stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Complete release compatibility and host inventory sprints

Browse Source 
Signed-off-by: master <>
This commit is contained in:
master
2026-03-31 23:53:45 +03:00
parent b6bf113b99
commit f96c6cb9ed
33 changed files with 2322 additions and 362 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
docs-archived/implplan/2026-03-31-completed-sprints/SPRINT_20260323_001_BE_release_api_proxy_and_endpoints.md Normal file
View File

@@ -0,0 +1,120 @@
# Sprint 20260323-001 - Release API Proxy Fix + Missing Backend Endpoints
## Topic & Scope
- Close the Console release-management compatibility gaps across proxying, deployment monitoring, evidence inspection, environment management, dashboard actions, and registry search.
- Keep the implementation deterministic and local-first so Console flows work without introducing external service dependencies.
- Working directory: `src/JobEngine/`.
- Expected evidence: targeted xUnit verification for JobEngine, Platform, ReleaseOrchestrator, and Scanner compatibility surfaces plus route inspection for the console proxy rewrites.
## Dependencies & Concurrency
- TASK-001 is the route-discovery prerequisite for Console compatibility.
- TASK-002 through TASK-006 were safe to execute in parallel once the route map was verified.
- Cross-module edits were explicitly allowed in `devops/docker/Dockerfile.console`, `src/Platform/StellaOps.Platform.WebService/`, `src/ReleaseOrchestrator/`, and `src/Scanner/`.
## Documentation Prerequisites
- `docs/modules/release-orchestrator/architecture.md`
- `docs/modules/platform/platform-service.md`
- `docs/modules/jobengine/architecture.md`
- `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/ReleaseEndpoints.cs`
- `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/ApprovalEndpoints.cs`
## Delivery Tracker
### TASK-001 - Fix nginx proxy routes for release APIs
Status: DONE
Dependency: none
Owners: DevOps / FE
Task description:
- Verified the existing Console proxy rewrites in `devops/docker/Dockerfile.console` for `/api/v2/releases/*`, `/api/v1/release-control/*`, and `/api/v1/registries/*`.
- No additional proxy or Web client edits were required during sprint closeout because the release-compatible routes were already present.
Completion criteria:
- [x] Console proxy contains release/read-model rewrites for `/api/v2/releases/*`
- [x] Console proxy contains release-control rewrites for `/api/v1/release-control/*`
- [x] Console proxy contains Scanner rewrites for `/api/v1/registries/*`
- [x] No further proxy edits were required to complete the backend compatibility work
### TASK-002 - Deployment monitoring endpoints (11 endpoints)
Status: DONE
Dependency: TASK-001
Owners: BE (JobEngine)
Task description:
- Deployment monitoring compatibility endpoints under `/api/v1/release-orchestrator/deployments/*` were already implemented in JobEngine and were verified as part of sprint closeout.
- Verification focused on list/detail and lifecycle routes used by the Console release-management surface.
Completion criteria:
- [x] All 11 deployment compatibility endpoints return non-404 responses
- [x] `GET /api/v1/release-orchestrator/deployments` returns a list payload
- [x] Lifecycle routes such as `pause` return success responses
- [x] Auth policies remain enforced on read vs operate routes
### TASK-003 - Evidence management endpoints (6 endpoints)
Status: DONE
Dependency: TASK-001
Owners: BE (JobEngine)
Task description:
- Completed deterministic evidence verification/export behavior in JobEngine.
- `verify`, `export`, and `raw` now all operate on the same raw payload bytes and use stable hash recomputation.
Completion criteria:
- [x] All 6 evidence compatibility endpoints return valid responses
- [x] Verify endpoint recomputes and checks hash integrity
- [x] Export returns a downloadable deterministic bundle
### TASK-004 - Environment/Target management endpoints (15 endpoints)
Status: DONE
Dependency: TASK-001
Owners: BE (Platform)
Task description:
- Added a Platform-hosted compatibility facade for `/api/v1/release-orchestrator/environments/*`.
- The facade exposes environment CRUD, target CRUD with health-check, and freeze-window CRUD using deterministic in-memory Release Orchestrator services.
Completion criteria:
- [x] Environment CRUD works
- [x] Target CRUD within environments works
- [x] Health check returns target status
- [x] Freeze window CRUD works
### TASK-005 - Release dashboard endpoint (3 endpoints)
Status: DONE
Dependency: TASK-001
Owners: BE (JobEngine)
Task description:
- Completed the release dashboard compatibility surface in JobEngine.
- Promotion approve/reject actions now persist state in a per-app-instance decision overlay instead of returning static seed data.
Completion criteria:
- [x] Dashboard returns aggregated stats
- [x] Approve/reject promotion updates approval status
### TASK-006 - Registry image search in Scanner service
Status: DONE
Dependency: none
Owners: BE (Scanner)
Task description:
- Verified the Scanner registry search endpoints and removed non-deterministic unknown-repository digest generation.
- Unknown repositories now derive fallback digests from the repository name, keeping wizard flows stable across requests.
Completion criteria:
- [x] Search returns image results for common queries
- [x] Digests returns tags plus SHA digests for a repository
- [x] Registry search/digest responses are deterministic across requests
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-23 | Sprint created. TASK-001 identified as the route compatibility prerequisite. | Planning |
| 2026-03-31 | Verified existing Console proxy rewrites in `devops/docker/Dockerfile.console`; no new proxy edits were required in this closeout. | Developer (BE) |
| 2026-03-31 | Shipped Platform environment compatibility endpoints, deterministic JobEngine evidence/dashboard updates, and deterministic Scanner registry fallback digests. | Developer (BE) |
| 2026-03-31 | Verification completed with targeted xUnit runners: Platform `6/6`, JobEngine `3/3`, Scanner `2/2`, ReleaseOrchestrator environment coverage `27/27`. | Developer (BE) |
## Decisions & Risks
- TASK-001 was resolved by validating existing proxy rewrites rather than introducing more Console changes late in the sprint.
- Environment/target/freeze-window compatibility is hosted in Platform for now and documented in `docs/modules/platform/platform-service.md`.
- Dashboard and evidence compatibility remain in JobEngine and are documented in `docs/modules/jobengine/architecture.md`.
- Full Playwright Console regression was not rerun in this closeout; backend compatibility was verified with targeted endpoint tests instead.
- Release Orchestrator compatibility docs were updated in `docs/modules/release-orchestrator/architecture.md` to reflect the current multi-service HTTP surface.
## Next Checkpoints
- Archive after project-manager review confirms no follow-up UI-only work is required.
- If Console regression coverage is needed later, run a dedicated Playwright sweep against the now-complete backend compatibility surface.

87
docs-archived/implplan/2026-03-31-completed-sprints/SPRINT_20260331_002_BE_host_infrastructure_and_inventory.md Normal file
View File

@@ -0,0 +1,87 @@
# Sprint 20260331-002 - Host Infrastructure: SSH/WinRM Targets, Inventory Collection, Topology Enrichment
## Topic & Scope
- Add SSH and WinRM as first-class Release Orchestrator target connection types.
- Replace the stub inventory collector with an agent-dispatched collector that can parse Docker inventory output and return explicit error snapshots.
- Enrich Platform topology host projections with deterministic probe metadata derived from the topology snapshot.
- Working directory: `src/ReleaseOrchestrator/`.
- Expected evidence: dotnet build success plus targeted xUnit verification for SSH/WinRM config round-trips, inventory parsing/error handling, and topology probe projection fields.
## Dependencies & Concurrency
- No upstream sprint dependency; safe to execute in parallel with other release-control cleanup work.
- Sprint 003 (host UI + environment verification) depends on these APIs and contracts.
- Cross-module edits are explicitly allowed in `src/Platform/StellaOps.Platform.WebService/` for topology projection and compatibility wiring.
## Documentation Prerequisites
- `docs/modules/release-orchestrator/architecture.md`
- `docs/modules/platform/platform-service.md`
- `src/ReleaseOrchestrator/__Agents/StellaOps.Agent.Ssh/SshCapability.cs`
- `src/ReleaseOrchestrator/__Agents/StellaOps.Agent.WinRM/WinRmCapability.cs`
- `src/Signals/StellaOps.Signals.RuntimeAgent/`
## Delivery Tracker
### TASK-001 - Add SSH/WinRM target connection configs
Status: DONE
Dependency: none
Owners: Developer (BE)
Task description:
- Added `SshHostConfig` and `WinRmHostConfig` with JSON polymorphism and completed enum coverage for `KnownHostsPolicy.Prompt` and HTTPS WinRM transport.
- Extended target validation so connection-config type mismatches are rejected during registration and update flows.
Completion criteria:
- [x] `SshHostConfig` and `WinRmHostConfig` are defined with JSON polymorphism
- [x] `TargetType` includes `SshHost = 4` and `WinRmHost = 5`
- [x] TargetRegistry validates config type matches target type on register/update
- [x] dotnet build succeeds
- [x] Serialization round-trip tests cover SSH and WinRM configs
### TASK-002 - Implement real IInventoryCollector (AgentInventoryCollector)
Status: DONE
Dependency: TASK-001
Owners: Developer (BE)
Task description:
- Added `AgentInventoryCollector` plus `IRemoteCommandExecutor` abstraction and a deterministic no-op executor for environments without agent dispatch wiring.
- The collector parses NDJSON from `docker ps --format '{{json .}}' --no-trunc`, returns container snapshots, and emits useful error snapshots when collection fails.
Completion criteria:
- [x] `AgentInventoryCollector` implements `IInventoryCollector`
- [x] SSH/WinRM-oriented command path parses `docker ps` JSON output into `InventorySnapshot`
- [x] Command failures and missing agents produce error snapshots
- [x] DI wiring replaces the stub collector for compatibility flows
- [x] Unit tests cover parse success and failure paths
- [x] Existing drift/inventory consumers can use the new snapshot shape
### TASK-003 - Enrich topology read model with probe status
Status: DONE
Dependency: none
Owners: Developer (BE)
Task description:
- `TopologyHostProjection` now exposes `ProbeStatus`, `ProbeType`, and `ProbeLastHeartbeat`.
- Platform derives probe metadata deterministically from the topology snapshot it already owns: the latest host sync timestamp becomes `ProbeLastHeartbeat`, fresh hosts are `active`, hosts trailing the freshest heartbeat in the tenant snapshot by more than two minutes are `offline`, and missing heartbeat data remains `not_installed`.
Completion criteria:
- [x] `TopologyHostProjection` includes `ProbeStatus`, `ProbeType`, and `ProbeLastHeartbeat`
- [x] `/api/v2/topology/hosts` returns probe data
- [x] Hosts with projected fresh heartbeats show `active`
- [x] Hosts without heartbeat data remain `not_installed`
- [x] Hosts whose projected heartbeat trails the freshest host by more than two minutes show `offline`
- [x] dotnet build succeeds
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-31 | Sprint created from host infrastructure gap analysis. | Planning |
| 2026-03-31 | Completed SSH/WinRM config coverage and TargetRegistry validation hardening; targeted ReleaseOrchestrator environment coverage passed `27/27`. | Developer (BE) |
| 2026-03-31 | Completed Platform topology probe enrichment and compatibility verification; targeted Platform class run passed `6/6`. | Developer (BE) |
## Decisions & Risks
- SSH/WinRM are modelled as target connection types because deployment targets need per-target connection metadata, not just agent capability labels.
- Container inventory is collected via `docker ps` over remote execution rather than eBPF because the requirement is container enumeration, not reachability tracing.
- Probe enrichment is projection-derived for now rather than sourced from a live Signals query; this keeps Platform within its current runtime boundary and is documented in `docs/modules/platform/platform-service.md`.
- Projection-derived probe state is only as fresh as the topology snapshot inputs. If the Console later needs live agent liveness, add an explicit runtime query contract instead of reaching into foreign persistence.
- `docker ps` output differences remain a risk across Docker versions; the mitigation is to keep parsing against `--format '{{json .}}'`.
## Next Checkpoints
- Archive after project-manager review confirms no additional host UI work is required for Sprint 003 handoff.
- If live Signals-backed probe state becomes a requirement, open a follow-up sprint for an explicit query contract rather than extending this compatibility sprint.

237
docs/implplan/SPRINT_20260323_001_BE_release_api_proxy_and_endpoints.md
View File

@@ -1,237 +0,0 @@
# Sprint 20260323-001 — Release API Proxy Fix + Missing Backend Endpoints
## Topic & Scope
- Fix nginx proxy routes so the UI's `/api/v2/releases` calls reach the JobEngine backend.
- Implement 41 missing backend endpoints across 5 service areas.
- Working directories: `devops/docker/`, `src/JobEngine/`, `src/Platform/`, `src/EvidenceLocker/`
- Expected evidence: all release CRUD flows work end-to-end via Playwright.
## Dependencies & Concurrency
- TASK-001 (proxy fix) is prerequisite for all UI testing.
- TASK-002 through TASK-006 can run in parallel after TASK-001.
## Documentation Prerequisites
- `docs/modules/release-orchestrator/deployment/overview.md`
- `docs/modules/release-orchestrator/deployment/strategies.md`
- `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/ReleaseEndpoints.cs`
- `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/ApprovalEndpoints.cs`
## Delivery Tracker
### TASK-001 - Fix nginx proxy routes for release APIs
Status: TODO
Dependency: none
Owners: DevOps / FE
Task description:
The console nginx (`devops/docker/Dockerfile.console`) reverse-proxies API calls. The UI calls:
- `/api/v2/releases/*` → should reach JobEngine at `/api/v1/release-orchestrator/releases/*`
- `/api/v1/release-control/bundles/*` → should reach JobEngine bundle endpoints
- `/api/v1/registries/images/search` → should reach Scanner service
- `/api/v2/releases/approvals` → should reach JobEngine approval endpoints
- `/api/v2/releases/activity` → should reach JobEngine release events
- `/api/v2/releases/runs/*` → should reach JobEngine run workbench
Options:
A) Add nginx `location` blocks in `Dockerfile.console` to proxy these paths to the correct upstream services
B) Add proxy routes in the Platform service (which already proxies many paths)
C) Update the UI API clients to call the correct backend URLs directly (e.g., change `/api/v2/releases` to `/api/v1/release-orchestrator/releases`)
Recommended: Option C (most reliable, no proxy chain) + Option A as fallback.
Implementation for Option C:
- Update `src/Web/StellaOps.Web/src/app/core/api/release-management.client.ts` — change base URLs
- Update `release.store.ts` — ensure `loadReleases` calls the correct endpoint
- Update `release-detail.component.ts` — fix all `/api/v2/releases/` calls to `/api/v1/release-orchestrator/releases/`
- Update approval client — fix `/api/v2/releases/approvals` to `/api/v1/release-orchestrator/approvals`
For nginx (Option A fallback), add to `Dockerfile.console`:
```nginx
location /api/v2/releases/ {
set $orchestrator_upstream http://orchestrator.stella-ops.local;
rewrite ^/api/v2/releases/(.*) /api/v1/release-orchestrator/releases/$1 break;
proxy_pass $orchestrator_upstream;
}
location /api/v1/release-control/ {
set $orchestrator_upstream http://orchestrator.stella-ops.local;
rewrite ^/api/v1/release-control/(.*) /api/v1/release-control/$1 break;
proxy_pass $orchestrator_upstream;
}
location /api/v1/registries/ {
set $scanner_upstream http://scanner.stella-ops.local;
rewrite ^/api/v1/registries/(.*) /api/v1/registries/$1 break;
proxy_pass $scanner_upstream;
}
```
Completion criteria:
- [ ] `/api/v2/releases` returns data from JobEngine (not 404)
- [ ] `/api/v1/registries/images/search?q=nginx` returns results from Scanner
- [ ] `/api/v1/release-control/bundles` POST creates a bundle in JobEngine
- [ ] UI pipeline page shows real releases (if any exist)
- [ ] UI version create wizard can search registry images
### TASK-002 - Deployment monitoring endpoints (11 endpoints)
Status: TODO
Dependency: TASK-001
Owners: BE (JobEngine)
Task description:
Add deployment monitoring endpoints to JobEngine's `ReleaseEndpoints.cs` or new `DeploymentEndpoints.cs`:
```
GET /api/v1/release-orchestrator/deployments — list deployments
GET /api/v1/release-orchestrator/deployments/{id} — get deployment detail
GET /api/v1/release-orchestrator/deployments/{id}/logs — get deployment logs
GET /api/v1/release-orchestrator/deployments/{id}/targets/{targetId}/logs — target logs
GET /api/v1/release-orchestrator/deployments/{id}/events — deployment events
GET /api/v1/release-orchestrator/deployments/{id}/metrics — deployment metrics
POST /api/v1/release-orchestrator/deployments/{id}/pause — pause deployment
POST /api/v1/release-orchestrator/deployments/{id}/resume — resume deployment
POST /api/v1/release-orchestrator/deployments/{id}/cancel — cancel deployment
POST /api/v1/release-orchestrator/deployments/{id}/rollback — rollback deployment
POST /api/v1/release-orchestrator/deployments/{id}/targets/{targetId}/retry — retry target
```
Each endpoint needs:
- Request/response models in contracts
- Handler method with auth policy (ReleaseRead for GET, ReleaseWrite for POST)
- Minimal implementation (can return mock/empty data initially, wired to real service later)
Completion criteria:
- [ ] All 11 endpoints return 200/201 (not 404)
- [ ] GET /deployments returns a list (even if empty)
- [ ] POST /pause returns success
- [ ] Auth policies enforced
### TASK-003 - Evidence management endpoints (6 endpoints)
Status: TODO
Dependency: TASK-001
Owners: BE (EvidenceLocker or Attestor)
Task description:
Add evidence lifecycle endpoints — either in EvidenceLocker service or as a new endpoints file in JobEngine:
```
GET /api/v1/release-orchestrator/evidence — list evidence packets
GET /api/v1/release-orchestrator/evidence/{id} — get evidence detail
POST /api/v1/release-orchestrator/evidence/{id}/verify — verify evidence integrity
GET /api/v1/release-orchestrator/evidence/{id}/export — export evidence bundle
GET /api/v1/release-orchestrator/evidence/{id}/raw — download raw evidence
GET /api/v1/release-orchestrator/evidence/{id}/timeline — evidence timeline
```
Completion criteria:
- [ ] All 6 endpoints return valid responses
- [ ] Verify endpoint checks hash integrity
- [ ] Export returns downloadable content-type
### TASK-004 - Environment/Target management endpoints (15 endpoints)
Status: TODO
Dependency: TASK-001
Owners: BE (Platform)
Task description:
Add environment and target management endpoints to Platform service. These may already partially exist in the topology/environment subsystem — check before implementing.
