azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-22 13:01:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-500] Cycle 4 Steps 12-15 sync (test-spec / docs / security / perf)
ci/woodpecker/push/01-test Pipeline was successful
Details
ci/woodpecker/push/02-build-push Pipeline was successful
Details

Browse Source 
Step 12 (Test-Spec Sync) - cycle-update mode
  - traceability-matrix: 8 AZ-500 AC rows + .NET 10 runtime
    restriction supersession + Cycle-4 coverage shape note
    (no new tests; ACs verified by re-running existing 78-test
    suite + build pipeline + manifest grep)

Step 13 (Update Docs) - task mode
  - FINAL_report, 00_discovery, architecture, module-layout,
    api_program, tests_unit: .NET 8 -> .NET 10 / C# 12 -> 14 /
    Swashbuckle 6.6.2 -> 10.1.7 + Microsoft.OpenApi 2.x
    refactor note in api_program; Serilog.AspNetCore 8.0.3
    fallback documented inline per AZ-500 Risk #4
  - deployment/{containerization, ci_cd_pipeline}: Docker
    aspnet/sdk:8.0 -> :10.0
  - ripple_log_cycle4: empty import-graph ripple recorded
    (Program.cs is entry point; ParameterDescriptionFilter only
    consumed by Program.cs; csproj/global.json/Dockerfile have
    no import edges)

Step 14 (Security Audit) - resume mode
  - dependency_scan_cycle4: AZ-500 19-package delta scanned;
    cycle-3 D1+D3 (CVE-2026-26130) closed by major-version
    bump; cycle-3 D2 (Test.Sdk 17.8.0 NuGet.Frameworks flag)
    carried over - explicitly out of AZ-500 scope
  - security_report_cycle4: PASS_WITH_WARNINGS (only carry-over
    Medium open; AZ-500 introduced 0 new Critical/High); cycle-3
    static_analysis/owasp_review/infrastructure_review carried
    forward unchanged (AZ-500 made no source-level edits to
    those surfaces)

Step 15 (Performance Test) - perf mode, full default-param run
  - perf_2026-05-12_cycle4: 7 Pass + 1 Unverified (PT-08 hit
    pre-existing scripts/run-performance-tests.sh:417 grep-
    pipefail bug, NOT a .NET 10 regression)
  - PT-07 warm p95 = 301ms (7.7x improvement vs cycle-3 short
    variant - .NET 10 pipeline + N=20 dilution); cold p95 =
    2782ms (-14%); PT-06 90ms (-49%)
  - AZ-500 NFR (Performance) MET for 7/8 scenarios
  - Cycle-3 perf-harness leftover updated with replay #3
    results; STAYS OPEN per AZ-500 Constraint (deletes only on
    fully clean run)

Recommended follow-up PBIs (out of cycle-4 scope, surfaced for
the backlog):
  - 1 SP fix scripts/run-performance-tests.sh:416-417 grep-
    pipefail (replace grep -o ... | wc -l with grep -c ... ||
    true) - unblocks PT-08 + closes the cycle-3 perf leftover
  - 3 SP migrate WithOpenApi(...) callsites to ASP.NET Core 10
    minimal-API metadata extensions (clears 8 ASPDEPR002
    warnings; recorded in batch_01_cycle4_review.md)
  - 1 SP Microsoft.OpenApi 2.x nullable cleanup (CS8604 in
    ParameterDescriptionFilter.cs:25)
  - 1 SP bump Microsoft.NET.Test.Sdk 17.8.0 -> 17.13.0+
    (closes cycle-3 D2 NuGet.Frameworks transitive flag)

