stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

sprints work

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-24 16:28:46 +02:00
parent 8197588e74
commit 4231305fec
43 changed files with 7190 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
docs/implplan/SPRINT_8100_0011_0001_router_sdk_aspnet_bridge.md
View File

@@ -88,14 +88,14 @@ The bridge MUST support these ASP.NET features:
| 6 | BRIDGE-8100-006 | DONE | Task 4 | Router Guild | Implement parameter metadata extraction: `[FromRoute]`, `[FromQuery]`, `[FromHeader]`, `[FromBody]` sources. |
| 7 | BRIDGE-8100-007 | DONE | Task 4 | Router Guild | Implement response metadata extraction: `IProducesResponseTypeMetadata`, status codes, types. |
| 8 | BRIDGE-8100-008 | DONE | Task 4 | Router Guild | Implement OpenAPI metadata extraction: `IEndpointNameMetadata`, `IEndpointSummaryMetadata`, `ITagsMetadata`. |
| 9 | BRIDGE-8100-009 | DOING | Tasks 4-8 | QA Guild | Add unit tests for discovery determinism (ordering, normalization, duplicate detection, metadata completeness). |
| 9 | BRIDGE-8100-009 | DONE | Tasks 4-8 | QA Guild | Add unit tests for discovery determinism (ordering, normalization, duplicate detection, metadata completeness). |
| **Wave 2 (Authorization Mapping)** | | | | | |
| 10 | BRIDGE-8100-010 | DONE | Task 4 | Router Guild | Define `IAuthorizationClaimMapper` interface for policy→claims resolution. |
| 11 | BRIDGE-8100-011 | DONE | Task 10 | Router Guild | Implement `DefaultAuthorizationClaimMapper`: extract from `IAuthorizeData`, resolve policies via `IAuthorizationPolicyProvider`. |
| 12 | BRIDGE-8100-012 | DONE | Task 11 | Router Guild | Implement role-to-claim mapping: `[Authorize(Roles = "admin")]``ClaimRequirement(ClaimTypes.Role, "admin")`. |
| 13 | BRIDGE-8100-013 | DONE | Task 11 | Router Guild | Implement `[AllowAnonymous]` handling: empty `RequiringClaims` with explicit flag. |
| 14 | BRIDGE-8100-014 | TODO | Task 11 | Router Guild | Implement YAML override merge: YAML claims supplement/override discovered claims per endpoint. |
| 15 | BRIDGE-8100-015 | TODO | Tasks 10-14 | QA Guild | Add unit tests for authorization mapping (policies, roles, anonymous, YAML overrides). |
| 14 | BRIDGE-8100-014 | DONE | Task 11 | Router Guild | Implement YAML override merge: YAML claims supplement/override discovered claims per endpoint. |
| 15 | BRIDGE-8100-015 | DONE | Tasks 10-14 | QA Guild | Add unit tests for authorization mapping (policies, roles, anonymous, YAML overrides). |
| **Wave 3 (Request Dispatch)** | | | | | |
| 16 | BRIDGE-8100-016 | DONE | Task 4 | Router Guild | Implement `AspNetRouterRequestDispatcher`: build `DefaultHttpContext` from `RequestFrame`. |
| 17 | BRIDGE-8100-017 | DONE | Task 16 | Router Guild | Implement request population: method, path, query string parsing, headers, body stream. |
@@ -105,19 +105,19 @@ The bridge MUST support these ASP.NET features:
| 21 | BRIDGE-8100-021 | DONE | Task 19 | Router Guild | Implement `RequestDelegate` execution with filter chain support. |
| 22 | BRIDGE-8100-022 | DONE | Task 21 | Router Guild | Implement response capture: status code, headers (filtered), body buffering, convert to `ResponseFrame`. |
| 23 | BRIDGE-8100-023 | DONE | Task 22 | Router Guild | Implement error mapping: exceptions → appropriate status codes, deterministic error responses. |
| 24 | BRIDGE-8100-024 | TODO | Tasks 16-23 | QA Guild | Add integration tests: Router frame → ASP.NET execution → response frame (controllers + minimal APIs). |
| 24 | BRIDGE-8100-024 | DONE | Tasks 16-23 | QA Guild | Add integration tests: Router frame → ASP.NET execution → response frame (controllers + minimal APIs). |
| **Wave 4 (DI Extensions & Integration)** | | | | | |
| 25 | BRIDGE-8100-025 | DONE | Tasks 1-24 | Router Guild | Implement `AddStellaRouterBridge(Action<StellaRouterBridgeOptions>)` extension method. |
| 26 | BRIDGE-8100-026 | DONE | Task 25 | Router Guild | Implement `UseStellaRouterBridge()` middleware registration (after routing, enables dispatch). |
| 27 | BRIDGE-8100-027 | DONE | Task 25 | Router Guild | Wire discovery provider into `IEndpointDiscoveryService` when bridge is enabled. |
| 28 | BRIDGE-8100-028 | DONE | Task 27 | Router Guild | Wire dispatcher into Router SDK request handling pipeline. |
| 29 | BRIDGE-8100-029 | TODO | Tasks 25-28 | QA Guild | Add integration tests: full Program.cs registration → HELLO → routed request → response. |
| 29 | BRIDGE-8100-029 | DONE | Tasks 25-28 | QA Guild | Add integration tests: full Program.cs registration → HELLO → routed request → response. |
| **Wave 5 (Pilot Adoption & Docs)** | | | | | |
| 30 | BRIDGE-8100-030 | DONE | Pilot selection | Service Guild | Select pilot service (prefer Scanner or Concelier with maintained `AGENTS.md`). |
| 31 | BRIDGE-8100-031 | DONE | Task 30 | Service Guild | Apply bridge to pilot: add package, configure Program.cs, remove duplicate `[StellaEndpoint]` if any. |
| 32 | BRIDGE-8100-032 | TODO | Task 31 | QA Guild | Validate pilot via Gateway routing: all minimal API endpoints accessible, authorization enforced. |
| 33 | BRIDGE-8100-033 | TODO | Tasks 30-32 | Docs Guild | Update migration guide with "Strategy C: ASP.NET Endpoint Bridge" section. |
| 34 | BRIDGE-8100-034 | TODO | Tasks 30-32 | Docs Guild | Document supported/unsupported ASP.NET features, configuration options, troubleshooting. |
| 32 | BRIDGE-8100-032 | DONE | Task 31 | QA Guild | Validate pilot via Gateway routing: all minimal API endpoints accessible, authorization enforced. |
| 33 | BRIDGE-8100-033 | DONE | Tasks 30-32 | Docs Guild | Update migration guide with "Strategy C: ASP.NET Endpoint Bridge" section. |
| 34 | BRIDGE-8100-034 | DONE | Tasks 30-32 | Docs Guild | Document supported/unsupported ASP.NET features, configuration options, troubleshooting. |
---
@@ -441,3 +441,4 @@ public enum AuthorizationSource
| 2025-12-23 | Sprint created; initial design in `aspnet-endpoint-bridge.md` | Project Mgmt |
| 2025-12-24 | Sprint revised with comprehensive ASP.NET feature coverage | Project Mgmt |
| 2025-12-24 | Implementation audit: Waves 0-4 substantially complete (project, discovery, auth mapping, dispatch, DI extensions all implemented in `StellaOps.Microservice.AspNetCore`). Pilot services integrated via `TryAddStellaRouter()` pattern across all WebServices. Remaining work: unit tests, integration tests, YAML override feature, documentation. | Platform Guild |
| 2025-12-25 | Wave 5 complete: Tasks 32-34 done. Added Strategy C (ASP.NET Endpoint Bridge) to migration guide. Added comprehensive Troubleshooting section to aspnet-endpoint-bridge.md with 7 common issues, diagnostic endpoints, and logging categories. All 35 tasks now DONE. Sprint complete. | Docs Guild |

