feat: Spec enrichment, prometheus metrics

.github/workflows/documentation.yml

@@ -2,11 +2,11 @@ name: Documentation
 
 on:
   push:
-    branches: 
-      - documentation
+    branches:
+      - development
   pull_request:
-    branches: 
-      - documentation
+    branches:
+      - development
 
 jobs:
   deploy:
@@ -22,7 +22,7 @@ jobs:
       - name: List directory structure
         run: |
           ls -la
-          ls -la website/
+          ls -la docusaurus/
 
       # Generate SVG files using PlantUML
       - name: plantuml
@@ -38,7 +38,7 @@ jobs:
         id: deploy
         uses: redkubes/docusaurus-deploy-action@v1.2
         with:
-          source-folder: website
+          source-folder: docusaurus
           git-user: ${{ github.actor }}
           git-password: ${{ secrets.GITHUB_TOKEN }}
           deployment-branch: gh-pages

.github/workflows/sbom.yml

@@ -0,0 +1,91 @@
+name: SBOM
+
+on:
+  push:
+    branches: [main, development, feature/**, bugfix/**, hotfix/**]
+  pull_request:
+    branches: [main, development]
+
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    name: "SBOM Generation & Validation"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref || github.ref_name }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.3"
+          extensions: mbstring, intl, zip, gd, curl, xml, json
+          tools: composer:v2
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: vendor
+          key: ${{ runner.os }}-composer-${{ hashFiles('composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install Composer dependencies
+        run: composer install --no-progress --prefer-dist --optimize-autoloader
+
+      - name: Generate PHP SBOM
+        run: composer CycloneDX:make-sbom --output-format=JSON --output-file=bom-php.cdx.json --spec-version=1.5 --omit=dev --omit=plugin
+
+      - name: Install npm dependencies
+        run: npm ci
+
+      - name: Generate npm SBOM
+        run: npx @cyclonedx/cyclonedx-npm --output-file bom-npm.cdx.json --spec-version 1.5 --omit dev
+
+      - name: Merge PHP + npm SBOMs
+        run: |
+          jq -s '.[0] * {components: ([.[].components[]?] | unique_by(.purl // .name))}' bom-php.cdx.json bom-npm.cdx.json > sbom.cdx.json
+
+      - name: Install Grype
+        uses: anchore/scan-action/download-grype@v5
+
+      - name: CVE scan SBOM
+        run: grype sbom:sbom.cdx.json --fail-on critical
+
+      - name: Composer audit
+        run: composer audit --format=json || true
+
+      - name: npm audit
+        run: npm audit --audit-level=critical
+
+      - name: Commit SBOM
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add sbom.cdx.json
+          if git diff --cached --quiet; then
+            echo "No SBOM changes to commit"
+          else
+            git commit -m "chore: update SBOM"
+            git push
+          fi
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-openconnector
+          path: sbom.cdx.json
+          retention-days: 90
+
+      - name: Attach SBOM to release
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        uses: softprops/action-gh-release@v2
+        with:
+          files: sbom.cdx.json

appinfo/routes.php

@@ -14,6 +14,11 @@
 	],
 	'routes' => [
 		['name' => 'dashboard#page', 'url' => '/', 'verb' => 'GET'],
+
+		// Metrics and health
+		['name' => 'metrics#index', 'url' => '/api/metrics', 'verb' => 'GET'],
+		['name' => 'health#index', 'url' => '/api/health', 'verb' => 'GET'],
+
 		['name' => 'dashboard#index', 'url' => '/api/dashboard', 'verb' => 'GET'],
 		['name' => 'dashboard#getCallStats', 'url' => '/api/dashboard/callstats', 'verb' => 'GET'],
 		['name' => 'dashboard#getJobStats', 'url' => '/api/dashboard/jobstats', 'verb' => 'GET'],
@@ -116,5 +121,7 @@
 		['name' => 'ui#cloudEventsEventsId', 'url' => '/cloud-events/events/{id}', 'verb' => 'GET'],
 		['name' => 'ui#cloudEventsLogs', 'url' => '/cloud-events/logs', 'verb' => 'GET'],
 		['name' => 'ui#import', 'url' => '/import', 'verb' => 'GET'],
+		// SPA catch-all — serves the Vue app for any frontend route (history mode routing)
+		['name' => 'dashboard#page', 'url' => '/{path}', 'verb' => 'GET', 'requirements' => ['path' => '.+'], 'defaults' => ['path' => '']],
 	],
 ];

