Skip to content

IMPROVEMENTS.md

Latest commit

 

History

History
1060 lines (892 loc) · 69.3 KB

IMPROVEMENTS.md

File metadata and controls

1060 lines (892 loc) · 69.3 KB

LiteGraph Next Release Improvement Plan

Status Key: [ ] Not started | [~] In progress | [x] Complete | [!] Blocked | [?] Needs decision

Last updated: 2026-04-17

Release target: Next LiteGraph release

Audience: Public roadmap plus maintainer execution plan

Release Goal

This release is a strategic architecture release. The goal is to make LiteGraph more useful as a production graph database by adding:

  • a native graph query capability with familiar graph-query syntax
  • graph-scoped transactional mutations
  • provider-neutral storage with SQLite as the default and PostgreSQL as the recommended production backend
  • RBAC and scoped credentials at REST/MCP boundaries
  • production observability with Prometheus and OpenTelemetry

All five areas are P1 for this release. The release should be planned as one coordinated effort because these items overlap at the repository, request handling, authorization, testing, and SDK/MCP surfaces.

Non-Negotiable Constraints

  • SQLite remains the default zero-config backend.
  • PostgreSQL is the recommended production backend.
  • The storage architecture must be designed so MySQL and SQL Server can be added without redesign.
  • Storage backend implementations live inside the main LiteGraph project, following the provider folder pattern used in C:\code\Verbex\Verbex\src\Verbex\Database.
  • Query execution should prefer repository-level planning/execution. LiteGraphClient methods may be used where they are the correct abstraction.
  • Transactions are limited to one tenant and one graph.
  • Transactions can mutate graph child objects only: nodes, edges, labels, tags, and vectors.
  • Query mutations can mutate graph child objects only and must not update graph metadata.
  • Vector search in the query language accepts supplied embeddings/vectors. LiteGraph will not generate embeddings in this release.
  • RBAC is enforced at REST and MCP boundaries only. Core LiteGraphClient and repository APIs remain permission-agnostic.
  • Existing users and credentials must retain effective full access after migration.
  • Request history remains supported and should be used as a subordinate source for observability.
  • Test coverage should be built into Test.Shared and exposed through Test.Automated, Test.Xunit, and Test.Nunit.
  • SDK, MCP, and dashboard work is required where the feature has a relevant user-facing surface.

Release Sequencing

The work should be delivered in this order, even though all items are P1:

  1. Storage architecture and request lifecycle foundations.
  2. Transactions and repository execution primitives.
  3. Query language design decisions, then parser/planner/executor.
  4. RBAC and scoped credential enforcement at REST/MCP boundaries.
  5. Observability instrumentation, metrics, traces, and dashboard/docs.
  6. SDK, MCP, dashboard, and full test matrix completion.

This ordering reduces rework. Query execution, transactions, RBAC, and observability all depend on the storage and request lifecycle work.

0. Release Architecture Gates

Priority: P1 Status: [x] Complete for release gating; implementation is now unblocked Impact: Prevents incompatible implementations across query, storage, RBAC, SDKs, and MCP

0.1 Query Language Direction

Decision:

  • Selected profile: Cypher/GQL-inspired LiteGraph-native query profile.
  • Use Cypher-style graph pattern syntax for user familiarity.
  • Align with ISO GQL where practical.
  • Do not claim full openCypher, Neo4j Cypher, or ISO GQL conformance in this release.
  • Gremlin, SPARQL, SQL/PGQ, and GraphQL are not native query-language targets for this release.
  • Feature name in code and docs: native graph query or LiteGraph native graph query. Do not use "LiteQL" unless a separate naming decision revives it later.

Decision criteria:

  • familiar to graph database users
  • practical to implement in this release
  • maps cleanly to LiteGraph nodes, edges, labels, tags, data, and vectors
  • supports mutations without forcing graph metadata changes
  • supports repository-level planning
  • does not lock LiteGraph into Neo4j-specific behavior unless explicitly chosen

Deliverables:

  • Short design note comparing candidate query syntax options.
  • Final decision on syntax compatibility target.
  • Final naming decision for the feature.
    • 20+ example queries covering reads, traversals, filters, vector search, and mutations.
  • Query feature marked unblocked only after this decision is recorded.

0.2 Query Parameter Model

Decision:

  • allow inline literals for simple constants
  • support separate parameters for user input, vectors, large JSON payloads, and reusable queries
  • require errors for missing parameters
  • preserve JSON/object parameter values instead of forcing string interpolation

Why separate parameters may be needed:

  • avoids string escaping bugs in generated queries
  • improves safety for mutation queries
  • preserves value types for GUIDs, numbers, booleans, arrays, objects, and vectors
  • avoids embedding large vector arrays directly in query text
  • enables query plan caching later
  • creates a cleaner SDK and MCP contract for user-provided values

Possible request shape:

{
  "Query": "MATCH (n:Person) WHERE n.data.age > $age RETURN n",
  "Parameters": {
    "age": 30
  }
}

Deliverables:

  • Decide whether parameter binding is required for this release.
  • Decide whether inline literals are supported.
  • Define parameter value types.
  • Define error behavior for missing, unused, or type-invalid parameters.
  • Define SDK/MCP request models after the decision.

Acceptance Criteria

  • Query language implementation started only after 0.1 and 0.2 were resolved.
  • The selected query syntax is documented with examples before full parser work begins.
  • SDK, MCP, REST, and tests all use the same query request contract when each surface is added.

1. Provider-Neutral Storage Backends

Priority: P1 Effort: Very Large Status: [x] Completed for SQLite and PostgreSQL; MySQL and SQL Server remain explicit placeholders behind the provider-neutral contract Impact: Removes SQLite-only architecture assumptions and enables production deployment on PostgreSQL

Why This Matters

  • SQLite is excellent as the zero-config default.
  • Production deployments need server-backed storage, write concurrency, operational tooling, replication, and backup workflows.
  • PostgreSQL is the first production backend.
  • MySQL and SQL Server should be supported by architecture, settings, and provider boundaries without forcing a later redesign.

Implementation Steps

  • 1.1 Introduce provider-neutral database settings and type selection.

    • Add DatabaseTypeEnum: Sqlite, Postgresql, Mysql, SqlServer.
    • Add provider-neutral settings modeled after Verbex DatabaseSettings.
    • Preserve backward compatibility with LiteGraph.GraphRepositoryFilename.
    • Support environment variables for database type, filename, host, port, database, username, password, schema, pool size, and command timeout.
    • Redact passwords and connection strings from logs.

  • 1.2 Add a repository factory.

    • File: src/LiteGraph/GraphRepositories/GraphRepositoryFactory.cs
    • Create repositories from settings.
    • Update LiteGraph.Server startup to use the factory instead of directly constructing SqliteGraphRepository.
    • Keep LiteGraphClient(GraphRepositoryBase repo, ...) working.

  • 1.3 Refactor repository base primitives.

    • Add async initialization/close patterns where needed without breaking current public behavior.
    • Add explicit transaction primitives on GraphRepositoryBase: begin, commit, rollback, transaction-active state.
    • Add provider-neutral query execution hooks needed by query planning and observability.
      • Core repository operation telemetry event and LiteGraph meter/activity names are provider-neutral.
      • SQLite execution primitives emit repository operation telemetry for read, write, transaction, and batch work.
      • PostgreSQL execution primitives emit repository operation telemetry for read, write, transaction, and batch work.
    • Remove SQLite-specific assumptions from shared interfaces and comments where practical.

  • 1.4 Normalize provider-specific query generation.

