feat: add GET /projects/{id}/ontology/index-status endpoint

[JohnRDOrazio]

Summary

This PR started as a fix for issue #48 (missing GET index-status endpoint) but expanded to address several related improvements discovered during implementation and code review.

New endpoints

• GET /projects/{id}/ontology/index-status — returns index status fields (status, entity_count, indexed_at, commit_hash, error_message); 404 if no record exists
• WS /projects/{id}/ontology/index-ws — real-time WebSocket for index_started, index_complete, index_failed events via Redis pubsub (mirrors lint WS pattern)

Bug fixes

• Fix git ontology file path resolution — worker and embedding service used getattr(project, "git_ontology_path", None) which always returned None (field only exists on ProjectResponse, not the ORM model). Extracted get_git_ontology_path() into models/project.py and eagerly load github_integration relationship
• Relax source_file_path guard — worker and embedding service now allow projects with github_integration but no source_file_path to proceed with git-based loading
• Add token-based auth to both WebSocket endpoints — lint and index WebSockets now require a token query parameter, validated via Zitadel JWT + ProjectService.get access check (previously unauthenticated)

Refactoring

• FastAPI DI for all route-level services — replaced direct Service(db) construction with Depends() factories:
  • OntologyIndexService (2 instances in projects.py)
  • EmbeddingService (7 instances across embeddings.py, semantic_search.py)
  • ChangeEventService (5 instances across analytics.py, projects.py)

Tests

• 30+ new tests covering: index-status route, WebSocket manager, WebSocket endpoint (auth, message forwarding, filtering, malformed JSON, cleanup), DI factories, get_git_ontology_path, worker/embedding edge cases
• 1372 total tests, 89% overall coverage

Closes #48

Test plan

• All 1372 tests pass
• ruff, ruff format, and mypy all pass
• Verified end-to-end: settings page loads index status, rebuild index works with correct file path (15,173 entities indexed), status updates display correctly
• CI passes (lint, test, build, codecov/patch)

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • GET endpoint to fetch ontology index status (status, entity count, indexed timestamp, commit, error).
  • WebSocket for real-time ontology indexing updates with token-based authentication and per-project filtering.

• Refactoring

  • Centralized ontology file path resolution and streamlined service dependency injection across API routes.

• Tests

  • Added extensive unit tests covering index status, WebSocket flows, DI factories, embedding edge cases, and auth.

[coderabbitai]

Warning

Rate limit exceeded

@JohnRDOrazio has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 29 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 4 minutes and 29 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4624ac5f-8c00-4346-8a77-333e5e59b4eb

📥 Commits

Reviewing files that changed from the base of the PR and between c690a2f and 74bd473.

📒 Files selected for processing (3)

• ontokit/api/routes/lint.py
• ontokit/api/routes/projects.py
• tests/unit/test_ws_auth.py

📝 Walkthrough

Walkthrough

Added DI factories for index/change/embedding services; implemented GET /{project_id}/ontology/index-status; added an ontology index WebSocket /{project_id}/ontology/index-ws with token auth, Redis pub/sub, and per-project connection manager; introduced get_git_ontology_path helper; updated embedding/worker fallbacks; and added unit tests for DI, index endpoints, websockets, embedding, and helpers.

