# ViolentUTF API Architectural Verification - Issue #49

## Executive Summary

This notebook provides comprehensive verification of the **22 CRITICAL** and **25 HIGH** non-security architectural violations reported in GitHub issue #49 for the ViolentUTF API.

**Assessment Date:** August 6, 2025  
**GitHub Issue:** [#49 - Validate and resolve other Critical ADR Issues](https://github.com/GSA-TTS/violentutf-api/issues/49)  
**Source Report:** `docs/reports/ADRaudit-02AUG25-Analysis/criticalViolations_others.md`  
**ADR Compliance Score:** 44.35% (FAILING)

### Architectural Violations Distribution

| Category | CRITICAL Count | Related HIGH Count | Impact Level |
|----------|----------------|-------------------|-------------|
| API Endpoints | 8 | 7 | **CRITICAL** - Core functionality missing |
| Dependencies & Infrastructure | 4 | 5 | **CRITICAL** - Cannot deploy system |
| Data Models & Database | 3 | 8 | **HIGH** - No data persistence |
| Plugin Architecture | 3 | 2 | **HIGH** - No extensibility framework |
| Configuration | 4 | 3 | **MEDIUM** - Incomplete settings |

## Prerequisites

**IMPORTANT:** This notebook requires the ViolentUTF API to be running. Please ensure:
1. The API is accessible at the configured endpoint
2. You have valid credentials for testing
3. The database is properly initialized

### Setup Instructions

```bash
# Start the ViolentUTF API
cd /path/to/violentutf-api
./setup_macos.sh  # or setup_linux.sh for Linux
docker-compose up -d
```

## 1. Environment Setup and Configuration

In [1]:
# Install required packages if not already installed
import subprocess
import sys
import os

def install_package(package):
    """Install a package using pip if not already installed."""
    try:
        __import__(package.split('[')[0] if '[' in package else package)
    except ImportError:
        print(f"Installing {package}...")
        subprocess.check_call([sys.executable, "-m", "pip", "install", package])

# Required packages
packages = [
    "requests",
    "pydantic",
    "python-jose",
    "sqlalchemy",
    "asyncpg",
    "pytest",
    "faker",
    "python-dotenv",
    "colorama",
    "tabulate",
    "pandas",
    "matplotlib",
    "seaborn",
    "pyyaml"
]

for package in packages:
    install_package(package)

print("✅ All required packages installed")

Installing python-jose...



[1m[[0m[34;49mnotice[0m[1;39;49m][0m[39;49m A new release of pip is available: [0m[31;49m25.1.1[0m[39;49m -> [0m[32;49m25.2[0m
[1m[[0m[34;49mnotice[0m[1;39;49m][0m[39;49m To update, run: [0m[32;49mpip install --upgrade pip[0m


Installing python-dotenv...



[1m[[0m[34;49mnotice[0m[1;39;49m][0m[39;49m A new release of pip is available: [0m[31;49m25.1.1[0m[39;49m -> [0m[32;49m25.2[0m
[1m[[0m[34;49mnotice[0m[1;39;49m][0m[39;49m To update, run: [0m[32;49mpip install --upgrade pip[0m


Installing pyyaml...
✅ All required packages installed



[1m[[0m[34;49mnotice[0m[1;39;49m][0m[39;49m A new release of pip is available: [0m[31;49m25.1.1[0m[39;49m -> [0m[32;49m25.2[0m
[1m[[0m[34;49mnotice[0m[1;39;49m][0m[39;49m To update, run: [0m[32;49mpip install --upgrade pip[0m


In [2]:
import os
import json
import time
import uuid
import hashlib
import secrets
import warnings
import subprocess
import importlib.util
import ast
import yaml
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Any, Tuple
from dataclasses import dataclass, field
from enum import Enum
from pathlib import Path
import asyncio
import base64

import requests
from requests.auth import HTTPBasicAuth
from faker import Faker
from colorama import init, Fore, Back, Style
from tabulate import tabulate
import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns
from dotenv import load_dotenv

# Initialize colorama for cross-platform colored output
init(autoreset=True)

# Load environment variables
load_dotenv()

# Suppress warnings for cleaner output
warnings.filterwarnings('ignore')

# Initialize Faker for test data generation
fake = Faker()

# Get project root
PROJECT_ROOT = Path.cwd().parent.parent if 'docs' in str(Path.cwd()) else Path.cwd()
print(f"Project root: {PROJECT_ROOT}")

print("✅ Environment setup complete")

Project root: /Users/tamnguyen/Documents/GitHub/violentutf-api
✅ Environment setup complete


In [3]:
# Configuration with .api_credentials loading
import os
from pathlib import Path

def load_api_credentials():
    """Load credentials from .api_credentials file."""
    creds = {}
    cred_file = Path.cwd().parent.parent / ".api_credentials" if 'docs' in str(Path.cwd()) else Path.cwd() / ".api_credentials"
    
    if cred_file.exists():
        print(f"📁 Loading credentials from {cred_file}")
        with open(cred_file, 'r') as f:
            for line in f:
                line = line.strip()
                if line and not line.startswith('#') and '=' in line:
                    key, value = line.split('=', 1)
                    creds[key] = value
        print(f"   ✅ Loaded {len(creds)} credential values")
    else:
        print(f"⚠️ .api_credentials file not found at {cred_file}")
    
    return creds

# Load credentials from file first
api_creds = load_api_credentials()

@dataclass
class TestConfig:
    """Configuration for architectural testing."""
    
    # Load from .api_credentials file first, then environment, then defaults
    def __init__(self):
        # API Configuration
        self.api_base_url = api_creds.get('API_URL') or os.getenv('VIOLENTUTF_API_URL', os.getenv('API_BASE_URL', 'http://localhost:8000'))
        self.api_version = os.getenv('API_VERSION', 'v1')
        
        # Authentication - Load from .api_credentials, then environment
        self.admin_username = api_creds.get('ADMIN_USERNAME') or os.getenv('VIOLENTUTF_USERNAME', os.getenv('ADMIN_USERNAME', ''))
        self.admin_password = api_creds.get('ADMIN_PASSWORD') or os.getenv('VIOLENTUTF_PASSWORD', os.getenv('ADMIN_PASSWORD', ''))
        self.api_key = api_creds.get('API_KEY') or os.getenv('VIOLENTUTF_API_KEY', '')
        
        # Database credentials (optional)
        self.db_host = api_creds.get('DB_HOST', 'localhost')
        self.db_port = api_creds.get('DB_PORT', '5432')
        self.db_name = api_creds.get('DB_NAME', 'violentutf')
        self.db_user = api_creds.get('DB_USER', 'violentutf')
        self.db_password = api_creds.get('DB_PASSWORD', '')
        
        # Service URLs
        self.health_url = api_creds.get('HEALTH_URL')
        self.docs_url = api_creds.get('DOCS_URL')
        
        # Project paths
        self.project_root = PROJECT_ROOT
        self.app_dir = self.project_root / "app"
        self.requirements_file = self.project_root / "requirements.txt"
        
        # Test Parameters
        self.request_timeout = 30
        self.max_retries = 3
        self.verify_ssl = False  # Set to True in production
    
    @property
    def api_url(self) -> str:
        """Full API URL."""
        return f"{self.api_base_url}/api/{self.api_version}"

# Initialize configuration
config = TestConfig()

# Only prompt for credentials if not loaded from file
if not config.admin_username or not config.admin_password:
    print("\n⚠️ Credentials not found in .api_credentials or environment variables.")
    print("Please provide credentials:")
    print("\nYou can also create a .api_credentials file with:")
    print("  ADMIN_USERNAME=your_username")
    print("  ADMIN_PASSWORD=your_password")
    print("  API_KEY=your_api_key")
    print("  API_URL=http://localhost:8000")
    print("\nOr enter credentials now (press Enter for defaults):\n")
    
    username_input = input(f"Username [{config.admin_username or 'admin'}]: ").strip()
    config.admin_username = username_input if username_input else (config.admin_username or 'admin')
    
    from getpass import getpass
    password_input = getpass(f"Password [{'*' * len(config.admin_password) if config.admin_password else 'admin123'}]: ").strip()
    config.admin_password = password_input if password_input else (config.admin_password or 'admin123')
    
    # Optional API key
    api_key_input = input("API Key (optional, press Enter to skip): ").strip()
    if api_key_input:
        config.api_key = api_key_input
else:
    print("\n✅ Credentials loaded from .api_credentials file")

print(f"\n🔧 Configuration loaded")
print(f"   API URL: {config.api_url}")
print(f"   Username: {config.admin_username}")
print(f"   Password: {'*' * len(config.admin_password) if config.admin_password else '(not set)'}")
print(f"   API Key: {'*' * 20 + '...' if config.api_key else 'Not set'}")
print(f"   Project Root: {config.project_root}")
print(f"   Database: {config.db_user}@{config.db_host}:{config.db_port}/{config.db_name}")

📁 Loading credentials from /Users/tamnguyen/Documents/GitHub/violentutf-api/.api_credentials
   ✅ Loaded 12 credential values

