Coverage for src / documint_mcp / server.py: 0%

1"""FastAPI application for the Documint control plane.""" 

2 

3from __future__ import annotations 

4 

5import hmac 

6import json 

7import time 

8from collections.abc import AsyncGenerator, Awaitable, Callable 

9from contextlib import asynccontextmanager 

10from dataclasses import dataclass 

11from datetime import UTC, datetime 

12from pathlib import Path 

13from typing import Any, cast 

14 

15import jwt 

16import structlog 

17from fastapi import Depends, FastAPI, Header, HTTPException, Request, Response 

18from fastapi.encoders import jsonable_encoder 

19from fastapi.middleware.cors import CORSMiddleware 

20from fastapi.middleware.gzip import GZipMiddleware 

21from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer 

22from prometheus_client import Counter, Histogram, generate_latest 

23from slowapi import Limiter, _rate_limit_exceeded_handler 

24from slowapi.errors import RateLimitExceeded 

25from slowapi.util import get_remote_address 

26 

27from .config import settings 

28from .db import EarlyAccessTokenRecord, WaitlistSignupRecord, get_engine, init_db 

29from .db import session_scope as db_session_scope 

30from .check_runs import CheckRunManager 

31from .github import analyze_github_webhook, github_app_manifest, verify_github_signature 

32from .jobs import ( 

33 close_arq_pool, 

34 dispatch_drift, 

35 dispatch_installation_sync, 

36 dispatch_patch, 

37 dispatch_publish, 

38 dispatch_pull_request, 

39 get_arq_pool, 

40) 

41from .models import ( 

42 CLIExchangeRequest, 

43 DriftJobRequest, 

44 MCPRequest, 

45 MCPTool, 

46 PatchCreateRequest, 

47 ProjectCreateRequest, 

48 PublishRequest, 

49 PullRequestCreateRequest, 

50 QueuedJob, 

51 RevalidateRequest, 

52 TokenCreateRequest, 

53 WorkspaceCreateRequest, 

54) 

55from .connectors.notifications import get_notification_dispatcher 

56from .repository import get_service 

57from .utils.cache import get_cache 

58 

59structlog.configure( 

60 processors=[ 

61 structlog.stdlib.filter_by_level, 

62 structlog.stdlib.add_logger_name, 

63 structlog.stdlib.add_log_level, 

64 structlog.stdlib.PositionalArgumentsFormatter(), 

65 structlog.processors.TimeStamper(fmt="iso"), 

66 structlog.processors.StackInfoRenderer(), 

67 structlog.processors.format_exc_info, 

68 structlog.processors.UnicodeDecoder(), 

69 structlog.processors.JSONRenderer(), 

70 ], 

71 context_class=dict, 

72 logger_factory=structlog.stdlib.LoggerFactory(), 

73 wrapper_class=structlog.stdlib.BoundLogger, 

74 cache_logger_on_first_use=True, 

75) 

76 

77logger = structlog.get_logger() 

78REQUEST_COUNT = Counter( 

79 "http_requests_total", "Total HTTP requests", ["method", "endpoint"] 

80) 

81REQUEST_DURATION = Histogram("http_request_duration_seconds", "HTTP request duration") 

82limiter = Limiter(key_func=get_remote_address) 

83security = HTTPBearer(auto_error=False) 

84_jwks_clients: dict[str, jwt.PyJWKClient] = {} 

85 

86 

87@dataclass(frozen=True) 

88class AuthContext: 

89 credential_source: str 

90 user_id: str | None = None 

91 workspace_ids: tuple[str, ...] = () 

92 scopes: tuple[str, ...] = () 

93 is_service: bool = False 

94 

95 

96def _tool_definitions() -> list[MCPTool]: 

97 return [ 

98 MCPTool( 

99 name="list_projects", 

100 description="List persisted Documint projects visible to the current workspace.", 

101 input_schema={ 

102 "type": "object", 

103 "properties": {"workspace_id": {"type": "string"}}, 

104 }, 

105 ), 

106 MCPTool( 

107 name="analyze_repository", 

108 description="Return the current project snapshot, including findings, PRs, and publish history.", 

