909 lines
38 KiB
C#
909 lines
38 KiB
C#
using Microsoft.AspNetCore.Builder;
|
|
using Microsoft.AspNetCore.Http;
|
|
using Microsoft.AspNetCore.Routing;
|
|
using StellaOps.Auth.ServerIntegration.Tenancy;
|
|
using StellaOps.Platform.WebService.Constants;
|
|
using StellaOps.Platform.WebService.Contracts;
|
|
using StellaOps.Platform.WebService.Services;
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.Linq;
|
|
|
|
namespace StellaOps.Platform.WebService.Endpoints;
|
|
|
|
/// <summary>
|
|
/// Pack-driven adapter endpoints for Dashboard, Platform Ops, and Administration views.
|
|
/// </summary>
|
|
public static class PackAdapterEndpoints
|
|
{
|
|
private static readonly DateTimeOffset SnapshotAt = DateTimeOffset.Parse("2026-02-19T03:15:00Z");
|
|
|
|
public static IEndpointRouteBuilder MapPackAdapterEndpoints(this IEndpointRouteBuilder app)
|
|
{
|
|
app.MapGet("/api/v1/dashboard/summary", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
|
|
{
|
|
return failure!;
|
|
}
|
|
|
|
var payload = BuildDashboardSummary();
|
|
return Results.Ok(new PlatformItemResponse<DashboardSummaryDto>(
|
|
requestContext!.TenantId,
|
|
requestContext.ActorId,
|
|
SnapshotAt,
|
|
Cached: false,
|
|
CacheTtlSeconds: 0,
|
|
payload));
|
|
})
|
|
.WithTags("Dashboard")
|
|
.WithName("GetDashboardSummary")
|
|
.WithSummary("Pack v2 dashboard summary projection.")
|
|
.RequireAuthorization(PlatformPolicies.HealthRead);
|
|
|
|
var platform = app.MapGroup("/api/v1/platform")
|
|
.WithTags("Platform Ops")
|
|
.RequireAuthorization(PlatformPolicies.HealthRead)
|
|
.RequireTenant();
|
|
|
|
platform.MapGet("/data-integrity/summary", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
|
|
{
|
|
return failure!;
|
|
}
|
|
|
|
var payload = BuildDataIntegritySummary();
|
|
return Results.Ok(new PlatformItemResponse<DataIntegritySummaryDto>(
|
|
requestContext!.TenantId,
|
|
requestContext.ActorId,
|
|
SnapshotAt,
|
|
Cached: false,
|
|
CacheTtlSeconds: 0,
|
|
payload));
|
|
})
|
|
.WithName("GetDataIntegritySummary")
|
|
.WithSummary("Pack v2 data-integrity card summary.")
|
|
.RequireAuthorization(PlatformPolicies.HealthRead);
|
|
|
|
platform.MapGet("/data-integrity/report", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
|
|
{
|
|
return failure!;
|
|
}
|
|
|
|
var payload = BuildDataIntegrityReport();
|
|
return Results.Ok(new PlatformItemResponse<DataIntegrityReportDto>(
|
|
requestContext!.TenantId,
|
|
requestContext.ActorId,
|
|
SnapshotAt,
|
|
Cached: false,
|
|
CacheTtlSeconds: 0,
|
|
payload));
|
|
})
|
|
.WithName("GetDataIntegrityReport")
|
|
.WithSummary("Pack v2 nightly data-integrity report projection.")
|
|
.RequireAuthorization(PlatformPolicies.HealthRead);
|
|
|
|
platform.MapGet("/feeds/freshness", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
|
|
{
|
|
return failure!;
|
|
}
|
|
|
|
var feeds = BuildFeedFreshness();
|
|
return Results.Ok(new PlatformListResponse<FeedFreshnessDto>(
|
|
requestContext!.TenantId,
|
|
requestContext.ActorId,
|
|
SnapshotAt,
|
|
Cached: false,
|
|
CacheTtlSeconds: 0,
|
|
feeds,
|
|
feeds.Count));
|
|
})
|
|
.WithName("GetFeedsFreshness")
|
|
.WithSummary("Pack v2 advisory/feed freshness projection.")
|
|
.RequireAuthorization(PlatformPolicies.HealthRead);
|
|
|
|
platform.MapGet("/scan-pipeline/health", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
|
|
{
|
|
return failure!;
|
|
}
|
|
|
|
var payload = BuildScanPipelineHealth();
|
|
return Results.Ok(new PlatformItemResponse<ScanPipelineHealthDto>(
|
|
requestContext!.TenantId,
|
|
requestContext.ActorId,
|
|
SnapshotAt,
|
|
Cached: false,
|
|
CacheTtlSeconds: 0,
|
|
payload));
|
|
})
|
|
.WithName("GetScanPipelineHealth")
|
|
.WithSummary("Pack v2 scan-pipeline health projection.")
|
|
.RequireAuthorization(PlatformPolicies.HealthRead);
|
|
|
|
platform.MapGet("/reachability/ingest-health", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
|
|
{
|
|
return failure!;
|
|
}
|
|
|
|
var payload = BuildReachabilityIngestHealth();
|
|
return Results.Ok(new PlatformItemResponse<ReachabilityIngestHealthDto>(
|
|
requestContext!.TenantId,
|
|
requestContext.ActorId,
|
|
SnapshotAt,
|
|
Cached: false,
|
|
CacheTtlSeconds: 0,
|
|
payload));
|
|
})
|
|
.WithName("GetReachabilityIngestHealth")
|
|
.WithSummary("Pack v2 reachability ingest health projection.")
