kekkai-cli 1.1.0__py3-none-any.whl → 1.1.1__py3-none-any.whl

kekkai/triage/loader.py

@@ -0,0 +1,196 @@
+"""Triage findings loader with scanner format detection.
+
+Supports loading findings from:
+- Native triage JSON (list or {"findings": [...]})
+- Raw scanner outputs (Semgrep/Trivy/Gitleaks)
+- Run directories (aggregates all *-results.json)
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+from typing import TYPE_CHECKING, Any
+
+if TYPE_CHECKING:
+    from ..scanners.base import Finding
+    from ..scanners.base import Severity as ScannerSeverity
+
+from .models import FindingEntry
+from .models import Severity as TriageSeverity
+
+__all__ = [
+    "load_findings_from_path",
+]
+
+# Size limits for DoS mitigation (ASVS V10.3.3)
+MAX_FILE_SIZE_MB = 200
+WARN_FILE_SIZE_MB = 50
+
+
+def load_findings_from_path(
+    path: Path,
+) -> tuple[list[FindingEntry], list[str]]:
+    """Load findings from file or directory.
+
+    Supports:
+    - Unified report (kekkai-report.json) - PREFERRED
+    - Native triage JSON (list or {"findings": [...]})
+    - Raw scanner outputs (Semgrep/Trivy/Gitleaks)
+    - Run directories (aggregates all *-results.json)
+
+    Priority:
+    1. kekkai-report.json (unified report)
+    2. *-results.json (individual scanner outputs)
+    3. Any other JSON files (excluding metadata)
+
+    Args:
+        path: Path to findings file or run directory.
+
+    Returns:
+        Tuple of (findings, error_messages).
+        Error messages include filename only (no full paths) per ASVS V7.4.1.
+    """
+    errors: list[str] = []
+
+    # Determine input type
+    if path.is_dir():
+        # Priority 1: Check for unified report first
+        unified_report = path / "kekkai-report.json"
+        if unified_report.exists():
+            files = [unified_report]
+        else:
+            # Priority 2: Prefer canonical scan outputs
+            files = sorted(path.glob("*-results.json"))
+            if not files:
+                # Priority 3: Fallback to all JSON (excluding metadata files)
+                files = sorted(
+                    [
+                        p
+                        for p in path.glob("*.json")
+                        if p.name not in ("run.json", "policy-result.json")
+                    ]
+                )
+    else:
+        files = [path]
+
+    findings: list[FindingEntry] = []
+    for file in files:
+        # Check if file exists first
+        if not file.exists():
+            errors.append(f"{file.name}: OSError")
+            continue
+
+        # Size check (DoS mitigation per ASVS V10.3.3)
+        size_mb = file.stat().st_size / (1024 * 1024)
+        if size_mb > MAX_FILE_SIZE_MB:
+            msg = f"{file.name}: file too large ({size_mb:.1f} MB, max {MAX_FILE_SIZE_MB} MB)"
+            errors.append(msg)
+            continue
+
+        try:
+            content = file.read_text(encoding="utf-8")
+            if not content.strip():
+                continue
+            data = json.loads(content)
+        except (OSError, json.JSONDecodeError) as exc:
+            # ASVS V7.4.1: Don't leak full path, only filename
+            errors.append(f"{file.name}: {type(exc).__name__}")
+            continue
+
+        # Detect format and parse
+        try:
+            batch = _parse_findings(data, file.stem)
+            findings.extend(batch)
+        except Exception as exc:
+            errors.append(f"{file.name}: unsupported format ({str(exc)[:50]})")
+
+    # Deduplicate by stable key
+    seen: set[str] = set()
+    deduped: list[FindingEntry] = []
+    for f in findings:
+        key = f"{f.scanner}:{f.rule_id}:{f.file_path}:{f.line}"
+        if key not in seen:
+            seen.add(key)
+            deduped.append(f)
+
+    return deduped, errors
+
+
+def _parse_findings(data: Any, stem: str) -> list[FindingEntry]:
+    """Parse findings from JSON data.
+
+    Args:
+        data: Parsed JSON data.
+        stem: File stem (used to detect scanner type).
+
+    Returns:
+        List of FindingEntry objects.
+
+    Raises:
+        ValueError: If format is unknown or scanner not found.