109 input_schema={ 

110 "type": "object", 

111 "properties": {"project_id": {"type": "string"}}, 

112 }, 

113 ), 

114 MCPTool( 

115 name="detect_doc_drift", 

116 description="Run deterministic doc drift detection for a project.", 

117 input_schema={ 

118 "type": "object", 

119 "properties": { 

120 "project_id": {"type": "string"}, 

121 "signal_type": {"type": "string"}, 

122 "changed_files": {"type": "array", "items": {"type": "string"}}, 

123 }, 

124 "required": ["project_id"], 

125 }, 

126 ), 

127 MCPTool( 

128 name="generate_doc_patch", 

129 description="Draft a reviewable patch for a finding or artifact.", 

130 input_schema={ 

131 "type": "object", 

132 "properties": { 

133 "project_id": {"type": "string"}, 

134 "artifact_id": {"type": "string"}, 

135 "finding_id": {"type": "string"}, 

136 "policy": {"type": "string"}, 

137 }, 

138 }, 

139 ), 

140 MCPTool( 

141 name="review_doc_patch", 

142 description="Return the stored patch draft and its linked artifact trace.", 

143 input_schema={ 

144 "type": "object", 

145 "properties": { 

146 "project_id": {"type": "string"}, 

147 "patch_id": {"type": "string"}, 

148 "artifact_id": {"type": "string"}, 

149 }, 

150 "required": ["project_id"], 

151 }, 

152 ), 

153 MCPTool( 

154 name="publish_preview", 

155 description="Publish repo-backed markdown into Documint-hosted public docs pages.", 

156 input_schema={ 

157 "type": "object", 

158 "properties": {"project_id": {"type": "string"}}, 

159 "required": ["project_id"], 

160 }, 

161 ), 

162 MCPTool( 

163 name="explain_doc_trace", 

164 description="Explain which source files drive a documentation artifact.", 

165 input_schema={ 

166 "type": "object", 

167 "properties": { 

168 "project_id": {"type": "string"}, 

169 "artifact_id": {"type": "string"}, 

170 }, 

171 "required": ["artifact_id"], 

172 }, 

173 ), 

174 MCPTool( 

175 name="get_project_activity", 

176 description="Return the project activity timeline for scans, patches, PRs, and publishes.", 

177 input_schema={ 

178 "type": "object", 

179 "properties": {"project_id": {"type": "string"}}, 

180 "required": ["project_id"], 

181 }, 

182 ), 

183 ] 

184 

185 

186async def verify_token( 

187 request: Request, 

188 credentials: HTTPAuthorizationCredentials | None = Depends(security), 

189) -> AuthContext: 

190 """Verify operator credentials against service, API-token, or Clerk tokens.""" 

191 

192 if credentials is None or not credentials.credentials: 

193 _localhost_hosts = ("127.0.0.1", "::1", "localhost", "testclient") 

194 client_host = getattr(request.client, "host", "") if request.client else "" 

195 if settings.debug and client_host in _localhost_hosts: 

196 return AuthContext( 

197 credential_source="debug", 

198 user_id=( 

199 settings.default_user_id 

200 if settings.auto_bootstrap_defaults 

201 else None 

202 ), 

203 ) 

204 if not settings.auth_token and not settings.clerk_jwks_url: 

205 return AuthContext( 

206 credential_source="debug", 

207 user_id=( 

208 settings.default_user_id 

209 if settings.auto_bootstrap_defaults 

210 else None 

211 ), 

212 ) 

213 raise HTTPException(status_code=401, detail="Authentication required") 

214 

215 token = credentials.credentials 

216 if settings.auth_token and hmac.compare_digest(token, settings.auth_token): 

217 return AuthContext(credential_source="service", is_service=True) 

218 api_token = get_service().authenticate_api_token(token) 

219 if api_token is not None: 

220 return AuthContext( 

221 credential_source="api", 

222 user_id=api_token.user_id, 

223 workspace_ids=(api_token.workspace_id,), 

224 scopes=tuple(api_token.scopes), 

225 ) 

226 claims = _verify_clerk_jwt(token) 

227 if claims is not None: 

228 user = get_service().ensure_clerk_user(claims) 

