fix(m7.1): correct middleware layer order so JwksState is visible

Axum applies layers outermost-first. With the previous ordering (`Extension(jwks_state)` first, `require_jwt_auth` last), the JWT middleware ran before the Extension layer attached `JwksState` to the request, so `request.extensions().get::<JwksState>()` always returned None and the middleware silently passed through every request as if Keycloak weren't configured. Verified end-to-end against the local CERTifAI Keycloak realm: - no token / bad token -> 401 - active / trial -> 200 read, write reaches handler - frozen -> 200 read, 402 on writes - archived -> 410 on every method The bug was invisible to the unit + integration tests because they construct the layer stack manually; only the live wiring exhibited it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feat(m7.1): wire tenant claims, status enforcement, and db scoping helper
2026-05-20 17:20:37 +02:00 · 2026-05-20 10:10:42 +02:00 · 2026-05-13 11:44:22 +00:00 · 2026-05-13 10:01:05 +00:00 · 2026-05-13 07:30:26 +00:00
17 changed files with 1014 additions and 34 deletions
@@ -687,6 +687,7 @@ dependencies = [
 "tokio-cron-scheduler",
 "tokio-stream",
 "tokio-tungstenite 0.26.2",
+ "tower",
 "tower-http",
 "tracing",
 "tracing-subscriber",
@@ -52,4 +52,5 @@ mongodb = { workspace = true }
 uuid = { workspace = true }
 secrecy = { workspace = true }
 axum = "0.8"
+tower = { version = "0.5", features = ["util"] }
 tower-http = { version = "0.6", features = ["cors"] }
@@ -1,10 +1,29 @@
+//! M7.1 — JWT validation + tenant context propagation.
+//!
+//! `require_jwt_auth` validates a Bearer JWT against Keycloak's JWKS and
+//! attaches a `TenantContext` to the request extensions. Downstream
+//! middleware (`require_tenant_status`) and Axum extractors (`TenantCtx`)
+//! read it from there.
+//!
+//! Skipped paths:
+//! * `/api/v1/health` — Kubernetes liveness; never authenticated.
+//!
+//! Failure modes:
+//! * No `JwksState` extension → pass-through (single-tenant dev mode).
+//! * Missing / malformed Bearer header → 401.
+//! * Signature / expiry invalid → 401.
+//! * Claims present but tenant_id missing → 401 (treated as a malformed
+//!   token; the realm must always issue tenant_id).
+
 use std::sync::Arc;

 use axum::{
    extract::Request,
+    http::Method,
    middleware::Next,
    response::{IntoResponse, Response},
 };
+use compliance_core::{OrgRole, TenantContext, TenantStatus};
 use jsonwebtoken::{decode, decode_header, jwk::JwkSet, DecodingKey, Validation};
 use reqwest::StatusCode;
 use serde::Deserialize;
@@ -17,20 +36,39 @@ pub struct JwksState {
    pub jwks_url: String,
 }

+/// Raw shape of the JWT payload — matches the breakpilot-dev realm's
+/// protocol-mapper output. Missing fields default to "" / empty so a
+/// realm that hasn't been fully wired yet still validates.
 #[derive(Debug, Deserialize)]
 struct Claims {
-    #[allow(dead_code)]
    sub: String,
+    #[serde(default)]
+    name: Option<String>,
+    #[serde(default)]
+    preferred_username: Option<String>,
+    #[serde(default)]
+    tenant_id: String,
+    #[serde(default)]
+    tenant_slug: String,
+    #[serde(default)]
+    org_roles: Vec<String>,
+    #[serde(default)]
+    products: Vec<String>,
+    #[serde(default)]
+    plan: String,
+    #[serde(default)]
+    tenant_status: Option<TenantStatus>,
 }

 const PUBLIC_ENDPOINTS: &[&str] = &["/api/v1/health"];

-/// Middleware that validates Bearer JWT tokens against Keycloak's JWKS.
+/// Middleware that validates Bearer JWT tokens against Keycloak's JWKS
+/// and attaches a `TenantContext` extension on success.
 ///
-/// Skips validation for health check endpoints.
-/// If `JwksState` is not present as an extension (keycloak not configured),
-/// all requests pass through.
-pub async fn require_jwt_auth(request: Request, next: Next) -> Response {
+/// Skips validation for the health endpoint.
+/// If `JwksState` is not present (Keycloak not configured), requests
+/// pass through and downstream code must handle the missing context.
+pub async fn require_jwt_auth(mut request: Request, next: Next) -> Response {
    let path = request.uri().path();

    if PUBLIC_ENDPOINTS.contains(&path) {
@@ -53,7 +91,10 @@ pub async fn require_jwt_auth(request: Request, next: Next) -> Response {
    };

    match validate_token(token, &jwks_state).await {
-        Ok(()) => next.run(request).await,
+        Ok(ctx) => {
+            request.extensions_mut().insert(ctx);
+            next.run(request).await
+        }
        Err(e) => {
            tracing::warn!("JWT validation failed: {e}");
            (StatusCode::UNAUTHORIZED, "Invalid token").into_response()
@@ -61,7 +102,47 @@ pub async fn require_jwt_auth(request: Request, next: Next) -> Response {
    }
 }

-async fn validate_token(token: &str, state: &JwksState) -> Result<(), String> {
+/// Middleware that enforces the M7.1 `tenant_status` contract.
+///
+/// * `Active` / `Trial` / `Demo` — pass through.
+/// * `Frozen` — read-only after cancel / non-payment. Writes return 402.
+/// * `Archived` — data-retention window closed. Every request returns 410.
+///
+/// Pass-through when no `TenantContext` is present (single-tenant dev or
+/// the upstream JWT middleware ran without `JwksState`).
+pub async fn require_tenant_status(request: Request, next: Next) -> Response {
+    let ctx = match request.extensions().get::<TenantContext>() {
+        Some(c) => c.clone(),
+        None => return next.run(request).await,
+    };
+
+    if ctx.status.is_archived() {
+        return (
+            StatusCode::GONE,
+            "Tenant archived — data retention window closed",
+        )
+            .into_response();
+    }
+
+    if ctx.status.is_frozen() && is_write(request.method()) {
+        return (
+            StatusCode::PAYMENT_REQUIRED,
+            "Tenant frozen — read-only. Re-activate to resume writes.",
+        )
+            .into_response();
+    }
+
+    next.run(request).await
+}
+
+/// Treat anything other than GET/HEAD/OPTIONS as a write. Good enough for
+/// REST. The few exceptions (e.g. read-side POSTs) can opt out at the
+/// handler level once we have them.
+fn is_write(m: &Method) -> bool {
+    !matches!(m, &Method::GET | &Method::HEAD | &Method::OPTIONS)
+}
+
+async fn validate_token(token: &str, state: &JwksState) -> Result<TenantContext, String> {
    let header = decode_header(token).map_err(|e| format!("failed to decode JWT header: {e}"))?;

    let kid = header
@@ -83,10 +164,37 @@ async fn validate_token(token: &str, state: &JwksState) -> Result<(), String> {
    validation.validate_exp = true;
    validation.validate_aud = false;

