Remove legacy run-local helper; rebaseline docs and references; add DAB remediation CSV

Author: srnichols

SAMPLE_GALLERIES.md

@@ -6,7 +6,7 @@ A visual index of sample app galleries and the management portal. Click a thumbn
 
 | Management Portal | TaskTracker |
 |---|---|
-| [![Management Portal](management-portal/docs/thumbnails/ManagmentPortal-Dashboard-Screenshot-thumb.png)](management-portal/docs/SCREENSHOTS.md)<br>**Management Portal**<br>Overview dashboard, tenant and cell management screenshots. | [![TaskTracker](samples/tasktracker/docs/thumbnails/TaskTrack-HomePage-screenshot.png)](samples/tasktracker/docs/SCREENSHOTS.md)<br>**TaskTracker**<br>Home, New Task and Edit Task screenshots. |
+| [![Management Portal](management-portal/docs/thumbnails/ManagmentPortal-Dashboard-Screenshot-thumb.png)](management-portal/docs/SCREENSHOTS.md)<br>**Management Portal**<br>Overview dashboard, tenant and cell management screenshots. | [![TaskTracker](samples/TaskTracker/docs/thumbnails/TaskTrack-HomePage-screenshot-thumb.png)](samples/TaskTracker/docs/SCREENSHOTS.md)<br>**TaskTracker**<br>Home, New Task and Edit Task screenshots. |
 
 ---
 

docs/CAPABILITIES_MATRIX.md

@@ -5,8 +5,8 @@ This matrix summarizes implemented, in-progress, and planned features across the
 | Capability | Status | Notes |
 |-----------:|:------:|:-----|
 | Core infra (Bicep) | Implemented | Global/hub/regional layers and sample deployments. |
-| Management Portal | Implemented | Blazor UI with DAB GraphQL; currently migrating from mock data to DAB-backed live data. |
-| DAB (Data API Builder) | Deployed | Custom image and schema present; monitor container app health and ensure IaC aligns targetPort and image config. |
+| Management Portal | Implemented | Blazor UI with GraphQL backend (Hot Chocolate); older DAB references may remain in the repo. |
+| Data API Builder (DAB) | Legacy | Custom image and schema may remain as a legacy artifact; prefer Hot Chocolate for new deployments. |
 | Seeder (Cosmos) | Implemented | Seeder with AAD auth; required RBAC adjustments to seed data. |
 | CI (image build & push) | Implemented (basic) | GitHub Actions with image build; recommend OIDC federation for minimal secrets. |
 | Key Vault integration | Implemented | Secrets used; recommend migration from container-app secrets to KV references for production. |

docs/DEPLOYMENT_GUIDE.md

@@ -46,7 +46,9 @@ The template includes subscription-scope toggles to reduce Microsoft Defender fo
 These set Microsoft.Security/pricings resources to Free or Standard as appropriate. CSPM (Arm) remains Free to preserve secure score and policy evaluations.
 
 
-If you want the fastest, repeatable route to a working Management Portal backed by live Cosmos data, follow these steps. This path deploys the smoke sample, seeds representative baseline data using the Seeder (AAD RBAC), and verifies Portal ↔ DAB ↔ Cosmos connectivity.
+If you want the fastest, repeatable route to a working Management Portal backed by live Cosmos data, follow these steps. This path deploys the smoke sample, seeds representative baseline data using the Seeder (AAD RBAC), and verifies Portal ↔ GraphQL backend ↔ Cosmos connectivity. The GraphQL backend is implemented using Hot Chocolate.
+
+Note: Hot Chocolate is the actively supported GraphQL backend used throughout this repository. User-facing documentation has been rebaselined to focus on Hot Chocolate so new developers see the current, supported stack.
 