229 workspaces = get_service().list_workspaces(user.id) 

230 return AuthContext( 

231 credential_source="clerk", 

232 user_id=user.id, 

233 workspace_ids=tuple(item.id for item in workspaces), 

234 ) 

235 raise HTTPException(status_code=401, detail="Invalid token") 

236 

237 

238def _verify_clerk_jwt(token: str) -> dict[str, Any] | None: 

239 if not settings.clerk_jwks_url or not settings.clerk_issuer: 

240 return None 

241 client = _jwks_clients.get(settings.clerk_jwks_url) 

242 if client is None: 

243 client = jwt.PyJWKClient(settings.clerk_jwks_url) 

244 _jwks_clients[settings.clerk_jwks_url] = client 

245 try: 

246 signing_key = client.get_signing_key_from_jwt(token) 

247 decoded = jwt.decode( 

248 token, 

249 signing_key.key, 

250 algorithms=["RS256"], 

251 audience=settings.clerk_audience, 

252 issuer=settings.clerk_issuer, 

253 ) 

254 except Exception: 

255 return None 

256 return decoded 

257 

258 

259def verify_internal_secret( 

260 x_documint_internal: str | None = Header(default=None), 

261) -> None: 

262 if not settings.internal_revalidate_secret: 

263 if settings.debug: 

264 return 

265 raise HTTPException(status_code=503, detail="Internal secret not configured") 

266 if not x_documint_internal or not hmac.compare_digest( 

267 x_documint_internal, settings.internal_revalidate_secret 

268 ): 

269 raise HTTPException(status_code=401, detail="Invalid internal secret") 

270 

271 

272async def _validate_runtime_dependencies() -> None: 

273 errors = settings.production_validation_errors() 

274 if errors: 

275 raise RuntimeError( 

276 "Production configuration is invalid: " + "; ".join(errors) 

277 ) 

278 if not settings.is_production_runtime(): 

279 return 

280 engine = get_engine() 

281 with engine.connect() as connection: 

282 connection.exec_driver_sql("SELECT 1") 

283 cache = await get_cache() 

284 redis_connected = bool(cache.get_stats()["redis_cache"].get("connected")) 

285 if not redis_connected: 

286 raise RuntimeError("Production requires a reachable Redis cache") 

287 await get_arq_pool() 

288 

289 

290@asynccontextmanager 

291async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]: 

292 logger.info("starting_documint_backend", repo_root=str(settings.repo_root)) 

293 await _validate_runtime_dependencies() 

294 init_db() 

295 cache = await get_cache() 

296 try: 

297 logger.info("cache_initialized", stats=cache.get_stats()) 

298 yield 

299 finally: 

300 await close_arq_pool() 

301 await cache.close() 

302 logger.info("shutting_down_documint_backend") 

303 

304 

305def create_app() -> FastAPI: 

306 app = FastAPI( 

307 title="Documint V1", 

308 description="Persistent control plane for repo-native documentation operations.", 

309 version="0.3.0", 

310 lifespan=lifespan, 

311 docs_url="/docs" if settings.debug else None, 

312 redoc_url="/redoc" if settings.debug else None, 

313 ) 

314 app.add_middleware( 

315 CORSMiddleware, 

316 allow_origins=( 

317 ["http://localhost:3000", "http://127.0.0.1:3000"] 

318 if settings.debug 

319 else [ 

320 "https://documint.xyz", 

321 "https://www.documint.xyz", 

322 settings.app_base_url, 

323 ] 

324 ), 

325 allow_credentials=True, 

326 allow_methods=["DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT"], 

327 allow_headers=["*"], 

328 ) 

329 app.add_middleware(GZipMiddleware, minimum_size=1000) 

330 app.state.limiter = limiter 

331 app.add_exception_handler( 

332 RateLimitExceeded, 

333 cast(Callable[[Request, Exception], Response], _rate_limit_exceeded_handler), 

334 ) 

335 app.add_exception_handler( 

336 PermissionError, 

337 lambda _request, exc: Response( 

338 content=json.dumps({"detail": str(exc)}), 

339 status_code=403, 

340 media_type="application/json", 

341 ), 

342 ) 

