Extract the verbatim-duplicated SiteCallOperationalDto -> SiteCall mapper
into a single public SiteCallDtoMapper static class in
ScadaLink.Communication.Grpc, mirroring AuditEventDtoMapper. Replaces three
identical private copies (SiteStreamGrpcServer.MapSiteCallFromDto,
ClusterClientSiteAuditClient.MapSiteCall, and the test-infra
DirectActorSiteStreamAuditClient.MapSiteCallFromDto), removes the now-stale
doc comment that justified the duplication, and drops the using directives
that became unused. Adds SiteCallDtoMapperTests for field-by-field coverage.
Only the FromDto direction is provided: nothing maps SiteCall back onto the
wire, so a ToDto would be dead code.
The /notifications/report detail modal showed only NotificationSummary
fields. Added a NotificationDetailRequest query (mirrors the existing
outbox query plumbing — Commons contract + NotificationOutboxActor
handler + CommunicationService method) that fetches the full Notification
entity. The modal now fetches on open and renders the message Body
(preformatted plain text, never MarkupString) and resolved recipients
(ResolvedTargets, with a list-name fallback note when not yet resolved).
6 new tests.
Double-clicking a row on /notifications/report opens a Bootstrap modal
showing the notification's full detail (untruncated ID, full LastError,
SourceInstanceId, exact timestamps) — fields the grid truncates or omits.
Parked notifications also get Retry/Discard buttons in the modal footer.
Inline no-JS modal, in-memory NotificationSummary, no extra query.
Both central nodes ran on the NotificationOutboxOptions code defaults
(100 / 10s = 600/min) because the mounted per-node appsettings.Central.json
had no ScadaLink:NotificationOutbox section. Add the section with
DispatchBatchSize 1000 + DispatchInterval 5s — measured ~6,000/min after
restart (sweep duration becomes the binding constraint, which is fine:
the no-overlap guard self-regulates). Dev-cluster tuning only.
Closes the gap found while debugging notification delivery: SmtpConfiguration
has TlsMode + Credentials fields, but no non-SQL path could set them.
- UpdateSmtpConfigCommand carries optional TlsMode + Credentials (nullable,
preserve-if-null in HandleUpdateSmtpConfig — non-breaking for existing
5-arg callers).
- CLI 'notification smtp update' gains optional --tls-mode (validated
None/StartTLS/SSL) and --credentials.
- Central UI SMTP form gains a TLS Mode select (None/StartTLS/SSL) —
previously the form had no TlsMode field at all.
- docs/test_infra/test_infra_smtp.md: replaced the invalid AuthMode:None
example with a working Basic config (TlsMode None, dummy credentials);
corrected the prose (delivery requires Basic/OAuth2, no anonymous mode)
and noted the scadalink-smtp container hostname for in-cluster use.
4 commits, 13 new tests. Full solution green.
The appsettings example used AuthMode 'None', which the delivery code
(MailKitSmtpClientWrapper) rejects — only Basic and OAuth2 are valid.
Switch to a working Basic config with Credentials and TlsMode None, and
document that Server must be the container name scadalink-smtp when the
Notification Service runs inside the docker cluster.
Add a TlsMode read-only row and a None/StartTLS/SSL select to the SMTP
Configuration page edit form. New configs default to None; edits load
and persist the chosen mode through the repository.
Expose the two previously-unreachable SmtpConfiguration fields on the
CLI. Both flags are optional — omitting them sends null so the server
preserves the existing value. --tls-mode is constrained to the canonical
{None, StartTLS, SSL} set via AcceptOnlyFromAmong for fast-fail.
Add two optional nullable fields (TlsMode, Credentials) to the
UpdateSmtpConfigCommand record. The handler applies preserve-if-null
semantics: an update that omits a field leaves the existing value
intact, so existing 5-arg callers remain non-breaking.
ASP.NET Data Protection ciphertext is non-deterministic and bound to the
source key ring, so encrypted secret columns (ExternalSystemDefinitions
.AuthConfiguration, SmtpConfigurations.Credentials, DatabaseConnection
Definitions.ConnectionString) cannot be replayed from a static SQL dump —
the app would fail to decrypt them. dump_seed.py now emits those columns
as NULL; reseed.sh adds a post-seed stage that recreates the values
through the ScadaLink CLI so the EF value converter re-encrypts against
the target cluster's key ring.