 1. Create a resource group and deploy the smoke sample (lab-friendly parameters):
 
@@ -75,7 +77,7 @@ dotnet run
 
 4. Verify the deployment and seeded data.
 
-- Retrieve deployment outputs to get the Portal and DAB endpoints:
+- Retrieve deployment outputs to get the Portal and GraphQL backend endpoints (note: some deployment outputs retain legacy names like `dab-graphql-url`):
 
 ```powershell
 pwsh -Command "az deployment group show --resource-group rg-stamps-smoke --name $(az deployment group list --resource-group rg-stamps-smoke --query '[0].name' -o tsv) --query properties.outputs"
@@ -84,7 +86,7 @@ pwsh -Command "az deployment group show --resource-group rg-stamps-smoke --name
 - Open the Management Portal URL in a browser and confirm seeded tenants/cells are visible. Optionally test the GraphQL endpoint:
 
 ```powershell
-pwsh -Command "curl -s -X POST 'https://<DAB_GRAPHQL_URL>/graphql' -H 'Content-Type: application/json' -d '{\"query\":\"{ tenants { id name } }\"}'"
+pwsh -Command "curl -s -X POST 'https://<GRAPHQL_URL>/graphql' -H 'Content-Type: application/json' -d '{\"query\":\"{ tenants { id name } }\"}'"
 ```
 
 Notes:
@@ -153,7 +155,8 @@ Steps:
 1) Start local data stack (Cosmos Emulator, Portal, GraphQL API) [optional]
 
   - PowerShell (Windows):
-    - pwsh -File ./scripts/run-local.ps1
+    - Note: `scripts/run-local.ps1` has been removed. To run locally, start the portal directly:
+      `dotnet run --project ./management-portal/src/Portal/Portal.csproj`
   - Default ports: Cosmos Emulator 8085, Portal 8081, GraphQL API 8082
 
 2) Ensure local.settings.json
@@ -181,7 +184,7 @@ Steps:
 Tips:
 
 - Port busy? Run: func start --port 7072
-- Cosmos TLS trust: the run-local.ps1 script imports the emulator certificate into CurrentUser/Root; if calls fail, open <https://localhost:8085/_explorer/emulator.pem> once in a browser to trust the cert.
+-- Cosmos TLS trust: the legacy `run-local.ps1` previously imported the emulator certificate into CurrentUser/Root. If SSL calls fail, open <https://localhost:8085/_explorer/emulator.pem> in a browser and import/accept the cert manually, or run the sample import steps in `docs/DEVELOPER_QUICKSTART.md`.
 - Functions task in VS Code: use the default “build (functions)” task, then start with func start from the AzureArchitecture folder.
 
 ## 📖 Key Concepts Before You Start
@@ -1186,8 +1189,8 @@ Use this quick checklist before promoting a test deployment to production. Cross
 - Authentication and authorization
   - Enable built‑in auth for Azure Container Apps and Functions; require login for all endpoints.
   - Map Entra ID groups to application roles (e.g., platform.admin). Disable anonymous access and lock down CORS.
-  - Propagate platform roles to DAB; ensure non‑admins have read‑only or least‑privilege permissions.
-- API/DAB hardening
+  - Propagate platform roles to the GraphQL backend (or to legacy DAB deployments); ensure non‑admins have read‑only or least‑privilege permissions.
+  - API hardening for the GraphQL backend
   - Disable public schema mutation where not needed; restrict filters/projections; rate‑limit externally exposed routes via APIM/App Gateway.
   - Turn off development features in production (verbose errors, GraphQL introspection if policy requires).
 - Data and Cosmos DB settings

docs/DEVELOPER_QUICKSTART.md

@@ -23,13 +23,18 @@ cd StampsPattern
 
 ## 2) Start local data stack (scripted)
 
-Recommended: use the helper to start Cosmos Emulator, DAB, and the portal.
+Recommended: use the helper to start Cosmos Emulator and the portal. The portal hosts a Hot Chocolate GraphQL endpoint by default; starting Data API Builder (DAB) is optional and only needed for legacy compatibility testing.
+
+Note: Hot Chocolate is the active GraphQL backend. References and legacy names (for example `DAB_GRAPHQL_URL` or `ca-stamps-dab`) are being rebaselined across the documentation; before renaming or removing production secrets or resource identifiers, follow a staged verification and migration procedure to avoid service disruptions.
 
