# Audit - StellaOps.ReachGraph.WebService

## Project
- Path: `src/ReachGraph/StellaOps.ReachGraph.WebService/StellaOps.ReachGraph.WebService.csproj`
- Module: `ReachGraph`
- Kind: `WebService`
- SDK: `Microsoft.NET.Sdk.Web`
- TargetFramework: `net10.0`
- Audit date (UTC): 2026-01-30

## Coding Standards Findings
- Status: FAIL
- Nullable: enable
- TreatWarningsAsErrors: explicit true
- Deterministic: inherited true
- 100-line rule violations: 9
- Service locator usage (BuildServiceProvider/GetService): 0
- Analyzer enforcement: missing repo-wide (see summary).

### Details
- 100-line files:
  - `src/ReachGraph/StellaOps.ReachGraph.WebService/Controllers/CveMappingController.cs` (548 lines)
  - `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs` (521 lines)
  - `src/ReachGraph/StellaOps.ReachGraph.WebService/Controllers/ReachGraphController.cs` (251 lines)
  - `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/PaginationService.cs` (194 lines)
  - `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphStoreService.cs` (175 lines)
  - `src/ReachGraph/StellaOps.ReachGraph.WebService/CveMapping/ICveSymbolMappingService.cs` (151 lines)
  - `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` (146 lines)
  - `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphReplayService.cs` (138 lines)
  - `src/ReachGraph/StellaOps.ReachGraph.WebService/Program.cs` (120 lines)
- Service locator matches:
  - none

### Fix Guidance
- Split files over 100 lines into smaller types or partials.

## Testing Fullness Findings
- Status: FAIL
- Expected layers: Unit, Integration, Security, Offline
- Detected test projects: src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/StellaOps.ReachGraph.WebService.Tests.csproj [Unit]
- Missing layers: Integration, Security, Offline

### Manual checks required
- Observability contract tests for WebService/Worker.
- Offline execution (tests must run without network access).

### Fix Guidance
- Add integration tests for cross-component flows.
- Add security tests for authn/authz or input validation.
- Add offline/airgap coverage with fixtures only.