ScadaBridge

dohertj2/ScadaBridge

Fork 0

Commit Graph

Author	SHA1	Message	Date
Joseph Doherty	77cb0ad0e2	fix(api-surface): close Theme 9 — 27 naming / dead-code / config / hygiene findings The largest themed batch — small mechanical fixes across 11 modules. API / message hygiene: - Comm-020: SiteAddressCacheLoaded now carries IReadOnlyDictionary / IReadOnlyList — Akka messages must be immutable. - Commons-016: BundleSession.MaxUnlockAttempts named constant replaces magic 3. - Commons-018: IOperationTrackingStore + IPartitionMaintenance moved from Interfaces/ root to Interfaces/Services/ (namespace preserved — 9 consumers exceeded the in-prompt move threshold). - Commons-023: TrackingStatusSnapshot.SourceNode now consistent with the trailing-optional-with-default pattern used elsewhere. - SR-022: AuditingDbCommand.DbConnection.set no longer uses reflection — exposes AuditingDbConnection.Inner via internal API surface. Dead code / config cleanup: - ClusterInfra-011: decorative SectionName constant deleted. - ClusterInfra-014: dead AddClusterInfrastructureActors method + its "throws-when-called" test deleted. - Host-021: Microsoft Logging:LogLevel block deleted from appsettings.json (dead under Serilog). Fail-loud over fail-silent: - DM-021: ResolveSiteIdentifierAsync throws on missing site (was silently substituting a DB id). - DM-022: dropped transient Pending write — record now lands directly in InProgress (no UI flicker, one fewer DB write). - Host-020: LoggerConfigurationFactory emits a Console.Error warning when both Serilog:MinimumLevel and ScadaLink:Logging:MinimumLevel are set (ScadaLink remains truth per Host-011). - SnF-022: NotifyCachedCallObserverAsync logs Warning on unparseable TrackedOperationId (was silently dropping). - SnF-023: empty siteId default replaced with $unknown-site sentinel + constructor normalisation. Correctness: - SCA-001: SupervisorStrategy XML rewritten to match actual DefaultDecider/Restart semantics (was claiming Resume). - SCA-003: OnUpsertAsync now restamps IngestedAtUtc on every upsert. - SR-021: HandleDeployArtifacts now dispatches an internal ApplyArtifactDataConnectionsToDcl message after the SQLite write so system-wide artifact-deploy data-connection changes go live immediately (was requiring a site restart). - SnF-020: RetryParkedMessageAsync captures the parked row BEFORE the local write so a concurrent delete can't skip standby replication. Sentinels / naming collisions: - HM-021: CentralSiteId changed from "central" to "$central" (uncollideable — leading $ is forbidden in real SiteIdentifiers). Doc / surface cleanups: - SEL-018: FailedWriteCount promoted to ISiteEventLogger; XML softened to "Available for future Health Monitoring integration". - SnF-019: VERIFY outcome — documented parking-after-DefaultMaxRetries in Component-StoreAndForward.md + DefaultMaxRetries XML (uniform cap; maxRetries:0 is the unbounded escape hatch). - SnF-021: Component-StoreAndForward.md no longer claims the tracking table lives in SnF — it's in SiteRuntime, the interface is in Commons. - CLI-020: bundle export response parse guarded with try/catch on JsonException / KeyNotFoundException / FormatException — emits a clean INVALID_RESPONSE exit instead of a stack trace. Config: - ClusterInfra-013: intent comment added to "catastrophic config" test. - Host-016: appsettings.Site.json second CentralContactPoints entry removed (was pointing at the SITE's own port); doc-key explains how to extend. - Host-018: NodeName added to both shipped per-role configs (was causing SourceNode to be null on audit rows). UI: - CentralUI-029: replaced JS.InvokeAsync<int>("eval", …) with an ES module import (new wwwroot/js/browser-time.js). - CentralUI-032: AuditResultsGrid gains a Previous button backed by a cursor stack. 10+ new regression tests across the affected projects. Build clean; all suites green. README regenerated: 6 open (was 33). Session-to-date: 130 of 136 originally-open Theme findings closed.	2026-05-28 08:39:01 -04:00
Joseph Doherty	6ae0fea558	fix(error-handling): close Theme 4 — 18 cancellation / fire-and-forget findings Async cancellation hygiene, fire-and-forget observability, retry/shutdown semantics, and audit-row coverage across 9 modules. Highlights: Cancellation & lifecycle: - AuditLog-006: SqliteAuditWriter.Dispose hops to thread pool, escaping the captured SyncContext that risked sync-over-async deadlock. - AuditLog-010: SiteAuditTelemetryActor owns a private lifecycle CTS, threaded through drain paths instead of CancellationToken.None. - Comm-019: CentralCommunicationActor adds lifecycle CTS for repo calls. - Host-019: Migration StartupRetry forwards ApplicationStopping so SIGTERM during the bounded-retry window aborts cleanly. Cursor / retry / counter correctness: - AuditLog-004: SiteAuditReconciliationActor's cursor now holds at `since` when any row's idempotent insert is still being retried (per-EventId retry counter, MaxPermanentInsertAttempts=5 escape valve with LogCritical abandon). No more silent abandonment of permanently-failing rows. - ConfigDB-019: Dropped the catch-and-continue on EnsureLookaheadAsync's SPLIT loop — by class-doc construction the catch could only mask real failures and let the next iteration create permanent partition holes. - HM-017/018: HealthReportSender + CentralHealthReportLoop snapshot per-interval counters before sending, restore via new ISiteHealthCollector.AddIntervalCounters on transport failure so counts aren't silently lost. Fire-and-forget / shutdown waits: - InboundAPI-018: AuditWriteMiddleware observes faulted audit-write tasks via OnlyOnFaulted continuation (Warning log; response unchanged). - SnF-024: StoreAndForwardService.StopAsync awaits in-flight retry sweep with a bounded SweepShutdownWaitTimeout (10s). Leak / refactor: - Comm-021: SiteStreamGrpcServer.SubscribeInstance wraps Subscribe in its own try/catch so a throw doesn't leak the relay actor or _activeStreams entry. - Comm-022: VERIFIED already-closed by Comm-016's dead-code purge. - CLI-017: BundleCommands' three subcommands delegate to ExecuteCommandAsync (auth-failure exit-code contract unified). Defensive / validation: - CLI-021: CliConfig.Load wraps file-read/JSON parse so malformed config prints a warning and returns defaults instead of crashing the CLI. - Host-022: ParseLevel emits stderr one-shot warning for unrecognised MinimumLevel instead of silently coercing to Information. - ESG-019: ExternalSystemClient sets HttpClient.Timeout=Infinite so the per-call CTS is the sole timeout source (was clipped to 100s by .NET). - Security-020: New SecurityOptionsValidator (IValidateOptions) rejects empty LdapServer/LdapSearchBase with ValidateOnStart. - DM-019: Lifecycle command timeouts now emit DisableTimedOut/EnableTimedOut/ DeleteTimedOut audit entries (mirrors DeployFailed pattern). Plus reconciled stale per-module Open-findings counters that had drifted from prior sessions. 20+ new regression tests across 11 test projects; build clean; affected suites all green. README regenerated: 75 open (was 93).	2026-05-28 07:13:28 -04:00
Joseph Doherty	8664cdf940	fix(host): resolve Host-005..011 — async startup, HOCON escaping, port-conflict check, dead-config cleanup, migration retry, log-level wiring; Host-002 flagged	2026-05-16 22:24:03 -04:00

Author

SHA1

Message

Date

Joseph Doherty

77cb0ad0e2

fix(api-surface): close Theme 9 — 27 naming / dead-code / config / hygiene findings

The largest themed batch — small mechanical fixes across 11 modules.

API / message hygiene:
- Comm-020: SiteAddressCacheLoaded now carries IReadOnlyDictionary /
  IReadOnlyList — Akka messages must be immutable.
- Commons-016: BundleSession.MaxUnlockAttempts named constant replaces
  magic 3.
- Commons-018: IOperationTrackingStore + IPartitionMaintenance moved from
  Interfaces/ root to Interfaces/Services/ (namespace preserved — 9
  consumers exceeded the in-prompt move threshold).
- Commons-023: TrackingStatusSnapshot.SourceNode now consistent with the
  trailing-optional-with-default pattern used elsewhere.
- SR-022: AuditingDbCommand.DbConnection.set no longer uses reflection —
  exposes AuditingDbConnection.Inner via internal API surface.

Dead code / config cleanup:
- ClusterInfra-011: decorative SectionName constant deleted.
- ClusterInfra-014: dead AddClusterInfrastructureActors method + its
  "throws-when-called" test deleted.
- Host-021: Microsoft Logging:LogLevel block deleted from appsettings.json
  (dead under Serilog).

Fail-loud over fail-silent:
- DM-021: ResolveSiteIdentifierAsync throws on missing site (was silently
  substituting a DB id).
- DM-022: dropped transient Pending write — record now lands directly in
  InProgress (no UI flicker, one fewer DB write).
- Host-020: LoggerConfigurationFactory emits a Console.Error warning when
  both Serilog:MinimumLevel and ScadaLink:Logging:MinimumLevel are set
  (ScadaLink remains truth per Host-011).
- SnF-022: NotifyCachedCallObserverAsync logs Warning on unparseable
  TrackedOperationId (was silently dropping).
- SnF-023: empty siteId default replaced with $unknown-site sentinel
  + constructor normalisation.

Correctness:
- SCA-001: SupervisorStrategy XML rewritten to match actual
  DefaultDecider/Restart semantics (was claiming Resume).
- SCA-003: OnUpsertAsync now restamps IngestedAtUtc on every upsert.
- SR-021: HandleDeployArtifacts now dispatches an internal
  ApplyArtifactDataConnectionsToDcl message after the SQLite write so
  system-wide artifact-deploy data-connection changes go live
  immediately (was requiring a site restart).
- SnF-020: RetryParkedMessageAsync captures the parked row BEFORE the
  local write so a concurrent delete can't skip standby replication.

Sentinels / naming collisions:
- HM-021: CentralSiteId changed from "central" to "$central"
  (uncollideable — leading $ is forbidden in real SiteIdentifiers).

Doc / surface cleanups:
- SEL-018: FailedWriteCount promoted to ISiteEventLogger; XML softened
  to "Available for future Health Monitoring integration".
- SnF-019: VERIFY outcome — documented parking-after-DefaultMaxRetries
  in Component-StoreAndForward.md + DefaultMaxRetries XML (uniform
  cap; maxRetries:0 is the unbounded escape hatch).
- SnF-021: Component-StoreAndForward.md no longer claims the tracking
  table lives in SnF — it's in SiteRuntime, the interface is in Commons.
- CLI-020: bundle export response parse guarded with try/catch on
  JsonException / KeyNotFoundException / FormatException — emits a
  clean INVALID_RESPONSE exit instead of a stack trace.

Config:
- ClusterInfra-013: intent comment added to "catastrophic config" test.
- Host-016: appsettings.Site.json second CentralContactPoints entry
  removed (was pointing at the SITE's own port); doc-key explains how
  to extend.
- Host-018: NodeName added to both shipped per-role configs (was
  causing SourceNode to be null on audit rows).

UI:
- CentralUI-029: replaced JS.InvokeAsync<int>("eval", …) with an ES
  module import (new wwwroot/js/browser-time.js).
- CentralUI-032: AuditResultsGrid gains a Previous button backed by a
  cursor stack.

10+ new regression tests across the affected projects. Build clean;
all suites green. README regenerated: 6 open (was 33).

Session-to-date: 130 of 136 originally-open Theme findings closed.

2026-05-28 08:39:01 -04:00

Joseph Doherty

6ae0fea558

fix(error-handling): close Theme 4 — 18 cancellation / fire-and-forget findings

Async cancellation hygiene, fire-and-forget observability, retry/shutdown
semantics, and audit-row coverage across 9 modules. Highlights:

Cancellation & lifecycle:
- AuditLog-006: SqliteAuditWriter.Dispose hops to thread pool, escaping the
  captured SyncContext that risked sync-over-async deadlock.
- AuditLog-010: SiteAuditTelemetryActor owns a private lifecycle CTS,
  threaded through drain paths instead of CancellationToken.None.
- Comm-019: CentralCommunicationActor adds lifecycle CTS for repo calls.
- Host-019: Migration StartupRetry forwards ApplicationStopping so SIGTERM
  during the bounded-retry window aborts cleanly.

Cursor / retry / counter correctness:
- AuditLog-004: SiteAuditReconciliationActor's cursor now holds at `since`
  when any row's idempotent insert is still being retried (per-EventId
  retry counter, MaxPermanentInsertAttempts=5 escape valve with LogCritical
  abandon). No more silent abandonment of permanently-failing rows.
- ConfigDB-019: Dropped the catch-and-continue on EnsureLookaheadAsync's
  SPLIT loop — by class-doc construction the catch could only mask real
  failures and let the next iteration create permanent partition holes.
- HM-017/018: HealthReportSender + CentralHealthReportLoop snapshot
  per-interval counters before sending, restore via new
  ISiteHealthCollector.AddIntervalCounters on transport failure so counts
  aren't silently lost.

Fire-and-forget / shutdown waits:
- InboundAPI-018: AuditWriteMiddleware observes faulted audit-write tasks
  via OnlyOnFaulted continuation (Warning log; response unchanged).
- SnF-024: StoreAndForwardService.StopAsync awaits in-flight retry sweep
  with a bounded SweepShutdownWaitTimeout (10s).

Leak / refactor:
- Comm-021: SiteStreamGrpcServer.SubscribeInstance wraps Subscribe in its
  own try/catch so a throw doesn't leak the relay actor or _activeStreams
  entry.
- Comm-022: VERIFIED already-closed by Comm-016's dead-code purge.
- CLI-017: BundleCommands' three subcommands delegate to ExecuteCommandAsync
  (auth-failure exit-code contract unified).

Defensive / validation:
- CLI-021: CliConfig.Load wraps file-read/JSON parse so malformed config
  prints a warning and returns defaults instead of crashing the CLI.
- Host-022: ParseLevel emits stderr one-shot warning for unrecognised
  MinimumLevel instead of silently coercing to Information.
- ESG-019: ExternalSystemClient sets HttpClient.Timeout=Infinite so the
  per-call CTS is the sole timeout source (was clipped to 100s by .NET).
- Security-020: New SecurityOptionsValidator (IValidateOptions) rejects
  empty LdapServer/LdapSearchBase with ValidateOnStart.
- DM-019: Lifecycle command timeouts now emit DisableTimedOut/EnableTimedOut/
  DeleteTimedOut audit entries (mirrors DeployFailed pattern).

Plus reconciled stale per-module Open-findings counters that had drifted
from prior sessions.

20+ new regression tests across 11 test projects; build clean; affected
suites all green. README regenerated: 75 open (was 93).

2026-05-28 07:13:28 -04:00

Joseph Doherty

8664cdf940

fix(host): resolve Host-005..011 — async startup, HOCON escaping, port-conflict check, dead-config cleanup, migration retry, log-level wiring; Host-002 flagged

2026-05-16 22:24:03 -04:00

3 Commits