Implement Galaxy filters and API key constraints

docs/Authentication.md

@@ -91,12 +91,15 @@ return ApiKeyVerificationResult.Success(new ApiKeyIdentity(
     KeyId: storedKey.KeyId,
     KeyPrefix: storedKey.KeyPrefix,
     DisplayName: storedKey.DisplayName,
-    Scopes: storedKey.Scopes));
+    Scopes: storedKey.Scopes,
+    Constraints: storedKey.Constraints));
 ```
 
 `ApiKeyVerificationResult` carries either an `ApiKeyIdentity` or a discriminated `ApiKeyVerificationFailure` value. The failure enum distinguishes parse errors, missing pepper, missing or revoked keys, and secret mismatch so the calling middleware can emit precise audit detail without leaking which check failed to the client.
 
-`ApiKeyIdentity` exposes only non-secret fields (`KeyId`, `KeyPrefix`, `DisplayName`, `Scopes`) and is the type downstream authorization code consumes.
+`ApiKeyIdentity` exposes only non-secret fields (`KeyId`, `KeyPrefix`,
+`DisplayName`, `Scopes`, and `Constraints`) and is the type downstream
+authorization code consumes.
 
 ## Storage
 
@@ -131,7 +134,9 @@ public SqliteConnection CreateConnection()
 
 `SqliteAuthSchema` declares table names and the current schema version as constants. Three tables are involved:
 
-- `api_keys` stores `key_id`, `key_prefix`, the `secret_hash` blob, `display_name`, serialized `scopes`, and the `created_utc`, `last_used_utc`, and `revoked_utc` timestamps.
+- `api_keys` stores `key_id`, `key_prefix`, the `secret_hash` blob,
+  `display_name`, serialized `scopes`, optional serialized `constraints`, and
+  the `created_utc`, `last_used_utc`, and `revoked_utc` timestamps.
 - `api_key_audit` is an append-only log keyed by an autoincrement `audit_id` with `key_id`, `event_type`, `remote_address`, `created_utc`, and `details` columns.
 - `schema_version` carries a single row whose `version` column is matched against `SqliteAuthSchema.CurrentVersion`.
 
@@ -150,9 +155,10 @@ public static ApiKeyRecord Read(SqliteDataReader reader)
         SecretHash: (byte[])reader["secret_hash"],
         DisplayName: reader.GetString(3),
         Scopes: ApiKeyScopeSerializer.Deserialize(reader.GetString(4)),
-        CreatedUtc: DateTimeOffset.Parse(reader.GetString(5), System.Globalization.CultureInfo.InvariantCulture),
-        LastUsedUtc: ReadNullableDateTimeOffset(reader, 6),
-        RevokedUtc: ReadNullableDateTimeOffset(reader, 7));
+        Constraints: ApiKeyConstraintSerializer.Deserialize(reader.IsDBNull(5) ? null : reader.GetString(5)),
+        CreatedUtc: DateTimeOffset.Parse(reader.GetString(6), System.Globalization.CultureInfo.InvariantCulture),
+        LastUsedUtc: ReadNullableDateTimeOffset(reader, 7),
+        RevokedUtc: ReadNullableDateTimeOffset(reader, 8));
 }
 ```
 
@@ -193,8 +199,8 @@ The supported subcommands match `ApiKeyAdminCommandKind` exactly:
 | Subcommand | Required options | Behaviour |
 |------------|------------------|-----------|
 | `init-db` | none | Runs the migrator and records an audit entry. |
-| `create-key` | `--key-id`, `--display-name` | Generates a new secret, stores its peppered hash, and prints the assembled `mxgw_<keyId>_<secret>` token. |
-| `list-keys` | none | Lists every stored key with its scopes and revocation state. |
+| `create-key` | `--key-id`, `--display-name` | Generates a new secret, stores its peppered hash and optional constraints, and prints the assembled `mxgw_<keyId>_<secret>` token. |
+| `list-keys` | none | Lists every stored key with its scopes, constraints, and revocation state. |
 | `revoke-key` | `--key-id` | Sets `revoked_utc` if the key is currently active. |
 | `rotate-key` | `--key-id` | Replaces the secret hash and prints the new token. |
 
