using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using StellaOps.Auth.ServerIntegration.Tenancy;
using StellaOps.Platform.WebService.Constants;
using StellaOps.Platform.WebService.Contracts;
using StellaOps.Platform.WebService.Services;
using System;
using System.Collections.Generic;
using System.Linq;
namespace StellaOps.Platform.WebService.Endpoints;
///
/// Pack-driven adapter endpoints for Dashboard, Platform Ops, and Administration views.
///
public static class PackAdapterEndpoints
{
private static readonly DateTimeOffset SnapshotAt = DateTimeOffset.Parse("2026-02-19T03:15:00Z");
public static IEndpointRouteBuilder MapPackAdapterEndpoints(this IEndpointRouteBuilder app)
{
app.MapGet("/api/v1/dashboard/summary", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
{
return failure!;
}
var payload = BuildDashboardSummary();
return Results.Ok(new PlatformItemResponse(
requestContext!.TenantId,
requestContext.ActorId,
SnapshotAt,
Cached: false,
CacheTtlSeconds: 0,
payload));
})
.WithTags("Dashboard")
.WithName("GetDashboardSummary")
.WithSummary("Pack v2 dashboard summary projection.")
.RequireAuthorization(PlatformPolicies.HealthRead);
var platform = app.MapGroup("/api/v1/platform")
.WithTags("Platform Ops")
.RequireAuthorization(PlatformPolicies.HealthRead)
.RequireTenant();
platform.MapGet("/data-integrity/summary", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
{
return failure!;
}
var payload = BuildDataIntegritySummary();
return Results.Ok(new PlatformItemResponse(
requestContext!.TenantId,
requestContext.ActorId,
SnapshotAt,
Cached: false,
CacheTtlSeconds: 0,
payload));
})
.WithName("GetDataIntegritySummary")
.WithSummary("Pack v2 data-integrity card summary.")
.RequireAuthorization(PlatformPolicies.HealthRead);
platform.MapGet("/data-integrity/report", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
{
return failure!;
}
var payload = BuildDataIntegrityReport();
return Results.Ok(new PlatformItemResponse(
requestContext!.TenantId,
requestContext.ActorId,
SnapshotAt,
Cached: false,
CacheTtlSeconds: 0,
payload));
})
.WithName("GetDataIntegrityReport")
.WithSummary("Pack v2 nightly data-integrity report projection.")
.RequireAuthorization(PlatformPolicies.HealthRead);
platform.MapGet("/feeds/freshness", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
{
return failure!;
}
var feeds = BuildFeedFreshness();
return Results.Ok(new PlatformListResponse(
requestContext!.TenantId,
requestContext.ActorId,
SnapshotAt,
Cached: false,
CacheTtlSeconds: 0,
feeds,
feeds.Count));
})
.WithName("GetFeedsFreshness")
.WithSummary("Pack v2 advisory/feed freshness projection.")
.RequireAuthorization(PlatformPolicies.HealthRead);
platform.MapGet("/scan-pipeline/health", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
{
return failure!;
}
var payload = BuildScanPipelineHealth();
return Results.Ok(new PlatformItemResponse(
requestContext!.TenantId,
requestContext.ActorId,
SnapshotAt,
Cached: false,
CacheTtlSeconds: 0,
payload));
})
.WithName("GetScanPipelineHealth")
.WithSummary("Pack v2 scan-pipeline health projection.")
.RequireAuthorization(PlatformPolicies.HealthRead);
platform.MapGet("/reachability/ingest-health", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
{
return failure!;
}
var payload = BuildReachabilityIngestHealth();
return Results.Ok(new PlatformItemResponse(
requestContext!.TenantId,
requestContext.ActorId,
SnapshotAt,
Cached: false,
CacheTtlSeconds: 0,
payload));
})
.WithName("GetReachabilityIngestHealth")
.WithSummary("Pack v2 reachability ingest health projection.")
.RequireAuthorization(PlatformPolicies.HealthRead);
var administration = app.MapGroup("/api/v1/administration")
.WithTags("Administration")
.RequireTenant();
administration.MapGet("/summary", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
return BuildAdministrationItem(context, resolver, BuildAdministrationSummary);
})
.WithName("GetAdministrationSummary")
.WithSummary("Pack v2 administration overview cards.")
.RequireAuthorization(PlatformPolicies.SetupRead);
administration.MapGet("/identity-access", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
return BuildAdministrationItem(context, resolver, BuildAdministrationIdentityAccess);
})
.WithName("GetAdministrationIdentityAccess")
.WithSummary("Pack v2 administration A1 identity and access projection.")
.RequireAuthorization(PlatformPolicies.SetupRead);
administration.MapGet("/tenant-branding", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
return BuildAdministrationItem(context, resolver, BuildAdministrationTenantBranding);
})
.WithName("GetAdministrationTenantBranding")
.WithSummary("Pack v2 administration A2 tenant and branding projection.")
.RequireAuthorization(PlatformPolicies.SetupRead);
administration.MapGet("/notifications", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
return BuildAdministrationItem(context, resolver, BuildAdministrationNotifications);
})
.WithName("GetAdministrationNotifications")
.WithSummary("Pack v2 administration A3 notifications projection.")
.RequireAuthorization(PlatformPolicies.SetupRead);
administration.MapGet("/usage-limits", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
return BuildAdministrationItem(context, resolver, BuildAdministrationUsageLimits);
})
.WithName("GetAdministrationUsageLimits")
.WithSummary("Pack v2 administration A4 usage and limits projection.")
.RequireAuthorization(PlatformPolicies.SetupRead);
administration.MapGet("/policy-governance", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
return BuildAdministrationItem(context, resolver, BuildAdministrationPolicyGovernance);
})
.WithName("GetAdministrationPolicyGovernance")
.WithSummary("Pack v2 administration A5 policy governance projection.")
.RequireAuthorization(PlatformPolicies.SetupRead);
administration.MapGet("/trust-signing", async (
HttpContext context,
PlatformRequestContextResolver resolver,
IAdministrationTrustSigningStore trustSigningStore,
CancellationToken cancellationToken) =>
{
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
{
return failure!;
}
var payload = await BuildAdministrationTrustSigningAsync(
requestContext!.TenantId,
trustSigningStore,
cancellationToken).ConfigureAwait(false);
return Results.Ok(new PlatformItemResponse(
requestContext.TenantId,
requestContext.ActorId,
SnapshotAt,
Cached: false,
CacheTtlSeconds: 0,
payload));
})
.WithName("GetAdministrationTrustSigning")
.WithSummary("Pack v2 administration A6 trust and signing projection.")
.RequireAuthorization(PlatformPolicies.TrustRead);
administration.MapGet("/system", (
HttpContext context,
PlatformRequestContextResolver resolver) =>
{
return BuildAdministrationItem(context, resolver, BuildAdministrationSystem);
})
.WithName("GetAdministrationSystem")
.WithSummary("Pack v2 administration A7 system projection.")
.RequireAuthorization(PlatformPolicies.SetupRead);
return app;
}
private static DashboardSummaryDto BuildDashboardSummary()
{
var confidence = BuildConfidenceBadge();
var environments = new[]
{
new EnvironmentRiskSnapshotDto("apac-prod", CriticalReachable: 0, HighReachable: 0, SbomState: "fresh"),
new EnvironmentRiskSnapshotDto("eu-prod", CriticalReachable: 0, HighReachable: 1, SbomState: "fresh"),
new EnvironmentRiskSnapshotDto("us-prod", CriticalReachable: 2, HighReachable: 1, SbomState: "stale"),
new EnvironmentRiskSnapshotDto("us-uat", CriticalReachable: 1, HighReachable: 2, SbomState: "stale"),
}.OrderBy(item => item.Environment, StringComparer.Ordinal).ToList();
var topDrivers = new[]
{
new DashboardDriverDto("CVE-2026-1234", "user-service", "critical", "reachable"),
new DashboardDriverDto("CVE-2026-2222", "billing-worker", "critical", "reachable"),
new DashboardDriverDto("CVE-2026-9001", "api-gateway", "high", "not_reachable"),
};
return new DashboardSummaryDto(
DataConfidence: confidence,
EnvironmentsWithCriticalReachable: 2,
TotalCriticalReachable: 3,
SbomCoveragePercent: 98.0m,
VexCoveragePercent: 62.0m,
BlockedApprovals: 2,
ExceptionsExpiringSoon: 4,
EnvironmentRisk: environments,
TopDrivers: topDrivers);
}
private static DataIntegritySummaryDto BuildDataIntegritySummary()
{
var cards = new[]
{
new DataIntegritySignalDto("feeds", "Advisory feeds", "warning", "NVD mirror stale by 3h.", "/api/v1/platform/feeds/freshness"),
new DataIntegritySignalDto("reachability", "Reachability ingest", "warning", "Runtime ingest lag exceeds policy threshold.", "/api/v1/platform/reachability/ingest-health"),
new DataIntegritySignalDto("scan-pipeline", "Scan pipeline", "warning", "Pending SBOM rescans create stale risk windows.", "/api/v1/platform/scan-pipeline/health"),
new DataIntegritySignalDto("sbom", "SBOM coverage", "warning", "12 digests missing a fresh scan snapshot.", "/api/v1/platform/data-integrity/report"),
}.OrderBy(card => card.Id, StringComparer.Ordinal).ToList();
return new DataIntegritySummaryDto(
Confidence: BuildConfidenceBadge(),
Signals: cards);
}
private static DataIntegrityReportDto BuildDataIntegrityReport()
{
var sections = new[]
{
new DataIntegrityReportSectionDto(
"advisory-feeds",
"warning",
"NVD and vendor feed freshness lag detected.",
["nvd stale by 3h", "vendor feed retry budget exceeded once"]),
new DataIntegrityReportSectionDto(
"scan-pipeline",
"warning",
"Scan backlog increased due to transient worker degradation.",
["pending sbom rescans: 12", "oldest pending digest age: 26h"]),
new DataIntegrityReportSectionDto(
"reachability",
"warning",
"Runtime attestations delayed in one region.",
["us-east runtime agents degraded", "eu-west ingest healthy"]),
}.OrderBy(section => section.SectionId, StringComparer.Ordinal).ToList();
return new DataIntegrityReportDto(
ReportId: "ops-nightly-2026-02-19",
GeneratedAt: SnapshotAt,
Window: "2026-02-18T03:15:00Z/2026-02-19T03:15:00Z",
Sections: sections,
RecommendedActions:
[
"Prioritize runtime ingest queue drain in us-east.",
"Force-feed refresh for NVD source before next approval window.",
"Trigger high-risk SBOM rescan profile for stale production digests.",
]);
}
private static IReadOnlyList BuildFeedFreshness()
{
return new[]
{
new FeedFreshnessDto("NVD", "warning", LastSyncedAt: "2026-02-19T00:12:00Z", FreshnessHours: 3, SlaHours: 1),
new FeedFreshnessDto("OSV", "healthy", LastSyncedAt: "2026-02-19T03:02:00Z", FreshnessHours: 0, SlaHours: 1),
new FeedFreshnessDto("Vendor advisories", "healthy", LastSyncedAt: "2026-02-19T02:48:00Z", FreshnessHours: 0, SlaHours: 2),
}.OrderBy(feed => feed.Source, StringComparer.Ordinal).ToList();
}
private static ScanPipelineHealthDto BuildScanPipelineHealth()