✅ Credentials loaded from .api_credentials file

🔧 Configuration loaded
   API URL: http://localhost:8000/api/v1
   Username: admin
   Password: ****************
   API Key: ********************...
   Project Root: /Users/tamnguyen/Documents/GitHub/violentutf-api
   Database: violentutf@localhost:5432/violentutf


In [4]:
# Architectural Violation Tracking
class ViolationType(Enum):
    """Types of architectural violations."""
    API_ENDPOINT = "API Endpoint"
    INFRASTRUCTURE = "Infrastructure"
    DATA_MODEL = "Data Model"
    PLUGIN = "Plugin Architecture"
    CONFIGURATION = "Configuration"
    ERROR_HANDLING = "Error Handling"

class Severity(Enum):
    """Violation severity levels."""
    CRITICAL = "CRITICAL"
    HIGH = "HIGH"
    MEDIUM = "MEDIUM"
    LOW = "LOW"
    INFO = "INFO"

@dataclass
class ArchitecturalViolation:
    """Represents an architectural violation."""
    
    violation_id: str
    violation_type: ViolationType
    severity: Severity
    title: str
    description: str
    adr_violated: str
    file_location: str
    expected_component: str
    actual_state: str
    test_result: str
    evidence: Dict[str, Any]
    recommendation: str
    verified: bool = False
    timestamp: datetime = field(default_factory=datetime.now)
    
    def to_dict(self) -> Dict[str, Any]:
        """Convert to dictionary for reporting."""
        return {
            "violation_id": self.violation_id,
            "type": self.violation_type.value,
            "severity": self.severity.value,
            "title": self.title,
            "description": self.description,
            "adr_violated": self.adr_violated,
            "file_location": self.file_location,
            "expected": self.expected_component,
            "actual": self.actual_state,
            "test_result": self.test_result,
            "evidence": self.evidence,
            "recommendation": self.recommendation,
            "verified": self.verified,
            "timestamp": self.timestamp.isoformat()
        }

class ArchitecturalTestResults:
    """Collector for architectural test results."""
    
    def __init__(self):
        self.violations: List[ArchitecturalViolation] = []
        self.test_start_time = datetime.now()
        
    def add_violation(self, violation: ArchitecturalViolation):
        """Add an architectural violation."""
        self.violations.append(violation)
        
    def get_summary(self) -> Dict[str, Any]:
        """Get summary statistics."""
        severity_counts = {}
        for severity in Severity:
            severity_counts[severity.value] = sum(
                1 for v in self.violations if v.severity == severity
            )
        
        type_counts = {}
        for vtype in ViolationType:
            type_counts[vtype.value] = sum(
                1 for v in self.violations if v.violation_type == vtype
            )
        
        return {
            "total_violations": len(self.violations),
            "verified_violations": sum(1 for v in self.violations if v.verified),
            "severity_distribution": severity_counts,
            "type_distribution": type_counts,
            "test_duration": str(datetime.now() - self.test_start_time),
            "adrs_violated": list(set(v.adr_violated for v in self.violations))
        }
    
    def display_summary(self):
        """Display formatted summary."""
        summary = self.get_summary()
        
        print("\n" + "="*80)
        print(f"{Fore.CYAN}ARCHITECTURAL TEST RESULTS SUMMARY")
        print("="*80)
        
        print(f"\n📊 Overall Statistics:")
        print(f"   Total Violations: {summary['total_violations']}")
        print(f"   Verified: {summary['verified_violations']}")
        print(f"   Test Duration: {summary['test_duration']}")
        
        print(f"\n🔴 Severity Distribution:")
        for severity, count in summary['severity_distribution'].items():
            if count > 0:
                color = Fore.RED if severity == "CRITICAL" else \
                        Fore.YELLOW if severity == "HIGH" else \
                        Fore.BLUE if severity == "MEDIUM" else \
                        Fore.GREEN
                print(f"   {color}{severity}: {count}")
        
        print(f"\n📁 Violation Types:")
        for vtype, count in summary['type_distribution'].items():
            if count > 0:
                print(f"   • {vtype}: {count}")
        
        print(f"\n📋 ADRs Violated:")
        for adr in summary['adrs_violated']:
            print(f"   • {adr}")

# Initialize results collector
results = ArchitecturalTestResults()
print("✅ Architectural test framework initialized")

✅ Architectural test framework initialized


In [5]:
# Helper Functions
class APIClient:
    """API client for architectural testing."""
    
    def __init__(self, config: TestConfig):
        self.config = config
        self.session = requests.Session()
        self.session.verify = config.verify_ssl
        self.token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        
        # Set API key header if available
        if config.api_key:
            self.session.headers.update({
                'X-API-Key': config.api_key
            })
        
    def authenticate(self, username: str = None, password: str = None, use_api_key: bool = False) -> bool:
        """Authenticate and obtain JWT token or use API key."""
        username = username or self.config.admin_username
        password = password or self.config.admin_password
        
        # If API key is set and requested, skip JWT auth
        if use_api_key and self.config.api_key:
            print(f"🔑 Using API key authentication")
            return True
        
        try:
            # Try different auth endpoints
            auth_endpoints = [
                f"{self.config.api_url}/auth/login",
                f"{self.config.api_url}/auth/token",
                f"{self.config.api_base_url}/token",
                f"{self.config.api_base_url}/api/auth/login"
            ]
            
            for auth_url in auth_endpoints:
                try:
                    response = self.session.post(
                        auth_url,
                        json={"username": username, "password": password},
                        timeout=self.config.request_timeout
                    )
                    
                    if response.status_code == 200:
                        data = response.json()
                        self.token = data.get('access_token') or data.get('token')
                        self.refresh_token = data.get('refresh_token')
                        if self.token:
                            self.session.headers.update({
                                'Authorization': f'Bearer {self.token}'
                            })
                            return True
                except:
                    continue
                    
            # If none worked, try the first one again for error message
            response = self.session.post(
                auth_endpoints[0],
                json={"username": username, "password": password},
                timeout=self.config.request_timeout
            )
            
            if response.status_code == 401:
                print(f"❌ Authentication failed: Invalid credentials")
            else:
                print(f"❌ Authentication failed: Status {response.status_code}")
                
        except Exception as e:
            print(f"❌ Authentication failed: {e}")
        
        return False
    
    def make_request(self, method: str, endpoint: str, **kwargs) -> requests.Response:
        """Make an API request with error handling."""
        url = f"{self.config.api_url}{endpoint}"
        
        for attempt in range(self.config.max_retries):
            try:
                response = self.session.request(
                    method=method,
                    url=url,
                    timeout=self.config.request_timeout,
                    **kwargs
                )
                return response
            except requests.exceptions.RequestException as e:
                if attempt == self.config.max_retries - 1:
                    raise
                time.sleep(2 ** attempt)  # Exponential backoff

def check_file_exists(file_path: Path) -> bool:
    """Check if a file exists."""
    return file_path.exists()

def check_import_in_file(file_path: Path, import_name: str) -> bool:
    """Check if a specific import exists in a Python file."""
    if not file_path.exists():
        return False
    
    try:
        with open(file_path, 'r') as f:
            content = f.read()
            tree = ast.parse(content)
            
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for alias in node.names:
                    if import_name in alias.name:
                        return True
            elif isinstance(node, ast.ImportFrom):
                if node.module and import_name in node.module:
                    return True
                for alias in node.names:
                    if import_name in alias.name:
                        return True
    except:
        pass
    
    return False

def check_class_in_file(file_path: Path, class_name: str) -> bool:
    """Check if a specific class exists in a Python file."""
    if not file_path.exists():
        return False
    
    try:
        with open(file_path, 'r') as f:
            content = f.read()
            tree = ast.parse(content)
            
        for node in ast.walk(tree):
            if isinstance(node, ast.ClassDef) and node.name == class_name:
                return True
    except:
        pass
    
    return False

def check_function_in_file(file_path: Path, function_name: str) -> bool:
    """Check if a specific function exists in a Python file."""
    if not file_path.exists():
        return False
    
    try:
        with open(file_path, 'r') as f:
            content = f.read()
            tree = ast.parse(content)
            
        for node in ast.walk(tree):
            if isinstance(node, ast.FunctionDef) and node.name == function_name:
                return True
    except:
        pass
    
    return False

def check_dependency_in_requirements(dependency: str) -> bool:
    """Check if a dependency exists in requirements.txt."""
    req_file = config.project_root / "requirements.txt"
    if not req_file.exists():
        return False
    
    with open(req_file, 'r') as f:
        content = f.read().lower()
        return dependency.lower() in content

# Initialize API client
api_client = APIClient(config)
print("✅ Helper functions and API client initialized")

✅ Helper functions and API client initialized


In [7]:
# Test the API connection
def test_api_connection():
    """Test if the API is accessible."""
    try:
        # Include API key if available
        headers = {}
        if config.api_key:
            headers['X-API-Key'] = config.api_key
        
