added artifacts

internal/api/router.go

@@ -20,12 +20,15 @@ import (
 	"github.com/forgeo/forgebucket/internal/api/middleware"
 	"github.com/forgeo/forgebucket/internal/config"
 	"github.com/forgeo/forgebucket/internal/domain/sbom"
+	"github.com/forgeo/forgebucket/internal/domain/oci"
+	"github.com/forgeo/forgebucket/internal/domain/scanning"
 	"github.com/forgeo/forgebucket/internal/domain/signing"
+	"github.com/forgeo/forgebucket/internal/domain/vulnscan"
 	"github.com/forgeo/forgebucket/internal/events"
 	"github.com/forgeo/forgebucket/internal/observability"
 )
 
-func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus events.EventBus, artifactRoot string, staticFiles fs.FS, keys signing.KeyStore, sbomGen *sbom.Generator) http.Handler {
+func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus events.EventBus, artifactRoot string, staticFiles fs.FS, keys signing.KeyStore, sbomGen *sbom.Generator, ociRegistry *oci.Registry, scanner *scanning.Scanner, vulnScanner *vulnscan.Scanner) http.Handler {
 	r := chi.NewRouter()
 
 	r.Use(chimiddleware.Logger)
@@ -73,6 +76,9 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus even
 	workspaceH  := handlers.NewWorkspaceHandler(engine, cfg)
 	secretH     := handlers.NewSecretHandler(engine, cfg.SessionSecret)
 	sbomH       := handlers.NewSBOMHandler(engine, sbomGen)
+	ociH        := handlers.NewOCIRegistryHandler(engine, ociRegistry)
+	scanH       := handlers.NewScanningHandler(engine, scanner)
+	vulnH       := handlers.NewVulnScanHandler(engine, vulnScanner)
 
 	// ── Git smart-HTTP transport ───────────────────────────────────────────────
 	// Regex constraint ensures only *.git paths match, so asset/SPA URLs
@@ -118,6 +124,8 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus even
 			r.Get("/me", userH.Me)
 			r.Get("/dashboard", dashH.Get)
 			r.Get("/audit", auditH.List)
+			r.Get("/secrets/leaks", scanH.ListAllSecrets)
+			r.Get("/vulnerabilities", vulnH.ListAll)
 			r.Get("/pipelines/runs", pipeH.ListRecentRuns)
 
 			// Workspace routes
@@ -251,6 +259,11 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus even
 				r.Get("/secrets", secretH.ListRepoSecrets)
 				r.With(csrf).Post("/secrets", secretH.UpsertRepoSecret)
 				r.With(csrf).Delete("/secrets/{name}", secretH.DeleteRepoSecret)
+				r.Get("/secrets/leaks", scanH.ListSecrets)
+				r.With(csrf).Post("/secrets/leaks/{leakID}/dismiss", scanH.DismissSecrets)
+				r.Get("/vulnerabilities", vulnH.List)
+				r.With(csrf).Post("/vulnerabilities/scan", vulnH.Scan)
+				r.With(csrf).Post("/vulnerabilities/{findingID}/dismiss", vulnH.Dismiss)
 				r.Get("/lfs-settings", lfsH.Get)
 				r.With(csrf).Put("/lfs-settings", lfsH.Update)
 				r.Get("/health", repoHealthH.Get)
@@ -290,6 +303,16 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus even
 
 	r.With(auth.Optional).Get("/ws", wsH.Hub)
 
+	// ── OCI Registry (Distribution Spec v1.1) ─────────────────────────────────
+	r.HandleFunc("/v2", ociH.ServeOCI)
+	r.HandleFunc("/v2/*", ociH.ServeOCI)
+
+	// ── ForgeFed Repository Actors (cross-instance PRs) ───────────────────────
+	// These must sit outside the auth-protected group since remote instances
+	// deliver activities without session cookies.
+	r.Get("/repos/{owner}/{repo}/actor", fedH.RepoActor)
+	r.Post("/repos/{owner}/{repo}/inbox", fedH.RepoInbox)
+
 	// ── ActivityPub / federation (root-level, no auth) ────────────────────────
 	// Must be registered before the /* catch-all so they are not proxied to Vite.
 	r.Get("/.well-known/webfinger", fedH.WebFinger)