{
var stages = new[]
{
new PipelineStageHealthDto("ingest", "healthy", QueueDepth: 12, OldestAgeMinutes: 8),
new PipelineStageHealthDto("normalize", "healthy", QueueDepth: 3, OldestAgeMinutes: 4),
new PipelineStageHealthDto("rescan", "warning", QueueDepth: 12, OldestAgeMinutes: 1570),
}.OrderBy(stage => stage.Stage, StringComparer.Ordinal).ToList();
return new ScanPipelineHealthDto(
Status: "warning",
PendingDigests: 12,
FailedJobs24h: 3,
Stages: stages);
}
private static ReachabilityIngestHealthDto BuildReachabilityIngestHealth()
{
var regions = new[]
{
new RegionIngestHealthDto("apac", "healthy", Backlog: 7, FreshnessMinutes: 6),
new RegionIngestHealthDto("eu-west", "healthy", Backlog: 11, FreshnessMinutes: 7),
new RegionIngestHealthDto("us-east", "warning", Backlog: 1230, FreshnessMinutes: 42),
}.OrderBy(region => region.Region, StringComparer.Ordinal).ToList();
return new ReachabilityIngestHealthDto(
Status: "warning",
RuntimeCoveragePercent: 41,
Regions: regions);
}
private static AdministrationSummaryDto BuildAdministrationSummary()
{
var domains = new[]
{
new AdministrationDomainCardDto("identity", "Identity & Access", "healthy", "Role assignments and API tokens are within policy.", "/administration/identity-access"),
new AdministrationDomainCardDto("notifications", "Notifications", "healthy", "All configured notification providers are operational.", "/administration/notifications"),
new AdministrationDomainCardDto("policy", "Policy Governance", "warning", "One policy bundle update is pending review.", "/administration/policy-governance"),
new AdministrationDomainCardDto("system", "System", "healthy", "Control plane services report healthy heartbeat.", "/administration/system"),
new AdministrationDomainCardDto("tenant", "Tenant & Branding", "healthy", "Tenant branding and domain mappings are current.", "/administration/tenant-branding"),
new AdministrationDomainCardDto("trust", "Trust & Signing", "warning", "One certificate expires within 10 days.", "/administration/trust-signing"),
new AdministrationDomainCardDto("usage", "Usage & Limits", "warning", "Scanner quota at 65% with upward trend.", "/administration/usage"),
}.OrderBy(domain => domain.DomainId, StringComparer.Ordinal).ToList();
return new AdministrationSummaryDto(
Domains: domains,
ActiveIncidents:
[
"trust/certificate-expiry-warning",
"usage/scanner-quota-warning",
]);
}
private static AdministrationIdentityAccessDto BuildAdministrationIdentityAccess()
{
var tabs = new[]
{
new AdministrationFacetTabDto("api-tokens", "API Tokens", Count: 12, Status: "warning", ActionPath: "/administration/identity-access/tokens"),
new AdministrationFacetTabDto("oauth-clients", "OAuth/SSO Clients", Count: 6, Status: "healthy", ActionPath: "/administration/identity-access/clients"),
new AdministrationFacetTabDto("roles", "Roles", Count: 18, Status: "healthy", ActionPath: "/administration/identity-access/roles"),
new AdministrationFacetTabDto("tenants", "Tenants", Count: 4, Status: "healthy", ActionPath: "/administration/identity-access/tenants"),
new AdministrationFacetTabDto("users", "Users", Count: 146, Status: "healthy", ActionPath: "/administration/identity-access/users"),
}.OrderBy(tab => tab.TabId, StringComparer.Ordinal).ToList();
var actors = new[]
{
new IdentityAccessActorDto("alice@core.example", "release-approver", "active", "2026-02-19T01:22:00Z"),
new IdentityAccessActorDto("jenkins-bot", "ci-bot", "active", "2026-02-19T02:17:00Z"),
new IdentityAccessActorDto("security-admin@core.example", "security-admin", "active", "2026-02-19T02:59:00Z"),
}.OrderBy(actor => actor.Actor, StringComparer.Ordinal).ToList();
var aliases = BuildAdministrationAliases(
[
