Fix/emover graphql api

[sosweetham]

Description of change

shifts emover to use the idiomatic graphql api

Issue Number

Closes #767

Type of change

• Update (a change which updates existing functionality)

How the change has been tested

manual

Change checklist

• I have ensured that the CI Checks pass locally
• I have removed any unnecessary logic
• My code is well documented
• I have signed my commits
• My code follows the pattern of the application
• I have self reviewed my code

Summary by CodeRabbit

Release Notes

• New Features

  • Added bulk creation for metadata envelopes with custom identifier support via GraphQL mutation.
  • Implemented token-authenticated migration workflow using GraphQL-based operations.

• Refactor

  • Updated migration approach from legacy database operations to GraphQL-centric design.
  • Removed legacy migration endpoint; migrations now use enhanced authentication layer.

[coderabbitai]

Warning

Rate limit exceeded

@sosweetham has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 20 minutes and 49 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

The PR introduces GraphQL-based bulk envelope creation and refactors the data migration flow, replacing the direct /emover HTTP endpoint with idiomatic GraphQL mutations and adding support for custom ID assignment in envelope storage.

Changes

Cohort / File(s)	Summary
Database Layer infrastructure/evault-core/src/core/db/db.service.ts	Added storeMetaEnvelopeWithId method to support custom or generated ID assignment during MetaEnvelope creation, enabling envelope creation with explicit identifiers for migration scenarios.
GraphQL Schema infrastructure/evault-core/src/core/protocol/typedefs.ts	Introduced bulk creation types: BulkCreateResult, BulkCreateMetaEnvelopesPayload, BulkMetaEnvelopeInput, and new bulkCreateMetaEnvelopes mutation supporting optional ID specification and webhook skipping for authorized migrations.
GraphQL Resolver infrastructure/evault-core/src/core/protocol/graphql-server.ts	Implemented bulkCreateMetaEnvelopes mutation resolver with per-item envelope creation via storeMetaEnvelopeWithId, conditional webhook delivery based on migration context, operation logging for each envelope, and aggregated error/success tracking.
HTTP & Middleware infrastructure/evault-core/src/core/http/server.ts, infrastructure/evault-core/src/core/protocol/vault-access-guard.ts	Removed legacy POST /emover migration endpoint; enhanced vault-access-guard with registry URL environment variable flexibility for JWKS resolution and token payload propagation to context for store operations.
Migration Service platforms/emover-api/src/services/MigrationService.ts	Replaced direct Neo4j/HTTP-based envelope transfer with GraphQL-centric flow: added private helpers for platform token retrieval, paginated envelope fetching, and batched bulk creation on target eVault with per-batch logging and error handling.

Sequence Diagram

sequenceDiagram
    actor Client
    participant GraphQL as GraphQLServer
    participant DB as DbService
    participant Webhooks as Webhook Delivery
    participant Logging as Operation Logging
    participant Registry as Registry/JWKS

    Client->>GraphQL: bulkCreateMetaEnvelopes(inputs, skipWebhooks)
    GraphQL->>GraphQL: Validate X-ENAME header & auth
    
    loop For each input
        GraphQL->>DB: storeMetaEnvelopeWithId(meta, acl, id?)
        DB-->>GraphQL: Created envelope with id
        GraphQL->>Logging: appendEnvelopeOperationLog("create", ...)
        Logging-->>GraphQL: Logged
        
        alt skipWebhooks not set & authorized migration
            GraphQL->>Webhooks: deliverWebhooks(webhookPayload)
            Webhooks-->>GraphQL: Fire-and-forget with error logging
        end
        
        GraphQL->>GraphQL: Accumulate result { id, success/error }
    end
    
    GraphQL-->>Client: { results[], successCount, errorCount, errors[] }

Loading

sequenceDiagram
    actor Migration as Migration Process
    participant MigrationService
    participant OldRegistry as Old eVault Registry
    participant GraphQL as New eVault GraphQL API
    participant Auth as Platform Auth

    Migration->>MigrationService: copyMetaEnvelopes(oldUri, newUri)
    MigrationService->>Auth: getPlatformToken()
    Auth-->>MigrationService: platformToken
    
    MigrationService->>OldRegistry: fetchAllMetaEnvelopes(paginated GraphQL)
    OldRegistry-->>MigrationService: Envelope batches
    
    loop For each batch
        MigrationService->>GraphQL: bulkCreateOnNewEvault(envelopes, token)
        GraphQL-->>MigrationService: { successCount, errorCount }
        MigrationService->>MigrationService: Log batch progress & save state
    end
    
    MigrationService-->>Migration: Migration complete

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Possibly related PRs

• feat: idiomatic graphql api #769: Both PRs modify GraphQL mutations/resolvers and schema typedefs for bulk/create operations, adding similar mutation and result type structures.
• feat: implement envelope operation logging with cursor pagination #764: The main PR's bulk envelope creation integrates envelope-operation logging (appendEnvelopeOperationLog) which is implemented in #764.
• Fix/evault access guard permission issue #646: Both PRs modify VaultAccessGuard middleware authentication/authorization logic and token propagation for store operations.

