docs, api, other stuff update

[HardMax71]

---

Summary by cubic

Revamped docs for easier onboarding and security clarity: new Getting Started guide, streamlined references, and added supply chain security coverage. Also improved SSE testing guidance and updated site navigation.

• New Features

  • Added a Getting Started guide with local deploy, first run, and troubleshooting.
  • Added Supply Chain Security docs (SBOM via Syft, Grype scanning, how to run locally).
  • Documented SSE testing with async-asgi-testclient and shared auth fixtures.

• Refactors

  • Simplified Security policy: private disclosure, CI scanning, runtime hardening; linked supply chain and network isolation.
  • Streamlined API Reference by removing large endpoint tables; rely on embedded Swagger UI.
  • Reworked Environment Variables to pull from backend/.env, grouped by area, and reduced duplication.
  • Removed deprecated WebSocket configuration from env and settings; standardized on SSE (SSE_CONSUMER_POOL_SIZE, SSE_HEARTBEAT_INTERVAL).
  • Cleaned up Home page with a tighter quick start and doc cards; removed sample code.
  • Updated mkdocs navigation: added Getting Started, split Security into Policy, Network Isolation, and Supply Chain.

^{Written for commit 4fa933b. Summary will update on new commits.}

Summary by CodeRabbit

• Documentation
  • Added comprehensive Getting Started guide for local Docker development
  • Reorganized docs with new navigation and feature/service cards
  • Added Supply Chain & SBOM security documentation
  • Enhanced SSE endpoint testing guidance
  • Restructured Environment Variables reference into environment-driven guide
  • Simplified Security policy to a brief secret-management note
  • Trimmed the API Reference quick reference sections

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Restructures documentation site (landing page, nav), adds Getting Started and supply-chain/SBOM docs, consolidates reference docs, expands SSE architecture with testing guidance, simplifies SECURITY.md to a single secret-management line, and removes WebSocket settings in favor of SSE-related config.

Changes

Cohort / File(s)	Summary
Documentation Restructuring docs/index.md, mkdocs.yml	Reworked landing page (branding banner, doc card grid), removed Quick Start/sample code and Architecture block; updated mkdocs nav to add Getting Started and reorganize Security entries.
New Guides docs/getting-started.md, docs/security/supply-chain.md	Added Getting Started guide (local Docker, health checks, UI, flows) and Supply Chain & SBOM doc (Syft/Grype workflow, tooling).
Reference Consolidation docs/reference/api-reference.md, docs/reference/environment-variables.md, docs/reference/openapi.json	Removed Quick Reference from API reference; rewrote environment-variables to an environment-driven guide with legend and code blocks; added trailing newline to openapi.json.
SSE Architecture & Testing docs/components/sse/sse-architecture.md, backend/.env, backend/.env.test, backend/app/settings.py	Added "Testing SSE endpoints" guidance (httpx ASGITransport limitation, use async-asgi-testclient, session sharing via cookies/CSRF) and replaced WebSocket env/settings with SSE-related variables; removed four WebSocket settings from Settings.
Security Policy Simplification docs/SECURITY.md	Replaced comprehensive security policy content with a single-line note that secrets must be managed outside the repo; removed reporting, scanning, SBOM, and remediation guidance.

Sequence Diagram(s)

sequenceDiagram
    participant Tester as Test Runner
    participant ASGIClient as async-asgi-testclient
    participant Server as App Server
    participant SSE as SSE Stream

    Tester->>ASGIClient: start streaming request (with cookies/CSRF)
    ASGIClient->>Server: open SSE connection
    Server->>SSE: emit events
    SSE-->>ASGIClient: stream events chunked
    ASGIClient-->>Tester: provide streamed events for assertions

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• chore: precommit checks + added missing docs #88: Directly related to SECURITY.md / policy & SBOM content; likely overlaps/conflicts with this PR's SECURITY.md simplification.
• chore: better documentation about workers #61: Related to SSE docs and environment/config changes; likely overlaps with SSE testing guidance and env var edits.
• Adding docs #5: Related to mkdocs.yml and documentation site structure modifications.

Poem

🐰 I nibbled through pages, tidy and neat,

New guides and SBOMs for every seat,
SSE streams now tested with care,
Secrets stay out — keep them elsewhere! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'docs, api, other stuff update' is vague and uses non-descriptive generic terms ('other stuff') that do not convey meaningful information about the changeset, despite the PR making substantial documentation revamps.	Provide a more specific title that captures the main changes, such as 'Refactor documentation structure with Getting Started guide and Supply Chain security docs' or 'Update docs, API reference, and environment configuration for SSE migration'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

3 issues found across 9 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="mkdocs.yml">

<violation number="1" location="mkdocs.yml:107">
P2: Nav entry points to a missing `getting-started.md`, which will break MkDocs builds. Add the file under docs/ or update the path to an existing document.</violation>

<violation number="2" location="mkdocs.yml:170">
P2: Nav entry points to a missing `security/supply-chain.md`. Add the document under docs/security/ or update the nav to an existing file.</violation>
</file>

<file name="docs/reference/environment-variables.md">

<violation number="1" location="docs/reference/environment-variables.md:53">
P2: The legend defaults contradict the actual values in `backend/.env` that are included in the same doc, which can mislead users who copy the file. Align the legend defaults with the real `.env` values or clarify that the legend is only illustrative.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@docs/components/sse/sse-architecture.md`:
- Around line 88-92: Update the SSE testing guidance to warn that the
recommended dependency async-asgi-testclient appears unmaintained (last updated
June 2022) and may be incompatible with current Python/dependency versions;
mention this maintenance caveat alongside the existing explanation of
httpx.AsyncClient/ASGITransport buffering behavior and SSE streaming
limitations, and add brief alternatives to try (for example, Falcon's
ASGIConductor or testing against a real server with httpx-sse). Reference the
exact symbols in the doc (httpx.AsyncClient, ASGITransport,
async-asgi-testclient, SSE) so readers can locate the affected section and
verify compatibility before adopting the recommendation.

In `@docs/index.md`:
- Around line 22-25: Add a short, explicit "dev-only" warning immediately after
the default credentials line that notes these credentials are for local/dev only
and must be changed before deploying to any non-local environment; update the
sentence that currently reads "log in with `user` / `user123`" to keep the
example but append one concise caution (e.g., "Warning: these default
credentials are for development only — change them before deploying to
production") and optionally link to existing security or configuration docs for
changing credentials.

In `@docs/reference/environment-variables.md`:
- Around line 63-77: The docs section titled "WebSocket & SSE" is misleading and
lists unused `WEBSOCKET_*` settings; update the docs and code to reflect current
SSE usage: rename the section to "SSE (Server-Sent Events)" or "Real-time
Connections", remove or mark `WEBSOCKET_PING_INTERVAL`,
`WEBSOCKET_PING_TIMEOUT`, `WEBSOCKET_MAX_CONNECTIONS_PER_USER`, and
`WEBSOCKET_STALE_CONNECTION_TIMEOUT` as deprecated/legacy both in the docs and
in settings.py, and instead document the actual SSE settings
`SSE_HEARTBEAT_INTERVAL` and `SSE_CONSUMER_POOL_SIZE` (ensure their names match
the symbols in settings.py and the SSE service implementation).

🧹 Nitpick comments (4)

docs/getting-started.md (1)

75-95: Consider using proper headings instead of bold emphasis for troubleshooting items.

The troubleshooting section uses bold text (**text**) for what are effectively subheadings. This triggers MD036 (no-emphasis-as-heading) from markdownlint. Using proper #### headings improves accessibility, enables proper navigation/TOC generation, and follows markdown best practices.

Suggested fix

 ## Troubleshooting
 
-**CPU/memory metrics show as `null`**
+#### CPU/memory metrics show as `null`
 
 The metrics server isn't installed by default in most local Kubernetes setups. Enable it:
 
 ```bash
 kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

-Certificate warnings in browser
+#### Certificate warnings in browser

Expected - the stack uses self-signed certs for local development. Accept the warning and continue.

-Services failing to start
+#### Services failing to start

Check logs for the specific service: docker compose logs backend or docker compose logs kafka. Most issues are either port conflicts (something else using 443, 5001, or 9092) or Docker running out of resources.

-Kafka connection errors
+#### Kafka connection errors

Kafka takes longer to initialize than most services. Give it a minute after deploy.sh dev finishes, or watch docker compose logs kafka until you see "started" messages.

</details>

</blockquote></details>
<details>
<summary>docs/reference/environment-variables.md (1)</summary><blockquote>

`38-40`: **`RATE_LIMITS` appears misplaced in the Kubernetes section.**

This variable controls API rate limiting, which is a general backend concern rather than Kubernetes-specific. Consider moving it to the Server section or creating an API section.

</blockquote></details>
<details>
<summary>docs/security/supply-chain.md (1)</summary><blockquote>

`27-37`: **Consider noting security implications of `curl | sh` pattern.**

While these are official Anchore installation scripts, piping curl directly to shell is a known security concern. Consider adding a brief note about verifying checksums or using package managers where available (e.g., `brew install syft grype` on macOS).

</blockquote></details>
<details>
<summary>docs/index.md (1)</summary><blockquote>

`1-12`: **Consider replacing inline styling with a CSS class.**

Keeps theming consistent and avoids inline overrides.  


<details>
<summary>♻️ Example refactor</summary>

```diff
-<div style="text-align: center;" markdown>
+<div class="hero-banner" markdown>

Add the class to your theme/extra CSS.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud