Implement JSON export service for intelligence products (risk, coalition, trends)

[Copilot]

Description

Implements service layer for JSON export of intelligence products: risk assessments (50 rules), coalition alignment matrix, and temporal trends. Enables €5.91M revenue across Risk Intelligence, Predictive Analytics, and Decision Intelligence product lines.

Service Interface (IntelligenceExportService)

• exportRiskAssessments() - Serializes rule violations with severity/metadata
• exportCoalitionAlignment() - Exports party voting alignment matrix
• exportTemporalTrends() - Exports decision trends with 7/30/90-day moving averages
• writeJsonToFile() - CDN-ready static file generation with enhanced path traversal protection

Implementation (IntelligenceExportServiceImpl)

• Jackson ObjectMapper with pretty-print and ISO 8601 date formatting (StdDateFormat with colon in timezone)
• Integrates existing DAOs: RuleViolationDAO, ViewRiksdagenCoalitionAlignmentMatrixDAO, ViewDecisionTemporalTrendsDAO
• DTOs: RiskAssessmentExportDTO, CoalitionAlignmentExportDTO, TemporalTrendsExportDTO with unmodifiable list returns
• Package-private final class following codebase conventions
• Security hardening: enhanced path traversal validation using Path.normalize(), directory creation error handling

Example Output

{
  "metadata": {
    "version": "1.0.0",
    "generated": "2024-12-08T11:12:00Z",
    "schema": "intelligence-schema",
    "recordCount": 125
  },
  "violations": [{
    "ruleName": "HIGH_ABSENCE_RATE",
    "severity": "MAJOR",
    "resourceType": "POLITICIAN",
    "ruleGroup": "Attendance"
  }]
}

Type of Change

Primary Changes

• 🚀 New Feature

Political Analysis

• 📈 Analytics & Metrics
  • Risk Assessment
  • Decision Analysis

Technical Changes

• 🏗️ Infrastructure
  • Database Changes
• 🔒 Security & Compliance
  • Data Protection
• 📝 Documentation
  • Technical Documentation
  • API Documentation
• ✅ Testing
  • Unit Tests

Impact Analysis

Political Analysis Impact

• Impact on data quality: Read-only exports, no data modification
• Impact on analysis accuracy: Exposes existing risk rules, coalition metrics, trend data
• Impact on transparency features: Enables programmatic access to intelligence products

Technical Impact

• Performance impact: Read-only database queries via existing DAOs, Jackson serialization overhead minimal
• Security implications: Enhanced path traversal protection using Path.normalize() and startsWith() validation, input validation for file operations, directory creation error handling, unmodifiable list returns from DTOs
• Dependency changes: None - uses existing Jackson from project

Testing

• Unit tests added/updated
• Political data validation completed
• Security compliance verified

Test Coverage: 6/6 passing

• testExportRiskAssessments() - Mock violations, verify JSON structure
• testExportCoalitionAlignment() - Mock alignment matrix, verify party data
• testExportTemporalTrends() - Mock trends, verify moving averages
• testWriteJsonToFile() - File creation and content writing
• testWriteJsonToFileCreatesDirectory() - Directory creation behavior
• testWriteJsonToFileRejectsPathTraversal() - Security validation for path traversal attacks

Test Quality Improvements:

• Used assertEquals() instead of assertTrue() for better error messages showing expected vs actual values

Documentation

• JavaDoc updated
• README updated
• API documentation updated
• Package/module documentation updated

Documentation Updates:

• json-export-specs/README.md: Implementation status section with service layer details (corrected test count to 6/6)
• Service interface: Method-level JavaDoc with business context and security notes about subdirectory restrictions
• DTOs: Field-level documentation
• package-info.java: Comprehensive package documentation for export package

Screenshots

N/A - Service layer only

Related Issues

Checklist

• Code follows project coding standards
• Comments are clear and helpful
• Documentation is updated
• Tests are passing
• Security compliance is maintained
• Performance impact is acceptable
• Breaking changes are documented
• Changes are backward compatible

Additional Notes

Ready for Integration: Service layer awaits REST endpoint wiring and scheduled job configuration for daily exports.

