merge develop -> main (#71)

* deps: Bump the all-dependencies group with 9 updates (#62)

Bumps Aspire.Hosting.AppHost from 13.0.1 to 13.0.2
Bumps Aspire.Hosting.RabbitMQ from 13.0.1 to 13.0.2
Bumps Aspire.Hosting.Redis from 13.0.1 to 13.0.2
Bumps Aspire.Hosting.SqlServer from 13.0.1 to 13.0.2
Bumps Aspire.RabbitMQ.Client from 13.0.1 to 13.0.2
Bumps AWSSDK.Extensions.NETCore.Setup from 4.0.3.14 to 4.0.3.15
Bumps AWSSDK.S3 from 4.0.13.1 to 4.0.14.1
Bumps AWSSDK.SecurityToken from 4.0.5.1 to 4.0.5.2
Bumps Sentry.Serilog from 6.0.0-preview.2-prerelease to 6.0.0-rc.2-prerelease

---
updated-dependencies:
- dependency-name: Aspire.Hosting.AppHost
  dependency-version: 13.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: Aspire.Hosting.RabbitMQ
  dependency-version: 13.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: Aspire.Hosting.Redis
  dependency-version: 13.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: Aspire.Hosting.SqlServer
  dependency-version: 13.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: Aspire.RabbitMQ.Client
  dependency-version: 13.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: AWSSDK.Extensions.NETCore.Setup
  dependency-version: 4.0.3.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: AWSSDK.S3
  dependency-version: 4.0.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: AWSSDK.SecurityToken
  dependency-version: 4.0.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: Sentry.Serilog
  dependency-version: 6.0.0-rc.2-prerelease
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Enforce dedicated scopes for Visualiser (#69)

Enforces dedicated visualiser scopes.

Updates the API to use dedicated scopes for the visualiser application.

This change improves security by isolating the permissions required for visualiser functionality from the core data management system (DMS).

* Update readme (#68)

* Updates README to more accurately reflect architecture

* Updates Entra app registration instructions

Clarifies that Implicit grant and hybrid flows do not need to be configured during Entra app registration.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: samgibsonmoj

Directory.Packages.props

@@ -3,18 +3,18 @@
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
   </PropertyGroup>
   <ItemGroup>
-    <PackageVersion Include="Aspire.Hosting.AppHost" Version="13.0.1" />
-    <PackageVersion Include="Aspire.Hosting.RabbitMQ" Version="13.0.1" />
-    <PackageVersion Include="Aspire.Hosting.Redis" Version="13.0.1" />
-    <PackageVersion Include="Aspire.Hosting.SqlServer" Version="13.0.1" />
-    <PackageVersion Include="Aspire.RabbitMQ.Client" Version="13.0.1" />
-    <PackageVersion Include="AWSSDK.Extensions.NETCore.Setup" Version="4.0.3.14" />
-    <PackageVersion Include="AWSSDK.SecurityToken" Version="4.0.5.1" />
+    <PackageVersion Include="Aspire.Hosting.AppHost" Version="13.0.2" />
+    <PackageVersion Include="Aspire.Hosting.RabbitMQ" Version="13.0.2" />
+    <PackageVersion Include="Aspire.Hosting.Redis" Version="13.0.2" />
+    <PackageVersion Include="Aspire.Hosting.SqlServer" Version="13.0.2" />
+    <PackageVersion Include="Aspire.RabbitMQ.Client" Version="13.0.2" />
+    <PackageVersion Include="AWSSDK.Extensions.NETCore.Setup" Version="4.0.3.15" />
+    <PackageVersion Include="AWSSDK.SecurityToken" Version="4.0.5.2" />
     <PackageVersion Include="CommunityToolkit.Aspire.Hosting.Minio" Version="13.0.0" />
     <PackageVersion Include="CommunityToolkit.Aspire.Hosting.SqlDatabaseProjects" Version="13.0.0" />
     <PackageVersion Include="Autofac" Version="9.0.0" />
     <PackageVersion Include="Autofac.Extensions.DependencyInjection" Version="10.0.0" />
-    <PackageVersion Include="AWSSDK.S3" Version="4.0.13.1" />
+    <PackageVersion Include="AWSSDK.S3" Version="4.0.14.1" />
     <PackageVersion Include="CommunityToolkit.Aspire.Minio.Client" Version="13.0.0" />
     <PackageVersion Include="coverlet.collector" Version="6.0.4">
       <PrivateAssets>all</PrivateAssets>
@@ -59,7 +59,7 @@
     <PackageVersion Include="Rebus" Version="8.9.0" />
     <PackageVersion Include="Rebus.RabbitMq" Version="10.1.0" />
     <PackageVersion Include="Rebus.ServiceProvider" Version="10.7.0" />
-    <PackageVersion Include="Sentry.Serilog" Version="6.0.0-preview.2-prerelease" />
+    <PackageVersion Include="Sentry.Serilog" Version="6.0.0-rc.2-prerelease" />
     <PackageVersion Include="Serilog.Extensions.Hosting" Version="10.0.0" />
     <PackageVersion Include="Serilog.Settings.Configuration" Version="10.0.0" />
     <PackageVersion Include="Serilog.Sinks.Console" Version="6.1.1" />

README.md

@@ -11,19 +11,24 @@ HMPPS CFO DMS
 HMPPS Creating Future Opportunities (CFO) - Data Management System (DMS). It is intended for internal use only and is used to process PNOMIS and NDelius offender data to supply CATS (Case Assessment and Tracking System - also used by HMPPS CFO) with accurate offender movements and updates.
 
