Cephalon Project Memory
Project memory in this document reflects the repository state observed on May 2, 2026.
This page is a repo-oriented orientation snapshot. It is meant to help contributors recover context quickly before they change code, docs, planning, or package surfaces.
Cross-references: README.md, docs/README.md, docs/architecture.md, docs/architecture-inventory.md, docs/architecture-recommendations.md, docs/engine-roadmap.md, docs/engine-backlog.md, docs/compatibility.md, docs/long-range-direction.md, docs/engineering-standards.md, docs/dotnet11-readiness.md, docs/runtime-contract-index.md, docs/conformance-matrix.md, docs/architecture-review-2026-04.md, docs/architecture-review-2026-05.md, docs/planning-governance.md, docs/deployment-mode-support.md
Identity
Section titled “Identity”Cephalon is not being positioned as a single application shell.
The repository is aiming at a modular .NET engine/framework foundation that is growing into a modular runtime platform. The recurring design center is:
- host-agnostic contracts first
- deterministic module and package composition
- explicit app-model, transport, technology, and policy selection
- runtime introspection as a product surface
- additive companion packs instead of engine-core sprawl
- generated starter output, templates, and samples that stay aligned with the runtime contract
Current technical baseline
Section titled “Current technical baseline”- the repo is pinned to
.NET SDK 10.0.201throughglobal.json - the shipped project baseline is
net10.0 - notable packaging exceptions are the template pack and source generator surfaces that stay on
netstandard2.0 - repo-native framework assessment now lives in
scripts/validate-dotnet-readiness.ps1, which keepsglobal.json-selected shipping truth separate from higher-SDK readiness checks - central package management is enabled through
Directory.Packages.props - repo-wide build defaults enable nullable reference types, implicit usings, XML doc generation, and warnings-as-errors
- the default Cephalon package version baseline is currently
0.1.0-preview
Long-term engine direction
Section titled “Long-term engine direction”- the active north star is to build the best engine we can across architecture, runtime, tooling, packaging, documentation, and operational quality so developers can install Cephalon into many project shapes instead of adapting to one fixed app shell
- Cephalon should continue evolving as a reusable engine/framework that developers install into many project shapes, not as a single opinionated app shell
- current shipping should stay on
net10.0, but official planning should assume Microsoft’s annual November .NET cadence,.NET 10LTS support throughNovember 14, 2028, and.NET 11as the next major release currently in Preview 3 onApril 26, 2026with final release expected inNovember 2026 - future-proofing should prefer a deliberate
.NET 11readiness lane over premature preview-only adoption: keepnet10.0as the stable shipping floor while reviewing new platform features, APIs, analyzers, and runtime behaviors early enough that Cephalon can migrate intentionally instead of reactively - release validation should continue emitting a framework-readiness report, while higher-SDK workflow lanes should validate future compatibility without mutating the repo-root
global.jsonpin or silently changing the public baseline - treat the currently observed
.NET 11preview wave as assessment-only input for framework planning, not as a stable dependency baseline; as ofApril 26, 2026, Microsoft has shipped Preview 1 onFebruary 10, 2026, Preview 2 onMarch 10, 2026, and Preview 3 onApril 14, 2026, while stable Cephalon packages should continue targetingnet10.0until an intentional migration lane is validated - optimize for 3/5/8/10/15/20/30+ year adaptability by keeping the core host-agnostic, runtime truth introspectable, package boundaries explicit, and future workloads additive through companion packs instead of baking one architectural era directly into the engine
- long-range planning should actively forecast how software may evolve over the next 3/5/8/10/15/20/30+ years and turn that forecast into engine primitives, package boundaries, runtime contracts, and migration lanes rather than waiting for external trends to force reactive redesign
- assume the next decades of software will keep pushing toward AI-assisted authoring, lower-ceremony application assembly, stronger policy/governance requirements, hybrid cloud plus edge execution, and deploy-anywhere constraints such as trimming, single-file, containers, and Native AOT; Cephalon should answer those shifts through additive runtime primitives, generated/projected surfaces, and introspectable policy contracts instead of one locked-in application style
- reduce consumer code aggressively: architecture, transport, host, and policy changes should prefer engine configuration, module composition, scaffold/runtime contracts, and generated low-code surfaces over app-local rewrites
- consumer projects should be able to change architecture, transport mix, topology, and other major runtime choices through engine-owned composition, configuration, and projected surfaces without having to rewrite their application code each time
- engine completeness should be measured by engine-owned, runtime-neutral contracts and swappable companion seams being ready, not by requiring one specific adapter or provider package to be installed
- companion and provider packs such as
Cephalon.Eventing.Wolverineare optional adoption choices for consumer apps; they may prove one managed implementation lane, but they must not redefine whether the core engine is considered ready - NuGet publication should stay discoverable and layered: keep a coherent package family around abstractions, engine core, host adapters, technology packs, provider packs, observability packs, tooling, scaffolding, templates, and samples/reference modules without collapsing everything into one monolith
- NuGet publication is part of the product design, not release afterthought: package naming, taxonomy, split count, metadata, and search discoverability should be designed deliberately for framework adoption and long-term upgrade safety
- NuGet publication should follow official library/package guidance: reserve and protect the
Cephalon.*prefix when eligible, split packages only when the assemblies are independently useful, keep package metadata/README/tags/repository information complete, ship Source Link plus symbols, and use trusted publishing instead of long-lived manual secrets when the release flow is formalized - public API design should follow Microsoft library and framework guidance for reusable .NET libraries: keep constructors lightweight, prefer constructor injection and stable
Add{Group}registration entry points, keep naming consistent, document public contracts with XML comments, and use the least-cost extensibility mechanism that preserves future evolution - compatibility discipline should stay high because Cephalon is a framework, not an app: avoid binary breaking changes in low-level packages unless the long-term design gain is worth a deliberate break, prefer additive opt-in settings and obsoletion over silent contract churn, and treat package dependencies as part of the public contract
- framework-quality gates should keep expanding beyond unit tests: use analyzers and
.editorconfigas policy, keep package validation baselines for public surface drift, keep NuGet vulnerability/supply-chain checks visible, and add truthful trimming/AOT/single-file readiness analysis where Cephalon claims those deployment modes - while the engine remains in POC, prefer materially better architecture, design patterns, packaging, code quality, developer ergonomics, or newly invented engine primitives over preserving transitional shapes that would weaken the long-term framework
- treat performance, security, usability, reliability, maintainability, scalability, flexibility, compatibility, data integrity, availability, auditability, and compliance as first-class engine qualities rather than later hardening chores
Repo shape at a glance
Section titled “Repo shape at a glance”Current project counts from the workspace scan:
src: 84 projectstests: 4 projectssamples: 9 projectstemplates: 6 projectsplayground: 2 projectsbenchmarks: 1 project
These counts are useful as a scale indicator only. They will drift as new companion packs and samples are added.
What the repository already ships
Section titled “What the repository already ships”The repo is well past an early prototype. The following surfaces are already present and should be treated as part of the living product:
Cephalon.Abstractionsas the host-agnostic contract layerCephalon.Engineas the composition, manifest, runtime, policy, package-loading, trust, and app-model centerCephalon.AspNetCoreandCephalon.Workeras the primary host adapters- transport adapters for REST, JSON-RPC, gRPC, GraphQL, Server-Sent Events, and WebSocket
Cephalon.Scaffolding,Cephalon.Cli, andCephalon.TemplatePackas the adoption and generation surfacesCephalon.ReferenceDocsplus the publisheddocs/reference/output as the XML-doc publishing pathCephalon.Observabilityplus dependency-health, exporter, cloud, and provider companion packsCephalon.Behaviorsplus HTTP, messaging, pattern, and source-generator companion packagesCephalon.DataandCephalon.EventSourcingplus relational and non-relational provider families- samples that model intended blueprint shapes and reference modules that model intended package authoring
- the first deployment-mode validation harness ships through
scripts/validate-deployment-mode-claims.ps1(now manifest-driven throughGet-DeploymentModeConfigFromManifest, reading per-moderequiredProjectProperties,requiredAnalyzerProperties, andwarningPatternsfromscripts/deployment-mode-support.jsonschema1.1.0with hardcoded fallback for legacy manifests) (3 audit phases: project-property, analyzer, optional dotnet publish probe; 5 verdict types: claim-truthful / claim-overstated / not-claimed / not-claimed-with-property-drift / mixed) plus a Pester suite attests/Cephalon.Tests.Scripts/validate-deployment-mode-claims.Tests.ps1(13 Describe groups, 67 It cases) plus a separate manifest-schema test file attests/Cephalon.Tests.Scripts/deployment-mode-support-manifest.Tests.ps1(9 Describe groups, 25 It cases) and a manifest schema atscripts/deployment-mode-support.jsonschema1.1.0with per-moderequiredProjectProperties,requiredAnalyzerProperties,warningPatterns, plusrepresentativePublishTargets,expectedPublishOutputShape,deploymentModeEligibility, andknownTransitiveHazardsfields scripts/validate-release.ps1now invokes the deployment-mode validation harness as an opt-out step (-SkipDeploymentModeClaims); release validation reports both.NET 11SDK readiness and deployment-mode claim truth in the same flow, with the harness running in audit-only mode untilrepresentativePublishTargets.projectsis populateddocs/conformance-matrix.mdships as the consolidated per-package adoption-truth read across maturity, ownership, engine routes, snapshot keys, and catalog interfaces;docs/runtime-contract-index.mdships as the consolidated/engine/*route,snapshot.*key, and runtime catalog interface map; both are linked fromdocs/README.mdResearch references and fromdocs/project-memory.mdcross-referencesdocs/architecture-review-2026-05.mdships as the May 2026 dated architecture review snapshot synthesizing ENG-238 through ENG-256 plus phase-13 cell baseline and the new long-range / standards / runtime-contract / conformance-matrix anchors; the monthly cadence is now an explicit standing rule indocs/planning-governance.md
Runtime and architecture anchors
Section titled “Runtime and architecture anchors”The architecture docs and the codebase align around a few important truths:
- blueprints are not the same thing as design patterns, deployment topology, or transports
- Cephalon models app shape through multiple dimensions rather than one overloaded architecture label
- the built-in app blueprints are
modular-monolith,modular-vertical-slice, andmicroservice - the built-in suite blueprint is
microservice-suite - transports are first-class descriptors and are expected to stay aligned across runtime, scaffolding, CLI parsing, templates, samples, and docs
- technology profiles are additive workload hints, not excuses to explode the blueprint catalog
- the engine owns the runtime contract and generator surfaces should follow it instead of re-encoding their own semantics
Current built-in transport surface:
rest-apijson-rpcgrpcgraphqlserver-sent-eventswebsocket
Current built-in technology profile surface includes:
agentic-workloadscell-based-architectureevent-driven-integrationknowledge-retrievalrealtime-experienceedge-native-deliveryserverless-hostingidentity-accessmulti-tenancyhybrid-cloud-runtimeservice-mesh-integration
High-value code anchors
Section titled “High-value code anchors”When recovering context in code, these are good starting points:
src/Cephalon.Abstractions/Modules/IModule.cssrc/Cephalon.Abstractions/Modules/ModuleDescriptor.cssrc/Cephalon.Engine/Composition/EngineServiceCollectionExtensions.cssrc/Cephalon.Engine/Runtime/IRuntime.cssrc/Cephalon.Engine/Runtime/RuntimeOperationalStory.cssrc/Cephalon.AspNetCore/Hosting/EngineWebApplicationBuilderExtensions.cssrc/Cephalon.AspNetCore/Hosting/EngineWebApplicationExtensions.cssrc/Cephalon.Worker/Hosting/WorkerHostApplicationBuilderExtensions.cssrc/Cephalon.Cli/CliApplication.cssrc/Cephalon.Behaviors/Services/BehaviorDispatcher.cssrc/Cephalon.Abstractions/Behaviors/IBehaviorContext.cs
These files anchor the public or cross-cutting runtime contract more reliably than any one sample or playground host.
Introspection is part of the product
Section titled “Introspection is part of the product”Runtime introspection is not secondary documentation. It is an explicit operator-facing surface.
Important routes and concepts that repeatedly appear across docs and code:
/engine/engine/manifest/engine/snapshot/engine/runtime-story/engine/cells/engine/cell-routes/engine/modules/engine/packages/engine/diagnostics/engine/technologies/engine/technology-catalog/engine/technology-surfaces/engine/capabilities/engine/dependencies/health/health/live/health/ready
If a change impacts lifecycle, packages, diagnostics, technologies, executions, or health semantics, it likely also impacts one or more of these routes and the docs that describe them.
Adoption surfaces
Section titled “Adoption surfaces”The repository now treats adoption as a first-class concern, not as a later packaging task.
The main adoption paths are:
Cephalon.Clias a packaged.NET toolwith thecephaloncommandCephalon.TemplatePackas thedotnet newinstall surfaceCephalon.Scaffoldingas the shared rendering layer behind generated outputsamples/as adoption-quality blueprint examplesplayground/as freeform experimentation rather than the official starter baseline
The shipped template-pack module starters now include:
cephalon-modulefor host-agnostic modulescephalon-rest-modulefor generic REST modules that do not dispatch into Cephalon behaviorscephalon-rest-behavior-modulefor the recommended behavior-backedRestBehaviorModuleBasepath- REST-enabled generated blueprint apps,
dotnet newblueprint starters, and the matching shipped blueprint samples now also default their public starter modules toRestBehaviorModuleBase.ConfigureRestBehaviors(...)plusMapProfile<TBehavior>(); keepcephalon-rest-moduleandCephalon.ReferenceModule.Operationsas the generic non-behavior path instead of treating them as the starter baseline
The generated app baseline already includes publishing and deployment assets for:
- published output smoke
- Windows Service
- IIS
- Azure App Service
- container image publishing
- Azure Container Apps
- Kubernetes
- Linux
systemd
Documentation model
Section titled “Documentation model”The repository uses two documentation layers on purpose:
- hand-authored Markdown under
README.mdanddocs/is the primary human-facing product and adoption documentation - XML comments on public contracts are the API explanation layer used by IntelliSense and generated reference-doc publishing
This distinction matters. Hand-authored docs should explain ownership, usage, architecture, and adoption. XML comments should explain supported public API behavior precisely enough for reference generation.
- treat the hand-authored docs graph as the primary human contract and
docs/reference/*as the generated API layer underneath it, not the other way around - before changing a package or subsystem, use
docs/components/README.mdas the map into the relevant component documentation before drilling directly into source - contributors should read the relevant
docs/*material first and use broader software-world knowledge to shape the engine; the docs are new enough that they may and should evolve together with the code - when changing source, inspect the related docs graph every time; do not patch source and leave the nearby hand-authored docs drifting behind
- if work touches a public surface, runtime surface, or package surface, review the source, component docs, compatibility docs, readiness/validation docs, and planning docs together as one change surface
- if the current docs conflict with a better engine shape during the POC and invention phase, update
docs + source + planning truthtogether in the same slice instead of preserving stale documentation just because it existed first
Planning memory
Section titled “Planning memory”The roadmap and backlog indicate that Cephalon has already shipped large parts of its foundation, adoption hardening, operational baseline, package-loading baseline, execution/orchestration baseline, and solution-level platform baseline.
The near-term planning center has shifted away from “start the engine” and toward:
- hardening and truthfulness across shipped surfaces
- resilience and migration patterns
- keeping docs, templates, CLI behavior, scaffolding, package metadata, and runtime contracts aligned
- every meaningful package or runtime surface now needs an explicit maturity and ownership label through
docs/engine-surface-maturity-audit.md:M0throughM4plustaxonomy-only,application-managed,cephalon-managed, orprovider-managed - intentional descriptor-only or catalog-only work is allowed, but it should stay explicitly labeled as
M0orM1instead of reading like partial execution ownership - mixed-maturity families should prefer one narrow vertical proof slice before expanding descriptor breadth again
ENG-232has now promotedCephalon.Agenticsfrom descriptor/runtime-surface truth into a narrowM2proof:IAgentToolDispatcherowns one Cephalon-managed tool loop around registeredIAgentToolExecutorservices,IAgentToolExecutionPolicycan require approval or deny before execution,IAgentToolExecutionObservercan attach audit/telemetry, andIAgentToolRunCatalogprojects run-state truth back into theagent-toolstechnology surface,/engine/agent-tool-runs, andsnapshot.AgentToolRuns; this does not yet claim autonomous planning, memory persistence, retry queues, or AI-provider orchestration ownershipENG-234keepsCephalon.MultiTenancyhonest as a narrowM2tenant-resolution proof: the base pack ownsITenantResolver,ITenantContextAccessor, andtenant-resolution, whiletenant-governance-boundariesseparates base-package ownership from companion-owned or companion-planned governance workflowsENG-235promotes the first governance companion proof:Cephalon.MultiTenancy.Governanceowns tenant membership cataloging and membership evaluation throughITenantMembershipCatalog,ITenantMembershipEvaluator,tenancy.membership.catalog,tenancy.membership.evaluation, diagnostics4510-4511, and thetenant-membershipsruntime surfaceENG-236promoted the second governance companion proof:Cephalon.MultiTenancy.Governanceadded tenant invitation cataloging and invitation validation throughITenantInvitationCatalog,ITenantInvitationValidator,tenancy.invitation.catalog,tenancy.invitation.validation, diagnostics4512-4513, and thetenant-invitationsruntime surface, while domain ownership, approval/remediation action decisions, durable membership or invitation stores, invitation delivery, identity-provider synchronization, and tenant administration remained future governance work after that slice; tenant administration workflow commands later shipped inENG-254, the host-agnostic invitation delivery dispatch/run-state lane later shipped inENG-256, and provider-specific senders plus identity-provider sync remain future workENG-237promotes the third governance companion proof:Cephalon.MultiTenancy.Governancenow also owns declared tenant-domain ownership cataloging and validation throughITenantDomainOwnershipCatalog,ITenantDomainOwnershipValidator,tenancy.domain-ownership.catalog,tenancy.domain-ownership.validation, diagnostics4514-4515, and thetenant-domain-ownershipruntime surface, while DNS/HTTP proof collection or external polling, approval/remediation action decisions, durable governance stores, invitation delivery, identity-provider synchronization, and tenant administration remained future governance work after that slice; action-state durability later shipped inENG-240and tenant administration workflow commands later shipped inENG-254ENG-238promotes the fourth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns approval/remediation action cataloging and deterministic action decisions throughITenantGovernanceActionCatalog,ITenantGovernanceActionDecider,tenancy.governance-action.catalog,tenancy.governance-action.decision, diagnostics4516-4517, and thetenant-governance-actionsruntime surfaceENG-239promotes the fifth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns in-process approval/remediation action workflow transitions throughITenantGovernanceActionWorkflow,TenantGovernanceActionWorkflowRequest,TenantGovernanceActionWorkflowResult,tenancy.governance-action.workflow, diagnostics4518-4519, and runtime action metadata on the existingtenant-governance-actionssurfaceENG-240promotes the sixth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns runtime approval/remediation action storage throughITenantGovernanceActionStore, an in-memory default, opt-in file-backed JSON durability viaGovernanceActionStoreFilePath,tenancy.governance-action.store, diagnostics4520-4521, and action-store metadata on the existingtenant-governance-actionssurface; durable membership storage was later narrowed and shipped inENG-241, durable invitation storage was later narrowed and shipped inENG-242, durable domain-ownership storage was later narrowed and shipped inENG-243, tenant administration workflow commands later shipped inENG-254, and the ASP.NET Core command endpoint later shipped inENG-255, while distributed or provider-backed governance storage, notification/delivery, remediation execution beyond state transitions, DNS/HTTP proof collection or external polling, identity-provider synchronization, public onboarding, and tenant-admin UI remain future governance workENG-241promotes the seventh governance companion proof:Cephalon.MultiTenancy.Governancenow also owns runtime tenant-membership storage throughITenantMembershipStore, an in-memory default, opt-in file-backed JSON durability viaMembershipStoreFilePath,tenancy.membership.store, and membership-store metadata on the existingtenant-membershipssurface; durable invitation storage was later narrowed and shipped inENG-242, durable domain-ownership storage was later narrowed and shipped inENG-243, tenant administration workflow commands later shipped inENG-254, and the ASP.NET Core command endpoint later shipped inENG-255, while distributed or provider-backed governance storage, notification/delivery, remediation execution beyond state transitions, DNS/HTTP proof collection or external polling, identity-provider synchronization, public onboarding, and tenant-admin UI remain future governance workENG-242promotes the eighth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns runtime tenant-invitation storage throughITenantInvitationStore, an in-memory default, opt-in file-backed JSON durability viaInvitationStoreFilePath,tenancy.invitation.store, and invitation-store metadata on the existingtenant-invitationssurface; durable domain-ownership storage was later narrowed and shipped inENG-243, tenant administration workflow commands later shipped inENG-254, and the ASP.NET Core command endpoint later shipped inENG-255, while distributed or provider-backed governance storage, notification/delivery, invitation delivery, remediation execution beyond state transitions, DNS/HTTP proof collection or external polling, identity-provider synchronization, public onboarding, and tenant-admin UI remain future governance workENG-243promotes the ninth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns runtime tenant-domain ownership storage throughITenantDomainOwnershipStore, an in-memory default, opt-in file-backed JSON durability viaDomainOwnershipStoreFilePath,tenancy.domain-ownership.store, and domain-ownership-store metadata on the existingtenant-domain-ownershipsurface; in-process domain-ownership verification workflow transitions were later narrowed and shipped inENG-244ENG-244promotes the tenth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns in-process tenant-domain ownership verification workflow transitions throughITenantDomainOwnershipVerificationWorkflow, workflow request/result contracts,TenantDomainOwnershipVerificationWorkflowCommands,TenantDomainOwnershipVerificationWorkflowOutcomes,tenancy.domain-ownership.workflow, diagnostics4522-4525, andtenant-domain-ownershipmetadata for verification-workflow ownership and DNS/HTTP proof-collection ownership boundaries, while DNS/HTTP proof collection or external polling, domain lifecycle automation beyond status transitions, distributed or provider-backed governance storage, notification/delivery, invitation delivery, remediation execution beyond state transitions, identity-provider synchronization, public onboarding, and tenant administration remained future governance work after that slice; tenant administration workflow commands later shipped inENG-254ENG-245promotes the eleventh governance companion proof:Cephalon.MultiTenancy.Governancenow also owns tenant-domain ownership proof evaluation throughITenantDomainOwnershipProofEvaluator, proof-evaluation request/result contracts,TenantDomainOwnershipProofEvaluationOutcomes,TenantDomainOwnershipProofMetadataKeys,tenancy.domain-ownership.proof-evaluation, diagnostics4526-4527, andtenant-domain-ownershipmetadata for proof-evaluation ownership; HTTP file proof collection was later narrowed and shipped inENG-248, configured DNS TXT proof collection was later narrowed and shipped inENG-250, bounded on-demand proof polling was later narrowed and shipped inENG-251, and automatic background proof polling was later narrowed and shipped inENG-252ENG-246promotes the twelfth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns tenant-domain ownership proof challenge issuance throughITenantDomainOwnershipProofChallengeIssuer, proof-challenge request/result contracts,TenantDomainOwnershipProofChallengeOutcomes,TenantDomainOwnershipProofChallengeMetadataKeys,tenancy.domain-ownership.proof-challenge, diagnostics4528-4529, default DNS TXT / HTTP publication hints, andtenant-domain-ownershipmetadata for proof-challenge ownership; HTTP file collection was later narrowed and shipped inENG-248, configured DNS TXT collection was later narrowed and shipped inENG-250, bounded on-demand proof polling was later narrowed and shipped inENG-251, automatic background proof polling was later narrowed and shipped inENG-252, and HTTP file proof publication was later narrowed and shipped inENG-253, while actual DNS proof publication remains future application/provider-managed work until a package owns that path explicitlyENG-247promotes the thirteenth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns tenant-domain ownership proof publication planning throughITenantDomainOwnershipProofPublicationPlanner, proof-publication plan request/result contracts,TenantDomainOwnershipProofPublicationPlanOutcomes,TenantDomainOwnershipProofPublicationPlanMetadataKeys,tenancy.domain-ownership.proof-publication-plan, diagnostics4530-4531, deterministic DNS TXT / HTTP file publication instructions, andtenant-domain-ownershipmetadata for proof-publication planning ownership; HTTP file proof collection was later narrowed and shipped inENG-248, configured DNS TXT proof collection was later narrowed and shipped inENG-250, bounded on-demand proof polling was later narrowed and shipped inENG-251, automatic background proof polling was later narrowed and shipped inENG-252, and HTTP file proof publication was later narrowed and shipped inENG-253, while actual DNS publication remains future application/provider-managed work until a package owns that path explicitlyENG-248promotes the fourteenth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns on-demand tenant-domain ownership HTTP file proof collection throughITenantDomainOwnershipHttpProofCollector, HTTP proof-collection request/result contracts,TenantDomainOwnershipHttpProofCollectionOutcomes,TenantDomainOwnershipHttpProofCollectionMetadataKeys,tenancy.domain-ownership.http-proof-collection, diagnostics4532-4533, HTTPS-by-default host-matched bounded HTTP file fetching, andtenant-domain-ownershipmetadata for HTTP proof-collection ownership while DNS publication, HTTP publication, provider mutation, and tenant-admin/public onboarding remained future application/provider-managed work at that slice boundary; configured DNS TXT proof collection was later narrowed and shipped inENG-250, bounded on-demand proof polling was later narrowed and shipped inENG-251, automatic background proof polling was later narrowed and shipped inENG-252, and HTTP file proof publication was later narrowed and shipped inENG-253ENG-249promotes the fifteenth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns tenant-domain ownership proof verification runner orchestration throughITenantDomainOwnershipProofVerificationRunner, proof-verification request/result contracts,TenantDomainOwnershipProofVerificationOutcomes,TenantDomainOwnershipProofVerificationMetadataKeys,tenancy.domain-ownership.proof-verification-runner, diagnostics4534-4535, challenge/publication-plan/evaluation/optional HTTP collection orchestration, andtenant-domain-ownershipmetadata for proof-verification runner ownership while DNS publication, HTTP publication, provider mutation, and tenant-admin/public onboarding remained future application/provider-managed work at that slice boundary; configured DNS TXT proof collection was later narrowed and shipped inENG-250, bounded on-demand proof polling was later narrowed and shipped inENG-251, automatic background proof polling was later narrowed and shipped inENG-252, and HTTP file proof publication was later narrowed and shipped inENG-253ENG-250promotes the sixteenth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns configured on-demand tenant-domain ownership DNS TXT proof collection throughITenantDomainOwnershipDnsTxtProofCollector, DNS TXT proof-collection request/result contracts,TenantDomainOwnershipDnsTxtProofCollectionOutcomes,TenantDomainOwnershipDnsTxtProofCollectionMetadataKeys,tenancy.domain-ownership.dns-txt-proof-collection, diagnostics4536-4537, explicit DNS-over-HTTPS resolver collection, normalized TXT answer evaluation, andtenant-domain-ownershipmetadata for configured DNS TXT proof-collection ownership while DNS publication, HTTP publication, provider mutation, and tenant-admin/public onboarding remained future application/provider-managed work at that slice boundary; bounded on-demand proof polling was later narrowed and shipped inENG-251, automatic background proof polling was later narrowed and shipped inENG-252, and HTTP file proof publication was later narrowed and shipped inENG-253ENG-251promotes the seventeenth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns bounded on-demand tenant-domain ownership proof polling throughITenantDomainOwnershipProofPollingRunner, proof-polling request/result contracts,TenantDomainOwnershipProofPollingOutcomes,TenantDomainOwnershipProofPollingMetadataKeys,tenancy.domain-ownership.proof-polling-runner, diagnostics4538-4539, catalog scans over pending/rejected HTTP file and DNS TXT declarations, verification-runner delegation, default batch limits, andtenant-domain-ownershipmetadata for proof-polling runner ownership plusexternalProofPollingOwnership = cephalon-managedandbackgroundProofPollingOwnership = application-managed, while DNS publication, HTTP publication, provider mutation, tenant-admin workflow, and public onboarding remained future application/provider-managed work at that slice boundary; automatic background scheduling was later narrowed and shipped inENG-252, and HTTP file proof publication was later narrowed and shipped inENG-253ENG-252promotes the eighteenth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns opt-in automatic background tenant-domain ownership proof polling throughITenantDomainOwnershipProofPollingRuntimeCatalog,TenantDomainOwnershipProofPollingRuntimeSnapshot, theTenantDomainOwnershipProofPollingHostedService,EnableDomainOwnershipProofBackgroundPolling, interval/startup/source options,tenancy.domain-ownership.proof-background-polling, diagnostics4540-4543, runtime-surface metadata for interval, batch, last outcome, run counts, and ownership metadata that flips background proof polling tocephalon-managedonly when enabled, while DNS publication, HTTP publication, provider mutation, tenant-admin workflow, and public onboarding remained future application/provider-managed work at that slice boundary; HTTP file proof publication was later narrowed and shipped inENG-253ENG-253promotes the nineteenth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns tenant-domain ownership HTTP file proof publication throughITenantDomainOwnershipHttpProofPublisher,ITenantDomainOwnershipHttpProofPublicationCatalog, HTTP publication request/result/descriptor/outcome contracts, stable publication metadata keys,tenancy.domain-ownership.http-proof-publication, diagnostics4544-4545, andtenant-domain-ownershipmetadata for HTTP proof-publication ownership/count;Cephalon.MultiTenancy.Governance.AspNetCoreowns the opt-in ASP.NET Core endpoint adapter that serves published proof files while DNS publication, provider mutation, tenant-admin UI, and public onboarding remain future work until a package owns those paths explicitlyENG-254promotes the twentieth governance companion proof:Cephalon.MultiTenancy.Governancenow also owns host-driven tenant administration workflow commands throughITenantAdministrationWorkflow, request/result/command/outcome/metadata-key contracts, membership grant/suspend/expire transitions, invitation issue/accept/revoke/expire transitions,store-failedpersistence posture,tenancy.administration.workflow, diagnostics4546-4547, thetenant-administrationruntime surface, and base-package boundary truth while the ASP.NET Core command endpoint later shipped inENG-255and host-agnostic invitation delivery dispatch later shipped inENG-256; tenant-admin UI, public onboarding, provider-specific invitation senders, and identity-provider synchronization remain future application/provider-managed work until a package owns those paths explicitlyENG-255promotes the first ASP.NET Core tenant-administration endpoint proof:Cephalon.MultiTenancy.Governance.AspNetCorenow addsMapCephalonTenantAdministrationCommands(), the defaultPOST /engine/tenant-administration/commandsroute, fail-closed authorization with optional policy configuration,TenantAdministrationWorkflowRequesttoTenantAdministrationWorkflowResultcommand execution overITenantAdministrationWorkflow, and thetenant-administration-http-endpointsruntime surface while the host-agnostic invitation delivery dispatch lane later shipped inENG-256; tenant-admin UI, public onboarding, provider-specific invitation senders, identity-provider synchronization, distributed/provider-backed governance storage, and provider mutation remain outside this proofENG-256promotes the twenty-first governance companion proof:Cephalon.MultiTenancy.Governancenow owns host-agnostic tenant-invitation delivery dispatch throughITenantInvitationDeliveryDispatcher,ITenantInvitationDeliverySender,ITenantInvitationDeliveryRunCatalog, delivery request/result/run contracts, stable delivery metadata keys and outcomes,tenancy.invitation.delivery-dispatch, diagnostics4548-4549, andtenant-invitationsplustenant-administrationruntime metadata for dispatch enablement, sender IDs/count/ownership, external-delivery ownership, run history, and latest outcome; provider-specific email, SMS, chat, or identity-provider senders remain application/provider-managed until companion packages own those paths explicitly