    • Keep provider-specific SQL in provider folders.
    • Preserve Interfaces/, Implementations/, Queries/, Sanitizer.cs, and converter patterns.
    • Move JSON expression translation behind provider-specific components.
    • Do not leak SQLite JSON path assumptions into user-facing docs for provider-neutral features.

  • 1.5 Implement PostgreSQL backend.

    • Folder: src/LiteGraph/GraphRepositories/Postgresql/
    • Replace the provider placeholder with an executable repository wired through GraphRepositoryFactory.
    • Use NpgsqlDataSource.
    • Implement schema creation and indexes in the configured PostgreSQL schema.
    • Implement repository interfaces for tenants, users, credentials, graphs, nodes, edges, labels, tags, vectors, vector indexes, request history, batch, and admin operations.
    • Implement transaction primitives.
    • Implement PostgreSQL JSON data filtering.
      • Translate provider JSON expressions to PostgreSQL jsonb extraction at execution.
      • Live PostgreSQL JSON filter coverage with a configured PostgreSQL test database.
      • Numeric and boolean JSON comparisons are translated to PostgreSQL casts.
    • Verify concurrent writer behavior.
      • Use server-side connection pooling and database transactions.
      • Live concurrent writer coverage with a configured PostgreSQL test database.

  • 1.6 Prepare MySQL and SQL Server support.

    • Add provider folders and settings support.
    • Add explicit unsupported-operation errors until full implementation is finished.
    • Ensure architecture and tests can add these providers without changing public contracts.

  • 1.7 Migration and backup tools.

    • Export/import SQLite to PostgreSQL through the provider-neutral StorageMigrationManager.
    • Verification tool compares entity counts and sampled records.
    • Document large database migration strategy.
      • Added migration usage, verification behavior, and PostgreSQL target guidance to STORAGE.md.

  • 1.8 Tests.

    • Add backend-neutral storage foundation suites in Test.Shared.
    • Run the core provider functional tests against SQLite and PostgreSQL.
      • PostgreSQL SQL translation unit coverage verifies schema qualification, GUID primary keys, BYTEA, JSON field filters, and blob literal translation.
      • PostgreSQL live provider smoke covers initialization, tenant/graph/node/edge/label/tag/vector CRUD, JSON filters, concurrent writes, and graph transaction commit/rollback when LITEGRAPH_TEST_POSTGRESQL_CONNECTION_STRING is configured.
      • Storage migration round-trip coverage verifies tenants, users, credentials, graphs, nodes, edges, labels, tags, vectors, custom roles, user role assignments, credential scopes, counts, sampled records, and async disposal cleanup.
    • Add provider implementation test for PostgreSQL and provider placeholder tests for MySQL and SQL Server.
    • Expose via Test.Automated, Test.Xunit, and Test.Nunit.

Verification

  • dotnet build src\LiteGraph.sln -f net8.0
  • dotnet run --project src\Test.Automated\Test.Automated.csproj --framework net8.0 with LITEGRAPH_TEST_POSTGRESQL_CONNECTION_STRING against a disposable PostgreSQL 16 container: 429 total, 427 passed, 0 failed, 2 skipped (Mysql, SqlServer placeholder suites).

Acceptance Criteria

  • SQLite remains default and backward compatible.
  • PostgreSQL passes the same core repository test suite as SQLite.
  • Server startup selects storage backend by configuration.
  • PostgreSQL supports concurrent writes from multiple server instances.
  • Existing LiteGraph data can be migrated from SQLite to PostgreSQL with verification.
  • MySQL and SQL Server can be added without changing public repository contracts.

2. Graph-Scoped Transactions

Priority: P1 Effort: Large Status: [x] Complete; graph-scoped transaction model, execution, SDK helpers, MCP, dashboard API Explorer support, and transaction coverage are implemented Impact: Provides all-or-nothing graph child mutations

Why This Matters

  • Creating a meaningful graph change often requires multiple node, edge, label, tag, and vector writes.
  • Today, failure in the middle of a multi-step workflow can leave partial graph state.
  • Transactions are required for reliable imports, migrations, agent operations, and query-language mutations.

Scope

Transactions are limited to:

  • one tenant
  • one graph
  • graph child objects only: nodes, edges, labels, tags, vectors

Transactions do not include:

  • tenant creation/update/delete
  • graph creation/update/delete
  • user or credential management
  • backup/restore
  • cross-graph operations
  • cross-tenant operations

Implementation Steps

  • 2.1 Define generic transaction operation model.

    • TransactionRequest
    • TransactionOperation
    • TransactionResult
    • TransactionOperationResult
    • Operation types for create, update, and delete.
    • Attach, detach, and upsert operation types where appropriate.
      • Attach and Detach support labels, tags, and vectors as node/edge subordinate records.
      • Upsert supports nodes, edges, labels, tags, and vectors by GUID within the transaction graph.
    • Payloads are typed internally after JSON conversion; C#, Python, JavaScript, REST, MCP, and dashboard request templates share the implemented operation shapes.
    • Maximum operations per transaction: configurable, default 1000.
    • Transaction timeout: configurable, default 60 seconds.

  • 2.2 Add REST endpoint.

    • POST /v1.0/tenants/{tenantGuid}/graphs/{graphGuid}/transaction
    • Request body is a generic operation list.
    • Response includes per-operation results when successful.
    • Failure response identifies the failed operation index, operation type, and reason.

  • 2.3 Implement repository transaction execution.

    • Use provider transaction primitives.
    • Roll back all DB writes on failure in SQLite.
    • Respect cancellation tokens and timeout in the C# transaction executor.
    • Ensure validation happens before writes when practical.
      • Structural operation validation now runs before opening a graph transaction.
    • Ensure repository operations can participate in an active transaction in SQLite.
    • Public transaction and query mutation entry points reject accidental nested/concurrent use of an active repository transaction.

  • 2.4 Handle vector index consistency.

    • DB atomicity is required.
    • Vector index rollback is not required.
    • If vector index update fails after DB commit, mark the affected graph index dirty or schedule repair.
      • Graphs now persist vector index dirty state, dirty timestamp, and dirty reason.
      • Dirty indexes are surfaced through vector index statistics and are bypassed by indexed search so brute-force search remains correct until repair.
      • Graph transaction rollback or commit failure after vector index mutation marks the graph index dirty.
    • Provide rebuild/repair guidance and tests.
      • TRANSACTIONS.md documents dirty index behavior and repair through rebuild.
      • Touchstone coverage verifies post-commit index failure fallback/repair and transaction rollback dirty marking.

  • 2.5 Add SDK support.

    • C#: transaction request builder.
      • Builder includes typed attach, detach, and upsert helpers.
    • Python: transaction helper/context-style API where appropriate.
    • JavaScript: async transaction builder.

  • 2.6 Add MCP support.

    • graph/transaction graph-scoped tool for MCP HTTP, TCP, and WebSocket surfaces.
    • Enforce RBAC at tool boundary by routing through the REST transaction endpoint; per-tool MCP authorization coverage is complete under Section 4.7.

  • 2.7 Add dashboard support where appropriate.

    • Transaction execution is exposed through API Explorer rather than as a primary dashboard workflow.
    • Add API Explorer examples and request templates.
    • Surface transaction failures clearly when dashboard invokes transaction-capable APIs.

  • 2.8 Tests.

