Merge pull request #237 from petrsnd/bugfix/petrsnd/aot-deserialize-and-analyzers

Make SafeguardDotNet fully consumable by AOT-publishing apps

Author: petrsnd

.agents/skills/testing-guide/SKILL.md

@@ -32,6 +32,42 @@ live Safeguard appliance for testing.** If they do, ask for:
 This is not required for documentation or minor fixes, but it is **strongly encouraged**
 for any change that touches authentication, API calls, connection logic, or event handling.
 
+## AOT cleanliness — how reflection regressions are caught
+
+Every CLI tool csproj under `Test/` carries the **full AOT property set**: `IsAotCompatible`,
+`IsTrimmable`, `EnableAotAnalyzer`, `EnableTrimAnalyzer`, `EnableSingleFileAnalyzer`,
+`JsonSerializerIsReflectionEnabledByDefault=false`. This gives two complementary guards:
+
+1. **Build-time** — analyzers run against tool source; any reflection-based JSON
+   introduced in a tool fails the build via repo-wide `TreatWarningsAsErrors`.
+2. **Runtime** — when the PowerShell suite `dotnet run`s these tools against a live
+   appliance, they execute with reflection disabled, so any new SDK code path that needs
+   reflection fails loudly in regression instead of silently shipping to consumers.
+
+**Every new tool csproj under `Test/` must carry this full property set.** If a regression
+run starts failing event listeners, A2A retrieval, or auth, the answer is **not** "remove
+the AOT switches from the tool" — it's "fix the SDK code path that's trying to use
+reflection." The canonical example: SignalR registrations must be typed
+(`On<JsonElement>(...)`, never `On("name", (object) => ...)`) so `JsonHubProtocol` can
+deserialize without reflection.
+
+### Gap to be aware of
+
+The SDK targets `netstandard2.0`; trim/AOT analyzers do not run on its own source. A
+regression in the SDK that switches `SafeguardJson.Deserialize<T>` (or any other facade
+method) to a `[RequiresUnreferencedCode]`/`[RequiresDynamicCode]`-annotated overload
+**will not** be caught at SDK build time. It only surfaces either:
+
+- as `IL2026` / `IL3050` warnings in a downstream `PublishAot=true` consumer's build
+  (e.g. safeguard-mcp), or
+- as runtime failures during live appliance regression (broken event listeners, A2A
+  retrieval, auth).
+
+**For changes touching `SafeguardDotNet/Serialization/`, `SafeguardJsonContext`, the
+`SafeguardJson` facade, any `JsonSerializer.*` site, or any SignalR `HubConnection`
+registration, the live appliance regression is the primary safety net.** Run the full
+PowerShell suite (see below) before declaring such a change done.
+
 ## Connecting to the appliance (PKCE vs Resource Owner Grant)
 
 **Resource Owner Grant (ROG) is disabled by default** on Safeguard appliances. The SDK's

SafeguardDotNet.BrowserLogin/SafeguardDotNet.BrowserLogin.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <TargetFramework>netstandard2.0</TargetFramework>