Recent roadmap memory worth keeping in mind:
- Sprint 35 shipped benchmark expansion for hot paths
- Phase 11 is planned around resilience foundations such as circuit breaker, retry, timeout, bulkhead, rate limiting, and taxonomy additions such as Onion Architecture and Anti-Corruption Layer
- Phase 12 is planned around migration and advanced coordination, including strangler fig, saga choreography, BFF, feature flags, and durable execution foundations; the descriptor-only taxonomy slice is now shipped through
strangler-figandbackend-for-frontend, the first strangler-fig runtime-contract slice is now shipped throughIStranglerFigRouteContributor,IStranglerFigRuntimeCatalog,IStranglerFigRouter,/engine/strangler-fig, andsnapshot.StranglerFigRoutes, the first configuration-driven policy/progress slice is now also shipped throughEngine:Migration:StranglerFig,IStranglerFigMigrationRuntimeCatalog,/engine/strangler-fig/runtime, andsnapshot.StranglerFigRoutePolicies, the first ASP.NET Core host-level cutover slice is now shipped throughEngine:Migration:StranglerFig:AspNetCore,/engine/strangler-fig/cutover, and/engine/strangler-fig/cutover/resolve, the first BFF client-binding runtime is now shipped throughBackendForFrontendClientBindingDescriptor,IBackendForFrontendRuntimeCatalog,Engine:BackendForFrontend:Bindings,/engine/backend-for-frontend, andsnapshot.BackendForFrontendBindings, the first client-aware BFF REST filtering runtime is now shipped throughBackendForFrontendRestEndpointRuntimeDescriptor,IBackendForFrontendRestRuntimeCatalog,/engine/backend-for-frontend/rest-endpoints, andsnapshot.BackendForFrontendRestEndpoints, the first BFF REST documentation/materialization runtime is now shipped throughBackendForFrontendRestDocumentRuntimeDescriptor,IBackendForFrontendRestDocumentRuntimeCatalog,/engine/backend-for-frontend/rest-documents, filtered OpenAPI plus Scalar surfaces, andsnapshot.BackendForFrontendRestDocuments, the first feature-flag runtime baseline is now shipped throughFeatureFlagDescriptor,IFeatureToggle,IFeatureFlagRuntimeCatalog,Engine:Features,/engine/features, andsnapshot.FeatureFlags, the generic external-provider bridge baseline is now also shipped throughFeatureFlagProviderBindingDescriptor,FeatureFlagProviderEvaluationResult,IFeatureFlagProvider,FeatureFlagDescriptor.ProviderBindings,Engine:Features:Flags:*:ProviderBindings, andengine.AddFeatureFlagProvider(...), the first host-agnostic saga choreography baseline is now also shipped throughIBehaviorTopologyBuilder.AsSagaChoreography(),ISagaChoreographyPublisher,SagaChoreographyPublication,SagaChoreographyStepResult,InMemorySagaChoreographyPublisher,ChoreographySagaExecutionStrategy, capabilitybehaviors.saga-choreography, and advisoryABT-005, the explicit saga choreography eventing bridge follow-through is now also shipped throughCephalon.Eventing.Behaviors,AddBehaviorEventingBridge(), capabilityeventing.behaviors.saga-choreography, and thesaga-choreography-bridgesruntime surface, the first higher-level saga choreography authoring-helper follow-through is now also shipped throughISagaChoreographyStepResult,ISagaEventReactor<TEvent>,ISagaEventReactor<TEvent, TOutput>,SagaChoreographyStepResult<TOutput>, and typed JSON helper factories onSagaChoreographyPublication, the first choreography runtime/operator catalog follow-through is now also shipped throughSagaChoreographyRuntimeDescriptor,ISagaChoreographyRuntimeCatalog,/engine/saga-choreographies, andsnapshot.SagaChoreographies, the first live choreography publication-state follow-through is now also shipped throughSagaChoreographyPublicationRuntimeState,ISagaChoreographyPublicationRuntimeStateCatalog,/engine/saga-choreographies/runtime*, andsnapshot.SagaChoreographyPublicationStates, the saga choreography capability-publication follow-through is now also shipped throughbehaviors.saga-choreography.runtime-catalogandbehaviors.saga-choreography.publication-state, and the first durable-execution baseline is now also shipped throughIBehaviorTopologyBuilder.AsDurableExecution(),IDurableExecution<TState>,IDurableExecution<TInput, TState, TOutput>,DurableExecutionState<TState>,DurableExecutionStepResult<TOutput>,DurableExecutionStrategy, capabilitybehaviors.durable-execution, compatibility ruleABT-006, and scopedIEventStorehandoff through Kafka/RabbitMQ/test behavior contexts; the first durable runtime/operator follow-through is now also shipped throughDurableExecutionRuntimeDescriptor,IDurableExecutionRuntimeCatalog,/engine/durable-executions, andsnapshot.DurableExecutions, the first durable live-state/failure-posture follow-through is now also shipped throughDurableExecutionRuntimeState,IDurableExecutionRuntimeStateCatalog,/engine/durable-executions/runtime, andsnapshot.DurableExecutionStates, the first durable timer/signal coordination follow-through is now also shipped throughDurableExecutionPendingTimer,DurableExecutionPendingSignal, the durablewaitingruntime posture,/engine/durable-executions/runtime/timers*, and/engine/durable-executions/runtime/signals*, and the first durable compensation-helper follow-through is now also shipped throughDurableExecutionCompensationAction,DurableExecutionStepResult<TOutput>.CompensationActions,DurableExecutionRuntimeState.CompensationActions, and/engine/durable-executions/runtime/compensations*, while broader traffic-manager or ingress follow-through, non-REST frontend materialization, and provider-specific feature-flag companion packs remain later work - the 2026-04-19
ENG-120slice opened phase 13 with the first cell-based architecture boundary baseline:Cephalon.Abstractionsnow shipsCellBoundaryDescriptor,ICellBoundaryContributor,ICellBoundaryRegistry, andICellBoundaryCatalog,Cephalon.Enginenow projectssnapshot.CellBoundariesplus thecell-boundariestechnology runtime surface, active cell boundaries now auto-select the built-incell-based-architectureprofile, and ASP.NET Core now exposes/engine/cells* - the 2026-04-19
ENG-121slice extended that same phase-13 baseline with the first governed cell-route runtime:Cephalon.Abstractionsnow shipsCellRouteDescriptor,ICellRouteContributor,ICellRouteRegistry, andICellRouteCatalog,Cephalon.Enginenow projectssnapshot.CellRoutesplus thecell-routestechnology runtime surface while validating route ownership against active cells, and ASP.NET Core now exposes/engine/cell-routes* - the 2026-04-19
ENG-122slice extended that same phase-13 baseline again with the first cell health-isolation runtime:Cephalon.Abstractionsnow shipsCellHealthIsolationDescriptor,ICellHealthIsolationContributor,ICellHealthIsolationRegistry, andICellHealthIsolationCatalog,Cephalon.Enginenow projectssnapshot.CellHealthIsolationsplus thecell-health-isolationstechnology runtime surface while validating isolation ownership against active cells, and ASP.NET Core now exposes/engine/cell-health-isolations*as the health posture drill-down over that shared cell graph - the 2026-04-20
ENG-123slice completed the engine-owned phase-13 cell baseline with configuration-driven traffic automation:Cephalon.Abstractionsnow shipsCellTrafficAutomationRuntimeDescriptorplusICellTrafficAutomationRuntimeCatalog,Cephalon.Enginenow bindsEngine:Cells:TrafficAutomationintosnapshot.CellTrafficAutomationsplus thecell-traffic-automationstechnology runtime surface while deriving effective automation policy from active routes plus health isolations, and ASP.NET Core now exposes/engine/cell-traffic-automations* - the 2026-04-21
ENG-135slice extended that same shared cell automation baseline with provider-aware and edge-aware targeting:CellTrafficAutomationRuntimeDescriptornow carries first-classProviderIdplusEdgeNodeIds,ICellTrafficAutomationRuntimeCatalognow answers provider and edge-node drill-downs,Engine:Cells:TrafficAutomationnow supports additive provider plus edge defaults and route overrides, and ASP.NET Core now exposes/engine/cell-traffic-automations/providers/{providerId}plus/engine/cell-traffic-automations/edge-nodes/{edgeNodeId}while the same catalog still stays derived from routes plus health isolations - the 2026-04-21
ENG-136slice added the first provider-managed cell traffic materializer baseline:Cephalon.Abstractionsnow shipsICellTrafficAutomationProviderMaterializerplus typed provider-materialization result/state contracts,Cephalon.Enginenow selects provider materializers byproviderId, seedspendingorunavailableanswers onto the shared automation catalog, and runs startup reconciliation back intosnapshot.CellTrafficAutomations,/engine/cell-traffic-automations*, and thecell-traffic-automationstechnology surface - the 2026-04-21
ENG-137slice added the first edge-runtime cell traffic materializer baseline:Cephalon.Abstractionsnow shipsCellTrafficAutomationMaterializationResult,CellTrafficAutomationMaterializationStates, andICellTrafficAutomationEdgeMaterializer,Cephalon.Enginenow selects one edge materializer peredge-managedorprovider-and-edge-managedautomation and writes the observed posture back into the same shared automation catalog, andCephalon.Edgenow contributesEdgeTrafficAutomationMaterializerso targetededgeNodeIdsreconcile through the same/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andcell-traffic-automationstechnology surface - the 2026-04-21
ENG-138slice hardened richer multi-provider reconciliation on that same shared cell automation baseline:ICellTrafficAutomationProviderMaterializernow carriesPriorityplusCanMaterialize(...),ICellTrafficAutomationEdgeMaterializernow carriesPriority,CellTrafficAutomationRuntimeDescriptornow carries derivedMaterializationState,MaterializationObservedAtUtc, andMaterializationError, andCephalon.Enginenow selects the highest-priority matching provider or edge materializer while publishing matching-candidate counts, selected-priority metadata, and overall state breakdown on/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, and thecell-traffic-automationstechnology surface - the 2026-04-21
ENG-139slice added the first provider-specific control-plane materializer throughCephalon.Edge.KubernetesGateway:KubernetesGatewayTrafficMaterializerOptions,KubernetesGatewayTrafficRouteOptions, andAddKubernetesGatewayTrafficMaterializer(...)now project deterministic Kubernetes Gateway API intent back onto the same shared automation catalog and the provider-facingkubernetes-gateway-traffic-materializationstechnology surface while keepingstatusSource = configured-intenttruthful - the 2026-04-21
ENG-140slice added the first live Kubernetes Gateway observation overlay on that same baseline:Cephalon.Abstractionsnow shipsICellTrafficAutomationMaterializationReportSink,Cephalon.Enginenow lets provider or edge observers merge live materialization answers back into the same shared automation catalog, andCephalon.Edge.KubernetesGatewaynow addsKubernetesGatewayTrafficObservationModes,KubernetesGatewayTrafficObservationOptions, and opt-inobserve-onlypolling so selected routes can publish liveGatewayplusHTTPRouteconditions, drift, and freshness metadata through/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andkubernetes-gateway-traffic-materializations - the 2026-04-21
ENG-141slice hardened that same Kubernetes Gateway baseline with the first apply-and-reconcile loop:KubernetesGatewayTrafficObservationModesnow addsapply-and-reconcile, configured intent now stays truthfullypending,Cephalon.Edge.KubernetesGatewaynow writes only ownedHTTPRouteresources while treatingGatewayas a pre-provisioned dependency, and the same shared automation surfaces now publish ownership-aware write metadata together with observedGatewayplusHTTPRoutestatus - the 2026-04-21
ENG-142slice proved the shared provider-materializer seam against a second control-plane family throughCephalon.Edge.Traefik:TraefikTrafficMaterializerOptions,TraefikIngressRouteOptions,TraefikMiddlewareReferenceOptions, andAddTraefikTrafficMaterializer(...)now project deterministic TraefikIngressRouteintent back onto the same shared automation catalog and the provider-facingtraefik-ingressroute-traffic-materializationstechnology surface while keepingstatusSource = configured-intenttruthful - the 2026-04-21
ENG-143slice hardened shared control-plane ownership lifecycle truth on that same automation baseline:Cephalon.Abstractionsnow shipsCellTrafficAutomationOwnershipStates,CellTrafficAutomationDependencyStates,CellTrafficAutomationDriftStates, andCellTrafficAutomationLifecycleActions,Cephalon.Enginenow seeds and derives normalizedproviderMaterialization.*,edgeMaterialization.*, andmaterialization.*lifecycle summaries for ownership, dependency, drift, and lifecycle action on the same/engine/cell-traffic-automations*plussnapshot.CellTrafficAutomationssurfaces, andCephalon.Edge,Cephalon.Edge.KubernetesGateway, plusCephalon.Edge.Traefiknow publish the same lifecycle vocabulary instead of provider-local status taxonomies - the 2026-04-21
ENG-144slice added the first live Traefik observation overlay on that same baseline:Cephalon.Edge.Traefiknow shipsTraefikTrafficObservationModes,TraefikTrafficObservationOptions, and opt-inobserve-onlypolling over TraefikIngressRoute,Middleware,TLSOption, backendService, and TLSSecretresources so selected routes can publish live existence, ownership, dependency, drift, and freshness metadata through/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andtraefik-ingressroute-traffic-materializationswhile keeping write ownership and apply-and-reconcile as later follow-through - the 2026-04-21
ENG-145slice closed that immediate Traefik follow-through with the first owned apply-and-reconcile loop:TraefikTrafficObservationModesnow addsapply-and-reconcile,Cephalon.Edge.Traefiknow creates or replaces only ownedIngressRouteresources while treatingMiddleware,TLSOption, backendService, and TLSSecretresources as pre-provisioned dependencies, and the same shared automation surfaces now publishstatusSource = control-plane-apply,ingressRouteWriteAction, and merged live Traefik observation truth without inventing a second registry - the 2026-04-22
ENG-146slice hardened provider-native lifecycle execution across both shipped control-plane packs:Cephalon.Edge.KubernetesGatewayandCephalon.Edge.Traefiknow classify external unmanaged resources separately from stale or incomplete Cephalon ownership metadata, lazily resolve active owners throughICellTrafficAutomationRuntimeCatalog, preserve previous-owner metadata during transfer-aware adoption, and keep mergedcreate/replace/transferlifecycle truth visible on the same shared automation and provider-specific surfaces instead of collapsing successful reconciliation back toobserve - the 2026-04-22
ENG-147slice closed the first provider-native cleanup sweep baseline on that same runtime story:KubernetesGatewayTrafficObservationOptionsandTraefikTrafficObservationOptionsnow expose opt-inEnableCleanupSweep, both provider packs now run namespace-scoped delete or prune sweeps over stale transferred or orphaned provider-owned routes only duringapply-and-reconcile, and the same shared automation plus provider-specific surfaces now publish additiveproviderMaterialization.cleanup*,cleanupState,cleanupObservedAtUtc, and cleanup lifecycle summaries without inventing a second lifecycle registry - the 2026-04-22
ENG-150slice added richer provider-native condition semantics on that same runtime story:Cephalon.Abstractionsnow shipsCellTrafficAutomationMaterializationConditionDescriptorplus stable condition dimensions/categories/states/severities, provider and edge materialization results now carry typedConditions,CellTrafficAutomationRuntimeDescriptornow carries mergedMaterializationConditions, andCephalon.Engine,Cephalon.Edge,Cephalon.Edge.KubernetesGateway, plusCephalon.Edge.Traefiknow publish additivematerialization.*,providerMaterialization.*, andedgeMaterialization.*condition summaries such asconditionCount,conditionBreakdown, andhighestConditionSeverityinstead of provider-local condition vocabularies - the 2026-04-20
ENG-124slice opened the first data mesh runtime baseline:Cephalon.Abstractionsnow shipsIDataProduct<T>plusDataProductDescriptor,IDataProductCatalog,IDataProductContributor, andIDataProductRegistry,Cephalon.Enginenow projectssnapshot.DataProducts, and ASP.NET Core now exposes/engine/data-products*so module-owned query surfaces stay grounded insourceModuleId,domainId,contractId, andmode; provider-specific self-serve data infrastructure remained later follow-through from that baseline - the 2026-04-20
ENG-125slice closed the first CDC capture runtime baseline:Cephalon.Abstractionsnow shipsICdcCaptureplusCdcCaptureDescriptor,ICdcCaptureCatalog,ICdcCaptureContributor, andICdcCaptureRegistry,Cephalon.Enginenow projectssnapshot.CdcCaptureswhile validatingsourceModuleIdplusoutboxIdagainst active runtime truth, and ASP.NET Core now exposes/engine/cdc-captures*so module-owned CDC posture stays grounded inprovider,sourceId,outboxId,mode,eventFormat, andresourceIds; provider-specific WAL/change-stream execution remains later follow-through - the 2026-04-20
ENG-126slice added the first live CDC runtime-state follow-through:Cephalon.Abstractionsnow shipsCdcCaptureRuntimeStateplusICdcCaptureRuntimeStateCatalog,Cephalon.Datanow reports descriptor-backed capture observations throughICdcCaptureRuntimeReporter,Cephalon.Enginenow projectssnapshot.CdcCaptureStates, and ASP.NET Core now exposes/engine/cdc-captures/runtime*so operators can inspect latest capture counts, checkpoints, errors, and optional linkedOutboxDispatchStatewithout inventing a host-only CDC monitor - the 2026-04-20
ENG-127slice extended that same CDC runtime baseline with typed operational posture:Cephalon.Abstractionsnow shipsCdcCaptureFreshnessStatus,CdcCaptureLagStatus, andCdcCapturePublicationStatus,Cephalon.Datanow letsCdcCaptureExecutionReportcarry freshness windows, lag posture, pending source-change counts, and pending publication counts, and the shared runtime-state catalog now keepssnapshot.CdcCaptureStatesplus/engine/cdc-captures/runtime*truthful with conservative linked-dispatch publication overlays instead of metadata-only parsing - the 2026-04-20
ENG-128slice closed the shared CDC hosted-execution substrate baseline:Cephalon.Abstractionsnow shipsCdcCaptureExecutionResultplus stableICdcCapture.CdcCaptureIdandIOutbox.OutboxIdidentities,Cephalon.Datanow owns the optional in-process CDC pump throughDataRuntimeOptions.EnableCdcExecution,data.cdc.execution,data-cdc-capture-flow, anddata-cdc-capture-pump, the shared pump now stages bounded capture batches through the linked outbox while reporting back into the same CDC runtime-state catalog, and the broader runtime now exposes the same execution lifecycle through/engine/execution-graphs,/engine/hosted-executions,/engine/runtime-story, andsnapshot.OperationalStorywithout replacing/engine/cdc-captures* - the 2026-04-20
ENG-129slice closed the shared CDC acknowledgement and checkpoint-commit follow-through:Cephalon.Abstractionsnow shipsCdcCaptureExecutionAcknowledgementplusICdcCaptureAcknowledger,Cephalon.Datanow lets the shared pump acknowledge provider progress only after linked outbox staging succeeds, the shared runtime now reportsacknowledgementandacknowledgerServiceTypemetadata on success plusfailureKind = acknowledgementwith pending checkpoint/change-id metadata on acknowledgement failure, and thedata-cdc-capture-flowexecution graph now includes the explicitacknowledge-cdc-progressstep so/engine/execution-graphs,/engine/hosted-executions,/engine/runtime-story, and/engine/snapshotstay aligned with the actual replay-safe loop - the 2026-04-20
ENG-130slice closed the first CDC execution-runtime catalog baseline:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeDescriptor,CdcCaptureExecutionRuntimeSummary, andICdcCaptureExecutionRuntimeCatalog,Cephalon.Datanow contributes the shareddata-cdc-capture-pumpexecution runtime with ownership/topology/acknowledgement metadata plus a summary derived from the shared CDC runtime-state catalog,Cephalon.Enginenow projectssnapshot.CdcCaptureExecutionRuntimes, andCephalon.AspNetCorenow exposes/engine/cdc-capture-runtimes*so shared or future provider-native CDC runners can publish one truthful execution-topology answer without replacing/engine/cdc-captures*or/engine/cdc-captures/runtime* - the 2026-04-21
ENG-131slice closed the first CDC execution-ownership binding baseline:Cephalon.Abstractionsnow shipsCdcCaptureExecutionBindingDescriptor,CdcCaptureDescriptorplusCdcCaptureRuntimeStatenow carryExecutionBinding,Cephalon.Datanow resolves authored/requested/effective capture ownership deterministically from active runtime claims while rejecting ambiguous competing claims and keeping the shared pump scoped to its effective owner, andCephalon.AspNetCorenow exposes/engine/cdc-captures/execution-runtimes/{executionRuntimeId}plus/engine/cdc-captures/runtime/execution-runtimes/{executionRuntimeId}so capture-first and runtime-first ownership views stay on the same truth - the 2026-04-21
ENG-132slice closed the first CDC external execution-runtime declaration baseline:Cephalon.Abstractionsnow promotes first-class execution runtime ownership/topology/execution-link fields plus inverseGetByExecutionRuntimeId(...)lookups on the shared CDC catalogs,Cephalon.Datanow acceptsDataRuntimeOptions.CdcExecutionRuntimesthroughCdcCaptureExecutionRuntimeOptionsandConfiguredCdcCaptureExecutionRuntimeContributorso hosts can declare external-managed or provider-native runtimes on the same operator surface, and the shared pump now stays scoped away from captures effectively owned by those configured runtimes while/engine/cdc-capture-runtimes*, inverse capture/runtime routes, andsnapshotstay aligned on the same truth - the 2026-04-21
ENG-133slice shipped the first concrete provider-native CDC runner throughCephalon.Data.MongoDB:MongoDbChangeStreamCaptureOptionsnow contribute provider-native MongoDB change-stream captures, the runtime now exposes capabilitydata.cdc.mongodbplusmongodb-change-stream-capture-flowandmongodb-change-stream-capture-pump, durable resume-token checkpoints now live in the MongoDB provider path, and CDC descriptors can preserve authoredsourceModuleIdwhile surfacingcontributorModuleIdseparately when the provider pack contributes on behalf of another module - the 2026-04-21
ENG-134slice closed the first external CDC runtime live-reporting baseline:Cephalon.Abstractionsnow shipsCdcCaptureRuntimeObservationplusICdcCaptureExecutionRuntimeReportSink,Cephalon.Datanow exposes opt-inDataRuntimeOptions.EnableExternalCdcRuntimeReportingso the shared runtime-state catalog can accept validated execution-runtime-owned reports keyed byexecutionRuntimeId, and ASP.NET Core now exposesPOST /engine/cdc-capture-runtimes/{executionRuntimeId}/reportsonly when that sink is active so out-of-process runners can refresh/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*, andsnapshotwithout inventing a second registry - the 2026-04-22
ENG-148slice added the second provider-native CDC runner and first relational proof on that same shared CDC runtime story:Cephalon.Data.SqlServernow contributesAddSqlServerData(...),SqlServerCdcCaptureOptions,sqlserver-cdc-capture-flow,sqlserver-cdc-capture-pump, durablestartLsn|seqval|operationcheckpoints, and the same/engine/cdc-*truth model already used by MongoDB so document and relational capture providers now sit on one ownership/runtime-story contract - the 2026-04-22
ENG-149slice hardened that external CDC reporting seam with first-class retry, ordering, and freshness-expiry truth:CdcCaptureRuntimeObservationnow carries stableReportId, declared execution runtimes can now setObservationStaleAfterSecondsplusRejectOutOfOrderReports,CdcCaptureRuntimeStateplusCdcCaptureExecutionRuntimeSummarynow surfaceLastReportIdand typedObservationFreshness, and the samePOST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*, andsnapshotsurfaces now stay truthful under retries, delayed deliveries, and stale external runners without inventing a second watchdog registry - the 2026-04-22
ENG-152slice deepened that same external and edge-aware CDC execution story with first-class reporter and edge identity:CdcCaptureRuntimeObservationplusCdcCaptureExecutionReportnow carryReporterIdplusEdgeNodeId, declared execution runtimes can now setReporterLeaseSeconds,RejectConflictingReporterIds, andEdgeNodeIds,CdcCaptureRuntimeStateplusCdcCaptureExecutionRuntimeSummarynow surfaceLastReporterId,ActiveReporterId,ReporterLeaseExpiresAtUtc,ObservedEdgeNodeIds, andLastEdgeNodeId, and the samePOST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*, andsnapshotsurfaces now stay truthful under reporter-lease conflicts and edge-node allow-list validation without inventing a second topology coordinator - the 2026-04-22
ENG-153slice added the third provider-native CDC runner and the first logical-replication streaming proof on that same shared runtime story:Cephalon.Data.Postgresnow contributesAddPostgresData(...),PostgresLogicalReplicationCaptureOptions,postgresql-logical-replication-capture-flow,postgresql-logical-replication-capture-pump, slot-backed durableslotName|commitLsn|transactionEndLsncheckpoints, publication/table validation, optional slot creation, and the same/engine/cdc-*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces without inventing a PostgreSQL-specific CDC registry - the 2026-04-22
ENG-154slice hardened that same PostgreSQL runner with publication and slot lifecycle truth:PostgresLogicalReplicationCaptureOptionsnow exposesRecreateSlotIfInvalidated, provider-native transport execution now validates slot type/plugin/database ownership plus invalidated or WAL-loss posture, inactive invalidated slots can now be recreated intentionally, and the same/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces now publish additiveslotLifecycleState,slotLifecycleAction,slotResumeMode,slotRestartLsn,slotConfirmedFlushLsn,slotWalStatus,slotInvalidationReason, and provider-specific failure-kind answers without inventing a PostgreSQL-only lifecycle registry - the 2026-04-22
ENG-155slice added richer external and edge-aware CDC failover plus takeover truth on that same shared runtime story:CdcCaptureRuntimeStateplusCdcCaptureExecutionRuntimeSummarynow surface typedReporterCoordination,Cephalon.Datanow records rejected conflicting reporters plus accepted post-expiry takeovers on the shared runtime-state catalog, and the samePOST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*, andsnapshotsurfaces now answer active-owner versus expired-lease versus conflicted reporter posture without inventing a second topology coordinator - the 2026-04-22
ENG-156slice hardened that same shared external CDC runtime story with richer multi-reporter reconciliation and operator-story truth:Cephalon.Abstractionsnow shipsCdcCaptureReporterParticipantRolesplusCdcCaptureReporterParticipantStatus,CdcCaptureReporterCoordinationStatusnow carriesReporterParticipants,HasStandbyReporters, andHasRejectedReporters, andCephalon.Datanow keeps accepted previous owners visible as standby participants plus rejected conflicts visible as rejected participants on the samePOST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*, andsnapshotsurfaces without inventing a second coordination registry - the next REST feature-rollout follow-through is now also shipped: ASP.NET Core endpoints can require one or more feature flags through
RequireFeatureFlag(...)/RequireFeatureFlags(...), shorthand REST governance can rewrite or clear those rollout boundaries throughRestApi:Overrides, request-time HTTP evaluation now feeds the active host environment intoIFeatureToggle, and/engine/rest-endpointsplussnapshot.RestEndpointspreserve both effective and original required feature ids without hiding the published endpoint from operator introspection - the next shared behavior-execution feature-rollout follow-through is now also shipped:
IBehaviorTopologyBuilder.RequireFeatureFlag(...)/RequireFeatureFlags(...),BehaviorTopologyDescriptor.RequiredFeatureFlagIds, andBehaviorTopologyDescriptor.SourceModuleIdnow let behavior authors keep rollout gates in the shared topology, source-generated literals preserve those ids,Cephalon.Behaviorsevaluates them throughIFeatureToggleusing behavior/module/transport/environment/tenant/subject/tag context,BehaviorFeatureDisabledExceptionkeeps the rejection host-agnostic,BehaviorRuntimeContributornow reports feature-gated behavior counts plus per-behavior ownership metadata, and REST helper plus JSON-RPC transports now map the same shared gate without replacing it with host-only truth while messaging bindings treat disabled executions as skipped outcomes rather than retryable failures - the generic external-provider feature-flag bridge now keeps Cephalon descriptors as the runtime source of truth while letting provider packs contribute additional gates through typed bindings and
IFeatureFlagProvider;/engine/features/{featureFlagId}/evaluatenow publishes provider-result details, and behavior-owned HTTP execution now resolves subject identity fromNameIdentifier,sub, orIdentity.Nameso provider-backed feature gates see the same subject truth as direct REST endpoint evaluation
Collaboration agreements
Section titled “Collaboration agreements”These are explicit working agreements from the current collaboration and should be extended as new standing decisions are made.
