docs: sync project docs with FastAPI implementation

gkorland · Copilot · gkorland · commit c46427e975f3 · 2026-03-13T16:09:14.000+02:00
Update the README, environment template, and reference docs so they match the current FastAPI/Uvicorn runtime, /api endpoints, supported analyzers, and auth/env behavior.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.env.template b/.env.template
@@ -2,15 +2,28 @@
 FALKORDB_HOST=localhost
 FALKORDB_PORT=6379
 
-# OpenAI API key for LLM features
-OPENAI_API_KEY=<YOUR_OPENAI_API_KEY>
+# Optional FalkorDB authentication
+FALKORDB_USERNAME=
+FALKORDB_PASSWORD=
 
-# Secret token for API authentication
+# Token checked by authenticated endpoints. If left empty, the current
+# implementation accepts requests without an Authorization header.
 SECRET_TOKEN=<YOUR_SECRET_TOKEN>
 
-# Flask server settings
-FLASK_RUN_HOST=0.0.0.0
-FLASK_RUN_PORT=5000
-
-# Set to 1 to enable public access for analyze_repo/switch_commit endpoints
+# Set to 1 to make read-only endpoints public.
 CODE_GRAPH_PUBLIC=0
+
+# Limit /api/analyze_folder to this directory tree. Leave commented to use
+# the repository root as the default allowed directory.
+# ALLOWED_ANALYSIS_DIR=/absolute/path/to/projects
+
+# LiteLLM model used by /api/chat
+MODEL_NAME=gemini/gemini-flash-lite-latest
+
+# Provider credential for the default Gemini model. Change this to the
+# appropriate provider key if you change MODEL_NAME.
+GEMINI_API_KEY=<YOUR_GEMINI_API_KEY>
+
+# Optional Uvicorn bind settings used by start.sh / make run-*
+HOST=0.0.0.0
+PORT=5000
diff --git a/ARCHITECTURE_ANALYSIS.md b/ARCHITECTURE_ANALYSIS.md
@@ -0,0 +1,248 @@
+# CodeGraph FastAPI Backend - Architecture Analysis
+
+## Executive Summary
+
+CodeGraph currently exposes a **FastAPI** backend from `api.index:app` and serves the built React UI from the same process when `app/dist` exists.
+
+The framework-specific HTTP code is concentrated in `api/index.py`. Most of the backend domain modules (`graph.py`, `project.py`, `analyzers/`, `git_utils/`, `info.py`, `llm.py`) are reusable Python components that do not depend on FastAPI.
+
+## 1. Backend Layout
+
+```
+api/
+├── __init__.py                     # Public package exports
+├── index.py                        # FastAPI app, auth dependencies, routes, SPA serving
+├── graph.py                        # FalkorDB graph access (sync + async helpers)
+├── llm.py                          # GraphRAG + LiteLLM chat integration
+├── info.py                         # Repository metadata stored in Redis/FalkorDB
+├── project.py                      # Clone/local repo analysis orchestration
+├── auto_complete.py                # Prefix search helper
+├── prompts.py                      # Chat/Cypher prompt templates
+│
+├── analyzers/
+│   ├── analyzer.py                 # Abstract analyzer base class
+│   ├── source_analyzer.py          # File scanning + analyzer dispatch
+│   ├── python/analyzer.py          # Python analyzer
+│   ├── java/analyzer.py            # Java analyzer
+│   ├── csharp/analyzer.py          # C# analyzer
+│   └── c/analyzer.py               # Present in tree, but not registered
+│
+├── entities/                       # Entity/File wrappers and encoders
+├── git_utils/                      # Git history graph and repo utilities
+└── code_coverage/                  # Coverage helpers
+```
+
+## 2. HTTP Layer (`api/index.py`)
+
+### 2.1 Application and routing
+
+- The backend app is `FastAPI()`.
+- All API routes are mounted under `/api/...`.
+- A catch-all route serves static files from `app/dist` and falls back to `index.html` for the React SPA.