    • Rollback and commit coverage for node create in SQLite.
    • Rollback on failed node create.
    • Rollback after mixed operations include an edge create.
    • Rollback/commit coverage for mixed node/edge operations.
    • Rollback on mixed node/edge/label/tag/vector operations.
    • Pre-write structural validation coverage.
    • Attach, detach, and upsert coverage for node, edge, label, tag, and vector transaction paths.
    • Operation limit enforcement.
    • Timeout/cancellation behavior.
      • Pre-cancelled transaction leaves no graph child writes.
      • Timeout during a long-running transaction rolls back and clears active repository state.
    • Concurrent transaction behavior for SQLite and PostgreSQL.
      • SQLite active-transaction guard prevents transaction API and query mutations from joining an already-active repository transaction.
      • PostgreSQL live provider coverage verifies concurrent graph transactions through separate repository instances.
    • Vector index dirty/repair behavior when index update fails.

Acceptance Criteria

  • Multi-operation graph child mutations succeed or fail atomically at the database layer.
  • Transactions cannot cross tenant or graph boundaries.
  • Failed transactions leave no partial DB mutations.
  • Failure response identifies the failing operation.
  • Vector index consistency is recoverable through dirty marking or rebuild.
  • SDK and MCP support is available where appropriate.

3. Native Graph Query Language

Priority: P1 Effort: Very Large Status: [x] Complete; parser/planner/executor-backed reads, fixed and bounded variable-length traversals, shortest and optional matches, graph-child CREATE/UPDATE/DELETE mutations, supplied-vector search, REST, C#/Python/JavaScript SDK helpers, MCP, API Explorer support, DSL docs, console execution, and shared test coverage are implemented Impact: Enables one-call graph traversal, filtering, vector search, and mutation

Why This Matters

  • Traversals often require multiple REST calls today.
  • A native query endpoint lets users express graph intent in a single request.
  • AI agents benefit from structured query and mutation capabilities.
  • The query language should use syntax familiar to the larger graph database user base while preserving LiteGraph-native behavior.

Scope

The query language must support:

  • graph-scoped execution only
  • reads and traversals
  • filtering by labels, tags, name, data fields, and vector similarity
  • returning full LiteGraph objects
  • mutations of nodes, edges, labels, tags, and vectors
  • repository-level planning and execution where possible
  • cancellation and timeout

The query language must not support:

  • cross-tenant queries
  • cross-graph queries in this release
  • graph metadata mutation
  • tenant/user/credential/admin mutation
  • embedding generation

Implementation Steps

  • 3.1 Complete language design after Section 0 decisions.

    • Select Cypher/GQL-inspired LiteGraph-native profile.
    • Define supported read clauses for the initial profile.
    • Define supported mutation clauses.
      • Graph-child CREATE, SET, and DELETE for nodes, edges, labels, tags, and vectors.
    • Define supported operators.
      • Equality for GUID, name, and data.<field> predicates in implemented query paths.
      • Numeric comparison operators for data.<field> predicates: >, >=, <, <=.
      • String predicate operators for supported name and data.<field> filters: CONTAINS, STARTS WITH, ENDS WITH.
      • AND-combined predicate lists for implemented node, edge, and fixed-path match paths.
      • Basic ORDER BY support for returned scalar values and supported LiteGraph object fields.
      • OR/NOT, list, tag, and aggregation operators.
        • OR/NOT predicate expressions with AND precedence, parentheses, planner scan warnings, and executor fallback evaluation.
        • IN list predicates for literal lists, parameter lists, GUIDs, names, and data.<field> values.
        • Tag-aware predicates using tags.<key> for node and edge tag records.
        • Aggregate RETURN operators for read-only node, edge, and fixed-path MATCH: COUNT, SUM, AVG, MIN, and MAX.
        • Bounded variable-length path ranges with *min..max.
        • MATCH SHORTEST over bounded path candidates.
        • Top-level read-only OPTIONAL MATCH with null-row behavior.
    • Define graph pattern syntax for node and edge pattern reads.
    • Define vector search syntax using supplied vectors/parameters.
    • Define parameter behavior if parameter binding is selected.
    • Define unsupported syntax and error messages for the initial profile.
    • Publish examples before implementation.

  • 3.2 Define query request/response models.

    • GraphQueryRequest
    • GraphQueryResponse
    • GraphQueryResult
    • Include execution time, row count/object count, warnings, and optional profile data.
    • Request includes opt-in IncludeProfile for query phase timings.
    • Response includes optional ExecutionProfile with parse, plan, execute, and total timings.
    • Return full LiteGraph objects for implemented node, edge, label, tag, vector, and vector-search rows.

  • 3.3 Implement lexer/tokenizer.

    • File: src/LiteGraph/Query/Lexer.cs
    • Token types for identifiers/keywords, operators, literals, parameters, and punctuation in the initial profile.
    • Line/column error reporting.
    • Initial unit tests for supported token types and invalid tokens.

  • 3.4 Implement parser and AST.

    • File: src/LiteGraph/Query/Parser.cs
    • Folder: src/LiteGraph/Query/Ast/
    • AST nodes for query, pattern, node, edge, AND-combined filters, return, order, limit, vector search, and create/update/delete mutation operations.
    • AST predicate-expression tree for AND, OR, NOT, parentheses, and IN list operands.
    • AST aggregate return items for COUNT, SUM, AVG, MIN, and MAX, with aliases.
    • Helpful syntax errors with line/column positions.
    • Unit tests for valid and invalid queries, including 20+ documented DSL examples.

  • 3.5 Implement planner.

    • File: src/LiteGraph/Query/Planner.cs
    • Convert AST into provider-neutral execution plan.
    • Push filters to repository operations where possible.
      • Planner selects repository seed hints for node GUID/name, edge GUID/name/source/target, and fixed-path segment edge/source/target equality predicates.
      • Planner avoids unsafe seed pushdown for OR/NOT predicate expressions and emits scan warnings.
    • Use vector indexes where available.
      • Vector search plans use a VectorIndex seed and execution routes through client.Vector.Search(...), which uses configured graph vector indexes when eligible.
    • Estimate plan cost enough to reject obviously dangerous queries.
      • Planner emits aggregate scan warnings and assigns aggregate scan cost.
      • Planner emits variable-length, shortest-path, optional-match, and unbounded-order warnings and assigns higher traversal expansion cost.
    • Detect unsupported cross-graph or graph-metadata operations.
      • Parser/executor expose no cross-tenant, cross-graph, graph metadata, tenant, user, credential, or admin mutation syntax in this release profile.

  • 3.6 Implement executor.

    • File: src/LiteGraph/Query/Executor.cs
    • Route QueryMethods.Execute through planner and executor components.
    • Execute implemented plans against repository-level APIs, except vector search.
    • Evaluate OR/NOT predicate expressions, IN list predicates, and tags.<key> predicates for node, edge, and fixed-path match queries.
    • Execute aggregate scalar rows for node, edge, and fixed-path match queries over object fields, data fields, edge cost, and tag values.
    • Execute bounded variable-length path queries and shortest bounded path queries.
    • Execute top-level read-only OPTIONAL MATCH with null-row behavior.
    • Use LiteGraphClient only where it is the correct abstraction.
      • Query vector search routes through client.Vector.Search(...) so graph vector-index configuration remains centralized.
    • Stream internal results where practical.
      • Repository-backed node/edge/vector reads use async enumeration and early limit checks; bounded path expansion materializes only bounded candidate state where traversal semantics require it.
    • Respect cancellation tokens in implemented query paths.
    • Enforce query timeout: configurable, default 30 seconds.
    • Route implemented mutation queries through transaction infrastructure.
    • Move execution helper logic out of the public QueryMethods facade into QueryExecutionEngine.

  • 3.7 Add REST endpoint.

    • POST /v1.0/tenants/{tenantGuid}/graphs/{graphGuid}/query
    • No tenant-level cross-graph query endpoint in this release.
    • Enforce graph allow-list and read/write credential scopes before execution.

  • 3.8 Add SDK support.

