Merge pull request #3 from abdebek/dev

feat(templates): tighten auth layering + docs/version alignment

Author: abdebek

.github/workflows/nuget.yml

@@ -5,10 +5,12 @@ on:
     tags:
       - 'v*'
     branches:
+      - dev
       - main
       - master
   pull_request:
     branches:
+      - dev
       - main
       - master
   workflow_dispatch:
@@ -93,100 +95,8 @@ jobs:
 
   validate-templates:
     needs: build-and-test
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        include:
-          - name: multi-default
-            args: "-n McaDefault"
-            project: "McaDefault"
-            buildPath: "McaDefault.sln"
-            buildTests: "false"
-          - name: multi-all-sql
-            args: "-n McaAllSql --all --db sqlserver"
-            project: "McaAllSql"
-            buildPath: "McaAllSql.sln"
-            buildTests: "true"
-          - name: single-default
-            args: "-n McaSingle --single-project"
-            project: "McaSingle"
-            buildPath: "McaSingle.csproj"
-            buildTests: "false"
-          - name: single-all-pg
-            args: "-n McaSingleAllPg --single-project --all --db postgres"
-            project: "McaSingleAllPg"
-            buildPath: "McaSingleAllPg.csproj"
-            buildTests: "true"
-          - name: multi-tests-pg
-            args: "-n McaTestsPg --tests --db postgres"
-            project: "McaTestsPg"
-            buildPath: "McaTestsPg.sln"
-            buildTests: "true"
-
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-
-    - name: Setup .NET 10.0
-      uses: actions/setup-dotnet@v4
-      with:
-        dotnet-version: '10.0.x'
-
-    - name: Pack libraries for local validation
-      run: |
-        mkdir -p ./local-packages
-        dotnet pack src/MinimalCleanArch/MinimalCleanArch.csproj -c Release -o ./local-packages
-        dotnet pack src/MinimalCleanArch.DataAccess/MinimalCleanArch.DataAccess.csproj -c Release -o ./local-packages
-        dotnet pack src/MinimalCleanArch.Extensions/MinimalCleanArch.Extensions.csproj -c Release -o ./local-packages
-        dotnet pack src/MinimalCleanArch.Validation/MinimalCleanArch.Validation.csproj -c Release -o ./local-packages
-        dotnet pack src/MinimalCleanArch.Security/MinimalCleanArch.Security.csproj -c Release -o ./local-packages
-        dotnet pack src/MinimalCleanArch.Messaging/MinimalCleanArch.Messaging.csproj -c Release -o ./local-packages
-        dotnet pack src/MinimalCleanArch.Audit/MinimalCleanArch.Audit.csproj -c Release -o ./local-packages
-
-    - name: Resolve MCA package version
-      id: mca-version
-      shell: bash
-      run: |
-        version=$(grep -o '<PackageVersion>[^<]*</PackageVersion>' src/Directory.Build.props | sed 's/<[^>]*>//g')
-        echo "version=$version" >> "$GITHUB_OUTPUT"
-        echo "MCA package version: $version"
-
-    - name: Configure Local NuGet Source
-      run: |
-        dotnet nuget add source ${{ github.workspace }}/local-packages -n LocalCI
-
-    - name: Install template from repo
-      run: dotnet new install templates/mca --force
-
-    - name: Scaffold and build ${{ matrix.name }}
-      shell: bash
-      run: |
-        set -euo pipefail
-        ROOT="$(mktemp -d)"
-        SCENARIO_DIR="$ROOT/${{ matrix.name }}"
-        mkdir -p "$SCENARIO_DIR"
-        pushd "$SCENARIO_DIR"
-
-        echo "Scaffolding: dotnet new mca ${{ matrix.args }}"
-        dotnet new mca ${{ matrix.args }} --mcaVersion "${{ steps.mca-version.outputs.version }}"
-
-        PROJECT_ROOT="$SCENARIO_DIR/${{ matrix.project }}"
-        pushd "$PROJECT_ROOT"
-
-        echo "Restoring..."
-        dotnet restore
-
-        echo "Building ${{ matrix.buildPath }}..."
-        dotnet build ${{ matrix.buildPath }} --configuration Release --nologo
-
-        if [ "${{ matrix.buildTests }}" = "true" ] && [ -d tests ]; then
-          echo "Building tests..."
-          find tests -name "*.csproj" -print0 | xargs -0 -I{} dotnet build "{}" --configuration Release --nologo
-        fi
-
-        popd
-        popd
-        echo "Artifacts at $SCENARIO_DIR"
+    uses: ./.github/workflows/validate-templates.yml
+    secrets: inherit
 
   pack:
     needs: [build-and-test, validate-templates]
@@ -346,7 +256,7 @@ jobs:
         if-no-files-found: ignore
 
   publish:
-    needs: pack
+    needs: [pack, security-scan]
     runs-on: ubuntu-latest
     if: |
       (startsWith(github.ref, 'refs/tags/v') || github.event.inputs.publish == 'true') && 
@@ -508,7 +418,7 @@ jobs:
 
   security-scan:
     runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
+    if: startsWith(github.ref, 'refs/tags/v') || github.event.inputs.publish == 'true'
 
     steps:
     - name: Checkout code

.github/workflows/validate-templates.yml

@@ -1,12 +1,8 @@
 name: Validate Templates
 
 on:
+  workflow_call:
   workflow_dispatch:
-  pull_request:
-    paths:
-      - "templates/**"
-      - ".github/workflows/validate-templates.yml"
-      - "temp/**"
 
 jobs:
   validate:

README.md

@@ -48,6 +48,7 @@ Use the auth walkthrough in [`templates/README.md`](templates/README.md).
 
 ## Documentation Map
 - Templates: [`templates/README.md`](templates/README.md)
+- Generated app architecture: [`templates/README.md#architecture-overview`](templates/README.md#architecture-overview)
 - Sample app: [`samples/MinimalCleanArch.Sample/README.md`](samples/MinimalCleanArch.Sample/README.md)
 - Core: [`src/MinimalCleanArch/README.md`](src/MinimalCleanArch/README.md)
 - DataAccess: [`src/MinimalCleanArch.DataAccess/README.md`](src/MinimalCleanArch.DataAccess/README.md)

