feat(sdk): add Phase 2 packages — HTTP clients and framework middleware

Extends the multi-runtime SDK with four new packages on top of the
Phase 1 contracts/validator foundation. All consume the same canonical
schemaVersion compatibility check.

.NET
  Ums.Sdk.Client (1.0.0)
    - Typed IUmsAuthClient backed by HttpClientFactory.
    - Calls POST /api/v1/client/authenticate, deserializes the
      ClientAuthResult (token + AuthorizationGraph + bookkeeping).
    - Validates schemaVersion: missing → AUTH_204, unsupported MAJOR → AUTH_205.
    - HTTP status mapping: 400 → AUTH_001, 401 → AUTH_006, 403 → AUTH_005,
      404 → AUTH_002, 423 → AUTH_007, other → AUTH_013.
    - AddUmsSdkClient(opt => opt.BaseAddress = …) DI extension.

  Ums.Sdk.Authorization.AspNetCore (1.0.0)
    - UmsAuthGraphMiddleware decodes the Bearer JWT body claim
      (configurable, default "graph") and stores the AuthorizationGraph
      on HttpContext.Items["UmsAuthGraph"].
    - Honors RejectExpiredGraphs and RejectIncompatibleGraphs options:
      401 + structured body {code, message} on AUTH_201/AUTH_204/AUTH_205.
    - app.UseUmsAuthGraph() / .UseUmsAuthGraph(configure) extensions.
    - FrameworkReference Microsoft.AspNetCore.App keeps the package
      shared-framework-friendly.

  Ums.Sdk.Tests (expanded)
    - UmsAuthClientTests (4): happy path, AUTH_205 on MAJOR mismatch,
      401 → AUTH_006, 404 → AUTH_002.
    - UmsAuthGraphMiddlewareTests (4): real WebHost + TestServer:
      bearer decoded into HttpContext.Items, no-bearer passthrough,
      expired graph → 401 AUTH_201, MAJOR mismatch → 401 AUTH_205.
    - Total: 38/38 PASS across the .NET SDK (was 30, now 38).

TypeScript
  @ums/sdk-client (1.0.0)
    - Fetch-based UmsAuthClient with injectable fetchImpl for tests.
    - Same schema-version pre-flight as the .NET client; same HTTP
      status → AUTH_xxx mapping.
    - Configurable timeout (AbortController).

  @ums/sdk-express (1.0.0)
    - umsAuthGraph({ accessor, rejectExpired, rejectIncompatible })
      middleware. Decodes JWT body claim, runs schema-compat checks,
      then binds the graph through AsyncLocalAuthGraphAccessor (Node
      scope) or MemoryAuthGraphAccessor (single-session).
    - 401 + structured body on AUTH_201/AUTH_204/AUTH_205.

  Tests
    - sdk-client (4): happy path, AUTH_205 MAJOR, 401 → AUTH_006,
      404 → AUTH_002.
    - sdk-express (5): MemoryAccessor binding, AsyncLocalAccessor
      binding observed inside the bound scope, AUTH_205 rejection,
      AUTH_201 expiry rejection, no-bearer passthrough.
    - Total: 42/42 PASS across the TypeScript workspace (was 33).

  package.json workspaces extended to include sdk-client and sdk-express.

NestJS regression: 7/7 PASS unchanged.

UMS SDK aggregate test count: 87 (was 70).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: beyondnetPeru

src/libs/sdk/dotnet/Ums.Sdk.Authorization.AspNetCore/ApplicationBuilderExtensions.cs

@@ -0,0 +1,31 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+
+namespace Ums.Sdk.Authorization.AspNetCore;
+
+public static class ApplicationBuilderExtensions
+{
+    /// <summary>
+    /// Plugs <see cref="UmsAuthGraphMiddleware"/> into the pipeline with default options.
+    /// </summary>
+    public static IApplicationBuilder UseUmsAuthGraph(this IApplicationBuilder app) =>
+        app.UseMiddleware<UmsAuthGraphMiddleware>();
+
+    /// <summary>
+    /// Plugs <see cref="UmsAuthGraphMiddleware"/> with an inline configuration callback.
+    /// </summary>
+    public static IApplicationBuilder UseUmsAuthGraph(this IApplicationBuilder app, Action<UmsAuthGraphMiddlewareOptions> configure)
+    {
+        var monitor = app.ApplicationServices.GetService<IOptionsMonitor<UmsAuthGraphMiddlewareOptions>>();
+        if (monitor is not null) configure(monitor.CurrentValue);
+        return app.UseMiddleware<UmsAuthGraphMiddleware>();
+    }
+
+    /// <summary>Registers the middleware options for DI.</summary>
+    public static IServiceCollection AddUmsAuthGraphMiddleware(this IServiceCollection services)
+    {
+        services.AddOptions<UmsAuthGraphMiddlewareOptions>();
+        return services;
+    }
+}

src/libs/sdk/dotnet/Ums.Sdk.Authorization.AspNetCore/README.md

@@ -0,0 +1,35 @@
+# Ums.Sdk.Authorization.AspNetCore
+
+> Part of the [UMS SDK](https://github.com/beyondnetcode/ums/tree/main/docs/sdk).
+
+ASP.NET Core middleware that places the `AuthorizationGraph` on `HttpContext.Items` for the rest of the pipeline (validator, AOP aspect, controllers).
+
+## Install
+
+```bash
+dotnet add package Ums.Sdk.Authorization.AspNetCore
+```
+
+## Use
+
+```csharp
+builder.Services.AddUmsSdkAuthorization();
+builder.Services.AddHttpContextAuthGraphAccessor();
+
+var app = builder.Build();
+
+// Decodes JWT body → AuthorizationGraph → HttpContext.Items.
+app.UseUmsAuthGraph(options =>
+{
+    options.JwtBodyClaim = "graph";   // claim name carrying the serialized graph
+    options.RejectExpiredGraphs = true;
+});
+
+app.UseAuthorization();
+```
+
+The middleware reads the `Authorization: Bearer ...` header, decodes the JWT body, and stores the resulting `AuthorizationGraph` instance at `HttpContext.Items["UmsAuthGraph"]`.
+
+## License
+
+MIT — see [LICENSE](https://github.com/beyondnetcode/ums/blob/main/src/libs/sdk/LICENSE).

src/libs/sdk/dotnet/Ums.Sdk.Authorization.AspNetCore/Ums.Sdk.Authorization.AspNetCore.csproj

@@ -0,0 +1,36 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <IsPackable>true</IsPackable>
+    <PackageId>Ums.Sdk.Authorization.AspNetCore</PackageId>
+    <Version>1.0.0</Version>
+    <Description>UMS SDK — ASP.NET Core integration: UseUmsAuthGraph middleware that decodes the per-request authorization graph and stores it on HttpContext.Items for the validator/aspect to consume. See ADR-0073.</Description>
+    <Authors>BeyondNetCode</Authors>
+    <PackageProjectUrl>https://github.com/beyondnetcode/ums</PackageProjectUrl>
+    <PackageLicenseExpression>MIT</PackageLicenseExpression>
+    <PackageTags>ums;sdk;authorization;aspnetcore;middleware</PackageTags>
+    <PackageReadmeFile>README.md</PackageReadmeFile>
+    <UmsSchemaCompatibility>&gt;=1.0.0 &lt;2.0.0</UmsSchemaCompatibility>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <None Include="README.md" Pack="true" PackagePath="\" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../Ums.Sdk.Contracts/Ums.Sdk.Contracts.csproj" />
+    <ProjectReference Include="../Ums.Sdk.Authorization/Ums.Sdk.Authorization.csproj" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <InternalsVisibleTo Include="Ums.Sdk.Tests" />
+  </ItemGroup>
+
+</Project>

src/libs/sdk/dotnet/Ums.Sdk.Authorization.AspNetCore/UmsAuthGraphMiddleware.cs

@@ -0,0 +1,161 @@
+using System.Text;
+using System.Text.Json;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Ums.Sdk.Authorization;
+using Ums.Sdk.Contracts;
+
+namespace Ums.Sdk.Authorization.AspNetCore;
+
+/// <summary>
+/// Middleware that extracts the AuthorizationGraph from an incoming bearer JWT and stores it on
+/// <c>HttpContext.Items["UmsAuthGraph"]</c> so the <see cref="HttpContextAuthGraphAccessor"/>
+/// (and any downstream validator or AOP aspect) can read it.
+///
+/// The JWT is expected to be a 3-segment compact serialization. The payload section is base64url-
+/// decoded as JSON and one of its top-level claims is treated as the serialized graph: either an
+/// embedded object (when the claim is itself the graph) or a string containing the JSON to
+/// re-parse (when the server packaged the graph as a string claim).
+/// </summary>
+public sealed class UmsAuthGraphMiddleware
+{
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        PropertyNameCaseInsensitive = false
+    };
+
+    private readonly RequestDelegate _next;
+    private readonly IOptions<UmsAuthGraphMiddlewareOptions> _options;
+    private readonly ILogger<UmsAuthGraphMiddleware>? _logger;
+
+    public UmsAuthGraphMiddleware(
+        RequestDelegate next,
+        IOptions<UmsAuthGraphMiddlewareOptions> options,
+        ILogger<UmsAuthGraphMiddleware>? logger = null)
+    {
+        _next = next;
+        _options = options;
+        _logger = logger;
+    }
+
+    public async Task InvokeAsync(HttpContext context)
+    {
+        var opt = _options.Value;
+        var graph = ExtractGraph(context, opt);
+
+        if (graph is not null)
+        {
+            if (string.IsNullOrWhiteSpace(graph.SchemaVersion))
+            {
+                if (opt.RejectIncompatibleGraphs)
+                {
+                    await Reject(context, "AUTH_204", "AuthorizationGraph payload does not declare a schemaVersion.").ConfigureAwait(false);
+                    return;
+                }
+                _logger?.LogWarning("UmsAuthGraphMiddleware: incoming graph lacks schemaVersion — proceeding without binding.");
+            }
+            else if (!SchemaVersion.IsSupported(graph.SchemaVersion))
+            {
+                if (opt.RejectIncompatibleGraphs)
+                {
+                    await Reject(context, "AUTH_205",
+                        $"Server emitted schemaVersion '{graph.SchemaVersion}' which is outside SDK compatibility.").ConfigureAwait(false);
+                    return;
+                }
+                _logger?.LogWarning("UmsAuthGraphMiddleware: incompatible schemaVersion '{Version}' — proceeding without binding.", graph.SchemaVersion);
+            }
+            else if (opt.RejectExpiredGraphs && graph.ValidUntil <= DateTimeOffset.UtcNow)
+            {
+                await Reject(context, "AUTH_201", "AuthorizationGraph has expired.").ConfigureAwait(false);
+                return;
+            }
+            else
+            {
+                context.Items[HttpContextAuthGraphAccessor.ItemsKey] = graph;
+            }
+        }
+
+        await _next(context).ConfigureAwait(false);
+    }
+
+    private AuthorizationGraph? ExtractGraph(HttpContext context, UmsAuthGraphMiddlewareOptions opt)
+    {
+        string? token = ExtractBearerToken(context);
+        if (token is null) return null;
+
+        // Three-segment compact JWT.
+        var segments = token.Split('.');
+        if (segments.Length < 2) return null;
+
+        byte[] payload;
+        try
+        {
+            payload = Base64UrlDecode(segments[1]);
+        }
+        catch
+        {
+            _logger?.LogWarning("UmsAuthGraphMiddleware: JWT payload is not valid base64url.");
+            return null;
+        }
+
+        JsonElement payloadJson;
+        try
+        {
+            payloadJson = JsonSerializer.Deserialize<JsonElement>(payload, JsonOptions);
+        }
+        catch
+        {
+            _logger?.LogWarning("UmsAuthGraphMiddleware: JWT payload is not valid JSON.");
+            return null;
+        }
+
+        if (!payloadJson.TryGetProperty(opt.JwtBodyClaim, out var graphClaim))
+            return null;
+
+        try
+        {
+            return graphClaim.ValueKind switch
+            {
+                JsonValueKind.Object => graphClaim.Deserialize<AuthorizationGraph>(JsonOptions),
+                JsonValueKind.String => JsonSerializer.Deserialize<AuthorizationGraph>(graphClaim.GetString()!, JsonOptions),
+                _ => null
+            };
+        }
+        catch (JsonException ex)
+        {
+            _logger?.LogWarning(ex, "UmsAuthGraphMiddleware: failed to deserialize '{Claim}' claim.", opt.JwtBodyClaim);
+            return null;
+        }
+    }
+
+    private static string? ExtractBearerToken(HttpContext context)
+    {
+        string? header = context.Request.Headers.Authorization.ToString();
+        if (string.IsNullOrWhiteSpace(header)) return null;
+        const string prefix = "Bearer ";
+        if (!header.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return null;
+        var token = header[prefix.Length..].Trim();
+        return token.Length == 0 ? null : token;
+    }
+
+    private static byte[] Base64UrlDecode(string input)
+    {
+        var normalized = input.Replace('-', '+').Replace('_', '/');
+        switch (normalized.Length % 4)
+        {
+            case 2: normalized += "=="; break;
+            case 3: normalized += "=";  break;
+            case 1: throw new FormatException("Invalid base64url length.");
+        }
+        return Convert.FromBase64String(normalized);
+    }
+
+    private static async Task Reject(HttpContext context, string code, string message)
+    {
+        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+        context.Response.ContentType = "application/json";
+        var body = JsonSerializer.Serialize(new { code, message });
+        await context.Response.Body.WriteAsync(Encoding.UTF8.GetBytes(body)).ConfigureAwait(false);
+    }
+}