Changes

Cohort / File(s)	Summary
Project routes & WS ontokit/api/routes/projects.py	Added get_index & get_change_events DI providers; implemented GET /{project_id}/ontology/index-status; added WS /{project_id}/ontology/index-ws with token auth, per-project IndexConnectionManager, Redis pub/sub subscribe/unsubscribe, and cleanup/error paths.
Analytics & Embeddings & Semantic Search routes ontokit/api/routes/analytics.py, ontokit/api/routes/embeddings.py, ontokit/api/routes/semantic_search.py	Added DI factories (get_change_events, get_embeddings) and updated route handlers to accept injected services instead of constructing them inline.
Lint WS changes ontokit/api/routes/lint.py	Switched lint WS auth to use authenticate_ws(...) with optional token query param; adjusted connection manager accept semantics and replaced local channel constant usage with core constants.
WebSocket auth util ontokit/api/utils/ws_auth.py	New authenticate_ws(websocket, project_id, token) helper implementing token validation, user enrichment, project access check, websocket close codes, and logging.
Model helper ontokit/models/project.py	Added get_git_ontology_path(project) to centralize ontology filename/path selection (github integration paths → source file basename → "ontology.ttl").
Embedding & Worker ontokit/services/embedding_service.py, ontokit/worker.py	Eager-load Project.github_integration, use get_git_ontology_path() for filename resolution, tighten fallback/validation logic (require either source_file_path or github_integration), and import Redis channel constants from ontokit.core.constants.
Core constants ontokit/core/constants.py	Added Redis channel name constants: LINT_UPDATES_CHANNEL, NORMALIZATION_UPDATES_CHANNEL, ONTOLOGY_INDEX_UPDATES_CHANNEL, REMOTE_SYNC_UPDATES_CHANNEL.
Tests: DI / Index / WS / Embedding / Utils tests/unit/test_di_factories.py, tests/unit/test_index_status_route.py, tests/unit/test_index_ws.py, tests/unit/test_embedding_service.py, tests/unit/test_get_git_ontology_path.py, tests/unit/test_worker.py, tests/unit/test_lint_ws.py, tests/unit/test_ws_auth.py	Added/updated unit tests covering DI factories, GET index-status (branch/default/404), IndexConnectionManager and WS auth/forwarding/cleanup, embedding load/fallback/error cases, get_git_ontology_path behavior, worker failure modes, and authenticate_ws outcomes. Review mocks, pubsub/unsubscribe paths, and auth close-code mappings.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Frontend Client
    participant API as Projects API
    participant ProjectSvc as ProjectService/GitService
    participant IndexSvc as OntologyIndexService
    participant DB as Database

    Client->>API: GET /projects/{id}/ontology/index-status?branch=...
    API->>ProjectSvc: get(project_id)
    ProjectSvc->>DB: SELECT Project
    DB-->>ProjectSvc: Project
    alt branch not provided
        API->>ProjectSvc: get_default_branch(project_id)
        ProjectSvc-->>API: branch
    end
    API->>IndexSvc: get_index_status(project_id, branch)
    IndexSvc->>DB: SELECT OntologyIndexStatus
    DB-->>IndexSvc: record | null
    IndexSvc-->>API: record | None
    alt record found
        API-->>Client: 200 {status, entity_count, indexed_at, commit_hash, error_message}
    else no record
        API-->>Client: 404 {"detail":"No index status found"}
    end

Loading

sequenceDiagram
    participant Client as Frontend (WS)
    participant WS as API WebSocket Handler
    participant Manager as IndexConnectionManager
    participant Redis as Redis Pub/Sub
    participant Pub as Redis Pubsub Loop
    participant DB as Database

    Client->>WS: Open WS /projects/{id}/ontology/index-ws?token=...
    WS->>WS: authenticate_ws(websocket, project_id, token)
    alt auth & access ok
        WS->>Manager: connect(project_id, websocket)
        Manager-->>WS: registered
        WS->>Redis: subscribe "ontology_index:updates"
        loop poll pubsub
            Pub->>WS: message JSON
            alt message.project_id == connected project_id
                WS->>Client: send_json(payload)
            else
                Note right of WS: ignore message
            end
        end
    else auth failed
        WS-->>Client: close(code=4001/4003/4004/1011)
    end
    Note right of WS: on disconnect/error -> unsubscribe, Manager.disconnect()

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• #48: Add GET /projects/{id}/ontology/index-status — This PR implements the GET index-status endpoint, matching the issue requirements (branch handling, 404 on missing record, response shape).
• feat: use WebSocket for real-time ontology index status updates ontokit-web#137 — Frontend expects index-status endpoint and WS updates; this PR provides the backend endpoint, WS, and Redis channel used by that frontend change.

