deps update full rewrite of dev scripts to csharp

.claude/skills/update-axsharp-version/SKILL.md

@@ -0,0 +1,167 @@
+---
+name: update-axsharp-version
+description: Update AXSharp.* and Inxton.Operon.* package versions in this repo (via scripts/update_axsharp_versions.ps1), verify the build, update the central CHANGELOG.md, and open a PR with a generated description. Use when the user asks to bump/update AXSharp versions or open a dependency-update PR. Defaults to the latest versions from the feed; accepts optional explicit versions.
+---
+
+# Update AXSharp version
+
+Drives the AXSharp / Inxton.Operon dependency bump end to end: run the existing update script →
+verify the build → record the change in the central `CHANGELOG.md` → open a PR.
+
+The actual file edits live in [`scripts/update_axsharp_versions.ps1`](../../../scripts/update_axsharp_versions.ps1).
+**Do not reimplement version rewriting** — this skill only orchestrates around that script.
+
+By default the script auto-detects the latest `AXSharp.ixc` and `Inxton.Operon` versions from the
+GitHub Packages feed. The user may pass explicit versions; thread them through as
+`-AxSharpVersion <v>` / `-OperonVersion <v>` on every script invocation below.
+
+## Procedure
+
+### 1. Preconditions
+
+- Run all commands from the **repo root**. The script resolves its own `repoRoot`, but `git`/`gh`
+  operations assume root.
+- **Token (auto-detect mode only):** the script needs a feed token with `read:packages` scope. It
+  reads, in order, `AXSHARP_FEED_TOKEN`, `GITHUB_PACKAGES_TOKEN`, `GITHUB_TOKEN`, `GH_TOKEN`,
+  `NUGET_TOKEN`. If none is set **and** no explicit versions were given, tell the user to set one
+  (or pass `-Token`) and stop. Skip this check when explicit versions are supplied.
+- **Clean tree:** run `git status`. If the working tree is dirty, surface it and stop — do not bundle
+  unrelated changes into a dependency PR.
+
+### 2. Branch
+
+Check the current branch (`git branch --show-current`). If on the default branch `dev` (or any
+protected branch), create a working branch first. Prefer a version-tagged name once the version is
+known, otherwise a generic one:
+
+```powershell
+git switch -c chore/update-axsharp-versions
+```
+
+If already on a non-default working branch, stay on it.
+
+### 3. Preview (recommended)
+
+Show the user what will change before touching files:
+
+```powershell
+pwsh -File scripts/update_axsharp_versions.ps1 -DryRun -Detailed
+```
+
+Append `-AxSharpVersion <v> -OperonVersion <v>` to override. Use `-ListAvailable` to inspect feed
+versions. The dry run must not modify files — `git status` stays clean.
+
+### 4. Apply
+
+Run for real and **capture stdout** — the `Summary of changes:` and `Target versions:` blocks feed
+the CHANGELOG entry, commit message, and PR body:
+
+```powershell
+pwsh -File scripts/update_axsharp_versions.ps1
+# or, with overrides:
+pwsh -File scripts/update_axsharp_versions.ps1 -AxSharpVersion <v> -OperonVersion <v>
+```
+
+Handle outcomes:
+- **Non-zero exit** — exit `2` = feed/auth failure, exit `3` = JSON parse failure. Report the error
+  output and stop.
+- **No changes** — if `git status` shows nothing changed, report "already up to date at
+  `<version>`" and stop. Do **not** open a PR.
+
+Record the resolved `<AxSharpVersion>` and `<OperonVersion>` from the script's `Target versions:`
+block for the steps below.
+
+### 5. Verify build
+
+Confirm the new package set resolves before opening the PR (build only, no tests):
+
+```powershell
+dotnet run --project cake/Build.csproj -- --do-apax-update
+```
+
+`--do-apax-update` pulls the apax-side packages; the .NET restore covers the central-managed NuGet
+bumps. For a heavier check, [`scripts/build_with_update.ps1`](../../../scripts/build_with_update.ps1)
+runs build + tests at level 10.
+
+If the build **fails**: report the failure with output and **do not open the PR**. Leave the changes
+on the branch for the user to inspect.
+
+### 6. Update central CHANGELOG.md
+
+Prepend a new entry at the **top** of [`CHANGELOG.md`](../../../CHANGELOG.md) (newest-on-top, above
+the current first `###` heading), matching the existing structured format. Use category tag `[DEPS]`.
+Fill bullets from the script's `Summary of changes:` block.
+
+```markdown
+### [DEPS] Update AXSharp / Inxton.Operon package versions to <AxSharpVersion>
+
+**Note:** Dependency version bump via `scripts/update_axsharp_versions.ps1`. No source change.
+Branch: `<branch-name>`.
+
+- chore: AXSharp.* packages updated to `<AxSharpVersion>` in `.config/dotnet-tools.json` and `Directory.Packages.props`.
+- chore: Inxton.Operon.* packages updated to `<OperonVersion>`.
+- chore: reconciled AXSharp transitive (third-party) dependencies in `Directory.Packages.props` (bump-up only).
+<one bullet per non-trivial line from the script's "Summary of changes:" block>
+
+**Impact:**
+- Repo now builds and tests against AXSharp `<AxSharpVersion>` / Inxton.Operon `<OperonVersion>`.
+
+**Risks/Review:**
+- Transitive pinned versions were bumped up to satisfy AXSharp's nuspec requirements; review `Directory.Packages.props` diff.
+
+**Testing:**
+- `dotnet run --project cake/Build.csproj -- --do-apax-update` — build succeeds with the new package set.
+```
+
+### 7. Commit
+
+Match the repo convention (see commit `0929211f1`):
+
+```powershell
+git add .config/dotnet-tools.json Directory.Packages.props CHANGELOG.md
+git commit -m "chore: update AXSharp package versions to <AxSharpVersion> and reconcile transitive dependencies"
+git push -u origin HEAD
+```
+
+Scope the `git add` to the touched files. (The script edits only these in a normal run.)
+
+### 8. Create PR
+
+```powershell
+gh pr create --base dev --title "chore: update AXSharp package versions to <AxSharpVersion>" --body "<body>"
+```
+
+Use the template below for `<body>`, filling placeholders and pasting the script's
+`Summary of changes:` lines as a bullet list. Report the resulting PR URL to the user.
+
+#### PR body template
+
+```markdown
+## Update AXSharp / Inxton.Operon package versions
+
+Bumps AXSharp.* and Inxton.Operon.* packages and reconciles transitive (third-party) dependencies
+that AXSharp requires, via `scripts/update_axsharp_versions.ps1`.
+
+### Target versions
+- **AXSharp.\***: `<AxSharpVersion>`
+- **Inxton.Operon.\***: `<OperonVersion>`
+
+### Changes
+- `.config/dotnet-tools.json` — tool versions bumped
+- `Directory.Packages.props` — package versions + bump-up of pinned transitive deps
+- `CHANGELOG.md` — `[DEPS]` entry prepended
+
+<paste the script's "Summary of changes:" lines here as a bullet list>
+
+### Verification
+- [x] `dotnet run --project cake/Build.csproj -- --do-apax-update` succeeded
+
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
+```
+
+## Notes
+
+- Script switches: `-DryRun`, `-Detailed`, `-ListAvailable`, `-AxSharpVersion`, `-OperonVersion`,
+  `-SkipTransitive`, `-Source`, `-Token`, `-Username`, `-NormalizeJson`.
+- Default PR base branch: `dev`.
+- Build options live in [`cake/BuildParameters.cs`](../../../cake/BuildParameters.cs).