        # Try different health check endpoints
        health_endpoints = [
            f"{config.api_base_url}/health",
            f"{config.api_base_url}/api/health",
            f"{config.api_url}/health",
            f"{config.api_base_url}/ping"
        ]
        
        for health_url in health_endpoints:
            try:
                response = requests.get(
                    health_url,
                    timeout=5,
                    verify=False,
                    headers=headers
                )
                
                if response.status_code == 200:
                    print(f"✅ API is accessible at {config.api_base_url}")
                    print(f"   Health check endpoint: {health_url}")
                    try:
                        print(f"   Response: {response.json()}")
                    except:
                        print(f"   Response: {response.text[:100]}")
                    return True
            except:
                continue
        
        print(f"⚠️ API health check failed at {config.api_base_url}")
        return False
        
    except requests.exceptions.ConnectionError:
        print(f"❌ Cannot connect to API at {config.api_base_url}")
        print("   Please ensure the ViolentUTF API is running")
        return False
    except Exception as e:
        print(f"❌ Unexpected error: {e}")
        return False

# Test connection
api_available = test_api_connection()

if not api_available:
    print("\n⚠️ IMPORTANT: The API is not accessible")
    print("This notebook will perform static code analysis for violations.")
    print("\nTo start the API:")
    print("  cd /path/to/violentutf-api")
    print("  docker-compose up -d")
    print("\nOr set the correct API URL:")
    print("  export VIOLENTUTF_API_URL=https://your-api-url.com")
else:
    # Try to authenticate if API is available
    print("\n🔐 Testing authentication...")
    if config.api_key:
        print("   Using API key authentication")
        auth_success = True
    else:
        auth_success = api_client.authenticate()
        if auth_success:
            print("   ✅ Authentication successful")
        else:
            print("   ❌ Authentication failed - check credentials")
            print("   Tests requiring authentication will be skipped")

✅ API is accessible at http://localhost:8000
   Health check endpoint: http://localhost:8000/api/v1/health
   Response: {'status': 'healthy', 'timestamp': '2025-08-06T20:07:42.132692+00:00', 'service': 'ViolentUTF API', 'version': '1.0.0', 'environment': 'development'}

🔐 Testing authentication...
   Using API key authentication


## 2. API Endpoints Missing (8 CRITICAL + 7 HIGH)

Testing for missing critical API endpoints required by ADRs.

In [8]:
def test_async_task_endpoints():
    """Test for missing async task endpoints (CRITICAL Violation #1)."""
    
    print(f"\n{Fore.YELLOW}Testing Async Task Endpoints (Violation #1)...")
    print("="*60)
    
    # Check if endpoints exist in routes.py
    routes_file = config.app_dir / "api" / "routes.py"
    
    print(f"📁 Checking {routes_file}...")
    
    if routes_file.exists():
        with open(routes_file, 'r') as f:
            content = f.read()
            
        # Check for task/scan endpoints
        has_tasks = 'tasks' in content.lower()
        has_scans = 'scans' in content.lower()
        
        print(f"   Task endpoints mentioned: {has_tasks}")
        print(f"   Scan endpoints mentioned: {has_scans}")
    else:
        has_tasks = False
        has_scans = False
        print(f"   {Fore.RED}❌ routes.py not found")
    
    # Test API endpoints if available
    if api_available:
        print(f"\n🔍 Testing API endpoints...")
        
        required_endpoints = [
            ("/api/v1/scans", "POST", "Scan initiation"),
            ("/api/v1/tasks", "GET", "Task listing"),
            ("/api/v1/tasks/{task_id}", "GET", "Task status polling")
        ]
        
        missing_endpoints = []
        
        for endpoint, method, description in required_endpoints:
            test_endpoint = endpoint.replace("{task_id}", "test-id")
            
            try:
                response = api_client.make_request(method, test_endpoint)
                
                if response.status_code == 404:
                    print(f"   {Fore.RED}❌ Missing: {method} {endpoint} - {description}")
                    missing_endpoints.append(endpoint)
                else:
                    print(f"   {Fore.GREEN}✅ Found: {method} {endpoint}")
            except:
                print(f"   {Fore.RED}❌ Error testing {endpoint}")
                missing_endpoints.append(endpoint)
        
        is_missing = len(missing_endpoints) > 0
    else:
        is_missing = not has_tasks and not has_scans
        missing_endpoints = ["Cannot test - API not available"]
    
    # Check for task endpoint files
    task_endpoint_file = config.app_dir / "api" / "endpoints" / "tasks.py"
    scan_endpoint_file = config.app_dir / "api" / "endpoints" / "scans.py"
    
    print(f"\n📁 Checking endpoint files...")
    print(f"   tasks.py exists: {task_endpoint_file.exists()}")
    print(f"   scans.py exists: {scan_endpoint_file.exists()}")
    
    violation = ArchitecturalViolation(
        violation_id="CRIT-001",
        violation_type=ViolationType.API_ENDPOINT,
        severity=Severity.CRITICAL,
        title="No Async Task Endpoints",
        description="No async task endpoints implemented. ADR requires /api/v1/scans and /api/v1/tasks endpoints for HTTP Polling pattern but these are completely missing.",
        adr_violated="ADR-007 (Async Task Processing)",
        file_location="app/api/routes.py:1",
        expected_component="Task and scan endpoints with 202 Accepted responses",
        actual_state="No task or scan endpoints found",
        test_result="MISSING" if is_missing else "FOUND",
        evidence={
            "routes_file_exists": routes_file.exists(),
            "has_task_mentions": has_tasks,
            "has_scan_mentions": has_scans,
            "missing_endpoints": missing_endpoints,
            "task_endpoint_file_exists": task_endpoint_file.exists(),
            "scan_endpoint_file_exists": scan_endpoint_file.exists()
        },
        recommendation="Implement async task endpoints with 202 Accepted status and polling pattern as per ADR-007",
        verified=is_missing
    )
    
    results.add_violation(violation)
    
    if is_missing:
        print(f"\n{Fore.RED}❌ CRITICAL VIOLATION CONFIRMED")
        print(f"   No async task endpoints implemented")
        print(f"   Impact: Cannot execute long-running operations")
    else:
        print(f"\n{Fore.GREEN}✅ Task endpoints appear to be implemented")

# Run the test
test_async_task_endpoints()


Testing Async Task Endpoints (Violation #1)...
📁 Checking /Users/tamnguyen/Documents/GitHub/violentutf-api/app/api/routes.py...
   Task endpoints mentioned: False
   Scan endpoints mentioned: False

🔍 Testing API endpoints...
   ✅ Found: POST /api/v1/scans
   ✅ Found: GET /api/v1/tasks
   ✅ Found: GET /api/v1/tasks/{task_id}

📁 Checking endpoint files...
   tasks.py exists: False
   scans.py exists: False

✅ Task endpoints appear to be implemented


In [9]:
def test_all_missing_endpoints():
    """Test for all missing critical endpoints (Violations #2-8)."""
    
    print(f"\n{Fore.YELLOW}Testing All Missing Critical Endpoints (Violations #2-8)...")
    print("="*60)
    
    # Define all required endpoints
    required_endpoints = [
        ("CRIT-002", "scans", "Scan Initiation", "ADR-007, ADR-F1-2"),
        ("CRIT-003", "tasks", "Task Status Polling", "ADR-007"),
        ("CRIT-004", "reports", "Report Generation", "ADR-F3-2"),
        ("CRIT-005", "orchestration", "Orchestration", "ADR-F1-2"),
        ("CRIT-006", "templates", "Template Rendering", "ADR-F1-1"),
        ("CRIT-007", "scoring", "Scoring Results", "ADR-F3-1"),
        ("CRIT-008", "plugins", "Plugin Management", "ADR-F1-3")
    ]
    
    endpoints_dir = config.app_dir / "api" / "endpoints"
    
    print(f"📁 Checking endpoint files in {endpoints_dir}...\n")
    
    # List existing endpoint files
    if endpoints_dir.exists():
        existing_files = [f.name for f in endpoints_dir.glob("*.py")]
        print(f"Existing endpoint files:")
        for file in existing_files:
            print(f"   ✓ {file}")
        print()
    else:
        existing_files = []
        print(f"{Fore.RED}❌ Endpoints directory not found")
    
    # Check each required endpoint
    for violation_id, endpoint_name, description, adr in required_endpoints:
        endpoint_file = endpoints_dir / f"{endpoint_name}.py"
        exists = endpoint_file.exists()
        
        print(f"[{violation_id}] {description} ({endpoint_name}.py):")
        print(f"   File exists: {exists}")
        
        # Test API if available
        api_found = False
        if api_available and api_client.token:
            try:
                response = api_client.make_request("GET", f"/{endpoint_name}")
                api_found = response.status_code != 404
                print(f"   API endpoint: {'Found' if api_found else 'Missing'} (status: {response.status_code})")
            except:
                print(f"   API endpoint: Error testing")
        
        is_missing = not exists and not api_found
        
        violation = ArchitecturalViolation(
            violation_id=violation_id,
            violation_type=ViolationType.API_ENDPOINT,
            severity=Severity.CRITICAL,
            title=f"No {description} Endpoints",
            description=f"No {endpoint_name} endpoints exist. ADR requires these for {description.lower()}.",
            adr_violated=adr,
            file_location=f"app/api/endpoints/{endpoint_name}.py:Missing",
            expected_component=f"{endpoint_name}.py with REST endpoints",
            actual_state="File and endpoints missing",
            test_result="MISSING" if is_missing else "FOUND",
            evidence={
                "file_exists": exists,
                "api_endpoint_found": api_found,
                "endpoint_name": endpoint_name
            },
            recommendation=f"Create {endpoint_name}.py with required endpoints per {adr}",
            verified=is_missing
        )
        
        results.add_violation(violation)
        
        if is_missing:
            print(f"   {Fore.RED}❌ CRITICAL: Missing")
        else:
            print(f"   {Fore.GREEN}✅ Found")
        print()
    
    # Summary
    missing_count = sum(1 for v in results.violations if v.verified and v.violation_id in [f"CRIT-00{i}" for i in range(2, 9)])
    
    print(f"\n{Fore.CYAN}Summary:")
    print(f"   Critical endpoints missing: {missing_count}/7")
    print(f"   Impact: Core functionality unavailable")

# Run the test
test_all_missing_endpoints()


Testing All Missing Critical Endpoints (Violations #2-8)...
📁 Checking endpoint files in /Users/tamnguyen/Documents/GitHub/violentutf-api/app/api/endpoints...

Existing endpoint files:
   ✓ mfa.py
   ✓ auth.py
   ✓ sessions.py
   ✓ upload.py
   ✓ users.py
   ✓ roles.py
   ✓ health.py
   ✓ __init__.py
   ✓ auth_validated.py
   ✓ mfa_policies.py
   ✓ health_auth.py
   ✓ api_keys.py
   ✓ audit_logs.py
   ✓ oauth.py

[CRIT-002] Scan Initiation (scans.py):
   File exists: False
   ❌ CRITICAL: Missing

[CRIT-003] Task Status Polling (tasks.py):
   File exists: False
   ❌ CRITICAL: Missing

[CRIT-004] Report Generation (reports.py):
   File exists: False
   ❌ CRITICAL: Missing

[CRIT-005] Orchestration (orchestration.py):
   File exists: False
   ❌ CRITICAL: Missing

[CRIT-006] Template Rendering (templates.py):
   File exists: False
   ❌ CRITICAL: Missing

[CRIT-007] Scoring Results (scoring.py):
   File exists: False
   ❌ CRITICAL: Missing

[CRIT-008] Plugin Management (plugins.py):
   Fil

## 3. Dependencies & Infrastructure (4 CRITICAL + 5 HIGH)

Testing for missing critical infrastructure components and dependencies.

In [10]:
def test_celery_infrastructure():
    """Test for missing Celery task queue (CRITICAL Violations #9-10)."""
    
    print(f"\n{Fore.YELLOW}Testing Celery Task Queue Infrastructure (Violations #9-10)...")
    print("="*60)
    
    # Check requirements.txt for Celery
    print(f"📋 Checking dependencies...")
    
    required_deps = [
        ("celery", "Task queue system"),
        ("flower", "Task monitoring"),
        ("kombu", "Message transport"),
        ("billiard", "Process pool")
    ]
    
    missing_deps = []
    
    for dep, description in required_deps:
        exists = check_dependency_in_requirements(dep)
        print(f"   {dep}: {'Found' if exists else 'Missing'} - {description}")
        if not exists:
            missing_deps.append(dep)
    
    # Check for Celery app configuration
    print(f"\n📁 Checking Celery configuration...")
    
    celery_app_file = config.app_dir / "core" / "celery_app.py"
    celery_config_file = config.app_dir / "core" / "celery_config.py"
    tasks_dir = config.app_dir / "tasks"
    workers_dir = config.app_dir / "workers"
    
    print(f"   celery_app.py exists: {celery_app_file.exists()}")
    print(f"   celery_config.py exists: {celery_config_file.exists()}")
    print(f"   tasks/ directory exists: {tasks_dir.exists()}")
    print(f"   workers/ directory exists: {workers_dir.exists()}")
    
    # Check configuration for Celery settings
    print(f"\n📋 Checking configuration for Celery settings...")
    
    config_file = config.app_dir / "core" / "config.py"
    has_celery_config = False
    
    if config_file.exists():
        with open(config_file, 'r') as f:
            content = f.read()
            
        celery_settings = [
            "CELERY_BROKER_URL",
            "CELERY_RESULT_BACKEND",
            "TASK_TIME_LIMIT"
        ]
        
        for setting in celery_settings:
            if setting in content:
                has_celery_config = True
                print(f"   {setting}: Found")
            else:
                print(f"   {setting}: Missing")
    else:
        print(f"   {Fore.RED}❌ config.py not found")
    
    # Violation #9
    violation_9 = ArchitecturalViolation(
        violation_id="CRIT-009",
        violation_type=ViolationType.INFRASTRUCTURE,
        severity=Severity.CRITICAL,
        title="Celery Task Queue Missing",
        description="Redis dependency exists but no Celery task queue system implemented. ADR mandates Celery for backend task processing.",
        adr_violated="ADR-007 (Async Processing)",
        file_location="requirements.txt:28",
        expected_component="Celery with Redis broker",
        actual_state="No Celery dependencies or configuration",
        test_result="MISSING" if missing_deps else "PARTIAL",
        evidence={
            "missing_dependencies": missing_deps,
            "celery_app_exists": celery_app_file.exists(),
            "has_celery_config": has_celery_config
        },
        recommendation="Install Celery dependencies and create celery_app.py configuration",
        verified=len(missing_deps) > 0
    )
    
    results.add_violation(violation_9)
    
    # Violation #10
    infrastructure_missing = not celery_app_file.exists() and not tasks_dir.exists()
    
    violation_10 = ArchitecturalViolation(
        violation_id="CRIT-010",
        violation_type=ViolationType.INFRASTRUCTURE,
        severity=Severity.CRITICAL,
        title="Task Infrastructure Missing",
        description="Missing async task processing infrastructure - no Celery/Redis task queue implementation despite ADR requirements.",
        adr_violated="ADR-007",
        file_location="app/:0",
        expected_component="Complete task processing infrastructure",
        actual_state="No task infrastructure found",
        test_result="MISSING" if infrastructure_missing else "FOUND",
        evidence={
            "celery_app_exists": celery_app_file.exists(),
            "tasks_dir_exists": tasks_dir.exists(),
            "workers_dir_exists": workers_dir.exists()
        },
        recommendation="Create app/core/celery_app.py and app/tasks/ directory with task definitions",
        verified=infrastructure_missing
    )
    
    results.add_violation(violation_10)
    
    if missing_deps or infrastructure_missing:
        print(f"\n{Fore.RED}❌ CRITICAL VIOLATIONS CONFIRMED")
        print(f"   Celery task queue not implemented")
        print(f"   Impact: Cannot process background tasks")
    else:
        print(f"\n{Fore.GREEN}✅ Task infrastructure appears configured")

# Run the test
test_celery_infrastructure()


Testing Celery Task Queue Infrastructure (Violations #9-10)...
📋 Checking dependencies...
   celery: Missing - Task queue system
   flower: Missing - Task monitoring
   kombu: Missing - Message transport
   billiard: Missing - Process pool

📁 Checking Celery configuration...
   celery_app.py exists: False
   celery_config.py exists: False
   tasks/ directory exists: False
   workers/ directory exists: False

📋 Checking configuration for Celery settings...
   CELERY_BROKER_URL: Missing
   CELERY_RESULT_BACKEND: Missing
   TASK_TIME_LIMIT: Missing

❌ CRITICAL VIOLATIONS CONFIRMED
   Celery task queue not implemented
   Impact: Cannot process background tasks


In [11]:
def test_docker_infrastructure():
    """Test for Docker infrastructure completeness (CRITICAL Violation #12)."""
    
    print(f"\n{Fore.YELLOW}Testing Docker Infrastructure (Violation #12)...")
    print("="*60)
    
    docker_compose_file = config.project_root / "docker-compose.yml"
    
    print(f"📁 Checking Docker configuration...")
    print(f"   docker-compose.yml exists: {docker_compose_file.exists()}")
    
    has_worker_container = False
    has_redis_container = False
    has_celery_beat = False
    
    if docker_compose_file.exists():
        with open(docker_compose_file, 'r') as f:
            try:
                docker_config = yaml.safe_load(f)
                services = docker_config.get('services', {})
                
                print(f"\n   Services defined:")
                for service_name in services.keys():
                    print(f"      • {service_name}")
                    
                    if 'worker' in service_name.lower():
                        has_worker_container = True
                    if 'redis' in service_name.lower():
                        has_redis_container = True
                    if 'beat' in service_name.lower() or 'scheduler' in service_name.lower():
                        has_celery_beat = True
                
                print(f"\n   Required services check:")
                print(f"      Worker container: {'Found' if has_worker_container else 'Missing'}")
                print(f"      Redis container: {'Found' if has_redis_container else 'Missing'}")
                print(f"      Celery beat: {'Found' if has_celery_beat else 'Missing'}")
                
            except yaml.YAMLError as e:
                print(f"   {Fore.RED}❌ Error parsing docker-compose.yml: {e}")
    else:
        print(f"   {Fore.RED}❌ docker-compose.yml not found")
    
    # Check for Dockerfile.worker
    dockerfile_worker = config.project_root / "Dockerfile.worker"
    print(f"\n   Dockerfile.worker exists: {dockerfile_worker.exists()}")
    
    violation = ArchitecturalViolation(
        violation_id="CRIT-012",
        violation_type=ViolationType.INFRASTRUCTURE,
        severity=Severity.CRITICAL,
        title="Docker Infrastructure Incomplete",
        description="No worker container definitions for task processing.",
        adr_violated="ADR-007",
        file_location="docker-compose.yml:Missing",
        expected_component="Worker containers for Celery tasks",
        actual_state="No worker containers defined",
        test_result="INCOMPLETE" if not has_worker_container else "COMPLETE",
        evidence={
            "docker_compose_exists": docker_compose_file.exists(),
            "has_worker_container": has_worker_container,
            "has_redis_container": has_redis_container,
            "has_celery_beat": has_celery_beat,
            "dockerfile_worker_exists": dockerfile_worker.exists()
        },
        recommendation="Add worker service to docker-compose.yml with Celery worker command",
        verified=not has_worker_container
    )
    
    results.add_violation(violation)
    
    if not has_worker_container:
        print(f"\n{Fore.RED}❌ CRITICAL VIOLATION CONFIRMED")
        print(f"   Docker infrastructure incomplete for task processing")
        print(f"   Impact: Cannot deploy task workers")
    else:
        print(f"\n{Fore.GREEN}✅ Docker infrastructure appears complete")

# Run the test
test_docker_infrastructure()


Testing Docker Infrastructure (Violation #12)...
📁 Checking Docker configuration...
   docker-compose.yml exists: True

   Services defined:
      • api
      • db
      • redis
      • nginx

   Required services check:
      Worker container: Missing
      Redis container: Found
      Celery beat: Missing

   Dockerfile.worker exists: False

❌ CRITICAL VIOLATION CONFIRMED
   Docker infrastructure incomplete for task processing
   Impact: Cannot deploy task workers


## 4. Data Models & Database (3 CRITICAL + 8 HIGH)

Testing for missing critical data models and database components.

In [None]:
def test_task_model():
    """Test for missing Task model (CRITICAL Violation #13)."""
    
    print(f"\n{Fore.YELLOW}Testing Task Model (Violation #13)...")
    print("="*60)
    
    models_dir = config.app_dir / "models"
    task_model_file = models_dir / "task.py"
    models_init_file = models_dir / "__init__.py"
    
    print(f"📁 Checking Task model...")
    print(f"   task.py exists: {task_model_file.exists()}")
    
    # Check if Task is imported in __init__.py
    has_task_import = False
    if models_init_file.exists():
        with open(models_init_file, 'r') as f:
            content = f.read()
            if 'Task' in content or 'task' in content.lower():
                has_task_import = True
        print(f"   Task imported in __init__.py: {has_task_import}")
    
    # Check for TaskStatus enum
    has_task_status = False
    if task_model_file.exists():
        has_task_status = check_class_in_file(task_model_file, "TaskStatus")
        print(f"   TaskStatus enum exists: {has_task_status}")
        
        # Check for required fields
        with open(task_model_file, 'r') as f:
            content = f.read()
            
        required_fields = [
            "task_type",
            "status",
            "input_data",
            "result_data",
            "progress",
            "webhook_url"
        ]
        
        print(f"\n   Required fields check:")
        for field in required_fields:
            if field in content:
                print(f"      ✓ {field}")
            else:
                print(f"      ✗ {field}")
    
    # Check for related models
    print(f"\n📁 Checking related models...")
    
    related_models = [
        ("red_team_session.py", "RedTeamSession"),
        ("scoring_result.py", "ScoringResult"),
        ("orchestration_job.py", "OrchestrationJob"),
        ("generator.py", "Generator"),
        ("evidence.py", "Evidence")
    ]
    
    missing_models = []
    for filename, model_name in related_models:
        model_file = models_dir / filename
        exists = model_file.exists()
        print(f"   {model_name}: {'Found' if exists else 'Missing'}")
        if not exists:
            missing_models.append(model_name)
    
    violation = ArchitecturalViolation(
        violation_id="CRIT-013",
        violation_type=ViolationType.DATA_MODEL,
        severity=Severity.CRITICAL,
        title="Task Model Missing",
        description="No Task model exists for tracking async jobs. ADR requires task records in database with PENDING/RUNNING/SUCCESS states.",
        adr_violated="ADR-007",
        file_location="app/models/__init__.py:20",
        expected_component="Task model with status tracking",
        actual_state="Task model not found",
        test_result="MISSING" if not task_model_file.exists() else "FOUND",
        evidence={
            "task_model_exists": task_model_file.exists(),
            "has_task_import": has_task_import,
            "has_task_status_enum": has_task_status,
            "missing_related_models": missing_models
        },
        recommendation="Create app/models/task.py with TaskStatus enum and required fields per ADR-007",
        verified=not task_model_file.exists()
    )
    
    results.add_violation(violation)
    
    if not task_model_file.exists():
        print(f"\n{Fore.RED}❌ CRITICAL VIOLATION CONFIRMED")
        print(f"   Task model missing - cannot track async operations")
        print(f"   Impact: No persistence for background tasks")
    else:
        print(f"\n{Fore.GREEN}✅ Task model found")

# Run the test
test_task_model()

In [None]:
def test_error_model_compliance():
    """Test for RFC 7807 compliance in error model (CRITICAL Violation #14)."""
    
    print(f"\n{Fore.YELLOW}Testing Error Model RFC 7807 Compliance (Violation #14)...")
    print("="*60)
    
    errors_file = config.app_dir / "core" / "errors.py"
    
    print(f"📁 Checking error handling...")
    print(f"   errors.py exists: {errors_file.exists()}")
    
    is_rfc7807_compliant = False
    has_problem_json = False
    
    if errors_file.exists():
        with open(errors_file, 'r') as f:
            content = f.read()
        
        # Check for RFC 7807 fields
        rfc7807_fields = [
            "type",
            "title",
            "status",
            "detail",
            "instance"
        ]
        
        print(f"\n   RFC 7807 field check:")
        fields_found = 0
        for field in rfc7807_fields:
            # Look for field definitions
            if f'{field}:' in content or f'{field} =' in content:
                print(f"      ✓ {field}")
                fields_found += 1
            else:
                print(f"      ✗ {field}")
        
        is_rfc7807_compliant = fields_found >= 4
        
        # Check for problem+json content type
        has_problem_json = 'application/problem+json' in content
        print(f"\n   Uses 'application/problem+json': {has_problem_json}")
        
        # Check current error model
        has_error_detail = check_class_in_file(errors_file, "ErrorDetail")
        print(f"   Has ErrorDetail class: {has_error_detail}")
    
    # Test API error responses if available
    if api_available:
        print(f"\n🔍 Testing API error response format...")
        try:
            # Trigger a 404 error
            response = api_client.make_request("GET", "/nonexistent")
            
            if response.status_code == 404:
                content_type = response.headers.get('Content-Type', '')
                print(f"   Content-Type: {content_type}")
                
                if 'application/problem+json' in content_type:
                    print(f"   {Fore.GREEN}✅ Uses RFC 7807 content type")
                    has_problem_json = True
                else:
                    print(f"   {Fore.YELLOW}⚠️ Not using RFC 7807 content type")
                
                # Check response structure
                try:
                    error_data = response.json()
                    print(f"\n   Response fields: {list(error_data.keys())}")
                except:
                    pass
        except:
            print(f"   Could not test API error responses")
    
    violation = ArchitecturalViolation(
        violation_id="CRIT-014",
        violation_type=ViolationType.ERROR_HANDLING,
        severity=Severity.CRITICAL,
        title="Error Model Non-Compliant",
        description="ErrorDetail model uses custom format instead of RFC 7807 structure.",
        adr_violated="ADR-009 (Error Responses)",
        file_location="app/core/errors.py:15",
        expected_component="RFC 7807 compliant error model",
        actual_state="Custom error format",
        test_result="NON_COMPLIANT" if not is_rfc7807_compliant else "COMPLIANT",
        evidence={
            "errors_file_exists": errors_file.exists(),
            "is_rfc7807_compliant": is_rfc7807_compliant,
            "has_problem_json_content_type": has_problem_json
        },
        recommendation="Implement RFC 7807 error model with application/problem+json content type",
        verified=not is_rfc7807_compliant
    )
    
    results.add_violation(violation)
    
    if not is_rfc7807_compliant:
        print(f"\n{Fore.RED}❌ CRITICAL VIOLATION CONFIRMED")
        print(f"   Error model not RFC 7807 compliant")
        print(f"   Impact: Non-standard error responses")
    else:
        print(f"\n{Fore.GREEN}✅ Error model appears RFC 7807 compliant")

# Run the test
test_error_model_compliance()

In [None]:
def test_document_storage():
    """Test for document storage configuration (CRITICAL Violation #15)."""
    
    print(f"\n{Fore.YELLOW}Testing Document Storage Configuration (Violation #15)...")
    print("="*60)
    
    config_file = config.app_dir / "core" / "config.py"
    
    print(f"📁 Checking configuration...")
    
    has_mongodb = False
    has_dynamodb = False
    has_blob_storage = False
    
    if config_file.exists():
        with open(config_file, 'r') as f:
            content = f.read()
        
        # Check for document storage configurations
        storage_configs = [
            ("MONGODB_URL", "MongoDB"),
            ("DYNAMODB_", "DynamoDB"),
            ("S3_BUCKET", "S3/Blob Storage"),
            ("AZURE_STORAGE", "Azure Blob"),
            ("GCS_BUCKET", "Google Cloud Storage")
        ]
        
        print(f"   Document storage configurations:")
        for config_key, storage_type in storage_configs:
            if config_key in content:
                print(f"      ✓ {storage_type}")
                if "MONGO" in config_key:
                    has_mongodb = True
                elif "DYNAMO" in config_key:
                    has_dynamodb = True
                elif "S3" in config_key or "AZURE" in config_key or "GCS" in config_key:
                    has_blob_storage = True
            else:
                print(f"      ✗ {storage_type}")
        
        # Check for PostgreSQL (should exist)
        has_postgres = "DATABASE_URL" in content or "POSTGRES" in content
        print(f"\n   PostgreSQL configured: {has_postgres}")
    else:
        print(f"   {Fore.RED}❌ config.py not found")
    
    # Check for document store service
    document_store_file = config.app_dir / "services" / "document_store.py"
    print(f"\n   Document store service exists: {document_store_file.exists()}")
    
    violation = ArchitecturalViolation(
        violation_id="CRIT-015",
        violation_type=ViolationType.CONFIGURATION,
        severity=Severity.CRITICAL,
        title="Document Storage Missing",
        description="Only PostgreSQL configured. Missing MongoDB/DynamoDB for session_evidence document storage.",
        adr_violated="ADR-F3-1",
        file_location="app/core/config.py:59",
        expected_component="Document storage configuration (MongoDB/DynamoDB)",
        actual_state="Only relational database configured",
        test_result="MISSING" if not (has_mongodb or has_dynamodb) else "CONFIGURED",
        evidence={
            "has_mongodb": has_mongodb,
            "has_dynamodb": has_dynamodb,
            "has_blob_storage": has_blob_storage,
            "document_store_exists": document_store_file.exists()
        },
        recommendation="Add MongoDB or DynamoDB configuration for document storage per ADR-F3-1",
        verified=not (has_mongodb or has_dynamodb)
    )
    
    results.add_violation(violation)
    
    if not (has_mongodb or has_dynamodb):
        print(f"\n{Fore.RED}❌ CRITICAL VIOLATION CONFIRMED")
        print(f"   No document storage configured")
        print(f"   Impact: Cannot store session evidence documents")
    else:
        print(f"\n{Fore.GREEN}✅ Document storage configured")

# Run the test
test_document_storage()

## 5. Plugin Architecture (3 CRITICAL + 2 HIGH)

Testing for missing plugin architecture components.

In [None]:
def test_plugin_architecture():
    """Test for plugin architecture implementation (CRITICAL Violations #16-18)."""
    
    print(f"\n{Fore.YELLOW}Testing Plugin Architecture (Violations #16-18)...")
    print("="*60)
    
    plugins_dir = config.app_dir / "plugins"
    core_plugins_dir = config.app_dir / "core" / "plugins"
    
    print(f"📁 Checking plugin directories...")
    print(f"   app/plugins/ exists: {plugins_dir.exists()}")
    print(f"   app/core/plugins/ exists: {core_plugins_dir.exists()}")
    
    # Violation #16: ProviderPlugin Interface
    print(f"\n[CRIT-016] Checking ProviderPlugin interface...")
    
    provider_interface_file = core_plugins_dir / "provider_interface.py"
    has_provider_interface = False
    
    if provider_interface_file.exists():
        has_provider_interface = check_class_in_file(provider_interface_file, "ProviderPlugin")
        print(f"   ProviderPlugin class exists: {has_provider_interface}")
        
        # Check for required methods
        with open(provider_interface_file, 'r') as f:
            content = f.read()
        
        required_methods = [
            "plugin_name",
            "supported_models",
            "send_chat_completion",
            "list_available_models",
            "validate_credentials"
        ]
        
        print(f"   Required methods:")
        for method in required_methods:
            if method in content:
                print(f"      ✓ {method}")
            else:
                print(f"      ✗ {method}")
    else:
        print(f"   {Fore.RED}❌ provider_interface.py not found")
    
    violation_16 = ArchitecturalViolation(
        violation_id="CRIT-016",
        violation_type=ViolationType.PLUGIN,
        severity=Severity.CRITICAL,
        title="ProviderPlugin Interface Missing",
        description="Missing ProviderPlugin abstract interface implementation. No abstract base class defining required plugin methods.",
        adr_violated="ADR-F1-3 (Plugin Architecture)",
        file_location="app/main.py:1",
        expected_component="ProviderPlugin abstract base class",
        actual_state="No plugin interface found",
        test_result="MISSING" if not has_provider_interface else "FOUND",
        evidence={
            "provider_interface_exists": provider_interface_file.exists(),
            "has_provider_plugin_class": has_provider_interface
        },
        recommendation="Create app/core/plugins/provider_interface.py with ProviderPlugin ABC",
        verified=not has_provider_interface
    )
    
    results.add_violation(violation_16)
    
    # Violation #17: Plugin Implementations
    print(f"\n[CRIT-017] Checking plugin implementations...")
    
    expected_plugins = [
        ("openai_plugin.py", "OpenAI"),
        ("anthropic_plugin.py", "Anthropic"),
        ("ollama_plugin.py", "Ollama")
    ]
    
    implemented_plugins = []
    
    if plugins_dir.exists():
        for filename, provider in expected_plugins:
            plugin_file = plugins_dir / filename
            if plugin_file.exists():
                implemented_plugins.append(provider)
                print(f"   {provider} plugin: Found")
            else:
                print(f"   {provider} plugin: Missing")
    else:
        for _, provider in expected_plugins:
            print(f"   {provider} plugin: Missing (no plugins directory)")
    
    violation_17 = ArchitecturalViolation(
        violation_id="CRIT-017",
        violation_type=ViolationType.PLUGIN,
        severity=Severity.CRITICAL,
        title="No Plugin Implementations",
        description="No concrete plugin implementations for OpenAI, Anthropic, or Ollama as mentioned in ADR.",
        adr_violated="ADR-F1-3",
        file_location="app/:1",
        expected_component="Concrete plugin implementations",
        actual_state="No plugin implementations found",
        test_result="MISSING" if len(implemented_plugins) == 0 else "PARTIAL",
        evidence={
            "plugins_dir_exists": plugins_dir.exists(),
            "implemented_plugins": implemented_plugins
        },
        recommendation="Create plugin implementations for AI providers in app/plugins/",
        verified=len(implemented_plugins) == 0
    )
    
    results.add_violation(violation_17)
    
    # Violation #18: ScorerPlugin
    print(f"\n[CRIT-018] Checking ScorerPlugin interface...")
    
    scorer_interface_file = core_plugins_dir / "scorer_interface.py"
    has_scorer_interface = False
    
    if scorer_interface_file.exists():
        has_scorer_interface = check_class_in_file(scorer_interface_file, "ScorerPlugin")
        print(f"   ScorerPlugin class exists: {has_scorer_interface}")
    else:
        print(f"   {Fore.RED}❌ scorer_interface.py not found")
    
    violation_18 = ArchitecturalViolation(
        violation_id="CRIT-018",
        violation_type=ViolationType.PLUGIN,
        severity=Severity.CRITICAL,
        title="ScorerPlugin Missing",
        description="Missing ScorerPlugin abstract base class with SCORER_TYPE, SCORER_NAME, and score() method.",
        adr_violated="ADR-F3-1",
        file_location="app/:0",
        expected_component="ScorerPlugin abstract base class",
        actual_state="No scorer plugin interface found",
        test_result="MISSING" if not has_scorer_interface else "FOUND",
        evidence={
            "scorer_interface_exists": scorer_interface_file.exists(),
            "has_scorer_plugin_class": has_scorer_interface
        },
        recommendation="Create app/core/plugins/scorer_interface.py with ScorerPlugin ABC",
        verified=not has_scorer_interface
    )
    
    results.add_violation(violation_18)
    
    if not has_provider_interface and len(implemented_plugins) == 0:
        print(f"\n{Fore.RED}❌ CRITICAL VIOLATIONS CONFIRMED")
        print(f"   Plugin architecture completely missing")
        print(f"   Impact: Cannot integrate AI providers")
    else:
        print(f"\n{Fore.GREEN}✅ Some plugin architecture components found")

# Run the test
test_plugin_architecture()

## 6. Configuration & Other (4 CRITICAL)

Testing for configuration and other critical architectural violations.

