Conversation
Test Results3 918 tests +976 3 904 ✅ +975 18m 36s ⏱️ + 12m 26s For more details on these failures, see this check. Results for commit 7fed64c. ± Comparison against base commit f6c2dea. This pull request removes 225 and adds 1201 tests. Note that renamed tests count towards both.♻️ This comment has been updated with latest results. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR bundles several long-running feature and stability tracks across MeshWeaver core + Memex: social publishing foundations, in-process #r "nuget:..." compilation support (node-type + interactive markdown), move-operation performance/timeout hardening, and multiple UI/stream reliability improvements. It also standardizes the code folder naming from _Source/_Test to Source/Test across code, tests, docs, and samples.
Changes:
- Introduces
MeshWeaver.Social(options, DI wiring, publish queue, credential model) plus initial Memex wiring (LinkedIn connect entry points + user menu hooks). - Adds
MeshWeaver.NuGetresolver + directive parser and integrates it into script compilation (#r "nuget:Pkg, Version"), including cache backends and tests. - Improves operational robustness: parallelized recursive moves, default 30s mesh-op timeout, “no endless spinner” navigation status UI, and remote stream resubscribe behavior.
Reviewed changes
Copilot reviewed 159 out of 265 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| test/MeshWeaver.StorageImport.Test/StorageImporterTests.cs | Updates test expectations/docs to Source/ naming. |
| test/MeshWeaver.Social.Test/PostStatsRefresherTest.cs | Adds stats refresher test coverage (needs deterministic timeout handling). |
| test/MeshWeaver.Social.Test/MeshWeaver.Social.Test.csproj | Adds new Social test project referencing Social + Fixture. |
| test/MeshWeaver.Social.Test/InMemoryPublishQueueTest.cs | Adds unit tests for publish queue due-drain + dedup. |
| test/MeshWeaver.Persistence.Test/FileSystemPersistenceTest.cs | Updates partition tests to Source/ naming. |
| test/MeshWeaver.MathDemo.Test/TestPaths.cs | Adds helper paths for MathDemo sample test assets. |
| test/MeshWeaver.MathDemo.Test/MeshWeaver.MathDemo.Test.csproj | Adds MathDemo test project and copies sample graph data to output. |
| test/MeshWeaver.Hosting.PostgreSql.Test/SatelliteQueryTests.cs | Updates code-path routing tests to Source/ naming. |
| test/MeshWeaver.Hosting.Monolith.Test/UserActivityAreaTest.cs | Updates regression test docs to Source/ naming. |
| test/MeshWeaver.Hosting.Blazor.Test/NavigationServiceTest.cs | Adjusts test to assert “no 404 flash” during retries. |
| test/MeshWeaver.Graph.Test/NuGetDirectiveParserTest.cs | Adds unit tests for parsing/stripping #r "nuget:...". |
| test/MeshWeaver.Graph.Test/NuGetAssemblyResolverTest.cs | Adds networked NuGet restore end-to-end tests (skippable via env var). |
| test/MeshWeaver.Graph.Test/MeshWeaver.Graph.Test.csproj | References new MeshWeaver.NuGet project. |
| test/MeshWeaver.FutuRe.Test/MeshWeaver.FutuRe.Test.csproj | Updates compile-included sample sources to Source/ paths. |
| test/MeshWeaver.Content.Test/CompilationErrorTest.cs | Updates broken-code test to Source/ path. |
| test/MeshWeaver.AI.Test/MeshPluginTest.cs | Updates MCP tool count expectations (adds RunTests/Move/Copy). |
| src/MeshWeaver.Social/SocialOptions.cs | Adds configurable knobs for publishing/stats/ingest scheduling. |
| src/MeshWeaver.Social/SocialExtensions.cs | Adds DI wiring for social publishing subsystem and hosted services. |
| src/MeshWeaver.Social/PlatformCredential.cs | Adds credential record model (access/refresh/expiry metadata). |
| src/MeshWeaver.Social/MeshWeaver.Social.csproj | Introduces Social library project. |
| src/MeshWeaver.Social/IPublishQueue.cs | Adds publish queue abstraction + in-memory implementation. |
| src/MeshWeaver.Social/IApprovalPublishBridge.cs | Defines bridge contract and PublishableSnapshot model. |
| src/MeshWeaver.NuGet/ResolvedPackageSet.cs | Adds resolver output model (assemblies, probing dirs, versions). |
| src/MeshWeaver.NuGet/NuGetServiceCollectionExtensions.cs | Adds DI extension to register resolver + cache. |
| src/MeshWeaver.NuGet/NuGetPackageReference.cs | Adds package reference model (id + version range). |
| src/MeshWeaver.NuGet/NuGetDirectiveParser.cs | Implements #r "nuget:..." extraction + source stripping. |
| src/MeshWeaver.NuGet/MeshWeaver.NuGet.csproj | Introduces NuGet resolver project and dependencies. |
| src/MeshWeaver.NuGet/INuGetPackageCache.cs | Adds optional persistent cache interface + null implementation. |
| src/MeshWeaver.NuGet/INuGetAssemblyResolver.cs | Adds resolver interface returning ResolvedPackageSet. |
| src/MeshWeaver.NuGet.AzureBlob/MeshWeaver.NuGet.AzureBlob.csproj | Adds Azure Blob cache backend project. |
| src/MeshWeaver.NuGet.AzureBlob/BlobNuGetPackageCacheExtensions.cs | Adds DI helper to register blob-backed cache. |
| src/MeshWeaver.Mesh.Contract/Services/MeshOperationOptions.cs | Adds mesh operation timeout options (default 30s). |
| src/MeshWeaver.Mesh.Contract/Services/IStorageAdapter.cs | Updates docs/examples to Source/ naming. |
| src/MeshWeaver.Mesh.Contract/Services/INavigationService.cs | Adds Status observable contract for UI progress reporting. |
| src/MeshWeaver.Mesh.Contract/Services/IIconGenerator.cs | Adds icon generator abstraction returning an observable SVG. |
| src/MeshWeaver.Mesh.Contract/PartitionDefinition.cs | Updates standard table mappings (Source/Test → code) and clarifies semantics. |
| src/MeshWeaver.Mesh.Contract/MeshExtensions.cs | Adds timeout override + move timeout enforcement + grain dispose on delete. |
| src/MeshWeaver.Mesh.Contract/CodeConfiguration.cs | Updates docs to Source/ naming. |
| src/MeshWeaver.Kernel.Hub/MeshWeaver.Kernel.Hub.csproj | Removes Interactive package mgmt dependency; references MeshWeaver.NuGet. |
| src/MeshWeaver.Hosting/Persistence/MigrationUtility.cs | Updates migration heuristics to include Source/Test + legacy _Source/_Test. |
| src/MeshWeaver.Hosting/Persistence/FileSystemStorageAdapter.cs | Treats Source/Test as code paths + keeps legacy compatibility. |
| src/MeshWeaver.Hosting/Persistence/FileSystemPersistenceService.cs | Parallelizes descendant move I/O (with concurrency implications). |
| src/MeshWeaver.Hosting/Persistence/CachingStorageAdapter.cs | Updates code sub-namespace detection (Source/Test + legacy). |
| src/MeshWeaver.Hosting.PostgreSql/PostgreSqlPartitionedStoreFactory.cs | Guards against source/test mistakenly becoming schemas. |
| src/MeshWeaver.Hosting.PostgreSql/PostgreSqlCrossSchemaQueryProvider.cs | Filters malformed parameters to avoid NRE during SQL interpolation. |
| src/MeshWeaver.Hosting.Blazor/MeshWeaver.Hosting.Blazor.csproj | Adds NU1510 suppression. |
| src/MeshWeaver.Graph/PartitionTypeSource.cs | Updates docs to Source/ naming. |
| src/MeshWeaver.Graph/MeshWeaver.Graph.csproj | References MeshWeaver.NuGet. |
| src/MeshWeaver.Graph/MeshNodeLayoutAreas.cs | Improves create href behavior + reactive/grouped children catalog. |
| src/MeshWeaver.Graph/MeshDataSource.cs | Updates docs to Source/ naming. |
| src/MeshWeaver.Graph/Configuration/ScriptCompilationService.cs | Integrates NuGet directive parsing + resolver into compilation. |
| src/MeshWeaver.Graph/Configuration/NodeTypeDefinition.cs | Updates docs/examples to Source/ naming. |
| src/MeshWeaver.Graph/Configuration/MeshDataSourceNodeType.cs | Changes sources namespace constant to Source. |
| src/MeshWeaver.Graph/Configuration/GraphConfigurationExtensions.cs | Registers NuGet resolver and uses Source code path. |
| src/MeshWeaver.Graph/Configuration/CodeNodeType.cs | Treats Code nodes as primary content; defines Source/Test constants. |