new AdministrationRouteAliasDto("/settings/admin/clients", "/administration/identity-access/clients", "redirect"),
new AdministrationRouteAliasDto("/settings/admin/roles", "/administration/identity-access/roles", "redirect"),
new AdministrationRouteAliasDto("/settings/admin/tenants", "/administration/identity-access/tenants", "redirect"),
new AdministrationRouteAliasDto("/settings/admin/tokens", "/administration/identity-access/tokens", "redirect"),
new AdministrationRouteAliasDto("/settings/admin/users", "/administration/identity-access/users", "redirect"),
]);
return new AdministrationIdentityAccessDto(
Tabs: tabs,
RecentActors: actors,
LegacyAliases: aliases,
AuditLogPath: "/evidence-audit/audit");
}
private static AdministrationTenantBrandingDto BuildAdministrationTenantBranding()
{
var tenants = new[]
{
new AdministrationTenantDto("apac-core", "Core APAC", "apac.core.example", "core-pack-v7", "active"),
new AdministrationTenantDto("eu-core", "Core EU", "eu.core.example", "core-pack-v7", "active"),
new AdministrationTenantDto("us-core", "Core US", "us.core.example", "core-pack-v7", "active"),
}.OrderBy(tenant => tenant.TenantId, StringComparer.Ordinal).ToList();
var aliases = BuildAdministrationAliases(
[
new AdministrationRouteAliasDto("/settings/admin/branding", "/administration/tenant-branding", "redirect"),
]);
return new AdministrationTenantBrandingDto(
Tenants: tenants,
BrandingDefaults: new TenantBrandingDefaultsDto(
Theme: "light",
SupportUrl: "https://support.core.example",
LegalFooterVersion: "2026.02"),
LegacyAliases: aliases);
}
private static AdministrationNotificationsDto BuildAdministrationNotifications()
{
var rules = new[]
{
new AdministrationNotificationRuleDto("critical-reachable", "Critical reachable finding", "high", "active"),
new AdministrationNotificationRuleDto("gate-blocked", "Gate blocked release", "high", "active"),
new AdministrationNotificationRuleDto("quota-warning", "Quota warning", "medium", "active"),
}.OrderBy(rule => rule.RuleId, StringComparer.Ordinal).ToList();
var channels = new[]
{
new AdministrationNotificationChannelDto("email", "healthy", "2026-02-19T02:40:00Z"),
new AdministrationNotificationChannelDto("slack", "healthy", "2026-02-19T02:41:00Z"),
new AdministrationNotificationChannelDto("webhook", "warning", "2026-02-19T01:58:00Z"),
}.OrderBy(channel => channel.ChannelId, StringComparer.Ordinal).ToList();
var aliases = BuildAdministrationAliases(
[
new AdministrationRouteAliasDto("/admin/notifications", "/administration/notifications", "redirect"),
new AdministrationRouteAliasDto("/operations/notifications", "/administration/notifications", "redirect"),
new AdministrationRouteAliasDto("/settings/notifications/*", "/administration/notifications/*", "redirect"),
]);
return new AdministrationNotificationsDto(
Rules: rules,
Channels: channels,
ChannelManagementPath: "/integrations/notifications",
LegacyAliases: aliases);
}
private static AdministrationUsageLimitsDto BuildAdministrationUsageLimits()
{
var meters = new[]
{
new AdministrationUsageMeterDto("api-calls", "API calls", Used: 15000, Limit: 100000, Unit: "calls"),
new AdministrationUsageMeterDto("evidence-packets", "Evidence packets", Used: 2800, Limit: 10000, Unit: "packets"),
new AdministrationUsageMeterDto("scanner-runs", "Scanner runs", Used: 6500, Limit: 10000, Unit: "runs"),
new AdministrationUsageMeterDto("storage", "Storage", Used: 42, Limit: 100, Unit: "GB"),
}.OrderBy(meter => meter.MeterId, StringComparer.Ordinal).ToList();
var policies = new[]
{
new AdministrationUsagePolicyDto("api-burst", "API burst throttle", "enabled"),
new AdministrationUsagePolicyDto("integration-cap", "Per-integration cap", "enabled"),
new AdministrationUsagePolicyDto("scanner-quota", "Scanner daily quota", "warning"),
