CodeGraph REST API Documentation¶
Complete documentation for the CodeGraph REST API server.
Table of Contents¶
- Overview
- Quick Start
- 1. Install Dependencies
- 2. Configure Environment
- 3. Initialize Database
- 4. Create Admin User
- 5. Start Server
- Environment Variables
- Required
- Server Settings
- Authentication
- OAuth2 Providers
- LDAP/Active Directory
- Rate Limiting
- Demo Endpoint
- Authentication
- JWT Token Authentication
- API Key Authentication
- OAuth2 Authentication
- LDAP Authentication
- API Endpoints
- Demo (Public - No Auth Required)
- Chat
- Scenarios
- Available Scenarios (21 total)
- Code Review
- Sessions
- History
- Query (SQL)
- Project Import
- Groups
- Projects
- Stats
- Health
- File Editing (S17)
- Code Optimization (S18)
- Standards Check (S19)
- Dependencies (S20)
- Composition
- Documentation Generation
- Structural Pattern Operations
- WebSocket Endpoints
- /ws/chat
- /ws/jobs/{job_id}
- /ws/notifications
- Rate Limiting
- Default Limits
- Endpoint-Specific Limits
- Rate Limit Headers
- Using Redis for Rate Limiting
- RBAC Roles
- Database Setup
- PostgreSQL Connection
- Alembic Migrations
- Database Schema
- CLI Commands
- Example Usage (curl)
- Demo Endpoint (No Auth)
- Login
- Chat with JWT
- List Scenarios
- Create API Key
- Use API Key
- Review Patch
- Error Responses
- Common HTTP Status Codes
- Related Documentation
Overview¶
- Framework: FastAPI
- Base URL:
http://localhost:8000/api/v1 - OpenAPI Docs:
/docs(Swagger UI),/redoc(ReDoc) - Authentication: JWT tokens, API keys, OAuth2, LDAP
Quick Start¶
1. Install Dependencies¶
pip install -r requirements.txt
2. Configure Environment¶
Create .env file (see Environment Variables):
cp .env.example .env
# Edit .env with your settings
3. Initialize Database¶
# Create tables
python -m src.api.cli init-db
# Run migrations
python -m src.api.cli migrate
4. Create Admin User¶
python -m src.api.cli create-admin --username admin --password your-secure-password
5. Start Server¶
python -m src.api.cli run --host 0.0.0.0 --port 8000
Environment Variables¶
Required¶
| Variable | Description | Default |
|---|---|---|
DATABASE_URL |
PostgreSQL connection string | postgresql+asyncpg://postgres:postgres@localhost:5432/codegraph |
API_JWT_SECRET |
JWT signing secret (64+ chars) | change-me-in-production... |
Server Settings¶
| Variable | Description | Default |
|---|---|---|
API_HOST |
Server bind address | 0.0.0.0 |
API_PORT |
Server port | 8000 |
API_WORKERS |
Number of workers | 4 |
API_DEBUG |
Debug mode | false |
Authentication¶
| Variable | Description | Default |
|---|---|---|
API_JWT_ALGORITHM |
JWT algorithm | HS256 |
API_ADMIN_USERNAME |
Default admin username | admin |
API_ADMIN_PASSWORD |
Default admin password | admin |
OAuth2 Providers¶
GitHub¶
| Variable | Description |
|---|---|
OAUTH_GITHUB_CLIENT_ID |
GitHub OAuth App Client ID |
OAUTH_GITHUB_CLIENT_SECRET |
GitHub OAuth App Client Secret |
Google¶
| Variable | Description |
|---|---|
OAUTH_GOOGLE_CLIENT_ID |
Google OAuth Client ID |
OAUTH_GOOGLE_CLIENT_SECRET |
Google OAuth Client Secret |
Keycloak¶
| Variable | Description |
|---|---|
OAUTH_KEYCLOAK_SERVER_URL |
Keycloak server URL |
OAUTH_KEYCLOAK_REALM |
Keycloak realm |
OAUTH_KEYCLOAK_CLIENT_ID |
Keycloak client ID |
OAUTH_KEYCLOAK_CLIENT_SECRET |
Keycloak client secret |
LDAP/Active Directory¶
| Variable | Description |
|---|---|
LDAP_SERVER |
LDAP server hostname |
LDAP_BASE_DN |
Base DN for searches |
LDAP_BIND_USER |
Bind user DN |
LDAP_BIND_PASSWORD |
Bind user password |
LDAP_USER_SEARCH_BASE |
User search base |
LDAP_GROUP_SEARCH_BASE |
Group search base |
Rate Limiting¶
| Variable | Description | Default |
|---|---|---|
RATE_LIMIT_STORAGE |
Storage backend (memory or redis://...) |
memory |
Demo Endpoint¶
| Variable | Description | Default |
|---|---|---|
DEMO_ENABLED |
Enable demo endpoint | true |
DEMO_RATE_LIMIT |
Demo rate limit | 30/minute |
Authentication¶
JWT Token Authentication¶
Login (Get Token)¶
POST /api/v1/auth/token
Content-Type: application/json
{
"username": "admin",
"password": "your-password"
}
Response:
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"refresh_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "bearer",
"expires_in": 1800
}
Refresh Token¶
POST /api/v1/auth/refresh
Content-Type: application/json
{
"refresh_token": "eyJhbGciOiJIUzI1NiIs..."
