Conversation
Test Results 40 files + 4 40 suites +4 24m 47s ⏱️ + 18m 37s For more details on these failures, see this check. Results for commit e561175. ± Comparison against base commit f6c2dea. This pull request removes 297 and adds 1495 tests. Note that renamed tests count towards both.This pull request removes 7 skipped tests and adds 5 skipped tests. Note that renamed tests count towards both.This pull request skips 1 and un-skips 5 tests.♻️ This comment has been updated with latest results. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR bundles several long-running feature and stability tracks across MeshWeaver core + Memex: social publishing foundations, in-process #r "nuget:..." compilation support (node-type + interactive markdown), move-operation performance/timeout hardening, and multiple UI/stream reliability improvements. It also standardizes the code folder naming from _Source/_Test to Source/Test across code, tests, docs, and samples.
Changes:
- Introduces
MeshWeaver.Social(options, DI wiring, publish queue, credential model) plus initial Memex wiring (LinkedIn connect entry points + user menu hooks). - Adds
MeshWeaver.NuGetresolver + directive parser and integrates it into script compilation (#r "nuget:Pkg, Version"), including cache backends and tests. - Improves operational robustness: parallelized recursive moves, default 30s mesh-op timeout, “no endless spinner” navigation status UI, and remote stream resubscribe behavior.
Reviewed changes
Copilot reviewed 159 out of 265 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| test/MeshWeaver.StorageImport.Test/StorageImporterTests.cs | Updates test expectations/docs to Source/ naming. |
| test/MeshWeaver.Social.Test/PostStatsRefresherTest.cs | Adds stats refresher test coverage (needs deterministic timeout handling). |
| test/MeshWeaver.Social.Test/MeshWeaver.Social.Test.csproj | Adds new Social test project referencing Social + Fixture. |
| test/MeshWeaver.Social.Test/InMemoryPublishQueueTest.cs | Adds unit tests for publish queue due-drain + dedup. |
| test/MeshWeaver.Persistence.Test/FileSystemPersistenceTest.cs | Updates partition tests to Source/ naming. |
| test/MeshWeaver.MathDemo.Test/TestPaths.cs | Adds helper paths for MathDemo sample test assets. |
| test/MeshWeaver.MathDemo.Test/MeshWeaver.MathDemo.Test.csproj | Adds MathDemo test project and copies sample graph data to output. |
| test/MeshWeaver.Hosting.PostgreSql.Test/SatelliteQueryTests.cs | Updates code-path routing tests to Source/ naming. |
| test/MeshWeaver.Hosting.Monolith.Test/UserActivityAreaTest.cs | Updates regression test docs to Source/ naming. |
| test/MeshWeaver.Hosting.Blazor.Test/NavigationServiceTest.cs | Adjusts test to assert “no 404 flash” during retries. |
| test/MeshWeaver.Graph.Test/NuGetDirectiveParserTest.cs | Adds unit tests for parsing/stripping #r "nuget:...". |
| test/MeshWeaver.Graph.Test/NuGetAssemblyResolverTest.cs | Adds networked NuGet restore end-to-end tests (skippable via env var). |
| test/MeshWeaver.Graph.Test/MeshWeaver.Graph.Test.csproj | References new MeshWeaver.NuGet project. |
| test/MeshWeaver.FutuRe.Test/MeshWeaver.FutuRe.Test.csproj | Updates compile-included sample sources to Source/ paths. |
| test/MeshWeaver.Content.Test/CompilationErrorTest.cs | Updates broken-code test to Source/ path. |
| test/MeshWeaver.AI.Test/MeshPluginTest.cs | Updates MCP tool count expectations (adds RunTests/Move/Copy). |
| src/MeshWeaver.Social/SocialOptions.cs | Adds configurable knobs for publishing/stats/ingest scheduling. |
| src/MeshWeaver.Social/SocialExtensions.cs | Adds DI wiring for social publishing subsystem and hosted services. |
| src/MeshWeaver.Social/PlatformCredential.cs | Adds credential record model (access/refresh/expiry metadata). |
| src/MeshWeaver.Social/MeshWeaver.Social.csproj | Introduces Social library project. |
| src/MeshWeaver.Social/IPublishQueue.cs | Adds publish queue abstraction + in-memory implementation. |
| src/MeshWeaver.Social/IApprovalPublishBridge.cs | Defines bridge contract and PublishableSnapshot model. |
| src/MeshWeaver.NuGet/ResolvedPackageSet.cs | Adds resolver output model (assemblies, probing dirs, versions). |
| src/MeshWeaver.NuGet/NuGetServiceCollectionExtensions.cs | Adds DI extension to register resolver + cache. |
| src/MeshWeaver.NuGet/NuGetPackageReference.cs | Adds package reference model (id + version range). |
| src/MeshWeaver.NuGet/NuGetDirectiveParser.cs | Implements #r "nuget:..." extraction + source stripping. |
| src/MeshWeaver.NuGet/MeshWeaver.NuGet.csproj | Introduces NuGet resolver project and dependencies. |
| src/MeshWeaver.NuGet/INuGetPackageCache.cs | Adds optional persistent cache interface + null implementation. |
| src/MeshWeaver.NuGet/INuGetAssemblyResolver.cs | Adds resolver interface returning ResolvedPackageSet. |
| src/MeshWeaver.NuGet.AzureBlob/MeshWeaver.NuGet.AzureBlob.csproj | Adds Azure Blob cache backend project. |
| src/MeshWeaver.NuGet.AzureBlob/BlobNuGetPackageCacheExtensions.cs | Adds DI helper to register blob-backed cache. |
| src/MeshWeaver.Mesh.Contract/Services/MeshOperationOptions.cs | Adds mesh operation timeout options (default 30s). |
| src/MeshWeaver.Mesh.Contract/Services/IStorageAdapter.cs | Updates docs/examples to Source/ naming. |
| src/MeshWeaver.Mesh.Contract/Services/INavigationService.cs | Adds Status observable contract for UI progress reporting. |
| src/MeshWeaver.Mesh.Contract/Services/IIconGenerator.cs | Adds icon generator abstraction returning an observable SVG. |
| src/MeshWeaver.Mesh.Contract/PartitionDefinition.cs | Updates standard table mappings (Source/Test → code) and clarifies semantics. |
| src/MeshWeaver.Mesh.Contract/MeshExtensions.cs | Adds timeout override + move timeout enforcement + grain dispose on delete. |
| src/MeshWeaver.Mesh.Contract/CodeConfiguration.cs | Updates docs to Source/ naming. |
| src/MeshWeaver.Kernel.Hub/MeshWeaver.Kernel.Hub.csproj | Removes Interactive package mgmt dependency; references MeshWeaver.NuGet. |
| src/MeshWeaver.Hosting/Persistence/MigrationUtility.cs | Updates migration heuristics to include Source/Test + legacy _Source/_Test. |
| src/MeshWeaver.Hosting/Persistence/FileSystemStorageAdapter.cs | Treats Source/Test as code paths + keeps legacy compatibility. |
| src/MeshWeaver.Hosting/Persistence/FileSystemPersistenceService.cs | Parallelizes descendant move I/O (with concurrency implications). |
| src/MeshWeaver.Hosting/Persistence/CachingStorageAdapter.cs | Updates code sub-namespace detection (Source/Test + legacy). |
| src/MeshWeaver.Hosting.PostgreSql/PostgreSqlPartitionedStoreFactory.cs | Guards against source/test mistakenly becoming schemas. |
| src/MeshWeaver.Hosting.PostgreSql/PostgreSqlCrossSchemaQueryProvider.cs | Filters malformed parameters to avoid NRE during SQL interpolation. |
| src/MeshWeaver.Hosting.Blazor/MeshWeaver.Hosting.Blazor.csproj | Adds NU1510 suppression. |
| src/MeshWeaver.Graph/PartitionTypeSource.cs | Updates docs to Source/ naming. |
| src/MeshWeaver.Graph/MeshWeaver.Graph.csproj | References MeshWeaver.NuGet. |
| src/MeshWeaver.Graph/MeshNodeLayoutAreas.cs | Improves create href behavior + reactive/grouped children catalog. |
| src/MeshWeaver.Graph/MeshDataSource.cs | Updates docs to Source/ naming. |
| src/MeshWeaver.Graph/Configuration/ScriptCompilationService.cs | Integrates NuGet directive parsing + resolver into compilation. |
| src/MeshWeaver.Graph/Configuration/NodeTypeDefinition.cs | Updates docs/examples to Source/ naming. |
| src/MeshWeaver.Graph/Configuration/MeshDataSourceNodeType.cs | Changes sources namespace constant to Source. |
| src/MeshWeaver.Graph/Configuration/GraphConfigurationExtensions.cs | Registers NuGet resolver and uses Source code path. |
| src/MeshWeaver.Graph/Configuration/CodeNodeType.cs | Treats Code nodes as primary content; defines Source/Test constants. |
| src/MeshWeaver.Documentation/Data/DataMesh/UnifiedPath.md | Documents @/ semantics and HTML-href pitfalls. |
| src/MeshWeaver.Documentation/Data/DataMesh/SocialMedia/Profile/Source/SocialMediaProfileLayoutAreas.cs | Adds SocialMedia profile layout areas example. |
| src/MeshWeaver.Documentation/Data/DataMesh/SocialMedia/Profile/Source/SocialMediaProfile.cs | Adds SocialMedia profile content model example. |
| src/MeshWeaver.Documentation/Data/DataMesh/SocialMedia/Post/Source/SocialMediaPost.cs | Adds SocialMedia post content model example. |
| src/MeshWeaver.Documentation/Data/DataMesh/SocialMedia/Post/Source/Platform.cs | Adds SocialMedia platform reference-data example. |
