azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-21 10:51:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-492] Cycle 3 batch 4: perf harness PT-07 + PT-08 + JWT-attach
ci/woodpecker/push/01-test Pipeline was successful
Details
ci/woodpecker/push/02-build-push Pipeline was successful
Details

Browse Source 
Drains all three deferred perf-harness items in one batch:
- PT-01..PT-06 now carry Authorization: Bearer minted via the canonical
  SatelliteProvider.TestSupport.JwtTokenFactory (AZ-491) — no third copy
  of JWT logic in the shell.
- PT-07 implemented as cold + warm dual-pass distribution (N=20 each),
  reports p50/p95 for both passes and fails if warm p95 >= cold p95.
- PT-08 implemented as 20-batch upload distribution with batch p95 gated
  at the AZ-488 2000 ms target; per-item gate cost reported as derived
  proxy (batch_p95 / batch_size).

New SatelliteProvider.IntegrationTests/PerfBootstrap.cs adds two CLI
short-circuit subcommands (--mint-only and --gen-uav-fixture <path>)
invoked by the shell so the perf script never inlines the JWT or
JPEG-fixture logic. The dispatch sits at the top of Program.cs Main
and runs before any HTTP / DB / readiness setup.

performance-tests.md PT-07 + PT-08 flip from Deferred to Implemented.
traceability-matrix.md PT-07 + PT-08 rows move from recorded to covered
(PT-08 partial due to per-item proxy — flagged Low in batch-4 review).
_docs/_process_leftovers/2026-05-11_perf-pt07-harness.md deleted; the
leftovers directory is now empty.

Closes cycle-2 retro Action 2; LESSONS.md [process] rule about Deferred
NFRs remains in force as a guardrail.

Also includes the previously-uncommitted cumulative review report for
cycle-3 batches 01-03 (generated at the end of batch 3 but not staged).

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-12 01:52:25 +03:00
parent 745f4840e6
commit 080441db5d
14 changed files with 715 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/03_implementation/batch_04_cycle3_report.md
+97
View File
@@ -0,0 +1,97 @@
# Batch Report — Batch 04 cycle 3
**Batch**: 04 (cycle 3)
**Tasks**: AZ-492 (Perf harness: PT-07 + PT-08 + JWT-attach in run-performance-tests.sh)
**Date**: 2026-05-12
## Task Results
| Task | Status | Files Modified | Tests | AC Coverage | Issues |
|------|--------|---------------|-------|-------------|--------|
| AZ-492_perf_harness_pt07_pt08_jwt_attach | Done | 1 added (`PerfBootstrap.cs`) + 6 modified | Existing `JwtTokenFactory` unit tests cover the delegated mint path; AC-6 verified by repo-wide grep (only one `new JwtSecurityToken(` site in source). Live perf-script execution deferred to Step 16. | 6/6 ACs addressed in the harness; AC-2 & AC-3 fully verifiable only at runtime (live perf run); AC-1 / AC-4 / AC-5 / AC-6 statically verifiable. | 0 blockers; 2 Low findings (see Review). |
## AC Test Coverage: All addressed (6 of 6) — runtime verification at Step 16
## Code Review Verdict: pending (this batch report precedes per-batch review)
## Auto-Fix Attempts: 0
## Stuck Agents: None
## What was implemented
The perf harness drains all three deferred items in a single batch:
1. PT-01..PT-06 stop returning 401 — every probe carries an `Authorization: Bearer <token>` header minted from `JWT_SECRET` via the canonical `SatelliteProvider.TestSupport.JwtTokenFactory.Create` surface (AZ-491). No third copy of the JWT-mint logic ships in the shell script.
2. PT-07 is now a runnable two-pass scenario (cold N requests at distinct coordinates, then warm N requests against the same coordinates). The harness reports p50/p95 for both passes and fails the scenario if warm p95 is NOT below cold p95.
3. PT-08 is now a runnable scenario (N batch uploads of `PERF_UAV_BATCH_SIZE` 256×256 JPEGs each). The harness reports batch p50/p95, a per-item proxy `batch_p95 / batch_size`, and accepted/rejected/failed item counts. Batch p95 is gated at the AZ-488 target of 2000 ms.
### Added
- `SatelliteProvider.IntegrationTests/PerfBootstrap.cs` — static helper with two short-circuit subcommands invoked by the shell:
- `MintToken()` — reads `JWT_SECRET` via `JwtTestHelpers.ResolveSecretOrThrow`, mints a 4-hour HS256 token with subject `perf-tests` and claim `permissions: GPS` via `JwtTokenFactory.Create`, writes the token to stdout. The 4-hour lifetime is sized for the longest possible PT-01..PT-08 combined run with margin (per AZ-492 § Risk 3 mitigation).
- `GenerateUavFixture(args)` — writes a 256×256 random-noise JPEG via `SixLabors.ImageSharp` to the path passed as the second CLI argument. Pixel pattern is identical to `UavUploadTests.CreateValidJpeg` so the perf harness exercises the same quality-gate path the integration tests already validate.