| src/MeshWeaver.Documentation/Data/DataMesh/UnifiedPath.md | Documents @/ semantics and HTML-href pitfalls. |
| src/MeshWeaver.Documentation/Data/DataMesh/SocialMedia/Profile/Source/SocialMediaProfileLayoutAreas.cs | Adds SocialMedia profile layout areas example. |
| src/MeshWeaver.Documentation/Data/DataMesh/SocialMedia/Profile/Source/SocialMediaProfile.cs | Adds SocialMedia profile content model example. |
| src/MeshWeaver.Documentation/Data/DataMesh/SocialMedia/Post/Source/SocialMediaPost.cs | Adds SocialMedia post content model example. |
| src/MeshWeaver.Documentation/Data/DataMesh/SocialMedia/Post/Source/Platform.cs | Adds SocialMedia platform reference-data example. |
| src/MeshWeaver.Documentation/Data/DataMesh/SocialMedia.md | Updates docs to Source/ naming and authoring guidance. |
| src/MeshWeaver.Documentation/Data/DataMesh/SatelliteEntities.md | Clarifies Source/Test are primary content, not satellites. |
| src/MeshWeaver.Documentation/Data/DataMesh/NodeTypes.md | Adds Node Types documentation index page. |
| src/MeshWeaver.Documentation/Data/DataMesh/NodeTypeConfiguration.md | Updates docs to Source/ naming. |
| src/MeshWeaver.Documentation/Data/DataMesh/NodeOperations.md | Updates docs to Source/ naming. |
| src/MeshWeaver.Documentation/Data/DataMesh/DataConfiguration.md | Updates docs to Source/ naming. |
| src/MeshWeaver.Documentation/Data/DataMesh/CreatingNodeTypes.md | Updates docs to Source/Test naming throughout. |
| src/MeshWeaver.Documentation/Data/DataMesh.md | Updates TOC links and adds NuGet packages bullet. |
| src/MeshWeaver.Documentation/Data/Architecture/PartitionedPersistence.md | Updates persistence routing docs for Source/Test. |
| src/MeshWeaver.Documentation/Data/Architecture/MeshGraph.md | Updates examples to Source/ naming. |
| src/MeshWeaver.Documentation/Data/Architecture/BusinessRules/Cession/Source/CessionSampleData.cs | Adds cession sample dataset for docs/demo. |
| src/MeshWeaver.Documentation/Data/Architecture/BusinessRules/Cession/Source/CessionResultsArea.cs | Adds reactive charting layout area example. |
| src/MeshWeaver.Documentation/Data/Architecture/BusinessRules/Cession/Source/CessionEngine.cs | Adds pure business logic sample for cession calculations. |
| src/MeshWeaver.Documentation/Data/Architecture/BusinessRules/Cession/Source/CessionData.cs | Adds content models for cession example. |
| src/MeshWeaver.Data/Serialization/SyncStreamOptions.cs | Adds configurable heartbeat interval for sync streams. |
| src/MeshWeaver.Data/Serialization/JsonSynchronizationStream.cs | Implements resubscribe-on-owner-dispose logic. |
| src/MeshWeaver.Blazor/Pages/ApplicationPage.razor | Switches to NavigationStatus-driven progress/not-found/error UI. |
| src/MeshWeaver.Blazor/Components/NavigationProgressBar.razor.css | Adds styling for full-page vs compact overlay progress bar. |
| src/MeshWeaver.Blazor/Components/NavigationProgressBar.razor | Adds reusable “spinner + message” component. |
| src/MeshWeaver.Blazor/Components/MeshSearchView.razor.cs | Adds Category grouping fallback to NodeType. |
| src/MeshWeaver.Blazor/Components/LayoutAreaView.razor.cs | Adds stream lifecycle logging and additional diagnostics. |
| src/MeshWeaver.Blazor/Components/LayoutAreaView.razor | Surfaces compilation progress indicator before first stream emission. |
| src/MeshWeaver.Blazor/Components/CompileProgressIndicator.razor.css | Adds styling for compilation progress banner. |
| src/MeshWeaver.Blazor/Components/CompileProgressIndicator.razor | Adds polling UI component for active NodeType compilation. |
| src/MeshWeaver.Blazor.Portal/MeshWeaver.Blazor.Portal.csproj | Adds NU1510 suppression. |
| src/MeshWeaver.Blazor.AI/MeshWeaver.Blazor.AI.csproj | Adds NU1510 suppression. |
| src/MeshWeaver.Blazor.AI/McpMeshPlugin.cs | Adds Patch/Move/Copy MCP tools and improves tool descriptions. |
| src/MeshWeaver.AI/ThreadLayoutAreas.cs | Adds debug logging around streaming view emission. |
| src/MeshWeaver.AI/IconGenerator.cs | Adds default AI-backed IIconGenerator implementation. |
| src/MeshWeaver.AI/DelegationCompletedEvent.cs | Removes delegation tracker/event types. |
| src/MeshWeaver.AI/Data/Agent/Worker.md | Updates @/ link guidance (no raw HTML href with @/). |
| src/MeshWeaver.AI/Data/Agent/ToolsReference.md | Updates @/ link guidance and provides correct/incorrect table. |
| src/MeshWeaver.AI/Data/Agent/Orchestrator.md | Updates @/ link guidance for agent outputs. |
| src/MeshWeaver.AI/AIExtensions.cs | Removes old type registration; registers IIconGenerator. |
| memex/aspire/Memex.Portal.Distributed/Program.cs | Registers blob-backed NuGet package cache in distributed deployment. |
| memex/aspire/Memex.Portal.Distributed/Memex.Portal.Distributed.csproj | References MeshWeaver.NuGet.AzureBlob. |
| memex/aspire/Memex.Database.Migration/Program.cs | Adds source/test to reserved schema list. |
| memex/aspire/Memex.AppHost/Program.cs | Adds LinkedIn secret/env wiring + sets NUGET_PACKAGES cache dir. |
| memex/Memex.Portal.Shared/Social/SocialMediaUserMenuProvider.cs | Adds “Social Media” shortcut on a user’s own node (lazy hub creation). |
| memex/Memex.Portal.Shared/Social/ApiCredentialNodeType.cs | Adds NodeType for PlatformCredential stored under _ApiCredentials. |
| memex/Memex.Portal.Shared/Pages/Login.razor | Adds “Connect LinkedIn for publishing” CTA on login page. |
| memex/Memex.Portal.Shared/OrganizationNodeType.cs | Switches to default layout areas registration. |
| memex/Memex.Portal.Shared/MemexConfiguration.cs | Adds LinkedIn publisher wiring, @/ redirect middleware, and routes. |
| memex/Memex.Portal.Shared/Memex.Portal.Shared.csproj | References MeshWeaver.Social. |
| memex/Memex.Portal.Monolith/appsettings.Development.json | Enables debug logging for LayoutAreaView. |
| MeshWeaver.slnx | Adds new projects (NuGet, NuGet.AzureBlob, Social, new test projects). |
| Directory.Packages.props | Adds NuGet.* package versions for resolver implementation. |
| CLAUDE.md | Documents @/ local-only rule and href/URL restrictions. |
| (Various) samples/Graph/... | Adds/updates many sample NodeTypes and content under Source/ to reflect new conventions and demos. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rbuergi
added a commit
that referenced
this pull request
Apr 22, 2026
…+ test helpers Recursive DeleteNodeRequest handled on a node's own hub was deadlocking: the final DeleteSelfFromStorage posted Ok and DisposeRequest from the dying hub, so the Ok raced callback disposal on the caller and was lost. Introduce CommitNodeDeletionMessage and forward the terminal commit (storage delete + reply + grain dispose) to the resolved mesh hub (walking ParentHub upward) — Sender becomes the stable mesh hub, FIFO on the caller's inbound queue guarantees Ok resolves the RegisterCallback before DisposeRequest arrives. Also addresses two Copilot review comments on PR #95: - FileSystemStorageAdapter.DeleteAsync empty-directory ascent is now concurrency- tolerant: wraps the enumerate + Directory.Delete in try/catch, swallowing the DirectoryNotFoundException race and breaking on IOException (non-empty / in-use). Required because FileSystemPersistenceService.MoveNodeAsync now parallelizes descendant deletes via Task.WhenAll. - PostStatsRefresherTest.WaitUntilAsync throws TimeoutException with a descriptive message instead of returning silently on deadline, so the test cannot green-tick a stats-refresh that never happened. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Author
|
@copilot resolve the merge conflicts in this pull request |
Resolved. The merge with Conflicts resolved:
|
Contributor
