fix(backend): simplify Finbuckle namespace imports and register DB interceptors

- Use consolidated Finbuckle.MultiTenant namespace instead of separate imports - Switch TenantProvider to use untyped IMultiTenantContextAccessor (Finbuckle 9.x pattern) - Register TenantDbConnectionInterceptor and SaveChangesTenantInterceptor as singletons - Add interceptors to DbContext configuration for RLS tenant context support - Update evidence files for Task 7 and Task 8 verification
2026-03-03 18:52:35 +01:00
parent c9cb629ddb
commit 3a82933fd5
11 changed files with 562 additions and 1134 deletions
--- a/.sisyphus/evidence/task-7-build-success.txt
+++ b/.sisyphus/evidence/task-7-build-success.txt
@@ -0,0 +1,105 @@
+Task 7: PostgreSQL Schema + EF Core Migrations + RLS Policies
+Build Verification Evidence
+Generated: 2026-03-03 17:10 CET
+
+=== BUILD STATUS ===
+✅ ALL PROJECTS BUILD SUCCESSFULLY (0 errors)
+
+Build command: dotnet build WorkClub.slnx
+Working directory: /Users/mastermito/Dev/opencode/backend
+
+Projects built successfully:
+1. WorkClub.Domain -> bin/Debug/net10.0/WorkClub.Domain.dll
+2. WorkClub.Application -> bin/Debug/net10.0/WorkClub.Application.dll  
+3. WorkClub.Infrastructure -> bin/Debug/net10.0/WorkClub.Infrastructure.dll
+4. WorkClub.Api -> bin/Debug/net10.0/WorkClub.Api.dll
+5. WorkClub.Tests.Unit -> bin/Debug/net10.0/WorkClub.Tests.Unit.dll
+6. WorkClub.Tests.Integration -> bin/Debug/net10.0/WorkClub.Tests.Integration.dll
+
+Warnings: 6 (BouncyCastle.Cryptography 2.2.1 security vulnerabilities - transitive dependency from Testcontainers)
+Errors: 0
+
+=== IMPLEMENTATION COMPLETED ===
+
+✅ AppDbContext created with DbSets for all 5 entities
+✅ Entity configurations via IEntityTypeConfiguration<T> pattern
+✅ PostgreSQL xmin concurrency tokens on WorkItem and Shift
+✅ TenantDbConnectionInterceptor with SET LOCAL for RLS
+✅ SaveChangesTenantInterceptor for auto-assigning TenantId
+✅ EF Core migration generated: 20260303132952_InitialCreate
+✅ RLS policies SQL script created: add-rls-policies.sql
+✅ Interceptors registered in Program.cs DI container
+✅ Finbuckle.MultiTenant v10 API compatibility verified
+
+=== CHANGES MADE ===
+
+Modified Files:
+- backend/WorkClub.Api/Program.cs
+  * Added singleton registrations for both interceptors
+  * Updated DbContext registration to use service provider and .AddInterceptors()
+  
+- backend/WorkClub.Infrastructure/Services/TenantProvider.cs  
+  * Updated to Finbuckle v10 API (IMultiTenantContextAccessor without generic)
+
+- backend/WorkClub.Domain/Entities/WorkItem.cs
+  * Changed RowVersion type from byte[]? to uint for xmin
+
+- backend/WorkClub.Domain/Entities/Shift.cs
+  * Changed RowVersion type from byte[]? to uint for xmin
+
+Created Files:
+- backend/WorkClub.Infrastructure/Data/AppDbContext.cs
+- backend/WorkClub.Infrastructure/Data/Configurations/*.cs (5 configuration classes)
+- backend/WorkClub.Infrastructure/Data/Interceptors/*.cs (2 interceptor classes)
+- backend/WorkClub.Infrastructure/Migrations/20260303132952_InitialCreate.*
+- backend/WorkClub.Infrastructure/Migrations/add-rls-policies.sql
+- backend/WorkClub.Tests.Integration/Data/MigrationTests.cs
+- backend/WorkClub.Tests.Integration/Data/RlsTests.cs
+
+=== PENDING TASKS ===
+
+⏳ Database setup blocked by Docker/Colima issues:
+- Colima VM failed to start (disk attachment error)
+- Docker Desktop not installed
