Merge origin/main into fix/perf-14-dbcontext-resilience

Resolve conflict in OptionsValidationTests.cs by keeping both
DatabaseSettings validation tests (feature branch) and
AuditRetentionSettings validation tests (main).

Author: Chris0Jeky

backend/src/Taskdeck.Api/Extensions/ApplicationServiceRegistration.cs

@@ -28,6 +28,7 @@ public static IServiceCollection AddApplicationServices(this IServiceCollection
         services.AddScoped<AuthenticationService>();
         services.AddScoped<AuthorizationService>();
         services.AddScoped<MfaService>();
+        services.AddSingleton<OAuthScopeValidator>();
         services.AddScoped<IAuthorizationService>(sp => sp.GetRequiredService<AuthorizationService>());
         services.AddScoped<UserService>();
         services.AddScoped<BoardAccessService>();

backend/src/Taskdeck.Api/Extensions/AuthenticationRegistration.cs

@@ -3,10 +3,13 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authentication.OAuth;
 using Microsoft.AspNetCore.Authentication.OAuth.Claims;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Http;
+using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.Tokens;
 using Polly;
 using Polly.Extensions.Http;
@@ -135,15 +138,69 @@ await context.Response.WriteAsJsonAsync(new ApiErrorResponse(
                 options.Scope.Add("read:user");
                 options.Scope.Add("user:email");
 
+                // Ensure any additional RequiredScopes from configuration are also
+                // requested from GitHub. Without this, configuring a required scope
+                // that isn't requested causes all logins to be rejected.
+                foreach (var scope in gitHubOAuthSettings.RequiredScopes ?? Enumerable.Empty<string>())
+                {
+                    if (!options.Scope.Contains(scope))
+                        options.Scope.Add(scope);
+                }
+                foreach (var scope in gitHubOAuthSettings.ExpectedScopes ?? Enumerable.Empty<string>())
+                {
+                    if (!options.Scope.Contains(scope))
+                        options.Scope.Add(scope);
+                }
+
                 options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
                 options.ClaimActions.MapJsonKey(ClaimTypes.Name, "login");
                 options.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
                 options.ClaimActions.MapJsonKey("urn:github:name", "name");
                 options.ClaimActions.MapJsonKey("urn:github:login", "login");
                 options.ClaimActions.MapJsonKey("urn:github:avatar", "avatar_url");
 
-                // OAuthHandler fetches UserInformationEndpoint automatically
-                // and applies ClaimActions — no custom OnCreatingTicket needed.
+                // Validate OAuth scopes after token exchange.
+                // GitHub returns the granted scopes in the token response body as "scope"
+                // (comma-separated). Reject authentication if required scopes are missing.
+                var scopeSettings = gitHubOAuthSettings;
+                options.Events = new OAuthEvents
+                {
+                    OnCreatingTicket = context =>
+                    {
+                        var scopeValidator = context.HttpContext.RequestServices
+                            .GetRequiredService<OAuthScopeValidator>();
+
+                        // GitHub returns granted scopes in the token response "scope" field.
+                        // The X-OAuth-Scopes header appears on API responses, but the token
+                        // response body is the authoritative source at auth time.
+                        var grantedScopesRaw = context.TokenResponse?.Response?.RootElement
+                            .TryGetProperty("scope", out var scopeElement) == true
+                            ? scopeElement.GetString()
+                            : null;
+
+                        var validationResult = scopeValidator.Validate(
+                            grantedScopesRaw,
+                            scopeSettings.RequiredScopes,
+                            scopeSettings.ExpectedScopes);
+
+                        if (!validationResult.IsValid)
+                        {
+                            var logger = context.HttpContext.RequestServices
+                                .GetRequiredService<ILoggerFactory>()
+                                .CreateLogger("Taskdeck.Api.OAuth.ScopeValidation");
+
+                            logger.LogError(
+                                "GitHub OAuth authentication rejected: missing required scopes. " +
+                                "Missing: [{MissingScopes}]. User must re-authorize with required permissions.",
+                                string.Join(", ", validationResult.MissingRequiredScopes));
+
+                            context.Fail(validationResult.ErrorMessage
+                                ?? "GitHub OAuth scope validation failed");
+                        }
+
+                        return Task.CompletedTask;
+                    }
+                };
 