Author
Code review — recent stability batch
Manual review of the last ~20 commits since Correctness — should fix before merge1. ✅ foreach (var (k, v) in perParams)
{
var newKey = "@" + prefix + k.TrimStart('@');
renamedSql = renamedSql.Replace(k, newKey);
renamedParams[newKey] = v;
}
Fix: single regex pass keyed on 2. ✅ Fix: 3. ✅ Fix: parse every query in 4. ✅ Fix: Race / lifecycle hazards5. ✅ Fix: drop the time-based heuristic in favour of a structural one — skip recovery only when the thread is still an auto-execute candidate ( 6. ✅ 7. ✅ 8. ✅ Fix: pre-allocate the Style / consistency9. ✅ 10. ✅ 11. ✅ Fix: drop the per-query Limit injection. Limit is enforced post-union via ✅ Looks good (no action needed)
|
Contributor
Author
Code review — part 2: rest of the PR
Continuing review on the bulk of the PR (everything before the recent stability batch). Focused on the new projects ( Correctness — should fix before merge12. ✅ return _cache.GetOrAdd(key, _ => ResolveCoreAsync(requested, framework, ct));If Fix: evict faulted/cancelled tasks from the cache before returning. Also pass 13. ✅ Fix: switched to 14. ✅ Fix: post-hydration, the resolver opens the package folder via 15. ✅ Fix: defensive 16. ✅ Race / lifecycle hazards17. ✅ 18. ✅ 19. ✅ Fix: replaced with a single bounded Style / consistency20. ✅ Fix: register the publisher as a true singleton via 21. ✅ Fix: gate hosted-service registration on 22. ✅ 23. ✅ ✅ Looks good (no action needed)
Areas not covered in this reviewPersistence-service refactors ( |
Contributor
Author
Review fixes applied — all 23 items addressed5 commits, organised by batch. Locally committed, not pushed yet.
Verification
Notes
Ready to push when you want. |
Contributor
Author
|
Done — review item #14 is now closed in commit |
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
…fix DI lifetimes, redact PII, drop dynamic - ThreadExecution: collapse triple-stacked <summary> blocks on WatchForExecution and NotifyParentCompletion. Tooling kept the last one anyway; the dead scaffolding was just noise. - SocialExtensions: register LinkedInPublisher / XPublisher as TRUE singletons (factory-resolved with named HttpClient). The previous AddHttpClient<T>+AddSingleton<IPlatformPublisher> mix made the concrete type transient while the interface alias was singleton — direct vs via-interface resolution returned different instances. Also gate hosted-service registration on at least one platform being configured (the "all-or-nothing" comment was wrong; with zero platforms the four hosted services started anyway and faulted on first tick). - LinkedInPublisher: replace `(dynamic)media.shareMediaCategory` peek with two concrete payload shapes — typo turns into a compile error instead of a RuntimeBinderException. - LinkedIn / X publishers: cap error-body logs at 200 chars to bound PII exposure (the body can echo the user's post text on validation rejection). Full body still goes to PublishResult.Error for the caller. Addresses PR #95 review items #9, #20, #21, #22, #23. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
… in-memory engines
PostgreSqlStorageAdapter.QueryNodesAsync(IReadOnlyList<ParsedQuery>):
- Replace order-dependent `string.Replace` parameter rename with a
single `Regex.Replace` keyed on @<name> word boundary that gates
on perParams.ContainsKey. Sequential Replace was mangling adjacent
tokens (renaming `@p` after `@p1` produced `@q0_q0_p1`) and could
clobber `@…` substrings inside string literals / JSONB paths.
- Switch from `UNION` to `UNION ALL` wrapped in
`SELECT DISTINCT ON (namespace, id) ... ORDER BY namespace, id, last_modified DESC`.
Plain UNION dedupes whole rows — two queries observing the same
node at slightly-different last_modified would BOTH appear in the
output. Path-keyed dedup (= MeshNode identity) with newest-wins
tie-break collapses them correctly.
PostgreSqlMeshQuery.ObserveQuery<T>:
- Parse EVERY query in request.EffectiveQueries and build per-query
(basePath, scope) filters; the change-notifier subscription
OR-joins them so multi-query observations get delta refreshes
triggered by ANY query's path/scope, not just query #0's. The
previous shape silently lost live updates from queries #1+.
PostgreSqlMeshQuery.QueryNodesUnionAsync + MeshQueryEngine:
- Drop the per-query `parsedList[0].Limit = request.Limit` injection.
Query #0 hit its limit before yielding the union's most relevant
rows, while queries #1+ contributed unbounded — making the result
iteration-order dependent. Limit is now enforced post-union via
MinLimit(request.Limit, firstParsed.Limit) so a request-level cap
can't be circumvented and an in-query `limit:N` still wins when
smaller.
- MeshQueryEngine: CollectMatchedAsync returns the LIST of every
query's basePath; the source:activity post-filter scans every
base path's descendants and unions activity-main-paths so
queries #1+ aren't filtered against query #0's subtree only.
Addresses PR #95 review items #1, #2, #3, #4, #11.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
…ThreadExecution stability fixes ThreadExecution.cs (already in commit 478fdaa — recapping here for the review-item index): - RecoverStaleExecutingThread: drop the 2-minute "fresh execution" window in favour of a structural check (skip when PendingUserMessage + ActiveMessageId are still set, i.e. the thread is an auto-execute candidate WatchForExecution will pick up). Closes the "long-running agent crashed at minute 5 → IsExecuting=true forever" gap; the time-based heuristic contradicted commit 6dc436b's "no time limits" stance. - Subject<StreamingSnapshot>: declare with `using var` so the Subject itself disposes alongside its subscription. Minor leak per execution previously. - HandleSubmitMessage: pre-allocate the per-round CancellationTokenSource and store it on the thread hub BEFORE posting SubmitMessageResponse — closes the race where an early Stop click between IsExecuting=true and ExecuteMessageAsync's `parentHub.Set(executionCts)` found a null CTS slot and silently no-op'd. ExecuteMessageAsync now reuses the pre-allocated CTS (with a fallback for the auto-execute path that bypasses HandleSubmitMessage). IsExecutingLifecycleTest.cs: - Migrate the response-text wait from text-pattern matching (skipping placeholders "Allocating agent..." etc.) to `ThreadMessage.CompletedAt is not null`, which ExecuteMessageAsync sets only on the terminal PushToResponseMessage call. Same pattern adopted in ChatHistoryTest in commit ab3af8b. - Add a regression assertion that final ThreadMessage.Status == Completed. The terminal-status guard in PushToResponseMessage prevents the late Sample(100ms)-flushed Streaming push from regressing the cell from Completed back to Streaming; this assertion catches any future regression of that guard. Addresses PR #95 review items #5, #6, #7, #8, #10. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
…, parallelism, backoff)
NuGetAssemblyResolver:
- Evict faulted/cancelled tasks from the per-key cache before
returning. A transient feed failure (network, throttle, cancelled
in-flight resolve) used to poison the cache for the resolver's
lifetime — every subsequent call replayed the same exception.
- Pass CancellationToken.None to the shared core task so a single
caller's cancellation can't take down the resolution for
others; per-caller `ct` projects via `task.WaitAsync(ct)`.
- Switch DependencyBehavior from `Lowest` to `HighestMinor` so
`#r` directives pick up patch-level security fixes via
transitive dependencies without silently jumping major/minor.
- Document that hydrated cache content is trusted to match
(id, version) — flag for future content-hash verification if
cache poisoning becomes a concern.
