test(lethe): register savedsearch repo+handler in e2e steward graph
savedsearch: add /api/v1/saved-searches CRUD with 0002 migration
auth: fix OIDCVerifier injection wiring + OIDCDevStub root attachment
Surfaced by the first end-to-end smoke of `auth.oidc.enabled=true`:
- `OIDCVerifier.Cfg` was typed `config.OIDCConfig`, but only `AuthConfig`
is registered as a `config-section:""` (config.go:31-37). Steward's
type-keyed injection threw `failed to find dependency` at `mgr.Inject`,
panicking the daemon. Latent since 80b1c09 — never reached because no
prior verified path enabled OIDC. Retyped to `config.AuthConfig`,
Init now reads `Cfg.OIDC.{Issuer,Audience,UsernameClaim}`. Sibling-
consistent with `Authenticator` and `OIDCDevStub`.
- `OIDCDevStub` had no dependents and no `steward.Root()` modifier, so
steward logged `ERR empty dependents asset without root option` and
skipped it in lifecycle bookkeeping (Destroy never called on shutdown).
Added `steward.Root()` to its registration; shutdown log now shows
`destroying component component=auth.OIDCDevStub`.
auth: integrate oidcstub as opt-in dev OP under auth.oidc.dev_stub
stats: add /api/v1/stats aggregate endpoint
Implements Phase 2 of lethe-web-ui-aggregates: a single-round-trip
/api/v1/stats endpoint that bundles per-tool rollup, daily time-series,
84-cell activity heatmap, top-cwd ranking, hour-of-day distribution, and
host split. All six aggregations run fresh per request; no server cache.
- internal/domain/stats/buckets.go: pure helpers DailyWindow, FillDaily,
HeatmapWindow, HourWindow — fully deterministic, tested independently.
- internal/domain/stats/repository.go: Filter/Stats types and Repository.Stats
— six SQL queries joined via sessions+turns, owner scope via OwnerScope
(AllOwners / SpecificOwner / default), sparkline capped at 60 buckets.
- internal/domain/stats/handler.go: Handler.List — ?range=7d|30d|90d|all
(default 30d); ?range=<other> → 400 INVALID; ?owner= non-admin → 403.
- internal/server/server.go: register *stats.Handler alongside project/sessions.
- cmd/lethe/main.go: add statsRepo/statsHnd to var block and steward graph.
- cmd/lethe/main_e2e_test.go: add stats.Repository/Handler to e2e graph.
project: add /api/v1/projects aggregation; sessions: add ?cwd= filter
- session.ListFilter gains Cwd *string; List appends working_dir = ?
clause between Host and Since in fixed order (parameterised, column
name is a literal)
- session.Handler reads ?cwd= and threads it to filter.Cwd; empty
string treated as absent, consistent with other optional filters
- new package internal/domain/project:
- Repository.List groups sessions by non-NULL working_dir in a single
SQL round-trip; correlated subquery picks top_tool with tie-broken
by tool ASC; Hosts/Tools deduped and sorted in Go after
GROUP_CONCAT
- Handler mounts GET /projects; resolveScope/clampLimit/clampOffset
duplicated from session handler; ?owner= admin gating identical
- server.Server gains Projects *project.Handler inject field; mounted
in /api/v1 Route block
- main.go and e2e test register projectRepo + projectHnd with steward
feat(cmd): wire server with /healthz /readyz /metrics + authed /api/v1
Phase 9 of lethe-server: thin main.go that loads config, registers every
steward asset, and orchestrates Inject -> Init -> Start -> wait -> Stop ->
Destroy. Compensates for the Phase 4 finding (steward.Manager does not
unwind on Init failure) by tracking destroyer-implementing assets in a
parallel slice and invoking Destroy in reverse registration order with a
per-call timeout when Init or Start fails.
Server.Start now opens its TCP listener synchronously and exposes the
bound address via Addr(), so the e2e smoke can bind to 127.0.0.1:0 and
discover the kernel-assigned port.
Adds an end-to-end smoke test that drives the real steward graph
(in-memory SQLite, real loopback listener, forward-auth) through ingest +
sessions list/detail for two users with the same composite session key,
proving owner isolation reaches all the way through the trust boundary.
Deletes internal/platform/health/steward_unwind_test.go: the canary's
purpose was to surface the unwind gap so Phase 9 could compensate, which
it now does.
README updated with consolidated curl quickstart (forward-auth + OIDC
bearer variants), trust-chain diagram and the proxy-must-strip-Remote-*
spoofing note, response-shape documentation for the API surface, and an
operational notes section covering health, metrics, lifecycle and logs.
feat: bootstrap lethe server skeleton + wire contract