chore(furniture-bff): checkpoint pending development updates

Why: protect business endpoint access with thalos-backed session checks.

What: add edge auth guard call to thalos session/me, preserve anonymous health endpoints, and add auth enforcement docs.

Rule: keep identity ownership in thalos and standardize edge auth behavior.

.dockerignore

@@ -0,0 +1,9 @@
+**/bin/
+**/obj/
+.vs/
+TestResults/
+.git/
+.repo-tasks/
+.repo-context/
+.tasks/
+.agile/

.gitignore

@@ -1,53 +1,24 @@
-# AgileWebs local orchestration
+# Repository orchestration folders (local only)
+.repo-tasks/
+.repo-context/
 .tasks/
 .agile/
 
-# Build artifacts
+# .NET build outputs
-**/[Bb]in/
+**/bin/
-**/[Oo]bj/
+**/obj/
-/**/out/
-/**/artifacts/
-
-# IDE and editor files
 .vs/
-.idea/
+TestResults/
-.vscode/
-*.suo
-*.user
-*.userosscache
-*.sln.docstates
-*.rsuser
-*.swp
-*.swo
-
-# NuGet
-*.nupkg
-*.snupkg
-**/packages/*
-!**/packages/build/
-
-# Test output
 **/TestResults/
-*.trx
+*.user
-*.coverage
+*.suo
-*.coveragexml
+*.rsuser
 
-# Logs
+# IDE
-*.log
+.idea/
+
+# Runtime-local artifacts
 logs/
-
+*.log
-# Local environment files
+.env.local
-.env
+.env.*.local
-.env.*
-!.env.example
-
-# Docker
-.docker/
-**/.docker/
-*.pid
-docker-compose.override.yml
-docker-compose.*.override.yml
-
-# OS files
-.DS_Store
-Thumbs.db

Dockerfile

@@ -0,0 +1,22 @@
+# syntax=docker/dockerfile:1.7
+ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0
+ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0
+
+FROM ${SDK_IMAGE} AS build
+ARG NUGET_FEED_URL=https://gitea.dream-views.com/api/packages/AgileWebs/nuget/index.json
+ARG NUGET_FEED_USERNAME=
+ARG NUGET_FEED_TOKEN=
+WORKDIR /src
+COPY . .
+
+RUN if [ -n "$NUGET_FEED_USERNAME" ] && [ -n "$NUGET_FEED_TOKEN" ]; then       dotnet nuget add source "$NUGET_FEED_URL"         --name gitea-org         --username "$NUGET_FEED_USERNAME"         --password "$NUGET_FEED_TOKEN"         --store-password-in-clear-text         --allow-insecure-connections         --configfile /root/.nuget/NuGet/NuGet.Config;     fi
+
+RUN dotnet restore "src/Furniture.Bff.Rest/Furniture.Bff.Rest.csproj" --configfile /root/.nuget/NuGet/NuGet.Config
+RUN dotnet publish "src/Furniture.Bff.Rest/Furniture.Bff.Rest.csproj" -c Release -o /app/publish /p:UseAppHost=false --no-restore
+
+FROM ${RUNTIME_IMAGE} AS runtime
+WORKDIR /app
+ENV ASPNETCORE_URLS=http://+:8080     ASPNETCORE_ENVIRONMENT=Production
+EXPOSE 8080
+COPY --from=build /app/publish .
+ENTRYPOINT ["dotnet", "Furniture.Bff.Rest.dll"]

docs/architecture/bff-service-boundary.md

@@ -7,6 +7,7 @@ Preserve BFF as an edge adapter layer that depends on service contracts only.
 - REST edge exposure
 - Service client adaptation
 - Correlation/tracing propagation
+- Single active edge protocol policy enforcement (`rest`)
 