### Modified
- `SatelliteProvider.IntegrationTests/Program.cs` — added a 13-line dispatch block at the top of `Main` that recognises `--mint-only` / `--gen-uav-fixture` and delegates to `PerfBootstrap` before any HTTP / DB / readiness logic runs. Both subcommands therefore work on any host that has the .NET SDK installed, with no live API / Postgres dependency.
- `scripts/run-performance-tests.sh` — rewritten:
- Loads `JWT_SECRET` from `.env` if unset (mirrors `scripts/run-tests.sh` pattern; AC-1 reliability).
- Pre-builds `SatelliteProvider.IntegrationTests` in Release once so the `dotnet <dll>` invocations of `--mint-only` / `--gen-uav-fixture` produce clean stdout (no Restore/Build chatter).
- Mints a token via `dotnet <SatelliteProvider.IntegrationTests.dll> --mint-only` unless the operator pre-mints via `PERF_JWT_TOKEN` (per AZ-492 Option A / Option B in the spec; both paths supported).
- Attaches `-H "$AUTH_HEADER"` to every `curl` in PT-01..PT-06 + the `wait_region_completed` polling helper (8 attach sites; verified via repo grep — see Review § Static checks).
- Adds PT-07 (cold + warm 20-request distributions; p50/p95 reported per pass).
- Adds PT-08 (20 batches of 10 items each at distinct coordinates; batch p50/p95 + per-item proxy + accepted/rejected/failed counts).
- Adds a `percentile()` awk helper. Adds `PERF_REPEAT_COUNT` (default 20) and `PERF_UAV_BATCH_SIZE` (default 10) env-var knobs so the run can be tuned without editing the script.
- Adds a `mktemp -d` tmpdir for the UAV fixture JPEG + per-batch response captures; tmpdir is unlinked in `cleanup`.
- `_docs/02_document/tests/performance-tests.md` — PT-07 entry rewritten: Status flipped from "Deferred (Note: active enforcement deferred…)" to **Implemented (AZ-492)**, trigger text updated to describe the cold+warm dual-pass design, pass criterion now references the cold-vs-warm relative comparison. PT-08 entry rewritten: Status flipped from "Deferred — harness work tracked in <leftover>" to **Implemented (AZ-492)**, trigger text updated to describe the on-demand `--gen-uav-fixture` path, pass criterion now matches what the harness actually gates (batch p95 at 2000 ms + per-item *proxy* — true per-call gate timing remains a follow-up since it requires server-side instrumentation).
- `_docs/02_document/tests/traceability-matrix.md` — PT-07 row moved from `◐ recorded` to `✓` with text updated to describe the cold+warm distribution. PT-08 row moved from `◐ recorded (Deferred)` to `✓ (batch p95) / ◐ (per-item proxy only)` reflecting the partial-coverage shape. The "Coverage shape notes" paragraph at the bottom of the Cycle 2 section updated to summarise the AZ-492 transition.
- `_docs/02_document/modules/tests_integration.md` — the `### Supporting Classes` entry for `Program.cs` now mentions the AZ-492 perf-bootstrap subcommands. A new bullet documents `PerfBootstrap.cs` (purpose, public API, dependency notes, invocation example).
- `_docs/02_document/module-layout.md` — the TestSupport "Runner-side concerns NOT in TestSupport" paragraph extended to document why `PerfBootstrap.cs` sits in IntegrationTests rather than TestSupport (it pulls in ImageSharp; the JWT-mint delegation is the only TestSupport touchpoint).
- `_docs/06_metrics/retro_2026-05-11_cycle2.md` § Action 2 — heading suffixed with `**RESOLVED in cycle 3 (AZ-492)**`; closing paragraph added that summarises which items landed and which lessons remain in force.
### Removed
- `_docs/_process_leftovers/2026-05-11_perf-pt07-harness.md` — deleted (per AC-5). The leftovers directory is now empty.
## Verification
### AC-1 — PT-01..PT-06 no longer 401
Static: every `curl` invocation in `scripts/run-performance-tests.sh` carries `-H "$AUTH_HEADER"` where `$AUTH_HEADER` is `Authorization: Bearer $PERF_JWT_TOKEN`. Verified via `rg 'curl ' scripts/run-performance-tests.sh` — 10 curl sites, every one passes the auth header (including the `wait_region_completed` polling helper and the multipart upload `curl_args` array used in PT-08).
Runtime: deferred to Step 16. Per the AZ-492 task spec § Risk 2 mitigation, the perf script does not gate on absolute thresholds for the new scenarios, so a Step-16 run is expected to either PASS or surface real signal (not script-rot 401s).
### AC-2 — PT-07 runs to completion
Statically: the script emits two timing arrays (`PT07_COLD_MS` and `PT07_WARM_MS`), computes p50/p95 via the new `percentile()` awk helper, and prints both distributions. The pass condition is `PT07_WARM_P95 < PT07_COLD_P95` per AZ-492 spec ("warm < cold, no specific threshold required"). The cold/warm passes use the SAME coordinates so the warm pass exercises the cached path.