}
Using JWT in Requests¶
Authorization: Bearer <access_token>
API Key Authentication¶
Create API Key¶
POST /api/v1/auth/api-keys
Authorization: Bearer <token>
Content-Type: application/json
{
"name": "my-integration",
"expires_days": 365,
"scopes": ["scenarios:read", "query:execute"]
}
Response:
{
"id": "key_abc123",
"name": "my-integration",
"key": "rak_xxxxxxxxxxxxxxxxxxxx",
"prefix": "rak_xxxx",
"scopes": ["scenarios:read", "query:execute"],
"expires_at": "2025-12-09T00:00:00Z",
"created_at": "2024-12-09T00:00:00Z"
}
Using API Key in Requests¶
X-API-Key: rak_xxxxxxxxxxxxxxxxxxxx
List API Keys¶
GET /api/v1/auth/api-keys
Authorization: Bearer <token>
Delete API Key¶
DELETE /api/v1/auth/api-keys/{key_id}
Authorization: Bearer <token>
OAuth2 Authentication¶
Start OAuth Flow¶
GET /api/v1/auth/oauth/{provider}/authorize
Supported providers: github, google, gitlab, keycloak
OAuth Callback¶
GET /api/v1/auth/oauth/{provider}/callback?code=xxx&state=xxx
LDAP Authentication¶
POST /api/v1/auth/ldap
Content-Type: application/json
{
"username": "jdoe",
"password": "ldap-password"
}
API Endpoints¶
Demo (Public - No Auth Required)¶
POST /api/v1/demo/chat¶
Public demo endpoint for landing page integration. Rate limited by IP address.
Request:
{
"query": "Как работает MVCC?",
"language": "ru"
}
Response:
{
"answer": "MVCC (Multi-Version Concurrency Control)...",
"scenario_id": "onboarding",
"processing_time_ms": 1523.45
}
Rate Limit: 30 requests per minute per IP
GET /api/v1/demo/status¶
Check demo endpoint status.
Response:
{
"enabled": true,
"rate_limit": "30/minute",
"max_query_length": 500,
"allowed_scenarios": ["onboarding"]
}
Chat¶
POST /api/v1/chat¶
Send a query to the CodeGraph system.
Request:
{
"query": "Find SQL injection vulnerabilities",
"session_id": "optional-session-id",
"scenario_id": "security",
"language": "en"
}
Response:
{
"answer": "Found 3 potential SQL injection vulnerabilities...",
"scenario_id": "security",
"confidence": 0.85,
"evidence": [
{
"type": "code",
"source": "src/executor.c:123",
"content": "sprintf(query, \"SELECT * FROM %s\", user_input);",
"relevance": 0.95
}
],
"session_id": "sess_abc123",
"request_id": "req_xyz789",
"processing_time_ms": 2341.5
}
POST /api/v1/chat/stream¶
Send a query and receive streaming response via Server-Sent Events (SSE).
Request: Same as /chat
Response: SSE stream
data: {"type": "start", "session_id": "sess_abc123"}
data: {"type": "chunk", "content": "Found 3 potential "}
data: {"type": "chunk", "content": "SQL injection vulnerabilities..."}
data: {"type": "end", "scenario_id": "security"}
Scenarios¶
GET /api/v1/scenarios¶
List all 21 available analysis scenarios.
Response:
[
{
"id": "onboarding",
"name": "Onboarding",
"description": "Get started with a codebase - find functions, trace call graphs",
"category": "Learning",
"keywords": ["find", "where", "what", "how", "explain"],
"example_queries": ["Where is the main() function?", "What does exec_simple_query do?"]
},
{
"id": "security",
"name": "Security Audit",
"description": "Find security vulnerabilities - SQL injection, buffer overflows",
"category": "Security",
"keywords": ["vulnerability", "injection", "unsafe"],
"example_queries": ["Find SQL injection vulnerabilities"]
}
// ... 14 more scenarios
]
GET /api/v1/scenarios/{scenario_id}¶
Get information about a specific scenario.
POST /api/v1/scenarios/{scenario_id}/query¶
Send a query to a specific scenario.
Request:
{
"query": "Find buffer overflow vulnerabilities",
"session_id": "optional-session-id",
"language": "en"
}
Available Scenarios (21 total)¶
| ID | Name | Category | Description |
|---|---|---|---|
onboarding |
Onboarding | Learning | Get started with codebase |
security |
Security Audit | Security | Find vulnerabilities |
documentation |
Documentation | Documentation | Generate docs |
feature_dev |
Feature Development | Development | Find integration points |
refactoring |
Refactoring | Quality | Identify code smells |
performance |
Performance Analysis | Performance | Find bottlenecks |
test_coverage |
Test Coverage | Testing | Analyze test coverage |
compliance |
Compliance Check | Quality | Check coding standards |
code_review |
Code Review | Review | Automated code review |
cross_repo |
Cross-Repository | Architecture | Analyze dependencies |
architecture |
Architecture Violations | Architecture | Detect violations |
tech_debt |
Technical Debt | Quality | Quantify tech debt |
mass_refactoring |
Mass Refactoring | Development | Large-scale changes |
security_incident |
Security Incident | Security | Incident response |
debugging |
Debugging Support | Development | Find logging points |
entry_points |
Entry Points | Security | Find attack surface |
file_editing |
File Editing | Development | Programmatic code editing |
code_optimization |
Code Optimization | Development | AI-powered optimization |
standards_check |
Standards Check | Quality | Reference-guided standards |
dependencies |
Dependencies | Security | Dependency analysis |
Code Review¶
POST /api/v1/review/patch¶
Review a git patch/diff.
Request:
{
"patch_content": "diff --git a/src/file.c b/src/file.c\n...",
"task_description": "Fix memory leak in transaction handler",
"dod_items": ["No memory leaks", "Unit tests pass"],
"output_format": "json"
}
Response:
{
"recommendation": "REQUEST_CHANGES",
"confidence": 0.82,
"findings": [
{
"category": "error",
"severity": "high",
"location": {"file": "src/file.c", "line_start": 45},
"message": "Potential memory leak: allocated memory not freed on error path",
"suggested_fix": "Add free(ptr) before return statement"
}
],
"dod_status": [
{"description": "No memory leaks", "satisfied": false, "evidence": "Found 1 potential leak"}
],
"summary": "Found 1 high-severity issue that should be addressed."
}
POST /api/v1/review/github-pr¶
Review a GitHub Pull Request.
Request:
{
"owner": "postgres",
"repo": "postgres",
"pr_number": 123,
"github_token": "ghp_xxx"
}
POST /api/v1/review/gitlab-mr¶
Review a GitLab Merge Request.
