feat: add taxonomy service auth boundary

[BhagyaAmarasinghe]

fixes ENG-1155

Summary

• Add Hub taxonomy auth configuration for TAXONOMY_SERVICE_URL, TAXONOMY_SERVICE_TOKEN, and HUB_INTERNAL_API_TOKEN.
• Mount /internal/v1/taxonomy/auth-check behind the internal Hub token when configured.
• Add a Hub outbound taxonomy client that sends the taxonomy service Bearer token and propagates X-Request-ID.
• Wire Helm values/secrets and .env.example documentation for the beta taxonomy service boundary.

Why

ENG-1155 defines the beta auth boundary between Hub and the standalone taxonomy service. Hub remains the API/data authority, while the Python taxonomy service calls only Hub internal APIs using a separate internal token.

Validation

• go test -count=1 ./cmd/api ./internal/config ./internal/api/handlers ./internal/service
• helm template hub ./charts/hub --set secrets.stringData.DATABASE_URL=postgres://user:pass@db:5432/hub --set secrets.stringData.API_KEY=hub-api-key --set config.data.TAXONOMY_SERVICE_URL=http://taxonomy.default.svc.cluster.local:8000 --set secrets.stringData.TAXONOMY_SERVICE_TOKEN=taxonomy-service-token --set secrets.stringData.HUB_INTERNAL_API_TOKEN=hub-internal-token

[coderabbitai]

Walkthrough

This pull request adds optional taxonomy service integration to Hub. The changes introduce a new TaxonomyConfig with validation for the service URL, an internal HTTP endpoint (/internal/v1/taxonomy/auth-check) protected by token authentication, a client to communicate with the external taxonomy service, and complete Kubernetes/Helm deployment support. All code paths include tests verifying configuration validation, authentication behavior, header propagation, and error handling.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 22.22% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The PR description covers the main changes, rationale, and provides validation steps, but does not include explicit testing instructions or a comprehensive pre-merge checklist as required by the template.	Complete the 'How should this be tested?' section with detailed testing steps and check off all applicable items in the Required and Appreciated checklist sections.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: add taxonomy service auth boundary' clearly and concisely summarizes the main change in the changeset, following Conventional Commits specification.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/api/app_test.go`:
- Line 300: The linter fails because there is no blank line before the recorder
declaration after creating the request; add a single blank line between the
request := httptest.NewRequestWithContext(...) statement and the recorder
declaration (e.g., recorder := httptest.NewRecorder()) so the wsl whitespace
rule is satisfied and the build passes.

In `@cmd/api/app.go`:
- Line 396: Add a blank line immediately before the conditional that checks
cfg.Taxonomy.HubInternalAPIToken (the if statement starting with "if
cfg.Taxonomy.HubInternalAPIToken != \"\"") to satisfy the wsl linter; locate
this conditional in app.go (around the handler/initialization section where cfg
is used) and insert a single empty line above it so the linter no longer flags
missing whitespace.

In `@internal/api/handlers/taxonomy_internal_handler.go`:
- Around line 17-23: Update the doc comment on the AuthCheck method of
TaxonomyInternalHandler to state that authentication is enforced by middleware
rather than by this handler; specifically, change the comment to indicate
AuthCheck simply returns a 200 OK JSON confirming successful
authentication/authorization (the actual token validation is performed by
middleware.Auth applied to the route), and ensure the comment references the
middleware.Auth enforcement and the AuthCheck handler name so readers understand
responsibility separation.

In `@internal/service/taxonomy_client.go`:
- Around line 15-18: Add a godoc comment immediately above the exported error
ErrTaxonomyServiceURLRequired describing what it means and when it is returned
(e.g., "ErrTaxonomyServiceURLRequired is returned when the TAXONOMY_SERVICE_URL
environment variable is not set."); place the comment above the var block (next
to ErrTaxonomyServiceTokenRequired if desired) so the documentation generator
picks it up and the intent of ErrTaxonomyServiceURLRequired is clear.
- Around line 58-88: Define a package-level sentinel error (e.g.,
ErrTaxonomyNon2xx) near the top of the file and replace the dynamic error
returned in TaxonomyClient.StartRun when resp.StatusCode is not 2xx with a
wrapped error that uses the sentinel (for example, fmt.Errorf("%w: taxonomy
service returned status %d", ErrTaxonomyNon2xx, resp.StatusCode)); this
preserves a stable sentinel for error checks while still including the status
code as diagnostic context.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ce1291db-9450-424b-9cc3-a5b572fa89e7

📥 Commits

Reviewing files that changed from the base of the PR and between 602726b and 325e64b.

📒 Files selected for processing (11)

• .env.example
• charts/hub/templates/NOTES.txt
• charts/hub/templates/secret.yaml
• charts/hub/values.yaml
• cmd/api/app.go
• cmd/api/app_test.go
• internal/api/handlers/taxonomy_internal_handler.go
• internal/config/config.go
• internal/config/config_test.go
• internal/service/taxonomy_client.go
• internal/service/taxonomy_client_test.go

[xernobyl]

Nothing other than the coderabbit comments :)

[xernobyl]

LGTM