|
|
.RequireAuthorization(PlatformPolicies.HealthRead);
|
|
|
|
var administration = app.MapGroup("/api/v1/administration")
|
|
.WithTags("Administration")
|
|
.RequireTenant();
|
|
|
|
administration.MapGet("/summary", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
return BuildAdministrationItem(context, resolver, BuildAdministrationSummary);
|
|
})
|
|
.WithName("GetAdministrationSummary")
|
|
.WithSummary("Pack v2 administration overview cards.")
|
|
.RequireAuthorization(PlatformPolicies.SetupRead);
|
|
|
|
administration.MapGet("/identity-access", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
return BuildAdministrationItem(context, resolver, BuildAdministrationIdentityAccess);
|
|
})
|
|
.WithName("GetAdministrationIdentityAccess")
|
|
.WithSummary("Pack v2 administration A1 identity and access projection.")
|
|
.RequireAuthorization(PlatformPolicies.SetupRead);
|
|
|
|
administration.MapGet("/tenant-branding", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
return BuildAdministrationItem(context, resolver, BuildAdministrationTenantBranding);
|
|
})
|
|
.WithName("GetAdministrationTenantBranding")
|
|
.WithSummary("Pack v2 administration A2 tenant and branding projection.")
|
|
.RequireAuthorization(PlatformPolicies.SetupRead);
|
|
|
|
administration.MapGet("/notifications", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
return BuildAdministrationItem(context, resolver, BuildAdministrationNotifications);
|
|
})
|
|
.WithName("GetAdministrationNotifications")
|
|
.WithSummary("Pack v2 administration A3 notifications projection.")
|
|
.RequireAuthorization(PlatformPolicies.SetupRead);
|
|
|
|
administration.MapGet("/usage-limits", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
return BuildAdministrationItem(context, resolver, BuildAdministrationUsageLimits);
|
|
})
|
|
.WithName("GetAdministrationUsageLimits")
|
|
.WithSummary("Pack v2 administration A4 usage and limits projection.")
|
|
.RequireAuthorization(PlatformPolicies.SetupRead);
|
|
|
|
administration.MapGet("/policy-governance", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
return BuildAdministrationItem(context, resolver, BuildAdministrationPolicyGovernance);
|
|
})
|
|
.WithName("GetAdministrationPolicyGovernance")
|
|
.WithSummary("Pack v2 administration A5 policy governance projection.")
|
|
.RequireAuthorization(PlatformPolicies.SetupRead);
|
|
|
|
administration.MapGet("/trust-signing", async (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver,
|
|
IAdministrationTrustSigningStore trustSigningStore,
|
|
CancellationToken cancellationToken) =>
|
|
{
|
|
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
|
|
{
|
|
return failure!;
|
|
}
|
|
|
|
var payload = await BuildAdministrationTrustSigningAsync(
|
|
requestContext!.TenantId,
|
|
trustSigningStore,
|
|
cancellationToken).ConfigureAwait(false);
|
|
|
|
return Results.Ok(new PlatformItemResponse<AdministrationTrustSigningDto>(
|
|
requestContext.TenantId,
|
|
requestContext.ActorId,
|
|
SnapshotAt,
|
|
Cached: false,
|
|
CacheTtlSeconds: 0,
|
|
payload));
|
|
})
|
|
.WithName("GetAdministrationTrustSigning")
|
|
.WithSummary("Pack v2 administration A6 trust and signing projection.")
|
|
.RequireAuthorization(PlatformPolicies.TrustRead);
|
|
|
|
administration.MapGet("/system", (
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver) =>
|
|
{
|
|
return BuildAdministrationItem(context, resolver, BuildAdministrationSystem);
|
|
})
|
|
.WithName("GetAdministrationSystem")
|
|
.WithSummary("Pack v2 administration A7 system projection.")