Request:
{
"project_id": "123",
"mr_iid": 456,
"gitlab_token": "glpat-xxx",
"gitlab_url": "https://gitlab.com"
}
Sessions¶
GET /api/v1/sessions¶
List user sessions.
POST /api/v1/sessions¶
Create new session.
GET /api/v1/sessions/{session_id}¶
Get session details.
DELETE /api/v1/sessions/{session_id}¶
Delete session.
History¶
GET /api/v1/history¶
Get conversation history.
Query Parameters:
- session_id - Filter by session
- limit - Number of items (default: 50)
- offset - Pagination offset
GET /api/v1/history/{message_id}¶
Get specific message.
GET /api/v1/history/export¶
Export conversation history.
Query Parameters:
- format - Export format (json, csv, markdown)
- session_id - Filter by session
Query (SQL)¶
POST /api/v1/query/execute¶
Execute a SQL query against the CPG database directly.
Request:
{
"query": "SELECT name, file FROM nodes_method WHERE name LIKE '%transaction%' LIMIT 10",
"timeout_ms": 30000
}
Response:
{
"results": [
{"name": "StartTransaction", "file": "xact.c"},
{"name": "CommitTransaction", "file": "xact.c"}
],
"row_count": 2,
"execution_time_ms": 45.2
}
Project Import¶
Import new codebases into the CodeGraph system.
Detailed documentation: See Project Import Guide for comprehensive usage examples.
GET /api/v1/import/languages¶
Get list of supported programming languages.
Response:
{
"languages": [
{
"id": "c",
"name": "C",
"extensions": [".c", ".h", ".cpp", ".hpp"],
"gocpg_lang": "c",
"gocpg_flag": "C"
},
{
"id": "java",
"name": "JAVA",
"extensions": [".java"],
"gocpg_lang": "java",
"gocpg_flag": "JAVASRC"
}
]
}
Supported Languages (11):
| ID | Name | GoCPG Language | Extensions |
|---|---|---|---|
c |
C | c | .c, .h |
cpp |
C++ | cpp | .cpp, .hpp, .cc, .cxx |
csharp |
C# | csharp | .cs |
go |
Go | go | .go |
java |
Java | java | .java |
javascript |
JavaScript | javascript | .js, .jsx, .mjs |
typescript |
TypeScript | typescript | .ts, .tsx |
kotlin |
Kotlin | kotlin | .kt, .kts |
php |
PHP | php | .php |
python |
Python | python | .py, .pyw |
onec |
1C:Enterprise | onec | .bsl, .os |
POST /api/v1/import/start¶
Start asynchronous import of a new codebase.
Request:
{
"repo_url": "https://github.com/postgres/postgres",
"branch": "master",
"shallow_clone": true,
"language": null,
"mode": "full",
"include_paths": ["src/backend", "src/include"],
"exclude_paths": ["test", "tests"],
"create_domain_plugin": true,
"import_docs": true,
"gocpg_memory_gb": 16,
"batch_size": 10000
}
Request Parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
repo_url |
string | - | Git repository URL (required if no local_path) |
local_path |
string | - | Local path (required if no repo_url) |
branch |
string | "main" |
Git branch to clone |
shallow_clone |
boolean | true |
Use shallow clone |
shallow_depth |
int | 1 |
Shallow clone depth |
language |
string | null |
Language ID (auto-detect if null) |
mode |
string | "full" |
Import mode: full, selective, incremental |
include_paths |
list | [] |
Paths to include |
exclude_paths |
list | [] |
Paths to exclude |
create_domain_plugin |
boolean | true |
Generate Domain Plugin |
domain_name |
string | null |
Custom domain name |
import_docs |
boolean | true |
Import documentation |
import_readme |
boolean | true |
Index README files |
import_comments |
boolean | true |
Import code comments |
gocpg_memory_gb |
int | 16 |
Memory for GoCPG (GB) |
batch_size |
int | 10000 |
DuckDB batch size |
Response:
{
"job_id": "550e8400-e29b-41d4-a716-446655440000",
"status": "pending",
"message": "Import started. Use job_id to track progress."
}
GET /api/v1/import/status/{job_id}¶
Get current status of an import job.
Response:
{
"job_id": "550e8400-e29b-41d4-a716-446655440000",
"project_name": "postgres",
"status": "in_progress",
"steps": [
{"name": "Clone Repository", "status": "completed", "progress": 100},
{"name": "Detect Language", "status": "completed", "progress": 100},
{"name": "Create CPG", "status": "in_progress", "progress": 45, "message": "Creating CPG nodes..."},
{"name": "Export to DuckDB", "status": "pending", "progress": 0},
{"name": "Validate CPG", "status": "pending", "progress": 0},
{"name": "Import Documentation", "status": "pending", "progress": 0},
{"name": "Setup Domain Plugin", "status": "pending", "progress": 0}
],
"current_step": "gocpg_parse",
"overall_progress": 35,
"created_at": "2024-12-09T10:00:00Z",
"updated_at": "2024-12-09T10:05:00Z"
}
Import Status Values:
- pending - Waiting to start
- in_progress - Currently running
- completed - Successfully finished
- failed - Error occurred
- cancelled - Cancelled by user
GET /api/v1/import/jobs¶
List all import jobs.
Query Parameters:
- status_filter - Filter by status (e.g., in_progress, completed)
- limit - Maximum number of jobs (default: 20)
Response: Array of ProjectImportStatus objects.
DELETE /api/v1/import/cancel/{job_id}¶
Cancel a running import job.
Response:
{
"job_id": "550e8400-e29b-41d4-a716-446655440000",
"status": "cancelled"
}
POST /api/v1/import/step¶
Run a single step of the import pipeline.
Request:
{
"step_id": "validate",
"context": {
"duckdb_path": "./workspace/project.duckdb"
}
}
Valid Steps:
- clone - Clone repository
- detect_language - Auto-detect programming language
- gocpg_parse - Create CPG with GoCPG (outputs DuckDB directly)
- validate - Validate CPG quality
- chromadb_import - Import documentation to ChromaDB
- domain_setup - Create Domain Plugin
Response:
{
"step": "validate",
"status": "completed",
"result": {
"validation_report": {
"status": "passed",
"quality_score": 85,
"metrics": {...}
}
}
}
WebSocket: Progress Tracking¶
const ws = new WebSocket('ws://localhost:8000/ws/v1/jobs/550e8400-e29b-41d4-a716-446655440000');
ws.onmessage = (event) => {
const msg = JSON.parse(event.data);
switch (msg.type) {
case 'job.progress':
console.log(`Progress: ${msg.payload.progress}% - ${msg.payload.message}`);
break;
case 'job.completed':
console.log('Import completed:', msg.payload.result);
break;
case 'job.failed':
console.error('Import failed:', msg.payload.error);
break;
}
};
Groups¶
Manage project groups and user access control.
GET /api/v1/groups¶
List project groups accessible by the current user.
Query Parameters:
- limit - Maximum number of groups (default: 100)
- offset - Pagination offset (default: 0)
Response:
{
"groups": [
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "PostgreSQL Development",
"description": "PostgreSQL core development projects",
"created_at": "2024-12-01T10:00:00Z",
"updated_at": "2024-12-09T15:30:00Z",
"project_count": 3
}
],
"total": 1
}
POST /api/v1/groups¶
Create a new project group. Admin only.
Request:
{
"name": "PostgreSQL Development",
"description": "PostgreSQL core development projects"
}
Response: 201 Created
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "PostgreSQL Development",
"description": "PostgreSQL core development projects",
"created_at": "2024-12-09T10:00:00Z",
"updated_at": "2024-12-09T10:00:00Z",
"project_count": 0
}
GET /api/v1/groups/{group_id}¶
Get details of a specific group.
PUT /api/v1/groups/{group_id}¶
Update a group. Admin or group editor only.
Request:
{
"name": "Updated Name",
"description": "Updated description"
}
DELETE /api/v1/groups/{group_id}¶
Delete a group. Admin only.
Response: 204 No Content
GET /api/v1/groups/{group_id}/users¶
List users with access to a group.
Response:
{
"users": [
{
"id": "user-123",
"user_id": "user-456",
"username": "jdoe",
"role": "editor",
"created_at": "2024-12-01T10:00:00Z"
}
],
"total": 1
}
POST /api/v1/groups/{group_id}/users¶
Add user access to a group. Admin or group admin only.
Request:
{
"user_id": "user-456",
"role": "viewer"
}
Role Values: viewer, editor, admin
DELETE /api/v1/groups/{group_id}/users/{user_id}¶
Remove user access from a group. Admin or group admin only.
Projects¶
Manage projects within groups.
GET /api/v1/projects¶
List projects accessible by the current user.
Query Parameters:
- group_id - Filter by group (optional)
- limit - Maximum number of projects (default: 100)
- offset - Pagination offset (default: 0)
Response:
{
"projects": [
{
"id": "proj-123",
"group_id": "group-456",
"name": "PostgreSQL 17",
"db_path": "./workspace/postgresql.duckdb",
"cpg_path": "./workspace/postgresql.cpg",
"source_path": "./workspace/postgresql",
"language": "c",
"domain": "postgresql_v2",
"description": "PostgreSQL 17.0 source code",
"is_active": true,
"metadata": {"version": "17.0"},
"created_at": "2024-12-01T10:00:00Z",
"updated_at": "2024-12-09T15:30:00Z"
}
],
"total": 1
}
POST /api/v1/projects¶
Create a new project. Requires editor access to the group.
Request:
{
"group_id": "group-456",
"name": "PostgreSQL 17",
"db_path": "./workspace/postgresql.duckdb",
"cpg_path": "./workspace/postgresql.cpg",
"source_path": "./workspace/postgresql",
"language": "c",
"domain": "postgresql_v2",
"description": "PostgreSQL 17.0 source code",
"metadata": {"version": "17.0"}
}
Response: 201 Created
GET /api/v1/projects/{project_id}¶
Get details of a specific project.
PUT /api/v1/projects/{project_id}¶
Update a project. Requires editor access.
Request:
{
"name": "Updated Name",
"domain": "postgresql_v2",
"description": "Updated description",
"metadata": {"version": "17.1"}
}
DELETE /api/v1/projects/{project_id}¶
Delete a project. Requires admin access.
Response: 204 No Content
POST /api/v1/projects/{project_id}/activate¶
Set a project as the active project for queries.
Response:
{
"id": "proj-123",
"name": "PostgreSQL 17",
"is_active": true,
"message": "Project activated successfully"
}
Stats¶
GET /api/v1/stats¶
Get system statistics.
Response:
{
"total_queries": 12345,
"queries_today": 234,
"average_response_time_ms": 1523.4,
"scenarios_usage": {
"onboarding": 4521,
"security": 2341
}
}
Health¶
GET /api/v1/health¶
Full health check with component status.
Response:
{
"status": "healthy",
"version": "1.0.0",
"uptime_seconds": 3600.5,
"timestamp": "2024-12-09T12:00:00Z",
"components": {
"database": {"status": "healthy", "latency_ms": 5.2},
"llm": {"status": "healthy", "provider": "gigachat"},
"cpg": {"status": "healthy", "db_path": "data/projects/postgres.duckdb"}
}
}
GET /api/v1/health/live¶
Kubernetes liveness probe.
Response: 200 OK if service is running.
{"status": "ok"}
GET /api/v1/health/ready¶
Kubernetes readiness probe.
Response: 200 OK if ready, 503 if not ready.
{"status": "ready"}
GET /api/v1/health/version¶
Get API version.
{
"version": "1.0.0",
"name": "CodeGraph API"
}
File Editing (S17)¶
POST /api/v1/edit/find¶
Find a function, class, or method for editing.
Request:
{
"target": "validate_input",
"file": "src/utils.py",
"type": "function"
}
Response:
{
"found": true,
"target": {
"name": "validate_input",
"type": "function",
"file": "src/utils.py",
"line_start": 45,
"line_end": 58,
"code": "def validate_input(data):\n ..."
}
}
POST /api/v1/edit/apply¶
Apply code changes to a target.