+    """
+    # Try native triage format first (ASVS V5.1.2: strongly typed validation)
+    if isinstance(data, list) and data and isinstance(data[0], dict) and "scanner" in data[0]:
+        return [FindingEntry.from_dict(item) for item in data]
+
+    if isinstance(data, dict) and "findings" in data:
+        findings_data = data["findings"]
+        if isinstance(findings_data, list):
+            return [FindingEntry.from_dict(item) for item in findings_data]
+
+    # Try scanner-specific format
+    scanner_name = stem.replace("-results", "")
+
+    # Lazy import to avoid circular dependency
+    from ..cli import _create_scanner
+
+    scanner = _create_scanner(scanner_name)
+    if not scanner:
+        raise ValueError(f"Unknown scanner: {scanner_name}")
+
+    # Use canonical scanner parser (reuses validated logic)
+    raw_json = json.dumps(data)
+    canonical_findings = scanner.parse(raw_json)
+
+    # Convert to triage format
+    return [_finding_to_entry(f) for f in canonical_findings]
+
+
+def _finding_to_entry(f: Finding) -> FindingEntry:
+    """Convert scanner Finding to triage FindingEntry.
+
+    Args:
+        f: Scanner Finding object.
+
+    Returns:
+        Triage FindingEntry object.
+    """
+    return FindingEntry(
+        id=f.dedupe_hash(),
+        title=f.title,
+        severity=_map_severity(f.severity),
+        scanner=f.scanner,
+        file_path=f.file_path or "",
+        line=f.line,
+        description=f.description,
+        rule_id=f.rule_id or "",
+    )
+
+
+def _map_severity(s: ScannerSeverity) -> TriageSeverity:
+    """Map scanner Severity to triage Severity.
+
+    Both use the same enum values, just different type namespaces.
+
+    Args:
+        s: Scanner severity enum.
+
+    Returns:
+        Triage severity enum.
+    """
+    try:
+        return TriageSeverity(s.value)
+    except ValueError:
+        # Fallback to INFO for unknown severities
+        return TriageSeverity.INFO

{kekkai_cli-1.1.0.dist-info → kekkai_cli-1.1.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kekkai-cli
-Version: 1.1.0
+Version: 1.1.1
 Summary: Kekkai monorepo (local-first AppSec orchestration + compliance checker)
 Requires-Python: >=3.12
 Description-Content-Type: text/markdown
@@ -28,7 +28,7 @@ Requires-Dist: httpx>=0.24.0
 
 Stop juggling security tools. **Kekkai orchestrates your entire AppSec lifecycle** — from AI-powered threat modeling to vulnerability management — in a single CLI.
 
-![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-demo.gif)
+![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-start.gif)
 
 ---
 
@@ -104,6 +104,8 @@ kekkai upload
 
 Generate STRIDE-aligned threat models and Mermaid.js Data Flow Diagrams from your codebase.
 
+![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-threatflow.gif)
+
 ```bash
 # Ollama (recommended - easy setup, privacy-preserving)
 ollama pull mistral
@@ -177,6 +179,10 @@ kekkai triage
 
 Automate security enforcement in your pipelines.
 
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-scan.png" alt="Kekkai Scanning" width="650"/>
+</p>
+
 ```bash
 # Fail on any critical or high findings
 kekkai scan --ci --fail-on high
@@ -212,6 +218,10 @@ kekkai scan --ci --fail-on medium --max-findings 5
 
 Spin up a complete vulnerability management platform locally.