- when the team settles on an approach, plan, recurring workflow, or repeated command pattern, record it in project memory so it does not rely on thread-local recall alone
- when planning or docs start to imply that a package is runtime-ready, verify whether the surface is
taxonomy-only,application-managed,cephalon-managed, orprovider-managedbefore widening the claim - do not add descriptor-first breadth to mixed-maturity runtime packs unless the slice is intentionally labeled
M0orM1, or it carries a concrete proof path toM2and beyond - when deeper or version-sensitive external research is needed, especially around
.NET,.NET 10, libraries, frameworks, support policy, or official guidance, use internet research instead of relying only on prior model knowledge - when recording .NET planning decisions, prefer exact release and support dates over relative wording; the current official planning anchor is
.NET 10LTS released onNovember 11, 2025with support throughNovember 14, 2028, while.NET 11is in Preview 3 onApril 26, 2026with final release expected inNovember 2026 - when using preview-era
.NETguidance for Cephalon planning, record the exact preview state and keep the decision boundary explicit: previews are for compatibility assessment, benchmarks, analyzer review, and migration rehearsal, while stable Cephalon packages stay on the current supported shipping floor until the migration lane is intentionally approved - when delegating research work to sub-agents, prefer primary and official sources first, then synthesize the result back into repo context for Cephalon-specific decisions
- for meaningful work, prefer using sub-agents in complementary roles when that improves the outcome, for example business/product framing, architecture, design patterns, documentation, planning cards, quality review, testing, benchmarking, or other task-shaped specialties
- sub-agents may be used freely when they materially improve the outcome; there is no artificial cap on how many architecture, documentation, quality, research, benchmarking, or planning helpers can collaborate on Cephalon work
- let sub-agents collaborate as a working group rather than as isolated note takers; they can cross-check one another’s reasoning, surface tradeoffs, and help review the same change from different perspectives before the final decision lands
- sub-agents may use internet research when it helps them validate framework guidance, technical options, benchmarks, security practices, documentation, or other external references that matter to the decision
- repo-local memory is the reliable cross-thread source of truth; agreements that matter beyond the current thread should be written down here or in another repo-owned document
- keep generic hosting tests deterministic by isolating them from transitive sample
Configurationscontent, and keep sample-host tests such as the showcase harness pointing at their real project content roots explicitly instead of relying on whatever config files happen to be copied into a test output folder - Cephalon is still in an active POC and invention phase, so decisions should not stay trapped by the current implementation alone; if a materially better approach exists for engine quality, architecture, performance, security, developer ergonomics, or future-proofing, it is acceptable to change direction deliberately
- when rethinking an area during this POC phase, optimize for making Cephalon a stronger long-term engine: reduce common developer pain, keep the platform broad enough for varied project types, and prefer durable engine primitives over short-term local convenience
- Cephalon does not yet have legacy production consumers that must be preserved at all costs; when a compatibility shim conflicts with a cleaner long-term engine contract during the POC phase, prefer removing the shim and shipping the better design deliberately
Current standing examples from this collaboration:
- keep important collaboration memory in
docs/project-memory.md - keep the durable planning workflow explicit through
docs/planning-governance.md; meaningful work must stay aligned across repo docs, GitHub Project tracking, sprint placement, validation expectations, and commit-reference history - once an
ENG-*id is part of the durable project record, treat it as immutable; future planning resets should allocate fresh ids instead of reusing shipped history - treat internet-backed research as the default follow-through for sub-agent learning tasks when accuracy or freshness matters
- when making reusable framework or package-family decisions, default to official Microsoft or NuGet guidance for library design, compatibility, analyzers, packaging, Source Link, and publishing hygiene before inventing a repo-local convention
- package-family decisions should optimize for long-term discoverability and upgrade safety: prefer a coherent
Cephalon.*taxonomy, complete NuGet metadata, Source Link, symbols, SemVer, package-validation baselines, and trusted publishing rather than treating packaging as an afterthought - future-facing Cephalon work should reduce end-user code by moving variability into engine-owned configuration, projected low-code surfaces, module/package composition, and runtime truth instead of requiring app projects to rewrite architecture decisions locally
- when a coding task is complete and the change is validated, stage only the intended files, create a commit, keep
masterupdated as the integration branch, push the finished work to GitHub, and leave project docs aligned with the shipped behavior - when a code change affects documented behavior, inspect the related
docs/*graph and update every impacted hand-authored document that references that surface instead of patching only one nearby page - when work touches a public/runtime/package surface, check the live source together with
docs/components/*,docs/compatibility.md, readiness or validation docs, and planning docs before deciding that the change is complete - when database-topology operator guidance becomes a stable reusable runtime answer, move it into an engine-owned route and snapshot contract first, then let the showcase sample consume that answer and add only sample-specific adaptation
- GitHub Project cards should contain enough narrative detail for a reader to understand the work without extra thread context, and they should populate the standard fields
Assignee,Label,Type,Project,Estimate,Iteration,Test,Benchmark,Milestone, andRelationshipwhen cross-card references exist - when a commit materially advances a GitHub Project card, add a card comment that records what changed and references the commit id so the card keeps a readable implementation history
- roadmap, backlog, sprint placement, plan details, and GitHub Project cards must stay synchronized; if scope, estimate, validation, milestone, or relationships change, update both the docs and the card instead of leaving one side stale
- repository-facing written artifacts should be in English, including hand-authored documentation, commit messages, and planning or tracking content that becomes part of the project record
- use sub-agents proactively for review, consultation, and parallel investigation when a task benefits from multiple perspectives instead of treating delegation as a last resort
- default to the OpenAI Codex CLI (
gpt-5.5) and Anthropic Claude Code (opus-4.7) as dual primary code-management seats for actively shaping, editing, refactoring, and committing repository source; either seat may drive any given slice while keeping the samedocs + source + planningtruth aligned through the existingdocs/components/*,docs/project-memory.md,docs/architecture.md,docs/compatibility.md,docs/engine-roadmap.md, anddocs/engine-backlog.mdgraph; other agents and tools may still research, review, validate, benchmark, or plan in parallel, but treat Codex CLI as the authoritative editing surface for landed code changes by default - when committing or pushing repository changes from any seat (Codex CLI, this assistant, or another tool), use the
Cephalon-NezaGit/GitHub account as the default author and pusher so commit history, GitHub Project card comments, and remote push attribution stay aligned with the intended project identity instead of leaking ad-hoc local user identity into the durable record - when promoting trim, Native AOT, or single-file from
not-claimedtoclaimed, the plannedscripts/validate-deployment-mode-claims.ps1harness’sclaim-truthfulverdict is the authoritative gate; analyzer-only signals, local publish experiments, or untruthful manifest edits do not widen the support contract by themselves (seedocs/deployment-mode-support.mdfor harness scope) - keep future-facing engine quality in view during POC work, including architecture strength, design-pattern fit, performance, security, support for broad project shapes, and overall developer experience
- when a host exposes both module-owned REST helpers and generic behavior HTTP routes, treat the module-owned REST groups as the public REST/OpenAPI/Scalar surface and keep the generic behavior routes focused on non-REST adapter transports
OpenApi:EnabledVersionsand legacyOpenApi:Documentsgovern only the published OpenAPI + Scalar document set; generic behavior HTTP adapter routes resolve their version/document segment fromApiRoutes:DefaultBehaviorDocumentNameor, when unset, the raw configuredOpenApi:DefaultVersion- module-owned REST version segments default to the owning module major version; tests or harnesses that target a module-owned public REST surface should derive that
/api/v{major}segment from module metadata instead of hardcodingv1, and showcase transport projections should keeprestOperationsseparate from generic behaviortransportIds - public REST is module-owned only: do not declare
http.restin[BehaviorAllowedTransports(...)]orConfigureTopology(...); author REST throughRestBehaviorModuleBase.ConfigureRestBehaviors(...)by default and reserve low-levelMapBehaviorRestGroup(...)work for advanced/manual cases - lower-ceremony REST authoring is now shipped only as metadata or projection-driven shorthand that still materializes into module-owned public REST; do not go back to direct behavior-owned REST activation
- if a higher-precedence module-owned REST mapping exists for a behavior, suppress lower-precedence implicit, generated, or convention REST projections for that same behavior by default instead of running them side by side
- the shipped generated-module REST shorthand stays explicit and module-owned through
IRestBehaviorEndpointGroupBuilder.MapGeneratedProfiles(),MapGeneratedProfiles(string),IRestBehaviorModuleBuilder.MapGeneratedProfileGroups(string), its shared-group-configuration overload, its derived-prefix-aware overload, andIRestBehaviorModuleBuilder.GroupFromBehaviorIdPrefix(string): it prefers source-generatedGetRestProfiles()plusGetRestProfileBehaviorTypes()hints, falls back only to a bounded scan of the explicit owning module assembly when generated type hints are unavailable, can now derive/foo/barfromfoo.barfor the common generated route-group path, can also fan one generated root prefix out into several derived route groups by each behavior id’s parent prefix while preserving the same generated shorthand/runtime truth, can now stamp different API-version/tag/governance-scope conventions per derived branch with awareness of the exact generated behavior-id prefix, and still never publishes public REST from[AppBehavior]alone - hosts can now govern that same shorthand ownership model by exact behavior id or subtree
BehaviorIdPrefixes, which is especially important forMapGeneratedProfileGroups(...)because one rule can target one generated grouped branch without enumerating every exact generated candidate id - the shipped low-code inline module-owned REST helpers are
engine.AddRestBehaviorModule<TMarker>(...),engine.AddGeneratedRestBehaviorModule<TMarker>(...), andengine.AddGeneratedRestBehaviorModuleGroups<TMarker>(...): their commonmoduleId/displayName/descriptionoverloads now keep the inline path terse without manualModuleDescriptorconstruction, while the descriptor-based overloads remain the advanced path for richer inline metadata; all three forms materialize real modules without dedicated module classes, reuse the same normalized projection/materialization/candidate/publication-group/governance pipeline asRestBehaviorModuleBase, useTMarkeras the source-assembly marker for generated profiles and as each helper’s distinct module-type identity, expect one stable marker type per inline module, let the common generated inline path derive its behavior-id prefix directly from the inline module id, let the grouped generated inline path keep the sameMapGeneratedProfileGroups(...)ownership/runtime story without a dedicated module class, reuse the same fail-fast deterministic grouped-prefix validation across dedicated-module and inline-helper paths, keep explicitbehaviorIdPrefixoverloads available when inline module identity and generated ownership should differ, and still never publish public REST from[AppBehavior]alone - grouped generated shorthand can now also configure each derived group with awareness of its exact generated behavior-id prefix through both dedicated-module and inline-helper overloads, so one owner can stamp different API-version, tag, or host-governance-scope conventions per branch without leaving the low-code grouped-generated path; generated shorthand still remains host-governable by default
- route groups can now also stamp one stable authored governance scope through
WithHostGovernanceScope("scope"); that value flows intoOriginalProjection.HostGovernanceScopefor runtime truth and host selector targeting, but it does not opt explicit module-DSL routes into host governance by itself - scope-first REST governance validation should prefer real
HostGovernanceScopestargeting over behavior-id stand-ins so suppression catalogs, override catalogs, publication groups, authoring-policy answers, andsnapshotall prove the same selector story end to end - overlapping behavior-targeted REST governance rules now prefer exact behavior ids over broader subtree prefixes and then prefer longer prefixes over shorter ones; runtime selection-basis answers expose that decisive subtree reason as
narrower-behavior-scope - even with the shipped low-code REST shorthand,
[AppBehavior]plus auto-registration alone must still not publish a public REST boundary; shorthand must remain an explicit REST opt-in - the shipped behavior-authored REST metadata bridge is
BehaviorRestProfileAttributeplus optional repeatedBehaviorRestBindingAttributedeclarations inCephalon.Behaviors.Http: together they declare a candidate REST method, relative pattern, optional API major version, explicit route/query/header/body input-binding descriptors, and optional preserved implicit-query fallback intent for the shipped module-owned profile/generated projection paths, but they remain metadata-only, do not publish public REST by themselves, and do not override host OpenAPI document publication policy - the shipped explicit consumption path for that metadata is
IRestBehaviorEndpointGroupBuilder.MapProfile<TBehavior>(): it stays module-owned, prefers source-generatedGetRestProfiles()hints, falls back only to the explicitly targeted behavior type when generated hints are unavailable, seeds a group API version only when.ApiVersion(...)is not set explicitly, fails fast when profiled behaviors in the same group declare conflicting candidate API versions, preserves explicit binding descriptors through the same normalized projection pipeline, and now also honors profile-authored preserved implicit query fallback when the profile explicitly opts into it - the current
RestBehaviorModuleBaseDSL now compiles into a normalized internal REST projection contract before ASP.NET Core materialization, and the shipped runtime follow-through now exposes resolved public REST truth throughIRestEndpointRuntimeCatalog,/engine/rest-endpoints,/engine/rest-endpoints/{restEndpointId}, andsnapshot.RestEndpoints - the shipped profile-consumption shorthand keeps runtime publication on the same
sourceKind = module-dslpath, while/engine/rest-endpointsnow distinguishes shorthand-authored endpoints through first-classRestEndpointRuntimeDescriptor.AuthoringStyle = behavior-module-profileand exposes explicit profile-driven binding plans through the typedRestEndpointRuntimeDescriptor.BindingDescriptorssurface plus the matchingsnapshot.RestEndpointsdata instead of treatingmetadatadictionaries as the canonical answer - the shipped generated module-owned shorthand also keeps runtime publication on the same
sourceKind = module-dslpath, while/engine/rest-endpointsnow distinguishes generated shorthand through first-classRestEndpointRuntimeDescriptor.AuthoringStyle = behavior-module-generated - published behavior-backed endpoints now also expose typed nullable
RestEndpointRuntimeDescriptor.CandidateId, so operators can jump from/engine/rest-endpointsorsnapshot.RestEndpointsdirectly to the originating shorthand candidate even when host overrides rewrote the final published route shape, while manual endpoints staynull - published endpoints now also expose typed nullable
RestEndpointRuntimeDescriptor.RouteGroupPrefixandRelativePattern, so operators can read the resolved grouped public route boundary directly from/engine/rest-endpointsorsnapshot.RestEndpointswithout treatingmetadata.routeGroupPrefixormetadata.relativePatternas the canonical runtime answer - published behavior-backed endpoints now also expose typed nullable
RestEndpointRuntimeDescriptor.BehaviorType, so operators can read the concrete behavior implementation identity directly from/engine/rest-endpointsorsnapshot.RestEndpointswithout treatingmetadata.behaviorTypeas the canonical runtime answer, while manual non-behavior endpoints staynull - published endpoints now also expose typed nullable
RestEndpointRuntimeDescriptor.SourceId, so operators can read the published source identity directly from/engine/rest-endpointsorsnapshot.RestEndpointswithout treatingmetadata.sourceIdas the canonical runtime answer - published endpoints now also expose typed nullable
RestEndpointRuntimeDescriptor.OriginalRequiredCapabilityKeyplusAppliedOverrideId, so the final/engine/rest-endpointsandsnapshot.RestEndpointssurfaces can explain source-versus-effective capability governance directly when shorthand overrides rewrite or clear a public REST boundary - published endpoints now also expose ordered
RestEndpointRuntimeDescriptor.MatchedOverrideIds, so operators can see the full shorthand override match set on the final published/engine/rest-endpointsandsnapshot.RestEndpointssurface without joining back to the candidate catalog; capability-only no-op matches should stay visible there even whenAppliedOverrideIdremainsnull - the typed override-effect baseline now also exposes
RestEndpointOverrideActionKindplus configuredRestEndpointOverrideDescriptor.ActionKinds, while shorthand candidates and published endpoints now exposeSelectedOverrideActionKindsplusAppliedOverrideActionKindsso declared-versus-effective override dimensions stay visible on/engine/rest-endpoint-overrides,/engine/rest-endpoint-candidates,/engine/rest-endpoints, and the matching snapshot surfaces; no-op winners keep selected action kinds visible while applied action kinds remain empty - reorder-only shorthand binding overrides are now treated as semantic no-op governance everywhere the shipped shorthand pipeline compares binding plans: candidate resolution, projection reuse, and post-materialization structural override reconciliation all share the same equivalent-binding-set comparison, so if a host or future synthetic candidate path restates an equivalent explicit binding set in a different order, candidates and published endpoints keep
MatchedOverrideIdsvisible but leaveAppliedOverrideId = null, and the source explicit binding order remains the authoritative runtime answer - published endpoints now also expose typed nullable
RestEndpointRuntimeDescriptor.OriginalProjection, so operators can compare original shorthand method, route, document-version, tag, and binding-plan truth against the final published endpoint directly from/engine/rest-endpointsorsnapshot.RestEndpointswithout joining back to/engine/rest-endpoint-candidates; manual and behavior-helper endpoints staynull - published endpoints now also expose typed nullable
RestEndpointRuntimeDescriptor.OriginalEndpointName,OriginalSummary, andOriginalDescription, so operators can compare original shorthand endpoint metadata against the final published endpoint directly from/engine/rest-endpointsorsnapshot.RestEndpointswithout falling back to behavior docs; manual and behavior-helper endpoints staynull - shorthand REST materialization now reads
ProjectedEndpoint.RouteGroupPrefixdirectly when it publishes effective route groups, so compatibilitymetadata.routeGroupPrefixis no longer part of internal runtime behavior and the typed route-boundary contract now drives both operator introspection and actual ASP.NET Core route mapping - the shipped REST precedence-visibility baseline now also exposes
IRestEndpointCandidateRuntimeCatalog,/engine/rest-endpoint-candidates,/engine/rest-endpoint-candidates/{candidateId}, andsnapshot.RestEndpointCandidates, plusIRestEndpointPublicationGroupRuntimeCatalog,/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-publication-groups/{behaviorId}, andsnapshot.RestEndpointPublicationGroups; within the normalized behavior-projection path the effective precedence isexplicit module DSL > MapProfile<TBehavior>() > generated shorthand, where generated shorthand includes bothMapGeneratedProfiles(...)andMapGeneratedProfileGroups(...), the candidate catalog now preserves both the original shorthand source shape throughRestEndpointCandidateRuntimeDescriptor.OriginalProjectionand the final effective mapped answer throughProjectedEndpoint, candidate ids now resolve from that original shorthand projection before host overrides are applied whileProjectedEndpoint.Idcontinues to identify the effective mapped endpoint shape, projected shorthand endpoints now also keep endpoint name plus summary/description metadata plus original shorthand endpoint name/summary/description lineage and host-governed required capability keys aligned with the final behavior-backed runtime endpoint conventions, and the grouped publication catalog now answers that same story per behavior through the published candidate ids, precedence-suppressed candidate ids, governance-suppressed candidate ids, winning precedence rank, and ordered candidate set RestEndpointCandidateStatusnow also carries stablepublished/suppressedwire names throughRestEndpointCandidateStatusExtensions, so/engine/rest-endpoint-candidates,/engine/rest-endpoint-candidates/{candidateId}, andsnapshot.RestEndpointCandidatesexpose readable operator-facing status truth instead of raw enum-number serialization- grouped publication answers now also expose
RestEndpointPublicationGroupDescriptor.AuthoringStyleSummariesas typedRestEndpointPublicationGroupAuthoringStyleDescriptorentries derived directly from the same grouped candidate truth, so/engine/rest-endpoint-publication-groupsandsnapshot.RestEndpointPublicationGroupsalso show which shorthand authoring styles participated, which remained published, and which were precedence-suppressed or governance-suppressed without manually partitioning the ordered candidate set - grouped publication answers now also expose
RestEndpointPublicationGroupDescriptor.AuthoringPolicyas typedRestEndpointPublicationGroupAuthoringPolicyDescriptordata, so/engine/rest-endpoint-publication-groupsandsnapshot.RestEndpointPublicationGroupsdistinguish the implicit default single-winner boundary from an explicitRestApi:AuthoringPolicies:{behaviorId}configuration;AllowMultiplePublishedCandidatesis now an enforced field that can keep lower-precedence unsuppressed shorthand candidates published together when the final route answers stay distinct, and preferred/allowed/disallowed authoring-style fields now also enforce shorthand publication policy forbehavior-module-profileandbehavior-module-generatedcandidates through distinct authoring-policy suppression truth instead of reusing governance or precedence semantics - grouped publication answers now also expose typed
RestEndpointPublicationGroupAuthoringPolicySuppressionDescriptorentries throughAuthoringPolicySuppressionSummariesat both the behavior-group level and inside eachAuthoringStyleSummariesentry, so/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-publication-groups/{behaviorId}, andsnapshot.RestEndpointPublicationGroupskeep the groupeddisallowed-authoring-style,not-allowed-authoring-style, andpreferred-authoring-style-selectedauthoring-policy breakdown visible without forcing operators to re-join candidate payloads - the shipped REST authoring-policy runtime baseline now also exposes
IRestEndpointAuthoringPolicyRuntimeCatalog,/engine/rest-endpoint-authoring-policies,/engine/rest-endpoint-authoring-policies/{behaviorId}, andsnapshot.RestEndpointAuthoringPolicies; that rule-centric behavior-level answer keeps explicit default-versus-configured policy intent, explicitly configuredRestApi:AuthoringPolicies:{behaviorId}entries with no current candidates, and separateCandidateIds,RetainedCandidateIds,PublishedCandidateIds,PrecedenceSuppressedCandidateIds,GovernanceSuppressedCandidateIds, and groupedSuppressionSummariesvisible without trapping authoring-policy truth only inside publication-group answers - that same rule-centric REST authoring-policy runtime answer now also exposes typed per-style
RestEndpointAuthoringPolicyAuthoringStyleDescriptorentries throughRestEndpointAuthoringPolicyDescriptor.AuthoringStyleSummaries, so/engine/rest-endpoint-authoring-policiesandsnapshot.RestEndpointAuthoringPoliciescan partition candidate, retained, published, precedence-suppressed, governance-suppressed, and authoring-policy-suppressed outcomes by normalized authoring style while still keeping explicitly configured-but-unmatched policies visible with empty style summaries - that same rule-centric REST authoring-policy runtime answer now also keeps
HostGovernanceEligibleCandidateIds,HostGovernanceIneligibleCandidateIds,SkippedSuppressionIds, andSkippedOverrideIdsvisible at both the behavior level and inside eachRestEndpointAuthoringPolicyAuthoringStyleDescriptor, so explicit ownership that never entered host governance remains readable from/engine/rest-endpoint-authoring-policiesandsnapshot.RestEndpointAuthoringPolicieswithout reopening grouped publication answers - that same rule-centric REST authoring-policy runtime answer now also exposes grouped governance-rule summaries directly through
GovernanceSuppressionSummaries,GovernanceOverrideSummaries,SkippedSuppressionSummaries, andSkippedOverrideSummariesat both the behavior level and inside eachRestEndpointAuthoringPolicyAuthoringStyleDescriptor, using the genericRestEndpointGovernance*SummaryDescriptorcontracts instead of publication-group-scoped types, so one authoring-policy payload can answer matched-versus-suppressed, selected-versus-applied, and skipped-rule candidate mappings without reopening grouped publication answers first - when REST policy or governance config can exist without active candidates, prefer a top-level rule or policy runtime catalog over burying that truth only inside grouped publication answers
- grouped publication answers now also expose typed
RestEndpointPublicationGroupGovernanceSuppressionSummaryDescriptorandRestEndpointPublicationGroupGovernanceOverrideSummaryDescriptorentries throughGovernanceSuppressionSummariesandGovernanceOverrideSummariesat both the behavior-group level and inside eachAuthoringStyleSummariesentry, so/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-publication-groups/{behaviorId}, andsnapshot.RestEndpointPublicationGroupskeep matched-versus-suppressed host suppression outcomes plus matched/selected/applied override outcomes visible, including no-op winning overrides whose applied bucket stays empty - grouped publication answers now also expose typed
RestEndpointPublicationGroupGovernanceSelectionBasisSummaryDescriptorandRestEndpointPublicationGroupGovernanceOverrideActionKindSummaryDescriptorbuckets through grouped suppressionSelectionBasisSummariesplus grouped overrideSelectionBasisSummaries,SelectedActionKindSummaries, andAppliedActionKindSummaries, so behavior-level and per-authoring-style publication answers can show why a winning governance rule beat the runner-up and which override dimensions only stayed declared versus materially applied without reopening the candidate catalog - the shipped REST governance rule catalogs now also derive rule-centric runtime-effect buckets directly from candidate truth:
RestEndpointSuppressionDescriptornow carriesMatchedCandidateIds,SuppressedCandidateIds,SkippedCandidateIds,SelectionBases, and groupedSelectionBasisSummaries, whileRestEndpointOverrideDescriptornow carriesMatchedCandidateIds,SelectedCandidateIds,AppliedCandidateIds,SkippedCandidateIds,SelectionBases, groupedSelectionBasisSummaries,SelectedActionKinds, groupedSelectedActionKindSummaries,AppliedActionKinds, and groupedAppliedActionKindSummaries; the reusable grouped bucket contracts are nowRestEndpointGovernanceSelectionBasisSummaryDescriptorandRestEndpointGovernanceOverrideActionKindSummaryDescriptor, so/engine/rest-endpoint-suppressions,/engine/rest-endpoint-overrides, and the matching snapshot surfaces can answer one rule’s actual runtime footprint plus grouped candidate provenance without reopening the full candidate catalog - grouped publication answers now also expose grouped host-governance eligibility and skipped-governance truth through
HostGovernanceEligibleCandidateIds,HostGovernanceIneligibleCandidateIds,SkippedSuppressionIds,SkippedOverrideIds, and typedRestEndpointPublicationGroupGovernanceSkippedSuppressionSummaryDescriptor/RestEndpointPublicationGroupGovernanceSkippedOverrideSummaryDescriptorentries viaSkippedSuppressionSummaries/SkippedOverrideSummariesat both the behavior-group level and inside eachAuthoringStyleSummariesentry, so explicit module-DSL ownership that stayed outside host governance remains visible without drilling into each candidate separately and operators can see which ineligible candidates each skipped host rule targeted - when more than one shorthand candidate stays published for one grouped behavior answer, runtime truth should keep the live ASP.NET Core endpoint names deterministic as well as the routes; co-published shorthand candidates now disambiguate their effective endpoint names by authoring style, route shape, and candidate identity when needed while preserving
OriginalEndpointNameas source shorthand lineage - the shipped REST governance baseline now also exposes
IRestEndpointSuppressionRuntimeCatalog,/engine/rest-endpoint-suppressions,/engine/rest-endpoint-suppressions/{suppressionId}, andsnapshot.RestEndpointSuppressions, plusIRestEndpointOverrideRuntimeCatalog,/engine/rest-endpoint-overrides,/engine/rest-endpoint-overrides/{overrideId}, andsnapshot.RestEndpointOverrides;RestApi:SuppressionsandRestApi:Overridesare host-level ASP.NET Core publication-governance surfaces for descriptor-backed module-owned shorthand candidates, not engine-core route-authoring contracts - the shipped
RestApi:Suppressionsbaseline remains suppression-only by design and shorthand-first by default: it can hideMapProfile<TBehavior>()candidates plus generated shorthand candidates fromMapGeneratedProfiles(...)andMapGeneratedProfileGroups(...)before precedence resolution, it can now target one exact candidate throughCandidateIds, it can refineBehaviors/Modulestargeting further with optionalApiVersionMajors,Methods,RelativePatterns,RouteGroupPrefixes,OpenApiDocumentNames,TagNames,EndpointNames,HostGovernanceScopes,BindingFallbackModes, and exact original explicitTargetBindings, those selector refiners and candidate ids all match the original candidate shape before override actions are applied,EndpointNamestargetsProjectedEndpoint.OriginalEndpointName,HostGovernanceScopestargetsOriginalProjection.HostGovernanceScope, and explicit module DSL/manual module-owned REST endpoints still remain authoritative unless the owning route group explicitly opts into host governance and the matching host rule explicitly targets authoring stylebehavior-module-dsl; omittedAuthoringStylesstill keep existing host rules shorthand-only by default, and suppression still does not rewrite route shape, HTTP method, input binding, or OpenAPI document membership - the shipped
RestApi:Overridesbaseline follows that same two-gate model and now supports the same optional exactCandidateIdstargeting plus selector refinersApiVersionMajors,Methods,RelativePatterns,RouteGroupPrefixes,OpenApiDocumentNames,TagNames,EndpointNames,HostGovernanceScopes,BindingFallbackModes, and exact original explicitTargetBindings, plus override actionsApiVersionMajor,OpenApiDocumentName,Method, bounded publishedRouteGroupPrefix, constrained relativePattern,RequiredCapabilityKey,ClearRequiredCapability, constrained explicitBindings,RemovedBindingProperties, binding resets throughClearBindings, host-governed preserved fallback throughPreserveImplicitQueryFallback, endpoint metadataEndpointName/Summary/Description, OpenAPI tag nameTagName, and typedRestEndpointOverrideBindingMode: it can retarget governable candidates to another effective API major version, published OpenAPI document name, HTTP method, published route-group prefix, relative route pattern, required Cephalon capability boundary, intentionally cleared capability boundary, endpoint metadata, OpenAPI tag name, preserved implicit query-fallback intent, and/or explicit binding plan, records the applied rule throughRestEndpointCandidateRuntimeDescriptor.AppliedOverrideId, keeps the original source shape visible throughOriginalProjection, now also keeps host-governance eligibility visible throughRestEndpointCandidateProjectionDescriptor.AllowsHostGovernance, keeps the original authored governance scope visible throughRestEndpointCandidateProjectionDescriptor.HostGovernanceScopeand publishedOriginalProjection.HostGovernanceScope, matches all of its selectors against that original candidate identity before override actions are applied, withEndpointNamestargetingProjectedEndpoint.OriginalEndpointNameandHostGovernanceScopestargetingOriginalProjection.HostGovernanceScope, drives ASP.NET Core materialization through the same effective projection shape reported by the runtime catalogs, keeps the/api/v{major}route segment and OpenAPI document name aligned when version changes, directly rewrites the effective document name whenOpenApiDocumentNamechanges, keeps mapped route truth aligned when pattern changes, keeps effective tag truth aligned whenTagNamechanges, letsRouteGroupPrefixmove the published governable group only when it stays beneath the active REST root, contains no placeholders, and does not silently change effective API-version truth, only re-derives the effective document name fromApiVersionMajorwhen the authored group did not pin one explicitly through.WithOpenApiDocumentName(...), allows placeholder-preserving rewrites by default, now also allows placeholder renames when the effective explicit route-binding plan covers the renamed placeholder set exactly, now also allows placeholder removals when the original projection already exposes full explicit route-binding coverage and the effective explicit binding plan keeps every affected original route-bound property explicitly bound, and now also allows placeholder additions when the effective explicit route-binding plan covers the full final placeholder set and every newly route-bound property was either already explicitly bound in the original projection, forPOST/PUT/PATCHalready part of the original deterministic remaining-body fallback surface, for candidates with no explicit binding plan already part of the original implicit query-fallback surface, or for explicit-binding shorthand candidates whose remaining source query surface was intentionally preserved either by the source profile or by a winning override that setsPreserveImplicitQueryFallback = true; no-explicit-plan candidates now also preserve their remaining implicit query-fallback surface when hosts add only partial explicit bindings, and preserved fallback answers are now published through typedRestEndpointCandidateProjectionDescriptor.BindingFallbackModeandRestEndpointRuntimeDescriptor.BindingFallbackModevalues backed byRestEndpointBindingFallbackMode, wherePreserveSourceImplicitFallbackmodels source implicit-query preservation andPreserveRemainingBodyFallbackmodels deterministic remaining request-body fallback for explicit body-capable binding plans; additivemetadata.bindingFallbackMode = preserve-source-implicit-fallbackandmetadata.bindingFallbackMode = preserve-remaining-body-fallbackremain compatibility-only metadata, exact original explicitTargetBindingsnow also lets hosts match the source binding-plan identity by descriptor-set equivalence before later override rewrites run, it still rejects broader implicit-property promotion beyond that constrained body-fallback-plus-bounded-query-fallback-plus-source-or-host-preserved-explicit-query-fallback path, treatsBindingModeas a split contract where host config stays wire-name-only withreplace-explicitormerge-explicitwhile runtime JSON preservesunspecifiedonly forClearBindingsrules that omitted an explicit mode and normalizes other omitted modes toreplace-explicitormerge-explicit, defaultsBindingstoreplace-explicit, now also allowsBindingMode = merge-explicitso hosts can upsert changed explicit bindings or withdraw selected original explicit bindings throughRemovedBindingPropertieswhile still letting unbound route placeholders and remaining request-body fields fill object properties deterministically, now also allowsClearBindingsso a host can return an authored explicit binding plan to the implicit route/query/body baseline when that effective route still binds truthfully, and now also treatsBindingsplusTargetBindingsbinding sources as stable wire-name-onlyroute/query/header/bodysurfaces across host config and runtime JSON; it still fails fast when one rule sets bothRequiredCapabilityKeyandClearRequiredCapability, whenreplace-explicitis paired with removals, when one merge rule tries to both remove and override the same property, whenClearBindingsis paired withBindings,RemovedBindingProperties,PreserveImplicitQueryFallback, or an explicitBindingMode, when a removal targets a property the source candidate never bound explicitly, when the effective method-plus-binding plan is invalid, or when a placeholder rename, removal, addition, orClearBindingsreset would rely on inference, lose explicit binding coverage, or promote an implicit property outside those bounded fallback surfaces; explicit module DSL and manual module-owned REST endpoints still stay authoritative by default, and explicit module DSL only enters that override boundary when both the owning route group and the matching host rule opt in - the shipped REST performance baseline now also includes
RestEndpointProjectionGovernanceBenchmarks.BuildMapGovernedRestCatalogs; it exercises generated/profile/DSL precedence, shorthand-only authoring-policy enforcement while explicit module DSL remains authoritative, grouped generated module ownership, suppression and override selection, explicit.ApiVersion(...)group authority over host version rewrites, and preserved implicit query fallback, andscripts/validate-release.ps1plus the guardrail catalog now treat that benchmark as part of the default release-validation lane - the shipped benchmark smoke path now uses a shared
BenchmarkInProcessShortRunConfigacross every benchmark class so repo-local mirrored.build/*benchmark projects do not break BenchmarkDotNet project resolution duringvalidate-release, and the default benchmark filter set now includes the hot-path benchmark classes so guardrail validation stays truthful against the full shipped catalog - the REST benchmark closeout also fixed
Cephalon.Behaviors.SourceGento emit theBehaviorRestProfileDescriptor.PreserveImplicitQueryFallbacknamed argument with the correct casing, so source-generated shorthand REST metadata remains buildable when that fallback option is declared - a deliberate
HostGovernanceScopesselector now also counts as a primary host-governance target besideCandidateIds,Behaviors, andModules, so scope-only suppression or override rules can govern one authored route-group label without restating behavior or module ids while empty-selector rules still fail fast - when a host configures suppression or override rules that target an explicit module-DSL candidate before that route group opts into governance, runtime truth should expose that near-match explicitly instead of pretending no rule targeted the route; candidates and published behavior-backed endpoints now keep ordered
SkippedSuppressionIdsandSkippedOverrideIdsvisible whileMatched*remains empty, so operators can distinguish governance-ineligible explicit ownership from an actual selector miss or winning governance outcome - when
RouteGroupPrefixremaps only one shorthand candidate in an authored route group, ASP.NET Core materialization should split the effective published group boundaries so actual HTTP routes,/engine/rest-endpoint-candidates,/engine/rest-endpoints,/engine/rest-endpoint-overrides, andsnapshotkeep one shared runtime truth instead of reporting a remapped candidate that still materializes under the old group - when
TagNameretags only one shorthand candidate in an authored route group, ASP.NET Core materialization should also split the effective published groups by route-group prefix plus document name plus tag so actual endpoint tag metadata, OpenAPI grouping,/engine/rest-endpoint-candidates,/engine/rest-endpoints, andsnapshotkeep one shared runtime truth instead of reporting a retagged candidate that still materializes inside the original mixed-tag group - shorthand REST governance selectors must keep matching the original shorthand candidate identity rather than the already-rewritten published answer; that identity now includes
CandidateIds,ApiVersionMajors,Methods,RelativePatterns,RouteGroupPrefixes,OpenApiDocumentNames,TagNames,EndpointNames,HostGovernanceScopes,BindingFallbackModes, and exact original explicitTargetBindingsso hosts can target one of several same-behavior candidates without losing runtime truth, including the original shorthand endpoint name throughProjectedEndpoint.OriginalEndpointName, the original authored governance scope throughOriginalProjection.HostGovernanceScope, the original shorthand binding-fallback identity through the stable wire namespreserve-source-implicit-fallbackandpreserve-remaining-body-fallback, plus the original explicit binding-plan identity through full descriptor-set equivalence - the shipped suppression-rule baseline now fails fast when a rule omits all of
CandidateIds,Behaviors, andModules, so typo-shaped config cannot silently turn into a global shorthand kill switch - when more than one REST suppression rule matches the same candidate, the shipped resolver now picks the most specific rule deterministically by preferring candidate-targeted rules first, then by fewer targeted candidate ids, then by populated target dimensions (
CandidateIds,Behaviors,Modules,ApiVersionMajors,Methods,RelativePatterns,RouteGroupPrefixes,OpenApiDocumentNames,TagNames,EndpointNames,HostGovernanceScopes,BindingFallbackModes,TargetBindings), then by preferring behavior-targeted rules over module-only rules, then by narrower authoring-style scope, then by fewer total selector values, then by stable rule id ordering - when more than one REST override rule matches the same candidate, the shipped resolver uses that same candidate-targeted specificity model, including
EndpointNames,HostGovernanceScopes, andTargetBindingsas populated target dimensions, before falling back to stable rule id ordering - when more than one REST suppression or override rule matches one shorthand candidate, runtime truth now keeps the full ordered match set visible through
MatchedSuppressionIdsandMatchedOverrideIdswhileSuppressedBySuppressionIdcontinues to identify the selected suppression winner,AppliedOverrideIdcontinues to identify winning override rules that materially changed the effective answer, andSelectedOverrideIdnow identifies the winning override rule even when post-materialization reconciliation proves that winner was a runtime no-op - when more than one REST suppression or override rule matches one shorthand candidate, runtime truth should also surface the earliest decisive specificity answer through
SuppressionSelectionBasisorOverrideSelectionBasisso operators can see why the selected rule beat the runner-up instead of reverse-engineering the precedence chain from ordered ids alone - published REST endpoint applied-override provenance should only mark a rule as applied when that rule’s own capability or endpoint-metadata action family materially changed the published answer; capability-only or metadata-only no-op matches should remain selected-only even when ASP.NET Core still normalizes other runtime metadata around the endpoint
- when REST governance suppresses a shorthand candidate, runtime truth should point at the governing rule id rather than pretending another candidate won;
RestEndpointCandidateRuntimeDescriptor.SuppressedBySuppressionIdis now the canonical distinction from precedence-basedSuppressedByCandidateId - when REST governance retargets a shorthand candidate through version, method, route, binding, or endpoint-metadata override, runtime truth should point at the governing rule id rather than hiding the decision inside the final endpoint shape;
RestEndpointCandidateRuntimeDescriptor.AppliedOverrideIdis now the canonical trace for that override - when REST governance rewrites shorthand
EndpointName,Summary, orDescription, the same effective values should driveProjectedEndpoint, actual ASP.NET Core endpoint metadata,/engine/rest-endpoints, andsnapshot.RestEndpoints; metadata-only no-op rules should not claim they changed the published answer - when REST governance clears shorthand
EndpointName,Summary, orDescriptionthroughClearEndpointName,ClearSummary, orClearDescription, the effective candidate, actual ASP.NET Core endpoint metadata,/engine/rest-endpoints, andsnapshot.RestEndpointsanswer should all agree onnullwhileOriginalEndpointName,OriginalSummary, andOriginalDescriptionstill preserve the source shorthand lineage - when REST governance rewrites shorthand
TagName, the same effective answer should driveProjectedEndpoint.Tags, actual ASP.NET Core endpoint tag metadata,/engine/rest-endpoints, andsnapshot.RestEndpointswhileOriginalProjection.TagNamestill preserves the source shorthand lineage - when REST governance rewrites shorthand
OpenApiDocumentName, the same effective answer should driveProjectedEndpoint.OpenApiDocumentName, actual ASP.NET Core endpoint-group metadata,/engine/rest-endpoints, andsnapshot.RestEndpointswhileOriginalProjection.OpenApiDocumentNamestill preserves the source shorthand lineage - when published candidate or endpoint runtime truth is reconciled after ASP.NET Core materialization, metadata-only same-value rewrites, same-value document rewrites, same-value tag rewrites, and metadata clears against source metadata the owning module already set or removed should keep
MatchedOverrideIdsvisible while leavingAppliedOverrideIdempty on/engine/rest-endpoint-candidates,/engine/rest-endpoints, and the matching snapshot answers - when published candidate or endpoint runtime truth is reconciled after ASP.NET Core materialization, reorder-only equivalent binding-plan rewrites should also keep
MatchedOverrideIdsvisible while leavingAppliedOverrideIdempty, and that same semantic binding-set comparison should remain shared with projection reuse so the source explicit binding order stays authoritative on the final projected answer - when post-materialization reconciliation proves a matched shorthand override rule was a runtime no-op,
/engine/rest-endpoint-candidates,/engine/rest-endpoints, and the matching snapshot answers should keepAppliedOverrideIdempty but still surface the winning rule throughSelectedOverrideIdplusOverrideSelectionBasisso operators can distinguish “no rule won” from “a rule won but changed nothing” and still understand why that rule won Cephalon.Behaviors.Httpnow also publishes stable startup diagnostics for shorthand and explicit REST governance through/engine/diagnosticssourceCephalon.Behaviors.Httpwith event ids5200-5206for governance suppression, authoring-policy suppression, precedence suppression, applied overrides, no-op override matches, preserved binding fallback, and skipped explicit-governance visibility; when the runtime candidate registry is active, published-endpoint logging should reconcile against post-materialization truth so no-op published endpoints do not claim they changed the runtime answer, event5200now also echoes the decisiveSuppressionSelectionBasiswire name, events5202and5203now also echo the decisiveOverrideSelectionBasiswire name plus selected-versus-applied override action-kind wire names so the startup log story matches the runtime-catalog truth, event5204now follows whichever typedBindingFallbackModewas actually preserved while also echoing the same stable fallback-mode wire name published byRestEndpointBindingFallbackModeExtensions.GetWireName(), including bothpreserve-source-implicit-fallbackandpreserve-remaining-body-fallback, event5205now records authoring-policy suppression through the stable kindsdisallowed-authoring-style,not-allowed-authoring-style, andpreferred-authoring-style-selected, and event5206now records when explicit module-DSL candidates keptSkippedSuppressionIdsandSkippedOverrideIdsbecause the original projection did not allow host governanceRestEndpointBindingFallbackModeExtensions.GetWireName()plusTryParseWireName(...)are now the canonical public bridge for the stableRestEndpointBindingFallbackModewire names used by JSON serialization and additivemetadata.bindingFallbackMode; host adapters and tests should use that helper instead of maintaining independent hardcoded fallback-mode strings- ASP.NET Core
RestApi:SuppressionsandRestApi:Overridesnow also treatBindingFallbackModesas a wire-name-only config surface: usepreserve-source-implicit-fallbackandpreserve-remaining-body-fallback, and fail fast instead of silently accepting PascalCase enum-member aliases - when REST governance rewrites shorthand
RequiredCapabilityKeyor clears it throughClearRequiredCapability, the same effective answer should driveProjectedEndpoint.RequiredCapabilityKey, actual ASP.NET Core endpoint metadata,/engine/rest-endpoints, andsnapshot.RestEndpoints;RequireCapability(...)andClearRequiredCapability()now both treat the last declared capability boundary registration as authoritative so a later host override can supersede or intentionally remove an earlier shorthandconfigureEndpointguard instead of stacking or silently retaining it - when REST governance clears shorthand explicit bindings through
ClearBindings, the same effective answer should driveProjectedEndpoint.BindingDescriptors, actual ASP.NET Core request composition,/engine/rest-endpoints, andsnapshot.RestEndpoints; alias-dependent placeholder routes must fail fast instead of silently surviving through removed explicit route-binding aliases - merge-explicit host overrides must not silently demote source explicit query bindings on non-body shorthand endpoints; withdrawal is allowed only when the source explicitly preserved query fallback, the winning override intentionally sets
PreserveImplicitQueryFallback = true, or the host intentionally clears bindings - when published endpoint runtime truth needs to explain shorthand capability governance,
/engine/rest-endpointsandsnapshot.RestEndpointsshould expose bothOriginalRequiredCapabilityKeyandAppliedOverrideId, and capability-only no-op clear matches should leave the endpoint-levelAppliedOverrideIdempty when the effective published capability answer does not change - when published candidate runtime truth needs to explain shorthand capability governance,
/engine/rest-endpoint-candidatesandsnapshot.RestEndpointCandidatesshould keepMatchedOverrideIdsvisible for capability-only no-op matches but leaveAppliedOverrideIdempty when ASP.NET Core materialization proves the effective published capability answer did not change, including both no-op clears and same-key capability rewrites - the shipped profile-binding baseline treats explicit route/query/header/body bindings as overrides rather than as an exclusive binder mode, still lets unbound route placeholders and request bodies fill remaining object properties deterministically, and fails fast when a JSON body tries to overwrite a property reserved by an explicit non-body binding
- the current profile-binding hardening baseline now rejects invalid binding metadata at build time through
ABT0019throughABT0025, now also rejects malformedBehaviorRestProfileAttribute.RelativePatternplaceholder syntax earlier throughABT0026, now also rejectsBehaviorRestProfile(PreserveImplicitQueryFallback = true)without any explicit bindings throughABT0027, removes enum-ordinal assumptions from source-generatedGetRestProfiles()output, and re-checks route-pattern validity, route-placeholder truth, and preserved implicit-query fallback requirements duringBehaviorRestProfileResolvernormalization soMapProfile<TBehavior>()stays fail-fast even when it falls back to direct attribute metadata instead of generated hints - the current profile-binding hardening baseline now also gives
BehaviorRestMethodstableget/post/put/patch/deletewire names throughBehaviorRestMethodExtensionsplusBehaviorRestBindingSourcestableroute/query/header/bodywire names throughBehaviorRestBindingSourceExtensions, and source-generatedGetRestProfiles()validation now keys off those canonical wire-name vocabularies while still emitting the resolved enum member names, so future package-surface refactors can preserve behavior-authored REST metadata by keeping the wire-name contracts stable - the current profile-binding hardening baseline now also reuses those same canonical method and binding-source wire names in runtime attribute-fallback and explicit binding-plan normalization errors, so JSON serialization, source generation,
MapProfile<TBehavior>()fallback, and operator/developer guidance all point at one stable behavior-authored REST vocabulary instead of mixing canonical wire names with generic runtime wording - the current behavior-authored REST method-guidance baseline now also reuses the canonical method wire names in non-body method body-binding rejections and unsupported REST method parser failures, so runtime fallback, body-capability validation, and parser guidance no longer leak
Get/Delete-style member names or generic method wording back into the operator contract - the current shorthand-governance operator baseline now also locks
SuppressedByAuthoringPolicyKindonto canonicaldisallowed-authoring-style,not-allowed-authoring-style, andpreferred-authoring-style-selectedwire names across/engine/rest-endpoint-candidates, candidate-by-id payloads, andsnapshot.RestEndpointCandidates, so authoring-policy suppression truth does not depend on raw enum serialization behavior - the current public REST baseline now fails fast when two resolved public endpoints collide on the same
HTTP method + route pattern; future shorthand or convention publication must compose through the same projection, runtime-catalog, and collision-validation pipeline instead of bypassing it - any future broader config-override model beyond the shipped original-shape candidate-id-plus-selector-targeting baseline across version, method, route-group prefix, document name, tag name, binding fallback, capability, binding replacement, merge-explicit upsert/withdraw, clear-bindings reset,
PreserveImplicitQueryFallback, placeholder rename/removal/addition, implicit body-fallback promotion, bounded implicit query-fallback promotion, partial explicit-override query-fallback preservation, and source-or-host-preserved explicit-query-fallback promotion should land only if runtime truth remains explicit and introspectable; any future implicit-property-promotion route model beyond that constrained body-fallback-plus-bounded-query-fallback-plus-source-or-host-preserved-explicit-query-fallback path, or any broader binding-rewrite model beyond the current replace-plus-merge-explicit upsert-plus-withdraw approach, should extend the same candidate, suppression, and override catalogs instead of bypassing them, and any future additional shorthand sources should land only when that runtime truth stays visible - exact-versus-prefix behavior-subtree governance truth must stay aligned not only in
/engine/rest-endpoint-candidates,/engine/rest-endpoint-suppressions,/engine/rest-endpoint-overrides, andsnapshot, but also in/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-authoring-policies, the direct grouped/operator runtime catalogs, and the matching per-authoring-style summaries; broader prefix rules should remain visible as matched-only outcomes when a narrower exact behavior rule wins selection, and prefix-targeted rules that hit explicit module-DSL behavior ids withoutAllowHostGovernance()should stay visible as skipped outcomes rather than disappearing as if they never matched - when a shorthand profile declares explicit bindings and intentionally preserves source implicit query fallback, host overrides can now promote that remaining query-bound property set into added route placeholders, and candidate plus published runtime truth now clear
BindingFallbackModeonce the effective binding plan fully consumes that preserved surface - REST runtime truth may now intentionally differ between
OriginalProjectionandProjectedEndpointforBindingFallbackMode; that split is the contract, not drift - explicit manual module-owned REST now joins that same engine-owned runtime catalog and duplicate-route guard baseline; freeform host routes outside
IRestModuleremain out of scope unless Cephalon deliberately adopts them later Engine:Behaviorsis no longer a per-behavior REST topology contract; keep it focused on behavior discovery and auto-registration- when a module explicitly owns behaviors, prefer
BehaviorModuleBasefor process-only modules andRestBehaviorModuleBasewhen the same module also exposes some of those behaviors over REST; keep rawIRestModuleimplementations for REST modules that do not dispatch through behaviors - prefer
BehaviorModuleBasewhen a module explicitly owns behaviors but does not expose a public REST surface - prefer
RestBehaviorModuleBasewhen the same module owns behaviors and exposes some of them over REST - prefer the single-surface REST DSL on
RestBehaviorModuleBase: publicbehaviors.Group(...).MapGet/MapPost/...routes imply ownership automatically, whilebehaviors.Internal<TBehavior>()is the explicit path for internal-only or custom/manual-route behaviors in the same module - keep one bounded context in one module when possible; do not split modules only to separate internal behaviors from REST-exposed behaviors
Engine:Behaviors:AutoRegisteris now an opt-in fallback rather than the default behavior-ownership path; prefer explicit module ownership and only turn scanning back on when a host intentionally wants convention-based discovery- keep behavior return contracts transport-neutral by default: prefer raw
TOutfor simple success paths, preferResult<T>for expected non-success branches, keepBehaviorResult<T>as a compatibility alias during the transition, and treatResultModel<T>/ResultModelErroras an optional REST wire-format policy rather than the universal engine contract - the optional REST result-envelope wire contract now uses problem-style
typeplus HTTPstatusinstead of the olderstatus_code;ApiRoutes:ResultEnvelope:Enabled = falsemust continue to leave ASP.NET CoreProblemDetailsand protocol-native envelopes alone, whiletruemay translate REST-prefixed problem responses intoResultModelError - prioritize core engine quality, contract clarity, performance, security, and maintainability before pushing deeper agentic, AI, or broader multi-platform runtime follow-through; future-tech expansion should build on a solid engine baseline instead of driving premature core-contract churn
- standardize provider-pack settings by family instead of forcing one property shape on every pack: use
ConnectionStringNameplusConnectionStringfor connection-string-native providers, useUriNameplusUrifor URI-first providers, resolve named entries from the rootConnectionStringsorUrissections as appropriate, fail fast when both named and inline settings are configured together, and keep topology-first providers such as Cassandra and Qdrant explicit - preferred long-term data direction: keep
Engine:Dataas the logical app-model and capability-selection layer, use the shipped engine-ownedEngine:Databasesbaseline for physical roles, migrations, and topology introspection, do not make mandatoryDbContextbase classes the primary engine contract, and keep durable audit history as additive provider-pack follow-through instead of overloading the narrowCephalon.Auditbaseline - the current database-topology role-reference contract is intentionally narrow:
WriteandReadstay concrete root targets, whileOutboxandHistorycan explicitly reusewritethroughUseRoleand still layer local schema/runtime overrides; broader role graphs are a later follow-through only if runtime and migration truth stay explicit - the current database-topology baseline now has five complementary operator answers:
/engine/databasesis the raw engine-owned topology projection,/engine/database-rolesplussnapshot.DatabaseRolesare the resolved runtime catalog for requested versus resolved roles,UseRole, co-location, consumers, audit-history metadata, and provider-contributed live role health,/engine/database-migrationsplussnapshot.DatabaseMigrationsare the resolved runtime catalog for logical migration targets, their current status, typed resolved-role runtime state, and provider-added command guidance,/engine/database-migration-playbookplussnapshot.DatabaseMigrationPlaybookare the canonical engine-owned ordered migration answer with generated counts, ordered steps, physical-target execution groups, grouped command sets, combined command-batch templates, startup-apply truth, resolved-role identity, and selected production-versus-manual command guidance, and/engine/database-topologyplussnapshot.DatabaseTopologyare the canonical engine-owned posture summary, advisory, and ordered action-plan answer over role health, migration status, and production-guidance completeness - the current durable audit-history baseline is
Cephalon.Audit.EntityFramework, driven byEngine:Audit:Historyplus a selected engine-owned database role that defaults tohistory, withEngine:Audit:History:Export,Engine:Audit:History:Retention,IAuditHistoryReader,IAuditHistoryExporter,/engine/audit-history,/engine/audit-history/export, and showcase-facing/api/v1/showcase/audit/historyplus/api/v1/showcase/audit/history/exportroutes now proving read, bounded NDJSON export, and retention follow-through while the showcase sample keeps configuredWriteDb/ReadDb/HistoryDbroots for Docker-backed runs plus an explicitOutbox -> writedependent role reference - the showcase database-topology operator projection now layers six complementary sample-level answers on top of the engine routes: a readiness summary, an ordered operator action plan, derived operator insights, an ordered migration playbook, a Markdown operator brief export at
/api/v1/showcase/system/database-topology/brief, and a downloadable self-describing handoff package at/api/v1/showcase/system/database-topology/handoffthat now includes a packageREADME.md, a machine-readablehandoff-manifest.json, the Markdown brief, and the raw projection payload; the engine-owned/engine/database-topologyposture is now the baseline for readiness, engine-level advisories, and the engine portion of the ordered action plan, the engine-owned/engine/database-migration-playbookroute is now the baseline for ordered migration guidance plus physical-target execution-group truth, grouped command sets, and combined command batches, and sample-only follow-through stays limited to read-model drift, backlog, retry pressure, disabled-sync truth, and repo-root command adaptation instead of re-deriving core role/migration posture locally, while the projection still preserves engine-owned action categories plus source role or migration ids instead of collapsing those stable fields away - the showcase sample now always wires
Cephalon.Data.EntityFrameworkplusCephalon.Audit.EntityFramework; Docker mode keeps the configured PostgreSQL root roles, while non-Docker local/test runs rewriteWrite,Read, andHistoryto unique in-memory targets so/engine/database-roles,/engine/database-migrations, and showcase-facing audit-history routes stay truthful without external infrastructure Cephalon.Data.EntityFrameworknow contributes live role-probe metadata through the engine-owned database-role catalog, including connectivity outcome plus pending-migration diagnostics for registeredDbContextroles, while dependent targets such asoutbox -> writecan inherit resolved-role runtime truth without losing their logical role identity- the engine-owned database runtime contract now also includes
RoleProbeFreshnessSeconds;Cephalon.Data.EntityFrameworkuses the merged shared-plus-role runtime selection to cache probe results per logical role, treats0as the explicit no-cache answer, defaults to a 30-second freshness window when none is configured, invalidates cached probes when migration runtime state changes, and now projects stable cache/freshness/source timing through the typedDatabaseRoleProbeDescriptorcontract onDatabaseRoleRuntimeDescriptor.ProbeplusDatabaseRoleDescriptor.Probe, while keepingprobeSource,probeFreshnessOrigin,probeFreshUntilUtc, andprobeAgeSecondsmetadata only for additive provider details and compatibility. The showcase database-topology projection now consumes the typed probe surface directly instead of parsing those stable keys locally - the engine-owned migration catalog now carries typed provider-added command templates through
DatabaseMigrationCommandDescriptor;Cephalon.Data.EntityFrameworkuses that surface to publish bundle/script/update guidance per logical role,DatabaseMigrationDescriptornow also carries typedRecommendedExecutionOrderhints plus typed resolved-role runtime fields so operator playbooks and projections do not hardcodewrite/read/historylocally or parse only metadata dictionaries for stable engine-owned answers, and the command descriptor now also carries typed operator metadata such asToolId,ExecutionCategory, andWorkingDirectoryHintso sample or host projections do not have to infer those reusable fields only from metadata dictionaries, while staying honest that true bundle/script generation or execution orchestration is still a later slice - the engine-owned migration runtime now also includes
DatabaseMigrationOperationalPlaybook,DatabaseMigrationOperationalStep,DatabaseMigrationOperationalExecutionGroup,DatabaseMigrationOperationalExecutionGroupCommand,DatabaseMigrationOperationalExecutionGroupCommandBatch, andIDatabaseMigrationOperationalPlaybookProvider;Cephalon.Enginenow publishes/engine/database-migration-playbookplussnapshot.DatabaseMigrationPlaybookas the canonical ordered migration answer over the lower-level migration catalog, selecting one production-recommended and one manual/direct command path per target when available, grouping logical targets into physical-target execution batches when possible, surfacing those grouped command paths directly, and now also publishing deterministic combined command-batch templates for the selected production and manual paths, while the showcase sample consumes that engine-owned playbook directly and limits its own logic to repo-root runnable command adaptation plus sample-only read-model follow-through - the engine-owned database role plus migration-playbook contract now also surfaces stable physical-target identity and shared-target coordination truth;
/engine/database-rolesplussnapshot.DatabaseRolesnow answerPhysicalTargetId,PhysicalTargetDisplayName, and physical co-location for logical roles that share one database,/engine/database-migration-playbookplussnapshot.DatabaseMigrationPlaybooknow answer coordination counts, physical-target execution groups, grouped command sets, combined command batches, and per-step coordinated migration ids and hints, and/engine/database-topologynow adds shared-physical-target migration-coordination advisories plus action-plan entries when pending or failed logical migration work spans one physical database, while the showcase sample consumes those answers directly in/showcase, the Markdown brief, and the handoff package instead of inferring shared-database risk locally - durable audit-history export is intentionally NDJSON-only for the first shipped slice, configuration-gated through
Engine:Audit:History:Export, and bounded byMaxEntries; replay UX, richer export formats, and delivery automation remain separate follow-through work - the current eventing operator baseline now splits configured dispatch ownership from live dispatch state explicitly:
IEventDispatchRuntimeDescriptorCatalogplus/engine/event-dispatch-runtimesanswer what managed dispatch runtimes are active and what outbox/runtime ids they own, whileIEventDispatchRuntimeCatalogplus/engine/event-dispatchesanswer the latest reported dispatch outcome, retry intent, timestamps, and totals per outbox path; both sets also flow into/engine/snapshotasEventDispatchRuntimesandEventDispatchStates - the current engine-owned outbox answer is no longer a static staged-descriptor only:
OutboxDescriptor.DispatchPolicyplusIOutboxDispatchPolicyCatalognow carry effective ownership per outbox asdisabled,consumer-managed, or runtime-managed,/engine/outboxesis the canonical operator surface for that truth, and eventing/Wolverine runtime surfaces are expected to stay aligned with the same ownership answer instead of re-deriving it ad hoc - the showcase sample now wires
Cephalon.Eventing.Wolverinedirectly so the officialwolverine-manageddispatch path stays visible through/engine/event-dispatch-runtimes,/engine/event-dispatches, and the runtime snapshot without custom sample-only operator code - treat
EventDispatchRuntimeDescriptor.Summaryas the canonical per-runtime aggregate operator answer; keep/engine/event-dispatchesas the per-outbox detail surface, and prefer pack-specific runtime surfaces such as Wolverine to consume the canonical summary instead of re-aggregating dispatch state independently - event-subscription execution truth now has first-class public read seams:
IEventSubscriptionExecutionBindingCatalogexposes active managed bindings by subscription id,IEventSubscriptionExecutionReadinessCataloglives inCephalon.Abstractions.Dataand tells whether each declared subscription isruntime-bound,hosted-execution-linked,application-managed-state, ordeclared-only,/engine/event-subscription-readinessplussnapshot.EventSubscriptionExecutionReadinesscarry the operator answer, andEventSubscriptionRuntimeMetadataKeyskeeps theevent-subscriptionsownership, readiness, and runtime-state metadata stable for operator consumers; an empty binding catalog plusdeclared-onlyreadiness is a valid application-managed answer and Wolverine remains an optional provider-managed proof rather than an engine requirement - when a provider pack truthfully stages durable outbox messages and can persist dispatch outcomes, register
IEventDispatchStorealongsideIOutboxso consumer-managed and adapter-managed dispatch can reuse the same provider contract without host-specific glue - current provider-native dispatch-store coverage now includes Entity Framework, MongoDB, Redis, Elasticsearch, OpenSearch, Neo4j, Qdrant, NATS, and Cassandra; Cassandra now uses a deterministic message-sharded pending-dispatch index so wide-column workloads can answer due-event queries truthfully without pretending to be a globally ordered queue, while ClickHouse now stays explicit as a staging-only outbox with
DispatchPolicy.PolicyId = unsupporteduntil a truthful mutable pending-dispatch design exists - phase 11 resilience work now has the contract-first baseline plus shipped follow-through slices:
Engine:Resilience,AppProfile.Resilience, and/engine/resilienceremain the public source of truth for requestedRetry,Timeout,CircuitBreaker,Bulkhead, andRateLimitingintent, ASP.NET Core projects effective public-HTTP enforcement throughIRateLimitingRuntimeCatalog,/engine/rate-limiting, andsnapshot.RateLimitingPolicieswith operator/docs route exclusions plus endpoint-scoped override metadata fromEngine:Resilience:RateLimiting:Overrides, and that same host runtime now keeps long-lived stream-versus-connection truth visible there throughtransportKind,transportSemantics,enforcementMoment, andlongLivedTransportIdswhile the built-in GraphQL adapter maps explicit/graphql,/graphql/schema,/graphql-sse, and/graphql-wssurfaces under the shared prefix contract. The shared GraphQL transport authoring layer now also exposesConfigureGraphQLMutation(...)andConfigureGraphQLSubscription(...), so modules can contribute mutation and subscription roots without dropping to raw request-executor hooks, while the built-in hosting coverage now proves configured schema, SSE, and WebSocket routes through real SDL downloads,text/event-streampayloads, andgraphql-transport-wsframes instead of path-only reachability.Cephalon.Behaviorsnow projects effective behavior-execution retry, timeout, circuit-breaker, bulkhead, and rate-limiting enforcement throughIBehaviorResilienceRuntimeCatalog,/engine/behavior-resilience, andsnapshot.BehaviorResiliencePolicies. That behavior-execution layer now also resolves additiveEngine:Resilience:BehaviorExecution:Overridesentries withbehavior+transport > behavior > transport > defaultprecedence, keeps explicit disable overrides visible in the runtime catalog, lets the REST helper layer translate the still-effective timeout or open-circuit answers into503plus bulkhead or behavior-execution rate-limiting answers into429with per-route OpenAPI metadata, and now shares that same resilience-fault translation across the generic behavior HTTP GraphQL, JSON-RPC, GraphQL-SSE, GraphQL-WS, SSE, and WebSocket adapters so those transports keep protocol-native rate-limiting, timeout, and open-circuit envelopes instead of flattening shared behavior-dispatch rejections into generic failures. It also carries explicit behavior-authored idempotency throughBehaviorIdempotencyAttributesoResolve(behaviorId, transportId)can surface retry eligibility aseligible,ineligible, orunknownwhile the shared pipeline only replays explicitly idempotent transient failures with effective retry backoff/jitter settings. When a REST route keeps both the ASP.NET Core endpoint limiter and the behavior-dispatch limiter active, the host limiter rejects first and surfaces the host-owned429envelope unless anEngine:Resilience:RateLimiting:Overridesentry disables that endpoint policy for the targeted behavior/transport pair; broader non-REST resilience-envelope semantics beyond the shipped429/503baseline remain later slices - the built-in pattern taxonomy now includes
onion-architecture,anti-corruption-layer,strangler-fig, andbackend-for-frontend; future architecture guidance should treat those as shipped runtime-app-model descriptors rather than pending recommendations only, while remembering that broader provider-specific ingress or edge automation, broader non-REST frontend materialization, and provider-specific feature-flag packs are still separate work - the current phase 12 strangler-fig baseline follows the same contributor/registry/catalog pattern as other engine surfaces: modules or hosts contribute
StranglerFigRouteDescriptorentries, the engine composes them intoIStranglerFigRuntimeCatalogandsnapshot.StranglerFigRoutes,Engine:Migration:StranglerFigoverlays deterministic default plus per-route target/progress policy throughIStranglerFigMigrationRuntimeCatalogandsnapshot.StranglerFigRoutePolicies, and the engine-first ingress follow-through now also projects normalized materialization answers throughIStranglerFigIngressRuntimeCatalogandsnapshot.StranglerFigIngressRoutes. ASP.NET Core now exposes/engine/strangler-fig,/engine/strangler-fig/runtime,/engine/strangler-fig/ingress,/engine/strangler-fig/resolve,/engine/strangler-fig/cutover, and/engine/strangler-fig/cutover/resolve; whenEngine:Migration:StranglerFig:AspNetCoreis enabled, rooted local selected endpoints rewrite in-process, absolute HTTP or HTTPS selected endpoints redirect or proxy, and unsupported or opaque selected endpoints fail truthfully with502without introducing a second source of cutover truth outside the shared runtime catalogs - the current phase 12 backend-for-frontend baseline follows that same contributor/registry/catalog pattern: modules or hosts contribute
BackendForFrontendClientBindingDescriptorentries,Engine:BackendForFrontend:Bindingscan contribute the same shape from configuration, the engine composes them intoIBackendForFrontendRuntimeCatalogandsnapshot.BackendForFrontendBindings, thebackend-for-frontendpattern now auto-selects when bindings exist, and ASP.NET Core now exposes/engine/backend-for-frontendplus client/module/transport drill-down routes. The first client-aware REST follow-through now stays on that same truth path too: ASP.NET Core derivesIBackendForFrontendRestRuntimeCatalog,/engine/backend-for-frontend/rest-endpoints, andsnapshot.BackendForFrontendRestEndpointsfrom the shared binding catalog plus the published REST endpoint catalog instead of creating host-only truth. The first REST documentation/materialization follow-through also stays on that same truth path: ASP.NET Core now derivesIBackendForFrontendRestDocumentRuntimeCatalog,/engine/backend-for-frontend/rest-documents, scope-specific filtered OpenAPI routes, scope-aware Scalar pages, andsnapshot.BackendForFrontendRestDocumentsfrom those same shared runtime answers plus the normal host OpenAPI settings instead of inventing a separate documentation registry. Broader non-REST frontend materialization remains later work - the current phase 12 feature-flag baseline follows that same contributor/registry/catalog pattern: hosts can add
FeatureFlagDescriptorentries directly,Engine:Featurescan contribute the same shape from configuration, modules can contribute module-owned flags throughIFeatureFlagContributor, and the engine now composes that merged answer intoIFeatureFlagRuntimeCatalog,IFeatureToggle, andsnapshot.FeatureFlags. ASP.NET Core now exposes/engine/featuresplus enabled, disabled, source-module, id, and evaluate routes from that same shared truth. Module-contributed flags must declareSourceKind.Modulewith a matchingSourceModuleId, duplicate ids fail composition deterministically, and the current baseline intentionally does not advertise aruntime.feature-flagscapability because runtime capability provenance is still module-based - that same phase 12 feature-flag baseline now also has the first shared behavior-consumption follow-through: behavior topology descriptors can carry ordered required feature ids plus owning module identity, the shared pipeline evaluates those gates through
IFeatureToggle, source-generated topology literals preserve the same declarations, runtime metadata reports feature-gated behavior counts plus per-behavior required ids, and transport adapters now map the resultingBehaviorFeatureDisabledExceptioninto transport-appropriate outcomes instead of inventing a second host-only rollout registry Cephalon.Eventing.Behaviorsis now the explicit phase-12 bridge betweenISagaChoreographyPublisherand the shared outbox-backedCephalon.Eventingpublish path; keep choreography authoring ownership inCephalon.Behaviors.Patterns, keep staged publication ownership inCephalon.Eventing, and useAddBehaviorEventingBridge()instead of silently wiring choreography handoff through baseline eventing enablement- the current phase 12 saga choreography authoring-helper follow-through stays on that same truth path too: keep higher-level helper ownership in
Cephalon.Behaviors.PatternsthroughISagaChoreographyStepResult,ISagaEventReactor<TEvent>,ISagaEventReactor<TEvent, TOutput>,SagaChoreographyStepResult<TOutput>, and the typed JSON helper factories onSagaChoreographyPublication; letChoreographySagaExecutionStrategynormalize those additive contracts into the sameISagaChoreographyPublisherhandoff; and do not move serializer, publication, or runtime-source-of-truth ownership intoCephalon.Eventing.Behaviors AddBehaviorPatterns()defaults are now fallback-friendly (TryAddSingleton/TryAddEnumerable) so explicit saga publisher, saga-store, checkpoint-store, and strategy registrations can coexist with the eventing bridge without registration-order traps; the engine-managed bridge only advertises capability/runtime-surface truth when it owns the effectiveISagaChoreographyPublisherregistration, while deeper post-composition override truth remains separate future work if hosts need runtime catalogs to observe later service replacement- the current phase 12 durable-execution follow-through stays on the same contributor/registry/catalog path as other engine surfaces:
AddBehaviorPatterns()now registers bothIDurableExecutionRuntimeCatalogandIDurableExecutionRuntimeStateCatalog,Cephalon.Behaviors.Patternsderives the static catalog fromIBehaviorCatalogplusIBehaviorTypeRegistryand reports per-stream live posture fromDurableExecutionStrategyitself,Cephalon.Enginenow projects bothsnapshot.DurableExecutionsandsnapshot.DurableExecutionStates, and ASP.NET Core now exposes/engine/durable-executionsplus/engine/durable-executions/runtimedrill-down routes; the timer/signal follow-through now keeps pending timer/signal coordination on that same runtime-state catalog throughDurableExecutionPendingTimer,DurableExecutionPendingSignal, thewaitingposture, and the pending timer/signal filter routes, and the compensation-helper follow-through now keeps operator-facingDurableExecutionCompensationActionmetadata on that same runtime-state catalog through the compensation filter routes instead of creating a second workflow registry
Working assumptions for contributors
Section titled “Working assumptions for contributors”Unless the code clearly proves otherwise, contributors should assume:
- host adapters should stay thin
- reusable behavior belongs in engine services, modules, or companion packs rather than in app hosts
- deterministic ordering and explicit registration beat ambient discovery magic
- any public runtime, package, or diagnostics surface may also have docs, sample, scaffold, template, and validation-script follow-through
- hand-authored docs are part of the product and should be kept truthful when shipped behavior changes
- documents under