Suggested labels

evault-refactor

Suggested reviewers

• coodos
• ananyayaya129

---

🐰 ✨ A GraphQL dance replaces the Neo4j way,
Bulk envelopes created in a modern display,
Webhooks skip when migrations pass through,
From registry tokens to the eVault so true,
The emover endpoint takes its final bow! 🎭

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (3 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title is vague and generic, using non-descriptive placeholder language ('Fix/emover') that doesn't clearly convey the main change of migrating Emover to use GraphQL API.	Use a more descriptive title such as 'Migrate Emover to use idiomatic GraphQL API' to clearly communicate the primary change.
Linked Issues check	❓ Inconclusive	The code changes implement the primary objective of migrating Emover to GraphQL API [#767]. However, the changes do not clearly demonstrate implementation of the Awareness Protocol suppression requirement via the 'createdBy' field detection.	Verify that the 'createdBy' field is populated with the Emover platform token and that webhook/event suppression logic is implemented to address the Awareness Protocol requirement.
Out of Scope Changes check	❓ Inconclusive	Most changes are directly related to migrating Emover to GraphQL API. However, modifications to vault-access-guard.ts include formatting changes and token handling updates that extend beyond the core migration scope.	Clarify whether the token handling and formatting changes in vault-access-guard.ts are necessary for the GraphQL API migration or if they should be separated into a distinct change.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description covers the required template sections and indicates the change is complete with checklists marked; however, it lacks detail about how the GraphQL API integration addresses the Awareness Protocol suppression requirement.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/emover-graphql-api

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coodos]

need tests for new mutation + docs

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

infrastructure/evault-core/src/core/protocol/vault-access-guard.ts (1)

231-253: ⚠️ Potential issue | 🟠 Major

Paginated MetaEnvelope connections bypass ACL filtering.

When a resolver returns a connection object (e.g., metaEnvelopes), the middleware doesn’t filter edges[].node by ACL—so any authenticated caller can enumerate all metaEnvelopes. Consider detecting connection shapes and filtering edges via filterEnvelopesByAccess, or enforce ACL constraints in the DB query.

🤖 Fix all issues with AI agents

In `@infrastructure/evault-core/src/core/db/db.service.ts`:
- Around line 143-225: storeMetaEnvelopeWithId uses CREATE for the MetaEnvelope
(and currently creates Envelope nodes with CREATE), which causes duplicate-node
errors on retries; change the Cypher to use MERGE for the MetaEnvelope node
(MERGE (m:MetaEnvelope { id: $metaId })) and for each envelope node MERGE on the
id (MERGE (eX:Envelope { id: $eX_id })) and then use ON CREATE SET to assign
ontology, value, valueType and ON MATCH DO NOTHING (or avoid overwriting) so the
operation becomes idempotent; update the cypher strings built in
storeMetaEnvelopeWithId (referencing metaId, envelopeParams and the alias like
e0/e1) and keep using runQueryInternal to execute the merged query.

In `@infrastructure/evault-core/src/core/protocol/vault-access-guard.ts`:
- Around line 220-226: The isStoreOperation heuristic in vault-access-guard.ts
currently treats any args.input with ontology/payload/acl and no args.id as a
store operation (variable isStoreOperation), which inadvertently matches
createMetaEnvelope and bypasses Bearer-token checks; update the check to only
mark true for the actual storeMetaEnvelope call (either by checking the
resolver/method name passed into the guard or by using an explicit flag you set
when wrapping storeMetaEnvelope), e.g. refine isStoreOperation to also verify
the resolver name is "storeMetaEnvelope" or read a dedicated isStoreOperation
flag on the resolver context before skipping token auth so createMetaEnvelope
remains authenticated.

In `@platforms/emover-api/src/services/MigrationService.ts`:
- Around line 403-489: The bulkCreateOnNewEvault function currently sets acl:
["*"] which widens access; change it to preserve original ACLs by reading each
envelope's ACL (e.g., env.acl or env.parsed?.acl) and pass that into the inputs
for bulkCreateMetaEnvelopes, falling back to a safe default (e.g., empty or
existing eVault default) only when no ACL is present; if preservation requires
privileged transfer, accept/obtain a privileged token or flag and use that path
instead of forcing public ACLs (update references in bulkCreateOnNewEvault to
use the envelope ACL field and adjust callers if you add a
preserveAcl/privilegedToken parameter).
- Around line 317-401: fetchAllMetaEnvelopes currently queries the standard
GraphQL metaEnvelopes (via graphqlUrl, Authorization and X-ENAME headers) which
is subject to ACL filtering and can omit private envelopes; change the call in
fetchAllMetaEnvelopes to use a privileged migration export path or an
access-guard bypass that returns all envelopes (e.g. swap to a dedicated export
endpoint or include a certified migration token/header instead of the current
platform token), update the request headers/URL used in axios.post (replace
graphqlUrl/Authorization/X-ENAME usage) and ensure the server-side recognizes
and validates the migration credential so results are not ACL-filtered.