33e1802e6d
feat(sms): make FromNumber optional — support Twilio Messaging-Service-only configs (UI-Med-2)
...
Code-review finding UI-Med-2: the design doc + delivery adapter treat FromNumber and
MessagingServiceSid as either-or, but the entity ctor, EF schema, UI and CLI all hard-
required FromNumber — so a Messaging-Service-only Twilio config (a normal production
setup) could not be created. Bring the implementation into line with the spec:
- Commons: SmsConfiguration.FromNumber -> string? (ctor fromNumber optional);
UpdateSmsConfigCommand.FromNumber -> string?.
- ConfigurationDatabase: FromNumber.IsRequired(false) + migration SmsFromNumberOptional
(ALTER COLUMN nullable, idempotent; Down backfills '' — harmless, MsgSid keeps it
deliverable) + regenerated model snapshot.
- Transport: SmsConfigDto.FromNumber -> string? (round-trips a Messaging-Service-only config).
- CentralUI: form validation requires AccountSid + at-least-one-of(FromNumber, MsgSid);
nullable create/edit paths; From-number help text.
- CLI: --from-number no longer Required; BuildUpdateSmsConfigCommand validates the either-or.
- Adapter: From branch null-forgiving (guarded by the existing incomplete-config check).
Tests: ManagementActor MsgSid-only persists null FromNumber; CLI MsgSid-only builds +
neither-throws + contract (--from-number not Required); CentralUI MsgSid-only save.
2026-06-19 15:19:40 -04:00
a9393c8913
test(sms): regression tests for code-review fixes
...
Lock the behaviors changed by the review-fix commit + the security invariants:
- ManagementActorTests: UpdateSms/SmtpConfig now require Administrator (updated the
existing success cases from Designer); + UpdateSmsConfig_WithDesignerRole_Returns
Unauthorized and _WithEmptyAuthToken_PreservesExistingToken regression tests.
- SecretEncryptionTests: SmsConfiguration.AuthToken stored-encrypted round-trip +
null round-trip (AccountSid stays plaintext) — guards ApplySecretColumnEncryption.
- ArtifactDiffTests: CompareSmsConfiguration New/Identical/Modified + the secret
presence-only invariant (value never echoed, presence-flip shows <present> only).
- UpdateCommandContractTests: notification sms update core fields Required, --auth-token optional.
- NotificationListsPageTests: SMS recipient badge shows phone, not "Name <>".
- NotificationOutboxActorDispatchTests: SMS-typed notification routes to the SMS
adapter (StubAdapter.Type made configurable), not the Email adapter.
- NotificationRecipientTests (new): ForEmail/ForSms + public-ctor invariants.
2026-06-19 15:09:47 -04:00
538117d114
fix(sms): reject notification-list Type change on update (S6 review follow-up)
2026-06-19 10:51:58 -04:00
73df322a66
feat(sms): CLI list --type/--phones + notification sms group + channel-aware recipients (S6)
2026-06-19 10:40:09 -04:00
609bdb37ef
feat(sms): list Type + SMS-config management commands/handlers (S5)
2026-06-19 10:12:55 -04:00
8f85cce298
fix(ui): schema-library delete-audit name + busy guard + edit-row guard + sanitized create-race test ( #260 )
2026-06-19 03:28:11 -04:00
69e0d546b5
fix(audit): route SecuredWrite audit via ICentralAuditWriter for SourceNode stamping ( #206 )
2026-06-19 02:37:48 -04:00
454e47ea38
fix(mgmt): pass sharedScripts to design-time template $ref validation ( #259 )
2026-06-19 02:21:15 -04:00
71a2bca4df
feat(m9/T32c): schema-library CRUD commands + handlers + Central UI page + read-accessor
2026-06-18 12:32:31 -04:00
dbe51e5f25
fix(m9/T24a): scope move-guard native-alarm scan to source-site templates (Ordinal); purpose-built include; add guard-4 + repo tests
2026-06-18 11:38:31 -04:00
48111b50fd
feat(m9/T24a): guarded move-data-connection-between-sites command + handler
2026-06-18 11:20:58 -04:00
565d53d0fe
feat(transport): import name-map plumbing via CLI + ManagementActor (M8 D3)
2026-06-18 07:08:33 -04:00
bdbf5cdab0
feat(transport): export site/instance selection end-to-end via CLI + ManagementActor (M8 B4)
2026-06-18 06:14:39 -04:00
0c7774acdc
fix(mgmt): re-assert MxGateway protocol at secured-write execute (D2 TOCTOU guard, T14b)
2026-06-18 04:24:53 -04:00
b08bfae329
feat(audit): SecuredWrite audit kinds + best-effort per-lifecycle central direct-write; guard approve Decode (T14b)
2026-06-18 03:17:56 -04:00
1f7bb7ace3
feat(mgmt): secured-write approve relays to site MxGateway write with CAS race guard (T14b)
2026-06-18 02:59:43 -04:00
25c9240415
feat(mgmt): secured-write submit/reject/list handlers + Operator/Verifier gating (T14b)
2026-06-18 02:29:29 -04:00
55630b48b6
feat(audit): M5.6 SourceNode sentinel backfill (purge-role) + CLI + runbook note (T5)
2026-06-16 22:02:21 -04:00
0569c5ff23
feat(audit): M5.1 audit tree endpoint + CLI audit tree (T8)
...
Add GET /api/audit/tree endpoint that accepts executionId query param,
authenticates via HTTP Basic + LDAP (OperationalAudit permission), calls
IAuditLogRepository.GetExecutionTreeAsync, and returns a JSON array of
ExecutionTreeNode. Returns 400 for missing/invalid GUID, 401/403 as normal.