| src/MeshWeaver.Documentation/Data/DataMesh/SocialMedia.md | Updates docs to Source/ naming and authoring guidance. |
| src/MeshWeaver.Documentation/Data/DataMesh/SatelliteEntities.md | Clarifies Source/Test are primary content, not satellites. |
| src/MeshWeaver.Documentation/Data/DataMesh/NodeTypes.md | Adds Node Types documentation index page. |
| src/MeshWeaver.Documentation/Data/DataMesh/NodeTypeConfiguration.md | Updates docs to Source/ naming. |
| src/MeshWeaver.Documentation/Data/DataMesh/NodeOperations.md | Updates docs to Source/ naming. |
| src/MeshWeaver.Documentation/Data/DataMesh/DataConfiguration.md | Updates docs to Source/ naming. |
| src/MeshWeaver.Documentation/Data/DataMesh/CreatingNodeTypes.md | Updates docs to Source/Test naming throughout. |
| src/MeshWeaver.Documentation/Data/DataMesh.md | Updates TOC links and adds NuGet packages bullet. |
| src/MeshWeaver.Documentation/Data/Architecture/PartitionedPersistence.md | Updates persistence routing docs for Source/Test. |
| src/MeshWeaver.Documentation/Data/Architecture/MeshGraph.md | Updates examples to Source/ naming. |
| src/MeshWeaver.Documentation/Data/Architecture/BusinessRules/Cession/Source/CessionSampleData.cs | Adds cession sample dataset for docs/demo. |
| src/MeshWeaver.Documentation/Data/Architecture/BusinessRules/Cession/Source/CessionResultsArea.cs | Adds reactive charting layout area example. |
| src/MeshWeaver.Documentation/Data/Architecture/BusinessRules/Cession/Source/CessionEngine.cs | Adds pure business logic sample for cession calculations. |
| src/MeshWeaver.Documentation/Data/Architecture/BusinessRules/Cession/Source/CessionData.cs | Adds content models for cession example. |
| src/MeshWeaver.Data/Serialization/SyncStreamOptions.cs | Adds configurable heartbeat interval for sync streams. |
| src/MeshWeaver.Data/Serialization/JsonSynchronizationStream.cs | Implements resubscribe-on-owner-dispose logic. |
| src/MeshWeaver.Blazor/Pages/ApplicationPage.razor | Switches to NavigationStatus-driven progress/not-found/error UI. |
| src/MeshWeaver.Blazor/Components/NavigationProgressBar.razor.css | Adds styling for full-page vs compact overlay progress bar. |
| src/MeshWeaver.Blazor/Components/NavigationProgressBar.razor | Adds reusable “spinner + message” component. |
| src/MeshWeaver.Blazor/Components/MeshSearchView.razor.cs | Adds Category grouping fallback to NodeType. |
| src/MeshWeaver.Blazor/Components/LayoutAreaView.razor.cs | Adds stream lifecycle logging and additional diagnostics. |
| src/MeshWeaver.Blazor/Components/LayoutAreaView.razor | Surfaces compilation progress indicator before first stream emission. |
| src/MeshWeaver.Blazor/Components/CompileProgressIndicator.razor.css | Adds styling for compilation progress banner. |
| src/MeshWeaver.Blazor/Components/CompileProgressIndicator.razor | Adds polling UI component for active NodeType compilation. |
| src/MeshWeaver.Blazor.Portal/MeshWeaver.Blazor.Portal.csproj | Adds NU1510 suppression. |
| src/MeshWeaver.Blazor.AI/MeshWeaver.Blazor.AI.csproj | Adds NU1510 suppression. |
| src/MeshWeaver.Blazor.AI/McpMeshPlugin.cs | Adds Patch/Move/Copy MCP tools and improves tool descriptions. |
| src/MeshWeaver.AI/ThreadLayoutAreas.cs | Adds debug logging around streaming view emission. |
| src/MeshWeaver.AI/IconGenerator.cs | Adds default AI-backed IIconGenerator implementation. |
| src/MeshWeaver.AI/DelegationCompletedEvent.cs | Removes delegation tracker/event types. |
| src/MeshWeaver.AI/Data/Agent/Worker.md | Updates @/ link guidance (no raw HTML href with @/). |
| src/MeshWeaver.AI/Data/Agent/ToolsReference.md | Updates @/ link guidance and provides correct/incorrect table. |
| src/MeshWeaver.AI/Data/Agent/Orchestrator.md | Updates @/ link guidance for agent outputs. |
| src/MeshWeaver.AI/AIExtensions.cs | Removes old type registration; registers IIconGenerator. |
| memex/aspire/Memex.Portal.Distributed/Program.cs | Registers blob-backed NuGet package cache in distributed deployment. |
| memex/aspire/Memex.Portal.Distributed/Memex.Portal.Distributed.csproj | References MeshWeaver.NuGet.AzureBlob. |
| memex/aspire/Memex.Database.Migration/Program.cs | Adds source/test to reserved schema list. |
| memex/aspire/Memex.AppHost/Program.cs | Adds LinkedIn secret/env wiring + sets NUGET_PACKAGES cache dir. |
| memex/Memex.Portal.Shared/Social/SocialMediaUserMenuProvider.cs | Adds “Social Media” shortcut on a user’s own node (lazy hub creation). |
| memex/Memex.Portal.Shared/Social/ApiCredentialNodeType.cs | Adds NodeType for PlatformCredential stored under _ApiCredentials. |
| memex/Memex.Portal.Shared/Pages/Login.razor | Adds “Connect LinkedIn for publishing” CTA on login page. |
| memex/Memex.Portal.Shared/OrganizationNodeType.cs | Switches to default layout areas registration. |
| memex/Memex.Portal.Shared/MemexConfiguration.cs | Adds LinkedIn publisher wiring, @/ redirect middleware, and routes. |
| memex/Memex.Portal.Shared/Memex.Portal.Shared.csproj | References MeshWeaver.Social. |
| memex/Memex.Portal.Monolith/appsettings.Development.json | Enables debug logging for LayoutAreaView. |
| MeshWeaver.slnx | Adds new projects (NuGet, NuGet.AzureBlob, Social, new test projects). |
| Directory.Packages.props | Adds NuGet.* package versions for resolver implementation. |
| CLAUDE.md | Documents @/ local-only rule and href/URL restrictions. |
| (Various) samples/Graph/... | Adds/updates many sample NodeTypes and content under Source/ to reflect new conventions and demos. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rbuergi
added a commit
that referenced
this pull request
Apr 22, 2026
…+ test helpers Recursive DeleteNodeRequest handled on a node's own hub was deadlocking: the final DeleteSelfFromStorage posted Ok and DisposeRequest from the dying hub, so the Ok raced callback disposal on the caller and was lost. Introduce CommitNodeDeletionMessage and forward the terminal commit (storage delete + reply + grain dispose) to the resolved mesh hub (walking ParentHub upward) — Sender becomes the stable mesh hub, FIFO on the caller's inbound queue guarantees Ok resolves the RegisterCallback before DisposeRequest arrives. Also addresses two Copilot review comments on PR #95: - FileSystemStorageAdapter.DeleteAsync empty-directory ascent is now concurrency- tolerant: wraps the enumerate + Directory.Delete in try/catch, swallowing the DirectoryNotFoundException race and breaking on IOException (non-empty / in-use). Required because FileSystemPersistenceService.MoveNodeAsync now parallelizes descendant deletes via Task.WhenAll. - PostStatsRefresherTest.WaitUntilAsync throws TimeoutException with a descriptive message instead of returning silently on deadline, so the test cannot green-tick a stats-refresh that never happened. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Author
|
@copilot resolve the merge conflicts in this pull request |
Resolved. The merge with Conflicts resolved:
|
Contributor
Author
Code review — recent stability batch
Manual review of the last ~20 commits since Correctness — should fix before merge1. ✅ foreach (var (k, v) in perParams)
{
var newKey = "@" + prefix + k.TrimStart('@');
renamedSql = renamedSql.Replace(k, newKey);
renamedParams[newKey] = v;
}
Fix: single regex pass keyed on 2. ✅ Fix: 3. ✅ Fix: parse every query in 4. ✅ Fix: Race / lifecycle hazards5. ✅ Fix: drop the time-based heuristic in favour of a structural one — skip recovery only when the thread is still an auto-execute candidate ( 6. ✅ 7. ✅ 8. ✅ Fix: pre-allocate the Style / consistency9. ✅ 10. ✅ 11. ✅ Fix: drop the per-query Limit injection. Limit is enforced post-union via ✅ Looks good (no action needed)
|
Contributor
Author
Code review — part 2: rest of the PR
Continuing review on the bulk of the PR (everything before the recent stability batch). Focused on the new projects ( Correctness — should fix before merge12. ✅ return _cache.GetOrAdd(key, _ => ResolveCoreAsync(requested, framework, ct));If Fix: evict faulted/cancelled tasks from the cache before returning. Also pass 13. ✅ Fix: switched to 14. ✅ Fix: post-hydration, the resolver opens the package folder via 15. ✅ Fix: defensive 16. ✅ Race / lifecycle hazards17. ✅ 18. ✅ 19. ✅ Fix: replaced with a single bounded Style / consistency20. ✅ Fix: register the publisher as a true singleton via 21. ✅ Fix: gate hosted-service registration on 22. ✅ 23. ✅ ✅ Looks good (no action needed)
Areas not covered in this reviewPersistence-service refactors ( |
Contributor
Author
Review fixes applied — all 23 items addressed5 commits, organised by batch. Locally committed, not pushed yet.