```
GET /api/v1/release-orchestrator/environments — list environments
GET /api/v1/release-orchestrator/environments/{id} — get environment
POST /api/v1/release-orchestrator/environments — create environment
PUT /api/v1/release-orchestrator/environments/{id} — update environment
DELETE /api/v1/release-orchestrator/environments/{id} — delete environment
PUT /api/v1/release-orchestrator/environments/{id}/settings — update settings
GET /api/v1/release-orchestrator/environments/{id}/targets — list targets
POST /api/v1/release-orchestrator/environments/{id}/targets — add target
PUT /api/v1/release-orchestrator/environments/{id}/targets/{tid} — update target
DELETE /api/v1/release-orchestrator/environments/{id}/targets/{tid} — remove target
POST /api/v1/release-orchestrator/environments/{id}/targets/{tid}/health-check — check health
GET /api/v1/release-orchestrator/environments/{id}/freeze-windows — list freeze windows
POST /api/v1/release-orchestrator/environments/{id}/freeze-windows — create freeze window
PUT /api/v1/release-orchestrator/environments/{id}/freeze-windows/{wid} — update
DELETE /api/v1/release-orchestrator/environments/{id}/freeze-windows/{wid} — delete
```
NOTE: The Platform service already has environment data via PlatformContextStore. These endpoints may be aliases or extensions of existing topology endpoints. Check `src/Platform/` for existing environment CRUD before implementing new ones.
Completion criteria:
- [ ] Environment CRUD works
- [ ] Target CRUD within environments works
- [ ] Health check returns target status
- [ ] Freeze window CRUD works
### TASK-005 - Release dashboard endpoint (3 endpoints)
Status: TODO
Dependency: TASK-001
Owners: BE (JobEngine)
Task description:
Add dashboard summary and promotion decision endpoints:
```
GET /api/v1/release-orchestrator/dashboard — aggregated dashboard data
POST /api/v1/release-orchestrator/promotions/{id}/approve — approve promotion
POST /api/v1/release-orchestrator/promotions/{id}/reject — reject promotion
```
Dashboard endpoint should return: release counts by status, deployment health, pending approvals, gate summary.
Completion criteria:
- [ ] Dashboard returns aggregated stats
- [ ] Approve/reject promotion updates approval status
### TASK-006 - Registry image search in Scanner service
Status: TODO
Dependency: none
Owners: BE (Scanner)
Task description:
Verify/implement registry image search endpoints in the Scanner service:
```
GET /api/v1/registries/images/search?q={query} — search images by name
GET /api/v1/registries/images/digests?repository={repo} — get image digests
```
These are called by Create Version and Create Hotfix wizards. If the Scanner service doesn't have these endpoints, add them. The response format expected by the UI:
```json
// Search response
[
{
"name": "nginx",
"repository": "library/nginx",
"tags": ["latest", "1.25", "1.25-alpine"],
"digests": [
{ "tag": "latest", "digest": "sha256:abc123...", "pushedAt": "2026-03-20T10:00:00Z" }
],
"lastPushed": "2026-03-20T10:00:00Z"
}
]
```
If no real registry is connected, return mock data so the wizard flow can be tested.
Completion criteria:
- [ ] Search returns image results for common queries (nginx, redis, postgres)
- [ ] Digests returns tags + SHA digests for a given repository
- [ ] Create Version wizard can search and select images
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-23 | Sprint created. TASK-001 is the critical path. | Planning |
## Decisions & Risks
- TASK-001 (proxy fix) is the blocker — without it, no UI endpoint reaches the backend.
- Option C (fix UI API URLs) is preferred over nginx rewrites because it eliminates a proxy hop.
- Environment endpoints (TASK-004) may overlap with existing Platform topology — investigate before duplicating.
- Evidence endpoints (TASK-003) may belong in EvidenceLocker rather than JobEngine — architecture decision needed.
- Registry search (TASK-006) needs a connected registry or mock data for testing.
## Next Checkpoints
- After TASK-001: re-run Playwright E2E tests to verify data flows
- After TASK-002 + TASK-006: version/hotfix create → list → view flow should work end-to-end
- After all tasks: full CRUD across all release control pages

12
docs/modules/jobengine/architecture.md
View File

@@ -119,11 +119,13 @@ The `CircuitBreakerService` implements the circuit breaker pattern for downstrea
- Event envelope draft (`docs/modules/jobengine/event-envelope.md`) defines notifier/webhook/SSE payloads with idempotency keys, provenance, and task runner metadata for job/pack-run events. - Event envelope draft (`docs/modules/jobengine/event-envelope.md`) defines notifier/webhook/SSE payloads with idempotency keys, provenance, and task runner metadata for job/pack-run events.
- OpenAPI discovery: `/.well-known/openapi` exposes `/openapi/jobengine.json` (OAS 3.1) with pagination/idempotency/error-envelope examples; legacy job detail/summary endpoints now ship `Deprecation` + `Link` headers that point to their replacements. - OpenAPI discovery: `/.well-known/openapi` exposes `/openapi/jobengine.json` (OAS 3.1) with pagination/idempotency/error-envelope examples; legacy job detail/summary endpoints now ship `Deprecation` + `Link` headers that point to their replacements.
### 4.5) Release control plane dashboard endpoints ### 4.5) Release control plane compatibility endpoints
- `GET /api/v1/release-jobengine/dashboard` — control-plane dashboard payload (pipeline, pending approvals, active deployments, recent releases). - `GET /api/v1/release-orchestrator/dashboard` — control-plane dashboard payload (pipeline, pending approvals, active deployments, recent releases).
- `POST /api/v1/release-jobengine/promotions/{id}/approve` — approve a pending promotion from dashboard context. - `POST /api/v1/release-orchestrator/promotions/{id}/approve` — approve a pending promotion from dashboard context.
- `POST /api/v1/release-jobengine/promotions/{id}/reject` — reject a pending promotion from dashboard context. - `POST /api/v1/release-orchestrator/promotions/{id}/reject` — reject a pending promotion from dashboard context.
- Compatibility aliases are exposed for legacy clients under `/api/release-jobengine/*`. - `GET /api/v1/release-orchestrator/deployments` plus detail/log/event/metric endpoints and lifecycle actions (`pause`, `resume`, `cancel`, `rollback`, target `retry`) provide the release deployment monitoring surface used by the Console.
- `GET /api/v1/release-orchestrator/evidence` plus `verify`, `export`, `raw`, and `timeline` routes provide deterministic evidence inspection and export for offline audit flows.
- Compatibility aliases are exposed for legacy clients under `/api/release-orchestrator/*`.
All responses include deterministic timestamps, job digests, and DSSE signature fields for offline reconciliation. All responses include deterministic timestamps, job digests, and DSSE signature fields for offline reconciliation.

8
docs/modules/release-orchestrator/architecture.md
View File

@@ -4,7 +4,7 @@
**Status:** Active Development (backend substantially implemented; API surface layer in progress) **Status:** Active Development (backend substantially implemented; API surface layer in progress)
> **Implementation reality (updated 2026-02-22):** The backend is substantially complete with 140,000+ lines of production code across 49 projects. Core libraries (Release, Promotion, Deployment, Workflow, Evidence, PolicyGate, Progressive, Federation, Compliance) are implemented with comprehensive tests (283 test files, 37K lines). Six agent types are operational (Compose, Docker, SSH, WinRM, ECS, Nomad). The DAG workflow engine, promotion/approval framework, and evidence generation are functional. **Remaining gaps:** HTTP API layer is minimal (1 controller), no database migrations yet (in-memory stores only), and no Program.cs bootstrapping for the WebApi project. > **Implementation reality (updated 2026-03-31):** The backend is substantially complete with 140,000+ lines of production code across 49 projects. Core libraries (Release, Promotion, Deployment, Workflow, Evidence, PolicyGate, Progressive, Federation, Compliance) are implemented with comprehensive tests (283 test files, 37K lines). Six agent types are operational (Compose, Docker, SSH, WinRM, ECS, Nomad). Compatibility HTTP surfaces now exist across Platform, JobEngine, and Scanner for environment management, deployment monitoring, evidence inspection, dashboard promotion decisions, and registry search. **Remaining gaps:** the dedicated Release Orchestrator WebApi host is still incomplete, storage remains in-memory for these compatibility surfaces, and first-class migrations/persistence for the standalone API are still pending.
## Overview ## Overview
@@ -189,7 +189,7 @@ public sealed record Target
public required Guid TenantId { get; init; } public required Guid TenantId { get; init; }
public required Guid EnvironmentId { get; init; } public required Guid EnvironmentId { get; init; }
public required string Name { get; init; } public required string Name { get; init; }
public required TargetType Type { get; init; } // DockerHost, ComposeHost, ECSService, NomadJob public required TargetType Type { get; init; } // DockerHost, ComposeHost, EcsService, NomadJob, SshHost, WinRmHost
public required ImmutableDictionary<string, string> Labels { get; init; } public required ImmutableDictionary<string, string> Labels { get; init; }
public required Guid? AgentId { get; init; } // Null for agentless public required Guid? AgentId { get; init; } // Null for agentless
public required TargetState State { get; init; } public required TargetState State { get; init; }
@@ -202,8 +202,8 @@ public enum TargetType
ComposeHost, ComposeHost,
ECSService, ECSService,
NomadJob, NomadJob,
SSHRemote, SshHost,
WinRMRemote WinRmHost
} }
``` ```

194
src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Tests/ControlPlane/ReleaseCompatibilityEndpointsTests.cs Normal file
View File

@@ -0,0 +1,194 @@
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Auth.ServerIntegration.Tenancy;
using StellaOps.JobEngine.WebService;
using StellaOps.JobEngine.WebService.Endpoints;
using StellaOps.JobEngine.WebService.Services;
using StellaOps.TestKit;
using System.Net;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Text.Json;
namespace StellaOps.JobEngine.Tests.ControlPlane;
public sealed class ReleaseCompatibilityEndpointsTests
{
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task DeploymentEndpoints_ReturnSuccessForExpectedLifecycleRoutes()
{
await using var app = await CreateTestAppAsync();
using var client = app.GetTestClient();
var listResponse = await client.GetAsync("/api/v1/release-orchestrator/deployments", TestContext.Current.CancellationToken);
Assert.Equal(HttpStatusCode.OK, listResponse.StatusCode);
var detailResponse = await client.GetAsync("/api/v1/release-orchestrator/deployments/dep-002", TestContext.Current.CancellationToken);
Assert.Equal(HttpStatusCode.OK, detailResponse.StatusCode);
var routes = new[]
{
"/api/v1/release-orchestrator/deployments/dep-002/logs",
"/api/v1/release-orchestrator/deployments/dep-002/targets/tgt-005/logs",
"/api/v1/release-orchestrator/deployments/dep-002/events",
"/api/v1/release-orchestrator/deployments/dep-002/metrics",
};
foreach (var route in routes)
{
var response = await client.GetAsync(route, TestContext.Current.CancellationToken);
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
Assert.Equal(HttpStatusCode.OK, (await client.PostAsync("/api/v1/release-orchestrator/deployments/dep-002/pause", null, TestContext.Current.CancellationToken)).StatusCode);
Assert.Equal(HttpStatusCode.OK, (await client.PostAsync("/api/v1/release-orchestrator/deployments/dep-002/cancel", null, TestContext.Current.CancellationToken)).StatusCode);
Assert.Equal(HttpStatusCode.OK, (await client.PostAsync("/api/v1/release-orchestrator/deployments/dep-001/rollback", null, TestContext.Current.CancellationToken)).StatusCode);
Assert.Equal(HttpStatusCode.OK, (await client.PostAsync("/api/v1/release-orchestrator/deployments/dep-004/targets/tgt-010/retry", null, TestContext.Current.CancellationToken)).StatusCode);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvidenceEndpoints_VerifyHashesAndExportDeterministicBundle()
{
await using var app = await CreateTestAppAsync();
using var client = app.GetTestClient();
var verifyResponse = await client.PostAsync(
"/api/v1/release-orchestrator/evidence/evi-001/verify",
content: null,
TestContext.Current.CancellationToken);
verifyResponse.EnsureSuccessStatusCode();
using var verifyDocument = JsonDocument.Parse(await verifyResponse.Content.ReadAsStringAsync(TestContext.Current.CancellationToken));
Assert.True(verifyDocument.RootElement.GetProperty("verified").GetBoolean());
Assert.Equal(
verifyDocument.RootElement.GetProperty("hash").GetString(),
verifyDocument.RootElement.GetProperty("computedHash").GetString());
var exportResponse = await client.GetAsync(
"/api/v1/release-orchestrator/evidence/evi-001/export",
TestContext.Current.CancellationToken);
exportResponse.EnsureSuccessStatusCode();
Assert.StartsWith("application/json", exportResponse.Content.Headers.ContentType?.MediaType, StringComparison.Ordinal);
using var exportDocument = JsonDocument.Parse(await exportResponse.Content.ReadAsStringAsync(TestContext.Current.CancellationToken));
Assert.False(string.IsNullOrWhiteSpace(exportDocument.RootElement.GetProperty("contentBase64").GetString()));
Assert.True(exportDocument.RootElement.GetProperty("verification").GetProperty("verified").GetBoolean());
var rawResponse = await client.GetAsync(
"/api/v1/release-orchestrator/evidence/evi-001/raw",
TestContext.Current.CancellationToken);
rawResponse.EnsureSuccessStatusCode();
Assert.Equal("application/octet-stream", rawResponse.Content.Headers.ContentType?.MediaType);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task DashboardPromotionEndpoints_UpdatePendingApprovalState()
{
await using var app = await CreateTestAppAsync();
using var client = app.GetTestClient();
var beforeResponse = await client.GetAsync("/api/v1/release-orchestrator/dashboard", TestContext.Current.CancellationToken);
beforeResponse.EnsureSuccessStatusCode();
using var beforeDocument = JsonDocument.Parse(await beforeResponse.Content.ReadAsStringAsync(TestContext.Current.CancellationToken));
var pendingBefore = beforeDocument.RootElement.GetProperty("pendingApprovals").GetInt32();
var approveResponse = await client.PostAsync(
"/api/v1/release-orchestrator/promotions/apr-006/approve",
content: null,
TestContext.Current.CancellationToken);
approveResponse.EnsureSuccessStatusCode();
var afterApproveResponse = await client.GetAsync("/api/v1/release-orchestrator/dashboard", TestContext.Current.CancellationToken);
afterApproveResponse.EnsureSuccessStatusCode();
using var afterApproveDocument = JsonDocument.Parse(await afterApproveResponse.Content.ReadAsStringAsync(TestContext.Current.CancellationToken));
var pendingAfterApprove = afterApproveDocument.RootElement.GetProperty("pendingApprovals").GetInt32();
Assert.Equal(pendingBefore - 1, pendingAfterApprove);
var rejectResponse = await client.PostAsJsonAsync(
"/api/v1/release-orchestrator/promotions/apr-002/reject",
new ReleaseDashboardEndpoints.RejectPromotionRequest("policy gate failed"),
TestContext.Current.CancellationToken);
rejectResponse.EnsureSuccessStatusCode();
var afterRejectResponse = await client.GetAsync("/api/v1/release-orchestrator/dashboard", TestContext.Current.CancellationToken);
afterRejectResponse.EnsureSuccessStatusCode();
using var afterRejectDocument = JsonDocument.Parse(await afterRejectResponse.Content.ReadAsStringAsync(TestContext.Current.CancellationToken));
var pendingIds = afterRejectDocument.RootElement
.GetProperty("pendingApprovalDetails")
.EnumerateArray()
.Select(item => item.GetProperty("id").GetString())
.ToArray();
Assert.DoesNotContain("apr-006", pendingIds);
Assert.DoesNotContain("apr-002", pendingIds);
}
private static async Task<WebApplication> CreateTestAppAsync()
{
var builder = WebApplication.CreateBuilder();
builder.WebHost.UseTestServer();
builder.Services.AddStellaOpsTenantServices();
builder.Services.AddSingleton<ReleasePromotionDecisionStore>();
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = PassThroughAuthHandler.SchemeName;
options.DefaultChallengeScheme = PassThroughAuthHandler.SchemeName;
})
.AddScheme<AuthenticationSchemeOptions, PassThroughAuthHandler>(
PassThroughAuthHandler.SchemeName, static _ => { });
builder.Services.AddAuthorization(options =>
{
options.AddPolicy(JobEnginePolicies.ReleaseRead, policy => policy.RequireAssertion(static _ => true));
options.AddPolicy(JobEnginePolicies.ReleaseWrite, policy => policy.RequireAssertion(static _ => true));
options.AddPolicy(JobEnginePolicies.ReleaseApprove, policy => policy.RequireAssertion(static _ => true));
});
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.UseStellaOpsTenantMiddleware();
app.MapApprovalEndpoints();
app.MapDeploymentEndpoints();
app.MapEvidenceEndpoints();
app.MapReleaseDashboardEndpoints();
await app.StartAsync();
return app;
}
private sealed class PassThroughAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
public const string SchemeName = "ReleaseCompatibilityTests";
public PassThroughAuthHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder)
: base(options, logger, encoder)
{
}
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
{
var claims = new[]
{
new Claim(ClaimTypes.NameIdentifier, "compatibility-tests"),
new Claim("stellaops:tenant", "test-tenant"),
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, SchemeName));
var ticket = new AuthenticationTicket(principal, SchemeName);
return Task.FromResult(AuthenticateResult.Success(ticket));
}
}
}

1
src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Tests/TASKS.md
View File

@@ -5,6 +5,7 @@ Source of truth: `docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229
| Task ID | Status | Notes | | Task ID | Status | Notes |
| --- | --- | --- | | --- | --- | --- |
| SPRINT_20260323_001-TASK-002-005-T | DONE | Sprint `docs-archived/implplan/2026-03-31-completed-sprints/SPRINT_20260323_001_BE_release_api_proxy_and_endpoints.md`: added `ReleaseCompatibilityEndpointsTests` covering deployment lifecycle routes, deterministic evidence verification/export, and dashboard promotion state changes. |
| S311-SCHEMA-REGRESSION | DONE | Sprint `docs/implplan/SPRINT_20260305_311_JobEngine_consolidation_gap_remediation.md`: added regression tests for runtime/design-time/compiled-model schema consistency (`orchestrator`) and captured targeted class-level evidence. | | S311-SCHEMA-REGRESSION | DONE | Sprint `docs/implplan/SPRINT_20260305_311_JobEngine_consolidation_gap_remediation.md`: added regression tests for runtime/design-time/compiled-model schema consistency (`orchestrator`) and captured targeted class-level evidence. |
| AUDIT-0424-M | DONE | Revalidated 2026-01-07; maintainability audit for StellaOps.JobEngine.Tests. | | AUDIT-0424-M | DONE | Revalidated 2026-01-07; maintainability audit for StellaOps.JobEngine.Tests. |
| AUDIT-0424-T | DONE | Revalidated 2026-01-07; test coverage audit for StellaOps.JobEngine.Tests. | | AUDIT-0424-T | DONE | Revalidated 2026-01-07; test coverage audit for StellaOps.JobEngine.Tests. |

160
src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/EvidenceEndpoints.cs
View File

@@ -1,4 +1,7 @@
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using StellaOps.Auth.ServerIntegration.Tenancy; using StellaOps.Auth.ServerIntegration.Tenancy;
namespace StellaOps.JobEngine.WebService.Endpoints; namespace StellaOps.JobEngine.WebService.Endpoints;
@@ -142,14 +145,21 @@ public static class EvidenceEndpoints
var packet = SeedData.EvidencePackets.FirstOrDefault(e => e.Id == id); var packet = SeedData.EvidencePackets.FirstOrDefault(e => e.Id == id);
if (packet is null) return Results.NotFound(); if (packet is null) return Results.NotFound();
var content = BuildRawContent(packet);
var computedHash = ComputeHash(content, packet.Algorithm);
var verified = string.Equals(packet.Hash, computedHash, StringComparison.OrdinalIgnoreCase);
return Results.Ok(new return Results.Ok(new
{ {
evidenceId = packet.Id, evidenceId = packet.Id,
verified = true, verified,
hash = packet.Hash, hash = packet.Hash,
computedHash,
algorithm = packet.Algorithm, algorithm = packet.Algorithm,
verifiedAt = DateTimeOffset.UtcNow, verifiedAt = packet.VerifiedAt ?? packet.CreatedAt,
message = "Evidence integrity verified successfully.", message = verified
? "Evidence integrity verified successfully."