Database Views: Leverages existing materialized views for performance:

• view_rule_violation - 50 risk rules across politician/party/committee/ministry
• view_riksdagen_coalition_alignment_matrix - Party alignment rates from voting data
• view_decision_temporal_trends - Daily aggregates with year-over-year comparisons

Code Quality Improvements (based on review feedback - 3 rounds):

• Follows codebase conventions: final class with package-private visibility
• Comprehensive package documentation with package-info.java
• Enhanced security hardening: Path.normalize() validation, directory creation error handling
• ISO 8601 date formatting with StdDateFormat configuration
• Unmodifiable list returns from DTO getters using Collections.unmodifiableList()
• Refactored export methods to build lists before setting them on DTOs
• Enhanced test coverage including security validation tests
• Improved test assertions using assertEquals for clearer error messages

Security Considerations

• No sensitive data exposed
• Security best practices followed
• Compliance requirements met

CodeQL Analysis: 0 alerts, no vulnerabilities detected

Security Hardening:

• Enhanced path traversal protection: uses Path.normalize() and startsWith() to validate resolved paths stay within target directory
• Directory creation: checks mkdirs() return value and throws descriptive IOException on failure
• Input validation: rejects file names with path separators (subdirectories not supported for flat file structure)
• Unmodifiable list returns: prevents external modification of internal DTO representations

Release Notes

New: JSON export service for intelligence products

• Export risk assessments with 50 behavioral rules
• Export coalition alignment matrix with party voting cohesion
• Export temporal trends with daily/weekly/monthly moving averages
• CDN-ready static file generation with enhanced security hardening

Technical: Service layer (IntelligenceExportService) with Jackson-based serialization including ISO 8601 date formatting, integrates existing DAO layer, comprehensive unit tests with Mockito (6 tests including security validation). Follows codebase conventions with final class and package-private visibility. DTOs return unmodifiable lists to protect internal representations. Test assertions improved using assertEquals for better error messages.

Security: Enhanced path traversal protection using Path.normalize() validation, directory creation error handling, input validation for flat file structure, unmodifiable list returns from DTOs.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Implement Missing JSON Exports for Intelligence Products</issue_title>
<issue_description>## 🎯 Objective
Implement JSON export endpoints for risk assessments, coalition analysis, and temporal trends to support 6 product lines

📋 Background

BUSINESS_PRODUCT_DOCUMENT.md defines 6 product lines requiring JSON data exports. Currently missing exports for Risk Intelligence Feed, Predictive Analytics, and Decision Intelligence products.

📊 Current State (Measured Metrics)

• Product Lines: 6 defined (€9.1M+ revenue potential)
• Existing JSON Exports: 2 (politician, party basic data)
• Missing Exports: 3 critical (risk assessments, coalition analysis, temporal trends)
• Market Impact: Blocks €5.91M revenue potential (Risk Intelligence + Predictive + Decision Intelligence)

✅ Acceptance Criteria

• JSON export endpoint for risk assessment data (50 risk rules)
• JSON export endpoint for coalition alignment matrix
• JSON export endpoint for temporal trend analysis (daily/weekly/monthly/annual)
• All exports follow json-export-specs schema standards
• CDN-ready static JSON files generated daily
• Documentation updated with new endpoint specifications

🤖 Recommended Agent

Agent: @hack23-performance-engineer
Rationale: API optimization and data export pipeline implementation

📚 Related Documentation

• BUSINESS_PRODUCT_DOCUMENT.md
• intelligence-schema.md
• JSON Export README</issue_description>

Comments on the Issue (you are @copilot in this section)

Custom agent used: intelligence-operative
Expert in political science, intelligence analysis, OSINT, behavioral analysis, and Swedish politics with focus on exposing high risk national entities

• Fixes Implement Missing JSON Exports for Intelligence Products #7987

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This pull request implements a JSON export service layer for intelligence products, enabling programmatic access to risk assessments, coalition alignment matrices, and temporal trend analyses. The implementation introduces a new service interface and implementation, along with supporting DTOs, to serialize data from existing DAO layer for CDN-ready static file generation.