Verification
Notes
Ready to push when you want. |
Contributor
Author
|
Done — review item #14 is now closed in commit |
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
…fix DI lifetimes, redact PII, drop dynamic - ThreadExecution: collapse triple-stacked <summary> blocks on WatchForExecution and NotifyParentCompletion. Tooling kept the last one anyway; the dead scaffolding was just noise. - SocialExtensions: register LinkedInPublisher / XPublisher as TRUE singletons (factory-resolved with named HttpClient). The previous AddHttpClient<T>+AddSingleton<IPlatformPublisher> mix made the concrete type transient while the interface alias was singleton — direct vs via-interface resolution returned different instances. Also gate hosted-service registration on at least one platform being configured (the "all-or-nothing" comment was wrong; with zero platforms the four hosted services started anyway and faulted on first tick). - LinkedInPublisher: replace `(dynamic)media.shareMediaCategory` peek with two concrete payload shapes — typo turns into a compile error instead of a RuntimeBinderException. - LinkedIn / X publishers: cap error-body logs at 200 chars to bound PII exposure (the body can echo the user's post text on validation rejection). Full body still goes to PublishResult.Error for the caller. Addresses PR #95 review items #9, #20, #21, #22, #23. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
… in-memory engines
PostgreSqlStorageAdapter.QueryNodesAsync(IReadOnlyList<ParsedQuery>):
- Replace order-dependent `string.Replace` parameter rename with a
single `Regex.Replace` keyed on @<name> word boundary that gates
on perParams.ContainsKey. Sequential Replace was mangling adjacent
tokens (renaming `@p` after `@p1` produced `@q0_q0_p1`) and could
clobber `@…` substrings inside string literals / JSONB paths.
- Switch from `UNION` to `UNION ALL` wrapped in
`SELECT DISTINCT ON (namespace, id) ... ORDER BY namespace, id, last_modified DESC`.
Plain UNION dedupes whole rows — two queries observing the same
node at slightly-different last_modified would BOTH appear in the
output. Path-keyed dedup (= MeshNode identity) with newest-wins
tie-break collapses them correctly.
PostgreSqlMeshQuery.ObserveQuery<T>:
- Parse EVERY query in request.EffectiveQueries and build per-query
(basePath, scope) filters; the change-notifier subscription
OR-joins them so multi-query observations get delta refreshes
triggered by ANY query's path/scope, not just query #0's. The
previous shape silently lost live updates from queries #1+.
PostgreSqlMeshQuery.QueryNodesUnionAsync + MeshQueryEngine:
- Drop the per-query `parsedList[0].Limit = request.Limit` injection.
Query #0 hit its limit before yielding the union's most relevant
rows, while queries #1+ contributed unbounded — making the result
iteration-order dependent. Limit is now enforced post-union via
MinLimit(request.Limit, firstParsed.Limit) so a request-level cap
can't be circumvented and an in-query `limit:N` still wins when
smaller.
- MeshQueryEngine: CollectMatchedAsync returns the LIST of every
query's basePath; the source:activity post-filter scans every
base path's descendants and unions activity-main-paths so
queries #1+ aren't filtered against query #0's subtree only.
Addresses PR #95 review items #1, #2, #3, #4, #11.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
…ThreadExecution stability fixes ThreadExecution.cs (already in commit 478fdaa — recapping here for the review-item index): - RecoverStaleExecutingThread: drop the 2-minute "fresh execution" window in favour of a structural check (skip when PendingUserMessage + ActiveMessageId are still set, i.e. the thread is an auto-execute candidate WatchForExecution will pick up). Closes the "long-running agent crashed at minute 5 → IsExecuting=true forever" gap; the time-based heuristic contradicted commit 6dc436b's "no time limits" stance. - Subject<StreamingSnapshot>: declare with `using var` so the Subject itself disposes alongside its subscription. Minor leak per execution previously. - HandleSubmitMessage: pre-allocate the per-round CancellationTokenSource and store it on the thread hub BEFORE posting SubmitMessageResponse — closes the race where an early Stop click between IsExecuting=true and ExecuteMessageAsync's `parentHub.Set(executionCts)` found a null CTS slot and silently no-op'd. ExecuteMessageAsync now reuses the pre-allocated CTS (with a fallback for the auto-execute path that bypasses HandleSubmitMessage). IsExecutingLifecycleTest.cs: - Migrate the response-text wait from text-pattern matching (skipping placeholders "Allocating agent..." etc.) to `ThreadMessage.CompletedAt is not null`, which ExecuteMessageAsync sets only on the terminal PushToResponseMessage call. Same pattern adopted in ChatHistoryTest in commit ab3af8b. - Add a regression assertion that final ThreadMessage.Status == Completed. The terminal-status guard in PushToResponseMessage prevents the late Sample(100ms)-flushed Streaming push from regressing the cell from Completed back to Streaming; this assertion catches any future regression of that guard. Addresses PR #95 review items #5, #6, #7, #8, #10. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
…, parallelism, backoff)
NuGetAssemblyResolver:
- Evict faulted/cancelled tasks from the per-key cache before
returning. A transient feed failure (network, throttle, cancelled
in-flight resolve) used to poison the cache for the resolver's
lifetime — every subsequent call replayed the same exception.
- Pass CancellationToken.None to the shared core task so a single
caller's cancellation can't take down the resolution for
others; per-caller `ct` projects via `task.WaitAsync(ct)`.
- Switch DependencyBehavior from `Lowest` to `HighestMinor` so
`#r` directives pick up patch-level security fixes via
transitive dependencies without silently jumping major/minor.
- Document that hydrated cache content is trusted to match
(id, version) — flag for future content-hash verification if
cache poisoning becomes a concern.
LinkedInPublisher / XPublisher (LinkedIn already committed in batch A
for the dynamic+PII parts; this commit adds the 401 retry):
- SendWith401RetryAsync: on the FIRST 401 response from a publish,
force-refresh the token (zero ExpiresAt before EnsureFreshAsync)
and retry once. Closes the race where the access token's TTL
expired between EnsureFreshAsync and the actual API call.
PostStatsRefresher:
- Process due-refresh targets via Parallel.ForEachAsync bounded
by SocialOptions.StatsRefreshDegreeOfParallelism (default 8),
so a slow API + large refresh window can't let one tick
overshoot the next interval.
- Per-target failure backoff via a ConcurrentDictionary of
last-failure timestamps — targets that failed within
StatsRefreshFailureBackoff (default 15 min) skip the next tick.