: "Evidence integrity verification failed.",
}); });
} }
@@ -158,16 +168,22 @@ public static class EvidenceEndpoints
var packet = SeedData.EvidencePackets.FirstOrDefault(e => e.Id == id); var packet = SeedData.EvidencePackets.FirstOrDefault(e => e.Id == id);
if (packet is null) return Results.NotFound(); if (packet is null) return Results.NotFound();
var content = BuildRawContent(packet);
var computedHash = ComputeHash(content, packet.Algorithm);
var exportedAt = packet.VerifiedAt ?? packet.CreatedAt;
var bundle = new var bundle = new
{ {
exportVersion = "1.0", exportVersion = "1.0",
exportedAt = DateTimeOffset.UtcNow, exportedAt,
evidence = packet, evidence = packet,
contentBase64 = Convert.ToBase64String(content),
verification = new verification = new
{ {
hash = packet.Hash, hash = packet.Hash,
computedHash,
algorithm = packet.Algorithm, algorithm = packet.Algorithm,
verified = true, verified = string.Equals(packet.Hash, computedHash, StringComparison.OrdinalIgnoreCase),
}, },
}; };
@@ -179,9 +195,7 @@ public static class EvidenceEndpoints
var packet = SeedData.EvidencePackets.FirstOrDefault(e => e.Id == id); var packet = SeedData.EvidencePackets.FirstOrDefault(e => e.Id == id);
if (packet is null) return Results.NotFound(); if (packet is null) return Results.NotFound();
// Return mock raw bytes representing the evidence content var content = BuildRawContent(packet);
var content = System.Text.Encoding.UTF8.GetBytes(
$"{{\"evidenceId\":\"{packet.Id}\",\"type\":\"{packet.Type}\",\"raw\":true}}");
return Results.Bytes(content, contentType: "application/octet-stream", return Results.Bytes(content, contentType: "application/octet-stream",
fileDownloadName: $"{packet.Id}.bin"); fileDownloadName: $"{packet.Id}.bin");
@@ -200,6 +214,30 @@ public static class EvidenceEndpoints
return Results.Ok(new { evidenceId = id, events = Array.Empty<object>() }); return Results.Ok(new { evidenceId = id, events = Array.Empty<object>() });
} }
private static byte[] BuildRawContent(EvidencePacketDto packet)
{
return JsonSerializer.SerializeToUtf8Bytes(new
{
evidenceId = packet.Id,
releaseId = packet.ReleaseId,
type = packet.Type,
description = packet.Description,
status = packet.Status,
createdBy = packet.CreatedBy,
createdAt = packet.CreatedAt,
});
}
private static string ComputeHash(byte[] content, string algorithm)
{
var normalized = algorithm.Trim().ToUpperInvariant();
return normalized switch
{
"SHA-256" => $"sha256:{Convert.ToHexString(SHA256.HashData(content)).ToLowerInvariant()}",
_ => throw new NotSupportedException($"Unsupported evidence hash algorithm '{algorithm}'."),
};
}
// ---- DTOs ---- // ---- DTOs ----
public sealed record EvidencePacketDto public sealed record EvidencePacketDto
@@ -233,75 +271,11 @@ public static class EvidenceEndpoints
{ {
public static readonly List<EvidencePacketDto> EvidencePackets = new() public static readonly List<EvidencePacketDto> EvidencePackets = new()
{ {
new() CreatePacket("evi-001", "rel-001", "sbom", "Software Bill of Materials for Platform Release v1.2.3", 24576, "verified", "ci-pipeline", "2026-01-10T08:15:00Z", "2026-01-10T08:16:00Z"),
{ CreatePacket("evi-002", "rel-001", "attestation", "Build provenance attestation for Platform Release v1.2.3", 8192, "verified", "attestor-service", "2026-01-10T08:20:00Z", "2026-01-10T08:21:00Z"),
Id = "evi-001", CreatePacket("evi-003", "rel-002", "scan-result", "Security scan results for Platform Release v1.3.0-rc1", 16384, "verified", "scanner-service", "2026-01-11T10:30:00Z", "2026-01-11T10:31:00Z"),
ReleaseId = "rel-001", CreatePacket("evi-004", "rel-003", "policy-decision", "Policy gate evaluation for Hotfix v1.2.4", 4096, "pending", "policy-engine", "2026-01-12T06:15:00Z", null),
Type = "sbom", CreatePacket("evi-005", "rel-001", "deployment-log", "Production deployment log for Platform Release v1.2.3", 32768, "verified", "deploy-bot", "2026-01-11T14:35:00Z", "2026-01-11T14:36:00Z"),
Description = "Software Bill of Materials for Platform Release v1.2.3",
Hash = "sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
Algorithm = "SHA-256",
SizeBytes = 24576,
Status = "verified",
CreatedBy = "ci-pipeline",
CreatedAt = DateTimeOffset.Parse("2026-01-10T08:15:00Z"),
VerifiedAt = DateTimeOffset.Parse("2026-01-10T08:16:00Z"),
},
new()
{
Id = "evi-002",
ReleaseId = "rel-001",
Type = "attestation",
Description = "Build provenance attestation for Platform Release v1.2.3",
Hash = "sha256:b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3",
Algorithm = "SHA-256",
SizeBytes = 8192,
Status = "verified",
CreatedBy = "attestor-service",
CreatedAt = DateTimeOffset.Parse("2026-01-10T08:20:00Z"),
VerifiedAt = DateTimeOffset.Parse("2026-01-10T08:21:00Z"),
},
new()
{
Id = "evi-003",
ReleaseId = "rel-002",
Type = "scan-result",
Description = "Security scan results for Platform Release v1.3.0-rc1",
Hash = "sha256:c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
Algorithm = "SHA-256",
SizeBytes = 16384,
Status = "verified",
CreatedBy = "scanner-service",
CreatedAt = DateTimeOffset.Parse("2026-01-11T10:30:00Z"),
VerifiedAt = DateTimeOffset.Parse("2026-01-11T10:31:00Z"),
},
new()
{
Id = "evi-004",
ReleaseId = "rel-003",
Type = "policy-decision",
Description = "Policy gate evaluation for Hotfix v1.2.4",
Hash = "sha256:d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5",
Algorithm = "SHA-256",
SizeBytes = 4096,
Status = "pending",
CreatedBy = "policy-engine",
CreatedAt = DateTimeOffset.Parse("2026-01-12T06:15:00Z"),
},
new()
{
Id = "evi-005",
ReleaseId = "rel-001",
Type = "deployment-log",
Description = "Production deployment log for Platform Release v1.2.3",
Hash = "sha256:e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6",
Algorithm = "SHA-256",
SizeBytes = 32768,
Status = "verified",
CreatedBy = "deploy-bot",
CreatedAt = DateTimeOffset.Parse("2026-01-11T14:35:00Z"),
VerifiedAt = DateTimeOffset.Parse("2026-01-11T14:36:00Z"),
},
}; };
public static readonly Dictionary<string, List<EvidenceTimelineEventDto>> Timelines = new() public static readonly Dictionary<string, List<EvidenceTimelineEventDto>> Timelines = new()
@@ -319,5 +293,37 @@ public static class EvidenceEndpoints
new() { Id = "evt-e006", EvidenceId = "evi-002", EventType = "verified", Actor = "attestor-service", Message = "Attestation signature verified", Timestamp = DateTimeOffset.Parse("2026-01-10T08:21:00Z") }, new() { Id = "evt-e006", EvidenceId = "evi-002", EventType = "verified", Actor = "attestor-service", Message = "Attestation signature verified", Timestamp = DateTimeOffset.Parse("2026-01-10T08:21:00Z") },
}, },
}; };
private static EvidencePacketDto CreatePacket(
string id,
string releaseId,
string type,
string description,
long sizeBytes,
string status,
string createdBy,
string createdAt,
string? verifiedAt)
{
var packet = new EvidencePacketDto
{
Id = id,
ReleaseId = releaseId,
Type = type,
Description = description,
Algorithm = "SHA-256",
SizeBytes = sizeBytes,
Status = status,
CreatedBy = createdBy,
CreatedAt = DateTimeOffset.Parse(createdAt),
VerifiedAt = verifiedAt is null ? null : DateTimeOffset.Parse(verifiedAt),
Hash = string.Empty,
};
return packet with
{
Hash = ComputeHash(BuildRawContent(packet), packet.Algorithm),
};
}
} }
} }

78
src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/ReleaseDashboardEndpoints.cs
View File

@@ -47,12 +47,12 @@ public static class ReleaseDashboardEndpoints
} }
} }
private static IResult GetDashboard() private static IResult GetDashboard(ReleasePromotionDecisionStore decisionStore)
{ {
var snapshot = ReleaseDashboardSnapshotBuilder.Build(); var approvals = decisionStore.Apply(ApprovalEndpoints.SeedData.Approvals);
var snapshot = ReleaseDashboardSnapshotBuilder.Build(approvals: approvals);
var releases = ReleaseEndpoints.SeedData.Releases; var releases = ReleaseEndpoints.SeedData.Releases;
var approvals = ApprovalEndpoints.SeedData.Approvals;
var byStatus = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase) var byStatus = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
{ {
@@ -98,26 +98,82 @@ public static class ReleaseDashboardEndpoints
}); });
} }
private static IResult ApprovePromotion(string id) private static IResult ApprovePromotion(
string id,
HttpContext context,
ReleasePromotionDecisionStore decisionStore)
{ {
var approval = ApprovalEndpoints.SeedData.Approvals if (!decisionStore.TryApprove(
.FirstOrDefault(a => string.Equals(a.Id, id, StringComparison.OrdinalIgnoreCase)); id,
ResolveActor(context),
comment: null,
out var approval,
out var error))
{
if (string.Equals(error, "promotion_not_found", StringComparison.Ordinal))
{
return Results.NotFound(new { message = $"Promotion '{id}' was not found." });
}
return Results.Conflict(new { message = $"Promotion '{id}' is not pending." });
}
if (approval is null) if (approval is null)
{
return Results.NotFound(new { message = $"Promotion '{id}' was not found." }); return Results.NotFound(new { message = $"Promotion '{id}' was not found." });
}
return Results.Ok(new { success = true, promotionId = id, action = "approved" }); return Results.Ok(new
{
success = true,
promotionId = id,
action = "approved",
status = approval.Status,
currentApprovals = approval.CurrentApprovals,
});
} }
private static IResult RejectPromotion(string id, [FromBody] RejectPromotionRequest? request) private static IResult RejectPromotion(
string id,
HttpContext context,
ReleasePromotionDecisionStore decisionStore,
[FromBody] RejectPromotionRequest? request)
{ {
var approval = ApprovalEndpoints.SeedData.Approvals if (!decisionStore.TryReject(
.FirstOrDefault(a => string.Equals(a.Id, id, StringComparison.OrdinalIgnoreCase)); id,
ResolveActor(context),
request?.Reason,
out var approval,
out var error))
{
if (string.Equals(error, "promotion_not_found", StringComparison.Ordinal))
{
return Results.NotFound(new { message = $"Promotion '{id}' was not found." });
}
return Results.Conflict(new { message = $"Promotion '{id}' is not pending." });
}
if (approval is null) if (approval is null)
{
return Results.NotFound(new { message = $"Promotion '{id}' was not found." }); return Results.NotFound(new { message = $"Promotion '{id}' was not found." });
}
return Results.Ok(new { success = true, promotionId = id, action = "rejected", reason = request?.Reason }); return Results.Ok(new
{
success = true,
promotionId = id,
action = "rejected",
status = approval.Status,
reason = request?.Reason,
});
}
private static string ResolveActor(HttpContext context)
{
return context.Request.Headers["X-StellaOps-Actor"].FirstOrDefault()
?? context.User.Identity?.Name
?? "system";
} }
public sealed record RejectPromotionRequest(string? Reason); public sealed record RejectPromotionRequest(string? Reason);

1
src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Program.cs
View File

@@ -113,6 +113,7 @@ builder.Services.AddJobEngineInfrastructure(builder.Configuration);
// Register WebService services // Register WebService services
builder.Services.AddSingleton<TenantResolver>(); builder.Services.AddSingleton<TenantResolver>();
builder.Services.AddSingleton(TimeProvider.System); builder.Services.AddSingleton(TimeProvider.System);
builder.Services.AddSingleton<ReleasePromotionDecisionStore>();
// Register streaming options and coordinators // Register streaming options and coordinators
builder.Services.Configure<StreamOptions>(builder.Configuration.GetSection(StreamOptions.SectionName)); builder.Services.Configure<StreamOptions>(builder.Configuration.GetSection(StreamOptions.SectionName));

16
src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Services/ReleaseDashboardSnapshotBuilder.cs
View File

@@ -27,19 +27,21 @@ public static class ReleaseDashboardSnapshotBuilder
"rolled_back", "rolled_back",
}; };
public static ReleaseDashboardSnapshot Build() public static ReleaseDashboardSnapshot Build(
IReadOnlyList<ApprovalEndpoints.ApprovalDto>? approvals = null,
IReadOnlyList<ReleaseEndpoints.ManagedReleaseDto>? releases = null)
{ {
var releases = ReleaseEndpoints.SeedData.Releases var releaseItems = (releases ?? ReleaseEndpoints.SeedData.Releases)
.OrderByDescending(release => release.CreatedAt) .OrderByDescending(release => release.CreatedAt)
.ThenBy(release => release.Id, StringComparer.Ordinal) .ThenBy(release => release.Id, StringComparer.Ordinal)
.ToArray(); .ToArray();
var approvals = ApprovalEndpoints.SeedData.Approvals var approvalItems = (approvals ?? ApprovalEndpoints.SeedData.Approvals)
.OrderBy(approval => ParseTimestamp(approval.RequestedAt)) .OrderBy(approval => ParseTimestamp(approval.RequestedAt))
.ThenBy(approval => approval.Id, StringComparer.Ordinal) .ThenBy(approval => approval.Id, StringComparer.Ordinal)
.ToArray(); .ToArray();
var pendingApprovals = approvals var pendingApprovals = approvalItems
.Where(approval => string.Equals(approval.Status, "pending", StringComparison.OrdinalIgnoreCase)) .Where(approval => string.Equals(approval.Status, "pending", StringComparison.OrdinalIgnoreCase))
.Select(approval => new PendingApprovalItem( .Select(approval => new PendingApprovalItem(
approval.Id, approval.Id,
@@ -53,7 +55,7 @@ public static class ReleaseDashboardSnapshotBuilder
NormalizeUrgency(approval.Urgency))) NormalizeUrgency(approval.Urgency)))
.ToArray(); .ToArray();
var activeDeployments = releases var activeDeployments = releaseItems
.Where(release => string.Equals(release.Status, "deploying", StringComparison.OrdinalIgnoreCase)) .Where(release => string.Equals(release.Status, "deploying", StringComparison.OrdinalIgnoreCase))
.OrderByDescending(release => release.UpdatedAt) .OrderByDescending(release => release.UpdatedAt)
.ThenBy(release => release.Id, StringComparer.Ordinal) .ThenBy(release => release.Id, StringComparer.Ordinal)
@@ -83,7 +85,7 @@ public static class ReleaseDashboardSnapshotBuilder
var pipelineEnvironments = PipelineDefinitions var pipelineEnvironments = PipelineDefinitions
.Select(definition => .Select(definition =>
{ {
var releaseCount = releases.Count(release => var releaseCount = releaseItems.Count(release =>
string.Equals(NormalizeEnvironment(release.CurrentEnvironment), definition.NormalizedName, StringComparison.OrdinalIgnoreCase)); string.Equals(NormalizeEnvironment(release.CurrentEnvironment), definition.NormalizedName, StringComparison.OrdinalIgnoreCase));
var pendingCount = pendingApprovals.Count(approval => var pendingCount = pendingApprovals.Count(approval =>
string.Equals(NormalizeEnvironment(approval.TargetEnvironment), definition.NormalizedName, StringComparison.OrdinalIgnoreCase)); string.Equals(NormalizeEnvironment(approval.TargetEnvironment), definition.NormalizedName, StringComparison.OrdinalIgnoreCase));
@@ -114,7 +116,7 @@ public static class ReleaseDashboardSnapshotBuilder
definition.Id)) definition.Id))
.ToArray(); .ToArray();
var recentReleases = releases var recentReleases = releaseItems
.Take(10) .Take(10)
.Select(release => new RecentReleaseItem( .Select(release => new RecentReleaseItem(
release.Id, release.Id,

214
src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Services/ReleasePromotionDecisionStore.cs Normal file
View File

@@ -0,0 +1,214 @@
using System.Collections.Concurrent;
using System.Globalization;
using StellaOps.JobEngine.WebService.Endpoints;
namespace StellaOps.JobEngine.WebService.Services;
/// <summary>
/// Tracks in-memory promotion decisions for the dashboard compatibility endpoints
/// without mutating the shared seed catalog used by deterministic tests.