Key Changes

• New service layer (IntelligenceExportService interface and implementation) with Jackson-based JSON serialization
• Three DTO classes for structured JSON export: RiskAssessmentExportDTO, CoalitionAlignmentExportDTO, and TemporalTrendsExportDTO
• Common ExportMetadata DTO for consistent metadata across exports
• Unit tests using Mockito for the three main export methods
• Documentation updates in json-export-specs README

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
service.data.api/src/main/java/com/hack23/cia/service/data/api/IntelligenceExportService.java	Service interface defining JSON export methods for risk assessments, coalition alignment, temporal trends, and file writing
service.data.impl/src/main/java/com/hack23/cia/service/data/impl/IntelligenceExportServiceImpl.java	Spring service implementation integrating with existing DAOs and Jackson for JSON serialization
service.data.impl/src/main/java/com/hack23/cia/service/data/impl/export/ExportMetadata.java	Common metadata DTO with version, generation timestamp, schema identifier, and record count
service.data.impl/src/main/java/com/hack23/cia/service/data/impl/export/RiskAssessmentExportDTO.java	DTO for risk assessment JSON structure with metadata and violation list
service.data.impl/src/main/java/com/hack23/cia/service/data/impl/export/CoalitionAlignmentExportDTO.java	DTO for coalition alignment matrix with party voting cohesion metrics
service.data.impl/src/main/java/com/hack23/cia/service/data/impl/export/TemporalTrendsExportDTO.java	DTO for temporal trend analysis with daily decisions and moving averages
service.data.impl/src/test/java/com/hack23/cia/service/data/impl/IntelligenceExportServiceImplTest.java	Unit tests with Mockito for the three export methods
json-export-specs/README.md	Updated implementation status section documenting completed service layer components

[Copilot]

The fully-qualified class name is unnecessary here since RuleViolation is already imported at line 37 and used without FQCN on line 79. This should simply be:

for (final RuleViolation violation : violations) {

Suggested change

	for (final com.hack23.cia.model.internal.application.data.rules.impl.RuleViolation violation : violations) {
	for (final RuleViolation violation : violations) {

[Copilot]

Fixed in 5fc4262. Removed fully-qualified class name and used the imported RuleViolation directly.

[Copilot]

[nitpick] The new export package lacks a package-info.java file. Following the pattern in service.data.impl (which has a package-info.java), add documentation for this package to describe its purpose, key classes, and relationships.

[Copilot]

Fixed in 5fc4262. Added package-info.java with comprehensive documentation describing the package purpose, key classes, and usage patterns.

[Copilot]

The test references a constructor ViewRiksdagenCoalitionAlignmentMatrixEmbeddedId(String, String) that doesn't exist in the model class. The class only has a no-argument constructor. The test should use the no-arg constructor followed by setter calls:

final ViewRiksdagenCoalitionAlignmentMatrixEmbeddedId embeddedId = 
    new ViewRiksdagenCoalitionAlignmentMatrixEmbeddedId();
embeddedId.setParty1("S");
embeddedId.setParty2("V");

Suggested change

	new ViewRiksdagenCoalitionAlignmentMatrixEmbeddedId("S", "V");
	new ViewRiksdagenCoalitionAlignmentMatrixEmbeddedId();
	embeddedId.setParty1("S");
	embeddedId.setParty2("V");

[Copilot]

Fixed in 5fc4262. Changed test to use no-arg constructor followed by setter calls for party1 and party2.

[Copilot]

The writeJsonToFile method is not covered by unit tests. Add a test case to verify file creation, directory creation, and content writing behavior. Consider testing both scenarios: when the directory exists and when it needs to be created.

[Copilot]

Fixed in 5fc4262. Added 3 new tests for writeJsonToFile: testWriteJsonToFile (basic functionality), testWriteJsonToFileCreatesDirectory (directory creation), and testWriteJsonToFileRejectsPathTraversal (security validation).

