Add DAST, graph modules, toast notifications, and dashboard enhancements

Add DAST scanning and code knowledge graph features across the stack:
- compliance-dast and compliance-graph workspace crates
- Agent API handlers and routes for DAST targets/scans and graph builds
- Core models and traits for DAST and graph domains
- Dashboard pages for DAST targets/findings/overview and graph explorer/impact
- Toast notification system with auto-dismiss for async action feedback
- Button click animations and disabled states for better UX

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

compliance-agent/src/api/handlers/dast.rs

@@ -0,0 +1,226 @@
+use std::sync::Arc;
+
+use axum::extract::{Extension, Path, Query};
+use axum::http::StatusCode;
+use axum::Json;
+use mongodb::bson::doc;
+use serde::Deserialize;
+
+use compliance_core::models::dast::{DastFinding, DastScanRun, DastTarget, DastTargetType};
+
+use crate::agent::ComplianceAgent;
+
+use super::{collect_cursor_async, ApiResponse, PaginationParams};
+
+type AgentExt = Extension<Arc<ComplianceAgent>>;
+
+#[derive(Deserialize)]
+pub struct AddTargetRequest {
+    pub name: String,
+    pub base_url: String,
+    #[serde(default = "default_target_type")]
+    pub target_type: DastTargetType,
+    pub repo_id: Option<String>,
+    #[serde(default)]
+    pub excluded_paths: Vec<String>,
+    #[serde(default = "default_crawl_depth")]
+    pub max_crawl_depth: u32,
+    #[serde(default = "default_rate_limit")]
+    pub rate_limit: u32,
+    #[serde(default)]
+    pub allow_destructive: bool,
+}
+
+fn default_target_type() -> DastTargetType {
+    DastTargetType::WebApp
+}
+fn default_crawl_depth() -> u32 {
+    5
+}
+fn default_rate_limit() -> u32 {
+    10
+}
+
+/// GET /api/v1/dast/targets — List DAST targets
+pub async fn list_targets(
+    Extension(agent): AgentExt,
+    Query(params): Query<PaginationParams>,
+) -> Result<Json<ApiResponse<Vec<DastTarget>>>, StatusCode> {
+    let db = &agent.db;
+    let skip = (params.page.saturating_sub(1)) * params.limit as u64;
+    let total = db
+        .dast_targets()
+        .count_documents(doc! {})
+        .await
+        .unwrap_or(0);
+
+    let targets = match db
+        .dast_targets()
+        .find(doc! {})
+        .skip(skip)
+        .limit(params.limit)
+        .await
+    {
+        Ok(cursor) => collect_cursor_async(cursor).await,
+        Err(_) => Vec::new(),
+    };
+
+    Ok(Json(ApiResponse {
+        data: targets,
+        total: Some(total),
+        page: Some(params.page),
+    }))
+}
+
+/// POST /api/v1/dast/targets — Add a new DAST target
+pub async fn add_target(
+    Extension(agent): AgentExt,
+    Json(req): Json<AddTargetRequest>,
+) -> Result<Json<ApiResponse<DastTarget>>, StatusCode> {
+    let mut target = DastTarget::new(req.name, req.base_url, req.target_type);
+    target.repo_id = req.repo_id;
+    target.excluded_paths = req.excluded_paths;
+    target.max_crawl_depth = req.max_crawl_depth;
+    target.rate_limit = req.rate_limit;
+    target.allow_destructive = req.allow_destructive;
+
+    agent
+        .db
+        .dast_targets()
+        .insert_one(&target)
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+
+    Ok(Json(ApiResponse {
+        data: target,
+        total: None,
+        page: None,
+    }))
+}
+
+/// POST /api/v1/dast/targets/:id/scan — Trigger DAST scan
+pub async fn trigger_scan(
+    Extension(agent): AgentExt,
+    Path(id): Path<String>,
+) -> Result<Json<serde_json::Value>, StatusCode> {
+    let oid =