    • C#: client.Query.Execute(...)
    • Python: query resource/helper.
    • JavaScript: query helper.
    • Typed result deserialization for full LiteGraph object lists where the SDK has model classes; row payloads preserve full returned objects.

  • 3.9 Add MCP support.

    • graph/query tool for MCP HTTP, TCP, and WebSocket surfaces.
    • Query request model matches REST/SDK model by accepting a GraphQueryRequest payload and forwarding it unchanged to REST.
    • Enforce RBAC at MCP boundary by routing query execution through the REST query endpoint and its credential-scope checks. Full per-tool MCP authorization for all existing tools remains under Section 4.7.

  • 3.10 Add dashboard support where appropriate.

    • API Explorer examples.
    • Optional query console if scope allows.
      • Dashboard scope uses API Explorer for query execution; the dedicated terminal query console is LiteGraphConsole.
    • Display query errors with line/column information.

  • 3.11 Add terminal query console.

    • Project: src/LiteGraphConsole/LiteGraphConsole.csproj.
    • Add LiteGraphConsole to src/LiteGraph.sln.
    • Package as a .NET global tool with command name lg.
    • Add install/reinstall/remove scripts modeled after the Armada global-tool scripts.
    • Support local SQLite database files through --database / --file.
    • Support remote LiteGraph endpoints through --endpoint.
    • Accept --tenant, --graph, --token, --max-results, --timeout, and script/file execution arguments where appropriate.
    • Provide an interactive shell similar to sqlite3: prompt, multiline query input, dot commands, readable JSON output, and non-interactive execution.
    • Keep graph execution scoped to one tenant and one graph per session.

  • 3.12 Tests and benchmarks.

    • Initial lexer tests.
    • Parser tests.
    • Documented DSL example parser coverage.
    • Initial parameter error and query cancellation tests.
    • Initial planner tests for seed selection, mutation classification, vector search, warnings, and cost.
    • Initial node and edge read query integration tests.
    • Initial fixed directed multi-hop path query integration tests.
    • Initial node and edge data.<field> equality and numeric comparison filter tests.
    • Node, edge, and fixed-path OR/NOT/parenthesized predicate, IN list predicate, and tag-aware predicate integration tests.
    • Aggregate parser, planner, and node/edge/fixed-path execution coverage for COUNT, SUM, AVG, MIN, and MAX.
    • Initial mutation query transaction tests.
    • Initial node/edge update and delete query integration tests.
    • Initial label/tag/vector update and delete query integration tests.
    • Vector query tests with supplied embeddings for node, edge, graph-scoped vector search, and vector-indexed node search.
    • Bounded variable-length path, shortest path, optional match, parser, planner, and executor tests.
    • Python SDK query helper and model tests.
    • JavaScript SDK query helper and model tests.
    • Dashboard API Explorer query template and line/column error-summary tests.
    • RBAC tests for query endpoint/tool.
    • SQLite and PostgreSQL backend tests.
      • SQLite native query coverage runs in the shared query suites.
      • PostgreSQL native query smoke is included in the environment-gated PostgreSQL provider suite.
    • Benchmarks against equivalent multi-call sequences.
      • Benchmark scenarios are documented in DSL.md for one-hop, fixed two-hop, bounded variable-length traversal, data-filtered lookup, and supplied-vector search comparisons.

Acceptance Criteria

  • A user can execute a single graph-scoped query that matches patterns, filters data, performs vector similarity, and returns full LiteGraph objects.
  • A user can execute graph child object mutations through the query endpoint.
  • Mutation queries are database-atomic through transaction infrastructure.
  • Syntax errors include line and column.
  • Query timeout prevents runaway queries.
  • Query execution uses repository-level planning where practical.
  • Query language decision and parameter model are documented before implementation.

4. RBAC and Scoped Credentials

Priority: P1 Effort: Large Status: [x] Complete; credential scopes, graph allow-lists, stored role/assignment policies, effective-permission caching/invalidation, authorization audit, REST role/scope management endpoints, MCP role/scope tools, MCP boundary enforcement for existing tools, PostgreSQL schema support, dashboard management UI, and dashboard tests are implemented Impact: Provides enterprise-grade access control at REST and MCP boundaries

Why This Matters

  • Current authorization primarily enforces tenant isolation.
  • Enterprises need read-only users, graph-level restrictions, scoped service credentials, and auditability.
  • RBAC must be added without breaking existing deployments.

Scope

RBAC applies to:

  • REST requests
  • MCP tools
  • dashboard workflows that call REST APIs

RBAC does not apply inside:

  • LiteGraphClient
  • repository interfaces
  • direct embedded use of LiteGraph

Implementation Steps

  • 4.1 Define permission model.

    • Built-in roles: TenantAdmin, GraphAdmin, Editor, Viewer, Custom.
    • Permissions: Read, Write, Delete, Admin.
    • Resource scopes: tenant, graph.
    • Resource types: graph, node, edge, label, tag, vector, query, transaction, admin where applicable.
    • Define inheritance rules.
    • Define default migration behavior.

  • 4.2 Add role and scope storage.

    • Stored role records through authorizationroles.
    • Stored user-role assignments through userroleassignments.
    • Stored credential-scope assignments through credentialscopeassignments.
    • Repository and embedded client access through AuthorizationRoles.
    • SQLite initialization seeds and refreshes global built-in role records.
    • authorizationaudit table and repository/client access for denied authorization records.
    • Provider-specific schema for SQLite and PostgreSQL.
      • SQLite role, user-role assignment, and credential-scope assignment schema and indices.
      • SQLite authorization audit schema and indices.
      • PostgreSQL role, user-role assignment, and credential-scope assignment schema.
      • PostgreSQL authorization audit schema.
    • SQLite credentials persist Scopes and graph GUID allow-lists on the existing credential record.

  • 4.3 Preserve existing access on migration.

    • Existing users receive effective full access in their tenant by migration policy definition.
    • Existing credentials receive effective full access in their tenant because null/empty scopes and graph allow-lists preserve full access.
    • Admin bearer token remains admin by migration policy definition.
    • SQLite credential scope column migration is idempotent.
    • SQLite built-in role seeding is idempotent and preserves existing built-in role GUIDs.
    • Legacy SQLite credential migration test verifies scope/graph allow-list columns, role/scope/audit tables, built-in role seed idempotency, and unrestricted compatibility access.

  • 4.4 Implement authorization service.

    • Centralized policy evaluation for the existing REST tenant, credential scope, and graph allow-list checks.
    • Effective user-role and credential-scope assignment evaluation where stored assignments exist.
    • Built-in role-name fallback for stored assignments using AuthorizationPolicyDefinitions.
    • Graph query route re-checks effective access after parser-backed read/write classification.
    • Resolve graph context for label/tag/vector GUID routes before policy evaluation so graph allow-lists apply to graph child objects.
    • Extend centralized policy evaluation to all existing MCP tools.
      • REST-proxy MCP enforcement is in place for graph query, graph transaction, batch existence, graph child-object tools, node list/bulk/enumeration/traversal tools, edge list/bulk/enumeration/search/existence/node-edge traversal tools, label/tag/vector list/bulk/enumeration/existence/search and graph/node/edge child-object tools, admin/flush, and tenant/user/credential admin-sensitive plus read/list/enumeration tools.
      • Complete role/scope MCP tool review and expose only authenticated REST-proxy role/scope tools.
    • Cache effective permissions.
    • Invalidate cache on role/scope changes.
    • Audit denied REST requests with request ID, correlation ID, trace ID, tenant, graph, user, credential, request type, reason, required scope, and status code where available.
    • Return authorization errors with machine-readable context for reason, required scope, request type, tenant, and graph where available.

