chore(management): log debug-stream push failures; fix event-log filter docs; refresh stale SourceNode note (arch-review S5/C7/C8)

Claude-Session: https://claude.ai/code/session_01MtdgwpEeCUn6cUA5f1LMPj
This commit is contained in:
Joseph Doherty
2026-07-10 06:07:19 -04:00
parent d6bad1738e
commit 4887461b64
4 changed files with 25 additions and 5 deletions
+1 -1
View File
@@ -191,7 +191,7 @@ Other peers in the `scadaproj` family (see `scadaproj/CLAUDE.md` for details): `
- Cookie+JWT hybrid sessions: HttpOnly/Secure cookie carries an embedded JWT (HMAC-SHA256 shared symmetric key), 15-minute expiry with sliding refresh, 30-minute idle timeout. Cookies are the correct transport for Blazor Server (SignalR circuits).
- LDAP failure: new logins fail; active sessions continue with current roles.
- Load balancer in front of central UI; cookie-embedded JWT + shared Data Protection keys for failover transparency.
- Two-person MxGateway secured writes (M7): two new global roles — `Operator` (initiates) + `Verifier` (approves) — added alongside the canonical `Administrator`/`Designer`/`Deployer`/`Viewer`, with `RequireOperator`/`RequireVerifier` policies. An Operator submits a secured write from the Central UI Secured Writes page (`/operations/secured-writes`); it stays a `Pending` `PendingSecuredWrite` row until a *distinct* Verifier approves it (no-self-approval enforced server-side in the ManagementActor, plus a compare-and-swap race guard). Approval relays a `WriteTagRequest` to the site MxGateway; MxGateway-protocol connections only; each lifecycle event (submit/approve/reject/execute) emits a best-effort `AuditChannel.SecuredWrite` / `AuditKind.SecuredWrite*` central-direct-write row sharing the row id as `CorrelationId`. (SecuredWrite audit rows currently leave `SourceNode` NULL — a logged follow-up.) Pending secured writes expire server-side after a configurable TTL (`ManagementServiceOptions.SecuredWritePendingTtl`, default 24 h): an overdue `Pending` row is CAS'd to `Expired` (never relayed) — enforced at approve/reject and swept opportunistically on list (arch-review S2, `AuditKind.SecuredWriteExpire`).
- Two-person MxGateway secured writes (M7): two new global roles — `Operator` (initiates) + `Verifier` (approves) — added alongside the canonical `Administrator`/`Designer`/`Deployer`/`Viewer`, with `RequireOperator`/`RequireVerifier` policies. An Operator submits a secured write from the Central UI Secured Writes page (`/operations/secured-writes`); it stays a `Pending` `PendingSecuredWrite` row until a *distinct* Verifier approves it (no-self-approval enforced server-side in the ManagementActor, plus a compare-and-swap race guard). Approval relays a `WriteTagRequest` to the site MxGateway; MxGateway-protocol connections only; each lifecycle event (submit/approve/reject/execute) emits a best-effort `AuditChannel.SecuredWrite` / `AuditKind.SecuredWrite*` central-direct-write row sharing the row id as `CorrelationId`. (SecuredWrite audit rows stamp `SourceNode` via `ICentralAuditWriter`/`INodeIdentityProvider`.) Pending secured writes expire server-side after a configurable TTL (`ManagementServiceOptions.SecuredWritePendingTtl`, default 24 h): an overdue `Pending` row is CAS'd to `Expired` (never relayed) — enforced at approve/reject and swept opportunistically on list (arch-review S2, `AuditKind.SecuredWriteExpire`).
### Cluster & Failover
- Keep-oldest split-brain resolver with `down-if-alone = on`, 15s stable-after.
@@ -5,6 +5,11 @@ namespace ZB.MOM.WW.ScadaBridge.Commons.Messages.RemoteQuery;
/// Supports filtering by event type, severity, instance, time range, and keyword search.
/// Uses keyset pagination via continuation token (last event ID).
/// </summary>
/// <param name="InstanceId">
/// Instance filter matched against the site event log's <c>instance_id</c> column,
/// which stores the instance <b>UniqueName</b> (InstanceActor.LogLifecycleEvent passes
/// <c>_instanceUniqueName</c>; EventLogQueryService matches <c>instance_id = $instanceId</c>).
/// </param>
public record EventLogQueryRequest(
string CorrelationId,
string SiteId,
@@ -198,13 +198,15 @@ public class DebugStreamHub : Hub
// Use IHubContext for callbacks — the hub instance is transient (disposed after method returns),
// but IHubContext is a singleton that remains valid for the lifetime of the connection.
var hubClients = _hubContext.Clients;
// Capture the logger into a local: the callbacks outlive this (transient)
// hub instance, and ILogger is a singleton, so this is safe to hold.
var logger = _logger;
var session = await _debugStreamService.StartStreamAsync(
instanceId,
onEvent: evt =>
{
// Fire-and-forget — if the client disconnects, SendAsync will fail silently
_ = evt switch
var send = evt switch
{
AttributeValueChanged changed =>
hubClients.Client(connectionId).SendAsync("OnAttributeChanged", changed),
@@ -214,10 +216,20 @@ public class DebugStreamHub : Hub
hubClients.Client(connectionId).SendAsync("OnSnapshot", snapshot),
_ => Task.CompletedTask
};
// Fire-and-forget (deliberate — a slow/dead client must not block the
// stream), but log the push failure rather than swallowing it silently.
_ = send.ContinueWith(
t => logger.LogWarning(t.Exception?.GetBaseException(),
"Debug stream push to connection {ConnectionId} failed", connectionId),
CancellationToken.None, TaskContinuationOptions.OnlyOnFaulted, TaskScheduler.Default);
},
onTerminated: () =>
{
_ = hubClients.Client(connectionId).SendAsync("OnStreamTerminated", "Site disconnected");
_ = hubClients.Client(connectionId).SendAsync("OnStreamTerminated", "Site disconnected")
.ContinueWith(
t => logger.LogWarning(t.Exception?.GetBaseException(),
"Debug stream termination push to connection {ConnectionId} failed", connectionId),
CancellationToken.None, TaskContinuationOptions.OnlyOnFaulted, TaskScheduler.Default);
});
Context.Items[SessionIdKey] = session.SessionId;
@@ -3007,7 +3007,10 @@ public class ManagementActor : ReceiveActor
cmd.SiteIdentifier,
cmd.From, cmd.To,
cmd.EventType, cmd.Severity,
cmd.InstanceName, // InstanceId filter
// Instance unique-name filter — the site event log's instance_id column
// stores the instance UniqueName (InstanceActor.LogLifecycleEvent passes
// _instanceUniqueName; EventLogQueryService matches instance_id = $instanceId).
cmd.InstanceName,
cmd.Keyword,
null, // ContinuationToken
cmd.PageSize,