Request:
{
"file": "src/utils.py",
"target": "validate_input",
"new_code": "def validate_input(data):\n return data.strip()",
"preview": false
}
Response:
{
"success": true,
"edit_id": "edit_abc123",
"changes": {
"file": "src/utils.py",
"lines_changed": 13,
"diff": "..."
}
}
POST /api/v1/edit/undo¶
Undo a previous edit.
Request:
{
"edit_id": "edit_abc123"
}
Code Optimization (S18)¶
POST /api/v1/optimize/analyze¶
Analyze code for optimization opportunities.
Request:
{
"path": "src/api/",
"categories": ["performance", "security", "readability"]
}
Response:
{
"session_id": "opt_abc123",
"suggestions": [
{
"id": "sug_001",
"category": "performance",
"severity": "medium",
"file": "src/api/handlers.py",
"line": 45,
"title": "Replace loop with list comprehension",
"description": "This loop can be optimized using a list comprehension",
"current_code": "result = []\nfor x in data:\n result.append(x*2)",
"suggested_code": "result = [x*2 for x in data]",
"impact": "~15% performance improvement"
}
],
"total": 12
}
GET /api/v1/optimize/suggestions¶
List pending optimization suggestions.
Query Parameters:
- session_id - Filter by optimization session
- status - Filter by status (pending, approved, rejected)
POST /api/v1/optimize/approve¶
Approve an optimization suggestion.
Request:
{
"suggestion_id": "sug_001"
}
POST /api/v1/optimize/reject¶
Reject an optimization suggestion.
Request:
{
"suggestion_id": "sug_001",
"reason": "Not applicable to our use case"
}
POST /api/v1/optimize/apply¶
Apply all approved optimizations.
Request:
{
"session_id": "opt_abc123"
}
Response:
{
"applied": 5,
"skipped": 2,
"changes": [
{"file": "src/api/handlers.py", "lines_changed": 3}
]
}
Standards Check (S19)¶
POST /api/v1/standards/import¶
Import a standards document.
Request:
{
"document_path": "company_standards.yaml"
}
Response:
{
"success": true,
"document_name": "Company Coding Standards v2.0",
"rules_imported": 15,
"categories": ["naming", "security", "style", "documentation"]
}
GET /api/v1/standards/rules¶
List imported rules.
Query Parameters:
- category - Filter by category (e.g., security, naming)
Response:
{
"rules": [
{
"id": "SEC-001",
"title": "Use parameterized queries",
"category": "security",
"severity": "error",
"description": "All database queries must use parameterized queries"
}
],
"total": 15
}
POST /api/v1/standards/check¶
Check code against imported standards.
Request:
{
"path": "src/",
"severity": "error",
"category": "security"
}
Response:
{
"session_id": "std_abc123",
"violations": [
{
"rule_id": "SEC-001",
"title": "SQL injection risk",
"severity": "error",
"file": "src/api/user_handler.py",
"line": 67,
"code": "cursor.execute(\"SELECT * FROM users WHERE id = %s\" % user_id)",
"suggestion": "Use cursor.execute(query, params) with placeholders",
"reference": {
"url": "https://owasp.org/Top10/A03_2021-Injection/",
"document": "OWASP Top 10 2021"
}
}
],
"summary": {
"total": 23,
"errors": 5,
"warnings": 12,
"info": 6
}
}
GET /api/v1/standards/violations/{session_id}¶
Get violations from a standards check session.
Dependencies (S20)¶
POST /api/v1/deps/scan¶
Scan project dependencies.
Request:
{
"project_path": ".",
"include_dev": true
}
Response:
{
"session_id": "deps_abc123",
"overview": {
"total_dependencies": 127,
"direct_dependencies": 23,
"dev_dependencies": 45,
"files_analyzed": 3
},
"dependencies": [
{
"name": "fastapi",
"version": "0.104.1",
"type": "direct",
"license": "MIT"
}
]
}
POST /api/v1/deps/audit¶
Check dependencies for vulnerabilities.
Request:
{
"session_id": "deps_abc123",
"severity": ["critical", "high"]
}
Response:
{
"vulnerabilities": [
{
"package": "requests",
"version": "2.28.0",
"cve": "CVE-2024-12345",
"severity": "critical",
"title": "Remote Code Execution in HTTP redirect handling",
"fixed_in": "2.32.0",
"cvss_score": 9.8
}
],
"summary": {
"critical": 1,
"high": 2,
"medium": 3,
"low": 5
}
}
GET /api/v1/deps/graph¶
Get dependency graph.
Query Parameters:
- session_id - Dependency scan session ID
- format - Output format (json, dot)
Response:
{
"nodes": [
{"id": "fastapi", "version": "0.104.1", "type": "direct"},
{"id": "pydantic", "version": "2.5.2", "type": "transitive"}
],
"edges": [
{"from": "fastapi", "to": "pydantic"}
]
}
POST /api/v1/deps/sbom¶
Generate Software Bill of Materials.
Request:
{
"session_id": "deps_abc123",
"format": "cyclonedx",
"include_vulnerabilities": true
}
Response:
{
"format": "CycloneDX 1.4",
"output_file": "sbom.json",
"components": 127,
"metadata": {
"generated": "2024-12-09T14:35:21Z",
"tool": "CodeGraph v1.0"
}
}
Composition¶
POST /api/v1/composition/query¶
Run a composite query with orchestrator.
Request:
{
"query": "Optimize the authentication module",
"orchestrator": "s18",
"scenarios": ["s02", "s08"],
"context": {
"file_paths": ["src/auth/"]
}
}
Response:
{
"session_id": "comp_abc123",
"orchestrator": "s18",
"findings": [
{
"id": "find_001",
"source_scenario": "s02",
"type": "vulnerability",
"severity": "high",
"file": "src/auth/login.py",
"line": 45,
"message": "SQL injection vulnerability detected"
},
{
"id": "find_002",
"source_scenario": "s08",
"type": "compliance",
"severity": "medium",
"file": "src/auth/validator.py",
"line": 23,
"message": "Missing input validation"
}
],
"summary": {
"total_findings": 12,
"by_scenario": {"s02": 5, "s08": 7}
}
}
POST /api/v1/composition/apply¶
Apply a finding from composite analysis.