+
+### 2.2 Authentication dependencies
+
+`api/index.py` defines two FastAPI dependencies:
+
+- `public_or_auth`: used by read-only endpoints. If `CODE_GRAPH_PUBLIC=1`, the request is allowed without auth; otherwise it checks the `Authorization` header against `SECRET_TOKEN`.
+- `token_required`: used by mutating endpoints and always checks the `Authorization` header against `SECRET_TOKEN`.
+
+The current `_verify_token()` helper also treats a missing `SECRET_TOKEN` as allowing requests with no `Authorization` header.
+
+### 2.3 Request models
+
+The API uses Pydantic request models for POST bodies, including:
+
+- `RepoRequest`
+- `NeighborsRequest`
+- `AutoCompleteRequest`
+- `FindPathsRequest`
+- `ChatRequest`
+- `AnalyzeFolderRequest`
+- `AnalyzeRepoRequest`
+- `SwitchCommitRequest`
+
+### 2.4 Endpoint inventory
+
+**Read endpoints** (`public_or_auth`):
+
+- `GET /api/graph_entities`
+- `POST /api/get_neighbors`
+- `POST /api/auto_complete`
+- `GET /api/list_repos`
+- `POST /api/repo_info`
+- `POST /api/find_paths`
+- `POST /api/chat`
+- `POST /api/list_commits`
+
+**Mutating endpoints** (`token_required`):
+
+- `POST /api/analyze_folder`
+- `POST /api/analyze_repo`
+- `POST /api/switch_commit`
+
+### 2.5 Async behavior
+
+The FastAPI handlers are `async def`, but several heavy operations are still blocking and are moved off the event loop with `asyncio.get_running_loop().run_in_executor(...)`:
+
+- local folder analysis
+- repository clone + analysis
+- LLM chat work
+- commit switching
+
+## 3. Domain Modules
+
+### 3.1 `graph.py`
+
+`Graph` is the core FalkorDB interface used for code-graph mutations and queries. It also exposes helpers such as:
+
+- `get_sub_graph()`
+- `get_neighbors()`
+- `add_entity()`
+- `connect_entities()`
+- `find_paths()`
+- `stats()`
+- backlog helpers used during git-history processing
+
+Async route handlers use `AsyncGraphQuery` and `async_get_repos()` for non-blocking access patterns.
+
+### 3.2 `project.py`
+
+`Project` represents either:
+
+- a cloned git repository via `Project.from_git_repository(url)`, or
+- a local repository via `Project.from_local_repository(path)`.
+
+Its two main orchestration steps are:
+
+- `analyze_sources(ignore)`
+- `process_git_history(ignore)`
+
+### 3.3 `analyzers/source_analyzer.py`
+
+`SourceAnalyzer` walks the repository tree, picks a registered analyzer by file extension, and builds the code graph.
+
+Registered analyzers in the current code:
+
+- `.py` -> `PythonAnalyzer`
+- `.java` -> `JavaAnalyzer`
+- `.cs` -> `CSharpAnalyzer`
+
+The C analyzer source exists, but `.c` and `.h` registrations are commented out.
+
+### 3.4 `git_utils/`
+
+Git history is modeled as a separate FalkorDB graph per repository (for example `{repo_name}_git`).
+
+Key pieces:
+
+- `GitGraph` / `AsyncGitGraph`
+- `build_commit_graph(...)`
+- `switch_commit(...)`
+- helper functions for diff classification and ignore checks
+
+### 3.5 `info.py`
+
+Repository metadata is stored via Redis-compatible access backed by FalkorDB connection settings. Stored fields include:
+
+- `repo_url`
+- `commit`
+
+### 3.6 `llm.py`
+
+Chat requests use GraphRAG-SDK with LiteLLM:
+
+- default `MODEL_NAME` is `gemini/gemini-flash-lite-latest`
+- the backend creates a `KnowledgeGraph` bound to the repository graph
+- `ask()` offloads the synchronous chat session call to a worker thread
+
+## 4. Runtime and Environment
+
+### 4.1 Local development
+
+Typical backend dev command:
+
+```bash
+uv run uvicorn api.index:app --host 127.0.0.1 --port 5000 --reload
+```
+
+Typical frontend dev command:
+
+```bash
+cd app && npm run dev
+```
+
+`app/vite.config.ts` proxies `/api` requests to `http://127.0.0.1:5000` during frontend development.