 ## Prohibited
 - Direct DAL access

docs/roadmap/feature-epics.md

@@ -0,0 +1,18 @@
+# Feature Epics
+
+## Repository
+furniture-bff
+
+## Core Epics
+- Epic 1: Expand domain-aligned capabilities for restaurant operations.
+- Epic 2: Stabilize service contracts for containerized runtime integration.
+- Epic 3: Improve observability and operational readiness for demo compose environments.
+
+## Domain-Specific Candidate Features
+- Order lifecycle consistency and state transitions.
+- Kitchen queue and dispatch optimization hooks.
+- Operations control-plane policies (flags, service windows, overrides).
+- POS closeout and settlement summary alignment.
+
+## Documentation Contract
+Any code change in this repository must include docs updates in the same branch.

docs/runbooks/containerization.md

@@ -0,0 +1,41 @@
+# Containerization Runbook
+
+## Image Build
+
+If the repo consumes internal packages from Gitea, pass feed credentials as build args.
+
+```bash
+docker build   --build-arg NUGET_FEED_USERNAME=<gitea-login>   --build-arg NUGET_FEED_TOKEN=<gitea-token>   -t agilewebs/furniture-bff:dev .
+```
+
+## Local Run
+
+```bash
+docker run --rm -p 8080:8080 --name furniture-bff agilewebs/furniture-bff:dev
+```
+
+## Health Probe
+
+- Path: `/health`
+- Fallback path: `/healthz`
+- Port: `8080`
+
+## Runtime Notes
+
+- Requires `FurnitureService__GrpcAddress` to target furniture-service in distributed runs.
+- gRPC client contract protobuf is vendored at `src/Furniture.Bff.Rest/Protos/furniture_runtime.proto` to keep image builds repo-local.
+
+## Health Endpoint Consistency
+
+- Canonical probe: `/health`
+- Compatibility probe: `/healthz`
+- Container port: `8080`
+
+## Demo Integration
+
+- Participates in: **furniture** demo compose stack.
+- Integration artifact path: `greenfield/demo/furniture/docker-compose.yml`
+## Known Limitations
+
+- Current runtime adapters are still predominantly in-memory for deterministic local/demo behavior.
+- Demo PostgreSQL seeds validate integration contracts and smoke determinism, but do not yet imply full persistence implementation parity.

docs/security/auth-enforcement.md

@@ -0,0 +1,45 @@
+# Auth Enforcement
+
+## Scope
+
+This BFF enforces authenticated access on business endpoints using Thalos session validation.
+
+## Protected Endpoints
+
+- `/api/furniture/{furnitureId}/availability`
+- `(GET-only endpoint in this BFF)`
+
+## Anonymous Endpoints
+
+- `/health`
+- `/healthz`
+
+## Session Validation Contract
+
+- BFF requires at least one session cookie:
+  - `thalos_session`
+  - `thalos_refresh`
+- BFF calls Thalos session introspection endpoint:
+  - `GET /api/identity/session/me`
+- Base address configured by:
+  - `ThalosAuth:BaseAddress`
+
+## Error Semantics
+
+Standard auth error payload:
+
+```json
+{
+  "code": "unauthorized|forbidden|session_missing|session_invalid",
+  "message": "human-readable message",
+  "correlationId": "request correlation id"
+}
+```
+
+- `401`: missing or invalid session
+- `403`: permission denied by identity service
+
+## Correlation
+
+- Incoming/outgoing correlation header: `x-correlation-id`
+- Correlation ID is forwarded to Thalos session validation call.

src/Furniture.Bff.Application/Furniture.Bff.Application.csproj

@@ -6,7 +6,7 @@
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
+    <PackageReference Include="Furniture.Service.Contracts" Version="0.2.0" />
     <ProjectReference Include="..\Furniture.Bff.Contracts\Furniture.Bff.Contracts.csproj" />
-    <ProjectReference Include="..\..\..\furniture-service\src\Furniture.Service.Contracts\Furniture.Service.Contracts.csproj" />
   </ItemGroup>
 </Project>

