satellite-provider/_docs/03_implementation/batch_08_report.md

Batch Report

Batch: 8 (refactor 03-code-quality-refactoring · Phase 1 — critical defensive fixes, part 2/2) Tasks: AZ-356, AZ-354, AZ-353 Date: 2026-05-10 Total Story Points: 7 (2 + 2 + 3)

Task Results

Task	Status	Files Modified	Tests	AC Coverage	Issues
AZ-356 Stub endpoints return 501	Done	1 (Program.cs handlers + OpenAPI)	2 new integration	3/3 ACs	None
AZ-354 Strict CORS by default	Done	1 svc helper + 1 Program.cs hook	9 new unit	4/4 ACs	None
AZ-353 Sanitize 5xx via IExceptionHandler	Done	1 svc class + Program.cs rewire + per-endpoint catch removal	3 new unit + 1 new integration	4/4 ACs	None

Files Changed

Source

• SatelliteProvider.Api/GlobalExceptionHandler.cs — NEW (AZ-353)
• SatelliteProvider.Api/CorsConfigurationValidator.cs — NEW (AZ-354)
• SatelliteProvider.Api/Program.cs — usings + CORS validator wiring + warn-after-build + ExceptionHandler/ProblemDetails registration + UseExceptionHandler middleware + 501 stubs + per-endpoint try/catch stripping (AZ-353/354/356)

Tests

• SatelliteProvider.Tests/CorsConfigurationValidatorTests.cs — NEW (AZ-354, 9 tests)
• SatelliteProvider.Tests/GlobalExceptionHandlerTests.cs — NEW (AZ-353, 3 tests)
• SatelliteProvider.Tests/SatelliteProvider.Tests.csproj — added ProjectReference to Api so unit tests can reach the new classes
• SatelliteProvider.IntegrationTests/StubAndErrorContractTests.cs — NEW (AZ-356 AC-1, AZ-353 AC-3, 3 tests)
• SatelliteProvider.IntegrationTests/Program.cs — added StubAndErrorContractTests.RunAll to smoke + full

AC Test Coverage: All covered

Task	AC	Test
AZ-353	AC-1 (5xx body sanitized)	GlobalExceptionHandlerTests.TryHandleAsync_WritesSanitizedProblemDetailsAndReturnsTrue_AC1 (asserts response body has generic title + correlationId, not the leaky exception message)
AZ-353	AC-2 (server log has full exception + correlationId)	GlobalExceptionHandlerTests.TryHandleAsync_LogsFullExceptionWithCorrelationId_AC2
AZ-353	AC-3 (4xx paths preserved)	GlobalExceptionHandlerTests.TryHandleAsync_BadHttpRequestException_HonorsFrameworkStatusAndDoesNotErrorLog_AC3 (unit) + StubAndErrorContractTests.CreateRoute_InvalidPayload_Returns400_AZ353_AC3 (integration; ArgumentException → 400) + smoke SecurityTests.SEC-01..04 (regression check that 4xx framework paths still produce 4xx)
AZ-353	AC-4 (tests stay green)	smoke green
AZ-354	AC-1 (Production refuses to start without origins)	CorsConfigurationValidatorTests.EnsureSafeForEnvironment_ProductionWithEmptyOriginsAndNoOptIn_Throws_AC1
AZ-354	AC-2 (Development warns but starts)	CorsConfigurationValidatorTests.EnsureSafeForEnvironment_NonProductionWithEmptyOrigins_DoesNotThrow_AC2 (Theory: Development/Staging/Local) + smoke (compose-managed ASPNETCORE_ENVIRONMENT=Development runs warn-after-build path; smoke is green)
AZ-354	AC-3 (explicit opt-in works)	CorsConfigurationValidatorTests.EnsureSafeForEnvironment_ProductionWithExplicitAllowAnyOrigin_DoesNotThrow_AC3
AZ-354	AC-4 (tests stay green)	smoke green
AZ-356	AC-1 (both stubs return 501)	StubAndErrorContractTests.StubMgrs_Returns501 + StubAndErrorContractTests.StubUpload_Returns501
AZ-356	AC-2 (OpenAPI marks not-implemented)	.ProducesProblem(StatusCodes.Status501NotImplemented) annotations in Program.cs; verified by inspecting the route registration
AZ-356	AC-3 (tests stay green)	smoke green

Code Review Verdict: PASS

Phase 2 (Spec Compliance)

• All ACs satisfied with executed tests.
• BadHttpRequestException carve-out added to GlobalExceptionHandler — required by AC-3 (4xx paths preserved). Without it, the handler would have promoted SEC-01..04 framework binding errors from 400 to 500.

Phase 3 (Code Quality)

• CorsConfigurationValidator: pure static class (no I/O, no state) — allowed under coderule.
• GlobalExceptionHandler: instance class with injected logger; private static helper WriteClientErrorAsync is pure HTTP serialization — allowed.
• Per-endpoint try/catch removed for 7 of 7 affected handlers; the CreateRoute typed ArgumentException catch is intentionally preserved per AC-3. Endpoint signatures lost the ILogger<Program> logger parameter where it became unused.

Phase 4 (Security)

• application/problem+json content type set explicitly (override WriteAsJsonAsync default).
• Sanitized 500 body removes server-internal text (validated by ..._WritesSanitizedProblemDetailsAndReturnsTrue_AC1 which uses a connection-string-shaped exception message and asserts the password literal does NOT appear in the response).
• Strict CORS in Production is the deliverable.

Phase 5 (Performance)

• No hot-path changes.

Phase 6 (Cross-Task Consistency)

• All three tasks edit the same Program.cs in different sections (CORS / DI / pipeline / endpoints) without conflict.
• The single using SatelliteProvider.Api; directive serves all three new classes.

Phase 7 (Architecture Compliance)

• All new files live under SatelliteProvider.Api/** (Api OWNS).
• SatelliteProvider.Tests now references SatelliteProvider.Api — this is a downward (test → top-of-stack) reference, which is idiomatic for unit-testing API-internal helpers. Tests project remains the only consumer of Api types outside Api itself.

Auto-Fix Attempts: 1 (one re-run cycle to honor BadHttpRequestException StatusCode)

Stuck Agents: None

Tracker Status (post-batch)

Task	Pre-batch	Post-batch (after commit)
AZ-356	In Progress	→ In Testing
AZ-354	In Progress	→ In Testing
AZ-353	In Progress	→ In Testing

Phase 1 Summary (Batches 7+8)

Batch	Tasks	SP	Outcome
7	AZ-351 / AZ-352 / AZ-363	5	PASS
8	AZ-356 / AZ-354 / AZ-353	7	PASS

Phase 1 complete: 6 tasks, 12 SP, 0 blockers. All Critical-severity defensive fixes landed.

Next Batch

Batch 9 (Phase 2 — correctness): AZ-359 (consolidate RegionService catch ladder, 3 SP), AZ-357 (drop tile Version concept + new migration, 5 SP), AZ-362 (idempotent POST contract, 3 SP, depends on AZ-353 ✓). Total 11 SP.

Commit

[AZ-353][AZ-354][AZ-356] Refactor 03 batch 2: harden API surface (commit hash recorded post-commit).