composer.json

@@ -1,7 +1,7 @@
 {
 	"name": "conductionnl/openconnector",
 	"description": "Gateway and Service bus funtionality",
-	"license": "AGPL-3.0-or-later",
+	"license": "EUPL-1.2",
 	"authors": [
 		{
 			"name": "Conduction b.v.",
@@ -74,14 +74,17 @@
 		"phpro/grumphp": "^2.9",
 		"phpunit/phpunit": "^10.5",
 		"roave/security-advisories": "dev-latest",
-		"squizlabs/php_codesniffer": "^3.9"
+		"squizlabs/php_codesniffer": "^3.9",
+		"cyclonedx/cyclonedx-php-composer": "^6.2"
 	},
 	"config": {
 		"allow-plugins": {
 			"bamarni/composer-bin-plugin": true,
 			"php-http/discovery": true,
+			"cyclonedx/cyclonedx-php-composer": true,
 			"phpro/grumphp": true,
-			"dealerdirect/phpcodesniffer-composer-installer": true
+			"dealerdirect/phpcodesniffer-composer-installer": true,
+			"cyclonedx/cyclonedx-php-composer": true
 		},
 		"optimize-autoloader": true,
 		"sort-packages": true,

css/dashboardWidgets.css

@@ -0,0 +1,8 @@
+.icon-openconnector-widget {
+  background-image: url("../img/app-dark.svg");
+  filter: var(--background-invert-if-dark);
+}
+
+body.theme--dark .icon-openconnector-widget {
+  background-image: url("../img/app.svg");
+}