docs/*often cross-reference one another, so code changes may require multi-file doc updates across hubs, component pages, operations guides, compatibility guidance, roadmap/backlog notes, and related adoption docs - GitHub Project tracking should stay readable on its own, with complete card descriptions and the expected planning fields filled in so another contributor can understand scope, validation, timing, and dependencies quickly
- GitHub Project history should remain traceable from the card itself, including comment-level references to relevant commit ids as work lands
- meaningful work should appear in both repo-owned planning/docs surfaces and GitHub Project tracking; if one side is missing, treat the planning record as incomplete
- the durable written project record should stay in English so docs, commits, cards, and related planning artifacts read consistently across the repository
- XML comments on public contracts are not optional polish; they are part of the supported documentation surface
Current next-look areas
Section titled “Current next-look areas”If you need to resume deeper analysis later, the most likely next focus areas are:
Cephalon.Engineruntime, package, trust, and introspection internalsCephalon.Behaviorsand the ABT pipeline, strategies, and transport bindings- REST authoring is now mostly in adoption and closeout mode: keep the engine-first module-owned strategy, grouped shorthand/runtime-truth surfaces, and the
cephalon-rest-behavior-modulestarter stable, and only revisit new publication sources when they preserve ownership, deterministic precedence, and the existing runtime-catalog/operator-story contract - phase 13 now has shipped cell-boundary, cell-route, cell-health-isolation, configuration-driven cell-traffic-automation, provider-aware and edge-aware cell-traffic-automation targeting, the first provider-managed cell traffic materializer baseline, the first edge-runtime cell traffic materializer baseline, richer multi-provider reconciliation over that shared traffic catalog, the first provider-specific control-plane materializer through
Cephalon.Edge.KubernetesGateway, the first live Kubernetes Gateway observation overlay throughICellTrafficAutomationMaterializationReportSinkplus opt-inobserve-onlypolling, the first ownedHTTPRouteapply-and-reconcile baseline throughKubernetesGatewayTrafficObservationModes.ApplyAndReconcile, the second provider-specific control-plane materializer throughCephalon.Edge.Traefik, the first live Traefik observation overlay throughTraefikTrafficObservationModesplus opt-inobserve-onlypolling, the first ownedIngressRouteapply-and-reconcile baseline throughTraefikTrafficObservationModes.ApplyAndReconcile, the first provider-native lifecycle execution hardening baseline throughENG-146, the first opt-in provider-native cleanup sweep baseline throughENG-147, the second provider-native CDC runner plus first relational CDC proof throughENG-148, the richer external CDC reporting hardening baseline throughENG-149, the richer provider-native condition-semantics baseline throughENG-150, the third provider-native CDC runner plus first logical-replication streaming proof throughENG-153, the PostgreSQL publication/slot lifecycle plus restart-resume hardening follow-through throughENG-154, the richer external failover/takeover baseline throughENG-155, the richer multi-reporter reconciliation baseline throughENG-156, the stronger reporter takeover/degraded-posture hardening follow-through throughENG-157, and the fourth provider-native CDC runner plus first MySQL binlog proof throughENG-158, which together keepRecreateSlotIfInvalidated, additive slot lifecycle plus failure metadata, inactive invalidated-slot recreation, slot-confirmed-flush resume truth, participant-level reporter truth, stable takeover-state answers, degraded-reason classification, durable MySQLbinlogFile|positioncheckpoints, and bounded initial-position plus resume-mode truth on the same shared/engine/cdc-*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces; keepcell-based-architectureas a technology/profile concern instead of a new blueprint, preserve cell ownership throughCellBoundaryDescriptor.SourceModuleId,CellRouteDescriptor.SourceModuleId, andCellHealthIsolationDescriptor.SourceModuleId, keep automation overlays additive throughEngine:Cells:TrafficAutomation,CellTrafficAutomationRuntimeDescriptor.ProviderId,CellTrafficAutomationRuntimeDescriptor.EdgeNodeIds,CellTrafficAutomationRuntimeDescriptor.ProviderMaterializerId,CellTrafficAutomationRuntimeDescriptor.ProviderMaterializationState,CellTrafficAutomationRuntimeDescriptor.EdgeMaterializerId,CellTrafficAutomationRuntimeDescriptor.EdgeMaterializationState, the derivedCellTrafficAutomationRuntimeDescriptor.MaterializationState, andCellTrafficAutomationRuntimeDescriptor.MaterializationConditions, keep traffic materialization grounded inCellTrafficAutomationMaterializationResult,CellTrafficAutomationMaterializationStates,CellTrafficAutomationMaterializationConditionDescriptor,ICellTrafficAutomationProviderMaterializer,ICellTrafficAutomationEdgeMaterializer, andICellTrafficAutomationMaterializationReportSink, keep provider-managed and edge-managed reconciliation plus deterministic selection rationale on the shared/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andcell-traffic-automationstechnology surface instead of a second traffic registry, keep provider-specific control-plane projection, live observation, owned-route apply semantics, additive cleanup-sweep posture, and typed provider conditions throughCephalon.Edge.KubernetesGateway,KubernetesGatewayTrafficMaterializerOptions,KubernetesGatewayTrafficObservationOptions,KubernetesGatewayTrafficRouteOptions,KubernetesGatewayTrafficObservationModes,providerMaterialization.providerRouteId, and thekubernetes-gateway-traffic-materializationstechnology surface while remaining truthful aboutstatusSource = configured-intent,statusSource = gateway-api-status, andstatusSource = control-plane-apply, keep second-provider projection, live observation, owned-route apply semantics, additive cleanup-sweep posture, and typed provider conditions throughCephalon.Edge.Traefik,TraefikTrafficMaterializerOptions,TraefikTrafficObservationModes,TraefikTrafficObservationOptions,TraefikIngressRouteOptions,TraefikMiddlewareReferenceOptions,providerMaterialization.providerRouteId, and thetraefik-ingressroute-traffic-materializationstechnology surface while remaining truthful aboutstatusSource = configured-intent,statusSource = traefik-ingressroute-observation, andstatusSource = control-plane-apply, keep explicit external-conflict versus orphaned-transfer semantics plus mergedcreate/replace/transferlifecycle truth and additive cleanup summaries on those same provider-specific surfaces instead of a second lifecycle registry, keep data mesh ownership grounded inDataProductDescriptor.SourceModuleId,DomainId,ContractId, andMode, keep CDC ownership grounded inCdcCaptureDescriptor.SourceModuleId,Provider,SourceId,OutboxId,Mode,ExecutionBinding, and provider-contribution metadata when packs contribute on behalf of another module, keep shared CDC execution grounded inICdcCapture.CdcCaptureId,CdcCaptureExecutionResult,CdcCaptureExecutionAcknowledgement,ICdcCaptureAcknowledger,IOutbox.OutboxId,data.cdc.execution,/engine/execution-graphs,/engine/hosted-executions, and/engine/runtime-story, keep provider-native CDC execution grounded indata.cdc.mongodb,mongodb-change-stream-capture-flow,mongodb-change-stream-capture-pump,data.cdc.sqlserver,sqlserver-cdc-capture-flow,sqlserver-cdc-capture-pump,data.cdc.postgresql,postgresql-logical-replication-capture-flow,postgresql-logical-replication-capture-pump,data.cdc.mysql,mysql-binlog-capture-flow,mysql-binlog-capture-pump, additive slot lifecycle metadata, durable resume-token plus LSN plus slot-backed logical-replication checkpoints, durable MySQL file-plus-position checkpoints, and the same/engine/cdc-captures*,/engine/cdc-captures/runtime*, and/engine/cdc-capture-runtimes*surfaces, keep execution-topology truth grounded inCdcCaptureExecutionRuntimeDescriptor,CdcCaptureExecutionRuntimeSummary,ICdcCaptureExecutionRuntimeCatalog,DataRuntimeOptions.CdcExecutionRuntimes,/engine/cdc-capture-runtimes,/engine/cdc-captures/execution-runtimes/{executionRuntimeId},/engine/cdc-captures/runtime/execution-runtimes/{executionRuntimeId},ICdcCaptureExecutionRuntimeReportSink, andPOST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports, keep live CDC posture grounded inCdcCaptureRuntimeStateplus optional linkedOutboxDispatchState, and keep any later provider-specific automation, data-product, CDC execution, or richer traffic-materialization follow-through additive over/engine/cells,/engine/cell-routes,/engine/cell-health-isolations,/engine/cell-traffic-automations,/engine/cell-traffic-automations/providers/{providerId},/engine/cell-traffic-automations/edge-nodes/{edgeNodeId},/engine/data-products,/engine/cdc-captures,/engine/cdc-captures/runtime,/engine/cdc-capture-runtimes,/engine/execution-graphs,/engine/hosted-executions,/engine/runtime-story,/engine/technology-surfaces,snapshot.CellBoundaries,snapshot.CellRoutes,snapshot.CellHealthIsolations,snapshot.CellTrafficAutomations,snapshot.DataProducts,snapshot.CdcCaptures,snapshot.CdcCaptureStates,snapshot.CdcCaptureExecutionRuntimes,snapshot.ExecutionGraphs,snapshot.HostedExecutions, andsnapshot.OperationalStory - the 2026-04-22
ENG-151slice shipped the broader dependency-aware teardown baseline:providerMaterialization.cleanup*and provider-specific technology surfaces now publishcleanupStrategyplus primary/dependency cleanup breakdowns,Cephalon.Edge.KubernetesGatewaytruthfully staysprimary-onlyfor ownedHTTPRoutesweeps, andCephalon.Edge.Traefiknow sweeps safe ownedMiddlewareandTLSOptiondependents in addition toIngressRoutecleanup without inventing a second lifecycle registry - the 2026-04-22
ENG-152slice shipped the deeper external and edge-aware CDC execution-topology baseline: external reports now keep first-class reporter identity, reporter-lease expiry, and edge-node provenance on the shared runtime-state plus execution-runtime surfaces, while declared runtime policy can now reject conflicting reporters and undeclared edge nodes without inventing a second topology coordinator - the 2026-04-22
ENG-153slice shipped the PostgreSQL provider-native CDC baseline:Cephalon.Data.Postgresnow proves slot-backed logical-replication streaming on the same shared CDC descriptor, runtime-state, execution-runtime, execution-graph, hosted-execution, and runtime-story surfaces already used by MongoDB and SQL Server - the 2026-04-22
ENG-155slice shipped the richer external and edge-aware CDC failover/takeover baseline: external report ingestion now keeps typedReporterCoordinationon both per-capture and per-execution-runtime surfaces, rejected conflicting reporters are preserved as degraded coordination evidence, accepted post-expiry takeovers now keep previous-owner plus takeover timestamps, and the same shared/engine/cdc-*plussnapshotsurfaces now answer active-owner versus expired-lease versus conflicted posture without inventing a second topology coordinator - the 2026-04-22
ENG-156slice shipped richer multi-reporter reconciliation plus operator-story hardening on that same shared CDC runtime story: reporter coordination now keeps first-class participant-levelactive,standby, andrejectedtruth throughReporterParticipants,HasStandbyReporters, andHasRejectedReporters, while accepted takeovers keep previous owners visible as standby evidence and rejected conflicts stay visible without inventing a second coordination registry - the 2026-04-22
ENG-157slice shipped stronger reporter takeover and degraded-posture hardening on that same shared CDC runtime story:Cephalon.Abstractionsnow shipsCdcCaptureReporterCoordinationIssueReasonsplusCdcCaptureReporterTakeoverStates,CdcCaptureReporterCoordinationStatusnow carriesTakeoverState,DegradedReason,RequiresTakeover, andHasCompletedTakeover, andCephalon.Datanow distinguishes awaiting-takeover, rejected-conflict, and multiple-active ambiguity on the same shared/engine/cdc-*plussnapshotsurfaces without inventing a second operator taxonomy - the 2026-04-22
ENG-158slice shipped the MySQL provider-native CDC baseline:Cephalon.Data.MySqlnow proves bounded row-event binlog capture, durablebinlogFile|positioncheckpoints, provider-owned execution throughmysql-binlog-capture-flowplusmysql-binlog-capture-pump, and shared capture/runtime/execution-story truth on the same/engine/cdc-*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces already used by MongoDB, SQL Server, and PostgreSQL - the 2026-04-22
ENG-159slice shipped MySQL-specific lifecycle and resume hardening on that same shared CDC runtime story:MySqlBinlogCaptureOptionsnow supportsExpectedSourceServerUuid, the Cephalon-managed checkpoint table now keeps additiveSourceServerUuid,SourceServerId,GtidExecutedSet,BinlogFormat, andBinlogRowImagemetadata, and the same/engine/cdc-*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces now publish retained-binlog lifecycle posture, source-server identity truth, checkpoint provenance, and GTID observe-only metadata without inventing a MySQL-only lifecycle registry - the 2026-04-22
ENG-160slice shipped broader external CDC reporter rejoin and stale-conflict cleanup on that same shared runtime story:CdcCaptureReporterCoordinationStatusnow exposes additive participant-count helpers, later accepted reports now clear stale rejected-conflict evidence, and completed takeovers stop surfacing previous owners as standby participants once the replacement reporter reaffirms lease ownership while the same shared/engine/cdc-*plussnapshotsurfaces keep historical takeover fields available - the 2026-04-22
ENG-161slice shipped the Oracle provider-native CDC baseline:Cephalon.Data.Oraclenow proves committed-only LogMiner capture, bounded SCN-window execution, covering redo plus archive-log selection, durablecommitScn|changeScn|rsId|ssncheckpoints, provider-owned execution throughoracle-logminer-capture-flowplusoracle-logminer-capture-pump, and shared capture/runtime/execution-story truth on the same/engine/cdc-*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces already used by MongoDB, SQL Server, PostgreSQL, and MySQL - the 2026-04-22
ENG-162slice shipped Oracle-specific lifecycle and resume hardening on that same shared CDC runtime story:OracleLogMinerCaptureOptionsnow supportsExpectedDatabaseId,ExpectedDatabaseUniqueName, andResumeFromEarliestAvailableScnIfCheckpointUnavailable, the Cephalon-managed checkpoint table now keeps additiveDatabaseId,DatabaseUniqueName,ResetLogsChangeNumber,ArchiveLogMode, andSupplementalLogDataMinmetadata, and the same/engine/cdc-*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces now publishdatabaseIdentity*,archiveLogLifecycle*, and checkpoint-provenance truth without inventing an Oracle-only lifecycle registry - the 2026-04-22
ENG-163slice shipped broader external and edge-aware CDC operator-story drill-downs on that same shared runtime story:ICdcCaptureRuntimeStateCatalogplusICdcCaptureExecutionRuntimeCatalognow expose reporter-id, edge-node-id, coordination-state, and degraded-reason filters, and the same/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*, andsnapshotsurfaces now support reporter-first, edge-first, and degraded-posture operator readback without inventing a second coordination registry - the 2026-04-23
ENG-164slice shipped the Debezium external managed-connector CDC baseline:Cephalon.Data.Debeziumnow contributesDebeziumDataOptions,DebeziumConnectorOptions, andDebeziumCaptureOptions, publishes Debezium-managed runtime ownership through the shared/engine/cdc-*,/engine/runtime-story, andsnapshotsurfaces without faking a hosted execution or execution graph, and auto-registers the shared external runtime report sink whenever Debezium connectors are configured - the 2026-04-23
ENG-165slice shipped Debezium lifecycle and reconciliation hardening on that same shared CDC runtime story:DebeziumConnectorOptionsnow supportsManagementModeplusExpectedTaskCount, Debezium runtime reports now normalize raw connector/task metadata into stabledebezium*lifecycle and reconciliation answers, and the shared execution-runtime catalog now promotes runtime-scoped Debezium metadata back onto/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only lifecycle registry - the 2026-04-23
ENG-166slice shipped richer CDC operator-story rollups on that same shared external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeReporterCoordinationRollupplusCdcCaptureReporterCoordinationBreakdownEntry,CdcCaptureExecutionRuntimeSummarynow carries additiveReporterCoordinationRollup, and the shared execution-runtime catalog now projects coordination-state breakdowns, degraded-reason breakdowns, active/standby/rejected reporter ids, and degraded capture ids back onto/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a second coordination registry - the 2026-04-23
ENG-167slice shipped broader external-runtime reporting-coverage hardening on that same shared runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeReportingCoverageStatesplusCdcCaptureExecutionRuntimeReportingCoverageStatus,CdcCaptureExecutionRuntimeSummarynow carries additiveReportingCoverageplusHasUnreportedDeclaredCaptures/HasFullCaptureCoverage, and the shared execution-runtime catalog now derivesReportedCdcCaptureIdsplusnot-bound/unreported/partially-reported/fully-reportedposture only from captures that have submitted real observations instead of descriptor-backed placeholder state - the 2026-04-23
ENG-168slice shipped external-runtime remediation summaries and drill-downs on that same shared runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeRemediationStates,CdcCaptureExecutionRuntimeRemediationCategories, andCdcCaptureExecutionRuntimeRemediationStatus,CdcCaptureExecutionRuntimeSummarynow carries additiveRemediationplusRequiresRemediation/HasBlockingRemediation, and the shared execution-runtime catalog now derivesready/attention/blockedposture plus active remediation categories from resolved capture ownership instead of only the raw authored runtime descriptor ids - the 2026-04-23
ENG-169slice shipped the first shared managed-connector governance baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorGovernanceStates,CdcCaptureExecutionRuntimeManagedConnectorGovernanceCategories,CdcCaptureExecutionRuntimeManagedConnectorGovernanceActionIds, andCdcCaptureExecutionRuntimeManagedConnectorGovernanceStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorGovernance, Debezium now normalizes sharedmanagedConnector*metadata beside existingdebezium*metadata, and the shared execution-runtime catalog now derivesobserve-only/future-control-plane/out-of-policyposture plus governance categories and drill-down routes on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only governance registry - the 2026-04-23
ENG-170slice shipped the first shared desired-versus-observed managed-connector drift baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorDriftStates,CdcCaptureExecutionRuntimeManagedConnectorDriftCategories,CdcCaptureExecutionRuntimeManagedConnectorDriftActionIds, andCdcCaptureExecutionRuntimeManagedConnectorDriftStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorDrift, Debezium now normalizes declared-versus-reported sharedmanagedConnector*identity metadata beside existingdebezium*metadata, and the shared execution-runtime catalog now derivesnot-applicable/unknown/in-sync/driftedposture plus drift drill-down routes on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only drift registry - the 2026-04-23
ENG-171slice shipped the first shared managed-connector action-planning baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorActionPlanStates,CdcCaptureExecutionRuntimeManagedConnectorActionPlanCategories,CdcCaptureExecutionRuntimeManagedConnectorActionPlanActionIds, andCdcCaptureExecutionRuntimeManagedConnectorActionPlanStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorActionPlan, and the shared execution-runtime catalog now derivesnot-applicable/observe/waiting/action-required/blockedposture plus action ids and drill-down routes from the merged remediation, governance, and drift answers on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only action-planning registry - the 2026-04-23
ENG-172slice shipped the first shared managed-connector write-path readiness baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorWritePathReadinessStates,CdcCaptureExecutionRuntimeManagedConnectorWritePathReadinessCategories, andCdcCaptureExecutionRuntimeManagedConnectorWritePathReadinessStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorWritePathReadiness, and the shared execution-runtime catalog now derivesnot-applicable/deferred/not-ready/ready/blockedposture plus readiness categories and drill-down routes from merged coverage, remediation, governance, drift, and action-planning truth on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only readiness registry - the 2026-04-23
ENG-173slice shipped the first shared managed-connector preflight baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorPreflightStates,CdcCaptureExecutionRuntimeManagedConnectorPreflightCategories,CdcCaptureExecutionRuntimeManagedConnectorPreflightOperationIds, andCdcCaptureExecutionRuntimeManagedConnectorPreflightStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorPreflight, and the shared execution-runtime catalog now derivesnot-applicable/deferred/not-ready/ready/blockedposture plus preflight categories and operation ids from merged coverage, remediation, governance, drift, action-planning, and write-path-readiness truth on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only preflight registry - the 2026-04-23
ENG-174slice shipped the first shared managed-connector dry-run baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorDryRunStates,CdcCaptureExecutionRuntimeManagedConnectorDryRunCategories,CdcCaptureExecutionRuntimeManagedConnectorDryRunOperationIds, andCdcCaptureExecutionRuntimeManagedConnectorDryRunStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorDryRun, and the shared execution-runtime catalog now derivesnot-applicable/deferred/blocked/no-op/would-changeposture plus dry-run categories and operation ids from merged coverage, remediation, governance, drift, action-planning, write-path-readiness, and preflight truth on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only dry-run registry - the 2026-04-23
ENG-175slice shipped the first shared managed-connector execution-intent baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorExecutionIntentStates,CdcCaptureExecutionRuntimeManagedConnectorExecutionIntentCategories,CdcCaptureExecutionRuntimeManagedConnectorExecutionIntentOperationIds,CdcCaptureExecutionRuntimeManagedConnectorExecutionIntentSources, andCdcCaptureExecutionRuntimeManagedConnectorExecutionIntentStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorExecutionIntent, and the shared execution-runtime catalog now derivesnot-applicable/deferred/blocked/operator-action/requires-approval/ready-to-executeposture plus execution-intent categories, operation ids, confidence-source truth, and operator-versus-future-engine follow-through on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only execution planner - the 2026-04-23
ENG-176slice shipped the first shared managed-connector execution-approval and safety-gating baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorExecutionApprovalStates,CdcCaptureExecutionRuntimeManagedConnectorExecutionApprovalCategories,CdcCaptureExecutionRuntimeManagedConnectorExecutionApprovalOperationIds,CdcCaptureExecutionRuntimeManagedConnectorExecutionApprovalSources, andCdcCaptureExecutionRuntimeManagedConnectorExecutionApprovalStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorExecutionApproval, and the shared execution-runtime catalog now derivesnot-applicable/auto-blocked/policy-blocked/approval-required/approval-ready/auto-eligibleposture plus execution-approval categories, operation ids, safety-gating source truth, and explicit-approval posture on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only approval registry - the 2026-04-23
ENG-177slice shipped the first shared managed-connector write-path command-envelope baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCommandEnvelopeStates,CdcCaptureExecutionRuntimeManagedConnectorCommandEnvelopeCategories,CdcCaptureExecutionRuntimeManagedConnectorCommandEnvelopeOperationIds,CdcCaptureExecutionRuntimeManagedConnectorCommandEnvelopeSources, andCdcCaptureExecutionRuntimeManagedConnectorCommandEnvelopeStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandEnvelope, and the shared execution-runtime catalog now derivesnot-applicable/blocked/operator-only/approval-gated/engine-readyposture plus command-envelope categories, operation ids, source truth, target identity, deterministic command fingerprints, and safety flags on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only execution registry - the 2026-04-23
ENG-178slice shipped the first shared managed-connector command-issuance baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCommandIssuanceStates,CdcCaptureExecutionRuntimeManagedConnectorCommandIssuanceCategories,CdcCaptureExecutionRuntimeManagedConnectorCommandIssuanceOperationIds,CdcCaptureExecutionRuntimeManagedConnectorCommandIssuanceSources, andCdcCaptureExecutionRuntimeManagedConnectorCommandIssuanceStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandIssuance, and the shared execution-runtime catalog now derivesnot-applicable/blocked/operator-only/accepted/rejected/issuedposture plus command-issuance categories, operation ids, issuance source truth, deterministic issuance fingerprints, and safety flags on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a Debezium-only issuance registry - the 2026-04-23
ENG-179slice shipped the first shared managed-connector provider execution-adapter baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterStates,CdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterCategories,CdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterOperationIds,CdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterSources,CdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterIds,CdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterStatus,CdcCaptureExecutionRuntimeManagedConnectorCommandExecutionStates,CdcCaptureExecutionRuntimeManagedConnectorCommandExecutionRequest,CdcCaptureExecutionRuntimeManagedConnectorCommandExecutionResult,ICdcCaptureExecutionRuntimeManagedConnectorExecutionAdapter, andICdcCaptureExecutionRuntimeManagedConnectorCommandExecutor,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorExecutionAdapter, the shared execution-runtime catalog now derivesnot-applicable/blocked/operator-only/unavailable/readyposture plus execution-adapter categories, operation ids, adapter identity, deterministic adapter fingerprints, and provider-ready safety flags on/engine/cdc-capture-runtimes*plussnapshot.CdcCaptureExecutionRuntimes, andCephalon.Data.Debeziumnow proves the first provider translation lane by mapping shared pause/resume/restart/delete intent into Debezium or Kafka Connect REST command shape without inventing a second coordinator or control-plane registry - the 2026-04-23
ENG-180slice shipped the first shared managed-connector execution outcome/history baseline on that same external runtime story:CdcCaptureExecutionRuntimeManagedConnectorCommandExecutionStatesnow also exposes stableunrecorded,CdcCaptureExecutionRuntimeManagedConnectorCommandExecutionResultnow carries additiveAttemptId,RecordedAtUtc,IsUnrecorded, andHasRecordedOutcome,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandExecution, the shared execution-runtime catalog now projects latest command-execution posture plus bounded recent history throughGetByManagedConnectorCommandExecutionState(...),GetByManagedConnectorCommandExecutionOperationId(...), andGetManagedConnectorCommandExecutionHistory(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/command-executions/{executionState},/engine/cdc-capture-runtimes/command-executions/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/command-executionson the existing shared route family without inventing a Debezium-only execution journal - the 2026-04-23
ENG-181slice shipped the first shared managed-connector retry/idempotency hardening baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCommandRetryStates,CdcCaptureExecutionRuntimeManagedConnectorCommandRetryCategories,CdcCaptureExecutionRuntimeManagedConnectorCommandRetryOperationIds,CdcCaptureExecutionRuntimeManagedConnectorCommandRetrySources, andCdcCaptureExecutionRuntimeManagedConnectorCommandRetryStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandRetry, the shared execution-runtime catalog now derivesnot-applicable/not-needed/duplicate/cooldown/retry-blocked/operator-only/retry-eligibleposture plus retry categories, operation ids, source truth, cooldown windows, fingerprint matching, and latest-attempt context throughGetByManagedConnectorCommandRetryState(...),GetByManagedConnectorCommandRetryCategory(...), andGetByManagedConnectorCommandRetryOperationId(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/command-retries/{retryState},/engine/cdc-capture-runtimes/command-retries/categories/{retryCategory}, and/engine/cdc-capture-runtimes/command-retries/operations/{operationId}on the existing shared route family without inventing a Debezium-only retry registry - the 2026-04-23
ENG-182slice shipped the first shared managed-connector retry-execution policy baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorRetryExecutionPolicyStates,CdcCaptureExecutionRuntimeManagedConnectorRetryExecutionPolicyCategories,CdcCaptureExecutionRuntimeManagedConnectorRetryExecutionPolicyOperationIds,CdcCaptureExecutionRuntimeManagedConnectorRetryExecutionPolicySources, andCdcCaptureExecutionRuntimeManagedConnectorRetryExecutionPolicyStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorRetryExecutionPolicy, the shared execution-runtime catalog now derivesnot-applicable/not-needed/cooldown/manual-approval/policy-blocked/operator-only/background-retry-disabledposture plus policy categories, operation ids, source truth, retry fingerprints, cooldown windows, and latest-attempt context throughGetByManagedConnectorRetryExecutionPolicyState(...),GetByManagedConnectorRetryExecutionPolicyCategory(...), andGetByManagedConnectorRetryExecutionPolicyOperationId(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/retry-execution-policies/{policyState},/engine/cdc-capture-runtimes/retry-execution-policies/categories/{policyCategory}, and/engine/cdc-capture-runtimes/retry-execution-policies/operations/{operationId}on the existing shared route family without inventing a Debezium-only retry-policy registry - the 2026-04-24
ENG-183slice shipped the first shared managed-connector bounded command-journal hardening baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCommandJournalStates,CdcCaptureExecutionRuntimeManagedConnectorCommandJournalCategories,CdcCaptureExecutionRuntimeManagedConnectorCommandJournalOperationIds,CdcCaptureExecutionRuntimeManagedConnectorCommandJournalSources, andCdcCaptureExecutionRuntimeManagedConnectorCommandJournalStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandJournal, the shared execution-runtime catalog now derivesnot-applicable/empty/bounded/truncated/cooldown-active/duplicate-evidence-present/insufficient-for-automationposture plus journal categories, operation ids, source truth, retained-versus-recorded history counts, fingerprint matching, cooldown windows, and latest-versus-oldest retained attempt metadata throughGetByManagedConnectorCommandJournalState(...)andGetByManagedConnectorCommandJournalCategory(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/command-journals/{journalState},/engine/cdc-capture-runtimes/command-journals/categories/{journalCategory}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/command-journalon the existing shared route family without inventing a Debezium-only durable journal or second coordinator - the 2026-04-24
ENG-184slice shipped the first shared managed-connector automatic background retry execution baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryExecutionStates,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryExecutionCategories,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryExecutionOperationIds,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryExecutionSources,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryExecutionStatus, andCdcCaptureExecutionRuntimeManagedConnectorCommandExecutionInvocationSources,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorAutomaticRetryExecution, the shared execution-runtime catalog now derivesnot-applicable/disabled/blocked/eligible/completedposture plus automatic-retry categories, operation ids, source truth, matching approval and destructive-allowance reuse flags, cooldown windows, retry and execution fingerprints, latest automatic-attempt metadata, and operator-versus-automatic invocation-source truth throughGetByManagedConnectorAutomaticRetryExecutionState(...),GetByManagedConnectorAutomaticRetryExecutionCategory(...), andGetByManagedConnectorAutomaticRetryExecutionOperationId(...),Cephalon.Datanow exposes the opt-inEnableManagedConnectorAutomaticRetryExecutionplusManagedConnectorAutomaticRetryPollingIntervalSecondshost policy and runs the bounded shared automatic retry lane throughManagedConnectorAutomaticRetryHostedService, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/automatic-retries/{automaticRetryState},/engine/cdc-capture-runtimes/automatic-retries/categories/{automaticRetryCategory}, and/engine/cdc-capture-runtimes/automatic-retries/operations/{operationId}on the existing shared route family without inventing a Debezium-only retry loop, durable distributed scheduler, or second coordinator - the 2026-04-24
ENG-185slice shipped the first shared managed-connector automatic background retry coordination baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryCoordinationStates,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryCoordinationCategories,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryCoordinationSources, andCdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryCoordinationStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorAutomaticRetryCoordination, the shared execution-runtime catalog now derivesnot-applicable/single-node/uncoordinated/lease-held/lease-missing/conflicted/operator-onlyposture plus coordination categories, coordination owner id, active reporter id, reporter-lease timing, execution ownership and topology source truth, andCanExecuteOnCurrentNodethroughGetByManagedConnectorAutomaticRetryCoordinationState(...),GetByManagedConnectorAutomaticRetryCoordinationCategory(...), andGetByManagedConnectorAutomaticRetryCoordinationOwnerId(...),Cephalon.Datanow exposes the host-levelManagedConnectorAutomaticRetryCoordinationOwnerIdpolicy and uses that shared answer to gate bothManagedConnectorAutomaticRetryHostedServiceand automatic invocations inManagedConnectorCommandExecutor, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/automatic-retry-coordinations/{coordinationState},/engine/cdc-capture-runtimes/automatic-retry-coordinations/categories/{coordinationCategory}, and/engine/cdc-capture-runtimes/automatic-retry-coordinations/owners/{ownerId}on the existing shared route family without inventing a durable distributed scheduler, a second coordination registry, or a Debezium-only multi-node retry loop - the 2026-04-24
ENG-186slice shipped the first shared managed-connector durable retry-journal baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCommandJournalDurabilityStates,CdcCaptureExecutionRuntimeManagedConnectorCommandJournalDurabilityCategories,CdcCaptureExecutionRuntimeManagedConnectorCommandJournalDurabilitySources, andCdcCaptureExecutionRuntimeManagedConnectorCommandJournalDurabilityStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandJournalDurability, the shared execution-runtime catalog now derivesnot-applicable/in-memory-only/persisted/recovered/recovery-failed/persistence-failedposture plus durability categories, persistence path, persisted-versus-recovered timestamps, retained-versus-recorded history counts, persisted/recovered-history flags, and source truth throughGetByManagedConnectorCommandJournalDurabilityState(...)andGetByManagedConnectorCommandJournalDurabilityCategory(...),Cephalon.Datanow exposes the host-levelManagedConnectorCommandJournalPersistencePathpolicy and persists bounded command history throughManagedConnectorCommandExecutionHistoryStoreso retry evidence can survive host restart, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/command-journal-durability/{durabilityState},/engine/cdc-capture-runtimes/command-journal-durability/categories/{durabilityCategory}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/command-journal-durabilityon the existing shared route family without inventing a second journal registry, durable distributed scheduler, or Debezium-only persistence subsystem - the 2026-04-24
ENG-187slice shipped the first shared managed-connector distributed retry lease and cross-node idempotency hardening baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorDistributedRetryLeaseStates,CdcCaptureExecutionRuntimeManagedConnectorDistributedRetryLeaseCategories,CdcCaptureExecutionRuntimeManagedConnectorDistributedRetryLeaseSources, andCdcCaptureExecutionRuntimeManagedConnectorDistributedRetryLeaseStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorDistributedRetryLease, the shared execution-runtime catalog now derivesnot-applicable/single-node/lease-held/lease-missing/lease-conflicted/idempotent-safe/idempotency-risk/operator-onlyposture plus lease categories, coordination-owner and active-reporter identity, retry-fingerprint and bounded-history evidence, durable-store and duplicate-attempt truth, andCanExecuteAutomaticRetryOnCurrentNodethroughGetByManagedConnectorDistributedRetryLeaseState(...),GetByManagedConnectorDistributedRetryLeaseCategory(...), andGetByManagedConnectorDistributedRetryLeaseOwnerId(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that richer cross-node answer instead of raw coordination alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/distributed-retry-leases/{leaseState},/engine/cdc-capture-runtimes/distributed-retry-leases/categories/{leaseCategory},/engine/cdc-capture-runtimes/distributed-retry-leases/owners/{ownerId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/distributed-retry-leaseon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only retry subsystem - the 2026-04-24
ENG-188slice shipped the first shared managed-connector distributed retry orchestration baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorDistributedRetryOrchestrationStates,CdcCaptureExecutionRuntimeManagedConnectorDistributedRetryOrchestrationCategories,CdcCaptureExecutionRuntimeManagedConnectorDistributedRetryOrchestrationSources, andCdcCaptureExecutionRuntimeManagedConnectorDistributedRetryOrchestrationStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorDistributedRetryOrchestration, the shared execution-runtime catalog now derivesnot-applicable/disabled/operator-only/cooldown/blocked/scheduled/completedposture plus orchestration categories, scheduler identity and polling metadata, owner/reporter identity, retry fingerprint and latest-attempt context, durable-history evidence, andCanScheduleAutomaticRetryOnCurrentNodethroughGetByManagedConnectorDistributedRetryOrchestrationState(...),GetByManagedConnectorDistributedRetryOrchestrationCategory(...), andGetByManagedConnectorDistributedRetryOrchestrationOwnerId(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that richer shared orchestration answer instead of raw lease checks, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/distributed-retry-orchestrations/{orchestrationState},/engine/cdc-capture-runtimes/distributed-retry-orchestrations/categories/{orchestrationCategory},/engine/cdc-capture-runtimes/distributed-retry-orchestrations/owners/{ownerId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/distributed-retry-orchestrationon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only scheduler lane - the 2026-04-24
ENG-189slice shipped the first shared managed-connector richer cross-node idempotency hardening baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCrossNodeIdempotencyHardeningStates,CdcCaptureExecutionRuntimeManagedConnectorCrossNodeIdempotencyHardeningCategories,CdcCaptureExecutionRuntimeManagedConnectorCrossNodeIdempotencyHardeningSources, andCdcCaptureExecutionRuntimeManagedConnectorCrossNodeIdempotencyHardeningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCrossNodeIdempotencyHardening, the shared execution-runtime catalog now derivesnot-applicable/operator-only/idempotent-safe/stale-owner-risk/duplicate-lineage-risk/replay-window-riskposture plus hardening categories, coordination-owner and active-reporter identity, retry fingerprint, retained-lineage and automatic-attempt evidence, durable-history truth, andCanExecuteAutomaticRetryOnCurrentNodethroughGetByManagedConnectorCrossNodeIdempotencyHardeningState(...),GetByManagedConnectorCrossNodeIdempotencyHardeningCategory(...),GetByManagedConnectorCrossNodeIdempotencyHardeningOwnerId(...), andGetByManagedConnectorCrossNodeIdempotencyHardeningRetryFingerprint(...),Cephalon.Datanow feeds that richer hardening answer back into distributed retry orchestration so bounded automatic retry scheduling no longer trusts raw lease truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/cross-node-idempotency-hardenings/{hardeningState},/engine/cdc-capture-runtimes/cross-node-idempotency-hardenings/categories/{hardeningCategory},/engine/cdc-capture-runtimes/cross-node-idempotency-hardenings/owners/{ownerId},/engine/cdc-capture-runtimes/cross-node-idempotency-hardenings/fingerprints/{retryFingerprint}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/cross-node-idempotency-hardeningon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only idempotency subsystem - the 2026-04-24