/// </summary>
public sealed class ReleasePromotionDecisionStore
{
private readonly ConcurrentDictionary<string, ApprovalEndpoints.ApprovalDto> overrides =
new(StringComparer.OrdinalIgnoreCase);
public IReadOnlyList<ApprovalEndpoints.ApprovalDto> Apply(IEnumerable<ApprovalEndpoints.ApprovalDto> approvals)
{
return approvals
.Select(Apply)
.ToArray();
}
public ApprovalEndpoints.ApprovalDto Apply(ApprovalEndpoints.ApprovalDto approval)
{
return overrides.TryGetValue(approval.Id, out var updated)
? updated
: approval;
}
public bool TryApprove(
string approvalId,
string actor,
string? comment,
out ApprovalEndpoints.ApprovalDto? approval,
out string? error)
{
lock (overrides)
{
var current = ResolveCurrentApproval(approvalId);
if (current is null)
{
approval = null;
error = "promotion_not_found";
return false;
}
if (string.Equals(current.Status, "rejected", StringComparison.OrdinalIgnoreCase))
{
approval = null;
error = "promotion_not_pending";
return false;
}
if (string.Equals(current.Status, "approved", StringComparison.OrdinalIgnoreCase))
{
approval = current;
error = null;
return true;
}
var approvedAt = NextTimestamp(current);
var currentApprovals = Math.Min(current.RequiredApprovals, current.CurrentApprovals + 1);
var status = currentApprovals >= current.RequiredApprovals ? "approved" : current.Status;
approval = current with
{
CurrentApprovals = currentApprovals,
Status = status,
Actions = AppendAction(current.Actions, new ApprovalEndpoints.ApprovalActionRecordDto
{
Id = BuildActionId(current.Id, current.Actions.Count + 1),
ApprovalId = current.Id,
Action = "approved",
Actor = actor,
Comment = comment ?? string.Empty,
Timestamp = approvedAt,
}),
Approvers = ApplyApprovalToApprovers(current.Approvers, actor, approvedAt),
};
overrides[approval.Id] = approval;
error = null;
return true;
}
}
public bool TryReject(
string approvalId,
string actor,
string? comment,
out ApprovalEndpoints.ApprovalDto? approval,
out string? error)
{
lock (overrides)
{
var current = ResolveCurrentApproval(approvalId);
if (current is null)
{
approval = null;
error = "promotion_not_found";
return false;
}
if (string.Equals(current.Status, "approved", StringComparison.OrdinalIgnoreCase))
{
approval = null;
error = "promotion_not_pending";
return false;
}
if (string.Equals(current.Status, "rejected", StringComparison.OrdinalIgnoreCase))
{
approval = current;
error = null;
return true;
}
var rejectedAt = NextTimestamp(current);
approval = current with
{
Status = "rejected",
Actions = AppendAction(current.Actions, new ApprovalEndpoints.ApprovalActionRecordDto
{
Id = BuildActionId(current.Id, current.Actions.Count + 1),
ApprovalId = current.Id,
Action = "rejected",
Actor = actor,
Comment = comment ?? string.Empty,
Timestamp = rejectedAt,
}),
};
overrides[approval.Id] = approval;
error = null;
return true;
}
}
private ApprovalEndpoints.ApprovalDto? ResolveCurrentApproval(string approvalId)
{
if (overrides.TryGetValue(approvalId, out var updated))
{
return updated;
}
return ApprovalEndpoints.SeedData.Approvals
.FirstOrDefault(item => string.Equals(item.Id, approvalId, StringComparison.OrdinalIgnoreCase));
}
private static List<ApprovalEndpoints.ApproverDto> ApplyApprovalToApprovers(
List<ApprovalEndpoints.ApproverDto> approvers,
string actor,
string approvedAt)
{
var updated = approvers
.Select(item =>
{
var matchesActor =
string.Equals(item.Id, actor, StringComparison.OrdinalIgnoreCase)
|| string.Equals(item.Email, actor, StringComparison.OrdinalIgnoreCase)
|| string.Equals(item.Name, actor, StringComparison.OrdinalIgnoreCase);
return matchesActor
? item with { HasApproved = true, ApprovedAt = approvedAt }
: item;
})
.ToList();
if (updated.Any(item => item.HasApproved && string.Equals(item.ApprovedAt, approvedAt, StringComparison.Ordinal)))
{
return updated;
}
updated.Add(new ApprovalEndpoints.ApproverDto
{
Id = actor,
Name = actor,
Email = actor.Contains('@', StringComparison.Ordinal) ? actor : $"{actor}@local",
HasApproved = true,
ApprovedAt = approvedAt,
});
return updated;
}
private static List<ApprovalEndpoints.ApprovalActionRecordDto> AppendAction(
List<ApprovalEndpoints.ApprovalActionRecordDto> actions,
ApprovalEndpoints.ApprovalActionRecordDto action)
{
var updated = actions.ToList();
updated.Add(action);
return updated;
}
private static string BuildActionId(string approvalId, int index)
=> $"{approvalId}-action-{index:D2}";
private static string NextTimestamp(ApprovalEndpoints.ApprovalDto approval)
{
var latestTimestamp = approval.Actions
.Select(action => ParseTimestamp(action.Timestamp))
.Append(ParseTimestamp(approval.RequestedAt))
.Max();
return latestTimestamp.AddMinutes(1).ToString("O", CultureInfo.InvariantCulture);
}
private static DateTimeOffset ParseTimestamp(string value)
{
return DateTimeOffset.TryParse(value, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out var parsed)
? parsed
: DateTimeOffset.UnixEpoch;
}
}

3
src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/TASKS.md
View File

@@ -5,6 +5,9 @@ Source of truth: `docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229
| Task ID | Status | Notes | | Task ID | Status | Notes |
| --- | --- | --- | | --- | --- | --- |
| SPRINT_20260323_001-TASK-002 | DONE | Sprint `docs-archived/implplan/2026-03-31-completed-sprints/SPRINT_20260323_001_BE_release_api_proxy_and_endpoints.md`: deployment monitoring compatibility endpoints under `/api/v1/release-orchestrator/deployments/*` were verified as implemented and reachable. |
| SPRINT_20260323_001-TASK-003 | DONE | Sprint `docs-archived/implplan/2026-03-31-completed-sprints/SPRINT_20260323_001_BE_release_api_proxy_and_endpoints.md`: evidence compatibility endpoints now verify hashes against deterministic raw payloads and export stable offline bundles. |
| SPRINT_20260323_001-TASK-005 | DONE | Sprint `docs-archived/implplan/2026-03-31-completed-sprints/SPRINT_20260323_001_BE_release_api_proxy_and_endpoints.md`: dashboard approval/rejection endpoints now persist in-memory promotion decisions per app instance for Console compatibility flows. |
| U-002-ORCH-DEADLETTER | DOING | Sprint `docs/implplan/SPRINT_20260218_004_Platform_local_setup_usability_hardening.md`: add/fix deadletter API behavior used by console actions (including export route) and validate local setup usability paths. | | U-002-ORCH-DEADLETTER | DOING | Sprint `docs/implplan/SPRINT_20260218_004_Platform_local_setup_usability_hardening.md`: add/fix deadletter API behavior used by console actions (including export route) and validate local setup usability paths. |
| AUDIT-0425-M | DONE | Revalidated 2026-01-07; maintainability audit for StellaOps.JobEngine.WebService. | | AUDIT-0425-M | DONE | Revalidated 2026-01-07; maintainability audit for StellaOps.JobEngine.WebService. |
| AUDIT-0425-T | DONE | Revalidated 2026-01-07; test coverage audit for StellaOps.JobEngine.WebService. | | AUDIT-0425-T | DONE | Revalidated 2026-01-07; test coverage audit for StellaOps.JobEngine.WebService. |

5
src/Platform/StellaOps.Platform.WebService/Contracts/TopologyReadModels.cs
View File

@@ -50,7 +50,10 @@ public sealed record TopologyHostProjection(
string Status, string Status,
string AgentId, string AgentId,
int TargetCount, int TargetCount,
DateTimeOffset? LastSeenAt); DateTimeOffset? LastSeenAt,
string? ProbeStatus = null,
string? ProbeType = null,
DateTimeOffset? ProbeLastHeartbeat = null);
public sealed record TopologyAgentProjection( public sealed record TopologyAgentProjection(
string AgentId, string AgentId,

87
src/Platform/StellaOps.Platform.WebService/Endpoints/AssistantEndpoints.cs
View File

@@ -24,12 +24,16 @@ public static class AssistantEndpoints
group.MapGet("/tips", async Task<IResult>( group.MapGet("/tips", async Task<IResult>(
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
[FromQuery] string route, [FromQuery] string route,
[FromQuery] string? locale, [FromQuery] string? locale,
[FromQuery] string? contexts, [FromQuery] string? contexts,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var tenantId = ResolveTenantId(httpContext); var tenantId = ResolveTenantId(httpContext);
var effectiveLocale = locale ?? "en-US"; var effectiveLocale = locale ?? "en-US";
var contextList = string.IsNullOrWhiteSpace(contexts) var contextList = string.IsNullOrWhiteSpace(contexts)
@@ -46,11 +50,15 @@ public static class AssistantEndpoints
group.MapGet("/glossary", async Task<IResult>( group.MapGet("/glossary", async Task<IResult>(
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
[FromQuery] string? locale, [FromQuery] string? locale,
[FromQuery] string? terms, [FromQuery] string? terms,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var tenantId = ResolveTenantId(httpContext); var tenantId = ResolveTenantId(httpContext);
var effectiveLocale = locale ?? "en-US"; var effectiveLocale = locale ?? "en-US";
var termList = string.IsNullOrWhiteSpace(terms) var termList = string.IsNullOrWhiteSpace(terms)
@@ -67,9 +75,13 @@ public static class AssistantEndpoints
group.MapGet("/user-state", async Task<IResult>( group.MapGet("/user-state", async Task<IResult>(
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var (userId, tenantId) = ResolveUserContext(httpContext); var (userId, tenantId) = ResolveUserContext(httpContext);
var state = await store.GetUserStateAsync(userId, tenantId, ct); var state = await store.GetUserStateAsync(userId, tenantId, ct);
return state is not null ? Results.Ok(state) : Results.Ok(new AssistantUserStateDto( return state is not null ? Results.Ok(state) : Results.Ok(new AssistantUserStateDto(
@@ -80,10 +92,14 @@ public static class AssistantEndpoints
group.MapPut("/user-state", async Task<IResult>( group.MapPut("/user-state", async Task<IResult>(
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
AssistantUserStateDto state, AssistantUserStateDto state,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var (userId, tenantId) = ResolveUserContext(httpContext); var (userId, tenantId) = ResolveUserContext(httpContext);
await store.UpsertUserStateAsync(userId, tenantId, state, ct); await store.UpsertUserStateAsync(userId, tenantId, state, ct);
return Results.Ok(); return Results.Ok();
@@ -96,11 +112,15 @@ public static class AssistantEndpoints
group.MapGet("/tours", async Task<IResult>( group.MapGet("/tours", async Task<IResult>(
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
[FromQuery] string? locale, [FromQuery] string? locale,
[FromQuery] string? tourKey, [FromQuery] string? tourKey,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var tenantId = ResolveTenantId(httpContext); var tenantId = ResolveTenantId(httpContext);
var effectiveLocale = locale ?? "en-US"; var effectiveLocale = locale ?? "en-US";
var result = await store.GetToursAsync(effectiveLocale, tenantId, tourKey, ct); var result = await store.GetToursAsync(effectiveLocale, tenantId, tourKey, ct);
@@ -117,10 +137,14 @@ public static class AssistantEndpoints
admin.MapPost("/tips", async Task<IResult>( admin.MapPost("/tips", async Task<IResult>(
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
UpsertAssistantTipRequest request, UpsertAssistantTipRequest request,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var tenantId = ResolveTenantId(httpContext); var tenantId = ResolveTenantId(httpContext);
var actor = ResolveUserId(httpContext); var actor = ResolveUserId(httpContext);
var id = await store.UpsertTipAsync(tenantId, request, actor, ct); var id = await store.UpsertTipAsync(tenantId, request, actor, ct);
@@ -130,10 +154,15 @@ public static class AssistantEndpoints
.WithSummary("Create or update a tip"); .WithSummary("Create or update a tip");
admin.MapDelete("/tips/{tipId}", async Task<IResult>( admin.MapDelete("/tips/{tipId}", async Task<IResult>(
HttpContext httpContext,
string tipId, string tipId,
PostgresAssistantStore store,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
await store.DeactivateTipAsync(tipId, ct); await store.DeactivateTipAsync(tipId, ct);
return Results.Ok(); return Results.Ok();
}) })
@@ -142,11 +171,15 @@ public static class AssistantEndpoints
admin.MapGet("/tips", async Task<IResult>( admin.MapGet("/tips", async Task<IResult>(
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
[FromQuery] string? locale, [FromQuery] string? locale,
[FromQuery] string? route, [FromQuery] string? route,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var tenantId = ResolveTenantId(httpContext); var tenantId = ResolveTenantId(httpContext);
var result = await store.ListAllTipsAsync(tenantId, locale ?? "en-US", route, ct); var result = await store.ListAllTipsAsync(tenantId, locale ?? "en-US", route, ct);
return Results.Ok(result); return Results.Ok(result);
@@ -156,10 +189,14 @@ public static class AssistantEndpoints
admin.MapGet("/tours", async Task<IResult>( admin.MapGet("/tours", async Task<IResult>(
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
[FromQuery] string? locale, [FromQuery] string? locale,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var tenantId = ResolveTenantId(httpContext); var tenantId = ResolveTenantId(httpContext);
var result = await store.ListAllToursAsync(tenantId, locale ?? "en-US", ct); var result = await store.ListAllToursAsync(tenantId, locale ?? "en-US", ct);
return Results.Ok(result); return Results.Ok(result);
@@ -169,10 +206,14 @@ public static class AssistantEndpoints
admin.MapPost("/tours", async Task<IResult>( admin.MapPost("/tours", async Task<IResult>(
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
UpsertTourRequest request, UpsertTourRequest request,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var tenantId = ResolveTenantId(httpContext); var tenantId = ResolveTenantId(httpContext);
var id = await store.UpsertTourAsync(tenantId, request, ct); var id = await store.UpsertTourAsync(tenantId, request, ct);
return Results.Ok(new { tourId = id }); return Results.Ok(new { tourId = id });
@@ -183,10 +224,14 @@ public static class AssistantEndpoints
admin.MapGet("/tours/{tourKey}", async Task<IResult>( admin.MapGet("/tours/{tourKey}", async Task<IResult>(
string tourKey, string tourKey,
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
[FromQuery] string? locale, [FromQuery] string? locale,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var tenantId = ResolveTenantId(httpContext); var tenantId = ResolveTenantId(httpContext);
var tour = await store.GetTourByKeyAsync(tenantId, tourKey, locale ?? "en-US", ct); var tour = await store.GetTourByKeyAsync(tenantId, tourKey, locale ?? "en-US", ct);
return tour is not null ? Results.Ok(tour) : Results.NotFound(); return tour is not null ? Results.Ok(tour) : Results.NotFound();
@@ -196,10 +241,14 @@ public static class AssistantEndpoints
admin.MapPost("/glossary", async Task<IResult>( admin.MapPost("/glossary", async Task<IResult>(
HttpContext httpContext, HttpContext httpContext,
PostgresAssistantStore store,
UpsertGlossaryTermRequest request, UpsertGlossaryTermRequest request,
CancellationToken ct) => CancellationToken ct) =>
{ {
if (!TryResolveStore(httpContext, out var store))
{
return AssistantStoreUnavailable();
}
var tenantId = ResolveTenantId(httpContext); var tenantId = ResolveTenantId(httpContext);
var id = await store.UpsertGlossaryTermAsync(tenantId, request, ct); var id = await store.UpsertGlossaryTermAsync(tenantId, request, ct);
return Results.Ok(new { termId = id }); return Results.Ok(new { termId = id });
@@ -215,6 +264,20 @@ public static class AssistantEndpoints
?? ctx.User.FindFirst("stellaops:user_id")?.Value ?? ctx.User.FindFirst("stellaops:user_id")?.Value
?? "anonymous"; ?? "anonymous";
private static bool TryResolveStore(HttpContext context, out PostgresAssistantStore store)
{
store = context.RequestServices.GetService<PostgresAssistantStore>()!;
return store is not null;
}
private static IResult AssistantStoreUnavailable()
{
return Results.Problem(
detail: "Assistant persistence is unavailable because the Platform service is running without PostgreSQL.",
statusCode: StatusCodes.Status503ServiceUnavailable,
title: "assistant_store_unavailable");
}
private static string ResolveTenantId(HttpContext ctx) private static string ResolveTenantId(HttpContext ctx)
=> ctx.Request.Headers["X-Tenant-Id"].FirstOrDefault() ?? "_system"; => ctx.Request.Headers["X-Tenant-Id"].FirstOrDefault() ?? "_system";

456
src/Platform/StellaOps.Platform.WebService/Endpoints/ReleaseOrchestratorEnvironmentEndpoints.cs Normal file
View File

@@ -0,0 +1,456 @@
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using StellaOps.Auth.ServerIntegration.Tenancy;
using StellaOps.Platform.WebService.Constants;
using StellaOps.ReleaseOrchestrator.Environment.FreezeWindow;
using StellaOps.ReleaseOrchestrator.Environment.Models;
using StellaOps.ReleaseOrchestrator.Environment.Services;
using StellaOps.ReleaseOrchestrator.Environment.Target;
namespace StellaOps.Platform.WebService.Endpoints;
public static class ReleaseOrchestratorEnvironmentEndpoints
{
public static IEndpointRouteBuilder MapReleaseOrchestratorEnvironmentEndpoints(this IEndpointRouteBuilder app)
{
var environments = app.MapGroup("/api/v1/release-orchestrator/environments")
.WithTags("Release Orchestrator Environments")
.RequireAuthorization(PlatformPolicies.ReleaseControlRead)
.RequireTenant();
environments.MapGet(string.Empty, ListEnvironments)
.WithName("ListReleaseOrchestratorEnvironments")
.WithSummary("List release orchestrator environments");
environments.MapGet("/{id:guid}", GetEnvironment)
.WithName("GetReleaseOrchestratorEnvironment")
.WithSummary("Get a release orchestrator environment");
environments.MapPost(string.Empty, CreateEnvironment)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("CreateReleaseOrchestratorEnvironment")
.WithSummary("Create a release orchestrator environment");
environments.MapPut("/{id:guid}", UpdateEnvironment)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("UpdateReleaseOrchestratorEnvironment")
.WithSummary("Update a release orchestrator environment");
environments.MapDelete("/{id:guid}", DeleteEnvironment)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("DeleteReleaseOrchestratorEnvironment")
.WithSummary("Delete a release orchestrator environment");
environments.MapPut("/{id:guid}/settings", UpdateEnvironmentSettings)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("UpdateReleaseOrchestratorEnvironmentSettings")
.WithSummary("Update environment release settings");
environments.MapGet("/{id:guid}/targets", ListTargets)
.WithName("ListReleaseOrchestratorEnvironmentTargets")
.WithSummary("List environment targets");
environments.MapPost("/{id:guid}/targets", CreateTarget)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("CreateReleaseOrchestratorEnvironmentTarget")
.WithSummary("Create an environment target");
environments.MapPut("/{id:guid}/targets/{targetId:guid}", UpdateTarget)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("UpdateReleaseOrchestratorEnvironmentTarget")
.WithSummary("Update an environment target");