src/Furniture.Bff.Rest/Furniture.Bff.Rest.csproj

@@ -15,11 +15,11 @@
     </PackageReference>
   </ItemGroup>
   <ItemGroup>
-    <Protobuf Include="..\..\..\furniture-service\src\Furniture.Service.Grpc\Protos\furniture_runtime.proto" GrpcServices="Client" Link="Protos\furniture_runtime.proto" />
+    <Protobuf Include="Protos\furniture_runtime.proto" GrpcServices="Client" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\Furniture.Bff.Application\Furniture.Bff.Application.csproj" />
     <ProjectReference Include="..\Furniture.Bff.Contracts\Furniture.Bff.Contracts.csproj" />
-    <ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
+    <PackageReference Include="Core.Blueprint.Common" Version="0.2.0" />
   </ItemGroup>
 </Project>

src/Furniture.Bff.Rest/Program.cs

@@ -1,3 +1,4 @@
+using System.Net;
 using Core.Blueprint.Common.DependencyInjection;
 using Furniture.Bff.Application.Adapters;
 using Furniture.Bff.Application.DependencyInjection;
@@ -9,14 +10,39 @@ using Furniture.Service.Grpc;
 using Microsoft.Extensions.Primitives;
 
 const string CorrelationHeaderName = "x-correlation-id";
+const string SessionAccessCookieName = "thalos_session";
+const string SessionRefreshCookieName = "thalos_refresh";
+const string CorsPolicyName = "FurnitureBffCors";
 
 var builder = WebApplication.CreateBuilder(args);
+var edgeProtocol = builder.Configuration["FurnitureBff:EdgeProtocol"] ?? "rest";
+if (!string.Equals(edgeProtocol, "rest", StringComparison.OrdinalIgnoreCase))
+{
+    throw new InvalidOperationException(
+        $"Furniture BFF supports one active edge protocol per deployment. Configured: '{edgeProtocol}'. Expected: 'rest'.");
+}
 
 builder.Services.AddHttpContextAccessor();
 builder.Services.AddHealthChecks();
 builder.Services.AddBlueprintRuntimeCore();
 builder.Services.AddFurnitureBffApplicationRuntime();
 builder.Services.AddScoped<IFurnitureServiceClient, FurnitureServiceGrpcClientAdapter>();
+builder.Services.AddHttpClient("ThalosAuth");
+var allowedOrigins = builder.Configuration.GetSection("FurnitureBff:AllowedOrigins").Get<string[]>() ??
+    ["http://localhost:22380", "http://127.0.0.1:22380"];
+builder.Services.AddCors(options =>
+{
+    options.AddPolicy(CorsPolicyName, policy =>
+    {
+        if (Array.Exists(allowedOrigins, origin => origin == "*"))
+        {
+            policy.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
+            return;
+        }
+
+        policy.WithOrigins(allowedOrigins).AllowAnyMethod().AllowAnyHeader();
+    });
+});
 builder.Services.AddGrpcClient<FurnitureRuntime.FurnitureRuntimeClient>(options =>
 {
     var serviceAddress = builder.Configuration["FurnitureService:GrpcAddress"] ?? "http://localhost:5252";
@@ -24,6 +50,7 @@ builder.Services.AddGrpcClient<FurnitureRuntime.FurnitureRuntimeClient>(options
 });
 
 var app = builder.Build();
+app.UseCors(CorsPolicyName);
 
 app.Use(async (context, next) =>
 {
@@ -37,8 +64,17 @@ app.Use(async (context, next) =>
 app.MapGet($"{EndpointConventions.ApiPrefix}/{{furnitureId}}/availability", async (
     string furnitureId,
     HttpContext context,
-    IGetFurnitureAvailabilityHandler handler) =>
+    IHttpClientFactory httpClientFactory,
+    IConfiguration configuration,
+    IGetFurnitureAvailabilityHandler handler,
+    CancellationToken ct) =>
 {
+    var authError = await EnforceSessionAsync(context, httpClientFactory, configuration, ct);
+    if (authError is not null)
+    {
+        return authError;
+    }
+
     var request = new GetFurnitureAvailabilityApiRequest(
         furnitureId,
         ResolveCorrelationId(context));
@@ -48,6 +84,7 @@ app.MapGet($"{EndpointConventions.ApiPrefix}/{{furnitureId}}/availability", asyn
 });
 
 app.MapHealthChecks("/healthz");
+app.MapHealthChecks("/health");
 
 app.Run();
 