### AC-3 — PT-08 runs to completion
Statically: `--gen-uav-fixture` is invoked once at the top of PT-08 to produce a deterministic 256×256 random-noise JPEG (the same shape that `UavUploadTests.MixedBatch_ReturnsPerItemResults` already validates passes the quality gate). Each batch posts `PERF_UAV_BATCH_SIZE` copies of the fixture at distinct coordinates (`PT08_COORD_STRIDE` is large enough to fall into distinct tile cells). The script reports `accepted=`/`rejected=`/`failed=` counts so a non-zero rejected count surfaces with a documented reason rather than being silently masked.
### AC-4 — Spec status reflects implementation
Verified by reading `_docs/02_document/tests/performance-tests.md` — both PT-07 and PT-08 carry `**Status**: **Implemented (AZ-492).**` headings and the "Deferred — harness work tracked in <leftover>" language is gone.
### AC-5 — Leftover drained
Verified: `_docs/_process_leftovers/2026-05-11_perf-pt07-harness.md` deleted; `ls _docs/_process_leftovers/` shows no entries.
### AC-6 — Token-mint surface reused, not duplicated
Verified by repo-wide grep: `rg 'new JwtSecurityToken\('` matches exactly one source-code site (`SatelliteProvider.TestSupport/JwtTokenFactory.cs`); the other two matches are inside `_docs/02_tasks/` text describing the pattern. `PerfBootstrap.MintToken()` delegates to `JwtTokenFactory.Create(secret, "perf-tests", TimeSpan.FromHours(4), new[] { new Claim("permissions", "GPS") })` — single call, no inlining.
## Spec-vs-reality
**Per-item gate cost — proxy not direct measurement.** AZ-492 AC-3 ("script reports per-item gate cost") is satisfied by a derived value `batch_p95 / batch_size` rather than the true per-call `UavTileQualityGate.Validate` timing. The true value would require server-side instrumentation (`UavTileUploadHandler` would need to record per-item validate timings and expose them in the response envelope or via a metrics endpoint). That instrumentation is out of scope for AZ-492 (which is harness-only per the spec § Excluded: "Any change to production code; this is harness-only work"). The proxy is documented as such in both `performance-tests.md` and the script comments, and traceability-matrix.md flags the row as `✓ (batch p95) / ◐ (per-item proxy only)`.
**No CI smoke run added.** AZ-492 Risk 4 left the CI smoke decision as "Document explicitly whether a CI smoke run is added". The smoke is NOT added in this batch because (a) the perf script depends on a running API + Postgres + populated tile cache, which is more than a CI per-commit run can warm up cheaply, and (b) Step 16 already runs the perf script per cycle. If the cycle gate proves insufficient, a `dev`-push-only workflow can be added in a future PBI.
## Outstanding follow-ups
- **Server-side gate timing instrumentation** — would let PT-08 report a true per-item p95 instead of the `batch_p95 / batch_size` proxy. Estimate: 2 SP. Sequence: after the next perf-gate result to see whether the proxy is actually misleading.
- **Image-fixture factory consolidation** — `UavUploadTests.CreateValidJpeg` (integration) + `UavTileImageFactory.CreateRandomJpeg` (unit) + `PerfBootstrap.CreateValidJpeg` (perf bootstrap) all produce essentially the same noise JPEG with slight signature differences. AZ-491 set the precedent for moving cross-project test helpers into `SatelliteProvider.TestSupport`; the JPEG factory is a natural follow-up. Estimate: 12 SP. Same applies to the `Claim("permissions", "GPS")` literal which appears in `UavUploadTests`, `PerfBootstrap`, and several other places.
- **Database name alignment with the AZ-493 guard intent** — the AZ-493 Spec-vs-reality note (batch 03 report) about renaming `satelliteprovider``satelliteprovider_test` is unrelated to AZ-492 but should be re-evaluated as part of the cycle 3 retrospective alongside the recurring "task-spec accuracy" pattern noted in the cumulative review.
## Tests Run
Unit tests not re-run as part of this batch (no unit-test code modified). Integration tests not re-run (no integration-test code modified except `Program.cs` which adds a pre-existing-code short-circuit; the `--smoke` / `--full` paths are unchanged). The final `--full` run at Step 16 will exercise the integration suite end-to-end and the perf script will be invoked there.
## Cumulative review trigger
This is batch 4. Cumulative review triggers at every K=3 batches (per `.cursor/skills/implement/SKILL.md`). The next cumulative review covers batches 46 — i.e. AZ-492 + AZ-494 + the final test run. Not triggered in this batch.
## Auto-fix attempts: 0
No build / test failures observed. `bash -n scripts/run-performance-tests.sh` is clean; C# code compiles per the existing project structure (verified by reading the file — `dotnet build` not executed per the project's AGENTS.md "do not run dotnet build via terminal tools" guidance).