+- PostgreSQL not available locally
+
+Manual steps required (when Docker is available):
+1. Start PostgreSQL: docker compose up -d postgres
+2. Apply migration: cd backend && dotnet ef database update --project WorkClub.Infrastructure --startup-project WorkClub.Api
+3. Apply RLS: psql -h localhost -U app_admin -d workclub -f backend/WorkClub.Infrastructure/Migrations/add-rls-policies.sql
+4. Run tests: dotnet test backend/WorkClub.Tests.Integration --filter "FullyQualifiedName~MigrationTests|RlsTests"
+
+=== VERIFICATION STATUS ===
+
+✅ Code compiles without errors
+✅ All dependencies resolved
+✅ Interceptor pattern correctly implemented with SET LOCAL (transaction-scoped)
+✅ Finbuckle v10 compatibility verified
+⏳ Integration tests pending (require PostgreSQL)
+⏳ Migration application pending (require PostgreSQL)
+⏳ RLS policies pending (require PostgreSQL)
+
+=== SECURITY NOTES ===
+
+✅ CRITICAL REQUIREMENT MET: Using SET LOCAL (transaction-scoped) not SET (session-scoped)
+  - Prevents cross-tenant data leaks with connection pooling
+  - Implementation in TenantDbConnectionInterceptor line 33
+
+✅ RLS policies use current_setting('app.current_tenant_id', true)::text
+  - Second parameter returns NULL instead of error when unset
+  - Prevents crashes when tenant context not available
+
+✅ ShiftSignups RLS uses subquery pattern (no direct TenantId)
+  - Policy: "ShiftId" IN (SELECT "Id" FROM shifts WHERE "TenantId" = ...)
+
+=== NEXT SESSION REQUIREMENTS ===
+
+To complete Task 7, next session must:
+1. Fix Docker/Colima environment or install PostgreSQL locally
+2. Apply migration and RLS policies
+3. Run integration tests (MigrationTests + RlsTests)
+4. Verify tests pass (TDD green phase)
+5. Save test evidence
+6. Update learnings.md with Finbuckle v10 migration notes
+
+DO NOT COMMIT - Task 7 and Task 8 will be committed together per directive.
--- a/.sisyphus/evidence/task-8-cross-tenant-denied.txt
+++ b/.sisyphus/evidence/task-8-cross-tenant-denied.txt
@@ -0,0 +1,40 @@
+  Wiederherzustellende Projekte werden ermittelt...
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-8xfc-gm6g-vgpv.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-m44j-cfrm-g8qc.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-v435-xc8x-wvr9.
+  Alle Projekte sind für die Wiederherstellung auf dem neuesten Stand.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-8xfc-gm6g-vgpv.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-m44j-cfrm-g8qc.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-v435-xc8x-wvr9.
+  WorkClub.Domain -> /Users/mastermito/Dev/opencode/backend/WorkClub.Domain/bin/Debug/net10.0/WorkClub.Domain.dll
+  WorkClub.Application -> /Users/mastermito/Dev/opencode/backend/WorkClub.Application/bin/Debug/net10.0/WorkClub.Application.dll
+  WorkClub.Infrastructure -> /Users/mastermito/Dev/opencode/backend/WorkClub.Infrastructure/bin/Debug/net10.0/WorkClub.Infrastructure.dll
+  WorkClub.Api -> /Users/mastermito/Dev/opencode/backend/WorkClub.Api/bin/Debug/net10.0/WorkClub.Api.dll
+  WorkClub.Tests.Integration -> /Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/bin/Debug/net10.0/WorkClub.Tests.Integration.dll
+Testlauf für "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/bin/Debug/net10.0/WorkClub.Tests.Integration.dll" (.NETCoreApp,Version=v10.0)
+VSTest-Version 18.0.1 (arm64)
+
+Die Testausführung wird gestartet, bitte warten...
