fix(core): JWKS refresh-on-failure in M7.1 auth middleware

Without this, every Keycloak signing-key rotation produces a silent 401 storm against every request until the agent restarts — the cached JWKS is held forever and never reconciled against KC. Now: when `kid` isn't in the cached JWKS or the matching key fails signature verification, we classify the failure as Stale, force a JWKS refresh, and retry once. Anything else (expired, malformed, missing tenant_id) is Permanent and short-circuits straight to 401. * Splits the path into a pure `try_validate(token, header, kid, jwks)` helper returning a `ValidationError { Stale | Permanent }` enum. * `fetch_or_get_jwks(state, force)` takes a force flag and holds the write lock across the network fetch so concurrent refreshers don't all hammer Keycloak when keys rotate (the second writer reuses what the first put in cache). * Adds a unit test for the kid-not-found Stale classification. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
M7.1 smoke harness: lift auth to compliance-core + compliance-smoke service (#83 )
2026-06-04 16:40:55 +02:00 · 2026-06-04 14:38:35 +00:00 · 2026-05-13 11:44:22 +00:00 · 2026-05-13 10:01:05 +00:00 · 2026-05-13 07:30:26 +00:00 · 2026-05-12 11:27:24 +00:00
49 changed files with 2537 additions and 171 deletions
@@ -0,0 +1,10 @@
 [advisories]
 ignore = [
    # hickory-proto 0.25.x pulled in transitively via mongodb → hickory-resolver.
    # MongoDB 3.x has not yet released with hickory-resolver 0.26.x, so we cannot
    # upgrade past this without a mongodb release. Both are DNS-layer DoS vectors
    # requiring a MITM/controlled DNS server against MongoDB's hostname resolution —
    # not a realistic attack surface here. Revisit when mongodb bumps hickory.
    "RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
    "RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1
 ]
@@ -145,13 +145,20 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.agent == 'true'
    container:
-      image: alpine:latest
+      image: docker:27-cli
    steps:
-      - name: Trigger Coolify deploy
+      - name: Build, push and trigger orca redeploy
        run: |
-          apk add --no-cache curl
+          apk add --no-cache git curl openssl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK_AGENT }}" \
+          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
          IMAGE=registry.meghsakha.com/compliance-agent
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.agent -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy agent"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
  deploy-dashboard:
    name: Deploy Dashboard
@@ -159,13 +166,20 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.dashboard == 'true'
    container:
-      image: alpine:latest
+      image: docker:27-cli
    steps:
-      - name: Trigger Coolify deploy
+      - name: Build, push and trigger orca redeploy
        run: |
-          apk add --no-cache curl
+          apk add --no-cache git curl openssl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK_DASHBOARD }}" \
+          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
          IMAGE=registry.meghsakha.com/compliance-dashboard
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.dashboard -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy dashboard"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
  deploy-docs:
    name: Deploy Docs
@@ -173,13 +187,20 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.docs == 'true'
    container:
-      image: alpine:latest
+      image: docker:27-cli
    steps:
-      - name: Trigger Coolify deploy
+      - name: Build, push and trigger orca redeploy
        run: |
-          apk add --no-cache curl
+          apk add --no-cache git curl openssl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK_DOCS }}" \
+          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
          IMAGE=registry.meghsakha.com/compliance-docs
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.docs -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy docs"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
  deploy-mcp:
    name: Deploy MCP
@@ -187,10 +208,17 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.mcp == 'true'
    container:
-      image: alpine:latest
+      image: docker:27-cli
    steps:
-      - name: Trigger Coolify deploy
+      - name: Build, push and trigger orca redeploy
        run: |
-          apk add --no-cache curl
+          apk add --no-cache git curl openssl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK_MCP }}" \
+          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
          IMAGE=registry.meghsakha.com/compliance-mcp
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.mcp -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy mcp"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
@@ -700,19 +700,23 @@ dependencies = [
 name = "compliance-core"
 version = "0.1.0"
 dependencies = [
 "axum",
 "bson",
 "chrono",
 "hex",
 "jsonwebtoken",
 "mongodb",
 "opentelemetry",
 "opentelemetry-appender-tracing",
 "opentelemetry-otlp",
 "opentelemetry_sdk",
 "reqwest",
 "secrecy",
 "serde",
 "serde_json",
 "sha2",
 "thiserror 2.0.18",
 "tokio",
 "tracing",
 "tracing-opentelemetry",
 "tracing-subscriber",
@@ -826,6 +830,20 @@ dependencies = [
 "tracing-subscriber",
 ]
 [[package]]
 name = "compliance-smoke"
 version = "0.1.0"
 dependencies = [
 "axum",
 "compliance-core",
 "reqwest",
 "serde",
 "serde_json",
 "tokio",
 "tracing",
 "tracing-subscriber",
 ]
 [[package]]
 name = "console_error_panic_hook"
 version = "0.1.7"
@@ -3524,9 +3542,9 @@ checksum = "224484c5d09285a7b8cb0a0c117e847ebd14cb6e4470ecf68cdb89c503b0edb9"
 [[package]]
 name = "mongodb"
-version = "3.5.1"
+version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "803dd859e8afa084c255a8effd8000ff86f7c8076a50cd6d8c99e8f3496f75c2"
+checksum = "1ef2c933617431ad0246fb5b43c425ebdae18c7f7259c87de0726d93b0e7e91b"
 dependencies = [
 "base64",
 "bitflags",
@@ -3570,9 +3588,9 @@ dependencies = [
 [[package]]
 name = "mongodb-internal-macros"
-version = "3.5.1"
+version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a973ef3dd3dbc6f6e65bbdecfd9ec5e781b9e7493b0f369a7c62e35d8e5ae2c8"
+checksum = "9e5758dc828eb2d02ec30563cba365609d56ddd833190b192beaee2b475a7bb3"
 dependencies = [
 "macro_magic",
 "proc-macro2",
@@ -4699,9 +4717,9 @@ dependencies = [
 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
 "ring",
 "rustls-pki-types",
@@ -6,6 +6,7 @@ members = [
    "compliance-graph",
    "compliance-dast",
    "compliance-mcp",
    "compliance-smoke",
 ]
 resolver = "2"
@@ -33,9 +33,15 @@ RUN pip3 install --break-system-packages ruff
 COPY --from=builder /app/target/release/compliance-agent /usr/local/bin/compliance-agent
 # Copy documentation for the help chat assistant
 COPY --from=builder /app/README.md /app/README.md
 COPY --from=builder /app/docs /app/docs
 ENV HELP_DOCS_PATH=/app
 # Ensure SSH key directory exists
 RUN mkdir -p /data/compliance-scanner/ssh
 EXPOSE 3001 3002
 ENTRYPOINT ["compliance-agent"]
@@ -1,6 +1,6 @@
 FROM rust:1.94-bookworm AS builder
-RUN cargo install dioxus-cli --version 0.7.4
+RUN cargo install dioxus-cli --version 0.7.3 --locked
 ARG DOCS_URL=/docs
@@ -20,3 +20,4 @@ ENV IP=0.0.0.0
 EXPOSE 8080
 ENTRYPOINT ["./compliance-dashboard"]
@@ -12,3 +12,4 @@ RUN rm /etc/nginx/conf.d/default.conf
 COPY docs/nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=builder /app/.vitepress/dist /usr/share/nginx/html
 EXPOSE 80
@@ -14,3 +14,4 @@ EXPOSE 8090
 ENV MCP_PORT=8090
 ENTRYPOINT ["compliance-mcp"]
@@ -25,7 +25,7 @@ uuid = { workspace = true }
 secrecy = { workspace = true }
 regex = { workspace = true }
 axum = "0.8"
-tower-http = { version = "0.6", features = ["cors", "trace"] }
+tower-http = { version = "0.6", features = ["cors", "trace", "set-header"] }
 git2 = "0.20"
 octocrab = "0.44"
 tokio-cron-scheduler = "0.13"
@@ -35,11 +35,16 @@ impl ComplianceAgent {
            config.litellm_model.clone(),
            config.litellm_embed_model.clone(),
        ));
        let http = reqwest::Client::builder()
            .timeout(std::time::Duration::from_secs(30))
            .connect_timeout(std::time::Duration::from_secs(10))
            .build()
            .unwrap_or_default();
        Self {
            config,
            db,
            llm,
-            http: reqwest::Client::new(),
+            http,
            session_streams: Arc::new(DashMap::new()),
            session_pause: Arc::new(DashMap::new()),
            session_semaphore: Arc::new(Semaphore::new(DEFAULT_MAX_CONCURRENT_SESSIONS)),
@@ -104,28 +104,58 @@ fn load_docs(root: &Path) -> String {
 /// Returns a reference to the cached doc context string, initialised on
 /// first call via `OnceLock`.
 ///
 /// Discovery order:
 /// 1. `HELP_DOCS_PATH` env var (explicit override)
 /// 2. Walk up from the binary location
 /// 3. Current working directory
 /// 4. Common Docker paths (/app, /opt/compliance-scanner)
 fn doc_context() -> &'static str {
    DOC_CONTEXT.get_or_init(|| {
        // 1. Explicit env var
        if let Ok(path) = std::env::var("HELP_DOCS_PATH") {
            let p = PathBuf::from(&path);
            if p.join("README.md").is_file() || p.join("docs").is_dir() {
                tracing::info!("help_chat: loading docs from HELP_DOCS_PATH={path}");
                return load_docs(&p);
            }
            tracing::warn!("help_chat: HELP_DOCS_PATH={path} has no README.md or docs/");
        }
        // 2. Walk up from binary location
        let start = std::env::current_exe()
            .ok()
            .and_then(|p| p.parent().map(Path::to_path_buf))
            .unwrap_or_else(|| PathBuf::from("."));
-        match find_project_root(&start) {
+        if let Some(root) = find_project_root(&start) {
-            Some(root) => load_docs(&root),
+            return load_docs(&root);
-            None => {
+        }
-                // Fallback: try current working directory
+
-                let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
+        // 3. Current working directory
        if let Ok(cwd) = std::env::current_dir() {
            if let Some(root) = find_project_root(&cwd) {
                return load_docs(&root);
            }
            if cwd.join("README.md").is_file() {
                return load_docs(&cwd);
            }
        }
        // 4. Common Docker/deployment paths
        for candidate in ["/app", "/opt/compliance-scanner", "/srv/compliance-scanner"] {
            let p = PathBuf::from(candidate);
            if p.join("README.md").is_file() || p.join("docs").is_dir() {
                tracing::info!("help_chat: found docs at {candidate}");
                return load_docs(&p);
            }
        }
        tracing::error!(
-                    "help_chat: could not locate project root from {}; doc context will be empty",
+            "help_chat: could not locate project root; doc context will be empty. \
-                    start.display()
+             Set HELP_DOCS_PATH to the directory containing README.md and docs/"
        );
        String::new()
            }
        }
    })
 }
@@ -6,6 +6,7 @@ pub mod graph;
 pub mod health;
 pub mod help_chat;
 pub mod issues;
 pub mod notifications;
 pub mod pentest_handlers;
 pub use pentest_handlers as pentest;
 pub mod repos;
@@ -0,0 +1,178 @@
 use axum::extract::Extension;
 use axum::http::StatusCode;
 use axum::Json;
 use mongodb::bson::doc;
 use serde::Deserialize;
 use compliance_core::models::notification::CveNotification;
 use super::dto::{AgentExt, ApiResponse};
 /// GET /api/v1/notifications — List CVE notifications (newest first)
 #[tracing::instrument(skip_all)]
 pub async fn list_notifications(
    Extension(agent): AgentExt,
    axum::extract::Query(params): axum::extract::Query<NotificationFilter>,
 ) -> Result<Json<ApiResponse<Vec<CveNotification>>>, StatusCode> {
    let mut filter = doc! {};
    // Filter by status (default: show new + read, exclude dismissed)
    match params.status.as_deref() {
        Some("all") => {}
        Some(s) => {
            filter.insert("status", s);
        }
        None => {
            filter.insert("status", doc! { "$in": ["new", "read"] });
        }
    }
    // Filter by severity
    if let Some(ref sev) = params.severity {
        filter.insert("severity", sev.as_str());
    }
    // Filter by repo
    if let Some(ref repo_id) = params.repo_id {
        filter.insert("repo_id", repo_id.as_str());
    }
    let page = params.page.unwrap_or(1).max(1);
    let limit = params.limit.unwrap_or(50).min(200);
    let skip = (page - 1) * limit as u64;
    let total = agent
        .db
        .cve_notifications()
        .count_documents(filter.clone())
        .await
        .unwrap_or(0);
    let notifications: Vec<CveNotification> = match agent
        .db
        .cve_notifications()
        .find(filter)
        .sort(doc! { "created_at": -1 })
        .skip(skip)
        .limit(limit)
        .await
    {
        Ok(cursor) => {
            use futures_util::StreamExt;
            let mut items = Vec::new();
            let mut cursor = cursor;
            while let Some(Ok(n)) = cursor.next().await {
                items.push(n);
            }
            items
        }
        Err(e) => {
            tracing::error!("Failed to list notifications: {e}");
            return Err(StatusCode::INTERNAL_SERVER_ERROR);
        }
    };
    Ok(Json(ApiResponse {
        data: notifications,
        total: Some(total),
        page: Some(page),
    }))
 }
 /// GET /api/v1/notifications/count — Count of unread notifications
 #[tracing::instrument(skip_all)]
 pub async fn notification_count(
    Extension(agent): AgentExt,
 ) -> Result<Json<serde_json::Value>, StatusCode> {
    let count = agent
        .db
        .cve_notifications()
        .count_documents(doc! { "status": "new" })
        .await
        .unwrap_or(0);
    Ok(Json(serde_json::json!({ "count": count })))
 }
 /// PATCH /api/v1/notifications/:id/read — Mark a notification as read
 #[tracing::instrument(skip_all, fields(id = %id))]
 pub async fn mark_read(
    Extension(agent): AgentExt,
    axum::extract::Path(id): axum::extract::Path<String>,
 ) -> Result<Json<serde_json::Value>, StatusCode> {
    let oid = mongodb::bson::oid::ObjectId::parse_str(&id).map_err(|_| StatusCode::BAD_REQUEST)?;
    let result = agent
        .db
        .cve_notifications()
        .update_one(
            doc! { "_id": oid },
            doc! { "$set": {
                "status": "read",
                "read_at": mongodb::bson::DateTime::now(),
            }},
        )
        .await
        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
    if result.matched_count == 0 {
        return Err(StatusCode::NOT_FOUND);
    }
    Ok(Json(serde_json::json!({ "status": "read" })))
 }
