
using Aegis.API.Auth;
using Aegis.Application.Abstractions;
using Aegis.Application.DataStores.ListDataStores;
using Aegis.Repository.Caching;
using Aegis.Repository.Crypto;
using Aegis.Repository.SQLite;
using Aegis.Repository.SQLite.Repositories;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
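var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddOpenApi(); // document is registered but not mapped below, so it is not served
builder.Services.AddMemoryCache();

// --- Authentication: bearer JWTs validated against the configured OIDC authority.
// Both values are mandatory; without them no token could be validated, so fail at
// startup rather than at the first request.
var authority = builder.Configuration["Auth:Authority"]
    ?? throw new InvalidOperationException("Missing config: Auth:Authority");
var audience = builder.Configuration["Auth:Audience"]
    ?? throw new InvalidOperationException("Missing config: Auth:Audience");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        // With Authority set, the handler pulls the issuer and signing keys from the
        // authority's discovery document, so neither is hard-coded here. Discovery must
        // stay on HTTPS: over plaintext an on-path attacker could substitute signing keys.
        // This is the handler's default; stated explicitly so a later edit cannot relax it
        // unnoticed.
        o.Authority = authority;
        o.Audience = audience;
        o.RequireHttpsMetadata = true;
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            NameClaimType = "name",
            RoleClaimType = "roles"
        };
        // NOTE(review): the handler maps inbound claim types by default (e.g. "sub" ->
        // ClaimTypes.NameIdentifier). UserResolutionMiddleware keys on (iss, sub); confirm
        // it reads the mapped name, or set o.MapInboundClaims = false here.
    });
builder.Services.AddAuthorization();

// --- SQLite manifest store.
// The relative-path fallback is a developer convenience only. In any other environment
// it would silently create an empty database in the working directory, so require an
// explicit connection string there, consistent with the other mandatory settings above.
var cs = builder.Configuration.GetConnectionString("AegisManifest");
if (cs is null)
{
    if (!builder.Environment.IsDevelopment())
    {
        throw new InvalidOperationException("Missing config: ConnectionStrings:AegisManifest");
    }
    cs = "Data Source=aegis_manifest.db;Cache=Shared;";
}
builder.Services.AddSingleton(new SqliteConnectionFactory(cs));

// Resolves (iss, sub) -> user_id (once per TTL)
builder.Services.AddScoped<IUserIdentityRepository, UserIdentityRepository>();

// ListDatastores
builder.Services.AddScoped<IDataStoreReadRepository, DataStoreReadRepository>();

// Unlocked cache (status)
builder.Services.AddSingleton<MemoryUnlockedDatastoreCache>();
builder.Services.AddSingleton<IUnlockedDataStoreCache>(sp => sp.GetRequiredService<MemoryUnlockedDatastoreCache>());

// --- Label key / crypto (LK).
// The server secret is the root of the label keys, so it must be supplied from a secret
// store (user-secrets, environment, vault) and never from a committed appsettings file.
var serverSecretB64 = builder.Configuration["Aegis:LabelKey:ServerSecretB64"]
    ?? throw new InvalidOperationException("Missing config: Aegis:LabelKey:ServerSecretB64");

byte[] serverSecret;
try
{
    serverSecret = Convert.FromBase64String(serverSecretB64);
}
catch (FormatException ex)
{
    // Surface the offending key instead of a bare FormatException from the decoder.
    throw new InvalidOperationException("Invalid config: Aegis:LabelKey:ServerSecretB64 is not valid base64", ex);
}

// An empty or very short value passes the null check above (e.g. "" decodes to zero
// bytes) and would be accepted as key material. Insist on a 128-bit floor before wiring
// the provider; raise it if ServerSecretLabelKeyProvider derives longer keys from it.
const int MinServerSecretBytes = 16;
if (serverSecret.Length < MinServerSecretBytes)
{
    throw new InvalidOperationException(
        $"Invalid config: Aegis:LabelKey:ServerSecretB64 must decode to at least {MinServerSecretBytes} bytes");
}

builder.Services.AddSingleton<ILabelKeyProvider>(new ServerSecretLabelKeyProvider(serverSecret));
builder.Services.AddSingleton<ILabelCrypto, AesGcmLabelCrypto>();

// Use case
builder.Services.AddScoped<ListDataStoresUseCase>();

// API helpers
builder.Services.AddHttpContextAccessor();
builder.Services.AddScoped<CurrentUserAccessor>();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    // Pair the redirect with HSTS so browsers stop issuing the initial plaintext request.
    app.UseHsts();
}
app.UseHttpsRedirection();

// Auth pipeline. Order matters: the principal must exist (UseAuthentication) before the
// resolution middleware can look up the user, and that lookup must run before any
// authorization policy evaluates the injected claim.
app.UseAuthentication();
app.UseMiddleware<UserResolutionMiddleware>(); // injects the aegis_uid claim via cache/DB
app.UseAuthorization();

app.MapControllers();
app.Run();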