  • 4.5 Implement scoped credentials.

    • Restrict credentials by operation and graph at REST.
    • Support read-only service credentials at REST.
    • Support graph-specific credentials at REST.
    • Query endpoint classifies parser-backed mutation queries, including MATCH ... SET and MATCH ... DELETE, as write operations.
    • Log denied credential usage for graph allow-list and missing-scope denials.

  • 4.6 Add role management REST endpoints.

    • CRUD roles.
    • Assign/revoke user roles.
    • Assign/revoke credential scopes.
    • List effective permissions.
    • Require admin permission for role management.

  • 4.7 Add MCP enforcement and tools where appropriate.

    • Enforce permissions for all existing MCP tools.
      • Route graph/query and graph/transaction through authenticated REST endpoints for query/transaction RBAC.
      • Route batch/existence through the authenticated REST graph existence endpoint so scoped credentials and graph allow-lists are honored.
      • Route representative graph/get, graph/create, graph/update, graph/delete, node/get, node/create, node/update, node/delete, edge/get, edge/create, edge/update, edge/delete, label/get, label/create, label/update, label/delete, tag/get, tag/create, tag/update, tag/delete, vector/get, vector/create, vector/update, vector/delete, and admin/flush MCP tools through authenticated REST calls so scoped credentials and graph allow-lists are honored.
      • Route node/all, node/readallintenant, node/readallingraph, node/readmostconnected, node/readleastconnected, node/getmany, node/exists, node/search, node/readfirst, node/enumerate, node/parents, node/children, node/neighbors, node/traverse, node/createmany, node/deletemany, node/deleteall, and node/deleteallintenant through authenticated REST calls so scoped credentials and graph allow-lists are honored.
      • Route edge/all, edge/readallintenant, edge/readallingraph, edge/getmany, edge/exists, edge/search, edge/readfirst, edge/enumerate, edge/nodeedges, edge/fromnode, edge/tonode, edge/betweennodes, edge/createmany, edge/deletemany, edge/deletenodeedges, edge/deleteallingraph, edge/deleteallintenant, and edge/deletenodeedgesmany through authenticated REST calls so scoped credentials and graph allow-lists are honored.
      • Route label/all, label/readallintenant, label/readallingraph, label/readmanygraph, label/readmanynode, label/readmanyedge, label/getmany, label/exists, label/enumerate, label/createmany, label/deletemany, label/deleteallintenant, label/deleteallingraph, label/deletegraphlabels, label/deletenodelabels, and label/deleteedgelabels through authenticated REST calls so scoped credentials and graph allow-lists are honored.
      • Route tag/readmany, tag/readallintenant, tag/readallingraph, tag/readmanygraph, tag/readmanynode, tag/readmanyedge, tag/getmany, tag/exists, tag/enumerate, tag/createmany, tag/deletemany, tag/deleteallintenant, tag/deleteallingraph, tag/deletegraphlabels, tag/deletenodelabels, and tag/deleteedgetags through authenticated REST calls so scoped credentials and graph allow-lists are honored.
      • Route vector/all, vector/readallintenant, vector/readallingraph, vector/readmanygraph, vector/readmanynode, vector/readmanyedge, vector/getmany, vector/exists, vector/enumerate, vector/search, vector/createmany, vector/deletemany, vector/deleteallintenant, vector/deleteallingraph, vector/deletegraphvectors, vector/deletenodevectors, and vector/deleteedgevectors through authenticated REST calls so scoped credentials and graph allow-lists are honored.
      • Route tenant/create, tenant/get, tenant/update, tenant/delete, user/create, user/get, user/update, user/delete, credential/create, credential/get, credential/getbybearertoken, credential/update, credential/delete, credential/deletebyuser, and credential/deleteallintenant through authenticated REST calls so admin requirements, tenant boundaries, and authorization audit behavior are honored.
      • Route tenant/all, tenant/enumerate, tenant/exists, tenant/statistics, tenant/statisticsall, tenant/getmany, user/all, user/enumerate, user/exists, user/getmany, credential/all, credential/enumerate, credential/exists, and credential/getmany through authenticated REST calls so admin requirements and same-tenant read policies are honored.
      • Route authorization/role/*, authorization/userrole/*, authorization/credentialscope/*, authorization/user/permissions, and authorization/credential/permissions through authenticated REST calls so role/scope management remains behind the REST RBAC and audit boundary.
    • Add role/scoping tools only if safe and useful.

  • 4.8 Identity boundary.

    • RBAC is based on LiteGraph-native users and credentials.
    • Do not map arbitrary external identities to LiteGraph users.
    • Do not auto-provision users from external identities.
    • Do not add email/claim heuristics for external identity mapping.
    • If JWT-formatted tokens are supported, they must represent LiteGraph-controlled users or credentials by an explicit LiteGraph identifier.
    • Treat external identity federation as out of scope unless a separate design explicitly adds it.

  • 4.9 Dashboard support.

    • Role management page under the admin dashboard.
    • Built-in roles are visible and immutable; custom roles can be created, edited, and deleted where authorized.
    • User role assignment UI supports tenant and graph scopes.
    • Credential scope UI supports role-backed and direct permission/resource grants.
    • Effective user and credential permissions are visible from the dashboard.
    • Permission-aware hiding/disabling of restricted operations.

  • 4.10 Tests.

    • Permission matrix tests in Test.Shared.
    • REST boundary tests.
    • MCP boundary tests.
    • Permission model definition tests for built-in roles, permissions, resource scopes/types, inheritance intent, clone protection, and migration defaults.
    • Role and assignment storage tests for built-in seeding plus create, read, search, update, pagination, filtering, and delete across roles, user-role assignments, and credential-scope assignments.
    • Effective role and credential-scope authorization tests for compatibility fallback, graph scoping, missing permission denials, tenant-role inheritance, direct credential permissions, and query mutation scope.
    • Credential scope and graph allow-list persistence tests in Test.Shared.
    • Authorization service tests for credential scope, graph allow-list, unrestricted-credential compatibility, and tenant decisions.
    • Authorization failure response context tests.
    • Authorization audit persistence/search/delete tests with tenant, graph, user, credential, request ID, correlation ID, trace ID, request type, reason, scope, time window, and pagination filters.
    • Live REST denied-query test verifies a missing-scope denial writes an authorization audit record.
    • Live REST role-management coverage for role CRUD, built-in role immutability, user-role assignment CRUD, credential-scope assignment CRUD, effective permission listing, TenantAdmin access, Viewer denial, and unassigned-user admin denial.
    • Live MCP role/scope management coverage for authorization role CRUD/list, user-role assignment CRUD/list/effective permissions, credential-scope assignment CRUD/list/effective permissions, and admin-token delete results.
    • Live MCP scoped-credential boundary coverage for allowed graph/node/edge/label/tag/vector/query/batch-existence reads plus same-tenant tenant statistics, allowed node and edge list/read-all/search/read-first/enumerate/existence/traversal paths, allowed label/tag/vector list/read-all/enumerate/existence/graph/node/edge paths, allowed vector search, and denied graph create/update/delete, node create/update/delete/bulk-create/bulk-delete/delete-all, edge create/update/delete/bulk-create/bulk-delete/delete-all/node-edge-delete, label/tag/vector create/update/delete/bulk-create/bulk-delete/delete-all/graph-child-delete/node-child-delete/edge-child-delete, mutation queries, transactions, graph allow-list violations including batch existence, node/edge/label/tag/vector list/enumeration/traversal/search, label/tag/vector GUID routes, admin tools, tenant/user/credential admin-boundary and list/enumeration/exists/getmany routes, authorization role/scope/effective-permission admin-boundary routes, and authorization-audit records.
    • Migration/backward compatibility tests for legacy SQLite credentials and authorization schema initialization.
    • Cache invalidation tests for effective policy cache reuse plus role create/update/delete, user-role create/update/delete, and credential-scope create/update/delete invalidation.
    • Query and transaction authorization tests.
      • Query scope classification test for read, vector search, create, MATCH ... SET, and MATCH ... DELETE.
      • Transaction request type/resource mapping tests cover required Write permission over Transaction.
      • Effective role and credential-scope tests cover graph transaction allow/deny behavior.
      • Live MCP scoped-credential boundary tests cover transaction denial paths and matching authorization-audit records.
    • Dashboard authorization tests for role management, credential scopes, effective permissions, and permission-aware disabled actions.