environments.MapDelete("/{id:guid}/targets/{targetId:guid}", DeleteTarget)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("DeleteReleaseOrchestratorEnvironmentTarget")
.WithSummary("Delete an environment target");
environments.MapPost("/{id:guid}/targets/{targetId:guid}/health-check", CheckTargetHealth)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("HealthCheckReleaseOrchestratorEnvironmentTarget")
.WithSummary("Run a target health check");
environments.MapGet("/{id:guid}/freeze-windows", ListFreezeWindows)
.WithName("ListReleaseOrchestratorFreezeWindows")
.WithSummary("List environment freeze windows");
environments.MapPost("/{id:guid}/freeze-windows", CreateFreezeWindow)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("CreateReleaseOrchestratorFreezeWindow")
.WithSummary("Create an environment freeze window");
environments.MapPut("/{id:guid}/freeze-windows/{freezeWindowId:guid}", UpdateFreezeWindow)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("UpdateReleaseOrchestratorFreezeWindow")
.WithSummary("Update an environment freeze window");
environments.MapDelete("/{id:guid}/freeze-windows/{freezeWindowId:guid}", DeleteFreezeWindow)
.RequireAuthorization(PlatformPolicies.ReleaseControlOperate)
.WithName("DeleteReleaseOrchestratorFreezeWindow")
.WithSummary("Delete an environment freeze window");
return app;
}
private static async Task<IResult> ListEnvironments(
IEnvironmentService environmentService,
CancellationToken cancellationToken)
{
var items = await environmentService.ListOrderedAsync(cancellationToken).ConfigureAwait(false);
return Results.Ok(items);
}
private static async Task<IResult> GetEnvironment(
Guid id,
IEnvironmentService environmentService,
CancellationToken cancellationToken)
{
var environment = await environmentService.GetAsync(id, cancellationToken).ConfigureAwait(false);
return environment is not null
? Results.Ok(environment)
: Results.NotFound(new { error = "environment_not_found", id });
}
private static async Task<IResult> CreateEnvironment(
CreateEnvironmentRequest request,
IEnvironmentService environmentService,
CancellationToken cancellationToken)
{
try
{
var created = await environmentService.CreateAsync(request, cancellationToken).ConfigureAwait(false);
return Results.Created($"/api/v1/release-orchestrator/environments/{created.Id:D}", created);
}
catch (ValidationException ex)
{
return Results.BadRequest(new { error = "environment_validation_failed", details = ex.Errors });
}
}
private static async Task<IResult> UpdateEnvironment(
Guid id,
UpdateEnvironmentRequest request,
IEnvironmentService environmentService,
CancellationToken cancellationToken)
{
try
{
var updated = await environmentService.UpdateAsync(id, request, cancellationToken).ConfigureAwait(false);
return Results.Ok(updated);
}
catch (EnvironmentNotFoundException)
{
return Results.NotFound(new { error = "environment_not_found", id });
}
catch (ValidationException ex)
{
return Results.BadRequest(new { error = "environment_validation_failed", details = ex.Errors });
}
}
private static Task<IResult> UpdateEnvironmentSettings(
Guid id,
UpdateEnvironmentSettingsRequest request,
IEnvironmentService environmentService,
CancellationToken cancellationToken)
{
return UpdateEnvironment(
id,
new UpdateEnvironmentRequest(
RequiredApprovals: request.RequiredApprovals,
RequireSeparationOfDuties: request.RequireSeparationOfDuties,
AutoPromoteFrom: request.AutoPromoteFrom,
DeploymentTimeoutSeconds: request.DeploymentTimeoutSeconds),
environmentService,
cancellationToken);
}
private static async Task<IResult> DeleteEnvironment(
Guid id,
IEnvironmentService environmentService,
ITargetRegistry targetRegistry,
CancellationToken cancellationToken)
{
var targets = await targetRegistry.ListByEnvironmentAsync(id, cancellationToken).ConfigureAwait(false);
if (targets.Count > 0)
{
return Results.Conflict(new { error = "environment_has_targets", id, targetCount = targets.Count });
}
try
{
await environmentService.DeleteAsync(id, cancellationToken).ConfigureAwait(false);
return Results.NoContent();
}
catch (EnvironmentNotFoundException)
{
return Results.NotFound(new { error = "environment_not_found", id });
}
catch (InvalidOperationException ex)
{
return Results.Conflict(new { error = "environment_delete_blocked", message = ex.Message });
}
}
private static async Task<IResult> ListTargets(
Guid id,
IEnvironmentService environmentService,
ITargetRegistry targetRegistry,
CancellationToken cancellationToken)
{
if (!await EnvironmentExistsAsync(id, environmentService, cancellationToken).ConfigureAwait(false))
{
return Results.NotFound(new { error = "environment_not_found", id });
}
var targets = await targetRegistry.ListByEnvironmentAsync(id, cancellationToken).ConfigureAwait(false);
return Results.Ok(targets);
}
private static async Task<IResult> CreateTarget(
Guid id,
CreateTargetRequest request,
IEnvironmentService environmentService,
ITargetRegistry targetRegistry,
CancellationToken cancellationToken)
{
if (!await EnvironmentExistsAsync(id, environmentService, cancellationToken).ConfigureAwait(false))
{
return Results.NotFound(new { error = "environment_not_found", id });
}
try
{
var created = await targetRegistry.RegisterAsync(
new RegisterTargetRequest(
id,
request.Name,
request.DisplayName,
request.Type,
request.ConnectionConfig,
request.AgentId),
cancellationToken).ConfigureAwait(false);
return Results.Created(
$"/api/v1/release-orchestrator/environments/{id:D}/targets/{created.Id:D}",
created);
}
catch (ValidationException ex)
{
return Results.BadRequest(new { error = "target_validation_failed", details = ex.Errors });
}
}
private static async Task<IResult> UpdateTarget(
Guid id,
Guid targetId,
UpdateTargetRequest request,
IEnvironmentService environmentService,
ITargetRegistry targetRegistry,
CancellationToken cancellationToken)
{
if (!await EnvironmentExistsAsync(id, environmentService, cancellationToken).ConfigureAwait(false))
{
return Results.NotFound(new { error = "environment_not_found", id });
}
var target = await targetRegistry.GetAsync(targetId, cancellationToken).ConfigureAwait(false);
if (target is null || target.EnvironmentId != id)
{
return Results.NotFound(new { error = "target_not_found", environmentId = id, targetId });
}
try
{
var updated = await targetRegistry.UpdateAsync(targetId, request, cancellationToken).ConfigureAwait(false);
return Results.Ok(updated);
}
catch (ValidationException ex)
{
return Results.BadRequest(new { error = "target_validation_failed", details = ex.Errors });
}
}
private static async Task<IResult> DeleteTarget(
Guid id,
Guid targetId,
IEnvironmentService environmentService,
ITargetRegistry targetRegistry,
CancellationToken cancellationToken)
{
if (!await EnvironmentExistsAsync(id, environmentService, cancellationToken).ConfigureAwait(false))
{
return Results.NotFound(new { error = "environment_not_found", id });
}
var target = await targetRegistry.GetAsync(targetId, cancellationToken).ConfigureAwait(false);
if (target is null || target.EnvironmentId != id)
{
return Results.NotFound(new { error = "target_not_found", environmentId = id, targetId });
}
try
{
await targetRegistry.UnregisterAsync(targetId, cancellationToken).ConfigureAwait(false);
return Results.NoContent();
}
catch (InvalidOperationException ex)
{
return Results.Conflict(new { error = "target_delete_blocked", message = ex.Message });
}
}
private static async Task<IResult> CheckTargetHealth(
Guid id,
Guid targetId,
IEnvironmentService environmentService,
ITargetRegistry targetRegistry,
CancellationToken cancellationToken)
{
if (!await EnvironmentExistsAsync(id, environmentService, cancellationToken).ConfigureAwait(false))
{
return Results.NotFound(new { error = "environment_not_found", id });
}
var target = await targetRegistry.GetAsync(targetId, cancellationToken).ConfigureAwait(false);
if (target is null || target.EnvironmentId != id)
{
return Results.NotFound(new { error = "target_not_found", environmentId = id, targetId });
}
var result = await targetRegistry.TestConnectionAsync(targetId, cancellationToken).ConfigureAwait(false);
return Results.Ok(result);
}
private static async Task<IResult> ListFreezeWindows(
Guid id,
IEnvironmentService environmentService,
IFreezeWindowService freezeWindowService,
CancellationToken cancellationToken)
{
if (!await EnvironmentExistsAsync(id, environmentService, cancellationToken).ConfigureAwait(false))
{
return Results.NotFound(new { error = "environment_not_found", id });
}
var windows = await freezeWindowService.ListByEnvironmentAsync(id, cancellationToken).ConfigureAwait(false);
return Results.Ok(windows);
}
private static async Task<IResult> CreateFreezeWindow(
Guid id,
CreateFreezeWindowBody request,
IEnvironmentService environmentService,
IFreezeWindowService freezeWindowService,
CancellationToken cancellationToken)
{
if (!await EnvironmentExistsAsync(id, environmentService, cancellationToken).ConfigureAwait(false))
{
return Results.NotFound(new { error = "environment_not_found", id });
}
try
{
var created = await freezeWindowService.CreateAsync(
new CreateFreezeWindowRequest(
id,
request.Name,
request.StartAt,
request.EndAt,
request.Reason,
request.IsRecurring,
request.RecurrenceRule),
cancellationToken).ConfigureAwait(false);
return Results.Created(
$"/api/v1/release-orchestrator/environments/{id:D}/freeze-windows/{created.Id:D}",
created);
}
catch (ArgumentException ex)
{
return Results.BadRequest(new { error = "freeze_window_validation_failed", message = ex.Message });
}
}
private static async Task<IResult> UpdateFreezeWindow(
Guid id,
Guid freezeWindowId,
UpdateFreezeWindowRequest request,
IEnvironmentService environmentService,
IFreezeWindowService freezeWindowService,
CancellationToken cancellationToken)
{
if (!await EnvironmentExistsAsync(id, environmentService, cancellationToken).ConfigureAwait(false))
{
return Results.NotFound(new { error = "environment_not_found", id });
}
var window = await freezeWindowService.GetAsync(freezeWindowId, cancellationToken).ConfigureAwait(false);
if (window is null || window.EnvironmentId != id)
{
return Results.NotFound(new { error = "freeze_window_not_found", environmentId = id, freezeWindowId });
}
try
{
var updated = await freezeWindowService.UpdateAsync(freezeWindowId, request, cancellationToken).ConfigureAwait(false);
return Results.Ok(updated);
}
catch (FreezeWindowNotFoundException)
{
return Results.NotFound(new { error = "freeze_window_not_found", environmentId = id, freezeWindowId });
}
}
private static async Task<IResult> DeleteFreezeWindow(
Guid id,
Guid freezeWindowId,
IEnvironmentService environmentService,
IFreezeWindowService freezeWindowService,
CancellationToken cancellationToken)
{
if (!await EnvironmentExistsAsync(id, environmentService, cancellationToken).ConfigureAwait(false))
{
return Results.NotFound(new { error = "environment_not_found", id });
}
var window = await freezeWindowService.GetAsync(freezeWindowId, cancellationToken).ConfigureAwait(false);
if (window is null || window.EnvironmentId != id)
{
return Results.NotFound(new { error = "freeze_window_not_found", environmentId = id, freezeWindowId });
}
await freezeWindowService.DeleteAsync(freezeWindowId, cancellationToken).ConfigureAwait(false);
return Results.NoContent();
}
private static async Task<bool> EnvironmentExistsAsync(
Guid environmentId,
IEnvironmentService environmentService,
CancellationToken cancellationToken)
{
return await environmentService.GetAsync(environmentId, cancellationToken).ConfigureAwait(false) is not null;
}
public sealed record CreateTargetRequest(
string Name,
string DisplayName,
TargetType Type,
TargetConnectionConfig ConnectionConfig,
Guid? AgentId = null);
public sealed record UpdateEnvironmentSettingsRequest(
int? RequiredApprovals = null,
bool? RequireSeparationOfDuties = null,
Guid? AutoPromoteFrom = null,
int? DeploymentTimeoutSeconds = null);
public sealed record CreateFreezeWindowBody(
string Name,
DateTimeOffset StartAt,
DateTimeOffset EndAt,
string? Reason = null,
bool IsRecurring = false,
string? RecurrenceRule = null);
}

41
src/Platform/StellaOps.Platform.WebService/Program.cs
View File

@@ -52,6 +52,7 @@ builder.Services.AddOptions<PlatformServiceOptions>()
builder.Services.AddSingleton<IPostConfigureOptions<PlatformServiceOptions>, StellaOpsEnvVarPostConfigure>(); builder.Services.AddSingleton<IPostConfigureOptions<PlatformServiceOptions>, StellaOpsEnvVarPostConfigure>();
builder.Services.AddStellaOpsTenantServices(); builder.Services.AddStellaOpsTenantServices();
builder.Services.AddHttpContextAccessor();
builder.Services.AddStellaOpsCors(builder.Environment, builder.Configuration); builder.Services.AddStellaOpsCors(builder.Environment, builder.Configuration);
builder.Services.AddRouting(options => options.LowercaseUrls = true); builder.Services.AddRouting(options => options.LowercaseUrls = true);
builder.Services.AddEndpointsApiExplorer(); builder.Services.AddEndpointsApiExplorer();
@@ -162,6 +163,7 @@ builder.Services.AddAuthorization(options =>
}); });
builder.Services.AddSingleton<PlatformRequestContextResolver>(); builder.Services.AddSingleton<PlatformRequestContextResolver>();
builder.Services.AddSingleton<ReleaseOrchestratorCompatibilityIdentityAccessor>();
builder.Services.AddSingleton<PlatformCache>(); builder.Services.AddSingleton<PlatformCache>();
builder.Services.AddSingleton<PlatformAggregationMetrics>(); builder.Services.AddSingleton<PlatformAggregationMetrics>();
builder.Services.AddSingleton<LegacyAliasTelemetry>(); builder.Services.AddSingleton<LegacyAliasTelemetry>();
@@ -206,6 +208,44 @@ builder.Services.AddHttpClient("HarborFixture", client =>
builder.Services.AddSingleton<PlatformMetadataService>(); builder.Services.AddSingleton<PlatformMetadataService>();
builder.Services.AddSingleton<PlatformContextService>(); builder.Services.AddSingleton<PlatformContextService>();
builder.Services.AddSingleton<IPlatformContextQuery>(sp => sp.GetRequiredService<PlatformContextService>()); builder.Services.AddSingleton<IPlatformContextQuery>(sp => sp.GetRequiredService<PlatformContextService>());
builder.Services.AddSingleton(sp => new StellaOps.ReleaseOrchestrator.Environment.Store.InMemoryEnvironmentStore(
() => sp.GetRequiredService<ReleaseOrchestratorCompatibilityIdentityAccessor>().GetTenantId()));
builder.Services.AddSingleton<StellaOps.ReleaseOrchestrator.Environment.Store.IEnvironmentStore>(sp =>
sp.GetRequiredService<StellaOps.ReleaseOrchestrator.Environment.Store.InMemoryEnvironmentStore>());
builder.Services.AddSingleton<StellaOps.ReleaseOrchestrator.Environment.Services.IEnvironmentService>(sp =>
new StellaOps.ReleaseOrchestrator.Environment.Services.EnvironmentService(
sp.GetRequiredService<StellaOps.ReleaseOrchestrator.Environment.Store.IEnvironmentStore>(),
sp.GetRequiredService<TimeProvider>(),
sp.GetRequiredService<ILoggerFactory>().CreateLogger<StellaOps.ReleaseOrchestrator.Environment.Services.EnvironmentService>(),
sp.GetRequiredService<ReleaseOrchestratorCompatibilityIdentityAccessor>().GetTenantId,
sp.GetRequiredService<ReleaseOrchestratorCompatibilityIdentityAccessor>().GetActorId));
builder.Services.AddSingleton(sp => new StellaOps.ReleaseOrchestrator.Environment.Target.InMemoryTargetStore(
() => sp.GetRequiredService<ReleaseOrchestratorCompatibilityIdentityAccessor>().GetTenantId()));
builder.Services.AddSingleton<StellaOps.ReleaseOrchestrator.Environment.Target.ITargetStore>(sp =>
sp.GetRequiredService<StellaOps.ReleaseOrchestrator.Environment.Target.InMemoryTargetStore>());
builder.Services.AddSingleton<StellaOps.ReleaseOrchestrator.Environment.Target.ITargetConnectionTester,
StellaOps.ReleaseOrchestrator.Environment.Target.NoOpTargetConnectionTester>();
builder.Services.AddSingleton<StellaOps.ReleaseOrchestrator.Environment.Target.ITargetRegistry>(sp =>
new StellaOps.ReleaseOrchestrator.Environment.Target.TargetRegistry(
sp.GetRequiredService<StellaOps.ReleaseOrchestrator.Environment.Target.ITargetStore>(),
sp.GetRequiredService<StellaOps.ReleaseOrchestrator.Environment.Store.IEnvironmentStore>(),
sp.GetRequiredService<StellaOps.ReleaseOrchestrator.Environment.Target.ITargetConnectionTester>(),
sp.GetRequiredService<TimeProvider>(),
sp.GetRequiredService<ILoggerFactory>().CreateLogger<StellaOps.ReleaseOrchestrator.Environment.Target.TargetRegistry>(),
sp.GetRequiredService<ReleaseOrchestratorCompatibilityIdentityAccessor>().GetTenantId));
builder.Services.AddSingleton<StellaOps.ReleaseOrchestrator.Environment.FreezeWindow.InMemoryFreezeWindowStore>();
builder.Services.AddSingleton<StellaOps.ReleaseOrchestrator.Environment.FreezeWindow.IFreezeWindowStore>(sp =>
sp.GetRequiredService<StellaOps.ReleaseOrchestrator.Environment.FreezeWindow.InMemoryFreezeWindowStore>());
builder.Services.AddSingleton<StellaOps.ReleaseOrchestrator.Environment.FreezeWindow.IFreezeWindowService>(sp =>
new StellaOps.ReleaseOrchestrator.Environment.FreezeWindow.FreezeWindowService(
sp.GetRequiredService<StellaOps.ReleaseOrchestrator.Environment.FreezeWindow.IFreezeWindowStore>(),
sp.GetRequiredService<TimeProvider>(),
sp.GetRequiredService<ILoggerFactory>().CreateLogger<StellaOps.ReleaseOrchestrator.Environment.FreezeWindow.FreezeWindowService>(),
sp.GetRequiredService<ReleaseOrchestratorCompatibilityIdentityAccessor>().GetActorId));
builder.Services.AddSingleton<StellaOps.ReleaseOrchestrator.Environment.Inventory.IRemoteCommandExecutor,
StellaOps.ReleaseOrchestrator.Environment.Inventory.NoOpRemoteCommandExecutor>();
builder.Services.AddSingleton<StellaOps.ReleaseOrchestrator.Environment.Inventory.IInventoryCollector,
StellaOps.ReleaseOrchestrator.Environment.Inventory.AgentInventoryCollector>();
builder.Services.AddSingleton<TopologyReadModelService>(); builder.Services.AddSingleton<TopologyReadModelService>();
builder.Services.AddSingleton<StellaOps.ElkSharp.IElkLayoutEngine, StellaOps.ElkSharp.ElkSharpLayeredLayoutEngine>(); builder.Services.AddSingleton<StellaOps.ElkSharp.IElkLayoutEngine, StellaOps.ElkSharp.ElkSharpLayeredLayoutEngine>();
builder.Services.AddSingleton<TopologyLayoutService>(); builder.Services.AddSingleton<TopologyLayoutService>();
@@ -350,6 +390,7 @@ app.MapScoreEndpoints();
app.MapFunctionMapEndpoints(); app.MapFunctionMapEndpoints();
app.MapPolicyInteropEndpoints(); app.MapPolicyInteropEndpoints();
app.MapReleaseControlEndpoints(); app.MapReleaseControlEndpoints();
app.MapReleaseOrchestratorEnvironmentEndpoints();
app.MapReleaseReadModelEndpoints(); app.MapReleaseReadModelEndpoints();
app.MapTopologyReadModelEndpoints(); app.MapTopologyReadModelEndpoints();
app.MapSecurityReadModelEndpoints(); app.MapSecurityReadModelEndpoints();

60
src/Platform/StellaOps.Platform.WebService/Services/ReleaseOrchestratorCompatibilityIdentityAccessor.cs Normal file
View File

@@ -0,0 +1,60 @@
using Microsoft.AspNetCore.Http;
using System.Security.Cryptography;
using System.Text;
namespace StellaOps.Platform.WebService.Services;
/// <summary>
/// Provides deterministic GUID identities for compatibility services that
/// store tenant and actor keys as GUID values.