LinkedInPublisher / XPublisher (LinkedIn already committed in batch A
for the dynamic+PII parts; this commit adds the 401 retry):
- SendWith401RetryAsync: on the FIRST 401 response from a publish,
force-refresh the token (zero ExpiresAt before EnsureFreshAsync)
and retry once. Closes the race where the access token's TTL
expired between EnsureFreshAsync and the actual API call.
PostStatsRefresher:
- Process due-refresh targets via Parallel.ForEachAsync bounded
by SocialOptions.StatsRefreshDegreeOfParallelism (default 8),
so a slow API + large refresh window can't let one tick
overshoot the next interval.
- Per-target failure backoff via a ConcurrentDictionary of
last-failure timestamps — targets that failed within
StatsRefreshFailureBackoff (default 15 min) skip the next tick.
Stops a degraded platform from generating thousands of repeat
warnings every cycle while the underlying issue is fixed.
Success clears the backoff entry.
SocialOptions: add StatsRefreshDegreeOfParallelism (8) and
StatsRefreshFailureBackoff (15 min) knobs.
Addresses PR #95 review items #12, #13, #14, #16, #17, #18.
(#15 XPublisher defensive parse + the LinkedIn dynamic / PII items
were already in commit 478fdaa.)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
… file lock The MESHWEAVER_DISPOSE_TRACE=1 trace took a global lock per call (`File.AppendAllText` under `lock (DisposeTraceLogLock)`), serialising hub teardown under load when many hubs disposed concurrently. Replaced with a single bounded `Channel<string>` (capacity 4096, FullMode = DropWrite) drained by one writer task started in the type initialiser. Producers `TryWrite` non-blocking — if the disk is slow / locked, lines drop on full instead of putting back-pressure on dispose. Single-reader semantics avoid contention on the file handle. Addresses PR #95 review item #19. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
Replaces the TODO from commit 512adb4. After a successful INuGetPackageCache.TryHydrateAsync, the resolver now opens the hydrated folder via PackageFolderReader and compares the package's own .nuspec-declared (id, version) against the expected (id, version). On mismatch the directory is purged and the resolver falls back to the feed. This catches the failure modes #14 was about: wrong package stored under right key (cross-tenant blob, accidental copy, drift after a manual edit). The .nuspec is the canonical NuGet source of truth, so a tampered cache entry can't fake the identity without rewriting the nuspec — which we'd then catch at hydration time. No INuGetPackageCache contract change; validation lives entirely in the resolver. Closes the last open item from PR #95 review (item #14). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ot RequestedReleaseAt The a59763a first-build kickoff set `RequestedReleaseAt = DateTimeOffset.UtcNow` to trigger compile, but RequestedReleaseAt is the USER-DRIVEN release trigger (Compile button + dirty re-build). Misattributing the kickoff to "user action": 1. Trips CodeEditRecompileTest.PressingCompileButton_SetsRequestedReleaseAt_… which asserts `RequestedReleaseAt is null` immediately after first-build (kickoff should bypass the release trigger). 2. Pollutes audit logs — the activity record claims a user pressed Compile when actually the framework first-built on grain activation. Fix: kickoff flips CompilationStatus = Pending directly. The watcher (InstallCompileWatcher) already drives Pending → Compiling → Ok/Error on the regular path; bypassing the release trigger is the correct infrastructure shape. Per-user recompile (Compile button) still flows through RequestedReleaseAt as the explicit user action. Local verification: - CodeEditRecompileTest.PressingCompileButton_… now passes - NodeType_RequestedReleasePath_PinsToHistoricalRelease passes (in isolation) - BackgroundActivation_OfDynamicNodeType_DoesNotLoopRecompiles still passes Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Git Bash's PATH lookup doesn't expand .cmd extensions, so 'aspire' (no suffix) returns 'command not found' even after dotnet tool install -g Aspire.Cli drops aspire.cmd into ~/.dotnet/tools. The script's 'aspire deploy' line silently aborted on Windows hosts and the wrapper returned exit 0 anyway — the load-bearing db_version polling never ran, the deploy didn't happen, and the operator thought it succeeded. Resolve the aspire binary explicitly: command -v aspire || aspire.cmd || ~/.dotnet/tools/aspire.cmd. Fail loud with install instructions if none are present. Works on Linux/macOS (picks 'aspire' from PATH) and Windows + Git Bash (picks 'aspire.cmd'). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…rop projection mirror
Three precision fixes to the thread execution preparation + streaming flow,
prompted by the 2026-05-21 prod symptom on add-markus-kleiner-... (Status
stuck at StartingExecution after a deploy; pendingUserMessages never
drained; no response cell created; GUI hangs).
Part A — Single source of truth for response path
Thread.ActiveMessageId xmldoc updated: the canonical handle is the id;
full response path always derives as {threadPath}/{ActiveMessageId}. No
separate ActiveResponsePath schema field — derive at the use site. Stamped
by DispatchRound at round commit; cleared on round end. Every actor
(_Exec, parent's delegation watcher, cancel watcher, GUI status bar)
reads ActiveMessageId off the live thread node.
Part B — _Exec routes through IMeshNodeStreamCache (read + write)
ExecuteMessageAsync: dropped workspace.GetRemoteStream<MeshNode,
MeshNodeReference>(responsePath) handle. Reads responseMsgId from
request.ResponseMessageId, derives responsePath as
{threadPath}/{responseMsgId}, writes streaming chunks via
cache.Update(responsePath, fn). Same shared upstream handle the GUI
(ThreadMessageItemView + DelegationToolCallCardView) reads from — no
more read/write handle-split between server streaming and GUI views.
UpdateResponseCell signature changed: takes IMeshNodeStreamCache instead
of IWorkspace. All callsites (RecoverStaleExecutingThread,
WatchForExecution.StartExecution, HandleSubmitMessageLegacy,
init-stall-unstick, ThreadSubmission.DispatchRound) updated.
SubmitMessageRequest: ResponsePath property removed. Was redundant once
the id was the canonical handle.
Part C — Failure rollback in HandleStartExecutionOnExec
The prod symptom's root cause: DispatchAfterClaim accepted onFailure but
the call site passed null, so any error in user-cell / response-cell
creation OR the round-commit UpdateMeshNode silently left Status stuck at
StartingExecution forever. Wire a real onFailure that rolls Status back
to Idle via cache.Update so the submission watcher re-dispatches on the
next tick. Guards inside the lambda against clobbering if another actor
already moved Status forward. DispatchAfterClaim signature gains the
onFailure parameter (defaulted to null for legacy callers).
Part D — Drop per-tick projection mirror; sub-thread streams direct
Per user direction "we don't need to duplicate in tool call entry — just
stream from sub-thread": ChatClientAgentFactory.ExecuteDelegationAsync
no longer writes a last-10-lines preview onto the parent's ToolCallEntry
on every emission. Renamed ProjectOntoParentToolCall → StampTerminalOn-
ParentToolCall. ONE write per delegation lifecycle now: terminal Status
+ Result = full accumulated text (the FunctionResultContent FCC delivers
to the parent agent). Subscriptions to sub-thread + response cell stay,
but they exist ONLY to detect terminal; no body mirroring.
DelegationToolCallCardView gains a third subscription: when the sub-
thread node emits ActiveMessageId, open cache.GetStream({delegationPath}/
{activeMsgId}) and render its live Text as the card body (last 10 lines).
GUI streams sub-thread output directly from the sub-thread cell — single
source of truth, no mirror-staleness, no risk of duplicate ToolCallEntry
rendering.
