Tau.Acuvim

giteaadmin/Tau.Acuvim

Fork 0

Commit Graph

Author	SHA1	Message	Date
Diseri Pearson	e2cbb83397	Portal: Client Dashboard, Measurements page, Excel exports, Grafana auth, RLS A bundle of related portal work — picked up while ensuring per-customer isolation actually works end-to-end and replacing the placeholder Client landing page. Build green, full test suite 66/66. Frontend — Client surface - DashboardPage: replace placeholder with 4 KPI cards (kWh, current kW, active devices, estimated cost), 24h active-power ECharts mini-chart, per-device "today/range" table, and a date-range picker with shortcuts (Today / 7d / 30d / This month / Custom). 30s auto-refresh. - New Measurements page (/measurements, Client mode, any authenticated user) with multi-select device filter, full date range incl. an "All time" shortcut, server-paginated preview, and Excel export. - "Export to Excel" buttons on: Client Dashboard summary, Client Dashboard raw measurements, Admin fleet dashboard, Admin customer-detail Cost tab. - DashboardsPage sidebar items: let the menu item grow and reset line-height so the two-line title+description doesn't crush. Frontend — Admin / user mgmt - RestrictedAdmin role: admin who only sees their assigned customers. New UserFormDrawer choice + CustomerAccessModal for granting/revoking per-customer access; surfaced from the Users page. Backend - ClosedXML 0.104.2 + ExcelExportService (pure formatter; frozen header, currency/kWh/kW/date number formats, AdjustToContents). - DashboardSummaryService computes per-device totals + estimated cost (hourly bucketing × site's municipality's active tariff, mirroring FleetCostService for the Admin side). - New endpoints: GET /api/dashboard/summary[+/export.xlsx] GET /api/measurements/raw[+/export.xlsx] (deviceIds, paginated) GET /api/sites/devices (flat list w/ site name) GET /api/fleet/dashboard/export.xlsx GET /api/fleet/customers/{id}/cost/export.xlsx GET /api/auth/check (cookie-only liveness) - AdminCustomerAccess: per-user customer scoping for RestrictedAdmin via Postgres-row-level filter — RlsContext (per-DI-scope state) + CustomerFilterMiddleware (populates from claims after auth) + fleet.* DbSets gain HasQueryFilter expressions. Bootstrappers Elevate() to bypass the filter for trusted system code. - Migration: 20260518095759_AddAdminCustomerAccess (mapping table, composite PK on UserId+CustomerId). Infra / templating (the "spin it up via the template" piece) - docker-compose.prod.yml + docker-compose.yml: pass WhiteLabel__, Application__RunMode, FleetIngest__ through to the container as ${VAR:-default} substitutions. Previously these were silently dropped in prod — a customer's .env settings for branding/fleet-push never reached the running process. Latent bug, fixed. - docker-compose.prod.yml: forwardAuth middleware labels on the Grafana router pointing at /api/auth/check. Option (a) from the README's three prod-auth modes — every Grafana request now gates on a valid portal cookie. Anonymous stays off. - .env.example rewritten with a Client section, optional FleetIngest block, and an Admin variant block — annotated on what's required vs. optional and where the seed-only-on-first-boot caveat applies. - README "Grafana embedding" table: option (a) now marked active with an inline note on how to switch modes later. - OPERATIONS.md step 3 includes the white-label pre-brand .env snippet; step 4 (formerly "decide Grafana auth mode") updated to reflect that auth is wired by default. Tests - New BrandingSeedFromOptionsTests (5 tests) pins the env-var → IOptions → DB seed contract: first read seeds from options; subsequent reads return the DB row (UI edits survive restarts); EnsureSeededAsync is idempotent; UpdateAsync falls back to options for blanked fields. - CustomerTokenGraceTests helper: pass the new RlsContext to AdminDbContext (SetAll() so existing semantics hold). Verified end-to-end - Real Docker spin-up with WhiteLabel__* in a throwaway .env → /api/branding returned all six fields verbatim (ApplicationName, LogoUrl, three colors, FooterText). - curl login → /api/dashboard/summary returned valid JSON → /api/dashboard/summary/export.xlsx returned a 6.9 KB file the `file` command identifies as "Microsoft Excel 2007+". - /api/measurements/raw with and without deviceIds filter returned correct paginated rows; /export.xlsx with filter produced a valid 7.1 KB xlsx with the meter count in the filename. - Frontend tsc -b clean; backend dotnet build 0/0; xunit 66/66. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-19 09:15:44 +02:00
Diseri Pearson	3333202f3a	Dual-token rotation grace window (24h default) Token rotation used to be immediate cutover — push gap from when ops rotates to when the customer's .env is updated and portal restarted. Now the old token keeps working for 24h after rotation, so customer ops has a full workday to swap it in without dropping a single push tick. Backend - Customer entity gains PreviousTokenHash + PreviousTokenExpiresAt (both nullable). Non-unique index on PreviousTokenHash so the OR-lookup in FindByTokenAsync stays cheap. - CustomerService.RotateTokenAsync(id, graceWindow=null, ct): copies the existing TokenHash into PreviousTokenHash with PreviousTokenExpiresAt = now + graceWindow (default 24h, lifted to CustomerService.DefaultTokenGracePeriod), then issues a new current token. Second rotation overwrites the previous slot — at most one previous token is ever honoured. - CustomerService.FindByTokenAsync matches either current OR (previous AND PreviousTokenExpiresAt > now). IsActive=false still rejects both. - DTO exposes PreviousTokenExpiresAt so the UI can render the grace window status. - New EF migration AddPreviousTokenGraceWindow on AdminDbContext. Frontend - Customers table "Token" column shows an "Old token valid until …" orange tag with a tooltip whenever the grace window is active, plus the issue/rotation date as before. - TokenShownOnceModal mentions the 24h grace window so ops knows they have time to update .env without urgency. - Rotate-token popconfirm copy updated to reflect the new behavior. Tests (+5, 61/61 passing) - CustomerTokenGraceTests covers: create doesn't set previous; rotate moves current into previous slot with future expiry; zero grace window rejects original immediately; second rotation overwrites previous (original dies, first-rotation becomes the new previous); inactive customer rejects both current AND previous. Verified end-to-end on the dev host - Migration applied cleanly on the existing admin_fleet DB (existing DEV0001 customer got NULL previous columns, no data loss). - Created GRACE01 → got token1. - Rotated → got token2. PreviousTokenExpiresAt = +24h. Both token1 and token2 push successfully (200). - Rotated again → got token3. token1 push now returns 401 (gone). token2 push still 200 (now the previous). token3 push 200 (current). Docs - FLEET-DESIGN.md §6 rewritten — no longer "immediate cutover". - §11 "open seams" row for this feature marked as shipped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 10:45:31 +02:00