/// </summary>
public sealed class ReleaseOrchestratorCompatibilityIdentityAccessor
{
private const string DefaultTenant = "_system";
private const string DefaultActor = "anonymous";
private readonly IHttpContextAccessor httpContextAccessor;
private readonly PlatformRequestContextResolver requestContextResolver;
public ReleaseOrchestratorCompatibilityIdentityAccessor(
IHttpContextAccessor httpContextAccessor,
PlatformRequestContextResolver requestContextResolver)
{
this.httpContextAccessor = httpContextAccessor ?? throw new ArgumentNullException(nameof(httpContextAccessor));
this.requestContextResolver = requestContextResolver ?? throw new ArgumentNullException(nameof(requestContextResolver));
}
public Guid GetTenantId()
{
var key = TryResolveRequestContext(out var context)
? context!.TenantId
: DefaultTenant;
return CreateDeterministicGuid($"tenant:{key}");
}
public Guid GetActorId()
{
var key = TryResolveRequestContext(out var context)
? context!.ActorId
: DefaultActor;
return CreateDeterministicGuid($"actor:{key}");
}
private bool TryResolveRequestContext(out PlatformRequestContext? requestContext)
{
requestContext = null;
var httpContext = httpContextAccessor.HttpContext;
return httpContext is not null
&& requestContextResolver.TryResolve(httpContext, out requestContext, out _);
}
internal static Guid CreateDeterministicGuid(string value)
{
var hash = SHA256.HashData(Encoding.UTF8.GetBytes(value));
Span<byte> bytes = stackalloc byte[16];
hash.AsSpan(0, 16).CopyTo(bytes);
return new Guid(bytes);
}
}

7
src/Platform/StellaOps.Platform.WebService/Services/TopologyReadModelService.cs
View File

@@ -358,9 +358,10 @@ public sealed class TopologyReadModelService
.GroupBy(target => target.HostId, StringComparer.Ordinal) .GroupBy(target => target.HostId, StringComparer.Ordinal)
.Select(group => .Select(group =>
{ {
var first = group var orderedTargets = group
.OrderBy(target => target.TargetId, StringComparer.Ordinal) .OrderBy(target => target.TargetId, StringComparer.Ordinal)
.First(); .ToArray();
var first = orderedTargets[0];
var hostStatus = ResolveHostStatus(group.Select(target => target.HealthStatus)); var hostStatus = ResolveHostStatus(group.Select(target => target.HealthStatus));
var lastSeen = MaxTimestamp(group.Select(target => target.LastSyncAt)); var lastSeen = MaxTimestamp(group.Select(target => target.LastSyncAt));
@@ -372,7 +373,7 @@ public sealed class TopologyReadModelService
RuntimeType: first.TargetType, RuntimeType: first.TargetType,
Status: hostStatus, Status: hostStatus,
AgentId: first.AgentId, AgentId: first.AgentId,
TargetCount: group.Count(), TargetCount: orderedTargets.Length,
LastSeenAt: lastSeen, LastSeenAt: lastSeen,
ProbeStatus: "not_installed", ProbeStatus: "not_installed",
ProbeType: null, ProbeType: null,

1
src/Platform/StellaOps.Platform.WebService/StellaOps.Platform.WebService.csproj
View File

@@ -25,6 +25,7 @@
<ProjectReference Include="..\..\Router\__Libraries\StellaOps.Router.AspNet\StellaOps.Router.AspNet.csproj" /> <ProjectReference Include="..\..\Router\__Libraries\StellaOps.Router.AspNet\StellaOps.Router.AspNet.csproj" />
<ProjectReference Include="..\..\Router\__Libraries\StellaOps.Messaging\StellaOps.Messaging.csproj" /> <ProjectReference Include="..\..\Router\__Libraries\StellaOps.Messaging\StellaOps.Messaging.csproj" />
<ProjectReference Include="..\..\ReleaseOrchestrator\__Libraries\StellaOps.ReleaseOrchestrator.EvidenceThread\StellaOps.ReleaseOrchestrator.EvidenceThread.csproj" /> <ProjectReference Include="..\..\ReleaseOrchestrator\__Libraries\StellaOps.ReleaseOrchestrator.EvidenceThread\StellaOps.ReleaseOrchestrator.EvidenceThread.csproj" />
<ProjectReference Include="..\..\ReleaseOrchestrator\__Libraries\StellaOps.ReleaseOrchestrator.Environment\StellaOps.ReleaseOrchestrator.Environment.csproj" />
<ProjectReference Include="..\StellaOps.Platform.Analytics\StellaOps.Platform.Analytics.csproj" /> <ProjectReference Include="..\StellaOps.Platform.Analytics\StellaOps.Platform.Analytics.csproj" />
<ProjectReference Include="..\..\Scanner\__Libraries\StellaOps.Scanner.Reachability\StellaOps.Scanner.Reachability.csproj" /> <ProjectReference Include="..\..\Scanner\__Libraries\StellaOps.Scanner.Reachability\StellaOps.Scanner.Reachability.csproj" />
<ProjectReference Include="..\..\Signals\StellaOps.Signals\StellaOps.Signals.csproj" /> <ProjectReference Include="..\..\Signals\StellaOps.Signals\StellaOps.Signals.csproj" />

4
src/Platform/StellaOps.Platform.WebService/TASKS.md
View File

@@ -16,8 +16,8 @@ Source of truth: `docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229
| B22-04 | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: shipped `/api/v2/security/{findings,disposition/{findingId},sbom-explorer}` read contracts, `platform.security.read` policy mapping, and migration `050_SecurityDispositionProjection.sql` integration. | | B22-04 | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: shipped `/api/v2/security/{findings,disposition/{findingId},sbom-explorer}` read contracts, `platform.security.read` policy mapping, and migration `050_SecurityDispositionProjection.sql` integration. |
| B22-05 | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: shipped `/api/v2/integrations/{feeds,vex-sources}` contracts with deterministic source type/status/freshness/last-sync metadata and migration `051_IntegrationSourceHealth.sql`. | | B22-05 | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: shipped `/api/v2/integrations/{feeds,vex-sources}` contracts with deterministic source type/status/freshness/last-sync metadata and migration `051_IntegrationSourceHealth.sql`. |
| B22-06 | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: shipped `/api/v1/*` compatibility aliases for Pack 22 critical surfaces and deterministic deprecation telemetry for alias usage. | | B22-06 | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: shipped `/api/v1/*` compatibility aliases for Pack 22 critical surfaces and deterministic deprecation telemetry for alias usage. |
| SPRINT_20260323_001-TASK-004 | DONE | Sprint `docs/implplan/SPRINT_20260323_001_BE_release_api_proxy_and_endpoints.md`: added `/api/v1/release-orchestrator/environments/*` compatibility endpoints for environment, target, and freeze-window CRUD using deterministic in-memory Release Orchestrator services. | | SPRINT_20260323_001-TASK-004 | DONE | Sprint `docs-archived/implplan/2026-03-31-completed-sprints/SPRINT_20260323_001_BE_release_api_proxy_and_endpoints.md`: added `/api/v1/release-orchestrator/environments/*` compatibility endpoints for environment, target, and freeze-window CRUD using deterministic in-memory Release Orchestrator services. |
| SPRINT_20260331_002-TASK-003 | DONE | Sprint `docs/implplan/SPRINT_20260331_002_BE_host_infrastructure_and_inventory.md`: topology host projections now expose projection-derived `ProbeStatus`, `ProbeType`, and `ProbeLastHeartbeat` fields for Console host inventory views. | | SPRINT_20260331_002-TASK-003 | DONE | Sprint `docs-archived/implplan/2026-03-31-completed-sprints/SPRINT_20260331_002_BE_host_infrastructure_and_inventory.md`: topology host projections now expose projection-derived `ProbeStatus`, `ProbeType`, and `ProbeLastHeartbeat` fields for Console host inventory views. |
| U-002-PLATFORM-COMPAT | DOING | Sprint `docs/implplan/SPRINT_20260218_004_Platform_local_setup_usability_hardening.md`: unblock local console usability by fixing legacy compatibility endpoint auth failures for authenticated admin usage. | | U-002-PLATFORM-COMPAT | DOING | Sprint `docs/implplan/SPRINT_20260218_004_Platform_local_setup_usability_hardening.md`: unblock local console usability by fixing legacy compatibility endpoint auth failures for authenticated admin usage. |
| QA-PLATFORM-VERIFY-001 | DONE | run-002 verification completed; feature terminalized as `not_implemented` due missing advisory lock and LISTEN/NOTIFY implementation signals in `src/Platform` (materialized-view/rollup behaviors verified). | | QA-PLATFORM-VERIFY-001 | DONE | run-002 verification completed; feature terminalized as `not_implemented` due missing advisory lock and LISTEN/NOTIFY implementation signals in `src/Platform` (materialized-view/rollup behaviors verified). |
| QA-PLATFORM-VERIFY-002 | DONE | run-001 verification passed with maintenance, endpoint (503 + success), service caching, and schema integration evidence; feature moved to `docs/features/checked/platform/materialized-views-for-analytics.md`. | | QA-PLATFORM-VERIFY-002 | DONE | run-001 verification passed with maintenance, endpoint (503 + success), service caching, and schema integration evidence; feature moved to `docs/features/checked/platform/materialized-views-for-analytics.md`. |

174
src/Platform/__Tests/StellaOps.Platform.WebService.Tests/ReleaseOrchestratorEnvironmentEndpointsTests.cs Normal file
View File

@@ -0,0 +1,174 @@
using Microsoft.Extensions.DependencyInjection;
using StellaOps.Platform.WebService.Endpoints;
using StellaOps.ReleaseOrchestrator.Environment.FreezeWindow;
using StellaOps.ReleaseOrchestrator.Environment.Inventory;
using StellaOps.ReleaseOrchestrator.Environment.Models;
using StellaOps.ReleaseOrchestrator.Environment.Services;
using StellaOps.ReleaseOrchestrator.Environment.Target;
using StellaOps.TestKit;
using System.Net;
using System.Net.Http.Json;
using RoEnvironment = StellaOps.ReleaseOrchestrator.Environment.Models.Environment;
using RoFreezeWindow = StellaOps.ReleaseOrchestrator.Environment.Models.FreezeWindow;
using RoTarget = StellaOps.ReleaseOrchestrator.Environment.Models.Target;
namespace StellaOps.Platform.WebService.Tests;
public sealed class ReleaseOrchestratorEnvironmentEndpointsTests : IClassFixture<PlatformWebApplicationFactory>
{
private readonly PlatformWebApplicationFactory factory;
public ReleaseOrchestratorEnvironmentEndpointsTests(PlatformWebApplicationFactory factory)
{
this.factory = factory;
}
[Trait("Category", TestCategories.Integration)]
[Fact]
public async Task EnvironmentLifecycle_CreateTargetFreezeWindowAndDelete_Works()
{
using var client = CreateTenantClient("tenant-env-lifecycle");
var createEnvironmentResponse = await client.PostAsJsonAsync(
"/api/v1/release-orchestrator/environments",
new CreateEnvironmentRequest(
Name: "prod-eu",
DisplayName: "Production EU",
Description: "Primary production environment",
OrderIndex: 2,
IsProduction: true,
RequiredApprovals: 2,
RequireSeparationOfDuties: true,
AutoPromoteFrom: null,
DeploymentTimeoutSeconds: 900),
TestContext.Current.CancellationToken);
createEnvironmentResponse.EnsureSuccessStatusCode();
var environment = await createEnvironmentResponse.Content.ReadFromJsonAsync<RoEnvironment>(
TestContext.Current.CancellationToken);
Assert.NotNull(environment);
var list = await client.GetFromJsonAsync<List<RoEnvironment>>(
"/api/v1/release-orchestrator/environments",
TestContext.Current.CancellationToken);
Assert.NotNull(list);
Assert.Contains(list!, item => item.Id == environment!.Id);
var updateSettingsResponse = await client.PutAsJsonAsync(
$"/api/v1/release-orchestrator/environments/{environment!.Id:D}/settings",
new ReleaseOrchestratorEnvironmentEndpoints.UpdateEnvironmentSettingsRequest(
RequiredApprovals: 3,
RequireSeparationOfDuties: true,
DeploymentTimeoutSeconds: 1200),
TestContext.Current.CancellationToken);
updateSettingsResponse.EnsureSuccessStatusCode();
var updatedEnvironment = await updateSettingsResponse.Content.ReadFromJsonAsync<RoEnvironment>(
TestContext.Current.CancellationToken);
Assert.NotNull(updatedEnvironment);
Assert.Equal(3, updatedEnvironment!.RequiredApprovals);
Assert.Equal(1200, updatedEnvironment.DeploymentTimeoutSeconds);
var createTargetResponse = await client.PostAsJsonAsync(
$"/api/v1/release-orchestrator/environments/{environment.Id:D}/targets",
new ReleaseOrchestratorEnvironmentEndpoints.CreateTargetRequest(
Name: "prod-eu-ssh-01",
DisplayName: "Prod EU SSH 01",
Type: TargetType.SshHost,
ConnectionConfig: new SshHostConfig
{
Host = "ssh.prod-eu.internal",
Username = "deploy",
PrivateKeySecretRef = "secret://ssh/prod-eu",
KnownHostsPolicy = KnownHostsPolicy.Prompt,
}),
TestContext.Current.CancellationToken);
createTargetResponse.EnsureSuccessStatusCode();
var target = await createTargetResponse.Content.ReadFromJsonAsync<RoTarget>(
TestContext.Current.CancellationToken);
Assert.NotNull(target);
Assert.Equal(TargetType.SshHost, target!.Type);
var healthCheckResponse = await client.PostAsync(
$"/api/v1/release-orchestrator/environments/{environment.Id:D}/targets/{target.Id:D}/health-check",
content: null,
TestContext.Current.CancellationToken);
healthCheckResponse.EnsureSuccessStatusCode();
var healthCheck = await healthCheckResponse.Content.ReadFromJsonAsync<ConnectionTestResult>(
TestContext.Current.CancellationToken);
Assert.NotNull(healthCheck);
Assert.True(healthCheck!.Success);
var targets = await client.GetFromJsonAsync<List<RoTarget>>(
$"/api/v1/release-orchestrator/environments/{environment.Id:D}/targets",
TestContext.Current.CancellationToken);
Assert.NotNull(targets);
Assert.Contains(targets!, item => item.Id == target.Id);
var createFreezeWindowResponse = await client.PostAsJsonAsync(
$"/api/v1/release-orchestrator/environments/{environment.Id:D}/freeze-windows",
new ReleaseOrchestratorEnvironmentEndpoints.CreateFreezeWindowBody(
Name: "Weekend Freeze",
StartAt: new DateTimeOffset(2026, 4, 4, 0, 0, 0, TimeSpan.Zero),
EndAt: new DateTimeOffset(2026, 4, 6, 0, 0, 0, TimeSpan.Zero),
Reason: "Weekend release freeze"),
TestContext.Current.CancellationToken);
createFreezeWindowResponse.EnsureSuccessStatusCode();
var freezeWindow = await createFreezeWindowResponse.Content.ReadFromJsonAsync<RoFreezeWindow>(
TestContext.Current.CancellationToken);
Assert.NotNull(freezeWindow);
var freezeWindows = await client.GetFromJsonAsync<List<RoFreezeWindow>>(
$"/api/v1/release-orchestrator/environments/{environment.Id:D}/freeze-windows",
TestContext.Current.CancellationToken);
Assert.NotNull(freezeWindows);
Assert.Contains(freezeWindows!, item => item.Id == freezeWindow!.Id);
var updateFreezeWindowResponse = await client.PutAsJsonAsync(
$"/api/v1/release-orchestrator/environments/{environment.Id:D}/freeze-windows/{freezeWindow!.Id:D}",