Regression: OrleansThreadColdLoadHangTest 2/2 PASS (18s).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ation User input now has a vertical accent rail (3px left border), muted background, and slightly heavier sans-serif weight with whitespace-preserved body — same shape Claude Code uses for user prompts. Assistant output sits in the natural reading flow with default typography (so markdown blocks, code, lists render naturally). Specifics: * Author label: uppercase + accent color for user; baseline-aligned + model hint for assistant. * Pending submissions get a subtle 1.8s pulse animation on the background so it's clear something's in flight without a spinner. * Tool-call chips (non-delegation) reuse the existing pill shape; pending ones use the accent color, completed ones fade to hint color. Scoped per-component (.razor.css) — no global stylesheet bleed; FluentUI CSS variables (--accent-fill-rest, --neutral-foreground-rest, etc.) keep the dark/light theme parity automatic. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pulls together the leftover server-side pieces of the delegation refactor: 1. MeshNodeStreamHandle auto-routes cross-hub reads/writes through `IMeshNodeStreamCache` when one is registered, so every cross-hub `workspace.GetMeshNodeStream(path)` goes through the singleton handle per path. `GetMeshNodeStreamBypassCache` is the cache's own escape hatch (avoids recursion). Single shared upstream per path, writes observed by every reader. 2. `ToolCallEntry` gains `CallId` — FCC's `FunctionCallContent.CallId`, stamped on the streaming-loop's bare append + propagated through the `FunctionResultContent` SetItem. Dedup in the FCC handler uses CallId as the primary key so FCC re-emitting the same FC in turn 2's stream (history echo) doesn't produce a duplicate entry. `pendingCalls` gets cleared on FRC, which made the prior `isDuplicate` check unreliable. 3. `StampTerminalOnParentToolCall` in `ExecuteDelegationAsync` becomes a no-op stub. Earlier shapes (cache.Update OR ForwardToolCall mirror) both raced with the streaming loop's writes — UpdateRemote captured stale `current` on concurrent calls (intermittent Result loss), or produced duplicate entries when the mirror fired before the bare append. The streaming-loop's FCC append → UpdateDelegationStatus stamp → FCC FunctionResultContent SetItem flow is the single canonical writer. 4. New `DelegationWriteCountTest` pins the structural invariant: one ToolCallEntry per DelegationPath, terminal Status (not Streaming). 10/10 stable in local repeats; covered the previous 0/10 flake. 5. ChatClientAgentFactory's function-invocation middleware comment marks it as effectively dead-weight today — AgentChatClient calls `agent.ChatClient.GetStreamingResponseAsync` directly, bypassing `agent.RunStreamingAsync` where Microsoft.Agents.AI middleware would fire. Result population now goes through FRC only. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…e auto-redirect 2026-05-22 prod incident: empty start screen, queries returning nothing after the deploy in commit 08e4c48. Root cause: the auto-redirect of MeshNodeStreamHandle.Subscribe + Update through IMeshNodeStreamCache shoved every cross-hub workspace.GetMeshNodeStream(path) caller — auth chain, NodeType resolution, partition discovery, layout area bootstrap, routing handles — through the cache's per-(path,user) Read-permission gate. Internal callers that previously read direct (no gate) were silently denied, leaving the UI with empty result sets. The cache stays as an opt-in optimisation: call cache.GetStream(path) / cache.Update(path, fn) when you want the shared upstream + write fan-out. Don't force every handle through it — it shifts the security boundary for a lot of code that wasn't designed for it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
… no cache auto-redirect" This reverts commit 59d34b1.
…eStream.Update
The old test posted `new DataChangeRequest { ChangedBy = X }.WithUpdates(meshNode)`
to verify the JsonSynchronizationStream echo filter (line 434). That pattern is
broken by design per CLAUDE.md (DataChangeRequest with a partial MeshNode fails
at TypeDefinition.GetKey "No key mapping for MeshNode"), which surfaced as 16
cascading SYNC_STREAM OnError warnings in CI logs and a wrong assertion in
local runs.
Rewrite as a single GetMeshNodeStreamUpdate_PropagatesToRemoteSubscriber test:
subscribe via GetRemoteStream<MeshNode, MeshNodeReference>, write via
workspace.GetMeshNodeStream(path).Update(...), assert the subscriber observes
the change. The cache stream's ClientId differs from the subscriber stream's
ClientId, so the server-side echo filter forwards the change rather than
suppressing it — exercises the same line-434 filter as the old test, but via
the canonical mutation API.
Result: passes in 7 s with zero sync-stream warnings and zero errors.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Author
|
@copilot resolve the merge conflicts in this pull request |
… rename supersedes Markdown correction)
…imeout=30_000 The mass per-test [Fact(Timeout = 30_000)] I added was a regression: tests that legitimately need a longer wait window (SubThreadHangRepro's HungSubThread observation at 45s, DelegationWriteCountTest's 60s CT, my own ThreadControlPlaneConcurrencyTest's 90s CT) were cut at 30s and showed up in CI as timeouts. Restored to plain [Fact] and bumped the global methodTimeout in test/xunit.runner.json to 90s — matches the longest internal CT in the suite, kills anything that genuinely hangs without false-positive on tests that need a longer wait. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bumping to 90s masked real hangs. 30s is the right per-test budget; tests that legitimately need more must set [Fact(Timeout=N)] explicitly on the affected method. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…mesh leak ConcurrentRequests_MultipleNodeTypes_AllLoadWithoutHanging was deadlocking when run as the 12th test in PageLoadingTest's shared-mesh suite, but passing in isolation. The 11 prior tests each create a client at the SAME address (client/1) without disposing it; RoutingService.RegisterStream overwrites streams[client/1] on every subsequent GetClient(). The abandoned per-test clients leak — but their server-side LayoutAreaReference sync streams stay alive on the per-node hubs (ACME, Cornerstone/Microsoft, Northwind) and emit DataChangedEvents addressed to client/1 forever. Those events route through streams[client/1] to whichever client owns that slot RIGHT NOW (the 12th one), and queue on its action block ahead of the 4 fresh SubscribeRequests + their initial LayoutArea emissions. Hence all 4 stream FirstAsyncs time out at 20s even though every Ping returns in <100ms. Verified: when run via `dotnet test --filter ConcurrentRequests` (just the one test class), the test passes in 4-8s. When run via `dotnet test --filter PageLoadingTest|ConcurrentRequests`, both classes get their own mesh — ConcurrentRequests passes (4s). Future-proofing note: the real fix would be to dispose abandoned clients (e.g. tag each GetClient() with the active test and dispose on test-method DisposeAsync, or give each client a unique address rather than reusing client/1). Either is a bigger refactor across many test classes; this commit isolates the symptom to unblock CI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…nsions
Single source of truth for thread mutations — tests, GUI, and agents now all
call the same surface:
hub.StartThread(namespacePath, userText, ...);
hub.SubmitMessage(threadPath, userText, ...);
hub.ResubmitMessage(threadPath, userMessageId, ...);
hub.DeleteFromMessage(threadPath, atMessageId);
hub.MarkThreadDone(threadPath, done);
hub.RecordSubmissionFailure(threadPath, ...);
Every method writes the thread node via hub.GetWorkspace().GetMeshNodeStream(
threadPath).Update(...) (or CreateNodeRequest for new-thread lifecycle); the
per-thread submission watcher reacts to the resulting state changes. No
SubmitMessageRequest, no parameter-bag context records, no hub.Post shortcuts.
Deleted:
- SubmitContext, ResubmitContext records
- ThreadSubmission.Submit / CreateThreadAndSubmit / Resubmit static methods
- ThreadSubmission.ApplyResubmit / ApplyDeleteFromMessage /
ApplyRecordSubmissionFailure / MarkThreadDone (all moved to hub extensions)
- ThreadFlow.Submit wrapper (callers use hub.SubmitMessage directly)
Migrated 22 test files + 4 src files (ThreadChatView.razor.cs, ThreadFlow.cs,
ThreadLayoutAreas.cs, ThreadMessageLayoutAreas.cs). UserOnboardingServiceTests
updated to reflect that CreateUser now writes 2 rows (partition-root +
user-catalog mirror), not 3 — the Admin/Partition catalog entry was dropped in
the prior Space rename commit (lazy-create handles it).
New doc: Doc/Architecture/ThreadOperations.md. CLAUDE.md updated to point at it
and show the canonical surface.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ispatch internal Public surface for thread operations is now exclusively HubThreadExtensions on IMessageHub. ThreadSubmission / ThreadExecution / RoundDispatch are implementation details — no external code should reach into them. ResubmitIntent and FailureRecord stay public because they're property types of the public MeshThread record (CS0050 inconsistent-accessibility otherwise) — that's the next refactor target: the user wants the thread hub to subscribe to its own state and react, eliminating the intent-payload + per-operation watcher indirection entirely. InternalsVisibleTo extended to MeshWeaver.Threading.Test so its LoadConversationHistoryTest can keep exercising the LoadFullConversationHistoryFromMesh helper without it being part of the public surface. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…— inline the mutations
The thread hub no longer reacts to control-plane intent payloads
(ResubmitIntent / FailureRecord) sitting on the thread node. Every
HubThreadExtensions method now does the FULL state mutation inline inside one
stream.Update on the thread node — single canonical write path, single
subscription left on the thread hub (InstallServerWatcher for round dispatch).