 /// PATCH /api/v1/notifications/:id/dismiss — Dismiss a notification
 #[tracing::instrument(skip_all, fields(id = %id))]
 pub async fn dismiss_notification(
    Extension(agent): AgentExt,
    axum::extract::Path(id): axum::extract::Path<String>,
 ) -> Result<Json<serde_json::Value>, StatusCode> {
    let oid = mongodb::bson::oid::ObjectId::parse_str(&id).map_err(|_| StatusCode::BAD_REQUEST)?;
    let result = agent
        .db
        .cve_notifications()
        .update_one(
            doc! { "_id": oid },
            doc! { "$set": { "status": "dismissed" } },
        )
        .await
        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
    if result.matched_count == 0 {
        return Err(StatusCode::NOT_FOUND);
    }
    Ok(Json(serde_json::json!({ "status": "dismissed" })))
 }
 /// POST /api/v1/notifications/read-all — Mark all new notifications as read
 #[tracing::instrument(skip_all)]
 pub async fn mark_all_read(
    Extension(agent): AgentExt,
 ) -> Result<Json<serde_json::Value>, StatusCode> {
    let result = agent
        .db
        .cve_notifications()
        .update_many(
            doc! { "status": "new" },
            doc! { "$set": {
                "status": "read",
                "read_at": mongodb::bson::DateTime::now(),
            }},
        )
        .await
        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
    Ok(Json(
        serde_json::json!({ "updated": result.modified_count }),
    ))
 }
 #[derive(Debug, Deserialize)]
 pub struct NotificationFilter {
    pub status: Option<String>,
    pub severity: Option<String>,
    pub repo_id: Option<String>,
    pub page: Option<u64>,
    pub limit: Option<i64>,
 }
@@ -101,6 +101,27 @@ pub fn build_router() -> Router {
        )
        // Help chat (documentation-grounded Q&A)
        .route("/api/v1/help/chat", post(handlers::help_chat::help_chat))
        // CVE notification endpoints
        .route(
            "/api/v1/notifications",
            get(handlers::notifications::list_notifications),
        )
        .route(
            "/api/v1/notifications/count",
            get(handlers::notifications::notification_count),
        )
        .route(
            "/api/v1/notifications/read-all",
            post(handlers::notifications::mark_all_read),
        )
        .route(
            "/api/v1/notifications/{id}/read",
            patch(handlers::notifications::mark_read),
        )
        .route(
            "/api/v1/notifications/{id}/dismiss",
            patch(handlers::notifications::dismiss_notification),
        )
        // Pentest API endpoints
        .route(
            "/api/v1/pentest/lookup-repo",
@@ -1,8 +1,10 @@
 use std::sync::Arc;
 use axum::http::HeaderValue;
 use axum::{middleware, Extension};
 use tokio::sync::RwLock;
 use tower_http::cors::CorsLayer;
 use tower_http::set_header::SetResponseHeaderLayer;
 use tower_http::trace::TraceLayer;
 use crate::agent::ComplianceAgent;
@@ -14,7 +16,24 @@ pub async fn start_api_server(agent: ComplianceAgent, port: u16) -> Result<(), A
    let mut app = routes::build_router()
        .layer(Extension(Arc::new(agent.clone())))
        .layer(CorsLayer::permissive())
-        .layer(TraceLayer::new_for_http());
+        .layer(TraceLayer::new_for_http())
        // Security headers (defense-in-depth, primary enforcement via Traefik)
        .layer(SetResponseHeaderLayer::overriding(
            axum::http::header::STRICT_TRANSPORT_SECURITY,
            HeaderValue::from_static("max-age=31536000; includeSubDomains"),
        ))
        .layer(SetResponseHeaderLayer::overriding(
            axum::http::header::X_FRAME_OPTIONS,
            HeaderValue::from_static("DENY"),
        ))
        .layer(SetResponseHeaderLayer::overriding(
            axum::http::header::X_CONTENT_TYPE_OPTIONS,
            HeaderValue::from_static("nosniff"),
        ))
        .layer(SetResponseHeaderLayer::overriding(
            axum::http::header::REFERRER_POLICY,
            HeaderValue::from_static("strict-origin-when-cross-origin"),
        ));
    if let (Some(kc_url), Some(kc_realm)) =
        (&agent.config.keycloak_url, &agent.config.keycloak_realm)
@@ -42,7 +42,7 @@ pub fn load_config() -> Result<AgentConfig, AgentError> {
            .unwrap_or(3001),
        scan_schedule: env_var_opt("SCAN_SCHEDULE").unwrap_or_else(|| "0 0 */6 * * *".to_string()),
        cve_monitor_schedule: env_var_opt("CVE_MONITOR_SCHEDULE")
-            .unwrap_or_else(|| "0 0 0 * * *".to_string()),
+            .unwrap_or_else(|| "0 0 * * * *".to_string()),
        git_clone_base_path: env_var_opt("GIT_CLONE_BASE_PATH")
            .unwrap_or_else(|| "/tmp/compliance-scanner/repos".to_string()),
        ssh_key_path: env_var_opt("SSH_KEY_PATH")
@@ -78,6 +78,25 @@ impl Database {
            )
            .await?;
        // cve_notifications: unique cve_id + repo_id + package, status filter
        self.cve_notifications()
            .create_index(
                IndexModel::builder()
                    .keys(
                        doc! { "cve_id": 1, "repo_id": 1, "package_name": 1, "package_version": 1 },
                    )
                    .options(IndexOptions::builder().unique(true).build())
                    .build(),
            )
            .await?;
        self.cve_notifications()
            .create_index(
                IndexModel::builder()
                    .keys(doc! { "status": 1, "created_at": -1 })
                    .build(),
            )
            .await?;
        // tracker_issues: unique finding_id
        self.tracker_issues()
            .create_index(
@@ -222,6 +241,12 @@ impl Database {
        self.inner.collection("cve_alerts")
    }
    pub fn cve_notifications(
        &self,
    ) -> Collection<compliance_core::models::notification::CveNotification> {
        self.inner.collection("cve_notifications")
    }
    pub fn tracker_issues(&self) -> Collection<TrackerIssue> {
        self.inner.collection("tracker_issues")
    }
@@ -19,12 +19,17 @@ impl LlmClient {
        model: String,
        embed_model: String,
    ) -> Self {
        let http = reqwest::Client::builder()
            .timeout(std::time::Duration::from_secs(300))
            .connect_timeout(std::time::Duration::from_secs(10))
            .build()
            .unwrap_or_default();
        Self {
            base_url,
            api_key,
            model,
            embed_model,
-            http: reqwest::Client::new(),
+            http,
        }
    }
@@ -4,7 +4,7 @@ use compliance_agent::{agent, api, config, database, scheduler, ssh, webhooks};
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
    match dotenvy::dotenv() {
        Ok(path) => eprintln!("[dotenv] Loaded from: {}", path.display()),
-        Err(e) => eprintln!("[dotenv] FAILED: {e}"),
+        Err(_) => eprintln!("[dotenv] No .env file found, using environment variables"),
    }
    let _telemetry_guard = compliance_core::telemetry::init_telemetry("compliance-agent");
@@ -19,7 +19,9 @@ impl Scanner for GitleaksScanner {
    #[tracing::instrument(skip_all)]
    async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
-        let output = tokio::process::Command::new("gitleaks")
+        let output = tokio::time::timeout(
            std::time::Duration::from_secs(300),
            tokio::process::Command::new("gitleaks")
                .args([
                    "detect",
                    "--source",
@@ -33,8 +35,13 @@ impl Scanner for GitleaksScanner {
                    "0",
                ])
                .current_dir(repo_path)
-            .output()
+                .output(),
        )
        .await
        .map_err(|_| CoreError::Scanner {
            scanner: "gitleaks".to_string(),
            source: "timed out after 5 minutes".into(),
        })?
        .map_err(|e| CoreError::Scanner {
            scanner: "gitleaks".to_string(),
            source: Box::new(e),
@@ -174,19 +174,26 @@ impl PipelineOrchestrator {
                k.expose_secret().to_string()
            }),
        );
-        let cve_alerts = match async {
+        let cve_alerts = match tokio::time::timeout(
            std::time::Duration::from_secs(600),
            async {
                cve_scanner
                    .scan_dependencies(&repo_id, &mut sbom_entries)
                    .await
            }
-        .instrument(tracing::info_span!("stage_cve_scanning"))
+            .instrument(tracing::info_span!("stage_cve_scanning")),
        )
        .await
        {
-            Ok(alerts) => alerts,
+            Ok(Ok(alerts)) => alerts,
-            Err(e) => {
+            Ok(Err(e)) => {
                tracing::warn!("[{repo_id}] CVE scanning failed: {e}");
                Vec::new()
            }
            Err(_) => {
                tracing::warn!("[{repo_id}] CVE scanning timed out after 10 minutes");
                Vec::new()
            }
        };
        // Stage 4: Pattern Scanning (GDPR + OAuth)
@@ -315,8 +322,15 @@ impl PipelineOrchestrator {
                .await?;
        }
-        // Persist CVE alerts (upsert by cve_id + repo_id)
+        // Persist CVE alerts and create notifications
        {
            use compliance_core::models::notification::{parse_severity, CveNotification};
            let repo_name = repo.name.clone();
            let mut new_notif_count = 0u32;
            for alert in &cve_alerts {
                // Upsert the alert
                let filter = doc! {
                    "cve_id": &alert.cve_id,
                    "repo_id": &alert.repo_id,
@@ -329,6 +343,46 @@ impl PipelineOrchestrator {
                    .update_one(filter, update)
                    .upsert(true)
                    .await?;
                // Create notification (dedup by cve_id + repo + package + version)
                let notif_filter = doc! {
                    "cve_id": &alert.cve_id,
                    "repo_id": &alert.repo_id,
                    "package_name": &alert.affected_package,
                    "package_version": &alert.affected_version,
                };
                let severity = parse_severity(alert.severity.as_deref(), alert.cvss_score);
                let mut notification = CveNotification::new(
                    alert.cve_id.clone(),
                    repo_id.clone(),
                    repo_name.clone(),
                    alert.affected_package.clone(),
                    alert.affected_version.clone(),
                    severity,
                );
                notification.cvss_score = alert.cvss_score;
                notification.summary = alert.summary.clone();
                notification.url = Some(format!("https://osv.dev/vulnerability/{}", alert.cve_id));
                let notif_update = doc! {
                    "$setOnInsert": mongodb::bson::to_bson(&notification).unwrap_or_default()
                };
                if let Ok(result) = self
                    .db
                    .cve_notifications()
                    .update_one(notif_filter, notif_update)
                    .upsert(true)
                    .await
                {
                    if result.upserted_id.is_some() {
                        new_notif_count += 1;
                    }
                }
            }
            if new_notif_count > 0 {
                tracing::info!("[{repo_id}] Created {new_notif_count} CVE notification(s)");
            }
        }
        // Stage 6: Issue Creation
@@ -5,16 +5,22 @@ use compliance_core::CoreError;
 #[tracing::instrument(skip_all, fields(repo_id = %repo_id))]
 pub(super) async fn run_syft(repo_path: &Path, repo_id: &str) -> Result<Vec<SbomEntry>, CoreError> {
-    let output = tokio::process::Command::new("syft")
+    let output = tokio::time::timeout(
        std::time::Duration::from_secs(300),
        tokio::process::Command::new("syft")
            .arg(repo_path)
            .args(["-o", "cyclonedx-json"])
        // Enable remote license lookups for all ecosystems
            .env("SYFT_GOLANG_SEARCH_REMOTE_LICENSES", "true")
            .env("SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES", "true")
            .env("SYFT_PYTHON_SEARCH_REMOTE_LICENSES", "true")
            .env("SYFT_JAVA_USE_NETWORK", "true")
-        .output()
+            .output(),
    )
    .await
    .map_err(|_| CoreError::Scanner {
        scanner: "syft".to_string(),
        source: "timed out after 5 minutes".into(),
    })?
    .map_err(|e| CoreError::Scanner {
        scanner: "syft".to_string(),
        source: Box::new(e),
@@ -19,11 +19,26 @@ impl Scanner for SemgrepScanner {
    #[tracing::instrument(skip_all)]
    async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
-        let output = tokio::process::Command::new("semgrep")
+        let output = tokio::time::timeout(
-            .args(["--config=auto", "--json", "--quiet"])
+            std::time::Duration::from_secs(600),
            tokio::process::Command::new("semgrep")
                .args([
                    "--config=auto",
                    "--json",
                    "--quiet",
                    "--max-memory",
                    "500",
                    "--jobs",
                    "1",
                ])
                .arg(repo_path)
-            .output()
+                .output(),
        )
        .await
        .map_err(|_| CoreError::Scanner {
            scanner: "semgrep".to_string(),
            source: "timed out after 10 minutes".into(),
        })?
        .map_err(|e| CoreError::Scanner {
            scanner: "semgrep".to_string(),
            source: Box::new(e),
@@ -6,11 +6,16 @@ use compliance_core::models::embedding::{CodeEmbedding, EmbeddingBuildRun, Embed
 use compliance_core::models::graph::CodeNode;
 use compliance_graph::graph::chunking::extract_chunks;
 use compliance_graph::graph::embedding_store::EmbeddingStore;
 use futures_util::stream::{FuturesUnordered, StreamExt};
 use tracing::{error, info};
 use crate::error::AgentError;
 use crate::llm::LlmClient;
 const EMBED_BATCH_SIZE: usize = 20;
 const EMBED_CONCURRENCY: usize = 4;
 const EMBED_FLUSH_EVERY: usize = 200;
 /// RAG pipeline for building embeddings and performing retrieval
 pub struct RagPipeline {
    llm: Arc<LlmClient>,
@@ -77,25 +82,33 @@ impl RagPipeline {
            .await
            .map_err(|e| AgentError::Other(format!("Failed to delete old embeddings: {e}")))?;
-        // Step 3: Batch embed (small batches to stay within model limits)
+        // Step 3: Batch embed with bounded concurrency. Flush to Mongo and
-        let batch_size = 20;
+        // update progress periodically so the dashboard can show live status.
-        let mut all_embeddings = Vec::new();
+        let mut pending = Vec::with_capacity(EMBED_FLUSH_EVERY);
        let mut embedded_count = 0u32;
-        for batch_start in (0..chunks.len()).step_by(batch_size) {
+        // Build the list of batch indices to process.