ENG-190slice shipped the first shared managed-connector broader multi-node lease-execution baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorMultiNodeLeaseExecutionStates,CdcCaptureExecutionRuntimeManagedConnectorMultiNodeLeaseExecutionCategories,CdcCaptureExecutionRuntimeManagedConnectorMultiNodeLeaseExecutionSources, andCdcCaptureExecutionRuntimeManagedConnectorMultiNodeLeaseExecutionStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorMultiNodeLeaseExecution, the shared execution-runtime catalog now derivesnot-applicable/operator-only/single-node/lease-executable/lease-blocked/lease-conflicted/stale-lease-riskposture plus lease-execution categories, coordination-owner and active-reporter identity, scheduler identity and polling metadata, retry fingerprint, latest automatic-attempt evidence, andCanExecuteAutomaticRetryOnCurrentNodethroughGetByManagedConnectorMultiNodeLeaseExecutionState(...),GetByManagedConnectorMultiNodeLeaseExecutionCategory(...), andGetByManagedConnectorMultiNodeLeaseExecutionOwnerId(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that broader multi-node lease-execution answer instead of distributed retry orchestration alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/multi-node-lease-executions/{leaseExecutionState},/engine/cdc-capture-runtimes/multi-node-lease-executions/categories/{leaseExecutionCategory},/engine/cdc-capture-runtimes/multi-node-lease-executions/owners/{ownerId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/multi-node-lease-executionon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only lease-execution subsystem - the 2026-04-24
ENG-191slice shipped the first shared managed-connector durable shared scheduler-orchestration baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorDurableSharedSchedulerOrchestrationStates,CdcCaptureExecutionRuntimeManagedConnectorDurableSharedSchedulerOrchestrationCategories,CdcCaptureExecutionRuntimeManagedConnectorDurableSharedSchedulerOrchestrationSources, andCdcCaptureExecutionRuntimeManagedConnectorDurableSharedSchedulerOrchestrationStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorDurableSharedSchedulerOrchestration, the shared execution-runtime catalog now derivesnot-applicable/disabled/operator-only/unscheduled/scheduled/lease-blocked/recovery-needed/scheduler-conflictedposture plus scheduler categories, execution-runtime and capture identity, ownership/topology, coordination-owner and active-reporter identity, scheduler identity/kind, polling metadata, retry fingerprint, latest automatic-attempt evidence, durable-history truth, andCanScheduleAutomaticRetryOnCurrentNodethroughGetByManagedConnectorDurableSharedSchedulerOrchestrationState(...),GetByManagedConnectorDurableSharedSchedulerOrchestrationCategory(...), andGetByManagedConnectorDurableSharedSchedulerOrchestrationOwnerId(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that broader durable shared scheduler answer instead of broader multi-node lease-execution truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/durable-shared-scheduler-orchestrations/{schedulerState},/engine/cdc-capture-runtimes/durable-shared-scheduler-orchestrations/categories/{schedulerCategory},/engine/cdc-capture-runtimes/durable-shared-scheduler-orchestrations/owners/{ownerId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/durable-shared-scheduler-orchestrationon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only scheduler subsystem - the 2026-04-24
ENG-192slice shipped the first shared managed-connector scheduler recovery and execution-hardening baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorSchedulerRecoveryExecutionHardeningStates,CdcCaptureExecutionRuntimeManagedConnectorSchedulerRecoveryExecutionHardeningCategories,CdcCaptureExecutionRuntimeManagedConnectorSchedulerRecoveryExecutionHardeningSources, andCdcCaptureExecutionRuntimeManagedConnectorSchedulerRecoveryExecutionHardeningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorSchedulerRecoveryExecutionHardening, the shared execution-runtime catalog now derivesnot-applicable/operator-only/recovery-ready/recovery-blocked/replaying/execution-hardened/execution-riskposture plus categories, execution-runtime and capture identity, ownership/topology, coordination-owner and active-reporter identity, durable shared scheduler, broader multi-node lease-execution, distributed retry orchestration, command-journal durability, and latest command-execution truth, scheduler identity/kind, retry fingerprint, latest automatic-attempt evidence, durable-history truth, andCanExecuteAutomaticRetryOnCurrentNodethroughGetByManagedConnectorSchedulerRecoveryExecutionHardeningState(...),GetByManagedConnectorSchedulerRecoveryExecutionHardeningCategory(...),GetByManagedConnectorSchedulerRecoveryExecutionHardeningOwnerId(...), andGetByManagedConnectorSchedulerRecoveryExecutionHardeningRetryFingerprint(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that broader scheduler recovery and execution-hardening answer instead of durable shared scheduler truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/scheduler-recovery-execution-hardenings/{hardeningState},/engine/cdc-capture-runtimes/scheduler-recovery-execution-hardenings/categories/{hardeningCategory},/engine/cdc-capture-runtimes/scheduler-recovery-execution-hardenings/owners/{ownerId},/engine/cdc-capture-runtimes/scheduler-recovery-execution-hardenings/fingerprints/{retryFingerprint}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/scheduler-recovery-execution-hardeningon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only recovery subsystem - the 2026-04-24
ENG-193slice shipped the first shared managed-connector broader provider-owned write-path execution baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedWritePathExecutionStates,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedWritePathExecutionCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedWritePathExecutionSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedWritePathExecutionStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderOwnedWritePathExecution, the shared execution-runtime catalog now derivesnot-applicable/operator-only/provider-executable/provider-blocked/provider-owned-executing/provider-owned-completed/provider-owned-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, execution-adapter plus latest-command plus retry-policy plus automatic-retry plus lease plus scheduler plus recovery state, adapter/provider metadata, deterministic fingerprints, approval/destructive/change metadata, andCanExecuteProviderOwnedWritePathOnCurrentNodethroughGetByManagedConnectorProviderOwnedWritePathExecutionState(...),GetByManagedConnectorProviderOwnedWritePathExecutionCategory(...), andGetByManagedConnectorProviderOwnedWritePathExecutionOperationId(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that broader provider-owned write-path answer instead of scheduler-recovery truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-owned-write-path-executions/{providerExecutionState},/engine/cdc-capture-runtimes/provider-owned-write-path-executions/categories/{providerExecutionCategory},/engine/cdc-capture-runtimes/provider-owned-write-path-executions/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-owned-write-path-executionon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only control-plane surface - the 2026-04-24
ENG-194slice shipped the first shared managed-connector broader provider execution orchestration hardening baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderExecutionOrchestrationStates,CdcCaptureExecutionRuntimeManagedConnectorProviderExecutionOrchestrationCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderExecutionOrchestrationSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderExecutionOrchestrationStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderExecutionOrchestration, the shared execution-runtime catalog now derivesnot-applicable/operator-only/orchestration-ready/orchestration-blocked/orchestration-executing/orchestration-completed/orchestration-riskposture plus categories, execution-runtime and capture identity, ownership/topology, operation/source, provider-owned write-path plus execution-adapter plus latest-command plus retry-policy plus command-journal plus durable shared scheduler plus scheduler-recovery state, deterministic fingerprints, adapter/provider metadata, andCanOrchestrateProviderExecutionOnCurrentNodethroughGetByManagedConnectorProviderExecutionOrchestrationState(...),GetByManagedConnectorProviderExecutionOrchestrationCategory(...), andGetByManagedConnectorProviderExecutionOrchestrationOperationId(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that broader provider execution orchestration answer instead of provider-owned write-path truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-execution-orchestrations/{providerExecutionOrchestrationState},/engine/cdc-capture-runtimes/provider-execution-orchestrations/categories/{providerExecutionOrchestrationCategory},/engine/cdc-capture-runtimes/provider-execution-orchestrations/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-execution-orchestrationon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only orchestration surface - the 2026-04-24
ENG-195slice shipped the first shared managed-connector provider-owned control-plane ownership baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneOwnershipStates,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneOwnershipCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneOwnershipSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneOwnershipStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderOwnedControlPlaneOwnership, the shared execution-runtime catalog now derivesnot-applicable/operator-only/ownership-ready/ownership-blocked/ownership-active/ownership-partial/ownership-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, provider execution orchestration plus provider-owned write-path plus execution-adapter plus latest-command plus retry-policy plus command-journal plus durable shared scheduler plus scheduler-recovery state, deterministic fingerprints, adapter/provider metadata, approval/destructive/change metadata, durable-history evidence, andCanExerciseProviderOwnedControlPlaneOnCurrentNodethroughGetByManagedConnectorProviderOwnedControlPlaneOwnershipState(...),GetByManagedConnectorProviderOwnedControlPlaneOwnershipCategory(...), andGetByManagedConnectorProviderOwnedControlPlaneOwnershipOperationId(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that broader provider-owned control-plane ownership answer instead of broader provider execution orchestration truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-owned-control-plane-ownership/{providerOwnedControlPlaneOwnershipState},/engine/cdc-capture-runtimes/provider-owned-control-plane-ownership/categories/{providerOwnedControlPlaneOwnershipCategory},/engine/cdc-capture-runtimes/provider-owned-control-plane-ownership/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-owned-control-plane-ownershipon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only control-plane ownership surface - the 2026-04-24
ENG-196slice shipped the first shared managed-connector provider-owned control-plane mutation/reconcile baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneMutationReconcileStates,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneMutationReconcileCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneMutationReconcileSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneMutationReconcileStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderOwnedControlPlaneMutationReconcile, the shared execution-runtime catalog now derivesnot-applicable/operator-only/mutation-ready/reconcile-ready/mutation-blocked/reconcile-blocked/mutation-executing/mutation-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, provider-owned control-plane ownership plus provider execution orchestration plus provider-owned write-path plus command-envelope plus command-issuance plus latest-command plus retry-policy plus command-journal state, deterministic fingerprints, adapter/provider metadata, approval/destructive/change metadata, durable-history evidence, andCanMutateOrReconcileOnCurrentNodethroughGetByManagedConnectorProviderOwnedControlPlaneMutationReconcileState(...),GetByManagedConnectorProviderOwnedControlPlaneMutationReconcileCategory(...), andGetByManagedConnectorProviderOwnedControlPlaneMutationReconcileOperationId(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that broader provider-owned control-plane mutation/reconcile answer instead of broader provider-owned control-plane ownership truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-owned-control-plane-mutation-reconcile/{providerOwnedControlPlaneMutationReconcileState},/engine/cdc-capture-runtimes/provider-owned-control-plane-mutation-reconcile/categories/{providerOwnedControlPlaneMutationReconcileCategory},/engine/cdc-capture-runtimes/provider-owned-control-plane-mutation-reconcile/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-owned-control-plane-mutation-reconcileon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only control-plane mutation/reconcile surface - the 2026-04-24
ENG-197slice shipped the first shared managed-connector provider-owned control-plane provisioning baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneProvisioningStates,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneProvisioningCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneProvisioningSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneProvisioningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderOwnedControlPlaneProvisioning, the shared execution-runtime catalog now derivesnot-applicable/operator-only/provisioning-ready/provisioning-blocked/provisioning-executing/provisioning-partial/provisioning-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, provider-owned control-plane mutation/reconcile plus provider-owned control-plane ownership plus provider execution orchestration plus provider-owned write-path plus command-envelope plus command-issuance plus latest-command plus retry-policy plus command-journal state, deterministic fingerprints, adapter/provider metadata, approval/destructive/change metadata, durable-history evidence, andCanProvisionProviderOwnedControlPlaneOnCurrentNodethroughGetByManagedConnectorProviderOwnedControlPlaneProvisioningState(...),GetByManagedConnectorProviderOwnedControlPlaneProvisioningCategory(...), andGetByManagedConnectorProviderOwnedControlPlaneProvisioningOperationId(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that broader provider-owned control-plane provisioning answer instead of broader provider-owned control-plane mutation/reconcile truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-owned-control-plane-provisioning/{providerOwnedControlPlaneProvisioningState},/engine/cdc-capture-runtimes/provider-owned-control-plane-provisioning/categories/{providerOwnedControlPlaneProvisioningCategory},/engine/cdc-capture-runtimes/provider-owned-control-plane-provisioning/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-owned-control-plane-provisioningon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only provisioning surface - the 2026-04-24
ENG-198slice shipped the first shared managed-connector provider-owned control-plane apply-and-reconcile execution baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneApplyAndReconcileExecutionStates,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneApplyAndReconcileExecutionCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneApplyAndReconcileExecutionSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneApplyAndReconcileExecutionStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderOwnedControlPlaneApplyAndReconcileExecution, the shared execution-runtime catalog now derivesnot-applicable/operator-only/apply-and-reconcile-ready/apply-and-reconcile-blocked/apply-and-reconcile-executing/apply-and-reconcile-completed/apply-and-reconcile-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, provider-owned control-plane provisioning plus provider-owned control-plane mutation/reconcile plus provider-owned control-plane ownership plus provider execution orchestration plus provider-owned write-path plus command-envelope plus command-issuance plus latest-command plus retry-policy plus command-journal state, deterministic fingerprints, adapter/provider metadata, approval/destructive/change metadata, durable-history evidence, andCanExecuteProviderOwnedControlPlaneApplyAndReconcileOnCurrentNodethroughGetByManagedConnectorProviderOwnedControlPlaneApplyAndReconcileExecutionState(...),GetByManagedConnectorProviderOwnedControlPlaneApplyAndReconcileExecutionCategory(...), andGetByManagedConnectorProviderOwnedControlPlaneApplyAndReconcileExecutionOperationId(...),Cephalon.Datanow gates bothManagedConnectorAutomaticRetryHostedServiceand automatic command execution through that broader provider-owned control-plane apply-and-reconcile execution answer instead of broader provider-owned control-plane provisioning truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-owned-control-plane-apply-and-reconcile-executions/{applyAndReconcileExecutionState},/engine/cdc-capture-runtimes/provider-owned-control-plane-apply-and-reconcile-executions/categories/{applyAndReconcileExecutionCategory},/engine/cdc-capture-runtimes/provider-owned-control-plane-apply-and-reconcile-executions/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-owned-control-plane-apply-and-reconcile-executionon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only apply-and-reconcile execution surface - the 2026-04-24
ENG-199slice shipped the first shared managed-connector provider-owned control-plane dependency-aware apply-and-reconcile hardening baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningStates,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardening, the shared execution-runtime catalog now derivesnot-applicable/operator-only/dependency-ready/dependency-blocked/dependency-degraded/apply-and-reconcile-hardened/dependency-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, broader governance plus drift plus provider-owned control-plane apply-and-reconcile plus provisioning plus mutation/reconcile plus ownership plus execution-orchestration plus write-path truth, latest command plus retry-policy plus command-journal evidence, declared-versus-reported dependency identity and task-topology metadata, active reporter-lease evidence, andCanExecuteDependencyAwareApplyAndReconcileOnCurrentNodethroughGetByManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningState(...),GetByManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningCategory(...), andGetByManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningOperationId(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-apply-and-reconcile-hardenings/{hardeningState},/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-apply-and-reconcile-hardenings/categories/{hardeningCategory},/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-apply-and-reconcile-hardenings/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-owned-control-plane-dependency-aware-apply-and-reconcile-hardeningon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only dependency-hardening surface - the 2026-04-24
ENG-200slice shipped the first shared managed-connector provider-owned control-plane dependency-aware provisioning and mutation hardening baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningStates,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardening, the shared execution-runtime catalog now derivesnot-applicable/operator-only/dependency-ready/provisioning-blocked/mutation-blocked/dependency-degraded/provisioning-hardened/mutation-hardened/dependency-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, broader governance plus drift plus provider-owned control-plane dependency-aware apply-and-reconcile plus apply-and-reconcile execution plus provisioning plus mutation/reconcile plus ownership plus execution-orchestration plus write-path truth, latest command plus retry-policy plus command-journal evidence, declared-versus-reported dependency identity and task-topology metadata, durable-history plus reporter-lease evidence, andCanExecuteDependencyAwareProvisioningAndMutationOnCurrentNodethroughGetByManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningState(...),GetByManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningCategory(...), andGetByManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningOperationId(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-provisioning-and-mutation-hardenings/{hardeningState},/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-provisioning-and-mutation-hardenings/categories/{hardeningCategory},/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-provisioning-and-mutation-hardenings/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-owned-control-plane-dependency-aware-provisioning-and-mutation-hardeningon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only provisioning/mutation dependency-hardening surface - the 2026-04-24
ENG-201slice shipped the first shared managed-connector provider-specific control-plane materializer follow-through baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneMaterializerStates,CdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneMaterializerCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneMaterializerSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneMaterializerStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderSpecificControlPlaneMaterializer, the shared execution-runtime catalog now derivesnot-applicable/operator-only/materializer-unavailable/materializer-ready/materializer-selected/materializer-executing/materializer-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, broader provider-owned control-plane dependency-aware provisioning and mutation hardening plus apply-and-reconcile plus provisioning plus mutation/reconcile plus ownership plus execution-orchestration plus write-path truth, latest command plus retry-policy plus command-journal evidence, durable-history plus reporter-lease signals, provider-specific provider/materializer/transport/provider-surface/connector/worker identity, andCanUseProviderSpecificControlPlaneMaterializerOnCurrentNodethroughGetByManagedConnectorProviderSpecificControlPlaneMaterializerState(...),GetByManagedConnectorProviderSpecificControlPlaneMaterializerCategory(...),GetByManagedConnectorProviderSpecificControlPlaneMaterializerProviderId(...),GetByManagedConnectorProviderSpecificControlPlaneMaterializerProviderSurfaceId(...),GetByManagedConnectorProviderSpecificControlPlaneMaterializerId(...),GetByManagedConnectorProviderSpecificControlPlaneMaterializerConnectorId(...), andGetByManagedConnectorProviderSpecificControlPlaneMaterializerOperationId(...),Cephalon.Data.Debeziumnow normalizes provider-specific materializer metadata through the existing contributor plus report-sink lane, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/{materializerState},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/categories/{materializerCategory},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/providers/{providerId},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/provider-surfaces/{providerSurfaceId},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/materializers/{materializerId},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/connectors/{connectorId},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-specific-control-plane-materializeron the existing shared route family without inventing a second coordinator, second registry, or Debezium-only materializer surface - the 2026-04-24
ENG-202slice shipped the first shared managed-connector provider-specific control-plane dependency-aware teardown and mutation-execution hardening baseline on that same external runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningStates,CdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardening, the shared execution-runtime catalog now derivesnot-applicable/operator-only/dependency-ready/teardown-blocked/mutation-execution-blocked/dependency-degraded/teardown-hardened/mutation-execution-hardened/dependency-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, broader provider-specific control-plane materializer plus provider-owned control-plane dependency-aware provisioning and mutation hardening plus apply-and-reconcile plus provisioning plus mutation/reconcile plus ownership plus execution-orchestration plus write-path truth, latest command plus retry-policy plus command-journal evidence, durable-history plus reporter-lease signals, provider/materializer/transport/provider-surface/connector/worker identity, andCanExecuteDependencyAwareTeardownAndMutationExecutionOnCurrentNodethroughGetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningState(...),GetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningCategory(...),GetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningProviderId(...),GetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningProviderSurfaceId(...),GetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningMaterializerId(...),GetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningConnectorId(...), andGetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningOperationId(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/{hardeningState},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/categories/{hardeningCategory},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/providers/{providerId},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/provider-surfaces/{providerSurfaceId},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/materializers/{materializerId},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/connectors/{connectorId},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardeningon the existing shared route family without inventing a second coordinator, second registry, or Debezium-only teardown/mutation-execution surface - the 2026-04-24
ENG-203slice shipped the next shared provider-specific identity drill-down follow-through on that same external runtime story:ICdcCaptureExecutionRuntimeCatalognow exposes provider-surface and connector selectors for bothManagedConnectorProviderSpecificControlPlaneMaterializerandManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardening,Cephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/provider-surfaces/{providerSurfaceId},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/connectors/{connectorId},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/provider-surfaces/{providerSurfaceId}, and/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/connectors/{connectorId}, and the shared runtime story can now drill directly into Debezium Kafka Connect REST provider-surface plus connector identity without inventing a second provider-specific registry or Debezium-only operator surface - the 2026-04-25
ENG-204slice hardened provider-specific worker identity normalization on that same shared runtime story:Cephalon.Data.Debeziumnow falls back from rawworkerIdmetadata to the stable externalreporterIdwhen normalizing provider-specific materializer observations, the shared execution-runtime catalog now resolves the best available provider-specific control-plane worker id from normalized provider-specific metadata plus active reporter truth, and bothManagedConnectorProviderSpecificControlPlaneMaterializerplusManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningnow keep stable worker identity andWorkerIdentityVisibleposture visible on the existing shared surfaces even when Debezium reports omit an explicitworkerId - the 2026-04-25
ENG-205slice shipped the next shared provider-specific identity drill-down follow-through on that same external runtime story:ICdcCaptureExecutionRuntimeCatalognow exposes worker-id selectors for bothManagedConnectorProviderSpecificControlPlaneMaterializerandManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardening,Cephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/workers/{workerId}and/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/workers/{workerId}, and the shared runtime story can now drill directly into Debezium Kafka Connect REST worker identity without inventing a second provider-specific registry or Debezium-only operator surface - the 2026-04-25
ENG-206slice shipped the next shared provider-specific transport identity drill-down follow-through on that same external runtime story:ICdcCaptureExecutionRuntimeCatalognow exposes transport-kind selectors for bothManagedConnectorProviderSpecificControlPlaneMaterializerandManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardening,Cephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/transports/{transportKind}and/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/transports/{transportKind}, and the shared runtime story can now drill directly into Debezium Kafka Connect REST transport identity without inventing a second provider-specific registry or Debezium-only operator surface - the 2026-04-25
ENG-207slice shipped the next shared provider-specific dependency-identity drill-down follow-through on that same external runtime story:ICdcCaptureExecutionRuntimeCatalognow exposes connect-cluster, connector-class, and source-provider selectors for bothManagedConnectorProviderSpecificControlPlaneMaterializerandManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardening,Cephalon.AspNetCorenow publishes matching/connect-clusters/{connectClusterId},/connector-classes/{connectorClass}, and/source-providers/{sourceProviderId}drill-downs on those same two shared route families, and the shared runtime story can now drill directly into Debezium Kafka Connect dependency identity without inventing a second provider-specific registry or Debezium-only operator surface - the 2026-04-25
ENG-208slice shipped the next shared provider-specific current-node drill-down follow-through on that same external runtime story:ICdcCaptureExecutionRuntimeCatalognow exposes current-node selectors forManagedConnectorProviderSpecificControlPlaneMaterializerplus overall, teardown, and mutation-execution current-node selectors forManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardening,Cephalon.AspNetCorenow publishes matching/current-nodes/{canUseOnCurrentNode},/current-nodes/{canExecuteOnCurrentNode},/current-nodes/teardowns/{canExecuteTeardownOnCurrentNode}, and/current-nodes/mutation-executions/{canExecuteMutationExecutionOnCurrentNode}drill-downs on the existing shared route families, and the shared runtime story can now drill directly into blocked-versus-executable provider-specific node posture without inventing a second provider-specific registry or Debezium-only operator surface - the 2026-04-25
ENG-209slice shipped the next phase-7 external-adoption follow-through on the CLI-driven install-and-bootstrap path:Cephalon.Clinow extendscephalon doctorwith--app-root <path>so adopters can validate a generated app root from the same first-run command path,DoctorCommandnow proves the scaffolded.slnx,Directory.Packages.propsCephalon package baseline,NuGet.configcephalonsource plus package-source mapping, seeded local./.cephalon/packagesfeed or replaced non-local source, generated host project, andCephalonFolder.pubxmlprofile before restore, run, publish, or deployment work, success output now returns copy/paste-readySet-Location,dotnet restore, anddotnet runnext steps for that app root, and the root README, getting-started guide, CLI component docs, CLI package README, template-pack README, focused tooling coverage, and generated reference docs now stay aligned with that same generated-app bootstrap doctor contract - the 2026-04-25
ENG-210slice shipped the next framework-readiness follow-through on that same external-adoption lane:scripts/deployment-mode-support.jsonnow carries the machine-readable trim / Native AOT / single-file support contract,scripts/validate-dotnet-readiness.ps1now projects and validates that manifest back through the readiness JSON plus Markdown reports, and the docs hub, readiness guide, compatibility guide, and package-publishing guidance now keep the same manifest-backed support story explicit without widening current repo truth beyondnot-claimed - the 2026-04-25
ENG-211slice shipped the next CLI adoption follow-through on that same external-adoption lane:Cephalon.Clinow packages the existing deployment-mode support manifest as an embedded tool resource,cephalon doctornow echoes the stablenet10.0shipping floor plus the.NET 11assessment-only readiness lane and keeps trim / Native AOT / single-filenot-claimedposture visible from the same first-run command path adopters already use for SDK/runtime/bootstrap verification, and the getting-started guide, CLI component docs, CLI package README, template-pack README, root README, and focused tooling coverage now stay aligned with that packaged support-contract story - the 2026-04-25
ENG-212slice shipped the next generated-app adoption follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now inspects the generated host target framework against the stablenet10.0shipping floor plus the.NET 11assessment-only readiness lane, compares generatedPublishTrimmed,PublishAot, andPublishSingleFilesettings from the generated host project plusCephalonFolder.pubxmlagainst the packaged deployment-mode support contract, and keeps stable-versus-readiness-versus-out-of-contract generated-app posture visible from the same generated-app bootstrap command path before restore, publish, or deployment work begins - the 2026-04-25
ENG-213slice shipped the next generated-app deployment follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the generatedDockerfileplus the shipped container-image, Azure Container Apps, and Kubernetes deployment assets, compares generated Dockerfile SDK and ASP.NET base-image tags against the generated host target framework baseline, and keeps stable-floor versus readiness-lane deployment-asset posture visible before container-image or hosted-container deployment work begins - the 2026-04-25
ENG-214slice shipped the next generated-app deployment follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the shipped Windows Service, IIS, Azure App Service, and Linuxsystemddeployment assets, compares those generated published-output deployment scripts and units against the current host identity, and keeps self-hosted plus hosted deployment-asset posture visible before published-output deployment work begins - the 2026-04-25
ENG-215slice shipped the next generated-app deployment follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the shippedcompose.yamlandotel-collector-config.yamllocal orchestration assets, compares the generated compose baseline against the shipped Dockerfile plus OTLP collector handoff, compares the generated collector config againsthealth_check,otlp/httpon4318, and the debug-exporter pipelines, and keeps generated local orchestration posture visible before localdocker compose up --buildwork begins - the 2026-04-25
ENG-216slice shipped the next generated-app documentation-surface follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the generatedConfigurations/AddOpenApi.jsonandConfigurations/AddReferenceDocs.jsonassets, compares the generated OpenAPI title plus hosted reference-doc enablement, route, directory, and default-document settings against an explicit split-config baseline, and keeps/scalarplus optional hosted reference-doc posture visible before teams rely on those docs surfaces - the 2026-04-25
ENG-217slice shipped the next generated-app split-config follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the generatedConfigurations/AddEngine.*.jsonassets plusConfigurations/Observability/Development.json, compares explicit scaffolded app-model, engine-feature, observability, localization, and development Serilog defaults against that split-config baseline, and keeps generated runtime plus docs plus telemetry configuration posture visible before teams rely on those defaults - the 2026-04-25
ENG-218slice shipped the next generated-app host-bootstrap follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the scaffoldedProgram.csbootstrap source plus the generated host-projectPackageReferenceset andConfigurations/**/*.jsoncopy/publish baseline, compares explicitAddCephalonProjectConfigurations, observability wiring, andMapCephalonseams against that scaffolded host bootstrap, and keeps host startup plus build/publish bootstrap posture visible before teams rely on edited startup code - the 2026-04-25
ENG-219slice shipped the next generated-app starter-test follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the generated test project plus scaffoldedArchitecture/CompositionSmokeTests.csandFeatures/*BehaviorSpecifications.csplaceholders, compares composition smoke plus Given/When/Then starter seams against the shipped scaffold contract, and keeps generated test-harness posture visible before teams replace those files with real specs - the 2026-04-25
ENG-220slice shipped the next generated-app guidance-doc follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the generated rootREADME.md,Configurations/README.md, and deploymentREADME.mdassets, compares scaffolded package-source, split-config, publish, deployment, and local-orchestration instructions against the shipped doctor contract, and keeps generated human-facing run/publish/deploy guidance visible before teams follow those docs literally - the 2026-04-25
ENG-221slice shipped the next generated-app local package-feed guidance follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the generated.cephalon/packages/README.mdasset, compares scaffolded local package-feed seeding plus shared-feed replacement instructions against the shipped doctor contract, and keeps generated package-bootstrap guidance visible before teams seed packages or replace thecephalonsource - the 2026-04-25
ENG-222slice shipped the next generated-app container deployment-script follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the generateddeploy/container-image/publish-image.ps1,deploy/azure-container-apps/deploy-up.ps1, anddeploy/kubernetes/apply.ps1assets, compares Dockerfile plusNuGet.configplus host-project/source-root plus image placeholder plus namespace plus manifest-root seams against the shipped doctor contract, and keeps executable container deployment-script posture visible before teams run those shipped scripts literally - the 2026-04-25
ENG-223slice shipped the next generated-app Kubernetes manifest follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the generateddeploy/kubernetes/kustomization.yaml,deploy/kubernetes/namespace.yaml,deploy/kubernetes/deployment.yaml, anddeploy/kubernetes/service.yamlassets, compares scaffolded namespace plus labels plus image placeholder plus env plus probe plusClusterIPservice seams against the shipped doctor contract, and keeps platform-neutral Kubernetes manifest posture visible before teams rely on those shipped manifests literally - the 2026-04-25
ENG-224slice shipped the next generated-app teardown and service-manager environment follow-through on that same external-adoption lane:cephalon doctor --app-root <path>now validates the generateddeploy/windows-service/remove-service.ps1,deploy/iis/remove-site.ps1, anddeploy/linux/systemd/<App>.envassets, compares scaffolded Windows Service stop/delete flow, IIS site/app-pool teardown flow, and Linuxsystemdenvironment plus telemetry override hints against the shipped doctor contract, and keeps teardown plus service-manager environment posture visible before teams rely on those shipped operational assets literally - the 2026-04-25
ENG-225slice shipped the next scenario-driven adoption follow-through on that same external-adoption lane:scripts/validate-generated-app-adoption.ps1now replays the external cold-start path through temporary package-feed publish,dotnet tool installofCephalon.Cli,cephalon doctor, scaffold outside the repository, generated local package-feed seeding,cephalon doctor --app-root <path>, restore, build, run, and runtime route probes, whilepublish-package-artifacts.ps1now preserves an existing outputREADME.mdso generated local package-feed guidance survives package refreshes - the 2026-04-25
ENG-226slice shipped the matching template-pack parity follow-through on that same external-adoption lane:scripts/validate-template-pack-adoption.ps1now replays the external cold-startdotnet newpath through temporary package-feed publish,dotnet tool installofCephalon.Cli, isolatedCephalon.TemplatePackinstall plusdotnet new list cephalonthrough a custom hive,cephalon doctorwithCEPHALON_DOCTOR_TEMPLATE_HIVE, template-pack scaffold outside the repository, generated local package-feed seeding,cephalon doctor --app-root <path>, restore, build, run, and runtime route probes, whilecephalon doctor --app-rootnow accepts template-pack project-root starters instead of requiring only the CLI scaffold layout - the 2026-04-25
