archive audit attempts

docs-archived/implplan-blocked/audits/csproj-standards/Policy/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.md

@@ -0,0 +1,69 @@
+# Audit - StellaOps.Policy.Gateway
+
+## Project
+- Path: `src/Policy/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.csproj`
+- Module: `Policy`
+- Kind: `WebService`
+- SDK: `Microsoft.NET.Sdk.Web`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 24
+- Service locator usage (BuildServiceProvider/GetService): 3
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/GatesEndpoints.cs` (1002 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/GovernanceEndpoints.cs` (931 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/ExceptionApprovalEndpoints.cs` (874 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Program.cs` (664 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Services/ExceptionService.cs` (605 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/ExceptionEndpoints.cs` (559 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/ScoreGateEndpoints.cs` (550 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Contracts/ExceptionContracts.cs` (466 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Contracts/ScoreGateContracts.cs` (445 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/RegistryWebhookEndpoints.cs` (406 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/GateEndpoints.cs` (400 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/DeltasEndpoints.cs` (373 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Options/PolicyGatewayOptions.cs` (323 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Contracts/DeltaContracts.cs` (293 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Services/ApprovalWorkflowService.cs` (275 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Clients/PolicyEngineClient.cs` (256 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Contracts/GateContracts.cs` (243 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Services/PolicyGatewayDpopProofGenerator.cs` (239 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Services/ExceptionExpiryWorker.cs` (235 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Services/IExceptionService.cs` (234 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Services/ExceptionQueryService.cs` (227 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/ToolLatticeEndpoints.cs` (209 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Services/InMemoryGateEvaluationQueue.cs` (184 lines)
+  - `src/Policy/StellaOps.Policy.Gateway/Services/PolicyEngineTokenProvider.cs` (123 lines)
+- Service locator matches:
+  - `src/Policy/StellaOps.Policy.Gateway/Services/InMemoryGateEvaluationQueue.cs`:147 var evaluator = scope.ServiceProvider.GetRequiredService<IDriftGateEvaluator>();
+  - `src/Policy/StellaOps.Policy.Gateway/Program.cs`:246 var egressPolicy = serviceProvider.GetService<IEgressPolicy>();
+  - `src/Policy/StellaOps.Policy.Gateway/Program.cs`:598 var loggerFactory = provider.GetService<ILoggerFactory>();
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: src/Policy/__Tests/StellaOps.Policy.Gateway.Tests/StellaOps.Policy.Gateway.Tests.csproj [Unit]
+- Missing layers: Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Intent tagging required for regulatory modules.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.