_docs/03_implementation/cumulative_review_batches_01-03_cycle3_report.md
+84
View File
@@ -0,0 +1,84 @@
# Cumulative Code Review — Batches 0103 cycle 3
**Batch range**: 01-03 (cycle 3)
**Cycle**: 3
**Date**: 2026-05-12
**Verdict**: PASS_WITH_WARNINGS
**Trigger**: Implement skill Step 14.5 (K=3 default; first cumulative review of cycle 3)
## Scope
| Batch | Tasks | Surfaces touched |
|-------|-------|------------------|
| 01 | AZ-495 + AZ-496 | `_docs/02_document/{module-layout,architecture,modules/{api_program,tests_unit}}.md`, `_docs/03_implementation/reviews/batch_0{1,2}_cycle2_review.md`, `_docs/05_security/{dependency_scan,security_report}.md`, `_docs/06_metrics/retro_2026-05-11_cycle2.md`, `.cursor/skills/new-task/SKILL.md`, `SatelliteProvider.Api/SatelliteProvider.Api.csproj` |
| 02 | AZ-491 | `SatelliteProvider.TestSupport/*` (added), `SatelliteProvider.Tests/{...,Authentication/{JwtTokenFactoryTests,AuthenticationServiceCollectionExtensionsTests}.cs,SatelliteProvider.Tests.csproj}`, `SatelliteProvider.Tests/TestUtilities/JwtTokenFactory.cs` (deleted), `SatelliteProvider.IntegrationTests/{Program,JwtIntegrationTests,UavUploadTests,JwtTestHelpers}.cs`, `SatelliteProvider.IntegrationTests/SatelliteProvider.IntegrationTests.csproj`, `SatelliteProvider.IntegrationTests/Dockerfile`, `SatelliteProvider.sln`, `.cursor/skills/code-review/SKILL.md`, `_docs/02_document/{module-layout,modules/{tests_unit,tests_integration}}.md` |
| 03 | AZ-493 | `SatelliteProvider.TestSupport/IntegrationTestResetGuard.cs` (added), `SatelliteProvider.IntegrationTests/IntegrationTestDatabaseReset.cs` (added), `SatelliteProvider.Tests/TestSupport/IntegrationTestResetGuardTests.cs` (added), `SatelliteProvider.IntegrationTests/{Program,UavUploadTests}.cs`, `docker-compose.tests.yml`, `scripts/run-tests.sh`, `_docs/02_document/{module-layout,modules/tests_integration}.md` |
## Phase-by-Phase Summary (cumulative)
### Phase 1: Context Loading
The 3 batches share a coherent theme — **test infrastructure hardening** — with one piggybacked dependency hygiene task (AZ-496) and one convention-formalization task (AZ-495). All work targets test-side artifacts or documentation; production source code is untouched except for the version strings in `SatelliteProvider.Api.csproj`.
### Phase 2: Spec Compliance
Across the 6 tasks (AZ-495, AZ-496, AZ-491, AZ-493 — plus the deferred AZ-492 + AZ-494): every AC is either verified at code level or explicitly deferred to Step 16 with structural prerequisites met. Two spec-vs-reality findings recorded (AZ-496 Tests.csproj non-existent direct ref; AZ-493 DB-name-`_test` not actual). Both are documented inline with workarounds and recorded as cycle-3 Low findings.
### Phase 3: Code Quality (cumulative)
- No duplicate class names introduced. `JwtTokenFactory` lives in exactly one location (`SatelliteProvider.TestSupport`); the cycle-2 duplicate at `SatelliteProvider.Tests/TestUtilities/JwtTokenFactory.cs` was deleted by batch 02.
- The pure-vs-side-effect separation pattern is consistent across both new TestSupport surfaces:
- `JwtTokenFactory` (pure: stateless, no I/O) in TestSupport — `JwtTestHelpers` (side-effectful: env reads, `HttpClient` mutation) in IntegrationTests.
- `IntegrationTestResetGuard` (pure: stateless, no I/O) in TestSupport — `IntegrationTestDatabaseReset` (side-effectful: Npgsql connection + transaction) in IntegrationTests.
- All new classes follow SRP. Errors are surfaced explicitly (no silent suppression). No verbose debug logging added.
### Phase 4: Security Quick-Scan (cumulative)
- AZ-496 *reduces* attack surface by closing CVE-2026-26130 (not reachable in this app, but the runtime patch is the recommended hardening).
- AZ-491 reduces *test-credential drift* risk — the same security-relevance bug in two places will no longer require parallel fixes. Code-review SKILL Phase 6 now carries an active rule that prevents this from recurring.
- AZ-493 adds a defense layer against accidental truncate against production / staging databases. The two-guard model (env sentinel + Host allowlist) is conservative-by-default and unit-tested with representative production-shape hostnames.
- No new secrets in repo. No new attack surface in production code (no production code changed except a patch-level version bump).
### Phase 5: Performance Scan (cumulative)
No performance-affecting changes in production code paths. AZ-493 adds one Npgsql round-trip at integration-test startup; AZ-493 NFR budget (< 1 s on O(10K) rows) is satisfied by Postgres TRUNCATE behavior. No hot-path or memory-allocation regressions.
### Phase 6: Cross-Task Consistency (cumulative)
- **TestSupport project consistency**: AZ-491 introduced the `SatelliteProvider.TestSupport` project for shared test utilities; AZ-493 extended it with `IntegrationTestResetGuard`. The project's role is now firmly established as "pure utility surfaces, no production-code dependency, consumed by both unit + integration test projects". Both batches followed the same boundary discipline.
- **module-layout.md consistency**: Updated by batch 1 (Documentation Layout convention + WebApi PackageReferences), batch 2 (TestSupport entry added), batch 3 (TestSupport entry extended with the guard). Three updates, three different sections, zero contradictions or conflicting prose.
