Backend cleanup: audit, Program.cs split, fix BondEntry AddLabel no-op#515
…no-op
- Add Cleanup.md audit of the backend layers
- Extract Program.cs DI wiring into AddApiOptions/AddApiSecurity/AddApiBackgroundServices extension methods (pure move, no behaviour change)
- Fix BondEntryRepository.AddLabel which fetched the entry/label but never attached the label; make it idempotent to match CurrencyEntryRepository
- Add unit tests covering BondEntryRepository.AddLabel

Claude-Session: https://claude.ai/code/session_012EXPZbnNNfCTpZc9xJfmP9
Walkthrough

This PR extracts API dependency-injection wiring (options binding, JWT/CORS/forwarded-header security, and background services) from Program.cs into a new ApiConfigurationExtensions class, and makes BondEntryRepository.AddLabel idempotent, adding corresponding unit tests.

Changes

- API startup configuration extraction. Estimated code review effort: 4 (Complex) | ~60 minutes
- Bond entry label idempotency. Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client
    participant Program
    participant AddApiSecurity
    participant IGuestSessionStore
    Client->>Program: Request with access_token
    Program->>AddApiSecurity: OnMessageReceived (extract token from query)
    AddApiSecurity->>AddApiSecurity: OnTokenValidated
    AddApiSecurity->>IGuestSessionStore: IsActive(guest claim)
    IGuestSessionStore-->>AddApiSecurity: active/inactive
    AddApiSecurity-->>Program: succeed or fail token
```
Pre-merge checks: ✅ 4 passed | ❌ 1 failed (1 warning)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@code/FinanceManager.Api/ApiConfigurationExtensions.cs`:
- Around line 204-221: Reject malformed reverse-proxy settings during startup:
in ApiConfigurationExtensions.ConfigureForwardedHeaders, the current
IPAddress.TryParse and IPNetwork.TryParse loops silently ignore bad entries, so
change them to validate every value and throw an InvalidOperationException when
any proxy IP or CIDR is invalid. Keep the existing startup guard for missing
configuration, and ensure the failure happens before ForwardedHeadersOptions is
finalized so invalid ReverseProxy:KnownProxies/ReverseProxy:KnownNetworks values
cannot be partially applied.
- Around line 147-156: In ApiConfigurationExtensions, the JWT setup currently
reads issuer and audience directly from configuration without validating them
first. Add an early startup check in the JWT configuration path to ensure both
JwtConfig:Issuer and JwtConfig:Audience are present and non-empty before
building TokenValidationParameters, and then use those validated local values
for ValidIssuer and ValidAudience so authentication fails fast instead of later
on every request. Refer to the JWT auth configuration block and
TokenValidationParameters setup to locate the change.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 2abe51c6-b3b8-42f9-a9ce-b3654a8e454d
⛔ Files ignored due to path filters (1)
- Cleanup.md is excluded by !**/*.md
📒 Files selected for processing (4)
- code/FinanceManager.Api/ApiConfigurationExtensions.cs
- code/FinanceManager.Api/Program.cs
- code/FinanceManager.Infrastructure/Repositories/Account/Entry/BondEntryRepository.cs
- code/FinanceManager.Tests.Unit/Infrastructure/Repositories/BondEntryRepositoryLabelTests.cs
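Both review comments above ask for the same thing: validate configuration once at startup and throw `InvalidOperationException` instead of letting a bad value surface later as a rejected token or a silently ignored proxy. The block below is an added example of that pattern, not code from the PR or the FinanceManager project. It keeps the configuration key names the review mentions (`JwtConfig:Issuer`, `JwtConfig:Audience`, `ReverseProxy:KnownProxies`, `ReverseProxy:KnownNetworks`) but the class and method names, the array layout of the ReverseProxy keys, and the use of `System.Net.IPNetwork` (.NET 8+) are assumptions; the only package it needs is `Microsoft.Extensions.Configuration` for the in-memory configuration used as constructed sample input.

```csharp
// Added example (not the PR's code): fail-fast startup validation of the two
// configuration sections the review comments discuss. Assumes the
// Microsoft.Extensions.Configuration package (ConfigurationBuilder,
// AddInMemoryCollection) and System.Net.IPNetwork from .NET 8+. Key names match
// the PR; class, method and record names are this example's own.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using Microsoft.Extensions.Configuration;

public sealed record JwtSettings(string Issuer, string Audience);

public sealed record ReverseProxySettings(IReadOnlyList<IPAddress> KnownProxies,
                                          IReadOnlyList<IPNetwork> KnownNetworks);

public static class StartupValidation
{
    // A missing issuer or audience would otherwise make every token fail validation
    // at request time, which is far harder to diagnose than a startup exception.
    public static JwtSettings ReadJwtSettings(IConfiguration configuration)
    {
        var section = configuration.GetSection("JwtConfig");
        var issuer = section["Issuer"];
        var audience = section["Audience"];

        if (string.IsNullOrWhiteSpace(issuer))
            throw new InvalidOperationException("JwtConfig:Issuer is missing or empty.");
        if (string.IsNullOrWhiteSpace(audience))
            throw new InvalidOperationException("JwtConfig:Audience is missing or empty.");

        return new JwtSettings(issuer, audience);
    }

    // Every entry must parse. Skipping a malformed address would leave that proxy
    // untrusted, so its X-Forwarded-* headers would be ignored and client IPs or
    // schemes would look wrong without any error pointing at the configuration.
    public static ReverseProxySettings ReadReverseProxySettings(IConfiguration configuration)
    {
        var section = configuration.GetSection("ReverseProxy");
        // Array keys (ReverseProxy:KnownProxies:0, :1, ...) are an assumption of this demo.
        var proxyValues = section.GetSection("KnownProxies").GetChildren()
                                 .Select(c => c.Value ?? string.Empty).ToList();
        var networkValues = section.GetSection("KnownNetworks").GetChildren()
                                   .Select(c => c.Value ?? string.Empty).ToList();

        if (proxyValues.Count == 0 && networkValues.Count == 0)
            throw new InvalidOperationException(
                "ReverseProxy:KnownProxies or ReverseProxy:KnownNetworks must be configured.");

        var proxies = new List<IPAddress>();
        foreach (var value in proxyValues)
        {
            if (!IPAddress.TryParse(value, out var address))
                throw new InvalidOperationException(
                    $"ReverseProxy:KnownProxies contains an invalid IP address: '{value}'.");
            proxies.Add(address);
        }

        var networks = new List<IPNetwork>();
        foreach (var value in networkValues)
        {
            if (!IPNetwork.TryParse(value, out var network))
                throw new InvalidOperationException(
                    $"ReverseProxy:KnownNetworks contains an invalid CIDR: '{value}'.");
            networks.Add(network);
        }

        return new ReverseProxySettings(proxies, networks);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample configuration with valid values.
        var good = new ConfigurationBuilder().AddInMemoryCollection(new Dictionary<string, string?>
        {
            ["JwtConfig:Issuer"] = "https://auth.example.test",
            ["JwtConfig:Audience"] = "finance-api",
            ["ReverseProxy:KnownProxies:0"] = "10.0.0.5",
            ["ReverseProxy:KnownNetworks:0"] = "10.0.0.0/8",
        }).Build();

        var jwt = StartupValidation.ReadJwtSettings(good);
        var proxy = StartupValidation.ReadReverseProxySettings(good);
        Console.WriteLine($"JWT ok: issuer={jwt.Issuer}, audience={jwt.Audience}");
        Console.WriteLine($"Proxies ok: {proxy.KnownProxies.Count} address(es), {proxy.KnownNetworks.Count} network(s)");

        // Same shape with one malformed CIDR (/33 on IPv4): startup refuses to continue.
        var bad = new ConfigurationBuilder().AddInMemoryCollection(new Dictionary<string, string?>
        {
            ["JwtConfig:Issuer"] = "https://auth.example.test",
            ["JwtConfig:Audience"] = "finance-api",
            ["ReverseProxy:KnownNetworks:0"] = "10.0.0.0/33",
        }).Build();

        try
        {
            StartupValidation.ReadReverseProxySettings(bad);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine($"Rejected at startup: {ex.Message}");
        }
    }
}
```

The validated values are returned as records so the caller copies them into `TokenValidationParameters.ValidIssuer`/`ValidAudience` and into `ForwardedHeadersOptions.KnownProxies`/`KnownNetworks` (the latter takes the `Microsoft.AspNetCore.HttpOverrides` network type on .NET 8, so a conversion is needed there); what matters for the review point is that no `ForwardedHeadersOptions` is built until every entry has parsed.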
- Pin transitive Microsoft.OpenApi to 2.7.5 (patches GHSA-v5pm-xwqc-g5wc, High) via central version + direct reference in the Api project, since central transitive pinning is disabled. Clears the security-scan CI job.
- Fail fast at startup when JwtConfig:Issuer/Audience are missing, instead of rejecting every token at request time (addresses review feedback).
- Reject malformed ReverseProxy:KnownProxies/KnownNetworks entries at startup instead of silently dropping them (addresses review feedback).

Claude-Session: https://claude.ai/code/session_012EXPZbnNNfCTpZc9xJfmP9
Summary

Backend cleanup pass. Audited the four backend layers (Api, Application, Domain, Infrastructure) and recorded the findings in a new Cleanup.md, then executed the safe, high-value items.

The audit found the backend generally healthy: clean-architecture boundaries are respected (Domain has no EF/ASP.NET refs; the AppDbContext/EF mentions in Application are only in comments), controllers stay thin, and naming conventions are consistent. Findings were mostly about size/complexity plus one latent bug.

Changes

- Cleanup.md — full audit with a task list (done items + recommended follow-ups).
- Program.cs split — extracted the inline DI wiring into cohesive extension methods in ApiConfigurationExtensions.cs: AddApiOptions, AddApiSecurity, AddApiBackgroundServices. Pure move, no behaviour change; Program.cs shrinks ~200 lines and reads as a high-level outline. Logging filters stay on builder.Logging where they belong.
- BondEntryRepository.AddLabel no-op — it fetched the entry and label but never attached the label before SaveChangesAsync (returned true doing nothing). Now attaches the label and is idempotent, matching CurrencyEntryRepository. Latent — no production call sites yet, so no user-visible change / no changelog entry.
- BondEntryRepositoryLabelTests (attach, idempotency, missing-label).

Follow-ups documented (not in this PR)

- ResolvedInstrumentPersister from InstrumentResolver (persistence/mapping vs. resolution).
- BondEntryRepository onto the existing set-based queries.

Validation

- dotnet build ./code/FinanceManager.slnx — clean (0 warnings).
- dotnet format --verify-no-changes — clean.
- No UI changes.
https://claude.ai/code/session_012EXPZbnNNfCTpZc9xJfmP9
Generated by Claude Code
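The AddLabel bug in the PR description is a classic fetch-then-forget no-op: both rows are loaded, `SaveChangesAsync` runs on an unchanged change tracker, and the method reports success. The block below is an added example, not the project's repository code, showing that shape next to the idempotent fix so the difference is visible when run. The `BondEntry`/`Label` entity shapes, the `DemoDbContext`, the `BondEntryRepository` method names and the use of the `Microsoft.EntityFrameworkCore.InMemory` provider are all assumptions for this demo; the seed data is constructed.

```csharp
// Added example (not the PR's or the project's code): the AddLabel no-op beside
// the idempotent form. Entities, DbContext and the EF Core InMemory provider are
// assumptions; the real repository's types are not shown on this page.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

public sealed class Label
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public List<BondEntry> BondEntries { get; set; } = new();
}

public sealed class BondEntry
{
    public int Id { get; set; }
    public List<Label> Labels { get; set; } = new();   // many-to-many via EF's implicit join entity
}

public sealed class DemoDbContext : DbContext
{
    public DemoDbContext(DbContextOptions<DemoDbContext> options) : base(options) { }
    public DbSet<BondEntry> BondEntries => Set<BondEntry>();
    public DbSet<Label> Labels => Set<Label>();
}

public sealed class BondEntryRepository
{
    private readonly DemoDbContext _db;
    public BondEntryRepository(DemoDbContext db) => _db = db;

    // "Before" shape of the bug: both rows are loaded, SaveChangesAsync runs on an
    // unchanged tracker, and true is returned although nothing was persisted.
    public async Task<bool> AddLabelNoOpAsync(int entryId, int labelId)
    {
        var entry = await _db.BondEntries.Include(e => e.Labels)
                                         .FirstOrDefaultAsync(e => e.Id == entryId);
        var label = await _db.Labels.FirstOrDefaultAsync(l => l.Id == labelId);
        if (entry is null || label is null) return false;
        await _db.SaveChangesAsync();
        return true;
    }

    // Fixed shape: attach the label, but only when it is not already present, so a
    // repeated call neither duplicates the link nor trips a unique join-table key.
    public async Task<bool> AddLabelAsync(int entryId, int labelId)
    {
        var entry = await _db.BondEntries.Include(e => e.Labels)
                                         .FirstOrDefaultAsync(e => e.Id == entryId);
        var label = await _db.Labels.FirstOrDefaultAsync(l => l.Id == labelId);
        if (entry is null || label is null) return false;
        if (entry.Labels.All(l => l.Id != label.Id))
        {
            entry.Labels.Add(label);
            await _db.SaveChangesAsync();
        }
        return true;
    }
}

public static class Program
{
    private static Task<int> CountLabelsAsync(DemoDbContext db, int entryId) =>
        db.BondEntries.Where(e => e.Id == entryId).SelectMany(e => e.Labels).CountAsync();

    public static async Task Main()
    {
        var options = new DbContextOptionsBuilder<DemoDbContext>()
            .UseInMemoryDatabase("bond-entry-labels-demo")
            .Options;

        // Constructed seed data: one entry, one label, nothing attached yet.
        await using (var seed = new DemoDbContext(options))
        {
            seed.BondEntries.Add(new BondEntry { Id = 1 });
            seed.Labels.Add(new Label { Id = 10, Name = "government" });
            await seed.SaveChangesAsync();
        }

        await using var db = new DemoDbContext(options);
        var repo = new BondEntryRepository(db);

        var noOp = await repo.AddLabelNoOpAsync(1, 10);
        Console.WriteLine($"no-op returned {noOp}, labels attached: {await CountLabelsAsync(db, 1)}");

        var first = await repo.AddLabelAsync(1, 10);
        var second = await repo.AddLabelAsync(1, 10);   // idempotent: still one link
        var missing = await repo.AddLabelAsync(1, 99);  // unknown label id
        Console.WriteLine($"fixed: first {first}, second {second}, missing {missing}, " +
                          $"labels attached: {await CountLabelsAsync(db, 1)}");
    }
}
```

The first line of output shows the no-op reporting success with zero labels attached; the second shows one label after two calls and `false` for the unknown label, which are the three cases (attach, idempotency, missing-label) the PR's new unit tests cover.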