Harden runtime HTTP transport lifecycles

src/__Libraries/__Tests/StellaOps.Infrastructure.Postgres.Tests/RuntimePostgresConstructionConventionTests.cs

@@ -0,0 +1,167 @@
+using FluentAssertions;
+using StellaOps.TestKit;
+using Xunit;
+
+namespace StellaOps.Infrastructure.Postgres.Tests;
+
+[Trait("Category", TestCategories.Unit)]
+public sealed class RuntimePostgresConstructionConventionTests
+{
+    private static readonly string RepoRoot = FindRepoRoot();
+    private static readonly HashSet<string> AllowedRuntimeRawConnectionFiles = new(StringComparer.Ordinal)
+    {
+        "src/Cli/__Libraries/StellaOps.Cli.Plugins.Aoc/AocVerificationService.cs",
+        "src/Cli/StellaOps.Cli/Commands/Setup/Steps/Implementations/DatabaseSetupStep.cs",
+        "src/Cli/StellaOps.Cli/Services/MigrationCommandService.cs",
+        "src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Postgres/Checks/PostgresConnectionPoolCheck.cs",
+        "src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Postgres/Checks/PostgresConnectivityCheck.cs",
+        "src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Postgres/Checks/PostgresMigrationStatusCheck.cs",
+        "src/Platform/StellaOps.Platform.WebService/Services/PlatformMigrationAdminService.cs",
+        "src/Workflow/__Libraries/StellaOps.Workflow.DataStore.PostgreSQL/PostgresWorkflowDatabase.cs",
+        "src/__Libraries/StellaOps.Doctor.Plugins.Database/Checks/DatabaseCheckBase.cs",
+        "src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/MigrationRunner.cs",
+        "src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/StartupMigrationHost.cs",
+    };
+    private static readonly HashSet<string> AllowedRuntimeValkeyConnectionFiles = new(StringComparer.Ordinal)
+    {
+        "src/Cli/StellaOps.Cli/Commands/Setup/Steps/Implementations/CacheSetupStep.cs",
+        "src/Tools/NotifySmokeCheck/NotifySmokeCheckRunner.cs",
+        "src/__Libraries/StellaOps.TestKit/Fixtures/ValkeyFixture.cs",
+    };
+    private static readonly string[] KnownHttpLifecycleHotspots =
+    [
+        "src/Attestor/__Libraries/StellaOps.Attestor.TrustRepo/TrustRepoServiceCollectionExtensions.cs",
+        "src/Attestor/__Libraries/StellaOps.Attestor.TrustRepo/TrustRepoServiceCollectionExtensions.Offline.cs",
+        "src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/Oci/TrustVerdictOciAttacher.cs",
+        "src/Integrations/StellaOps.Integrations.WebService/FeedMirrorConnectorPlugins.cs",
+        "src/Integrations/StellaOps.Integrations.WebService/ObjectStorageConnectorPlugins.cs",
+        "src/Platform/StellaOps.Platform.WebService/Services/IdentityProviderManagementService.cs",
+        "src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.IntegrationHub/Connectors/Registry/AcrConnector.cs",
+        "src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.IntegrationHub/Connectors/Registry/DockerHubConnector.cs",
+        "src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.IntegrationHub/Connectors/Registry/EcrConnector.cs",
+        "src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.IntegrationHub/Connectors/Registry/GcrConnector.cs",
+        "src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.IntegrationHub/Connectors/Vault/AwsSecretsManagerConnector.cs",
+        "src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.IntegrationHub/Connectors/Vault/AzureKeyVaultConnector.cs",
+        "src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.IntegrationHub/Connectors/Vault/HashiCorpVaultConnector.cs",
+        "src/__Libraries/StellaOps.Artifact.Core/Api/ArtifactController.FetchHttp.cs",
+        "src/__Libraries/StellaOps.Verdict/Oci/OciAttestationPublisher.cs",
+    ];
+
+    [Fact]
+    public void Runtime_code_does_not_use_anonymous_NpgsqlDataSource_Create()
+    {
+        var offenders = EnumerateRuntimeSourceFiles()
+            .Where(file => File.ReadAllText(file).Contains("NpgsqlDataSource.Create(", StringComparison.Ordinal))
+            .Select(ToRelativePath)
+            .ToList();
+
+        offenders.Should().BeEmpty(
+            "runtime PostgreSQL callers should use a named data source or the shared PostgreSQL policy path");
+    }
+
+    [Fact]
+    public void Runtime_data_source_builders_must_apply_runtime_attribution()
+    {
+        var offenders = EnumerateRuntimeSourceFiles()
+            .Where(file =>
+            {
+                var content = File.ReadAllText(file);
+                return content.Contains("new NpgsqlDataSourceBuilder(", StringComparison.Ordinal)
+                    && !content.Contains("ApplicationName", StringComparison.Ordinal)
+                    && !content.Contains("PostgresConnectionStringPolicy", StringComparison.Ordinal);
+            })
+            .Select(ToRelativePath)
+            .ToList();
+
+        offenders.Should().BeEmpty(
+            "runtime NpgsqlDataSourceBuilder call sites must stamp ApplicationName explicitly or flow through PostgresConnectionStringPolicy");