Request:
{
"session_id": "comp_abc123",
"finding_id": "find_001",
"preview": true
}
Response:
{
"success": true,
"preview": true,
"changes": {
"file": "src/auth/login.py",
"diff": "..."
}
}
GET /api/v1/composition/conflicts/{session_id}¶
Check for conflicts between findings.
Response:
{
"conflicts": [
{
"finding_a": "find_001",
"finding_b": "find_003",
"file": "src/auth/login.py",
"lines": [45, 47],
"resolution_options": ["keep_a", "keep_b", "merge"]
}
]
}
GET /api/v1/composition/session/{session_id}¶
Get composition session details.
GET /api/v1/composition/config¶
Get composition configuration.
Response:
{
"orchestrators": ["s18", "s19"],
"available_scenarios": ["s02", "s08", "s17"],
"merge_strategies": ["priority", "chronological", "interactive"]
}
Documentation Generation¶
Batch documentation generation with ChromaDB indexing for semantic search.
POST /api/v1/documentation/generate¶
Generate full project documentation (all 8 sections). Runs handlers in sequence, saves markdown to disk, and indexes chunks in ChromaDB.
Request Body:
{
"language": "en",
"output_dir": "./docs/generated",
"index_in_chromadb": true,
"sections": ["mvd_doc", "module_overview", "function_doc", "pipeline_doc", "business_logic_doc", "type_doc", "coverage_doc", "diagram_doc"]
}
| Field | Type | Default | Description |
|---|---|---|---|
language |
string |
"en" |
Language code (en or ru) |
output_dir |
string? |
config value | Output directory for files |
index_in_chromadb |
bool |
true |
Whether to index in ChromaDB |
sections |
string[]? |
all | Specific sections to generate |
Response (200):
{
"request_id": "uuid",
"generated_at": "2025-01-01T12:00:00",
"language": "en",
"sections": [
{
"section_type": "mvd_doc",
"display_name": "Project Overview (MVD)",
"success": true,
"content_length": 5432,
"retrieved_functions_count": 15
}
],
"combined_document_length": 42000,
"chromadb_chunks_indexed": 85,
"output_files": {"markdown": "./docs/generated/documentation_en_20250101_120000.md"},
"processing_time_ms": 15000.0
}
POST /api/v1/documentation/generate/{section}¶
Generate a single documentation section.
Path Parameters: section - One of: mvd_doc, module_overview, function_doc, pipeline_doc, business_logic_doc, type_doc, coverage_doc, diagram_doc
Request Body:
{
"language": "en"
}
Response (200):
{
"section_type": "mvd_doc",
"content": "## Project Overview\n...",
"language": "en",
"processing_time_ms": 2500.0
}
GET /api/v1/documentation/stats¶
Get ChromaDB collection statistics for generated documentation.
Response (200):
{
"total_chunks": 85,
"section_counts": {
"mvd_doc": 5,
"module_overview": 20,
"function_doc": 30,
"coverage_doc": 8,
"diagram_doc": 12,
"type_doc": 10
},
"collection_name": "generated_documentation"
}
POST /api/v1/documentation/search¶
Semantic search across generated documentation indexed in ChromaDB.
Request Body:
{
"query": "buffer management functions",
"n_results": 10,
"section_type_filter": "function_doc",
"language_filter": "en"
}
Response (200):
{
"query": "buffer management functions",
"results": [
{
"id": "doc_function_doc_3",
"content": "## BufferAlloc\nAllocates a shared buffer...",
"section_type": "function_doc",
"subsystem": "",
"heading": "BufferAlloc",
"score": 0.87
}
],
"total_results": 5
}
GoCPG Operations¶
Endpoints for interacting with the GoCPG code property graph engine. All endpoints require authentication and are prefixed with /api/v1/gocpg/.
GET /api/v1/gocpg/stats¶
Get CPG statistics (node/edge counts, database size).
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
db_path |
string (optional) | DuckDB file path |
Response (200):
{
"total_nodes": 140000,
"total_edges": 1200000,
"methods": 52000,
"calls": 111000,
"files": 8500,
"type_decls": 3200,
"db_size_mb": 245.7,
"tables": {
"nodes_method": 52000,
"nodes_call": 111000,
"edges_call": 808000
}
}
GET /api/v1/gocpg/quality-stats¶
Get cross-language code quality metrics: method/call counts by language, entry points, test coverage ratio, complexity distribution, dead code candidates, and type resolution breakdown.
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
db_path |
string (optional) | DuckDB file path |
top |
integer (optional, default: 20) | Number of top dead code candidates to return |
Response (200):
{
"methods_by_language": [
{"language": "Python", "count": 12500},
{"language": "Go", "count": 8200}
],
"calls_by_language": [
{"language": "Python", "count": 45000},
{"language": "Go", "count": 31000}
],
"entry_points": {
"total": 20700,
"entry_points": 1250,
"regular": 19450
},
"test_coverage": {
"total_methods": 20700,
"test_methods": 3100,
"ratio_percent": 14.97
},
"complexity_distribution": {
"low_1_5": 16800,
"medium_6_10": 2900,
"high_11_20": 750,
"very_high_21_50": 200,
"critical_50_plus": 50
},
"dead_code_candidates": [
{
"name": "unused_helper",
"filename": "src/utils/helpers.py",
"line": 42
}
],
"type_origin_by_language": [
{"language": "Python", "origin": "inferred", "count": 30000},
{"language": "Python", "origin": "unresolved", "count": 15000},
{"language": "Go", "origin": "declared", "count": 25000}
]
}
POST /api/v1/gocpg/query¶
Execute an SQL query against the CPG database.
Request Body:
{
"sql": "SELECT COUNT(*) FROM nodes_method",
"db_path": null
}
| Field | Type | Required | Description |
|---|---|---|---|
sql |
string | yes | SQL query to execute |
db_path |
string | no | DuckDB file path |
Response (200):
{
"columns": ["count_star()"],
"rows": [[52000]],
"row_count": 1
}
GET /api/v1/gocpg/frontends¶
List available language frontends.