Acceptance Criteria

  • Viewer and Editor roles work out of the box.
  • Graph-level permissions isolate restricted graphs within a tenant.
  • API credentials can be scoped to least privilege.
  • Existing deployments retain effective access after migration.
  • Authorization is enforced consistently at REST and MCP boundaries.
  • Permission checks add minimal request overhead when cached.

5. Observability

Priority: P1 Effort: Large Status: [x] Complete for this release slice; Prometheus, OpenTelemetry/OTLP, profiling, request-history correlation, JSON request logs, dashboard, docs, and tests are implemented Impact: Enables production debugging, metrics, tracing, and performance analysis

Why This Matters

  • Production users need standard monitoring and tracing.
  • Prometheus and OpenTelemetry are the priority targets.
  • Existing request history should be used as supporting operational data, not replaced.

Implementation Steps

  • 5.1 Add request lifecycle foundation.

    • Pass meaningful cancellation tokens from REST handlers into service/repository work.
      • REST authentication, generic agnostic handlers, native query execution, and graph transaction execution now receive request timeout cancellation tokens.
      • Request-history list, summary, read, detail, delete, and bulk-delete routes now pass request timeout cancellation tokens into repository work.
      • Authorization management, token detail, graph update, GEXF export, and vector-index routes now pass request timeout cancellation tokens into service/repository work.
      • REST handler coverage asserts no CancellationToken.None remains in the REST handler partials.
    • Add request timeout settings where missing.
      • Settings.RequestTimeoutSeconds defaults to 60 seconds and can be overridden by LITEGRAPH_REQUEST_TIMEOUT_SECONDS.
    • Ensure query and transaction timeouts are enforced.
      • REST native query and transaction endpoints return HTTP 408 with RequestTimeout when the request timeout token fires.
      • Add correlation/request ID propagation.
      • REST emits x-request-id and x-correlation-id response headers.
      • REST accepts incoming x-request-id, x-correlation-id, traceparent, and tracestate headers.

  • 5.2 Add OpenTelemetry tracing.

    • Add OpenTelemetry-compatible Meter and ActivitySource foundation.
    • Trace REST request lifecycle.
      • Server activity per REST request with method, path, request ID, correlation ID, tenant, graph, status, and duration tags.
    • Trace authentication and authorization.
    • Trace repository operations.
      • Core LiteGraph ActivitySource emits repository operation spans tagged by provider, operation, transactional state, statement count, row count, success, and duration.
    • Trace transactions.
    • Trace query parse/plan/execute phases.
      • REST query activity includes required scope, success, mutation, row count, query kind, and vector-search tags.
      • Core LiteGraph ActivitySource emits dedicated native query, parse, plan, and executor spans for direct client, REST, MCP, and console query execution.
    • Trace vector search and vector index usage.
      • Native query vector search adds vector domain and result count tags to the query activity.
      • Core vector search spans include domain, search type, dimensions, filters, top-k, and result count tags.
      • SQLite HNSW vector index search spans include index type, dirty state, used/skip reason, top-k, and result count tags.
    • Propagate incoming trace context.
    • Export via OTLP configuration.
      • ObservabilitySettings includes opt-in built-in OTLP exporter settings for endpoint, protocol, headers, timeout, and service name.
      • LiteGraph Server subscribes the OTLP tracer and meter providers to both the configured server source/meter and the core LiteGraph source/meter.
      • LITEGRAPH_OTLP_* and standard OTEL_* environment variables are supported where appropriate.

  • 5.3 Add Prometheus metrics.

    • GET /metrics
    • Endpoint can be unauthenticated initially.
    • Request count by route, method, and status.
    • Request duration histograms.
      • Prometheus exposes HTTP request duration bucket, sum, and count samples by method, path, and status code.
    • Query count/duration/failure metrics.
    • Transaction count/duration/rollback metrics.
    • Repository operation count/duration by provider.
      • Prometheus exposes repository operation count and duration summaries by provider, operation, and success.
    • Vector search latency and result count.
    • Authorization allow/deny counters.
    • Storage backend info gauge.
    • Storage backend and connection/pool gauges where available.
      • Prometheus and .NET meters expose configured storage provider, max connection pool size, and command timeout; live pool utilization remains provider-specific future work.
    • Entity count gauges where efficient.
      • Prometheus and .NET meters expose low-cardinality latest-observed entity counts from tenant and graph statistics responses.

  • 5.4 Use request history as observability support.

    • Keep existing request capture and retention.
    • Add links between request history records and correlation/trace IDs.
      • Request history persists request ID, correlation ID, and trace ID.
      • Request history search supports request ID, correlation ID, and trace ID filters.
    • Use request history for recent error/debug views.
      • Request history search supports a success filter, dashboard request-history views include an outcome filter, and the dashboard SDK exposes a recent-errors helper.
    • Ensure sensitive headers and bodies remain redacted/truncated.

  • 5.5 Add structured operational logging where needed.

    • Keep existing logging behavior compatible.
    • Add JSON log output as an option if practical.
      • Settings.Logging.JsonLogOutput enables supported REST request completion logs as single-line JSON records.
    • Include correlation/request IDs.
      • REST request log lines include request ID, correlation ID, and trace ID when available.
    • Avoid logging credentials, tokens, passwords, connection strings, or vector payloads by default.
      • Operational log and trace URL redaction covers bearer-token route segments, sensitive query-string keys, sensitive headers, and vector payload key names.
      • REST debug request logging now emits a sanitized request summary and omits request bodies.

  • 5.6 Add query/request profiling.

    • Profiling request option.
    • Include parse, plan, auth, repository, vector search, transaction, and serialization timing.
      • Query response profile includes parse, plan, execute, and total timings.
      • Scoped query profiling now includes repository operation time/count, vector search time/count, and mutation transaction timing.
      • REST query profiling adds authorization and response serialization timings.
    • Ensure profiling is off by default.
    • Keep overhead low when profiling is disabled.

  • 5.7 Dashboard and documentation.

    • Grafana dashboard JSON template.
      • Added assets/grafana/litegraph-observability-dashboard.json with Prometheus panels for HTTP, query, transaction, vector search, repository, entity count, storage, and auth metrics.
    • Prometheus scrape docs.
    • OpenTelemetry instrumentation docs.
      • Document server and core Meter/ActivitySource names, native query phase spans, vector search spans, vector index search spans, and repository operation spans.
      • Document built-in OTLP exporter settings and environment variables.
    • Dashboard views may use request history for recent request/error inspection.
      • The request-history dashboard view can filter all requests, successful requests, or errors.

  • 5.8 Tests.