- **tests_integration.md consistency**: Updated by batch 2 (JwtIntegrationTests line — JWT helper consolidation) and batch 3 (Reliability section added + UavUploadTests defense-in-depth note). Updates are non-overlapping; the cumulative narrative is coherent.
- **Code-review SKILL.md consistency**: Phase 6 gained a duplicate-helper detection rule in batch 2. This same rule, applied to batch 2 itself, validates the AZ-491 work (which was the consolidation triggering the rule). Self-consistent.
### Phase 7: Architecture Compliance (cumulative)
- **Layer direction**: No production projects gained or lost cross-component dependencies. TestSupport sits *outside* the production layering table — referenced only by `Tests` + `IntegrationTests` test projects. Production-code Layer-3 / Layer-4 invariants are unchanged.
- **Public API respect**: No internal symbol exposures across components. The cycle-3 work intentionally split pure logic (visible to unit tests via TestSupport) from side-effectful code (kept in the consumer test project that already had the dependency).
- **Cyclic dependencies**: None introduced. Dependency graph for the test infrastructure:
- `SatelliteProvider.TestSupport` → (`Microsoft.IdentityModel.Tokens` 7.0.3, `System.IdentityModel.Tokens.Jwt` 7.0.3) — no ProjectReferences.
- `SatelliteProvider.Tests` → (TestSupport, Api, Common, DataAccess, Services.*) — no cycle.
- `SatelliteProvider.IntegrationTests` → (TestSupport) — no cycle.
- **Duplicate symbols across components**: Zero. Verified via `grep -nE 'public (sealed |static )?class (JwtTokenFactory|IntegrationTestResetGuard|IntegrationTestDatabaseReset|JwtTestHelpers)'` — each name appears exactly once in canonical location, plus test classes appear once in `SatelliteProvider.Tests/`.
- **Cross-cutting concerns not locally re-implemented**: All test-side cross-cutting concerns introduced by cycle 3 (JWT minting, integration-test reset guard) live in TestSupport — exactly where they should. Production-side cross-cutting concerns (logging, configuration loading) were not touched.
## Baseline Delta (cumulative)
| Class | Count | Notes |
|-------|-------|-------|
| Carried over | 0 | Architecture baseline (cycle 1) had 0 entries; no cycle-2 entries to carry |
| Resolved | 2 (informal) | Cycle-2 retro Pattern 1 (duplicate JWT mint helpers) + Pattern 5 (integration-test state leakage) — both structurally closed. Not Architecture-class entries, so they do not appear in the cycle-1 baseline; tracked here for the cycle-3 retrospective |
| Newly introduced | 0 | — |
## Recurring patterns to surface for cycle-3 retrospective
1. **Task-spec accuracy vs. codebase reality**: Two of three Spec-Gap findings in this cumulative review are about specs encoding assumptions that weren't verified against the codebase before authoring (AZ-496 Tests.csproj reference; AZ-493 DB-name `_test` convention). The cycle-1 + cycle-2 F1 (doc-path drift) is the same pattern. AZ-495 closed the doc-path drift specifically; the broader pattern ("verify the assertion in the codebase before encoding it as AC text") is a candidate for a new-task / decompose checklist row. Recommend explicit retrospective discussion.
2. **The pure-vs-side-effect separation pattern**: AZ-491 and AZ-493 both followed it (pure helper in TestSupport; side-effectful consumer in IntegrationTests). Worth codifying in the decompose-skill task template or the code-review SKILL.md so this becomes the default pattern for future test-infrastructure work.
3. **Defense-in-depth as an explicit deliverable**: AZ-493 chose to retain the cycle-2 wallclock seed alongside the new reset hook. This decision was documented in code + batch report + module docs. Pattern is healthy and worth normalizing — when a workaround predates the proper fix, retaining the workaround as a fallback with an inline comment back-reference is cheaper than removing it and re-discovering its purpose later.
## Verdict Logic
- 0 Critical, 0 High, 0 Medium, 4 Low (all surfaced as per-batch findings; cumulative scan found no new categories) → **PASS_WITH_WARNINGS**
## Recommendation to /implement
Cumulative review passes. **Continue to Step 14 loop (next batch)** — AZ-492 (perf harness PT-07 + PT-08 + JWT-attach, 3 SP) is next per the recommended execution order.