ENG-227slice shipped the matching out-of-tree package parity follow-through on that same external-adoption lane:scripts/validate-out-of-tree-package-adoption.ps1now replays the external package path through temporary package-feed publish,dotnet tool installofCephalon.Cli,cephalon doctor, scaffold outside the repository, generated local package-feed seeding,Cephalon.ReferenceModule.Operationspack pluscephalon package stage, generatedEngine:Discovery:PackageDirectoriesplusEngine:PackagePolicyandEngine:Trustpatching,cephalon doctor --app-root <path>, restore, build, run, and staged-package runtime plus route probes, so the repo now proves out-of-tree package trust/load truth from the same external-adoption lane - the 2026-04-25
ENG-228slice shipped the higher-assurance signed-governance follow-through on that same external-adoption lane:scripts/validate-signed-package-governance.ps1now replays the external package path through temporary package-feed publish,dotnet tool installofCephalon.Cli,cephalon doctor, scaffold outside the repository, generated local package-feed seeding,Cephalon.ReferenceModule.Operationspack plus deterministic detached-signature repack pluscephalon package stage, generatedEngine:Discovery:PackageDirectoriesplus stricterEngine:PackagePolicyandEngine:Trust:TrustedSignaturePublicKeyspatching,cephalon doctor --app-root <path>, restore, build, run, signed-package runtime plus route probes, and a tampered-package denial path so the repo now proves detached-signature trust/load truth from the same external-adoption lane - the 2026-04-26
ENG-229slice shipped the matching certificate-chain signed-governance follow-through on that same external-adoption lane:scripts/validate-signed-package-governance.ps1now supports bothPublicKeyandCertificateChaintrust modes,scripts/validate-signed-package-certificate-chain-governance.ps1now replays the external package path withEngine:Trust:TrustedSignatureCertificatesplusEngine:Trust:TrustedSignatureCertificateAuthorities, and the same runtime/package surfaces now provetrusted-certificate-chainverification pluscertificateThumbprinttruth while a tampered signed package is still denied before module activation - the 2026-04-28
ENG-233slice shipped the first managed retrieval proof:Cephalon.Retrievalnow keeps source material application-owned throughIKnowledgeDocumentProviderwhile Cephalon owns one in-process lexical indexing/query path throughIKnowledgeIndexer,IKnowledgeQueryEngine, andIKnowledgeIndexCatalog;/engine/technology-surfacesand/engine/snapshotnow report provider readiness, indexing/query ownership, freshness state, document/query counts, latest outcomes, andlastQueryFingerprintplus query length instead of raw query text, while vector databases, embeddings, durable/distributed indexes, rerankers, provider-specific semantic search, and distributed scheduler coordination remain future companion work; opt-in in-process background reindexing later shipped inENG-270 - the 2026-04-28
ENG-234slice shipped the multi-tenancy governance-boundary split:Cephalon.MultiTenancynow addstenant-governance-boundariesbesidetenant-resolution, keeps the base package’s current ownership to configuration-driven tenant resolution plus ambient context, and separates membership, invitation, domain ownership, and tenant-governance workflows from the base package instead of implying runtime ownership there - the 2026-04-28
ENG-235slice shipped the first concrete governance companion proof:Cephalon.MultiTenancy.GovernanceaddsAddMultiTenancyGovernance(...), host-defined and module-contributedTenantMembershipDescriptormembership cataloging, tenant/principal-kind/principal-id isolated membership evaluation outcomes (allowed,no-membership,suspended,expired,missing-role,disabled),tenancy.membership.catalog,tenancy.membership.evaluation, diagnostics4510-4511, and the aggregatetenant-membershipstechnology surface without taking over domain verification, approval/remediation, durable stores, identity-provider synchronization, or tenant administration - the 2026-04-28
ENG-236slice shipped the second concrete governance companion proof:Cephalon.MultiTenancy.Governancenow adds host-defined and module-contributedTenantInvitationDescriptorinvitation cataloging, tenant/invitation plus invitee-kind/invitee-id isolated validation outcomes (valid,not-found,accepted,revoked,expired,invitee-mismatch,missing-role,disabled),tenancy.invitation.catalog,tenancy.invitation.validation, diagnostics4512-4513, and the aggregatetenant-invitationstechnology surface without taking over invitation delivery, public onboarding, invitation storage, domain verification, approval/remediation, identity-provider synchronization, or tenant administration at the time; invitation storage later shipped inENG-242 - the 2026-04-28
ENG-237slice shipped the third concrete governance companion proof:Cephalon.MultiTenancy.Governancenow adds host-defined and module-contributedTenantDomainOwnershipDescriptordeclared domain-ownership cataloging, tenant/domain isolated validation outcomes (valid,not-found,tenant-mismatch,pending,rejected,suspended,expired,disabled),tenancy.domain-ownership.catalog,tenancy.domain-ownership.validation, diagnostics4514-4515, and the aggregatetenant-domain-ownershiptechnology surface without taking over DNS/HTTP proof collection, domain lifecycle automation, public onboarding, durable domain stores at the time, approval/remediation action decisions, identity-provider synchronization, or tenant administration; durable domain-ownership storage later shipped inENG-243 - the 2026-04-28
ENG-238slice shipped the fourth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow adds host-defined and module-contributedTenantGovernanceActionDescriptorapproval/remediation action cataloging, tenant/action/action-kind/subject isolated decision outcomes (allowed,not-found,tenant-mismatch,action-kind-mismatch,subject-mismatch,pending-approval,rejected,remediation-required,expired,disabled),tenancy.governance-action.catalog,tenancy.governance-action.decision, diagnostics4516-4517, and the aggregatetenant-governance-actionstechnology surface, while workflow execution was left to the follow-up now shipped inENG-239 - the 2026-04-29
ENG-239slice shipped the fifth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantGovernanceActionWorkflow, workflow request/result contracts, command/outcome vocabularies, in-process runtime action state, tenant/action-kind/subject guarded transitions (request,approve,reject,require-remediation,mark-remediated,expire),tenancy.governance-action.workflow, diagnostics4518-4519, andtenant-governance-actionsmetadata for workflow ownership, runtime action count, durable-store ownership, and notification-delivery ownership - the 2026-04-29
ENG-240slice shipped the sixth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantGovernanceActionStore, an in-memory default action store, opt-in file-backed JSON durability throughMultiTenancyGovernanceOptions.GovernanceActionStoreFilePath,store-failedworkflow outcomes when persistence fails,tenancy.governance-action.store, diagnostics4520-4521, andtenant-governance-actionsmetadata for action-store kind, durability, ownership, and durable-store ownership without taking over durable membership/invitation/domain stores at the time; durable membership storage was then narrowed and shipped inENG-241 - the 2026-04-29
ENG-241slice shipped the seventh concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantMembershipStore, an in-memory default membership store, opt-in file-backed JSON durability throughMultiTenancyGovernanceOptions.MembershipStoreFilePath,tenancy.membership.store, andtenant-membershipsmetadata for runtime membership count, membership-store kind, durability, ownership, and durable-store ownership without taking over invitation durability or domain stores at the time; invitation storage was later narrowed and shipped inENG-242 - the 2026-04-29
ENG-242slice shipped the eighth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantInvitationStore, an in-memory default invitation store, opt-in file-backed JSON durability throughMultiTenancyGovernanceOptions.InvitationStoreFilePath,tenancy.invitation.store, andtenant-invitationsmetadata for runtime invitation count, invitation-store kind, durability, ownership, and durable-store ownership without taking over invitation delivery, durable domain stores at the time, distributed or provider-backed membership/invitation/action-store backends, notification/delivery, remediation execution beyond state transitions, DNS/HTTP proof collection or external polling, identity-provider synchronization, public onboarding, or tenant administration - the 2026-04-29
ENG-243slice shipped the ninth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantDomainOwnershipStore, an in-memory default domain-ownership store, opt-in file-backed JSON durability throughMultiTenancyGovernanceOptions.DomainOwnershipStoreFilePath,tenancy.domain-ownership.store, andtenant-domain-ownershipmetadata for runtime domain ownership count, domain-ownership-store kind, durability, ownership, and durable-store ownership without taking over domain verification workflow execution at the time; that workflow was later narrowed and shipped inENG-244 - the 2026-04-29
ENG-244slice shipped the tenth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantDomainOwnershipVerificationWorkflow, workflow request/result contracts, in-process runtime domain-ownership state transitions, tenant/domain and verification-method guarded commands (request,verify,reject,suspend,expire),store-failedpersistence outcomes,tenancy.domain-ownership.workflow, diagnostics4522-4525, andtenant-domain-ownershipmetadata for verification-workflow ownership plus DNS/HTTP proof-collection ownership boundaries without taking over DNS/HTTP proof collection or external polling, domain lifecycle automation beyond status transitions, distributed or provider-backed governance storage, notification/delivery, remediation execution beyond state transitions, identity-provider synchronization, public onboarding, or tenant administration - the 2026-04-29
ENG-245slice shipped the eleventh concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantDomainOwnershipProofEvaluator, proof-evaluation request/result contracts, proof outcome and metadata-key vocabularies, exact trimmed expected-versus-observed proof comparison, verify/reject workflow mutation, SHA-256 proof fingerprints,tenancy.domain-ownership.proof-evaluation, diagnostics4526-4527, andtenant-domain-ownershipmetadata for proof-evaluation ownership without taking over DNS/HTTP proof collection or external polling, domain lifecycle automation beyond status transitions, distributed or provider-backed governance storage, notification/delivery, remediation execution beyond state transitions, identity-provider synchronization, public onboarding, or tenant administration - the 2026-04-29
ENG-246slice shipped the twelfth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantDomainOwnershipProofChallengeIssuer, proof-challenge request/result contracts, proof-challenge outcome and metadata-key vocabularies, secure generatedcephalon-domain-proof-*values, DNS TXT / HTTP publication hints, expected-proof metadata persistence throughITenantDomainOwnershipStore,tenancy.domain-ownership.proof-challenge, diagnostics4528-4529, andtenant-domain-ownershipmetadata for proof-challenge issuance ownership without taking over DNS publication, HTTP publication, DNS/HTTP proof collection, or external polling at the time; on-demand HTTP file proof collection was later narrowed and shipped inENG-248, and HTTP file proof publication was later narrowed and shipped inENG-253 - the 2026-04-29
ENG-247slice shipped the thirteenth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantDomainOwnershipProofPublicationPlanner, proof-publication plan request/result contracts, proof-publication outcome and metadata-key vocabularies, DNS TXT record/value or HTTP file path/content/content-type instruction generation from expected proof metadata and challenge hints, optional plan metadata persistence throughITenantDomainOwnershipStore,tenancy.domain-ownership.proof-publication-plan, diagnostics4530-4531, andtenant-domain-ownershipmetadata for proof-publication planning ownership without taking over DNS publication, HTTP publication, DNS/HTTP proof collection, or external polling at the time; on-demand HTTP file proof collection was later narrowed and shipped inENG-248, and HTTP file proof publication was later narrowed and shipped inENG-253 - the 2026-04-29
ENG-248slice shipped the fourteenth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantDomainOwnershipHttpProofCollector, HTTP proof-collection request/result contracts, HTTP proof-collection outcome and metadata-key vocabularies, HTTPS-by-default host-matched bounded HTTP file collection, safe URI/status/length/fingerprint metadata,tenancy.domain-ownership.http-proof-collection, diagnostics4532-4533, andtenant-domain-ownershipmetadata for HTTP proof-collection ownership without taking over DNS publication, HTTP publication, provider-backed collection/mutation, domain lifecycle automation beyond status transitions, distributed or provider-backed governance storage, notification/delivery, remediation execution beyond state transitions, identity-provider synchronization, public onboarding, or tenant administration at the time; DNS TXT proof collection was later narrowed and shipped inENG-250, and HTTP file proof publication was later narrowed and shipped inENG-253 - the 2026-04-29
ENG-249slice shipped the fifteenth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantDomainOwnershipProofVerificationRunner, proof-verification request/result contracts, proof-verification outcome and metadata-key vocabularies, one orchestration entry point for challenge issuance, publication planning, supplied-proof evaluation, and optional HTTP file collection,tenancy.domain-ownership.proof-verification-runner, diagnostics4534-4535, andtenant-domain-ownershipmetadata for proof-verification runner ownership without taking over DNS publication, HTTP publication, provider-backed collection/mutation, domain lifecycle automation beyond status transitions, distributed or provider-backed governance storage, notification/delivery, remediation execution beyond state transitions, identity-provider synchronization, public onboarding, or tenant administration at the time; DNS TXT proof collection was later narrowed and shipped inENG-250, and HTTP file proof publication was later narrowed and shipped inENG-253 - the 2026-04-29
ENG-250slice shipped the sixteenth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantDomainOwnershipDnsTxtProofCollector, DNS TXT proof-collection request/result contracts, DNS TXT proof-collection outcome and metadata-key vocabularies, bounded DNS-over-HTTPS JSON collection through an explicit resolver endpoint, normalized TXT answer evaluation through the existing proof evaluator, safe resolver/status/count/fingerprint metadata,tenancy.domain-ownership.dns-txt-proof-collection, diagnostics4536-4537, andtenant-domain-ownershipmetadata for configured DNS TXT proof-collection ownership without taking over DNS publication, HTTP publication, provider-backed collection/mutation, domain lifecycle automation beyond status transitions, distributed or provider-backed governance storage, notification/delivery, remediation execution beyond state transitions, identity-provider synchronization, public onboarding, or tenant administration at the time; bounded on-demand proof polling was later narrowed and shipped inENG-251, automatic background proof polling was later narrowed and shipped inENG-252, and HTTP file proof publication was later narrowed and shipped inENG-253 - the 2026-04-29
ENG-251slice shipped the seventeenth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantDomainOwnershipProofPollingRunner, proof-polling request/result contracts, proof-polling outcome and metadata-key vocabularies, bounded catalog selection for pending/rejected HTTP file and DNS TXT declarations, verification-runner delegation, default batch-limit options,tenancy.domain-ownership.proof-polling-runner, diagnostics4538-4539, andtenant-domain-ownershipmetadata for proof-polling runner ownership plusexternalProofPollingOwnership = cephalon-managedandbackgroundProofPollingOwnership = application-managedwithout taking over DNS publication, HTTP publication, provider mutation, domain lifecycle automation beyond status transitions, distributed or provider-backed governance storage, notification/delivery, remediation execution beyond state transitions, identity-provider synchronization, public onboarding, or tenant administration at the time; automatic background scheduling was later narrowed and shipped inENG-252, and HTTP file proof publication was later narrowed and shipped inENG-253 - the 2026-04-29
ENG-252slice shipped the eighteenth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow adds opt-in automatic background tenant-domain ownership proof polling throughITenantDomainOwnershipProofPollingRuntimeCatalog,TenantDomainOwnershipProofPollingRuntimeSnapshot,TenantDomainOwnershipProofPollingHostedService, background polling enable/interval/startup/source options, startup and interval scheduling over the bounded proof-polling runner,tenancy.domain-ownership.proof-background-polling, diagnostics4540-4543, andtenant-domain-ownershipmetadata for background proof-polling enabled state, interval, batch, run counts, latest outcome, andcephalon-managedownership when enabled without taking over DNS publication, HTTP publication, provider mutation, domain lifecycle automation beyond status transitions, distributed or provider-backed governance storage, notification/delivery, remediation execution beyond state transitions, identity-provider synchronization, public onboarding, or tenant administration at the time; HTTP file proof publication was later narrowed and shipped inENG-253 - the 2026-04-29
ENG-253slice shipped the nineteenth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantDomainOwnershipHttpProofPublisher,ITenantDomainOwnershipHttpProofPublicationCatalog, HTTP proof-publication request/result/descriptor/outcome contracts, publication metadata keys, HTTP path/content/content-type materialization through the existing publication planner,tenancy.domain-ownership.http-proof-publication, diagnostics4544-4545, andtenant-domain-ownershipmetadata for HTTP proof-publication ownership/count;Cephalon.MultiTenancy.Governance.AspNetCoreis the optional ASP.NET Core adapter that serves published proof files while DNS publication, provider mutation, domain lifecycle automation beyond status transitions, distributed or provider-backed governance storage, notification/delivery, remediation execution beyond state transitions, identity-provider synchronization, public onboarding, or tenant-admin UI remain outside this proof - the 2026-04-29
ENG-254slice shipped the twentieth concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantAdministrationWorkflow, tenant-administration workflow request/result/command/outcome/metadata-key contracts, host-driven membership grant/suspend/expire commands, invitation issue/accept/revoke/expire commands,store-failedpersistence posture,tenancy.administration.workflow, diagnostics4546-4547, thetenant-administrationruntime surface, and basetenant-governance-boundariestruth for the companion-shipped lane while the ASP.NET Core command endpoint later shipped inENG-255and host-agnostic invitation delivery dispatch later shipped inENG-256; tenant-admin UI, public onboarding, provider-specific invitation senders, identity-provider synchronization, distributed or provider-backed governance storage, and provider mutation remain outside this proof - the 2026-04-29
ENG-255slice shipped the first host-adapter tenant-admin endpoint proof:Cephalon.MultiTenancy.Governance.AspNetCorenow addsMapCephalonTenantAdministrationCommands(), the defaultPOST /engine/tenant-administration/commandsroute, fail-closed authorization with optional policy configuration, configuration keys underEngine:MultiTenancy:Governance:AspNetCore, thetenant-administration-http-endpointsruntime surface, and focused hosting/tooling/reference-doc coverage while the host-agnostic invitation delivery dispatch lane later shipped inENG-256; tenant-admin UI, public onboarding, provider-specific invitation senders, identity-provider synchronization, distributed/provider-backed governance storage, and provider mutation remain outside this proof - the 2026-04-29
ENG-256slice shipped the twenty-first concrete governance companion proof:Cephalon.MultiTenancy.Governancenow addsITenantInvitationDeliveryDispatcher,ITenantInvitationDeliverySender,ITenantInvitationDeliveryRunCatalog, delivery request/result/run contracts, delivery metadata keys and outcome vocabulary, dispatch over registered sender extensions, sender-not-configured and sender-failed truth, bounded in-memory run history, optional persisted delivery metadata throughITenantInvitationStore,tenancy.invitation.delivery-dispatch, diagnostics4548-4549, andtenant-invitationsplustenant-administrationruntime metadata for dispatch enablement, sender count/ids, sender ownership, external-delivery ownership, latest outcome, and run counts without taking over provider-specific email/SMS/chat/identity-provider senders, public onboarding, tenant-admin UI, distributed/provider-backed governance storage, or provider mutation - the 2026-04-29
ENG-257slice shipped the optional HTTP invitation delivery sender proof:Cephalon.MultiTenancy.Governance.HttpDeliverynow addsHttpInvitationDeliveryOptions,AddCephalonHttpInvitationDelivery(...),HttpInvitationDeliveryPayload, a provider-managedhttp-webhookITenantInvitationDeliverySender, bounded JSON webhook dispatch with configurable method/timeout/headers/accepted statuses/supported channels, provider-message id response-header capture, diagnostics4550-4551, default reference-doc inclusion, and focused composition/tooling coverage over the existing governance dispatcher while provider-specific email/SMS/chat/CRM/identity-provider connectors, durable retry queues, provider-specific callback endpoints or provider polling, public onboarding, tenant-admin UI, identity-provider sync, and provider mutation remain outside this proof - the 2026-04-29
ENG-258slice shipped the HTTP invitation delivery webhook signing proof:Cephalon.MultiTenancy.Governance.HttpDeliverynow addsSigningSecret,SigningKeyId, configurable signature/timestamp/key-id header names, HMAC-SHA256 signing over{unixTimestamp}.{jsonBody},v1=<lowercase hex>signature emission, safehttpSignedandhttpSigningKeyIdsender metadata, and focused composition/reference-doc coverage while provider-specific email/SMS/chat/CRM/identity-provider connectors, durable retry queues, provider-specific delivery-status callback endpoints or provider polling, public onboarding, tenant-admin UI, identity-provider sync, and provider mutation remain outside this proof - the 2026-04-29
ENG-259slice shipped the HTTP invitation delivery retry proof:Cephalon.MultiTenancy.Governance.HttpDeliverynow addsMaxAttempts,RetryDelayMilliseconds,RetryStatusCodes,RetryTransportFailures, fresh request construction per attempt, bounded in-process retry/backoff over configured transient status codes and transport failures, safe attempt/retry metadata such ashttpAttemptCount,httpMaxAttempts,httpRetried, andhttpRetryReason, plus focused composition/reference-doc coverage while durable retry queues, provider-specific delivery-status callback endpoints or provider polling, provider-specific invitation connectors, public onboarding, tenant-admin UI, identity-provider sync, and provider mutation remain outside this proof - the 2026-04-29
ENG-260slice shipped the HTTP invitation delivery idempotency proof:Cephalon.MultiTenancy.Governance.HttpDeliverynow addsEnableIdempotencyHeader,IdempotencyHeaderName,IdempotencyMetadataKey, provider-neutral idempotency headers on every webhook attempt, caller-supplied header-safe dispatch metadata keys when present, deterministic hashing for overlong/header-unsafe metadata keys, derived hashed keys from tenant/invitation/channel/sender when absent, stable retry-attempt idempotency, and safehttpIdempotencyHeaderName,httpIdempotencyKey, andhttpIdempotencyKeySourcemetadata while durable retry queues, provider-specific delivery-status callback endpoints or provider polling, provider-specific invitation connectors, public onboarding, tenant-admin UI, identity-provider sync, and provider mutation remain outside this proof - the 2026-04-29
ENG-261slice shipped the host-agnostic invitation delivery status reconciliation proof:Cephalon.MultiTenancy.Governancenow addsITenantInvitationDeliveryStatusReconciler, delivery status request/result contracts, status and reconciliation-outcome vocabularies, status metadata keys, provider-message id match guarding,tenancy.invitation.delivery-status-reconciliation, diagnostics4552-4553, andtenant-invitationsplustenant-administrationmetadata for status reconciliation ownership, external status ownership, reported status count, latest status, and latest observed timestamp while provider-specific callback endpoints, provider polling, durable retry queues, provider-specific invitation connectors, public onboarding, tenant-admin UI, identity-provider sync, and provider mutation remain outside this proof - the 2026-04-29
ENG-262slice repaired behavior REST ownership truth:Cephalon.Behaviors.Httpremains metadata-first forBehaviorRestProfileAttributeandBehaviorRestBindingAttribute, but explicit module-ownedMapProfile<TBehavior>(),MapGeneratedProfiles(...), and grouped generated shorthand now publish stable runtime metadata through/engine/rest-endpoints,/engine/rest-endpoint-candidates, andsnapshot.RestEndpoints:restPublicationActivationOwnership = application-managed,restMaterializationOwnership = cephalon-managed,restProfileMetadataOwnership = application-managed, andrestPublicationActivationModevalues such asexplicit-map-profileorexplicit-map-generated-profiles; the maturity audit should treat this as mixedM2, not metadata-onlyM1, while ambient behavior-to-REST auto-publication remains out of scope - the 2026-04-29
ENG-263slice shipped the eventing subscription execution-binding catalog proof:Cephalon.Eventingnow exposesIEventSubscriptionExecutionBindingCatalogplus stableEventSubscriptionRuntimeMetadataKeysso hosts and companion packs can read active managed subscription bindings directly by subscription id, whileCephalon.Eventing.Wolverineremains the optionalprovider-managedproof that contributes awolverine-managedbinding through the existing adapter-neutral contributor seam - the 2026-04-29
ENG-264slice shipped the eventing subscription execution-readiness catalog proof:Cephalon.Eventingnow derivesruntime-bound,hosted-execution-linked,application-managed-state, anddeclared-onlyreadiness from declared subscriptions, managed bindings, hosted-execution links, and application-managed runtime reports, and projectsexecutionReadiness,executionPath, andexecutionReadinessReasonsthrough theevent-subscriptionstechnology surface without claiming generic broker or inbox ownership - the 2026-04-29
ENG-265/ issue #774 slice shipped the eventing subscription readiness operator surface:EventSubscriptionExecutionReadinessDescriptor,EventSubscriptionExecutionReadinessStates, andIEventSubscriptionExecutionReadinessCatalognow live inCephalon.Abstractions.Data,Cephalon.Eventingremains the implementation owner, ASP.NET Core exposes/engine/event-subscription-readinessplus/engine/event-subscription-readiness/{subscriptionId}, andRuntimeIntrospectionSnapshotnow carriesEventSubscriptionExecutionReadinessso host adapters can publish readiness without depending onCephalon.Eventing - the 2026-04-29
ENG-266/ issue #775 slice shipped the agentics tool-run operator surface:AgentToolExecutionOutcomes,AgentToolRunState, andIAgentToolRunCatalognow live inCephalon.Abstractions.Agentics,Cephalon.Agenticsremains the dispatcher/reporting implementation owner, ASP.NET Core exposes/engine/agent-tool-runs,/engine/agent-tool-runs/{runId}, and/engine/agent-tool-runs/by-tool/{toolId}, andRuntimeIntrospectionSnapshotnow carriesAgentToolRunsso host adapters can publish agent-tool run state without depending onCephalon.Agentics - the 2026-04-29
ENG-267/ issue #776 slice shipped the retrieval knowledge-index operator surface:IKnowledgeIndexCatalog,KnowledgeIndexState,KnowledgeIndexFreshnessStates, andKnowledgeIndexingOutcomesnow live inCephalon.Abstractions.Retrieval,Cephalon.Retrievalremains the document-provider ingestion, lexical indexing, bounded query, freshness, and in-memory index-state implementation owner, ASP.NET Core exposes/engine/knowledge-indexesplus/engine/knowledge-indexes/{collectionId}, andRuntimeIntrospectionSnapshotnow carriesKnowledgeIndexesso host adapters can publish index posture without depending onCephalon.Retrieval - the 2026-04-29
ENG-268/ issue #777 slice shipped the retrieval reindex operator action surface:IKnowledgeIndexer,KnowledgeIndexingRequest, andKnowledgeIndexingResultnow live inCephalon.Abstractions.Retrieval,Cephalon.Retrievalremains the provider-ingestion, lexical-indexing, freshness, and index-state implementation owner, ASP.NET Core exposesPOST /engine/knowledge-indexes/{collectionId}/reindex, and route-triggered reindex runs record safe run id, actor, correlation, trigger, and route metadata while background scheduling was still future at that slice boundary; opt-in in-process scheduling later shipped inENG-270, while durable/distributed indexes, vector search, distributed scheduler coordination, and provider-specific semantic search stay future package-owned work - the 2026-04-29
ENG-269/ issue #778 slice shipped the agentics tool execution operator action surface:IAgentToolDispatcher,AgentToolExecutionRequest, andAgentToolExecutionResultnow live inCephalon.Abstractions.Agentics,Cephalon.Agenticsremains the descriptor-resolution, policy, executor, observer, reporter, and run-state implementation owner, ASP.NET Core exposesPOST /engine/agent-tools/{toolId}/runs, and route-triggered tool runs record safe run id, actor, correlation, attempt, arguments, trigger, and route metadata while autonomous planning, memory persistence, durable retry queues, provider-specific AI orchestration, and broader agent operator workflows stay future package-owned work - the 2026-04-29
ENG-270/ issue #779 slice shipped the retrieval background reindex scheduler baseline:Cephalon.Retrievalnow adds opt-in scheduler options, registers a generic-hostIHostedServiceonly when ingestion and background reindexing are enabled, runs startup and interval reindex attempts over all registered collections or configured collection ids through the existingIKnowledgeIndexer, records safe scheduler metadata, and surfacesretrieval.background-reindexingplusbackgroundReindexing*metadata including per-collection scheduled/not-selected truth while durable/distributed indexes, vector search, provider-specific semantic search, distributed scheduler coordination, leader election, and multi-node freshness orchestration stay future package-owned work - the 2026-04-29
ENG-271/ issue #780 slice shipped the eventing in-process subscription execution baseline:Cephalon.Eventingnow addsEnableInProcessSubscriptionExecution, registers a Cephalon-managed direct in-process publisher when matchingIEventSubscriptionExecutorservices exist, publisheseventing.publishandeventing.subscribewithcephalon-managed,in-process-direct, andretryPolicy = nonetruth, executes matching subscriptions throughIEventPublisher, and projects the resulting runtime state throughevent-publishers,event-subscriptions,/engine/event-subscription-readiness, andsnapshot.EventSubscriptionExecutionReadiness; durable broker dispatch, inbox/idempotency ownership, retry queues, distributed subscription scheduling, and provider-specific inbound consumption remain future package-owned work - the 2026-04-29
ENG-272/ issue #781 slice shipped the eventing publication operator action baseline: publication command contracts now live inCephalon.Abstractions.Data,Cephalon.Eventingregisters a boundedIEventPublicationDispatcherover the activeIEventPublisherwhen a publishing path exists, ASP.NET Core exposesPOST /engine/event-publications, safe route metadata flows into publication results and in-process subscription execution state, and runtime surfaces markpublicationDispatcher = available; durable broker dispatch, inbox/idempotency ownership, retry queues, distributed subscription scheduling, and provider-specific inbound consumption remain future package-owned work - the 2026-04-29
ENG-273/ issue #782 slice shipped the eventing in-process subscription retry baseline:Cephalon.Eventingnow addsInProcessSubscriptionMaxAttemptsandInProcessSubscriptionRetryDelayMilliseconds, preservesretryPolicy = noneby default, retries transient direct executor failures inline when max attempts is greater than one, reportsretry-scheduledplus final runtime state throughIEventSubscriptionRuntimeCatalog, and projectsbounded-in-process, max-attempt, delay,retryDurability = none, andretryScope = process-localmetadata through capabilities, bindings,event-publishers,event-subscriptions, andreported.*; durable broker retries, inbox/idempotency ownership, durable retry queues, distributed subscription scheduling, and provider-specific inbound consumption remain future package-owned work - the 2026-04-29
ENG-274/ issue #783 slice shipped the eventing in-process subscription idempotency baseline:Cephalon.Eventingnow addsEnableInProcessSubscriptionIdempotencyandInProcessSubscriptionIdempotencyRetentionMinutes, preserves current behavior by default, tracks successful directsubscriptionId + publicationIdexecutions in bounded process-local memory when enabled, reports duplicate completed executions asskippedthroughIEventSubscriptionRuntimeCatalog, and projectsidempotencyPolicy = completed-publication,idempotencyKey = subscription-publication, retention,idempotencyDurability = none, andidempotencyScope = process-localmetadata through capabilities, bindings,event-publishers,event-subscriptions, andreported.*; durable inbox ownership, cross-node exactly-once delivery, broker deduplication, durable retry queues, distributed subscription scheduling, and provider-specific inbound consumption remain future package-owned work - the 2026-04-29
ENG-275/ issue #784 slice shipped the eventing publication runtime operator-state baseline:EventPublicationRuntimeOutcomes,EventPublicationRuntimeState, andIEventPublicationRuntimeCatalognow live inCephalon.Abstractions.Data,Cephalon.Eventingreports direct in-process publicationsucceeded/failed/skippedposture with subscription counters and safe metadata, outbox-backed publication reportsacceptedstaged handoff withdeliveryCompletion = pending-dispatch, ASP.NET Core exposes/engine/event-publications/runtime,/engine/event-publications/runtime/{publicationId}, and/engine/event-publications/runtime/channels/{channelId}, andRuntimeIntrospectionSnapshotcarriesEventPublicationStates; durable broker dispatch, downstream delivery completion, durable inbox ownership, cross-node exactly-once delivery, durable retry queues, distributed subscription scheduling, and provider-specific inbound consumption remain future package-owned work - the 2026-04-29
ENG-276/ issue #785 slice shipped the Wolverine bounded subscription retry terminal-failure baseline:Cephalon.Eventing.Wolverinenow addsSubscriptionMaxAttempts, reportsretryPolicy = bounded-fixed-delayplus max-attempt, delay, durability, and provider-managed scope metadata through capabilities, binding metadata,event-subscriptions, and thewolverine-adapterruntime surface, continues using Wolverine scheduled messages while attempts remain, and reports terminalfailedstate withretryExhausted = true/terminalFailure = truewhen the retry budget is exhausted; generic inbound broker-consumption ownership, durable inbox ownership, and dispatch-loop dead-letter or terminal-failure storage semantics remain future package-owned work - the 2026-04-29
ENG-277/ issue #786 slice shipped the Wolverine dispatch terminal retry-failure baseline:Cephalon.Eventing.Wolverinenow addsDispatchMaxAttempts, reportsretryPolicy = bounded-fixed-delayplus max-attempt, delay, dispatch-store durability, and provider-managed scope metadata througheventing.wolverine.dispatch, dispatch runtime descriptors, dispatch reports, and thewolverine-adapterruntime surface, and reports terminalfailedstate withretryOutcome = max-attempts-exhausted,retryExhausted = true, andterminalFailure = truewhen no-destination or publish failures exhaust the retry budget; supported dispatch stores now useEventDispatchRuntimeMetadataKeysto stop terminal failed staged publications from re-entering pending reads, while broker-specific dead-letter queues, durable inbox ownership, cross-node exactly-once delivery, and generic inbound broker-consumption remain future package-owned work - the 2026-04-29
ENG-278/ issue #787 slice tightened that Wolverine dispatch terminal proof around real publish exceptions: focused composition coverage now proves that aPublishAsync(...)exception with destinations present reports retryableretry-scheduledmetadata before the budget is exhausted, reports terminalfailedmetadata withrouting = publish,exceptionType,retryOutcome = max-attempts-exhausted,retryExhausted = true, andterminalFailure = trueon the final attempt, and removes the staged publication from pending-dispatch reads through the same terminal metadata contract; broker-specific dead-letter queues, durable inbox ownership, generic inbound broker consumption, and cross-node exactly-once delivery remain future package-owned work - the 2026-04-29
ENG-279/ issue #788 slice promoted terminal event-dispatch failure posture from metadata-only to first-class operator truth:EventDispatchRuntimeStatenow exposesTerminalFailureplusTerminalFailureCount,EventDispatchRuntimeSummarynow exposesTerminalFailureCount,TerminalOutboxCount, andHasTerminalFailures, ASP.NET Core now exposes/engine/event-dispatches/terminal-failures, and the event-dispatch technology surfaces plussnapshot.EventDispatch*carry the same typed posture; this is still dispatch-report/dispatch-store truth, not broker-specific dead-letter, durable inbox, generic inbound broker-consumption, downstream delivery-completion, or cross-node exactly-once ownership - the 2026-04-29
ENG-280/ issue #789 slice added bounded process-local retry posture to the Agentics dispatcher lane:AgenticRuntimeOptionsnow exposesExecutionMaxAttemptsplusExecutionRetryDelayMilliseconds, the dispatcher reportsretry-scheduledobservations before retrying failed executor attempts,AgentToolRunStateexposesRetryScheduledCountandRetryPending, ASP.NET Core exposes/engine/agent-tool-runs/retry-pending, andagentics.executionplusagent-toolsmetadata publish retry policy, max attempts, delay, durability, scope, counters, and pending posture while durable retry queues, autonomous planning, memory persistence, distributed scheduling, and provider-specific AI orchestration remain future package-owned work - the 2026-04-29
ENG-281/ issue #790 slice added opt-in bounded process-local duplicate-completed idempotency posture to the Agentics dispatcher lane:AgenticRuntimeOptionsnow exposesEnableExecutionIdempotencyplusExecutionIdempotencyRetentionMinutes, duplicate completedtoolId + runIdexecutions are reported asskippedwithout invoking the executor again,AgentToolRunStateexposesDuplicateCompleted, ASP.NET Core exposes/engine/agent-tool-runs/idempotency-duplicates, andagentics.executionplusagent-toolsmetadata publish idempotency policy, key, retention, durability, scope, counters, and duplicate posture while durable inboxes, cross-node exactly-once delivery, durable retry queues, autonomous planning, memory persistence, distributed scheduling, and provider-specific AI orchestration remain future package-owned work - the 2026-04-29
ENG-282/ issue #791 slice added approval-required and terminal-failure operator posture to the Agentics dispatcher lane:AgentToolRunStatenow exposesTerminalFailure, ASP.NET Core exposes/engine/agent-tool-runs/approval-requiredplus/engine/agent-tool-runs/terminal-failures, and theagent-toolsruntime surface publishesterminalFailuremetadata so operators can separate policy-blocked runs from terminal failed executor outcomes while durable approval workflows, dead-letter systems, durable retry queues, durable inboxes, cross-node exactly-once delivery, autonomous planning, memory persistence, distributed scheduling, and provider-specific AI orchestration remain future package-owned work - the 2026-04-29
ENG-283/ issue #792 slice added the retrieval query operator action seam:IKnowledgeQueryEngine,KnowledgeQueryRequest,KnowledgeQueryResult, andKnowledgeQueryMatchnow live inCephalon.Abstractions.Retrieval,Cephalon.Retrievalremains the bounded lexical query implementation and runtime-observation owner, ASP.NET Core exposesPOST /engine/knowledge-indexes/{collectionId}/queries, and route-triggered queries record safe actor, correlation, trigger, route, metadata, query fingerprint, query length, and match-count posture while vector databases, embeddings, durable/distributed indexes, rerankers, semantic provider adapters, distributed scheduler coordination, and leader election remain future package-owned work - the 2026-04-29
