Tests fixes, audit progress, UI completions

src/__Libraries/StellaOps.Audit.ReplayToken/AGENTS.md

@@ -0,0 +1,22 @@
+# Audit ReplayToken AGENTS
+
+## Purpose & Scope
+- Working directory: `src/__Libraries/StellaOps.Audit.ReplayToken/`.
+- Roles: backend engineer, QA automation.
+- Focus: deterministic replay token generation, canonicalization, expiration handling, and replay CLI snippet generation.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep token generation deterministic (stable ordering, invariant formatting).
+- Preserve offline/air-gap posture (no network calls).
+- Validate inputs explicitly and use stable error semantics.
+- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions; prefer deterministic fixtures.
+- Cover canonicalization, parsing, expiration, and CLI snippet formatting.

src/__Libraries/StellaOps.Audit.ReplayToken/TASKS.md

@@ -0,0 +1,10 @@
+# Audit ReplayToken Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0073-M | DONE | Maintainability audit for StellaOps.Audit.ReplayToken. |
+| AUDIT-0073-T | DONE | Test coverage audit for StellaOps.Audit.ReplayToken. |
+| AUDIT-0073-A | TODO | Pending approval for changes. |

src/__Libraries/StellaOps.AuditPack/AGENTS.md

@@ -0,0 +1,22 @@
+# AuditPack AGENTS
+
+## Purpose & Scope
+- Working directory: `src/__Libraries/StellaOps.AuditPack/`.
+- Roles: backend engineer, QA automation.
+- Focus: audit pack creation/import/export, offline bundles, DSSE signing, and replay determinism.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep outputs deterministic (stable ordering, time/ID injection).
+- Preserve offline/air-gap posture; avoid network calls in replay paths.
+- Validate archive extraction paths and signature verification explicitly.
+- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions.
+- Cover bundle writer/reader/importer, signing verification, and replay determinism.

src/__Libraries/StellaOps.AuditPack/Services/AuditPackBuilder.cs

@@ -176,12 +176,14 @@ public sealed class AuditPackBuilder : IAuditPackBuilder
         await TarFile.CreateFromDirectoryAsync(sourceDir, tarPath, includeBaseDirectory: false, ct);
 
         // Compress to tar.gz
-        using var tarStream = File.OpenRead(tarPath);
-        using var gzStream = File.Create(outputPath);
-        using var gzip = new GZipStream(gzStream, CompressionLevel.Optimal);
-        await tarStream.CopyToAsync(gzip, ct);
+        using (var tarStream = File.OpenRead(tarPath))
+        using (var gzStream = File.Create(outputPath))
+        using (var gzip = new GZipStream(gzStream, CompressionLevel.Optimal))
+        {
+            await tarStream.CopyToAsync(gzip, ct);
+        }
 
-        // Clean up uncompressed tar
+        // Clean up uncompressed tar after streams are closed.
         File.Delete(tarPath);
     }
 

src/__Libraries/StellaOps.AuditPack/TASKS.md

@@ -0,0 +1,10 @@
+# AuditPack Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0075-M | DONE | Maintainability audit for StellaOps.AuditPack. |
+| AUDIT-0075-T | DONE | Test coverage audit for StellaOps.AuditPack. |
+| AUDIT-0075-A | TODO | Pending approval for changes. |

src/__Libraries/StellaOps.Auth.Security/AGENTS.md

@@ -0,0 +1,23 @@
+# Auth Security AGENTS
+
+## Purpose & Scope
+- Working directory: `src/__Libraries/StellaOps.Auth.Security/`.
+- Roles: backend engineer, QA automation.
+- Focus: DPoP proof validation, nonce issuance/consumption, replay cache strategies, and security primitives.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/authority/architecture.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep validation deterministic (TimeProvider) and avoid nondeterministic RNG in tests.
+- Normalize inputs consistently across nonce stores; avoid mutable shared state.
+- Respect offline/air-gap posture and keep secrets out of logs.
+- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + TestKit.
+- Cover DPoP validation (algorithms, htm/htu/nonce, clock skew, replay), nonce stores, and replay cache behavior.