                 // Circuit breaker for the OAuth backchannel (token exchange + user info).
                 if (circuitBreakerTracker is not null && circuitBreakerSettings is not null)

backend/src/Taskdeck.Api/Extensions/McpApplicationServiceRegistration.cs

@@ -0,0 +1,43 @@
+using Taskdeck.Application.Interfaces;
+using Taskdeck.Application.Services;
+
+namespace Taskdeck.Api.Extensions;
+
+/// <summary>
+/// Registers the minimal subset of Application services required by MCP
+/// resources and tools. Both MCP stdio and MCP HTTP standalone modes call
+/// this instead of the full <see cref="ApplicationServiceRegistration.AddApplicationServices"/>
+/// which includes web-only services (SignalR notifiers, workers, LLM providers, etc.).
+/// </summary>
+public static class McpApplicationServiceRegistration
+{
+    /// <summary>
+    /// Register the Application services that MCP resources and tools depend on.
+    /// Deliberately skips web-only services (SignalR notifiers, workers,
+    /// LLM providers, rate limiting, etc.) to keep the MCP host minimal.
+    /// </summary>
+    public static IServiceCollection AddMcpApplicationServices(this IServiceCollection services)
+    {
+        services.AddScoped<AuthorizationService>();
+        services.AddScoped<IAuthorizationService>(
+            sp => sp.GetRequiredService<AuthorizationService>());
+        services.AddScoped<BoardService>(sp =>
+            new BoardService(
+                sp.GetRequiredService<IUnitOfWork>(),
+                sp.GetRequiredService<IAuthorizationService>()));
+        services.AddScoped<ColumnService>();
+        services.AddScoped<CardService>();
+        services.AddScoped<LabelService>();
+        services.AddScoped<AutomationProposalService>();
+        services.AddScoped<IAutomationProposalService>(
+            sp => sp.GetRequiredService<AutomationProposalService>());
+        services.AddScoped<CaptureService>();
+        services.AddScoped<ICaptureService>(
+            sp => sp.GetRequiredService<CaptureService>());
+        services.AddScoped<NotificationService>();
+        services.AddScoped<INotificationService>(
+            sp => sp.GetRequiredService<NotificationService>());
+
+        return services;
+    }
+}

backend/src/Taskdeck.Api/Extensions/McpResourcesAndToolsRegistration.cs

@@ -0,0 +1,27 @@
+using ModelContextProtocol.AspNetCore;
+using ModelContextProtocol.Server;
+using Taskdeck.Api.Mcp;
+
+namespace Taskdeck.Api.Extensions;
+
+/// <summary>
+/// Registers the shared set of MCP resources and tools used by all three
+/// hosting modes (co-hosted web, standalone HTTP, and stdio).
+/// </summary>
+public static class McpResourcesAndToolsRegistration
+{
+    /// <summary>
+    /// Add MCP resources (Board, Capture, Proposal) and tools (Read, Write, Proposal)
+    /// to the given MCP server builder.
+    /// </summary>
+    public static IMcpServerBuilder AddMcpResourcesAndTools(this IMcpServerBuilder builder)
+    {
+        return builder
+            .WithResources<BoardResources>()
+            .WithResources<CaptureResources>()
+            .WithResources<ProposalResources>()
+            .WithTools<ReadTools>()
+            .WithTools<WriteTools>()
+            .WithTools<ProposalTools>();
+    }
+}

backend/src/Taskdeck.Api/Extensions/OptionsValidationRegistration.cs

@@ -40,6 +40,7 @@ public static IServiceCollection AddOptionsValidation(
         // ── Settings from WorkerRegistration ────────────────────────────────
 
         services.RegisterValidatedOptions<WorkerSettings>(configuration, "Workers");
+        services.RegisterValidatedOptions<AuditRetentionSettings>(configuration, "AuditRetention");
 
         // ── Settings from CorsRegistration (Cache is used in infrastructure) ─
 

backend/src/Taskdeck.Api/Extensions/WorkerRegistration.cs

@@ -39,10 +39,14 @@ public static IServiceCollection AddTaskdeckWorkers(
             };
         });
 
+        var auditRetentionSettings = configuration.GetSection("AuditRetention").Get<AuditRetentionSettings>() ?? new AuditRetentionSettings();
+        services.AddSingleton(auditRetentionSettings);
+
         services.AddSingleton<WorkerHeartbeatRegistry>();
         services.AddHostedService<LlmQueueToProposalWorker>();
         services.AddHostedService<ProposalHousekeepingWorker>();
         services.AddHostedService<OutboundWebhookDeliveryWorker>();
+        services.AddHostedService<AuditRetentionWorker>();
 
         return services;
     }

backend/src/Taskdeck.Api/Program.cs

@@ -69,26 +69,8 @@
         // Infrastructure (DbContext, Repositories, UoW)
         mcpHttpBuilder.Services.AddInfrastructure(mcpHttpBuilder.Configuration);
 