@@ -203,11 +209,18 @@ Examples:
 ```bash
 mxgateway apikey init-db
 mxgateway apikey create-key --key-id ops.alice --display-name "Alice (ops)" --scopes read,write
+mxgateway apikey create-key --key-id area1.reader --display-name "Area 1 reader" --scopes invoke:read,metadata:read --read-subtree "Area1/*" --browse-subtree "Area1/*"
 mxgateway apikey list-keys --json
 mxgateway apikey revoke-key --key-id ops.alice
 mxgateway apikey rotate-key --key-id ops.alice
 ```
 
+Constraint flags are optional. `--read-subtree`, `--write-subtree`,
+`--read-tag-glob`, `--write-tag-glob`, and `--browse-subtree` are repeatable.
+`--max-write-classification` accepts one integer. `--read-alarm-only` and
+`--read-historized-only` are boolean flags. Existing rows with null
+constraints remain fully unconstrained after migration.
+
 Key ids are restricted by the parser to ASCII letters, digits, periods, and hyphens so they remain safe to embed in the token format and in URL paths used by administrative tooling.
 
 ## Scope Serialization

docs/Authorization.md

@@ -1,6 +1,8 @@
 # Gateway gRPC Authorization
 
-The authorization subsystem enforces per-RPC scope checks against the authenticated `ApiKeyIdentity` produced by the authentication layer, so service implementations never need to repeat permission logic.
+The authorization subsystem has two layers. The gRPC interceptor enforces the
+verb scope required by the RPC. Service-layer constraint checks then narrow
+what an authenticated API key can browse, read, or write inside the Galaxy.
 
 ## Overview
 
@@ -12,6 +14,8 @@ The participating types live under `src/MxGateway.Server/Security/Authorization/
 - `GatewayGrpcScopeResolver` maps a request message (and, for `MxCommandRequest`, the inner `MxCommandKind`) to the scope string that must be present on the caller.
 - `GatewayScopes` exposes the canonical scope constants used by the resolver and any downstream consumer.
 - `GatewayRequestIdentityAccessor` and `IGatewayRequestIdentityAccessor` expose the verified identity to handlers and any service code that runs inside the call.
+- `IConstraintEnforcer` applies optional API-key constraints against the
+  cached Galaxy hierarchy from service bodies.
 - `GrpcAuthorizationServiceCollectionExtensions` wires the components into the DI container and the gRPC pipeline.
 
 The `ApiKeyIdentity` consumed here is produced by the authentication layer; see [Authentication](./Authentication.md) for how it is built and how scopes are persisted.
@@ -21,7 +25,9 @@ The `ApiKeyIdentity` consumed here is produced by the authentication layer; see
 Centralizing the policy in `GatewayGrpcAuthorizationInterceptor` produces three concrete benefits:
 
 1. Every RPC defined in `MxAccessGatewayService` is covered by construction. A new RPC inherits the check the moment its request type is added to `GatewayGrpcScopeResolver`, instead of relying on each service method to remember to call an authorization helper.
-2. The service class stays a thin translator between proto contracts and domain calls. RPC methods do not branch on identity or scope, which keeps the AGENTS.md guideline that gRPC handlers contain no policy.
+2. Verb-scope policy stays centralized. Request-specific constraints still run
+   in service bodies because they need command payloads, item handles, and
+   Galaxy metadata that the interceptor should not inspect.
 3. Authentication and authorization happen in one place, so the gRPC `Status` mapping is consistent. A failed key check always returns `Unauthenticated`, and a missing scope always returns `PermissionDenied` with the offending scope name.
 
 ## Interceptor Flow
@@ -131,6 +137,43 @@ private static string ResolveCommandScope(MxCommandKind kind)
 
 Reads (`Register`, `AddItem`, `Advise`, and any other unspecified kind) fall through to `InvokeRead`, which keeps the matrix small while still separating reads from writes, secured writes, metadata lookups, event drains, and worker shutdown.
 