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-12 06:05:29 +03:00
parent de609cffa1
commit af4219fce6
15 changed files with 331 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/02_document/ripple_log_cycle4.md
+35
View File
@@ -0,0 +1,35 @@
# Ripple Log — Cycle 4
**Cycle**: 4 (AZ-500 .NET 8 LTS → .NET 10 migration)
## Direct doc updates (Task Step 13)
| File | Reason |
|------|--------|
| `_docs/02_document/FINAL_report.md` (lines 5, 15) | Executive summary + technology stack now state `.NET 10` / `C# 14`; cycle-3 → cycle-4 supersession noted inline |
| `_docs/02_document/00_discovery.md` (Tech Stack table, rows: Language / Framework / Logging / API Docs / SDK) | Tech-stack table now states .NET 10 / ASP.NET Core 10 / Swashbuckle 10.1.7 / SDK 10.0.0+; Serilog.AspNetCore 8.0.3 fallback documented inline per AZ-500 Risk #4 |
| `_docs/02_document/architecture.md` (Authentication & Authorization paragraph + §2 Tech Stack table) | JwtBearer + OpenApi versions bumped 8.0.25 → 10.0.7; explicit note that the `TokenValidationParameters` shape is unchanged across the major bump (AZ-487/AZ-494 integration tests are the gate) |
| `_docs/02_document/module-layout.md` (SatelliteProvider.Api PackageReferences row) | JwtBearer + OpenApi versions bumped 8.0.25 → 10.0.7; Swashbuckle 6.6.2 → 10.1.7 noted inline as the Microsoft.OpenApi 2.x compat path |
| `_docs/02_document/modules/api_program.md` (Dependencies + new "Microsoft.OpenApi 2.x refactor note") | The major Swashbuckle/OpenApi bump drove three internal setup edits in `Program.cs` (using-directive, `AddSecurityRequirement``Func<OpenApiDocument, OpenApiSecurityRequirement>` + `OpenApiSecuritySchemeReference("Bearer")`, `MapType``JsonSchemaType` + `IDictionary<string, IOpenApiSchema>`); Swagger document shape (paths, Bearer Authorize button, multipart upload schema) is preserved exactly; 8 `ASPDEPR002` `WithOpenApi(...)` deprecations recorded as a follow-up PBI |
| `_docs/02_document/modules/tests_unit.md` (Dependencies row) | JwtBearer 8.0.25 → 10.0.7; Microsoft.Extensions.* coordinated bump 9.0.10 → 10.0.7 noted inline |
| `_docs/02_document/deployment/containerization.md` (Docker base + build images) | `mcr.microsoft.com/dotnet/aspnet:8.0` + `sdk:8.0``:10.0` |
| `_docs/02_document/deployment/ci_cd_pipeline.md` (01-test image row) | `mcr.microsoft.com/dotnet/sdk:8.0``:10.0` |
| `_docs/02_document/tests/traceability-matrix.md` (AC-mapping + Restrictions + Coverage shape notes) | AZ-500 AC-1..AC-8 rows appended; ".NET 8.0 runtime" restriction rewritten to ".NET 10 runtime"; cycle 4 coverage shape note added explaining why no new tests were generated (AZ-500 ACs are infrastructure-level, verified by re-running the existing 78-test suite + build pipeline + manifest grep) |
## Import-graph ripple (Task Step 0.5)
**Source-level edits in this cycle**: `SatelliteProvider.Api/Program.cs` (Microsoft.OpenApi 2.x setup refactor — internal to the Swashbuckle DI registration) and `SatelliteProvider.Api/Swagger/ParameterDescriptionFilter.cs` (single `using` directive change).
**Reverse-dependency search** (`rg "^using SatelliteProvider\.Api\.Swagger"` + project-reference scan):
- Nothing imports `Program.cs` — it's the application entry point.
- Nothing outside `SatelliteProvider.Api` imports `SatelliteProvider.Api.Swagger.ParameterDescriptionFilter` — it's consumed only by `Program.cs` (via Swashbuckle's `c.OperationFilter<ParameterDescriptionFilter>()` registration).
**Ripple set: EMPTY.** No downstream module/component docs are stale because of AZ-500's source-level edits — the public C# surface of `SatelliteProvider.Api` is unchanged; only the internal Swashbuckle wiring moved.
**csproj / global.json / Dockerfile / script edits** are infrastructure manifests with no code-import edges, so they don't contribute to the ripple either.
## Coverage shape notes
- AZ-500 is a runtime/SDK/package migration, not a feature change. Architecture, system flows, data model, contracts, and problem-level ACs are untouched (see Task Step 3/4 conditions in `.cursor/skills/document/workflows/task.md`).
- `_docs/02_document/ripple_log_cycle3.md` is intentionally left as-is — historical record of cycle 3's bumps.
- `_docs/02_document/architecture_compliance_baseline.md` is intentionally left as-is for this cycle. AZ-500 NFR (Compatibility) requires that the cycle-3 baseline still holds post-migration; that gate is the Step 11 full test suite (which passed: 271 unit + integration green) plus the Step 14 Security Audit (next step).