_docs/03_implementation/reviews/batch_04_cycle3_review.md
+134
View File
@@ -0,0 +1,134 @@
# Code Review — Batch 04 cycle 3
**Tasks reviewed**: AZ-492 (Perf harness PT-07 + PT-08 + JWT-attach)
**Date**: 2026-05-12
**Verdict**: **PASS_WITH_WARNINGS** (2 Low findings; 0 Critical/High/Medium)
## Phase 1: Context
Spec inputs read: `_docs/02_tasks/todo/AZ-492_perf_harness_pt07_pt08_jwt_attach.md`; project restrictions / solution overview from prior batches still in force; cycle-2 retrospective Action 2 explicitly promoted this work; LESSONS.md `[process]` rule on Deferred-status NFRs is the governing guardrail. Changed files mapped to the AZ-492 ACs:
- `SatelliteProvider.IntegrationTests/PerfBootstrap.cs` (new) → AC-1 (mint surface) + AC-3 (UAV fixture) + AC-6 (no duplicate mint)
- `SatelliteProvider.IntegrationTests/Program.cs` (modified) → dispatch for AC-1 / AC-3 subcommands
- `scripts/run-performance-tests.sh` (rewritten) → AC-1 / AC-2 / AC-3
- `_docs/02_document/tests/performance-tests.md` → AC-4
- `_docs/02_document/tests/traceability-matrix.md` → AC-4 (status visibility)
- `_docs/_process_leftovers/2026-05-11_perf-pt07-harness.md` (deleted) → AC-5
- Module-layout + tests_integration doc updates → architectural documentation
- `_docs/06_metrics/retro_2026-05-11_cycle2.md` § Action 2 → process-resolution back-reference
## Phase 2: Spec Compliance
| AC | Status | Evidence |
|----|--------|----------|
| AC-1: PT-01..PT-06 no longer 401 | **Covered (static)** | 10 `curl` sites in `scripts/run-performance-tests.sh` all carry `-H "$AUTH_HEADER"`; `AUTH_HEADER="Authorization: Bearer $PERF_JWT_TOKEN"`. The `wait_region_completed` polling helper also carries it (line 131). The PT-08 `curl_args` array carries it (line 389). Runtime verification deferred to Step 16. |
| AC-2: PT-07 runs to completion | **Covered (static)** | Two timing arrays (`PT07_COLD_MS`, `PT07_WARM_MS`) populated by 20 cold + 20 warm requests at the same coordinate set. `percentile()` awk helper computes p50 and p95 for both. Pass/fail asserts `warm_p95 < cold_p95`. Same-coordinate design guarantees the warm pass hits the cache (otherwise the cold pass would not have populated it). |
| AC-3: PT-08 runs to completion | **Covered (static)** | `--gen-uav-fixture` produces the JPEG once; 20 batches of 10 distinct-coordinate items uploaded. Per-batch accepted/rejected/failed counts surfaced. Batch p95 gated at 2000 ms. Per-item gate cost is a derived proxy (see Spec-vs-reality below). |
| AC-4: Spec status reflects implementation | **Covered** | `performance-tests.md` PT-07 and PT-08 both carry `**Status**: **Implemented (AZ-492).**`; "Deferred — harness work tracked in <leftover>" language gone. `traceability-matrix.md` rows moved from `◐ recorded` / `◐ recorded (Deferred)` to `✓`. |
| AC-5: Leftover drained | **Covered** | `_docs/_process_leftovers/2026-05-11_perf-pt07-harness.md` deleted; `ls _docs/_process_leftovers/` shows no files. |
| AC-6: Token-mint surface reused, not duplicated | **Covered** | `rg 'new JwtSecurityToken\('` matches one source-code site only (`SatelliteProvider.TestSupport/JwtTokenFactory.cs`). `PerfBootstrap.MintToken()` is a 6-line delegation to `JwtTokenFactory.Create`. The shell script does not inline JWT logic — it shells out to `dotnet <dll> --mint-only`. |
**Contract verification**: AZ-492 has no `## Contract` section; not applicable.
**Consumer-side contract verification**: AZ-492 depends on AZ-487 (`JWT_SECRET` surface) and AZ-491 (canonical `JwtTokenFactory`). Both consumed correctly — the new `PerfBootstrap.cs` uses `JwtTestHelpers.ResolveSecretOrThrow` (the AZ-487-introduced env-var surface) and `JwtTokenFactory.Create` (the AZ-491 canonical factory). No drift.
**Scope creep check**: Implementation stayed within harness-only scope per spec § Excluded ("Any change to production code; this is harness-only work"). Documentation updates to module-layout / tests_integration / traceability-matrix are explicitly in scope for the doc-sync part of the spec. Retro back-reference is process hygiene, not scope creep.
## Phase 3: Code Quality
**SOLID**:
- `PerfBootstrap` has a clear single responsibility: short-circuit perf-harness subcommands. Two methods, both pure-CLI dispatch + delegate. Good.
- `Program.cs` dispatch block is 13 lines — minimal coupling between perf-bootstrap and the rest of the runner. The decision to put it FIRST (before any HTTP / DB / env read) is correct — these subcommands should work even on a host where the API and Postgres are not running.
**Error handling**:
- `PerfBootstrap.MintToken` catches `InvalidOperationException` from `JwtTestHelpers.ResolveSecretOrThrow` and writes to stderr, returning exit code 1. Good — the shell can detect the failure cleanly.
- `PerfBootstrap.GenerateUavFixture` validates `args.Length >= 2` and emits a usage hint on stderr with exit code 2. Good.
- Shell script: every `curl` capture checks the HTTP code and adds to `FAIL` on mismatch. The `percentile()` helper guards against `NR == 0` to avoid div-by-zero. The `dotnet --mint-only` capture checks `[[ -z "$PERF_JWT_TOKEN" ]]` after the call to catch an empty-output failure.