Possibly related PRs

• feat: PostgreSQL index tables for ontology query optimization #10 — Overlaps indexing surface, worker reindexing, and API/WS wiring.
• refactor: rename 'upstream sync' to 'remote sync' / 'Sync from Remote' #33 — Related changes to Redis pub/sub channel constants and worker imports.
• Release v0.2.0 — API Infrastructure & Suggestion Sessions #1 — Related DI and path-resolution changes touching similar modules.

Suggested labels

enhancement

Suggested reviewers

• damienriehl

Poem

🐰 Hopping through commits with a tiny drum,

Paths tidy, webs singing — index updates come.
Tokens checked, branches found, messages race,
Connections kept tidy in a warm memory space.
A rabbit's small cheer for routes now in place.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	The PR includes scope creep beyond #48: WebSocket endpoint, auth refactoring (authenticate_ws), service injection refactoring across multiple routes, and git ontology path consolidation across embedding/worker services.	Focus PR on implementing issue #48 requirements only. Move WebSocket endpoint, auth refactoring, service injection changes, and git path consolidation to separate PRs with their own issue tracking.
Docstring Coverage	⚠️ Warning	Docstring coverage is 58.75% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and specifically describes the main change: adding a GET endpoint for ontology index status.
Linked Issues check	✅ Passed	The PR implements all required objectives from issue #48: GET endpoint with optional branch parameter, OntologyIndexService.get_index_status() integration, correct response fields, 404 handling, and viewer access requirement.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/index-status-endpoint

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 93.78882% with 10 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
ontokit/api/utils/ws_auth.py	86.66%	5 Missing and 1 partial ⚠️
ontokit/api/routes/projects.py	94.44%	2 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ontokit/api/routes/projects.py`:
- Around line 1423-1432: The route currently instantiates OntologyIndexService
directly; change it to accept the service via FastAPI DI by adding a parameter
like index_service: OntologyIndexService = Depends(get_ontology_index_service)
(or a factory that itself depends on AsyncSession) and remove the direct
construction in the handler; then call
index_service.get_index_status(project.id, resolved_branch) as before. Ensure
the get_ontology_index_service provider (or factory) injects the AsyncSession
(get_db) so overrides/mock wiring will work in tests.

In `@ontokit/services/embedding_service.py`:
- Around line 260-264: The code rejects projects early by checking
Project.source_file_path before attempting git-backed resolution; update the
logic around the proj_result handling so that if Project.source_file_path is
falsy you call get_git_ontology_path(project) and/or attempt load_from_git(...)
to derive a path and only raise the error if both the explicit source_file_path
and the git-derived path are missing; apply the same change to the second
occurrence noted (around the later source_file_path check) and reference
Project.source_file_path, get_git_ontology_path, and load_from_git in the
updated flow.

In `@ontokit/worker.py`:
- Around line 65-70: The current eager project load in worker.py checks Project
and its github_integration but still requires source_file_path before attempting
git-based index loading; update the logic in the project-loading/indexing path
(look for select(Project).options(selectinload(Project.github_integration)) and
any subsequent checks of source_file_path) to only enforce source_file_path when
performing file-system or import-specific indexing, and instead branch to use
Project.github_integration metadata when present to drive git-based indexing;
ensure the code path that handles github_integration is reached even if
source_file_path is None and add a clear conditional that prefers
github_integration when available.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2dd413b5-80cb-4b80-bc71-0688f55d4287

📥 Commits

Reviewing files that changed from the base of the PR and between 1629529 and a117328.

📒 Files selected for processing (5)

• ontokit/api/routes/projects.py
• ontokit/models/project.py
• ontokit/services/embedding_service.py
• ontokit/worker.py
• tests/unit/test_index_status_route.py

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ontokit/api/routes/projects.py`:
- Around line 1533-1553: The WebSocket handler ontology_index_websocket
currently only checks project existence and allows unauthenticated access;
change it to require and validate the authenticated user via FastAPI dependency
injection and ProjectService.get before accepting the socket: add a dependency
parameter for the current user (e.g., user: User = Depends(get_current_user))
and replace the manual db lookup with a call to await
ProjectService.get(project_id, user) (or call it after fetching to enforce
access), and if ProjectService.get raises NotFound/Unauthorized or returns None
then close the websocket with an appropriate code/reason instead of calling
index_ws_manager.connect; finally only call index_ws_manager.connect(websocket,
project_id_str) after ProjectService.get confirms access.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b3d71484-6e53-47ab-ac74-2db6d19d0afd

📥 Commits

Reviewing files that changed from the base of the PR and between a117328 and 33c0811.

📒 Files selected for processing (12)

• ontokit/api/routes/analytics.py
• ontokit/api/routes/embeddings.py
• ontokit/api/routes/projects.py
• ontokit/api/routes/semantic_search.py
• ontokit/services/embedding_service.py
• ontokit/worker.py
• tests/unit/test_di_factories.py
• tests/unit/test_embedding_service.py
• tests/unit/test_get_git_ontology_path.py
• tests/unit/test_index_status_route.py
• tests/unit/test_index_ws.py
• tests/unit/test_worker.py

✅ Files skipped from review due to trivial changes (1)

• tests/unit/test_index_status_route.py

🚧 Files skipped from review as they are similar to previous changes (1)

• ontokit/services/embedding_service.py

[JohnRDOrazio]

@CodeRabbit review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

ontokit/api/routes/lint.py (1)

550-583: Extract the WebSocket auth/access gate into a shared helper.

This block is now duplicated almost verbatim here and in ontokit/api/routes/projects.py, and it opens its own session / constructs ProjectService inside the route. Centralizing it behind a reusable helper or dependency will keep the two sockets from drifting and restore the API-layer DI pattern.

As per coding guidelines ontokit/api/**/*.py: "Use dependency injection via FastAPI's Depends() for service access".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ontokit/api/routes/lint.py` around lines 550 - 583, The WebSocket auth and
project-access logic in this route is duplicated and should be extracted into a
shared helper/dependency; create a reusable async helper (e.g.,
websocket_auth_and_authorize) that encapsulates token validation
(validate_token), userinfo fetching (fetch_userinfo), CurrentUser construction,
opening a DB session via async_session_maker, and project access check using
ProjectService.get, and have the route call/await that helper instead of
duplicating the block and constructing ProjectService inline; ensure the helper
returns the CurrentUser and the opened DB/session or raises/returns appropriate
errors so the route can close the websocket with the same codes/reasons used
here (4001 for auth failures) and keep existing semantics.

ontokit/api/routes/projects.py (1)

1506-1506: Import the channel name from ontokit.worker instead of re-declaring it.

The worker already publishes on ONTOLOGY_INDEX_UPDATES_CHANNEL. Duplicating the raw string here means the publisher and subscriber can silently drift apart on the next rename.

Suggested fix

+from ontokit.worker import ONTOLOGY_INDEX_UPDATES_CHANNEL
...
-ONTOLOGY_INDEX_UPDATES_CHANNEL = "ontology_index:updates"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ontokit/api/routes/projects.py` at line 1506, The constant
ONTOLOGY_INDEX_UPDATES_CHANNEL is being redeclared in projects.py which can
drift from the publisher; remove the local declaration and import
ONTOLOGY_INDEX_UPDATES_CHANNEL from ontokit.worker (where the worker publishes)
and update any references in this file to use the imported symbol so publisher
and subscriber use the same canonical channel name.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ontokit/api/routes/lint.py`:
- Around line 560-585: The current blanket except Exception around
validate_token/fetch_userinfo/CurrentUser construction and around
ProjectService.get collapses server-side failures into client errors; change
these to explicitly catch the framework's HTTPException for expected auth/access
failures (from validate_token and ProjectService.get) and handle those by
closing the websocket with the existing client-facing codes (e.g., keep the 4001
for auth failures and 4004 for access failures), but let other exceptions
propagate or catch them separately and close the websocket with an
internal-error code (e.g., 1011) and/or log the full exception; update the
try/except blocks around validate_token/fetch_userinfo/CurrentUser and the
async_session_maker()/ProjectService.get call to reflect this separation.

