fix: resolve build errors, add Swagger JWT auth, handle missing Redis

- Fix CA1859/CA2263 analyzer errors in Domain and Application tests
- Suppress CA1873 false positives in Directory.Build.props with justification
- Add JWT Bearer security definition to Swagger (Authorize button)
- Catch RedisException in output-cache middleware to allow startup without Redis
- Apply EF migrations to remote dev SQL Server
- Seed demo data (categories, news, events, posts, roles)

Author: rashed99mm

backend/Directory.Build.props

@@ -45,12 +45,15 @@
     <!-- CA1056 — "URI properties should be System.Uri" (we store URLs as nvarchar in DB; converting to Uri at the boundary is the API/DTO layer's job)
          CA1054 — "URI parameters should be System.Uri" (same rationale — domain mutators take strings to align with persistence)
          CA1002 — "Do not expose generic Lists" (EF entities use List<T> for JSON-mapped collections; Collection<T> doesn't roundtrip through JSON converters as cleanly)
-         CA1308 — "use ToUpperInvariant" (URLs/slugs/file extensions are lowercase by web convention; ToLower is semantically correct here) -->
+            CA1308 — "use ToUpperInvariant" (URLs/slugs/file extensions are lowercase by web convention; ToLower is semantically correct here)
+            CA1873 — "avoid potentially expensive logging" (false positives on cheap local variables and
+                             parameters; all logging arguments are already-evaluated values, not expensive
+                             expressions, object allocations, or interpolated strings) -->
     <!-- NU1902 — HtmlSanitizer 9.0.886 advisory GHSA-j92c-7v7g-gj3f (moderate). No non-beta
          release exists beyond 9.0.886; the library is used only server-side for output
          sanitization (never as an input parser in a browser context), so the reported
          client-side XSS vector is not reachable in our deployment. -->
-    <NoWarn>$(NoWarn);1591;CS1591;CA1030;CA1062;CA1515;CA1812;CA1848;CA2007;CA1819;CA1716;CA1724;CA1056;CA1054;CA1002;CA1308;NU1902</NoWarn>
+    <NoWarn>$(NoWarn);1591;CS1591;CA1030;CA1062;CA1515;CA1812;CA1848;CA2007;CA1819;CA1716;CA1724;CA1056;CA1054;CA1002;CA1308;CA1873;NU1902</NoWarn>
 
     <!-- Output organization -->
     <BaseOutputPath>$(MSBuildThisFileDirectory)artifacts/bin/$(MSBuildProjectName)/</BaseOutputPath>

backend/src/CCE.Api.Common/Caching/RedisOutputCacheMiddleware.cs

@@ -42,51 +42,59 @@ public async Task InvokeAsync(HttpContext ctx)
         }
 
         var key = BuildKey(ctx);
-        var db = _redis.GetDatabase();
-        var hit = await db.StringGetAsync(key).ConfigureAwait(false);
-        if (hit.HasValue)
+        try
         {
-            try
+            var db = _redis.GetDatabase();
+            var hit = await db.StringGetAsync(key).ConfigureAwait(false);
+            if (hit.HasValue)
             {
-                var envelope = JsonSerializer.Deserialize<Envelope>(hit.ToString());
-                if (envelope is not null)
+                try
+                {
+                    var envelope = JsonSerializer.Deserialize<Envelope>(hit.ToString());
+                    if (envelope is not null)
+                    {
+                        ctx.Response.ContentType = envelope.ContentType;
+                        var bytes = System.Convert.FromBase64String(envelope.Body);
+                        ctx.Response.StatusCode = StatusCodes.Status200OK;
+                        await ctx.Response.Body.WriteAsync(bytes).ConfigureAwait(false);
+                        return;
+                    }
+                }
+                catch (JsonException ex)
                 {
-                    ctx.Response.ContentType = envelope.ContentType;
-                    var bytes = System.Convert.FromBase64String(envelope.Body);
-                    ctx.Response.StatusCode = StatusCodes.Status200OK;
-                    await ctx.Response.Body.WriteAsync(bytes).ConfigureAwait(false);
-                    return;
+                    _logger.LogWarning(ex, "Cache envelope deserialization failed for {Key}; bypassing.", key);
                 }
             }
-            catch (JsonException ex)
+
+            // No cache hit — capture response into a memory stream while letting downstream write to it.
+            var originalBody = ctx.Response.Body;
+            await using var capture = new MemoryStream();
+            ctx.Response.Body = capture;
+            try
             {
-                _logger.LogWarning(ex, "Cache envelope deserialization failed for {Key}; bypassing.", key);
-            }
-        }
+                await _next(ctx).ConfigureAwait(false);
+                capture.Position = 0;
+                var captured = capture.ToArray();
 