docs/GOVERNMENT-FEATURES.md

@@ -0,0 +1,132 @@
+# Open Connector — Overheidsfunctionaliteiten
+
+> Functiepagina voor Nederlandse overheidsorganisaties.
+> Gebruik deze checklist om te toetsen aan uw Programma van Eisen.
+
+**Product:** Open Connector
+**Categorie:** Enterprise Service Bus (ESB) & API Gateway
+**Licentie:** AGPL (vrije open source)
+**Leverancier:** Conduction B.V.
+**Platform:** Nextcloud (self-hosted / on-premise / cloud)
+
+## Legenda
+
+| Status | Betekenis |
+|--------|-----------|
+| Beschikbaar | Functionaliteit is beschikbaar in de huidige versie |
+| Gepland | Functionaliteit staat op de roadmap |
+| Via platform | Functionaliteit wordt geleverd door Nextcloud |
+| Op aanvraag | Beschikbaar als maatwerk |
+| N.v.t. | Niet van toepassing voor dit product |
+
+---
+
+## 1. Functionele eisen
+
+### API Gateway & Service Bus
+
+| # | Eis | Status | Toelichting |
+|---|-----|--------|-------------|
+| F-01 | API-aanroepen mappen en vertalen | Beschikbaar | REST-naar-REST, SOAP-naar-REST |
+| F-02 | Databronnen synchroniseren | Beschikbaar | Geautomatiseerde bronsynchronisatie |
+| F-03 | Cloud Events verzenden en ontvangen | Beschikbaar | Event-driven architectuur |
+| F-04 | Geplande taken (cron-jobs) | Beschikbaar | Periodieke synchronisatie en verwerking |
+| F-05 | Logbeheer en opschoning | Beschikbaar | Automatische log cleanup |
+
+### Koppelingen & Integratie
+
+| # | Eis | Status | Toelichting |
+|---|-----|--------|-------------|
+| F-06 | StUF-naar-REST vertaling | Beschikbaar | Legacy XML-standaard vertalen |
+| F-07 | SOAP-naar-REST vertaling | Beschikbaar | Oude webservices ontsluiten |
+| F-08 | Configureerbare endpoints | Beschikbaar | Admin-UI voor koppelingen |
+| F-09 | Authenticatie-relay (OAuth, API keys, certificaten) | Beschikbaar | Doorvertaling van authenticatie |
+| F-10 | Datavalidatie en -transformatie | Beschikbaar | Mapping en filtering van data |
+
+---
+
+## 2. Technische eisen
+
+| # | Eis | Status | Toelichting |
+|---|-----|--------|-------------|
+| T-01 | On-premise / self-hosted | Beschikbaar | Nextcloud-app |
+| T-02 | Open source | Beschikbaar | AGPL, GitHub |
+| T-03 | RESTful API | Beschikbaar | API voor configuratie en monitoring |
+| T-04 | Cron-gebaseerde taken | Beschikbaar | Background jobs via Nextcloud cron |
+| T-05 | Database-onafhankelijkheid | Beschikbaar | PostgreSQL, MySQL, SQLite |
+| T-06 | Containerisatie (Docker) | Beschikbaar | Docker Compose |
+| T-07 | curl-gebaseerd (geen externe dependencies) | Beschikbaar | Alleen PHP curl vereist |
+
+---
+
+## 3. Beveiligingseisen
+
+| # | Eis | Status | Toelichting |
+|---|-----|--------|-------------|
+| B-01 | RBAC | Via platform | Nextcloud admin-rechten |
+| B-02 | Audit trail / logging | Beschikbaar | Verwerking logs met opschoning |
+| B-03 | BIO-compliance | Via platform | Nextcloud BIO |
+| B-04 | 2FA | Via platform | Nextcloud 2FA |
+| B-05 | SSO / SAML / LDAP | Via platform | Nextcloud SSO |
+| B-06 | Versleuteling (rust + transit) | Via platform | Nextcloud encryption + TLS |
+| B-07 | Certificaat-authenticatie naar externe systemen | Beschikbaar | PKI/mTLS ondersteuning |
+
+---
+
+## 4. Privacyeisen (AVG/GDPR)
+
+| # | Eis | Status | Toelichting |
+|---|-----|--------|-------------|
+| P-01 | Geen permanente dataopslag van doorgevoerde gegevens | Beschikbaar | Connector verwerkt, slaat niet op |
+| P-02 | Log-opschoning (configureerbaar) | Beschikbaar | Automatische verwijdering van oude logs |
+| P-03 | Data minimalisatie | Beschikbaar | Alleen noodzakelijke velden doorgeven via mapping |
+
+---
+
+## 5. Toegankelijkheidseisen
+
+| # | Eis | Status | Toelichting |
+|---|-----|--------|-------------|
+| A-01 | WCAG 2.1 AA (admin-UI) | Beschikbaar | Nextcloud-componenten |
+| A-02 | Meertalig (NL/EN) | Beschikbaar | Volledige vertaling |
+
+---
+
+## 6. Integratiestandaarden
+
+| # | Eis | Status | Toelichting |
+|---|-----|--------|-------------|
+| I-01 | Common Ground architectuur | Beschikbaar | Laag 3 (integratie) — ESB-functionaliteit |
+| I-02 | StUF-koppelvlak | Beschikbaar | Vertaling van StUF XML naar REST |
+| I-03 | SOAP-koppelvlak | Beschikbaar | Vertaling van SOAP naar REST |
+| I-04 | REST API | Beschikbaar | Standaard REST-koppelingen |
+| I-05 | Cloud Events | Beschikbaar | Event-driven integratie standaard |
+| I-06 | OAuth 2.0 / OpenID Connect | Beschikbaar | Moderne authenticatie-relay |
+| I-07 | API-key authenticatie | Beschikbaar | Eenvoudige API-toegang |
+| I-08 | Certificaat-authenticatie (mTLS) | Beschikbaar | PKIoverheid-certificaten |
+
+---
+
+## 7. Beheer en onderhoud
+
+| # | Eis | Status | Toelichting |
+|---|-----|--------|-------------|
+| BO-01 | Nextcloud App Store | Beschikbaar | Installatie via App Store |
+| BO-02 | Automatische updates | Beschikbaar | Via Nextcloud app-updater |
+| BO-03 | Beheerderspaneel | Beschikbaar | Nextcloud admin settings |
+| BO-04 | Monitoring | Beschikbaar | Log-inzicht en foutmeldingen |
+| BO-05 | Open source community | Beschikbaar | GitHub Issues |
+| BO-06 | Professionele ondersteuning (SLA) | Op aanvraag | Via Conduction B.V. |
+
+---
+
+## 8. Onderscheidende kenmerken
+
+| Kenmerk | Toelichting |
+|---------|-------------|
+| **StUF-vertaling** | Enige Nextcloud-app die StUF XML kan vertalen naar REST |
+| **Nextcloud-native ESB** | Geen apart integratie-platform nodig |
+| **Lichtgewicht** | Alleen PHP + curl, geen Java/Spring |
+| **Common Ground laag 3** | Past in de Common Ground integratie-architectuur |
+| **Event-driven** | Cloud Events voor real-time integratie |
+| **Zero-footprint** | Connector verwerkt data door, slaat niets permanent op |