-            let batch_end = (batch_start + batch_size).min(chunks.len());
+        let batches: Vec<(usize, usize)> = (0..chunks.len())
-            let batch_chunks = &chunks[batch_start..batch_end];
+            .step_by(EMBED_BATCH_SIZE)
-
+            .map(|start| (start, (start + EMBED_BATCH_SIZE).min(chunks.len())))
            // Prepare texts: context_header + content
            let texts: Vec<String> = batch_chunks
                .iter()
                .map(|c| format!("{}\n{}", c.context_header, c.content))
            .collect();
-            match self.llm.embed(texts).await {
+        let mut batch_iter = batches.into_iter();
-                Ok(vectors) => {
+        let mut in_flight = FuturesUnordered::new();
        // Prime up to EMBED_CONCURRENCY batches.
        for _ in 0..EMBED_CONCURRENCY {
            if let Some((start, end)) = batch_iter.next() {
                in_flight.push(self.embed_batch(&chunks[start..end], start, end));
            }
        }
        while let Some(result) = in_flight.next().await {
            match result {
                Ok((start, end, vectors)) => {
                    let batch_chunks = &chunks[start..end];
                    for (chunk, embedding) in batch_chunks.iter().zip(vectors) {
-                        all_embeddings.push(CodeEmbedding {
+                        pending.push(CodeEmbedding {
                            id: None,
                            repo_id: repo_id.to_string(),
                            graph_build_id: graph_build_id.to_string(),
@@ -113,9 +126,45 @@ impl RagPipeline {
                        });
                    }
                    embedded_count += batch_chunks.len() as u32;
                    // Flush pending embeddings to Mongo periodically and update progress.
                    if pending.len() >= EMBED_FLUSH_EVERY {
                        self.embedding_store
                            .store_embeddings(&pending)
                            .await
                            .map_err(|e| {
                                AgentError::Other(format!("Failed to store embeddings: {e}"))
                            })?;
                        pending.clear();
                    }
                    // Always update the progress counter on the build doc — even if
                    // we haven't flushed embeddings yet — so the UI shows movement.
                    if let Err(e) = self
                        .embedding_store
                        .update_build(
                            repo_id,
                            graph_build_id,
                            EmbeddingBuildStatus::Running,
                            embedded_count,
                            None,
                        )
                        .await
                    {
                        error!("[{repo_id}] Failed to update build progress: {e}");
                    }
                    // Queue the next batch to keep concurrency saturated.
                    if let Some((s, e)) = batch_iter.next() {
                        in_flight.push(self.embed_batch(&chunks[s..e], s, e));
                    }
                }
                Err(e) => {
                    error!("[{repo_id}] Embedding batch failed: {e}");
                    // Flush whatever we have so partial progress isn't lost.
                    if !pending.is_empty() {
                        let _ = self.embedding_store.store_embeddings(&pending).await;
                    }
                    build.status = EmbeddingBuildStatus::Failed;
                    build.error_message = Some(e.to_string());
                    build.completed_at = Some(Utc::now());
@@ -134,11 +183,13 @@ impl RagPipeline {
            }
        }
-        // Step 4: Store all embeddings
+        // Step 4: Flush any remaining embeddings
        if !pending.is_empty() {
            self.embedding_store
-            .store_embeddings(&all_embeddings)
+                .store_embeddings(&pending)
                .await
                .map_err(|e| AgentError::Other(format!("Failed to store embeddings: {e}")))?;
        }
        // Step 5: Update build status
        build.status = EmbeddingBuildStatus::Completed;
@@ -161,4 +212,21 @@ impl RagPipeline {
        );
        Ok(build)
    }
    /// Embed one batch of chunks. Returns the (start, end, vectors) tuple so
    /// out-of-order completion from `FuturesUnordered` can still be reconciled
    /// against the original chunk slice.
    async fn embed_batch(
        &self,
        batch_chunks: &[compliance_graph::graph::chunking::CodeChunk],
        start: usize,
        end: usize,
    ) -> Result<(usize, usize, Vec<Vec<f64>>), AgentError> {
        let texts: Vec<String> = batch_chunks
            .iter()
            .map(|c| format!("{}\n{}", c.context_header, c.content))
            .collect();
        let vectors = self.llm.embed(texts).await?;
        Ok((start, end, vectors))
    }
 }
@@ -82,24 +82,158 @@ async fn scan_all_repos(agent: &ComplianceAgent) {
 }
 async fn monitor_cves(agent: &ComplianceAgent) {
    use compliance_core::models::notification::{parse_severity, CveNotification};
    use compliance_core::models::SbomEntry;
    use futures_util::StreamExt;
-    // Re-scan all SBOM entries for new CVEs
+    // Fetch all SBOM entries grouped by repo
    let cursor = match agent.db.sbom_entries().find(doc! {}).await {
        Ok(c) => c,
        Err(e) => {
-            tracing::error!("Failed to list SBOM entries for CVE monitoring: {e}");
+            tracing::error!("CVE monitor: failed to list SBOM entries: {e}");
            return;
        }
    };
-
+    let entries: Vec<SbomEntry> = cursor.filter_map(|r| async { r.ok() }).collect().await;
    let entries: Vec<_> = cursor.filter_map(|r| async { r.ok() }).collect().await;
    if entries.is_empty() {
        tracing::debug!("CVE monitor: no SBOM entries, skipping");
        return;
    }
-    tracing::info!("CVE monitor: checking {} dependencies", entries.len());
+    tracing::info!(
-    // The actual CVE checking is handled by the CveScanner in the pipeline
+        "CVE monitor: checking {} dependencies for new CVEs",
-    // This is a simplified version that just logs the activity
+        entries.len()
    );
    // Build a repo_id → repo_name lookup
    let repo_ids: std::collections::HashSet<String> =
        entries.iter().map(|e| e.repo_id.clone()).collect();
    let mut repo_names: std::collections::HashMap<String, String> =
        std::collections::HashMap::new();
    for rid in &repo_ids {
        if let Ok(oid) = mongodb::bson::oid::ObjectId::parse_str(rid) {
            if let Ok(Some(repo)) = agent.db.repositories().find_one(doc! { "_id": oid }).await {
                repo_names.insert(rid.clone(), repo.name.clone());
            }
        }
    }
    // Use the existing CveScanner to query OSV.dev
    let nvd_key = agent.config.nvd_api_key.as_ref().map(|k| {
        use secrecy::ExposeSecret;
        k.expose_secret().to_string()
    });
    let scanner = crate::pipeline::cve::CveScanner::new(
        agent.http.clone(),
        agent.config.searxng_url.clone(),
        nvd_key,
    );
    // Group entries by repo for scanning
    let mut entries_by_repo: std::collections::HashMap<String, Vec<SbomEntry>> =
        std::collections::HashMap::new();
    for entry in entries {
        entries_by_repo
            .entry(entry.repo_id.clone())
            .or_default()
            .push(entry);
    }
    let mut new_notifications = 0u32;
    for (repo_id, mut repo_entries) in entries_by_repo {
        let repo_name = repo_names
            .get(&repo_id)
            .cloned()
            .unwrap_or_else(|| repo_id.clone());
        // Scan dependencies for CVEs
        let alerts = match scanner.scan_dependencies(&repo_id, &mut repo_entries).await {
            Ok(a) => a,
            Err(e) => {
                tracing::warn!("CVE monitor: scan failed for {repo_name}: {e}");
                continue;
            }
        };
        // Upsert CVE alerts (existing logic)
        for alert in &alerts {
            let filter = doc! { "cve_id": &alert.cve_id, "repo_id": &alert.repo_id };
            let update = doc! { "$setOnInsert": mongodb::bson::to_bson(alert).unwrap_or_default() };
            let _ = agent
                .db
                .cve_alerts()
                .update_one(filter, update)
                .upsert(true)
                .await;
        }
        // Update SBOM entries with discovered vulnerabilities
        for entry in &repo_entries {
            if entry.known_vulnerabilities.is_empty() {
                continue;
            }
            if let Some(entry_id) = &entry.id {
                let _ = agent
                    .db
                    .sbom_entries()
                    .update_one(
                        doc! { "_id": entry_id },
                        doc! { "$set": {
                            "known_vulnerabilities": mongodb::bson::to_bson(&entry.known_vulnerabilities).unwrap_or_default(),
                            "updated_at": mongodb::bson::DateTime::now(),
                        }},
                    )
                    .await;
            }
        }
        // Create notifications for NEW CVEs (dedup against existing notifications)
        for alert in &alerts {
            let filter = doc! {
                "cve_id": &alert.cve_id,
                "repo_id": &alert.repo_id,
                "package_name": &alert.affected_package,
                "package_version": &alert.affected_version,
            };
            // Only insert if not already exists (upsert with $setOnInsert)
            let severity = parse_severity(alert.severity.as_deref(), alert.cvss_score);
            let mut notification = CveNotification::new(
                alert.cve_id.clone(),
                repo_id.clone(),
                repo_name.clone(),
                alert.affected_package.clone(),
                alert.affected_version.clone(),
                severity,
            );
            notification.cvss_score = alert.cvss_score;
            notification.summary = alert.summary.clone();
            notification.url = Some(format!("https://osv.dev/vulnerability/{}", alert.cve_id));
            let update = doc! {
                "$setOnInsert": mongodb::bson::to_bson(&notification).unwrap_or_default()
            };
            match agent
                .db
                .cve_notifications()
                .update_one(filter, update)
                .upsert(true)
                .await
            {
                Ok(result) if result.upserted_id.is_some() => {
                    new_notifications += 1;
                }
                Err(e) => {
                    tracing::warn!("CVE monitor: failed to create notification: {e}");
                }
                _ => {} // Already exists
            }
        }
    }
    if new_notifications > 0 {
        tracing::info!("CVE monitor: created {new_notifications} new notification(s)");
    } else {
        tracing::info!("CVE monitor: no new CVEs found");
    }
 }
@@ -18,6 +18,15 @@ telemetry = [
    "dep:tracing-subscriber",
    "dep:tracing",
 ]
 # Pulls in the M7.1 Axum middleware + extractor. Consumers that don't
 # embed an HTTP server (e.g. the wasm dashboard frontend) leave it off.
 axum = [
    "dep:axum",
    "dep:jsonwebtoken",
    "dep:reqwest",
    "dep:tokio",
    "dep:tracing",
 ]
 [dependencies]
 serde = { workspace = true }
@@ -37,3 +46,7 @@ opentelemetry-appender-tracing = { version = "0.29", optional = true }
 tracing-opentelemetry = { version = "0.30", optional = true }
 tracing-subscriber = { workspace = true, optional = true }
 tracing = { workspace = true, optional = true }
 axum = { version = "0.8", optional = true }
 jsonwebtoken = { version = "9", optional = true }
 reqwest = { workspace = true, optional = true }
 tokio = { workspace = true, optional = true }
@@ -0,0 +1,390 @@
 //! M7.1 — JWT validation + tenant context propagation.
 //!
 //! `require_jwt_auth` validates a Bearer JWT against Keycloak's JWKS and
 //! attaches a [`TenantContext`] to the request extensions. Downstream
 //! middleware ([`require_tenant_status`]) and Axum extractors
 //! ([`crate::tenant_ctx::TenantCtx`]) read it from there.
 //!
 //! Skipped paths:
 //! * `/api/v1/health` — Kubernetes liveness; never authenticated.
 //!
 //! Failure modes:
 //! * No `JwksState` extension → pass-through (single-tenant dev mode).
 //! * Missing / malformed Bearer header → 401.
 //! * Signature / expiry invalid → 401.
 //! * Claims present but tenant_id missing → 401 (treated as a malformed
 //!   token; the realm must always issue tenant_id).
 use std::sync::Arc;
 use axum::{
    extract::Request,
    http::Method,
    middleware::Next,
    response::{IntoResponse, Response},
 };
 use jsonwebtoken::{decode, decode_header, jwk::JwkSet, DecodingKey, Validation};
 use reqwest::StatusCode;
 use serde::Deserialize;
 use tokio::sync::RwLock;
 use crate::{OrgRole, TenantContext, TenantStatus};
 /// Cached JWKS from Keycloak for token validation.
 #[derive(Clone)]
 pub struct JwksState {
    pub jwks: Arc<RwLock<Option<JwkSet>>>,
    pub jwks_url: String,
 }
 /// Raw shape of the JWT payload — matches the breakpilot-dev realm's
 /// protocol-mapper output. Missing fields default to "" / empty so a
 /// realm that hasn't been fully wired yet still validates.
 #[derive(Debug, Deserialize)]
 struct Claims {
    sub: String,
    #[serde(default)]
    name: Option<String>,
    #[serde(default)]
    preferred_username: Option<String>,
    #[serde(default)]
    tenant_id: String,
    #[serde(default)]
    tenant_slug: String,
    #[serde(default)]
    org_roles: Vec<String>,
    #[serde(default)]
    products: Vec<String>,
    #[serde(default)]
    plan: String,
    #[serde(default)]
    tenant_status: Option<TenantStatus>,
 }
 const PUBLIC_ENDPOINTS: &[&str] = &["/api/v1/health"];
 /// Middleware that validates Bearer JWT tokens against Keycloak's JWKS
 /// and attaches a `TenantContext` extension on success.
 ///
 /// Skips validation for the health endpoint.
 /// If `JwksState` is not present (Keycloak not configured), requests
 /// pass through and downstream code must handle the missing context.
 pub async fn require_jwt_auth(mut request: Request, next: Next) -> Response {
    let path = request.uri().path();
    if PUBLIC_ENDPOINTS.contains(&path) {
        return next.run(request).await;
    }
    let jwks_state = match request.extensions().get::<JwksState>() {
        Some(s) => s.clone(),
        None => return next.run(request).await,
    };
    let auth_header = match request.headers().get("authorization") {
        Some(h) => h,
        None => return (StatusCode::UNAUTHORIZED, "Missing authorization header").into_response(),
    };
    let token = match auth_header.to_str() {
        Ok(s) if s.starts_with("Bearer ") => &s[7..],
        _ => return (StatusCode::UNAUTHORIZED, "Invalid authorization header").into_response(),
    };
    match validate_token(token, &jwks_state).await {
        Ok(ctx) => {
            request.extensions_mut().insert(ctx);
            next.run(request).await
        }
        Err(e) => {
            tracing::warn!("JWT validation failed: {e}");
            (StatusCode::UNAUTHORIZED, "Invalid token").into_response()
        }
    }
 }
 /// Middleware that enforces the M7.1 `tenant_status` contract.