 
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-dojo.png" alt="Kekkai Dojo" width="650"/>
+</p>
+
 ```bash
 kekkai dojo up --wait    # Start DefectDojo (Nginx, Postgres, Redis, Celery)
 kekkai dojo status       # Check service health
@@ -225,6 +235,14 @@ kekkai dojo down         # Stop and clean up (removes volumes)
 - Pre-configured for Kekkai imports
 - Clean teardown (no orphaned volumes)
 
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/Active-Engagements-kekkai-dojo.png" alt="Kekkai Dojo" width="850"/>
+</p>
+
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-dojo-dashboard-findings.png" alt="Kekkai Dojo" width="850"/>
+</p
+
 [Full Dojo Documentation →](docs/dojo/dojo.md)
 
 ---
@@ -283,24 +301,26 @@ pip install kekkai-cli
 
 ---
 
-## Enterprise Features — Kekkai Portal
+## Enterprise Features
 
-For teams that need centralized management, **Kekkai Portal** provides:
+For organizations that need advanced capabilities, **Kekkai Enterprise** provides:
 
 | Feature | Description |
 |---------|-------------|
-| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace ([Setup Guide](docs/portal/saml-setup.md)) |
-| **Role-Based Access Control** | Fine-grained permissions per team/project ([RBAC Guide](docs/portal/rbac.md)) |
-| **Multi-Tenant Architecture** | Isolated environments per organization ([Architecture](docs/portal/multi-tenant.md)) |
-| **Aggregated Dashboards** | Centralized view of all CLI scan results |
+| **Multi-Tenant Portal** | Web dashboard for managing multiple teams/projects ([Learn More](docs/portal/README.md)) |
+| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace |
+| **Role-Based Access Control** | Fine-grained permissions per team/project |
+| **Advanced Operations** | Automated backup/restore, monitoring, zero-downtime upgrades ([Learn More](docs/ops/README.md)) |
+| **Compliance Reporting** | Map findings to OWASP, PCI-DSS, HIPAA, SOC 2 |
 | **Audit Logging** | Cryptographically signed compliance trails |
 
-**Upgrade Path:**
-- CLI users can sync results to Portal: `kekkai upload` ([Sync Guide](docs/portal/cli-sync.md))
-- Portal provides dashboards for security managers
-- Self-hosted or Kademos-managed options ([Deployment Guide](docs/portal/deployment.md))
+**Architecture:**
+- Open-source CLI remains fully functional standalone
+- Enterprise features available in separate private repository for licensed customers
+- Optional integration: CLI can sync results to enterprise portal
+- Self-hosted or Kademos-managed deployment options
 
-[Contact us for Portal access →](mailto:sales@kademos.org)
+[Contact us for enterprise access →](mailto:sales@kademos.org)
 
 ---
 

{kekkai_cli-1.1.0.dist-info → kekkai_cli-1.1.1.dist-info}/RECORD

@@ -1,10 +1,10 @@
 kekkai/__init__.py,sha256=_VrBvJRyqHiXs31S8HOhATk_O2iy-ac0_9X7rHH75j8,143
