stela ops usage fixes roles propagation and timoeut, one account to support multi tenants, migrations consolidation, search to support documentation, doctor and open api vector db search

src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Authorization/AuthorizationMiddlewareTests.cs

@@ -46,7 +46,7 @@ public sealed class AuthorizationMiddlewareTests
     public async Task InvokeAsync_NoClaims_CallsNext()
     {
         // Arrange
-        var context = CreateHttpContextWithEndpoint();
+        var context = CreateHttpContextWithEndpoint([new Claim("sub", "alice")]);
         _claimsStore
             .Setup(s => s.GetEffectiveClaims("test-service", "GET", "/api/test"))
             .Returns(Array.Empty<ClaimRequirement>());
@@ -59,6 +59,27 @@ public sealed class AuthorizationMiddlewareTests
         context.Response.StatusCode.Should().NotBe(403);
     }
 
+    [Fact]
+    public async Task InvokeAsync_LegacyMetadataWithoutAuthFlag_FailsClosedWith401()
+    {
+        var endpoint = new EndpointDescriptor
+        {
+            ServiceName = "test-service",
+            Version = "1.0.0",
+            Method = "GET",
+            Path = "/api/test",
+            AllowAnonymous = false,
+            RequiresAuthentication = false
+        };
+
+        var context = CreateHttpContextWithEndpoint(endpoint: endpoint);
+
+        await _middleware.InvokeAsync(context);
+
+        _next.Verify(n => n(It.IsAny<HttpContext>()), Times.Never);
+        context.Response.StatusCode.Should().Be(401);
+    }
+
     [Fact]
     public async Task InvokeAsync_UserHasRequiredClaims_CallsNext()
     {
@@ -215,7 +236,7 @@ public sealed class AuthorizationMiddlewareTests
     public async Task InvokeAsync_ForbiddenResponse_ContainsErrorDetails()
     {
         // Arrange
-        var context = CreateHttpContextWithEndpoint();
+        var context = CreateHttpContextWithEndpoint([new Claim("sub", "alice")]);
         context.Response.Body = new MemoryStream();
 
         _claimsStore
@@ -233,18 +254,39 @@ public sealed class AuthorizationMiddlewareTests
         context.Response.ContentType.Should().Contain("application/json");
     }
 
+    [Fact]
+    public async Task InvokeAsync_AllowAnonymousEndpoint_CallsNextWithoutAuthentication()
+    {
+        var endpoint = new EndpointDescriptor
+        {
+            ServiceName = "test-service",
+            Version = "1.0.0",
+            Method = "GET",
+            Path = "/api/test",
+            AllowAnonymous = true
+        };
+
+        var context = CreateHttpContextWithEndpoint(endpoint: endpoint);
+
+        await _middleware.InvokeAsync(context);
+
+        _next.Verify(n => n(context), Times.Once);
+    }
+
     private static HttpContext CreateHttpContext()
     {
         var context = new DefaultHttpContext();
         return context;
     }
 
-    private static HttpContext CreateHttpContextWithEndpoint(Claim[]? userClaims = null)
+    private static HttpContext CreateHttpContextWithEndpoint(
+        Claim[]? userClaims = null,
+        EndpointDescriptor? endpoint = null)
     {
         var context = new DefaultHttpContext();
 
         // Set resolved endpoint
-        var endpoint = new EndpointDescriptor
+        endpoint ??= new EndpointDescriptor
         {
             ServiceName = "test-service",
             Version = "1.0.0",