.config/dotnet-tools.json

@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "AXSharp.ixc": {
-      "version": "0.47.0-alpha.479",
+      "version": "0.47.0-alpha.489",
       "commands": [
         "ixc"
       ],
@@ -17,14 +17,14 @@
       "rollForward": false
     },
     "AXSharp.ixd": {
-      "version": "0.47.0-alpha.479",
+      "version": "0.47.0-alpha.489",
       "commands": [
         "ixd"
       ],
       "rollForward": false
     },
     "AXSharp.ixr": {
-      "version": "0.47.0-alpha.479",
+      "version": "0.47.0-alpha.489",
       "commands": [
         "ixr"
       ],

.github/workflows/nightly.yml

@@ -91,7 +91,7 @@ jobs:
           GH_TOKEN : ${{ secrets.GH_TOKEN }}
           GH_USER : ${{ secrets.GH_USER }}
       run: |
-        dotnet run --project cake/Build.csproj --apps-run
+        dotnet run --project cake/Build.csproj --do-test --test-level 4
         "TEST_EXIT_CODE=$LASTEXITCODE" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8
       shell: pwsh
 

.gitignore

@@ -440,4 +440,5 @@ operon-variables.css
 
 *.lscache
 
+# Vulnerability scan reports (scripts/update-vulnerable-deps.ps1)
 scripts/reports/