src/libs/sdk/dotnet/Ums.Sdk.Authorization.AspNetCore/UmsAuthGraphMiddlewareOptions.cs

@@ -0,0 +1,18 @@
+namespace Ums.Sdk.Authorization.AspNetCore;
+
+/// <summary>Behavior knobs for <see cref="UmsAuthGraphMiddleware"/>.</summary>
+public sealed class UmsAuthGraphMiddlewareOptions
+{
+    /// <summary>JWT body claim that carries the serialized graph. Default: <c>"graph"</c>.</summary>
+    public string JwtBodyClaim { get; set; } = "graph";
+
+    /// <summary>When true, the middleware returns 401 + AUTH_201 when the bound graph is expired.</summary>
+    public bool RejectExpiredGraphs { get; set; } = false;
+
+    /// <summary>
+    /// When true, the middleware returns 401 + AUTH_204/AUTH_205 on missing or incompatible
+    /// schemaVersion. When false (default), the graph is silently dropped and the request
+    /// proceeds without authorization context — downstream code will see <c>Current = null</c>.
+    /// </summary>
+    public bool RejectIncompatibleGraphs { get; set; } = true;
+}

src/libs/sdk/dotnet/Ums.Sdk.Client/ClientAuthRequest.cs

@@ -0,0 +1,10 @@
+using System.Text.Json.Serialization;
+
+namespace Ums.Sdk.Client;
+
+/// <summary>Body sent to <c>POST /api/v1/client/authenticate</c>.</summary>
+public sealed record ClientAuthRequest(
+    [property: JsonPropertyName("tenantCode")] string TenantCode,
+    [property: JsonPropertyName("username")] string Username,
+    [property: JsonPropertyName("password")] string Password,
+    [property: JsonPropertyName("format")] string? Format = "JSON");

