
Commit 93f28e4

ericfitz and claude authored
fix: OpenAPI schema improvements and test suite updates (#121)
* fix(api): update MinimalCell example and userinfo test for OIDC compliance

- Add missing security_boundary field to MinimalCell schema example
- Fix integration test symlink to point to correct OpenAPI spec location
- Update OAuth userinfo test to validate OIDC-compliant response with 'sub' field

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(build): stop CATS process before cleaning artifacts

The clean-files target now kills any running CATS processes before attempting to remove test/outputs/cats directory. This prevents "Directory not empty" errors that occur when CATS is actively writing files during cleanup.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore: regenerate API code and update integration test dependencies

- Regenerated api/api.go from updated OpenAPI specification
- Updated test/integration go.mod and go.sum

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(api): resolve OpenAPI validation warnings and add missing examples

- Add null to token_type_hint enum for proper nullable enum handling
- Add 400 response to GET /me/preferences and POST /me/logout
- Add requestBody descriptions to POST/PUT /me/preferences
- Add ThreatModel examples to POST/GET/PUT/PATCH responses
- Fix JsonPatchDocument value property with oneOf types and maxItems

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(security): harden API input validation based on CATS fuzzer analysis

- Add comprehensive input validation for /me/client_credentials endpoint to reject zero-width chars, control chars, and problematic Unicode, converting 500 errors to 400 Bad Request responses
- Add input validation for /oauth2/revoke endpoint including token_type_hint enum validation per RFC 7009
- Add OpenAPI vendor extensions (x-skip-deleted-resource-check, x-skip-idor-check) to mark endpoints with expected behaviors
- Update CATS fuzzer config to skip false positive fuzzers on marked endpoints

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs(testing): add CATS issues summary for Endava review

Add comprehensive documentation of CATS fuzzer issues discovered during API security testing, organized by severity and endpoint. Includes analysis of false positives vs genuine issues and recommendations for fixes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(api): add 503 Service Unavailable responses to OpenAPI spec

Add ServiceUnavailable response component and 503 responses to endpoints that depend on external services (auth, database, cache):

- OAuth endpoints (/oauth2/*)
- OIDC discovery endpoints (/.well-known/*)
- Webhook endpoints (/webhooks/*)
- Client credentials endpoints (/me/client_credentials/*)
- User profile endpoints (/me)

The ServiceUnavailable response includes:

- Retry-After header for client retry guidance
- Standard rate limit headers
- Example responses for different failure scenarios

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(api): improve HTTP status codes for error responses

- Change user identity/authentication errors from 500 to 401
- Change UUID parse failures in auth context to 401
- Change service not initialized errors to 503
- Change feature not supported errors to 501
- Add NotImplementedError() and ServiceUnavailableError() helpers
- Add Retry-After header for 503 responses
- Update tests to expect correct status codes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor(server): remove dead code from cmd/server/main.go

Remove 50+ unused handler methods from main.Server struct that were never called. The routing uses api.Server via RegisterHandlersWithOptions, making these duplicate methods dead code. All endpoints are already fully implemented in api/server.go and the respective handler files.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(api): implement filtering query parameters for GET /threat_models

Add 8 filtering parameters already documented in OpenAPI spec:

- owner: partial match on owner email/display name
- name: partial match on threat model name
- description: partial match on description
- issue_uri: partial match on issue URI
- created_after/before: date range filtering on created_at
- modified_after/before: date range filtering on modified_at

All string filters are case-insensitive. Filters combine with AND logic and work alongside existing pagination (limit/offset) and authorization.

Closes #56

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore(deps): bump dependencies to latest patch and minor versions

Patch updates:

- alicebob/miniredis/v2: 2.36.0 → 2.36.1
- bytedance/sonic: 1.14.2 → 1.15.0
- bytedance/sonic/loader: 0.4.0 → 0.5.0
- Azure/azure-sdk-for-go/sdk/internal: 1.11.1 → 1.11.2

Minor updates:

- microcosm-cc/bluemonday: 1.0.25 → 1.0.27 (fixes retracted version)
- Azure/azure-sdk-for-go/sdk/azcore: 1.18.1 → 1.21.0
- Azure/azure-sdk-for-go/sdk/azidentity: 1.10.1 → 1.13.1
- Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: 1.3.1 → 1.4.0
- AzureAD/microsoft-authentication-library-for-go: 1.4.2 → 1.6.0
- golang.org/x/time: 0.5.0 → 0.14.0
- gorilla/securecookie: 1.1.1 → 1.1.2
- gorilla/sessions: 1.2.1 → 1.4.0
- onsi/gomega: 1.18.1 → 1.39.0
- labstack/echo/v4: 4.11.4 → 4.15.0

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(api): prevent mass assignment and align integration tests with schema

- Add strict JSON binding to /me/client_credentials endpoint to reject unknown fields, preventing mass assignment vulnerabilities
- Add strict JSON/form binding to /oauth2/revoke endpoint with field allowlist validation for both content types
- Fix diagram_crud_test.go to use correct field name "type" instead of "diagram_type"
- Fix integration test framework client.go to send correct Content-Type for PATCH requests (application/json-patch+json)
- Fix schema_loader.go to find project root by looking for api-schema directory instead of go.mod
- Add new integration tests for client_credentials, documents, assets, webhooks, and addons endpoints
- Update CLAUDE.md with CATS output locations documentation
- Fix OpenAPI schema issues: JsonPatchDocument array items, timestamp maxLength, ThreatModelBase additionalProperties

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(db): add configurable connection pool settings

Add environment variable and config file support for database connection pool tuning:

- DB_MAX_OPEN_CONNS (default: 10)
- DB_MAX_IDLE_CONNS (default: 2)
- DB_CONN_MAX_LIFETIME (default: 240 seconds)
- DB_CONN_MAX_IDLE_TIME (default: 30 seconds)

Also configurable via config.yml under database.connection_pool section.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(oracle): improve OCI test suite reliability

- Add legacy table names to drop-oracle-tables.go whitelist (WEBHOOK_URL_DENY_LIST, REFRESH_TOKENS, USER_PREFERENCES)
- Handle Oracle duplicate key errors in cats-seed admin grant
- Add --maxRequestsPerMinute rate limiting to CATS fuzzing script (default: 3000 = 50 req/sec) to prevent overwhelming slower backends

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore(api): regenerate API code

Regenerated api/api.go from OpenAPI specification.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(docker): remove invalid migrations COPY from server Dockerfile

The Dockerfile referenced a non-existent /app/auth/migrations directory. TMI uses GORM AutoMigrate for database migrations (schema defined in Go code), not SQL file-based migrations.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(api): address CATS security fuzzing errors and warnings

- Add Oracle FK constraint error detection in request_utils.go
- Fix PATCH /admin/users error handling for wrapped errors
- Enhance OAuth2 revoke strict JSON binding to detect duplicate keys and trailing garbage
- Add false positive rules for CheckDeletedResourcesNotAvailable on list endpoints and RemoveFields on oneOf endpoints

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(api): prevent panic on empty ThreatModelID in webhook store

Add empty string check before calling uuid.MustParse to prevent panic when ThreatModelID is an empty string (not nil).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
1 parent a4ff9ab commit 93f28e4


50 files changed: +4896 −2017 lines

.version

Lines changed: 2 additions & 2 deletions
@@ -1,5 +1,5 @@
11
{
22
"major": 0,
3-
"minor": 273,
4-
"patch": 0
3+
"minor": 276,
4+
"patch": 5
55
}

CLAUDE.md

Lines changed: 6 additions & 0 deletions
@@ -158,6 +158,12 @@ CATS (Contract-driven Automatic Testing Suite) performs security fuzzing of the
158158
- **Query Results**: `make query-cats-results` - Display summary statistics (excludes OAuth false positives)
159159
- **Full Analysis**: `make analyze-cats-results` - Parse and query in one command
160160

161+
**Output Locations**:
162+
163+
- Individual test results: `test/outputs/cats/report/` (JSON files per test)
164+
- SQLite database: `test/outputs/cats/cats-results.db` (parsed results for analysis)
165+
- Test data configuration: `test/outputs/cats/cats-test-data.json`
166+
161167
**OAuth False Positives**: CATS may flag legitimate 401/403 OAuth responses as "errors". The parse script automatically detects and filters these:
162168

163169
- Uses `is_oauth_false_positive` flag to mark expected auth responses
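Review bot: the three output paths added at lines 163-165 include `test/outputs/cats/cats-test-data.json`, which is the data the fuzzer replays against the API and therefore normally holds whatever authentication material CATS was given, and `cats-results.db`, which can embed full request and response bodies. State in this section that `test/outputs/` is git-ignored (and add the ignore rule if it is not) so that a seeded admin token or client secret does not end up in a commit or a CI artifact upload.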

Dockerfile.server

Lines changed: 1 addition & 2 deletions
@@ -45,8 +45,7 @@ LABEL org.opencontainers.image.name="tmi/tmi-server"
4545
# Copy binary from builder
4646
COPY --from=builder /app/tmiserver /tmiserver
4747

48-
# Copy any required static files (migrations, etc.)
49-
COPY --from=builder /app/auth/migrations /auth/migrations
48+
# Note: No static files needed - migrations use GORM AutoMigrate (schema from Go code)
5049

5150
# Set working directory
5251
WORKDIR /
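Review bot: the replacement comment on line 48 should spell out the operational consequence of relying on GORM AutoMigrate: schema changes are applied by the server process itself at startup, so the database credential the container runs with must hold DDL privileges on the target schema, which is more than a request-serving account needs. Document that requirement next to this comment or in the deployment docs, and say whether AutoMigrate can be turned off for deployments that manage schema separately, so the runtime account is not left over-privileged by default.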

Makefile

Lines changed: 2 additions & 0 deletions
@@ -414,6 +414,8 @@ clean-files:
414414
fi
415415
@$(MAKE) -f $(MAKEFILE_LIST) clean-logs
416416
$(call log_info,"Cleaning CATS artifacts...")
417+
@pkill -f "cats" 2>/dev/null || true
418+
@sleep 1
417419
@rm -rf test/outputs/cats
418420
@rm -rf cats-report
419421
$(call log_success,"File cleanup completed")
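Review bot: `pkill -f "cats"` on the new line 417 matches the pattern against the full command line of every process the user owns, so it also kills unrelated processes whose arguments merely contain that substring (a shell started inside a `cats-*` directory, an editor open on `cats-results.db`, or a CI runner invoked from a path containing it). Anchor the pattern to the exact process name or script that the fuzzing target launches, or have that script write its PID under `test/outputs/cats/` and kill only that PID. The fixed `sleep 1` on line 418 is also just a guess at shutdown time; a short wait loop on `pgrep -f <same pattern>` before the `rm -rf` would close the remaining race with the "Directory not empty" error this change is meant to fix.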