 ///
 /// * `Active` / `Trial` / `Demo` — pass through.
 /// * `Frozen` — read-only after cancel / non-payment. Writes return 402.
 /// * `Archived` — data-retention window closed. Every request returns 410.
 ///
 /// Pass-through when no `TenantContext` is present (single-tenant dev or
 /// the upstream JWT middleware ran without `JwksState`).
 pub async fn require_tenant_status(request: Request, next: Next) -> Response {
    let ctx = match request.extensions().get::<TenantContext>() {
        Some(c) => c.clone(),
        None => return next.run(request).await,
    };
    if ctx.status.is_archived() {
        return (
            StatusCode::GONE,
            "Tenant archived — data retention window closed",
        )
            .into_response();
    }
    if ctx.status.is_frozen() && is_write(request.method()) {
        return (
            StatusCode::PAYMENT_REQUIRED,
            "Tenant frozen — read-only. Re-activate to resume writes.",
        )
            .into_response();
    }
    next.run(request).await
 }
 /// Treat anything other than GET/HEAD/OPTIONS as a write. Good enough for
 /// REST. The few exceptions (e.g. read-side POSTs) can opt out at the
 /// handler level once we have them.
 fn is_write(m: &Method) -> bool {
    !matches!(m, &Method::GET | &Method::HEAD | &Method::OPTIONS)
 }
 async fn validate_token(token: &str, state: &JwksState) -> Result<TenantContext, String> {
    let header = decode_header(token).map_err(|e| format!("failed to decode JWT header: {e}"))?;
    let kid = header
        .kid
        .clone()
        .ok_or_else(|| "JWT missing kid header".to_string())?;
    // First try against whatever's currently cached. If the kid isn't
    // there or the signature doesn't verify, the cached JWKS is most
    // likely stale (KC rotated keys) — refresh once and retry before
    // giving up. Without this every key rotation produces a silent 401
    // storm that only goes away when the agent restarts.
    let jwks = fetch_or_get_jwks(state, false).await?;
    match try_validate(token, &header, &kid, &jwks) {
        Ok(ctx) => Ok(ctx),
        Err(ValidationError::Permanent(e)) => Err(e),
        Err(ValidationError::Stale(reason)) => {
            tracing::info!(
                kid = %kid,
                reason = %reason,
                "JWKS appears stale — forcing refresh and retrying"
            );
            let jwks = fetch_or_get_jwks(state, true).await?;
            try_validate(token, &header, &kid, &jwks).map_err(|e| match e {
                ValidationError::Stale(s) | ValidationError::Permanent(s) => s,
            })
        }
    }
 }
 #[derive(Debug)]
 enum ValidationError {
    /// Refresh-eligible: cached JWKS may be stale.
    Stale(String),
    /// Refusing the token regardless of JWKS freshness.
    Permanent(String),
 }
 fn try_validate(
    token: &str,
    header: &jsonwebtoken::Header,
    kid: &str,
    jwks: &JwkSet,
 ) -> Result<TenantContext, ValidationError> {
    let jwk = match jwks
        .keys
        .iter()
        .find(|k| k.common.key_id.as_deref() == Some(kid))
    {
        Some(j) => j,
        None => {
            return Err(ValidationError::Stale(
                "no matching key found in JWKS".to_string(),
            ))
        }
    };
    let decoding_key = DecodingKey::from_jwk(jwk)
        .map_err(|e| ValidationError::Permanent(format!("failed to create decoding key: {e}")))?;
    let mut validation = Validation::new(header.alg);
    validation.validate_exp = true;
    validation.validate_aud = false;
    let data = match decode::<Claims>(token, &decoding_key, &validation) {
        Ok(d) => d,
        Err(e) => {
            // Signature mismatch is the other refresh-eligible failure:
            // the matching kid is present but the key bytes don't match.
            // Everything else (expired, malformed, etc.) is permanent.
            return Err(
                if matches!(e.kind(), jsonwebtoken::errors::ErrorKind::InvalidSignature) {
                    ValidationError::Stale(format!("token validation failed: {e}"))
                } else {
                    ValidationError::Permanent(format!("token validation failed: {e}"))
                },
            );
        }
    };
    claims_to_context(data.claims).map_err(ValidationError::Permanent)
 }
 /// Map the decoded JWT payload into the platform-wide `TenantContext`.
 /// Pulled out for unit testing — no I/O.
 fn claims_to_context(c: Claims) -> Result<TenantContext, String> {
    if c.tenant_id.is_empty() {
        return Err("JWT is missing tenant_id claim".to_string());
    }
    let status = c.tenant_status.unwrap_or_else(|| {
        tracing::warn!(
            "JWT missing tenant_status claim for tenant {} — defaulting to Trial",
            c.tenant_id
        );
        TenantStatus::Trial
    });
    Ok(TenantContext {
        tenant_id: c.tenant_id,
        tenant_slug: c.tenant_slug,
        org_roles: c.org_roles.iter().map(|r| OrgRole::parse(r)).collect(),
        products: c.products,
        plan: c.plan,
        status,
        user_id: c.sub,
        user_name: c.name.or(c.preferred_username),
    })
 }
 async fn fetch_or_get_jwks(state: &JwksState, force: bool) -> Result<JwkSet, String> {
    if !force {
        let cached = state.jwks.read().await;
        if let Some(ref jwks) = *cached {
            return Ok(jwks.clone());
        }
    }
    // Hold the write lock across the fetch so concurrent refreshers
    // don't all hammer Keycloak when keys rotate. If another writer
    // already populated a fresh JWKS while we were waiting (and we
    // weren't asked to force), use theirs.
    let mut cached = state.jwks.write().await;
    if !force {
        if let Some(ref jwks) = *cached {
            return Ok(jwks.clone());
        }
    }
    let resp = reqwest::get(&state.jwks_url)
        .await
        .map_err(|e| format!("failed to fetch JWKS: {e}"))?;
    let jwks: JwkSet = resp
        .json()
        .await
        .map_err(|e| format!("failed to parse JWKS: {e}"))?;
    *cached = Some(jwks.clone());
    Ok(jwks)
 }
 #[cfg(test)]
 #[allow(clippy::expect_used, clippy::unwrap_used)]
 mod tests {
    use super::*;
    fn base_claims() -> Claims {
        Claims {
            sub: "user-123".to_string(),
            name: Some("Alice Acme".to_string()),
            preferred_username: None,
            tenant_id: "00000000-0000-0000-0000-000000000001".to_string(),
            tenant_slug: "acme".to_string(),
            org_roles: vec!["IT_ADMIN".to_string()],
            products: vec!["compliance".to_string()],
            plan: "professional".to_string(),
            tenant_status: Some(TenantStatus::Active),
        }
    }
    #[test]
    fn claims_to_context_happy_path() {
        let ctx = claims_to_context(base_claims()).expect("should map");
        assert_eq!(ctx.tenant_id, "00000000-0000-0000-0000-000000000001");
        assert_eq!(ctx.tenant_slug, "acme");
        assert_eq!(ctx.org_roles, vec![OrgRole::ItAdmin]);
        assert_eq!(ctx.products, vec!["compliance"]);
        assert_eq!(ctx.plan, "professional");
        assert_eq!(ctx.status, TenantStatus::Active);
        assert_eq!(ctx.user_id, "user-123");
        assert_eq!(ctx.user_name.as_deref(), Some("Alice Acme"));
    }
    #[test]
    fn claims_to_context_rejects_missing_tenant_id() {
        let mut c = base_claims();
        c.tenant_id = "".to_string();
        let err = claims_to_context(c).expect_err("should reject");
        assert!(err.contains("tenant_id"));
    }
    #[test]
    fn claims_to_context_defaults_status_when_missing() {
        let mut c = base_claims();
        c.tenant_status = None;
        let ctx = claims_to_context(c).expect("should map");
        assert_eq!(ctx.status, TenantStatus::Trial);
    }
    #[test]
    fn claims_to_context_falls_back_to_preferred_username() {
        let mut c = base_claims();
        c.name = None;
        c.preferred_username = Some("alice@acme.dev".to_string());
        let ctx = claims_to_context(c).expect("should map");
        assert_eq!(ctx.user_name.as_deref(), Some("alice@acme.dev"));
    }
    #[test]
    fn claims_to_context_parses_multiple_roles() {
        let mut c = base_claims();
        c.org_roles = vec![
            "IT_ADMIN".to_string(),
            "CXO".to_string(),
            "GARBAGE".to_string(),
        ];
        let ctx = claims_to_context(c).expect("should map");
        assert_eq!(
            ctx.org_roles,
            vec![OrgRole::ItAdmin, OrgRole::Cxo, OrgRole::Unknown]
        );
    }
    #[test]
    fn try_validate_returns_stale_when_kid_missing_from_jwks() {
        // Empty JWKS — the kid we ask for can't possibly match. The error
        // must classify as Stale so the caller refreshes JWKS and retries.
        let jwks = JwkSet { keys: vec![] };
        let header = jsonwebtoken::Header {
            alg: jsonwebtoken::Algorithm::RS256,
            kid: Some("kid-rotated-out".to_string()),
            ..Default::default()
        };
        let err = try_validate("ignored.token.value", &header, "kid-rotated-out", &jwks)
            .expect_err("should fail");
        match err {
            ValidationError::Stale(s) => assert!(s.contains("no matching key")),
            ValidationError::Permanent(s) => panic!("must be Stale, got Permanent: {s}"),
        }
    }
    #[test]
    fn is_write_detects_methods() {
        assert!(!is_write(&Method::GET));
        assert!(!is_write(&Method::HEAD));
        assert!(!is_write(&Method::OPTIONS));
        assert!(is_write(&Method::POST));
        assert!(is_write(&Method::PUT));
        assert!(is_write(&Method::PATCH));
        assert!(is_write(&Method::DELETE));
    }
 }
@@ -0,0 +1,75 @@
 //! Database helpers shared across the workspace.
 //!
 //! `tenant_filter` returns the BSON filter that every query and update
 //! against a tenant-scoped collection MUST include. Centralising it here
 //! makes the rule grep-able and keeps query call-sites from accidentally
 //! omitting it.
 //!
 //! Future work (M7.2+): each collection model grows a `tenant_id` field
 //! and every `find` / `update_*` / `delete_*` call gets this filter
 //! merged in. The migration to per-collection scoping is tracked
 //! separately — this helper is the building block.
 use bson::{doc, Document};
 use crate::TenantContext;
 /// Returns `{ "tenant_id": <ctx.tenant_id> }`. Merge this into every
 /// query filter against a tenant-scoped collection.
 ///
 /// Use [`tenant_filter_merge`] when you need to combine it with other
 /// query conditions — it preserves both halves without overwriting.
 pub fn tenant_filter(ctx: &TenantContext) -> Document {
    doc! { "tenant_id": &ctx.tenant_id }
 }
 /// Returns the tenant filter merged with caller-supplied conditions.
 /// The tenant_id always wins on key conflict — callers cannot
 /// accidentally override the scoping.
 pub fn tenant_filter_merge(ctx: &TenantContext, mut extra: Document) -> Document {
    extra.insert("tenant_id", &ctx.tenant_id);
    extra
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use crate::TenantStatus;
    fn ctx() -> TenantContext {
        TenantContext {
            tenant_id: "t-abc".to_string(),
            tenant_slug: "acme".to_string(),
            org_roles: vec![],
            products: vec![],
            plan: "starter".to_string(),
            status: TenantStatus::Active,
            user_id: "u-1".to_string(),
            user_name: None,
        }
    }
    #[test]
    fn produces_tenant_id_filter() {
        let f = tenant_filter(&ctx());
        assert_eq!(f.get_str("tenant_id"), Ok("t-abc"));
        assert_eq!(f.len(), 1);
    }
    #[test]
    fn merge_preserves_extra_conditions() {
        let extra = doc! { "status": "open", "severity": "high" };
        let f = tenant_filter_merge(&ctx(), extra);
        assert_eq!(f.get_str("tenant_id"), Ok("t-abc"));
        assert_eq!(f.get_str("status"), Ok("open"));
        assert_eq!(f.get_str("severity"), Ok("high"));
    }
    #[test]
    fn merge_overrides_caller_tenant_id() {
        let extra = doc! { "tenant_id": "evil-other", "status": "open" };
        let f = tenant_filter_merge(&ctx(), extra);
        assert_eq!(f.get_str("tenant_id"), Ok("t-abc"));
        assert_eq!(f.get_str("status"), Ok("open"));
    }
 }
@@ -1,9 +1,17 @@
 pub mod config;
 pub mod db;
 pub mod error;
 pub mod models;
 #[cfg(feature = "telemetry")]
 pub mod telemetry;
 pub mod tenant;
 pub mod traits;
 #[cfg(feature = "axum")]
 pub mod auth;
 #[cfg(feature = "axum")]
 pub mod tenant_ctx;
 pub use config::{AgentConfig, DashboardConfig};
 pub use error::CoreError;
 pub use tenant::{OrgRole, TenantContext, TenantStatus};
@@ -7,6 +7,7 @@ pub mod finding;
 pub mod graph;
 pub mod issue;
 pub mod mcp;
 pub mod notification;
 pub mod pentest;
 pub mod repository;
 pub mod sbom;
@@ -27,6 +28,7 @@ pub use graph::{
 };
 pub use issue::{IssueStatus, TrackerIssue, TrackerType};
 pub use mcp::{McpServerConfig, McpServerStatus, McpTransport};
 pub use notification::{CveNotification, NotificationSeverity, NotificationStatus};
 pub use pentest::{
    AttackChainNode, AttackNodeStatus, AuthMode, CodeContextHint, Environment, IdentityProvider,
    PentestAuthConfig, PentestConfig, PentestEvent, PentestMessage, PentestSession, PentestStats,
@@ -0,0 +1,103 @@
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 /// Status of a CVE notification
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(rename_all = "lowercase")]
 pub enum NotificationStatus {
    /// Newly created, not yet seen by the user
    New,
    /// User has seen it (e.g., opened the notification panel)
    Read,
    /// User has explicitly acknowledged/dismissed it
    Dismissed,
 }
 /// Severity level for notification filtering
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
 #[serde(rename_all = "lowercase")]
 pub enum NotificationSeverity {
    Low,
    Medium,
    High,
    Critical,
 }
 /// A notification about a newly discovered CVE affecting a tracked dependency.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct CveNotification {
    #[serde(rename = "_id", skip_serializing_if = "Option::is_none")]
    pub id: Option<bson::oid::ObjectId>,
    /// The CVE/GHSA identifier
    pub cve_id: String,
    /// Repository where the vulnerable dependency is used
    pub repo_id: String,
    /// Repository name (denormalized for display)
    pub repo_name: String,
    /// Affected package name
    pub package_name: String,
    /// Affected version
    pub package_version: String,
    /// Human-readable severity
    pub severity: NotificationSeverity,
    /// CVSS score if available
    pub cvss_score: Option<f64>,
    /// Short summary of the vulnerability
    pub summary: Option<String>,
    /// Link to vulnerability details
    pub url: Option<String>,
    /// Notification lifecycle status
    pub status: NotificationStatus,
    /// When the CVE was first detected for this dependency
    #[serde(with = "super::serde_helpers::bson_datetime")]
    pub created_at: DateTime<Utc>,
    /// When the user last interacted with this notification
    pub read_at: Option<DateTime<Utc>>,
 }
 impl CveNotification {
    pub fn new(
        cve_id: String,
        repo_id: String,
        repo_name: String,
        package_name: String,
        package_version: String,
        severity: NotificationSeverity,
    ) -> Self {
        Self {
            id: None,
            cve_id,
            repo_id,
            repo_name,
            package_name,
            package_version,
            severity,
            cvss_score: None,
            summary: None,
            url: None,
            status: NotificationStatus::New,
            created_at: Utc::now(),
            read_at: None,
        }
    }
 }
 /// Map an OSV/NVD severity string to our notification severity
 pub fn parse_severity(s: Option<&str>, cvss: Option<f64>) -> NotificationSeverity {
    // Prefer CVSS score if available
    if let Some(score) = cvss {
        return match score {
            s if s >= 9.0 => NotificationSeverity::Critical,
            s if s >= 7.0 => NotificationSeverity::High,
            s if s >= 4.0 => NotificationSeverity::Medium,
            _ => NotificationSeverity::Low,
        };
    }
    // Fall back to string severity
    match s.map(|s| s.to_uppercase()).as_deref() {
        Some("CRITICAL") => NotificationSeverity::Critical,
        Some("HIGH") => NotificationSeverity::High,
        Some("MODERATE" | "MEDIUM") => NotificationSeverity::Medium,
        _ => NotificationSeverity::Low,
    }
 }
@@ -0,0 +1,165 @@
 //! Tenant context propagated through every authenticated request.