|
|
.RequireAuthorization(PlatformPolicies.SetupRead);
|
|
|
|
return app;
|
|
}
|
|
|
|
private static DashboardSummaryDto BuildDashboardSummary()
|
|
{
|
|
var confidence = BuildConfidenceBadge();
|
|
var environments = new[]
|
|
{
|
|
new EnvironmentRiskSnapshotDto("apac-prod", CriticalReachable: 0, HighReachable: 0, SbomState: "fresh"),
|
|
new EnvironmentRiskSnapshotDto("eu-prod", CriticalReachable: 0, HighReachable: 1, SbomState: "fresh"),
|
|
new EnvironmentRiskSnapshotDto("us-prod", CriticalReachable: 2, HighReachable: 1, SbomState: "stale"),
|
|
new EnvironmentRiskSnapshotDto("us-uat", CriticalReachable: 1, HighReachable: 2, SbomState: "stale"),
|
|
}.OrderBy(item => item.Environment, StringComparer.Ordinal).ToList();
|
|
|
|
var topDrivers = new[]
|
|
{
|
|
new DashboardDriverDto("CVE-2026-1234", "user-service", "critical", "reachable"),
|
|
new DashboardDriverDto("CVE-2026-2222", "billing-worker", "critical", "reachable"),
|
|
new DashboardDriverDto("CVE-2026-9001", "api-gateway", "high", "not_reachable"),
|
|
};
|
|
|
|
return new DashboardSummaryDto(
|
|
DataConfidence: confidence,
|
|
EnvironmentsWithCriticalReachable: 2,
|
|
TotalCriticalReachable: 3,
|
|
SbomCoveragePercent: 98.0m,
|
|
VexCoveragePercent: 62.0m,
|
|
BlockedApprovals: 2,
|
|
ExceptionsExpiringSoon: 4,
|
|
EnvironmentRisk: environments,
|
|
TopDrivers: topDrivers);
|
|
}
|
|
|
|
private static DataIntegritySummaryDto BuildDataIntegritySummary()
|
|
{
|
|
var cards = new[]
|
|
{
|
|
new DataIntegritySignalDto("feeds", "Advisory feeds", "warning", "NVD mirror stale by 3h.", "/api/v1/platform/feeds/freshness"),
|
|
new DataIntegritySignalDto("reachability", "Reachability ingest", "warning", "Runtime ingest lag exceeds policy threshold.", "/api/v1/platform/reachability/ingest-health"),
|
|
new DataIntegritySignalDto("scan-pipeline", "Scan pipeline", "warning", "Pending SBOM rescans create stale risk windows.", "/api/v1/platform/scan-pipeline/health"),
|
|
new DataIntegritySignalDto("sbom", "SBOM coverage", "warning", "12 digests missing a fresh scan snapshot.", "/api/v1/platform/data-integrity/report"),
|
|
}.OrderBy(card => card.Id, StringComparer.Ordinal).ToList();
|
|
|
|
return new DataIntegritySummaryDto(
|
|
Confidence: BuildConfidenceBadge(),
|
|
Signals: cards);
|
|
}
|
|
|
|
private static DataIntegrityReportDto BuildDataIntegrityReport()
|
|
{
|
|
var sections = new[]
|
|
{
|
|
new DataIntegrityReportSectionDto(
|
|
"advisory-feeds",
|
|
"warning",
|
|
"NVD and vendor feed freshness lag detected.",
|
|
["nvd stale by 3h", "vendor feed retry budget exceeded once"]),
|
|
new DataIntegrityReportSectionDto(
|
|
"scan-pipeline",
|
|
"warning",
|
|
"Scan backlog increased due to transient worker degradation.",
|
|
["pending sbom rescans: 12", "oldest pending digest age: 26h"]),
|
|
new DataIntegrityReportSectionDto(
|
|
"reachability",
|
|
"warning",
|
|
"Runtime attestations delayed in one region.",
|
|
["us-east runtime agents degraded", "eu-west ingest healthy"]),
|
|
}.OrderBy(section => section.SectionId, StringComparer.Ordinal).ToList();
|
|
|
|
return new DataIntegrityReportDto(
|
|
ReportId: "ops-nightly-2026-02-19",
|
|
GeneratedAt: SnapshotAt,
|
|
Window: "2026-02-18T03:15:00Z/2026-02-19T03:15:00Z",
|
|
Sections: sections,
|
|
RecommendedActions:
|
|
[
|
|
"Prioritize runtime ingest queue drain in us-east.",
|
|
"Force-feed refresh for NVD source before next approval window.",
|
|
"Trigger high-risk SBOM rescan profile for stale production digests.",
|
|
]);
|
|
}
|
|
|
|
private static IReadOnlyList<FeedFreshnessDto> BuildFeedFreshness()
|
|
{
|
|
return new[]
|
|
{
|
|
new FeedFreshnessDto("NVD", "warning", LastSyncedAt: "2026-02-19T00:12:00Z", FreshnessHours: 3, SlaHours: 1),
|
|
new FeedFreshnessDto("OSV", "healthy", LastSyncedAt: "2026-02-19T03:02:00Z", FreshnessHours: 0, SlaHours: 1),
|
|
new FeedFreshnessDto("Vendor advisories", "healthy", LastSyncedAt: "2026-02-19T02:48:00Z", FreshnessHours: 0, SlaHours: 2),
|
|
}.OrderBy(feed => feed.Source, StringComparer.Ordinal).ToList();
|
|
}
|
|
|
|
private static ScanPipelineHealthDto BuildScanPipelineHealth()
|
|
{
|
|
var stages = new[]
|
|
{
|
|
new PipelineStageHealthDto("ingest", "healthy", QueueDepth: 12, OldestAgeMinutes: 8),
|
|
new PipelineStageHealthDto("normalize", "healthy", QueueDepth: 3, OldestAgeMinutes: 4),
|
|