+        mongodb::bson::oid::ObjectId::parse_str(&id).map_err(|_| StatusCode::BAD_REQUEST)?;
+
+    let target = agent
+        .db
+        .dast_targets()
+        .find_one(doc! { "_id": oid })
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
+        .ok_or(StatusCode::NOT_FOUND)?;
+
+    let db = agent.db.clone();
+    tokio::spawn(async move {
+        let orchestrator = compliance_dast::DastOrchestrator::new(100);
+        match orchestrator.run_scan(&target, Vec::new()).await {
+            Ok((scan_run, findings)) => {
+                if let Err(e) = db.dast_scan_runs().insert_one(&scan_run).await {
+                    tracing::error!("Failed to store DAST scan run: {e}");
+                }
+                for finding in &findings {
+                    if let Err(e) = db.dast_findings().insert_one(finding).await {
+                        tracing::error!("Failed to store DAST finding: {e}");
+                    }
+                }
+                tracing::info!("DAST scan complete: {} findings", findings.len());
+            }
+            Err(e) => {
+                tracing::error!("DAST scan failed: {e}");
+            }
+        }
+    });
+
+    Ok(Json(serde_json::json!({ "status": "dast_scan_triggered" })))
+}
+
+/// GET /api/v1/dast/scan-runs — List DAST scan runs
+pub async fn list_scan_runs(
+    Extension(agent): AgentExt,
+    Query(params): Query<PaginationParams>,
+) -> Result<Json<ApiResponse<Vec<DastScanRun>>>, StatusCode> {
+    let db = &agent.db;
+    let skip = (params.page.saturating_sub(1)) * params.limit as u64;
+    let total = db
+        .dast_scan_runs()
+        .count_documents(doc! {})
+        .await
+        .unwrap_or(0);
+
+    let runs = match db
+        .dast_scan_runs()
+        .find(doc! {})
+        .sort(doc! { "started_at": -1 })
+        .skip(skip)
+        .limit(params.limit)
+        .await
+    {
+        Ok(cursor) => collect_cursor_async(cursor).await,
+        Err(_) => Vec::new(),
+    };
+
+    Ok(Json(ApiResponse {
+        data: runs,
+        total: Some(total),
+        page: Some(params.page),
+    }))
+}
+
+/// GET /api/v1/dast/findings — List DAST findings
+pub async fn list_findings(
+    Extension(agent): AgentExt,
+    Query(params): Query<PaginationParams>,
+) -> Result<Json<ApiResponse<Vec<DastFinding>>>, StatusCode> {
+    let db = &agent.db;
+    let skip = (params.page.saturating_sub(1)) * params.limit as u64;
+    let total = db
+        .dast_findings()
+        .count_documents(doc! {})
+        .await
+        .unwrap_or(0);
+
+    let findings = match db
+        .dast_findings()
+        .find(doc! {})
+        .sort(doc! { "created_at": -1 })
+        .skip(skip)
+        .limit(params.limit)
+        .await
+    {
+        Ok(cursor) => collect_cursor_async(cursor).await,
+        Err(_) => Vec::new(),
+    };
+
+    Ok(Json(ApiResponse {
+        data: findings,
+        total: Some(total),
+        page: Some(params.page),
+    }))
+}
+
+/// GET /api/v1/dast/findings/:id — Finding detail with evidence
+pub async fn get_finding(
+    Extension(agent): AgentExt,
+    Path(id): Path<String>,
+) -> Result<Json<ApiResponse<DastFinding>>, StatusCode> {
+    let oid =
+        mongodb::bson::oid::ObjectId::parse_str(&id).map_err(|_| StatusCode::BAD_REQUEST)?;
+
+    let finding = agent
+        .db
+        .dast_findings()
+        .find_one(doc! { "_id": oid })
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
+        .ok_or(StatusCode::NOT_FOUND)?;
+
+    Ok(Json(ApiResponse {
+        data: finding,
+        total: None,
+        page: None,
+    }))
+}