In `@ontokit/api/routes/projects.py`:
- Around line 1432-1445: The route handler get_ontology_index_status is using
RequiredUser which prevents anonymous viewers from accessing public project
index status; change the user parameter type to OptionalUser so visibility rules
in ProjectService.get(project_id, user) can apply and allow read-only access for
viewers/anonymous users. Update the function signature to accept user:
OptionalUser (and add or adjust the import for OptionalUser if missing), keep
calling service.get(project_id, user) and leave all other logic
(resolved_branch, index_service.get_index_status) unchanged.

---

Nitpick comments:
In `@ontokit/api/routes/lint.py`:
- Around line 550-583: The WebSocket auth and project-access logic in this route
is duplicated and should be extracted into a shared helper/dependency; create a
reusable async helper (e.g., websocket_auth_and_authorize) that encapsulates
token validation (validate_token), userinfo fetching (fetch_userinfo),
CurrentUser construction, opening a DB session via async_session_maker, and
project access check using ProjectService.get, and have the route call/await
that helper instead of duplicating the block and constructing ProjectService
inline; ensure the helper returns the CurrentUser and the opened DB/session or
raises/returns appropriate errors so the route can close the websocket with the
same codes/reasons used here (4001 for auth failures) and keep existing
semantics.

In `@ontokit/api/routes/projects.py`:
- Line 1506: The constant ONTOLOGY_INDEX_UPDATES_CHANNEL is being redeclared in
projects.py which can drift from the publisher; remove the local declaration and
import ONTOLOGY_INDEX_UPDATES_CHANNEL from ontokit.worker (where the worker
publishes) and update any references in this file to use the imported symbol so
publisher and subscriber use the same canonical channel name.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 68053c22-15c7-4475-b8db-91a810937a83

📥 Commits

Reviewing files that changed from the base of the PR and between 33c0811 and 9acdfa2.

📒 Files selected for processing (4)

• ontokit/api/routes/lint.py
• ontokit/api/routes/projects.py
• tests/unit/test_index_ws.py
• tests/unit/test_lint_ws.py

✅ Files skipped from review due to trivial changes (1)

• tests/unit/test_index_ws.py

[JohnRDOrazio]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

ontokit/api/routes/projects.py (1)

1259-1410: Inject EmbeddingService via Depends() for consistency.

Line 1388 instantiates EmbeddingService(db) directly instead of via FastAPI's Depends(). The route already injects ChangeEventService this way, so the auto-embed path should follow the same pattern for consistency and testability.

<summary>Line 1388 example:</summary>
embed_config = await EmbeddingService(db).get_config(project_id)

Per coding guideline ontokit/api/**/*.py: "Use dependency injection via FastAPI's Depends() for service access".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ontokit/api/routes/projects.py` around lines 1259 - 1410, The route directly
constructs EmbeddingService(db) (see embed_config = await
EmbeddingService(db).get_config(project_id)); change this to inject
EmbeddingService via FastAPI Depends by adding a parameter like
embedding_service: Annotated[EmbeddingService, Depends(get_embedding_service)]
to save_source_content and replace the direct instantiation with embed_config =
await embedding_service.get_config(project_id); ensure you import or use the
existing provider function (get_embedding_service) consistent with other
injected services and update any references to EmbeddingService(db) in this
function to use the injected embedding_service instead.

ontokit/api/utils/ws_auth.py (1)

72-75: Inject ProjectService via dependency injection instead of constructing it directly.

