Sprint SPRINT_20260408_004 AUDIT-002, second completion criterion
("at least write endpoints decorated with AuditActionAttribute").
Vertical slice using the existing .Audited(module, action, resourceType)
helper from AuditedRouteGroupExtensions:
- Graph.Api (4 endpoints):
* POST /api/graphs/builds -> graph.create graph_build
* POST /api/graphs/overlays -> graph.create graph_overlay
* POST /graphs/{g}/saved-views -> graph.create graph_saved_view
* DELETE /graphs/{g}/saved-views/{v} -> graph.delete graph_saved_view
- SbomService (4 endpoints):
* POST /sbom/upload + /api/v1/sbom/upload -> sbom.create sbom
* POST /entrypoints -> sbom.update sbom_entrypoint
* POST /internal/orchestrator/sources -> sbom.create orchestrator_source
* POST /internal/orchestrator/control -> sbom.update orchestrator_control
- Policy.Gateway ExceptionApproval (4 governance endpoints):
* POST /exception/request -> policy.create exception_approval_request
* POST /exception/{id}/approve -> policy.approve ""
* POST /exception/{id}/reject -> policy.reject ""
* POST /exception/{id}/cancel -> policy.cancel ""
- Notifier EscalationEndpoints (9 endpoints):
* policies CRUD -> notifier.{create,update,delete} escalation_policy
* on-call schedules CRUD -> notifier.{create,update,delete} oncall_schedule
* escalation start/escalate/stop -> notifier.execute incident_escalation
All 4 projects build clean. Events will flow to Timeline
/api/v1/audit/ingest once the services boot and execute these endpoints.
BinaryIndex uses MVC controllers — audit decoration for that style
requires a different wiring approach and is deferred to a follow-up.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
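A way to keep the "write endpoints are audited" criterion from regressing, as an added example that is not part of the commit or the project's code: it enumerates the mapped endpoints and reports any write-verb route with no audit metadata or an empty resource type. `AuditMeta` and `AuditCoverage` are hypothetical stand-ins (the real `AuditActionAttribute` and `.Audited(...)` are not shown on this page), and an ASP.NET Core minimal-API project (Microsoft.NET.Sdk.Web) is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;

var app = WebApplication.CreateBuilder(args).Build();

// Constructed sample: two triples from the list above plus a hypothetical undecorated DELETE.
app.MapPost("/api/graphs/builds", () => Results.Accepted())
   .WithMetadata(new AuditMeta("graph", "create", "graph_build"));
app.MapPost("/exception/{id}/approve", (string id) => Results.Ok())
   .WithMetadata(new AuditMeta("policy", "approve", ""));
app.MapDelete("/example/items/{id}", (string id) => Results.NoContent());
app.MapGet("/api/graphs/builds", () => Results.Ok()); // read-only, not checked

// Endpoints are materialised from the route builder without starting the server.
var endpoints = ((IEndpointRouteBuilder)app).DataSources.SelectMany(ds => ds.Endpoints);
var gaps = AuditCoverage.FindGaps(endpoints);
foreach (var gap in gaps) Console.WriteLine(gap);
return gaps.Count == 0 ? 0 : 1; // non-zero exit fails a CI step

// Hypothetical stand-in for the project's audit metadata type.
public sealed record AuditMeta(string Module, string Action, string ResourceType);

public static class AuditCoverage
{
    private static readonly HashSet<string> WriteVerbs =
        new(StringComparer.OrdinalIgnoreCase) { "POST", "PUT", "PATCH", "DELETE" };

    // One finding per write endpoint lacking audit metadata or a resource type.
    public static IReadOnlyList<string> FindGaps(IEnumerable<Endpoint> endpoints)
    {
        var gaps = new List<string>();
        foreach (var ep in endpoints.OfType<RouteEndpoint>())
        {
            var methods = ep.Metadata.GetMetadata<IHttpMethodMetadata>()?.HttpMethods
                          ?? Array.Empty<string>();
            if (!methods.Any(WriteVerbs.Contains)) continue;
            var audit = ep.Metadata.GetMetadata<AuditMeta>();
            var route = $"{string.Join(",", methods)} {ep.RoutePattern.RawText}";
            if (audit is null) gaps.Add($"{route}: no audit metadata");
            else if (string.IsNullOrWhiteSpace(audit.ResourceType)) gaps.Add($"{route}: empty resourceType");
        }
        return gaps;
    }
}
```

With the sample routes it reports the approve route (empty resource type) and the undecorated DELETE, and exits non-zero.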
Graph
Container(s): stellaops-graph-api | Slot: 20 | Port: 8080 | Consumer Group: graph | Resource Tier: medium
Note: Cartographer (Slot 21) has been merged into graph-api. The cartographer.stella-ops.local hostname is now a network alias on the graph-api container for backwards compatibility. The Scheduler's Cartographer.BaseAddress config now points to http://graph.stella-ops.local.
Purpose
The Graph API service provides a dependency and service graph for the Stella Ops platform. It supports graph search, path queries, diff computation, lineage tracking, overlay projections, saved views, and export functionality. It serves as the central topology store for understanding relationships between components, images, and services.
It also hosts the Graph Indexer pipeline (SBOM ingestion, analytics, incremental change-stream processing) and the Cartographer-compatible build/overlay endpoints consumed by the Scheduler Worker.
API Surface
- graph (via Router) — graph search, path queries, diff, lineage, overlay, saved views, export (GEXF/DOT/JSON), edge metadata, audit log, rate-limited access
- /api/graphs/builds (POST, GET) — Cartographer-compatible build endpoints (Scheduler contract)
- /api/graphs/overlays (POST, GET) — Cartographer-compatible overlay endpoints (Scheduler contract)
Storage
PostgreSQL (via Postgres:Graph for saved views and graph data); falls back to an in-memory repository when no Postgres connection is configured.
Graph Indexer Persistence writes to graph.graph_nodes and graph.graph_edges tables.
Background Workers
- GraphSavedViewsMigrationHostedService — migrates saved views on startup
- GraphAnalyticsHostedService — runs graph analytics pipeline (centrality, clustering)
- GraphChangeStreamProcessor — processes incremental graph change events