343 

344 @app.middleware("http") 

345 async def security_headers( 

346 request: Request, call_next: Callable[[Request], Awaitable[Response]] 

347 ) -> Response: 

348 response = await call_next(request) 

349 response.headers["X-Content-Type-Options"] = "nosniff" 

350 response.headers["X-Frame-Options"] = "DENY" 

351 response.headers["Strict-Transport-Security"] = ( 

352 "max-age=31536000; includeSubDomains" 

353 ) 

354 response.headers["Content-Security-Policy"] = "default-src 'self'" 

355 return response 

356 

357 @app.middleware("http") 

358 async def metrics_middleware( 

359 request: Request, call_next: Callable[[Request], Awaitable[Response]] 

360 ) -> Response: 

361 start_time = time.time() 

362 response = await call_next(request) 

363 # Use route template to avoid high-cardinality labels from path params 

364 route = request.scope.get("route") 

365 endpoint = route.path if route is not None else request.url.path 

366 REQUEST_COUNT.labels(method=request.method, endpoint=endpoint).inc() 

367 REQUEST_DURATION.observe(time.time() - start_time) 

368 return response 

369 

370 @app.get("/") 

371 async def root() -> dict[str, str]: 

372 return { 

373 "name": "Documint V1", 

374 "project": settings.project_name, 

375 "site": settings.public_base_url, 

376 } 

377 

378 @app.get("/health") 

379 async def health_check() -> dict[str, Any]: 

380 cache = await get_cache() 

381 runtime = get_service().runtime_status() 

382 return { 

383 "status": "healthy", 

384 "project_id": settings.project_id, 

385 "repo_root": runtime.repo_root, 

386 "docs_root": runtime.docs_root, 

387 "cache": cache.get_stats(), 

388 "runtime": jsonable_encoder(runtime), 

389 } 

390 

391 @app.post("/waitlist") 

392 @limiter.limit("5/minute") 

393 async def join_waitlist(request: Request) -> dict[str, str]: 

394 body = await request.json() 

395 email = body.get("email", "").strip().lower() 

396 source = body.get("source", "landing")[:64] 

397 if not email or "@" not in email: 

398 raise HTTPException(status_code=422, detail="Valid email required") 

399 try: 

400 from sqlalchemy import select as _select 

401 with db_session_scope() as session: 

402 existing = session.scalar( 

403 _select(WaitlistSignupRecord).where(WaitlistSignupRecord.email == email) 

404 ) 

405 if existing is None: 

406 session.add(WaitlistSignupRecord(email=email, source=source)) 

407 logger.info("waitlist_signup", email=email, source=source) 

408 except Exception as exc: 

409 logger.warning("waitlist_db_error", error=str(exc)) 

410 return {"status": "ok", "message": "You're on the list!"} 

411 

412 @app.post("/early-access") 

413 @limiter.limit("10/minute") 

414 async def early_access(request: Request) -> dict[str, str]: 

415 import secrets as _secrets 

416 body = await request.json() 

417 email = body.get("email", "").strip().lower() 

418 answer = body.get("answer", "").strip().replace(" ", "") 

419 

420 if not email or "@" not in email: 

421 raise HTTPException(status_code=422, detail="Valid email required.") 

422 

423 # The Look and Say sequence: 1 → 11 → 21 → 1211 → 111221 → 312211 

424 correct_answer = "312211" 

425 

426 if answer == correct_answer: 

427 token = "dm_early_" + _secrets.token_urlsafe(24) 

428 try: 

429 with db_session_scope() as session: 

430 existing = session.query(EarlyAccessTokenRecord).filter_by(email=email).first() 

431 if existing: 

432 return { 

433 "status": "access_granted", 

434 "token": existing.token, 

435 "message": "You already have access.", 

436 } 

437 import uuid as _uuid 

438 record = EarlyAccessTokenRecord( 

439 id=_uuid.uuid4().hex, 

440 token=token, 

441 email=email, 

442 source="brain_teaser", 

443 ) 

444 session.add(record) 

445 logger.info("early_access_granted", email=email, token=token[:12]) 

446 except Exception as exc: 