In [None]:
def test_blob_storage_configuration():
    """Test for blob storage configuration (CRITICAL Violation #19)."""
    
    print(f"\n{Fore.YELLOW}Testing Blob Storage Configuration (Violation #19)...")
    print("="*60)
    
    config_file = config.app_dir / "core" / "config.py"
    
    print(f"📁 Checking blob storage configuration...")
    
    has_s3 = False
    has_azure = False
    has_gcs = False
    
    if config_file.exists():
        with open(config_file, 'r') as f:
            content = f.read()
        
        # Check for blob storage settings
        blob_configs = [
            ("S3_BUCKET_NAME", "AWS S3"),
            ("S3_ACCESS_KEY_ID", "AWS Credentials"),
            ("AWS_ACCESS_KEY_ID", "AWS Credentials"),
            ("AZURE_STORAGE_ACCOUNT", "Azure Blob Storage"),
            ("GCS_BUCKET_NAME", "Google Cloud Storage")
        ]
        
        print(f"   Blob storage settings:")
        for config_key, storage_type in blob_configs:
            if config_key in content:
                print(f"      ✓ {storage_type}: {config_key}")
                if "S3" in config_key or "AWS" in config_key:
                    has_s3 = True
                elif "AZURE" in config_key:
                    has_azure = True
                elif "GCS" in config_key:
                    has_gcs = True
            else:
                print(f"      ✗ {storage_type}: {config_key}")
    
    has_blob_storage = has_s3 or has_azure or has_gcs
    
    violation = ArchitecturalViolation(
        violation_id="CRIT-019",
        violation_type=ViolationType.CONFIGURATION,
        severity=Severity.CRITICAL,
        title="Blob Storage Not Configured",
        description="No S3/blob storage configuration found. ADR requires blob storage for cost-effective archival.",
        adr_violated="ADR-F2-2 (Data Storage)",
        file_location="app/core/config.py:60",
        expected_component="Blob storage configuration (S3/Azure/GCS)",
        actual_state="No blob storage configured",
        test_result="MISSING" if not has_blob_storage else "CONFIGURED",
        evidence={
            "has_s3": has_s3,
            "has_azure": has_azure,
            "has_gcs": has_gcs
        },
        recommendation="Add S3 or other blob storage configuration for archival per ADR-F2-2",
        verified=not has_blob_storage
    )
    
    results.add_violation(violation)
    
    if not has_blob_storage:
        print(f"\n{Fore.RED}❌ CRITICAL VIOLATION CONFIRMED")
        print(f"   No blob storage configured")
        print(f"   Impact: Cannot archive data cost-effectively")
    else:
        print(f"\n{Fore.GREEN}✅ Blob storage configured")

# Run the test
test_blob_storage_configuration()

In [None]:
def test_task_service_layer():
    """Test for task service layer (CRITICAL Violation #20)."""
    
    print(f"\n{Fore.YELLOW}Testing Task Service Layer (Violation #20)...")
    print("="*60)
    
    services_dir = config.app_dir / "services"
    task_service_file = services_dir / "task_service.py"
    scan_service_file = services_dir / "scan_service.py"
    orchestration_service_file = services_dir / "orchestration_service.py"
    
    print(f"📁 Checking service layer...")
    print(f"   task_service.py exists: {task_service_file.exists()}")
    print(f"   scan_service.py exists: {scan_service_file.exists()}")
    print(f"   orchestration_service.py exists: {orchestration_service_file.exists()}")
    
    # List existing services
    if services_dir.exists():
        existing_services = [f.name for f in services_dir.glob("*.py")]
        print(f"\n   Existing services:")
        for service in existing_services:
            print(f"      • {service}")
    
    has_task_service = task_service_file.exists() or scan_service_file.exists() or orchestration_service_file.exists()
    
    violation = ArchitecturalViolation(
        violation_id="CRIT-020",
        violation_type=ViolationType.INFRASTRUCTURE,
        severity=Severity.CRITICAL,
        title="Task Service Layer Missing",
        description="No task service layer for managing async operations as required by ADR-007.",
        adr_violated="ADR-007",
        file_location="app/services/:1",
        expected_component="Task service layer for async operations",
        actual_state="No task-related services found",
        test_result="MISSING" if not has_task_service else "FOUND",
        evidence={
            "task_service_exists": task_service_file.exists(),
            "scan_service_exists": scan_service_file.exists(),
            "orchestration_service_exists": orchestration_service_file.exists()
        },
        recommendation="Create app/services/task_service.py to manage async operations",
        verified=not has_task_service
    )
    
    results.add_violation(violation)
    
    if not has_task_service:
        print(f"\n{Fore.RED}❌ CRITICAL VIOLATION CONFIRMED")
        print(f"   Task service layer missing")
        print(f"   Impact: No business logic for async operations")
    else:
        print(f"\n{Fore.GREEN}✅ Task service layer found")

# Run the test
test_task_service_layer()

In [None]:
def test_cicd_pipeline():
    """Test CI/CD pipeline completeness (CRITICAL Violation #22)."""
    
    print(f"\n{Fore.YELLOW}Testing CI/CD Pipeline (Violation #22)...")
    print("="*60)
    
    workflows_dir = config.project_root / ".github" / "workflows"
    pr_validation_file = workflows_dir / "pr-validation.yml"
    
    print(f"📁 Checking CI/CD configuration...")
    print(f"   pr-validation.yml exists: {pr_validation_file.exists()}")
    
    has_pip_audit = False
    is_blocking = False
    
    if pr_validation_file.exists():
        with open(pr_validation_file, 'r') as f:
            content = f.read()
        
        # Check for pip-audit
        has_pip_audit = 'pip-audit' in content or 'pip audit' in content
        print(f"   Has pip-audit step: {has_pip_audit}")
        
        if has_pip_audit:
            # Check if it's a blocking step
            # Look for continue-on-error: false or lack of continue-on-error
            lines = content.split('\n')
            for i, line in enumerate(lines):
                if 'pip-audit' in line or 'pip audit' in line:
                    # Check next few lines for continue-on-error
                    context = '\n'.join(lines[max(0, i-5):min(len(lines), i+10)])
                    if 'continue-on-error: true' not in context:
                        is_blocking = True
                    break
            
            print(f"   pip-audit is blocking: {is_blocking}")
        
        # Check for other quality gates
        quality_gates = [
            "pytest",
            "mypy",
            "black",
            "flake8",
            "bandit"
        ]
        
        print(f"\n   Other quality gates:")
        for gate in quality_gates:
            if gate in content:
                print(f"      ✓ {gate}")
            else:
                print(f"      ✗ {gate}")
    
    violation = ArchitecturalViolation(
        violation_id="CRIT-022",
        violation_type=ViolationType.INFRASTRUCTURE,
        severity=Severity.CRITICAL,
        title="CI/CD Pipeline Incomplete",
        description="pip-audit is not implemented as a blocking CI/CD step. ADR mandates pip-audit as mandatory quality gate.",
        adr_violated="ADR-010",
        file_location=".github/workflows/pr-validation.yml:62",
        expected_component="pip-audit as blocking CI step",
        actual_state="pip-audit not blocking or missing",
        test_result="INCOMPLETE" if not (has_pip_audit and is_blocking) else "COMPLETE",
        evidence={
            "pr_validation_exists": pr_validation_file.exists(),
            "has_pip_audit": has_pip_audit,
            "is_blocking": is_blocking
        },
        recommendation="Add pip-audit as a mandatory blocking step in CI/CD pipeline",
        verified=not (has_pip_audit and is_blocking)
    )
    
    results.add_violation(violation)
    
    if not (has_pip_audit and is_blocking):
        print(f"\n{Fore.RED}❌ CRITICAL VIOLATION CONFIRMED")
        print(f"   pip-audit not properly configured in CI/CD")
        print(f"   Impact: Security vulnerabilities may pass quality gates")
    else:
        print(f"\n{Fore.GREEN}✅ pip-audit properly configured")

# Run the test
test_cicd_pipeline()

## 7. Results Summary and Impact Analysis

In [None]:
# Display comprehensive results summary
results.display_summary()

print("\n" + "="*80)
print(f"{Fore.CYAN}DETAILED ARCHITECTURAL VIOLATIONS")
print("="*80)

# Group violations by type
by_type = {}
for violation in results.violations:
    vtype = violation.violation_type.value
    if vtype not in by_type:
        by_type[vtype] = []
    by_type[vtype].append(violation)

for vtype, violations in by_type.items():
    verified_count = sum(1 for v in violations if v.verified)
    
    print(f"\n{Fore.YELLOW}📁 {vtype} ({verified_count}/{len(violations)} verified)")
    print("-"*60)
    
    for violation in violations:
        if violation.verified:
            color = Fore.RED if violation.severity == Severity.CRITICAL else Fore.YELLOW
            print(f"\n{color}[{violation.violation_id}] {violation.title}")
            print(f"   Severity: {violation.severity.value}")
            print(f"   ADR: {violation.adr_violated}")
            print(f"   Location: {violation.file_location}")
            print(f"   Status: {violation.test_result}")
            print(f"   Impact: {violation.description[:100]}...")