Stops a degraded platform from generating thousands of repeat
warnings every cycle while the underlying issue is fixed.
Success clears the backoff entry.
SocialOptions: add StatsRefreshDegreeOfParallelism (8) and
StatsRefreshFailureBackoff (15 min) knobs.
Addresses PR #95 review items #12, #13, #14, #16, #17, #18.
(#15 XPublisher defensive parse + the LinkedIn dynamic / PII items
were already in commit 478fdaa.)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
… file lock The MESHWEAVER_DISPOSE_TRACE=1 trace took a global lock per call (`File.AppendAllText` under `lock (DisposeTraceLogLock)`), serialising hub teardown under load when many hubs disposed concurrently. Replaced with a single bounded `Channel<string>` (capacity 4096, FullMode = DropWrite) drained by one writer task started in the type initialiser. Producers `TryWrite` non-blocking — if the disk is slow / locked, lines drop on full instead of putting back-pressure on dispose. Single-reader semantics avoid contention on the file handle. Addresses PR #95 review item #19. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rbuergi
added a commit
that referenced
this pull request
May 10, 2026
Replaces the TODO from commit 512adb4. After a successful INuGetPackageCache.TryHydrateAsync, the resolver now opens the hydrated folder via PackageFolderReader and compares the package's own .nuspec-declared (id, version) against the expected (id, version). On mismatch the directory is purged and the resolver falls back to the feed. This catches the failure modes #14 was about: wrong package stored under right key (cross-tenant blob, accidental copy, drift after a manual edit). The .nuspec is the canonical NuGet source of truth, so a tampered cache entry can't fake the identity without rewriting the nuspec — which we'd then catch at hydration time. No INuGetPackageCache contract change; validation lives entirely in the resolver. Closes the last open item from PR #95 review (item #14). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Contributor
Author
|
@copilot resolve the merge conflicts in this pull request |
…read flake `ApplyAgents` wiped the `agents` dict to empty BEFORE `CreateAgentsSync` rebuilt it one entry at a time via `agents = agents.SetItem(...)`. Any concurrent `SelectAgent` call landing inside the rebuild window saw a PARTIAL dict — biased toward agents added first (Researcher, Versioning, DescriptionWriter, …) because `OrderAgentsForCreation` puts the default LAST. SelectAgent's fallback `agents.Values.FirstOrDefault()` then returned a non-default agent. In `SubThreadHangRepro`, that non-default agent maps to `HangingSubAgentChatClient` (which `Task.Delay(Timeout.InfiniteTimeSpan)`), not `DelegatingParentChatClient` (which yields the `delegate_to_agent` FCC). Result: parent never delegated, `WaitForDelegationPath` timed out at 30s — every second [Fact] in the class failed deterministically. Two-part fix: 1. `CreateAgentsSync` builds the new dict LOCALLY (`createdAgents`) and ATOMIC-SWAPS into `agents` at the end. No more per-iteration writes to the shared field; readers see EITHER the previous full dict OR the new full dict, never a half-built one. Same pattern in the obsolete `CreateAgentsAsync` left untouched (dead code). 2. Removed the pre-wipe `agents = Empty` in `ApplyAgents`. With the atomic-swap, the old dict can stay live during the rebuild window — concurrent SelectAgent gets the previous batch's agents (still valid in nearly all cases — agent set rarely shrinks across re-emissions) instead of an empty intermediate. Without this, the test surfaced as "No suitable agent found to handle the request." in the response cell. 3. `SelectAgent` now prefers the configuration-marked default agent (`IsDefault=true`) over the `loadedAgents[0]` relevance-ordered fallback. Defense in depth — even if a race exposes a partial state, the default is preferred over whichever non-default happens to be at the head of the ordering. Verified: full `MeshWeaver.Threading.Test` suite — 114 passed, 0 failed (53s). Both formerly-failing SubThreadHangRepro Facts pass solo AND in-suite. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`UpdateRemote` was blocking OnCompleted waiting for the owner's
`PatchDataResponse` so structured errors (AccessDenied, Validation,
Deserialization) could propagate on the Rx OnError stream. Worked in
Monolith (~10ms response round-trip). Broke Orleans:
- Cross-grain routing + cold-start grain activation routinely exceed
the 30s response timeout. Subscriber sees TimeoutException → OnError
→ caller's `.Subscribe(_, ex => log)` logs warning → write
appears to fail even though the owner committed the patch.
- Any caller bridging `await stream.Update().FirstAsync()` on a hub
action block deadlocks — the response delivery needs the same
action block to dispatch.
Concrete symptom: 13 Orleans tests in CI 26630118759 failed with
"Expected Messages count = 2, got 0". OrleansChatTest's SubmitMessage
posted the user message, the AppendUserInput's `stream.Update(...)`
chain timed out at 30s on the response wait, AppendUserInput logged a
warning and gave up. PendingUserMessages stayed empty; submission
watcher never triggered; agent never executed; test asserted 0 messages.
Revert: emit OnNext optimistically with the locally-computed `updated`
snapshot, then fire-and-forget the response check. Owner-side failures
land in the `MeshWeaver.Mesh.MeshNodeStreamHandle` diagnostic log
channel — observable to operators but not on the Rx pipeline.
Trade-off (documented in code): structured errors no longer propagate
on Rx OnError end-to-end. The patch is RFC 7396 deterministic against
owner state, so the optimistic snapshot matches what the owner commits
on success. For strict consistency callers re-read via
`GetMeshNodeStream(path).Take(1)` — that does go to the owner.
The inner Subscribe IS captured in `composite` so disposal still tears
down the hub-level callback (no leaked Observe per Update).
Verified locally: OrleansChatTest.CreateThread_AndSubmitMessage_ProducesThreadMessages
passes in 35s (was failing in 48s with the wait-for-response).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
After reverting wait-for-PatchDataResponse to fix Orleans, the canary test regressed at hop4_update_onnext — expected the caller's AccessContext but saw 'system-security'. Root cause: the optimistic OnNext fires inside `initialSub.Subscribe`'s callback, which runs on the remote-stream emission thread — opened under `ImpersonateAsSystem` (MeshNodeStreamExtensions.cs:109-114) for infrastructure routing. So AsyncLocal Context = system-security at that point. CarryAccessContext (wrapping the outer chain) doesn't compensate because it captures only `Context`, not `CircuitContext` — pure CircuitContext callers (Blazor circuits, tests using SetCircuitContext) see system-security. Fix: wrap the OnNext + OnCompleted in a `SwitchAccessContext` scope keyed to the eagerly-captured `capturedContextAtEntry` (which already does the `Context ?? CircuitContext` fallback used elsewhere). Now the caller's Subscribe(_ => …) callback runs under their identity, not the infrastructure system identity. Verified locally: - AccessContext_PreservedAcrossSubscribeAndUpdateHops canary: PASS - DelegationWriteCountTest.Delegation_ParentToolCalls_...: PASS Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CI consistently tripped the 60s `[Fact(Timeout)]` even though the test passes locally in ~13s. The cost is Roslyn cold-start on Linux runners — two sequential C# compiles (LinkedInProfile + LinkedInTelemetryImport) routinely take 40-60s on shared runners, leaving zero headroom for the post-compile render. The per-test-class `.mesh-cache` directory is unique-per-process (`MeshWeaverLinkedInTelemetryTests/.mesh-cache` under temp), so every CI run pays the full first-compile cost. Wall bumped to 120s. The inner `ct = new CancellationTokenSource(60s)` keeps the application-level budget at 60s for the in-test waits — only the outer xUnit wall is relaxed to absorb cold-start variance. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… gate) Prep for retiring UpdateNodeRequest. Verified RLS IS enforced on the stream.Update / PatchDataRequest path (a no-Update-rights write is denied, node unchanged), but the optimistic emit (UpdateRemote deliberately does NOT await the owner — Orleans / thread-pool deadlock avoidance) SWALLOWED the denial so the caller saw a fake success. - MeshNodeStreamCache.Update: add a client-side CACHE-ONLY write gate mirroring the read gate — when the caller's effective permissions for the path are already cached (warm from a prior read, the realistic read-then-edit flow), require Permission.Update and throw UnauthorizedAccessException before the optimistic emit. Cache-only by design: a per-write GetPermissionRequest probe doubled write latency and timed out on cold owning hubs (Acme bulk 2.5m -> 5m); the owner still enforces RLS authoritatively, the denial just isn't surfaced on the Rx stream for a cold write. Extract the permission probe into ProbeEffectivePermissions, shared by both gates. - RlsIntegrationTests.StreamUpdate_WithoutUpdateRights_IsDeniedAndErrors: viewer reads then attempts stream.Update -> denied (node unchanged) AND surfaces the error. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Prep for retiring UpdateNodeRequest. HandleUpdateNodeRequest stamped LastModifiedBy from the request's UpdatedBy; the stream.Update path stamped LastModified but NOT LastModifiedBy, so migrating writes off UpdateNodeRequest would drop the "who last modified" audit field. - UpdateRemote: alongside the existing LastModified auto-stamp, stamp LastModifiedBy from the caller's AUTHENTICATED identity (capturedContextAtEntry) when the lambda left it untouched — the same AccessContext stamped on the outgoing patch, so a client cannot forge a different author. CreatedBy/CreatedDate stay untouched (immutable, preserved through the patch). - MeshNodeAuditingTest: migrate UpdateNodeRequest_Preserves... to stream.Update as a distinct user; asserts CreatedBy/CreatedDate immutable + LastModifiedBy stamped from the caller. 3/3 green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…view + unscoped query defer #16 matview: rebuild_top_level_index() now selects exactly the partition ROOT per schema (namespace='' AND id=<schema_name>) so path (a generated column = id when namespace='') is globally unique — the prior (namespace,id)/(path) UNIQUE index collided on non-root top-level nodes repeating ids across partitions. atioz migration completes; matview = one row per real partition. #20 (partial): StorageAdapterMeshQueryProvider defers UNSCOPED queries to the native partitioned provider's SQL fan-out (partitioned PG only, via StorageAdapterQueryProviderOptions). Removes the pedestrian's slow cross-partition ListChildPaths walk for the onboarding middleware's unscoped 'nodeType:User content.email:X' lookup (the 20s timeout). Scoped/satellite queries untouched (pedestrian is the real server for _Access reads) — 452/452 PG tests pass. Absent-partition scoped-walk slowness (_Access/User/_UserActivity) is a separate routing-layer fast-fail, tracked next. RoutingConvergenceTests: PG regression guards that ResolvePath/GetQuery converge to empty (no hang) for absent partitions + non-matches. Docs: CLAUDE.md + Deployment.md rewritten to the AKS image-update deploy (dotnet publish -t:PublishContainer → az aks command invoke set image/rollout); deploy.sh = first-time env setup only; bare aspire deploy = legacy. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… stream.Update Completes retiring the verb-shaped UpdateNodeRequest/UpdateNodeResponse mutation API in favour of the canonical stream.Update. RLS + auditing were already moved onto the stream.Update/patch path (01182bd, 9e1e37b), so this removal is safe. - Delete UpdateNodeRequest + UpdateNodeResponse + NodeUpdateRejectionReason, the HandleUpdateNodeRequest handler + its registration + type-registry entries. - HandleCreateOrUpdateNodeRequest: apply the update branch via hub.GetMeshNodeStream(path).Update(_ => merged) instead of forwarding UpdateNodeRequest. - MeshService.UpdateNode / HubNodePersistence.UpdateNode: same IObservable<MeshNode> surface, now stream.Update internally (optimistic emit; owner re-validates RLS + stamps auditing). - RlsNodeValidator / PartitionWriteGuardValidator: drop the UpdateNodeRequest arm; Update permission for writes is enforced on the patch path (RlsDataValidator). Create/Delete unchanged. - Migrate tests (RlsIntegration, OrleansGetDataRequestPropagation, ContentPropertySync, MeshNodeTypeSource) and update 7 Architecture/DataMesh docs to the stream.Update path. Full solution builds 0 errors / 0 warnings. Affected suites green: RLS 22, content/ nodetype 12, auditing 3, create-or-update 3. NOTE: CLAUDE.md's Data Access Patterns table ("Update | UpdateNodeRequest") still needs the same update but is mid-edit by another agent on this branch — left for that change. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…eTable) + routing design + deploy-route docs Foundation for the partition-provisioning redesign (Doc/Architecture/PartitionStorageRouting.md): partitions matter only for (1) queries — fan to every adapter, absent partition → empty; (2) object→adapter routing — longest-prefix-match across adapters (no registry); create-of-partition-object → adapter makes the schema + creator Admin; partition absent → refuse the write (root-cause fix for lazy-schema corruption). The NodeType definition is the single source of truth, loaded on create. This commit adds the declarative config (additive, no behavior change yet): - NodeTypeDefinition.OwnsPartition (bool) + StorageTable (string?) — storage shape declared on the type definition. - Declared OwnsPartition=true on Space + User (own a partition); StorageTable=user_activities on UserActivity (own a table). Knowledge centralized on the NodeType definitions; the central StandardTableMappings/NodeTypeToSuffix dicts + _Thread/_Access path-suffix matching get retired in the follow-up behavior-change pass (create-path provisioning, remove lazy schema creation, prefix-match routing, query fan-to-all). Docs: split Deployment into DeploymentAKS.md (AKS cluster route) + DeploymentContainerApps.md (Aspire test/prod → ACA route) — both first-class, neither legacy — with Deployment.md as index; CLAUDE.md reframed accordingly. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…UpdateNodeRequest UpdateNodeRequest was deleted (3218ce6); the table row pointed agents at the removed API. Now points at workspace.GetMeshNodeStream(path).Update(...), matching the ABSOLUTE "GetMeshNodeStream().Update() is the ONLY mutation API" rule above. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…nsPartition NodeTypes
The PG path router lazily CREATE SCHEMA'd ANY first path segment on write, so
NodeType names / reserved words / request-URL segments each spawned a ghost
schema (atioz: 45 ghosts → DB corruption). Schema creation is now gated to ONE path.
- OwnsPartitionProvisioningValidator: the single schema-creation trigger. Reads
NodeTypeDefinition.OwnsPartition (User, Space), requires top-level, provisions
the schema BEFORE the root write. Replaces SpaceTopLevelValidator (deleted) and
User-onboarding's lazy reliance. Registered centrally in AddRowLevelSecurity.
- IPartitionStorageProvider.EnsurePartitionProvisioned: reactive IObservable<Unit>
(was Task), promise-cache + IIoPool.Run on a per-adapter pg:{adapter} pool
(cap 1 = one Npgsql connection). NO Observable.FromAsync at any call site.
- PostgreSqlPathRoutingAdapter: deleted lazy EnsureSchemaForPartitionSync from
RouteWrite + CreateAdapterForTable. Unprovisioned write → 42P01 ("no partition,
no write"), never a ghost schema.
- DefaultPartitionProvider: cut Portal/Kernel/_Activity/_UserActivity/_Thread +
seed grants (kernel work is Activities; system gets Permission.All from the
evaluator fast-path). KEPT _Access — global/root-scope grants are load-bearing.
- Migration + test fixture eagerly create auth + system_access (V27 only renames
user→auth, a no-op on a fresh DB; router no longer lazy-creates).
- NavigationService: never track activity under the system identity (it was
writing a system-security ghost partition).
- Docs (CLAUDE.md, ControlledIoPooling.md, AsynchronousCalls.md): Observable.FromAsync
is NEVER tolerated — Postgres/storage carve-out rescinded. PartitionStorageRouting.md
marked implemented.