new PipelineStageHealthDto("rescan", "warning", QueueDepth: 12, OldestAgeMinutes: 1570),
|
|
}.OrderBy(stage => stage.Stage, StringComparer.Ordinal).ToList();
|
|
|
|
return new ScanPipelineHealthDto(
|
|
Status: "warning",
|
|
PendingDigests: 12,
|
|
FailedJobs24h: 3,
|
|
Stages: stages);
|
|
}
|
|
|
|
private static ReachabilityIngestHealthDto BuildReachabilityIngestHealth()
|
|
{
|
|
var regions = new[]
|
|
{
|
|
new RegionIngestHealthDto("apac", "healthy", Backlog: 7, FreshnessMinutes: 6),
|
|
new RegionIngestHealthDto("eu-west", "healthy", Backlog: 11, FreshnessMinutes: 7),
|
|
new RegionIngestHealthDto("us-east", "warning", Backlog: 1230, FreshnessMinutes: 42),
|
|
}.OrderBy(region => region.Region, StringComparer.Ordinal).ToList();
|
|
|
|
return new ReachabilityIngestHealthDto(
|
|
Status: "warning",
|
|
RuntimeCoveragePercent: 41,
|
|
Regions: regions);
|
|
}
|
|
|
|
private static AdministrationSummaryDto BuildAdministrationSummary()
|
|
{
|
|
var domains = new[]
|
|
{
|
|
new AdministrationDomainCardDto("identity", "Identity & Access", "healthy", "Role assignments and API tokens are within policy.", "/administration/identity-access"),
|
|
new AdministrationDomainCardDto("notifications", "Notifications", "healthy", "All configured notification providers are operational.", "/administration/notifications"),
|
|
new AdministrationDomainCardDto("policy", "Policy Governance", "warning", "One policy bundle update is pending review.", "/administration/policy-governance"),
|
|
new AdministrationDomainCardDto("system", "System", "healthy", "Control plane services report healthy heartbeat.", "/administration/system"),
|
|
new AdministrationDomainCardDto("tenant", "Tenant & Branding", "healthy", "Tenant branding and domain mappings are current.", "/administration/tenant-branding"),
|
|
new AdministrationDomainCardDto("trust", "Trust & Signing", "warning", "One certificate expires within 10 days.", "/administration/trust-signing"),
|
|
new AdministrationDomainCardDto("usage", "Usage & Limits", "warning", "Scanner quota at 65% with upward trend.", "/administration/usage"),
|
|
}.OrderBy(domain => domain.DomainId, StringComparer.Ordinal).ToList();
|
|
|
|
return new AdministrationSummaryDto(
|
|
Domains: domains,
|
|
ActiveIncidents:
|
|
[
|
|
"trust/certificate-expiry-warning",
|
|
"usage/scanner-quota-warning",
|
|
]);
|
|
}
|
|
|
|
private static AdministrationIdentityAccessDto BuildAdministrationIdentityAccess()
|
|
{
|
|
var tabs = new[]
|
|
{
|
|
new AdministrationFacetTabDto("api-tokens", "API Tokens", Count: 12, Status: "warning", ActionPath: "/administration/identity-access/tokens"),
|
|
new AdministrationFacetTabDto("oauth-clients", "OAuth/SSO Clients", Count: 6, Status: "healthy", ActionPath: "/administration/identity-access/clients"),
|
|
new AdministrationFacetTabDto("roles", "Roles", Count: 18, Status: "healthy", ActionPath: "/administration/identity-access/roles"),
|
|
new AdministrationFacetTabDto("tenants", "Tenants", Count: 4, Status: "healthy", ActionPath: "/administration/identity-access/tenants"),
|
|
new AdministrationFacetTabDto("users", "Users", Count: 146, Status: "healthy", ActionPath: "/administration/identity-access/users"),
|
|
}.OrderBy(tab => tab.TabId, StringComparer.Ordinal).ToList();
|
|
|
|
var actors = new[]
|
|
{
|
|
new IdentityAccessActorDto("alice@core.example", "release-approver", "active", "2026-02-19T01:22:00Z"),
|
|
new IdentityAccessActorDto("jenkins-bot", "ci-bot", "active", "2026-02-19T02:17:00Z"),
|
|
new IdentityAccessActorDto("security-admin@core.example", "security-admin", "active", "2026-02-19T02:59:00Z"),
|
|
}.OrderBy(actor => actor.Actor, StringComparer.Ordinal).ToList();
|
|
|
|
var aliases = BuildAdministrationAliases(
|
|
[
|
|
new AdministrationRouteAliasDto("/settings/admin/clients", "/administration/identity-access/clients", "redirect"),
|
|
new AdministrationRouteAliasDto("/settings/admin/roles", "/administration/identity-access/roles", "redirect"),
|
|
new AdministrationRouteAliasDto("/settings/admin/tenants", "/administration/identity-access/tenants", "redirect"),
|
|
new AdministrationRouteAliasDto("/settings/admin/tokens", "/administration/identity-access/tokens", "redirect"),
|
|
new AdministrationRouteAliasDto("/settings/admin/users", "/administration/identity-access/users", "redirect"),
|
|
]);
|
|
|
|