-    decode::<Claims>(token, &decoding_key, &validation)
+    let data = decode::<Claims>(token, &decoding_key, &validation)
        .map_err(|e| format!("token validation failed: {e}"))?;

-    Ok(())
+    claims_to_context(data.claims)
+}
+
+/// Map the decoded JWT payload into the platform-wide `TenantContext`.
+/// Pulled out for unit testing — no I/O.
+fn claims_to_context(c: Claims) -> Result<TenantContext, String> {
+    if c.tenant_id.is_empty() {
+        return Err("JWT is missing tenant_id claim".to_string());
+    }
+
+    let status = c.tenant_status.unwrap_or_else(|| {
+        tracing::warn!(
+            "JWT missing tenant_status claim for tenant {} — defaulting to Trial",
+            c.tenant_id
+        );
+        TenantStatus::Trial
+    });
+
+    Ok(TenantContext {
+        tenant_id: c.tenant_id,
+        tenant_slug: c.tenant_slug,
+        org_roles: c.org_roles.iter().map(|r| OrgRole::parse(r)).collect(),
+        products: c.products,
+        plan: c.plan,
+        status,
+        user_id: c.sub,
+        user_name: c.name.or(c.preferred_username),
+    })
 }

 async fn fetch_or_get_jwks(state: &JwksState) -> Result<JwkSet, String> {
@@ -111,3 +219,87 @@ async fn fetch_or_get_jwks(state: &JwksState) -> Result<JwkSet, String> {

    Ok(jwks)
 }
+
+#[cfg(test)]
+#[allow(clippy::expect_used, clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    fn base_claims() -> Claims {
+        Claims {
+            sub: "user-123".to_string(),
+            name: Some("Alice Acme".to_string()),
+            preferred_username: None,
+            tenant_id: "00000000-0000-0000-0000-000000000001".to_string(),
+            tenant_slug: "acme".to_string(),
+            org_roles: vec!["IT_ADMIN".to_string()],
+            products: vec!["compliance".to_string()],
+            plan: "professional".to_string(),
+            tenant_status: Some(TenantStatus::Active),
+        }
+    }
+
+    #[test]
+    fn claims_to_context_happy_path() {
+        let ctx = claims_to_context(base_claims()).expect("should map");
+        assert_eq!(ctx.tenant_id, "00000000-0000-0000-0000-000000000001");
+        assert_eq!(ctx.tenant_slug, "acme");
+        assert_eq!(ctx.org_roles, vec![OrgRole::ItAdmin]);
+        assert_eq!(ctx.products, vec!["compliance"]);
+        assert_eq!(ctx.plan, "professional");
+        assert_eq!(ctx.status, TenantStatus::Active);
+        assert_eq!(ctx.user_id, "user-123");
+        assert_eq!(ctx.user_name.as_deref(), Some("Alice Acme"));
+    }
+
+    #[test]
+    fn claims_to_context_rejects_missing_tenant_id() {
+        let mut c = base_claims();
+        c.tenant_id = "".to_string();
+        let err = claims_to_context(c).expect_err("should reject");
+        assert!(err.contains("tenant_id"));
+    }
+
+    #[test]
+    fn claims_to_context_defaults_status_when_missing() {
+        let mut c = base_claims();
+        c.tenant_status = None;
+        let ctx = claims_to_context(c).expect("should map");
+        assert_eq!(ctx.status, TenantStatus::Trial);
+    }
+
+    #[test]
+    fn claims_to_context_falls_back_to_preferred_username() {
+        let mut c = base_claims();
+        c.name = None;
+        c.preferred_username = Some("alice@acme.dev".to_string());
+        let ctx = claims_to_context(c).expect("should map");
+        assert_eq!(ctx.user_name.as_deref(), Some("alice@acme.dev"));
+    }
+
+    #[test]
+    fn claims_to_context_parses_multiple_roles() {
+        let mut c = base_claims();
+        c.org_roles = vec![
+            "IT_ADMIN".to_string(),
+            "CXO".to_string(),
+            "GARBAGE".to_string(),
+        ];
+        let ctx = claims_to_context(c).expect("should map");
+        assert_eq!(
+            ctx.org_roles,
+            vec![OrgRole::ItAdmin, OrgRole::Cxo, OrgRole::Unknown]
+        );
+    }
+
+    #[test]
+    fn is_write_detects_methods() {
+        assert!(!is_write(&Method::GET));
+        assert!(!is_write(&Method::HEAD));
+        assert!(!is_write(&Method::OPTIONS));
+        assert!(is_write(&Method::POST));
+        assert!(is_write(&Method::PUT));
+        assert!(is_write(&Method::PATCH));
+        assert!(is_write(&Method::DELETE));
+    }
+}
@@ -2,5 +2,7 @@ pub mod auth_middleware;
 pub mod handlers;
 pub mod routes;
 pub mod server;
+pub mod tenant_ctx;

 pub use server::start_api_server;
+pub use tenant_ctx::TenantCtx;
@@ -8,7 +8,7 @@ use tower_http::set_header::SetResponseHeaderLayer;
 use tower_http::trace::TraceLayer;

 use crate::agent::ComplianceAgent;
-use crate::api::auth_middleware::{require_jwt_auth, JwksState};
+use crate::api::auth_middleware::{require_jwt_auth, require_tenant_status, JwksState};
 use crate::api::routes;
 use crate::error::AgentError;

