devops/compose: docker-compose.stella-ops.legacy.yml +
docker-compose.stella-services.yml receive small service wiring updates.
Playwright: refreshed auth-state/report fixtures from the latest
integrations + setup-wizard + policy-runtime live runs. Includes a new
playwright-report-integrations/ bundle.
Docs: SPRINT_20260410_001 (runtime no-mocks) significantly expanded with
additional NOMOCK tasks reflecting the Postgres-backed work shipped across
Policy, Graph, Excititor, VexLens, Scanner, VexHub. SPRINT_20260413_004
(UI-only setup bootstrap closure) log updates.
Gitignore: narrow the earlier `output/` rule to `/output/` so the tracked
src/Web/StellaOps.Web/output/playwright fixtures continue to be picked up.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
app.config: wiring updates for VEX hub statement providers + integration
hub DI.
VEX hub client: large refactor and expansion of vex-hub.client.ts (+spec)
with the shape needed by the statement detail panel and the new
noise-gating surfaces. vex-statement-detail-panel.component aligned with
the new client contract.
Integration hub component: extends the bootstrap + verification flow
(browser-backed, no mocks) and updates the spec coverage accordingly.
New tooling:
- scripts/run-policy-orchestrator-proof-e2e.mjs to drive the orchestrator
proof flow from outside the Angular test harness.
- src/tests/triage/noise-gating-api.providers.spec.ts covers the DI
providers wiring for the triage noise-gating surface.
- tests/e2e/integrations/policy-orchestrator.e2e.spec.ts exercises the
policy orchestrator UI end-to-end.
- tsconfig.spec.vex.json isolates the VEX spec compile so it does not
fight the main triage configs.
- angular.json + package.json wire the new spec/e2e targets.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Authority: StellaOpsLocalHostnameExtensions gains additional local aliases
for the IssuerDirectory service; new StellaOpsLocalHostnameExtensionsTests
cover the alias table. IssuerDirectory.WebService Program.cs wires the
IssuerDirectory host against the shared auth integration.
Scanner: WebService swaps in-memory score replay tracking for
PersistedScoreReplayRepositories (Postgres-backed) in Program.cs.
Docs: scanner architecture page updated.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Excititor: new migration 003_vex_claim_store.sql and PostgresVexClaimStore
replace the in-memory claim tracking. ExcititorPersistenceExtensions wires
the store; ExcititorMigrationTests updated. Archives S001 demo seed.
VexLens: new migration 002_noise_gating_state.sql with
PostgresGatingStatisticsStore, PostgresSnapshotStore, and
PostgresNoiseGatingJson bring noise-gating state onto disk. New
VexLensRuntimeDatabaseOptions + AuthorityIssuerDirectoryAdapter +
VexHubStatementProvider provide the runtime wiring. WebService tests cover
the persistence, the issuer-directory adapter, and the statement provider.
VexHub: WebService Program, endpoints, middleware, models, and policies
tightened; VexExportCompatibilityTests exercise the Concelier↔VexHub export
contract.
Docs: excititor, vex-hub (architecture + integration guide), and vex-lens
architecture pages updated to match the new persistence and verification
paths.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduces IGraphRuntimeRepository + PostgresGraphRuntimeRepository that back
runtime-path graph reads with real persistence. Graph.Api Program.cs wires
the new repository into the DI graph. InMemory* services get small cleanups
so they remain viable for tests and local dev.
CompatibilityEndpoints: extends the integration-test surface.
Tests: GraphPostgresRuntimeIntegrationTests,
GraphRuntimeRepositoryRegistrationTests, expanded
GraphCompatibilityEndpointsIntegrationTests.
Docs: graph architecture page updated.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ignore .codex-*.mjs scratch scripts used by Codex agents, the top-level
output/ scratch dir, and accidentally-created duplicate source trees
(src/src/ and src/Web.StellaOps.Web/) so they stop appearing as untracked.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
docs/modules/workflow/analyzer.md — user-facing reference for
WF001-WF006 + WF010: one section per rule with a "bad" example and
the canonical fix. Covers activation, scope (Spec property is the
entry point; helpers walked transitively), trusted-assembly prefix
rule, cross-project WF010 indirection, and non-goals (no source
generator, no severity config, no escape hatch).
The DiagnosticDescriptors' HelpLinkUri already points at sections in
this doc (e.g., #wf005), so users who hit a build error can click
through to the exact rule explanation.
Golden tests (GoldenWorkflowShapeTests) exercise three patterns
lifted from the Bulstrad corpus:
1. static readonly LegacyRabbitAddress fields + nested
WhenExpression(Gt, Len, ...) + .Call + OnComplete with
WhenExpression(Eq, ...) + ActivateTask/Complete
2. SetBusinessReference(new WorkflowBusinessReferenceDeclaration
{ KeyExpression, Parts = new WorkflowNamedExpressionDefinition[] { ... } })
3. WorkflowExpr.Func("bulstrad.normalizeCustomer", path)
— custom runtime function dispatch
Each asserts zero WF* diagnostics. A regression that rejects these
patterns would break the entire Serdica corpus.
30/30 tests pass.
WF006 catches reads of fields/properties on metadata-only types.
This closes a real hole: `WorkflowExpr.Number(DateTime.UtcNow.Year)`
would previously bake the build-time year into the canonical JSON,
because property reads on DateTime (System.Private.CoreLib) weren't
detected — only method calls were (WF003).
Allowed:
* `IsConst` fields on any type (compile-time literal, no runtime
state): `int.MaxValue`, user `public const string Route = "/x"`.
* Static readonly fields/properties on types in current compilation
or project-ref source (walkable): `SharedAddresses.QueryAddress`.
* Builder members: `WorkflowFlowBuilder<T>.Something` — trusted
containing assembly prefix.
Not allowed (WF006):
* `DateTime.UtcNow`, `DateTime.Now.Year`, `Environment.MachineName`,
`Guid.NewGuid` (method, WF003), any non-const NuGet/BCL member.
Two related fixes to avoid false positives exposed by the new tests:
* `nameof(X.Y)` — the analyzer now short-circuits inside `nameof`
invocations. The argument tree has no runtime semantics; walking
it would otherwise flag its internal member-access chain.
* `someFunc()` where `someFunc` is a delegate variable — invoking
a delegate resolves to `Func<T>.Invoke` / `Action.Invoke` in
System.Private.CoreLib. That's a transparent dispatch, not a
foreign method call. The actual lambda body is walked inline, so
skipping the Invoke step is safe.
Tests: 27/27 pass (20 existing + 7 new covering WF006 positive and
negative cases including nameof + delegate invoke).
Corpus: Bulstrad 179-workflow plugin and the engine service still
produce 0 diagnostics.
The vendored copy of StellaOps.Workflow in Serdica uses a parallel
namespace (Ablera.Serdica.Workflow.Abstractions). The analyzer now
looks up well-known types in both namespaces and treats both
assembly-name prefixes (StellaOps.Workflow.* and
Ablera.Serdica.Workflow.*) as trusted leaves.
Activation still requires the Abstractions assembly to be in the
compilation; absent either namespace's IDeclarativeWorkflow<T>, the
analyzer is a no-op.
20/20 analyzer tests still pass.
Transparent C# compiler extension that rejects workflow code that
cannot be serialized to canonical JSON. Activates automatically when
a compilation references StellaOps.Workflow.Abstractions; no opt-in
needed in consumer projects.
Scope: walks the `Spec` property of every IDeclarativeWorkflow<T>
class plus transitively reachable helper methods. Same-compilation
and project-reference helpers are walked via DeclaringSyntaxReferences;
metadata-only calls are rejected since the analyzer cannot verify
their bodies.
Diagnostics (all Error severity):
WF001 imperative control flow (if/for/foreach/while/switch-stmt/
try/throw/lock/using/goto/yield/do)
WF002 async/await
WF003 call into non-trusted assembly (not StellaOps.Workflow.*,
not source-walkable)
WF004 object creation of non-trusted type
WF005 C# ?:, ??, ?. operators in workflow code
WF010 reachable helper contains WF001-WF005 violation (surfaced
at the call site with additional location in the helper)
Non-goals for v1: no source generator / compile-time JSON emission;
runtime WorkflowCanonicalDefinitionCompiler remains the single source
of truth for canonical JSON. Analyzer only validates.
Ships as a Roslyn component (netstandard2.0) under
src/Workflow/__Libraries/StellaOps.Workflow.Analyzer. Consumer
projects pick it up via ProjectReference; NuGet packaging deferred
until the allowlist stabilizes in-field.
Tests: 20/20 pass. Covers each rule positively, plus
negative cases (plain canonical workflow produces zero diagnostics,
code outside IDeclarativeWorkflow<T> is ignored, pure project-ref
helper walks cleanly, impure project-ref helper surfaces WF010).
BPMN is not a viable source format for Stella workflow definitions — the installed
canonical JSONs are generated from IDeclarativeWorkflow<T> C# specs, not from BPMN, and
BPMN cannot carry the typed metadata the canonical needs (startRequest.contractName,
schema, businessReference, initializeStateExpression, function-call references).
- Delete BpmnXmlSourceConverter + BpmnCanonicalMapping
- Drop BpmnXmlSourceConverter DI registration; comment updated
- Delete BpmnXmlSourceConverterTests; WorkflowSourceFormatRegistryTests no longer includes the BPMN converter in the ordering fixture
- Abstractions comments updated to stop referencing bpmn-xml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- WorkflowRetentionRunRequest: add RunningOlderThanDays / CompletedOlderThanDays
- WorkflowRetentionOverride record: carries pre-computed UTC thresholds through IWorkflowProjectionRetentionStore.RunAsync
- EntityFrameworkWorkflowProjectionRetentionStore: when override is set, also marks-stale by CreatedOnUtc and purges running/stale instances and completed rows by age — bypasses pre-computed StaleAfterUtc/PurgeAfterUtc so a single retention pass both marks AND purges matching rows
- WorkflowEndpoints: translate request days → WorkflowRetentionOverride with AddDays(-X)
- Postgres + Mongo projection stores: accept the new parameter (kept as a no-op for now — Oracle EF is the active projection)
- Hosted retention service: pass cancellationToken by name so the new optional override param doesn't shift positional args
- Tests: add 3 overrides cases to WorkflowRetentionServiceTests (RunningOlderThan, CompletedOlderThan, without-override smoke); NoopWorkflowProjectionRetentionStore fixture updated to the new signature — 5/5 pass
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Mirror of the Ablera-side contract fix. sc-table-view's REST body sends
`{filters: [...], page, pageSize, sortModel: {prop, direction}}`; renaming the contract
field from `Sort` to `SortModel` and adding an ignored `Filters` collection lets the gateway's
NJsonSchema validator accept the body instead of 400-ing on "Unsupported node" for all 4 keys.
- Rename `Sort` → `SortModel` on 4 list requests (definitions, instances, tasks, dead-letters).
- Add `IReadOnlyCollection<object>? Filters` on the same 4 requests.
- Update store-layer consumers (`ResolveDeadLetterOrderBy`, `BuildDeadLetterSort`,
`ApplyInMemorySort`, projection-store sort helpers) to read `request.SortModel`.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Contracts: four list requests + dead-letter request gain optional `Page` and
`PageSize` (1-based) alongside existing `Skip`/`Take`. When both are > 0 the
server derives `Skip = (Page - 1) * PageSize` and `Take = PageSize`, taking
precedence over explicit Skip/Take. Matches the payload shape sc-table-view
emits natively, so clients don't need a beforeRequest shim to compute skip/take.
- Projection store's GetTasksAsync / GetInstancesAsync gain a `ResolveSkipTake`
helper with the new precedence. Dead-letter drivers (Postgres, MongoDB,
OracleAq) apply the same precedence at the top of `GetDeadLettersAsync` /
`GetMessagesAsync`.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New shared `WorkflowSortModel { Prop, Direction }` record; 4 list requests
gain an optional `Sort` property and the dead-letter request gains `Skip/Take`
plus `TotalCount` on the response. Matches the `sortModel: { prop, direction }`
convention that sc-table-view emits, so client payloads bind directly.
- `WorkflowSortExpressions` whitelist helper (public) applies sort on instance
and task queries with a PK tie-breaker for stable pagination. Unknown columns
raise `BaseResultException(WorkflowSortColumnNotAllowed, ...)` rather than
leaking into the ORDER BY. Projection store picks up the helper on both the
instance and task list paths.
- Dead-letter stores uplifted per driver:
* PostgreSQL: OFFSET/LIMIT + whitelisted ORDER BY, separate COUNT(*) query.
* MongoDB: Skip/Limit/Sort builder + CountDocumentsAsync for total.
* Oracle AQ: browse to a 500-cap, filter+sort+page in process, TotalCount =
post-filter length (queue-browse can't offset/sort natively).
- New StellaOps.Workflow.Engine.Tests cover the sort helper whitelist + tie-
breaker behaviour; all 9 tests pass alongside the 24 earlier converter +
OnComplete tests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Introduce IWorkflowSourceFormatConverter + IWorkflowSourceFormatRegistry
in Abstractions, with CanonicalJson / CanonicalYaml / CanonicalBundle (ZIP)
/ BpmnXml converters registered via DI.
- WorkflowDefinitionDeploymentService gains ImportMultiAsync, ExportMultiAsync,
GetSupportedFormats, and GetRenderGraphAsync. GetDefinitionByIdAsync now
checks the runtime catalog first (source="catalog") and falls back to the
persistent store (source="store"); ExportMultiAsync synthesises a record
from the catalog when the store has no entry.
- WorkflowRenderGraphCompiler grafts each task's OnComplete sequence after
the task node (fixes the 3-node diagram bug), and reactivations of an
already-rendered task draw a loop-back edge (reopen pattern).
- WebService adds GET /api/workflow/definitions/{id}/render-graph,
GET /api/workflow/supported-formats, POST /api/workflow/definitions/import-multi,
POST /api/workflow/definitions/export-multi.
- Contracts: new Source field on WorkflowDefinitionByIdResponse and the
render-graph / multi-format request+response records.
- Test coverage: WorkflowSourceFormatRegistryTests, format-specific converter
tests (JSON/YAML/Bundle/BPMN), and WorkflowRenderGraphCompilerOnCompleteTests
covering OnComplete grafting and the reopen loop-back guard.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rewire the setup wizard UI to the persistent session endpoints:
resume-aware state service, truthful step status (draft / applying /
applied / failed), and wizard shell that no longer treats
test-connection as completion. Refresh the integrations hub to expose
Secrets / Feed Mirrors / Object Storage categories and align the
onboarding wizard validation with the backend contract for
optional-auth local connectors.
Modernize the release-orchestrator environments pages against the new
environment/target API (models + client), plus adjacent navigation,
route-surface, and test-surface refresh. Add Playwright harnesses for
live setup-wizard bootstrap / integrations bootstrap / state truth
checks, and commit their evidence.
Closes UISETUP-* from SPRINT_20260413_003 and the UI-facing tasks of
SPRINT_20260413_004.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rework SetupCommandHandler to talk to the new persistent setup wizard
endpoints (list/resume sessions, run individual steps, surface real
apply state) instead of the previous optimistic session flow, and add
BackendOperationsClient + SetupModels to encapsulate the on-wire
contracts. Add IntegrationsCommandGroup so the CLI can exercise the
same integration onboarding surfaces the UI now uses.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add SecretAuthorityService + endpoints so the setup wizard and
integrations hub can stage secret bundles and bind authref URIs
directly from the UI, instead of requiring out-of-band Vault seeding.
Wire the new service behind IntegrationPolicies, expose
SecretAuthorityDtos on the contracts library, and register an
UpsertSecretBundle audit action for the emission library.
Closes BOOTSTRAP-006 from SPRINT_20260413_004.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add ReleaseOrchestratorEnvironmentEndpoints so the Platform setup wizard
can provision environments and targets against a real orchestrator
instead of in-process stubs. Add PostgresDeploymentCompatibilityStore
and migration 002_deployments.sql to persist deployment compatibility
state, plus ReleaseEnvironmentIdentityAccessor for identity envelope
propagation on env/script endpoints.
Extend Target / TargetConnectionConfig serialization to cover new API
enum values and add integration tests for persistence and
infrastructure registration.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the in-memory setup-wizard store with a Postgres-backed store
(migration 063_PlatformSetupSessions) so setup progress survives
service restarts and can be resumed truthfully. Split step semantics
into draft/provision/apply with real per-step validation instead of
optimistic pass results, and let Finalize mark setup complete only
after required steps have converged.
Add RemoteReleaseOrchestratorEnvironmentClient and
RemoteReleaseOrchestratorScriptService so the Platform WebService can
delegate environment and script provisioning to the ReleaseOrchestrator
service over HTTP with identity envelopes, instead of in-process stubs.
New integration tests cover resume, restart persistence, failed apply,
and finalize semantics, plus the remote clients.
Closes BOOTSTRAP-002 through BOOTSTRAP-005 from SPRINT_20260413_004.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The exact-path rule for /api/v1/setup matched only the bare path, so
sub-paths like /api/v1/setup/sessions fell through to the generic
/api/v1/{svc}/* rule and the gateway tried to dispatch to a synthetic
"setup" microservice. Swap the exact route for a prefix-aware route
that sends /api/v1/setup* to platform, add integration/smoke coverage,
and refresh the local frontdoor config accordingly.
Closes BOOTSTRAP-001 from SPRINT_20260413_004.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Integration hub: extends integration.models with fields needed by the wizard
(capabilities, credentials, readiness), updates the shell and list components,
adds routing for the new hub flow, and broadens the integration-list spec.
Integration wizard: new integrations-hub.component, extended wizard with
capability/credential handling, updated template + type models, and broader
spec coverage.
Sprint docs: SPRINT_20260413_003 (UI-driven local setup rerun) updated with
wiring notes; SPRINT_20260410_001 (no-mocks) adjusted. ReleaseOrchestrator
architecture doc gets a minor clarification.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- SPRINT_20260408_005_Audit_endpoint_filters_deprecation: FILTER-004, -006,
-008 marked DONE with commit 54e7f871a; FILTER-005, -007 DONE with
d4d75200c; FILTER-010 DONE with 665bd6db4. DEPRECATE-001/002/003 still
TODO with mandatory 30-day + 90-day wait windows; CAPSULE-001 stays
BLOCKED. Sprint cannot be archived until the verification windows pass.
- SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge: corrected VXLM-003
and VXLM-004 from DONE → DOING. Adapters still back VEX decisions,
fix verifications, and audit bundles with ConcurrentDictionary; the
VulnExplorer.Api and VulnExplorer.WebService project directories were not
deleted; migration 010 is present but unused. Execution log records the
finding; commit 414049ef8 message was misleading.
- SPRINT_20260408_004_Timeline_unified_audit_sink: scope confirmation logged.
AUDIT-002 through AUDIT-007 remain TODO (~15–25 hr breadth work); too
large for a single session. Sprint stays active.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
TASK-013: SchedulerPersistenceExtensions now calls AddStartupMigrations so
the embedded SQL files (including 007 job_kind + 008 doctor_trends) run on
every cold start. Deletes duplicate migrations 007_add_job_kind_plugin_config
(kept 007_add_schedule_job_kind.sql with tenant-scoped index) and
008_doctor_trends_table (kept 008_add_doctor_trends.sql with RLS + BRIN
time-series index).
TASK-010: Doctor UI trend service now calls
/api/v1/scheduler/doctor/trends/categories/{category} (was
/api/v1/doctor/scheduler/...) so it routes through the scheduler plugin
endpoints rather than the deprecated standalone doctor-scheduler path.
TASK-009: New DoctorJobPluginTests exercises plugin lifecycle: identity,
config validation for full/quick/categories/plugins modes, plan creation,
JSON schema shape, and PluginConfig round-trip (including alerts). 10 tests
added, all pass (26/26 in Plugin.Tests project).
Archives the sprint — all 13 tasks now DONE — and archives the platform
retest sprint (SPRINT_20260409_002) whose RETEST-008 completed via the
earlier feed-mirror cleanup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Platform: new ReleaseOrchestratorScriptService translates the Platform-level
script API surface into calls against the ReleaseOrchestrator scripts module
so clients that still target /api/scripts on Platform continue to work during
the transition. Program.cs wires the shim. ScriptApiModels gets a minor
contract alignment.
ReleaseOrchestrator: ScriptsEndpoints + ScriptRegistry + ScriptModels updated
to expose and persist script variables correctly. New integration test
(ScriptRegistryVariablePersistenceTests) covers the persistence round-trip;
new unit test (ReleaseOrchestratorScriptServiceTests) covers the Platform
shim behavior.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ignore Claude Code scheduler lockfile, Codex temp directory, Playwright CLI
cache, Concelier runtime export outputs, and Workflow plugin binary artifacts
so they don't show up as untracked on a clean workspace.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Updated auth state, report JSON, and screenshot snapshots captured from
the latest live-stack run of the mirror operator journey and front-door
auth flows. Includes tmp-feedmirror-auth/state fixtures used by the
feed-mirror UI verification path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds PowerShell helpers to seed the local Stella Ops stack with a working
GitLab + integrations configuration:
- bootstrap-local-gitlab-secrets.ps1 provisions GitLab's JWT signing secret
and admin PAT into Vault/Authority.
- register-local-integrations.ps1 POSTs the canonical integration records
(GitLab, Jenkins, Harbor, Gitea, Nexus, etc.) against the Integrations
service for first-run local environments.
Docs: INSTALL_GUIDE.md + integrations/LOCAL_SERVICES.md document the new
helpers. devops/compose README and router-gateway-local.json get the
corresponding route wiring. Two new sprint files track the follow-on work
(SPRINT_20260413_002, SPRINT_20260413_003).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Deletes the Angular seed client and trims feed-mirror.client.ts of its
fabricated responses (-579 lines), letting the real backend drive the UI.
app.config.ts drops the mock provider bindings. Simplifies usage settings
page to read from real platform data. Setup wizard, command palette, and
keyboard-shortcuts components get small cleanups along with the
mirror-dashboard search model trim.
Closes NOMOCK-002.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Platform: extends ReleaseOrchestratorCompatibilityIdentityAccessor to pass
tenant-aware identity through the compatibility shim and updates Program.cs
wiring accordingly. Authority: StellaOpsLocalHostnameExtensions emits more
service aliases (scheduler/doctor/findings/graph/timeline/vexhub/etc.) so
local bearer-audience validation succeeds for services addressed via their
short hostname inside the container network.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduces persistent stores for the ReleaseOrchestrator.Environment module:
PostgresEnvironmentStore, PostgresRegionStore, PostgresTargetStore,
PostgresFreezeWindowStore, PostgresInfrastructureBindingStore,
PostgresTopologyPointStatusStore, PostgresPendingDeletionStore, and
PostgresTopologyAgentCatalog. New migration 004_runtime_storage_alignment.sql
aligns column naming with runtime expectations. Adds a
SocketTargetConnectionTester for real TCP probes and a
ScriptCompatibilityEvaluator with its integration test companion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replaces the in-memory mirror config and domain stores with
PostgresMirrorManagementStores backed by a new migration (006) that adds the
mirror_domains, mirror_configs, bundle_versions, and version_locks tables
under the concelier schema. Adds FeedMirrorManagementEndpoints that consumes
the real stores and returns empty / problem responses when no state exists
rather than fabricating demo payloads. Hooks ConcelierTopologyIdentityAccessor
so topology operations get tenant-aware identity from the request envelope.
Test suite updated with real-DB expectations.
Closes NOMOCK-003.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rewrites migration 002 to use ALTER TABLE ... IF EXISTS with per-column guards
and a data-migration DO block that backfills document_json/written_at/batch_id
from the older (tenant_id, data, created_at) layout when present. Updates
GraphChangeStreamProcessor + SavedViewsMigrationHostedService for the aligned
schema and extends the incremental processor tests for the new path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wraps ENUM type creation in findings.ledger schema with DO blocks that catch
duplicate_object so migration 001 can re-run on a partially-provisioned DB
without crashing. Minor corrections to 002 and 005 (syntax alignment).
Updates RLS contract + operations docs to reflect the replay-safe semantics.
WebService + persistence csproj get the Infrastructure.Postgres migration
reference needed for StartupMigrationHost wiring.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Renames date-prefixed migrations (20260107_002, 20260408_003, 20260409_004)
to plain sequential numbers (002, 003, 004) to match the convention used by
other service migration directories. Adds TimelineCoreMigrationCategoryTests
to verify the unified-audit migration registers under the correct category
for the StartupMigrationHost transaction classifier.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds MigrationSqlTransactionClassifier to recognize migration SQL that opens
its own transactions (BEGIN/COMMIT/ROLLBACK) so MigrationRunner can skip
wrapping those files in an outer transaction. StartupMigrationHost now surfaces
a MigrationCategory indicator for runtime-aligned bootstrap. Test harness
extended with an explicit-transaction fixture and execution scenario coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three Doctor trend endpoints (/trends/checks/{checkId}, /trends/categories/{category},
/trends/degrading) were missing the [FromServices] attribute on the
IDoctorTrendRepository? parameter, causing ASP.NET minimal-APIs to attempt model
binding from route/query instead of resolving from DI. Verified fix with HTTP 200
responses against all four trend endpoints via the gateway.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Drop FeedMirrorManagementEndpoints.cs (660 lines of seeded mock data)
as part of the no-mocks initiative. Feed mirror state will be served
from real source/read-model queries.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Scripts module now owns its PostgreSQL schema lifecycle: ScriptsPostgresOptions,
ServiceCollectionExtensions.AddReleaseOrchestratorScripts(), embedded SQL migration,
and MigrationServiceExtensions fix to register multiple IHostedService migrations
without deduplication. Fresh installs auto-converge the scripts catalog without
depending on Scheduler-owned bootstrap SQL.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GetBySnapshotIdAsync and ListBySourceIdAsync provide the read-model
queries needed to replace seeded feed-mirror responses with real state.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
StandardPluginBootstrapper now retries up to 15 times (2s delay) so the
admin user and client seeds converge after PostgreSQL becomes reachable.
Exceptions bubble through the retry loop instead of being swallowed per-step.
Tests cover the retry path with a FlakyUserRepository that fails once then
succeeds.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Mount router-gateway-local.json as appsettings.json (not appsettings.local.json)
so it fully replaces the baked-in config instead of merging. Add Node, Transports,
Routing, and OpenApi sections to make the file self-contained. Test validates all
required top-level sections are present.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
DoctorTrendEndpoints used IDoctorTrendRepository and TimeProvider as
MapGet handler parameters without [FromServices], causing ASP.NET to
infer them as body parameters — crashing the scheduler on startup with
"Body was inferred but the method does not allow inferred body parameters."
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