447 logger.warning("early_access_db_error", error=str(exc)) 

448 return { 

449 "status": "access_granted", 

450 "token": token, 

451 "message": "You think recursively. Access granted.", 

452 } 

453 else: 

454 # Wrong answer → add to waitlist 

455 try: 

456 with db_session_scope() as session: 

457 existing = session.query(WaitlistSignupRecord).filter_by(email=email).first() 

458 if existing is None: 

459 session.add(WaitlistSignupRecord(email=email, source="brain_teaser_failed")) 

460 logger.info("waitlist_signup_from_teaser", email=email) 

461 except Exception as exc: 

462 logger.warning("waitlist_db_error", error=str(exc)) 

463 return { 

464 "status": "waitlisted", 

465 "message": "Not quite. You're on the waitlist — we'll reach out when we expand access.", 

466 } 

467 

468 @app.get("/metrics") 

469 async def metrics() -> Response: 

470 return Response(generate_latest(), media_type="text/plain") 

471 

472 @app.get("/runtime") 

473 async def runtime() -> Any: 

474 return jsonable_encoder(get_service().runtime_status()) 

475 

476 @app.get("/snapshot") 

477 async def snapshot( 

478 project_id: str | None = None, 

479 actor: AuthContext = Depends(verify_token), 

480 ) -> Any: 

481 return jsonable_encoder( 

482 get_service().snapshot(project_id=project_id, user_id=_actor_user_id(actor)) 

483 ) 

484 

485 @app.get("/me") 

486 async def me(actor: AuthContext = Depends(verify_token)) -> Any: 

487 return jsonable_encoder(get_service().me(user_id=_actor_user_id(actor))) 

488 

489 @app.get("/workspaces") 

490 async def list_workspaces(actor: AuthContext = Depends(verify_token)) -> Any: 

491 return jsonable_encoder( 

492 get_service().list_workspaces(user_id=_actor_user_id(actor)) 

493 ) 

494 

495 @app.post("/workspaces") 

496 @limiter.limit("10/minute") 

497 async def create_workspace( 

498 request: Request, 

499 payload: WorkspaceCreateRequest, 

500 actor: AuthContext = Depends(verify_token), 

501 ) -> Any: 

502 del request 

503 return jsonable_encoder( 

504 get_service().create_workspace(payload, user_id=_actor_user_id(actor)) 

505 ) 

506 

507 @app.post("/admin/bootstrap-self") 

508 @limiter.limit("5/minute") 

509 async def bootstrap_self( 

510 request: Request, 

511 actor: AuthContext = Depends(verify_token), 

512 ) -> Any: 

513 del request 

514 if not actor.is_service and not settings.debug: 

515 raise HTTPException( 

516 status_code=403, detail="Bootstrap requires service auth" 

517 ) 

518 return jsonable_encoder(get_service().bootstrap_self()) 

519 

520 @app.get("/projects") 

521 async def list_projects( 

522 workspace_id: str | None = None, 

523 actor: AuthContext = Depends(verify_token), 

524 ) -> Any: 

525 return jsonable_encoder( 

526 get_service().list_projects( 

527 workspace_id=workspace_id, user_id=_actor_user_id(actor) 

528 ) 

529 ) 

530 

531 @app.post("/projects") 

532 @limiter.limit("10/minute") 

533 async def create_project( 

534 request: Request, 

535 payload: ProjectCreateRequest, 

536 actor: AuthContext = Depends(verify_token), 

537 ) -> Any: 

538 del request 

539 return jsonable_encoder( 

540 get_service().create_project(payload, user_id=_actor_user_id(actor)) 

541 ) 

542 

543 @app.get("/projects/{project_id}") 

544 async def get_project( 

545 project_id: str, 

546 actor: AuthContext = Depends(verify_token), 

547 ) -> Any: 

548 return jsonable_encoder( 

549 get_service().get_project(project_id, user_id=_actor_user_id(actor)) 

550 ) 

551 

552 @app.get("/jobs/{job_id}") 

553 async def get_job( 

554 job_id: str, 

555 actor: AuthContext = Depends(verify_token), 

556 ) -> Any: 