 ## Architecture
-CFO DMS is built as a microservices architecture using .NET Aspire for orchestration. Data flows through the following pipeline:
+CFO DMS is built as a distributed microservices architecture. Data flows through the following pipeline:
 
-**File Ingestion → Parsing/Cleaning → Staging → Import → Running Picture → Blocking/Matching → Clustering**
+**File Ingestion → Parsing/Cleaning → Staging → Import → Running Picture → Blocking/Matching → Clustering → Data Consumption**
 
-1. **FileSync** monitors MinIO/S3/FileSystem storage and syncs incoming files
-2. **Parsers/Cleaners** (Offloc, Delius) transform raw PNOMIS and NDelius files into structured records in staging databases
-3. **Import** validates and migrates data from staging to running picture databases
-4. **Matching Engine** identifies and links related offender records across systems
-5. **Cluster database** maintains grouped offender data
-6. **API** exposes the processed data via REST endpoints for downstream consumers (e.g., CATS)
-7. **Visualiser** provides a web UI for exploring and visualising relationships between offender data
+### Pipeline Applications
+1. **File Ingestion** - [**FileSync**](src/FileSync) monitors MinIO/S3/FileSystem storage and syncs incoming files
+2. **Parsing/Cleaning** - [**Offloc.Parser**](src/Offloc.Parser), [**Offloc.Cleaner**](src/Offloc.Cleaner), [**Delius.Parser**](src/Delius.Parser) transform raw p-NOMIS and nDelius files into structured records
+3. **Staging/Import/Running Picture** - [**Import**](src/Import) validates and migrates data from staging to running picture databases
+4. **Blocking/Matching** - [**Blocking**](src/Blocking) generates candidate record pairs, [**Matching.Engine**](src/Matching.Engine) identifies and links related offender records across systems
+5. **Clustering** - [**Matching.Engine**](src/Matching.Engine) groups related records into clusters representing unique individuals
+6. **Data Consumption** - [**API**](src/API) exposes the processed data via REST endpoints for downstream consumers (e.g., CATS), [**Visualiser**](src/Visualiser) provides a web UI for exploring and visualising relationships between offender data
 
-Supporting services include **DbInteractions** (complex database operations), **Blocking** (matching rules), **Cleanup** (data maintenance), and **Logging**. Services communicate asynchronously via RabbitMQ message queues.
+### Supporting Applications
+- [**Cleanup**](src/Cleanup) - Performs data maintenance tasks
+- [**DbInteractions**](src/DbInteractions) handles complex database operations
+- [**Logging**](src/Logging) - Centralised logging service
+
+Services communicate asynchronously via RabbitMQ message queues. See the Message Flow Diagram below for detailed service interactions.
 
 # Development Setup and Execution Guide
 

src/API/Endpoints/VisualisationEndpoints.cs

@@ -22,9 +22,9 @@ public static IEndpointRouteBuilder RegisterVisualisationEndpoints(this IEndpoin
 
         group.MapPost("/Save", SaveNetworkAsync)
             .ProducesProblem(StatusCodes.Status500InternalServerError)
-            .RequireAuthorization("write");
+            .RequireAuthorization("visualisation-write");
 
-        group.RequireAuthorization("read");
+        group.RequireAuthorization("visualisation-read");
 
         return routes;
     }

src/API/Program.cs

@@ -73,6 +73,17 @@
 {
     options.AddPolicy("read", policy => policy.RequireScope("dms.read"));
     options.AddPolicy("write", policy => policy.RequireScope("dms.write"));
+
+    options.AddPolicy("visualisation-read", policy => 
+        policy.RequireAuthenticatedUser()
+              .RequireScope("visualiser.read")
+              .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));
+
+    options.AddPolicy("visualisation-write", policy => 
+        policy.RequireAuthenticatedUser()
+              .RequireScope("visualiser.write")
+              .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));
+
     options.FallbackPolicy = options.DefaultPolicy;
 });
 

src/Visualiser/README.md

@@ -3,6 +3,7 @@
 1. New app registration in Entra
 	- Supported account types: Single tenant
 	- Redirect URI: Platform = web, URI = https://localhost:7123/signin-oidc
+	- NOTE: You do not need to configure Implicit grant and hybrid flows
 2.	Register permissions under "API Permissions" section. Configure scopes:
 	- `email`
 	- `openid`

src/Visualiser/appsettings.Development.json

@@ -11,8 +11,8 @@
   },
   "API": {
     "Scopes": [
-      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/dms.read",
-      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/dms.write"
+      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/visualiser.read",
+      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/visualiser.write"
     ]
   }
 }

src/Visualiser/appsettings.json

@@ -17,7 +17,7 @@ For more info see https://aka.ms/dotnet-template-ms-identity-platform
   "API": {
     "BaseUrl": "https://localhost:7013",
     "Scopes": [
-      // E.g. "api://{api_client_id}/dms.read" and "api://{api_client_id}/dms.write"
+      // E.g. "api://{api_client_id}/visualiser.read" and "api://{api_client_id}/visualiser.write"
     ]
   },
   "Serilog": {