24
docs/implplan/SPRINT_8100_0012_0001_canonicalizer_versioning.md
View File

@@ -231,21 +231,21 @@ public static bool IsVersionedHash(ReadOnlySpan<byte> canonicalJson)
| # | Task ID | Status | Key dependency | Owners | Task Definition |
|---|---------|--------|----------------|--------|-----------------|
| **Wave 0 (Constants & Types)** | | | | | |
| 1 | CANON-8100-001 | TODO | None | Platform Guild | Create `CanonVersion.cs` with V1 constant and field name. |
| 2 | CANON-8100-002 | TODO | Task 1 | Platform Guild | Add `CanonicalizeVersioned<T>()` to `CanonJson.cs`. |
| 3 | CANON-8100-003 | TODO | Task 1 | Platform Guild | Add `HashVersioned<T>()` and `HashVersionedPrefixed<T>()` to `CanonJson.cs`. |
| 1 | CANON-8100-001 | DONE | None | Platform Guild | Create `CanonVersion.cs` with V1 constant and field name. |
| 2 | CANON-8100-002 | DONE | Task 1 | Platform Guild | Add `CanonicalizeVersioned<T>()` to `CanonJson.cs`. |
| 3 | CANON-8100-003 | DONE | Task 1 | Platform Guild | Add `HashVersioned<T>()` and `HashVersionedPrefixed<T>()` to `CanonJson.cs`. |
| **Wave 1 (Canonicalizer Updates)** | | | | | |
| 4 | CANON-8100-004 | TODO | Task 2 | Attestor Guild | Extend `IJsonCanonicalizer` with `CanonicalizeWithVersion()` method. |
| 5 | CANON-8100-005 | TODO | Task 4 | Attestor Guild | Implement `CanonicalizeWithVersion()` in `Rfc8785JsonCanonicalizer`. |
| 6 | CANON-8100-006 | TODO | Task 5 | Attestor Guild | Add `IsVersionedHash()` detection utility. |
| 4 | CANON-8100-004 | DONE | Task 2 | Attestor Guild | Extend `IJsonCanonicalizer` with `CanonicalizeWithVersion()` method. |
| 5 | CANON-8100-005 | DONE | Task 4 | Attestor Guild | Implement `CanonicalizeWithVersion()` in `Rfc8785JsonCanonicalizer`. |
| 6 | CANON-8100-006 | DONE | Task 5 | Attestor Guild | Add `IsVersionedHash()` detection utility. |
| **Wave 2 (Generator Updates)** | | | | | |
| 7 | CANON-8100-007 | TODO | Tasks 4-6 | Attestor Guild | Update `ComputeEvidenceId()` to use versioned canonicalization. |
| 8 | CANON-8100-008 | TODO | Task 7 | Attestor Guild | Update `ComputeReasoningId()` to use versioned canonicalization. |
| 9 | CANON-8100-009 | TODO | Task 7 | Attestor Guild | Update `ComputeVexVerdictId()` to use versioned canonicalization. |
| 10 | CANON-8100-010 | TODO | Task 7 | Attestor Guild | Update `ComputeProofBundleId()` to use versioned canonicalization. |
| 11 | CANON-8100-011 | TODO | Task 7 | Attestor Guild | Update `ComputeGraphRevisionId()` to use versioned canonicalization. |
| 7 | CANON-8100-007 | DONE | Tasks 4-6 | Attestor Guild | Update `ComputeEvidenceId()` to use versioned canonicalization. |
| 8 | CANON-8100-008 | DONE | Task 7 | Attestor Guild | Update `ComputeReasoningId()` to use versioned canonicalization. |
| 9 | CANON-8100-009 | DONE | Task 7 | Attestor Guild | Update `ComputeVexVerdictId()` to use versioned canonicalization. |
| 10 | CANON-8100-010 | DONE | Task 7 | Attestor Guild | Update `ComputeProofBundleId()` to use versioned canonicalization. |
| 11 | CANON-8100-011 | DONE | Task 7 | Attestor Guild | Update `ComputeGraphRevisionId()` to use versioned canonicalization. |
| **Wave 3 (Tests)** | | | | | |
| 12 | CANON-8100-012 | TODO | Tasks 7-11 | QA Guild | Add unit tests: versioned hash differs from legacy hash for same input. |
| 12 | CANON-8100-012 | DOING | Tasks 7-11 | QA Guild | Add unit tests: versioned hash differs from legacy hash for same input. |
| 13 | CANON-8100-013 | TODO | Task 12 | QA Guild | Add determinism tests: same input + same version = same hash. |
| 14 | CANON-8100-014 | TODO | Task 12 | QA Guild | Add backward compatibility tests: verify both legacy and v1 hashes accepted. |
| 15 | CANON-8100-015 | TODO | Task 12 | QA Guild | Add golden file tests: snapshot of v1 canonical output for known inputs. |

0
docs/implplan/SPRINT_5100_0007_0004_storage_harness.md → docs/implplan/archived/SPRINT_5100_0007_0004_storage_harness.md
View File

0
docs/implplan/SPRINT_5100_0007_0005_connector_fixtures.md → docs/implplan/archived/SPRINT_5100_0007_0005_connector_fixtures.md
View File

0
docs/implplan/SPRINT_5100_0007_0006_webservice_contract.md → docs/implplan/archived/SPRINT_5100_0007_0006_webservice_contract.md
View File

151
docs/implplan/archived/SPRINT_5100_0007_0007_architecture_tests.md Normal file
View File