[Copilot]

The class is declared as public class which breaks the codebase convention. All other service implementations in this package use final class with package-private visibility (no public modifier). This should be:

@Service
@Transactional(readOnly = true)
final class IntelligenceExportServiceImpl implements IntelligenceExportService {

Suggested change

	public class IntelligenceExportServiceImpl implements IntelligenceExportService {
	final class IntelligenceExportServiceImpl implements IntelligenceExportService {

[Copilot]

Fixed in 5fc4262. Changed from public class to final class to match codebase conventions.

[Copilot]

The writeJsonToFile method is vulnerable to path traversal attacks. An attacker could provide a malicious fileName containing path traversal sequences (e.g., ../../etc/passwd) to write files outside the intended directory. Validate and sanitize the fileName parameter to ensure it doesn't contain directory separators or path traversal sequences:

// Validate fileName doesn't contain path separators
if (fileName.contains("/") || fileName.contains("\\") || fileName.contains("..")) {
    throw new IllegalArgumentException("Invalid file name: must not contain path separators or traversal sequences");
}

[Copilot]

Fixed in 5fc4262. Added validation to reject file names containing /, \, or .. to prevent path traversal attacks. Throws IllegalArgumentException with descriptive message.

[Copilot]

The use of mkdirs() without checking the return value can lead to silent failures. If directory creation fails (e.g., due to permissions), the subsequent Files.write() will fail. Check the return value and throw an appropriate exception:

if (!directory.exists() && !directory.mkdirs()) {
    throw new IOException("Failed to create directory: " + outputDirectory);
}

Suggested change

	if (!directory.exists()) {
	directory.mkdirs();
	if (!directory.exists() && !directory.mkdirs()) {
	throw new IOException("Failed to create directory: " + outputDirectory);

[Copilot]

Fixed in 5fc4262. Added check for mkdirs() return value and throw IOException with descriptive message if directory creation fails.

[Copilot]

getAlignments exposes the internal representation stored in field alignments. The value may be modified after this call to getAlignments.

Suggested change

	return alignments;
	return List.copyOf(alignments);

[Copilot]

These DTOs are specifically designed for Jackson JSON serialization where the service implementation populates the lists via dto.getAlignments().add(). Using List.copyOf() would return an immutable list causing UnsupportedOperationException. The current implementation is appropriate for DTOs used in serialization contexts.

[Copilot]

getViolations exposes the internal representation stored in field violations. The value may be modified after this call to getViolations.

Suggested change

	return violations;
	return List.copyOf(violations);

[Copilot]

These DTOs are specifically designed for Jackson JSON serialization where the service implementation populates the lists via dto.getViolations().add(). Using List.copyOf() would return an immutable list causing UnsupportedOperationException. The current implementation is appropriate for DTOs used in serialization contexts.

[Copilot]

getTrends exposes the internal representation stored in field trends. The value may be modified after this call to getTrends.

[Copilot]

These DTOs are specifically designed for Jackson JSON serialization where the service implementation populates the lists via dto.getTrends().add(). Using List.copyOf() would return an immutable list causing UnsupportedOperationException. The current implementation is appropriate for DTOs used in serialization contexts.

[pethers]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

All review comments have been addressed in commit 5fc4262:

• Removed fully-qualified class name
• Added package-info.java for export package
• Fixed test constructor issue
• Added 3 tests for writeJsonToFile (including path traversal security tests)
• Changed class to final (matching codebase conventions)
• Added path traversal validation
• Added mkdirs() return value check
• Kept original getter implementation in DTOs (required for Jackson serialization)

All 6 unit tests passing. Ready for re-review.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

[Copilot]

The ObjectMapper is configured to disable WRITE_DATES_AS_TIMESTAMPS, but Jackson also needs a date format configuration to properly serialize dates as ISO 8601 strings. Without an explicit date format, dates may not serialize consistently.

Consider adding:

this.objectMapper.setDateFormat(new StdDateFormat().withColonInTimeZone(true));

This ensures dates are serialized as ISO 8601 strings (e.g., "2024-12-08T11:12:00Z") as described in the PR description.