@@ -44,9 +44,14 @@ pub async fn start_api_server(agent: ComplianceAgent, port: u16) -> Result<(), A
            jwks_url,
        };
        tracing::info!("Keycloak JWT auth enabled for realm '{kc_realm}'");
+        // Layers execute outermost-first. The Extension must run before
+        // require_jwt_auth so that middleware can read JwksState from
+        // request extensions, and the status gate must run after the
+        // JWT auth so TenantContext is in extensions.
        app = app
-            .layer(Extension(jwks_state))
-            .layer(middleware::from_fn(require_jwt_auth));
+            .layer(middleware::from_fn(require_tenant_status))
+            .layer(middleware::from_fn(require_jwt_auth))
+            .layer(Extension(jwks_state));
    } else {
        tracing::warn!("Keycloak not configured - API endpoints are unprotected");
    }
@@ -0,0 +1,94 @@
+//! Axum extractor for the per-request `TenantContext`.
+//!
+//! Handlers consume it as a normal extractor argument:
+//!
+//! ```ignore
+//! async fn list_findings(TenantCtx(ctx): TenantCtx) -> Json<...> {
+//!     let filter = compliance_core::db::tenant_filter(&ctx);
+//!     ...
+//! }
+//! ```
+//!
+//! The middleware (`require_jwt_auth`) is responsible for inserting the
+//! context into the request extensions. If it's missing on a route that
+//! uses this extractor, that's a bug in the wiring — we return 401 so the
+//! caller sees an auth failure rather than a 500.
+
+use axum::{
+    extract::FromRequestParts,
+    http::{request::Parts, StatusCode},
+    response::{IntoResponse, Response},
+};
+use compliance_core::TenantContext;
+
+#[derive(Debug, Clone)]
+pub struct TenantCtx(pub TenantContext);
+
+#[derive(Debug)]
+pub struct TenantCtxRejection;
+
+impl IntoResponse for TenantCtxRejection {
+    fn into_response(self) -> Response {
+        (
+            StatusCode::UNAUTHORIZED,
+            "Missing tenant context — request was not authenticated",
+        )
+            .into_response()
+    }
+}
+
+impl<S> FromRequestParts<S> for TenantCtx
+where
+    S: Send + Sync,
+{
+    type Rejection = TenantCtxRejection;
+
+    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        parts
+            .extensions
+            .get::<TenantContext>()
+            .cloned()
+            .map(TenantCtx)
+            .ok_or(TenantCtxRejection)
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::expect_used, clippy::unwrap_used)]
+mod tests {
+    use super::*;
+    use axum::http::Request;
+    use compliance_core::TenantStatus;
+
+    fn ctx() -> TenantContext {
+        TenantContext {
+            tenant_id: "t-1".to_string(),
+            tenant_slug: "acme".to_string(),
+            org_roles: vec![],
+            products: vec![],
+            plan: "starter".to_string(),
+            status: TenantStatus::Active,
+            user_id: "u-1".to_string(),
+            user_name: None,
+        }
+    }
+
+    #[tokio::test]
+    async fn extracts_context_when_present() {
+        let mut req = Request::new(());
+        req.extensions_mut().insert(ctx());
+        let (mut parts, _) = req.into_parts();
+        let TenantCtx(found) = TenantCtx::from_request_parts(&mut parts, &())
+            .await
+            .expect("extractor should succeed");
+        assert_eq!(found.tenant_id, "t-1");
+    }
+
+    #[tokio::test]
+    async fn rejects_when_missing() {
+        let req: Request<()> = Request::new(());
+        let (mut parts, _) = req.into_parts();
+        let err = TenantCtx::from_request_parts(&mut parts, &()).await;
+        assert!(err.is_err());
+    }
+}
@@ -19,12 +19,17 @@ impl LlmClient {
        model: String,
        embed_model: String,
    ) -> Self {
+        let http = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(300))
+            .connect_timeout(std::time::Duration::from_secs(10))
+            .build()
+            .unwrap_or_default();
        Self {
            base_url,
            api_key,
            model,
            embed_model,
-            http: reqwest::Client::new(),
+            http,
        }
    }

@@ -6,11 +6,16 @@ use compliance_core::models::embedding::{CodeEmbedding, EmbeddingBuildRun, Embed
 use compliance_core::models::graph::CodeNode;
 use compliance_graph::graph::chunking::extract_chunks;
 use compliance_graph::graph::embedding_store::EmbeddingStore;
+use futures_util::stream::{FuturesUnordered, StreamExt};
 use tracing::{error, info};

 use crate::error::AgentError;
 use crate::llm::LlmClient;

+const EMBED_BATCH_SIZE: usize = 20;
+const EMBED_CONCURRENCY: usize = 4;
+const EMBED_FLUSH_EVERY: usize = 200;
+
 /// RAG pipeline for building embeddings and performing retrieval
 pub struct RagPipeline {
    llm: Arc<LlmClient>,
@@ -77,25 +82,33 @@ impl RagPipeline {
            .await
            .map_err(|e| AgentError::Other(format!("Failed to delete old embeddings: {e}")))?;

-        // Step 3: Batch embed (small batches to stay within model limits)
-        let batch_size = 20;
-        let mut all_embeddings = Vec::new();
+        // Step 3: Batch embed with bounded concurrency. Flush to Mongo and
+        // update progress periodically so the dashboard can show live status.
+        let mut pending = Vec::with_capacity(EMBED_FLUSH_EVERY);
        let mut embedded_count = 0u32;

-        for batch_start in (0..chunks.len()).step_by(batch_size) {
-            let batch_end = (batch_start + batch_size).min(chunks.len());
-            let batch_chunks = &chunks[batch_start..batch_end];
+        // Build the list of batch indices to process.
+        let batches: Vec<(usize, usize)> = (0..chunks.len())
+            .step_by(EMBED_BATCH_SIZE)
+            .map(|start| (start, (start + EMBED_BATCH_SIZE).min(chunks.len())))
+            .collect();

-            // Prepare texts: context_header + content
-            let texts: Vec<String> = batch_chunks
-                .iter()
-                .map(|c| format!("{}\n{}", c.context_header, c.content))
-                .collect();
+        let mut batch_iter = batches.into_iter();
+        let mut in_flight = FuturesUnordered::new();