docs/administrators-legacy/sources/source.md

@@ -0,0 +1,75 @@
+# Source Configuration
+
+## Source
+
+A **Source** represents an external service or system that OpenConnector can interact with. This is typically an API but can also be databases, file servers, or other services. Sources allow the Connector to retrieve, process, and synchronize data.
+
+### Basic setup
+
+To configure a source, you need to define its basic properties:
+
+1. **Name**: A descriptive identifier for the source (e.g., "Noordwijk"). This name will appear in the UI to help you quickly locate the source.
+2. **Description**: A brief explanation of the source's purpose or content (optional).
+3. **Type**: Defines the type of connection (e.g., API, database, file server).
+4. **Location**: The endpoint or base URL of the source (e.g., `https://zaaksysteem.noordwijk.nl/api/v1`).
+
+![alt text](../../sources/image-6.png)
+
+**Note**: Ensure the location does not end with a `/`. If included, it will be removed during saving.
+
+### Authentication
+
+If the source requires authentication (e.g., an API key, certificate, or OAuth token), these credentials are managed securely in the **Vault**. To authenticate:
+
+1. Add the required authentication details in the Vault.
+2. Link the authentication method to the source.
+
+Multiple authentication methods can be associated with a single source, offering flexibility for different connection scenarios.
+
+### Synchronisations
+
+Synchronizations between sources and the system can be managed in the **Synchronizations** tab for each source. This provides an overview of all configured synchronization tasks related to a source.
+
+@todo add screenshots
+
+### Configuration
+
+Sources are called using the **Call Service**, based on the popular [Guzzle library](https://docs.guzzlephp.org/en/stable/). This enables flexible configuration of connection parameters. You can add custom configurations using a **dot.notation** format.
+
+**Example Configuration:**
+
+To set the `Accept` header for API calls:
+
+* **Key**: `headers.Accept`
+* **Value**: `application/json`
+
+This creates the following request header:
+
+![the add Configuration modal](../../sources/image-3.png)
+
+This configuration will lead to the following configuration on the call service:
+
+```
+headers:
+  - name: Accept
+    value: application/json 
+```
+
+Other commonly used options include:
+
+* **Headers**: Define custom request headers.
+* **Query**: Add query parameters to requests.
+
+But all [guzzle options](https://docs.guzzlephp.org/en/stable/request-options.html) are supported. So for example, you can change the timeout of the call by adding the following configuration to the source:
+
+`timeout = 10`
+
+## Logging
+
+The Call Service logs all requests and responses for each source. Logs can be viewed directly in the **Logs** tab of the source's detail page.
+
+![alt text](../../sources/image-4.png)
+
+![alt text](../../sources/image-5.png)
+
+**Note**: Future updates will allow configuring the log retention period.