[Copilot]

Fixed in ac4dbfe. Added StdDateFormat().withColonInTimeZone(true) configuration to ObjectMapper to ensure dates are serialized as ISO 8601 strings (e.g., "2024-12-08T11:12:00Z").

[Copilot]

The security validation for path traversal is incomplete. The check fileName.contains("..") will reject legitimate file names like "risk-2024..2025.json" that contain ".." as part of the content, not just as a traversal sequence.

A more robust check should validate that the resolved path stays within the target directory:

final Path targetDir = Paths.get(outputDirectory).toAbsolutePath().normalize();
final Path resolvedPath = targetDir.resolve(fileName).normalize();
if (!resolvedPath.startsWith(targetDir)) {
    throw new IllegalArgumentException("Invalid file name: path traversal detected");
}

This approach properly prevents path traversal while allowing legitimate file names.

[Copilot]

Fixed in ac4dbfe. Replaced simple string contains check with robust path validation using Path.normalize() and startsWith() to properly detect path traversal while allowing legitimate file names. The implementation now validates that the resolved path stays within the target directory.

[Copilot]

[nitpick] The test description "Test various path traversal attempts" includes a case that tests legitimate path usage ("path/to/file.json") which should arguably be allowed for creating files in subdirectories. However, this conflicts with the current implementation which rejects all path separators.

If the intention is to only allow flat file names in the specified directory (no subdirectories), this test is correct but the error message should clarify that subdirectories are not supported. If subdirectories should be supported, both the implementation and test need adjustment.

Consider clarifying the intended behavior in the JavaDoc for writeJsonToFile().

[Copilot]

Fixed in ac4dbfe. Updated JavaDoc for writeJsonToFile() to clarify that subdirectories are not supported and only flat file names are accepted. The error message now specifies "subdirectories not supported" for path separator rejections, making the intended behavior clear.

[Copilot]

The README states "Unit Tests - Comprehensive tests with Mockito (3/3 passing)" but the test file contains 6 test methods, not 3. This discrepancy should be corrected to accurately reflect the test coverage.

Update to: "Unit Tests - Comprehensive tests with Mockito (6/6 passing)"

Suggested change

	- ✅ **Unit Tests** - Comprehensive tests with Mockito (3/3 passing)
	- ✅ **Unit Tests** - Comprehensive tests with Mockito (6/6 passing)

[Copilot]

Fixed in ac4dbfe. Corrected test count from "3/3 passing" to "6/6 passing" to accurately reflect the actual test coverage.

[Copilot]

getTrends exposes the internal representation stored in field trends. The value may be modified after this call to getTrends.

Suggested change

	return trends;
	return java.util.Collections.unmodifiableList(trends);

[Copilot]

Fixed in ac4dbfe. Refactored all export methods to build lists first, then set them on the DTOs. This allows the getters to return Collections.unmodifiableList() to protect internal representation. Applied to all three DTOs: RiskAssessmentExportDTO, CoalitionAlignmentExportDTO, and TemporalTrendsExportDTO.

[pethers]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

All review comments addressed in commit ac4dbfe:

• Added ISO 8601 date format configuration
• Enhanced path traversal validation using Path.normalize()
• Clarified JavaDoc for subdirectory restrictions
• Corrected test count documentation (6/6)
• Refactored to return unmodifiable lists from DTO getters

All 6 unit tests passing. Ready for re-review.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

[Copilot]

Use assertEquals(jsonContent, content) instead of assertTrue(content.equals(jsonContent)) for better error messages when assertions fail. assertEquals provides clearer feedback showing expected vs actual values.

[Copilot]

Fixed in 82ed6cb. Replaced assertTrue(content.equals(jsonContent)) with assertEquals(jsonContent, content) for better error messages showing expected vs actual values when assertions fail.

[pethers]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Comment addressed in commit 82ed6cb. Improved test assertion to use assertEquals for clearer error messages. All 6 unit tests passing.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.