return new AdministrationIdentityAccessDto(
|
|
Tabs: tabs,
|
|
RecentActors: actors,
|
|
LegacyAliases: aliases,
|
|
AuditLogPath: "/evidence-audit/audit");
|
|
}
|
|
|
|
private static AdministrationTenantBrandingDto BuildAdministrationTenantBranding()
|
|
{
|
|
var tenants = new[]
|
|
{
|
|
new AdministrationTenantDto("apac-core", "Core APAC", "apac.core.example", "core-pack-v7", "active"),
|
|
new AdministrationTenantDto("eu-core", "Core EU", "eu.core.example", "core-pack-v7", "active"),
|
|
new AdministrationTenantDto("us-core", "Core US", "us.core.example", "core-pack-v7", "active"),
|
|
}.OrderBy(tenant => tenant.TenantId, StringComparer.Ordinal).ToList();
|
|
|
|
var aliases = BuildAdministrationAliases(
|
|
[
|
|
new AdministrationRouteAliasDto("/settings/admin/branding", "/administration/tenant-branding", "redirect"),
|
|
]);
|
|
|
|
return new AdministrationTenantBrandingDto(
|
|
Tenants: tenants,
|
|
BrandingDefaults: new TenantBrandingDefaultsDto(
|
|
Theme: "light",
|
|
SupportUrl: "https://support.core.example",
|
|
LegalFooterVersion: "2026.02"),
|
|
LegacyAliases: aliases);
|
|
}
|
|
|
|
private static AdministrationNotificationsDto BuildAdministrationNotifications()
|
|
{
|
|
var rules = new[]
|
|
{
|
|
new AdministrationNotificationRuleDto("critical-reachable", "Critical reachable finding", "high", "active"),
|
|
new AdministrationNotificationRuleDto("gate-blocked", "Gate blocked release", "high", "active"),
|
|
new AdministrationNotificationRuleDto("quota-warning", "Quota warning", "medium", "active"),
|
|
}.OrderBy(rule => rule.RuleId, StringComparer.Ordinal).ToList();
|
|
|
|
var channels = new[]
|
|
{
|
|
new AdministrationNotificationChannelDto("email", "healthy", "2026-02-19T02:40:00Z"),
|
|
new AdministrationNotificationChannelDto("slack", "healthy", "2026-02-19T02:41:00Z"),
|
|
new AdministrationNotificationChannelDto("webhook", "warning", "2026-02-19T01:58:00Z"),
|
|
}.OrderBy(channel => channel.ChannelId, StringComparer.Ordinal).ToList();
|
|
|
|
var aliases = BuildAdministrationAliases(
|
|
[
|
|
new AdministrationRouteAliasDto("/admin/notifications", "/administration/notifications", "redirect"),
|
|
new AdministrationRouteAliasDto("/operations/notifications", "/administration/notifications", "redirect"),
|
|
new AdministrationRouteAliasDto("/settings/notifications/*", "/administration/notifications/*", "redirect"),
|
|
]);
|
|
|
|
return new AdministrationNotificationsDto(
|
|
Rules: rules,
|
|
Channels: channels,
|
|
ChannelManagementPath: "/integrations/notifications",
|
|
LegacyAliases: aliases);
|
|
}
|
|
|
|
private static AdministrationUsageLimitsDto BuildAdministrationUsageLimits()
|
|
{
|
|
var meters = new[]
|
|
{
|
|
new AdministrationUsageMeterDto("api-calls", "API calls", Used: 15000, Limit: 100000, Unit: "calls"),
|
|
new AdministrationUsageMeterDto("evidence-packets", "Evidence packets", Used: 2800, Limit: 10000, Unit: "packets"),
|
|
new AdministrationUsageMeterDto("scanner-runs", "Scanner runs", Used: 6500, Limit: 10000, Unit: "runs"),
|
|
new AdministrationUsageMeterDto("storage", "Storage", Used: 42, Limit: 100, Unit: "GB"),
|
|
}.OrderBy(meter => meter.MeterId, StringComparer.Ordinal).ToList();
|
|
|
|
var policies = new[]
|
|
{
|
|
new AdministrationUsagePolicyDto("api-burst", "API burst throttle", "enabled"),
|
|
new AdministrationUsagePolicyDto("integration-cap", "Per-integration cap", "enabled"),
|
|
new AdministrationUsagePolicyDto("scanner-quota", "Scanner daily quota", "warning"),
|
|
}.OrderBy(policy => policy.PolicyId, StringComparer.Ordinal).ToList();
|
|
|
|
var aliases = BuildAdministrationAliases(
|
|
[
|
|
new AdministrationRouteAliasDto("/settings/admin/:page", "/administration/:page", "redirect"),
|
|
]);
|
|
|
|
return new AdministrationUsageLimitsDto(
|
|
Meters: meters,
|
|
Policies: policies,
|
|
OperationsDrilldownPath: "/platform-ops/quotas",
|
|
LegacyAliases: aliases);
|
|
}
|
|
|
|
private static AdministrationPolicyGovernanceDto BuildAdministrationPolicyGovernance()
|
|
{
|
|
var baselines = new[]
|
|
{
|
|
new AdministrationPolicyBaselineDto("dev", "core-pack-v7", "active"),
|
|
new AdministrationPolicyBaselineDto("prod", "core-pack-v7", "active"),
|
|
new AdministrationPolicyBaselineDto("stage", "core-pack-v7", "active"),
|
|
}.OrderBy(baseline => baseline.Environment, StringComparer.Ordinal).ToList();
|
|
|
|