ENG-284/ issue #793 slice added the multi-tenancy invitation delivery status callback endpoint baseline:Cephalon.MultiTenancy.Governance.AspNetCorenow exposesTenantInvitationDeliveryStatusCallbackRequestplusMapCephalonTenantInvitationDeliveryStatusCallbacks()forPOST /engine/tenant-invitations/delivery-status, keeps callback authorization fail-closed by default, enforces provider-message matching by default, records safe callback-ingress metadata before callingITenantInvitationDeliveryStatusReconciler, and projectstenant-invitation-delivery-status-http-endpointswith route, authorization, provider-message-match, and provider-specific translation/signature/polling boundary truth while provider-specific callback payload translation, provider-specific callback signature verification, provider polling, durable notification queues, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-29
ENG-285/ issue #800 slice added provider-neutral callback signature verification for that ASP.NET Core normalized delivery-status ingress: whenTenantInvitationDeliveryStatusCallbackSigningSecretis configured,MapCephalonTenantInvitationDeliveryStatusCallbacks()verifiesv1=<hex-hmac-sha256>over{unixTimestamp}.{exactUtf8JsonBody}before JSON parsing or reconciliation, supports configurable signature/timestamp/key-id headers plus timestamp tolerance, records safe verified-signature metadata, and projects signature verification posture throughtenant-invitation-delivery-status-http-endpointswhile provider-specific callback payload translation, provider-specific signature semantics, provider polling, durable notification queues, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-29
ENG-286/ issue #801 slice added bounded process-local replay protection for signed ASP.NET Core normalized delivery-status callbacks: whenTenantInvitationDeliveryStatusCallbackSigningSecretis configured andEnableTenantInvitationDeliveryStatusCallbackReplayProtectionremains enabled,MapCephalonTenantInvitationDeliveryStatusCallbacks()records safe SHA-256 signature fingerprints for accepted signed callbacks, rejects duplicate signed requests with409insideTenantInvitationDeliveryStatusCallbackReplayRetentionSeconds, projects replay policy/key/scope/durability/retention/cache-limit posture throughtenant-invitation-delivery-status-http-endpoints, and remains explicit that provider-specific or distributed callback inboxes, cross-node replay protection, provider-specific callback payload translation/signature semantics, provider polling, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores are still future package-owned work - the 2026-04-29
ENG-287/ issue #802 slice added the host-agnostic invitation delivery status observation store baseline:Cephalon.MultiTenancy.Governancenow addsITenantInvitationDeliveryStatusObservationStore,TenantInvitationDeliveryStatusObservationDescriptor, an in-memory default store, opt-in local JSON durability throughMultiTenancyGovernanceOptions.InvitationDeliveryStatusObservationStoreFilePath, retention throughInvitationDeliveryStatusObservationHistoryLimit, thetenancy.invitation.delivery-status-observation-storecapability, andtenant-invitationsmetadata for observation-store kind, durability, scope, history limit, count, and latest observation while staying explicit that provider-specific or distributed callback inboxes, cross-node replay protection, provider-specific callback payload translation/signature semantics, provider polling, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores are still future package-owned work - the 2026-04-29
ENG-288/ issue #803 slice added the ASP.NET Core invitation delivery status observation endpoint baseline:Cephalon.MultiTenancy.Governance.AspNetCorenow exposesMapCephalonTenantInvitationDeliveryStatusObservations()for bounded/filterableGET /engine/tenant-invitations/delivery-status/observationsreads overITenantInvitationDeliveryStatusObservationStore, returnsTenantInvitationDeliveryStatusObservationQueryResult, keeps observation reads fail-closed by default throughRequireTenantInvitationDeliveryStatusObservationAuthorization, reports route/auth/limit/read-contract posture throughtenant-invitation-delivery-status-http-endpoints, and stays explicit that provider-specific callback inboxes, provider polling, distributed replay ledgers, exactly-once delivery, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores are still future package-owned work - the 2026-04-29
ENG-289/ issue #804 slice added the ASP.NET Core invitation delivery dispatch endpoint baseline:Cephalon.MultiTenancy.Governance.AspNetCorenow exposesMapCephalonTenantInvitationDeliveryDispatches()for fail-closedPOST /engine/tenant-invitations/delivery-dispatchesactions overITenantInvitationDeliveryDispatcher, defaults the dispatch source toaspnetcore-invitation-delivery-dispatch, records safe adapter metadata, maps dispatcher outcomes to explicit HTTP statuses, and reports route/auth/status-mapping/boundary posture throughtenant-invitation-delivery-http-endpointswhile provider-specific senders, distributed retry queues, public onboarding, tenant-admin UI/backoffice, identity-provider sync, provider polling, callback inboxes, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-29
ENG-290/ issue #805 slice added the host-agnostic invitation delivery retry queue baseline:Cephalon.MultiTenancy.Governancenow exposesITenantInvitationDeliveryRetryStore,ITenantInvitationDeliveryRetryRunner, retry descriptor/request/result contracts, retry statuses/outcomes, retry metadata keys, opt-inEnableInvitationDeliveryRetryQueue, local JSON durability throughInvitationDeliveryRetryQueueFilePath, bounded manualRetryPendingAsync(...)replay over retryablesender-failedoutcomes,tenancy.invitation.delivery-retry-queue, andtenant-invitationsretry queue ownership/kind/durability/count/latest posture while distributed retry queues, cross-node leases, exactly-once delivery, provider-specific senders, public onboarding, tenant-admin UI/backoffice, identity-provider sync, provider polling, callback inboxes, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-29
ENG-291/ issue #806 slice added opt-in automatic invitation delivery retry background scheduling:Cephalon.MultiTenancy.Governancenow exposesEnableInvitationDeliveryRetryBackgroundScheduling,InvitationDeliveryRetryBackgroundIntervalSeconds,InvitationDeliveryRetryBackgroundRunOnStartup,InvitationDeliveryRetryBackgroundSource,TenantInvitationDeliveryRetryHostedService,ITenantInvitationDeliveryRetryRuntimeCatalog,TenantInvitationDeliveryRetryRuntimeSnapshot,tenancy.invitation.delivery-retry-background-scheduling, diagnostics4554-4557, andtenant-invitationsdeliveryRetryBackground*metadata while distributed retry queues, cross-node leases, exactly-once delivery, provider-specific senders, public onboarding, tenant-admin UI/backoffice, identity-provider sync, provider polling, callback inboxes, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-29
ENG-292/ issue #807 slice added process-local invitation delivery retry execution coordination:Cephalon.MultiTenancy.Governancenow exposesEnableInvitationDeliveryRetryExecutionCoordination,ITenantInvitationDeliveryRetryExecutionCoordinationCatalog,TenantInvitationDeliveryRetryExecutionCoordinationSnapshot, thealready-runningretry outcome, stable coordination metadata keys,tenancy.invitation.delivery-retry-execution-coordination, andtenant-invitationsdeliveryRetryExecutionCoordination*metadata; overlapping retry runner passes inside one host process now skip without dispatching entries or mutating the retry queue while distributed retry queues, cross-node leases, exactly-once delivery, provider-specific senders, public onboarding, tenant-admin UI/backoffice, identity-provider sync, provider polling, callback inboxes, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-29
ENG-293/ issue #808 slice added the optional SMTP invitation delivery sender proof:Cephalon.MultiTenancy.Governance.SmtpDeliverynow exposesSmtpInvitationDeliveryOptions,AddCephalonSmtpInvitationDelivery(...),ISmtpInvitationDeliveryClient,SmtpInvitationDeliveryMessage, andSmtpInvitationDeliveryClientResult; it registers the defaultsmtp-emailITenantInvitationDeliverySender, resolves recipient email from dispatch metadata, invitation metadata, orInviteeKind = email, prepares templated plain-text/HTML messages, derives deterministic SMTPMessage-Idvalues, records safe relay/recipient/message metadata, emits diagnostics4558-4559, and stays explicit that provider-specific email APIs, SMS/chat/CRM/identity-provider senders, bounce/callback translation, provider polling, distributed retry queues, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-29
ENG-294/ issue #809 slice added the optional SendGrid invitation delivery sender proof:Cephalon.MultiTenancy.Governance.SendGridDeliverynow exposesSendGridInvitationDeliveryOptions,AddCephalonSendGridInvitationDelivery(...),ISendGridInvitationDeliveryClient,SendGridInvitationDeliveryMessage, andSendGridInvitationDeliveryClientResult; it registers the defaultsendgrid-emailITenantInvitationDeliverySender, posts templated Mail Send API payloads to/v3/mail/send, resolves recipient email from dispatch metadata, invitation metadata, orInviteeKind = email, carries deterministic Cephalon message ids through safe custom arguments and headers, supports SendGrid sandbox validation where200 OKis accepted alongside the normal202 Accepted, capturesX-Message-IDas the provider message id, records only safe endpoint/status/sandbox/category/custom-argument/recipient metadata, emits diagnostics4560-4561, and stays explicit that SendGrid Event Webhook translation, webhook signature verification, bounce handling, provider polling, dynamic-template lifecycle management, Mailgun handoff later shipped throughENG-299, Amazon SES v2 handoff later shipped throughENG-306, additional non-SendGrid email APIs beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider senders, distributed retry queues, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-295/ issue #810 slice added the optional SendGrid Event Webhook callback translation proof:Cephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCorenow exposesSendGridInvitationDeliveryAspNetCoreOptions,AddCephalonSendGridInvitationDeliveryAspNetCore(...),MapCephalonSendGridInvitationDeliveryStatusCallbacks(),SendGridInvitationDeliveryStatusCallbackResult, andSendGridInvitationDeliveryStatusCallbackEventResult; it maps fail-closedPOST /engine/tenant-invitations/delivery-status/sendgrid, parses bounded SendGrid JSON event arrays, extracts Cephalon custom arguments, normalizessg_message_idto the stored SendGridX-Message-IDprovider message id by default, translatesprocessed/delivered/deferred/bounce/suppression events into normalized delivery statuses, skips engagement events by default, records safe status metadata andsendgrid:{sg_event_id}observation ids, emits diagnostics4562, and projectstenant-invitation-delivery-sendgrid-status-callbacks; at that point, SendGrid signed-webhook verification, durable callback inboxes, distributed replay protection, provider polling, dynamic-template lifecycle management, non-SendGrid callback translation, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remained future package-owned work - the 2026-04-30
ENG-296/ issue #811 slice added optional SendGrid signed Event Webhook verification toCephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCore: whenRequireSignedEventWebhookis enabled,MapCephalonSendGridInvitationDeliveryStatusCallbacks()verifiesX-Twilio-Email-Event-Webhook-SignatureandX-Twilio-Email-Event-Webhook-Timestampwith ECDSA-SHA256 overtimestamp + rawBodybefore JSON parsing or reconciliation, rejects invalid signed callbacks before touching invitation state or delivery-status observations, records safe signature metadata and callback-result posture, emits diagnostics4563, and projects signature verification ascephalon-managedthroughtenant-invitation-delivery-sendgrid-status-callbackswhile durable callback inboxes, distributed replay protection, provider polling, non-SendGrid callback translation/signature semantics, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-297/ issue #812 slice added bounded process-local replay protection for verified SendGrid signed Event Webhook callbacks: whenRequireSignedEventWebhookandEnableSignedEventWebhookReplayProtectionare enabled,MapCephalonSendGridInvitationDeliveryStatusCallbacks()records safe SHA-256 signature fingerprints in a bounded in-memory cache, rejects duplicate verified signatures with409before reconciliation, records safe replay metadata and callback-result posture, emits diagnostics4564, and projects replay policy/key/scope/durability/retention/cache posture throughtenant-invitation-delivery-sendgrid-status-callbackswhile durable callback inboxes, distributed replay ledgers, provider polling, cross-node exactly-once delivery, non-SendGrid callback translation/signature semantics, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-298/ issue #813 slice added observation-store-backed SendGrid event-id idempotency toCephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCore: whenEnableEventWebhookEventIdIdempotencyis enabled,MapCephalonSendGridInvitationDeliveryStatusCallbacks()checks the normalizedsendgrid:{sg_event_id}observation id inITenantInvitationDeliveryStatusObservationStore, skips duplicate translated events before invoking the reconciler, returnsDuplicateEventsplus per-eventduplicate-skippedoutcomes, records safe idempotency metadata, emits diagnostics4565, and projects event-id idempotency posture throughtenant-invitation-delivery-sendgrid-status-callbackswhile durable callback inboxes, distributed replay/event-id ledgers, provider polling, cross-node exactly-once delivery, non-SendGrid callback translation/signature semantics, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-299/ issue #814 slice added the optional Mailgun invitation delivery sender proof:Cephalon.MultiTenancy.Governance.MailgunDeliverynow exposesMailgunInvitationDeliveryOptions,AddCephalonMailgunInvitationDelivery(...),IMailgunInvitationDeliveryClient,MailgunInvitationDeliveryMessage, andMailgunInvitationDeliveryClientResult; it registers the defaultmailgun-emailITenantInvitationDeliverySender, posts templated multipart Messages API payloads to/v3/{domain}/messages, resolves recipient email from dispatch metadata, invitation metadata, orInviteeKind = email, carries deterministic Cephalon message ids through safev:*variables andh:*headers, supports Mailgun test mode througho:testmode=yes, captures the JSONidresponse as the provider message id, records only safe endpoint/status/domain/test-mode/tag/variable/header/recipient metadata, emits diagnostics4566-4567, and stays explicit that Mailgun webhook callback translation later shipped throughENG-300, Mailgun signed-webhook verification later shipped throughENG-301, Mailgun replay-token rejection later shipped throughENG-302, Mailgun event-id idempotency later shipped throughENG-303, Microsoft GraphsendMailhandoff later shipped throughENG-304, and Amazon SES v2 handoff later shipped throughENG-306, while additional provider senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider senders, provider polling, durable callback inboxes, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-300/ issue #815 slice added the optional Mailgun webhook callback translation proof:Cephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCorenow exposesMailgunInvitationDeliveryAspNetCoreOptions,AddCephalonMailgunInvitationDeliveryAspNetCore(...),MapCephalonMailgunInvitationDeliveryStatusCallbacks(),MailgunInvitationDeliveryStatusCallbackResult, andMailgunInvitationDeliveryStatusCallbackEventResult; it maps fail-closedPOST /engine/tenant-invitations/delivery-status/mailgun, parses bounded Mailgun JSON event objects plus bounded arrays for controlled replay/tests, extracts Cephalonuser-variables, normalizesmessage.headers.message-idwith angle brackets by default to match the sender’s captured Mailgun JSONid, translates Mailgun delivery events into normalized delivery statuses, skips engagement events by default, records safe status metadata andmailgun:{id}observation ids, emits diagnostics4568, and projectstenant-invitation-delivery-mailgun-status-callbacks; Mailgun signed-webhook verification later shipped throughENG-301, Mailgun replay-token rejection later shipped throughENG-302, and Mailgun event-id idempotency later shipped throughENG-303, while durable callback inboxes, distributed replay/event-id ledgers, provider polling, cross-node exactly-once delivery, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-301/ issue #816 slice added optional Mailgun signed webhook verification toCephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCore: whenRequireSignedWebhookis enabled,MapCephalonMailgunInvitationDeliveryStatusCallbacks()verifies the Mailgun HMAC-SHA256 hex digest overtimestamp + tokenusingWebhookSigningKey, acceptssignature.parent-signaturefor subaccount events whenAcceptParentSignatureis enabled, rejects missing/malformed/stale/invalid signed callbacks before reconciliation, records safe signature metadata and callback-result posture, emits diagnostics4569, and projects signature verification ascephalon-managedthroughtenant-invitation-delivery-mailgun-status-callbacks; Mailgun replay-token rejection later shipped throughENG-302and Mailgun event-id idempotency later shipped throughENG-303, while durable callback inboxes, distributed replay/event-id ledgers, provider polling, cross-node exactly-once delivery, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-302/ issue #817 slice added bounded process-local Mailgun signed webhook replay protection toCephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCore: whenRequireSignedWebhookandEnableSignedWebhookReplayProtectionare enabled, verified Mailgun webhook tokens are retained as SHA-256 fingerprints forSignedWebhookReplayRetentionSecondsup toSignedWebhookReplayCacheLimit, duplicate tokens return409before reconciliation, accepted callbacks record safe replay metadata and callback-result posture, diagnostics now include4570, andtenant-invitation-delivery-mailgun-status-callbacksreports replay ownership ascephalon-managed, policysigned-webhook-token, keytoken-fingerprint, scopeprocess-local, and durabilitynone; durable callback inboxes, distributed replay/event-id ledgers, provider polling, cross-node exactly-once delivery, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-303/ issue #818 slice added observation-store-backed Mailgun event-id idempotency toCephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCore: whenEnableWebhookEventIdIdempotencyis enabled and the governance observation store is enabled,MapCephalonMailgunInvitationDeliveryStatusCallbacks()checks the normalizedmailgun:{event-data.id}observation id inITenantInvitationDeliveryStatusObservationStore, skips duplicate translated events before invoking the reconciler, returnsDuplicateEventsplus per-eventduplicate-skippedoutcomes, records safe idempotency metadata, emits diagnostics4571, and projects event-id idempotency posture throughtenant-invitation-delivery-mailgun-status-callbackswhile durable callback inboxes, distributed replay/event-id ledgers, provider polling, cross-node exactly-once delivery, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-304/ issue #819 slice added the optional Microsoft Graph invitation delivery sender proof:Cephalon.MultiTenancy.Governance.MicrosoftGraphDeliverynow exposesMicrosoftGraphInvitationDeliveryOptions,AddCephalonMicrosoftGraphInvitationDelivery(...),IMicrosoftGraphInvitationDeliveryClient,IMicrosoftGraphInvitationDeliveryAccessTokenProvider,MicrosoftGraphInvitationDeliveryMessage, andMicrosoftGraphInvitationDeliveryClientResult; it registers the defaultmicrosoft-graph-emailITenantInvitationDeliverySender, posts templated JSON payloads to GraphsendMail, resolves recipient email from dispatch metadata, invitation metadata, orInviteeKind = email, carries deterministic Cephalon message ids through safe customx-*internet message headers, records only safe Graph endpoint/status/request-id/category/header/recipient metadata, emits diagnostics4572-4573, and stays explicit that Microsoft Entra app registration, permission consent, mailbox access policy, token-provider implementation beforeENG-305, delivery completion after accepted handoff, Graph change notifications, provider polling, durable callback inboxes, Amazon SES v2 handoff later shipped throughENG-306, additional provider senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider senders, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-305/ issue #820 slice added the optional Microsoft Graph Azure Identity token-provider proof:Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery.AzureIdentitynow exposesMicrosoftGraphInvitationDeliveryAzureIdentityOptionsandAddCephalonMicrosoftGraphInvitationDeliveryAzureIdentity(...); it replaces the Graph senderIMicrosoftGraphInvitationDeliveryAccessTokenProviderwith Azure Identity-backed access-token acquisition, supports configuration/code-firstDefaultAzureCredentialsetup, explicitTokenCredentialinjection, Graph scope selection, tenant id, managed-identity client id, authority-host selection, and safe credential exclusion toggles, emits diagnostics4574-4575, never records token values or authorization headers, and stays explicit that Microsoft Entra app registration, GraphMail.Sendpermission consent, mailbox access policy, credential lifecycle policy beyond the selected Azure credential, delivery completion after accepted handoff, Graph change notifications, provider polling, durable callback inboxes, Amazon SES v2 handoff later shipped throughENG-306, additional provider senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider senders, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-306/ issue #821 slice added the optional Amazon SES v2 invitation delivery sender proof:Cephalon.MultiTenancy.Governance.AmazonSesDeliverynow exposesAmazonSesInvitationDeliveryOptions,AddCephalonAmazonSesInvitationDelivery(...),IAmazonSesInvitationDeliveryClient,AmazonSesInvitationDeliveryMessage, andAmazonSesInvitationDeliveryClientResult; it registers the defaultamazon-ses-emailITenantInvitationDeliverySender, sends templated SES v2SendEmailpayloads, resolves recipient email from dispatch metadata, invitation metadata, orInviteeKind = email, supports region/configuration-set/reply-to/tag configuration, captures SESMessageIdas the provider message id, records only safe region/configuration-set/status/message-id/tag/recipient metadata, emits diagnostics4576-4577, and stays explicit that AWS account/IAM/identity verification, DKIM/SPF/DMARC, SES sandbox exit, Amazon SES over SNS callback translation later shipped throughENG-307, provider polling, durable callback inboxes, additional provider senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider senders, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-307/ issue #822 slice added the optional Amazon SES over SNS callback translation proof:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow exposesAmazonSesInvitationDeliveryAspNetCoreOptions,AddCephalonAmazonSesInvitationDeliveryAspNetCore(...),MapCephalonAmazonSesInvitationDeliveryStatusCallbacks(),AmazonSesInvitationDeliveryStatusCallbackResult, andAmazonSesInvitationDeliveryStatusCallbackEventResult; it maps fail-closedPOST /engine/tenant-invitations/delivery-status/amazon-ses, parses bounded SNSNotificationenvelopes, unwraps SES event publishing JSON fromMessage, extracts Cephalon context tags frommail.tags, correlatesmail.messageIdwith the SES sender provider message id, translates SES delivery events into normalized delivery statuses, skips SNS confirmation/unsubscribe messages and engagement events by default, records safe callback metadata, emits diagnostics4578, and projectstenant-invitation-delivery-amazon-ses-status-callbackswhile SNS signature verification later shipped throughENG-308, process-local SNS replay protection throughENG-309, observation-store-backed SNS message-id idempotency throughENG-310, verified SNS subscription confirmation throughENG-311, and verified SNS unsubscribe-confirmation observation throughENG-312; SES event-destination setup, provider polling, durable callback inboxes, distributed replay/event-id ledgers, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-308/ issue #823 slice added optional Amazon SNS signature verification before Amazon SES callback translation:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow exposesRequireSnsSignatureVerification,RequireSnsSignatureVersion2,RequireAllowedSnsTopicArn,AllowedSnsTopicArns,PinnedSnsSigningCertificatePem, andValidateSnsSigningCertificateChain; it rejects unsigned or invalid SNS envelopes before mapping/reconciliation, verifies SNSNotification,SubscriptionConfirmation, andUnsubscribeConfirmationcanonical strings with RSA, requires signature version 2 and allowedTopicArnvalues by default, validates HTTPS Amazon SNS signing-certificate URLs, supports pinned PEM certificates for controlled tests, records safe signature metadata, emits diagnostics4579, and projects signature-version/topic/certificate policy throughtenant-invitation-delivery-amazon-ses-status-callbackswhile SNS replay protection later shipped throughENG-309, observation-store-backed SNS message-id idempotency throughENG-310, verified SNS subscription confirmation throughENG-311, and verified SNS unsubscribe-confirmation observation throughENG-312; SES event-destination setup, provider polling, durable callback inboxes, distributed replay/event-id ledgers, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-309/ issue #824 slice added bounded process-local Amazon SNS replay protection before Amazon SES callback reconciliation:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow exposesEnableSnsReplayProtection,SnsReplayRetentionSeconds, andSnsReplayCacheLimit; when SNS signature verification is required and verified, it stores safe fingerprints derived from SNSTopicArnplusMessageId, rejects duplicate verified callbacks with409 Conflict, records safe replay metadata, emits diagnostics4580, and projects replay policy/key/scope/durability/retention/cache posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile observation-store-backed SNS message-id idempotency later shipped throughENG-310, verified SNS subscription confirmation throughENG-311, and verified SNS unsubscribe-confirmation observation throughENG-312; SES event-destination setup, provider polling, durable callback inboxes, distributed replay/event-id ledgers, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-310/ issue #825 slice added observation-store-backed Amazon SNS message-id idempotency before Amazon SES callback reconciliation:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow exposesEnableSnsMessageIdIdempotency; when the governance observation store is enabled, it checks normalizedamazon-ses-sns:{MessageId}observation ids before invoking the reconciler, skips duplicate translated SNS events withduplicate-skippedoutcomes and aggregateduplicateEvents, records safe idempotency metadata, emits diagnostics4581, and projects message-id idempotency policy/key/scope/store-durability posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile verified SNS subscription confirmation later shipped throughENG-311and verified SNS unsubscribe-confirmation observation later shipped throughENG-312; SES event-destination setup, provider polling, durable callback inboxes, distributed replay/event-id ledgers, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-311/ issue #826 slice added opt-in verified Amazon SNS subscription confirmation before Amazon SES callback translation/reconciliation:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow exposesEnableSnsSubscriptionConfirmation,SnsSubscriptionConfirmationTimeoutSeconds,IAmazonSesSnsSubscriptionConfirmationClient,AmazonSesSnsSubscriptionConfirmationRequest, andAmazonSesSnsSubscriptionConfirmationResult; it confirms only verifiedSubscriptionConfirmationenvelopes from allowed topics, validates trusted HTTPS Amazon SNSSubscribeURLvalues, uses a bounded no-redirect default HTTP confirmation client, returns subscription-confirmation aggregate fields, emits diagnostics4582-4583, and projects confirmation ownership/policy/timeout posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile verified SNS unsubscribe-confirmation observation later shipped throughENG-312, and SNS topic/subscription creation, SES event-destination setup, automatic resubscribe/restore, subscription lifecycle governance, provider polling, durable callback inboxes, distributed replay/event-id ledgers, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-312/ issue #827 slice added opt-in verified Amazon SNS unsubscribe-confirmation observation for Amazon SES callbacks:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow exposesEnableSnsUnsubscribeConfirmationObservation; when enabled with SNS signature verification, it observes only verifiedUnsubscribeConfirmationenvelopes from allowed topics, validates required lifecycle fields and trusted HTTPS Amazon SNSSubscribeURLvalues, records safe observe-only metadata, reuses bounded process-local replay posture, returns unsubscribe-confirmation aggregate fields onAmazonSesInvitationDeliveryStatusCallbackResult, emits diagnostic4584, and projects unsubscribe-confirmation ownership/action/SubscribeURL policy throughtenant-invitation-delivery-amazon-ses-status-callbackswhile never invokingSubscribeURLbecause that would re-confirm or restore the subscription; SNS topic/subscription creation, SES event-destination setup, automatic resubscribe/restore, subscription lifecycle governance, provider polling, durable callback inboxes, distributed replay/event-id ledgers, public onboarding, tenant-admin UI/backoffice, identity-provider sync, distributed retry queues, and distributed/provider-backed governance stores remain future package-owned work - the 2026-04-30
ENG-313/ issue #828 slice added filtered delivery-status observation rollup summaries toCephalon.MultiTenancy.Governance.AspNetCore:TenantInvitationDeliveryStatusObservationQueryResultnow exposesSummaryCountandSummaries,TenantInvitationDeliveryStatusObservationSummaryDescriptorreports dimension/value counts plus reconciled/recorded/latest timestamps,GET /engine/tenant-invitations/delivery-status/observationssummarizes matched normalized observations by status, outcome, source, channel, sender, and tenant before applying the response record limit, andtenant-invitation-delivery-status-http-endpointsreports observation-summary ownership/scope/dimensions; this remains an operator/audit projection over the existing observation store, not a provider-specific callback inbox, provider polling loop, distributed replay/event-id ledger, or exactly-once delivery claim - the 2026-04-30
ENG-314/ issue #829 slice added delivery-status observation attention drill-downs toCephalon.MultiTenancy.Governance.AspNetCore:TenantInvitationDeliveryStatusObservationAttentionCategoriesnow exposes stabledelivery-failed,delivery-deferred,delivery-suppressed,delivery-unknown,reconciliation-gap, andrecording-gaplabels,GET /engine/tenant-invitations/delivery-status/observationsnow includes anattentionsummary dimension derived from the matched normalized observation set before applying the response record limit, supports theattention=query filter, and reports observation-attention ownership/scope/categories throughtenant-invitation-delivery-status-http-endpoints; this remains an operator/audit projection over the existing observation store, not a provider-specific callback inbox, provider polling loop, distributed replay/event-id ledger, or exactly-once delivery claim - the 2026-04-30
ENG-315/ issue #830 slice added delivery-status observation remediation hints toCephalon.MultiTenancy.Governance.AspNetCore:TenantInvitationDeliveryStatusObservationRemediationActionsnow exposes stable action labels,TenantInvitationDeliveryStatusObservationRemediationHintDescriptordescribes aggregate operator guidance,TenantInvitationDeliveryStatusObservationQueryResultnow exposesRemediationHintCountandRemediationHints,GET /engine/tenant-invitations/delivery-status/observationsderives hints from the matched normalized observation set before applying the response record limit, andtenant-invitation-delivery-status-http-endpointsreports remediation-hint ownership/scope/actions; this remains deterministic operator guidance over existing observation history, not provider polling, distributed remediation execution, distributed callback inbox, distributed replay/event-id ledger, or exactly-once delivery - the 2026-04-30
ENG-316/ issue #831 slice added delivery-status observation remediation-action filtering toCephalon.MultiTenancy.Governance.AspNetCore:GET /engine/tenant-invitations/delivery-status/observationsnow includes aremediationsummary dimension derived from matched normalized observations before applying the response record limit, supports the normalizedremediation=query filter using the same stable action labels as remediation hints, and reports observation-remediation filter ownership/scope throughtenant-invitation-delivery-status-http-endpoints; this remains an operator/audit projection over stored observations, not provider polling, distributed remediation execution, distributed callback inbox, distributed replay/event-id ledger, or exactly-once delivery - the 2026-04-30
ENG-317/ issue #832 slice added delivery-status observation provider-message drill-down filtering toCephalon.MultiTenancy.Governance.AspNetCore:GET /engine/tenant-invitations/delivery-status/observationsnow includes aproviderMessageIdsummary dimension derived from matched normalized observations before applying the response record limit, supports theproviderMessageId=query filter for provider callback tracebacks, and reports observation-provider-message filter ownership/scope throughtenant-invitation-delivery-status-http-endpoints; this remains an operator/audit projection over stored observations, not provider polling, provider-specific callback inbox, distributed remediation execution, distributed replay/event-id ledger, or exactly-once delivery - likely next phase-13 follow-through after the shared coverage, remediation, governance, drift, action-planning, write-path-readiness, preflight, dry-run, execution-intent, execution-approval, command-envelope, command-issuance, provider execution-adapter, execution outcome/history, retry/idempotency, retry-execution-policy, bounded command-journal, automatic background retry execution, automatic background retry coordination, durable command-journal, distributed retry lease, distributed retry orchestration, richer cross-node idempotency hardening, broader multi-node lease-execution, durable shared scheduler-orchestration, scheduler recovery/execution-hardening, broader provider-owned write-path execution, broader provider execution orchestration hardening, provider-owned control-plane ownership, provider-owned control-plane mutation/reconcile, provider-owned control-plane provisioning, provider-owned control-plane apply-and-reconcile execution, provider-owned control-plane dependency-aware apply-and-reconcile hardening, provider-owned control-plane dependency-aware provisioning and mutation hardening, provider-specific control-plane materializer, provider-specific control-plane dependency-aware teardown and mutation-execution hardening, provider-specific identity drill-down, provider-specific worker identity normalization, provider-specific worker drill-down, provider-specific transport drill-down, provider-specific dependency-identity drill-down, and provider-specific current-node drill-down follow-through baselines is later additional provider-specific control-plane materializers or broader provider-specific teardown and mutation-execution follow-through, while full Kafka Connect control-plane ownership still remains later than the shipped shared bounded retry plus durability plus lease plus orchestration plus hardening plus lease-execution plus scheduler plus recovery plus provider-owned write-path plus provider execution orchestration plus provider-owned control-plane ownership plus provider-owned control-plane mutation/reconcile plus provider-owned control-plane provisioning plus provider-owned control-plane apply-and-reconcile execution plus dependency-aware apply-and-reconcile hardening plus dependency-aware provisioning and mutation hardening plus provider-specific control-plane materializer plus provider-specific teardown and mutation-execution hardening plus provider-specific identity drill-down plus worker plus transport plus dependency-identity plus current-node operator truth
- the 2026-04-19 repo-truth audit confirmed the remaining historically open pre-
ENG-058-T78REST cards (#324,#325,#326,#327,#329,#331,#337,#338,#339,#340,#341, and#342) were GitHub tracking drift rather than missing implementation work: the shipped backlog/roadmap/docs already describe those slices, focused validation passed throughBehaviorRestRuntimeCatalogHostingTests(122/122) plus tooling/reference-doc suites (178/178), and GitHub project state should stay aligned with the repo-owned closeout posture instead of reopening those older REST baselines - the 2026-04-19
ENG-112slice shipped the first durable live runtime-state and failure-posture baseline: active durable streams now surface throughIDurableExecutionRuntimeStateCatalog,/engine/durable-executions/runtime, andsnapshot.DurableExecutionStateswith per-stream outcome, stage, replayed-version, known-version, append-count, output/completion posture, error summary, and contextual metadata derived from the shared durable strategy - the 2026-04-19
ENG-113slice shipped the first durable timer/signal coordination baseline:DurableExecutionStepResult<TOutput>andDurableExecutionRuntimeStatenow carry pending timers/signals, the shared strategy now emits awaitingposture with202for coordination-only waits, and operators can filter active durable streams through/engine/durable-executions/runtime/timers*and/engine/durable-executions/runtime/signals* - the 2026-04-19
ENG-114slice shipped the first durable compensation-helper baseline:DurableExecutionCompensationAction,DurableExecutionStepResult<TOutput>.CompensationActions,DurableExecutionRuntimeState.CompensationActions, and/engine/durable-executions/runtime/compensations*now keep operator-facing recovery guidance on the same shared durable runtime-state catalog without changing durable coordination semantics - the 2026-04-19
ENG-115slice shipped the first higher-level saga choreography authoring-helper baseline:ISagaChoreographyStepResult,ISagaEventReactor<TEvent>,ISagaEventReactor<TEvent, TOutput>,SagaChoreographyStepResult<TOutput>, and typed JSON helper factories onSagaChoreographyPublicationnow keep lower-ceremony choreography authoring on the same shared execution contract without changing the explicit eventing bridge or introducing a second choreography registry - the 2026-04-19
ENG-116slice shipped the first choreography runtime/operator catalog baseline:SagaChoreographyRuntimeDescriptor,ISagaChoreographyRuntimeCatalog,/engine/saga-choreographies, andsnapshot.SagaChoreographiesnow keep choreography ownership, transport exposure, feature gates, and result-shape metadata queryable from one shared operator surface without pretending to be live publication-state tracking or replacing the explicit eventing bridge truth - the 2026-04-19
ENG-117slice shipped the first live choreography publication-state baseline:SagaChoreographyPublicationRuntimeState,ISagaChoreographyPublicationRuntimeStateCatalog,/engine/saga-choreographies/runtime*, andsnapshot.SagaChoreographyPublicationStatesnow keep strategy-owned publication handoff observations queryable by publication, behavior, module, transport, channel, correlation, compensation, and failure posture without collapsing the explicit eventing bridge or downstream dispatch truth into the choreography runtime answer - the 2026-04-19
ENG-118slice shipped the module-backed saga choreography capability-publication follow-through:Cephalon.Behaviorsnow publishesbehaviors.saga-choreography.runtime-catalogandbehaviors.saga-choreography.publication-stateonly whenAddBehaviorPatterns()registers the shared choreography runtime services, and/engine/capabilitiesplus manifest metadata now keep runtime-catalog versus publication-state ownership explicit without inventing synthetic engine or bridge provenance - continued
.NET 11readiness follow-through, including analyzer drift, package-surface compatibility expectations, any future deployment-mode claim proof beyond the shipped manifest-backed support contract, and the eventual deliberate migration from readiness lane to supported default baseline Cephalon.Dataplus provider families and event-sourcing follow-throughCephalon.Observabilityplus dependency-health and exporter/provider conventions- CLI, scaffolding, template, sample, and NuGet publication alignment whenever app-model or package contracts change
Local workspace notes
Section titled “Local workspace notes”This snapshot was created from the current local workspace, not from a clean published release artifact.
Observed local notes during the scan:
- the git worktree contains local untracked directories such as
.build/,.claude/,.dotnet/,.dotnet-cli/,.dotnet-appdata/, and.nuget-appdata/ - direct
git statusrequired a safe-directory override because the repository ownership on disk differs from the current user context
Those notes may be local-environment artifacts rather than repository-intended state.