Response (200):
[
{
"name": "c2cpg",
"available": true,
"extensions": [".c", ".h"]
},
{
"name": "gosrc2cpg",
"available": true,
"extensions": [".go"]
}
]
POST /api/v1/gocpg/metrics¶
Run metrics validation on source files.
Request Body:
{
"input_path": ".",
"verbose": false
}
| Field | Type | Required | Description |
|---|---|---|---|
input_path |
string | no | Source file or directory (default: .) |
verbose |
boolean | no | Show per-file details (default: false) |
GET /api/v1/gocpg/branches¶
List tracked CPG branches.
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
db_path |
string (optional) | DuckDB file path |
Response (200):
[
{
"branch_name": "main",
"commit_sha": "abc12345",
"file_count": 8500,
"node_count": 140000,
"is_active": true
}
]
POST /api/v1/gocpg/branches/switch¶
Switch the active CPG branch.
Request Body:
{
"branch_name": "feature-branch",
"db_path": null
}
Response (200):
{
"status": "ok",
"branch": "feature-branch"
}
POST /api/v1/gocpg/branches/prune¶
Prune stale branches no longer present in the git repository.
Request Body:
{
"input_path": ".",
"db_path": null
}
Response (200):
{
"status": "ok",
"pruned_count": 2
}
GET /api/v1/gocpg/hooks/status¶
Get git hook installation status.
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
repo_path |
string (optional) | Repository path (default: .) |
Response (200):
[
{
"hook_name": "pre-commit",
"installed": true
},
{
"hook_name": "post-commit",
"installed": false
}
]
POST /api/v1/gocpg/hooks/install¶
Install git hooks for automatic CPG updates.
Request Body:
{
"repo_path": ".",
"db_path": null,
"hook_types": null,
"async_hooks": true,
"language": null
}
| Field | Type | Required | Description |
|---|---|---|---|
repo_path |
string | no | Repository path (default: .) |
db_path |
string | no | DuckDB file path |
hook_types |
string | no | Comma-separated hook types |
async_hooks |
boolean | no | Run hooks asynchronously (default: true) |
language |
string | no | Language frontend |
POST /api/v1/gocpg/hooks/uninstall¶
Remove installed git hooks.
Request Body:
{
"repo_path": "."
}
POST /api/v1/gocpg/index¶
Create or recreate DuckDB indexes for optimized query performance.
Request Body:
{
"db_path": null
}
GET /api/v1/gocpg/submodules¶
List tracked submodules.
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
db_path |
string (optional) | DuckDB file path |
Response (200):
[
{
"path": "contrib/pgcrypto",
"commit_sha": "abc123456789",
"initialized": true,
"recursive": false
}
]
POST /api/v1/gocpg/submodules/prune¶
Prune stale submodules.
Request Body:
{
"input_path": ".",
"db_path": null
}
Response (200):
{
"status": "ok",
"pruned_count": 1
}
POST /api/v1/gocpg/watch/start¶
Start a file watcher (background process) for live CPG updates.
Request Body:
{
"input_path": "/path/to/source",
"output_path": null,
"language": null,
"debounce_ms": null,
"extensions": null,
"webhook_url": null
}
| Field | Type | Required | Description |
|---|---|---|---|
input_path |
string | yes | Directory to watch |
output_path |
string | no | DuckDB file path |
language |
string | no | Language frontend |
debounce_ms |
integer | no | Debounce interval in ms |
extensions |
string | no | File extensions to watch |
webhook_url |
string | no | Webhook URL for notifications |
Response (200):
{
"status": "started",
"pid": 12345,
"input_path": "/path/to/source"
}
Error (409): Watcher already running.
POST /api/v1/gocpg/watch/stop¶
Stop the running file watcher.
Response (200):
{
"status": "stopped",
"pid": 12345
}
Error (404): No active watcher running.
GET /api/v1/gocpg/watch/status¶
Get current watcher status.
Response (200):
{
"running": true,
"pid": 12345,
"input_path": "/path/to/source",
"output_path": "data/projects/myproject.duckdb"
}
GoCPG Error Responses¶
| Status Code | Error Type | Description |
|---|---|---|
| 500 | GoCPGProcessError |
GoCPG command failed (non-zero exit code) |
| 504 | GoCPGTimeoutError |
GoCPG command timed out |
| 409 | Conflict | Watcher already running (watch/start only) |
| 404 | Not Found | No active watcher (watch/stop only) |
Structural Pattern Operations¶
Endpoints for structural code pattern search, scanning results, and LLM-powered rule generation. All endpoints require authentication and use the /api/v1/patterns/ prefix.
POST /api/v1/patterns/search¶
Ad-hoc structural pattern search using AST-based matching.
Request Body:
{
"pattern": "malloc($SIZE)",
"language": "c",
"max_results": 100
}
| Field | Type | Required | Description |
|---|---|---|---|
pattern |
string | yes | Structural pattern with metavariables (e.g. "malloc($SIZE)") |
language |
string | yes | Source language (c, go, python, javascript, etc.) |
max_results |
integer | no | Maximum results to return (default: 100) |
Response (200):
{
"pattern": "malloc($SIZE)",
"language": "c",
"files_searched": 8500,
"matches": [
{
"file": "src/backend/utils/mmgr/aset.c",
"line_start": 142,
"line_end": 142,
"col_start": 12,
"col_end": 28,
"matched_text": "malloc(size)",
"metavars": {"SIZE": "size"}
}
],
"count": 1
}
GET /api/v1/patterns/findings¶
Query persisted pattern findings from the CPG database (populated by gocpg scan).