557 return jsonable_encoder( 

558 get_service().get_job(job_id, user_id=_actor_user_id(actor)) 

559 ) 

560 

561 @app.get("/projects/{project_id}/jobs") 

562 async def list_project_jobs( 

563 project_id: str, 

564 actor: AuthContext = Depends(verify_token), 

565 ) -> Any: 

566 return jsonable_encoder( 

567 get_service().list_jobs(project_id, user_id=_actor_user_id(actor)) 

568 ) 

569 

570 @app.get("/sources") 

571 async def list_sources(actor: AuthContext = Depends(verify_token)) -> Any: 

572 return jsonable_encoder( 

573 get_service().list_sources(user_id=_actor_user_id(actor)) 

574 ) 

575 

576 @app.get("/projects/{project_id}/findings") 

577 async def list_findings( 

578 project_id: str, 

579 actor: AuthContext = Depends(verify_token), 

580 ) -> Any: 

581 return jsonable_encoder( 

582 get_service().list_findings(project_id, user_id=_actor_user_id(actor)) 

583 ) 

584 

585 @app.post("/projects/{project_id}/rescan") 

586 @limiter.limit("30/minute") 

587 async def rescan_project( 

588 request: Request, 

589 project_id: str, 

590 payload: DriftJobRequest | None = None, 

591 actor: AuthContext = Depends(verify_token), 

592 ) -> Any: 

593 del request 

594 drift_request = payload or DriftJobRequest(project_id=project_id) 

595 drift_request.project_id = project_id 

596 return jsonable_encoder( 

597 await dispatch_drift(drift_request, user_id=_actor_user_id(actor)) 

598 ) 

599 

600 @app.get("/projects/{project_id}/patches") 

601 async def list_patches( 

602 project_id: str, 

603 actor: AuthContext = Depends(verify_token), 

604 ) -> Any: 

605 return jsonable_encoder( 

606 get_service().list_patches(project_id, user_id=_actor_user_id(actor)) 

607 ) 

608 

609 @app.get("/projects/{project_id}/patches/{patch_id}") 

610 async def get_patch( 

611 project_id: str, 

612 patch_id: str, 

613 actor: AuthContext = Depends(verify_token), 

614 ) -> Any: 

615 return jsonable_encoder( 

616 get_service().get_patch(project_id, patch_id, user_id=_actor_user_id(actor)) 

617 ) 

618 

619 @app.post("/projects/{project_id}/findings/{finding_id}/patch") 

620 @limiter.limit("20/minute") 

621 async def create_patch( 

622 request: Request, 

623 project_id: str, 

624 finding_id: str, 

625 payload: PatchCreateRequest | None = None, 

626 actor: AuthContext = Depends(verify_token), 

627 ) -> Any: 

628 del request 

629 return jsonable_encoder( 

630 await dispatch_patch( 

631 project_id=project_id, 

632 finding_id=finding_id, 

633 policy=payload.policy if payload is not None else "on_demand", 

634 user_id=_actor_user_id(actor), 

635 ) 

636 ) 

637 

638 @app.post("/projects/{project_id}/patches/{patch_id}/approve") 

639 @limiter.limit("20/minute") 

640 async def approve_patch( 

641 request: Request, 

642 project_id: str, 

643 patch_id: str, 

644 actor: AuthContext = Depends(verify_token), 

645 ) -> Any: 

646 del request 

647 try: 

648 return jsonable_encoder( 

649 get_service().approve_patch( 

650 project_id=project_id, 

651 patch_id=patch_id, 

652 user_id=_actor_user_id(actor), 

653 ) 

654 ) 

655 except KeyError as exc: 

656 raise HTTPException(status_code=404, detail=str(exc)) from exc 

657 

658 @app.post("/projects/{project_id}/findings/{finding_id}/approve") 

659 @limiter.limit("20/minute") 

660 async def approve_patch_by_finding( 

661 request: Request, 

662 project_id: str, 

663 finding_id: str, 

664 actor: AuthContext = Depends(verify_token), 

665 ) -> Any: 

666 """Approve the patch associated with a finding (convenience for MCP agents).""" 