src/libs/sdk/dotnet/Ums.Sdk.Client/ClientAuthResult.cs

@@ -0,0 +1,17 @@
+using System.Text.Json.Serialization;
+using Ums.Sdk.Contracts;
+
+namespace Ums.Sdk.Client;
+
+/// <summary>
+/// Successful response from <c>POST /api/v1/client/authenticate</c>. Carries the JWT used for
+/// subsequent calls, the deserialized graph, and bookkeeping fields.
+/// </summary>
+public sealed record ClientAuthResult(
+    [property: JsonPropertyName("token")] string Token,
+    [property: JsonPropertyName("tokenType")] string TokenType,
+    [property: JsonPropertyName("expiresIn")] int ExpiresInSeconds,
+    [property: JsonPropertyName("issuedAt")] DateTimeOffset IssuedAt,
+    [property: JsonPropertyName("format")] string Format,
+    [property: JsonPropertyName("graph")] AuthorizationGraph Graph,
+    [property: JsonPropertyName("requestId")] Guid RequestId);

src/libs/sdk/dotnet/Ums.Sdk.Client/IUmsAuthClient.cs

@@ -0,0 +1,9 @@
+using Ums.Sdk.Authorization;
+
+namespace Ums.Sdk.Client;
+
+/// <summary>HTTP client for the UMS authentication surface.</summary>
+public interface IUmsAuthClient
+{
+    Task<Result<ClientAuthResult>> AuthenticateAsync(ClientAuthRequest request, CancellationToken ct = default);
+}

src/libs/sdk/dotnet/Ums.Sdk.Client/README.md

@@ -0,0 +1,29 @@
+# Ums.Sdk.Client
+
+> Part of the [UMS SDK](https://github.com/beyondnetcode/ums/tree/main/docs/sdk).
+
+Typed HTTP client for `POST /api/v1/client/authenticate`. Calls UMS, deserializes the `AuthorizationGraph`, validates schema compatibility and returns a typed `Result<ClientAuthResult>`.
+
+## Install
+
+```bash
+dotnet add package Ums.Sdk.Client
+```
+
+## Use
+
+```csharp
+builder.Services.AddUmsSdkClient(opt => opt.BaseAddress = new Uri("https://ums.example.com"));
+
+public class Login(IUmsAuthClient client)
+{
+    public async Task<Result<ClientAuthResult>> AuthenticateAsync(string tenant, string user, string password)
+        => await client.AuthenticateAsync(new ClientAuthRequest(tenant, user, password));
+}
+```
+
+The response includes the JWT (`Token`), the `AuthorizationGraph` and the schema compat outcome.
+
+## License
+
+MIT — see [LICENSE](https://github.com/beyondnetcode/ums/blob/main/src/libs/sdk/LICENSE).

src/libs/sdk/dotnet/Ums.Sdk.Client/ServiceCollectionExtensions.cs

@@ -0,0 +1,20 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+
+namespace Ums.Sdk.Client;
+
+public static class ServiceCollectionExtensions
+{
+    /// <summary>
+    /// Registers a typed <see cref="IUmsAuthClient"/> backed by HttpClientFactory.
+    /// Configure the base address through <paramref name="configure"/>.
+    /// </summary>
+    public static IServiceCollection AddUmsSdkClient(this IServiceCollection services, Action<UmsSdkClientOptions> configure)
+    {
+        ArgumentNullException.ThrowIfNull(configure);
+        services.AddOptions<UmsSdkClientOptions>().Configure(configure);
+        services.AddHttpClient<IUmsAuthClient, UmsAuthClient>();
+        services.TryAddSingleton<IUmsAuthClient>(sp => sp.GetRequiredService<UmsAuthClient>());
+        return services;
+    }
+}