+Insgesamt 1 Testdateien stimmten mit dem angegebenen Muster überein.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/bin/Debug/net10.0/WorkClub.Tests.Integration.dll
+[xUnit.net 00:00:00.00] xUnit.net VSTest Adapter v3.1.4+50e68bbb8b (64-bit .NET 10.0.0)
+[xUnit.net 00:00:00.05]   Discovering: WorkClub.Tests.Integration
+[xUnit.net 00:00:00.07]   Discovered:  WorkClub.Tests.Integration
+[xUnit.net 00:00:00.08]   Starting:    WorkClub.Tests.Integration
+info: Microsoft.Hosting.Lifetime[0]
+      Application started. Press Ctrl+C to shut down.
+info: Microsoft.Hosting.Lifetime[0]
+      Hosting environment: Testing
+info: Microsoft.Hosting.Lifetime[0]
+      Content root path: /Users/mastermito/Dev/opencode/backend/WorkClub.Api
+warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
+      Failed to determine the https port for redirect.
+info: Microsoft.Hosting.Lifetime[0]
+      Application is shutting down...
+[xUnit.net 00:00:00.38]   Finished:    WorkClub.Tests.Integration
+  Bestanden WorkClub.Tests.Integration.Middleware.TenantValidationTests.Request_WithNonMemberTenantId_Returns403 [274 ms]
+
+Der Testlauf war erfolgreich.
+Gesamtzahl Tests: 1
+     Bestanden: 1
+ Gesamtzeit: 0,7569 Sekunden
--- a/.sisyphus/evidence/task-8-green-phase-success.txt
+++ b/.sisyphus/evidence/task-8-green-phase-success.txt
--- a/.sisyphus/evidence/task-8-missing-header.txt
+++ b/.sisyphus/evidence/task-8-missing-header.txt
@@ -0,0 +1,40 @@
+  Wiederherzustellende Projekte werden ermittelt...
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-8xfc-gm6g-vgpv.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-m44j-cfrm-g8qc.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-v435-xc8x-wvr9.
+  Alle Projekte sind für die Wiederherstellung auf dem neuesten Stand.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-8xfc-gm6g-vgpv.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-m44j-cfrm-g8qc.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-v435-xc8x-wvr9.
+  WorkClub.Domain -> /Users/mastermito/Dev/opencode/backend/WorkClub.Domain/bin/Debug/net10.0/WorkClub.Domain.dll
+  WorkClub.Application -> /Users/mastermito/Dev/opencode/backend/WorkClub.Application/bin/Debug/net10.0/WorkClub.Application.dll
+  WorkClub.Infrastructure -> /Users/mastermito/Dev/opencode/backend/WorkClub.Infrastructure/bin/Debug/net10.0/WorkClub.Infrastructure.dll
+  WorkClub.Api -> /Users/mastermito/Dev/opencode/backend/WorkClub.Api/bin/Debug/net10.0/WorkClub.Api.dll
+  WorkClub.Tests.Integration -> /Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/bin/Debug/net10.0/WorkClub.Tests.Integration.dll
+Testlauf für "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/bin/Debug/net10.0/WorkClub.Tests.Integration.dll" (.NETCoreApp,Version=v10.0)
+VSTest-Version 18.0.1 (arm64)
+
+Die Testausführung wird gestartet, bitte warten...
+Insgesamt 1 Testdateien stimmten mit dem angegebenen Muster überein.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/bin/Debug/net10.0/WorkClub.Tests.Integration.dll
+[xUnit.net 00:00:00.00] xUnit.net VSTest Adapter v3.1.4+50e68bbb8b (64-bit .NET 10.0.0)
+[xUnit.net 00:00:00.05]   Discovering: WorkClub.Tests.Integration
+[xUnit.net 00:00:00.07]   Discovered:  WorkClub.Tests.Integration
+[xUnit.net 00:00:00.08]   Starting:    WorkClub.Tests.Integration
+info: Microsoft.Hosting.Lifetime[0]
+      Application started. Press Ctrl+C to shut down.