src/__Libraries/StellaOps.Auth.Security/TASKS.md

@@ -0,0 +1,10 @@
+# Auth Security Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0082-M | DONE | Maintainability audit for StellaOps.Auth.Security. |
+| AUDIT-0082-T | DONE | Test coverage audit for StellaOps.Auth.Security. |
+| AUDIT-0082-A | TODO | Pending approval for changes. |

src/__Libraries/StellaOps.Canonical.Json.Tests/AGENTS.md

@@ -0,0 +1,28 @@
+# Canonical Json Tests Charter
+
+## Mission
+Own test coverage for canonical JSON serialization and hashing. Keep tests deterministic and offline-friendly.
+
+## Responsibilities
+- Maintain `StellaOps.Canonical.Json.Tests`.
+- Validate canonicalization and versioning behavior with stable inputs.
+- Surface open work on `TASKS.md`; update statuses (TODO/DOING/DONE/BLOCKED/REVIEW).
+
+## Key Paths
+- `CanonJsonTests.cs`
+- `CanonVersionTests.cs`
+
+## Coordination
+- Canonical Json library owners.
+- Attestor/Proof teams for hash and canonicalization contracts.
+
+## Required Reading
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+
+## Working Agreement
+- 1. Update task status to `DOING`/`DONE` in both corresponding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
+- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
+- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
+- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
+- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

src/__Libraries/StellaOps.Canonical.Json.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Canonical Json Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0131-M | DONE | Maintainability audit for StellaOps.Canonical.Json.Tests. |
+| AUDIT-0131-T | DONE | Test coverage audit for StellaOps.Canonical.Json.Tests. |
+| AUDIT-0131-A | TODO | Pending approval for changes. |

src/__Libraries/StellaOps.Canonical.Json/AGENTS.md

@@ -0,0 +1,29 @@
+# Canonical Json Charter
+
+## Mission
+Own deterministic canonical JSON serialization and hashing for content-addressed proofs.
+
+## Responsibilities
+- Maintain `StellaOps.Canonical.Json` canonicalization logic and version markers.
+- Keep outputs deterministic, spec-aligned, and offline-friendly.
+- Surface open work on `TASKS.md`; update statuses (TODO/DOING/DONE/BLOCKED/REVIEW).
+
+## Key Paths
+- `CanonJson.cs`
+- `CanonVersion.cs`
+- `README.md`
+
+## Coordination
+- Attestor and Proof/Evidence owners for canonicalization contracts.
+- Scanner and Policy teams for hash usage.
+
+## Required Reading
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+
+## Working Agreement
+- 1. Update task status to `DOING`/`DONE` in both corresponding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
+- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
+- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
+- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
+- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

src/__Libraries/StellaOps.Canonical.Json/TASKS.md

@@ -0,0 +1,10 @@
+# Canonical Json Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0130-M | DONE | Maintainability audit for StellaOps.Canonical.Json. |
+| AUDIT-0130-T | DONE | Test coverage audit for StellaOps.Canonical.Json. |
+| AUDIT-0130-A | TODO | Pending approval for changes. |

src/__Libraries/StellaOps.Canonicalization/AGENTS.md

@@ -0,0 +1,30 @@
+# Canonicalization Charter
+
+## Mission
+Own canonicalization helpers for ordering and deterministic JSON serialization.
+
+## Responsibilities
+- Maintain `StellaOps.Canonicalization` ordering, culture, and JSON helpers.
+- Keep deterministic behavior consistent across environments.
+- Surface open work on `TASKS.md`; update statuses (TODO/DOING/DONE/BLOCKED/REVIEW).
+
+## Key Paths
+- `Json/CanonicalJsonSerializer.cs`
+- `Ordering/Orderers.cs`
+- `Culture/InvariantCulture.cs`
+- `Verification/DeterminismVerifier.cs`
+
+## Coordination
+- Canonical Json library owners for overlapping JSON rules.
+- Attestor/Proof teams for deterministic hashing expectations.
+
+## Required Reading
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+
+## Working Agreement
+- 1. Update task status to `DOING`/`DONE` in both corresponding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
+- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
+- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
+- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
+- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

src/__Libraries/StellaOps.Canonicalization/TASKS.md

@@ -0,0 +1,10 @@
+# Canonicalization Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0132-M | DONE | Maintainability audit for StellaOps.Canonicalization. |
+| AUDIT-0132-T | DONE | Test coverage audit for StellaOps.Canonicalization. |
+| AUDIT-0132-A | TODO | Pending approval for changes. |

src/__Libraries/StellaOps.Infrastructure.Postgres/Connections/DataSourceBase.cs

@@ -40,7 +40,7 @@ public abstract class DataSourceBase : IAsyncDisposable
         Options = options;
         _logger = logger;
 
-        var builder = new NpgsqlDataSourceBuilder(options.ConnectionString)
+        var builder = new NpgsqlDataSourceBuilder(BuildConnectionString(options))
         {
             Name = ModuleName
         };
@@ -239,4 +239,16 @@ public abstract class DataSourceBase : IAsyncDisposable
 
         return connection;
     }
+
+    private static string BuildConnectionString(PostgresOptions options)
+    {
+        var builder = new NpgsqlConnectionStringBuilder(options.ConnectionString)
+        {
+            Pooling = options.Pooling,
+            MaxPoolSize = options.MaxPoolSize,
+            MinPoolSize = options.MinPoolSize
+        };
+
+        return builder.ToString();
+    }
 }

src/__Libraries/__Tests/StellaOps.AuditPack.Tests/AGENTS.md

@@ -0,0 +1,22 @@
+# AuditPack Tests (Libraries) AGENTS
+
+## Purpose & Scope
+- Working directory: `src/__Libraries/__Tests/StellaOps.AuditPack.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: integration and unit coverage for audit bundle writer/reader/exporter and replay flows.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep tests deterministic (fixed time/IDs, stable fixtures).
+- Categorize integration/E2E tests distinctly from unit suites.
+- Clean up temp artifacts and avoid cross-test coupling.
+- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + TestKit.
+- Prefer isolated temp directories with explicit cleanup.

src/__Libraries/__Tests/StellaOps.AuditPack.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# AuditPack Tests (Libraries) Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0076-M | DONE | Maintainability audit for StellaOps.AuditPack.Tests (libraries). |
+| AUDIT-0076-T | DONE | Test coverage audit for StellaOps.AuditPack.Tests (libraries). |
+| AUDIT-0076-A | TODO | Pending approval for changes. |

src/__Libraries/__Tests/StellaOps.Canonicalization.Tests/AGENTS.md

@@ -0,0 +1,28 @@
+# Canonicalization Tests Charter
+
+## Mission
+Own test coverage for canonicalization utilities and ordering helpers.
+
+## Responsibilities
+- Maintain `StellaOps.Canonicalization.Tests`.
+- Validate determinism, ordering, and JSON output stability.
+- Surface open work on `TASKS.md`; update statuses (TODO/DOING/DONE/BLOCKED/REVIEW).
+
+## Key Paths
+- `CanonicalJsonSerializerTests.cs`
+- `Properties/CanonicalJsonProperties.cs`
+
+## Coordination
+- Canonicalization library owners.
+- Canonical Json library owners for shared semantics.
+
+## Required Reading
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+
+## Working Agreement
+- 1. Update task status to `DOING`/`DONE` in both corresponding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
+- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
+- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
+- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
+- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

src/__Libraries/__Tests/StellaOps.Canonicalization.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Canonicalization Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0133-M | DONE | Maintainability audit for StellaOps.Canonicalization.Tests. |
+| AUDIT-0133-T | DONE | Test coverage audit for StellaOps.Canonicalization.Tests. |
+| AUDIT-0133-A | TODO | Pending approval for changes. |