 //!
 //! M7.1 single source of truth for "who is this request for". Claims come
 //! from a Keycloak-issued JWT and land here via [`crate::auth::require_jwt_auth`]
 //! (enabled with the `axum` feature). Handlers reach into the request
 //! extensions with the [`crate::tenant_ctx::TenantCtx`] extractor.
 //!
 //! The shape mirrors the JWT claim names the breakpilot-platform realm
 //! emits (see `platform/orca-platform/dev/keycloak/realm-export.json`).
 //! Stable contract — adding fields is fine; renaming is a breaking
 //! change for every downstream product.
 use serde::{Deserialize, Serialize};
 /// Tenant lifecycle status from `PLATFORM_ARCHITECTURE.md §5c`.
 ///
 /// Drives the `tenant_status` middleware:
 /// * `Demo` / `Trial` / `Active` — full access.
 /// * `Frozen` — read-only after cancel / non-payment. Mutating endpoints
 ///   return 402.
 /// * `Archived` — data-retention window closed. Every endpoint returns 410.
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(rename_all = "lowercase")]
 pub enum TenantStatus {
    Demo,
    Trial,
    Active,
    Frozen,
    Archived,
 }
 impl TenantStatus {
    /// True for statuses that block write paths.
    pub fn is_frozen(&self) -> bool {
        matches!(self, TenantStatus::Frozen)
    }
    /// True for statuses that block every request.
    pub fn is_archived(&self) -> bool {
        matches!(self, TenantStatus::Archived)
    }
    /// True for the shared demo tenant — metering, billing, and audit
    /// export are skipped.
    pub fn is_demo(&self) -> bool {
        matches!(self, TenantStatus::Demo)
    }
 }
 impl std::fmt::Display for TenantStatus {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::Demo => write!(f, "demo"),
            Self::Trial => write!(f, "trial"),
            Self::Active => write!(f, "active"),
            Self::Frozen => write!(f, "frozen"),
            Self::Archived => write!(f, "archived"),
        }
    }
 }
 /// Org-level role baked into the JWT by the realm's protocol mapper.
 /// `PLATFORM_ARCHITECTURE.md §6` is the canonical list.
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(rename_all = "UPPERCASE")]
 pub enum OrgRole {
    ItAdmin,
    Cxo,
    Finance,
    Legal,
    User,
    /// Anything we haven't enumerated yet — forwards-compatible.
    #[serde(other)]
    Unknown,
 }
 impl OrgRole {
    /// Parses a single role string (Keycloak emits these as `IT_ADMIN`,
    /// `CXO`, etc.). Round-trips with the JSON layer.
    pub fn parse(s: &str) -> Self {
        match s {
            "IT_ADMIN" => OrgRole::ItAdmin,
            "CXO" => OrgRole::Cxo,
            "FINANCE" => OrgRole::Finance,
            "LEGAL" => OrgRole::Legal,
            "USER" => OrgRole::User,
            _ => OrgRole::Unknown,
        }
    }
 }
 /// Everything we know about the requesting tenant at the moment a request
 /// lands. Cheap to clone (every field is owned + small).
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TenantContext {
    /// `tenants.id` from the platform's tenant-registry (UUID).
    pub tenant_id: String,
    /// Lowercase URL-safe slug. Useful for log lines + audit emit.
    pub tenant_slug: String,
    /// Org-level roles the authenticated user holds inside this tenant.
    /// Drives the per-handler RBAC in `M7.1-followup` PRs.
    pub org_roles: Vec<OrgRole>,
    /// Products this tenant is currently entitled to. Used to short-circuit
    /// MCP / API calls for unsubscribed products.
    pub products: Vec<String>,
    /// Customer plan (`starter` / `professional` / `enterprise`) — gates
    /// per-plan feature flags (e.g., MCP server is enterprise-only).
    pub plan: String,
    /// Lifecycle status — read by `require_tenant_status` middleware.
    pub status: TenantStatus,
    /// Keycloak user id of the requester (`sub` claim). Required for audit
    /// emit so we know WHO did the thing, not just WHICH tenant.
    pub user_id: String,
    /// Optional user-facing name from the `name` / `preferred_username`
    /// claim. Only used in audit + log lines.
    pub user_name: Option<String>,
 }
 impl TenantContext {
    /// True if the caller holds at least one of the listed roles.
    pub fn has_any_role(&self, roles: &[OrgRole]) -> bool {
        self.org_roles.iter().any(|r| roles.contains(r))
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn org_role_parses_known_values() {
        assert_eq!(OrgRole::parse("IT_ADMIN"), OrgRole::ItAdmin);
        assert_eq!(OrgRole::parse("CXO"), OrgRole::Cxo);
        assert_eq!(OrgRole::parse("USER"), OrgRole::User);
    }
    #[test]
    fn org_role_unknown_is_forward_compat() {
        assert_eq!(OrgRole::parse("FUTURE_ROLE"), OrgRole::Unknown);
    }
    #[test]
    fn tenant_status_predicates() {
        assert!(TenantStatus::Frozen.is_frozen());
        assert!(!TenantStatus::Active.is_frozen());
        assert!(TenantStatus::Archived.is_archived());
        assert!(TenantStatus::Demo.is_demo());
        assert!(!TenantStatus::Active.is_demo());
    }
    #[test]
    fn has_any_role_matches() {
        let ctx = TenantContext {
            tenant_id: "t1".into(),
            tenant_slug: "acme".into(),
            org_roles: vec![OrgRole::ItAdmin],
            products: vec![],
            plan: "professional".into(),
            status: TenantStatus::Active,
            user_id: "u".into(),
            user_name: None,
        };
        assert!(ctx.has_any_role(&[OrgRole::ItAdmin]));
        assert!(ctx.has_any_role(&[OrgRole::Cxo, OrgRole::ItAdmin]));
        assert!(!ctx.has_any_role(&[OrgRole::User, OrgRole::Cxo]));
    }
 }
@@ -0,0 +1,95 @@
 //! Axum extractor for the per-request `TenantContext`.
 //!
 //! Handlers consume it as a normal extractor argument:
 //!
 //! ```ignore
 //! async fn list_findings(TenantCtx(ctx): TenantCtx) -> Json<...> {
 //!     let filter = compliance_core::db::tenant_filter(&ctx);
 //!     ...
 //! }
 //! ```
 //!
 //! The middleware ([`crate::auth::require_jwt_auth`]) is responsible for
 //! inserting the context into the request extensions. If it's missing on
 //! a route that uses this extractor, that's a bug in the wiring — we
 //! return 401 so the caller sees an auth failure rather than a 500.
 use axum::{
    extract::FromRequestParts,
    http::{request::Parts, StatusCode},
    response::{IntoResponse, Response},
 };
 use crate::TenantContext;
 #[derive(Debug, Clone)]
 pub struct TenantCtx(pub TenantContext);
 #[derive(Debug)]
 pub struct TenantCtxRejection;
 impl IntoResponse for TenantCtxRejection {
    fn into_response(self) -> Response {
        (
            StatusCode::UNAUTHORIZED,
            "Missing tenant context — request was not authenticated",
        )
            .into_response()
    }
 }
 impl<S> FromRequestParts<S> for TenantCtx
 where
    S: Send + Sync,
 {
    type Rejection = TenantCtxRejection;
    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        parts
            .extensions
            .get::<TenantContext>()
            .cloned()
            .map(TenantCtx)
            .ok_or(TenantCtxRejection)
    }
 }
 #[cfg(test)]
 #[allow(clippy::expect_used, clippy::unwrap_used)]
 mod tests {
    use super::*;
    use crate::TenantStatus;
    use axum::http::Request;
    fn ctx() -> TenantContext {
        TenantContext {
            tenant_id: "t-1".to_string(),
            tenant_slug: "acme".to_string(),
            org_roles: vec![],
            products: vec![],
            plan: "starter".to_string(),
            status: TenantStatus::Active,
            user_id: "u-1".to_string(),
            user_name: None,
        }
    }
    #[tokio::test]
    async fn extracts_context_when_present() {
        let mut req = Request::new(());
        req.extensions_mut().insert(ctx());
        let (mut parts, _) = req.into_parts();
        let TenantCtx(found) = TenantCtx::from_request_parts(&mut parts, &())
            .await
            .expect("extractor should succeed");
        assert_eq!(found.tenant_id, "t-1");
    }
    #[tokio::test]
    async fn rejects_when_missing() {
        let req: Request<()> = Request::new(());
        let (mut parts, _) = req.into_parts();
        let err = TenantCtx::from_request_parts(&mut parts, &()).await;
        assert!(err.is_err());
    }
 }
@@ -51,7 +51,7 @@ thiserror = { workspace = true }
 # Web-only
 reqwest = { workspace = true, optional = true }
-web-sys = { version = "0.3", optional = true, features = ["Blob", "BlobPropertyBag", "HtmlAnchorElement", "Url", "Document", "Window"] }
+web-sys = { version = "0.3", optional = true, features = ["Blob", "BlobPropertyBag", "HtmlAnchorElement", "Url", "Document", "Element", "Window", "Storage", "MediaQueryList"] }
 js-sys = { version = "0.3", optional = true }
 wasm-bindgen = { version = "0.2", optional = true }
 gloo-timers = { version = "0.3", features = ["futures"], optional = true }
@@ -61,6 +61,77 @@
    --ease-spring: cubic-bezier(0.34, 1.56, 0.64, 1);
 }
 /* ── Light theme tokens ──
   Applied when the user has explicitly chosen light (`data-theme="light"`)
   OR when their OS prefers light AND they have made no explicit choice. */
 :root[data-theme="light"] {
    --bg-primary: #f5f7fb;
    --bg-secondary: #ffffff;
    --bg-card: rgba(255, 255, 255, 0.85);
    --bg-card-solid: #ffffff;
    --bg-card-hover: #f1f5fb;
    --bg-elevated: #f8fafc;
    --text-primary: #0c1426;
    --text-secondary: #475569;
    --text-tertiary: #8a9bb4;
    --accent: #0070d4;
    --accent-hover: #0080f0;
    --accent-muted: rgba(0, 112, 212, 0.10);
    --accent-glow: 0 0 20px rgba(0, 112, 212, 0.10);
    --border: #e2e8f0;
    --border-bright: #cbd5e1;
    --border-accent: rgba(0, 112, 212, 0.30);
    --danger: #dc2626;
    --danger-bg: rgba(220, 38, 38, 0.08);
    --warning: #d97706;
    --warning-bg: rgba(217, 119, 6, 0.08);
    --success: #16a34a;
    --success-bg: rgba(22, 163, 74, 0.08);
    --info: #2563eb;
    --info-bg: rgba(37, 99, 235, 0.08);
    --orange: #ea580c;
    --orange-bg: rgba(234, 88, 12, 0.08);
 }
@media (prefers-color-scheme: light) {
    :root:not([data-theme="dark"]) {
        --bg-primary: #f5f7fb;
        --bg-secondary: #ffffff;
        --bg-card: rgba(255, 255, 255, 0.85);
        --bg-card-solid: #ffffff;
        --bg-card-hover: #f1f5fb;
        --bg-elevated: #f8fafc;
        --text-primary: #0c1426;
        --text-secondary: #475569;
        --text-tertiary: #8a9bb4;
        --accent: #0070d4;
        --accent-hover: #0080f0;
        --accent-muted: rgba(0, 112, 212, 0.10);
        --accent-glow: 0 0 20px rgba(0, 112, 212, 0.10);
        --border: #e2e8f0;
        --border-bright: #cbd5e1;
        --border-accent: rgba(0, 112, 212, 0.30);
        --danger: #dc2626;
        --danger-bg: rgba(220, 38, 38, 0.08);
        --warning: #d97706;
        --warning-bg: rgba(217, 119, 6, 0.08);
        --success: #16a34a;
        --success-bg: rgba(22, 163, 74, 0.08);
        --info: #2563eb;
        --info-bg: rgba(37, 99, 235, 0.08);
        --orange: #ea580c;
        --orange-bg: rgba(234, 88, 12, 0.08);
    }
 }
 /* ── Reset & Base ── */
@@ -396,6 +467,44 @@ code {
    background: rgba(0, 200, 255, 0.06);
 }
 .theme-toggle {
    background: none;
    border: none;
    border-top: 1px solid var(--border);
    color: var(--text-secondary);
    padding: 11px 18px;
    cursor: pointer;
    display: flex;
    align-items: center;
    gap: 11px;
    font-family: var(--font-body);
    font-size: 13.5px;
    font-weight: 500;
    transition: color 0.2s, background 0.2s;
    width: 100%;
    text-align: left;
 }
 .theme-toggle:hover {
    color: var(--accent);
    background: var(--accent-muted);
 }
 .theme-toggle svg {
    flex-shrink: 0;
    opacity: 0.75;
    transition: opacity 0.2s;
 }
 .theme-toggle:hover svg {
    opacity: 1;
 }
 .sidebar.collapsed .theme-toggle {
    justify-content: center;
    padding: 11px 0;
 }
 .sidebar.collapsed .sidebar-header {
    padding: 22px 0;
    justify-content: center;
@@ -3847,3 +3956,75 @@ tbody tr:last-child td {
 .help-chat-send:not(:disabled):hover {
    background: var(--accent-hover);
 }
 /* ═══════════════════════════════════════════════════════════════
   NOTIFICATION BELL — CVE alert dropdown
   ═══════════════════════════════════════════════════════════════ */
 .notification-bell-wrapper { position: fixed; top: 16px; right: 28px; z-index: 48; }
 .notification-bell-btn { position: relative; background: var(--bg-elevated); border: 1px solid var(--border); border-radius: 10px; padding: 8px 10px; color: var(--text-secondary); cursor: pointer; display: flex; align-items: center; transition: color 0.15s, border-color 0.15s; }
 .notification-bell-btn:hover { color: var(--text-primary); border-color: var(--border-bright); }
 .notification-badge { position: absolute; top: -4px; right: -4px; background: var(--danger); color: #fff; font-size: 10px; font-weight: 700; min-width: 18px; height: 18px; border-radius: 9px; display: flex; align-items: center; justify-content: center; padding: 0 4px; font-family: 'Outfit', sans-serif; }
 .notification-panel { position: absolute; top: 44px; right: 0; width: 380px; max-height: 480px; background: var(--bg-secondary); border: 1px solid var(--border-bright); border-radius: 12px; overflow: hidden; box-shadow: 0 12px 48px rgba(0,0,0,0.5); display: flex; flex-direction: column; }
 .notification-panel-header { display: flex; align-items: center; justify-content: space-between; padding: 12px 16px; border-bottom: 1px solid var(--border); font-family: 'Outfit', sans-serif; font-weight: 600; font-size: 14px; color: var(--text-primary); }
 .notification-close-btn { background: none; border: none; color: var(--text-secondary); cursor: pointer; padding: 2px; }
 .notification-panel-body { overflow-y: auto; flex: 1; padding: 8px; }
 .notification-loading, .notification-empty { display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 32px 16px; color: var(--text-secondary); font-size: 13px; gap: 8px; }
 .notification-item { padding: 10px 12px; border-radius: 8px; margin-bottom: 4px; background: var(--bg-card); border: 1px solid var(--border); transition: border-color 0.15s; }
 .notification-item:hover { border-color: var(--border-bright); }
 .notification-item-header { display: flex; align-items: center; gap: 8px; margin-bottom: 4px; }
 .notification-sev { font-size: 10px; font-weight: 700; padding: 2px 6px; border-radius: 4px; text-transform: uppercase; letter-spacing: 0.5px; font-family: 'Outfit', sans-serif; }
 .notification-sev.sev-critical { background: var(--danger-bg); color: var(--danger); }
 .notification-sev.sev-high { background: rgba(255,140,0,0.12); color: #ff8c00; }
 .notification-sev.sev-medium { background: var(--warning-bg); color: var(--warning); }
 .notification-sev.sev-low { background: rgba(0,200,255,0.08); color: var(--accent); }