-            match self.llm.embed(texts).await {
-                Ok(vectors) => {
+        // Prime up to EMBED_CONCURRENCY batches.
+        for _ in 0..EMBED_CONCURRENCY {
+            if let Some((start, end)) = batch_iter.next() {
+                in_flight.push(self.embed_batch(&chunks[start..end], start, end));
+            }
+        }
+
+        while let Some(result) = in_flight.next().await {
+            match result {
+                Ok((start, end, vectors)) => {
+                    let batch_chunks = &chunks[start..end];
                    for (chunk, embedding) in batch_chunks.iter().zip(vectors) {
-                        all_embeddings.push(CodeEmbedding {
+                        pending.push(CodeEmbedding {
                            id: None,
                            repo_id: repo_id.to_string(),
                            graph_build_id: graph_build_id.to_string(),
@@ -113,9 +126,45 @@ impl RagPipeline {
                        });
                    }
                    embedded_count += batch_chunks.len() as u32;
+
+                    // Flush pending embeddings to Mongo periodically and update progress.
+                    if pending.len() >= EMBED_FLUSH_EVERY {
+                        self.embedding_store
+                            .store_embeddings(&pending)
+                            .await
+                            .map_err(|e| {
+                                AgentError::Other(format!("Failed to store embeddings: {e}"))
+                            })?;
+                        pending.clear();
+                    }
+
+                    // Always update the progress counter on the build doc — even if
+                    // we haven't flushed embeddings yet — so the UI shows movement.
+                    if let Err(e) = self
+                        .embedding_store
+                        .update_build(
+                            repo_id,
+                            graph_build_id,
+                            EmbeddingBuildStatus::Running,
+                            embedded_count,
+                            None,
+                        )
+                        .await
+                    {
+                        error!("[{repo_id}] Failed to update build progress: {e}");
+                    }
+
+                    // Queue the next batch to keep concurrency saturated.
+                    if let Some((s, e)) = batch_iter.next() {
+                        in_flight.push(self.embed_batch(&chunks[s..e], s, e));
+                    }
                }
                Err(e) => {
                    error!("[{repo_id}] Embedding batch failed: {e}");
+                    // Flush whatever we have so partial progress isn't lost.
+                    if !pending.is_empty() {
+                        let _ = self.embedding_store.store_embeddings(&pending).await;
+                    }
                    build.status = EmbeddingBuildStatus::Failed;
                    build.error_message = Some(e.to_string());
                    build.completed_at = Some(Utc::now());
@@ -134,11 +183,13 @@ impl RagPipeline {
            }
        }

-        // Step 4: Store all embeddings
-        self.embedding_store
-            .store_embeddings(&all_embeddings)
-            .await
-            .map_err(|e| AgentError::Other(format!("Failed to store embeddings: {e}")))?;
+        // Step 4: Flush any remaining embeddings
+        if !pending.is_empty() {
+            self.embedding_store
+                .store_embeddings(&pending)
+                .await
+                .map_err(|e| AgentError::Other(format!("Failed to store embeddings: {e}")))?;
+        }