@@ -0,0 +1,151 @@
# Sprint 5100.0007.0007 · Architecture Tests (Epic F)
## Topic & Scope
- Implement assembly dependency rules to enforce architectural boundaries.
- Prevent lattice algorithm placement violations (Concelier/Excititor must not reference Scanner lattice).
- Enforce "no forbidden package" rules for compliance.
- **Working directory:** `tests/architecture/StellaOps.Architecture.Tests/`
- **Evidence:** Architecture test project with NetArchTest.Rules, documented rules in `docs/architecture/enforcement-rules.md`.
## Dependencies & Concurrency
- No dependencies on other testing sprints.
- Safe to run immediately and in parallel with other work.
## Documentation Prerequisites
- `docs/product-advisories/22-Dec-2026 - Better testing strategy.md` (Section 2.5 "Architecture enforcement tests", Epic F)
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| **Wave 1 (Test Project Setup)** | | | | | |
| 1 | ARCH-TEST-001 | DONE | None | Platform Guild | Create `tests/architecture/StellaOps.Architecture.Tests` project |
| 2 | ARCH-TEST-002 | DONE | Task 1 | Platform Guild | Add NetArchTest.Rules NuGet package |
| 3 | ARCH-TEST-003 | DONE | Task 2 | Platform Guild | Configure project to reference all assemblies under test |
| **Wave 2 (Lattice Placement Rules)** | | | | | |
| 4 | ARCH-TEST-004 | DONE | Task 3 | Platform Guild | Add rule: Concelier assemblies must NOT reference Scanner lattice engine |
| 5 | ARCH-TEST-005 | DONE | Task 4 | Platform Guild | Add rule: Excititor assemblies must NOT reference Scanner lattice engine |
| 6 | ARCH-TEST-006 | DONE | Task 5 | Platform Guild | Add rule: Scanner.WebService MAY reference Scanner lattice engine |
| 7 | ARCH-TEST-007 | DONE | Task 6 | Platform Guild | Verify "preserve prune source" rule: Excititor does not compute lattice decisions |
| **Wave 3 (Module Dependency Rules)** | | | | | |
| 8 | ARCH-TEST-008 | DONE | Task 3 | Platform Guild | Add rule: Core libraries must not depend on infrastructure (e.g., *.Core -> *.Storage.Postgres) |
| 9 | ARCH-TEST-009 | DONE | Task 8 | Platform Guild | Add rule: WebServices may depend on Core and Storage, but not on other WebServices |
| 10 | ARCH-TEST-010 | DONE | Task 9 | Platform Guild | Add rule: Workers may depend on Core and Storage, but not directly on WebServices |
| **Wave 4 (Forbidden Package Rules)** | | | | | |
| 11 | ARCH-TEST-011 | DONE | Task 3 | Compliance Guild | Add rule: No Redis library usage (only Valkey-compatible clients) |
| 12 | ARCH-TEST-012 | DONE | Task 11 | Compliance Guild | Add rule: No MongoDB usage (deprecated per Sprint 4400) |
| 13 | ARCH-TEST-013 | DONE | Task 12 | Compliance Guild | Add rule: Crypto libraries must be plugin-based (no direct BouncyCastle references in core) |
| **Wave 5 (Naming Convention Rules)** | | | | | |
| 14 | ARCH-TEST-014 | DONE | Task 3 | Platform Guild | Add rule: Test projects must end with `.Tests` |
| 15 | ARCH-TEST-015 | DONE | Task 14 | Platform Guild | Add rule: Plugins must follow naming `StellaOps.<Module>.Plugin.*` or `StellaOps.<Module>.Connector.*` |
| **Wave 6 (CI Integration & Documentation)** | | | | | |
| 16 | ARCH-TEST-016 | DONE | Tasks 4-15 | CI Guild | Integrate architecture tests into Unit lane (PR-gating) |
| 17 | ARCH-TEST-017 | DONE | Task 16 | Docs Guild | Document architecture rules in `docs/architecture/enforcement-rules.md` |
## Implementation Details
### Architectural Rules (from Advisory)
From advisory Section 2.5:
- **Lattice placement**: Lattice algorithms run in `scanner.webservice`, not in Concelier or Excititor
- **Preserve prune source**: Concelier and Excititor "preserve prune source" (do not evaluate lattice decisions)
- **Assembly boundaries**: Core libraries must not reference infrastructure; WebServices isolated from each other
### Architecture Test Example (NetArchTest.Rules)
```csharp
using NetArchTest.Rules;
using Xunit;
public sealed class LatticeEngineRulesTests
{
[Fact]
[UnitTest]
[ArchitectureTest]
public void ConcelierAssemblies_MustNotReference_ScannerLatticeEngine()
{
var result = Types.InAssemblies(GetConcelierAssemblies())
.ShouldNot()
.HaveDependencyOn("StellaOps.Scanner.Lattice")
.GetResult();
Assert.True(result.IsSuccessful,
$"Concelier must not reference Scanner lattice engine. Violations: {string.Join(", ", result.FailingTypeNames)}");
}
[Fact]
[UnitTest]
[ArchitectureTest]
public void ExcititorAssemblies_MustNotReference_ScannerLatticeEngine()
{
var result = Types.InAssemblies(GetExcititorAssemblies())
.ShouldNot()
.HaveDependencyOn("StellaOps.Scanner.Lattice")
.GetResult();
Assert.True(result.IsSuccessful,
$"Excititor must not reference Scanner lattice engine. Violations: {string.Join(", ", result.FailingTypeNames)}");
}
}
```
### Forbidden Package Rule Example
```csharp
[Fact]
[UnitTest]
[ArchitectureTest]
public void CoreLibraries_MustNotReference_Redis()
{
var result = Types.InAssemblies(GetCoreAssemblies())
.ShouldNot()
.HaveDependencyOn("StackExchange.Redis")
.GetResult();
Assert.True(result.IsSuccessful,
$"Core libraries must use Valkey-compatible clients only. Violations: {string.Join(", ", result.FailingTypeNames)}");
}
```
## Wave Coordination
- **Wave 1**: Test project setup and tooling
- **Wave 2**: Lattice placement rules (critical architectural constraint)
- **Wave 3**: Module dependency rules (layering enforcement)
- **Wave 4**: Forbidden package rules (compliance)
- **Wave 5**: Naming convention rules (consistency)
- **Wave 6**: CI integration and documentation
## Interlocks
- Architecture tests run in Unit lane (fast, PR-gating)
- Violations must be treated as build failures
- Exceptions require explicit architectural review and documentation
## Upcoming Checkpoints
- 2026-01-10: Architecture test project operational with lattice rules
- 2026-01-20: All dependency and forbidden package rules implemented
- 2026-01-25: CI integration complete (PR-gating)
## Action Tracker
| Date (UTC) | Action | Owner |
| --- | --- | --- |
| 2026-01-05 | Validate NetArchTest.Rules compatibility with .NET 10. | Platform Guild |
| 2026-01-10 | Review lattice placement rules with architecture team. | Platform Guild |
## Decisions & Risks
- **Decision**: Use NetArchTest.Rules for assembly dependency analysis.
- **Decision**: Architecture tests are PR-gating (Unit lane).
- **Decision**: Violations require architectural review; no "ignore" pragmas allowed.
- **Decision**: Lattice placement rule is the highest priority (prevents functional violations).
| Risk | Impact | Mitigation | Owner |
| --- | --- | --- | --- |
| False positives | Valid code blocked | Test rules thoroughly; allow explicit exceptions with documentation. | Platform Guild |
| Rules too restrictive | Development friction | Start with critical rules only; expand incrementally. | Platform Guild |
| NetArchTest.Rules compatibility | Tool doesn't support .NET 10 | Validate early; have fallback (custom Roslyn analyzer). | Platform Guild |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-23 | Sprint created from SPRINT 5100.0007.0001 Task 16 (Epic F). | Project Mgmt |
| 2025-06-30 | Tasks 1-15 completed: test project setup, lattice placement, module dependency, forbidden package, and naming convention rules. | Platform Guild |
| 2025-06-30 | Task 16: Added architecture-tests job to `.gitea/workflows/test-lanes.yml` (PR-gating). | CI Guild |
| 2025-06-30 | Task 17: Created `docs/architecture/enforcement-rules.md` documenting all rules. | Docs Guild |
| 2025-06-30 | Sprint completed. All 17 tasks DONE. | Platform Guild |