-kekkai/cli.py,sha256=uCqs5KBqmOjNn9dCkj04H3Vq2lixQRsy2R4lCf_TJv8,60141
+kekkai/cli.py,sha256=-Kix3HMEsroCgtOLu-QCtPwi7OqOSi3YzXzboT5tGvU,63529
 kekkai/config.py,sha256=LE7bKsmv5dim5KnZya0V7_LtviNQ1V0pMN_6FyAsMpc,13084
 kekkai/dojo.py,sha256=erLdTMOioTyzVhXYW8xgdbU5Ro-KQx1OcTQN7_zemmY,18634
-kekkai/dojo_import.py,sha256=oI-vwpLITA7-U2_MxhaTp_PYfr5HqvcFy3VzKsWA6IY,6911
+kekkai/dojo_import.py,sha256=D0ZQM_0JYHqUqJA3l4nKD-RkpvcOcgj-4zv59HRcQ6k,7274
 kekkai/manifest.py,sha256=Ph5xGDKuVxMW1GVIisRhxUelaiVZQe-W5sZWsq4lHqs,1887
-kekkai/output.py,sha256=R-yyJm6tdD_uTA_8LoD6JHHO518vsQqZc4_jT7mGV-I,5500
+kekkai/output.py,sha256=nPKsf3FjWtWf_nHj4HVpgqeZtLpPOtZoLJElVLSyPK4,5500
 kekkai/paths.py,sha256=EcyG3CEOQFQygowu7O5Mp85dKkXWWvnm1h0j_BetGxY,1190
 kekkai/policy.py,sha256=0XCUH-SbnO1PsM-exjSFHYHRnLkiNa50QfkyPakwNko,9792
 kekkai/runner.py,sha256=MBFUiJ4sSVEGNbJ6cv-8p1WHaHqjio6yWEfr_K4GuTs,2037
@@ -35,6 +35,7 @@ kekkai/report/compliance_matrix.py,sha256=WOz7Fr6Hkfl7agY2DKea7Ir0z6PtC2qT0RQgfU
 kekkai/report/generator.py,sha256=E1hMqUm_tB1jFLa6yWQFytukl4w-LIgTQ9gsA1LpCsc,11893
 kekkai/report/html.py,sha256=6VJoyW08qPUWotzA0pDoO3s1Ll8E-2ypA7ldwBD_Pig,2363
 kekkai/report/pdf.py,sha256=zGwfEQo6419MpNz2TeB5sgLG_bsLsok0v6ellCMd0FA,1751
+kekkai/report/unified.py,sha256=2MaqwTuNRAQtGl-CtSXmsaxSLjuxh7aN1kTe7eD0mRM,6623
 kekkai/scanners/__init__.py,sha256=uKJqnBgcf47eJlDB3mvHpLsobR6M6N6uO2L0Dor1MaE,1552
 kekkai/scanners/base.py,sha256=uy7HgOaQxNcp6-X1gfXAecSYpKXaEsuVeluf6SwkbwM,2678
 kekkai/scanners/container.py,sha256=A_qBZkUNVAowWeEQUVn8VPW4obRM8KtOk9rSqX7GQUA,5328
@@ -57,10 +58,11 @@ kekkai/threatflow/model_adapter.py,sha256=Vl0wBWvBUxEGTmFghjwpp-N7Zt3qkpUSxrPVjK
 kekkai/threatflow/prompts.py,sha256=lgbj7FJ1c3UYj4ofGnlLoRmywYBfdAKY0QEHmIB_JFw,8525
 kekkai/threatflow/redaction.py,sha256=mGUcNQB6YPVKArtMrEYcXCWslgUiCkloiowY9IlZ1iY,7622
 kekkai/threatflow/sanitizer.py,sha256=uQsxYZ5VDXutZoj-WMl7fo5T07uHuQZqgVzoVMoaKec,22688
-kekkai/triage/__init__.py,sha256=5La5HUnO6ehoUoRbOfZ_QvRj0U4ud4W2o79oraBhpCg,798
+kekkai/triage/__init__.py,sha256=gYf4XPIYZTthU0Q0kaptbgMKulkjLxWQWG0HQvtlu-o,2182
 kekkai/triage/app.py,sha256=MU2tBI50d8sOdDKESGNrWYiREG9bBtrSccaMoiMv5gM,5027
 kekkai/triage/audit.py,sha256=UVaSKKC6tZkHxEoMcnIZkMOT_ngj7QzHWYuDAHas_sc,5842
 kekkai/triage/ignore.py,sha256=uBKM7zKyzORj9LJ5AAnoYWZQTRy57P0ZofSapiDWcfI,7305
+kekkai/triage/loader.py,sha256=vywhS8fcre7PiBX3H2CpKXFxzvO7LcDnIHIB0kzG3R4,5850
 kekkai/triage/models.py,sha256=nRmWtELMqHWHX1NqZ2upH2ZAJVeBxa3Wh8f3kkB9WYo,5384
 kekkai/triage/screens.py,sha256=6eEiHvuuS_gGESS_K3NjPiQx8G7CR18-j9upU1p5nRg,11004
 kekkai/triage/widgets.py,sha256=eOF6Qoo5uBqjxiEkbpgcO1tbIOGBQBKn75wP9Jw_AaE,4733
@@ -82,26 +84,8 @@ kekkai_core/windows/chocolatey.py,sha256=tF5S5eN-HeENRt6yQ4TZgwng0oRMX_ScskQ3-eb
 kekkai_core/windows/installer.py,sha256=MePAywHH3JTIAENv52XtkUMOGqmYqZqkH77VW5PST8o,6945