M8 — the final milestone — ships the operator CLI surface:
- ManagementService /api/audit/query + /api/audit/export endpoints
(minimal-API, HTTP Basic + LDAP auth, OperationalAudit / AuditExport
role gates reusing M7's AuthorizationPolicies role sets).
- scadalink audit command group:
- audit query: full UI-parity filter set, keyset-cursor paging
(--all follows nextCursor), JSON (default) / table output,
AcceptOnlyFromAmong fast-fail validation on channel/kind/status.
- audit export: streams server CSV / JSONL to --output (parquet → 501
per v1.x deferral), required-flag enforcement.
- audit verify-chain: v1 no-op stub (hash-chain deferred to v1.x);
validates --month, prints the deferral message, exits 0.
- Table output formatter for audit events.
- Pre-existing audit-log config-change command renamed audit-config;
audit-log retained as a deprecation alias (stderr warning).
- CLI README documents the audit group, the rename, permissions.
Review fix: corrected --channel/--kind/--status help + README to the
real enum names (ApiOutbound/DbOutbound/Notification/ApiInbound, etc.)
and added AcceptOnlyFromAmong so a bad value fails fast instead of
silently returning unfiltered results; removed the dead --instance flag
(AuditLogQueryFilter has no instance column).
Shipped: 10 commits, ~62 net new tests.
=== Audit Log #23 — implementation complete (M1-M8) ===
Full solution: 24 test projects, 2,993 tests, 0 failures, 0 skipped.
dotnet build ScadaLink.slnx clean. infra/* never touched on any of the
8 milestone branches. alog.md changed exactly once (M1 vocabulary
reconciliation, committed before the dependent code merge per the
ordering invariant).
Bundle G (#23 M7-T15): replace the temporary Admin-only gate on the Audit
Log surface with two new permission policies — OperationalAudit (read) and
AuditExport (bulk-export) — so the read path and the forensic-export path
can be delegated independently.
ScadaLink.Security
- AuthorizationPolicies: add OperationalAudit + AuditExport policy
constants; register them via RequireClaim with an explicit role allow-list
(OperationalAuditRoles, AuditExportRoles) so the role-to-permission
mapping is documented in one place.
- Default mapping: Admin and Audit roles grant both policies; AuditReadOnly
grants OperationalAudit only (read access without bulk export); Design
and Deployment grant neither.
ScadaLink.CentralUI
- AuditLogPage: switch the page-level [Authorize] to the OperationalAudit
policy and wrap the Export-CSV button in an AuthorizeView gated on
AuditExport so an OperationalAudit-only operator still sees the page +
filters but cannot trigger the CSV pull.
- ConfigurationAuditLog: switch from RequireAdmin to OperationalAudit so
both pages under the Audit nav group share the same gate.
- NavMenu: the Audit nav group now gates on OperationalAudit so the
section header + both child links match the per-page policies.
- AuditExportEndpoints: switch RequireAuthorization from RequireAdmin to
AuditExport — this is the authoritative gate; the AuthorizeView on the
button is just a UX affordance.
Tests
- New AuditLogPagePermissionTests covers the 5 brief-mandated cases plus
defence-in-depth for Admin-alone and AuditReadOnly users on the endpoint.
- SecurityTests: add policy-level coverage for the new role→permission
matrix (Theory rows pin every role/policy combination).
- AuditExportEndpointsTests: switch to AddScadaLinkAuthorization() so the
test host exercises the real production wiring under the new gate.
- AuditLogPageScaffoldTests: wrap the page render in a
CascadingAuthenticationState so the new in-page AuthorizeView resolves
the principal.
Adds three KPI tiles to the central Health dashboard for the Audit channel:
volume (rows in the last hour), error rate (Failed/Parked/Discarded over
total), and backlog (sum of SiteAuditBacklog.PendingCount across all sites).