667 del request 

668 from .db import DocPatchRecord as DPR 

669 

670 with db_session_scope() as session: 

671 patch_record = session.query(DPR).filter_by( 

672 project_id=project_id, finding_id=finding_id, 

673 ).order_by(DPR.created_at.desc()).first() 

674 if patch_record is None: 

675 raise HTTPException( 

676 status_code=404, 

677 detail=f"No patch found for finding {finding_id}", 

678 ) 

679 patch_id = patch_record.id 

680 try: 

681 return jsonable_encoder( 

682 get_service().approve_patch( 

683 project_id=project_id, 

684 patch_id=patch_id, 

685 user_id=_actor_user_id(actor), 

686 ) 

687 ) 

688 except KeyError as exc: 

689 raise HTTPException(status_code=404, detail=str(exc)) from exc 

690 

691 @app.get("/projects/{project_id}/findings/{finding_id}/symbol-diff") 

692 async def get_symbol_diff( 

693 project_id: str, 

694 finding_id: str, 

695 actor: AuthContext = Depends(verify_token), 

696 ) -> Any: 

697 """Return the symbol-level diff for a specific drift finding.""" 

698 from .db import DriftFindingRecord as DFR 

699 

700 with db_session_scope() as session: 

701 finding = session.get(DFR, finding_id) 

702 if finding is None or finding.project_id != project_id: 

703 raise HTTPException(status_code=404, detail="Finding not found") 

704 changed = getattr(finding, "changed_symbols", None) or [] 

705 return { 

706 "finding_id": finding_id, 

707 "project_id": project_id, 

708 "artifact_id": finding.artifact_key, 

709 "changes": changed, 

710 } 

711 

712 @app.post("/projects/{project_id}/patches/{patch_id}/pr") 

713 @limiter.limit("20/minute") 

714 async def open_pr( 

715 request: Request, 

716 project_id: str, 

717 patch_id: str, 

718 payload: PullRequestCreateRequest | None = None, 

719 actor: AuthContext = Depends(verify_token), 

720 ) -> Any: 

721 del request 

722 return jsonable_encoder( 

723 await dispatch_pull_request( 

724 project_id=project_id, 

725 patch_id=patch_id, 

726 title=payload.title if payload is not None else None, 

727 user_id=_actor_user_id(actor), 

728 ) 

729 ) 

730 

731 @app.get("/projects/{project_id}/publishes") 

732 async def list_publishes( 

733 project_id: str, 

734 actor: AuthContext = Depends(verify_token), 

735 ) -> Any: 

736 return jsonable_encoder( 

737 get_service().list_publishes(project_id, user_id=_actor_user_id(actor)) 

738 ) 

739 

740 @app.get("/projects/{project_id}/publishes/{deployment_id}") 

741 async def get_publish( 

742 project_id: str, 

743 deployment_id: str, 

744 actor: AuthContext = Depends(verify_token), 

745 ) -> Any: 

746 return jsonable_encoder( 

747 get_service().get_publish( 

748 project_id, deployment_id, user_id=_actor_user_id(actor) 

749 ) 

750 ) 

751 

752 @app.get("/projects/{project_id}/activity") 

753 async def get_project_activity( 

754 project_id: str, 

755 actor: AuthContext = Depends(verify_token), 

756 ) -> Any: 

757 return jsonable_encoder( 

758 get_service().list_activity(project_id, user_id=_actor_user_id(actor)) 

759 ) 

760 

761 @app.get("/projects/{project_id}/claude-md") 

762 async def get_claude_md( 

763 project_id: str, 

764 actor: AuthContext = Depends(verify_token), 

765 ) -> Any: 

766 """Get current CLAUDE.md content for a project.""" 

767 from .db import ProjectRecord 

768 

769 with db_session_scope() as session: 

770 project = session.get(ProjectRecord, project_id) 

771 if project is None: 

772 raise HTTPException(status_code=404, detail="Project not found") 

773 content = project.claude_md_content or ( 

774 "# CLAUDE.md\n\n> Generated by Documint\n\n" 

775 "No content yet — trigger a publish to generate." 

776 ) 

777 return {"content": content, "project_id": project_id} 

778 

779 @app.get("/projects/{project_id}/agents-md")