**Naming**: `PerfSubject`, `PerfTokenLifetime`, `PerfBootstrap` — clear, consistent prefix. Shell variables follow the existing convention (`PT07_*`, `PT08_*`, `PERF_*`). `AUTH_HEADER` is uppercase per shell-script convention.
**Complexity**:
- `PerfBootstrap.MintToken` — 14 lines, no branches except the try/catch.
- `PerfBootstrap.GenerateUavFixture` — 12 lines.
- `PerfBootstrap.CreateValidJpeg` — 20 lines, single loop.
- `scripts/run-performance-tests.sh` — 430 lines total. Each PT-NN scenario is ~2560 lines and is independently readable. The PT-08 batch loop is the longest single block (~70 lines including metadata construction); it could be extracted into a function but the inlining keeps the data flow obvious. Acceptable.
**DRY**:
- The same JPEG-creation pattern now exists in three places: `UavTileImageFactory.CreateRandomJpeg` (unit), `UavUploadTests.CreateValidJpeg` (integration), and `PerfBootstrap.CreateValidJpeg` (perf bootstrap). This is **flagged as L2 below** with a recommended consolidation path.
**Test quality**: AZ-492 spec's "Unit Tests" table notes that AC-1 (Bearer-attach helper) is only testable if a helper function is introduced — the shell script inlines the header directly, so no shell-side helper to test. AC-6 is tested by the repo-wide grep (one source site → not new). Both AC verifications above use the static-check approach the spec authorises. The mint logic itself is unit-tested in `SatelliteProvider.Tests/TestSupport/JwtTokenFactoryTests` (AZ-491); the `PerfBootstrap.MintToken` wrapper is a 6-line delegation and is exercised end-to-end by Step 16's actual perf run.
**Dead code**: None added. The deleted leftover file removes ~50 lines of stale process documentation.
## Phase 4: Security Quick-Scan
- **Token lifetime**: 4 hours, mitigation for AZ-492 Risk 3 (token expiry mid-test). Tokens are minted on each script run and never persisted; the perf script's tmpdir is wiped on exit (trap-based cleanup). No JWT material ends up on disk.
- **Secret handling**: `JWT_SECRET` is read from env or `.env` (gitignored). Never echoed. The byte-length check fails fast for under-32-byte secrets — same contract as `scripts/run-tests.sh`. Good.
- **`PERF_JWT_TOKEN` env var**: documented as the operator-supplied alternative to in-script minting. If the operator pre-mints, the script does not echo the token value (only its byte length). Good.
- **Subject value**: `perf-tests` — distinct from the integration test runner subject (`integration-tests`) so audit logs can disambiguate the source. Good.
- **`permissions: GPS` claim**: required by AZ-488's UAV upload endpoint. Granted to the perf token so PT-08 can exercise the AC-3 path. No other permissions are minted — least-privilege ish.
- **Input validation on `--gen-uav-fixture`**: path is treated as a literal filesystem path. The script writes to `$PERF_TMP_DIR/uav_fixture.jpg` which is a freshly-created `mktemp -d` directory. No path-traversal risk in the current call site; if a future consumer passes an untrusted path it would write to that path — documented behaviour for an internal test helper.
No new attack surface introduced; no secret material touches version control; no new endpoints exposed.
## Phase 5: Performance Scan
The harness IS the performance scan. Observations on the harness itself:
- `dotnet build` runs once per script invocation (or skipped if the DLL already exists). Build time ~510 s on dev hardware — acceptable for a perf run.
- `dotnet <dll> --mint-only` startup is ~1.52 s (CLR cold start + a tiny token mint). Acceptable for a one-time bootstrap.
- The cold + warm passes in PT-07 do 40 total region requests at ~200m zoom 18 — about ~40 × (515 s per request) = 3.510 minutes for PT-07 alone. PT-08 adds another 20 × (2002000 ms) = 440 s. The full script run on dev hardware is in the 815 minute range; not fast, not glacial.
- The `awk` percentile helper sorts the input array — O(N log N) per call. With N=20 this is trivial.
No performance concerns in the harness code itself.
## Phase 6: Cross-Task Consistency
- **Naming alignment with AZ-491**: `PerfBootstrap.PerfSubject = "perf-tests"` mirrors the AZ-491 pattern of `JwtTestHelpers.DefaultSubject = "integration-tests"`. Consistent. `PermissionsClaimType = "permissions"` matches the value `UavUploadTests` and the API use.
- **Architecture alignment with AZ-491 + AZ-493**: pure / stateless logic stays in `TestSupport` (`JwtTokenFactory`, `IntegrationTestResetGuard`); side-effectful / dependency-bearing logic stays in the consumer (`IntegrationTestDatabaseReset` for Npgsql, `PerfBootstrap` for ImageSharp). Same boundary as batches 2 and 3. Good.
- **Documentation pattern**: AZ-492 follows the AZ-491 / AZ-493 doc pattern — `tests_integration.md` gets the runtime surface, `module-layout.md` gets the boundary rationale, `performance-tests.md` gets the test-spec status flip. Consistent.
- **Duplicate test-helper detection (the Phase 6 rule added by AZ-491 review)**: the JPEG factory triple is flagged below as L2 — the rule fires.