        // Step 5: Update build status
        build.status = EmbeddingBuildStatus::Completed;
@@ -161,4 +212,21 @@ impl RagPipeline {
        );
        Ok(build)
    }
+
+    /// Embed one batch of chunks. Returns the (start, end, vectors) tuple so
+    /// out-of-order completion from `FuturesUnordered` can still be reconciled
+    /// against the original chunk slice.
+    async fn embed_batch(
+        &self,
+        batch_chunks: &[compliance_graph::graph::chunking::CodeChunk],
+        start: usize,
+        end: usize,
+    ) -> Result<(usize, usize, Vec<Vec<f64>>), AgentError> {
+        let texts: Vec<String> = batch_chunks
+            .iter()
+            .map(|c| format!("{}\n{}", c.context_header, c.content))
+            .collect();
+        let vectors = self.llm.embed(texts).await?;
+        Ok((start, end, vectors))
+    }
 }
@@ -0,0 +1,123 @@
+//! M7.1 — integration tests for `require_tenant_status`.
+//!
+//! Exercises the middleware end-to-end through an Axum router so we
+//! catch wiring bugs (extension propagation, method matching) that pure
+//! unit tests would miss.
+
+#![allow(clippy::expect_used, clippy::unwrap_used)]
+
+use axum::{
+    body::Body,
+    extract::Request,
+    http::{Method, StatusCode},
+    middleware::{from_fn, Next},
+    response::Response,
+    routing::{get, post},
+    Router,
+};
+use compliance_agent::api::auth_middleware::require_tenant_status;
+use compliance_core::{TenantContext, TenantStatus};
+use tower::ServiceExt;
+
+fn ctx_with(status: TenantStatus) -> TenantContext {
+    TenantContext {
+        tenant_id: "t-1".to_string(),
+        tenant_slug: "acme".to_string(),
+        org_roles: vec![],
+        products: vec![],
+        plan: "starter".to_string(),
+        status,
+        user_id: "u-1".to_string(),
+        user_name: None,
+    }
+}
+
+fn router_with_ctx(ctx: Option<TenantContext>) -> Router {
+    let injector = move |mut req: Request, next: Next| {
+        let ctx = ctx.clone();
+        async move {
+            if let Some(c) = ctx {
+                req.extensions_mut().insert(c);
+            }
+            next.run(req).await
+        }
+    };
+
+    Router::new()
+        .route("/r", get(|| async { "read" }))
+        .route("/w", post(|| async { "write" }))
+        .layer(from_fn(require_tenant_status))
+        .layer(from_fn(injector))
+}
+
+async fn call(router: Router, method: Method, path: &str) -> Response {
+    let req = Request::builder()
+        .method(method)
+        .uri(path)
+        .body(Body::empty())
+        .expect("request build");
+    router.oneshot(req).await.expect("oneshot")
+}
+
+#[tokio::test]
+async fn active_tenant_can_read_and_write() {
+    let r = router_with_ctx(Some(ctx_with(TenantStatus::Active)));
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::OK
+    );
+    assert_eq!(call(r, Method::POST, "/w").await.status(), StatusCode::OK);
+}
+
+#[tokio::test]
+async fn trial_tenant_can_read_and_write() {
+    let r = router_with_ctx(Some(ctx_with(TenantStatus::Trial)));
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::OK
+    );
+    assert_eq!(call(r, Method::POST, "/w").await.status(), StatusCode::OK);
+}
+
+#[tokio::test]
+async fn demo_tenant_can_read_and_write() {
+    let r = router_with_ctx(Some(ctx_with(TenantStatus::Demo)));
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::OK
+    );
+    assert_eq!(call(r, Method::POST, "/w").await.status(), StatusCode::OK);
+}
+
+#[tokio::test]
+async fn frozen_tenant_can_read_but_not_write() {
+    let r = router_with_ctx(Some(ctx_with(TenantStatus::Frozen)));
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::OK
+    );
+    assert_eq!(
+        call(r, Method::POST, "/w").await.status(),
+        StatusCode::PAYMENT_REQUIRED
+    );
+}
+
+#[tokio::test]
+async fn archived_tenant_is_gone_on_every_method() {
+    let r = router_with_ctx(Some(ctx_with(TenantStatus::Archived)));
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::GONE
+    );
+    assert_eq!(call(r, Method::POST, "/w").await.status(), StatusCode::GONE);
+}
+
+#[tokio::test]
+async fn no_context_passes_through() {
+    let r = router_with_ctx(None);
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::OK
+    );
+    assert_eq!(call(r, Method::POST, "/w").await.status(), StatusCode::OK);
+}
@@ -0,0 +1,75 @@
+//! Database helpers shared across the workspace.
+//!
+//! `tenant_filter` returns the BSON filter that every query and update
+//! against a tenant-scoped collection MUST include. Centralising it here
+//! makes the rule grep-able and keeps query call-sites from accidentally
+//! omitting it.
+//!
+//! Future work (M7.2+): each collection model grows a `tenant_id` field
+//! and every `find` / `update_*` / `delete_*` call gets this filter
+//! merged in. The migration to per-collection scoping is tracked
+//! separately — this helper is the building block.
+
+use bson::{doc, Document};
+
+use crate::TenantContext;
+
+/// Returns `{ "tenant_id": <ctx.tenant_id> }`. Merge this into every
+/// query filter against a tenant-scoped collection.
+///
+/// Use [`tenant_filter_merge`] when you need to combine it with other
+/// query conditions — it preserves both halves without overwriting.
+pub fn tenant_filter(ctx: &TenantContext) -> Document {
+    doc! { "tenant_id": &ctx.tenant_id }
+}
+
+/// Returns the tenant filter merged with caller-supplied conditions.
+/// The tenant_id always wins on key conflict — callers cannot
+/// accidentally override the scoping.
+pub fn tenant_filter_merge(ctx: &TenantContext, mut extra: Document) -> Document {
+    extra.insert("tenant_id", &ctx.tenant_id);
+    extra
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::TenantStatus;
+
+    fn ctx() -> TenantContext {
+        TenantContext {
+            tenant_id: "t-abc".to_string(),
+            tenant_slug: "acme".to_string(),
+            org_roles: vec![],
+            products: vec![],
+            plan: "starter".to_string(),
+            status: TenantStatus::Active,
+            user_id: "u-1".to_string(),
+            user_name: None,
+        }
+    }
+
+    #[test]
+    fn produces_tenant_id_filter() {
+        let f = tenant_filter(&ctx());
+        assert_eq!(f.get_str("tenant_id"), Ok("t-abc"));
+        assert_eq!(f.len(), 1);
+    }
+
+    #[test]
+    fn merge_preserves_extra_conditions() {
+        let extra = doc! { "status": "open", "severity": "high" };
+        let f = tenant_filter_merge(&ctx(), extra);
+        assert_eq!(f.get_str("tenant_id"), Ok("t-abc"));
+        assert_eq!(f.get_str("status"), Ok("open"));
+        assert_eq!(f.get_str("severity"), Ok("high"));
+    }
+
+    #[test]
+    fn merge_overrides_caller_tenant_id() {
+        let extra = doc! { "tenant_id": "evil-other", "status": "open" };
+        let f = tenant_filter_merge(&ctx(), extra);
+        assert_eq!(f.get_str("tenant_id"), Ok("t-abc"));
+        assert_eq!(f.get_str("status"), Ok("open"));
+    }
+}
@@ -1,9 +1,12 @@
 pub mod config;
+pub mod db;
 pub mod error;
 pub mod models;
 #[cfg(feature = "telemetry")]
 pub mod telemetry;
+pub mod tenant;
 pub mod traits;