    • /metrics service renderer exposes expected metrics.
    • Live /metrics endpoint smoke test verifies unauthenticated access and Prometheus output.
    • Request metrics increment correctly in service-level coverage.
    • HTTP request duration histogram bucket coverage.
    • Query and transaction metrics render correctly in service-level coverage.
    • Vector search metrics render correctly in service-level coverage.
    • Authentication/authorization metrics render correctly in service-level coverage.
    • Storage backend info metric renders correctly in service-level coverage.
    • Trace instrumentation can be enabled without breaking requests.
    • Native query tracing verifies query, parse, plan, execute, vector search, and vector index activity hierarchy and tags.
    • Repository operation metrics render in Prometheus output.
    • Repository operation tracing verifies provider and success tags under native query execution.
    • Storage connection pool and command timeout metrics render in service-level and live /metrics coverage.
    • Entity count metrics render in service-level coverage.
    • Request history includes correlation/trace IDs.
    • Request history success/failure search coverage.
    • Request history redaction and body truncation coverage.
    • Operational log redaction coverage for sensitive URL, header, scalar, connection-string, and vector payload values.
    • Request timeout setting, bounds, environment variable, and HTTP 408 API error coverage.
    • Grafana dashboard template parses and covers exported Prometheus metric families.
    • Dashboard SDK request-history recent-error helper coverage.
    • OTLP exporter settings and provider initialization coverage.
    • Query profile coverage for repository, vector search, transaction, authorization, and serialization timings.
    • JSON operational request log formatting coverage.

Acceptance Criteria

  • Prometheus metrics cover the primary operational signals.
  • OpenTelemetry traces cover REST, auth, repository, query, transaction, and vector search work.
  • /metrics works out of the box.
  • Request history remains available and is correlated with observability IDs.
  • Sensitive data is not exposed in metrics, traces, logs, or request history.

6. SDK, MCP, Dashboard, and Documentation Integration

Priority: P1 Effort: Medium to Large Impact: Makes the release usable across all LiteGraph entry points

Implementation Steps

  • 6.1 C# SDK updates.

    • Query execution.
    • Transaction request models and execution.
    • Transaction request builder.
    • Role and credential scope management through LiteGraphClient.AuthorizationRoles.
    • Storage-related admin models where relevant; embedded C# callers use DatabaseSettings, DatabaseTypeEnum, and GraphRepositoryFactory, and no runtime storage-admin REST model is required for this release.
    • Observability docs/examples where relevant.

  • 6.2 Python SDK updates.

    • Query execution.
    • Transaction helper.
    • Role and credential scope management where appropriate.

  • 6.3 JavaScript SDK updates.

    • Query execution.
    • Transaction helper.
    • Role and credential scope management where appropriate.

  • 6.4 MCP tools.

    • graph/query
    • graph-scoped transaction tool
    • RBAC enforcement for all existing tools
      • Authenticated REST proxy coverage for representative graph/node/edge/label/tag/vector read/write/delete and admin tools, including child-object update/delete denial paths.
      • Authenticated REST proxy coverage for batch/existence graph read checks.
      • Authenticated REST proxy coverage for tenant/user/credential create/read/update/delete and credential bearer/bulk-delete admin-boundary tools.
      • Authenticated REST proxy coverage for tenant/user/credential list/enumerate/exists/getmany plus tenant statistics tools.
      • Authenticated REST proxy coverage for node list/read-all/search/read-first/enumerate/existence/traversal and bulk create/delete tools.
      • Authenticated REST proxy coverage for edge list/read-all/search/read-first/enumerate/existence/node-edge traversal and bulk create/delete tools.
      • Authenticated REST proxy coverage for label list/read-all/enumerate/existence/graph/node/edge and bulk create/delete tools.
      • Authenticated REST proxy coverage for tag/vector list/read-all/enumerate/existence/search/graph/node/edge and bulk create/delete tools.
      • Live MCP scoped-credential boundary coverage for representative read/write/query/transaction/batch-existence/admin tools, node, edge, label, tag, and vector list/bulk/enumeration/traversal/search-style tools, plus tenant/user/credential admin-boundary and list/enumeration tools.
    • Role/scope tools only where safe.
      • authorization/role/*, authorization/userrole/*, authorization/credentialscope/*, authorization/user/permissions, and authorization/credential/permissions are authenticated REST-proxy tools on HTTP, TCP, and WebSocket MCP transports.

  • 6.5 Dashboard.

    • API Explorer examples for query and transaction.
      • Transaction request template and failure summary.
      • Query request template.
      • Query line/column error summary.
    • Role and credential scope management where appropriate.
    • Permission-aware UI behavior.
    • Request history observability enhancements.
    • Metrics/tracing setup docs or links.

  • 6.6 Documentation.

    • Storage backend configuration.
    • PostgreSQL production setup and production hardening.
    • SQLite-to-PostgreSQL migration; target sequence, provider-neutral migration tooling, and verification behavior are documented.
    • Create DSL.md with thorough native graph query language syntax, semantics, examples, parameters, result shape, and current limitations.
    • Transaction API guide.
    • RBAC and scoped credential guide for currently implemented scoped credentials and current RBAC limits.
    • Prometheus and OpenTelemetry guide for currently implemented metrics/instrumentation.
    • LiteGraphConsole usage and global-tool install guide.
    • Upgrade/migration guide for existing deployments.

Acceptance Criteria

  • Each new user-facing feature has REST documentation.
  • SDKs expose the features where appropriate.
  • MCP exposes the features where appropriate.
  • Dashboard includes support where appropriate.
  • Documentation includes migration and operational setup guidance.

7. Test Strategy

Priority: P1 Effort: Large Impact: Ensures the release is safe across backends and entry points

Required Test Suites

  • 7.1 Storage backend suites.

    • SQLite.
    • PostgreSQL.
      • Factory coverage verifies the PostgreSQL repository implementation is selected.
      • SQL translation unit coverage verifies core provider dialect rewrites.
      • Environment-gated live smoke covers initialization, core graph child CRUD, and graph transaction commit/rollback.
      • Full SQLite parity suite against PostgreSQL.
    • MySQL and SQL Server placeholders or preview suites if applicable.
    • PostgreSQL, MySQL, and SQL Server provider suites are registered with explicit dependency skip reasons when test connection strings are not configured.

  • 7.2 Transaction suites.

    • Successful mixed operation commit.
    • Rollback on failure.
    • Attach, detach, and upsert operation coverage.
    • Timeout/cancellation.
      • Pre-cancelled transaction coverage.
      • Long-running transaction timeout rollback coverage.
    • Concurrent transaction behavior.
      • SQLite active-transaction guard coverage for transaction API and query mutation rejection.
      • PostgreSQL live concurrent transaction coverage through separate repository instances.
    • Vector index dirty/repair behavior.

  • 7.3 Query suites.

    • Initial lexer coverage.
    • Parser.
    • Planner.
      • Initial planner seed/warning/mutation tests in Test.Shared.
      • OR/NOT scan-warning and seed-avoidance coverage.
      • Aggregate scan-warning and cost coverage.
    • Read queries.
      • Initial node, edge, fixed multi-hop, data filter, string predicate, and ordering coverage.
      • OR/NOT, parentheses, IN list, and tag-aware predicate coverage for node, edge, and fixed-path reads.
      • Aggregate read coverage for node, edge, fixed-path, data-field, cost, and tag-value aggregates.
    • Mutation queries.
      • Initial node, edge, label, tag, and vector create/update/delete coverage.
    • Vector queries.
      • Node, edge, graph-scoped, and vector-indexed node search through native query CALL.
    • Error messages.
      • Initial parser, missing parameter, invalid GUID parameter, and unsupported return-variable messages.
    • Timeout/cancellation.
      • Initial pre-cancelled query execution coverage.
    • Opt-in query execution profile coverage.
    • Bounded variable-length path, shortest path, optional match, and query execution engine extraction coverage.
    • Environment-gated PostgreSQL native-query smoke coverage.