SafeguardDotNet.Core.sln

@@ -1,3 +1,4 @@
+
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 18
 VisualStudioVersion = 18.2.11415.280
@@ -56,8 +57,6 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SafeguardDotNetUnitTest", "
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SafeguardDotNet.SerializationTests", "Test\SafeguardDotNet.SerializationTests\SafeguardDotNet.SerializationTests.csproj", "{F5591287-9C28-4778-951A-31F6A6766B63}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SafeguardDotNetAotTest", "Test\SafeguardDotNetAotTest\SafeguardDotNetAotTest.csproj", "{3E63CCAE-63D0-4E10-85F4-03D35091144D}"
-EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -112,18 +111,6 @@ Global
 		{0149D659-78E3-476B-81F1-A80BDFA6F8A9}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{0149D659-78E3-476B-81F1-A80BDFA6F8A9}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{0149D659-78E3-476B-81F1-A80BDFA6F8A9}.Release|Any CPU.Build.0 = Release|Any CPU
-		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Release|Any CPU.Build.0 = Release|Any CPU
-		{F5591287-9C28-4778-951A-31F6A6766B63}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{F5591287-9C28-4778-951A-31F6A6766B63}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{F5591287-9C28-4778-951A-31F6A6766B63}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{F5591287-9C28-4778-951A-31F6A6766B63}.Release|Any CPU.Build.0 = Release|Any CPU
-		{3E63CCAE-63D0-4E10-85F4-03D35091144D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{3E63CCAE-63D0-4E10-85F4-03D35091144D}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{3E63CCAE-63D0-4E10-85F4-03D35091144D}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{3E63CCAE-63D0-4E10-85F4-03D35091144D}.Release|Any CPU.Build.0 = Release|Any CPU
 		{6802F7A9-CD3D-4608-9EEC-C98636DA2708}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{6802F7A9-CD3D-4608-9EEC-C98636DA2708}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{6802F7A9-CD3D-4608-9EEC-C98636DA2708}.Release|Any CPU.ActiveCfg = Release|Any CPU
@@ -132,6 +119,14 @@ Global
 		{20D9ED51-6852-44FC-A413-5EC7631139F9}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{20D9ED51-6852-44FC-A413-5EC7631139F9}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{20D9ED51-6852-44FC-A413-5EC7631139F9}.Release|Any CPU.Build.0 = Release|Any CPU
+		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Release|Any CPU.Build.0 = Release|Any CPU
+		{F5591287-9C28-4778-951A-31F6A6766B63}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{F5591287-9C28-4778-951A-31F6A6766B63}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{F5591287-9C28-4778-951A-31F6A6766B63}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{F5591287-9C28-4778-951A-31F6A6766B63}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -150,7 +145,6 @@ Global
 		{1EB6D64D-7AFB-41DC-B11B-58934D053684} = {9249E337-656D-4970-B45C-7A077C56FA44}
 		{1B11B367-2F76-49EE-A820-2A0A8B1721B1} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 		{F5591287-9C28-4778-951A-31F6A6766B63} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
-		{3E63CCAE-63D0-4E10-85F4-03D35091144D} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {5A3B2C1D-4E6F-7A8B-9C0D-1E2F3A4B5C6D}

SafeguardDotNet.Framework.sln

@@ -1,4 +1,4 @@
-
+
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 18
 VisualStudioVersion = 18.2.11415.280 d18.0

SafeguardDotNet.sln

@@ -52,8 +52,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SafeguardDotNet.PkceNoninte
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SafeguardDotNetPkceNoninteractiveLoginTester", "Test\SafeguardDotNetPkceNoninteractiveLoginTester\SafeguardDotNetPkceNoninteractiveLoginTester.csproj", "{C6D34567-3456-4321-9876-345678901CDE}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SafeguardDotNetAotTest", "Test\SafeguardDotNetAotTest\SafeguardDotNetAotTest.csproj", "{3E63CCAE-63D0-4E10-85F4-03D35091144D}"
-EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Samples", "Samples", "{867EB36D-7893-444D-900D-29733E8E2636}"
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SampleA2aService", "Samples\SampleA2aService\SampleA2aService.csproj", "{0149D659-78E3-476B-81F1-A80BDFA6F8A9}"
@@ -152,10 +150,6 @@ Global
 		{BE0C60E2-002E-42A0-A1D1-3BB9AE90D607}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{BE0C60E2-002E-42A0-A1D1-3BB9AE90D607}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{BE0C60E2-002E-42A0-A1D1-3BB9AE90D607}.Release|Any CPU.Build.0 = Release|Any CPU
-		{3E63CCAE-63D0-4E10-85F4-03D35091144D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{3E63CCAE-63D0-4E10-85F4-03D35091144D}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{3E63CCAE-63D0-4E10-85F4-03D35091144D}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{3E63CCAE-63D0-4E10-85F4-03D35091144D}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -171,7 +165,6 @@ Global
 		{1EB6D64D-7AFB-41DC-B11B-58934D053684} = {9249E337-656D-4970-B45C-7A077C56FA44}
 		{D0009DBA-16E1-4E6F-AC1E-D11B16AB3C41} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 		{C6D34567-3456-4321-9876-345678901CDE} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
-		{3E63CCAE-63D0-4E10-85F4-03D35091144D} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 		{0149D659-78E3-476B-81F1-A80BDFA6F8A9} = {867EB36D-7893-444D-900D-29733E8E2636}
 		{BE0C60E2-002E-42A0-A1D1-3BB9AE90D607} = {867EB36D-7893-444D-900D-29733E8E2636}
 		{FB679533-9E9A-416B-BDE6-CC2D5EE52D49} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}

