Skip to content

Near-term wins: cache TTL config, Dependabot, AGENTS.md, AuthorizationFilter tests#321

Merged
namedgraph merged 5 commits into
developfrom
near-term-wins
Jul 13, 2026
Merged

Near-term wins: cache TTL config, Dependabot, AGENTS.md, AuthorizationFilter tests#321
namedgraph merged 5 commits into
developfrom
near-term-wins

Conversation

@namedgraph

Copy link
Copy Markdown
Member

Roadmap P1 near-term wins (see AUDIT-ROADMAP.md), each a self-contained commit. Merges current develop, so it builds on the security work (#320).

Changes

  • Configurable cache TTLs (P1.3) — the WebID and JWKS caches now read their expiration from WEBID_CACHE_EXPIRATION / JWKS_CACHE_EXPIRATION (default 86400s), wired through CATALINA_OPTS exactly like the CLIENT_* timeouts. Resolves the hardcoded-1-day TO-DO; lowering the WebID TTL bounds how long a revoked WebID stays cached. Behaviour unchanged at the default.
  • Dependabot (P1.7) — weekly update PRs for Maven (routine minor/patch grouped), the Docker base image, and GitHub Actions.
  • AGENTS.md (P1.6) — an agent-facing HTTP API guide: document-as-named-graph, WebID auth, the write discipline (POST/PUT/PATCH on document URLs vs the read-only SPARQL endpoint), content/dataspace model, and bin/ + Web-Algebra tooling.
  • AuthorizationFilter unit tests (P1.2) — cover the pure decision logic that had no coverage: the HTTP-method → ACL access-mode contract (GET/HEAD→Read, POST→Append, PUT/DELETE/PATCH→Write), getAuthorizationByMode lookup, and the owner Read/Write/Append grant. No SPARQL or JAX-RS mocking.

Verify

  • mvn test — the new AuthorizationFilter tests and the cache-TTL change.
  • http-tests suite via run.sh.

Open question

AGENTS.md is placed at repo root (matching REST-VKG's convention). If it should instead be a served webapp resource or live under docs/, happy to move it.

🤖 Generated with Claude Code

The WebID model cache and JWKS cache had a hardcoded 1-day expiration (the
TO-DO on the webIDmodelCache field). Read the TTL (seconds) from the
com.atomgraph.linkeddatahub.{webIDCacheExpiration,jwksCacheExpiration} system
properties, wired from WEBID_CACHE_EXPIRATION / JWKS_CACHE_EXPIRATION env vars
via CATALINA_OPTS in the entrypoint, mirroring the CLIENT_* timeout mechanism.
Default stays 86400 (1 day), so behaviour is unchanged; lowering the WebID TTL
bounds how long a revoked WebID stays authenticated.
Weekly update PRs for Maven dependencies (grouping routine minor/patch bumps),
the Docker base image, and GitHub Actions. The client 4.3.0 -> 5.x drift went
unnoticed for a full major version; automating this prevents a recurrence.
A machine-readable capability manifest for LLM/HTTP agents driving a running
LinkedDataHub instance: the document-as-named-graph model, WebID-TLS auth, the
write discipline (POST/PUT to create, PATCH with application/sparql-update to
update, DELETE to remove — never the read-only SPARQL endpoint), the content
and dataspace model, and the bin/ + Web-Algebra tooling. Mirrors the per-service
AGENTS.md convention REST-VKG already serves.
Cover the pure decision logic that had no unit coverage: the HTTP-method to
ACL access-mode contract (GET/HEAD->Read, POST->Append, PUT/DELETE/PATCH->Write),
getAuthorizationByMode lookup, and createOwnerAuthorization granting the owner
Read/Write/Append. No SPARQL or JAX-RS mocking needed.
# Conflicts:
#	CHANGELOG.md
@namedgraph namedgraph merged commit 8a56f16 into develop Jul 13, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant