dohertj2/lmxopcua
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 6.2 exit gate - compliance script real-checks + phase doc = SHIPPED (core) #88

Merged
dohertj2 merged 1 commits from phase-6-2-exit-gate into v2 2026-04-19 09:48:00 -04:00
Conversation 0 Commits 1 Files Changed 3 +112 -40
dohertj2 commented 2026-04-19 09:47:48 -04:00
Owner
Copy Link

Final PR for Phase 6.2 core shipment. Compliance script turns 23 stubs into real checks + updates phase doc status to SHIPPED (core).

Summary

  • 23 checks across Stream A (entity+enum+service+invariant+migration), Stream B (evaluator + trie + builder + cache + state + flag defaults + HistoryRead-own-bit), control/data-plane separation (text-absence sweep for LdapGroupRoleMapping across every data-plane evaluator file per decision #150), Stream C foundation (gate + StrictMode), Stream D data layer (validator + exception + None rejection).
  • Two deferred follow-up surfaces shown as [DEFERRED] with explicit task IDs: dispatch wiring (task #143) + Admin UI (task #144).
  • IPermissionEvaluator doc-comment reworded to not mention the literal LdapGroupRoleMapping type — the compliance sweep is textual.
  • Phase doc: SHIPPED (core) 2026-04-19 across PRs #84-87 + this PR.
  • Net: 1042 pre-Phase-6.2 → 1097 passing (+55).

Test plan

  • powershell.exe -File scripts/compliance/phase-6-2-compliance.ps1 returns exit 0 with all 23 real checks green + 2 Deferred.

🤖 Generated with Claude Code

Final PR for Phase 6.2 core shipment. Compliance script turns 23 stubs into real checks + updates phase doc status to SHIPPED (core). ## Summary - 23 checks across Stream A (entity+enum+service+invariant+migration), Stream B (evaluator + trie + builder + cache + state + flag defaults + HistoryRead-own-bit), control/data-plane separation (text-absence sweep for LdapGroupRoleMapping across every data-plane evaluator file per decision #150), Stream C foundation (gate + StrictMode), Stream D data layer (validator + exception + None rejection). - Two deferred follow-up surfaces shown as `[DEFERRED]` with explicit task IDs: dispatch wiring (task #143) + Admin UI (task #144). - IPermissionEvaluator doc-comment reworded to not mention the literal `LdapGroupRoleMapping` type — the compliance sweep is textual. - Phase doc: **SHIPPED (core)** 2026-04-19 across PRs #84-87 + this PR. - Net: 1042 pre-Phase-6.2 → 1097 passing (+55). ## Test plan - [x] `powershell.exe -File scripts/compliance/phase-6-2-compliance.ps1` returns exit 0 with all 23 real checks green + 2 Deferred. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
dohertj2 added 1 commit 2026-04-19 09:47:49 -04:00
Phase 6.2 exit gate — compliance script real-checks + phase doc = SHIPPED (core) bd53ebd192 
scripts/compliance/phase-6-2-compliance.ps1 replaces the stub TODOs with 23
real checks spanning:
- Stream A: LdapGroupRoleMapping entity + AdminRole enum + ILdapGroupRoleMappingService
  + impl + write-time invariant + EF migration all present.
- Stream B: OpcUaOperation enum + NodeScope + AuthorizationDecision tri-state
  + IPermissionEvaluator + PermissionTrie + Builder + Cache keyed on
  GenerationId + UserAuthorizationState with MembershipFreshnessInterval=15m
  and AuthCacheMaxStaleness=5m + TriePermissionEvaluator + HistoryRead uses
  its own flag.
- Control/data-plane separation: the evaluator + trie + cache + builder +
  interface all have zero references to LdapGroupRoleMapping (decision #150).
- Stream C foundation: ILdapGroupsBearer + AuthorizationGate with StrictMode
  knob. DriverNodeManager dispatch-path wiring (11 surfaces) is Deferred,
  tracked as task #143.
- Stream D data layer: ValidatedNodeAclAuthoringService + exception type +
  rejects None permissions. Blazor UI pieces (RoleGrantsTab, AclsTab,
  SignalR invalidation, draft diff) are Deferred, tracked as task #144.
- Cross-cutting: full solution dotnet test runs; 1097 >= 1042 baseline;
  tolerates the one pre-existing Client.CLI Subscribe flake.

IPermissionEvaluator doc-comment reworded to avoid mentioning the literal
type name "LdapGroupRoleMapping" — the compliance check does a text-absence
sweep for that identifier across the data-plane files.

docs/v2/implementation/phase-6-2-authorization-runtime.md status updated from
DRAFT to SHIPPED (core). Two deferred follow-ups explicitly called out so
operators see what's still pending for the "Phase 6.2 fully wired end-to-end"
milestone.

`Phase 6.2 compliance: PASS` — exit 0. Any regression that deletes a class
or re-introduces an LdapGroupRoleMapping reference into the data-plane
evaluator turns a green check red + exit non-zero.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
dohertj2 merged commit d269dcaa1b into v2 2026-04-19 09:48:00 -04:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
dohertj2
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dohertj2/lmxopcua#88
Delete Branch "phase-6-2-exit-gate"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?