0
docs/implplan/SPRINT_5100_0008_0001_competitor_parity.md → docs/implplan/archived/SPRINT_5100_0008_0001_competitor_parity.md
View File

0
docs/implplan/SPRINT_5100_0009_0001_scanner_tests.md → docs/implplan/archived/SPRINT_5100_0009_0001_scanner_tests.md
View File

0
docs/implplan/SPRINT_5100_0009_0002_concelier_tests.md → docs/implplan/archived/SPRINT_5100_0009_0002_concelier_tests.md
View File

0
docs/implplan/SPRINT_5100_0009_0003_excititor_tests.md → docs/implplan/archived/SPRINT_5100_0009_0003_excititor_tests.md
View File

0
docs/implplan/SPRINT_5100_0009_0004_policy_tests.md → docs/implplan/archived/SPRINT_5100_0009_0004_policy_tests.md
View File

0
docs/implplan/SPRINT_5100_0009_0006_signer_tests.md → docs/implplan/archived/SPRINT_5100_0009_0006_signer_tests.md
View File

0
docs/implplan/SPRINT_5100_0009_0007_attestor_tests.md → docs/implplan/archived/SPRINT_5100_0009_0007_attestor_tests.md
View File

0
docs/implplan/SPRINT_5100_0009_0008_scheduler_tests.md → docs/implplan/archived/SPRINT_5100_0009_0008_scheduler_tests.md
View File

0
docs/implplan/SPRINT_5100_0009_0009_notify_tests.md → docs/implplan/archived/SPRINT_5100_0009_0009_notify_tests.md
View File

0
docs/implplan/SPRINT_5100_0009_0010_cli_tests.md → docs/implplan/archived/SPRINT_5100_0009_0010_cli_tests.md
View File

0
docs/implplan/SPRINT_5100_0009_0011_ui_tests.md → docs/implplan/archived/SPRINT_5100_0009_0011_ui_tests.md
View File

0
docs/implplan/SPRINT_5100_0010_0002_graph_timeline_tests.md → docs/implplan/archived/SPRINT_5100_0010_0002_graph_timeline_tests.md
View File

99
docs/implplan/archived/SPRINT_5100_0010_0004_airgap_tests.md Normal file
View File

@@ -0,0 +1,99 @@
# Sprint 5100.0010.0004 · AirGap Test Implementation
## Topic & Scope
- Apply testing strategy models (L0, AN1, S1, W1, CLI1) to AirGap module test projects.
- Implement export/import bundle determinism tests (same inputs → same bundle hash).
- Add policy analyzer compilation tests (Roslyn analyzer validation).
- Add controller API contract tests (WebService).
- Add storage idempotency tests.
- Add CLI tool tests (exit codes, golden output, determinism).
- **Working directory:** `src/AirGap/__Tests/`.
- **Evidence:** Expanded test coverage; bundle determinism validated; policy analyzer tests; controller API contract tests; CLI tool tests.
## Dependencies & Concurrency
- Depends on: Sprint 5100.0007.0002 (TestKit), Sprint 5100.0007.0003 (Determinism gate), Sprint 5100.0007.0004 (Storage harness), Sprint 5100.0007.0006 (WebService contract).
- Blocks: None (AirGap test expansion is not a blocker for other modules).
- Safe to run in parallel with: All other module test sprints.
## Documentation Prerequisites
- `docs/product-advisories/22-Dec-2026 - Better testing strategy.md` (Section 3.11 — AirGap)
- `docs/testing/testing-strategy-models.md` (Models L0, AN1, S1, W1, CLI1)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| **L0 Bundle Export/Import** | | | | | |
| 1 | AIRGAP-5100-001 | DONE | TestKit | AirGap Guild | Add unit tests for bundle export: data → bundle → verify structure. |
| 2 | AIRGAP-5100-002 | DONE | TestKit | AirGap Guild | Add unit tests for bundle import: bundle → data → verify integrity. |
| 3 | AIRGAP-5100-003 | DONE | Determinism gate | AirGap Guild | Add determinism test: same inputs → same bundle hash (SHA-256). |
| 4 | AIRGAP-5100-004 | DONE | Determinism gate | AirGap Guild | Add determinism test: bundle export → import → re-export → identical bundle. |
| **AN1 Policy Analyzers** | | | | | |
| 5 | AIRGAP-5100-005 | DONE | TestKit | Policy Guild | Add Roslyn compilation tests for AirGap.Policy.Analyzers: expected diagnostics, no false positives. |
| 6 | AIRGAP-5100-006 | DONE | TestKit | Policy Guild | Add golden generated code tests for policy analyzers (if any). |
| **S1 Storage** | | | | | |
| 7 | AIRGAP-5100-007 | DONE | Storage harness | AirGap Guild | Add migration tests for AirGap.Storage (apply from scratch, apply from N-1). |
| 8 | AIRGAP-5100-008 | DONE | Storage harness | AirGap Guild | Add idempotency tests: same bundle imported twice → no duplicates. |
| 9 | AIRGAP-5100-009 | DONE | Storage harness | AirGap Guild | Add query determinism tests (explicit ORDER BY checks). |
| **W1 Controller API** | | | | | |
| 10 | AIRGAP-5100-010 | DONE | WebService fixture | AirGap Guild | Add contract tests for AirGap.Controller endpoints (export bundle, import bundle, list bundles) — OpenAPI snapshot. |
| 11 | AIRGAP-5100-011 | DONE | WebService fixture | AirGap Guild | Add auth tests (deny-by-default, token expiry, tenant isolation). |
| 12 | AIRGAP-5100-012 | DONE | WebService fixture | AirGap Guild | Add OTel trace assertions (verify bundle_id, tenant_id, operation tags). |
| **CLI1 AirGap Tools** | | | | | |
| 13 | AIRGAP-5100-013 | DONE | TestKit | AirGap Guild | Add exit code tests for AirGap CLI tool: successful export → exit 0; errors → non-zero. |
| 14 | AIRGAP-5100-014 | DONE | TestKit | AirGap Guild | Add golden output tests for AirGap CLI tool: export command → stdout snapshot. |
| 15 | AIRGAP-5100-015 | DONE | Determinism gate | AirGap Guild | Add determinism test for CLI tool: same inputs → same output bundle. |
| **Integration Tests** | | | | | |
| 16 | AIRGAP-5100-016 | DONE | Storage harness | AirGap Guild | Add integration test: export bundle (online env) → import bundle (offline env) → verify data integrity. |
| 17 | AIRGAP-5100-017 | DONE | Storage harness | AirGap Guild | Add integration test: policy export → policy import → policy evaluation → verify identical verdict. |
## Wave Coordination
- **Wave 1 (L0 Bundle + AN1 Analyzers):** Tasks 1-6.
- **Wave 2 (S1 Storage + W1 Controller):** Tasks 7-12.
- **Wave 3 (CLI1 Tools + Integration):** Tasks 13-17.
## Wave Detail Snapshots
- **Wave 1 evidence:** Bundle export/import tests passing; determinism tests passing; policy analyzer tests passing.
- **Wave 2 evidence:** Storage idempotency tests passing; controller API contract tests passing.
- **Wave 3 evidence:** CLI tool tests passing; integration tests (online → offline) passing.
## Interlocks
- Determinism tests depend on Sprint 5100.0007.0003 (Determinism gate).
- Storage tests depend on Sprint 5100.0007.0004 (Storage harness — PostgresFixture).
- WebService tests depend on Sprint 5100.0007.0006 (WebService fixture).
- Policy analyzer tests coordinate with Sprint 5100.0009.0004 (Policy tests).
## Upcoming Checkpoints
- 2026-09-17: Bundle and policy analyzer tests complete (Wave 1).
- 2026-10-01: Storage and controller API tests complete (Wave 2).
- 2026-10-15: CLI tool and integration tests complete (Wave 3).
## Action Tracker
| Date (UTC) | Action | Owner |
| --- | --- | --- |
| 2026-09-17 | Review bundle determinism tests and policy analyzer tests. | AirGap Guild + Policy Guild |
| 2026-10-01 | Review storage idempotency tests and controller API contract tests. | AirGap Guild |
| 2026-10-15 | Review CLI tool tests and online→offline integration tests. | AirGap Guild + Platform Guild |
## Decisions & Risks
- **Decision:** Bundle determinism is critical: same inputs → same bundle hash (SHA-256).
- **Decision:** Bundle export → import → re-export must produce identical bundle (roundtrip test).
- **Decision:** AirGap CLI tool follows same exit code conventions as main CLI (0=success, 1=user error, 2=system error).
- **Decision:** Integration tests verify full online→offline→online workflow.
| Risk | Impact | Mitigation | Owner |
| --- | --- | --- | --- |
| Bundle format changes break determinism | Tests fail unexpectedly | Explicit versioning for bundle format; deprecation warnings. | AirGap Guild |
| Policy analyzer compilation slow | Test suite timeout | Limit analyzer test scope; use caching. | Policy Guild |
| Integration tests require multiple environments | Test complexity | Use Docker Compose for multi-environment setup. | AirGap Guild |
| Bundle size too large | Import/export slow | Compression tests; size limit validation. | AirGap Guild |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-23 | Sprint created for AirGap test implementation based on advisory Section 3.11. | Project Mgmt |
| 2025-06-17 | Tasks 1-4 DONE: BundleExportImportTests.cs created covering L0 bundle export/import and determinism tests. | Agent |
| 2025-06-17 | Tasks 5-6 DONE: PolicyAnalyzerRoslynTests.cs created covering AN1 Roslyn compilation tests and golden generated code tests for HttpClientUsageAnalyzer. | Agent |
| 2025-06-17 | Tasks 7-9 DONE: AirGapStorageIntegrationTests.cs created covering S1 migration, idempotency, and query determinism tests. | Agent |
| 2025-06-17 | Tasks 10-12 DONE: AirGapControllerContractTests.cs created covering W1 API contract, auth, and OTel trace tests. | Agent |
| 2025-06-17 | Tasks 13-15 DONE: AirGapCliToolTests.cs created covering CLI1 exit code, golden output, and determinism tests. | Agent |
| 2025-06-17 | Tasks 16-17 DONE: AirGapIntegrationTests.cs created covering online→offline bundle transfer and policy export/import integration tests. All 17 tasks complete. | Agent |

444
docs/implplan/archived/SPRINT_8100_0011_0001_router_sdk_aspnet_bridge.md Normal file
View File

@@ -0,0 +1,444 @@
# Sprint 8100.0011.0001 · Router SDK ASP.NET Endpoint Bridge
## Topic & Scope
Eliminate dual-route maintenance by treating **standard ASP.NET endpoint registration** (controllers/minimal APIs) as the single source of truth for Router endpoint registration. This sprint delivers:
1. **ASP.NET Endpoint Discovery**: Discover endpoints from `EndpointDataSource`, extract full metadata (authorization, parameters, responses, OpenAPI), and convert to Router `EndpointDescriptor`s.
2. **Router→ASP.NET Dispatch**: Execute incoming Router requests through the ASP.NET pipeline with full fidelity (filters, model binding, authorization).
3. **Authorization Mapping**: Convert ASP.NET authorization policies/roles to Router `ClaimRequirement`s automatically, with YAML override support.
4. **Program.cs Integration**: Provide opt-in extension methods (`AddStellaRouterBridge`, `UseStellaRouterBridge`) for seamless integration.
**Working directory:** `src/__Libraries/StellaOps.Microservice.AspNetCore/` (new), `src/__Libraries/__Tests/StellaOps.Microservice.AspNetCore.Tests/` (tests), plus one pilot service.
**Evidence:** Deterministic endpoint discovery with full ASP.NET metadata; Router requests execute ASP.NET endpoints with correct model binding, authorization, and filters; pilot service registers via bridge without `[StellaEndpoint]` duplicates.
---
## Dependencies & Concurrency
- **Depends on:** `docs/modules/router/aspnet-endpoint-bridge.md` (design), `StellaOps.Microservice` SDK, pilot service with maintained `AGENTS.md`.
- **Recommended to land before:** Sprint 8100.0011.0002 (Gateway identity header policy) and Sprint 8100.0011.0003 (Valkey messaging transport).
- **Safe to run in parallel with:** Transport wiring (0003) and header hardening (0002) as long as shared contracts remain stable.
---
## Documentation Prerequisites
- `docs/modules/router/architecture.md`
- `docs/modules/router/migration-guide.md`
- `docs/modules/router/aspnet-endpoint-bridge.md`
- `docs/modules/gateway/identity-header-policy.md`
---
## ASP.NET Feature Coverage Matrix
The bridge MUST support these ASP.NET features:
| Category | Feature | Discovery | Dispatch | Router Mapping |
|----------|---------|-----------|----------|----------------|
| **Authorization** | `[Authorize(Policy = "...")]` | ✓ Extract | ✓ Execute | `RequiringClaims` via policy resolution |
| **Authorization** | `[Authorize(Roles = "...")]` | ✓ Extract | ✓ Execute | `ClaimRequirement(Role, value)` |
| **Authorization** | `[AllowAnonymous]` | ✓ Extract | ✓ Execute | Empty `RequiringClaims` |
| **Authorization** | `.RequireAuthorization(...)` | ✓ Extract | ✓ Execute | Policy/claim resolution |
| **Model Binding** | `[FromBody]` (implicit/explicit) | ✓ Type info | ✓ Deserialize | `SchemaInfo.RequestSchema` |
| **Model Binding** | `[FromRoute]` / `{id}` params | ✓ Extract | ✓ Populate | Path parameter metadata |
| **Model Binding** | `[FromQuery]` | ✓ Extract | ✓ Populate | Query parameter metadata |
| **Model Binding** | `[FromHeader]` | ✓ Extract | ✓ Populate | Header parameter metadata |
| **Model Binding** | `[FromServices]` (DI) | N/A | ✓ Inject | N/A (internal) |
| **Responses** | `.Produces<T>(statusCode)` | ✓ Extract | N/A | `SchemaInfo.ResponseSchemas` |
| **Responses** | `[ProducesResponseType]` | ✓ Extract | N/A | `SchemaInfo.ResponseSchemas` |
| **OpenAPI** | `.WithName(operationId)` | ✓ Extract | N/A | `OperationId` |
| **OpenAPI** | `.WithSummary(...)` | ✓ Extract | N/A | `Summary` |
| **OpenAPI** | `.WithDescription(...)` | ✓ Extract | N/A | `Description` |
| **OpenAPI** | `.WithTags(...)` | ✓ Extract | N/A | `Tags[]` |
| **Routing** | Route groups (`MapGroup`) | ✓ Compose paths | ✓ Match | Path prefix composition |
| **Routing** | Route constraints `{id:int}` | ✓ Normalize | ✓ Match | Stripped but semantics preserved |
| **Routing** | Catch-all `{**path}` | ✓ Normalize | ✓ Match | Explicit support |
| **Filters** | Endpoint filters | N/A | ✓ Execute | N/A (internal) |
| **Filters** | Authorization filters | N/A | ✓ Execute | N/A (internal) |
| **Special** | `CancellationToken` | N/A | ✓ Wire | From Router frame |
| **Special** | `HttpContext` | N/A | ✓ Build | Synthetic from frame |
### Explicitly NOT Supported (v0.1)
| Feature | Reason | Mitigation |
|---------|--------|------------|
| `SignalR` / `WebSocket` | Different protocol | Use native ASP.NET |
| gRPC endpoints | Different protocol | Use native gRPC |
| Streaming request bodies | Router SDK buffering | Future enhancement |
| Custom route constraints | Complexity | Document as limitation |
| API versioning (header/query) | Complexity | Use path-based versioning |
---
## Delivery Tracker
| # | Task ID | Status | Key dependency | Owners | Task Definition |
|---|---------|--------|----------------|--------|-----------------|
| **Wave 0 (Project Setup & API Design)** | | | | | |
| 0 | BRIDGE-8100-000 | DONE | Design doc | Platform Guild | Finalize `aspnet-endpoint-bridge.md` with full API design and feature matrix. |
| 1 | BRIDGE-8100-001 | DONE | Task 0 | Router Guild | Create `StellaOps.Microservice.AspNetCore` project with dependencies on `Microsoft.AspNetCore.App` and `StellaOps.Microservice`. |
| 2 | BRIDGE-8100-002 | DONE | Task 1 | Router Guild | Define `StellaRouterBridgeOptions` with configuration properties (see API Design section). |
| **Wave 1 (Endpoint Discovery)** | | | | | |
| 3 | BRIDGE-8100-003 | DONE | Task 1 | Router Guild | Define `AspNetEndpointDescriptor` record extending `EndpointDescriptor` with full metadata (parameters, responses, OpenAPI, authorization). |
| 4 | BRIDGE-8100-004 | DONE | Task 3 | Router Guild | Implement `AspNetCoreEndpointDiscoveryProvider`: enumerate `EndpointDataSource.Endpoints.OfType<RouteEndpoint>()`, extract all metadata. |
| 5 | BRIDGE-8100-005 | DONE | Task 4 | Router Guild | Implement route template normalization (strip constraints, compose group prefixes, stable leading slash). |
| 6 | BRIDGE-8100-006 | DONE | Task 4 | Router Guild | Implement parameter metadata extraction: `[FromRoute]`, `[FromQuery]`, `[FromHeader]`, `[FromBody]` sources. |
| 7 | BRIDGE-8100-007 | DONE | Task 4 | Router Guild | Implement response metadata extraction: `IProducesResponseTypeMetadata`, status codes, types. |
| 8 | BRIDGE-8100-008 | DONE | Task 4 | Router Guild | Implement OpenAPI metadata extraction: `IEndpointNameMetadata`, `IEndpointSummaryMetadata`, `ITagsMetadata`. |
| 9 | BRIDGE-8100-009 | DONE | Tasks 4-8 | QA Guild | Add unit tests for discovery determinism (ordering, normalization, duplicate detection, metadata completeness). |
| **Wave 2 (Authorization Mapping)** | | | | | |
| 10 | BRIDGE-8100-010 | DONE | Task 4 | Router Guild | Define `IAuthorizationClaimMapper` interface for policy→claims resolution. |
| 11 | BRIDGE-8100-011 | DONE | Task 10 | Router Guild | Implement `DefaultAuthorizationClaimMapper`: extract from `IAuthorizeData`, resolve policies via `IAuthorizationPolicyProvider`. |
| 12 | BRIDGE-8100-012 | DONE | Task 11 | Router Guild | Implement role-to-claim mapping: `[Authorize(Roles = "admin")]``ClaimRequirement(ClaimTypes.Role, "admin")`. |
| 13 | BRIDGE-8100-013 | DONE | Task 11 | Router Guild | Implement `[AllowAnonymous]` handling: empty `RequiringClaims` with explicit flag. |
| 14 | BRIDGE-8100-014 | DONE | Task 11 | Router Guild | Implement YAML override merge: YAML claims supplement/override discovered claims per endpoint. |
| 15 | BRIDGE-8100-015 | DONE | Tasks 10-14 | QA Guild | Add unit tests for authorization mapping (policies, roles, anonymous, YAML overrides). |
| **Wave 3 (Request Dispatch)** | | | | | |
| 16 | BRIDGE-8100-016 | DONE | Task 4 | Router Guild | Implement `AspNetRouterRequestDispatcher`: build `DefaultHttpContext` from `RequestFrame`. |
| 17 | BRIDGE-8100-017 | DONE | Task 16 | Router Guild | Implement request population: method, path, query string parsing, headers, body stream. |
| 18 | BRIDGE-8100-018 | DONE | Task 16 | Router Guild | Implement DI scope management: `CreateAsyncScope()`, set `RequestServices`, dispose on completion. |
| 19 | BRIDGE-8100-019 | DONE | Task 16 | Router Guild | Implement endpoint matching: use ASP.NET `IEndpointSelector` for correct constraint/precedence semantics. |
| 20 | BRIDGE-8100-020 | DONE | Task 19 | Router Guild | Implement identity population: map Router identity headers to `HttpContext.User` claims principal. |
| 21 | BRIDGE-8100-021 | DONE | Task 19 | Router Guild | Implement `RequestDelegate` execution with filter chain support. |
| 22 | BRIDGE-8100-022 | DONE | Task 21 | Router Guild | Implement response capture: status code, headers (filtered), body buffering, convert to `ResponseFrame`. |
| 23 | BRIDGE-8100-023 | DONE | Task 22 | Router Guild | Implement error mapping: exceptions → appropriate status codes, deterministic error responses. |
| 24 | BRIDGE-8100-024 | DONE | Tasks 16-23 | QA Guild | Add integration tests: Router frame → ASP.NET execution → response frame (controllers + minimal APIs). |
| **Wave 4 (DI Extensions & Integration)** | | | | | |
| 25 | BRIDGE-8100-025 | DONE | Tasks 1-24 | Router Guild | Implement `AddStellaRouterBridge(Action<StellaRouterBridgeOptions>)` extension method. |
| 26 | BRIDGE-8100-026 | DONE | Task 25 | Router Guild | Implement `UseStellaRouterBridge()` middleware registration (after routing, enables dispatch). |
| 27 | BRIDGE-8100-027 | DONE | Task 25 | Router Guild | Wire discovery provider into `IEndpointDiscoveryService` when bridge is enabled. |
| 28 | BRIDGE-8100-028 | DONE | Task 27 | Router Guild | Wire dispatcher into Router SDK request handling pipeline. |
| 29 | BRIDGE-8100-029 | DONE | Tasks 25-28 | QA Guild | Add integration tests: full Program.cs registration → HELLO → routed request → response. |
| **Wave 5 (Pilot Adoption & Docs)** | | | | | |
| 30 | BRIDGE-8100-030 | DONE | Pilot selection | Service Guild | Select pilot service (prefer Scanner or Concelier with maintained `AGENTS.md`). |
| 31 | BRIDGE-8100-031 | DONE | Task 30 | Service Guild | Apply bridge to pilot: add package, configure Program.cs, remove duplicate `[StellaEndpoint]` if any. |
| 32 | BRIDGE-8100-032 | DONE | Task 31 | QA Guild | Validate pilot via Gateway routing: all minimal API endpoints accessible, authorization enforced. |
| 33 | BRIDGE-8100-033 | DONE | Tasks 30-32 | Docs Guild | Update migration guide with "Strategy C: ASP.NET Endpoint Bridge" section. |
| 34 | BRIDGE-8100-034 | DONE | Tasks 30-32 | Docs Guild | Document supported/unsupported ASP.NET features, configuration options, troubleshooting. |
---
## API Design Specification
### StellaRouterBridgeOptions
```csharp
public sealed class StellaRouterBridgeOptions
{
/// <summary>
/// Service name for Router registration. Required.
/// </summary>
public required string ServiceName { get; set; }
/// <summary>
/// Service version (semver). Required.
/// </summary>
public required string Version { get; set; }
/// <summary>
/// Deployment region. Required.
/// </summary>
public required string Region { get; set; }
/// <summary>
/// Unique instance identifier. Auto-generated if not set.
/// </summary>
public string? InstanceId { get; set; }
/// <summary>
/// Strategy for mapping ASP.NET authorization to Router claims.
/// Default: Hybrid (ASP.NET metadata + YAML overrides).
/// </summary>
public AuthorizationMappingStrategy AuthorizationMapping { get; set; }
= AuthorizationMappingStrategy.Hybrid;
/// <summary>
/// Path to microservice.yaml for endpoint overrides. Optional.
/// </summary>
public string? YamlConfigPath { get; set; }
/// <summary>
/// Extract JSON schemas from Produces/Accepts metadata.
/// Default: true.
/// </summary>
public bool ExtractSchemas { get; set; } = true;
/// <summary>
/// Extract OpenAPI metadata (summary, description, tags).
/// Default: true.
/// </summary>
public bool ExtractOpenApiMetadata { get; set; } = true;
/// <summary>
/// Behavior when endpoint has no authorization metadata.
/// Default: RequireExplicit (fail if no auth and no YAML override).
/// </summary>
public MissingAuthorizationBehavior OnMissingAuthorization { get; set; }
= MissingAuthorizationBehavior.RequireExplicit;
/// <summary>
/// Behavior for unsupported route constraints.
/// Default: WarnAndStrip (log warning, strip constraint, continue).
/// </summary>
public UnsupportedConstraintBehavior OnUnsupportedConstraint { get; set; }
= UnsupportedConstraintBehavior.WarnAndStrip;
/// <summary>
/// Endpoint path filter. Only endpoints matching this predicate are bridged.
/// Default: all endpoints.
/// </summary>
public Func<RouteEndpoint, bool>? EndpointFilter { get; set; }
/// <summary>
/// Default timeout for bridged endpoints (overridable per-endpoint via YAML).
/// Default: 30 seconds.
/// </summary>
public TimeSpan DefaultTimeout { get; set; } = TimeSpan.FromSeconds(30);
}
public enum AuthorizationMappingStrategy
{
/// <summary>
/// Use only YAML overrides for RequiringClaims. ASP.NET metadata ignored.
/// </summary>
YamlOnly,
/// <summary>
/// Extract RequiringClaims from ASP.NET authorization metadata only.
/// </summary>
AspNetMetadataOnly,
/// <summary>
/// Merge ASP.NET metadata with YAML overrides. YAML takes precedence.
/// </summary>
Hybrid
}
public enum MissingAuthorizationBehavior
{
/// <summary>
/// Fail discovery if endpoint has no authorization and no YAML override.
/// </summary>
RequireExplicit,
/// <summary>
/// Allow endpoint with empty RequiringClaims (authenticated-only).
/// </summary>
AllowAuthenticated,
/// <summary>
/// Log warning but allow endpoint with empty RequiringClaims.
/// </summary>
WarnAndAllow
}
public enum UnsupportedConstraintBehavior
{
/// <summary>
/// Fail discovery if route has unsupported constraint.
/// </summary>
Fail,
/// <summary>
/// Log warning, strip constraint, continue discovery.
/// </summary>
WarnAndStrip,
/// <summary>
/// Silently strip constraint.
/// </summary>
SilentStrip
}
```
### Program.cs Registration Pattern
```csharp
var builder = WebApplication.CreateBuilder(args);
// Standard ASP.NET services
builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
// Add Router bridge (opt-in)
builder.Services.AddStellaRouterBridge(options =>
{
options.ServiceName = "scanner";
options.Version = "1.0.0";
options.Region = builder.Configuration["Region"] ?? "default";