-        // Register Application services needed by MCP resources and tools.
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.AuthorizationService>();
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.IAuthorizationService>(
-            sp => sp.GetRequiredService<Taskdeck.Application.Services.AuthorizationService>());
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.BoardService>(sp =>
-            new Taskdeck.Application.Services.BoardService(
-                sp.GetRequiredService<IUnitOfWork>(),
-                sp.GetRequiredService<Taskdeck.Application.Services.IAuthorizationService>()));
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.ColumnService>();
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.CardService>();
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.LabelService>();
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.AutomationProposalService>();
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.IAutomationProposalService>(
-            sp => sp.GetRequiredService<Taskdeck.Application.Services.AutomationProposalService>());
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.CaptureService>();
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.ICaptureService>(
-            sp => sp.GetRequiredService<Taskdeck.Application.Services.CaptureService>());
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.NotificationService>();
-        mcpHttpBuilder.Services.AddScoped<Taskdeck.Application.Services.INotificationService>(
-            sp => sp.GetRequiredService<Taskdeck.Application.Services.NotificationService>());
+        // Application services needed by MCP resources and tools (shared with stdio mode).
+        mcpHttpBuilder.Services.AddMcpApplicationServices();
 
         // HTTP identity: maps API key to user via HttpUserContextProvider.
         mcpHttpBuilder.Services.AddHttpContextAccessor();
@@ -119,12 +101,7 @@
         // MCP server: HTTP transport + all resources and tools.
         mcpHttpBuilder.Services.AddMcpServer()
             .WithHttpTransport()
-            .WithResources<BoardResources>()
-            .WithResources<CaptureResources>()
-            .WithResources<ProposalResources>()
-            .WithTools<ReadTools>()
-            .WithTools<WriteTools>()
-            .WithTools<ProposalTools>();
+            .AddMcpResourcesAndTools();
 
         var mcpHttpApp = mcpHttpBuilder.Build();
 
@@ -189,28 +166,8 @@
             // Infrastructure (DbContext, Repositories, UoW)
             services.AddInfrastructure(ctx.Configuration);
 
-            // Register Application services needed by MCP resources and tools.
-            // We deliberately skip web-only services (SignalR notifiers, workers,
-            // LLM providers, rate limiting, etc.) to keep the MCP host minimal.
-            services.AddScoped<Taskdeck.Application.Services.AuthorizationService>();
-            services.AddScoped<Taskdeck.Application.Services.IAuthorizationService>(
-                sp => sp.GetRequiredService<Taskdeck.Application.Services.AuthorizationService>());
-            services.AddScoped<Taskdeck.Application.Services.BoardService>(sp =>
-                new Taskdeck.Application.Services.BoardService(
-                    sp.GetRequiredService<IUnitOfWork>(),
-                    sp.GetRequiredService<Taskdeck.Application.Services.IAuthorizationService>()));
-            services.AddScoped<Taskdeck.Application.Services.ColumnService>();
-            services.AddScoped<Taskdeck.Application.Services.CardService>();
-            services.AddScoped<Taskdeck.Application.Services.LabelService>();
-            services.AddScoped<Taskdeck.Application.Services.AutomationProposalService>();
-            services.AddScoped<Taskdeck.Application.Services.IAutomationProposalService>(
-                sp => sp.GetRequiredService<Taskdeck.Application.Services.AutomationProposalService>());
-            services.AddScoped<Taskdeck.Application.Services.CaptureService>();
-            services.AddScoped<Taskdeck.Application.Services.ICaptureService>(
-                sp => sp.GetRequiredService<Taskdeck.Application.Services.CaptureService>());
-            services.AddScoped<Taskdeck.Application.Services.NotificationService>();
-            services.AddScoped<Taskdeck.Application.Services.INotificationService>(
-                sp => sp.GetRequiredService<Taskdeck.Application.Services.NotificationService>());
+            // Application services needed by MCP resources and tools (shared with HTTP mode).
+            services.AddMcpApplicationServices();
 
             // Stdio identity: maps the OS process owner to the local default user.
             services.AddScoped<IUserContextProvider, StdioUserContextProvider>();
@@ -221,12 +178,7 @@
             // MCP server: stdio transport + all resources and tools.
             services.AddMcpServer()
                 .WithStdioServerTransport()
-                .WithResources<BoardResources>()
-                .WithResources<CaptureResources>()
-                .WithResources<ProposalResources>()
-                .WithTools<ReadTools>()
-                .WithTools<WriteTools>()
-                .WithTools<ProposalTools>();
+                .AddMcpResourcesAndTools();
         })
         .Build();
 