 .notification-cve-id { font-size: 12px; font-weight: 600; color: var(--text-primary); font-family: 'JetBrains Mono', monospace; }
 .notification-cve-id a { color: var(--accent); text-decoration: none; }
 .notification-cve-id a:hover { text-decoration: underline; }
 .notification-cvss { font-size: 10px; color: var(--text-secondary); margin-left: auto; font-family: 'JetBrains Mono', monospace; }
 .notification-dismiss-btn { background: none; border: none; color: var(--text-tertiary); cursor: pointer; padding: 2px; margin-left: 4px; }
 .notification-dismiss-btn:hover { color: var(--danger); }
 .notification-item-pkg { font-size: 12px; color: var(--text-primary); font-family: 'JetBrains Mono', monospace; }
 .notification-item-repo { font-size: 11px; color: var(--text-secondary); margin-bottom: 4px; }
 .notification-item-summary { font-size: 11px; color: var(--text-secondary); line-height: 1.4; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; overflow: hidden; }
 /* ═══════════════════════════════════════════════════════════════
   COPY BUTTON — Reusable clipboard copy component
   ═══════════════════════════════════════════════════════════════ */
 .copy-btn { background: none; border: 1px solid var(--border); border-radius: 6px; padding: 5px 7px; color: var(--text-secondary); cursor: pointer; display: inline-flex; align-items: center; transition: color 0.15s, border-color 0.15s, background 0.15s; flex-shrink: 0; }
 .copy-btn:hover { color: var(--accent); border-color: var(--accent); background: var(--accent-muted); }
 .copy-btn-sm { padding: 3px 5px; border-radius: 4px; }
 /* Copyable inline field pattern: value + copy button side by side */
 .copyable { display: flex; align-items: center; gap: 6px; }
 .copyable code, .copyable .mono { flex: 1; min-width: 0; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
 .code-snippet-wrapper { position: relative; }
 .code-snippet-header { display: flex; align-items: center; justify-content: space-between; margin-bottom: 4px; gap: 8px; }
 /* ═══════════════════════════════════════════════════════════════
   LIGHT THEME — surface overrides for the few hardcoded dark
   colors that don't go through CSS custom properties.
   ═══════════════════════════════════════════════════════════════ */
 :root[data-theme="light"] .main-content {
    background-image: radial-gradient(circle at 1px 1px, rgba(100, 116, 139, 0.18) 1px, transparent 0);
 }
 :root[data-theme="light"] .code-block {
    background: #f8fafc;
    color: #0c1426;
 }
 :root[data-theme="light"] .graph-stab-overlay {
    background: radial-gradient(ellipse at center, rgba(245, 247, 251, 0.92) 0%, rgba(245, 247, 251, 0.98) 100%);
 }
@media (prefers-color-scheme: light) {
    :root:not([data-theme="dark"]) .main-content {
        background-image: radial-gradient(circle at 1px 1px, rgba(100, 116, 139, 0.18) 1px, transparent 0);
    }
    :root:not([data-theme="dark"]) .code-block {
        background: #f8fafc;
        color: #0c1426;
    }
    :root:not([data-theme="dark"]) .graph-stab-overlay {
        background: radial-gradient(ellipse at center, rgba(245, 247, 251, 0.92) 0%, rgba(245, 247, 251, 0.98) 100%);
    }
 }
@@ -2,6 +2,7 @@ use dioxus::prelude::*;
 use crate::app::Route;
 use crate::components::help_chat::HelpChat;
 use crate::components::notification_bell::NotificationBell;
 use crate::components::sidebar::Sidebar;
 use crate::components::toast::{ToastContainer, Toasts};
 use crate::infrastructure::auth_check::check_auth;
@@ -21,6 +22,7 @@ pub fn AppShell() -> Element {
                    main { class: "main-content",
                        Outlet::<Route> {}
                    }
                    NotificationBell {}
                    ToastContainer {}
                    HelpChat {}
                }
@@ -30,7 +32,7 @@ pub fn AppShell() -> Element {
            // Not authenticated — redirect to Keycloak login
            rsx! {
                document::Script {
-                    dangerous_inner_html: "window.location.href = '/auth';"
+                    "window.location.href = '/auth';"
                }
            }
        }
@@ -1,5 +1,7 @@
 use dioxus::prelude::*;
 use crate::components::copy_button::CopyButton;
 #[component]
 pub fn CodeSnippet(
    code: String,
@@ -7,16 +9,19 @@ pub fn CodeSnippet(
    #[props(default)] line_number: u32,
 ) -> Element {
    rsx! {
-        div {
+        div { class: "code-snippet-wrapper",
            div { class: "code-snippet-header",
                if !file_path.is_empty() {
-                div {
+                    span {
-                    style: "font-size: 12px; color: var(--text-secondary); margin-bottom: 4px; font-family: monospace;",
+                        style: "font-size: 12px; color: var(--text-secondary); font-family: monospace;",
                        "{file_path}"
                        if line_number > 0 {
                            ":{line_number}"
                        }
                    }
                }
                CopyButton { value: code.clone(), small: true }
            }
            pre { class: "code-block", "{code}" }
        }
    }
@@ -0,0 +1,49 @@
 use dioxus::prelude::*;
 use dioxus_free_icons::icons::bs_icons::*;
 use dioxus_free_icons::Icon;
 /// A small copy-to-clipboard button that shows a checkmark after copying.
 ///
 /// Usage: `CopyButton { value: "text to copy" }`
 #[component]
 pub fn CopyButton(value: String, #[props(default = false)] small: bool) -> Element {
    let mut copied = use_signal(|| false);
    let size = if small { 12 } else { 14 };
    let class = if small {
        "copy-btn copy-btn-sm"
    } else {
        "copy-btn"
    };
    rsx! {
        button {
            class: class,
            title: if copied() { "Copied!" } else { "Copy to clipboard" },
            onclick: move |_| {
                let val = value.clone();
                // Escape for JS single-quoted string
                let escaped = val
                    .replace('\\', "\\\\")
                    .replace('\'', "\\'")
                    .replace('\n', "\\n")
                    .replace('\r', "\\r");
                let js = format!("navigator.clipboard.writeText('{escaped}')");
                document::eval(&js);
                copied.set(true);
                spawn(async move {
                    #[cfg(feature = "web")]
                    gloo_timers::future::TimeoutFuture::new(2000).await;
                    #[cfg(not(feature = "web"))]
                    tokio::time::sleep(std::time::Duration::from_secs(2)).await;
                    copied.set(false);
                });
            },
            if copied() {
                Icon { icon: BsCheckLg, width: size, height: size }
            } else {
                Icon { icon: BsClipboard, width: size, height: size }
            }
        }
    }
 }
@@ -2,12 +2,15 @@ pub mod app_shell;
 pub mod attack_chain;
 pub mod code_inspector;
 pub mod code_snippet;
 pub mod copy_button;
 pub mod file_tree;
 pub mod help_chat;
 pub mod notification_bell;
 pub mod page_header;
 pub mod pagination;
 pub mod pentest_wizard;
 pub mod severity_badge;
 pub mod sidebar;
 pub mod stat_card;
 pub mod theme_toggle;
 pub mod toast;
@@ -0,0 +1,155 @@
 use dioxus::prelude::*;
 use dioxus_free_icons::icons::bs_icons::*;
 use dioxus_free_icons::Icon;
 use crate::infrastructure::notifications::{
    dismiss_notification, fetch_notification_count, fetch_notifications,
    mark_all_notifications_read,
 };
 #[component]
 pub fn NotificationBell() -> Element {
    let mut is_open = use_signal(|| false);
    let mut count = use_signal(|| 0u64);
    let mut notifications = use_signal(Vec::new);
    let mut is_loading = use_signal(|| false);
    // Poll notification count every 30 seconds
    use_resource(move || async move {
        loop {
            if let Ok(c) = fetch_notification_count().await {
                count.set(c);
            }
            #[cfg(feature = "web")]
            {
                gloo_timers::future::TimeoutFuture::new(30_000).await;
            }
            #[cfg(not(feature = "web"))]
            {
                tokio::time::sleep(std::time::Duration::from_secs(30)).await;
            }
        }
    });
    // Load notifications when panel opens
    let load_notifications = move |_| {
        is_open.set(!is_open());
        if !is_open() {
            return;
        }
        is_loading.set(true);
        spawn(async move {
            if let Ok(resp) = fetch_notifications().await {
                notifications.set(resp.data);
            }
            // Mark all as read when panel opens
            let _ = mark_all_notifications_read().await;
            count.set(0);
            is_loading.set(false);
        });
    };
    let on_dismiss = move |id: String| {
        spawn(async move {
            let _ = dismiss_notification(id.clone()).await;
            notifications.write().retain(|n| {
                n.id.as_ref()
                    .and_then(|v| v.get("$oid"))
                    .and_then(|v| v.as_str())
                    != Some(&id)
            });
        });
    };
    rsx! {
        div { class: "notification-bell-wrapper",
            // Bell button
            button {
                class: "notification-bell-btn",
                onclick: load_notifications,
                title: "CVE Alerts",
                Icon { icon: BsBell, width: 18, height: 18 }
                if count() > 0 {
                    span { class: "notification-badge", "{count()}" }
                }
            }
            // Dropdown panel
            if is_open() {
                div { class: "notification-panel",
                    div { class: "notification-panel-header",
                        span { "CVE Alerts" }
                        button {
                            class: "notification-close-btn",
                            onclick: move |_| is_open.set(false),
                            Icon { icon: BsX, width: 16, height: 16 }
                        }
                    }
                    div { class: "notification-panel-body",
                        if is_loading() {
                            div { class: "notification-loading", "Loading..." }
                        } else if notifications().is_empty() {
                            div { class: "notification-empty",
                                Icon { icon: BsShieldCheck, width: 32, height: 32 }
                                p { "No CVE alerts" }
                            }
                        } else {
                            for notif in notifications().iter() {
                                {
                                    let id = notif.id.as_ref()
                                        .and_then(|v| v.get("$oid"))
                                        .and_then(|v| v.as_str())
                                        .unwrap_or("")
                                        .to_string();
                                    let sev_class = match notif.severity.as_str() {
                                        "critical" => "sev-critical",
                                        "high" => "sev-high",
                                        "medium" => "sev-medium",
                                        _ => "sev-low",
                                    };
                                    let dismiss_id = id.clone();
                                    rsx! {
                                        div { class: "notification-item",
                                            div { class: "notification-item-header",
                                                span { class: "notification-sev {sev_class}",
                                                    "{notif.severity.to_uppercase()}"
                                                }
                                                span { class: "notification-cve-id",
                                                    if let Some(ref url) = notif.url {
                                                        a { href: "{url}", target: "_blank", "{notif.cve_id}" }
                                                    } else {
                                                        "{notif.cve_id}"
                                                    }
                                                }
                                                if let Some(score) = notif.cvss_score {
                                                    span { class: "notification-cvss", "CVSS {score:.1}" }
                                                }
                                                button {
                                                    class: "notification-dismiss-btn",
                                                    title: "Dismiss",
                                                    onclick: move |_| on_dismiss(dismiss_id.clone()),
                                                    Icon { icon: BsXCircle, width: 14, height: 14 }
                                                }
                                            }
                                            div { class: "notification-item-pkg",
                                                "{notif.package_name} {notif.package_version}"
                                            }
                                            div { class: "notification-item-repo",
                                                "{notif.repo_name}"
                                            }
                                            if let Some(ref summary) = notif.summary {
                                                div { class: "notification-item-summary",
                                                    "{summary}"
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
 }
@@ -4,6 +4,7 @@ use dioxus_free_icons::icons::bs_icons::*;
 use dioxus_free_icons::Icon;
 use crate::app::Route;
 use crate::components::theme_toggle::ThemeToggle;
 struct NavItem {
    label: &'static str,
@@ -106,6 +107,7 @@ pub fn Sidebar() -> Element {
            }
            // Spacer pushes footer to the bottom
            div { class: "sidebar-spacer" }
            ThemeToggle { collapsed: collapsed() }
            button {
                class: "sidebar-toggle",
                onclick: move |_| collapsed.set(!collapsed()),
@@ -0,0 +1,104 @@
 use dioxus::prelude::*;
 use dioxus_free_icons::icons::bs_icons::{BsMoonStars, BsSun};
 use dioxus_free_icons::Icon;
 #[cfg(feature = "web")]
 const STORAGE_KEY: &str = "compliance-scanner.theme";
 /// Sidebar-footer theme toggle. Reads the initial state on mount from
 /// localStorage (explicit user choice) or `prefers-color-scheme` (OS default),
 /// then writes back to both the `<html data-theme="...">` attribute and
 /// localStorage on every click.