new UpdateFreezeWindowRequest(
Name: "Weekend Freeze Updated",
Reason: "Extended validation window"),
TestContext.Current.CancellationToken);
updateFreezeWindowResponse.EnsureSuccessStatusCode();
var updatedFreezeWindow = await updateFreezeWindowResponse.Content.ReadFromJsonAsync<RoFreezeWindow>(
TestContext.Current.CancellationToken);
Assert.NotNull(updatedFreezeWindow);
Assert.Equal("Weekend Freeze Updated", updatedFreezeWindow!.Name);
var deleteFreezeWindowResponse = await client.DeleteAsync(
$"/api/v1/release-orchestrator/environments/{environment.Id:D}/freeze-windows/{freezeWindow.Id:D}",
TestContext.Current.CancellationToken);
Assert.Equal(HttpStatusCode.NoContent, deleteFreezeWindowResponse.StatusCode);
var deleteTargetResponse = await client.DeleteAsync(
$"/api/v1/release-orchestrator/environments/{environment.Id:D}/targets/{target.Id:D}",
TestContext.Current.CancellationToken);
Assert.Equal(HttpStatusCode.NoContent, deleteTargetResponse.StatusCode);
var deleteEnvironmentResponse = await client.DeleteAsync(
$"/api/v1/release-orchestrator/environments/{environment.Id:D}",
TestContext.Current.CancellationToken);
Assert.Equal(HttpStatusCode.NoContent, deleteEnvironmentResponse.StatusCode);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void CompatibilityServices_RegisterAgentInventoryCollector()
{
var collector = factory.Services.GetRequiredService<IInventoryCollector>();
Assert.IsType<AgentInventoryCollector>(collector);
}
private HttpClient CreateTenantClient(string tenantId)
{
var client = factory.CreateClient();
client.DefaultRequestHeaders.Add("X-StellaOps-Tenant", tenantId);
client.DefaultRequestHeaders.Add("X-StellaOps-Actor", "platform-compat-test");
return client;
}
}

2
src/Platform/__Tests/StellaOps.Platform.WebService.Tests/TASKS.md
View File

@@ -14,6 +14,8 @@ Source of truth: `docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229
| B22-04-T | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: added `SecurityReadModelEndpointsTests` + `SecurityDispositionMigrationScriptTests` for `/api/v2/security/{findings,disposition,sbom-explorer}` deterministic behavior, policy metadata, write-boundary checks, and migration `050` coverage. | | B22-04-T | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: added `SecurityReadModelEndpointsTests` + `SecurityDispositionMigrationScriptTests` for `/api/v2/security/{findings,disposition,sbom-explorer}` deterministic behavior, policy metadata, write-boundary checks, and migration `050` coverage. |
| B22-05-T | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: added `IntegrationsReadModelEndpointsTests` + `IntegrationSourceHealthMigrationScriptTests` for `/api/v2/integrations/{feeds,vex-sources}` deterministic behavior, policy metadata, consumer compatibility, and migration `051` coverage. | | B22-05-T | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: added `IntegrationsReadModelEndpointsTests` + `IntegrationSourceHealthMigrationScriptTests` for `/api/v2/integrations/{feeds,vex-sources}` deterministic behavior, policy metadata, consumer compatibility, and migration `051` coverage. |
| B22-06-T | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: added compatibility+telemetry contract tests covering both `/api/v1/*` aliases and `/api/v2/*` canonical routes for critical Pack 22 surfaces. | | B22-06-T | DONE | Sprint `docs/implplan/SPRINT_20260220_018_Platform_pack22_backend_contracts_and_migrations.md`: added compatibility+telemetry contract tests covering both `/api/v1/*` aliases and `/api/v2/*` canonical routes for critical Pack 22 surfaces. |
| SPRINT_20260323_001-TASK-004-T | DONE | Sprint `docs-archived/implplan/2026-03-31-completed-sprints/SPRINT_20260323_001_BE_release_api_proxy_and_endpoints.md`: added `ReleaseOrchestratorEnvironmentEndpointsTests` for environment, target, freeze-window, and compatibility DI wiring. |
| SPRINT_20260331_002-TASK-003-T | DONE | Sprint `docs-archived/implplan/2026-03-31-completed-sprints/SPRINT_20260331_002_BE_host_infrastructure_and_inventory.md`: extended `TopologyReadModelEndpointsTests` to verify host probe status/type/heartbeat projection fields. |
| AUDIT-0762-M | DONE | Revalidated 2026-01-07 (test project). | | AUDIT-0762-M | DONE | Revalidated 2026-01-07 (test project). |
| AUDIT-0762-T | DONE | Revalidated 2026-01-07. | | AUDIT-0762-T | DONE | Revalidated 2026-01-07. |
| AUDIT-0762-A | DONE | Waived (test project; revalidated 2026-01-07). | | AUDIT-0762-A | DONE | Waived (test project; revalidated 2026-01-07). |

215
src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Environment/Inventory/AgentInventoryCollector.cs Normal file
View File

@@ -0,0 +1,215 @@
// SPDX-License-Identifier: BUSL-1.1
// Copyright (c) 2025 StellaOps
// Sprint: SPRINT_20260331_002_BE_host_infrastructure_and_inventory
using Microsoft.Extensions.Logging;
using StellaOps.ReleaseOrchestrator.Environment.Models;
using System.Collections.Immutable;
using System.Text.Json;
namespace StellaOps.ReleaseOrchestrator.Environment.Inventory;
/// <summary>
/// Result of a remote command execution on a target host.
/// </summary>
public sealed record RemoteCommandResult(
bool Success,
string? Output,
string? Error,
TimeSpan Duration);
/// <summary>
/// Abstraction for executing commands on remote hosts via their assigned agents.
/// Implemented by the Deployment layer which has access to agent dispatch infrastructure.
/// </summary>
public interface IRemoteCommandExecutor
{
/// <summary>
/// Executes a shell command on the agent assigned to the target.
/// </summary>
Task<RemoteCommandResult> ExecuteAsync(
Models.Target target,
string command,
TimeSpan timeout,
CancellationToken ct = default);
}
/// <summary>
/// Default executor used when no agent dispatch integration is available.
/// </summary>
public sealed class NoOpRemoteCommandExecutor : IRemoteCommandExecutor
{
/// <inheritdoc />
public Task<RemoteCommandResult> ExecuteAsync(
Models.Target target,
string command,
TimeSpan timeout,
CancellationToken ct = default)
{
return Task.FromResult(new RemoteCommandResult(
Success: false,
Output: null,
Error: $"No remote command executor is configured for target '{target.Name}'.",
Duration: TimeSpan.Zero));
}
}
/// <summary>
/// Collects container inventory from deployment targets by dispatching
/// <c>docker ps --format json --no-trunc</c> via the target's assigned agent.
/// </summary>
public sealed class AgentInventoryCollector : IInventoryCollector
{
private readonly IRemoteCommandExecutor _executor;
private readonly TimeProvider _timeProvider;
private readonly ILogger<AgentInventoryCollector> _logger;
private static readonly TimeSpan CollectionTimeout = TimeSpan.FromSeconds(30);
private const string DockerPsCommand = "docker ps --format '{{json .}}' --no-trunc";
public AgentInventoryCollector(
IRemoteCommandExecutor executor,
TimeProvider timeProvider,
ILogger<AgentInventoryCollector> logger)
{
_executor = executor ?? throw new ArgumentNullException(nameof(executor));
_timeProvider = timeProvider ?? TimeProvider.System;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <inheritdoc />
public async Task<InventorySnapshot> CollectAsync(Models.Target target, CancellationToken ct = default)
{
ArgumentNullException.ThrowIfNull(target);
if (target.AgentId is null)
{
_logger.LogWarning(
"Target {TargetName} has no assigned agent — cannot collect inventory",
target.Name);
return ErrorSnapshot(target.Id, "No agent assigned to target");
}
try
{
var result = await _executor.ExecuteAsync(target, DockerPsCommand, CollectionTimeout, ct);
if (!result.Success || string.IsNullOrWhiteSpace(result.Output))
{
return ErrorSnapshot(target.Id, result.Error ?? "Command returned no data");
}
return ParseDockerPsOutput(target.Id, result.Output);
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to collect inventory from target {TargetName} ({TargetType})",
target.Name, target.Type);
return ErrorSnapshot(target.Id, ex.Message);
}
}
/// <summary>
/// Parses NDJSON output from <c>docker ps --format json</c> into an InventorySnapshot.
/// Each line is a JSON object with fields: ID, Names, Image, Status, Ports, Labels, CreatedAt.
/// </summary>
internal InventorySnapshot ParseDockerPsOutput(Guid targetId, string output)
{
var containers = new List<ContainerInfo>();
var lines = output.Split('\n', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
foreach (var line in lines)
{
if (string.IsNullOrWhiteSpace(line) || !line.StartsWith('{'))
continue;
try
{
using var doc = JsonDocument.Parse(line);
var root = doc.RootElement;
var id = root.TryGetProperty("ID", out var idProp) ? idProp.GetString() ?? "" : "";
var names = root.TryGetProperty("Names", out var namesProp) ? namesProp.GetString() ?? "" : "";
var image = root.TryGetProperty("Image", out var imageProp) ? imageProp.GetString() ?? "" : "";
var status = root.TryGetProperty("Status", out var statusProp) ? statusProp.GetString() ?? "" : "";
var createdAt = root.TryGetProperty("CreatedAt", out var createdProp) ? createdProp.GetString() ?? "" : "";
var labels = ImmutableDictionary<string, string>.Empty;
if (root.TryGetProperty("Labels", out var labelsProp) && labelsProp.ValueKind == JsonValueKind.String)
{
var labelsStr = labelsProp.GetString() ?? "";
var builder = ImmutableDictionary.CreateBuilder<string, string>();
foreach (var pair in labelsStr.Split(',', StringSplitOptions.RemoveEmptyEntries))
{
var kv = pair.Split('=', 2);
if (kv.Length == 2)
builder[kv[0].Trim()] = kv[1].Trim();
}
labels = builder.ToImmutable();
}
var ports = ImmutableArray<PortMapping>.Empty;
if (root.TryGetProperty("Ports", out var portsProp) && portsProp.ValueKind == JsonValueKind.String)
{
var portsStr = portsProp.GetString() ?? "";
var portsBuilder = ImmutableArray.CreateBuilder<PortMapping>();
foreach (var portSpec in portsStr.Split(',', StringSplitOptions.RemoveEmptyEntries))
{
var trimmed = portSpec.Trim();
if (trimmed.Contains("->"))
{
var parts = trimmed.Split("->");
var pubPart = parts[0].Split(':');
var privPart = parts[1].Split('/');
if (int.TryParse(privPart[0], out var priv))
{
int? pub = pubPart.Length > 1 && int.TryParse(pubPart[^1], out var p) ? p : null;
portsBuilder.Add(new PortMapping(priv, pub, privPart.Length > 1 ? privPart[1] : "tcp"));
}
}
}
ports = portsBuilder.ToImmutable();
}
DateTimeOffset? parsedCreated = DateTimeOffset.TryParse(createdAt, out var dt) ? dt : null;
containers.Add(new ContainerInfo(
Id: id,
Name: names.TrimStart('/'),
Image: image,
ImageDigest: "",
Status: status,
Labels: labels,
Ports: ports,
CreatedAt: parsedCreated ?? _timeProvider.GetUtcNow(),
StartedAt: status.StartsWith("Up", StringComparison.OrdinalIgnoreCase) ? parsedCreated : null));
}
catch (JsonException ex)
{
_logger.LogWarning(ex, "Failed to parse docker ps line: {Line}", line);
}
}
return new InventorySnapshot
{
Id = Guid.NewGuid(),
TargetId = targetId,
CollectedAt = _timeProvider.GetUtcNow(),
Containers = containers.ToImmutableArray(),
Networks = [],
Volumes = [],
};
}
private InventorySnapshot ErrorSnapshot(Guid targetId, string error) => new()
{
Id = Guid.NewGuid(),
TargetId = targetId,
CollectedAt = _timeProvider.GetUtcNow(),
Containers = [],
Networks = [],
Volumes = [],
CollectionError = error,
};
}

12
src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Environment/Models/Target.cs
View File

@@ -104,7 +104,17 @@ public enum TargetType
/// <summary> /// <summary>
/// HashiCorp Nomad job. /// HashiCorp Nomad job.
/// </summary> /// </summary>
NomadJob = 3 NomadJob = 3,
/// <summary>
/// SSH-managed host (bare-metal or VM).
/// </summary>
SshHost = 4,
/// <summary>
/// WinRM-managed Windows host.
/// </summary>
WinRmHost = 5
} }
/// <summary> /// <summary>

119
src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Environment/Models/TargetConnectionConfig.cs
View File

@@ -10,6 +10,8 @@ namespace StellaOps.ReleaseOrchestrator.Environment.Models;
[JsonDerivedType(typeof(ComposeHostConfig), "compose_host")] [JsonDerivedType(typeof(ComposeHostConfig), "compose_host")]
[JsonDerivedType(typeof(EcsServiceConfig), "ecs_service")] [JsonDerivedType(typeof(EcsServiceConfig), "ecs_service")]
[JsonDerivedType(typeof(NomadJobConfig), "nomad_job")] [JsonDerivedType(typeof(NomadJobConfig), "nomad_job")]
[JsonDerivedType(typeof(SshHostConfig), "ssh_host")]
[JsonDerivedType(typeof(WinRmHostConfig), "winrm_host")]
public abstract record TargetConnectionConfig public abstract record TargetConnectionConfig
{ {
/// <summary> /// <summary>
@@ -178,3 +180,120 @@ public sealed record NomadJobConfig : TargetConnectionConfig
/// </summary> /// </summary>
public bool UseTls { get; init; } = true; public bool UseTls { get; init; } = true;
} }
/// <summary>
/// Configuration for SSH host connection.
/// Used for bare-metal and VM targets managed via SSH.
/// </summary>
public sealed record SshHostConfig : TargetConnectionConfig
{
/// <inheritdoc />
public override TargetType TargetType => TargetType.SshHost;
/// <summary>
/// SSH host address (hostname or IP).
/// </summary>
public required string Host { get; init; }
/// <summary>
/// SSH port.
/// </summary>
public int Port { get; init; } = 22;
/// <summary>
/// SSH username.
/// </summary>
public required string Username { get; init; }
/// <summary>
/// Secret reference for private key.
/// </summary>
public string? PrivateKeySecretRef { get; init; }
/// <summary>
/// Secret reference for password (fallback if no key).
/// </summary>
public string? PasswordSecretRef { get; init; }
/// <summary>
/// Known hosts verification policy.
/// </summary>
public KnownHostsPolicy KnownHostsPolicy { get; init; } = KnownHostsPolicy.Accept;
}
/// <summary>
/// Configuration for WinRM host connection.
/// Used for Windows targets managed via WS-Management.
/// </summary>
public sealed record WinRmHostConfig : TargetConnectionConfig
{
/// <inheritdoc />
public override TargetType TargetType => TargetType.WinRmHost;
/// <summary>
/// WinRM host address (hostname or IP).
/// </summary>
public required string Host { get; init; }
/// <summary>
/// WinRM port.
/// </summary>
public int Port { get; init; } = 5985;
/// <summary>
/// Transport protocol.
/// </summary>
public WinRmTransport Transport { get; init; } = WinRmTransport.Http;
/// <summary>
/// Windows username.
/// </summary>
public required string Username { get; init; }
/// <summary>
/// Secret reference for password.
/// </summary>
public string? PasswordSecretRef { get; init; }
/// <summary>
/// Active Directory domain (if domain-joined).
/// </summary>
public string? Domain { get; init; }
}
/// <summary>
/// SSH known hosts verification policy.
/// </summary>
public enum KnownHostsPolicy
{
/// <summary>
/// Accept all host keys (least secure, simplest setup).
/// </summary>
Accept = 0,
/// <summary>
/// Strict verification against known_hosts file.
/// </summary>
Strict = 1,
/// <summary>
/// Prompt before trusting a new host key.
/// </summary>
Prompt = 2
}
/// <summary>
/// WinRM transport protocol.
/// </summary>
public enum WinRmTransport
{
/// <summary>
/// Plain HTTP (port 5985).
/// </summary>
Http = 0,
/// <summary>
/// HTTPS with TLS (port 5986).
/// </summary>
Https = 1
}

43
src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Environment/Target/TargetRegistry.cs
View File

@@ -89,6 +89,27 @@ public sealed partial class TargetRegistry : ITargetRegistry
var existing = await _store.GetAsync(id, ct) var existing = await _store.GetAsync(id, ct)
?? throw new TargetNotFoundException(id); ?? throw new TargetNotFoundException(id);
var errors = new List<string>();
if (request.DisplayName is not null && string.IsNullOrWhiteSpace(request.DisplayName))
{
errors.Add("Display name is required");
}
if (request.ConnectionConfig is not null)
{
if (request.ConnectionConfig.TargetType != existing.Type)
{
errors.Add($"Connection config type {request.ConnectionConfig.TargetType} does not match target type {existing.Type}");
}
ValidateConnectionConfig(request.ConnectionConfig, errors);
}
if (errors.Count > 0)
{
throw new ValidationException(errors);
}
var now = _timeProvider.GetUtcNow(); var now = _timeProvider.GetUtcNow();
var updated = existing with var updated = existing with
{ {
@@ -332,6 +353,28 @@ public sealed partial class TargetRegistry : ITargetRegistry
if (string.IsNullOrWhiteSpace(nomad.JobId)) if (string.IsNullOrWhiteSpace(nomad.JobId))
errors.Add("Nomad job ID is required"); errors.Add("Nomad job ID is required");
break; break;
case SshHostConfig ssh:
if (string.IsNullOrWhiteSpace(ssh.Host))
errors.Add("SSH host address is required");
if (ssh.Port < 1 || ssh.Port > 65535)
errors.Add("SSH port must be between 1 and 65535");
if (string.IsNullOrWhiteSpace(ssh.Username))
errors.Add("SSH username is required");
if (string.IsNullOrWhiteSpace(ssh.PrivateKeySecretRef) && string.IsNullOrWhiteSpace(ssh.PasswordSecretRef))
errors.Add("SSH requires either a private key or password secret reference");
break;
case WinRmHostConfig winrm:
if (string.IsNullOrWhiteSpace(winrm.Host))
errors.Add("WinRM host address is required");
if (winrm.Port < 1 || winrm.Port > 65535)
errors.Add("WinRM port must be between 1 and 65535");
if (string.IsNullOrWhiteSpace(winrm.Username))
errors.Add("WinRM username is required");
if (string.IsNullOrWhiteSpace(winrm.PasswordSecretRef))
errors.Add("WinRM password secret reference is required");
break;
} }
} }

114
src/ReleaseOrchestrator/__Tests/StellaOps.ReleaseOrchestrator.Environment.Tests/Inventory/AgentInventoryCollectorTests.cs Normal file
View File

@@ -0,0 +1,114 @@
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Time.Testing;
using Moq;
using StellaOps.ReleaseOrchestrator.Environment.Inventory;
using StellaOps.ReleaseOrchestrator.Environment.Models;
using Xunit;
using ModelTarget = StellaOps.ReleaseOrchestrator.Environment.Models.Target;
namespace StellaOps.ReleaseOrchestrator.Environment.Tests.Inventory;
[Trait("Category", "Unit")]
public sealed class AgentInventoryCollectorTests
{
private readonly FakeTimeProvider timeProvider = new(new DateTimeOffset(2026, 3, 31, 9, 0, 0, TimeSpan.Zero));
[Fact]
public async Task CollectAsync_WithoutAssignedAgent_ReturnsErrorSnapshot()
{
var collector = new AgentInventoryCollector(
new FakeRemoteCommandExecutor(new RemoteCommandResult(true, string.Empty, null, TimeSpan.Zero)),
timeProvider,
Mock.Of<ILogger<AgentInventoryCollector>>());
var snapshot = await collector.CollectAsync(CreateTarget(agentId: null), TestContext.Current.CancellationToken);
snapshot.IsSuccessful.Should().BeFalse();
snapshot.CollectionError.Should().Contain("No agent assigned");
snapshot.TargetId.Should().NotBeEmpty();
}
[Fact]
public async Task CollectAsync_ParsesDockerPsJsonOutput()
{
var output = string.Join('\n', new[]
{
"{\"ID\":\"container-001\",\"Names\":\"/api\",\"Image\":\"stella/api:1.2.3\",\"Status\":\"Up 3 hours\",\"Ports\":\"0.0.0.0:8080->80/tcp, 8443->443/tcp\",\"Labels\":\"app=api,env=prod\",\"CreatedAt\":\"2026-03-31T05:00:00Z\"}",
"{\"ID\":\"container-002\",\"Names\":\"/worker\",\"Image\":\"stella/worker:1.2.3\",\"Status\":\"Exited (0) 10 minutes ago\",\"Ports\":\"\",\"Labels\":\"app=worker\",\"CreatedAt\":\"2026-03-31T04:30:00Z\"}",
});
var collector = new AgentInventoryCollector(
new FakeRemoteCommandExecutor(new RemoteCommandResult(true, output, null, TimeSpan.FromSeconds(2))),
timeProvider,
Mock.Of<ILogger<AgentInventoryCollector>>());
var snapshot = await collector.CollectAsync(CreateTarget(agentId: Guid.Parse("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")), TestContext.Current.CancellationToken);
snapshot.IsSuccessful.Should().BeTrue();
snapshot.Containers.Should().HaveCount(2);
snapshot.Containers[0].Name.Should().Be("api");
snapshot.Containers[0].Labels["app"].Should().Be("api");
snapshot.Containers[0].Ports.Should().ContainSingle(port => port.PrivatePort == 80 && port.PublicPort == 8080);
snapshot.Containers[0].StartedAt.Should().Be(DateTimeOffset.Parse("2026-03-31T05:00:00Z"));
snapshot.Containers[1].Name.Should().Be("worker");
snapshot.Containers[1].StartedAt.Should().BeNull();
}
[Fact]
public async Task CollectAsync_CommandFailure_ReturnsErrorSnapshot()
{
var collector = new AgentInventoryCollector(
new FakeRemoteCommandExecutor(new RemoteCommandResult(false, null, "agent offline", TimeSpan.FromSeconds(1))),
timeProvider,
Mock.Of<ILogger<AgentInventoryCollector>>());
var snapshot = await collector.CollectAsync(CreateTarget(agentId: Guid.Parse("bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb")), TestContext.Current.CancellationToken);
snapshot.IsSuccessful.Should().BeFalse();
snapshot.CollectionError.Should().Be("agent offline");
snapshot.CollectedAt.Should().Be(timeProvider.GetUtcNow());
}
private ModelTarget CreateTarget(Guid? agentId)
{
return new ModelTarget
{
Id = Guid.Parse("11111111-1111-1111-1111-111111111111"),
TenantId = Guid.Parse("22222222-2222-2222-2222-222222222222"),
EnvironmentId = Guid.Parse("33333333-3333-3333-3333-333333333333"),
Name = "ssh-prod-01",
DisplayName = "SSH Prod 01",
Type = TargetType.SshHost,
ConnectionConfig = new SshHostConfig
{
Host = "ssh.example.internal",
Username = "deploy",
PrivateKeySecretRef = "secret://ssh/deploy",
},
AgentId = agentId,
HealthStatus = HealthStatus.Unknown,
CreatedAt = timeProvider.GetUtcNow(),
UpdatedAt = timeProvider.GetUtcNow(),
};
}
private sealed class FakeRemoteCommandExecutor : IRemoteCommandExecutor
{
private readonly RemoteCommandResult result;
public FakeRemoteCommandExecutor(RemoteCommandResult result)
{
this.result = result;
}
public Task<RemoteCommandResult> ExecuteAsync(
ModelTarget target,
string command,
TimeSpan timeout,
CancellationToken ct = default)
{
return Task.FromResult(result);
}
}
}

54
src/ReleaseOrchestrator/__Tests/StellaOps.ReleaseOrchestrator.Environment.Tests/Models/TargetConnectionConfigSerializationTests.cs Normal file
View File

@@ -0,0 +1,54 @@
using FluentAssertions;
using StellaOps.ReleaseOrchestrator.Environment.Models;
using System.Text.Json;
using Xunit;
namespace StellaOps.ReleaseOrchestrator.Environment.Tests.Serialization;
[Trait("Category", "Unit")]
public sealed class TargetConnectionConfigSerializationTests
{
[Fact]
public void SshHostConfig_RoundTripsWithPromptKnownHostsPolicy()
{
TargetConnectionConfig config = new SshHostConfig
{
Host = "ssh.example.internal",
Username = "deploy",
PrivateKeySecretRef = "secret://ssh/deploy",
KnownHostsPolicy = KnownHostsPolicy.Prompt,
};
var json = JsonSerializer.Serialize(config);
var roundTrip = JsonSerializer.Deserialize<TargetConnectionConfig>(json);
json.Should().Contain("\"type\":\"ssh_host\"");
roundTrip.Should().BeOfType<SshHostConfig>();
roundTrip.As<SshHostConfig>().Host.Should().Be("ssh.example.internal");
roundTrip.As<SshHostConfig>().Username.Should().Be("deploy");
roundTrip.As<SshHostConfig>().KnownHostsPolicy.Should().Be(KnownHostsPolicy.Prompt);
}
[Fact]
public void WinRmHostConfig_RoundTripsWithHttpsTransport()
{
TargetConnectionConfig config = new WinRmHostConfig
{
Host = "winrm.example.internal",
Port = 5986,
Transport = WinRmTransport.Https,
Username = "ops-admin",
PasswordSecretRef = "secret://winrm/password",
Domain = "CORP",
};
var json = JsonSerializer.Serialize(config);
var roundTrip = JsonSerializer.Deserialize<TargetConnectionConfig>(json);
json.Should().Contain("\"type\":\"winrm_host\"");
roundTrip.Should().BeOfType<WinRmHostConfig>();
roundTrip.As<WinRmHostConfig>().Host.Should().Be("winrm.example.internal");
roundTrip.As<WinRmHostConfig>().Transport.Should().Be(WinRmTransport.Https);
roundTrip.As<WinRmHostConfig>().Domain.Should().Be("CORP");
}
}

57
src/ReleaseOrchestrator/__Tests/StellaOps.ReleaseOrchestrator.Environment.Tests/Target/TargetRegistryTests.cs
View File

@@ -125,6 +125,30 @@ public sealed class TargetRegistryTests
result.ConnectionConfig.Should().BeOfType<EcsServiceConfig>(); result.ConnectionConfig.Should().BeOfType<EcsServiceConfig>();
} }
[Fact]
public async Task Register_ValidSshTarget_Succeeds()
{
var ct = TestContext.Current.CancellationToken;
var request = new RegisterTargetRequest(
EnvironmentId: _environmentId,
Name: "ssh-host-1",
DisplayName: "SSH Host 1",
Type: TargetType.SshHost,
ConnectionConfig: new SshHostConfig
{
Host = "ssh.example.internal",
Username = "deploy",
PrivateKeySecretRef = "secret://ssh/deploy",
KnownHostsPolicy = KnownHostsPolicy.Prompt,
});
var result = await _registry.RegisterAsync(request, ct);
result.Type.Should().Be(TargetType.SshHost);
result.ConnectionConfig.Should().BeOfType<SshHostConfig>();
result.ConnectionConfig.As<SshHostConfig>().KnownHostsPolicy.Should().Be(KnownHostsPolicy.Prompt);
}
[Fact] [Fact]
public async Task Register_DuplicateName_Fails() public async Task Register_DuplicateName_Fails()
{ {
@@ -261,6 +285,39 @@ public sealed class TargetRegistryTests
await act.Should().ThrowAsync<TargetNotFoundException>(); await act.Should().ThrowAsync<TargetNotFoundException>();
} }
[Fact]
public async Task Update_WithInvalidConnectionConfig_Fails()
{
var ct = TestContext.Current.CancellationToken;
var created = await _registry.RegisterAsync(
new RegisterTargetRequest(
_environmentId,
"ssh-host-2",
"SSH Host 2",
TargetType.SshHost,
new SshHostConfig
{
Host = "ssh-2.example.internal",
Username = "deploy",
PrivateKeySecretRef = "secret://ssh/deploy",
}),
ct);
var act = () => _registry.UpdateAsync(
created.Id,
new UpdateTargetRequest(
ConnectionConfig: new WinRmHostConfig
{
Host = "winrm.example.internal",
Username = "ops",
PasswordSecretRef = "secret://winrm/password",
}),
ct);
await act.Should().ThrowAsync<ValidationException>()
.WithMessage("*does not match target type*");
}
[Fact] [Fact]
public async Task Unregister_WithoutActiveDeployments_Succeeds() public async Task Unregister_WithoutActiveDeployments_Succeeds()
{ {

10
src/Scanner/StellaOps.Scanner.WebService/Endpoints/RegistryEndpoints.cs
View File

@@ -7,6 +7,8 @@
using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing; using Microsoft.AspNetCore.Routing;
using StellaOps.Scanner.WebService.Security; using StellaOps.Scanner.WebService.Security;
using System.Security.Cryptography;
using System.Text;
namespace StellaOps.Scanner.WebService.Endpoints; namespace StellaOps.Scanner.WebService.Endpoints;
@@ -90,7 +92,7 @@ internal static class RegistryEndpoints
new RegistryDigestEntry new RegistryDigestEntry
{ {
Tag = "latest", Tag = "latest",
Digest = $"sha256:{Guid.NewGuid():N}", Digest = CreateDeterministicDigest(repository),
PushedAt = "2026-03-20T10:00:00Z" PushedAt = "2026-03-20T10:00:00Z"
} }
} }
@@ -256,4 +258,10 @@ internal static class RegistryEndpoints
LastPushed = "2026-03-20T15:00:00Z" LastPushed = "2026-03-20T15:00:00Z"
}, },
}; };
private static string CreateDeterministicDigest(string repository)
{
var hash = SHA256.HashData(Encoding.UTF8.GetBytes(repository.Trim().ToLowerInvariant()));
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
} }

90
src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/RegistryEndpointsTests.cs Normal file
View File

@@ -0,0 +1,90 @@
using System.Net;
using System.Net.Http.Json;
using StellaOps.TestKit;
namespace StellaOps.Scanner.WebService.Tests;
public sealed class RegistryEndpointsTests
{
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task RegistrySearchAndDigestEndpoints_ReturnExpectedResults()
{
await using var factory = ScannerApplicationFactory.CreateLightweight();
await factory.InitializeAsync();
using var client = factory.CreateClient();
var searchResponse = await client.GetAsync(
"/api/v1/registries/images/search?q=nginx",
TestContext.Current.CancellationToken);
Assert.Equal(HttpStatusCode.OK, searchResponse.StatusCode);
var searchPayload = await searchResponse.Content.ReadFromJsonAsync<RegistrySearchResponse>(
cancellationToken: TestContext.Current.CancellationToken);
Assert.NotNull(searchPayload);
Assert.Contains(searchPayload!.Items, item => item.Repository == "library/nginx");
var digestResponse = await client.GetAsync(
"/api/v1/registries/images/digests?repository=library/nginx",
TestContext.Current.CancellationToken);
Assert.Equal(HttpStatusCode.OK, digestResponse.StatusCode);
var digestPayload = await digestResponse.Content.ReadFromJsonAsync<RegistryDigestResponse>(
cancellationToken: TestContext.Current.CancellationToken);
Assert.NotNull(digestPayload);
Assert.Equal("library/nginx", digestPayload!.Repository);
Assert.NotEmpty(digestPayload.Digests);
Assert.All(digestPayload.Digests, item => Assert.StartsWith("sha256:", item.Digest, StringComparison.Ordinal));
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task UnknownRepositoryDigest_IsDeterministicAcrossRequests()
{
await using var factory = ScannerApplicationFactory.CreateLightweight();
await factory.InitializeAsync();
using var client = factory.CreateClient();
var first = await client.GetFromJsonAsync<RegistryDigestResponse>(
"/api/v1/registries/images/digests?repository=example/custom-service",
TestContext.Current.CancellationToken);
var second = await client.GetFromJsonAsync<RegistryDigestResponse>(
"/api/v1/registries/images/digests?repository=example/custom-service",
TestContext.Current.CancellationToken);
Assert.NotNull(first);
Assert.NotNull(second);
Assert.Equal(first!.Digests[0].Digest, second!.Digests[0].Digest);
}
public sealed class RegistrySearchResponse
{
public RegistryImageDto[] Items { get; set; } = [];
public int TotalCount { get; set; }
public string? RegistryId { get; set; }
}
public sealed class RegistryDigestResponse
{
public string Name { get; set; } = string.Empty;
public string Repository { get; set; } = string.Empty;
public string[] Tags { get; set; } = [];
public RegistryDigestEntry[] Digests { get; set; } = [];
}
public sealed class RegistryImageDto
{
public string Name { get; set; } = string.Empty;
public string Repository { get; set; } = string.Empty;
public string[] Tags { get; set; } = [];
public RegistryDigestEntry[] Digests { get; set; } = [];
public string LastPushed { get; set; } = string.Empty;
}
public sealed class RegistryDigestEntry
{
public string Tag { get; set; } = string.Empty;
public string Digest { get; set; } = string.Empty;
public string PushedAt { get; set; } = string.Empty;
}
}