Author

SHA1

Message

Date

Diseri Pearson

e2cbb83397

Portal: Client Dashboard, Measurements page, Excel exports, Grafana auth, RLS

A bundle of related portal work — picked up while ensuring per-customer
isolation actually works end-to-end and replacing the placeholder Client
landing page. Build green, full test suite 66/66.

Frontend — Client surface
- DashboardPage: replace placeholder with 4 KPI cards (kWh, current kW,
  active devices, estimated cost), 24h active-power ECharts mini-chart,
  per-device "today/range" table, and a date-range picker with shortcuts
  (Today / 7d / 30d / This month / Custom). 30s auto-refresh.
- New Measurements page (/measurements, Client mode, any authenticated
  user) with multi-select device filter, full date range incl. an
  "All time" shortcut, server-paginated preview, and Excel export.
- "Export to Excel" buttons on: Client Dashboard summary, Client Dashboard
  raw measurements, Admin fleet dashboard, Admin customer-detail Cost tab.
- DashboardsPage sidebar items: let the menu item grow and reset
  line-height so the two-line title+description doesn't crush.

Frontend — Admin / user mgmt
- RestrictedAdmin role: admin who only sees their assigned customers.
  New UserFormDrawer choice + CustomerAccessModal for granting/revoking
  per-customer access; surfaced from the Users page.

Backend
- ClosedXML 0.104.2 + ExcelExportService (pure formatter; frozen header,
  currency/kWh/kW/date number formats, AdjustToContents).
- DashboardSummaryService computes per-device totals + estimated cost
  (hourly bucketing × site's municipality's active tariff, mirroring
  FleetCostService for the Admin side).
- New endpoints:
    GET  /api/dashboard/summary[+/export.xlsx]
    GET  /api/measurements/raw[+/export.xlsx]   (deviceIds, paginated)
    GET  /api/sites/devices                     (flat list w/ site name)
    GET  /api/fleet/dashboard/export.xlsx
    GET  /api/fleet/customers/{id}/cost/export.xlsx
    GET  /api/auth/check                        (cookie-only liveness)
- AdminCustomerAccess: per-user customer scoping for RestrictedAdmin via
  Postgres-row-level filter — RlsContext (per-DI-scope state) +
  CustomerFilterMiddleware (populates from claims after auth) +
  fleet.* DbSets gain HasQueryFilter expressions. Bootstrappers
  Elevate() to bypass the filter for trusted system code.
- Migration: 20260518095759_AddAdminCustomerAccess (mapping table,
  composite PK on UserId+CustomerId).