var signals = new[]
|
|
{
|
|
new AdministrationPolicySignalDto("exception-workflow", "warning", "2 pending exception approvals"),
|
|
new AdministrationPolicySignalDto("governance-rules", "healthy", "Reachable-critical gate enforced"),
|
|
new AdministrationPolicySignalDto("simulation", "healthy", "Last what-if simulation completed successfully"),
|
|
}.OrderBy(signal => signal.SignalId, StringComparer.Ordinal).ToList();
|
|
|
|
var aliases = BuildAdministrationAliases(
|
|
[
|
|
new AdministrationRouteAliasDto("/admin/policy/governance", "/administration/policy-governance", "redirect"),
|
|
new AdministrationRouteAliasDto("/admin/policy/simulation", "/administration/policy-governance/simulation", "redirect"),
|
|
new AdministrationRouteAliasDto("/policy/exceptions/*", "/administration/policy-governance/exceptions/*", "redirect"),
|
|
new AdministrationRouteAliasDto("/policy/governance", "/administration/policy-governance", "redirect"),
|
|
new AdministrationRouteAliasDto("/policy/packs/*", "/administration/policy-governance/packs/*", "redirect"),
|
|
]);
|
|
|
|
return new AdministrationPolicyGovernanceDto(
|
|
Baselines: baselines,
|
|
Signals: signals,
|
|
LegacyAliases: aliases,
|
|
CrossLinks:
|
|
[
|
|
"/release-control/approvals",
|
|
"/administration/policy/exceptions",
|
|
]);
|
|
}
|
|
|
|
private static async Task<AdministrationTrustSigningDto> BuildAdministrationTrustSigningAsync(
|
|
string tenantId,
|
|
IAdministrationTrustSigningStore trustSigningStore,
|
|
CancellationToken cancellationToken)
|
|
{
|
|
var keys = await trustSigningStore.ListKeysAsync(tenantId, 500, 0, cancellationToken).ConfigureAwait(false);
|
|
var issuers = await trustSigningStore.ListIssuersAsync(tenantId, 500, 0, cancellationToken).ConfigureAwait(false);
|
|
var certificates = await trustSigningStore.ListCertificatesAsync(tenantId, 500, 0, cancellationToken).ConfigureAwait(false);
|
|
var transparencyConfig = await trustSigningStore.GetTransparencyLogConfigAsync(tenantId, cancellationToken).ConfigureAwait(false);
|
|
|
|
var expiringCertificateCount = certificates.Count(certificate =>
|
|
!string.Equals(certificate.Status, "revoked", StringComparison.OrdinalIgnoreCase)
|
|
&& certificate.NotAfter <= SnapshotAt.AddDays(10));
|
|
|
|
var signals = new[]
|
|
{
|
|
new AdministrationTrustSignalDto("audit-log", "healthy", "Trust-signing configuration changes are being recorded."),
|
|
new AdministrationTrustSignalDto(
|
|
"certificate-expiry",
|
|
expiringCertificateCount > 0 ? "warning" : "healthy",
|
|
expiringCertificateCount > 0
|
|
? $"{expiringCertificateCount} certificate{(expiringCertificateCount == 1 ? string.Empty : "s")} expire within 10 days."
|
|
: "No certificate expirations are due in the next 10 days."),
|
|
new AdministrationTrustSignalDto(
|
|
"transparency-log",
|
|
transparencyConfig is null ? "warning" : "healthy",
|
|
transparencyConfig is null
|
|
? "Transparency log is not configured for this tenant."
|
|
: $"Transparency log witness points to {transparencyConfig.LogUrl}."),
|
|
new AdministrationTrustSignalDto(
|
|
"trust-scoring",
|
|
issuers.Count == 0 ? "warning" : "healthy",
|
|
issuers.Count == 0
|
|
? "No trusted issuers are registered yet."
|
|
: "Issuer trust inventory is available for scoring and review."),
|
|
}.OrderBy(signal => signal.SignalId, StringComparer.Ordinal).ToList();
|
|
|
|
var aliases = BuildAdministrationAliases(
|
|
[
|
|
new AdministrationRouteAliasDto("/admin/issuers", "/administration/trust-signing/issuers", "redirect"),
|
|
new AdministrationRouteAliasDto("/admin/trust/*", "/administration/trust-signing/*", "redirect"),
|
|
new AdministrationRouteAliasDto("/settings/trust/*", "/administration/trust-signing/*", "redirect"),
|
|
]);
|
|
|
|
return new AdministrationTrustSigningDto(
|
|
Inventory: new AdministrationTrustInventoryDto(Keys: keys.Count, Issuers: issuers.Count, Certificates: certificates.Count),
|
|
Signals: signals,
|
|
LegacyAliases: aliases,
|
|
EvidenceConsumerPath: "/evidence-audit/proofs");
|
|
}
|
|
|
|
private static AdministrationSystemDto BuildAdministrationSystem()
|
|
{
|
|
var controls = new[]
|
|
{
|
|
new AdministrationSystemControlDto("background-jobs", "warning", "1 paused job family awaiting manual resume."),
|
|
new AdministrationSystemControlDto("doctor", "healthy", "Last diagnostics run passed."),
|
|