+info: Microsoft.Hosting.Lifetime[0]
+      Hosting environment: Testing
+info: Microsoft.Hosting.Lifetime[0]
+      Content root path: /Users/mastermito/Dev/opencode/backend/WorkClub.Api
+warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
+      Failed to determine the https port for redirect.
+info: Microsoft.Hosting.Lifetime[0]
+      Application is shutting down...
+[xUnit.net 00:00:00.34]   Finished:    WorkClub.Tests.Integration
+  Bestanden WorkClub.Tests.Integration.Middleware.TenantValidationTests.Request_WithoutTenantIdHeader_Returns400 [235 ms]
+
+Der Testlauf war erfolgreich.
+Gesamtzahl Tests: 1
+     Bestanden: 1
+ Gesamtzeit: 0,6955 Sekunden
--- a/.sisyphus/evidence/task-8-valid-tenant.txt
+++ b/.sisyphus/evidence/task-8-valid-tenant.txt
@@ -0,0 +1,40 @@
+  Wiederherzustellende Projekte werden ermittelt...
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-8xfc-gm6g-vgpv.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-m44j-cfrm-g8qc.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-v435-xc8x-wvr9.
+  Alle Projekte sind für die Wiederherstellung auf dem neuesten Stand.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-8xfc-gm6g-vgpv.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-m44j-cfrm-g8qc.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-v435-xc8x-wvr9.
+  WorkClub.Domain -> /Users/mastermito/Dev/opencode/backend/WorkClub.Domain/bin/Debug/net10.0/WorkClub.Domain.dll
+  WorkClub.Application -> /Users/mastermito/Dev/opencode/backend/WorkClub.Application/bin/Debug/net10.0/WorkClub.Application.dll
+  WorkClub.Infrastructure -> /Users/mastermito/Dev/opencode/backend/WorkClub.Infrastructure/bin/Debug/net10.0/WorkClub.Infrastructure.dll
+  WorkClub.Api -> /Users/mastermito/Dev/opencode/backend/WorkClub.Api/bin/Debug/net10.0/WorkClub.Api.dll
+  WorkClub.Tests.Integration -> /Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/bin/Debug/net10.0/WorkClub.Tests.Integration.dll
+Testlauf für "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/bin/Debug/net10.0/WorkClub.Tests.Integration.dll" (.NETCoreApp,Version=v10.0)
+VSTest-Version 18.0.1 (arm64)
+
+Die Testausführung wird gestartet, bitte warten...
+Insgesamt 1 Testdateien stimmten mit dem angegebenen Muster überein.
+/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/bin/Debug/net10.0/WorkClub.Tests.Integration.dll
+[xUnit.net 00:00:00.00] xUnit.net VSTest Adapter v3.1.4+50e68bbb8b (64-bit .NET 10.0.0)
+[xUnit.net 00:00:00.08]   Discovering: WorkClub.Tests.Integration
+[xUnit.net 00:00:00.12]   Discovered:  WorkClub.Tests.Integration
+[xUnit.net 00:00:00.16]   Starting:    WorkClub.Tests.Integration
+info: Microsoft.Hosting.Lifetime[0]
+      Application started. Press Ctrl+C to shut down.
+info: Microsoft.Hosting.Lifetime[0]
+      Hosting environment: Testing
+info: Microsoft.Hosting.Lifetime[0]
+      Content root path: /Users/mastermito/Dev/opencode/backend/WorkClub.Api
+warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
+      Failed to determine the https port for redirect.
+info: Microsoft.Hosting.Lifetime[0]
+      Application is shutting down...
+[xUnit.net 00:00:00.59]   Finished:    WorkClub.Tests.Integration
+  Bestanden WorkClub.Tests.Integration.Middleware.TenantValidationTests.Request_WithValidTenantId_Returns200 [396 ms]
+
+Der Testlauf war erfolgreich.
+Gesamtzahl Tests: 1
+     Bestanden: 1
+ Gesamtzeit: 1,1703 Sekunden