 #[component]
 pub fn ThemeToggle(collapsed: bool) -> Element {
    // `None` until the on-mount effect resolves the real value, so SSR doesn't
    // render the wrong icon for the user's actual theme.
    let mut is_dark = use_signal(|| None::<bool>);
    use_effect(move || {
        let (dark, from_storage) = initial_theme();
        is_dark.set(Some(dark));
        // If the user already made an explicit choice (in localStorage), assert it
        // on the DOM so an OS-vs-stored mismatch can't briefly show the wrong theme.
        if from_storage {
            apply_theme(dark);
        }
    });
    let label = if collapsed {
        ""
    } else if is_dark().unwrap_or(true) {
        "Light mode"
    } else {
        "Dark mode"
    };
    let title = if is_dark().unwrap_or(true) {
        "Switch to light mode"
    } else {
        "Switch to dark mode"
    };
    rsx! {
        button {
            class: "theme-toggle",
            r#type: "button",
            title: "{title}",
            "aria-label": "{title}",
            onclick: move |_| {
                let next_dark = !is_dark().unwrap_or(true);
                is_dark.set(Some(next_dark));
                apply_theme(next_dark);
            },
            if is_dark().unwrap_or(true) {
                Icon { icon: BsSun, width: 16, height: 16 }
            } else {
                Icon { icon: BsMoonStars, width: 16, height: 16 }
            }
            if !collapsed {
                span { class: "theme-toggle-label", "{label}" }
            }
        }
    }
 }
 /// Returns `(is_dark, from_storage)`. `from_storage` is true when an explicit
 /// user choice is in localStorage; false when we fell back to OS preference
 /// (or to the dark default).
 #[cfg(feature = "web")]
 fn initial_theme() -> (bool, bool) {
    if let Some(window) = web_sys::window() {
        if let Ok(Some(storage)) = window.local_storage() {
            if let Ok(Some(value)) = storage.get_item(STORAGE_KEY) {
                return (value == "dark", true);
            }
        }
        if let Ok(Some(mql)) = window.match_media("(prefers-color-scheme: dark)") {
            return (mql.matches(), false);
        }
    }
    (true, false)
 }
 #[cfg(not(feature = "web"))]
 fn initial_theme() -> (bool, bool) {
    (true, false)
 }
 #[cfg(feature = "web")]
 fn apply_theme(dark: bool) {
    let theme = if dark { "dark" } else { "light" };
    if let Some(window) = web_sys::window() {
        if let Some(document) = window.document() {
            if let Some(root) = document.document_element() {
                let _ = root.set_attribute("data-theme", theme);
            }
        }
        if let Ok(Some(storage)) = window.local_storage() {
            let _ = storage.set_item(STORAGE_KEY, theme);
        }
    }
 }
 #[cfg(not(feature = "web"))]
 fn apply_theme(_dark: bool) {}
@@ -8,6 +8,7 @@ pub mod graph;
 pub mod help_chat;
 pub mod issues;
 pub mod mcp;
 pub mod notifications;
 pub mod pentest;
 #[allow(clippy::too_many_arguments)]
 pub mod repositories;
@@ -0,0 +1,91 @@
 use dioxus::prelude::*;
 use serde::{Deserialize, Serialize};
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct NotificationListResponse {
    pub data: Vec<CveNotificationData>,
    #[serde(default)]
    pub total: Option<u64>,
 }
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct CveNotificationData {
    #[serde(rename = "_id")]
    pub id: Option<serde_json::Value>,
    pub cve_id: String,
    pub repo_name: String,
    pub package_name: String,
    pub package_version: String,
    pub severity: String,
    pub cvss_score: Option<f64>,
    pub summary: Option<String>,
    pub url: Option<String>,
    pub status: String,
    #[serde(default)]
    pub created_at: Option<serde_json::Value>,
 }
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct NotificationCountResponse {
    pub count: u64,
 }
 #[server]
 pub async fn fetch_notification_count() -> Result<u64, ServerFnError> {
    let state: super::server_state::ServerState =
        dioxus_fullstack::FullstackContext::extract().await?;
    let url = format!("{}/api/v1/notifications/count", state.agent_api_url);
    let resp = reqwest::get(&url)
        .await
        .map_err(|e| ServerFnError::new(e.to_string()))?;
    let body: NotificationCountResponse = resp
        .json()
        .await
        .map_err(|e| ServerFnError::new(e.to_string()))?;
    Ok(body.count)
 }
 #[server]
 pub async fn fetch_notifications() -> Result<NotificationListResponse, ServerFnError> {
    let state: super::server_state::ServerState =
        dioxus_fullstack::FullstackContext::extract().await?;
    let url = format!("{}/api/v1/notifications?limit=20", state.agent_api_url);
    let resp = reqwest::get(&url)
        .await
        .map_err(|e| ServerFnError::new(e.to_string()))?;
    let body: NotificationListResponse = resp
        .json()
        .await
        .map_err(|e| ServerFnError::new(e.to_string()))?;
    Ok(body)
 }
 #[server]
 pub async fn mark_all_notifications_read() -> Result<(), ServerFnError> {
    let state: super::server_state::ServerState =
        dioxus_fullstack::FullstackContext::extract().await?;
    let url = format!("{}/api/v1/notifications/read-all", state.agent_api_url);
    reqwest::Client::new()
        .post(&url)
        .send()
        .await
        .map_err(|e| ServerFnError::new(e.to_string()))?;
    Ok(())
 }
 #[server]
 pub async fn dismiss_notification(id: String) -> Result<(), ServerFnError> {
    let state: super::server_state::ServerState =
        dioxus_fullstack::FullstackContext::extract().await?;
    let url = format!("{}/api/v1/notifications/{id}/dismiss", state.agent_api_url);
    reqwest::Client::new()
        .patch(&url)
        .send()
        .await
        .map_err(|e| ServerFnError::new(e.to_string()))?;
    Ok(())
 }
@@ -259,7 +259,10 @@ pub fn McpServersPage() -> Element {
                                                div { class: "mcp-detail-row",
                                                    Icon { icon: BsGlobe, width: 13, height: 13 }
                                                    span { class: "mcp-detail-label", "Endpoint" }
                                                    div { class: "copyable",
                                                        code { class: "mcp-detail-value", "{server.endpoint_url}" }
                                                        crate::components::copy_button::CopyButton { value: server.endpoint_url.clone(), small: true }
                                                    }
                                                }
                                                div { class: "mcp-detail-row",
                                                    Icon { icon: BsHddNetwork, width: 13, height: 13 }
@@ -137,13 +137,20 @@ pub fn RepositoriesPage() -> Element {
                                "For SSH URLs: add this deploy key (read-only) to your repository"
                            }
                            div {
-                                style: "margin-top: 4px; padding: 8px; background: var(--bg-secondary); border-radius: 4px; font-family: monospace; font-size: 11px; word-break: break-all; user-select: all;",
+                                class: "copyable",
                                style: "margin-top: 4px; padding: 8px; background: var(--bg-secondary); border-radius: 4px;",
                                code {
                                    style: "font-size: 11px; word-break: break-all; user-select: all;",
                                    if ssh_public_key().is_empty() {
                                        "Loading..."
                                    } else {
                                        "{ssh_public_key}"
                                    }
                                }
                                if !ssh_public_key().is_empty() {
                                    crate::components::copy_button::CopyButton { value: ssh_public_key(), small: true }
                                }
                            }
                        }
                        // HTTPS auth fields
@@ -390,29 +397,38 @@ pub fn RepositoriesPage() -> Element {
                        }
                        div { class: "form-group",
                            label { "Webhook URL" }
-                            input {
+                            {
                                r#type: "text",
                                readonly: true,
                                style: "font-family: monospace; font-size: 12px;",
                                value: {
                                #[cfg(feature = "web")]
                                let origin = web_sys::window()
                                    .and_then(|w: web_sys::Window| w.location().origin().ok())
                                    .unwrap_or_default();
                                #[cfg(not(feature = "web"))]
                                let origin = String::new();
-                                    format!("{origin}/webhook/{}/{eid}", edit_webhook_tracker())
+                                let webhook_url = format!("{origin}/webhook/{}/{eid}", edit_webhook_tracker());
-                                },
+                                rsx! {
                                    div { class: "copyable",
                                        input {
                                            r#type: "text",
                                            readonly: true,
                                            style: "font-family: monospace; font-size: 12px; flex: 1;",
                                            value: "{webhook_url}",
                                        }
                                        crate::components::copy_button::CopyButton { value: webhook_url.clone() }
                                    }
                                }
                            }
                        }
                        div { class: "form-group",
                            label { "Webhook Secret" }
                            div { class: "copyable",
                                input {
                                    r#type: "text",
                                    readonly: true,
-                                style: "font-family: monospace; font-size: 12px;",
+                                    style: "font-family: monospace; font-size: 12px; flex: 1;",
                                    value: "{secret}",
                                }
                                crate::components::copy_button::CopyButton { value: secret.clone() }
                            }
                        }
                    }
                    div { class: "modal-actions",
@@ -0,0 +1,22 @@
 [package]
 name = "compliance-smoke"
 version = "0.1.0"
 edition = "2021"
 description = "Tiny Axum service exercising compliance-core M7.1 tenant gating. Run smoke.sh against it before merging anything that touches the auth/tenant path."
 [lints]
 workspace = true
 [[bin]]
 name = "compliance-smoke"
 path = "src/main.rs"
 [dependencies]
 compliance-core = { workspace = true, features = ["axum"] }
 axum = "0.8"
 tokio = { workspace = true }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 reqwest = { workspace = true }
@@ -0,0 +1,111 @@
 //! M7.1 smoke service.
 //!
 //! A standalone Axum binary whose only job is to host the
 //! [`compliance_core::auth`] middleware + [`compliance_core::tenant_ctx`]
 //! extractor on three endpoints, so `scripts/smoke.sh` can prove the
 //! tenant-gating contract end-to-end before any auth-path PR merges.
 //!
 //! Endpoints:
 //! * `GET  /api/v1/health` — public, never authenticated.
 //! * `GET  /api/v1/echo`   — protected read; returns the [`TenantContext`].
 //! * `POST /api/v1/echo`   — protected write; exercises the `Frozen → 402`
 //!   gate on the same handler.
 //!
 //! Configuration (env):
 //! * `KEYCLOAK_URL`   — e.g. `http://localhost:8080`. Required.
 //! * `KEYCLOAK_REALM` — e.g. `certifai`. Required.
 //! * `SMOKE_PORT`     — defaults to `3010`.
 use std::sync::Arc;
 use axum::{middleware, routing::get, Extension, Json, Router};
 use compliance_core::{
    auth::{require_jwt_auth, require_tenant_status, JwksState},
    tenant_ctx::TenantCtx,
 };
 use serde::Serialize;
 use tokio::sync::RwLock;
 #[derive(Serialize)]
 struct EchoResponse {
    method: &'static str,
    tenant_id: String,
    tenant_slug: String,
    plan: String,
    status: String,
    products: Vec<String>,
    org_roles: Vec<String>,
    user_id: String,
    user_name: Option<String>,
 }
 async fn health() -> Json<serde_json::Value> {
    Json(serde_json::json!({ "ok": true }))
 }
 async fn echo_read(TenantCtx(ctx): TenantCtx) -> Json<EchoResponse> {
    Json(echo(ctx, "GET"))
 }
 async fn echo_write(TenantCtx(ctx): TenantCtx) -> Json<EchoResponse> {
    Json(echo(ctx, "POST"))
 }
 fn echo(ctx: compliance_core::TenantContext, method: &'static str) -> EchoResponse {
    EchoResponse {
        method,
        tenant_id: ctx.tenant_id,
        tenant_slug: ctx.tenant_slug,
        plan: ctx.plan,
        status: ctx.status.to_string(),
        products: ctx.products,
        org_roles: ctx.org_roles.iter().map(|r| format!("{r:?}")).collect(),
        user_id: ctx.user_id,
        user_name: ctx.user_name,
    }
 }
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
    tracing_subscriber::fmt()
        .with_env_filter(
            tracing_subscriber::EnvFilter::try_from_default_env()
                .unwrap_or_else(|_| tracing_subscriber::EnvFilter::new("info")),
        )
        .init();
    let kc_url = std::env::var("KEYCLOAK_URL")
        .map_err(|_| "KEYCLOAK_URL is required (e.g. http://localhost:8080)")?;
    let kc_realm = std::env::var("KEYCLOAK_REALM")
        .map_err(|_| "KEYCLOAK_REALM is required (e.g. certifai)")?;
    let port: u16 = std::env::var("SMOKE_PORT")
        .ok()
        .and_then(|s| s.parse().ok())
        .unwrap_or(3010);
    let jwks_url = format!("{kc_url}/realms/{kc_realm}/protocol/openid-connect/certs");
    let jwks_state = JwksState {
        jwks: Arc::new(RwLock::new(None)),
        jwks_url: jwks_url.clone(),
    };
    // Layers execute outermost-first. The Extension must be registered
    // before `require_jwt_auth` so the middleware can read JwksState; the
    // status gate must run after JWT so `TenantContext` is in extensions.
