Commit Graph

1306 Commits

master
462565fdab feat(policy,signer): postgres stores + verdict rekor wiring
Sprint SPRINT_20260415_006_DOCS_policy_findings_signer_real_backend_cutover
(findings portion landed in commit e60d5e0fc).

- Policy.Engine: Postgres stores for airgap state, attestation reports,
  verification policy, console export, policy pack repo, risk scoring job,
  violation events; messaging-backed evaluation + reachability facts cache;
  governance / violation / simulation endpoints; UnsupportedVerdictRekorClient.
- Policy.Persistence: migrations 010 (policy pack runtime state),
  011 (violation fusion results), 012 (runtime canonical state).
- Policy.Gateway: governance + simulation endpoints + rekor/token-cache
  runtime wiring tests.
- Policy.Registry: in-memory store scaffolding + testing harness.
- Signer: Postgres ceremony repo + audit sink, structured logging sink,
  stateless quota service, configured POE introspector, runtime proof /
  wiring / key rotation / observability / negative / contract tests.
- Signer.KeyManagement: migrations 002 ceremony runtime state,
  003 trust anchor runtime state, 004 key audit log shape fix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:37:43 +03:00
master
9393baf1ad feat(platform,binaryindex,doctor): runtime persistence cutover
Sprint SPRINT_20260415_005_DOCS_platform_binaryindex_doctor_real_backend_cutover.

- Platform.WebService: AoC/quota compatibility endpoints, platform health
  service, setup wizard contracts/endpoints/service, release migrations
  058 (trust signing demo seed) + 067 (cleanup), context migration tests.
- BinaryIndex.WebService: golden-set controller + storage extensions,
  runtime persistence extensions, durable runtime + storage registration
  tests.
- Doctor: scheduler runtime guard, report storage extensions,
  scheduler + webservice registration tests.

Sub-sprints _006 (symbols truthful manifest) and _021 (doctor evidence
schema registry) land as follow-ups.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:37:20 +03:00
master
e60d5e0fce feat(findings,sbomservice,scanner): runtime data plane cutover
Sprint SPRINT_20260415_004_DOCS_runtime_data_plane_real_backend_cutover.

- Findings.Ledger: Postgres-backed endpoints (runtime timeline/traces,
  scoring, vuln-explorer, webhook), unsupported-compat shim, ledger data
  source, vulnerability detail service.
- RiskEngine.WebService: web application factory + runtime wiring tests.
- SbomService: rename InMemory -> ManifestBacked metadata repo, add
  Postgres registry source/ledger/lineage/event/watermark repos +
  migrations 001 initial schema and 002 runtime durable state.
- Scanner: SBOM uploads store + migration 026, scan runtime state +
  migration 027, persisted scan coordinator, Postgres policy repos,
  VEX gate query service + controller, reachability evidence migration 022.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:36:40 +03:00
master
302826aedb feat(scheduler,packsregistry,registry): postgres backend cutover
Sprint SPRINT_20260415_003_DOCS_scheduler_registry_real_backend_cutover.

- Scheduler WebService: Postgres-backed audit service + resolver job service,
  system schedule bootstrap, durable host tests, jwt app factory
- PacksRegistry: persistence extensions + migration 002 runtime pack repo,
  durable runtime + startup contract tests
- Registry.TokenService: Postgres plan rule store + admin endpoints,
  migration 001 initial schema, durable runtime + persistence tests
- Scheduler.Plugin.Doctor: wiring for doctor job plugin
- Sprint _019 (webhook rate limiter) and _002 (compose storage compat)
  land separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:36:05 +03:00
master
6b89bd5652 feat(notify,notifier): postgres durable runtime base cutover
Sprint SPRINT_20260415_002_DOCS_notify_notifier_real_backend_cutover.

Base durable storage wiring for both Notify and Notifier:
- NotifyDbContext + EF migrations (002 pack_approvals, 003 operator_override)
- Pack approval / operator override / retention / tenant isolation repos
- Notifier worker Postgres repository adapters (audit, channel, delivery,
  inbox, localization, lock, rule, template) + runtime service base
- Durable runtime fixture + integration test scaffolding
- WebService compat shims for pack approval, operator override, throttle

Sub-sprints _008 (suppression), _009 (escalation), _010 (quiet hours),
_011 (security/deadletter) land as follow-ups.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:35:30 +03:00
master
577a56ebc0 docs(implplan): real-service cutover master plan
Sprint SPRINT_20260415_001 — track execution across the cutover
sub-sprints and record per-module evidence.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:34:08 +03:00
master
44c4aec0d4 chore: ignore claude code agent worktrees
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:33:59 +03:00
master
5892937e39 feat(workflow): add ArtifactExporter console tool + MSBuild targets
New StellaOps.Workflow.ArtifactExporter project: a post-build console app that
reads the generator's bundled workflow registry from the compiled plugin DLL and
writes canonical JSON (authoritative, fail-build) plus SVG/PNG visual artifacts
(graceful warn) next to each *Workflow.cs source file. Replaces per-csproj
rendering boilerplate with a single targets import.

Key design choices:
- Console app invoked via <Exec>, not an MSBuild ITask DLL — easier to debug,
  no rendering-lib loading into the MSBuild process.
- Links WorkflowRenderGraphCompiler.cs from Engine as a compiled file instead of
  ProjectReference, avoiding EF Core + Oracle transitive deps in the tool.
- Parallel.ForEachAsync across workflows with file-lock + PID-sentinel
  "latest-wins" cross-process coordinator (FileShare.None +
  FileOptions.DeleteOnClose — no thread-affinity issues unlike Mutex).
- Hash-based cache: expected canonical-hash marker injected into
  .definition.json; unchanged workflows skip re-render. First build 167
  workflows in ~143s; no-change rebuild in ~0.1s.
- Atomic write-via-rename on every artifact.

Targets file (StellaOps.Workflow.ArtifactExporter.targets) plugins can import
to get: analyzer wiring + JSON/SVG/PNG export in one <Import>. Configurable via
StellaOpsWorkflowArtifactExport / StellaOpsWorkflowSkipSvg /
StellaOpsWorkflowSkipPng properties. Also surfaces CanonicalTemplates/*.json as
AdditionalFiles so the analyzer's fragment loader can inline runtime-loaded
fragments at compile time.

Verified: builds clean against upstream Abstractions/Contracts/Renderer.ElkSharp/
Renderer.Svg (net10.0, 0 warnings, 0 errors).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:42:38 +03:00
master
fd689748c9 feat(workflow): analyzer expansion — SubWorkflow/Fork/state+payload guards + helper-context
Port analyzer improvements developed downstream that extend canonical artifact
emission and non-trusted-call exemptions:

- WorkflowCanonicalArtifactGenerator: SubWorkflow / Fork / WhenStateEquals /
  WhenPayloadEquals step handlers; Call desugaring with
  WorkflowHandledBranchAction; HelperContext with parent chain and
  ResolveParameter identifier chase for multi-hop parameter forwarding;
  fluent-helper inliner (TryInlineFluentHelper + WalkFluentHelper*); spec-level
  inliner (TryInlineSpecHelper); JSON-fragment loader surfaced via
  AdditionalFiles (TryResolveLazyFragmentValue + TryResolveDirectFragmentCall);
  ContinueWith HelperContext threading; null-coalesce support; const-name in
  ParseNamedExpr; conditional-spread via TryExpandConditionalSpread.
- CanonicalSteps: add SubWorkflowStep and ForkStep IR classes.
- CanonicalJsonFragmentParser (new): minimal recursive-descent JSON→CanonicalExpr
  parser to support compile-time inlining of pre-built
  WorkflowExpressionDefinition fragments loaded at runtime via LoadFragment<T>.
- WorkflowCanonicalityAnalyzer: helpers returning trusted workflow types
  (WorkflowSpec<T>, WorkflowExpressionDefinition, etc.) are now treated as
  compile-time construction factories and exempt from WF010 — needed for the
  fluent-helper inliner to cover real-world plugin patterns.
- Tests: AnalyzerTestHarness gains an additionalTexts overload (with
  InMemoryAdditionalText); GeneratorStepsTests adds coverage for the new
  handlers and inliners; NonTrustedCallTests inverts
  CallingHelperThatHasImperative to assert the new WF010 exemption for helpers
  returning trusted workflow types.

Verified: 51/51 analyzer tests pass (net10.0).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:42:09 +03:00
master
bc6b1c5959 Finalize UI truthfulness and bootstrap hardening
2026-04-16 16:23:54 +03:00
master
4799aa2402 feat(workflow): generator emits businessReference (mitigates Bulstrad migration risk #2)
37 of the 179 Bulstrad workflow start-request types carry
[WorkflowBusinessId] / [WorkflowBusinessReferencePart] attributes
which the runtime compiler surfaces as the top-level `businessReference`
canonical JSON field. Until now the generator omitted this field and
would have broken byte-parity on every one of those workflows during
the split.

Generator changes:

  * BuildBusinessReference(INamedTypeSymbol) walks TStartRequest's
    public instance properties collecting attributes:
      Ablera.Serdica.Workflow.Abstractions.WorkflowBusinessIdAttribute
      StellaOps.Workflow.Abstractions.WorkflowBusinessIdAttribute
      Ablera.Serdica.Workflow.Abstractions.WorkflowBusinessReferencePartAttribute
      StellaOps.Workflow.Abstractions.WorkflowBusinessReferencePartAttribute
  * Emits null when neither attribute is present (matches the runtime's
    `SingleOrDefault => null` path). Only emits when at least one is found.
  * KeyExpression = WorkflowExpr.Path("start.{camelCased-or-JsonPropertyName}")
    from the property tagged with [WorkflowBusinessId].
  * Parts[] = one NamedExpr per [WorkflowBusinessReferencePart] property,
    Name = attribute's partName arg or property name if null,
    Expression = WorkflowExpr.Path("start.{camelCased-or-JsonPropertyName}").
  * ResolveJsonPropertyName mirrors the runtime: [JsonPropertyName] wins,
    else camelCase of the CLR property name.

Test fixture BusinessKeyedRequest + BusinessReferenceWorkflow
exercises the full path. Added as a third byte-parity test alongside
PureExpressionWorkflow + StartWithDecisionWorkflow. All 3 pass.

Other risk flagged in the migration manifest (nameof() in WorkflowName
/ WorkflowVersion / DisplayName): a grep across the Bulstrad plugin
returned zero matches — no workflow builds its name via nameof().
Namespace changes during the split cannot drift JSON. Risk #1
eliminated by evidence, no code needed.

Tests: 39/39 pass in both repos.
2026-04-15 13:04:28 +03:00
master
a81b524a89 feat(workflow): StellaOps.Workflow.Publisher library
New net10.0 library that reads bundled canonical workflows out of
plugin assemblies (via the source generator's
_BundledCanonicalWorkflowRegistry) and POSTs each one to the workflow
service's /Orchestration/definition-import endpoint on microservice
startup. Server handles dedup + auto +N versioning; publisher just
drives the roundtrip and logs the outcome.

Public surface:
  * WorkflowPublisherOptions — appsettings-bindable config
    (Enabled, Endpoint, CommandPath, ServiceName, AuthToken, Timeout,
    MaxRetriesPerWorkflow, RetryBaseDelay, FailOnError, DryRun)
  * BundledWorkflow record
  * IBundledWorkflowProvider + ReflectionBundledWorkflowProvider
    (reads StellaOps.Workflow.Generated._BundledCanonicalWorkflowRegistry
    from any assembly in a provided list; AppDomain.CurrentDomain
    fallback at DI resolution)
  * WorkflowPublisher — orchestrator with retry/backoff/summary
  * WorkflowPublisherHostedService — IHostedService adapter that
    runs PublishAllAsync on startup
  * PublisherServiceCollectionExtensions.AddWorkflowPublisher()

Behaviour:
  * Enabled=false -> no requests, summary DisabledReason set
  * DryRun=true  -> logs what would POST, no network
  * Endpoint missing -> each workflow counted failed, DisabledReason
    set, no HTTP calls; FailOnError=true throws
  * Non-2xx 5xx -> exponential retry MaxRetriesPerWorkflow times
  * 4xx / persistent 5xx -> FailOnError=false logs+continues,
    FailOnError=true throws
  * Server response's WasImported=false (hash match) -> counted as
    HashSkipped
  * AuthToken propagates as Authorization: Bearer
  * ServiceName propagates into WorkflowDefinitionImportRequest.ImportedBy
    as "{ServiceName}/publisher"

Consumer wiring example (a microservice's Program.cs):

    services
        .Configure<WorkflowPublisherOptions>(
            builder.Configuration.GetSection(nameof(WorkflowPublisherOptions)))
        .AddWorkflowPublisher();

Tests: 11/11 pass using an in-memory HttpMessageHandler fake.
Covers disabled, empty provider, missing endpoint, happy path,
hash-match skip, dry-run, transient retry, persistent failure
(FailOnError false + true), auth header, ImportedBy.
2026-04-15 12:35:56 +03:00
master
90592352bb feat(workflow): generator byte-parity with runtime compiler (option A)
Extends WorkflowCanonicalArtifactGenerator to produce canonical JSON
byte-identical to what WorkflowCanonicalDefinitionCompiler +
WorkflowCanonicalJsonSerializer produce at runtime, so the server's
SHA-256 content-hash dedup sees generator-emitted JSON and
runtime-emitted JSON as the same content.

Drift points resolved:

  * startRequest (new CanonicalStartRequest.cs) — generator walks
    TStartRequest's public instance IPropertySymbols, maps CLR types
    to JSON-schema types (string / boolean / number / string for
    enums / array with items / string for DateTime[Offset] / object
    fallback), converts property names to camelCase, unwraps
    Nullable<T>, detects IEnumerable<T>, emits enum constants from
    enum type members. Matches BuildStartRequestContract +
    BuildPropertiesSchema exactly.

  * requiredModules (new RequiredModule IR) — generator walks the
    IR and seeds `workflow.dsl.core`, adds `workflow.functions.core`
    on any FunctionExpr, adds transport modules on LegacyRabbit /
    Microservice addresses. Sorted alphabetically. Each module has
    `versionExpression = ">=1.0.0"` + `optional = false` matching
    the runtime's WorkflowRequiredModuleDeclaration record defaults.

  * Brace / array formatting — BeginObject/BeginArray now inline
    directly after a property colon (`"prop": {`) instead of
    inserting newline+indent before the `{` / `[`. Matches
    System.Text.Json WriteIndented behavior.

  * String escaping — AppendEscapedString now matches
    JavaScriptEncoder.Default: escapes <, >, &, ', +, ` and all
    non-ASCII printable (>0x7E) as uppercase \uXXXX. Runtime's
    System.Text.Json uses this encoder by default; without these
    escapes every `">=1.0.0"` version string differs.

  * Task emission (CanonicalTask.cs) — always emits
    routeExpression (defaulting to WorkflowExpr.String(route)) and
    payloadExpression (defaulting to Null) since the runtime's
    BuildTask applies `??= WorkflowExpr.String(...)` /
    `??= WorkflowExpr.Null()`. Always emits onComplete (defaulting
    to empty sequence).

  * Top-level field order — startRequest slots in after displayName,
    workflowRoles after, businessReference between workflowRoles and
    start — matching the runtime record's property declaration order.

Tests: 38 pass, 2 parity tests previously [Explicit] now active.
Generator produces byte-identical JSON for both parity fixtures:
expression-only workflow + step/task workflow with Set +
WhenExpression + AddTask + OnComplete.

Still deferred (future commits as Bulstrad corpus surfaces them):
  * businessReference emission when TStartRequest has
    [WorkflowBusinessId] / [WorkflowBusinessReferencePart] attributes.
    Current fixture has neither; field omits via WhenWritingNull.
  * Fork / Repeat / Wait / WaitForSignal / ContinueWith /
    SubWorkflow / HttpAddress / GraphqlAddress — WF020 until
    extended. Each requires a small visitor addition + tests.
2026-04-15 12:28:53 +03:00
master
a2c9098dc8 feat(workflow): byte-parity test harness + pinned LF newline (pending option A vs B)
Wires the analyzer + source generator into the analyzer test project
so parity tests can compare the generator's bundled JSON against what
the runtime WorkflowCanonicalDefinitionCompiler produces for the same
workflow class instance.

Changes:

* WorkflowCanonicalJsonSerializer.SerializerOptions: explicitly pin
  `NewLine = "\n"` so canonical-JSON bytes are identical across build
  platforms. Default would be Environment.NewLine = \r\n on Windows,
  \n on Unix — unstable for hash-dedup across CI runners.
* Test project now consumes StellaOps.Workflow.Analyzer via <Analyzer>
  item with a pre-build MSBuild Target that builds the analyzer csproj
  first, so generator output is available in-assembly.
* New Fixtures/ParityFixtureWorkflows.cs with two canonical fixtures
  exercising expression-only + step/task builder chains.
* New GeneratorByteParityTests.cs with diagnostic output showing the
  exact byte-offset of first drift + visible-char window around it.

Parity tests are marked [Explicit] because the runtime compiler
populates `startRequest`, `businessReference`, and `requiredModules`
via CLR reflection — fields the generator does not yet emit
(replicating them symbolically requires significant work). The drift
surface is documented in the test class doc comment.

The next architectural decision is captured in the plan file: either
(A) extend the generator to reimplement those reflection paths
symbolically, or (B) pivot to a hybrid where the generator emits
metadata + type registry and the publisher calls the runtime
compiler at startup. Option B eliminates the parity gap entirely
with publisher overhead of ~1-5 ms per workflow on first boot.

Test status: 36 passing, 2 explicit-skipped (parity).
2026-04-15 12:07:17 +03:00
master
cbfdd0e96c feat(workflow): generator supports StartWith/AddTask chains + addresses + helper fields
Extends WorkflowCanonicalArtifactGenerator (ships alongside the existing
analyzer in the same Roslyn component) to walk the real-world builder
surface used by the Bulstrad corpus.

New step visitors (inside StartWith(flow => ...) lambdas and
OnComplete(flow => ...) lambdas):
  * Set(key, expr) and SetIfHasValue(key, expr) -> set-state
  * ActivateTask(name) -> activate-task
  * Complete() -> complete
  * WhenExpression(name, cond, whenTrue, whenElse?) -> decision with
    nested whenTrue/whenElse step sequences (lambdas walked recursively)
  * Call(stepName, address, payload?, resultKey?, whenFailure?,
    whenTimeout?, timeoutSeconds?) -> call-transport

Address resolution covers:
  * new LegacyRabbitAddress("cmd") and new LegacyRabbitAddress("cmd", mode)
  * new Address("serviceName", "command")
  * Referenced static readonly fields -- walks the field's declarator
    initializer and emits the address there (matches real Bulstrad pattern
    "private static readonly LegacyRabbitAddress FooAddress = new(...)").

AddTask chains:
  WorkflowHumanTask.For<T>("name", "type", "route")
    .WithRoles(...) / .WithTimeout(...) / .WithRoute(expr)
    / .WithPayload(expr) / .OnComplete(flow => ...)
The generator walks each segment and appends a CanonicalTask to
definition.tasks[].

IR extended:
  * CanonicalSteps.cs   -- SetStateStep, ActivateTaskStep, CompleteStep,
    DecisionStep, TransportCallStep, AssignBusinessReferenceStep,
    StepSequence
  * CanonicalAddress.cs -- MicroserviceAddress, LegacyRabbitAddress
  * CanonicalTask.cs    -- CanonicalTask
  * CanonicalDefinition now emits the full top-level shape
    (workflowRoles[], start{initializeStateExpression, initialTaskName,
    initialSequence}, tasks[], requiredModules[], requiredCapabilities[]).

Tests: 36/36 pass (31 existing + 5 new covering the step/task surface,
including a WF020 fallback test for the not-yet-supported Fork()).

Still not supported (WF020 continues to fire): Fork, Repeat, Wait,
WaitForSignal, ContinueWith, SubWorkflow, SetBusinessReference with
object-initialiser syntax, QueryGraphql, HttpAddress / GraphqlAddress.
Follow-up commits extend these as the corpus migration surfaces them.
2026-04-15 11:57:02 +03:00
master
cd18bd1fce chore: post-archive sprint status edits + integration-detail UI polish
Archived sprint files inherit the rename without the post-move status edits
since git recorded the rename against pre-edit content. Applies the
OBSOLETE/DONE annotations directly on the archived copies so the record is
internally consistent.

Integration-detail component + spec: small polish pass. integration-hub-ui
spec: trivial assertion tweak. Playwright: refreshed live-frontdoor-auth
snapshot.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:28:39 +03:00
master
c01ce36b62 docs(implplan): add DOCS cutover plan sprint, archive FE integration-hub sprint
Adds SPRINT_20260415_001_DOCS_real_service_cutover_plan tracking the doc
work needed to finalize the no-mocks / real-service migration.

Archives SPRINT_20260415_002_FE_integration_hub_truthful_status_and_button_styling
— both tasks complete (truthful integration status + button styling fix
landed in the earlier Web UI commit).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:27:31 +03:00
master
07e227fdb7 feat(findings): close VulnExplorer -> Ledger merger and archive sprints
Closes SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge via Option B:

- Phase 1 (VXPM-001..005) marked OBSOLETE. The separate vulnexplorer
  schema was superseded by commit 6b15d9827 (direct merger into Findings
  Ledger); there is no separate Postgres schema to build.
- Phase 2 corrections: VXLM-003/004/005 flipped to DONE. The adapter
  ConcurrentDictionary pattern is accepted as the VXLM-003 closure — these
  are read-side projections over Ledger events; durability comes from the
  append-only event log, not from the adapter. Two follow-ups logged in
  Decisions & Risks (FOLLOW-A: write-through Ledger event emission;
  FOLLOW-B: /api/v1/vulnerabilities gateway route alignment).
- Deletes stale VulnExplorer project trees:
  - src/Findings/StellaOps.VulnExplorer.Api/ (entire service)
  - src/Findings/StellaOps.VulnExplorer.WebService/ (shell + migrated contracts)
  - src/Findings/__Tests/StellaOps.VulnExplorer.Api.Tests/ (tests targeted
    SampleData IDs that no longer exist under Ledger)
  - src/Findings/StellaOps.Findings.Ledger.WebService/Services/
    VulnExplorerRepositories.cs (33-line placeholder with a misleading
    header comment; the actual Postgres path was never wired)
- Updates StellaOps.sln and Findings.sln to drop the removed project GUIDs
  and their 24 configuration entries. dotnet build
  src/Findings/StellaOps.Findings.sln passes 0 warnings / 0 errors.

Also archives the 4 previously-closed sprints:
- SPRINT_20260408_002 Findings VulnExplorer merger (above)
- SPRINT_20260410_001 Web runtime no-mocks (21/21 tasks done via earlier
  Postgres persistence commits)
- SPRINT_20260413_002 Integrations GitLab bootstrap automation
- SPRINT_20260413_003 Web UI-driven local setup rerun
- SPRINT_20260413_004 Platform UI-only setup bootstrap closure

Active sprints reduced to 2: SPRINT_20260408_004 Timeline unified audit
sink (15-25hr breadth work) and SPRINT_20260408_005 Audit endpoint filters
deprecation (mandatory 30/90-day verification windows).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:26:32 +03:00
master
a6a7e0a134 chore: devops compose tweaks, playwright artifacts, sprint log updates
devops/compose: docker-compose.stella-ops.legacy.yml +
docker-compose.stella-services.yml receive small service wiring updates.

Playwright: refreshed auth-state/report fixtures from the latest
integrations + setup-wizard + policy-runtime live runs. Includes a new
playwright-report-integrations/ bundle.

Docs: SPRINT_20260410_001 (runtime no-mocks) significantly expanded with
additional NOMOCK tasks reflecting the Postgres-backed work shipped across
Policy, Graph, Excititor, VexLens, Scanner, VexHub. SPRINT_20260413_004
(UI-only setup bootstrap closure) log updates.

Gitignore: narrow the earlier `output/` rule to `/output/` so the tracked
src/Web/StellaOps.Web/output/playwright fixtures continue to be picked up.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:16:33 +03:00
master
fc14a59b1f feat(web): VEX hub client expansion, integration hub bootstrap, policy e2e
app.config: wiring updates for VEX hub statement providers + integration
hub DI.

VEX hub client: large refactor and expansion of vex-hub.client.ts (+spec)
with the shape needed by the statement detail panel and the new
noise-gating surfaces. vex-statement-detail-panel.component aligned with
the new client contract.

Integration hub component: extends the bootstrap + verification flow
(browser-backed, no mocks) and updates the spec coverage accordingly.

New tooling:
- scripts/run-policy-orchestrator-proof-e2e.mjs to drive the orchestrator
  proof flow from outside the Angular test harness.
- src/tests/triage/noise-gating-api.providers.spec.ts covers the DI
  providers wiring for the triage noise-gating surface.
- tests/e2e/integrations/policy-orchestrator.e2e.spec.ts exercises the
  policy orchestrator UI end-to-end.
- tsconfig.spec.vex.json isolates the VEX spec compile so it does not
  fight the main triage configs.
- angular.json + package.json wire the new spec/e2e targets.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:16:05 +03:00
master
1e8dbbeeb0 feat(authority,scanner): IssuerDirectory wiring + scanner score replay persistence
Authority: StellaOpsLocalHostnameExtensions gains additional local aliases
for the IssuerDirectory service; new StellaOpsLocalHostnameExtensionsTests
cover the alias table. IssuerDirectory.WebService Program.cs wires the
IssuerDirectory host against the shared auth integration.

Scanner: WebService swaps in-memory score replay tracking for
PersistedScoreReplayRepositories (Postgres-backed) in Program.cs.

Docs: scanner architecture page updated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:15:44 +03:00
master
291c3d3ad4 feat(vex): Postgres persistence for Excititor + VexLens + VexHub hardening
Excititor: new migration 003_vex_claim_store.sql and PostgresVexClaimStore
replace the in-memory claim tracking. ExcititorPersistenceExtensions wires
the store; ExcititorMigrationTests updated. Archives S001 demo seed.

VexLens: new migration 002_noise_gating_state.sql with
PostgresGatingStatisticsStore, PostgresSnapshotStore, and
PostgresNoiseGatingJson bring noise-gating state onto disk. New
VexLensRuntimeDatabaseOptions + AuthorityIssuerDirectoryAdapter +
VexHubStatementProvider provide the runtime wiring. WebService tests cover
the persistence, the issuer-directory adapter, and the statement provider.

VexHub: WebService Program, endpoints, middleware, models, and policies
tightened; VexExportCompatibilityTests exercise the Concelier↔VexHub export
contract.

Docs: excititor, vex-hub (architecture + integration guide), and vex-lens
architecture pages updated to match the new persistence and verification
paths.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:15:31 +03:00
master
ee93c0bac2 feat(graph): add Postgres graph runtime repository + compatibility endpoints
Introduces IGraphRuntimeRepository + PostgresGraphRuntimeRepository that back
runtime-path graph reads with real persistence. Graph.Api Program.cs wires
the new repository into the DI graph. InMemory* services get small cleanups
so they remain viable for tests and local dev.

CompatibilityEndpoints: extends the integration-test surface.

Tests: GraphPostgresRuntimeIntegrationTests,
GraphRuntimeRepositoryRegistrationTests, expanded
GraphCompatibilityEndpointsIntegrationTests.

Docs: graph architecture page updated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:15:07 +03:00
master
786d09b88f feat(policy): persist gate evaluation queue, snapshots, orchestrator jobs
Policy Engine: moves gate evaluation, snapshots, orchestrator job tracking,
and ledger export from in-memory state to Postgres-backed stores.

- New persistence migrations 007 (runtime state), 008 (snapshot artifact
  identity), 009 (orchestrator jobs).
- New repositories: PolicyEngineSnapshotRepository,
  PolicyEngineLedgerExportRepository, PolicyEngineOrchestratorJobRepository,
  WorkerResultRepository.
- Gateway services: GateEvaluationJobDispatchService,
  GateEvaluationJobStatusService, GateEvaluationJobWorker,
  SchedulerBackedGateEvaluationQueue (plus Unsupported fallback),
  GateTargetSnapshotMaterializer, PersistedKnowledgeSnapshotStore,
  GateBaselineBootstrapper, PolicyGateEvaluationJobExecutor.
- New endpoints: GateJobEndpoints for job status + dispatch.
- Worker host: PolicyOrchestratorJobWorkerHost to drain the persistent queue.
- PersistedOrchestratorStores + DeltaSnapshotServiceAdapter swap in the
  persistent implementations via DI.

Tests: PersistedDeltaRuntimeTests, PolicyEngineGateTargetSnapshotRuntimeTests,
PolicyEngineRegistryWebhookRuntimeTests, PostgresLedgerExportStoreTests,
PostgresSnapshotStoreTests, PolicyGatewayPersistedDeltaRuntimeTests,
RegistryWebhookQueueRuntimeTests. Archives the old S001 demo seed.

Docs: policy API + architecture pages updated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:14:41 +03:00
master
d8f6bade9a chore: gitignore codex scratch scripts, output dir, stray src/src duplicates
Ignore .codex-*.mjs scratch scripts used by Codex agents, the top-level
output/ scratch dir, and accidentally-created duplicate source trees
(src/src/ and src/Web.StellaOps.Web/) so they stop appearing as untracked.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:14:15 +03:00
master
b7acf692b6 docs(workflow): analyzer rule reference + golden real-shape regression tests
docs/modules/workflow/analyzer.md — user-facing reference for
WF001-WF006 + WF010: one section per rule with a "bad" example and
the canonical fix. Covers activation, scope (Spec property is the
entry point; helpers walked transitively), trusted-assembly prefix
rule, cross-project WF010 indirection, and non-goals (no source
generator, no severity config, no escape hatch).

The DiagnosticDescriptors' HelpLinkUri already points at sections in
this doc (e.g., #wf005), so users who hit a build error can click
through to the exact rule explanation.

Golden tests (GoldenWorkflowShapeTests) exercise three patterns
lifted from the Bulstrad corpus:
  1. static readonly LegacyRabbitAddress fields + nested
     WhenExpression(Gt, Len, ...) + .Call + OnComplete with
     WhenExpression(Eq, ...) + ActivateTask/Complete
  2. SetBusinessReference(new WorkflowBusinessReferenceDeclaration
     { KeyExpression, Parts = new WorkflowNamedExpressionDefinition[] { ... } })
  3. WorkflowExpr.Func("bulstrad.normalizeCustomer", path)
     — custom runtime function dispatch

Each asserts zero WF* diagnostics. A regression that rejects these
patterns would break the entire Serdica corpus.

30/30 tests pass.
2026-04-15 09:29:08 +03:00
master
b250bb7aff feat(workflow): WF006 — non-trusted field/property reads; skip delegate Invoke + nameof
WF006 catches reads of fields/properties on metadata-only types.
This closes a real hole: `WorkflowExpr.Number(DateTime.UtcNow.Year)`
would previously bake the build-time year into the canonical JSON,
because property reads on DateTime (System.Private.CoreLib) weren't
detected — only method calls were (WF003).

Allowed:
  * `IsConst` fields on any type (compile-time literal, no runtime
    state): `int.MaxValue`, user `public const string Route = "/x"`.
  * Static readonly fields/properties on types in current compilation
    or project-ref source (walkable): `SharedAddresses.QueryAddress`.
  * Builder members: `WorkflowFlowBuilder<T>.Something` — trusted
    containing assembly prefix.

Not allowed (WF006):
  * `DateTime.UtcNow`, `DateTime.Now.Year`, `Environment.MachineName`,
    `Guid.NewGuid` (method, WF003), any non-const NuGet/BCL member.

Two related fixes to avoid false positives exposed by the new tests:

  * `nameof(X.Y)` — the analyzer now short-circuits inside `nameof`
    invocations. The argument tree has no runtime semantics; walking
    it would otherwise flag its internal member-access chain.
  * `someFunc()` where `someFunc` is a delegate variable — invoking
    a delegate resolves to `Func<T>.Invoke` / `Action.Invoke` in
    System.Private.CoreLib. That's a transparent dispatch, not a
    foreign method call. The actual lambda body is walked inline, so
    skipping the Invoke step is safe.

Tests: 27/27 pass (20 existing + 7 new covering WF006 positive and
negative cases including nameof + delegate invoke).

Corpus: Bulstrad 179-workflow plugin and the engine service still
produce 0 diagnostics.
2026-04-15 09:23:24 +03:00
master
25ea70e080 feat(workflow): analyzer recognizes both StellaOps and Ablera workflow namespaces
The vendored copy of StellaOps.Workflow in Serdica uses a parallel
namespace (Ablera.Serdica.Workflow.Abstractions). The analyzer now
looks up well-known types in both namespaces and treats both
assembly-name prefixes (StellaOps.Workflow.* and
Ablera.Serdica.Workflow.*) as trusted leaves.

Activation still requires the Abstractions assembly to be in the
compilation; absent either namespace's IDeclarativeWorkflow<T>, the
analyzer is a no-op.

20/20 analyzer tests still pass.
2026-04-15 08:55:39 +03:00
master
4ec9e55707 feat(workflow): StellaOps.Workflow.Analyzer — Roslyn canonicality enforcement
Transparent C# compiler extension that rejects workflow code that
cannot be serialized to canonical JSON. Activates automatically when
a compilation references StellaOps.Workflow.Abstractions; no opt-in
needed in consumer projects.

Scope: walks the `Spec` property of every IDeclarativeWorkflow<T>
class plus transitively reachable helper methods. Same-compilation
and project-reference helpers are walked via DeclaringSyntaxReferences;
metadata-only calls are rejected since the analyzer cannot verify
their bodies.

Diagnostics (all Error severity):
  WF001 imperative control flow (if/for/foreach/while/switch-stmt/
        try/throw/lock/using/goto/yield/do)
  WF002 async/await
  WF003 call into non-trusted assembly (not StellaOps.Workflow.*,
        not source-walkable)
  WF004 object creation of non-trusted type
  WF005 C# ?:, ??, ?. operators in workflow code
  WF010 reachable helper contains WF001-WF005 violation (surfaced
        at the call site with additional location in the helper)

Non-goals for v1: no source generator / compile-time JSON emission;
runtime WorkflowCanonicalDefinitionCompiler remains the single source
of truth for canonical JSON. Analyzer only validates.

Ships as a Roslyn component (netstandard2.0) under
src/Workflow/__Libraries/StellaOps.Workflow.Analyzer. Consumer
projects pick it up via ProjectReference; NuGet packaging deferred
until the allowlist stabilizes in-field.

Tests: 20/20 pass. Covers each rule positively, plus
negative cases (plain canonical workflow produces zero diagnostics,
code outside IDeclarativeWorkflow<T> is ignored, pure project-ref
helper walks cleanly, impure project-ref helper surfaces WF010).
2026-04-15 08:01:57 +03:00
master
5586de0a72 chore(workflow): remove BPMN source-format converter
BPMN is not a viable source format for Stella workflow definitions — the installed
canonical JSONs are generated from IDeclarativeWorkflow<T> C# specs, not from BPMN, and
BPMN cannot carry the typed metadata the canonical needs (startRequest.contractName,
schema, businessReference, initializeStateExpression, function-call references).

- Delete BpmnXmlSourceConverter + BpmnCanonicalMapping
- Drop BpmnXmlSourceConverter DI registration; comment updated
- Delete BpmnXmlSourceConverterTests; WorkflowSourceFormatRegistryTests no longer includes the BPMN converter in the ordering fixture
- Abstractions comments updated to stop referencing bpmn-xml

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 00:55:30 +03:00
master
a7d687911c feat(workflow): age-override retention (backport)
- WorkflowRetentionRunRequest: add RunningOlderThanDays / CompletedOlderThanDays
- WorkflowRetentionOverride record: carries pre-computed UTC thresholds through IWorkflowProjectionRetentionStore.RunAsync
- EntityFrameworkWorkflowProjectionRetentionStore: when override is set, also marks-stale by CreatedOnUtc and purges running/stale instances and completed rows by age — bypasses pre-computed StaleAfterUtc/PurgeAfterUtc so a single retention pass both marks AND purges matching rows
- WorkflowEndpoints: translate request days → WorkflowRetentionOverride with AddDays(-X)
- Postgres + Mongo projection stores: accept the new parameter (kept as a no-op for now — Oracle EF is the active projection)
- Hosted retention service: pass cancellationToken by name so the new optional override param doesn't shift positional args
- Tests: add 3 overrides cases to WorkflowRetentionServiceTests (RunningOlderThan, CompletedOlderThan, without-override smoke); NoopWorkflowProjectionRetentionStore fixture updated to the new signature — 5/5 pass

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 00:25:55 +03:00
master
68326edca8 fix(workflow): rename Sort→SortModel + add Filters (gateway schema alignment)
Mirror of the Ablera-side contract fix. sc-table-view's REST body sends
`{filters: [...], page, pageSize, sortModel: {prop, direction}}`; renaming the contract
field from `Sort` to `SortModel` and adding an ignored `Filters` collection lets the gateway's
NJsonSchema validator accept the body instead of 400-ing on "Unsupported node" for all 4 keys.

- Rename `Sort` → `SortModel` on 4 list requests (definitions, instances, tasks, dead-letters).
- Add `IReadOnlyCollection<object>? Filters` on the same 4 requests.
- Update store-layer consumers (`ResolveDeadLetterOrderBy`, `BuildDeadLetterSort`,
  `ApplyInMemorySort`, projection-store sort helpers) to read `request.SortModel`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 22:24:52 +03:00
master
75ccdf81c1 Make local UI setup truthful and rerunnable
2026-04-14 21:44:35 +03:00
master
c69ebb4c48 feat(workflow): accept sc-table-view Page/PageSize body keys (backport)
- Contracts: four list requests + dead-letter request gain optional `Page` and
  `PageSize` (1-based) alongside existing `Skip`/`Take`. When both are > 0 the
  server derives `Skip = (Page - 1) * PageSize` and `Take = PageSize`, taking
  precedence over explicit Skip/Take. Matches the payload shape sc-table-view
  emits natively, so clients don't need a beforeRequest shim to compute skip/take.
- Projection store's GetTasksAsync / GetInstancesAsync gain a `ResolveSkipTake`
  helper with the new precedence. Dead-letter drivers (Postgres, MongoDB,
  OracleAq) apply the same precedence at the top of `GetDeadLettersAsync` /
  `GetMessagesAsync`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 12:46:09 +03:00
master
6ec6c4ebea feat(workflow): server-side sort + dead-letter paging (backport)
- New shared `WorkflowSortModel { Prop, Direction }` record; 4 list requests
  gain an optional `Sort` property and the dead-letter request gains `Skip/Take`
  plus `TotalCount` on the response. Matches the `sortModel: { prop, direction }`
  convention that sc-table-view emits, so client payloads bind directly.
- `WorkflowSortExpressions` whitelist helper (public) applies sort on instance
  and task queries with a PK tie-breaker for stable pagination. Unknown columns
  raise `BaseResultException(WorkflowSortColumnNotAllowed, ...)` rather than
  leaking into the ORDER BY. Projection store picks up the helper on both the
  instance and task list paths.
- Dead-letter stores uplifted per driver:
    * PostgreSQL: OFFSET/LIMIT + whitelisted ORDER BY, separate COUNT(*) query.
    * MongoDB: Skip/Limit/Sort builder + CountDocumentsAsync for total.
    * Oracle AQ: browse to a 500-cap, filter+sort+page in process, TotalCount =
      post-filter length (queue-browse can't offset/sort natively).
- New StellaOps.Workflow.Engine.Tests cover the sort helper whitelist + tie-
  breaker behaviour; all 9 tests pass alongside the 24 earlier converter +
  OnComplete tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 12:21:47 +03:00
master
9d1e9b8609 feat(workflow): multi-format deploy + render-graph endpoint + OnComplete grafting
- Introduce IWorkflowSourceFormatConverter + IWorkflowSourceFormatRegistry
  in Abstractions, with CanonicalJson / CanonicalYaml / CanonicalBundle (ZIP)
  / BpmnXml converters registered via DI.
- WorkflowDefinitionDeploymentService gains ImportMultiAsync, ExportMultiAsync,
  GetSupportedFormats, and GetRenderGraphAsync. GetDefinitionByIdAsync now
  checks the runtime catalog first (source="catalog") and falls back to the
  persistent store (source="store"); ExportMultiAsync synthesises a record
  from the catalog when the store has no entry.
- WorkflowRenderGraphCompiler grafts each task's OnComplete sequence after
  the task node (fixes the 3-node diagram bug), and reactivations of an
  already-rendered task draw a loop-back edge (reopen pattern).
- WebService adds GET /api/workflow/definitions/{id}/render-graph,
  GET /api/workflow/supported-formats, POST /api/workflow/definitions/import-multi,
  POST /api/workflow/definitions/export-multi.
- Contracts: new Source field on WorkflowDefinitionByIdResponse and the
  render-graph / multi-format request+response records.
- Test coverage: WorkflowSourceFormatRegistryTests, format-specific converter
  tests (JSON/YAML/Bundle/BPMN), and WorkflowRenderGraphCompilerOnCompleteTests
  covering OnComplete grafting and the reopen loop-back guard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 09:50:17 +03:00
master
398d0659eb docs: UI-driven local setup sprints + module dossier sync
Add SPRINT_20260413_004 (platform UI-only setup bootstrap closure)
with BOOTSTRAP-001..006 delivery tracker, and update sprint 003 and
sprint 20260410-001 execution logs to reflect the completed
persistence / orchestrator / secret-authority work.

Sync module dossiers and operator guides with the new reality: setup
wizard UX, platform-service architecture, CLI setup guide, integrations
architecture + local services, release-orchestrator architecture,
install guide, and compose README.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 07:56:45 +03:00
master
286c1f758a feat(web): setup wizard / integrations hub / release environments UI
Rewire the setup wizard UI to the persistent session endpoints:
resume-aware state service, truthful step status (draft / applying /
applied / failed), and wizard shell that no longer treats
test-connection as completion. Refresh the integrations hub to expose
Secrets / Feed Mirrors / Object Storage categories and align the
onboarding wizard validation with the backend contract for
optional-auth local connectors.

Modernize the release-orchestrator environments pages against the new
environment/target API (models + client), plus adjacent navigation,
route-surface, and test-surface refresh. Add Playwright harnesses for
live setup-wizard bootstrap / integrations bootstrap / state truth
checks, and commit their evidence.

Closes UISETUP-* from SPRINT_20260413_003 and the UI-facing tasks of
SPRINT_20260413_004.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 07:56:29 +03:00
master
c7be3170be feat(cli): align setup + integrations commands with persistent wizard
Rework SetupCommandHandler to talk to the new persistent setup wizard
endpoints (list/resume sessions, run individual steps, surface real
apply state) instead of the previous optimistic session flow, and add
BackendOperationsClient + SetupModels to encapsulate the on-wire
contracts. Add IntegrationsCommandGroup so the CLI can exercise the
same integration onboarding surfaces the UI now uses.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 07:56:01 +03:00
master
78afc39d2d feat(integrations): secret authority service for UI-driven secret staging
Add SecretAuthorityService + endpoints so the setup wizard and
integrations hub can stage secret bundles and bind authref URIs
directly from the UI, instead of requiring out-of-band Vault seeding.
Wire the new service behind IntegrationPolicies, expose
SecretAuthorityDtos on the contracts library, and register an
UpsertSecretBundle audit action for the emission library.

Closes BOOTSTRAP-006 from SPRINT_20260413_004.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 07:55:49 +03:00
master
cadfe10fcc feat(release-orchestrator): environment endpoints + deployment compat store
Add ReleaseOrchestratorEnvironmentEndpoints so the Platform setup wizard
can provision environments and targets against a real orchestrator
instead of in-process stubs. Add PostgresDeploymentCompatibilityStore
and migration 002_deployments.sql to persist deployment compatibility
state, plus ReleaseEnvironmentIdentityAccessor for identity envelope
propagation on env/script endpoints.

Extend Target / TargetConnectionConfig serialization to cover new API
enum values and add integration tests for persistence and
infrastructure registration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 07:55:35 +03:00
master
eefafdf152 feat(platform): persistent setup sessions + remote orchestrator clients
Replace the in-memory setup-wizard store with a Postgres-backed store
(migration 063_PlatformSetupSessions) so setup progress survives
service restarts and can be resumed truthfully. Split step semantics
into draft/provision/apply with real per-step validation instead of
optimistic pass results, and let Finalize mark setup complete only
after required steps have converged.

Add RemoteReleaseOrchestratorEnvironmentClient and
RemoteReleaseOrchestratorScriptService so the Platform WebService can
delegate environment and script provisioning to the ReleaseOrchestrator
service over HTTP with identity envelopes, instead of in-process stubs.
New integration tests cover resume, restart persistence, failed apply,
and finalize semantics, plus the remote clients.

Closes BOOTSTRAP-002 through BOOTSTRAP-005 from SPRINT_20260413_004.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 07:55:15 +03:00
master
685cc3b6a1 fix(gateway): route /api/v1/setup prefix to platform microservice
The exact-path rule for /api/v1/setup matched only the bare path, so
sub-paths like /api/v1/setup/sessions fell through to the generic
/api/v1/{svc}/* rule and the gateway tried to dispatch to a synthetic
"setup" microservice. Swap the exact route for a prefix-aware route
that sends /api/v1/setup* to platform, add integration/smoke coverage,
and refresh the local frontdoor config accordingly.

Closes BOOTSTRAP-001 from SPRINT_20260413_004.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 07:54:46 +03:00
master
44a253d485 feat(web): integration-hub + wizard wiring for local-setup flow
Integration hub: extends integration.models with fields needed by the wizard
(capabilities, credentials, readiness), updates the shell and list components,
adds routing for the new hub flow, and broadens the integration-list spec.

Integration wizard: new integrations-hub.component, extended wizard with
capability/credential handling, updated template + type models, and broader
spec coverage.

Sprint docs: SPRINT_20260413_003 (UI-driven local setup rerun) updated with
wiring notes; SPRINT_20260410_001 (no-mocks) adjusted. ReleaseOrchestrator
architecture doc gets a minor clarification.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 22:15:08 +03:00
master
852c4d15fe docs(implplan): sync sprint statuses with real repo state
- SPRINT_20260408_005_Audit_endpoint_filters_deprecation: FILTER-004, -006,
  -008 marked DONE with commit 54e7f871a; FILTER-005, -007 DONE with
  d4d75200c; FILTER-010 DONE with 665bd6db4. DEPRECATE-001/002/003 still
  TODO with mandatory 30-day + 90-day wait windows; CAPSULE-001 stays
  BLOCKED. Sprint cannot be archived until the verification windows pass.

- SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge: corrected VXLM-003
  and VXLM-004 from DONE → DOING. Adapters still back VEX decisions,
  fix verifications, and audit bundles with ConcurrentDictionary; the
  VulnExplorer.Api and VulnExplorer.WebService project directories were not
  deleted; migration 010 is present but unused. Execution log records the
  finding; commit 414049ef8 message was misleading.

- SPRINT_20260408_004_Timeline_unified_audit_sink: scope confirmation logged.
  AUDIT-002 through AUDIT-007 remain TODO (~15–25 hr breadth work); too
  large for a single session. Sprint stays active.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 22:14:53 +03:00
master
62d865080d feat(scheduler): wire startup migrations, dedupe 007/008, fix UI trend path
TASK-013: SchedulerPersistenceExtensions now calls AddStartupMigrations so
the embedded SQL files (including 007 job_kind + 008 doctor_trends) run on
every cold start. Deletes duplicate migrations 007_add_job_kind_plugin_config
(kept 007_add_schedule_job_kind.sql with tenant-scoped index) and
008_doctor_trends_table (kept 008_add_doctor_trends.sql with RLS + BRIN
time-series index).

TASK-010: Doctor UI trend service now calls
/api/v1/scheduler/doctor/trends/categories/{category} (was
/api/v1/doctor/scheduler/...) so it routes through the scheduler plugin
endpoints rather than the deprecated standalone doctor-scheduler path.

TASK-009: New DoctorJobPluginTests exercises plugin lifecycle: identity,
config validation for full/quick/categories/plugins modes, plan creation,
JSON schema shape, and PluginConfig round-trip (including alerts). 10 tests
added, all pass (26/26 in Plugin.Tests project).

Archives the sprint — all 13 tasks now DONE — and archives the platform
retest sprint (SPRINT_20260409_002) whose RETEST-008 completed via the
earlier feed-mirror cleanup.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 22:14:30 +03:00
master
0b09298a3a feat(platform): add ReleaseOrchestratorScriptService compatibility shim
Platform: new ReleaseOrchestratorScriptService translates the Platform-level
script API surface into calls against the ReleaseOrchestrator scripts module
so clients that still target /api/scripts on Platform continue to work during
the transition. Program.cs wires the shim. ScriptApiModels gets a minor
contract alignment.

ReleaseOrchestrator: ScriptsEndpoints + ScriptRegistry + ScriptModels updated
to expose and persist script variables correctly. New integration test
(ScriptRegistryVariablePersistenceTests) covers the persistence round-trip;
new unit test (ReleaseOrchestratorScriptServiceTests) covers the Platform
shim behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 22:00:32 +03:00
master
d4fee74b53 chore: gitignore tooling state, temp workspaces, runtime artifacts
Ignore Claude Code scheduler lockfile, Codex temp directory, Playwright CLI
cache, Concelier runtime export outputs, and Workflow plugin binary artifacts
so they don't show up as untracked on a clean workspace.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 22:00:15 +03:00
master
52d1512e7e chore(web): refresh playwright mirror-operator-journey fixtures
Updated auth state, report JSON, and screenshot snapshots captured from
the latest live-stack run of the mirror operator journey and front-door
auth flows. Includes tmp-feedmirror-auth/state fixtures used by the
feed-mirror UI verification path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 21:59:38 +03:00
master
1fe59beacb docs(implplan): sprint log updates for scheduler plugin, retest, no-mocks
- SPRINT_20260408_003_JobEngine: TASK-013 added for scheduler persistence
  auto-migrations + dedupe 007/008 migrations; execution log notes the
  2026-04-13 QA finding and trend-endpoint fix (commit 337aa5802).
- SPRINT_20260409_002_Platform + SPRINT_20260410_001_Web_runtime_no_mocks:
  log updates reflecting current state of ongoing work.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 21:59:26 +03:00