new AdministrationSystemControlDto("health-check", "healthy", "All core control-plane services are healthy."),
|
|
new AdministrationSystemControlDto("slo-config", "healthy", "SLO thresholds are synchronized."),
|
|
}.OrderBy(control => control.ControlId, StringComparer.Ordinal).ToList();
|
|
|
|
var aliases = BuildAdministrationAliases(
|
|
[
|
|
new AdministrationRouteAliasDto("/operations/status", "/administration/system/status", "redirect"),
|
|
new AdministrationRouteAliasDto("/settings/configuration-pane", "/administration/system/configuration", "redirect"),
|
|
new AdministrationRouteAliasDto("/settings/workflows/*", "/administration/system/workflows", "redirect"),
|
|
]);
|
|
|
|
return new AdministrationSystemDto(
|
|
OverallStatus: "healthy",
|
|
Controls: controls,
|
|
LegacyAliases: aliases,
|
|
Drilldowns:
|
|
[
|
|
"/platform-ops/health",
|
|
"/platform-ops/orchestrator/jobs",
|
|
"/platform-ops/data-integrity",
|
|
]);
|
|
}
|
|
|
|
private static IReadOnlyList<AdministrationRouteAliasDto> BuildAdministrationAliases(
|
|
AdministrationRouteAliasDto[] aliases)
|
|
{
|
|
return aliases
|
|
.OrderBy(alias => alias.LegacyPath, StringComparer.Ordinal)
|
|
.ToList();
|
|
}
|
|
|
|
private static DataConfidenceBadgeDto BuildConfidenceBadge()
|
|
{
|
|
return new DataConfidenceBadgeDto(
|
|
Status: "warning",
|
|
Summary: "NVD freshness and runtime ingest lag reduce confidence.",
|
|
NvdStalenessHours: 3,
|
|
StaleSbomDigests: 12,
|
|
RuntimeDlqDepth: 1230);
|
|
}
|
|
|
|
private static IResult BuildAdministrationItem<T>(
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver,
|
|
Func<T> payloadFactory)
|
|
{
|
|
if (!TryResolveContext(context, resolver, out var requestContext, out var failure))
|
|
{
|
|
return failure!;
|
|
}
|
|
|
|
var payload = payloadFactory();
|
|
return Results.Ok(new PlatformItemResponse<T>(
|
|
requestContext!.TenantId,
|
|
requestContext.ActorId,
|
|
SnapshotAt,
|
|
Cached: false,
|
|
CacheTtlSeconds: 0,
|
|
payload));
|
|
}
|
|
|
|
private static bool TryResolveContext(
|
|
HttpContext context,
|
|
PlatformRequestContextResolver resolver,
|
|
out PlatformRequestContext? requestContext,
|
|
out IResult? failure)
|
|
{
|
|
if (resolver.TryResolve(context, out requestContext, out var error))
|
|
{
|
|
failure = null;
|
|
return true;
|
|
}
|
|
|
|
failure = Results.BadRequest(new { error = error ?? "tenant_missing" });
|
|
return false;
|
|
}
|
|
}
|
|
|
|
public sealed record DashboardSummaryDto(
|
|
DataConfidenceBadgeDto DataConfidence,
|
|
int EnvironmentsWithCriticalReachable,
|
|
int TotalCriticalReachable,
|
|
decimal SbomCoveragePercent,
|
|
decimal VexCoveragePercent,
|
|
int BlockedApprovals,
|
|
int ExceptionsExpiringSoon,
|
|
IReadOnlyList<EnvironmentRiskSnapshotDto> EnvironmentRisk,
|
|
IReadOnlyList<DashboardDriverDto> TopDrivers);
|
|
|
|
public sealed record EnvironmentRiskSnapshotDto(
|
|
string Environment,
|
|
int CriticalReachable,
|
|
int HighReachable,
|
|
string SbomState);
|
|
|
|
public sealed record DashboardDriverDto(
|
|
string Cve,
|
|
string Component,
|
|
string Severity,
|
|
string Reachability);
|
|
|
|
public sealed record DataIntegritySummaryDto(
|
|
DataConfidenceBadgeDto Confidence,
|
|
IReadOnlyList<DataIntegritySignalDto> Signals);
|
|
|
|
public sealed record DataIntegritySignalDto(
|
|
string Id,
|
|
string Label,
|
|
string Status,
|
|
string Summary,
|
|
string ActionPath);
|
|
|
|
public sealed record DataIntegrityReportDto(
|
|
string ReportId,
|
|
DateTimeOffset GeneratedAt,
|
|
string Window,
|
|
IReadOnlyList<DataIntegrityReportSectionDto> Sections,
|
|
IReadOnlyList<string> RecommendedActions);
|
|
|
|
public sealed record DataIntegrityReportSectionDto(
|
|
string SectionId,
|
|
string Status,
|
|
string Summary,
|
|
IReadOnlyList<string> Highlights);
|
|
|
|
public sealed record FeedFreshnessDto(
|
|
string Source,
|
|
string Status,
|
|
string LastSyncedAt,
|
|
int FreshnessHours,
|
|
int SlaHours);
|
|
|
|
public sealed record ScanPipelineHealthDto(
|
|
string Status,
|
|
int PendingDigests,
|
|
int FailedJobs24h,
|
|
IReadOnlyList<PipelineStageHealthDto> Stages);
|
|
|
|
public sealed record PipelineStageHealthDto(
|
|
string Stage,
|
|
string Status,
|
|
int QueueDepth,
|
|
int OldestAgeMinutes);
|
|
|
|
public sealed record ReachabilityIngestHealthDto(
|
|
string Status,
|
|
int RuntimeCoveragePercent,