CHANGELOG.md

@@ -1,3 +1,55 @@
+### [FIX] `axdev` password guard contradicted the secrets complexity policy
+
+**Note:** Bug fix in `src/axopen.dev`. Branch: `feat/axdev-user-secrets-loader`.
+
+- fix: `AXOpen.Dev.Validation.PasswordValidator` no longer rejects `$ & ( ) *`. These are endorsed by the set-time complexity policy (`configure-secrets.sh` requires a special char from `!@#$%^&*()_+-=`), so a password that satisfied the complexity rule was then rejected at use time by `axdev alf` / `axdev all` with "The PASSWORD contains problematic characters." The blocklist now keeps only genuinely-dangerous shell metacharacters (`` ` \ " ' | ; < > ? [ ] { } `` and whitespace) — safe because arguments reach apax/openssl via CliWrap (no shell). Error message and `PasswordValidatorTests` updated.
+
+**Impact:** `apax alf` / `apax all` accept the same passwords the secrets-setup flow accepts; no more spurious rejection of compliant passwords.
+
+**Testing:** `dotnet test src/axopen.dev/AXOpen.Dev.Tests` — 180 passed.
+
+### [BUILD] `axdev` loads dotnet user-secrets at startup
+
+**Note:** Developer-CLI enhancement in `src/axopen.dev`. No PLC source change, no public-API removal. Branch: `feat/axdev-user-secrets-loader`.
+
+- feat: `AXOpen.Dev.Secrets.UserSecretsLoader` reads dotnet user-secrets into the process environment so PLC verbs resolve `AX_TARGET_PWD` / `AX_USERNAME` without a prior `source load-secrets.sh`. It locates the twin project's `<UserSecretsId>` (probes `../axpansion/twin` then `.`, overridable via the `AX_SECRETS_PROJECT` environment variable), reads its `secrets.json` from the OS user-secrets root, and flattens nested keys with the standard `key:subkey` convention.
+- feat: New shared entry point `AxdevApp.Run(args)` calls `UserSecretsLoader.Load()` then builds and runs the command app. Both the packed `dotnet axdev` tool (`AXOpen.Dev.Tool/Program.cs`) and the in-repo dispatcher (`src/scripts/dev.cs`) now call `AxdevApp.Run` instead of `AxdevApp.Build().Run`.
+- test: `AXOpen.Dev.Tests/Secrets/UserSecretsLoaderTests.cs` covers apply-from-store, existing-env-wins precedence, missing project / missing store / malformed JSON / no-`UserSecretsId` no-ops, the `AX_SECRETS_PROJECT` override, and nested-key flattening.
+
+**Impact:**
+- The template's credential UX (per-project `dotnet user-secrets`) is preserved while removing the bash `source load-secrets.sh` step, so apax verbs can call `axdev` directly on any platform.
+- Precedence is non-surprising: an already-set environment variable (or apax variable) always wins over the secrets store; an explicit `-p/--password` still overrides everything in `PlcCommandSettings.ResolvePassword`.
+
+**Risks/Review:**
+- Secret loading is best-effort: a missing twin project, missing store, or unreadable JSON is a silent no-op, and the per-command argument guards still report any genuinely missing credential.
+
+**Testing:**
+- `dotnet test src/axopen.dev/AXOpen.Dev.Tests` — full suite green (176 passed), including the 8 new `UserSecretsLoaderTests`.
+
+### [BUILD] Dependency-maintenance tooling + AXSharp `0.47.0-alpha.484` bump
+
+**Note:** Build/CI tooling and dependency maintenance. No public-API change, no PLC source change. Branch: `deps-update`.
+
+- feat: `scripts/update-latest-deps.ps1` — bumps all non-AXSharp dependencies (NuGet + npm) to their latest stable versions, sharing common helpers via `scripts/_deps-common.ps1`.
+- feat: `scripts/update-vulnerable-deps.ps1` — scans npm and NuGet dependencies for known vulnerabilities and emits a report.
+- chore: AXSharp packages bumped to `0.47.0-alpha.484` in `Directory.Packages.props`, with transitive dependencies reconciled. `.config/dotnet-tools.json` updated to match.
+- chore: Added `.claude/skills/update-axsharp-version/SKILL.md` — skill for updating AXSharp and Inxton.Operon package versions.
+- chore: Removed obsolete `package.json` / `package-lock.json` files across `src/components.abb.robotics`, `src/components.abstractions`, `src/data`, `src/data/src/AXOpen.Data.Blazor`, `src/inspectors`, and a stray `apax.yml`, to clean up the project structure.
+- chore: `develop` branch GitVersion mode changed to `ContinuousDeployment`.
+- chore: Styling dependencies refreshed (`src/styling/src/package.json` / lock; `momentum.css` regenerated).
+
+**Impact:**
+- Routine dependency bumps and vulnerability scanning are now scriptable and reproducible.
+- AXSharp consumers build against `0.47.0-alpha.484`.
+- Dead npm lockfiles no longer pollute the tree or trigger spurious tooling.
+
+**Risks/Review:**
+- Dependency version bumps can introduce behavioural drift; verify a full `dotnet build` and the styling render after pulling.
+
+**Testing:**
+- Run `scripts/update-latest-deps.ps1` and `scripts/update-vulnerable-deps.ps1` end-to-end (exit code 0).
+- `dotnet build` from solution root succeeds against the bumped package set.
+
 ### [CORE] AxoSequencer step-timeout alarm — does not fall after timeout clears
 
 **Note:** PLC bug fix in `src/core/ctrl/src/AxoCoordination/AxoSequencer/AxoSequencer.st` (`AxoStepTimedOutMessenger.Activate`). No public-API change. Branch: `fix-issue-when-timeout-sequencer-alarm-doesnot-fall`.