chore(deps): bump .NET 10 + MAF + Aspire to latest patches#18
Merged
Conversation
Extract SignupValidation static helper consumed by both Blazor Signup page and /tenants/register endpoint so form-side and server-side rules cannot drift. Slug regex per plan: lowercase, internal hyphens only, 1-32 chars. Password: ≥12 chars + upper/lower/digit/symbol. Email via MailAddress round-trip. 16 new test cases. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Wire MailHog into Aspire AppHost (SMTP 1025, UI 8025) and point the realm smtpServer block at it. Set realm verifyEmail:true so unverified users cannot log in. KeycloakAdminClient: when sendVerifyEmail flips on, leave emailVerified=false and trigger Keycloak's execute-actions- email; for self-signup (password supplied) the action list drops UPDATE_PASSWORD and keeps only VERIFY_EMAIL. Signup page now passes sendVerifyEmail:true and lands on /signup/verify-email with a hint pointing dev users at MailHog. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ITenantSignupService dispatches invite / slug / auto-create by request
shape. Keycloak-first ordering so a registry-row failure can roll back
the Keycloak user (new DeleteUserAsync on the admin client).
Invitations are stateless DataProtection time-limited tokens — no DB
table — issued by /tenants/{id}/invitations (admin) and decoded by
/tenants/invitations/preview (public). Trade-off: tokens cannot be
revoked before TTL; keep TTL short for high-trust environments.
Signup page now accepts ?invite=<token>, pre-fills the email from the
invitation, and the Workspace ID field becomes optional (blank →
auto-generated slug). 7 new service tests + saga rollback verified
via NSubstitute.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the four red flags called out in the Epic D plan: 1. agentic-web client: directAccessGrantsEnabled flipped to false so Keycloak no longer accepts ROPC on the code-flow client. 2. RequireHttpsMetadata defaults to true; only flipped off in appsettings.Development.json. Same change in JwtAuthExtensions. 3. Cookie SecurePolicy = Always in non-Development, SameAsRequest in Development (Aspire pins http://localhost:5180 there). 4. agentic-web-dev-secret and admin/admin no longer hardcoded in any .cs file. AppHost surfaces them as Aspire Parameters with dev defaults in appsettings.json; Web Program throws at startup if ClientSecret is missing outside Development. Standalone `dotnet run --project src/AgentOs.Web` now expects user-secrets to supply the dev secret (Aspire AppHost injects it automatically). grep agentic-web-dev-secret\|admin/admin --include=*.cs → no matches. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds GET /tenants/{id}/members guarded by Admin policy AND a runtime
ITenantContext match (so an Admin in tenant A cannot list tenant B).
KeycloakAdminClient gains ListUsersByTenantAsync — paged GET + client-
side filter on the tenant attribute, plus a follow-up role-mappings
fetch per user. Bounded by max=200 for v1; larger realms need a
server-side q-search rewrite.
Two new Razor pages under /admin: Members.razor lists the tenant
roster and mints DataProtection invitation URLs (admin pastes them
into chat/email); Settings.razor shows tenant id + name + created-at
read-only.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
New IAuditLog (EF + Null impls) writes append-only rows to
tenants.audit_events for signup-completed, tenant-created, member-
invited, and invitation-minted actions. Writes are best-effort —
audit failure logs a warning but never breaks the surrounding flow.
Reads are tenant-scoped at the repository, then re-checked at the
endpoint against ITenantContext (Admin in tenant A cannot peek at
tenant B's trail).
GET /tenants/{id}/audit + /admin/audit Razor page show newest-first
rows. login.failed action is reserved for a follow-up — wiring it
through cookie / JWT events lands separately.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
KeycloakAdminClient: 4 tests for DeleteUserAsync (no-content, 404 swallowed, 500 throws) and ListUsersByTenantAsync (filter + role-mapping fetch). HttpTenantContext: 5 tests for the claims projection — missing-claim default, normal user, role flattening, IsAdmin off-by-role, and the multi-value tenant claim edge case. Epic D delta now sits at ~32 new tests (validation 16 + signup service 7 + admin REST 4 + tenant context 5). Full unit suite stays green (218 passed, 5 skipped live-smoke). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Microsoft.Extensions.* 10.0.0 → 10.0.8 - Microsoft.Extensions.Http.Resilience 10.0.0 → 10.6.0 - Microsoft.Extensions.Logging.Abstractions 10.0.6 → 10.0.8 - Microsoft.AspNetCore.* (OpenIdConnect / JwtBearer / OpenApi / SignalR Client / DataProtection.Abstractions) 10.0.0 → 10.0.8 - Microsoft.EntityFrameworkCore (+ .Design / .InMemory) 10.0.0 → 10.0.8 - Npgsql.EntityFrameworkCore.PostgreSQL 10.0.0 → 10.0.2 - Microsoft.Agents.AI* 1.7.0 → 1.8.0 - Aspire.Hosting* 13.3.3 → 13.3.5 (Keycloak preview stays on 13.3.3) - Microsoft.Playwright 1.49.0 → 1.60.0 Three csproj files gain explicit Microsoft.EntityFrameworkCore + .Relational PackageReference at 10.0.8 — without the pin, MAF's transitive 10.0.4 wins the conflict resolution, ModuleLoader ReflectionTypeLoadException blows up loading Relational 10.0.8 from Npgsql 10.0.2. Deferred (major bumps, separate PR): - xunit.v3 1.1 → 3.2 - Microsoft.NET.Test.Sdk 17.13 → 18.6 - coverlet.collector 6.0.4 → 10.0.1 - JsonSchema.Net 7.x → 9.2.1 Build: 0 warnings, 0 errors. Tests: 218 passed, 5 skipped (live-smoke). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Change description
Mechanical NuGet bumps — safe patch / minor only. Major bumps (xunit v3 3.x, NET.Test.Sdk 18, coverlet 10, JsonSchema.Net 9) stay on a separate PR because they touch test surface.
Aspire.Hosting.Keycloakstays on13.3.3-preview.1.26264.13— its>=13.3.3floor is satisfied and no newer preview is published on that line.Why the EFCore pin
Microsoft.Agents.AI*pullsMicrosoft.EntityFrameworkCore10.0.4 transitively. Without an explicit project-level pin to 10.0.8, MSBuild picks 10.0.4 as the "primary" winner — but Npgsql 10.0.2 + EFCore.Design 10.0.8 deployMicrosoft.EntityFrameworkCore.Relational10.0.8 into the output folder, which then can't load Core 10.0.4 at runtime.ModuleLoader.DiscoverModulesblows up withReflectionTypeLoadException.Fix: explicit
<PackageReference>toMicrosoft.EntityFrameworkCore+.Relationalin the three modules that own a DbContext (AppConfig, Pipeline, Tenants). 0 warnings, 0 errors after.Type of change
Checklist
dotnet buildRelease: 0 warnings, 0 errorsdotnet test: 218 passed, 5 skipped (live-smoke)