+
+### 4.2 Production/container startup
+
+The checked-in production entrypoints use Uvicorn, not Flask:
+
+- `make run-prod`
+- `start.sh`
+- Docker image entrypoint (`/start.sh`)
+
+### 4.3 Important environment variables
+
+- `FALKORDB_HOST`
+- `FALKORDB_PORT`
+- `FALKORDB_USERNAME`
+- `FALKORDB_PASSWORD`
+- `SECRET_TOKEN`
+- `CODE_GRAPH_PUBLIC`
+- `ALLOWED_ANALYSIS_DIR`
+- `MODEL_NAME`
+- provider-specific LiteLLM credential(s), such as `GEMINI_API_KEY` for the default model
+
+## 5. Storage Model
+
+### 5.1 Code graph
+
+The main repository graph lives in FalkorDB and contains entities such as:
+
+- `File`
+- `Class`
+- `Function`
+- `Interface`
+
+Relationships include:
+
+- `DEFINES`
+- `CALLS`
+- `EXTENDS`
+- `IMPLEMENTS`
+
+### 5.2 Git graph
+
+Commit history is stored in a second graph named `{repo_name}_git`, with commit metadata and parent/child edges.
+
+### 5.3 Repository metadata
+
+Repository URL and current commit are stored in Redis-style hashes keyed as `{repo_name}_info`.
+
+## 6. Request Flows
+
+### 6.1 `POST /api/analyze_repo`
+
+1. FastAPI validates the request body with `AnalyzeRepoRequest`.
+2. `token_required` checks the `Authorization` header.
+3. `Project.from_git_repository()` clones the repo locally.
+4. `analyze_sources()` builds the code graph.
+5. `process_git_history()` builds the repository's git graph.
+6. The endpoint returns `{"status": "success"}`.
+
+### 6.2 `POST /api/chat`
+
+1. FastAPI validates `repo` and `msg`.
+2. `public_or_auth` enforces auth/public rules.
+3. `ask()` creates a GraphRAG chat session for the repository graph.
+4. LiteLLM generates Cypher and a natural-language response.
+5. The endpoint returns `{"status": "success", "response": ...}`.
+
+## 7. Key Takeaways
+
+- The backend is now FastAPI + Uvicorn, not Flask.
+- All public API paths are under `/api/...`.
+- The React app can be served by the backend from `app/dist`.
+- Most backend logic remains framework-agnostic and reusable.
+- Supported analyzers are currently Python, Java, and C#.