+    }
+
+    [Fact]
+    public void Runtime_code_does_not_use_raw_NpgsqlConnection_outside_allowlist()
+    {
+        var offenders = EnumerateRuntimeSourceFiles()
+            .Where(file => File.ReadAllText(file).Contains("new NpgsqlConnection(", StringComparison.Ordinal))
+            .Select(ToRelativePath)
+            .Where(file => !AllowedRuntimeRawConnectionFiles.Contains(file))
+            .ToList();
+
+        offenders.Should().BeEmpty(
+            "runtime PostgreSQL callers should use named data sources unless they are an explicit CLI/setup/migration/diagnostic exception");
+    }
+
+    [Fact]
+    public void Runtime_valkey_connections_must_stamp_client_name()
+    {
+        var offenders = EnumerateRuntimeSourceFiles()
+            .Where(file =>
+            {
+                var content = File.ReadAllText(file);
+                var relativePath = ToRelativePath(file);
+                var usesValkeyMultiplexer =
+                    content.Contains("ConnectionMultiplexer.Connect(", StringComparison.Ordinal)
+                    || content.Contains("ConnectionMultiplexer.ConnectAsync(", StringComparison.Ordinal);
+
+                if (!usesValkeyMultiplexer || AllowedRuntimeValkeyConnectionFiles.Contains(relativePath))
+                {
+                    return false;
+                }
+
+                return !content.Contains("ClientName", StringComparison.Ordinal);
+            })
+            .Select(ToRelativePath)
+            .ToList();
+
+        offenders.Should().BeEmpty(
+            "runtime Valkey callers should stamp a stable ClientName unless they are an explicit CLI/tooling exception");
+    }
+
+    [Fact]
+    public void Known_runtime_http_hotspots_do_not_allocate_ad_hoc_HttpClient()
+    {
+        var offenders = EnumerateRuntimeSourceFiles()
+            .Where(file => KnownHttpLifecycleHotspots.Contains(ToRelativePath(file)))
+            .Where(file => File.ReadAllText(file).Contains("new HttpClient(", StringComparison.Ordinal))
+            .Select(ToRelativePath)
+            .ToList();
+
+        offenders.Should().BeEmpty(
+            "the scoped HTTP hardening waves removed raw runtime HttpClient allocation from the known host-owned hotspots");
+    }
+
+    private static IEnumerable<string> EnumerateRuntimeSourceFiles()
+    {
+        var srcRoot = Path.Combine(RepoRoot, "src");
+        return Directory.EnumerateFiles(srcRoot, "*.cs", SearchOption.AllDirectories)
+            .Where(file => !PathSegments(file).Any(segment => segment.EndsWith(".Tests", StringComparison.Ordinal)))
+            .Where(file => !PathSegments(file).Any(segment => segment.EndsWith(".Benchmarks", StringComparison.Ordinal)))
+            .Where(file => !file.Contains($"{Path.DirectorySeparatorChar}Testing{Path.DirectorySeparatorChar}", StringComparison.Ordinal))
+            .Where(file => !file.Contains($"{Path.DirectorySeparatorChar}__Tests{Path.DirectorySeparatorChar}", StringComparison.Ordinal))
+            .Where(file => !file.Contains($"{Path.DirectorySeparatorChar}bin{Path.DirectorySeparatorChar}", StringComparison.Ordinal))
+            .Where(file => !file.Contains($"{Path.DirectorySeparatorChar}obj{Path.DirectorySeparatorChar}", StringComparison.Ordinal));
+    }
+
+    private static string FindRepoRoot()
+    {
+        var current = new DirectoryInfo(AppContext.BaseDirectory);
+        while (current is not null)
+        {
+            var srcPath = Path.Combine(current.FullName, "src");
+            var docsPath = Path.Combine(current.FullName, "docs");
+            if (Directory.Exists(srcPath) && Directory.Exists(docsPath))
+            {
+                return current.FullName;
+            }
+
+            current = current.Parent;
+        }
+
+        throw new InvalidOperationException("Failed to locate the Stella Ops repository root from the test output directory.");
+    }
+
+    private static string ToRelativePath(string fullPath)
+        => Path.GetRelativePath(RepoRoot, fullPath).Replace('\\', '/');
+
+    private static IEnumerable<string> PathSegments(string fullPath)
+        => fullPath.Split(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
+}

src/__Libraries/__Tests/StellaOps.Infrastructure.Postgres.Tests/TASKS.md

@@ -5,6 +5,7 @@ Source of truth: `docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229
 
 | Task ID | Status | Notes |
 | --- | --- | --- |
+| SPRINT_20260405_011-XPORT-GUARD | DONE | `docs/implplan/SPRINT_20260405_011___Libraries_transport_pooling_and_attribution_hardening.md`: shared PostgreSQL/Valkey transport policy tests and static guardrails for runtime transport construction plus the scoped second-wave HTTP hotspot regressions. |
 | AUDIT-0028-M | DONE | Revalidated 2026-01-08; open findings tracked in audit report. |
 | AUDIT-0028-T | DONE | Revalidated 2026-01-08; open findings tracked in audit report. |
 | AUDIT-0028-A | DONE | Waived (test project; revalidated 2026-01-08). |