Compare commits


No commits in common. "350d543a67ef87819b701dad3f7775b47fd742ae" and "0d86a012b400a2990d5eaaf8355efe6960eca315" have entirely different histories.

11 changed files with 50 additions and 286 deletions


@ -1,9 +0,0 @@
**/bin/
**/obj/
.vs/
TestResults/
.git/
.repo-tasks/
.repo-context/
.tasks/
.agile/

63
.gitignore vendored

@ -1,24 +1,53 @@
# Repository orchestration folders (local only) # AgileWebs local orchestration
.repo-tasks/
.repo-context/
.tasks/ .tasks/
.agile/ .agile/
# .NET build outputs # Build artifacts
**/bin/ **/[Bb]in/
**/obj/ **/[Oo]bj/
/**/out/
/**/artifacts/
# IDE and editor files
.vs/ .vs/
TestResults/
**/TestResults/
*.user
*.suo
*.rsuser
# IDE
.idea/ .idea/
.vscode/
*.suo
*.user
*.userosscache
*.sln.docstates
*.rsuser
*.swp
*.swo
# Runtime-local artifacts # NuGet
logs/ *.nupkg
*.snupkg
**/packages/*
!**/packages/build/
# Test output
**/TestResults/
*.trx
*.coverage
*.coveragexml
# Logs
*.log *.log
.env.local logs/
.env.*.local
# Local environment files
.env
.env.*
!.env.example
# Docker
.docker/
**/.docker/
*.pid
docker-compose.override.yml
docker-compose.*.override.yml
# OS files
.DS_Store
Thumbs.db
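Review bot: `.repo-tasks/` and `.repo-context/` are each printed only once near the top of this section, which suggests the new ignore list no longer covers them while `.tasks/` and `.agile/` stay ignored; the page does not mark sides, so confirm this against the file. If those folders still hold local orchestration state, keep `.repo-tasks/` and `.repo-context/` under the `# AgileWebs local orchestration` heading so they cannot be committed by accident.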


@ -1,22 +0,0 @@
# syntax=docker/dockerfile:1.7
ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0
ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0
FROM ${SDK_IMAGE} AS build
ARG NUGET_FEED_URL=https://gitea.dream-views.com/api/packages/AgileWebs/nuget/index.json
ARG NUGET_FEED_USERNAME=
ARG NUGET_FEED_TOKEN=
WORKDIR /src
COPY . .
RUN if [ -n "$NUGET_FEED_USERNAME" ] && [ -n "$NUGET_FEED_TOKEN" ]; then dotnet nuget add source "$NUGET_FEED_URL" --name gitea-org --username "$NUGET_FEED_USERNAME" --password "$NUGET_FEED_TOKEN" --store-password-in-clear-text --allow-insecure-connections --configfile /root/.nuget/NuGet/NuGet.Config; fi
RUN dotnet restore "src/Furniture.Bff.Rest/Furniture.Bff.Rest.csproj" --configfile /root/.nuget/NuGet/NuGet.Config
RUN dotnet publish "src/Furniture.Bff.Rest/Furniture.Bff.Rest.csproj" -c Release -o /app/publish /p:UseAppHost=false --no-restore
FROM ${RUNTIME_IMAGE} AS runtime
WORKDIR /app
ENV ASPNETCORE_URLS=http://+:8080 ASPNETCORE_ENVIRONMENT=Production
EXPOSE 8080
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "Furniture.Bff.Rest.dll"]


@ -7,7 +7,6 @@ Preserve BFF as an edge adapter layer that depends on service contracts only.
- REST edge exposure - REST edge exposure
- Service client adaptation - Service client adaptation
- Correlation/tracing propagation - Correlation/tracing propagation
- Single active edge protocol policy enforcement (`rest`)
## Prohibited ## Prohibited
- Direct DAL access - Direct DAL access


@ -1,18 +0,0 @@
# Feature Epics
## Repository
furniture-bff
## Core Epics
- Epic 1: Expand domain-aligned capabilities for restaurant operations.
- Epic 2: Stabilize service contracts for containerized runtime integration.
- Epic 3: Improve observability and operational readiness for demo compose environments.
## Domain-Specific Candidate Features
- Order lifecycle consistency and state transitions.
- Kitchen queue and dispatch optimization hooks.
- Operations control-plane policies (flags, service windows, overrides).
- POS closeout and settlement summary alignment.
## Documentation Contract
Any code change in this repository must include docs updates in the same branch.


@ -1,41 +0,0 @@
# Containerization Runbook
## Image Build
If the repo consumes internal packages from Gitea, pass feed credentials as build args.
```bash
docker build --build-arg NUGET_FEED_USERNAME=<gitea-login> --build-arg NUGET_FEED_TOKEN=<gitea-token> -t agilewebs/furniture-bff:dev .
```
## Local Run
```bash
docker run --rm -p 8080:8080 --name furniture-bff agilewebs/furniture-bff:dev
```
## Health Probe
- Path: `/health`
- Fallback path: `/healthz`
- Port: `8080`
## Runtime Notes
- Requires `FurnitureService__GrpcAddress` to target furniture-service in distributed runs.
- gRPC client contract protobuf is vendored at `src/Furniture.Bff.Rest/Protos/furniture_runtime.proto` to keep image builds repo-local.
## Health Endpoint Consistency
- Canonical probe: `/health`
- Compatibility probe: `/healthz`
- Container port: `8080`
## Demo Integration
- Participates in: **furniture** demo compose stack.
- Integration artifact path: `greenfield/demo/furniture/docker-compose.yml`
## Known Limitations
- Current runtime adapters are still predominantly in-memory for deterministic local/demo behavior.
- Demo PostgreSQL seeds validate integration contracts and smoke determinism, but do not yet imply full persistence implementation parity.


@ -1,45 +0,0 @@
# Auth Enforcement
## Scope
This BFF enforces authenticated access on business endpoints using Thalos session validation.
## Protected Endpoints
- `/api/furniture/{furnitureId}/availability`
- `(GET-only endpoint in this BFF)`
## Anonymous Endpoints
- `/health`
- `/healthz`
## Session Validation Contract
- BFF requires at least one session cookie:
- `thalos_session`
- `thalos_refresh`
- BFF calls Thalos session introspection endpoint:
- `GET /api/identity/session/me`
- Base address configured by:
- `ThalosAuth:BaseAddress`
## Error Semantics
Standard auth error payload:
```json
{
"code": "unauthorized|forbidden|session_missing|session_invalid",
"message": "human-readable message",
"correlationId": "request correlation id"
}
```
- `401`: missing or invalid session
- `403`: permission denied by identity service
## Correlation
- Incoming/outgoing correlation header: `x-correlation-id`
- Correlation ID is forwarded to Thalos session validation call.


@ -6,7 +6,7 @@
</PropertyGroup> </PropertyGroup>
<ItemGroup> <ItemGroup>
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" /> <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
<PackageReference Include="Furniture.Service.Contracts" Version="0.2.0" />
<ProjectReference Include="..\Furniture.Bff.Contracts\Furniture.Bff.Contracts.csproj" /> <ProjectReference Include="..\Furniture.Bff.Contracts\Furniture.Bff.Contracts.csproj" />
<ProjectReference Include="..\..\..\furniture-service\src\Furniture.Service.Contracts\Furniture.Service.Contracts.csproj" />
</ItemGroup> </ItemGroup>
</Project> </Project>
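Review bot: The `ProjectReference` to `..\..\..\furniture-service\src\Furniture.Service.Contracts\Furniture.Service.Contracts.csproj` reaches outside this repository, so the build appears to depend on whatever is checked out in a sibling directory instead of the pinned `Furniture.Service.Contracts` 0.2.0 package printed beside it. The page does not mark which side each line is on, so this reading is inferred from the other sections. The same applies in the next project file, where the `furniture_runtime.proto` include and the `Core.Blueprint.Common` reference both point at sibling checkouts (`..\..\..\furniture-service`, `..\..\..\blueprint-platform`). If the cross-repo layout is intended, document the required checkout layout and revisions next to these references; otherwise keep the versioned form, `<PackageReference Include="Furniture.Service.Contracts" Version="0.2.0" />`.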


@ -15,11 +15,11 @@
</PackageReference> </PackageReference>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<Protobuf Include="Protos\furniture_runtime.proto" GrpcServices="Client" /> <Protobuf Include="..\..\..\furniture-service\src\Furniture.Service.Grpc\Protos\furniture_runtime.proto" GrpcServices="Client" Link="Protos\furniture_runtime.proto" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ProjectReference Include="..\Furniture.Bff.Application\Furniture.Bff.Application.csproj" /> <ProjectReference Include="..\Furniture.Bff.Application\Furniture.Bff.Application.csproj" />
<ProjectReference Include="..\Furniture.Bff.Contracts\Furniture.Bff.Contracts.csproj" /> <ProjectReference Include="..\Furniture.Bff.Contracts\Furniture.Bff.Contracts.csproj" />
<PackageReference Include="Core.Blueprint.Common" Version="0.2.0" /> <ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
</ItemGroup> </ItemGroup>
</Project> </Project>


@ -1,4 +1,3 @@
using System.Net;
using Core.Blueprint.Common.DependencyInjection; using Core.Blueprint.Common.DependencyInjection;
using Furniture.Bff.Application.Adapters; using Furniture.Bff.Application.Adapters;
using Furniture.Bff.Application.DependencyInjection; using Furniture.Bff.Application.DependencyInjection;
@ -10,39 +9,14 @@ using Furniture.Service.Grpc;
using Microsoft.Extensions.Primitives; using Microsoft.Extensions.Primitives;
const string CorrelationHeaderName = "x-correlation-id"; const string CorrelationHeaderName = "x-correlation-id";
const string SessionAccessCookieName = "thalos_session";
const string SessionRefreshCookieName = "thalos_refresh";
const string CorsPolicyName = "FurnitureBffCors";
var builder = WebApplication.CreateBuilder(args); var builder = WebApplication.CreateBuilder(args);
var edgeProtocol = builder.Configuration["FurnitureBff:EdgeProtocol"] ?? "rest";
if (!string.Equals(edgeProtocol, "rest", StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException(
$"Furniture BFF supports one active edge protocol per deployment. Configured: '{edgeProtocol}'. Expected: 'rest'.");
}
builder.Services.AddHttpContextAccessor(); builder.Services.AddHttpContextAccessor();
builder.Services.AddHealthChecks(); builder.Services.AddHealthChecks();
builder.Services.AddBlueprintRuntimeCore(); builder.Services.AddBlueprintRuntimeCore();
builder.Services.AddFurnitureBffApplicationRuntime(); builder.Services.AddFurnitureBffApplicationRuntime();
builder.Services.AddScoped<IFurnitureServiceClient, FurnitureServiceGrpcClientAdapter>(); builder.Services.AddScoped<IFurnitureServiceClient, FurnitureServiceGrpcClientAdapter>();
builder.Services.AddHttpClient("ThalosAuth");
var allowedOrigins = builder.Configuration.GetSection("FurnitureBff:AllowedOrigins").Get<string[]>() ??
["http://localhost:22380", "http://127.0.0.1:22380"];
builder.Services.AddCors(options =>
{
options.AddPolicy(CorsPolicyName, policy =>
{
if (Array.Exists(allowedOrigins, origin => origin == "*"))
{
policy.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
return;
}
policy.WithOrigins(allowedOrigins).AllowAnyMethod().AllowAnyHeader();
});
});
builder.Services.AddGrpcClient<FurnitureRuntime.FurnitureRuntimeClient>(options => builder.Services.AddGrpcClient<FurnitureRuntime.FurnitureRuntimeClient>(options =>
{ {
var serviceAddress = builder.Configuration["FurnitureService:GrpcAddress"] ?? "http://localhost:5252"; var serviceAddress = builder.Configuration["FurnitureService:GrpcAddress"] ?? "http://localhost:5252";
@ -50,7 +24,6 @@ builder.Services.AddGrpcClient<FurnitureRuntime.FurnitureRuntimeClient>(options
}); });
var app = builder.Build(); var app = builder.Build();
app.UseCors(CorsPolicyName);
app.Use(async (context, next) => app.Use(async (context, next) =>
{ {
@ -64,17 +37,8 @@ app.Use(async (context, next) =>
app.MapGet($"{EndpointConventions.ApiPrefix}/{{furnitureId}}/availability", async ( app.MapGet($"{EndpointConventions.ApiPrefix}/{{furnitureId}}/availability", async (
string furnitureId, string furnitureId,
HttpContext context, HttpContext context,
IHttpClientFactory httpClientFactory, IGetFurnitureAvailabilityHandler handler) =>
IConfiguration configuration,
IGetFurnitureAvailabilityHandler handler,
CancellationToken ct) =>
{ {
var authError = await EnforceSessionAsync(context, httpClientFactory, configuration, ct);
if (authError is not null)
{
return authError;
}
var request = new GetFurnitureAvailabilityApiRequest( var request = new GetFurnitureAvailabilityApiRequest(
furnitureId, furnitureId,
ResolveCorrelationId(context)); ResolveCorrelationId(context));
@ -84,7 +48,6 @@ app.MapGet($"{EndpointConventions.ApiPrefix}/{{furnitureId}}/availability", asyn
}); });
app.MapHealthChecks("/healthz"); app.MapHealthChecks("/healthz");
app.MapHealthChecks("/health");
app.Run(); app.Run();
@ -105,75 +68,3 @@ string ResolveCorrelationId(HttpContext context)
return context.TraceIdentifier; return context.TraceIdentifier;
} }
async Task<IResult?> EnforceSessionAsync(
HttpContext context,
IHttpClientFactory httpClientFactory,
IConfiguration configuration,
CancellationToken ct)
{
var correlationId = ResolveCorrelationId(context);
if (!context.Request.Cookies.ContainsKey(SessionAccessCookieName) &&
!context.Request.Cookies.ContainsKey(SessionRefreshCookieName))
{
return ErrorResponse(StatusCodes.Status401Unauthorized, "session_missing", "No active session.", correlationId);
}
var thalosBaseAddress = configuration["ThalosAuth:BaseAddress"] ?? "http://thalos-bff:8080";
using var request = new HttpRequestMessage(
HttpMethod.Get,
$"{thalosBaseAddress.TrimEnd('/')}/api/identity/session/me");
request.Headers.TryAddWithoutValidation(CorrelationHeaderName, correlationId);
var cookieHeader = BuildForwardCookieHeader(context);
if (!string.IsNullOrWhiteSpace(cookieHeader))
{
request.Headers.TryAddWithoutValidation("Cookie", cookieHeader);
}
using var response = await httpClientFactory.CreateClient("ThalosAuth").SendAsync(request, ct);
if (response.StatusCode == HttpStatusCode.Forbidden)
{
return ErrorResponse(StatusCodes.Status403Forbidden, "forbidden", "Permission denied.", correlationId);
}
if (response.StatusCode == HttpStatusCode.Unauthorized)
{
return ErrorResponse(StatusCodes.Status401Unauthorized, "unauthorized", "Unauthorized request.", correlationId);
}
if (!response.IsSuccessStatusCode)
{
return ErrorResponse(StatusCodes.Status401Unauthorized, "session_invalid", "Session validation failed.", correlationId);
}
return null;
}
static string BuildForwardCookieHeader(HttpContext context)
{
var cookies = new List<string>();
if (context.Request.Cookies.TryGetValue(SessionAccessCookieName, out var accessCookie) &&
!string.IsNullOrWhiteSpace(accessCookie))
{
cookies.Add($"{SessionAccessCookieName}={accessCookie}");
}
if (context.Request.Cookies.TryGetValue(SessionRefreshCookieName, out var refreshCookie) &&
!string.IsNullOrWhiteSpace(refreshCookie))
{
cookies.Add($"{SessionRefreshCookieName}={refreshCookie}");
}
return string.Join("; ", cookies);
}
static IResult ErrorResponse(int statusCode, string code, string message, string correlationId)
{
return Results.Json(new AuthErrorResponse(code, message, correlationId), statusCode: statusCode);
}
sealed record AuthErrorResponse(string Code, string Message, string CorrelationId);
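Review bot: The `/availability` handler on the new side takes only `furnitureId`, `context` and `handler`, and the `EnforceSessionAsync` call and its helpers are printed on one side only, so the endpoint seems to be served without any session check (sides are not marked on this page; this is inferred from the `-105,75 +68,3` header, which leaves almost none of the auth code on the new side). Nothing visible replaces it: the hunks shown contain no `UseAuthentication`, `RequireAuthorization` or equivalent, and the CORS policy registration and `app.UseCors(CorsPolicyName)` are gone as well. If authentication is now enforced upstream, say so at the mapping, e.g. `// Session validation is enforced by <upstream component>; this endpoint performs no auth check itself.`; otherwise keep `var authError = await EnforceSessionAsync(context, httpClientFactory, configuration, ct);` and its early return at the top of the handler. The lambda also no longer accepts `CancellationToken ct`; the handler call itself lies outside the hunks shown, so check whether cancellation is still propagated.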


@ -1,20 +0,0 @@
syntax = "proto3";
option csharp_namespace = "Furniture.Service.Grpc";
package furniture.service.grpc;
service FurnitureRuntime {
rpc GetFurnitureAvailability (GetFurnitureAvailabilityGrpcRequest) returns (GetFurnitureAvailabilityGrpcResponse);
}
message GetFurnitureAvailabilityGrpcRequest {
string furniture_id = 1;
string correlation_id = 2;
}
message GetFurnitureAvailabilityGrpcResponse {
string furniture_id = 1;
string display_name = 2;
int32 quantity_available = 3;
}