Infra / templating (the "spin it up via the template" piece)
- docker-compose.prod.yml + docker-compose.yml: pass WhiteLabel__*,
  Application__RunMode, FleetIngest__* through to the container as
  ${VAR:-default} substitutions. Previously these were silently dropped
  in prod — a customer's .env settings for branding/fleet-push never
  reached the running process. Latent bug, fixed.
- docker-compose.prod.yml: forwardAuth middleware labels on the
  Grafana router pointing at /api/auth/check. Option (a) from the
  README's three prod-auth modes — every Grafana request now gates on
  a valid portal cookie. Anonymous stays off.
- .env.example rewritten with a Client section, optional FleetIngest
  block, and an Admin variant block — annotated on what's required vs.
  optional and where the seed-only-on-first-boot caveat applies.
- README "Grafana embedding" table: option (a) now marked active with
  an inline note on how to switch modes later.
- OPERATIONS.md step 3 includes the white-label pre-brand .env snippet;
  step 4 (formerly "decide Grafana auth mode") updated to reflect
  that auth is wired by default.

Tests
- New BrandingSeedFromOptionsTests (5 tests) pins the env-var → IOptions
  → DB seed contract: first read seeds from options; subsequent reads
  return the DB row (UI edits survive restarts); EnsureSeededAsync is
  idempotent; UpdateAsync falls back to options for blanked fields.
- CustomerTokenGraceTests helper: pass the new RlsContext to
  AdminDbContext (SetAll() so existing semantics hold).

Verified end-to-end
- Real Docker spin-up with WhiteLabel__* in a throwaway .env →
  /api/branding returned all six fields verbatim (ApplicationName,
  LogoUrl, three colors, FooterText).
- curl login → /api/dashboard/summary returned valid JSON →
  /api/dashboard/summary/export.xlsx returned a 6.9 KB file the
  `file` command identifies as "Microsoft Excel 2007+".
- /api/measurements/raw with and without deviceIds filter returned
  correct paginated rows; /export.xlsx with filter produced a valid
  7.1 KB xlsx with the meter count in the filename.
- Frontend tsc -b clean; backend dotnet build 0/0; xunit 66/66.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-19 09:15:44 +02:00

Diseri Pearson

3333202f3a

Dual-token rotation grace window (24h default)

Token rotation used to be immediate cutover — push gap from when
ops rotates to when the customer's .env is updated and portal
restarted. Now the old token keeps working for 24h after rotation,
so customer ops has a full workday to swap it in without dropping a
single push tick.

Backend
- Customer entity gains PreviousTokenHash + PreviousTokenExpiresAt
  (both nullable). Non-unique index on PreviousTokenHash so the
  OR-lookup in FindByTokenAsync stays cheap.
- CustomerService.RotateTokenAsync(id, graceWindow=null, ct):
  copies the existing TokenHash into PreviousTokenHash with
  PreviousTokenExpiresAt = now + graceWindow (default 24h, lifted
  to CustomerService.DefaultTokenGracePeriod), then issues a new
  current token. Second rotation overwrites the previous slot —
  at most one previous token is ever honoured.
- CustomerService.FindByTokenAsync matches either current OR
  (previous AND PreviousTokenExpiresAt > now). IsActive=false
  still rejects both.
- DTO exposes PreviousTokenExpiresAt so the UI can render the
  grace window status.
- New EF migration AddPreviousTokenGraceWindow on AdminDbContext.

Frontend
- Customers table "Token" column shows an "Old token valid until …"
  orange tag with a tooltip whenever the grace window is active,
  plus the issue/rotation date as before.
- TokenShownOnceModal mentions the 24h grace window so ops knows
  they have time to update .env without urgency.
- Rotate-token popconfirm copy updated to reflect the new behavior.

Tests (+5, 61/61 passing)
- CustomerTokenGraceTests covers: create doesn't set previous;
  rotate moves current into previous slot with future expiry;
  zero grace window rejects original immediately; second rotation
  overwrites previous (original dies, first-rotation becomes the
  new previous); inactive customer rejects both current AND previous.

Verified end-to-end on the dev host
- Migration applied cleanly on the existing admin_fleet DB (existing
  DEV0001 customer got NULL previous columns, no data loss).
- Created GRACE01 → got token1.
- Rotated → got token2. PreviousTokenExpiresAt = +24h. Both token1
  and token2 push successfully (200).
- Rotated again → got token3. token1 push now returns 401 (gone).
  token2 push still 200 (now the previous). token3 push 200 (current).

Docs
- FLEET-DESIGN.md §6 rewritten — no longer "immediate cutover".
- §11 "open seams" row for this feature marked as shipped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-18 10:45:31 +02:00

2 Commits