 kekkai_core/windows/scoop.py,sha256=lvothICrAoB3lGfkvhqVeNTB50eMmVGA0BE7JNCfHdI,5284
 kekkai_core/windows/validators.py,sha256=45xUuAbHcKc0WLIZ-0rByPeDD88MAV8KvopngyYBHpQ,6525
-portal/__init__.py,sha256=vLjCqUgIqzHbT-oIMMWuWQ-lDA5jvuOOEa9qdBRLcIY,507
-portal/api.py,sha256=4_hQwkUnP8P3EjCdB5Tb7uRcuH3H7M6GxTvwTTmhLv4,4066
-portal/auth.py,sha256=4K_Ya9W_2sZl2MF0FNVr9QASjTOKAO3CMdgGUuYbb9s,3102
-portal/tenants.py,sha256=91SOqzjGefcHXodfN8LIHER8boeSB-Jb-WoHPTWI5GI,11394
-portal/uploads.py,sha256=WhosreaTKFYHNKXW9F4jOmB_OwUl1YGtT5DeaXnRMqk,7352
-portal/web.py,sha256=_9td07YYRiuCZZTpTzeKeoZzRBIwCXfWrjA7RBtJ5_8,14495
-portal/enterprise/__init__.py,sha256=V_JYiIaVv46MynUAhXs_w2aWjfY9x_WZ9tjOqUESaeQ,1000
-portal/enterprise/audit.py,sha256=VTm-M4gVKOxcBREqIJBs4r5wyqqqf1eCOsHi3FFiDcI,13772
-portal/enterprise/licensing.py,sha256=RSs_gPrJ33a3DDfAQY8VDJj51uXg4av43AgNsaGl-1Q,13775
-portal/enterprise/rbac.py,sha256=vrZoyIVmWM0C90CIgZaprwqhiDbAM-ggNNg36Zu-5lU,8548
-portal/enterprise/saml.py,sha256=TXHBbILI7qMe0ertcFPnuSUSPbJzEeBiHmZzhY9-Ix8,20367
-portal/ops/__init__.py,sha256=ZyEYmFM_4LFWfQfgp9Kh2vqmolSjVKFdk1vX1vkhjqc,1391
-portal/ops/backup.py,sha256=eLUnZcUtS0svEoagb0jQQmT7TcAGjBA3fUlM2YoCfLg,20102
-portal/ops/log_shipper.py,sha256=Age3YfvsJ5YWrPQYdHELr4Qa9jJCATHiwv3Q-rMJwJs,15237
-portal/ops/monitoring.py,sha256=xhLbKjVaob709K4x0dEsOo4lh7Ddm2A4UE2ZmhfmMtI,17908
-portal/ops/restore.py,sha256=rgzKoBIilgoPPv5gZhSSBuLKG1skKw5ryoCRR3d7CPQ,17058
-portal/ops/secrets.py,sha256=wu2bUfJGctbGjyuGUgvUc_Y6IH1SCW16dExtqcKu_kg,14338
-portal/ops/upgrade.py,sha256=fXsIXCJYYABdWDECDXkt7F2PidzNtO6Zr-g0Y5PLlVU,20106
-kekkai_cli-1.1.0.dist-info/METADATA,sha256=-5dvVJg243pTFzu4MPaQQPICRaWzIwZTPXMH0h9hvC0,10828
-kekkai_cli-1.1.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-kekkai_cli-1.1.0.dist-info/entry_points.txt,sha256=WUEX6IISnRcwlQAdhisPfIIV3Us2MYCwtJoyPpLJO44,75
-kekkai_cli-1.1.0.dist-info/top_level.txt,sha256=u0J4T-Rnb0cgs0LfzZAUNt6nx1d5l7wKn8vOuo9FBEY,26
-kekkai_cli-1.1.0.dist-info/RECORD,,
+kekkai_cli-1.1.1.dist-info/METADATA,sha256=_Wt5_uAwnvnEK-Hmc7RxwZozkiwU_6JpLFD_xTpgDTM,11667
+kekkai_cli-1.1.1.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+kekkai_cli-1.1.1.dist-info/entry_points.txt,sha256=MBV1OIfxJmT2oJvzeeFKIH1eh8M9kKAn7JqFBeuMfWA,43
+kekkai_cli-1.1.1.dist-info/top_level.txt,sha256=wWwh7GGPaUjcaCRmt70ueL3WQoQbeGa5L0T0hgOh-MY,19
+kekkai_cli-1.1.1.dist-info/RECORD,,

{kekkai_cli-1.1.0.dist-info → kekkai_cli-1.1.1.dist-info}/entry_points.txt

@@ -1,3 +1,2 @@
 [console_scripts]
 kekkai = kekkai.cli:main
-kekkai-portal = portal.web:main

{kekkai_cli-1.1.0.dist-info → kekkai_cli-1.1.1.dist-info}/top_level.txt

@@ -1,3 +1,2 @@
 kekkai
 kekkai_core
-portal

portal/__init__.py

@@ -1,19 +0,0 @@
-"""Kekkai Hosted Portal - DefectDojo-backed multi-tenant security dashboard."""