- Tests: new GhostSchemaInvariantTests; 5 lazy-create-reliant PG tests updated to
provision-first. PG suite 454/454 green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…_nodes The pedestrian StorageAdapterMeshQueryProvider's ListChildPaths scope-walk was the 60-70s onboarding/storm stall. PostgreSqlPartitionedMeshQuery now OWNS scoped primary-content serving by delegating to a per-schema PostgreSqlMeshQuery over the CACHED adapter (live deltas, no walk): - PostgreSqlPathRoutingAdapter.GetSchemaAdapter / provider.GetSchemaAdapter expose the cached per-schema adapter (shared in-process Changes feed). - PostgreSqlPartitionedMeshQuery: scoped mesh_nodes Query/QueryAsync/Select/within- partition Autocomplete delegate to a per-schema PostgreSqlMeshQuery (one per cached adapter → live deltas). Gated by !NeedsFanOut. - Pedestrian DeferToNativeProvider: defers unscoped/wildcard (→ native cross-schema fan-out) and scoped mesh_nodes (→ delegate); KEEPS scoped-satellite. The per-schema delegate's satellite Query Initial under-returns pre-existing rows (the live-delta path works; Initial-with-preexisting is a follow-up). Satellite reads to an absent partition are now fast anyway (42P01-tolerant, post-ghost-fix), so not a storm path. Renamed DeferUnscopedAndSatelliteToNativeProvider -> DeferToNativeProvider. PG suite 454/454. Doc: PartitionStorageRouting.md updated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…, RLS denial, read-after-write The UpdateNodeRequest deletion (3218ce6) dropped three behaviours the synchronous handler provided. Restored them without reintroducing the verb-shaped request. Cat 1 — Update validation: - RlsNodeValidator: re-add the Update arm (SupportedOperations + Validate switch). - New IOwnerEnforcedNodeValidator marker on RlsNodeValidator + PartitionWriteGuardValidator so the client-side update pipeline skips them (RLS stays owner-authoritative, not re-checked on the caller's hub — that was the cache-only-gate flake). - NodeUpdatePipeline (MeshService.UpdateNode): existence check (→ InvalidOperationException "Node not found"), app-integrity INodeValidator(Update) run (→ UnauthorizedAccessException), version bump (Math.Max(existing,incoming)+1 — VersionWritingStorageAdapter dedupes same version, so without this history never records V2/V3), then stream.Update under the caller's identity (Observable.Using + SwitchAccessContext so the read continuation can't drop the AccessContext and let a viewer's write slip through un-denied). Cat 2 — RLS denial surfacing: - UpdateRemote: terminal emission is now driven by the owner's PatchDataResponse / DeliveryFailure (30s optimistic fallback) instead of an eager optimistic emit. RLS denial (DeliveryFailure Unauthorized) → UnauthorizedAccessException; deserialization/validation NodeError → MeshNodeStreamException. Deadlock-safe: emission fires from the reactive Observe callback, never a blocking bridge. Deleted the flaky cache-only write gate in MeshNodeStreamCache. Cat 3 — read-after-write: - New IPostCommitFlush hook: HandlePatchDataRequest chains its ack off a durable WriteAndPublishUpdated (persist + IMeshChangeFeed.Updated for workspace cache eviction) instead of the in-memory commit, so a subsequent Query / GetRemoteStream sees the write. Verified green: NodeOperations validators 6/6, Security 15/15 (McpUpdate, CacheIdentity, RlsNodeValidator), Hosting.Monolith freshness/cache/copy/move/resubscribe + cross-hub-persist repro, Content VersionHistory 5/5, Persistence ProjectViews, AI MeshPlugin FullCrud. Full solution builds 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…, not RlsDataValidator The deletion-era doc edits claimed the cross-hub stream.Update patch path "re-validates RLS via RlsDataValidator" and emitted optimistically with a cache-only write gate. Neither is true after the fix-forward: the owner enforces Permission.Update via the [RequiresPermission(Update)] pipeline, and UpdateRemote drives the caller's terminal emission off the owner's response (surfacing denial as UnauthorizedAccessException). Also documents that app-integrity INodeValidators run client-side while IOwnerEnforcedNodeValidator (RLS/partition) ones are skipped there. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…_access; V05 reads the matview not the dead `user` schema A truly-fresh atioz (admin/db_version wiped) ran the legacy `user`-schema repair chain (V05+) and aborted at V05 with `42P01: relation "user".mesh_nodes does not exist`. Root cause: 0ceba04 added ensure_partition_schema('auth')/('system_access') to SchemaInitialization, creating auth.mesh_nodes/system_access.mesh_nodes BEFORE DetectFreshDbAsync — so the fresh DB looked non-fresh and MigrationRunner ran the legacy chain instead of fast-forwarding past it. - SchemaInitialization: remove the eager auth/system_access creation (the portal's PostgreSqlPartitionSubscriptionHostedService provisions them at boot, before any user write). Harden DetectFreshDbAsync to exclude framework schemas (admin/auth/system_*/ portal/kernel) so they can never make a fresh DB look non-fresh. - V05: source Users from the central index (public.top_level_index matview — Users ARE partition roots), write the self-Admin grant into the user's OWN partition's `access` table at {id}/_Access (smallint state=2=Active). No `user` schema reference. - Test: MigrationUserBackfillFromIndexTests pins the matview-sourced backfill + no `user`. - Doc: PartitionStorageRouting.md — auth/system_access provisioned at portal boot (not the migration); fresh-DB fast-forward note (the other legacy `user` migrations are skipped on fresh DBs and only ran on legacy incremental DBs where `user` existed). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ot the workspace-less _Exec hub
ExecuteMessageAsync read/wrote two MeshNodes via hub.GetMeshNodeStream(...)
where `hub` is the _Exec hosted hub. That extension calls hub.GetWorkspace(),
but _Exec is created with no AddData, so it threw:
InvalidOperationException: Configuration of message hub is inconsistent:
AddData was not called.
at Workspace..ctor → WorkspaceExtensions.GetWorkspace
→ MeshNodeStreamExtensions.GetMeshNodeStream(IMessageHub, String)
at ThreadExecution.ExecuteMessageAsync
The throw escaped on the WhenInitialized onNext path (not the Rx error
channel), so the init-stall onError never fired and the thread sat Executing
forever — every round wedged, presenting as a timeout/"deadlock". Since
PushToResponseMessage runs on every round, this broke every thread submission:
all of Threading.Test, AI.Test, Security.Test, and the Orleans delegation
tests timed out.
Regression from a4df4fc, which mechanically swapped cache.GetStream/Update
(a process-wide singleton, no workspace needed) for hub.GetMeshNodeStream.
Fix: route both sites through parentHub (the thread hub, which owns the
workspace and resolves the identical process-wide IMeshNodeStreamCache), so
the cross-hub patch still flows through the same shared handle the GUI reads.
Verified: Threading.Test 114/115 (1 skipped; the lone SubThreadHangRepro
sequencing flake passes in isolation), AI.Test + Security.Test thread tests
green after rebuild.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… synchronous submit failures
Onboarding submit hung on a fresh atioz: HandleSubmit's Observable.Using factory called
AccessService.ImpersonateAsHub(portal/{user}), and AccessContext rejects a hub-shaped
principal ("hub-shaped principal must never happen") — thrown SYNCHRONOUSLY during Subscribe,
bypassing the Rx onError, escaping HandleSubmit unhandled, leaving the form stuck at isSaving
with no message.
- Onboarding.razor: ImpersonateAsHub(PortalApplication.Hub) -> ImpersonateAsSystem(). Onboarding
creates the user's own partition root + self/platform grants — infrastructure writes the
not-yet-onboarded user can't authorize (canonical ImpersonateAsSystem case, like
SpacePostCreationHandler / OwnsPartitionProvisioningValidator).
- Onboarding.razor: wrap the Subscribe in try/catch -> OnOnboardingFailed, so a synchronous
subscribe failure surfaces in the error bar instead of silently hanging the form (the GUI
must never swallow an onboarding failure).
- StorageAdapterMeshQueryProvider: fix the stale DefersToNativeProvider XML doc (cref +
description) left from the DeferUnscopedAndSatellite -> DeferToNativeProvider rename.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…posed hub
The cross-test-class memory leak behind the bug_fix capacity flakes (MeshHubDisposalLeakTest
et al. pass in isolation, fail under the full suite). CI ClrMD GC-root analysis named it
exactly:
[StrongHandle] Object[] → Timer → TimerHolder → TimerQueueTimer → TimerCallback
→ KernelContainer+<>c__DisplayClass9_0 (closure) → MessageHub [RunLevel=6]
KernelContainer.DisposeOnTimeout created a PERIODIC Timer (period = DisconnectTimeout) whose
callback closure `_ => hub.Dispose()` captures the kernel MessageHub, and never disposed it.
The TimerQueue (a GC strong-handle root) therefore kept the timer — and through it the
DISPOSED hub (RunLevel=6) — alive forever; every kernel hub accumulated across test classes,
and on the 2-core CI runner that memory pressure surfaced as the shifting thread/AI/disposal
flake set.
Fix: one-shot timer (period = Timeout.InfiniteTimeSpan, reset per message for the idle
window) + hub.RegisterForDisposal((IDisposable)timer) so the timer dies with the hub. Other
src timers (FileSystemChangeWatcher, ActivityLogBundler — stores hub PATH not the hub,
MeshNodeTypeSource) verified safe.