Repo + service:
- IAuditLogRepository.GetKpiSnapshotAsync(window, nowUtc) — single aggregate
SELECT over the trailing window returning total + error counts; nowUtc is
optional for production callers and pinned by integration tests against the
shared MSSQL fixture so the global counts are deterministic.
- AuditLogQueryService.GetKpiSnapshotAsync() — composes the repo aggregate
with a sum of SiteAuditBacklog.PendingCount read from ICentralHealthAggregator.
- AuditLogKpiSnapshot record in Commons/Types/.
UI:
- New AuditKpiTiles Blazor component (Components/Health/) — three Bootstrap
card-tiles, click navigates to /audit/log with the matching pre-filter.
- Health.razor wires the tiles in alongside the existing Notification Outbox
KPIs; LoadAuditKpis() runs on every 10s refresh tick and degrades to em
dashes + inline error if the query fails.
- AuditLogPage extended to parse ?status= so the error-rate tile drill-in
(?status=Failed) auto-loads the grid.
Tests:
- AuditLogRepositoryTests: GetKpiSnapshotAsync mixed-status + empty-window
cases against the MSSQL migration fixture.
- AuditLogQueryServiceTests: forwarding + backlog composition; sites with
null SiteAuditBacklog contribute zero.
- AuditKpiTilesTests: 9 bUnit tests covering tile render, error-rate maths
with safe zero-events handling, em-dash unavailable path, click-through
navigation, and warning/danger border thresholds.
- HealthPageTests: new Renders_AuditKpiTiles_WithValues plus IAuditLogQueryService
stub registration in the constructor so existing outbox tests still pass.
- AuditLogPageScaffoldTests: ?status=Failed auto-load + unknown status drop.
Adds "Recent audit activity" deep links from four edit/detail pages into
the central Audit Log, each with a pre-filter encoded in the query string
that the Audit Log page (Bundle D0) now parses on initialization:
- External Systems (Design/ExternalSystemForm) → ?target={Name}
- API Keys (Admin/ApiKeyForm) → ?actor={Name}&channel=ApiInbound
- Sites (Admin/SiteForm) → ?site={SiteIdentifier}
- Instances (Deployment/InstanceConfigure) → ?instance={UniqueName}
The link is suppressed on create/new flows where there is nothing to
drill into yet. Instance is UI-only on the filter bar (the repository
filter contract has no instance column), so the page-side prefill threads
through the InitialInstanceSearch seam on AuditFilterBar.
Site Calls (#22 M7-T11) drill-in is DEFERRED: the Central UI does not
yet host a Site Calls listing page, per M3 reality notes. Add the
drill-in when that page lands.
#23 M7-T12
Implements Bundle C (M7-T4 through M7-T8) of the Audit Log #23 M7
Central UI work: a right-side off-canvas drawer that opens from
AuditResultsGrid row clicks and renders one AuditEvent in full.
Cohesive single-component delivery:
- Read-only fields stacked (form-layout memory): Channel/Kind, Status,
HttpStatus, Target, Actor, Source* provenance, CorrelationId,
OccurredAtUtc, IngestedAtUtc, DurationMs.
- Channel-aware body renderer: DbOutbound {sql, parameters} payloads
render a code-block with CSS-only .language-sql class plus a
parameter <dl>; other channels JSON-pretty-print when parseable and
fall back to verbatim <pre>.
- Redaction badges on Request/Response when the body contains the
<redacted> or <redacted: redactor error> sentinels.
- Copy-as-cURL (API channels only) builds a curl command from Target
+ optional {method, headers, body} RequestSummary JSON and writes
it via navigator.clipboard.writeText.
- Show-all-events drill-back navigates to /audit/log?correlationId={id}
when the event carries a CorrelationId.
- Close button + backdrop-click both raise OnClose.
AuditLogPage wires Event/IsOpen/OnClose; row clicks now open the
drawer (HandleRowSelected pins _selectedEvent + _drawerOpen=true).
11 bUnit tests cover field rendering, JSON pretty-print, verbatim
fallback, SQL block, conditional buttons, redaction badges,
navigation drill-back, and clipboard interop. No third-party UI
libraries: Bootstrap offcanvas + scoped razor.css only.