Deleted:
- MeshThread.RequestedResubmit / RequestedDeleteFromMessageId / PendingFailures
fields
- ResubmitIntent + FailureRecord records (and their type registrations in
AIExtensions)
- ThreadSubmissionServer.InstallResubmitWatcher / InstallDeleteFromMessageWatcher
/ InstallFailureRecordWatcher + ProcessOneFailure helper
- The three matching ThreadExecution wrappers + WithInitialization
registrations
- ThreadControlPlaneConcurrencyTest.cs (tested the intent+watcher dance which
no longer exists; HubThreadExtensions coverage replaces it)
HubThreadExtensions.ResubmitMessage now performs the truncate + re-queue
mutation inline (mirroring what the old resubmit watcher did) and writes the
cell-text update to the per-message satellite via IMeshNodeStreamCache when
newUserText is supplied. DeleteFromMessage is a one-line truncation.
RecordSubmissionFailure chains CreateNode(errorCell) → stream.Update(thread).
Docs updated: ThreadOperations.md, RequestViaStreamUpdate.md, ActivityControlPlane.md
all reflect the inline-mutation pattern; the intent-row entries on the
ActivityControlPlane intent/state table are removed.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
App Insights ingest cost analysis from CI run 26474008139 — top Information emitters: 910 MeshWeaver.Graph.SyncedQuery (per-query Initial + per-snapshot emission) 284 MeshWeaver.Hosting.Persistence.Query.StaticNodeQueryProvider (ctor) 200+ MeshWeaver.AI.AgentChatClient (per-round agent + model lists + factory pick) Every one of these fires on each test setup or each chat round; in production they were billing App Insights per ingest for traces that are only interesting during a focused debugging session. Demoted to Debug: - SyncedQueryMeshNodes.cs (lines 299, 344) — per-emission noise - StaticNodeQueryProvider.cs (line 98) — provider-count ctor trace - AgentChatClient.cs — [AgentChat]/[AgentChatClient] traces (every match) User-actionable Information lines (Switched/Resumed/Created thread) stay. Production App Insights config (memex/aspire/Memex.Portal.Distributed/appsettings.json): - Default raised back to Information (was Warning) so genuinely user-visible events surface in the dashboard. - ApplicationInsights filter caps known-chatty namespaces at Warning even when the top-level rises — defence-in-depth against future drift. - Removed the 2026-05-22 + 2026-05-24 diagnostic Debug overrides that were never cleaned up. Per-test file logging (XUnitFileOutputHelper) is now opt-in via MESHWEAVER_TEST_FILE_LOGS=1. Disabled by default so CI doesn't write thousands of per-method .log files. xUnit console output is unaffected; only the disk-resident test-logs/*.log files are gated. CLAUDE.md (already in 7c04fb5 via parallel session) + DebuggingMessageFlow.md document the rule: never edit Log level in src/ for a debug session — edit the bin/appsettings.json (reloadOnChange:true) instead. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…us extensions
Same shape as HubThreadExtensions. Replaces the five-line
hand-rolled GetMeshNodeStream(path).Update(curr => curr.Content is ActivityLog
log ? curr with { Content = log with { RequestedStatus = ... } } : curr).Subscribe(...)
sprawl with hub.CancelActivity(path) one-liners.
- hub.CancelActivity(activityPath) — RequestedStatus = Cancelled
- hub.RequestActivityStatus(path, status) — generic flip (Running, etc.)
Both no-op when the node's content isn't an ActivityLog or the request is
already pending. The activity hub's existing WatchControlPlane handler picks
up the patch and runs the internal transition (CTS trip / script start /
etc.) — no new subscription, no message types.
Migrated 4 call sites (RunningActivitiesStripe + 3 Overview/CancelButton/
Progress handlers in ActivityLayoutAreas + ScriptExecutionInUserHomeTest)
and the matching code blocks in ActivityControlPlane.md and
NodeTypeCompilation.md.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…sections New doc src/MeshWeaver.Documentation/Data/Architecture/ActivityOperations.md mirrors ThreadOperations.md: documents the IMessageHub extension surface (hub.CancelActivity / hub.RequestActivityStatus), how the activity hub's WatchControlPlane reacts, and where the boundary between application code and WatchControlPlane (the server-side helper) sits. Both ThreadOperations.md and ActivityOperations.md "Observing the result" sections now show the canonical Subscribe + Dispose pattern only — no FirstAsync().ToTask(ct) in production code (it deadlocks hub-touching paths; see AsynchronousCalls.md). The Task bridge belongs at the test edge, not in the application-code example. CLAUDE.md now mentions both files and shows the Activity extension surface inline alongside the Thread surface. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
PageLoadingTest hangs in CI were 3 separate flakes traced to the same root cause: cold Roslyn compile of custom NodeTypes (Cornerstone/Insured + Pricing + Article, ACME/Article + Project + Todo) is much slower on the CI Linux runners than locally. Diagnosed by running each failing test locally with Trace logging per DebuggingMessageFlow.md — every one passed in 300 ms or less. Stream-level Timeout: 20s → 50s. Per-test [Theory/Fact(Timeout)]: 60s → 120s. The wider budget is only burned on cold compile; cache-hit runs (every test after the first activation per NodeType) still finish in milliseconds. A genuine hub-activation hang still surfaces within 120s rather than running indefinitely. Same change applied to ConcurrentRequestsTest (sibling class in the file) since it depends on the same NodeType compilations. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ions extensions Match the shape of hub.CancelActivity / hub.StartThread / hub.SubmitMessage: application code asks the hub for an answer; the extension resolves the process-wide ISecurityService and forwards. No more layout areas reaching into DI for ISecurityService, no more PermissionHelper.GetEffectivePermissions static-class calls, no more hand-rolled `namespace:.../_Access` queries. Four methods on IMessageHub: IObservable<Permission> hub.GetEffectivePermissions(path) // ambient user IObservable<Permission> hub.GetEffectivePermissions(path, userId) // explicit user IObservable<bool> hub.CheckPermission(path, permission) IObservable<bool> hub.CheckPermission(path, userId, permission) All return IObservable<T> end-to-end. Tests bridge to Task at their edge. Behind the scenes ISecurityService composes against the process-wide IMeshNodeStreamCache under WellKnownUsers.System identity — one shared sync subscription per scope (AccessAssignment subtree + PartitionAccessPolicy chain), held alive via Observable.Using(ImpersonateAsSystem, …) so the identity scope doesn't exit before the subscription emits. Zero per-hub synced-query subscriptions for access lookups → zero "hub-shaped principal set as AccessContext — must never happen" errors (the CI 59-occurrence flake culprit, traced to SecurityService.ObserveScopeAssignments leaking the hub identity through the synced-query subscription thread). Documentation: PermissionApi.md. Follow-ups (not in this commit): - Wire SecurityService's two ObserveScope* methods through IMeshNodeStreamCache with held system impersonation. - Migrate the 16 application-code callers of PermissionHelper.GetEffectivePermissions to hub.CheckPermission. - Decide on PermissionHelper deprecation timeline. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Header section directs application code to the hub.CheckPermission / hub.GetEffectivePermissions extensions (PermissionApi.md) and clarifies the rest of AccessControl.md covers the internals that back them. Removes the implicit invitation to resolve ISecurityService from DI in layout areas — that surface stays for framework-internal callers (the storage adapter's secured query path, the RLS node validator, the access-control pipeline) but is no longer the documented public API. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…NodeTypeAsync The two methods were [Obsolete]-marked legacy shims preserved only for the AgentSelectionTest class, which mocked IMeshService.ObserveQuery directly. Both production callers migrated to AgentPickerProjection.ObserveAgents (workspace-backed synced source) some time ago. Delete both methods and the test class. Coverage for the real flow lives in AgentChatClientNoSuitableAgentTest + AgentPickerProjectionTest, which exercise ObserveAgents end-to-end via a real workspace. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two test-infrastructure leaks rolled into one fix: 1. CreateClientAddress() returned a fixed `client/1` for every call. Under ShareMeshAcrossTests, each test's GetClient() overwrote streams[client/1] in RoutingService — the prior client hub stayed alive on the mesh, its server-side LayoutAreaReference / MeshNodeReference sync streams kept emitting DataChangedEvents addressed to client/1, and those events queued on the LATEST client/1's action block ahead of new SubscribeAcks + initial-state emissions. PageLoadingTest.ConcurrentRequests (commit 02dd88f) was the first symptom; the AI/Threading suite 6-min CI timeouts are the same shape at scale. Switched to `client/{guid12}` per call. Routing tables now partition per client; leaked traffic from a prior test lands at a dead slot and is dropped harmlessly. 2. GetClient() didn't track the hubs it created. The shared-mesh DisposeAsync skipped Mesh.Dispose entirely, so client hubs from prior tests stayed alive indefinitely (until process exit), each holding its routing-stream registration + workspace subscriptions. Added _clientsCreated list + DisposeTestClients() in DisposeAsync on both the shared-mesh and per-test paths. Each tracked client is disposed at end-of-test — the framework's Dispose hook unregisters the routing stream and cancels in-flight subscriptions, so the server-side sync streams complete cleanly without orphaned emission. Same fix shape applies to HubTestBase.CreateClientAddress (the sibling fixture base for HubTestBase-derived tests). Both call sites switched. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirror of commit 8cc3479 (MonolithMeshTestBase) on the Orleans side: - CreateClientAddress() now returns `client/{12-char-guid}` instead of the fixed `client/1`. Each test gets its own routing slot; leaked traffic from a prior test's client lands at a dead address and is dropped harmlessly. - GetClientAsync() appends each created hub to a per-test list; DisposeAsync disposes them before tearing down the cluster. Closes the synchronization streams paired with each client cleanly, so the silo's hosted-hub registry doesn't carry stale per-node subscriptions across tests within a shared cluster. Same root cause as the Monolith fix; mirror cleanup. The Orleans dispose runs BEFORE Cluster.DisposeAsync so the hubs unsubscribe before grain teardown — otherwise grain-driven re-emissions during shutdown can race the cluster's own shutdown sequence and produce NullReferenceExceptions in Orleans.Streams.PersistentStreamPullingManager.Stop (the 82-NRE batch we saw in CI logs). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…mission, hold ImpersonateAsSystem across SecurityService synced subscriptions Three coupled fixes, single commit: 1. **Observable.Using on SecurityService synced subscriptions.** ObserveScopeAssignments + ObserveScopePolicies opened the ImpersonateAsSystem scope INSIDE a `using` block and assigned the resulting `workspace.GetQuery(...)` observable to a variable — but the observable subscription happens LATER (Replay(1).RefCount fires on first subscriber). By the time the upstream change-feed handlers run, the `using` block has long exited and AsyncLocal AccessContext is whatever the caller's context happens to be — usually the hub's own address. AccessService.SetContext then logs that as `[Error] SetContext: hub-shaped principal ... set as AccessContext — must never happen` (the 59-occurrence CI flake on commit 8af66d8). Switched both methods to `Observable.Using(() => accessSvc.ImpersonateAsSystem(), _ => workspace.GetQuery(...))`. The impersonation scope opens on Subscribe and disposes on the observable's Dispose — alive for every emission, every change-feed callback, every re-query. 2. **Marked ISecurityService [EditorBrowsable(Advanced)].** Application code MUST go through hub.CheckPermission / hub.GetEffectivePermissions (the extension surface introduced in commit 2ef5a8b). The interface stays public because framework-internal consumers (AccessControlPipeline, RlsNodeValidator, StorageAdapterMeshQueryProvider) still resolve it; the IDE just hides it from default IntelliSense so new callers reach for the extension first. 3. **Killed PermissionHelper entirely.** Static-class wrapper around `_securityService.GetEffectivePermissions(path)`; redundant with the hub extension and a competing surface. Migrated all 17 application-code call sites in src/MeshWeaver.Graph + MarkdownExportMenuProvider: PermissionHelper.GetEffectivePermissions(hub, path) → hub.GetEffectivePermissions(path) PermissionHelper.CanEdit(hub, path) → hub.CheckPermission(path, Permission.Update) PermissionHelper.CanCreate(hub, parentPath) → hub.CheckPermission(parentPath, Permission.Create) PermissionHelper.CanDelete(hub, path) → hub.CheckPermission(path, Permission.Delete) Deleted PermissionHelper.cs. Test-file comments updated. Solution builds clean (0 warnings, 0 errors). CI run will validate that the AccessContext-leak fix dropped the 59 "hub-shaped principal" errors and the cascade of timing-out tests that triggered. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds IMessageHub extension that mirrors the existing IWorkspace.GetQuery overloads (cached single-arg + get-or-create multi-arg). Same shape as hub.GetMeshNodeStream / hub.CheckPermission / hub.StartThread — application code resolves the hub once and chains everything off it instead of also threading workspace through call sites. Internally delegates to hub.GetWorkspace().GetQuery(...) — zero behavior change, single-line wrapper. The follow-up commits centralise the synced-query registry on IMeshNodeStreamCache so all GetQuery calls share one process-wide cache hosted on the cache hub. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…eStreamCache Replaces the legacy per-workspace ConditionalWeakTable<IWorkspace, SyncedQueryRegistry> with a process-wide registry on the IMeshNodeStreamCache singleton. Every workspace.GetQuery / hub.GetQuery call now delegates to the same cache, regardless of which hub the caller originates from. Key changes: - IMeshNodeStreamCache.GetQuery(id, queries) — new method, registers on the cache hub's workspace so the upstream subscription runs under MeshNodeCacheIdentity (Permission.Read only). The secured query surface short-circuits to raw upstream; no per-hub AsyncLocal AccessContext can leak in. - IMeshNodeStreamCache.GetQuery(id) — lookup-only overload. - IMeshNodeStreamCache.GetQuery(id, options, queries) — typed-content overload, round-trips each emitted MeshNode's Content through the caller's JsonSerializerOptions at the cache boundary (same shape as GetStream(path, options)). - workspace.GetQuery / hub.GetQuery → delegate to the cache via workspace.Hub.ServiceProvider.GetRequiredService<IMeshNodeStreamCache>(). - WithMeshQuery no longer registers into a per-workspace registry — the typesource attaches directly to its data source, and lookups from other hubs go through the central cache. - Deleted SyncedQueryRegistry class entirely (was only used by the removed ConditionalWeakTable path). Query execution itself was already on TaskPoolScheduler.Default via .SubscribeOn(...) in StorageAdapterMeshQueryProvider — nothing here moves it back onto a hub action block. Build: clean. Graph tests: 296/296 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ice + RlsSecurityService Application code never reached into ISecurityService directly — it always went through hub.CheckPermission/GetEffectivePermissions, and the interface only existed to bridge the Mesh.Contract↔Hosting project boundary. The interface form was hostile to the canonical `hub.GetService<SecurityService>()` shape shared by every other framework service. Replace with: - `public abstract class SecurityService` in MeshWeaver.Mesh.Contract.Security (same namespace as before; same public surface as the old interface) - `public sealed class RlsSecurityService : SecurityService` in MeshWeaver.Hosting.Security — the concrete RLS implementation - `public sealed class NullSecurityService : SecurityService` in MeshWeaver.Mesh.Contract.Security — fall-through "permission granted" used by satellite access rules when RLS isn't configured - DI: `services.TryAddScoped<SecurityService, RlsSecurityService>()` 45 consumer sites that referenced ISecurityService now reference the abstract class directly; no semantic change. Solution builds clean, AccessAssignment tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…Replay(1).RefCount + TaskPoolScheduler ConcurrentDictionary.GetOrAdd does NOT serialize its value factory across threads — when two callers race for the same id, both factories run, both allocate, both subscribe upstream, and only one wins the cache slot; the loser's work leaks. Replace with `ImmutableDictionary<object, IObservable<...