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
rule_id |
string (optional) | Filter by rule ID |
severity |
string (optional) | Filter by severity (error, warning, info, hint) |
filename |
string (optional) | Filter by source file path (substring match) |
category |
string (optional) | Filter by rule category |
limit |
integer (optional) | Maximum results (default: 100) |
Response (200):
{
"findings": [
{
"id": 1,
"rule_id": "no-unchecked-malloc",
"severity": "warning",
"category": "security",
"rule_message": "Unchecked return value from malloc",
"filename": "src/backend/utils/mmgr/aset.c",
"line_start": 142,
"line_end": 142,
"col_start": 12,
"col_end": 28,
"matched_text": "malloc(size)",
"message": "Return value of malloc is not checked for NULL",
"metavars": {"SIZE": "size"},
"fix_applied": false,
"has_cpg": true
}
],
"count": 1
}
GET /api/v1/patterns/stats¶
Aggregated pattern matching statistics.
Response (200):
{
"total_findings": 57,
"by_severity": {
"error": 12,
"warning": 30,
"info": 15
},
"by_category": {
"security": 20,
"performance": 15,
"correctness": 22
},
"by_rule": {
"no-unchecked-malloc": {"message": "Unchecked malloc return", "count": 8},
"sql-string-concat": {"message": "SQL concatenation detected", "count": 12}
}
}
GET /api/v1/patterns/rules¶
List loaded pattern rules from the CPG database.
Response (200):
{
"rules": [
{
"rule_id": "no-unchecked-malloc",
"severity": "warning",
"category": "security",
"message": "Unchecked return value from malloc",
"language": "c",
"has_fix": true
}
],
"count": 1
}
POST /api/v1/patterns/generate¶
LLM-generate a YAML rule from a natural language description.
Request Body:
{
"description": "Find unchecked malloc calls that could return NULL",
"language": "c"
}
| Field | Type | Required | Description |
|---|---|---|---|
description |
string | yes | Natural language rule description |
language |
string | yes | Target language |
Response (200):
{
"yaml_content": "id: unchecked-malloc\nlanguage: c\nseverity: warning\n..."
}
Patterns Error Responses¶
| Status Code | Error Type | Description |
|---|---|---|
| 400 | Validation Error | Invalid pattern syntax or missing required fields |
| 500 | Internal Error | Pattern matching or LLM generation failed |
WebSocket Endpoints¶
/ws/chat¶
Real-time chat connection.
Connect:
const ws = new WebSocket('ws://localhost:8000/ws/v1/chat?token=<jwt_token>');
ws.onmessage = (event) => {
const data = JSON.parse(event.data);
console.log('Received:', data);
};
ws.send(JSON.stringify({
type: 'query',
query: 'Find SQL injection vulnerabilities',
scenario_id: 'security'
}));
/ws/jobs/{job_id}¶
Monitor background job progress.
/ws/notifications¶
Receive real-time notifications.
Rate Limiting¶
Default Limits¶
- Global: 100 requests/minute, 1000 requests/hour
Endpoint-Specific Limits¶
| Endpoint | Limit |
|---|---|
/api/v1/review/* |
10/minute |
/api/v1/chat |
60/minute |
/api/v1/chat/stream |
30/minute |
/api/v1/query/execute |
30/minute |
/api/v1/demo/chat |
30/minute per IP |
Rate Limit Headers¶
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1702123456
Using Redis for Rate Limiting¶
For production with multiple instances, use Redis:
RATE_LIMIT_STORAGE=redis://localhost:6379
RBAC Roles¶
| Role | Permissions |
|---|---|
viewer |
Read scenarios, view history |
analyst |
All viewer + execute queries, create sessions |
reviewer |
All analyst + code review, patch review |
admin |
Full access including user management |
Database Setup¶
PostgreSQL Connection¶
Requires PostgreSQL 12+ with async support.
# Create database
createdb codegraph
# Set connection string
export DATABASE_URL="postgresql+asyncpg://postgres:password@localhost:5432/codegraph"
Alembic Migrations¶
# Apply all migrations
python -m src.api.cli migrate
# Migrate to specific revision
python -m src.api.cli migrate --revision abc123
Database Schema¶
Main tables:
- users - User accounts
- api_keys - API key storage
- sessions - Chat sessions
- messages - Message history
- jobs - Background job status
CLI Commands¶
# Run API server
python -m src.api.cli run [--host HOST] [--port PORT] [--workers N] [--reload]
# Initialize database
python -m src.api.cli init-db
# Run migrations
python -m src.api.cli migrate [--revision REV]
# Create admin user
python -m src.api.cli create-admin --username USER --password PASS [--email EMAIL]
Example Usage (curl)¶
Demo Endpoint (No Auth)¶
curl -X POST http://localhost:8000/api/v1/demo/chat \
-H "Content-Type: application/json" \
-d '{"query": "Как работает MVCC?", "language": "ru"}'
Login¶
curl -X POST http://localhost:8000/api/v1/auth/token \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": "secret"}'
Chat with JWT¶
export TOKEN="eyJhbGciOiJIUzI1NiIs..."
curl -X POST http://localhost:8000/api/v1/chat \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"query": "Find SQL injection vulnerabilities", "scenario_id": "security"}'
List Scenarios¶
curl http://localhost:8000/api/v1/scenarios \
-H "Authorization: Bearer $TOKEN"
Create API Key¶
curl -X POST http://localhost:8000/api/v1/auth/api-keys \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"name": "my-integration", "expires_days": 365}'
Use API Key¶
curl http://localhost:8000/api/v1/scenarios \
-H "X-API-Key: rak_xxxxxxxxxxxxxxxxxxxx"
Review Patch¶
curl -X POST http://localhost:8000/api/v1/review/patch \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"patch_content": "diff --git a/src/file.c ...",
"task_description": "Fix memory leak",
"output_format": "json"
}'
Error Responses¶
All errors return JSON with the following structure:
{
"detail": "Error message here",
"error_code": "VALIDATION_ERROR",
"request_id": "req_abc123"
}
Common HTTP Status Codes¶
| Code | Description |
|---|---|
400 |
Bad Request - Invalid input |
401 |
Unauthorized - Missing or invalid auth |
403 |
Forbidden - Insufficient permissions |
404 |
Not Found |
429 |
Too Many Requests - Rate limit exceeded |
500 |
Internal Server Error |
503 |
Service Unavailable |