templates/README.md

@@ -244,6 +244,32 @@ MyApp/
 |- Endpoints/
 ```
 
+## Architecture Overview
+
+Generated apps follow Clean Architecture with DDD-style domain modeling and CQRS-style handlers.
+
+### Layer Responsibilities
+
+- `Domain`: entities, value objects, domain events, repository contracts, core rules. No infrastructure dependencies.
+- `Application`: commands/queries, handlers, and orchestration of use-cases using domain contracts.
+- `Infrastructure`: EF Core, Identity/OpenIddict wiring, email providers, repository implementations, external integrations.
+- `Api` (multi-project) or `Endpoints` + `Program.cs` (single-project): HTTP transport, endpoint mapping, auth policies, middleware.
+
+### Dependency Direction
+
+- `Domain` depends on nothing else.
+- `Application` depends on `Domain`.
+- `Infrastructure` depends on `Application` and `Domain`.
+- `Api` depends on all required layers and composes the app at startup.
+
+### Typical Request Flow
+
+1. Endpoint receives HTTP request and maps payload to command/query.
+2. Application handler executes use-case through domain contracts/repositories.
+3. Domain entities enforce invariants and may raise domain events.
+4. Infrastructure persists state and publishes/handles events.
+5. Result is mapped to consistent HTTP responses/ProblemDetails.
+
 ## Auth and Security Notes
 
 - `--auth` automatically enables `--security`.

templates/mca/.template.config/template.json

@@ -128,7 +128,7 @@
     "mcaVersion": {
       "type": "parameter",
       "datatype": "string",
-      "defaultValue": "0.1.13-preview",
+      "defaultValue": "0.1.14",
       "description": "MinimalCleanArch package version to reference",
       "replaces": "__MCA_VERSION__"
     },
@@ -278,7 +278,7 @@
       "modifiers": [
         { "condition": "(!UseMessaging)", "exclude": ["**/Events/**", "**/Handlers/*EventHandler.cs"] },
         { "condition": "(!UseValidation)", "exclude": ["**/Validation/**"] },
-        { "condition": "(!UseAuth)", "exclude": ["**/Identity/**", "**/Endpoints/*AuthEndpoints.cs", "**/Endpoints/OpenIddictEndpoints.cs", "**/Endpoints/OAuthEndpoints.cs", "**/Configuration/IdentityServiceExtensions.cs", "**/Configuration/OpenIddict*.cs", "**/Configuration/ConfigureOpenIddictServerOptions.cs", "**/Configuration/CertificateLoader.cs", "**/Configuration/EmailSettings.cs", "**/Services/CustomClaimsPrincipalFactory.cs", "**/Services/PkceService.cs", "**/Services/OpenIddictTokenService.cs", "**/Services/*Email*.cs", "**/Providers/AuthEmailTemplateProvider.cs", "**/Providers/EmailLayouts.cs", "**/Interfaces/ITokenService.cs", "**/Interfaces/IEmailService.cs", "**/Commands/Auth*.cs", "**/Handlers/*PasswordHandler.cs", "**/Handlers/*EmailHandler.cs", "**/Handlers/Register*Handler.cs", "**/Handlers/AuthEventHandler.cs", "**/Events/UserRegisteredEvent.cs", "**/Constants/Roles.cs", "**/Entities/ApplicationUser.cs"] },
+        { "condition": "(!UseAuth)", "exclude": ["**/Identity/**", "**/Endpoints/*AuthEndpoints.cs", "**/Endpoints/OpenIddictEndpoints.cs", "**/Endpoints/OAuthEndpoints.cs", "**/Configuration/IdentityServiceExtensions.cs", "**/Configuration/OpenIddict*.cs", "**/Configuration/ConfigureOpenIddictServerOptions.cs", "**/Configuration/CertificateLoader.cs", "**/Configuration/EmailSettings.cs", "**/Services/CustomClaimsPrincipalFactory.cs", "**/Services/PkceService.cs", "**/Services/OpenIddictTokenService.cs", "**/Services/*Email*.cs", "**/Services/*Auth*.cs", "**/Providers/AuthEmailTemplateProvider.cs", "**/Providers/EmailLayouts.cs", "**/Interfaces/ITokenService.cs", "**/Interfaces/IEmailService.cs", "**/Interfaces/I*Auth*.cs", "**/Commands/Auth*.cs", "**/Handlers/*Auth*Handler.cs", "**/Handlers/*PasswordHandler.cs", "**/Handlers/*EmailHandler.cs", "**/Handlers/Register*Handler.cs", "**/Events/UserRegisteredEvent.cs", "**/Constants/Roles.cs", "**/Entities/ApplicationUser.cs"] },
         { "exclude": ["**/bin/**", "**/obj/**", "**/Configuration/AuthSettings.cs"] }
       ]
     },
@@ -290,7 +290,7 @@
         { "condition": "(!UseDocker)", "exclude": ["Dockerfile", "docker-compose.yml", ".dockerignore"] },
         { "condition": "(!UseMessaging)", "exclude": ["**/Events/**", "**/Handlers/*EventHandler.cs"] },