@@ -357,12 +309,7 @@
 builder.Services.AddMcpTelemetry();
 builder.Services.AddMcpServer()
     .WithHttpTransport()
-    .WithResources<BoardResources>()
-    .WithResources<CaptureResources>()
-    .WithResources<ProposalResources>()
-    .WithTools<ReadTools>()
-    .WithTools<WriteTools>()
-    .WithTools<ProposalTools>();
+    .AddMcpResourcesAndTools();
 
 // Add JWT Authentication (with optional GitHub OAuth and OIDC providers, circuit-breaker-protected backchannel)
 // CircuitBreakerStateTracker is already registered as a singleton by AddLlmProviders above.

backend/src/Taskdeck.Api/Workers/AuditRetentionWorker.cs

@@ -0,0 +1,96 @@
+using Taskdeck.Application.Interfaces;
+using Taskdeck.Application.Services;
+using Taskdeck.Api.Telemetry;
+
+namespace Taskdeck.Api.Workers;
+
+/// <summary>
+/// Background worker that periodically deletes audit log entries
+/// older than the configured retention period.
+/// </summary>
+public class AuditRetentionWorker : BackgroundService
+{
+    private readonly IServiceScopeFactory _scopeFactory;
+    private readonly AuditRetentionSettings _settings;
+    private readonly WorkerHeartbeatRegistry _workerHeartbeatRegistry;
+    private readonly ILogger<AuditRetentionWorker> _logger;
+
+    public AuditRetentionWorker(
+        IServiceScopeFactory scopeFactory,
+        AuditRetentionSettings settings,
+        WorkerHeartbeatRegistry workerHeartbeatRegistry,
+        ILogger<AuditRetentionWorker> logger)
+    {
+        _scopeFactory = scopeFactory;
+        _settings = settings;
+        _workerHeartbeatRegistry = workerHeartbeatRegistry;
+        _logger = logger;
+    }
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        _logger.LogInformation(
+            "AuditRetentionWorker starting (retention={RetentionDays}d, batch={BatchSize}, interval={IntervalHours}h)",
+            _settings.MaxRetentionDays,
+            _settings.CleanupBatchSize,
+            _settings.CleanupIntervalHours);
+
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            _workerHeartbeatRegistry.ReportHeartbeat(nameof(AuditRetentionWorker));
+
+            try
+            {
+                await CleanupOldEntriesAsync(stoppingToken);
+            }
+            catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
+            {
+                break;
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(
+                    "Error in AuditRetentionWorker iteration. {ExceptionSummary}",
+                    SensitiveDataRedactor.SummarizeException(ex));
+            }
+
+            await Task.Delay(TimeSpan.FromHours(_settings.CleanupIntervalHours), stoppingToken);
+        }
+
+        _logger.LogInformation("AuditRetentionWorker stopped");
+    }
+
+    internal async Task CleanupOldEntriesAsync(CancellationToken ct)
+    {
+        using var activity = TaskdeckTelemetry.ActivitySource.StartActivity(
+            "taskdeck.worker.audit_retention_cleanup",
+            System.Diagnostics.ActivityKind.Internal);
+        activity?.SetTag(TaskdeckTelemetryTags.WorkerName, nameof(AuditRetentionWorker));
+
+        var cutoff = DateTimeOffset.UtcNow.AddDays(-_settings.MaxRetentionDays);
+
+        using var scope = _scopeFactory.CreateScope();
+        var auditRepo = scope.ServiceProvider.GetRequiredService<IAuditLogRepository>();
+
+        var totalDeleted = await auditRepo.DeleteOldEntriesAsync(
+            cutoff,
+            _settings.CleanupBatchSize,
+            ct);
+
+        if (totalDeleted > 0)
+        {
+            _logger.LogInformation(
+                "AuditRetentionWorker deleted {Count} entries older than {CutoffDate:u}",
+                totalDeleted,
+                cutoff);
+        }
+        else
+        {
+            _logger.LogDebug(
+                "AuditRetentionWorker found no entries older than {CutoffDate:u}",
+                cutoff);
+        }
+
+        activity?.SetTag("taskdeck.audit.deleted_count", totalDeleted);
+    }
+}

backend/src/Taskdeck.Api/appsettings.json

@@ -5,6 +5,11 @@
       "Microsoft.AspNetCore": "Warning"
     }
   },
+  "AuditRetention": {
+    "MaxRetentionDays": 90,
+    "CleanupBatchSize": 1000,
+    "CleanupIntervalHours": 24
+  },
   "Workers": {
     "QueuePollIntervalSeconds": 5,
     "MaxBatchSize": 5,