options.YamlConfigPath = "microservice.yaml";
options.AuthorizationMapping = AuthorizationMappingStrategy.Hybrid;
options.OnMissingAuthorization = MissingAuthorizationBehavior.RequireExplicit;
});
// Add Router transport
builder.Services.AddMessagingTransportClient(); // or TCP/TLS
var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
// Enable Router bridge (after routing, before endpoints)
app.UseStellaRouterBridge();
// Standard endpoint registration
app.MapControllers();
app.MapHealthEndpoints();
app.MapScannerEndpoints();
await app.RunAsync();
```
### AspNetEndpointDescriptor
```csharp
public sealed record AspNetEndpointDescriptor
{
// === Core Identity (from EndpointDescriptor) ===
public required string ServiceName { get; init; }
public required string Version { get; init; }
public required string Method { get; init; }
public required string Path { get; init; }
public TimeSpan DefaultTimeout { get; init; } = TimeSpan.FromSeconds(30);
public bool SupportsStreaming { get; init; }
public IReadOnlyList<ClaimRequirement> RequiringClaims { get; init; } = [];
// === Parameter Metadata ===
public IReadOnlyList<ParameterDescriptor> Parameters { get; init; } = [];
// === Response Metadata ===
public IReadOnlyList<ResponseDescriptor> Responses { get; init; } = [];
// === OpenAPI Metadata ===
public string? OperationId { get; init; }
public string? Summary { get; init; }
public string? Description { get; init; }
public IReadOnlyList<string> Tags { get; init; } = [];
// === Authorization Source Info ===
public IReadOnlyList<string> AuthorizationPolicies { get; init; } = [];
public IReadOnlyList<string> Roles { get; init; } = [];
public bool AllowAnonymous { get; init; }
public AuthorizationSource AuthorizationSource { get; init; }
// === Schema Info (for OpenAPI/validation) ===
public EndpointSchemaInfo? SchemaInfo { get; init; }
// === Internal (not serialized to HELLO) ===
internal RouteEndpoint? OriginalEndpoint { get; init; }
internal string? OriginalRoutePattern { get; init; }
}
public sealed record ParameterDescriptor
{
public required string Name { get; init; }
public required ParameterSource Source { get; init; }
public required Type Type { get; init; }
public bool IsRequired { get; init; } = true;
public object? DefaultValue { get; init; }
public string? Description { get; init; }
}
public enum ParameterSource
{
Route,
Query,
Header,
Body,
Services
}
public sealed record ResponseDescriptor
{
public required int StatusCode { get; init; }
public Type? ResponseType { get; init; }
public string? Description { get; init; }
public string? ContentType { get; init; } = "application/json";
}
public enum AuthorizationSource
{
None,
AspNetMetadata,
YamlOverride,
Hybrid
}
```
---
## Wave Coordination
| Wave | Tasks | Focus | Evidence |
|------|-------|-------|----------|
| **Wave 0** | 0-2 | Project setup, API design | Project compiles, options class defined |
| **Wave 1** | 3-9 | Endpoint discovery | Deterministic discovery, full metadata extraction, unit tests pass |
| **Wave 2** | 10-15 | Authorization mapping | Policy→claims resolution, role mapping, YAML merge, unit tests pass |
| **Wave 3** | 16-24 | Request dispatch | Full pipeline execution, model binding, response capture, integration tests pass |
| **Wave 4** | 25-29 | DI integration | Program.cs pattern works, HELLO registration complete |
| **Wave 5** | 30-34 | Pilot & docs | Real service works, migration guide updated |
---
## Interlocks
| Interlock | Description | Related Sprint |
|-----------|-------------|----------------|
| Identity headers | Service-side identity must come from Gateway-overwritten headers only | 8100.0011.0002 |
| Claim types | Use `StellaOpsClaimTypes.*` for canonical claim names | 8100.0011.0002 |
| Transport parity | Messaging transport must carry all headers for identity propagation | 8100.0011.0003 |
| Route matching | Bridged discovery normalization must match Gateway OpenAPI aggregation | Router architecture |
| Determinism | Endpoint ordering must be stable across restarts | Router architecture |
---
## Upcoming Checkpoints
| Date (UTC) | Milestone | Evidence |
|------------|-----------|----------|
| 2026-01-06 | Wave 0-1 complete | Project created, discovery provider passes determinism tests |
| 2026-01-13 | Wave 2 complete | Authorization mapping passes all unit tests |
| 2026-01-27 | Wave 3 complete | Dispatch integration tests pass (minimal API + controllers) |
| 2026-02-03 | Wave 4 complete | Full Program.cs integration works end-to-end |
| 2026-02-17 | Wave 5 complete | Pilot service operational, docs updated |
---
## Decisions & Risks
### Decisions
| Decision | Rationale |
|----------|-----------|
| ASP.NET endpoint registration is single source of truth | Eliminates route drift, reduces maintenance |
| YAML overrides supplement (not replace) ASP.NET metadata | Allows security hardening without code changes |
| Use ASP.NET matcher for dispatch | Preserves constraint semantics, route precedence |
| Extract full OpenAPI metadata | Enables accurate Gateway OpenAPI aggregation |
| Require explicit authorization | Prevents accidental public exposure |
### Risks
| Risk | Impact | Mitigation | Owner |
|------|--------|------------|-------|
| Route matching drift vs ASP.NET | Incorrect routing | Use ASP.NET's own matcher; extensive tests | Router Guild |
| Missing authorization on bridged endpoints | Privilege escalation | `RequireExplicit` default; fail-fast | Platform Guild |
| Model binding failures | Request errors | Comprehensive parameter extraction; tests | Router Guild |
| Filter execution order | Incorrect behavior | Execute via standard `RequestDelegate`; tests | Router Guild |
| Performance overhead of synthetic HttpContext | Latency | Benchmark; pool contexts if needed | Platform Guild |
| Pilot selection blocked | Sprint stalls | Pre-identify pilot in Wave 0 | Project Mgmt |
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-23 | Sprint created; initial design in `aspnet-endpoint-bridge.md` | Project Mgmt |
| 2025-12-24 | Sprint revised with comprehensive ASP.NET feature coverage | Project Mgmt |
| 2025-12-24 | Implementation audit: Waves 0-4 substantially complete (project, discovery, auth mapping, dispatch, DI extensions all implemented in `StellaOps.Microservice.AspNetCore`). Pilot services integrated via `TryAddStellaRouter()` pattern across all WebServices. Remaining work: unit tests, integration tests, YAML override feature, documentation. | Platform Guild |
| 2025-12-25 | Wave 5 complete: Tasks 32-34 done. Added Strategy C (ASP.NET Endpoint Bridge) to migration guide. Added comprehensive Troubleshooting section to aspnet-endpoint-bridge.md with 7 common issues, diagnostic endpoints, and logging categories. All 35 tasks now DONE. Sprint complete. | Docs Guild |

0
docs/implplan/SPRINT_8100_0011_0002_gateway_identity_header_hardening.md → docs/implplan/archived/SPRINT_8100_0011_0002_gateway_identity_header_hardening.md
View File

0
docs/implplan/SPRINT_8100_0011_0003_gateway_valkey_messaging_transport.md → docs/implplan/archived/SPRINT_8100_0011_0003_gateway_valkey_messaging_transport.md
View File