 pub use config::{AgentConfig, DashboardConfig};
 pub use error::CoreError;
+pub use tenant::{OrgRole, TenantContext, TenantStatus};
@@ -0,0 +1,165 @@
+//! Tenant context propagated through every authenticated request.
+//!
+//! This module is the M7.1 single source of truth for "who is this request
+//! for". Claims come from a Keycloak-issued JWT and land here via
+//! `compliance-agent`'s `require_jwt_auth` middleware. Handlers reach into
+//! the request extensions with the `TenantCtx` Axum extractor.
+//!
+//! The shape mirrors the JWT claim names the breakpilot-platform realm
+//! emits (see `platform/orca-platform/dev/keycloak/realm-export.json`).
+//! Stable contract — adding fields is fine; renaming is a breaking
+//! change for every downstream product.
+
+use serde::{Deserialize, Serialize};
+
+/// Tenant lifecycle status from `PLATFORM_ARCHITECTURE.md §5c`.
+///
+/// Drives the `tenant_status` middleware:
+/// * `Demo` / `Trial` / `Active` — full access.
+/// * `Frozen` — read-only after cancel / non-payment. Mutating endpoints
+///   return 402.
+/// * `Archived` — data-retention window closed. Every endpoint returns 410.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum TenantStatus {
+    Demo,
+    Trial,
+    Active,
+    Frozen,
+    Archived,
+}
+
+impl TenantStatus {
+    /// True for statuses that block write paths.
+    pub fn is_frozen(&self) -> bool {
+        matches!(self, TenantStatus::Frozen)
+    }
+    /// True for statuses that block every request.
+    pub fn is_archived(&self) -> bool {
+        matches!(self, TenantStatus::Archived)
+    }
+    /// True for the shared demo tenant — metering, billing, and audit
+    /// export are skipped.
+    pub fn is_demo(&self) -> bool {
+        matches!(self, TenantStatus::Demo)
+    }
+}
+
+impl std::fmt::Display for TenantStatus {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::Demo => write!(f, "demo"),
+            Self::Trial => write!(f, "trial"),
+            Self::Active => write!(f, "active"),
+            Self::Frozen => write!(f, "frozen"),
+            Self::Archived => write!(f, "archived"),
+        }
+    }
+}
+
+/// Org-level role baked into the JWT by the realm's protocol mapper.
+/// `PLATFORM_ARCHITECTURE.md §6` is the canonical list.
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "UPPERCASE")]
+pub enum OrgRole {
+    ItAdmin,
+    Cxo,
+    Finance,
+    Legal,
+    User,
+    /// Anything we haven't enumerated yet — forwards-compatible.
+    #[serde(other)]
+    Unknown,
+}
+
+impl OrgRole {
+    /// Parses a single role string (Keycloak emits these as `IT_ADMIN`,
+    /// `CXO`, etc.). Round-trips with the JSON layer.
+    pub fn parse(s: &str) -> Self {
+        match s {
+            "IT_ADMIN" => OrgRole::ItAdmin,
+            "CXO" => OrgRole::Cxo,
+            "FINANCE" => OrgRole::Finance,
+            "LEGAL" => OrgRole::Legal,
+            "USER" => OrgRole::User,
+            _ => OrgRole::Unknown,
+        }
+    }
+}
+
+/// Everything `compliance-agent` knows about the requesting tenant at the
+/// moment a request lands. Cheap to clone (every field is owned + small).
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct TenantContext {
+    /// `tenants.id` from the platform's tenant-registry (UUID).
+    pub tenant_id: String,
+    /// Lowercase URL-safe slug. Useful for log lines + audit emit.
+    pub tenant_slug: String,
+    /// Org-level roles the authenticated user holds inside this tenant.
+    /// Drives the per-handler RBAC in `M7.1-followup` PRs.
+    pub org_roles: Vec<OrgRole>,
+    /// Products this tenant is currently entitled to. Used to short-circuit
+    /// MCP / API calls for unsubscribed products.
+    pub products: Vec<String>,
+    /// Customer plan (`starter` / `professional` / `enterprise`) — gates
+    /// per-plan feature flags (e.g., MCP server is enterprise-only).
+    pub plan: String,
+    /// Lifecycle status — read by `require_tenant_status` middleware.
+    pub status: TenantStatus,
+    /// Keycloak user id of the requester (`sub` claim). Required for audit
+    /// emit so we know WHO did the thing, not just WHICH tenant.
+    pub user_id: String,
+    /// Optional user-facing name from the `name` / `preferred_username`
+    /// claim. Only used in audit + log lines.
+    pub user_name: Option<String>,
+}
+
+impl TenantContext {
+    /// True if the caller holds at least one of the listed roles.
+    pub fn has_any_role(&self, roles: &[OrgRole]) -> bool {
+        self.org_roles.iter().any(|r| roles.contains(r))
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn org_role_parses_known_values() {
+        assert_eq!(OrgRole::parse("IT_ADMIN"), OrgRole::ItAdmin);
+        assert_eq!(OrgRole::parse("CXO"), OrgRole::Cxo);
+        assert_eq!(OrgRole::parse("USER"), OrgRole::User);
+    }
+
+    #[test]
+    fn org_role_unknown_is_forward_compat() {
+        assert_eq!(OrgRole::parse("FUTURE_ROLE"), OrgRole::Unknown);
+    }
+
+    #[test]
+    fn tenant_status_predicates() {
+        assert!(TenantStatus::Frozen.is_frozen());
+        assert!(!TenantStatus::Active.is_frozen());
+        assert!(TenantStatus::Archived.is_archived());
+        assert!(TenantStatus::Demo.is_demo());
+        assert!(!TenantStatus::Active.is_demo());
+    }
+
+    #[test]
+    fn has_any_role_matches() {
+        let ctx = TenantContext {
+            tenant_id: "t1".into(),
+            tenant_slug: "acme".into(),
+            org_roles: vec![OrgRole::ItAdmin],
+            products: vec![],
+            plan: "professional".into(),
+            status: TenantStatus::Active,
+            user_id: "u".into(),
+            user_name: None,
+        };
+        assert!(ctx.has_any_role(&[OrgRole::ItAdmin]));
+        assert!(ctx.has_any_role(&[OrgRole::Cxo, OrgRole::ItAdmin]));
+        assert!(!ctx.has_any_role(&[OrgRole::User, OrgRole::Cxo]));
+    }
+}
@@ -51,7 +51,7 @@ thiserror = { workspace = true }

 # Web-only
 reqwest = { workspace = true, optional = true }
-web-sys = { version = "0.3", optional = true, features = ["Blob", "BlobPropertyBag", "HtmlAnchorElement", "Url", "Document", "Window"] }
+web-sys = { version = "0.3", optional = true, features = ["Blob", "BlobPropertyBag", "HtmlAnchorElement", "Url", "Document", "Element", "Window", "Storage", "MediaQueryList"] }
 js-sys = { version = "0.3", optional = true }
 wasm-bindgen = { version = "0.2", optional = true }
 gloo-timers = { version = "0.3", features = ["futures"], optional = true }
@@ -61,6 +61,77 @@
    --ease-spring: cubic-bezier(0.34, 1.56, 0.64, 1);
 }

