (CGS-005)
        group.MapPost("/diff", HandleDiff)
            .WithName("verdict.diff")
            .Produces<VerdictDelta>(StatusCodes.Status200OK)
            .Produces<ErrorResponse>(StatusCodes.Status400BadRequest)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);

        // POST /v1/verdicts/{id}/verify - Verify verdict signature
        group.MapPost("/{id}/verify", HandleVerify)
            .WithName("verdict.verify")
            .Produces<VerdictVerifyResponse>(StatusCodes.Status200OK)
            .Produces(StatusCodes.Status404NotFound)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);

        // GET /v1/verdicts/{id}/download - Download signed JSON-LD
        group.MapGet("/{id}/download", HandleDownload)
            .WithName("verdict.download")
            .Produces<StellaVerdict>(StatusCodes.Status200OK, "application/ld+json")
            .Produces(StatusCodes.Status404NotFound)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);

        // GET /v1/verdicts/latest - Get latest verdict for PURL+CVE
        group.MapGet("/latest", HandleGetLatest)
            .WithName("verdict.latest")
            .Produces<StellaVerdict>(StatusCodes.Status200OK)
            .Produces(StatusCodes.Status404NotFound)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);

        // DELETE /v1/verdicts/expired - Clean up expired verdicts
        group.MapDelete("/expired", HandleDeleteExpired)
            .WithName("verdict.deleteExpired")
            .Produces<ExpiredDeleteResponse>(StatusCodes.Status200OK)
-            .RequireAuthorization("verdict:admin");
+            .RequireAuthorization(VerdictPolicies.Admin);
    }

    private static async Task<IResult> HandleCreate(
--- a/src/__Libraries/StellaOps.Verdict/Api/VerdictPolicies.cs
+++ b/src/__Libraries/StellaOps.Verdict/Api/VerdictPolicies.cs
@@ -0,0 +1,20 @@
+// Copyright (c) StellaOps. Licensed under the BUSL-1.1.
+
+namespace StellaOps.Verdict.Api;
+
+/// <summary>
+/// Named authorization policy constants for Verdict endpoints.
+/// Consuming services must register these policies (e.g., via AddStellaOpsScopePolicy)
+/// mapping them to the appropriate scopes (evidence:read, evidence:create).
+/// </summary>
+public static class VerdictPolicies
+{
+    /// <summary>Policy for reading verdicts, querying, replaying, verifying, and downloading. Maps to evidence:read scope.</summary>
+    public const string Read = "Verdict.Read";
+
+    /// <summary>Policy for creating verdicts and building deterministic verdicts via CGS. Maps to evidence:create scope.</summary>
+    public const string Create = "Verdict.Create";
+
+    /// <summary>Policy for administrative verdict operations such as deleting expired verdicts. Maps to verdict:admin scope.</summary>
+    public const string Admin = "Verdict.Admin";
+}