}.OrderBy(policy => policy.PolicyId, StringComparer.Ordinal).ToList();
var aliases = BuildAdministrationAliases(
[
new AdministrationRouteAliasDto("/settings/admin/:page", "/administration/:page", "redirect"),
]);
return new AdministrationUsageLimitsDto(
Meters: meters,
Policies: policies,
OperationsDrilldownPath: "/platform-ops/quotas",
LegacyAliases: aliases);
}
private static AdministrationPolicyGovernanceDto BuildAdministrationPolicyGovernance()
{
var baselines = new[]
{
new AdministrationPolicyBaselineDto("dev", "core-pack-v7", "active"),
new AdministrationPolicyBaselineDto("prod", "core-pack-v7", "active"),
new AdministrationPolicyBaselineDto("stage", "core-pack-v7", "active"),
}.OrderBy(baseline => baseline.Environment, StringComparer.Ordinal).ToList();
var signals = new[]
{
new AdministrationPolicySignalDto("exception-workflow", "warning", "2 pending exception approvals"),
new AdministrationPolicySignalDto("governance-rules", "healthy", "Reachable-critical gate enforced"),
new AdministrationPolicySignalDto("simulation", "healthy", "Last what-if simulation completed successfully"),
}.OrderBy(signal => signal.SignalId, StringComparer.Ordinal).ToList();
var aliases = BuildAdministrationAliases(
[
new AdministrationRouteAliasDto("/admin/policy/governance", "/administration/policy-governance", "redirect"),
new AdministrationRouteAliasDto("/admin/policy/simulation", "/administration/policy-governance/simulation", "redirect"),
new AdministrationRouteAliasDto("/policy/exceptions/*", "/administration/policy-governance/exceptions/*", "redirect"),
new AdministrationRouteAliasDto("/policy/governance", "/administration/policy-governance", "redirect"),
new AdministrationRouteAliasDto("/policy/packs/*", "/administration/policy-governance/packs/*", "redirect"),
]);
return new AdministrationPolicyGovernanceDto(
Baselines: baselines,
Signals: signals,
LegacyAliases: aliases,
CrossLinks:
[
"/release-control/approvals",
"/administration/policy/exceptions",
]);
}
private static async Task BuildAdministrationTrustSigningAsync(
string tenantId,
IAdministrationTrustSigningStore trustSigningStore,
CancellationToken cancellationToken)
{
var keys = await trustSigningStore.ListKeysAsync(tenantId, 500, 0, cancellationToken).ConfigureAwait(false);
var issuers = await trustSigningStore.ListIssuersAsync(tenantId, 500, 0, cancellationToken).ConfigureAwait(false);
var certificates = await trustSigningStore.ListCertificatesAsync(tenantId, 500, 0, cancellationToken).ConfigureAwait(false);
var transparencyConfig = await trustSigningStore.GetTransparencyLogConfigAsync(tenantId, cancellationToken).ConfigureAwait(false);
var expiringCertificateCount = certificates.Count(certificate =>
!string.Equals(certificate.Status, "revoked", StringComparison.OrdinalIgnoreCase)
&& certificate.NotAfter <= SnapshotAt.AddDays(10));
var signals = new[]
{
new AdministrationTrustSignalDto("audit-log", "healthy", "Trust-signing configuration changes are being recorded."),
new AdministrationTrustSignalDto(
"certificate-expiry",
expiringCertificateCount > 0 ? "warning" : "healthy",
expiringCertificateCount > 0
? $"{expiringCertificateCount} certificate{(expiringCertificateCount == 1 ? string.Empty : "s")} expire within 10 days."
: "No certificate expirations are due in the next 10 days."),
new AdministrationTrustSignalDto(
"transparency-log",
transparencyConfig is null ? "warning" : "healthy",
transparencyConfig is null
? "Transparency log is not configured for this tenant."
: $"Transparency log witness points to {transparencyConfig.LogUrl}."),
new AdministrationTrustSignalDto(
"trust-scoring",
issuers.Count == 0 ? "warning" : "healthy",
issuers.Count == 0
? "No trusted issuers are registered yet."