SafeguardDotNet/Event/SafeguardEventListener.cs

@@ -8,11 +8,14 @@ namespace OneIdentity.SafeguardDotNet.Event;
 using System.Net.Http;
 using System.Net.Security;
 using System.Security;
+using System.Text.Json;
 using System.Threading.Tasks;
 
 using Microsoft.AspNetCore.SignalR.Client;
+using Microsoft.Extensions.DependencyInjection;
 
 using OneIdentity.SafeguardDotNet.A2A;
+using OneIdentity.SafeguardDotNet.Serialization;
 
 using Serilog;
 
@@ -246,11 +249,16 @@ public void Start()
                     return message;
                 };
             })
+            .AddJsonProtocol(options =>
+            {
+                options.PayloadSerializerOptions.TypeInfoResolver = SafeguardJsonContext.Default;
+            })
             .Build();
 
         try
         {
-            _signalrConnection.On("NotifyEventAsync", (object message) => HandleEvent(message.ToString()));
+            // Typed JsonElement keeps SignalR off the reflection path so this works when consumers publish AOT.
+            _signalrConnection.On<JsonElement>("NotifyEventAsync", message => HandleEvent(message.GetRawText()));
             _signalrConnection.Closed += _signalrConnection_Closed;
 
             _signalrConnection.StartAsync().Wait();

SafeguardDotNet/SafeguardDotNet.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <TargetFramework>netstandard2.0</TargetFramework>
@@ -47,6 +47,7 @@ Bug Fixes:
 
   <ItemGroup>
     <InternalsVisibleTo Include="SafeguardDotNet.SerializationTests" />
+    <InternalsVisibleTo Include="SafeguardDotNetA2aTool" />
   </ItemGroup>
 
   <ItemGroup>

SafeguardDotNet/Serialization/SafeguardJson.cs

@@ -4,6 +4,7 @@ namespace OneIdentity.SafeguardDotNet.Serialization;
 
 using System;
 using System.Text.Json;
+using System.Text.Json.Serialization.Metadata;
 
 /// <summary>
 /// Centralized facade for all JSON serialization/deserialization in the SDK.
@@ -12,12 +13,6 @@ namespace OneIdentity.SafeguardDotNet.Serialization;
 /// </summary>
 internal static class SafeguardJson
 {
-    private static readonly JsonSerializerOptions Options = new JsonSerializerOptions
-    {
-        PropertyNameCaseInsensitive = true,
-        TypeInfoResolver = SafeguardJsonContext.Default,
-    };
-
     /// <summary>
     /// Serializes a value using the source-generated context.
     /// </summary>
@@ -26,20 +21,28 @@ internal static class SafeguardJson
     /// <returns>A JSON string representation of the value.</returns>
     public static string Serialize<T>(T value)
     {
-        var typeInfo = SafeguardJsonContext.Default.GetTypeInfo(typeof(T))
-            ?? throw new InvalidOperationException($"Type {typeof(T).Name} is not registered in SafeguardJsonContext.");
-        return JsonSerializer.Serialize(value, typeInfo);
+        return JsonSerializer.Serialize(value, GetTypeInfo<T>());
     }
 