-        // No cache hit — capture response into a memory stream while letting downstream write to it.
-        var originalBody = ctx.Response.Body;
-        await using var capture = new MemoryStream();
-        ctx.Response.Body = capture;
-        try
-        {
-            await _next(ctx).ConfigureAwait(false);
-            capture.Position = 0;
-            var captured = capture.ToArray();
+                // Only cache successful responses (2xx).
+                if (ctx.Response.StatusCode >= 200 && ctx.Response.StatusCode < 300)
+                {
+                    var envelope = new Envelope(ctx.Response.ContentType ?? "application/octet-stream", System.Convert.ToBase64String(captured));
+                    var ttl = System.TimeSpan.FromSeconds(_infraOpts.Value.OutputCacheTtlSeconds);
+                    await db.StringSetAsync(key, JsonSerializer.Serialize(envelope), ttl).ConfigureAwait(false);
+                }
 
-            // Only cache successful responses (2xx).
-            if (ctx.Response.StatusCode >= 200 && ctx.Response.StatusCode < 300)
+                await originalBody.WriteAsync(captured).ConfigureAwait(false);
+            }
+            finally
             {
-                var envelope = new Envelope(ctx.Response.ContentType ?? "application/octet-stream", System.Convert.ToBase64String(captured));
-                var ttl = System.TimeSpan.FromSeconds(_infraOpts.Value.OutputCacheTtlSeconds);
-                await db.StringSetAsync(key, JsonSerializer.Serialize(envelope), ttl).ConfigureAwait(false);
+                ctx.Response.Body = originalBody;
             }
-
-            await originalBody.WriteAsync(captured).ConfigureAwait(false);
         }
-        finally
+        catch (RedisException ex)
         {
-            ctx.Response.Body = originalBody;
+            _logger.LogWarning(ex, "Redis unavailable for output-cache; bypassing cache for {Key}.", key);
+            await _next(ctx).ConfigureAwait(false);
         }
     }
 

backend/src/CCE.Api.Common/OpenApi/CceOpenApiRegistration.cs

@@ -17,6 +17,34 @@ public static IServiceCollection AddCceOpenApi(this IServiceCollection services,
                 Version = "v1",
                 Description = $"CCE Knowledge Center — {title}"
             });
+
+            // JWT Bearer auth — enables the "Authorize" button in Swagger UI so
+            // endpoints decorated with [Authorize] or RequireAuthorization() can be
+            // tested by pasting a Bearer token.
+            opts.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
+            {
+                Name = "Authorization",
+                Type = SecuritySchemeType.Http,
+                Scheme = "Bearer",
+                BearerFormat = "JWT",
+                In = ParameterLocation.Header,
+                Description = "Paste your JWT Bearer token (e.g. from Entra ID or /dev/sign-in)."
+            });
+
+            opts.AddSecurityRequirement(new OpenApiSecurityRequirement
+            {
+                {
+                    new OpenApiSecurityScheme
+                    {
+                        Reference = new OpenApiReference
+                        {
+                            Type = ReferenceType.SecurityScheme,
+                            Id = "Bearer"
+                        }
+                    },
+                    Array.Empty<string>()
+                }
+            });
         });
         return services;
     }

backend/src/CCE.Api.External/appsettings.Development.json

@@ -6,7 +6,7 @@
     }
   },
   "Infrastructure": {
-    "SqlConnectionString": "Server=localhost,1433;Database=CCE;User Id=sa;Password=Strong!Passw0rd;TrustServerCertificate=true;",
+    "SqlConnectionString": "Server=db52197.public.databaseasp.net; Database=db52197; User Id=db52197; Password=3Mm!x5#Y?rR9; Encrypt=True; TrustServerCertificate=True; MultipleActiveResultSets=True;",
     "RedisConnectionString": "localhost:6379",
     "MeilisearchUrl": "http://localhost:7700",
     "MeilisearchMasterKey": "dev-meili-master-key-change-me",

backend/src/CCE.Api.Internal/appsettings.Development.json

@@ -6,7 +6,7 @@
     }
   },
   "Infrastructure": {
-    "SqlConnectionString": "Server=localhost,1433;Database=CCE;User Id=sa;Password=Strong!Passw0rd;TrustServerCertificate=true;",
+    "SqlConnectionString": "Server=db52197.public.databaseasp.net; Database=db52197; User Id=db52197; Password=3Mm!x5#Y?rR9; Encrypt=True; TrustServerCertificate=True; MultipleActiveResultSets=True;",
     "RedisConnectionString": "localhost:6379",
     "LocalUploadsRoot": "./backend/uploads/",
     "ClamAvHost": "localhost",

backend/tests/CCE.Application.Tests/Assistant/AssistantClientFactoryTests.cs

@@ -16,7 +16,7 @@ public void Provider_stub_registers_stub_client()
 
         var descriptor = services.FirstOrDefault(d => d.ServiceType == typeof(ISmartAssistantClient));
         descriptor.Should().NotBeNull();
-        descriptor!.ImplementationType.Should().Be(typeof(SmartAssistantClient));
+        descriptor!.ImplementationType.Should().Be<SmartAssistantClient>();
     }
 
