Features/refine membase

[iceljc]

PR Type

Enhancement, Refactoring

---

Description

• Extract code execution config logic into reusable utility class

• Add edge management support to Membase graph API

• Implement custom authentication handler for Membase API

• Add embedding support to node creation and update models

• Clean up code formatting and remove unused imports

---

Diagram Walkthrough

flowchart LR
  A["Code Execution Config"] -->|Extract to Utility| B["CodingUtil.GetCodeExecutionConfig"]
  B -->|Used by| C["RuleEngine"]
  B -->|Used by| D["InstructService"]
  B -->|Used by| E["PyProgrammerFn"]
  F["Membase API"] -->|Add Edge Operations| G["Edge CRUD"]
  F -->|Add Graph Info| H["GraphInfo"]
  I["MembaseAuthHandler"] -->|Centralized Auth| F
  J["Node Model"] -->|Add Embedding| K["EmbeddingInfo"]

Loading

File Walkthrough

	Relevant files
Refactoring	4 files CodingUtil.cs Extract code execution config utility method                          +21/-0    RuleEngine.cs Use centralized CodingUtil for config retrieval                    +2/-13    InstructService.Execute.cs Use centralized CodingUtil for config retrieval                    +2/-17    PyProgrammerFn.cs Use centralized CodingUtil for config retrieval                    +2/-15
Formatting	5 files CyperGraphModels.cs Remove blank lines for code formatting                                      +0/-3      MembaseController.cs Remove unused import statement                                                      +0/-1      CypherQueryRequest.cs Remove blank lines for code formatting                                      +0/-3      CypherQueryResponse.cs Remove blank line for code formatting                                        +0/-1      MembaseService.cs Clean up unused imports                                                                    +0/-3
Enhancement	12 files MembasePlugin.cs Refactor DI registration with auth handler                              +10/-10  EdgeCreationModel.cs Add edge creation model for graph operations                          +12/-0    EdgeUpdateModel.cs Add edge update model for graph operations                              +6/-0      NodeCreationModel.cs Add embedding support to node creation                                      +8/-0      NodeUpdateModel.cs Add embedding support to node updates                                        +2/-2      Edge.cs Add edge response model for graph operations                          +15/-0    EdgeDeleteResponse.cs Add edge delete response model                                                      +6/-0      GraphInfo.cs Add graph information response model                                          +18/-0    Node.cs Add embedding support and clean up imports                              +1/-10    NodeDeleteResponse.cs Add node delete response model                                                      +6/-0      IMembaseApi.cs Add edge CRUD and graph info endpoints                                      +24/-7    MembaseAuthHandler.cs Add custom HTTP message handler for authentication              +32/-0
Configuration changes	1 files Using.cs Add global using for Membase models                                            +1/-0