Verified: full solution builds 0 errors; kernel-using tests + MeshHub_IsCollected run together
(kernel hubs created first) → hub collects cleanly, 9/9, no survivor.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…gate race - SettingsLayoutArea: flex-fill the content pane. A prior 'hardening' set inline height:100%; max-height:calc(100dvh-48px), which overrode the working .settings-content-pane flex-fill class and understated the ~86px header, clipping the bottom out of reach. Match the class (flex:1 1 auto; min-height:0; overflow-y:auto). - ModelsSettingsTab: move the magic Sparkle to the AI GROUP header (GroupIcon, first non-null in a group wins) so the group is no longer indented+iconless; the item gets BrainCircuit and is renamed 'Language Models'. - AdminMenuGate: wait for the first emission granting Permission.All instead of FirstAsync(). The root grant is a runtime AccessAssignment, not static, so GetEffectivePermissions emits an empty static seed first; FirstAsync captured that premature empty -> gate always false -> Invitations/Inbox never appeared. Validated by EffectivePermissionPostgresTest (3/3, incl RootScopeAdminGrant). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…, source, importer, spec) Foundation for materializing a build-time static repo (embedded docs, sample graphs) into its mesh partition via the canonical create pipeline (content + prerender), exactly once per content-version, tracked as a content-addressed Activity. Replaces the bespoke content-NULL DocumentationBackfill model where docs were a search index only and not served from the DB. - StaticRepoImport.md: spec + pattern doc (fingerprint, content-addressed activity lock, main-node marker, single-execution, import/export symmetry, phased plan). - PartitionSourceFingerprint: deterministic, order-independent content-version hash; (path,version) for versioned partitions, (path,contentHash) for unversioned. 6/6 unit tests. - IStaticRepoSource: per-partition import-source contract. DocumentationStaticRepoSource: embedded docs as the Doc source. - StaticRepoImporter: content-addressed activity lock + fingerprint short-circuit + CreateOrUpdate upsert + prerender via the shared MarkdownContent.Parse + activity status. Foundation only -- inert until activation (no IStaticRepoSource is registered yet). Activation = StaticRepoImport.md Phase 3-4 (a generic AddGraph init hook + opting the PG/distributed path into partition-served docs), gated behind a deployment flag to avoid regressing monolith's embedded serving. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- StaticRepoImport.md: add the 5-step recipe + 'when to use', reconcile the status section with what's committed (Phase 1-2 done+inert; Phase 3-4 = the monolith-safe gated activation). - LocalDevWorkflow.md + CLAUDE.md: document aspire start --no-build (background, no rebuild) alongside aspire run, with aspire ps/stop and the 'reuses last build' caveat. - PartitionStorageRouting.md: cross-link content partitions (Doc, samples) to the Static-Repo Import pattern (DB-served, not in-memory overlay). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…cess through GetMeshNodeStream The single-node GetRemoteStream<MeshNode, MeshNodeReference> mirror does not converge reliably: an ad-hoc remote subscription tears its upstream down when the short-lived reader unsubscribes, so the owner stops posting and the mirror freezes at its initial frame. This was the deterministic root cause behind the Orleans resubmit/chat deadlocks and the MeshPlugin update failure — the read-modify-write read a stale (empty) node. The shared IMeshNodeStreamCache keeps ONE upstream alive for process lifetime, so its mirror converges. Make hub/workspace.GetMeshNodeStream(path) the single canonical API to read/write a mesh node by path (it routes through the cache), and make Workspace.GetRemoteStream<MeshNode> THROW so every callsite is caught and migrated. The cache + reduce-callback plumbing open the raw reduce via the internal GetRemoteStreamUnchecked escape hatch; framework cache-identity tests (ReferenceEquals on _remoteStreamCache) use it via InternalsVisibleTo. - Workspace: ThrowIfMeshNode guard + internal GetRemoteStreamUnchecked - MeshNodeStreamHandle: explicit bypassCache flag; non-own writes require the cache - Migrate ~70 callsites across src + test to GetMeshNodeStream - ToolCallsVisibilityTest: measure the layout feedback loop via handle emission count instead of the raw sync-stream Hub.Version - Docs: CqrsAndContentAccess / DataAccessPatterns call out the ban Fixes: OrleansResubmitDeadlock, OrleansChat CreateThread, MeshPlugin_Update_RestoresAccessContext, ThreeNodePropagation (Orleans + Monolith) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…n test; quiet disposal-timeout log StringDeltaPatch: a field-level patch that ships ONLY what changed between a base and an updated object — and for changed string fields, only the splice (via the existing StringDelta), never the whole value. The "big strings → submit only the delta, in the patch" optimization (a 100 KB markdown body that gained one char travels as a few bytes). Apply() replays string splices onto the target's CURRENT text, so a disjoint concurrent edit on the owner survives — same merge semantics as StreamConflictResolution. Round-trip + concurrent-merge tests included. NOTE: this is the transmittable payload; wiring it into the subscriber→owner DataChangeRequest transport (today it ships the whole changed entity) is the next step, and that typed payload will need TypeRegistry registration. StreamVersionMonotonicityTest: pins that the OWNING hub assigns strictly increasing versions across sequential updates — off the per-stream sync hub clock (which ticks per update), not the host's global clock (which can sit still while the stream ticks). An equal/lower version would be dropped by the monotonicity guard and the view would not refresh. MessageHub: the disposal-watchdog's ObjectDisposedException (the watchdog CTS is disposed by the completion continuation the instant disposal finishes — the SUCCESS path) is now caught as benign instead of logged as a fail. Killed the noisy "Error in disposal safety timeout" at startup for short-lived sync/activity sub-hubs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… land
A Full is the owner's complete authoritative state, normally a roll-back (the owner re-asserting truth after rejecting a client's optimistic change). Version-guarding Fulls dropped roll-back / re-sync frames, leaving a confused subscriber stuck on stale state ("blank layout" after a refresh). Now only patches are version-gated; a Full applies regardless of version — the property that makes reject->rollback undo and RequestFreshSnapshot recovery work.
Adds DataSyncAndCrdt.md: the full sync-stream contract — version assignment in the owning hub queue, the patches-only guard, version + string-splice conflict resolution, reject->rollback via Full, and the minimal-bytes transport.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…rom merge-sync Foundation for activating static-repo sync (Doc done; Agents/Models/samples next). - MeshNode.SyncBehavior enum (Include default / ExcludeThisOnly / ExcludeThisAndChildren): how a node participates in static-repo import/export. A user "claims" an imported node/subtree by editing it (ExcludeThis*) so the next import won't clobber it. - Overwrite(MeshNode) write primitive: asserts the FULL authoritative node as a ChangeType.Full, bypassing the RFC-7396 merge-patch that Update ships. Lands on every mirror unconditionally and persists via the owner write-back (Updates populated). Added on the stream handle, the cache (serial per-path queue), and the sync stream (SetFull / BuildFullChangeItem). - SynchronizationStream monotonicity guard: a Full now lands regardless of version (owner re-asserting truth) — the enabling half of Overwrite. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…Agent/Model sources, Permission.Sync Builds on the SyncBehavior/Overwrite primitive (3e7619a) to materialize build-time static content into its DB partition, served from there. - StaticRepoImporter: multi-partition aware (a source may span partitions, e.g. the model catalog: _Policy under "Model", content under "_Provider"). Per source node it skips nodes the user has claimed (SyncBehavior.ExcludeThisOnly / ExcludeThisAndChildren subtrees), CreateNodes absent ones, and Overwrites existing ones as a Full (decoupled from merge-sync). Prune (full-replace) removes stale Include, non-governance, non-claimed targets. ImportAll(hub) is the "sync context init": runs every registered IStaticRepoSource under system identity. - AgentStaticRepoSource + ModelStaticRepoSource: emit all their nodes (content + governance) into the partition. - Permission.Sync: a write-authoriser distinct from user write — a partition whose _Policy is read-only to users (Agent/Model) still admits a sync overwrite when the caller holds Sync. RlsNodeValidator authorizes writes by the required perm OR Sync; GetPermissionCap already preserves Sync on a read-only policy. "Sync is not a user write." - GUI: Stop/Resume synchronization toggle on the node menu flips SyncBehavior — how a user claims an imported node so the next import won't clobber their edit. Activation (registering sources + demoting the read-only static providers on the PG host so Postgres serves + accepts the writes) is gated/PG-only and not flipped here. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…lesale Mirrors ThreeNodePropagationTest but exercises the new Overwrite primitive: a cross-hub GetMeshNodeStream(path).Overwrite(node) lands the full authoritative node on the owner as a ChangeType.Full and propagates to another mirror, and a field set before the overwrite is gone after (full replace, not a field merge). Passes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…rn-business section cards
The settings content pane wasn't scrolling — clipped under an `overflow:hidden`. Root cause was an
inline `height:100%` on .settings-content-pane justified by a WRONG comment claiming the
FluentMultiSplitter pane is shadow DOM. Verified against the FluentUI source: the pane is LIGHT DOM
(a plain <div class="fluent-multi-splitter-pane">), so the stylesheet's
`.settings-splitter .fluent-multi-splitter-pane` rules DO reach it (definite-height flex column +
content wrapper), and `.settings-content-pane { flex:1 1 auto; overflow-y:auto }` scrolls within —
the same proven pattern PortalLayoutBase uses for .body-splitter. The inline override is removed and
the styling lives in standard-page-layout.css (one place).
