Feature/Implement Companion Edition API and OpenCRE Endpoints

[prakhar0x01]

Related Issue : #2886

Summary

This PR implements the public API endpoints and OpenCRE mappings for the Companion Edition (AI/LLM threat modeling), bringing it into parity with the existing WebApp and MobileApp editions. It also introduces a new generic Language Metadata API and enhances the data loading resilience of the DeckService.

Changes

1. Core API Logic & Registration

• DeckService.ts: Registered the companion edition (v1.0, EN) in the central registry.
• CreController.ts: Added human-readable mapping for "OWASP Cornucopia Companion Edition" and the "AI / LLM Application" category tag.
• [edition]/[lang]/+server.ts: Updated the CRE route guard to allow companion as a valid edition.

2. New Endpoints

• GET /api/cre/companion: Returns metadata for the Companion edition.
• GET /api/cre/companion/en: Returns the Companion card deck with OpenCRE mappings.
• GET /api/lang/[edition]/[version]: A new generic endpoint providing language metadata for any version/edition (supporting /api/lang/companion/1.0).

3. Resilience & Bug Fixes

• Resilient Card Loading: Modified DeckService to handle missing markdown files gracefully. Instead of skipping cards when technical notes are missing, it now falls back to the YAML description, ensuring the Companion API remains functional even without full markdown documentation.
• Source Data Fix: Corrected a YAML indentation syntax error in source/companion-mappings-1.0.yaml at line 235 that was causing a YAMLException during build/dev.

4. Infrastructure & Documentation

• Security Headers: Updated script/headers.js and script/headers-stage.js to include the required CORS and Content-Type overrides for the new endpoints in production and staging environments.
• Prerendering: Updated svelte.config.js to include the new companion endpoints in the static build process.

• OpenAPI/Swagger: Fully documented the new endpoints and schemas in static/api/openapi.yaml.

Verification Results

• GET /api/cre/companion returns correct metadata.
• GET /api/cre/companion/en successfully returns the 1.0 card list.
• GET /api/lang/companion/1.0 returns versioned language info.
• Swagger UI at /api/docs reflects new companion endpoints.
• npm run build succeeds with correct _headers generation.

[prakhar0x01]

@sydseter ,

Please review the changes,

thanks,
@prakhar0x01

[sydseter]

There are some linting issues:

/home/runner/work/cornucopia/cornucopia/cornucopia.owasp.org/src/domain/cre/creController.test.ts
1:1 warning Unused eslint-disable directive (no problems were reported from '@typescript-eslint/no-explicit-any')

/home/runner/work/cornucopia/cornucopia/cornucopia.owasp.org/src/domain/cre/creController.ts
1:1 warning Unused eslint-disable directive (no problems were reported from '@typescript-eslint/no-explicit-any')
Error: 39:9 error Unexpected newline between object and [ of property access no-unexpected-multiline
Error: 46:9 error Unexpected newline between object and [ of property access no-unexpected-multiline

/home/runner/work/cornucopia/cornucopia/cornucopia.owasp.org/src/lib/filesystem/fileSystemHelper.test.ts
1:1 warning Unused eslint-disable directive (no problems were reported from '@typescript-eslint/no-explicit-any')

/home/runner/work/cornucopia/cornucopia/cornucopia.owasp.org/src/lib/services/deckService.ts
Error: 127:25 error 'parsed' is never reassigned. Use 'const' instead prefer-const
Error: 129:26 error 'e' is defined but never used. Allowed unused caught errors must match /^/u @typescript-eslint/no-unused-vars
Error: 138:26 error 'e' is defined but never used. Allowed unused caught errors must match /^/u @typescript-eslint/no-unused-vars

/home/runner/work/cornucopia/cornucopia/cornucopia.owasp.org/src/routes/api/cre/[edition]/[lang]/server.test.ts
1:1 warning Unused eslint-disable directive (no problems were reported from '@typescript-eslint/no-explicit-any')

✖ 9 problems (5 errors, 4 warnings)
1 error and 4 warnings potentially fixable with the --fix option.