Add `scadabridge audit tree --execution-id <guid> [--format table|json]`
CLI subcommand in AuditCommands.Build(). Adds AuditTreeHelpers with:
- BuildUrl: constructs the relative URL + query string
- RunTreeAsync: calls the endpoint, dispatches to table or JSON renderer
- WriteTable: indented ASCII tree (root → children, [*] marks queried node)
- WriteJson: pretty-printed JSON array pass-through
Tests: 7 new ManagementService endpoint tests (valid id, empty, 400, 401,
403, Viewer allowed, wrong role), 18 new CLI tests (parse, render, HTTP
error codes, JSON output, multi-level indentation, queried-node marker).
2026-06-16 21:20:54 -04:00
d312dfb139
fix(management): honor DisableLogin on the Basic-Auth CLI surfaces
...
DisableLogin only swapped the cookie auth scheme (AutoLoginAuthenticationHandler),
which covers the interactive UI. The CLI authenticates POST /management, the audit
REST endpoints, and the SignalR debug-stream hub with HTTP Basic, and each ran its
own hardcoded Basic->LDAP check that ignored DisableLogin. In a login-disabled (e.g.
no-LDAP) deployment that locked the CLI out: every call returned 401 AUTH_FAILED.
Add ManagementAuthenticator, which centralizes the management/CLI auth flow:
when ScadaBridge:Security:Auth:DisableLogin is true it synthesizes the same dev
principal as AutoLoginAuthenticationHandler (configured user, all roles, system-wide)
and bypasses Basic->LDAP; otherwise the unchanged Basic->LDAP flow runs. Wired into
ManagementEndpoints (delegates), AuditEndpoints (delegates), and DebugStreamHub
(bypass branch). +6 unit tests; ManagementService.Tests green (140).
2026-06-16 17:12:17 -04:00
0164f8a0d6
fix(mgmt): MV-10 review fixes (ElementDataType fixed-field in LockEnforcer; graceful bad-DataType error; message consistency)
2026-06-16 16:13:38 -04:00
1525670fe7
feat(mgmt): accept + validate ElementDataType on attribute add/update
2026-06-16 16:05:05 -04:00
db707bb0de
feat(audit)!: ScadaBridge C3 — swap to canonical ZB.MOM.WW.Audit.AuditEvent across seams/emitters/DTO/redactor wiring; transitional 24-col storage shim (Task 2.5)
2026-06-02 12:37:50 -04:00
b104760b3a
feat(auth)!: ScadaBridge canonical roles + SoD collapse (Audit→Administrator, AuditReadOnly→Viewer) + config-DB migration (Task 1.7)
...
Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
Admin -> Administrator
Design -> Designer
Deployment -> Deployer
Audit -> Administrator (COLLAPSE; accepted privilege escalation)
AuditReadOnly-> Viewer (COLLAPSE; keeps audit-read, no export)
SoD: OperationalAuditRoles = { Administrator, Viewer },
AuditExportRoles = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).
Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
operator-added rows. Down is lossy on the collapse (documented in-file).
No pending model changes.
Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.
CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.
2026-06-02 08:00:47 -04:00
afa55981d5
feat(auth)!: ScadaBridge retire SQL Server ApiKey entity + ApprovedApiKeyIds + legacy hashing; EF migration RetireInboundApiKeyStore; re-issue runbook + CHANGELOG (re-arch C5/E) — BREAKING: X-API-Key -> Bearer sbk_, keys re-issued
2026-06-02 05:39:59 -04:00
731cfd3bfc
feat(auth): ScadaBridge TransportExport excludes inbound API keys (re-arch C4; methods-only, import ignores legacy key sections); keys re-issued per environment
2026-06-02 05:06:40 -04:00
8219b8ee18
fix(auth): C2 review — not-found throws (no spurious audit) on update/delete/set-methods, reject empty methods (unusable-key/stealth-disable), richer set-methods response, token advisory to stderr
2026-06-02 04:21:28 -04:00
6518e93424
feat(auth): ScadaBridge ManagementActor + CLI + Commons messages onto IInboundApiKeyAdmin seam (re-arch C2; int->string keyId, +Methods, +SetApiKeyMethods)
2026-06-02 04:11:44 -04:00
ac34dac479
feat(auth): cut ScadaBridge over to ZB.MOM.WW.Auth.Ldap; nest+rename Ldap config; roles+sitescope via IGroupRoleMapper (Task 1.2/1.4)
2026-06-02 01:04:34 -04:00
3bf1d26d79
feat(management): handlers for native alarm source CRUD
2026-05-31 02:23:17 -04:00
7b0b9c7365
refactor: rename ScadaLink → ZB.MOM.WW.ScadaBridge (code + projects + namespaces)
...
Solution + 23 src projects + 26 test projects renamed; folders, csproj,
namespaces, and ScadaLinkDbContext/ScadaBridgeDbContext class updated.
ActorSystem "scadalink" → "scadabridge", Akka seed-node URLs migrated.
SQL roles/logins, LDAP domains, CLI command name, and CLI config dir
(~/.scadalink → ~/.scadabridge) also renamed.
Build green; 5 Host.Tests fail awaiting SQL login rename in next commit.
Pre-existing StaleTagMonitor timing flakes unchanged.
Rename script committed at tools/rename-to-scadabridge.sh.
2026-05-28 09:37:45 -04:00
Joseph Doherty