-
-from __future__ import annotations
-
-__all__ = [
-    "AuthMethod",
-    "AuthResult",
-    "SAMLTenantConfig",
-    "Tenant",
-    "TenantStore",
-    "UploadResult",
-    "authenticate_request",
-    "process_upload",
-    "validate_upload",
-]
-
-from .auth import AuthResult, authenticate_request
-from .tenants import AuthMethod, SAMLTenantConfig, Tenant, TenantStore
-from .uploads import UploadResult, process_upload, validate_upload

portal/api.py

@@ -1,155 +0,0 @@
-"""Portal API endpoints for programmatic access.
-
-Provides REST API endpoints that expose the same data visible in the UI.
-All endpoints require authentication and enforce tenant isolation.
-"""
-
-from __future__ import annotations
-
-import json
-import logging
-import os
-from dataclasses import dataclass
-from pathlib import Path
-from typing import Any
-
-from .tenants import Tenant
-
-logger = logging.getLogger(__name__)
-
-
-@dataclass(frozen=True)
-class UploadInfo:
-    """Information about an upload."""
-
-    upload_id: str
-    filename: str
-    timestamp: str
-    file_hash: str
-    size_bytes: int
-
-
-@dataclass(frozen=True)
-class TenantStats:
-    """Statistics for a tenant."""
-
-    total_uploads: int
-    total_size_bytes: int
-    last_upload_time: str | None
-
-
-def get_tenant_info(tenant: Tenant) -> dict[str, Any]:
-    """Get tenant information for API response.
-
-    Args:
-        tenant: The authenticated tenant
-
-    Returns:
-        Dictionary containing tenant metadata
-    """
-    return {
-        "id": tenant.id,
-        "name": tenant.name,
-        "dojo_product_id": tenant.dojo_product_id,
-        "dojo_engagement_id": tenant.dojo_engagement_id,
-        "enabled": tenant.enabled,
-        "max_upload_size_mb": tenant.max_upload_size_mb,
-        "auth_method": tenant.auth_method.value,
-        "default_role": tenant.default_role,
-    }
-
-
-def list_uploads(tenant: Tenant, limit: int = 50) -> list[dict[str, Any]]:
-    """List recent uploads for a tenant.
-
-    Args:
-        tenant: The authenticated tenant
-        limit: Maximum number of uploads to return
-
-    Returns:
-        List of upload metadata dictionaries
-    """
-    upload_dir = Path(os.environ.get("PORTAL_UPLOAD_DIR", "/var/lib/kekkai-portal/uploads"))
-    tenant_dir = upload_dir / tenant.id
-
-    if not tenant_dir.exists():
-        return []
-
-    uploads: list[dict[str, Any]] = []
-
-    # Get all upload files for this tenant
-    try:
-        upload_files = sorted(
-            tenant_dir.glob("*.json"),
-            key=lambda p: p.stat().st_mtime,
-            reverse=True,
-        )[:limit]
-
-        for upload_file in upload_files:
-            stat = upload_file.stat()
-            uploads.append(
-                {
-                    "upload_id": upload_file.stem,
-                    "filename": upload_file.name,
-                    "timestamp": str(int(stat.st_mtime)),
-                    "size_bytes": stat.st_size,
-                }
-            )
-    except (OSError, PermissionError) as e:
-        logger.warning("Failed to list uploads for tenant %s: %s", tenant.id, e)
-
-    return uploads
-
-
-def get_tenant_stats(tenant: Tenant) -> dict[str, Any]:
-    """Get statistics for a tenant.