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Sensitive data logging Description: The handler reads and logs the full raw HTTP response body (rawResponse) in #if DEBUG, which may expose sensitive data (e.g., user/graph content or secrets returned by the API) into application logs if debug builds are deployed or logs are collected in shared environments. MembaseAuthHandler.cs [20-28] Referred Code protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage requestMessage, CancellationToken cancellationToken) { requestMessage.Headers.TryAddWithoutValidation("Authorization", $"Bearer {_settings.ApiKey}"); var response = await base.SendAsync(requestMessage, cancellationToken).ConfigureAwait(false); #if DEBUG var rawResponse = await response.Content.ReadAsStringAsync(); _logger.LogDebug(rawResponse); #endif
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
🔴	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Ambiguous tuple return: GetCodeExecutionConfig returns an unnamed (bool, bool, int) tuple which is not self-documenting and can easily lead to misuse at call sites. Referred Code public static (bool, bool, int) GetCodeExecutionConfig(CodingSettings settings, int defaultTimeoutSeconds = 3) { var codeExecution = settings.CodeExecution; var useLock = codeExecution?.UseLock ?? false; var useProcess = codeExecution?.UseProcess ?? false; var timeoutSeconds = codeExecution?.TimeoutSeconds > 0 ? codeExecution.TimeoutSeconds : defaultTimeoutSeconds; return (useLock, useProcess, timeoutSeconds); Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Logs raw HTTP body: The handler logs rawResponse directly (_logger.LogDebug(rawResponse)), which is unstructured and may expose sensitive data returned by the Membase API. Referred Code var rawResponse = await response.Content.ReadAsStringAsync(); _logger.LogDebug(rawResponse); #endif Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing audit logging: New Membase graph capabilities (node/edge CRUD and graph info retrieval) are introduced without any visible audit logging that records actor/context/outcome for these critical actions. Referred Code [Get("/graph/{graphId}")] Task<GraphInfo> GetGraphInfoAsync(string graphId); [Post("/cypher/execute")] Task<CypherQueryResponse> CypherQueryAsync([Query] string graphId, CypherQueryRequest request); #region Node [Get("/graph/{graphId}/node/{nodeId}")] Task<Node> GetNodeAsync(string graphId, string nodeId); [Post("/graph/{graphId}/node")] Task<Node> CreateNodeAsync(string graphId, [Body] NodeCreationModel node); [Put("/graph/{graphId}/node/{nodeId}")] Task<Node> UpdateNodeAsync(string graphId, string nodeId, [Body] NodeUpdateModel node); [Put("/graph/{graphId}/node/{nodeId}/merge")] Task<Node> MergeNodeAsync(string graphId, string nodeId, [Body] NodeUpdateModel node); [Delete("/graph/{graphId}/node/{nodeId}")] Task<NodeDeleteResponse?> DeleteNodeAsync(string graphId, string nodeId); ... (clipped 15 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: No non-success handling: The new HTTP auth handler forwards responses without checking or enriching handling for non-success HTTP statuses, so failures may propagate without actionable context unless handled elsewhere. Referred Code protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage requestMessage, CancellationToken cancellationToken) { requestMessage.Headers.TryAddWithoutValidation("Authorization", $"Bearer {_settings.ApiKey}"); var response = await base.SendAsync(requestMessage, cancellationToken).ConfigureAwait(false); #if DEBUG var rawResponse = await response.Content.ReadAsStringAsync(); _logger.LogDebug(rawResponse); #endif return response; } Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: No request validation: New request DTOs (e.g., EdgeCreationModel, NodeCreationModel with EmbeddingInfo) introduce externally supplied fields without any visible validation/sanitization constraints, so correctness and security depend on validation elsewhere. Referred Code public class EdgeCreationModel { public string? Id { get; set; } public string SourceNodeId { get; set; } = null!; public string TargetNodeId { get; set; } = null!; public string Type { get; set; } = null!; public bool Directed { get; set; } = true; public float? Weight { get; set; } = 1.0f; public object? Properties { get; set; } } Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	✅ Annotate request body parameter Suggestion Impact: The CypherQueryAsync method signature was updated to annotate the request parameter with [Body], ensuring it is serialized into the POST request body. code diff: [Post("/cypher/execute")] - Task<CypherQueryResponse> CypherQueryAsync([Query] string graphId, CypherQueryRequest request); + Task<CypherQueryResponse> CypherQueryAsync([Query] string graphId, [Body] CypherQueryRequest request); Add the [Body] attribute to the request parameter in the CypherQueryAsync method to ensure it's sent in the HTTP request body. src/Plugins/BotSharp.Plugin.Membase/Services/IMembaseApi.cs [15] -Task<CypherQueryResponse> CypherQueryAsync([Query] string graphId, CypherQueryRequest request); +Task<CypherQueryResponse> CypherQueryAsync([Query] string graphId, [Body] CypherQueryRequest request); [Suggestion processed] Suggestion importance[1-10]: 9 __ Why: The suggestion correctly points out the missing [Body] attribute, which is critical for the POST request to function correctly by sending the request object in the body.	High