     /// <summary>
     /// Deserializes JSON into the specified type using the source-generated context.
+    /// Throws <see cref="SafeguardDotNetException"/> if the input is empty or deserializes to null,
+    /// so callers fail with an actionable error instead of an opaque <see cref="NullReferenceException"/>.
     /// </summary>
     /// <typeparam name="T">The type to deserialize into.</typeparam>
     /// <param name="json">The JSON string to deserialize.</param>
     /// <returns>The deserialized object.</returns>
     public static T Deserialize<T>(string json)
     {
-        return (T)JsonSerializer.Deserialize(json, typeof(T), Options);
+        if (string.IsNullOrWhiteSpace(json))
+        {
+            throw new SafeguardDotNetException(
+                $"Cannot deserialize empty response into {typeof(T).Name}.");
+        }
+
+        var result = JsonSerializer.Deserialize(json, GetTypeInfo<T>());
+        return result ?? throw new SafeguardDotNetException(
+            $"Deserialization of {typeof(T).Name} produced null. Response body: {json}");
     }
 
     /// <summary>
@@ -49,4 +52,12 @@ public static T Deserialize<T>(string json)
     /// <param name="json">The JSON string to parse.</param>
     /// <returns>A parsed <see cref="JsonDocument"/>.</returns>
     public static JsonDocument Parse(string json) => JsonDocument.Parse(json);
+
+    private static JsonTypeInfo<T> GetTypeInfo<T>()
+    {
+        return SafeguardJsonContext.Default.GetTypeInfo(typeof(T)) is JsonTypeInfo<T> typeInfo
+            ? typeInfo
+            : throw new InvalidOperationException(
+                $"Type {typeof(T).Name} is not registered in {nameof(SafeguardJsonContext)}.");
+    }
 }

SafeguardDotNet/Serialization/SafeguardJsonContext.cs

@@ -3,6 +3,7 @@
 namespace OneIdentity.SafeguardDotNet.Serialization;
 
 using System.Collections.Generic;
+using System.Text.Json;
 using System.Text.Json.Serialization;
 
 using OneIdentity.SafeguardDotNet.A2A;
@@ -11,6 +12,7 @@ namespace OneIdentity.SafeguardDotNet.Serialization;
 /// Source-generated JSON serializer context for all types that require serialization in the SDK.
 /// Guarantees AOT-compatible, reflection-free serialization at compile time.
 /// </summary>
+[JsonSourceGenerationOptions(PropertyNameCaseInsensitive = true)]
 [JsonSerializable(typeof(BrokeredAccessRequest))]
 [JsonSerializable(typeof(A2ARetrievableAccount))]
 [JsonSerializable(typeof(ApiKeySecret))]
@@ -23,6 +25,7 @@ namespace OneIdentity.SafeguardDotNet.Serialization;
 [JsonSerializable(typeof(List<A2ARetrievableAccount>))]
 [JsonSerializable(typeof(List<ApiKeySecret>))]
 [JsonSerializable(typeof(string))]
+[JsonSerializable(typeof(JsonElement))]
 internal partial class SafeguardJsonContext : JsonSerializerContext
 {
 }

Test/SafeguardDotNetA2aTool/Program.cs

@@ -9,6 +9,7 @@
 
 using OneIdentity.SafeguardDotNet;
 using OneIdentity.SafeguardDotNet.A2A;
+using OneIdentity.SafeguardDotNet.Serialization;
 
 using SafeguardDotNetA2aTool;
 
@@ -122,7 +123,8 @@ void Execute(ToolOptions opts)
                 var accounts = string.IsNullOrEmpty(opts.Filter)
                     ? context.GetRetrievableAccounts()
                     : context.GetRetrievableAccounts(opts.Filter);
-                Log.Information(System.Text.Json.JsonSerializer.Serialize(accounts));
+                var accountList = accounts as List<A2ARetrievableAccount> ?? [.. accounts];
+                Log.Information(SafeguardJson.Serialize(accountList));
             }
 
             if (opts.PrivateKey)