    let app = Router::new()
        .route("/api/v1/health", get(health))
        .route("/api/v1/echo", get(echo_read).post(echo_write))
        .layer(middleware::from_fn(require_tenant_status))
        .layer(middleware::from_fn(require_jwt_auth))
        .layer(Extension(jwks_state));
    let addr = format!("0.0.0.0:{port}");
    let listener = tokio::net::TcpListener::bind(&addr).await?;
    tracing::info!(
        port,
        jwks = %jwks_url,
        "compliance-smoke listening — try `scripts/smoke.sh`"
    );
    axum::serve(listener, app).await?;
    Ok(())
 }
@@ -0,0 +1,136 @@
 #!/usr/bin/env bash
 # M7.1 tenant-gating smoke test.
 #
 # Drives compliance-smoke against a live Keycloak realm with five test
 # users (one per tenant_status), asserts the response code on each
 # endpoint, and exits non-zero on any mismatch.
 #
 # Pre-reqs (one-time):
 #   * KC up at $KC_URL with realm $KC_REALM
 #   * Client $KC_CLIENT has direct-access-grants enabled
 #   * Users + tenant_status mappers per certifai/keycloak/realm-export.json
 #   * compliance-smoke binary running and reachable at $SMOKE_URL
 #
 # Usage:
 #   scripts/smoke.sh              # uses defaults below
 #   SMOKE_URL=... scripts/smoke.sh
 set -euo pipefail
 KC_URL="${KC_URL:-http://localhost:8080}"
 KC_REALM="${KC_REALM:-certifai}"
 KC_CLIENT="${KC_CLIENT:-certifai-dashboard}"
 SMOKE_URL="${SMOKE_URL:-http://localhost:3010}"
 readonly TOKEN_ENDPOINT="${KC_URL}/realms/${KC_REALM}/protocol/openid-connect/token"
 PASS=0
 FAIL=0
 red()    { printf '\033[31m%s\033[0m' "$*"; }
 green()  { printf '\033[32m%s\033[0m' "$*"; }
 yellow() { printf '\033[33m%s\033[0m' "$*"; }
 # Fetches an access token via direct access grant. Echoes the raw token.
 get_token() {
    local user="$1" pass="$2"
    curl -sS -X POST "$TOKEN_ENDPOINT" \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -d "grant_type=password" \
        -d "client_id=${KC_CLIENT}" \
        -d "username=${user}" \
        -d "password=${pass}" \
        -d "scope=openid" \
        | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
 }
 # Hits SMOKE_URL$path with the given method and (optional) bearer token,
 # asserts the response status code matches $want.
 assert_status() {
    local label="$1" method="$2" path="$3" want="$4" token="${5:-}"
    local args=(-sS -o /dev/null -w '%{http_code}' -X "$method" "${SMOKE_URL}${path}")
    if [[ -n "$token" ]]; then
        args+=(-H "Authorization: Bearer ${token}")
    fi
    local got
    got=$(curl "${args[@]}")
    if [[ "$got" == "$want" ]]; then
        printf '  %s %s %-4s %-15s → %s\n' "$(green PASS)" "$label" "$method" "$path" "$got"
        PASS=$((PASS + 1))
    else
        printf '  %s %s %-4s %-15s → got %s, want %s\n' "$(red FAIL)" "$label" "$method" "$path" "$got" "$want"
        FAIL=$((FAIL + 1))
    fi
 }
 header() {
    printf '\n%s %s\n' "$(yellow '##')" "$1"
 }
 # ---- Pre-flight ----------------------------------------------------------
 header "Pre-flight"
 if ! curl -sS -o /dev/null -w '%{http_code}\n' "${SMOKE_URL}/api/v1/health" | grep -q '^200$'; then
    printf '  %s smoke service not reachable at %s\n' "$(red ERR)" "$SMOKE_URL"
    exit 2
 fi
 if ! curl -sS -o /dev/null -w '%{http_code}\n' "${KC_URL}/realms/${KC_REALM}/.well-known/openid-configuration" | grep -q '^200$'; then
    printf '  %s Keycloak realm %s not reachable at %s\n' "$(red ERR)" "$KC_REALM" "$KC_URL"
    exit 2
 fi
 printf '  %s smoke service + Keycloak both up\n' "$(green OK)"
 # ---- Public endpoint --------------------------------------------------
 header "Public endpoint (no auth required)"
 assert_status anon GET  /api/v1/health 200
 # ---- Anonymous access to protected endpoints ----------------------------
 header "Anonymous → 401 on protected endpoints"
 assert_status anon GET  /api/v1/echo   401
 assert_status anon POST /api/v1/echo   401
 # ---- Bad token ----------------------------------------------------------
 header "Bad token → 401"
 assert_status bogus GET  /api/v1/echo  401 "not-a-real-jwt"
 assert_status bogus POST /api/v1/echo  401 "not-a-real-jwt"
 # ---- Active tenant (admin user) -----------------------------------------
 header "admin@certifai.local (active) → full access"
 TOKEN=$(get_token admin@certifai.local admin)
 if [[ -z "$TOKEN" ]]; then
    printf '  %s failed to fetch token for admin\n' "$(red ERR)"
    exit 2
 fi
 assert_status active GET  /api/v1/echo 200 "$TOKEN"
 assert_status active POST /api/v1/echo 200 "$TOKEN"
 # ---- Active tenant (USER role) ------------------------------------------
 header "user@certifai.local (active) → full access"
 TOKEN=$(get_token user@certifai.local user)
 assert_status active GET  /api/v1/echo 200 "$TOKEN"
 assert_status active POST /api/v1/echo 200 "$TOKEN"
 # ---- Trial tenant -------------------------------------------------------
 header "trial@acme.local (trial) → full access"
 TOKEN=$(get_token trial@acme.local trial)
 assert_status trial  GET  /api/v1/echo 200 "$TOKEN"
 assert_status trial  POST /api/v1/echo 200 "$TOKEN"
 # ---- Frozen tenant ------------------------------------------------------
 header "frozen@acme.local (frozen) → read-only, writes 402"
 TOKEN=$(get_token frozen@acme.local frozen)
 assert_status frozen GET  /api/v1/echo 200 "$TOKEN"
 assert_status frozen POST /api/v1/echo 402 "$TOKEN"
 # ---- Archived tenant ----------------------------------------------------
 header "archived@acme.local (archived) → 410 everywhere"
 TOKEN=$(get_token archived@acme.local archived)
 assert_status archived GET  /api/v1/echo 410 "$TOKEN"
 assert_status archived POST /api/v1/echo 410 "$TOKEN"
 # ---- Summary ------------------------------------------------------------
 printf '\n'
 if [[ "$FAIL" -gt 0 ]]; then
    printf '%s %d passed, %d failed\n' "$(red FAIL)" "$PASS" "$FAIL"
    exit 1
 fi
 printf '%s %d/%d assertions passed\n' "$(green PASS)" "$PASS" "$PASS"
Author	SHA1	Message	Date
Sharang Parnerkar	f474699279	fix(core): JWKS refresh-on-failure in M7.1 auth middleware CI / Check (pull_request) Successful in 8m17s Details CI / Detect Changes (pull_request) Has been skipped Details CI / Deploy Agent (pull_request) Has been skipped Details CI / Deploy Dashboard (pull_request) Has been skipped Details CI / Deploy Docs (pull_request) Has been skipped Details CI / Deploy MCP (pull_request) Has been skipped Details Without this, every Keycloak signing-key rotation produces a silent 401 storm against every request until the agent restarts — the cached JWKS is held forever and never reconciled against KC. Now: when `kid` isn't in the cached JWKS or the matching key fails signature verification, we classify the failure as Stale, force a JWKS refresh, and retry once. Anything else (expired, malformed, missing tenant_id) is Permanent and short-circuits straight to 401. * Splits the path into a pure `try_validate(token, header, kid, jwks)` helper returning a `ValidationError { Stale \| Permanent }` enum. * `fetch_or_get_jwks(state, force)` takes a force flag and holds the write lock across the network fetch so concurrent refreshers don't all hammer Keycloak when keys rotate (the second writer reuses what the first put in cache). * Adds a unit test for the kid-not-found Stale classification. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-04 16:40:55 +02:00
sharang	116293519d	M7.1 smoke harness: lift auth to compliance-core + compliance-smoke service (#83 ) CI / Check (push) Has been cancelled Details CI / Detect Changes (push) Has been cancelled Details CI / Deploy Agent (push) Has been cancelled Details CI / Deploy Dashboard (push) Has been cancelled Details CI / Deploy Docs (push) Has been cancelled Details CI / Deploy MCP (push) Has been cancelled Details	2026-06-04 14:38:35 +00:00
sharang	a8cef58e02	feat(dashboard): add light/dark theme with sidebar toggle (#81 ) CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 5s Details CI / Deploy Agent (push) Has been skipped Details CI / Deploy Dashboard (push) Successful in 9m46s Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Has been skipped Details	2026-05-13 11:44:22 +00:00
sharang	927fbc8ecb	fix: live progress + concurrency for embedding builds (#80 ) CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 5s Details CI / Deploy Agent (push) Successful in 7m59s Details CI / Deploy Dashboard (push) Has been skipped Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Has been skipped Details	2026-05-13 10:01:05 +00:00
sharang	e67a13535a	fix: add HTTP timeout to reqwest client and CVE stage timeout (#79 ) CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 5s Details CI / Deploy Agent (push) Successful in 8m26s Details CI / Deploy Dashboard (push) Has been skipped Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Has been skipped Details	2026-05-13 07:30:26 +00:00
sharang	df0063abc0	fix: scanner timeouts, semgrep memory cap, syft remote lookups, Script error (#78 ) CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 5s Details CI / Deploy Agent (push) Successful in 9m41s Details CI / Deploy Dashboard (push) Successful in 15m19s Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Successful in 3m7s Details ## Summary - Scan produces no results in Orca — semgrep (`--config=auto`, unbounded memory) and syft (remote license network calls) were getting OOM-killed or hanging in resource-constrained Orca containers. Scan would "complete" with 0 findings/SBOMs silently because each scanner failure is caught and logged as a warning. - Dashboard Script error spam — `document::Script` in Dioxus 0.7 needs a single text node child for inline scripts; `dangerous_inner_html` was invalid and spammed the error log on every unauthenticated page load. ## Changes \| File \| Change \| \|------\|--------\| \| `semgrep.rs` \| Add `--max-memory 500 --jobs 1`; 10-minute timeout \| \| `syft.rs` \| Remove remote license lookup env vars; 5-minute timeout \| \| `gitleaks.rs` \| 5-minute timeout \| \| `app_shell.rs` \| Fix `dangerous_inner_html` → text child in `document::Script` \| ## Test plan - [ ] Trigger a scan on a repo in Orca — findings and SBOM entries should now appear - [ ] Agent logs should show timeout/error warnings rather than silent empty results when tools are killed - [ ] Navigate to dashboard unauthenticated — Script error gone from logs - [ ] Verify scans work end-to-end with `docker compose up` --------- Co-authored-by: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Reviewed-on: #78	2026-05-12 11:27:24 +00:00
Sharang Parnerkar	5cafd13f44	ci: log orca webhook response so deploy steps arent silent CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 5s Details CI / Deploy Agent (push) Has been skipped Details CI / Deploy Dashboard (push) Has been skipped Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Has been skipped Details Nightly E2E Tests / E2E Tests (push) Failing after 2m59s Details	2026-04-08 15:09:27 +02:00
Sharang Parnerkar	69209649a5	ci: trigger first orca build for all services CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 4s Details CI / Deploy Agent (push) Successful in 7m5s Details CI / Deploy Docs (push) Successful in 30s Details CI / Deploy MCP (push) Successful in 1m31s Details CI / Deploy Dashboard (push) Failing after 21m28s Details Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 10:10:07 +02:00
Sharang Parnerkar	d5439adc0d	ci: trigger build of dashboard, docs, mcp images for orca CI / Check (push) Has been cancelled Details CI / Detect Changes (push) Has been cancelled Details CI / Deploy Agent (push) Has been cancelled Details CI / Deploy Dashboard (push) Has been cancelled Details CI / Deploy Docs (push) Has been cancelled Details CI / Deploy MCP (push) Has been cancelled Details Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 10:09:49 +02:00
Sharang Parnerkar	bc7cdd35e4	ci: replace coolify webhook with orca deploy CI / Check (push) Has been cancelled Details CI / Detect Changes (push) Has been cancelled Details CI / Deploy Agent (push) Has been cancelled Details CI / Deploy Dashboard (push) Has been cancelled Details CI / Deploy Docs (push) Has been cancelled Details CI / Deploy MCP (push) Has been cancelled Details Each deploy job now builds the per-service image, pushes to the private registry as :latest and :sha, then triggers an HMAC-signed orca redeploy webhook. Coolify webhooks are no longer used. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 10:06:11 +02:00
Sharang Parnerkar	c062d834a1	fix: downgrade dotenv missing file from FAILED to info message CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 3s Details CI / Deploy Agent (push) Successful in 2s Details CI / Deploy Dashboard (push) Has been skipped Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Has been skipped Details Nightly E2E Tests / E2E Tests (push) Failing after 2m16s Details Non-fatal in Docker where env vars come from container config. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 15:33:24 +02:00
sharang	23cf37b6c3	fix: CVE notifications during scan + help chat doc loading + Dockerfile (#55 ) CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 3s Details CI / Deploy Agent (push) Successful in 2s Details CI / Deploy Dashboard (push) Successful in 2s Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Has been skipped Details	2026-03-30 13:10:56 +00:00
sharang	49d5cd4e0a	feat: hourly CVE alerting with notification bell and API (#53 ) CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 3s Details CI / Deploy Agent (push) Successful in 2s Details CI / Deploy Dashboard (push) Successful in 2s Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Successful in 2s Details	2026-03-30 10:39:39 +00:00
`@@ -14,3 +14,4 @@ EXPOSE 8090`
	`ENV MCP_PORT=8090`	`ENV MCP_PORT=8090`

	`ENTRYPOINT ["compliance-mcp"]`	`ENTRYPOINT ["compliance-mcp"]`