@@ -68,3 +105,75 @@ string ResolveCorrelationId(HttpContext context)
 
     return context.TraceIdentifier;
 }
+
+async Task<IResult?> EnforceSessionAsync(
+    HttpContext context,
+    IHttpClientFactory httpClientFactory,
+    IConfiguration configuration,
+    CancellationToken ct)
+{
+    var correlationId = ResolveCorrelationId(context);
+
+    if (!context.Request.Cookies.ContainsKey(SessionAccessCookieName) &&
+        !context.Request.Cookies.ContainsKey(SessionRefreshCookieName))
+    {
+        return ErrorResponse(StatusCodes.Status401Unauthorized, "session_missing", "No active session.", correlationId);
+    }
+
+    var thalosBaseAddress = configuration["ThalosAuth:BaseAddress"] ?? "http://thalos-bff:8080";
+    using var request = new HttpRequestMessage(
+        HttpMethod.Get,
+        $"{thalosBaseAddress.TrimEnd('/')}/api/identity/session/me");
+
+    request.Headers.TryAddWithoutValidation(CorrelationHeaderName, correlationId);
+    var cookieHeader = BuildForwardCookieHeader(context);
+    if (!string.IsNullOrWhiteSpace(cookieHeader))
+    {
+        request.Headers.TryAddWithoutValidation("Cookie", cookieHeader);
+    }
+
+    using var response = await httpClientFactory.CreateClient("ThalosAuth").SendAsync(request, ct);
+
+    if (response.StatusCode == HttpStatusCode.Forbidden)
+    {
+        return ErrorResponse(StatusCodes.Status403Forbidden, "forbidden", "Permission denied.", correlationId);
+    }
+
+    if (response.StatusCode == HttpStatusCode.Unauthorized)
+    {
+        return ErrorResponse(StatusCodes.Status401Unauthorized, "unauthorized", "Unauthorized request.", correlationId);
+    }
+
+    if (!response.IsSuccessStatusCode)
+    {
+        return ErrorResponse(StatusCodes.Status401Unauthorized, "session_invalid", "Session validation failed.", correlationId);
+    }
+
+    return null;
+}
+
+static string BuildForwardCookieHeader(HttpContext context)
+{
+    var cookies = new List<string>();
+
+    if (context.Request.Cookies.TryGetValue(SessionAccessCookieName, out var accessCookie) &&
+        !string.IsNullOrWhiteSpace(accessCookie))
+    {
+        cookies.Add($"{SessionAccessCookieName}={accessCookie}");
+    }
+
+    if (context.Request.Cookies.TryGetValue(SessionRefreshCookieName, out var refreshCookie) &&
+        !string.IsNullOrWhiteSpace(refreshCookie))
+    {
+        cookies.Add($"{SessionRefreshCookieName}={refreshCookie}");
+    }
+
+    return string.Join("; ", cookies);
+}
+
+static IResult ErrorResponse(int statusCode, string code, string message, string correlationId)
+{
+    return Results.Json(new AuthErrorResponse(code, message, correlationId), statusCode: statusCode);
+}
+
+sealed record AuthErrorResponse(string Code, string Message, string CorrelationId);

src/Furniture.Bff.Rest/Protos/furniture_runtime.proto

@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+option csharp_namespace = "Furniture.Service.Grpc";
+
+package furniture.service.grpc;
+
+service FurnitureRuntime {
+  rpc GetFurnitureAvailability (GetFurnitureAvailabilityGrpcRequest) returns (GetFurnitureAvailabilityGrpcResponse);
+}
+
+message GetFurnitureAvailabilityGrpcRequest {
+  string furniture_id = 1;
+  string correlation_id = 2;
+}
+
+message GetFurnitureAvailabilityGrpcResponse {
+  string furniture_id = 1;
+  string display_name = 2;
+  int32 quantity_available = 3;
+}