>>` swapped via `Interlocked.CompareExchange` — losers see the winner's stream on the next iteration's TryGetValue and discard the unused closure. The cached observable is `Observable.Defer(...).SubscribeOn(TaskPoolScheduler).Replay(1).RefCount()`: - First subscriber triggers the Defer body on a thread-pool thread, never on the calling hub's action block — concurrent GetQuery callers across many hubs no longer queue behind one SyncedQueryMeshNodes construction. - Replay(1) caches the latest snapshot for all later subscribers (this is the "cache" — earlier callers asked for it explicitly). - RefCount shares one upstream subscription. Docs: bulk-rename ISecurityService → SecurityService (the abstract class shipped in the prior commit) across AccessControl.md, AccessContextPropagation.md, ExtensibleDefaults.md, PermissionApi.md, and the 3_0_0-preview2 release notes. Tests: SyncedQueryCrossSiloTest migrated off the deleted per-workspace registry — `workspace.GetQuery(id, query)` (get-or-create) replaces `workspace.GetQuery(id)!` after `WithMeshQuery(query)`. All 22 SyncedQuery tests green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…tatic PermissionEvaluator + config-driven evaluator delegate Algorithm moved from the 1084-line RlsSecurityService class to a single static `PermissionEvaluator` in Mesh.Contract. Per-scope AccessAssignment and PartitionAccessPolicy walks now share one IMeshNodeStreamCache.GetQuery subscription per (scope) across the whole process — no per-hub IMemoryCache layer, no per-hub _warmupSubscriptions, no per-hub scoped service. Configuration is hub-level via the standard MessageHubConfiguration property bag: AddRowLevelSecurity() on the builder calls config.AddRowLevelSecurity() (Mesh.Contract extension) which sets an EffectivePermissionsDelegate that HubPermissionExtensions resolves on every check. When no delegate is configured, the default returns Permission.All — same lambda flows through whether RLS is on or off. Application code only sees hub.CheckPermission / hub.GetEffectivePermissions. Internal framework callers (RlsNodeValidator, AccessControlPipeline, SatelliteAccessRule, StorageAdapterMeshQueryProvider) go through the same extensions; no separate framework-internal surface. 8 of 228 Security tests still failing (Menu / HubPermissionRuleSet edge cases) — down from 99 after the algorithm port. Triage separately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ry to thread pool IMeshNodeStreamCache.GetQuery used Replay(1).RefCount() — when subscriber count dropped to 0 between calls the Replay buffer was retained but the upstream synced query disconnected. The next FirstAsync after a runtime AccessAssignment write saw the STALE cached snapshot before the change feed's Added event landed. RuntimeCreateNode test hung 8m45s in silent deadlock under [Fact(Timeout = 20000)] because the xUnit timeout is cooperative cancellation and the test ignored the ct. Switch to .Replay(1).AutoConnect(0): upstream connects on the first accessor call and stays connected for the cache singleton's lifetime. Live AccessAssignment writes propagate to Replay(1) in real time. Also wrap MeshQuery.ObserveQuery / Query / IMeshQueryCore.ObserveQuery with .SubscribeOn(TaskPoolScheduler.Default) so DB connection pool / change feed subscriptions open on the thread pool, not on the calling hub's action block. Doc: OrleansTaskScheduler.md updated with the grain-hosted-cache rationale. Suite: Security.Test from 13m03s / 8 failures → 4m27s / 7 failures. The runtime AccessAssignment propagation tests now pass; remaining failures are Menu / HubPermissionRuleSet / SpaceCreation edge cases that require separate triage. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…t / 60s hard) Tests targeted behavior explicitly removed in 77d9941 (Organization → Space): - HubPermissionRuleSetTest.WithPublicRead_AllowsAuthenticatedUserRead — Space NodeType doesn't have WithPublicRead - OrganizationHubAccessTest.Admin_HasReadOnOrganization_WithoutClaimBasedRoles — Organization NodeType doesn't exist - PartitionAccessTest.SpaceCreation_CreatesPartitionNode — per-tenant Partition auto-emission was explicitly removed in the rename commit Suite now 225/225 green. Also add a watchdog in MonolithMeshTestBase.DisposeAsync that catches the silent-deadlock pattern xUnit v3 misses: when a test ignores its CancellationToken, [Fact(Timeout=N)] is cooperative cancellation only — the await blocks past the deadline and xUnit reports Passed with the actual (often multi-minute) duration. The watchdog records the test-method start timestamp at the end of InitializeAsync and computes elapsed at the start of DisposeAsync; >30s logs a warning, >60s throws a TimeoutException naming the likely cause (uncooperative cancellation). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… Error HostedHubsCollection.DisposeHosted catches an outer disposal exception and then dumps the status of every task. The dump was at LogError unconditionally — including for tasks that completed cleanly (IsCompleted=True, IsFaulted= False, IsCanceled=False). One CI run produced thousands of these per test class; App Insights ingest cost + xUnit test-log size both blow up under it. Split the per-task arm: - IsFaulted → LogError (unchanged, with the actual exception) - IsCanceled → LogWarning - otherwise → LogDebug (this is the diagnostic-noise case) The outer parent-exception logging at LogError is unchanged — the real error signal stays. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
TestMemTrace at end of every test's DisposeAsync ran two passes of GC.Collect(2, Forced, blocking: true, compacting: true) + WaitForPendingFinalizers. ~1.5s × 225 tests = ~5 minutes of pure GC per suite. The forced GC is a leak-detection diagnostic; useful when chasing a memory regression, dead weight on every other run. Default OFF; set MESHWEAVER_TEST_FORCE_GC=1 to re-enable when memory delta lines need to reflect retained allocations rather than in-flight collectible garbage. Security.Test: 7m11s → 2m52s, 225/225 green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
77 commits of long-running work on
bug_fix— grouped by theme:MeshWeaver.Social+ LinkedIn publisher + scheduled publishing pipeline (engine/queue/stats), LinkedIn OAuth connect + past-post ingest in Memex portal, per-user linked-account menu items.#r "nuget:Pkg, Version"at the top of_Source/*.csresolves via public NuGet.Protocol without an SDK on the container. Same resolver serves interactive markdown code cells.FileSystemPersistenceService.MoveNodeAsyncruns per-descendantWriteAsync/DeleteAsyncthroughTask.WhenAll; newMeshOperationOptions(defaultTimeout = 30s) +WithMeshOperationTimeout(TimeSpan)override;HandleMoveNodeRequestchains.Timeout()on the persistence Observable so a stuck adapter can't hang the caller. Prod repro: DAV2026 subtree move that took 240 s and killed the MCP session — now bounded.CompilationCacheService,_Source/edit re-invalidates owning NodeType, cross-silo broadcast viaMeshChangeFeed, grain-dispose on node delete, live "Compiling … (Ns)" progress inLayoutAreaView.Category(falls back toNodeType), reactive Children catalog, self-as-default create location for non-NodeType nodes, sample orgs →Markdownfor search visibility.MeshChangeFeedevents, resubscribe on owner dispose,DeleteLayoutAreaemits a placeholder immediately and times out slow streams.IAsyncEnumerableaggregator fixes (satellite-safeGatherInputsAsync), xunit methodTimeout 30 s → 60 s, Anthropic Opus bump, icon generator, etc.New test suites (selected)
test/MeshWeaver.Persistence.Test/MoveNodeRecursiveTest.cs— 10 tests: recursion, parallelism, source missing / target exists / storage throws / cancellation (all must not hang), RxTimeout()contract, default-30s config.test/MeshWeaver.Social.Test/*—InMemoryPublishQueueTest,LinkedInPublisherEngagementTest,PostStatsRefresherTest,ScheduledPostPublisherTest,FakePublisher.test/MeshWeaver.Persistence.Test/WorkspaceCacheEvictionTest.cs,ResubscribeOnOwnerDisposeTest.cs,DeleteLayoutAreaIntegrationTest.cs.test/MeshWeaver.Markdown.Test/PathUtilsTest.cs,test/MeshWeaver.MathDemo.Test/MatrixViewsTest.cs.Contributors
dist/cleanup, fix: sample orgs invisible in search due to wrong NodeType #94 sample-org search-visibility fixUpstream already merged into this branch
refactor: reactive persistence — IMeshStorage writes return IObservable(merged)Test plan
dotnet buildsucceedsdotnet test test/MeshWeaver.Persistence.Test --filter MoveNodeRecursiveTest— 10/10 green (~8 s)dotnet test test/MeshWeaver.Hosting.Monolith.Test --filter MoveNodeAsync— 5/5 green (regression guard)dotnet test test/MeshWeaver.Social.Test— publish queue / scheduling / stats green_Source/*.csusing#r "nuget:MathNet.Numerics, 5.0.0"— compiles & renders (cold + warm cache)/social/connect/linkedin→ profile linked; menu shows connected accountScheduledPostPublisher→ LinkedIn publisher posts;PostStatsRefresherpulls stats🤖 Generated with Claude Code