  • 7.4 RBAC suites.

    • Built-in roles.
      • Built-in role definition coverage.
      • Request type, permission, resource type, and role matrix coverage.
      • SQLite built-in role seeding and role storage coverage.
      • Effective built-in role assignment coverage through AuthorizationService.
    • Graph-level permissions.
      • Effective graph-scope assignment coverage through AuthorizationService.
    • Scoped credentials.
      • Persistence coverage for credential scopes and graph allow-lists.
      • User-role assignment and credential-scope assignment storage coverage.
      • Effective credential-scope assignment coverage through AuthorizationService.
      • Central authorization service coverage for credential scope, graph allow-list, unrestricted-credential compatibility, and tenant decisions.
      • Effective-permission cache reuse and invalidation coverage for role/scope mutation paths.
      • Authorization audit storage and live REST missing-scope denial coverage.
    • Existing deployment migration coverage for legacy SQLite credentials and authorization schema initialization.
    • REST enforcement.
      • Live REST graph-query missing-scope denial coverage.
      • Live REST role-management coverage for role CRUD, assignment CRUD, effective permission listing, built-in immutability, TenantAdmin access, Viewer denial, and unassigned-user admin denial.
    • MCP enforcement.
      • Live MCP scoped-credential coverage for allowed graph/node/edge/label/tag/vector/query/batch-existence reads plus same-tenant tenant statistics, allowed node and edge list/read-all/search/read-first/enumerate/existence/traversal paths, allowed label/tag/vector list/read-all/enumerate/existence/graph/node/edge paths, allowed vector search, denied graph create/update/delete, node create/update/delete/bulk-create/bulk-delete/delete-all, edge create/update/delete/bulk-create/bulk-delete/delete-all/node-edge-delete, label/tag/vector create/update/delete/bulk-create/bulk-delete/delete-all/graph-child-delete/node-child-delete/edge-child-delete, mutation query, graph transaction, graph allow-list violations including batch existence, node/edge/label/tag/vector list/enumeration/traversal/search, and child-object GUID routes, admin flush, tenant/user/credential admin-boundary/list/enumeration tools, authorization role/scope/effective-permission admin-boundary tools, and matching authorization audit records.
      • Live MCP admin-token role/scope tool coverage for role CRUD/list, user-role CRUD/list/effective permissions, and credential-scope CRUD/list/effective permissions.

  • 7.5 Observability suites.

    • Metrics endpoint.
    • Metrics values after representative requests.
      • Service-level HTTP, query, vector search, transaction, and auth metric rendering.
    • Trace enablement smoke tests.
    • Request history correlation.
    • Sensitive data redaction.

  • 7.6 SDK/MCP/dashboard tests.

    • SDK request/response model tests.
      • Python query request/result model and execution helper tests.
      • JavaScript query request/result model and execution helper tests.
      • Python transaction request builder, execution, and context helper tests.
      • JavaScript transaction builder, execution, and rollback-detail tests.
      • Python authorization role, user-role, credential-scope, and effective-permission helper tests.
      • JavaScript authorization role, user-role, credential-scope, and effective-permission helper tests.
    • C# transaction request builder test in Test.Shared.
    • MCP tool tests.
    • MCP graph/query live-host test in Test.Shared.
    • MCP graph/transaction live-host test in Test.Shared.
    • MCP authorization role/scope live-host tests in Test.Shared.
    • Dashboard unit/integration tests where UI changes exist.
      • Authorization dashboard tests cover role list immutability, user role assignment display, credential scope display, effective-permission display, and disabled mutation actions without admin permission.
      • API Explorer tests cover query request templates and query line/column error summaries.
      • Request history observability tests cover metrics/tracing links and visible request statistics.

Runner Requirements

  • Test descriptors live in src/Test.Shared.
  • Console execution through src/Test.Automated.
  • xUnit exposure through src/Test.Xunit.
  • NUnit exposure through src/Test.Nunit.
  • Tests create and clean up their own data.
  • Provider-specific tests can be skipped with clear skip reasons when dependencies are unavailable.

Acceptance Criteria

  • The same core behavior tests run against SQLite and PostgreSQL.
  • Release blockers are visible from Test.Automated.
  • xUnit and NUnit runners expose the shared suites.
  • Performance and benchmark tests are documented even if not run on every commit.

Release Acceptance Criteria

The release is complete when:

  • SQLite remains backward compatible and default.
  • PostgreSQL is production-ready and documented.
  • Storage architecture can support MySQL and SQL Server without redesign.
  • Graph-scoped transactions work for nodes, edges, labels, tags, and vectors.
  • Native query endpoint supports reads, traversals, vector search, and child-object mutations.
  • Query language syntax and parameter model decisions are documented in DSL.md.
  • LiteGraphConsole is available as a solution project and can be installed as the lg global tool for local database or remote endpoint sessions.
  • RBAC and scoped credentials are enforced at REST and MCP boundaries.
  • Existing users and credentials retain effective full access after migration.
  • Prometheus metrics and OpenTelemetry tracing work out of the box.
  • Request history is correlated with observability IDs.
  • SDK, MCP, dashboard, and docs are updated where appropriate.
  • Tests are implemented in Test.Shared and exposed through automated, xUnit, and NUnit runners.

Remaining Query Work

  • Choose the familiar graph-query syntax target.
  • Decide the query parameter model.
  • Expand examples to 20+ covered queries.
  • Replace the initial regex-backed implementation with the full lexer/parser/planner/executor pipeline.
    • Query execution now routes through Planner and Executor components.
  • Add supplied-vector search coverage.
    • Native query vector search covers node, edge, graph-scoped graph vector, and vector-indexed node domains.
  • Add edge/label/tag/vector create mutation coverage.
  • Add update/delete mutation query coverage.
    • Node and edge update/delete via MATCH ... WHERE <var>.guid = ... SET/DELETE ... RETURN ....
    • Label, tag, and vector update/delete via MATCH LABEL|TAG|VECTOR ... WHERE <var>.guid = ... SET/DELETE ... RETURN ....
  • Add deeper traversal and multi-hop pattern coverage.
    • Fixed directed multi-hop patterns such as (a)-[e1]->(b)-[e2]->(c).
    • Bounded variable-length paths, shortest path, optional matches, and richer traversal operators.
  • Create and maintain DSL.md as the canonical query-language guide.
  • Create LiteGraphConsole and package it as the lg global tool for interactive and scripted query execution.
  • Add MCP graph/query execution through the REST query endpoint.
  • Move execution into dedicated planner/executor components.
    • Added GraphQueryPlan, Planner, and Executor.
    • Removed obsolete direct QueryMethods.ExecuteParsed dispatcher.
    • Move remaining execution helper logic out of QueryMethods.

The query language is no longer blocked by product decisions. The current implementation is a parser-backed Cypher/GQL-inspired LiteGraph-native profile for node MATCH, edge MATCH, fixed directed multi-hop MATCH, bounded variable-length path MATCH, MATCH SHORTEST, top-level read-only OPTIONAL MATCH, equality predicates over GUID/name/data fields, numeric comparison predicates over data fields, string predicates over supported name/data fields, OR/NOT/AND predicate expressions, list predicates, tag predicates, aggregate returns, ORDER BY, node/edge/label/tag/vector CREATE, graph-child SET and DELETE mutations, supplied-vector search through CALL litegraph.vector.searchNodes(...), REST execution, C#/Python/JavaScript SDK execution, MCP graph/query, API Explorer execution templates, and LiteGraphConsole execution.