: "Issuer trust inventory is available for scoring and review."),
}.OrderBy(signal => signal.SignalId, StringComparer.Ordinal).ToList();
var aliases = BuildAdministrationAliases(
[
new AdministrationRouteAliasDto("/admin/issuers", "/administration/trust-signing/issuers", "redirect"),
new AdministrationRouteAliasDto("/admin/trust/*", "/administration/trust-signing/*", "redirect"),
new AdministrationRouteAliasDto("/settings/trust/*", "/administration/trust-signing/*", "redirect"),
]);
return new AdministrationTrustSigningDto(
Inventory: new AdministrationTrustInventoryDto(Keys: keys.Count, Issuers: issuers.Count, Certificates: certificates.Count),
Signals: signals,
LegacyAliases: aliases,
EvidenceConsumerPath: "/evidence-audit/proofs");
}
private static AdministrationSystemDto BuildAdministrationSystem()
{
var controls = new[]
{
new AdministrationSystemControlDto("background-jobs", "warning", "1 paused job family awaiting manual resume."),
new AdministrationSystemControlDto("doctor", "healthy", "Last diagnostics run passed."),
new AdministrationSystemControlDto("health-check", "healthy", "All core control-plane services are healthy."),
new AdministrationSystemControlDto("slo-config", "healthy", "SLO thresholds are synchronized."),
}.OrderBy(control => control.ControlId, StringComparer.Ordinal).ToList();
var aliases = BuildAdministrationAliases(
[
new AdministrationRouteAliasDto("/operations/status", "/administration/system/status", "redirect"),
new AdministrationRouteAliasDto("/settings/configuration-pane", "/administration/system/configuration", "redirect"),
new AdministrationRouteAliasDto("/settings/workflows/*", "/administration/system/workflows", "redirect"),
]);
return new AdministrationSystemDto(
OverallStatus: "healthy",
Controls: controls,
LegacyAliases: aliases,
Drilldowns:
[
"/platform-ops/health",
"/platform-ops/orchestrator/jobs",
"/platform-ops/data-integrity",
]);
}
private static IReadOnlyList BuildAdministrationAliases(
AdministrationRouteAliasDto[] aliases)
{
return aliases
.OrderBy(alias => alias.LegacyPath, StringComparer.Ordinal)
.ToList();
}
private static DataConfidenceBadgeDto BuildConfidenceBadge()
{
return new DataConfidenceBadgeDto(
Status: "warning",
Summary: "NVD freshness and runtime ingest lag reduce confidence.",
NvdStalenessHours: 3,
StaleSbomDigests: 12,
RuntimeDlqDepth: 1230);
}
private static IResult BuildAdministrationItem(
HttpContext context,
PlatformRequestContextResolver resolver,
Func payloadFactory)
{
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
{
return failure!;
}
var payload = payloadFactory();
return Results.Ok(new PlatformItemResponse(
requestContext!.TenantId,
requestContext.ActorId,
SnapshotAt,
Cached: false,
CacheTtlSeconds: 0,
payload));
}
private static bool TryResolveContext(
HttpContext context,
PlatformRequestContextResolver resolver,
out PlatformRequestContext? requestContext,
out IResult? failure)
{
if (resolver.TryResolve(context, out requestContext, out var error))
{
failure = null;
return true;
}
failure = Results.BadRequest(new { error = error ?? "tenant_missing" });
return false;
}
}
public sealed record DashboardSummaryDto(
DataConfidenceBadgeDto DataConfidence,
int EnvironmentsWithCriticalReachable,
int TotalCriticalReachable,
decimal SbomCoveragePercent,
decimal VexCoveragePercent,
int BlockedApprovals,
int ExceptionsExpiringSoon,
IReadOnlyList EnvironmentRisk,
IReadOnlyList TopDrivers);
public sealed record EnvironmentRiskSnapshotDto(
string Environment,
int CriticalReachable,
int HighReachable,
string SbomState);
public sealed record DashboardDriverDto(
string Cve,
string Component,
string Severity,
string Reachability);
public sealed record DataIntegritySummaryDto(
DataConfidenceBadgeDto Confidence,
IReadOnlyList Signals);
public sealed record DataIntegritySignalDto(
string Id,
string Label,
string Status,
string Summary,
string ActionPath);