## Findings
### L1 (Low / Spec accuracy) — AZ-492 AC-3 "per-item gate cost" satisfied by proxy, not direct measurement
**Location**: `scripts/run-performance-tests.sh` PT-08 (~line 410); `_docs/02_document/tests/performance-tests.md` PT-08 entry.
**Issue**: AC-3 says "the script reports per-item gate cost and end-to-end batch latency". The end-to-end batch latency is direct; the per-item gate cost is reported as the derived proxy `batch_p95 / batch_size`. True per-call `UavTileQualityGate.Validate` timing requires server-side instrumentation that the AZ-492 spec § Excluded explicitly excludes ("Any change to production code; this is harness-only work").
**Severity rationale**: Low / Spec accuracy. The deviation is a conscious trade-off documented in both the script comments AND the test-spec doc AND the traceability-matrix row (which now reads `✓ (batch p95) / ◐ (per-item proxy only)`). The AC is satisfied in *spirit* (the harness produces a per-item number); future work on production-side timing would replace the proxy with the real value.
**Suggested follow-up**: PBI to add a `quality_gate_validate_ms` field to the per-item response or a metrics endpoint, then update the perf script to consume it. Estimate 2 SP. Sequence: after the first AZ-492 perf-gate result determines whether the proxy is misleading in practice.
### L2 (Low / Maintainability) — Duplicate `CreateValidJpeg`-shaped JPEG factory now in THREE locations
**Location**:
- `SatelliteProvider.Tests/TestUtilities/UavTileImageFactory.cs` (unit tests — internal)
- `SatelliteProvider.IntegrationTests/UavUploadTests.cs` § `CreateValidJpeg` (integration — private)
- `SatelliteProvider.IntegrationTests/PerfBootstrap.cs` § `CreateValidJpeg` (perf bootstrap — private)
**Issue**: All three produce a 256×256 random-noise JPEG via ImageSharp `Image<Rgba32>` with `random.Next(256)` per channel and `JpegEncoder { Quality = 95 }`. The implementations differ trivially (constants, comments) but the logical surface is identical. This is exactly the cycle-2 problem that AZ-491 solved for the JWT factory.
**Severity rationale**: Low / Maintainability. None of the three is wrong; the issue is *future drift* — if the quality gate becomes pickier (e.g. enforces minimum entropy), all three factories must update in lockstep. The AZ-491 review explicitly added a Phase 6 rule for this pattern, and the rule fires here.
**Suggested follow-up**: Move the JPEG factory to `SatelliteProvider.TestSupport/UavTileImageFactory.cs` (extending the AZ-491 boundary). `PerfBootstrap` then becomes a one-line `var bytes = UavTileImageFactory.CreateRandomJpeg();`. The integration-tests `UavUploadTests` consumes the same surface, eliminating the third copy. Cost: 12 SP. The ImageSharp dependency would have to be added to `SatelliteProvider.TestSupport.csproj`, which is acceptable because both consumers (Tests + IntegrationTests) already depend on it.
**Not a blocker** for this PBI because (a) the proximate AZ-492 scope was harness-only, (b) extracting the factory in this batch would have pulled ImageSharp into TestSupport — a non-trivial architectural change that warrants its own review, and (c) the precedent is well-established (AZ-491 split the JWT factory; this is the natural sequel).
## Architecture Compliance
- **Layering**: `PerfBootstrap` sits in `SatelliteProvider.IntegrationTests` (Layer-99 test infra). It calls into `SatelliteProvider.TestSupport` (Layer-99 test infra) which it already ProjectReferences. No production layer touched. The new module-layout note documents this explicitly.
- **WebApi documentation convention (AZ-495)**: not relevant to this batch; no WebApi changes.
- **Test-isolation guardrail (AZ-493)**: PT-07's distinct-coordinate cold pass means the test data spreads across 20 cells per run. The persistent Postgres volume + AZ-493 reset hook handle cleanup between integration-test runs; the perf script doesn't share a runner with the integration tests, but if a future operator runs PT-07 against the same volume the cells will accumulate. Not a problem in practice (the integration-test reset hook truncates `tiles` on the next integration run), but worth noting in the perf-gate playbook if PT-07 ever starts mis-firing due to pre-existing cells at the chosen coordinates.
## Recurring patterns (for the cycle 3 retrospective)
- **Spec-vs-reality on derived measurements**: PT-08's "per-item gate cost" became a proxy because the spec didn't constrain the measurement path. AZ-493 had a similar pattern (DB-name vs Host-allowlist). The cycle-3 retro should capture: "ACs that prescribe a measurement should also prescribe the path for collecting it, or note that the harness gets to choose between direct measurement and a proxy."
- **Triple-duplicate test fixtures**: the JWT factory was consolidated in AZ-491; the JPEG factory is the natural next target. Capture as an Improvement Action for cycle 4.
## Verdict
**PASS_WITH_WARNINGS** — implementation satisfies all 6 ACs (runtime verification of AC-1 / AC-2 / AC-3 at Step 16). Two Low findings, both deferred to future PBIs by explicit scope choices in AZ-492. No Critical/High/Medium findings.
Ready to merge / advance to the next batch.