Also a modern-business styling pass (in CSS, not inline): card sections with subtle shadow + hover,
uppercase section headers, a centered comfortable content column. Section markup uses
.settings-section[-header|-body] classes instead of inline borders/padding.
Needs a visual check in the running portal.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…dup; backfill doc headers DataSyncSetup.md: the source->target model (transient sync source vs persisted, owning-hub-authoritative target), version gating, sync-from-anywhere (static repo / another instance / public GitHub repo), and admin-partition PartitionSync config nodes + breaking the sync to take over a partition. ReleaseProcess.md: one central PlatformVersion, two channels (CONTINUOUS for CI/local, build-numbered; RELEASED for CD, clean), and the RC->official->next workflow for NuGet + Docker. DataSyncAndCrdt.md: add the single-source principle (owning hub is the only source -> no value-equal redundant frames -> the SetCurrent dedup is unnecessary). Backfill the rich YAML headers (NodeType/Name/Abstract/Icon-SVG/Thumbnail/Authors/Tags, or Name/Category/Description/Icon for GUI) on five docs that shipped without one: ExecutiveAssistant, TeamsBot, DebuggingDisposalAndLeaks, EmailIngestionAndNotifications, NotificationPreferences. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…eased channels One maintained version (PlatformVersion) in Directory.Build.props, overridable at build time (-p:PlatformVersion=... from the Docker image / CI). Two channels via the PublicRelease flag: CONTINUOUS (default, CI + local dev) -> 3.0.0-rc1.ci.<build> so dev packages are distinguishable and a local-deploy build always carries a build number; RELEASED (-p:PublicRelease=true, CD) -> clean 3.0.0-rc1 on NuGet AND the Docker image. AssemblyVersion/FileVersion = 3.0.0.<build> (numeric; the -rc1 label is stripped), still bumped every build for the CopyToOutputDirectory heuristic. InformationalVersion keeps +build.<ticks> so NodeTypeCompilationHelpers.FrameworkVersion stays distinct per build (cache invalidation). The version doubles as the data-sync content-version (DataSyncSetup.md). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…sed data-sync release-images.yml now passes -p:Version=$VERSION to every container publish, so a released image's binaries carry the clean tag version (3.0.0-rc1) instead of the continuous 3.0.0-rc1.ci.<build> default — which is also the version data-sync reads to pick its tag. release-packages.yml: setup-dotnet 9.x -> 10.x (a 9.x SDK can't build net10.0). DataSyncSetup.md + ReleaseProcess.md: resolve the GitHub chicken-and-egg — a build cannot embed its OWN commit SHA (it doesn't exist until after the commit), so a deployed binary syncs from the immutable release TAG v$(PlatformVersion), created after the commit and resolved tag->commit by GitHub at sync time. One v* tag drives code + image + synced content; cutting a release = pushing that tag. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Snapshots the full working tree at request. Bundles the concurrent cross-hub reject→rollback recovery (ISynchronizationStream.RequestFreshSnapshot, JsonSynchronizationStream, SynchronizationStream, StreamRejectRollbackTest) and the DataSync*/AI/GUI doc updates, plus the trailing XML-doc cref fix on SynchronizationStream. Not all authored in this agent's task — this is a tree checkpoint so nothing is left uncommitted. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…adStreamingIdentityTest snapshot Two compile errors were failing the CI Build step: - NodeTypeEnrichmentDoubleCallTest.HangingStreamCache (a test IMeshNodeStreamCache double) didn't implement the new Overwrite(string, MeshNode, JsonSerializerOptions) interface member — add it (returns Observable.Never, consistent with the hanging-cache theme). Mine: completes the Overwrite interface addition from 3cb068d. - ThreadStreamingIdentityTest referenced an undefined `snapshots` (×3); the lambda param is `snapshot` (an IReadOnlyDictionary) — fixed to `snapshot.Values`. From the concurrent reject→rollback refactor. Full-solution compile now clean (the other 86 "errors" in a local full build were MSB3021 file-locks from the running Aspire portal — not real, absent in CI). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… tests for StopSync Two regressions from the static-repo-sync work, caught once the build was unblocked and tests ran: 1. Permission.Sync was in Permission.All. GetPermissionCap() has no Sync=false switch, so a read-only _Policy PRESERVES Sync; an Admin (granted All ⊇ Sync) on a read-only-capped namespace kept Sync, and RlsNodeValidator treats Sync as a write-authoriser → the Admin could write a read-only partition. Broke StaticNamespacePolicyTests, PartitionAccessPolicyTests.PolicyCapsAdmin, RlsIntegration / McpAccessControl negative-write tests. Fix: Sync is NOT part of All — it's a privileged grant only (the import runs under System, which bypasses RLS regardless). Local Security.Test: 11 failures → 3 (the remaining 3 are pre-existing shared-mesh-cascade, unaffected by this change — my gate is provably equivalent for non-Sync users). 2. The new "Stop synchronization" node-menu item changed the default menu set; updated the Admin (12→13) and Editor expected-label sets in MenuAccessControlTest. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
77 commits of long-running work on
bug_fix— grouped by theme:MeshWeaver.Social+ LinkedIn publisher + scheduled publishing pipeline (engine/queue/stats), LinkedIn OAuth connect + past-post ingest in Memex portal, per-user linked-account menu items.#r "nuget:Pkg, Version"at the top of_Source/*.csresolves via public NuGet.Protocol without an SDK on the container. Same resolver serves interactive markdown code cells.FileSystemPersistenceService.MoveNodeAsyncruns per-descendantWriteAsync/DeleteAsyncthroughTask.WhenAll; newMeshOperationOptions(defaultTimeout = 30s) +WithMeshOperationTimeout(TimeSpan)override;HandleMoveNodeRequestchains.Timeout()on the persistence Observable so a stuck adapter can't hang the caller. Prod repro: DAV2026 subtree move that took 240 s and killed the MCP session — now bounded.CompilationCacheService,_Source/edit re-invalidates owning NodeType, cross-silo broadcast viaMeshChangeFeed, grain-dispose on node delete, live "Compiling … (Ns)" progress inLayoutAreaView.Category(falls back toNodeType), reactive Children catalog, self-as-default create location for non-NodeType nodes, sample orgs →Markdownfor search visibility.MeshChangeFeedevents, resubscribe on owner dispose,DeleteLayoutAreaemits a placeholder immediately and times out slow streams.IAsyncEnumerableaggregator fixes (satellite-safeGatherInputsAsync), xunit methodTimeout 30 s → 60 s, Anthropic Opus bump, icon generator, etc.New test suites (selected)
test/MeshWeaver.Persistence.Test/MoveNodeRecursiveTest.cs— 10 tests: recursion, parallelism, source missing / target exists / storage throws / cancellation (all must not hang), RxTimeout()contract, default-30s config.test/MeshWeaver.Social.Test/*—InMemoryPublishQueueTest,LinkedInPublisherEngagementTest,PostStatsRefresherTest,ScheduledPostPublisherTest,FakePublisher.test/MeshWeaver.Persistence.Test/WorkspaceCacheEvictionTest.cs,ResubscribeOnOwnerDisposeTest.cs,DeleteLayoutAreaIntegrationTest.cs.test/MeshWeaver.Markdown.Test/PathUtilsTest.cs,test/MeshWeaver.MathDemo.Test/MatrixViewsTest.cs.Contributors
dist/cleanup, fix: sample orgs invisible in search due to wrong NodeType #94 sample-org search-visibility fixUpstream already merged into this branch
refactor: reactive persistence — IMeshStorage writes return IObservable(merged)Test plan
dotnet buildsucceedsdotnet test test/MeshWeaver.Persistence.Test --filter MoveNodeRecursiveTest— 10/10 green (~8 s)dotnet test test/MeshWeaver.Hosting.Monolith.Test --filter MoveNodeAsync— 5/5 green (regression guard)dotnet test test/MeshWeaver.Social.Test— publish queue / scheduling / stats green_Source/*.csusing#r "nuget:MathNet.Numerics, 5.0.0"— compiles & renders (cold + warm cache)/social/connect/linkedin→ profile linked; menu shows connected accountScheduledPostPublisher→ LinkedIn publisher posts;PostStatsRefresherpulls stats🤖 Generated with Claude Code