Refactor routes - finish authguards

[aaronlmathis]

No description provided.

[Copilot]

Pull Request Overview

This pull request refactors the routes implementation by extracting the Server struct and handlers from internal/api into a new internal/server package to resolve circular import issues. The refactor introduces a contract-based architecture where handlers are organized by tiers (public, admin, read, write, apply, system, static) and the server package exports all handler methods for clean interface compliance.

Key changes:

• Extracted Server struct and all handlers from internal/api to internal/server package
• Renamed all private handler methods (handleXxx) to exported methods (HandleXxx)
• Added HPA (HorizontalPodAutoscaler) support with timeseries integration and WebSocket broadcasting
• Implemented interface-based routing contracts to eliminate circular imports

Reviewed Changes

Copilot reviewed 141 out of 145 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
internal/server/	New package containing extracted Server struct and all handlers with exported method names
internal/timeseries/keys.go	Added HPA-level metric base keys for tracking replica counts and scale events
internal/k8s/informers/	Added HPA informer support with event handling and timeseries integration
internal/metrics/prometheus.go	Added HPA-specific Prometheus metrics for monitoring
proposed_reorganization.md	Removed comprehensive API reorganization proposal documentation
internal/authz/phase4_e2e_test.go	Removed end-to-end authorization tests

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

[nitpick] Remove the TODO comment as it doesn't provide actionable information. The comment acknowledges a previous state but doesn't indicate what needs to be done or if any action is required.

Suggested change

	responses = append(responses, s.endpointsToResponse(endpoint)) // TODO: This was calling response formatter from api package.
	responses = append(responses, s.endpointsToResponse(endpoint))

[Copilot]

The removed import of context on line 4 appears to be used in the dryRunRBACConfiguration and applyRBACConfiguration methods which now take an *http.Request parameter instead of context.Context. Verify that the context is properly extracted from the request in these methods.

Suggested change

	import (
	import (
	"context"

[Copilot]

The modification from always checking user bindings to only checking when authz.mode == \"user_bindings\" changes the behavior. Ensure this change is intentional and doesn't break existing functionality for other authorization modes.

[Copilot]

Using an empty struct auth.CSPNonceKey{} as a context key creates a new instance each time. This should typically be a package-level variable or constant to ensure the same key is used consistently across the application.

Suggested change

	if nonceValue := r.Context().Value(auth.CSPNonceKey{}); nonceValue != nil {
	if nonceValue := r.Context().Value(auth.CSPNonceKey); nonceValue != nil {

[Copilot]

[nitpick] The capability service TTL configuration is sourced from s.config.Caching.SummaryTTL but this is conceptually about capability caching, not summary caching. Consider using a more specific configuration field like s.config.Caching.CapabilityTTL or documenting why SummaryTTL is being reused.