public sealed record DataIntegrityReportDto(
string ReportId,
DateTimeOffset GeneratedAt,
string Window,
IReadOnlyList Sections,
IReadOnlyList RecommendedActions);
public sealed record DataIntegrityReportSectionDto(
string SectionId,
string Status,
string Summary,
IReadOnlyList Highlights);
public sealed record FeedFreshnessDto(
string Source,
string Status,
string LastSyncedAt,
int FreshnessHours,
int SlaHours);
public sealed record ScanPipelineHealthDto(
string Status,
int PendingDigests,
int FailedJobs24h,
IReadOnlyList Stages);
public sealed record PipelineStageHealthDto(
string Stage,
string Status,
int QueueDepth,
int OldestAgeMinutes);
public sealed record ReachabilityIngestHealthDto(
string Status,
int RuntimeCoveragePercent,
IReadOnlyList Regions);
public sealed record RegionIngestHealthDto(
string Region,
string Status,
int Backlog,
int FreshnessMinutes);
public sealed record AdministrationSummaryDto(
IReadOnlyList Domains,
IReadOnlyList ActiveIncidents);
public sealed record AdministrationDomainCardDto(
string DomainId,
string Label,
string Status,
string Summary,
string ActionPath);
public sealed record AdministrationIdentityAccessDto(
IReadOnlyList Tabs,
IReadOnlyList RecentActors,
IReadOnlyList LegacyAliases,
string AuditLogPath);
public sealed record AdministrationFacetTabDto(
string TabId,
string Label,
int Count,
string Status,
string ActionPath);
public sealed record IdentityAccessActorDto(
string Actor,
string Role,
string Status,
string LastSeenAt);
public sealed record AdministrationTenantBrandingDto(
IReadOnlyList Tenants,
TenantBrandingDefaultsDto BrandingDefaults,
IReadOnlyList LegacyAliases);
public sealed record AdministrationTenantDto(
string TenantId,
string DisplayName,
string PrimaryDomain,
string DefaultPolicyPack,
string Status);
public sealed record TenantBrandingDefaultsDto(
string Theme,
string SupportUrl,
string LegalFooterVersion);
public sealed record AdministrationNotificationsDto(
IReadOnlyList Rules,
IReadOnlyList Channels,
string ChannelManagementPath,
IReadOnlyList LegacyAliases);
public sealed record AdministrationNotificationRuleDto(
string RuleId,
string Label,
string Severity,
string Status);
public sealed record AdministrationNotificationChannelDto(
string ChannelId,
string Status,
string LastDeliveredAt);
public sealed record AdministrationUsageLimitsDto(
IReadOnlyList Meters,
IReadOnlyList Policies,
string OperationsDrilldownPath,
IReadOnlyList LegacyAliases);
public sealed record AdministrationUsageMeterDto(
string MeterId,
string Label,
int Used,
int Limit,
string Unit);
public sealed record AdministrationUsagePolicyDto(
string PolicyId,
string Label,
string Status);
public sealed record AdministrationPolicyGovernanceDto(
IReadOnlyList Baselines,
IReadOnlyList Signals,
IReadOnlyList LegacyAliases,
IReadOnlyList CrossLinks);
public sealed record AdministrationPolicyBaselineDto(
string Environment,
string PolicyPack,
string Status);
public sealed record AdministrationPolicySignalDto(
string SignalId,
string Status,
string Summary);
public sealed record AdministrationTrustSigningDto(
AdministrationTrustInventoryDto Inventory,
IReadOnlyList Signals,
IReadOnlyList LegacyAliases,
string EvidenceConsumerPath);
public sealed record AdministrationTrustInventoryDto(
int Keys,
int Issuers,
int Certificates);
public sealed record AdministrationTrustSignalDto(
string SignalId,
string Status,
string Summary);
public sealed record AdministrationSystemDto(
string OverallStatus,
IReadOnlyList Controls,
IReadOnlyList LegacyAliases,
IReadOnlyList Drilldowns);
public sealed record AdministrationSystemControlDto(
string ControlId,
string Status,
string Summary);
public sealed record AdministrationRouteAliasDto(
string LegacyPath,
string CanonicalPath,
string Action);
public sealed record DataConfidenceBadgeDto(
string Status,
string Summary,
int NvdStalenessHours,
int StaleSbomDigests,
int RuntimeDlqDepth);