+/* ── Light theme tokens ──
+   Applied when the user has explicitly chosen light (`data-theme="light"`)
+   OR when their OS prefers light AND they have made no explicit choice. */
+:root[data-theme="light"] {
+    --bg-primary: #f5f7fb;
+    --bg-secondary: #ffffff;
+    --bg-card: rgba(255, 255, 255, 0.85);
+    --bg-card-solid: #ffffff;
+    --bg-card-hover: #f1f5fb;
+    --bg-elevated: #f8fafc;
+
+    --text-primary: #0c1426;
+    --text-secondary: #475569;
+    --text-tertiary: #8a9bb4;
+
+    --accent: #0070d4;
+    --accent-hover: #0080f0;
+    --accent-muted: rgba(0, 112, 212, 0.10);
+    --accent-glow: 0 0 20px rgba(0, 112, 212, 0.10);
+
+    --border: #e2e8f0;
+    --border-bright: #cbd5e1;
+    --border-accent: rgba(0, 112, 212, 0.30);
+
+    --danger: #dc2626;
+    --danger-bg: rgba(220, 38, 38, 0.08);
+    --warning: #d97706;
+    --warning-bg: rgba(217, 119, 6, 0.08);
+    --success: #16a34a;
+    --success-bg: rgba(22, 163, 74, 0.08);
+    --info: #2563eb;
+    --info-bg: rgba(37, 99, 235, 0.08);
+    --orange: #ea580c;
+    --orange-bg: rgba(234, 88, 12, 0.08);
+}
+
+@media (prefers-color-scheme: light) {
+    :root:not([data-theme="dark"]) {
+        --bg-primary: #f5f7fb;
+        --bg-secondary: #ffffff;
+        --bg-card: rgba(255, 255, 255, 0.85);
+        --bg-card-solid: #ffffff;
+        --bg-card-hover: #f1f5fb;
+        --bg-elevated: #f8fafc;
+
+        --text-primary: #0c1426;
+        --text-secondary: #475569;
+        --text-tertiary: #8a9bb4;
+
+        --accent: #0070d4;
+        --accent-hover: #0080f0;
+        --accent-muted: rgba(0, 112, 212, 0.10);
+        --accent-glow: 0 0 20px rgba(0, 112, 212, 0.10);
+
+        --border: #e2e8f0;
+        --border-bright: #cbd5e1;
+        --border-accent: rgba(0, 112, 212, 0.30);
+
+        --danger: #dc2626;
+        --danger-bg: rgba(220, 38, 38, 0.08);
+        --warning: #d97706;
+        --warning-bg: rgba(217, 119, 6, 0.08);
+        --success: #16a34a;
+        --success-bg: rgba(22, 163, 74, 0.08);
+        --info: #2563eb;
+        --info-bg: rgba(37, 99, 235, 0.08);
+        --orange: #ea580c;
+        --orange-bg: rgba(234, 88, 12, 0.08);
+    }
+}
+

 /* ── Reset & Base ── */

@@ -396,6 +467,44 @@ code {
    background: rgba(0, 200, 255, 0.06);
 }

+.theme-toggle {
+    background: none;
+    border: none;
+    border-top: 1px solid var(--border);
+    color: var(--text-secondary);
+    padding: 11px 18px;
+    cursor: pointer;
+    display: flex;
+    align-items: center;
+    gap: 11px;
+    font-family: var(--font-body);
+    font-size: 13.5px;
+    font-weight: 500;
+    transition: color 0.2s, background 0.2s;
+    width: 100%;
+    text-align: left;
+}
+
+.theme-toggle:hover {
+    color: var(--accent);
+    background: var(--accent-muted);
+}
+
+.theme-toggle svg {
+    flex-shrink: 0;
+    opacity: 0.75;
+    transition: opacity 0.2s;
+}
+
+.theme-toggle:hover svg {
+    opacity: 1;
+}
+
+.sidebar.collapsed .theme-toggle {
+    justify-content: center;
+    padding: 11px 0;
+}
+
 .sidebar.collapsed .sidebar-header {
    padding: 22px 0;
    justify-content: center;
@@ -3889,3 +3998,33 @@ tbody tr:last-child td {
 .copyable code, .copyable .mono { flex: 1; min-width: 0; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
 .code-snippet-wrapper { position: relative; }
 .code-snippet-header { display: flex; align-items: center; justify-content: space-between; margin-bottom: 4px; gap: 8px; }
+
+
+/* ═══════════════════════════════════════════════════════════════
+   LIGHT THEME — surface overrides for the few hardcoded dark
+   colors that don't go through CSS custom properties.
+   ═══════════════════════════════════════════════════════════════ */
+
+:root[data-theme="light"] .main-content {
+    background-image: radial-gradient(circle at 1px 1px, rgba(100, 116, 139, 0.18) 1px, transparent 0);
+}
+:root[data-theme="light"] .code-block {
+    background: #f8fafc;
+    color: #0c1426;
+}
+:root[data-theme="light"] .graph-stab-overlay {
+    background: radial-gradient(ellipse at center, rgba(245, 247, 251, 0.92) 0%, rgba(245, 247, 251, 0.98) 100%);
+}
+
+@media (prefers-color-scheme: light) {
+    :root:not([data-theme="dark"]) .main-content {
+        background-image: radial-gradient(circle at 1px 1px, rgba(100, 116, 139, 0.18) 1px, transparent 0);
+    }
+    :root:not([data-theme="dark"]) .code-block {
+        background: #f8fafc;
+        color: #0c1426;
+    }
+    :root:not([data-theme="dark"]) .graph-stab-overlay {
+        background: radial-gradient(ellipse at center, rgba(245, 247, 251, 0.92) 0%, rgba(245, 247, 251, 0.98) 100%);
+    }
+}
@@ -12,4 +12,5 @@ pub mod pentest_wizard;
 pub mod severity_badge;
 pub mod sidebar;
 pub mod stat_card;
+pub mod theme_toggle;
 pub mod toast;
@@ -4,6 +4,7 @@ use dioxus_free_icons::icons::bs_icons::*;
 use dioxus_free_icons::Icon;

 use crate::app::Route;
+use crate::components::theme_toggle::ThemeToggle;