Opening a fresh session and building ProjectService inside the helper bypasses the API-layer DI pattern established elsewhere. Have the websocket route inject the service via Depends() and pass it into authenticate_ws(...) instead, matching the HTTP auth pattern in the codebase. This improves testability and consistency with the guideline for ontokit/api/**/*.py: "Use dependency injection via FastAPI's Depends() for service access".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ontokit/api/utils/ws_auth.py` around lines 72 - 75, The helper
authenticate_ws currently opens a fresh session and constructs ProjectService
via async_session_maker/ProjectService; change authenticate_ws to accept a
ProjectService instance injected from the FastAPI route (use
Depends(ProjectService) in the websocket route) and remove the local
async_session_maker/ProjectService construction; inside authenticate_ws call the
injected svc.get(project_id, user) instead. Update the websocket route to
declare a parameter svc: ProjectService = Depends(...) and pass that svc into
authenticate_ws so the function follows the API-layer DI pattern and becomes
testable.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ontokit/api/routes/projects.py`:
- Around line 1553-1584: The realtime setup can fail
(get_arq_pool()/pubsub/subscribe) after authenticate_ws has accepted the
connection, so ensure the WebSocket is deterministically closed with a close
code and reason whenever setup or the pubsub loop raises before normal
operation: in the try/except around get_arq_pool(), pool.pubsub(), and await
pubsub.subscribe(...) (and in the top-level except Exception e block) call await
websocket.close(code=1011, reason=f"realtime setup failed: {e}" or a static
reason when pool is None) before letting the function proceed to finally; keep
index_ws_manager.disconnect(websocket, project_id_str) and the
pubsub.unsubscribe logic in finally so disconnection is still tracked and
resources cleaned up.

In `@tests/unit/test_ws_auth.py`:
- Around line 29-152: Add assertions that the WebSocket was accepted before
being closed (or left open) in each test that calls authenticate_ws: for tests
test_no_token_closes_4001, test_invalid_token_http_exception_closes_4001,
test_unexpected_auth_error_closes_1011, test_project_not_found_closes_4004,
test_access_denied_closes_4003, test_unexpected_project_error_closes_1011, and
test_success_returns_true, assert that the AsyncMock WebSocket's accept() was
awaited (e.g., ws.accept.assert_awaited_once() or assert_awaited) prior to
checking close behavior so the test verifies the helper calls ws.accept() before
closing or leaving the socket open.

---

Nitpick comments:
In `@ontokit/api/routes/projects.py`:
- Around line 1259-1410: The route directly constructs EmbeddingService(db) (see
embed_config = await EmbeddingService(db).get_config(project_id)); change this
to inject EmbeddingService via FastAPI Depends by adding a parameter like
embedding_service: Annotated[EmbeddingService, Depends(get_embedding_service)]
to save_source_content and replace the direct instantiation with embed_config =
await embedding_service.get_config(project_id); ensure you import or use the
existing provider function (get_embedding_service) consistent with other
injected services and update any references to EmbeddingService(db) in this
function to use the injected embedding_service instead.

In `@ontokit/api/utils/ws_auth.py`:
- Around line 72-75: The helper authenticate_ws currently opens a fresh session
and constructs ProjectService via async_session_maker/ProjectService; change
authenticate_ws to accept a ProjectService instance injected from the FastAPI
route (use Depends(ProjectService) in the websocket route) and remove the local
async_session_maker/ProjectService construction; inside authenticate_ws call the
injected svc.get(project_id, user) instead. Update the websocket route to
declare a parameter svc: ProjectService = Depends(...) and pass that svc into
authenticate_ws so the function follows the API-layer DI pattern and becomes
testable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e380fada-93a8-42ee-ae8c-43bf260c3242

📥 Commits

Reviewing files that changed from the base of the PR and between 9acdfa2 and c690a2f.

📒 Files selected for processing (9)

• ontokit/api/routes/lint.py
• ontokit/api/routes/projects.py
• ontokit/api/utils/ws_auth.py
• ontokit/core/constants.py
• ontokit/worker.py
• tests/unit/test_index_ws.py
• tests/unit/test_lint_routes_extended.py
• tests/unit/test_lint_ws.py
• tests/unit/test_ws_auth.py

✅ Files skipped from review due to trivial changes (2)

• ontokit/core/constants.py
• tests/unit/test_lint_ws.py

🚧 Files skipped from review as they are similar to previous changes (1)

• ontokit/api/routes/lint.py