diff --git a/QUICK_REFERENCE.txt b/QUICK_REFERENCE.txt
@@ -0,0 +1,97 @@
+╔════════════════════════════════════════════════════════════════════════════╗
+║                 CodeGraph FastAPI Backend - QUICK REFERENCE               ║
+╚════════════════════════════════════════════════════════════════════════════╝
+
+BACKEND SNAPSHOT
+─────────────────────────────────────────────────────────────────────────────
+Backend app:         api.index:app
+Framework:           FastAPI
+Server:              Uvicorn
+Frontend:            React + Vite in app/
+Built UI serving:    FastAPI serves app/dist when it exists
+Supported analyzers: Python, Java, C#
+C analyzer:          Present in source tree, but currently disabled
+
+KEY PATHS
+─────────────────────────────────────────────────────────────────────────────
+api/index.py                 FastAPI app, auth deps, API routes, SPA serving
+api/project.py               Repo clone/local analysis orchestration
+api/analyzers/source_analyzer.py
+                             Registered analyzers (.py, .java, .cs)
+api/llm.py                   GraphRAG + LiteLLM chat integration
+api/graph.py                 FalkorDB graph access
+api/git_utils/               Git history graph + commit switching
+app/vite.config.ts           Dev proxy from /api -> http://127.0.0.1:5000
+Makefile                     Common install/build/run/test/lint commands
+start.sh                     Container entrypoint (starts uvicorn)
+
+COMMON COMMANDS
+─────────────────────────────────────────────────────────────────────────────
+Install backend deps:   uv sync --all-extras
+Install frontend deps:  npm install --prefix ./app
+Install e2e deps:       npm install
+
+Backend dev server:     uv run uvicorn api.index:app --host 127.0.0.1 --port 5000 --reload
+Frontend dev server:    cd app && npm run dev
+Prod-style serve:       npm --prefix ./app run build && uv run uvicorn api.index:app --host 0.0.0.0 --port 5000
+
+Make targets:           make install | build-dev | build-prod | run-dev |
+                            run-prod | test | lint | e2e | clean
+
+AUTHENTICATION RULES
+─────────────────────────────────────────────────────────────────────────────
+Header format:          Authorization: Bearer <SECRET_TOKEN>
+                        (raw token string also works)
+Read endpoints:         public_or_auth dependency
+Mutating endpoints:     token_required dependency
+Public mode:            CODE_GRAPH_PUBLIC=1 skips auth on read endpoints
+Important detail:       If SECRET_TOKEN is unset, requests without an
+                        Authorization header are accepted by the current
+                        implementation
+
+IMPORTANT ENV VARS
+─────────────────────────────────────────────────────────────────────────────
+FALKORDB_HOST           FalkorDB hostname (default: localhost)
+FALKORDB_PORT           FalkorDB port (default: 6379)
+FALKORDB_USERNAME       Optional FalkorDB username
+FALKORDB_PASSWORD       Optional FalkorDB password
+SECRET_TOKEN            Token checked by protected endpoints
+CODE_GRAPH_PUBLIC       Set to 1 to make read endpoints public
+ALLOWED_ANALYSIS_DIR    Limits /api/analyze_folder to one directory tree
+MODEL_NAME              LiteLLM model for /api/chat
+                        default: gemini/gemini-flash-lite-latest
+GEMINI_API_KEY          Example provider credential for the default model
+HOST / PORT             Optional bind settings for start.sh / make run-*
+
+API ENDPOINTS
+─────────────────────────────────────────────────────────────────────────────
+GET    /api/list_repos
+GET    /api/graph_entities?repo=<name>
+POST   /api/get_neighbors
+POST   /api/auto_complete
+POST   /api/repo_info
+POST   /api/find_paths
+POST   /api/chat
+POST   /api/list_commits
+POST   /api/analyze_folder      (requires token dependency)
+POST   /api/analyze_repo        (requires token dependency)
+POST   /api/switch_commit       (requires token dependency)
+
+ANALYSIS NOTES
+─────────────────────────────────────────────────────────────────────────────
+/api/analyze_folder     The requested path must be inside ALLOWED_ANALYSIS_DIR
+/api/analyze_repo       Clones the repository, analyzes sources, then builds
+                        git history
+/api/chat               Uses GraphRAG-SDK + LiteLLM against the repo graph
+/api/list_commits       Reads from the separate {repo_name}_git graph
+
+DEVELOPMENT NOTES
+─────────────────────────────────────────────────────────────────────────────
+Vite dev URL:           http://localhost:3000
+Backend API URL:        http://127.0.0.1:5000/api/...
+Built app URL:          http://localhost:5000
+Root package.json:      Playwright only
+app/package.json:       Frontend build/lint/dev scripts
+Tests:                  make test runs pytest, but some legacy analyzer/
+                        git-history tests still need maintenance on a
+                        clean checkout
diff --git a/README.md b/README.md
