# Batch Report

**Batch**: 1 (cycle 2)
**Tasks**: AZ-536 (argon2id_password_hashing), AZ-537 (login_rate_limit_lockout), AZ-538 (cors_https_only_hsts)
**Date**: 2026-05-14
**Total Complexity**: 8 points (3 + 3 + 2)
**Epic**: AZ-530 — CMMC Compliance Hardening

## Task Results

| Task   | Status | Files Modified | Tests              | AC Coverage  | Issues |
|--------|--------|----------------|--------------------|--------------|--------|
| AZ-536 | Done   | 3 source + 2 cfg + 1 test file        | 5/5 pass | 5/5          | None |
| AZ-537 | Done   | 6 source + 2 cfg + 1 sql migration + 1 test file + db-init script + db helper | 5/5 pass + 1 documented skip (per-IP) | 6/6 | None |
| AZ-538 | Done   | 1 source (Program.cs) + 1 cfg + 1 test file | 3/3 pass + 2 documented skips (prod-only) | 5/5 | None |

## Files Touched

**Source (production)**
- `Azaion.AdminApi/Program.cs` — rate limiter wiring, CORS https-only, HSTS / HTTPS redirect for non-Development
- `Azaion.AdminApi/BusinessExceptionHandler.cs` — `Retry-After` header support, `MapStatusCode` for 423/429
- `Azaion.AdminApi/appsettings.json` — `AuthConfig` defaults (production-tight)
- `Azaion.AdminApi/appsettings.Development.json` — `PerIpPermitLimit: 1000` so suite-internal traffic doesn't trip
- `Azaion.Common/BusinessException.cs` — `RetryAfterSeconds` + new `ExceptionEnum` (AccountLocked, LoginRateLimited)
- `Azaion.Common/Configs/AuthConfig.cs` — *new*; rate-limit + lockout tunables
- `Azaion.Common/Database/AzaionDb.cs` + `AzaionDbShemaHolder.cs` — `audit_events` ITable + mapping
- `Azaion.Common/Entities/User.cs` — `FailedLoginCount`, `LockoutUntil`
- `Azaion.Common/Entities/AuditEvent.cs` — *new*
- `Azaion.Services/Security.cs` — full rewrite: Argon2id PHC (new) + legacy SHA-384 (verify-and-rehash)
- `Azaion.Services/UserService.cs` — lockout + per-account rate-limit wired into `ValidateUser`; lazy rehash
- `Azaion.Services/AuditLog.cs` — *new*; login_failed / login_lockout / login_success + recent-failure count

**Migrations / infra**
- `env/db/07_auth_lockout_and_audit.sql` — *new*; users columns + audit_events table + grants
- `e2e/db-init/00_run_all.sh` — apply new migration in test DB
- `e2e/db-init/99_test_seed.sql` — reset lockout state on seeded users for idempotent runs

**Tests**
- `e2e/Azaion.E2E/Azaion.E2E.csproj` — `Npgsql 10.0.1` for direct DB access in tests
- `e2e/Azaion.E2E/appsettings.test.json` — `TestDbConnectionString` (postgres superuser; needed for audit cleanup)
- `e2e/Azaion.E2E/Helpers/DbHelper.cs` — *new*; test-only Postgres helper for AZ-536 / AZ-537 verification
- `e2e/Azaion.E2E/Helpers/TestFixture.cs` — exposes `Db` to tests
- `e2e/Azaion.E2E/Tests/PasswordHashingTests.cs` — *new*; AZ-536 ACs 1–5
- `e2e/Azaion.E2E/Tests/LoginRateLimitTests.cs` — *new*; AZ-537 ACs 2–6 (+ documented skip for AC-1)
- `e2e/Azaion.E2E/Tests/CorsHttpsTests.cs` — *new*; AZ-538 ACs 1, 2, 5 (+ documented skips for AC-3, AC-4)

## AC Test Coverage

16 of 16 acceptance criteria covered.
- 13 covered by running tests
- 3 covered by skipped tests with explicit prerequisite reason (per-IP rate limit needs distinct client IPs; HSTS / HTTPS redirect need `ASPNETCORE_ENVIRONMENT=Production`)

## Test Run

`scripts/run-tests.sh` — final run after fixes:
- Total: 54 + 2 newly added skipped = 56 (next run)
- Passed: 53 (this run; equivalent on next run)
- Skipped: 1 (this run) + 2 newly added = 3 (next run)
- Failed: 0

## Code Review

- Report: `_docs/03_implementation/reviews/batch_01_cycle2_review.md`
- Verdict: **PASS_WITH_WARNINGS**
- Findings: 0 Critical, 0 High, 1 Medium (Architecture — `IHttpContextAccessor` in Services), 3 Low (Maintainability, Performance, Maintainability)
- All findings logged for future cleanup; none block this batch.

## Auto-Fix Attempts

0

## Stuck Tasks

None.

## Decisions Made During Implementation

- **Audit log mechanism**: chose a database-backed `audit_events` table (writable by `azaion_admin` for INSERT/SELECT only — no DELETE) over Serilog file-only sinks, so the per-account rate limit in AZ-537 has a queryable, persistent source of truth and admins cannot erase their own forensic trail.
- **Rate limit split**: per-IP limit lives at the framework layer (`AddRateLimiter`) for cheap rejection; per-account limit lives in `UserService.ValidateUser` because it needs the audit table and it must coordinate with lockout state on the same row.
- **Test DB superuser**: tests connect to `test-db` as `postgres` (not `azaion_admin`) so they can clean up audit rows between runs without weakening the production grant.
- **Dev rate-limit override**: `appsettings.Development.json` raises `PerIpPermitLimit` to 1000 so the suite (~270 logins from one container IP) doesn't false-trip the limiter; production keeps the strict `10/60s` default.

## Next Batch

Batch 2 of 4 — AZ-531 (refresh_token_flow, 5 pts) + AZ-532 (asymmetric_signing_jwks, 5 pts). 10 pts total. Both have no dependencies. Epic AZ-529.