In [None]:
# Calculate compliance score
total_violations = len(results.violations)
verified_violations = sum(1 for v in results.violations if v.verified)
critical_violations = sum(1 for v in results.violations if v.verified and v.severity == Severity.CRITICAL)

# ADR compliance calculation
expected_components = 22  # Based on the report
missing_components = verified_violations
compliance_score = ((expected_components - missing_components) / expected_components * 100) if expected_components > 0 else 0
compliance_score = max(0, compliance_score)  # Ensure non-negative

print("\n" + "="*80)
print(f"{Fore.CYAN}ARCHITECTURAL COMPLIANCE ASSESSMENT")
print("="*80)

print(f"\n📊 Compliance Metrics:")
print(f"   Total Violations Tested: {total_violations}")
print(f"   Verified Violations: {verified_violations}")
print(f"   Critical Violations: {critical_violations}")
print(f"   ADR Compliance Score: {compliance_score:.1f}%")

if compliance_score < 50:
    status_color = Fore.RED
    status = "CRITICAL - NOT DEPLOYABLE"
elif compliance_score < 70:
    status_color = Fore.YELLOW
    status = "FAILING - MAJOR GAPS"
elif compliance_score < 90:
    status_color = Fore.BLUE
    status = "NEEDS IMPROVEMENT"
else:
    status_color = Fore.GREEN
    status = "ACCEPTABLE"

print(f"\n{status_color}Architecture Status: {status}")

# Impact Assessment
print(f"\n{Fore.CYAN}IMPACT ASSESSMENT")
print("-"*60)

impacts = {
    "Cannot execute long-running operations": critical_violations >= 8,
    "Cannot process background tasks": critical_violations >= 4,
    "Cannot persist operational data": critical_violations >= 3,
    "Cannot integrate AI providers": critical_violations >= 3,
    "Cannot track security vulnerabilities": verified_violations >= 10,
    "Cannot scale horizontally": verified_violations >= 15,
    "Cannot meet federal compliance": compliance_score < 70
}

for impact, condition in impacts.items():
    if condition:
        print(f"   {Fore.RED}❌ {impact}")
    else:
        print(f"   {Fore.GREEN}✓ {impact}")

In [None]:
# Generate implementation roadmap
print("\n" + "="*80)
print(f"{Fore.CYAN}IMPLEMENTATION ROADMAP")
print("="*80)

roadmap = [
    {
        "phase": "Phase 1: Infrastructure (Week 1-2)",
        "priority": "CRITICAL",
        "tasks": [
            "Install Celery dependencies (celery[redis], flower, kombu)",
            "Create app/core/celery_app.py configuration",
            "Set up Redis container in docker-compose.yml",
            "Add worker container definitions",
            "Configure task queue settings in config.py"
        ]
    },
    {
        "phase": "Phase 2: API Layer (Week 2-3)",
        "priority": "CRITICAL",
        "tasks": [
            "Create app/api/endpoints/tasks.py with polling endpoints",
            "Create app/api/endpoints/scans.py with 202 Accepted responses",
            "Implement report generation endpoints",
            "Add orchestration endpoints",
            "Create template rendering endpoints"
        ]
    },
    {
        "phase": "Phase 3: Data Layer (Week 3-4)",
        "priority": "CRITICAL",
        "tasks": [
            "Create app/models/task.py with TaskStatus enum",
            "Add related models (RedTeamSession, ScoringResult, etc.)",
            "Configure MongoDB for document storage",
            "Set up S3/blob storage configuration",
            "Create database migrations"
        ]
    },
    {
        "phase": "Phase 4: Plugin System (Week 4-5)",
        "priority": "HIGH",
        "tasks": [
            "Create app/core/plugins/provider_interface.py",
            "Implement concrete plugins (OpenAI, Anthropic, Ollama)",
            "Create plugin discovery mechanism",
            "Add ScorerPlugin interface",
            "Test plugin integration"
        ]
    },
    {
        "phase": "Phase 5: Configuration & Quality (Week 5-6)",
        "priority": "HIGH",
        "tasks": [
            "Update error handling to RFC 7807 compliance",
            "Add pip-audit to CI/CD pipeline",
            "Complete configuration settings",
            "Add comprehensive testing",
            "Update documentation"
        ]
    }
]

for phase in roadmap:
    color = Fore.RED if phase['priority'] == 'CRITICAL' else Fore.YELLOW
    
    print(f"\n{color}📅 {phase['phase']} (Priority: {phase['priority']})")
    for task in phase['tasks']:
        print(f"   • {task}")

In [None]:
# Export results to JSON
import json
from datetime import datetime

# Prepare export data
export_data = {
    "assessment_date": datetime.now().isoformat(),
    "github_issue": "#49",
    "api_endpoint": config.api_url,
    "summary": results.get_summary(),
    "compliance_score": compliance_score,
    "violations": [v.to_dict() for v in results.violations],
    "impacts": {k: v for k, v in impacts.items() if v},
    "implementation_roadmap": roadmap
}

# Save to file
output_file = "ISSUE_49_Verification_Results.json"
with open(output_file, 'w') as f:
    json.dump(export_data, f, indent=2)

print(f"\n{Fore.GREEN}✅ Results exported to {output_file}")

# Generate markdown report
markdown_report = f"""# ViolentUTF API Architectural Verification Report

**Date:** {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}
**GitHub Issue:** #49
**ADR Compliance Score:** {compliance_score:.1f}%
**Architecture Status:** {status}

## Executive Summary

Verification testing confirmed **{verified_violations} of {total_violations}** reported architectural violations.

### Critical Findings
- **API Endpoints:** 8 CRITICAL endpoints completely missing
- **Infrastructure:** No task queue or worker containers
- **Data Models:** Core business models absent
- **Plugin System:** No extensibility framework
- **Configuration:** Missing critical settings

## Immediate Actions Required

1. **Install** Celery and task queue dependencies
2. **Create** async task endpoints with 202 Accepted
3. **Implement** Task model and related data models
4. **Configure** document and blob storage
5. **Build** plugin architecture for AI providers

## Impact Assessment

The system is **NOT DEPLOYABLE** in its current state due to:
- Cannot execute long-running operations
- Cannot process background tasks
- Cannot integrate AI providers
- Cannot meet federal compliance requirements

## Recommendation

Implement the 6-week roadmap provided to achieve production readiness.

## Full Report

See `ISSUE_49_Verification_Results.json` for complete findings and implementation plan.
"""

with open("ISSUE_49_Verification_Report.md", 'w') as f:
    f.write(markdown_report)

print(f"{Fore.GREEN}✅ Markdown report saved to ISSUE_49_Verification_Report.md")

In [None]:
# Final recommendations
print("\n" + "="*80)
print(f"{Fore.CYAN}FINAL RECOMMENDATIONS FOR US GOVERNMENT DEPLOYMENT")
print("="*80)

print(f"""
{Fore.RED}⚠️ CRITICAL ARCHITECTURAL ADVISORY ⚠️

Based on this comprehensive architectural assessment, the ViolentUTF API is
{Fore.RED}NOT READY FOR PRODUCTION DEPLOYMENT{Style.RESET_ALL} in its current state.

{Fore.CYAN}KEY ARCHITECTURAL GAPS:{Style.RESET_ALL}

1. {Fore.RED}CRITICAL:{Style.RESET_ALL} No async task processing capability.
   The system cannot handle any long-running operations.

2. {Fore.RED}CRITICAL:{Style.RESET_ALL} Core API endpoints missing.
   8 critical endpoint groups required by ADRs are absent.

3. {Fore.RED}CRITICAL:{Style.RESET_ALL} No data persistence strategy.
   Missing Task model and related business models.

4. {Fore.RED}CRITICAL:{Style.RESET_ALL} No plugin architecture.
   Cannot integrate with AI providers (OpenAI, Anthropic, etc.)

{Fore.CYAN}PRODUCTION READINESS ASSESSMENT:{Style.RESET_ALL}

• {Fore.RED}Functionality:{Style.RESET_ALL} Core features not implementable
• {Fore.RED}Scalability:{Style.RESET_ALL} Cannot scale without task queue
• {Fore.RED}Reliability:{Style.RESET_ALL} No async processing or error handling
• {Fore.RED}Maintainability:{Style.RESET_ALL} Missing plugin architecture
• {Fore.RED}Compliance:{Style.RESET_ALL} Does not meet federal requirements

{Fore.CYAN}REQUIRED INVESTMENT:{Style.RESET_ALL}

• **Development Time:** 6-10 weeks with dedicated team
• **Team Size:** 3-4 senior engineers
• **Focus Areas:** Infrastructure, API, Data, Plugins
• **Testing:** Additional 2-3 weeks for comprehensive testing

{Fore.GREEN}POSITIVE NOTES:{Style.RESET_ALL}

• The authentication/authorization foundation is solid
• The codebase structure supports adding required components
• The ADRs provide clear architectural guidance
• The violations are well-documented and fixable

{Fore.CYAN}RECOMMENDATION:{Style.RESET_ALL}

Allocate a dedicated architecture team for 6-10 weeks to implement
all critical components before any production deployment. This is not
optional - the system literally cannot function without these components.

The ViolentUTF API currently provides only authentication and authorization.
To become a functional AI red-teaming platform, it requires the complete
implementation of the architectural components identified in this assessment.
""")

print("\n" + "="*80)
print(f"{Fore.GREEN}✅ Architectural verification complete. Results saved.")
print("="*80)