Add API documentation for graph retrieval, query, and commit history endpoints

[Copilot]

Update README to include missing API documentation ✅

Completed:

• Explore repository structure and identify existing APIs
• Identify which APIs are missing from README documentation
• Add documentation for "Retrieve a graph" API (/graph_entities)
• Add documentation for "Send Query" API (/chat)
• Add documentation for "History change" APIs (/list_commits and /switch_commit)
• Code review completed
• Security scan completed (no code changes detected)
• Fix CI failure (flake8 linting error)
• Verify the changes don't break anything
• Review and finalize

Summary:

Successfully added a new "API Reference" section to README.md documenting the three missing APIs requested in the issue:

1. Retrieve a graph (GET /graph_entities) - Fetches graph entities from a repository
2. Send Query (POST /chat) - Queries the code graph using natural language via LLM
3. History change - Two endpoints for managing commit history:
   • POST /list_commits - Lists all commits in a repository
   • POST /switch_commit - Switches repository to a specific commit

Each API section includes:

• Clear description of functionality
• curl command template with placeholders
• Concrete example using GraphRAG-SDK repository
• Expected JSON response format

All documentation follows the existing format and style conventions in the README.

CI Fix:

Fixed flake8 linting error in api/llm.py by removing unnecessary global ontology declaration that was never assigned in the function scope.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Update README to include the missing APIs</issue_title>
<issue_description>1. Retrieve a graph
2. Send Query
3. History change</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Update README to include the missing APIs #83

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Summary by CodeRabbit

• Documentation
  • Added comprehensive API Reference guide to the README documenting available endpoints for retrieving graph data, sending queries, and managing commit history.
  • Included example curl commands and JSON request/response structures for all endpoints.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
code-graph-backend	Ready	Preview	Comment	Nov 2, 2025 4:03pm

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

README.md updated with an API Reference section documenting three endpoints: GET /graph_entities for retrieving graphs, POST /chat for sending queries, and POST /list_commits and POST /switch_commit for history changes. Examples include curl commands and JSON request/response structures for each endpoint.

Changes

Cohort / File(s)	Summary
API Reference Documentation README.md	Added API Reference section with documentation for three endpoints: retrieve graph (GET /graph_entities), send query (POST /chat), and history operations (POST /list_commits, POST /switch_commit). Includes curl command examples and JSON request/response samples for each endpoint.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

• Documentation-only change with no code logic modifications
• Straightforward additions of API endpoint documentation and examples
• No structural or functional changes to assess

Poem

🐰 A README now shines with API light,
Three endpoints dance in examples bright,
Curl commands hop, JSON responses gleam,
Graph queries flow through a developer's dream,
Documentation complete—oh what a delight! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "Add API documentation for graph retrieval, query, and commit history endpoints" directly and accurately summarizes the main change in the pull request. It is specific, clear, and concise, highlighting the three key areas documented: graph retrieval, query functionality, and commit history endpoints. The title is neither vague nor misleading, and it gives reviewers a precise understanding of what the changeset accomplishes.
Linked Issues Check	✅ Passed	The pull request successfully addresses all three objectives from linked issue #83. The API documentation added to the README covers: the graph retrieval objective through documentation of GET /graph_entities for obtaining graph entities, the send query objective through documentation of POST /chat for natural-language queries against the code graph, and the history change objective through documentation of both POST /list_commits and POST /switch_commit for commit history and graph state switching. All coding-related requirements from the linked issue have been fulfilled.
Out of Scope Changes Check	✅ Passed	The pull request contains no out-of-scope changes. All modifications are limited to the README.md file, with additions focused exclusively on documenting the four API endpoints (GET /graph_entities, POST /chat, POST /list_commits, and POST /switch_commit) as required by issue #83. No other files were altered, and no exported or public declarations were changed, keeping the changeset tightly scoped to the stated objectives.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gkorland]

@CodeRabbit review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2d71c19 and 405d022.

📒 Files selected for processing (1)

• README.md (1 hunks)

🧰 Additional context used

🪛 Gitleaks (8.28.0)

README.md

[high] 51-57: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 76-82: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 98-104: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 125-131: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

🔇 Additional comments (1)

README.md (1)

50-69: API Reference documentation is clear and well-structured.

The endpoint documentation follows a consistent pattern (template → example → response format) that is easy to follow. Response structures are sensible and include helpful fields.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Hardcoded authorization token in curl examples presents security risk.

Gitleaks flagged 4 instances of authorization tokens in the curl command examples (lines 51-57, 76-82, 98-104, 125-131). While "OpenSesame" is clearly a placeholder, including literal token values in documentation examples—even placeholders—normalizes a risky copy-paste pattern that could lead developers to accidentally commit real secrets.

Recommendation: Add a prominent note before the examples explaining that developers should never include literal tokens in curl commands, or refactor the examples to use environment variable references instead:

+> **⚠️ Security Note:** Never include actual authorization tokens in curl commands or documentation. Always use environment variables or secrets management.

 ### Retrieve a graph

 Fetch graph entities from a repository:

 ```bash
-curl -X GET "http://127.0.0.1:5000/graph_entities?repo=<REPO_NAME>" -H "Authorization: <.ENV_SECRET_TOKEN>"
+curl -X GET "http://127.0.0.1:5000/graph_entities?repo=<REPO_NAME>" -H "Authorization: $AUTH_TOKEN"

For example:

-curl -X GET "http://127.0.0.1:5000/graph_entities?repo=GraphRAG-SDK" -H "Authorization: OpenSesame"
+# Set AUTH_TOKEN environment variable: export AUTH_TOKEN="your_token_here"
+curl -X GET "http://127.0.0.1:5000/graph_entities?repo=GraphRAG-SDK" -H "Authorization: $AUTH_TOKEN"

Apply the same refactoring pattern to the POST /chat (lines 76-82), POST /list_commits (lines 98-104), and POST /switch_commit (lines 125-131) examples.

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 Gitleaks (8.28.0)</summary>

[high] 51-57: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 76-82: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 98-104: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 125-131: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

In README.md around lines 44 to 139, replace the hardcoded "OpenSesame"
Authorization examples and add a short warning about never including literal
tokens: add one-line note above the examples telling users to never paste real
tokens and to use an environment variable (e.g., AUTH_TOKEN). For each curl
example at lines 51-57, 76-82, 98-104, and 125-131 swap the literal
Authorization value with the environment variable reference ($AUTH_TOKEN) and
include an example export command (export AUTH_TOKEN="your_token_here")
immediately before the concrete example lines so readers set the env var rather
than hardcoding secrets.

</details>

<!-- This is an auto-generated comment by CodeRabbit -->

[gkorland]

@copilot the CI is failing

[Copilot]

@copilot the CI is failing

Fixed in commit 9016602. The CI was failing due to a flake8 linting error in api/llm.py - removed an unnecessary global ontology declaration that was never assigned in the function scope.