|
|
IReadOnlyList<RegionIngestHealthDto> Regions);
|
|
|
|
public sealed record RegionIngestHealthDto(
|
|
string Region,
|
|
string Status,
|
|
int Backlog,
|
|
int FreshnessMinutes);
|
|
|
|
public sealed record AdministrationSummaryDto(
|
|
IReadOnlyList<AdministrationDomainCardDto> Domains,
|
|
IReadOnlyList<string> ActiveIncidents);
|
|
|
|
public sealed record AdministrationDomainCardDto(
|
|
string DomainId,
|
|
string Label,
|
|
string Status,
|
|
string Summary,
|
|
string ActionPath);
|
|
|
|
public sealed record AdministrationIdentityAccessDto(
|
|
IReadOnlyList<AdministrationFacetTabDto> Tabs,
|
|
IReadOnlyList<IdentityAccessActorDto> RecentActors,
|
|
IReadOnlyList<AdministrationRouteAliasDto> LegacyAliases,
|
|
string AuditLogPath);
|
|
|
|
public sealed record AdministrationFacetTabDto(
|
|
string TabId,
|
|
string Label,
|
|
int Count,
|
|
string Status,
|
|
string ActionPath);
|
|
|
|
public sealed record IdentityAccessActorDto(
|
|
string Actor,
|
|
string Role,
|
|
string Status,
|
|
string LastSeenAt);
|
|
|
|
public sealed record AdministrationTenantBrandingDto(
|
|
IReadOnlyList<AdministrationTenantDto> Tenants,
|
|
TenantBrandingDefaultsDto BrandingDefaults,
|
|
IReadOnlyList<AdministrationRouteAliasDto> LegacyAliases);
|
|
|
|
public sealed record AdministrationTenantDto(
|
|
string TenantId,
|
|
string DisplayName,
|
|
string PrimaryDomain,
|
|
string DefaultPolicyPack,
|
|
string Status);
|
|
|
|
public sealed record TenantBrandingDefaultsDto(
|
|
string Theme,
|
|
string SupportUrl,
|
|
string LegalFooterVersion);
|
|
|
|
public sealed record AdministrationNotificationsDto(
|
|
IReadOnlyList<AdministrationNotificationRuleDto> Rules,
|
|
IReadOnlyList<AdministrationNotificationChannelDto> Channels,
|
|
string ChannelManagementPath,
|
|
IReadOnlyList<AdministrationRouteAliasDto> LegacyAliases);
|
|
|
|
public sealed record AdministrationNotificationRuleDto(
|
|
string RuleId,
|
|
string Label,
|
|
string Severity,
|
|
string Status);
|
|
|
|
public sealed record AdministrationNotificationChannelDto(
|
|
string ChannelId,
|
|
string Status,
|
|
string LastDeliveredAt);
|
|
|
|
public sealed record AdministrationUsageLimitsDto(
|
|
IReadOnlyList<AdministrationUsageMeterDto> Meters,
|
|
IReadOnlyList<AdministrationUsagePolicyDto> Policies,
|
|
string OperationsDrilldownPath,
|
|
IReadOnlyList<AdministrationRouteAliasDto> LegacyAliases);
|
|
|
|
public sealed record AdministrationUsageMeterDto(
|
|
string MeterId,
|
|
string Label,
|
|
int Used,
|
|
int Limit,
|
|
string Unit);
|
|
|
|
public sealed record AdministrationUsagePolicyDto(
|
|
string PolicyId,
|
|
string Label,
|
|
string Status);
|
|
|
|
public sealed record AdministrationPolicyGovernanceDto(
|
|
IReadOnlyList<AdministrationPolicyBaselineDto> Baselines,
|
|
IReadOnlyList<AdministrationPolicySignalDto> Signals,
|
|
IReadOnlyList<AdministrationRouteAliasDto> LegacyAliases,
|
|
IReadOnlyList<string> CrossLinks);
|
|
|
|
public sealed record AdministrationPolicyBaselineDto(
|
|
string Environment,
|
|
string PolicyPack,
|
|
string Status);
|
|
|
|
public sealed record AdministrationPolicySignalDto(
|
|
string SignalId,
|
|
string Status,
|
|
string Summary);
|
|
|
|
public sealed record AdministrationTrustSigningDto(
|
|
AdministrationTrustInventoryDto Inventory,
|
|
IReadOnlyList<AdministrationTrustSignalDto> Signals,
|
|
IReadOnlyList<AdministrationRouteAliasDto> LegacyAliases,
|
|
string EvidenceConsumerPath);
|
|
|
|
public sealed record AdministrationTrustInventoryDto(
|
|
int Keys,
|
|
int Issuers,
|
|
int Certificates);
|
|
|
|
public sealed record AdministrationTrustSignalDto(
|
|
string SignalId,
|
|
string Status,
|
|
string Summary);
|
|
|
|
public sealed record AdministrationSystemDto(
|
|
string OverallStatus,
|
|
IReadOnlyList<AdministrationSystemControlDto> Controls,
|
|
IReadOnlyList<AdministrationRouteAliasDto> LegacyAliases,
|
|
IReadOnlyList<string> Drilldowns);
|
|
|
|
public sealed record AdministrationSystemControlDto(
|
|
string ControlId,
|
|
string Status,
|
|
string Summary);
|
|
|
|
public sealed record AdministrationRouteAliasDto(
|
|
string LegacyPath,
|
|
string CanonicalPath,
|
|
string Action);
|
|
|
|
public sealed record DataConfidenceBadgeDto(
|
|
string Status,
|
|
string Summary,
|
|
int NvdStalenessHours,
|
|
int StaleSbomDigests,
|
|
int RuntimeDlqDepth);
|