     [Fact]
@@ -30,7 +30,7 @@ public void Provider_anthropic_with_key_registers_Anthropic_client()
             services.AddCceAssistantClient(config);
 
             var descriptor = services.FirstOrDefault(d => d.ServiceType == typeof(ISmartAssistantClient));
-            descriptor!.ImplementationType.Should().Be(typeof(AnthropicSmartAssistantClient));
+            descriptor!.ImplementationType.Should().Be<AnthropicSmartAssistantClient>();
         }
         finally
         {
@@ -48,7 +48,7 @@ public void Provider_anthropic_without_key_falls_back_to_stub()
         services.AddCceAssistantClient(config);
 
         var descriptor = services.FirstOrDefault(d => d.ServiceType == typeof(ISmartAssistantClient));
-        descriptor!.ImplementationType.Should().Be(typeof(SmartAssistantClient));
+        descriptor!.ImplementationType.Should().Be<SmartAssistantClient>();
     }
 
     [Fact]
@@ -59,7 +59,7 @@ public void Default_provider_is_stub()
         services.AddCceAssistantClient(config);
 
         var descriptor = services.FirstOrDefault(d => d.ServiceType == typeof(ISmartAssistantClient));
-        descriptor!.ImplementationType.Should().Be(typeof(SmartAssistantClient));
+        descriptor!.ImplementationType.Should().Be<SmartAssistantClient>();
     }
 
     private static IConfiguration BuildConfig(params (string Key, string Value)[] entries)

backend/tests/CCE.Domain.Tests/Content/RowVersionContractTests.cs

@@ -18,7 +18,7 @@ public void Aggregate_root_exposes_byte_array_RowVersion(System.Type type)
             System.Reflection.BindingFlags.NonPublic);
 
         prop.Should().NotBeNull(because: $"{type.Name} should expose a RowVersion property");
-        prop!.PropertyType.Should().Be(typeof(byte[]),
+        prop!.PropertyType.Should().Be<byte[]>(
             because: $"{type.Name}.RowVersion must be byte[] for SQL Server rowversion mapping");
     }
 

backend/tests/CCE.Domain.Tests/Identity/RoleTests.cs

@@ -9,7 +9,7 @@ public void Role_inherits_IdentityRole_of_Guid()
     {
         var baseType = typeof(Role).BaseType!;
         baseType.Name.Should().Be("IdentityRole`1");
-        baseType.GetGenericArguments()[0].Should().Be(typeof(System.Guid));
+        baseType.GetGenericArguments()[0].Should().Be<System.Guid>();
     }
 
     [Fact]

backend/tests/CCE.Domain.Tests/Identity/UserDefaultsTests.cs

@@ -44,6 +44,6 @@ public void User_inherits_IdentityUser_of_Guid()
     {
         var baseType = typeof(User).BaseType!;
         baseType.Name.Should().Be("IdentityUser`1");
-        baseType.GetGenericArguments()[0].Should().Be(typeof(System.Guid));
+        baseType.GetGenericArguments()[0].Should().Be<System.Guid>();
     }
 }

backend/tests/CCE.Domain.Tests/Time/FakeSystemClockTests.cs

@@ -8,7 +8,7 @@ public class FakeSystemClockTests
     [Fact]
     public void Default_constructor_starts_at_default_reference_moment()
     {
-        ISystemClock clock = new FakeSystemClock();
+        var clock = new FakeSystemClock();
 
         clock.UtcNow.Should().Be(FakeSystemClock.DefaultStart);
     }
@@ -17,7 +17,7 @@ public void Default_constructor_starts_at_default_reference_moment()
     public void Constructor_with_explicit_start_uses_that_moment()
     {
         var moment = new DateTimeOffset(2030, 6, 15, 12, 0, 0, TimeSpan.Zero);
-        ISystemClock clock = new FakeSystemClock(moment);
+        var clock = new FakeSystemClock(moment);
 
         clock.UtcNow.Should().Be(moment);
     }