+## Constraint Enforcement
+
+`ApiKeyIdentity.Constraints` is optional. Empty constraints preserve the
+previous behavior: the key is authorized only by its verb scopes. Non-empty
+constraints are stored as JSON in `api_keys.constraints` and are applied by
+`IConstraintEnforcer` after the interceptor succeeds.
+
+Supported constraints are:
+
+| Constraint | Meaning |
+|------------|---------|
+| `read_subtrees` | Contained-path globs allowed for read/subscription commands. |
+| `write_subtrees` | Contained-path globs allowed for write commands. |
+| `read_tag_globs` | Tag-address globs allowed for read/subscription commands. |
+| `write_tag_globs` | Tag-address globs allowed for write commands. |
+| `max_write_classification` | Maximum Galaxy attribute `security_classification` a key may write. |
+| `browse_subtrees` | Contained-path globs used to filter Galaxy browse results and deploy-event counts. |
+| `read_alarm_only` | Read/subscription commands must target objects with alarm-bearing attributes. |
+| `read_historized_only` | Read/subscription commands must target objects with historized attributes. |
+
+Glob matching is anchored, case-insensitive, and supports `*` and `?`.
+Subtree and tag glob lists are alternatives: matching either list allows that
+scope dimension. Empty lists mean unconstrained for that dimension.
+
+The service checks read constraints for `AddItem`, `AddItem2`, `AddItemBulk`,
+`SubscribeBulk`, and `AdviseItemBulk`. It checks write constraints for
+`Write`, `Write2`, `WriteSecured`, and `WriteSecured2`. Successful item
+registrations are tracked per session so later item-handle commands resolve
+back to the original tag address. If a constrained key presents an unknown item
+handle, the gateway fails closed.
+
+Non-bulk constraint failures return gRPC `PermissionDenied`. Bulk read
+commands preserve input order and return a failed `SubscribeResult` for each
+denied item while still forwarding allowed items to the worker. Every denial
+adds an `api_key_audit` entry with the key id, command kind, target, and
+blocking constraint; secured values and raw credentials are never logged.
+
 ## Scope Catalog
 
 `GatewayScopes` is the single source of truth for scope strings. Every entry is currently mapped by either the resolver or another security component:

docs/GalaxyRepository.md

@@ -37,10 +37,19 @@ The service is defined in
 
 `DiscoverHierarchy` is a paged unary RPC. The raw request accepts `page_size`
 and `page_token`; the server defaults omitted page size to 1000 objects and
-caps every page at 5000 objects. Invalid page tokens and negative page sizes
-return `InvalidArgument`. Official high-level clients preserve the older
+caps every page at 5000 objects. Page tokens bind to the cache sequence and the
+active filter set, so changing filters between pages returns `InvalidArgument`
+instead of mixing snapshots. Official high-level clients preserve the older
 "return the full hierarchy" behavior by looping pages internally.
 
+The request can also slice the cached hierarchy without running new SQL. A
+caller may choose one root (`root_gobject_id`, `root_tag_name`, or
+`root_contained_path`) and may combine that with `max_depth`, category ids,
+template-chain substring filters, an anchored case-insensitive tag-name glob,
+alarm-only, historized-only, and `include_attributes = false` for a skeleton
+tree. All filters are applied with AND semantics, and `total_object_count`
+reports the post-filter count.
+
 ## Hierarchy Cache
 
 The gateway holds a single shared `IGalaxyHierarchyCache`
@@ -145,7 +154,19 @@ message GalaxyAttribute {
 
 message DiscoverHierarchyRequest {
   int32 page_size = 1;    // omitted/0 uses the server default of 1000
-  string page_token = 2;  // opaque offset token returned by the previous page
+  string page_token = 2;  // opaque token returned by the previous page
+  oneof root {
+    int32 root_gobject_id = 3;
+    string root_tag_name = 4;
+    string root_contained_path = 5;
+  }
+  google.protobuf.Int32Value max_depth = 6;
+  repeated int32 category_ids = 7;
+  repeated string template_chain_contains = 8;
+  string tag_name_glob = 9;
+  optional bool include_attributes = 10;
+  bool alarm_bearing_only = 11;
+  bool historized_only = 12;
 }
 
 message DiscoverHierarchyReply {
@@ -249,6 +270,11 @@ privilege to `MxCommandKind.GetSessionState` or `MxCommandKind.GetWorkerInfo`.
 The mapping lives in `GatewayGrpcScopeResolver`; see
 [Authorization](./Authorization.md) for the full scope catalog.
 
+API keys can also carry `browse_subtrees` constraints. `DiscoverHierarchy`
+intersects those contained-path globs with the caller's request filters.
+`WatchDeployEvents` still emits deploy notifications, but its object and
+attribute counts are scoped to the caller's browsable subtrees.
+
 A request without an API key returns `Unauthenticated`. A request with a key
 that lacks `metadata:read` returns `PermissionDenied` with the missing scope
 embedded in the status detail.