	Avoid consuming the response stream Avoid consuming the response stream when logging. After reading the response content for logging, replace it with a new StringContent so it can be read again by the caller. src/Plugins/BotSharp.Plugin.Membase/Services/MembaseAuthHandler.cs [20-31] protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage requestMessage, CancellationToken cancellationToken) { requestMessage.Headers.TryAddWithoutValidation("Authorization", $"Bearer {_settings.ApiKey}"); var response = await base.SendAsync(requestMessage, cancellationToken).ConfigureAwait(false); #if DEBUG - var rawResponse = await response.Content.ReadAsStringAsync(); - _logger.LogDebug(rawResponse); + if (response.Content != null) + { + var rawResponse = await response.Content.ReadAsStringAsync(cancellationToken); + _logger.LogDebug(rawResponse); + + // Re-wrap the content to make it readable again by the caller. + response.Content = new StringContent(rawResponse, System.Text.Encoding.UTF8, response.Content.Headers.ContentType?.MediaType ?? "application/json"); + } #endif return response; } Apply / Chat Suggestion importance[1-10]: 8 __ Why: This suggestion correctly identifies a critical bug where logging the response body consumes the content stream, which would cause deserialization to fail for the actual caller.	Medium
	Ensure handler uses updated settings To ensure MembaseAuthHandler uses the latest settings if they become reloadable, register it using a factory in AddHttpMessageHandler to resolve it per request. src/Plugins/BotSharp.Plugin.Membase/MembasePlugin.cs [18-24] +services.AddTransient<MembaseAuthHandler>(); +services.AddRefitClient<IMembaseApi>(new RefitSettings + { + CollectionFormat = CollectionFormat.Multi + }) + .AddHttpMessageHandler<MembaseAuthHandler>() + .ConfigureHttpClient(c => c.BaseAddress = new Uri(settings.Host)); - Apply / Chat Suggestion importance[1-10]: 5 __ Why: The suggestion correctly identifies a potential DI lifecycle issue with DelegatingHandler, but the problem it describes (stale settings) won't occur with the current singleton registration of MembaseSettings.	Low
General	Initialize embedding properties Initialize the Model and Vector properties in the EmbeddingInfo class to default values to prevent potential null reference issues. src/Plugins/BotSharp.Plugin.Membase/Models/Requests/NodeCreationModel.cs [24-28] public class EmbeddingInfo { - public string Model { get; set; } - public float[] Vector { get; set; } + public string Model { get; set; } = string.Empty; + public float[] Vector { get; set; } = Array.Empty<float>(); } Apply / Chat Suggestion importance[1-10]: 6 __ Why: The suggestion improves robustness by initializing properties to non-null defaults, preventing potential NullReferenceException issues during object creation or deserialization.	Low
	Name tuple return elements Improve readability by naming the return tuple elements in the GetCodeExecutionConfig method signature (e.g., (bool useLock, bool useProcess, int timeoutSeconds)). src/Infrastructure/BotSharp.Abstraction/Coding/Utils/CodingUtil.cs [11] -public static (bool, bool, int) GetCodeExecutionConfig(CodingSettings settings, int defaultTimeoutSeconds = 3) +public static (bool useLock, bool useProcess, int timeoutSeconds) GetCodeExecutionConfig(CodingSettings settings, int defaultTimeoutSeconds = 3) Apply / Chat Suggestion importance[1-10]: 4 __ Why: This is a good suggestion for improving code readability and maintainability by naming the elements of the returned tuple, making the method's signature more self-documenting.	Low
Learned best practice	Validate auth header and cancellation Validate the API key before adding the Authorization header and pass the provided cancellation token when reading the response content. src/Plugins/BotSharp.Plugin.Membase/Services/MembaseAuthHandler.cs [20-31] protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage requestMessage, CancellationToken cancellationToken) { - requestMessage.Headers.TryAddWithoutValidation("Authorization", $"Bearer {_settings.ApiKey}"); + if (!string.IsNullOrWhiteSpace(_settings.ApiKey)) + { + requestMessage.Headers.TryAddWithoutValidation("Authorization", $"Bearer {_settings.ApiKey}"); + } + var response = await base.SendAsync(requestMessage, cancellationToken).ConfigureAwait(false); #if DEBUG - var rawResponse = await response.Content.ReadAsStringAsync(); + var rawResponse = await response.Content.ReadAsStringAsync(cancellationToken); _logger.LogDebug(rawResponse); #endif return response; } Apply / Chat Suggestion importance[1-10]: 5 __ Why: Relevant best practice - Improve defensive coding with precise null and state checks to prevent incorrect behavior.	Low
Update