-
-    Args:
-        tenant: The authenticated tenant
-
-    Returns:
-        Dictionary containing tenant statistics
-    """
-    upload_dir = Path(os.environ.get("PORTAL_UPLOAD_DIR", "/var/lib/kekkai-portal/uploads"))
-    tenant_dir = upload_dir / tenant.id
-
-    if not tenant_dir.exists():
-        return {
-            "total_uploads": 0,
-            "total_size_bytes": 0,
-            "last_upload_time": None,
-        }
-
-    total_uploads = 0
-    total_size_bytes = 0
-    last_upload_time: int | None = None
-
-    try:
-        for upload_file in tenant_dir.glob("*.json"):
-            stat = upload_file.stat()
-            total_uploads += 1
-            total_size_bytes += stat.st_size
-
-            if last_upload_time is None or stat.st_mtime > last_upload_time:
-                last_upload_time = int(stat.st_mtime)
-
-    except (OSError, PermissionError) as e:
-        logger.warning("Failed to get stats for tenant %s: %s", tenant.id, e)
-
-    return {
-        "total_uploads": total_uploads,
-        "total_size_bytes": total_size_bytes,
-        "last_upload_time": str(last_upload_time) if last_upload_time else None,
-    }
-
-
-def serialize_api_response(data: dict[str, Any]) -> bytes:
-    """Serialize API response to JSON bytes.
-
-    Args:
-        data: Response data dictionary
-
-    Returns:
-        JSON-encoded bytes
-    """
-    return json.dumps(data, indent=2).encode("utf-8")

portal/auth.py

@@ -1,103 +0,0 @@
-"""Authentication middleware for portal API.
-
-Security controls:
-- ASVS V16.3.2: Log failed authorization attempts
-- Constant-time API key comparison to prevent timing attacks
-"""
-
-from __future__ import annotations
-
-import logging
-import re
-from dataclasses import dataclass
-from typing import TYPE_CHECKING
-
-from kekkai_core import redact
-
-from .tenants import Tenant, TenantStore
-
-if TYPE_CHECKING:
-    from collections.abc import Mapping
-
-logger = logging.getLogger(__name__)
-
-BEARER_PATTERN = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)
-
-
-@dataclass(frozen=True)
-class AuthResult:
-    """Result of authentication attempt."""
-
-    authenticated: bool
-    tenant: Tenant | None = None
-    error: str | None = None
-
-
-def authenticate_request(
-    headers: Mapping[str, str],
-    tenant_store: TenantStore,
-    client_ip: str = "unknown",
-) -> AuthResult:
-    """Authenticate a request using Bearer token.
-
-    Args:
-        headers: Request headers (case-insensitive lookup)
-        tenant_store: Tenant storage for API key verification
-        client_ip: Client IP for logging failed attempts
-
-    Returns:
-        AuthResult with tenant if authenticated, error otherwise
-    """
-    auth_header = _get_header(headers, "Authorization")
-    if not auth_header:
-        _log_auth_failure(client_ip, "missing_header")
-        return AuthResult(authenticated=False, error="Missing Authorization header")
-
-    match = BEARER_PATTERN.match(auth_header)
-    if not match:
-        _log_auth_failure(client_ip, "invalid_format")
-        return AuthResult(authenticated=False, error="Invalid Authorization format")
-
-    api_key = match.group(1)
-    if not api_key:
-        _log_auth_failure(client_ip, "empty_token")
-        return AuthResult(authenticated=False, error="Empty API token")
-
-    tenant = tenant_store.get_by_api_key(api_key)
-    if not tenant:
-        _log_auth_failure(client_ip, "invalid_token", api_key_prefix=api_key[:8])
-        return AuthResult(authenticated=False, error="Invalid API key")
-
-    if not tenant.enabled:
-        _log_auth_failure(client_ip, "tenant_disabled", tenant_id=tenant.id)
-        return AuthResult(authenticated=False, error="Tenant is disabled")
-
-    logger.info(
-        "auth.success client_ip=%s tenant_id=%s",
-        redact(client_ip),
-        tenant.id,
-    )
-    return AuthResult(authenticated=True, tenant=tenant)
-
-
-def _get_header(headers: Mapping[str, str], name: str) -> str | None:
-    """Get header value with case-insensitive lookup."""
-    for key, value in headers.items():
-        if key.lower() == name.lower():
-            return value
-    return None
-
-
-def _log_auth_failure(
-    client_ip: str,
-    reason: str,
-    tenant_id: str | None = None,
-    api_key_prefix: str | None = None,
-) -> None:
-    """Log authentication failure for security monitoring (ASVS V16.3.2)."""
-    parts = [f"auth.failure reason={reason}", f"client_ip={redact(client_ip)}"]
-    if tenant_id:
-        parts.append(f"tenant_id={tenant_id}")
-    if api_key_prefix:
-        parts.append(f"api_key_prefix={api_key_prefix}...")
-    logger.warning(" ".join(parts))