 struct NavItem {
    label: &'static str,
@@ -106,6 +107,7 @@ pub fn Sidebar() -> Element {
            }
            // Spacer pushes footer to the bottom
            div { class: "sidebar-spacer" }
+            ThemeToggle { collapsed: collapsed() }
            button {
                class: "sidebar-toggle",
                onclick: move |_| collapsed.set(!collapsed()),
@@ -0,0 +1,104 @@
+use dioxus::prelude::*;
+use dioxus_free_icons::icons::bs_icons::{BsMoonStars, BsSun};
+use dioxus_free_icons::Icon;
+
+#[cfg(feature = "web")]
+const STORAGE_KEY: &str = "compliance-scanner.theme";
+
+/// Sidebar-footer theme toggle. Reads the initial state on mount from
+/// localStorage (explicit user choice) or `prefers-color-scheme` (OS default),
+/// then writes back to both the `<html data-theme="...">` attribute and
+/// localStorage on every click.
+#[component]
+pub fn ThemeToggle(collapsed: bool) -> Element {
+    // `None` until the on-mount effect resolves the real value, so SSR doesn't
+    // render the wrong icon for the user's actual theme.
+    let mut is_dark = use_signal(|| None::<bool>);
+
+    use_effect(move || {
+        let (dark, from_storage) = initial_theme();
+        is_dark.set(Some(dark));
+        // If the user already made an explicit choice (in localStorage), assert it
+        // on the DOM so an OS-vs-stored mismatch can't briefly show the wrong theme.
+        if from_storage {
+            apply_theme(dark);
+        }
+    });
+
+    let label = if collapsed {
+        ""
+    } else if is_dark().unwrap_or(true) {
+        "Light mode"
+    } else {
+        "Dark mode"
+    };
+
+    let title = if is_dark().unwrap_or(true) {
+        "Switch to light mode"
+    } else {
+        "Switch to dark mode"
+    };
+
+    rsx! {
+        button {
+            class: "theme-toggle",
+            r#type: "button",
+            title: "{title}",
+            "aria-label": "{title}",
+            onclick: move |_| {
+                let next_dark = !is_dark().unwrap_or(true);
+                is_dark.set(Some(next_dark));
+                apply_theme(next_dark);
+            },
+            if is_dark().unwrap_or(true) {
+                Icon { icon: BsSun, width: 16, height: 16 }
+            } else {
+                Icon { icon: BsMoonStars, width: 16, height: 16 }
+            }
+            if !collapsed {
+                span { class: "theme-toggle-label", "{label}" }
+            }
+        }
+    }
+}
+
+/// Returns `(is_dark, from_storage)`. `from_storage` is true when an explicit
+/// user choice is in localStorage; false when we fell back to OS preference
+/// (or to the dark default).
+#[cfg(feature = "web")]
+fn initial_theme() -> (bool, bool) {
+    if let Some(window) = web_sys::window() {
+        if let Ok(Some(storage)) = window.local_storage() {
+            if let Ok(Some(value)) = storage.get_item(STORAGE_KEY) {
+                return (value == "dark", true);
+            }
+        }
+        if let Ok(Some(mql)) = window.match_media("(prefers-color-scheme: dark)") {
+            return (mql.matches(), false);
+        }
+    }
+    (true, false)
+}
+
+#[cfg(not(feature = "web"))]
+fn initial_theme() -> (bool, bool) {
+    (true, false)
+}
+
+#[cfg(feature = "web")]
+fn apply_theme(dark: bool) {
+    let theme = if dark { "dark" } else { "light" };
+    if let Some(window) = web_sys::window() {
+        if let Some(document) = window.document() {
+            if let Some(root) = document.document_element() {
+                let _ = root.set_attribute("data-theme", theme);
+            }
+        }
+        if let Ok(Some(storage)) = window.local_storage() {
+            let _ = storage.set_item(STORAGE_KEY, theme);
+        }
+    }
+}
+
+#[cfg(not(feature = "web"))]
+fn apply_theme(_dark: bool) {}
Author	SHA1	Message	Date
Sharang Parnerkar	cb7b1b86f5	fix(m7.1): correct middleware layer order so JwksState is visible CI / Check (pull_request) Successful in 11m31s Details CI / Detect Changes (pull_request) Has been skipped Details CI / Deploy Agent (pull_request) Has been skipped Details CI / Deploy Dashboard (pull_request) Has been skipped Details CI / Deploy Docs (pull_request) Has been skipped Details CI / Deploy MCP (pull_request) Has been skipped Details Axum applies layers outermost-first. With the previous ordering (`Extension(jwks_state)` first, `require_jwt_auth` last), the JWT middleware ran before the Extension layer attached `JwksState` to the request, so `request.extensions().get::<JwksState>()` always returned None and the middleware silently passed through every request as if Keycloak weren't configured. Verified end-to-end against the local CERTifAI Keycloak realm: - no token / bad token -> 401 - active / trial -> 200 read, write reaches handler - frozen -> 200 read, 402 on writes - archived -> 410 on every method The bug was invisible to the unit + integration tests because they construct the layer stack manually; only the live wiring exhibited it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-20 17:20:37 +02:00
Sharang Parnerkar	05c01ea547	feat(m7.1): wire tenant claims, status enforcement, and db scoping helper CI / Check (pull_request) Successful in 10m50s Details CI / Detect Changes (pull_request) Has been skipped Details CI / Deploy Agent (pull_request) Has been skipped Details CI / Deploy Dashboard (pull_request) Has been skipped Details CI / Deploy Docs (pull_request) Has been skipped Details CI / Deploy MCP (pull_request) Has been skipped Details Lays the platform-wide multi-tenancy infrastructure on top of the existing Keycloak signature validation. JWTs now carry tenant_id, tenant_slug, org_roles, products, plan, and tenant_status; the middleware decodes them into a TenantContext and attaches it to the request extensions. A TenantCtx Axum extractor exposes the context to handlers, and a tenant_status middleware enforces the §5c lifecycle (frozen tenants are 402 on writes; archived tenants are 410 on every method). A db::tenant_filter helper in compliance-core gives every future collection a single grep-able pattern for tenant-scoped queries. Per-collection wiring (adding tenant_id to each model + threading the filter through every find/update/delete call) lands in a follow-up. Tests: 6 inline unit tests for claims→context mapping, 2 for the extractor, 6 integration tests for status middleware, 3 for db filter. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-20 10:10:42 +02:00
sharang	a8cef58e02	feat(dashboard): add light/dark theme with sidebar toggle (#81 ) CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 5s Details CI / Deploy Agent (push) Has been skipped Details CI / Deploy Dashboard (push) Successful in 9m46s Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Has been skipped Details	2026-05-13 11:44:22 +00:00
sharang	927fbc8ecb	fix: live progress + concurrency for embedding builds (#80 ) CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 5s Details CI / Deploy Agent (push) Successful in 7m59s Details CI / Deploy Dashboard (push) Has been skipped Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Has been skipped Details	2026-05-13 10:01:05 +00:00
sharang	e67a13535a	fix: add HTTP timeout to reqwest client and CVE stage timeout (#79 ) CI / Check (push) Has been skipped Details CI / Detect Changes (push) Successful in 5s Details CI / Deploy Agent (push) Successful in 8m26s Details CI / Deploy Dashboard (push) Has been skipped Details CI / Deploy Docs (push) Has been skipped Details CI / Deploy MCP (push) Has been skipped Details	2026-05-13 07:30:26 +00:00