fix(dashboard): attach Keycloak token on agent API calls (#90)

compliance-agent/src/api/handlers/pentest_handlers/export.rs

@@ -13,10 +13,11 @@ use compliance_core::models::dast::DastFinding;
 use compliance_core::models::finding::Finding;
 use compliance_core::models::pentest::*;
 use compliance_core::models::sbom::SbomEntry;
+use compliance_core::tenant_ctx::TenantCtx;
 
 use crate::agent::ComplianceAgent;
 
-use super::super::dto::collect_cursor_async;
+use super::super::dto::{collect_cursor_async, tenant_db};
 
 type AgentExt = Extension<Arc<ComplianceAgent>>;
 
@@ -35,11 +36,15 @@ pub struct ExportBody {
 #[tracing::instrument(skip_all, fields(session_id = %id))]
 pub async fn export_session_report(
     Extension(agent): AgentExt,
+    tenant: TenantCtx,
     Path(id): Path<String>,
     Json(body): Json<ExportBody>,
 ) -> Result<axum::response::Response, (StatusCode, String)> {
     let oid = mongodb::bson::oid::ObjectId::parse_str(&id)
         .map_err(|_| (StatusCode::BAD_REQUEST, "Invalid session ID".to_string()))?;
+    let db = tenant_db(&agent, &tenant)
+        .await
+        .map_err(|s| (s, "failed to acquire tenant database".to_string()))?;
 
     if body.password.len() < 8 {
         return Err((
@@ -49,8 +54,7 @@ pub async fn export_session_report(
     }
 
     // Fetch session
-    let session = agent
-        .db
+    let session = db
         .pentest_sessions()
         .find_one(doc! { "_id": oid })
         .await
@@ -64,9 +68,7 @@ pub async fn export_session_report(
 
     // Resolve target name
     let target = if let Ok(tid) = mongodb::bson::oid::ObjectId::parse_str(&session.target_id) {
-        agent
-            .db
-            .dast_targets()
+        db.dast_targets()
             .find_one(doc! { "_id": tid })
             .await
             .ok()
@@ -84,8 +86,7 @@ pub async fn export_session_report(
         .unwrap_or_default();
 
     // Fetch attack chain nodes
-    let nodes: Vec<AttackChainNode> = match agent
-        .db
+    let nodes: Vec<AttackChainNode> = match db
         .attack_chain_nodes()
         .find(doc! { "session_id": &id })
         .sort(doc! { "started_at": 1 })
@@ -96,8 +97,7 @@ pub async fn export_session_report(
     };
 
     // Fetch DAST findings for this session, then deduplicate
-    let raw_findings: Vec<DastFinding> = match agent
-        .db
+    let raw_findings: Vec<DastFinding> = match db
         .dast_findings()
         .find(doc! { "session_id": &id })
         .sort(doc! { "severity": -1, "created_at": -1 })
@@ -122,8 +122,7 @@ pub async fn export_session_report(
         .or_else(|| target.as_ref().and_then(|t| t.repo_id.clone()));
 
     let (sast_findings, sbom_entries, code_context) = if let Some(ref rid) = repo_id {
-        let sast: Vec<Finding> = match agent
-            .db
+        let sast: Vec<Finding> = match db
             .findings()
             .find(doc! {
                 "repo_id": rid,
@@ -143,8 +142,7 @@ pub async fn export_session_report(
             Err(_) => Vec::new(),
         };
 
-        let sbom: Vec<SbomEntry> = match agent
-            .db
+        let sbom: Vec<SbomEntry> = match db
             .sbom_entries()
             .find(doc! {
                 "repo_id": rid,
@@ -164,8 +162,7 @@ pub async fn export_session_report(
         };
 
         // Build code context from graph nodes
-        let code_ctx: Vec<CodeContextHint> = match agent
-            .db
+        let code_ctx: Vec<CodeContextHint> = match db
             .graph_nodes()
             .find(doc! { "repo_id": rid, "is_entry_point": true })
             .limit(50)