         { "condition": "(!UseValidation)", "exclude": ["**/Validation/**"] },
-        { "condition": "(!UseAuth)", "exclude": ["**/Identity/**", "**/Endpoints/*AuthEndpoints.cs", "**/Endpoints/OpenIddictEndpoints.cs", "**/Endpoints/OAuthEndpoints.cs", "**/Configuration/IdentityServiceExtensions.cs", "**/Configuration/OpenIddict*.cs", "**/Configuration/ConfigureOpenIddictServerOptions.cs", "**/Configuration/CertificateLoader.cs", "**/Configuration/EmailSettings.cs", "**/Services/CustomClaimsPrincipalFactory.cs", "**/Services/PkceService.cs", "**/Services/OpenIddictTokenService.cs", "**/Services/*Email*.cs", "**/Providers/AuthEmailTemplateProvider.cs", "**/Providers/EmailLayouts.cs", "**/Interfaces/ITokenService.cs", "**/Interfaces/IEmailService.cs", "**/Commands/Auth*.cs", "**/Handlers/*PasswordHandler.cs", "**/Handlers/*EmailHandler.cs", "**/Handlers/Register*Handler.cs", "**/Handlers/AuthEventHandler.cs", "**/Events/UserRegisteredEvent.cs", "**/Constants/Roles.cs", "**/Entities/ApplicationUser.cs"] },
+        { "condition": "(!UseAuth)", "exclude": ["**/Identity/**", "**/Endpoints/*AuthEndpoints.cs", "**/Endpoints/OpenIddictEndpoints.cs", "**/Endpoints/OAuthEndpoints.cs", "**/Configuration/IdentityServiceExtensions.cs", "**/Configuration/OpenIddict*.cs", "**/Configuration/ConfigureOpenIddictServerOptions.cs", "**/Configuration/CertificateLoader.cs", "**/Configuration/EmailSettings.cs", "**/Services/CustomClaimsPrincipalFactory.cs", "**/Services/PkceService.cs", "**/Services/OpenIddictTokenService.cs", "**/Services/*Email*.cs", "**/Services/*Auth*.cs", "**/Providers/AuthEmailTemplateProvider.cs", "**/Providers/EmailLayouts.cs", "**/Interfaces/ITokenService.cs", "**/Interfaces/IEmailService.cs", "**/Interfaces/I*Auth*.cs", "**/Commands/Auth*.cs", "**/Handlers/*Auth*Handler.cs", "**/Handlers/*PasswordHandler.cs", "**/Handlers/*EmailHandler.cs", "**/Handlers/Register*Handler.cs", "**/Events/UserRegisteredEvent.cs", "**/Constants/Roles.cs", "**/Entities/ApplicationUser.cs"] },
         { "exclude": ["**/bin/**", "**/obj/**", "**/Configuration/AuthSettings.cs"] }
       ]
     }

templates/mca/multi/MCA.Api/Endpoints/AuthEndpoints.cs

@@ -1,8 +1,6 @@
 #if (UseAuth)
 using MCA.Application.Commands;
 using MCA.Application.Handlers;
-using MCA.Domain.Entities;
-using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using MinimalCleanArch.Domain.Common;
 using System.Security.Claims;
@@ -161,32 +159,32 @@ public static void MapAuthEndpoints(this IEndpointRouteBuilder app, bool isDevel
 
         // SSR login — signs in via cookie for the authorization code flow
         auth.MapPost("/login", async (
-            HttpContext httpContext,
             [FromBody] LoginRequest request,
-            [FromServices] SignInManager<ApplicationUser> signInManager,
-            [FromServices] UserManager<ApplicationUser> userManager) =>
+#if (UseMessaging)
+            IMessageBus bus,
+            CancellationToken cancellationToken) =>
+#else
+            [FromServices] AuthLoginHandler handler,
+            CancellationToken cancellationToken) =>
+#endif
         {
-            var user = await userManager.FindByEmailAsync(request.Email)
-                ?? await userManager.FindByNameAsync(request.Email);
-
-            if (user == null)
-                return Results.Unauthorized();
-
-            var result = await signInManager.CheckPasswordSignInAsync(user, request.Password, lockoutOnFailure: true);
+            var command = new AuthLoginCommand(request.Email, request.Password, request.ReturnUrl);
+#if (UseMessaging)
+            var result = await bus.InvokeAsync<Result<AuthLoginResult>>(command, cancellationToken);
+#else
+            var result = await handler.Handle(command, cancellationToken);
+#endif
+            if (result.IsSuccess)
+            {
+                return string.IsNullOrWhiteSpace(result.Value.RedirectUrl)
+                    ? Results.Ok(new { message = "Signed in" })
+                    : Results.Ok(new { message = "Signed in", redirectUrl = result.Value.RedirectUrl });
+            }
 
-            if (result.IsLockedOut)
+            if (result.Error.Code == "LOCKED_OUT")
                 return Results.Problem("Account is locked out.", statusCode: 423);
 
