Phase 0 — Foundation Setup#

Status: ✅ Complete (merged on phase-0/foundationdevelop on 2026-07-06).

Lay down the architecture, security, and development pipeline every future phase depends on.

Deliverables (shipped)#

Web / API#

  • API-only host — MVC + Razor Pages removed.
  • JWT bearer auth via Microsoft.AspNetCore.Authentication.JwtBearer 8.0.11, HS256 signing key from config / env var.
  • Endpoints under /api/v1/auth/:
    • POST /login — username + password → JWT
    • GET /me — current user info
    • GET /permissions — roles + permission claims
  • ApiResponse<T> envelope + ProblemDetails global exception middleware.
  • Serilog with correlation-ID enricher, request logging, JSON output.
  • Health checks: /health (liveness), /ready (SQL Server check).
  • OpenAPI + Swagger UI at /docs with Bearer security definition.
  • Rate limiter (fixed window, per user / IP).
  • Versioned routing (/api/v{version:apiVersion}/...).
  • Named-origin CORS policy (not AllowAll).
  • New Manex.Contracts project for shared DTOs.

Data#

  • Single MnxEFContext (EF Core 8.0.11); duplicate contexts deleted.
  • Design-time DataContextFactory reads config + env vars.
  • No migrations shipped. Phase 0 is database-first — the legacy BcomMX_01_04 schema is treated as external. Migrations start landing in Phase 1 as forward-only deltas.
  • Legacy DAL folders (Helper/, Repositories/, Procedures/, …) preserved on disk but excluded from compile — later phases re-enable file by file.

Config / secrets#

  • Cleartext DB credentials removed from appsettings.json.
  • .env.example + appsettings.Development.json.example documented.
  • Program.cs fails fast on missing Jwt:SigningKey (≥ 32 chars).

Solution / build#

  • Rewrote cube2-backend.sln — only net8.0 projects.
  • Legacy Manex.BLL (v4.8) + manexcloud/** on disk but excluded.
  • Deleted empty skeleton projects.
  • build/Directory.Build.props enforces Nullable=enable, TreatWarningsAsErrors=true, LangVersion=latest.

Testing#

  • xUnit + FluentAssertions + Microsoft.AspNetCore.Mvc.Testing.
  • Three test projects: Manex.Web.Tests (unit), Manex.Data.Tests (InMemory EF), Manex.IntegrationTests (WebApplicationFactory).
  • 9 smoke tests passing.

DevOps#

  • .github/workflows/ci.yml — restore, build, test, docker build (replaced the stale Antwerp-project workflow).
  • deploy/docker/web.Dockerfile — multi-stage, non-root user, HEALTHCHECK.
  • docker-compose.yml — web + SQL Server 2022 + Seq, with healthchecks and env-var-based secrets.
  • .dockerignore added.

Documentation#

  • Real README.md (replaced Bitbucket placeholder).
  • ADRs — see Architecture → ADRs.
  • Migration roadmap — this section.

Deliberate scope limits#

Called out here because they gate later work:

  • Manex.Data only compiles the DbContext + minimal auth entity classes. The 100+ helper / repository / procedure files that landed half-migrated in the initial commit stay on disk but are excluded from build. Each is rehabilitated in the phase where it lands.
  • Legacy password verification is a placeholder (SHA1 base64) behind FeatureFlags:UseLegacyPasswordHash. Real format must be confirmed against a staging AspnetMembership row before Phase 1 rehash-on-login can go live. See ADR 0001.
  • Role / permission population is stubbed to empty arrays. Group → role/claim mapping is Phase 1.
  • Refresh tokens are not in scope. Access token lifetime defaults to 60 min.

Verification#

  • dotnet build cube2-backend.sln -c Release → 0 warnings, 0 errors.
  • dotnet test → 9/9 pass.
  • Local Docker Compose brings up web + db + seq with healthchecks green.

Cost#

~2 days for the foundation cleanup once the audit was scoped. Most of the cost was recovering from the initial half-migrated commit — 700+ warnings, 36 errors on first build.