-            if (!result.Succeeded)
-                return Results.Unauthorized();
-
-            await signInManager.SignInAsync(user, isPersistent: false);
-
-            var returnUrl = request.ReturnUrl;
-            if (!string.IsNullOrEmpty(returnUrl) && Uri.IsWellFormedUriString(returnUrl, UriKind.Relative))
-                return Results.Ok(new { message = "Signed in", redirectUrl = returnUrl });
-
-            return Results.Ok(new { message = "Signed in" });
+            return Results.Unauthorized();
         })
         .AllowAnonymous()
 #if (UseRateLimiting)
@@ -196,10 +194,19 @@ public static void MapAuthEndpoints(this IEndpointRouteBuilder app, bool isDevel
         .WithSummary("Sign in via cookie (for SSR/authorization code flow)");
 
         auth.MapPost("/logout", async (
-            HttpContext httpContext,
-            [FromServices] SignInManager<ApplicationUser> signInManager) =>
+#if (UseMessaging)
+            IMessageBus bus,
+            CancellationToken cancellationToken) =>
+#else
+            [FromServices] AuthLogoutHandler handler,
+            CancellationToken cancellationToken) =>
+#endif
         {
-            await signInManager.SignOutAsync();
+#if (UseMessaging)
+            await bus.InvokeAsync<Result>(new AuthLogoutCommand(), cancellationToken);
+#else
+            await handler.Handle(new AuthLogoutCommand(), cancellationToken);
+#endif
             return Results.Ok(new { message = "Signed out" });
         })
         .AllowAnonymous()
@@ -238,36 +245,35 @@ public static void MapAuthEndpoints(this IEndpointRouteBuilder app, bool isDevel
             // SSR login form handler — POST /auth/login (development only)
             app.MapPost("/auth/login", async (
                 HttpContext context,
-                [FromServices] SignInManager<ApplicationUser> signInManager,
-                [FromServices] UserManager<ApplicationUser> userManager) =>
+#if (UseMessaging)
+                IMessageBus bus,
+                CancellationToken cancellationToken) =>
+#else
+                [FromServices] AuthLoginHandler handler,
+                CancellationToken cancellationToken) =>
+#endif
             {
                 var form = await context.Request.ReadFormAsync();
                 var email = form["email"].ToString();
                 var password = form["password"].ToString();
                 var returnUrl = form["returnUrl"].ToString();
 
-                var user = await userManager.FindByEmailAsync(email)
-                    ?? await userManager.FindByNameAsync(email);
-
-                if (user == null)
-                    return Results.Redirect(
-                        $"/auth/login?error=Invalid+credentials&returnUrl={Uri.EscapeDataString(returnUrl)}");
-
-                var result = await signInManager.CheckPasswordSignInAsync(user, password, lockoutOnFailure: true);
+                var command = new AuthLoginCommand(email, password, returnUrl);
+#if (UseMessaging)
+                var result = await bus.InvokeAsync<Result<AuthLoginResult>>(command, cancellationToken);
+#else
+                var result = await handler.Handle(command, cancellationToken);
+#endif
+                if (result.IsSuccess)
+                {
+                    return Results.Redirect(result.Value.RedirectUrl ?? "/");
+                }
 
-                if (result.IsLockedOut)
+                if (result.Error.Code == "LOCKED_OUT")
                     return Results.Redirect("/auth/login?error=Account+is+locked+out");
 
-                if (!result.Succeeded)
-                    return Results.Redirect(
-                        $"/auth/login?error=Invalid+credentials&returnUrl={Uri.EscapeDataString(returnUrl)}");
-
-                await signInManager.SignInAsync(user, isPersistent: false);
-
-                if (!string.IsNullOrEmpty(returnUrl) && Uri.IsWellFormedUriString(returnUrl, UriKind.Relative))
-                    return Results.Redirect(returnUrl);
-
-                return Results.Redirect("/");
+                return Results.Redirect(
+                    $"/auth/login?error=Invalid+credentials&returnUrl={Uri.EscapeDataString(returnUrl)}");
             })
             .AllowAnonymous()
 #if (UseRateLimiting)