 ```powershell
-pwsh -File ./scripts/run-local.ps1
+Note: `scripts/run-local.ps1` has been removed. Start the portal locally with:
+`dotnet run --project ./management-portal/src/Portal/Portal.csproj`
+Seed sample data with:
+`dotnet run --project ./management-portal/Seeder/Seeder.csproj`
 ```
 
-Default ports: Cosmos 8085, DAB 8082, Portal 8081. The script also helps trust the emulator cert.
+Default ports: Cosmos 8085, Portal 8081. (Legacy DAB port: 8082) The script also helps trust the emulator cert.
 
 Manual alternative (optional):
 
@@ -64,7 +69,7 @@ At minimum set Cosmos and identity settings:
     // "B2C_POLICY": "your-policy"
   }
 }
-```jsonc
+```
 
 Tip: The emulator account key shown above is the standard sample key; adjust if your emulator differs.
 
@@ -79,11 +84,10 @@ If `func` isn’t found, ensure your npm global bin is on PATH.
 
 ## 5) Build and run the Functions app
 
-```powershell
 ```powershell
 cd ./AzureArchitecture
- dotnet build
- func start
+dotnet build
+func start
 ```
 
 If the default port is busy, try `func start --port 7072`.
@@ -110,7 +114,7 @@ func start --verbose
 
 # Check port conflicts, try another port
 func start --port 7072
-```bash
+```
 
 See also: Known Issues → Functions host exits on startup or endpoints not reachable locally.
 

docs/DOCS.md

@@ -5,7 +5,7 @@ Your single source of truth for the Azure Stamps Pattern - Architecture (ASPA),
 ## 🎯 Start Here — 60 second checklist
 
 - Read `README.md` (project overview & prerequisites).
-- Run the Live Data Path: `docs/LIVE_DATA_PATH.md` to seed Cosmos and validate Management Portal ↔ DAB ↔ Cosmos.
+- Run the Live Data Path: `docs/LIVE_DATA_PATH.md` to seed Cosmos and validate Management Portal ↔ Hot Chocolate (GraphQL) ↔ Cosmos.
 - For local development: follow `docs/DEVELOPER_QUICKSTART.md` (run Functions + Portal locally).
 - For deployments: open `docs/DEPLOYMENT_GUIDE.md` and use `scripts/deploy.ps1` or Bicep templates as documented.
 - Fast path: for a complete single-subscription deployment end-to-end, use the [Three-Step Deployment Guide](./THREE_STEP_DEPLOYMENT_GUIDE.md).

docs/GLOSSARY.md

@@ -133,12 +133,13 @@ Secure store for secrets, keys, and certificates.
 - **Integration**: Managed identity; reference secrets in app settings and Bicep
 - **Docs**: <a href="https://learn.microsoft.com/azure/key-vault/general/overview" target="_blank" rel="noopener" title="Opens in a new tab">Key Vault overview</a>&nbsp;<sup>↗</sup>
 
-### **Data API Builder (DAB)**
+### **GraphQL backend (Hot Chocolate) — Data API Builder (DAB) (legacy)**
 
-Runtime that exposes databases as REST/GraphQL with role-based access.
+The Management Portal exposes a GraphQL API for control-plane data. The primary, actively maintained implementation uses Hot Chocolate (a .NET GraphQL server). Older references to Data API Builder (DAB) still exist in archive material and some operational scripts.
 
-- **Use Cases**: Data plane for the Management Portal with Easy Auth headers
-- **Docs**: <a href="https://learn.microsoft.com/azure/data-api-builder/overview" target="_blank" rel="noopener" title="Opens in a new tab">Data API Builder overview</a>&nbsp;<sup>↗</sup>
+- **Use Cases**: Exposes control-plane data (tenants, cells, operations) via GraphQL with role-based access patterns
+- **Notes**: Hot Chocolate is the recommended GraphQL backend. References to Data API Builder (DAB) in the repo are legacy; we are rebaselining docs and examples to prefer Hot Chocolate. Some runtime names and secrets still include "DAB"; follow a staged verification and migration plan before renaming live secrets or resources.
+- **Docs**: Hot Chocolate: <https://chillicream.com/docs/hotchocolate> & DAB: <https://learn.microsoft.com/azure/data-api-builder/overview> (legacy)
 
 ## 🏠 **Tenancy Models**
 

docs/KNOWN_ISSUES.md

@@ -22,8 +22,8 @@ Practical fixes and workarounds for common issues across development, deployment
 >
 > 1. Bicep/template errors — run `bicep build <file>.bicep` and `az deployment group what-if` → see [Deployment Issues](#-deployment-issues).
 > 2. Name conflicts — change `resourceToken` or use uniqueString(resourceGroup().id) → [Deployment Issues](#-deployment-issues).
-> 3. DAB crashing / port mismatch — confirm `ASPNETCORE_URLS` vs Container App `targetPort` → [Deployment Issues](#-deployment-issues).
-> 4. Portal timeouts to DAB — check `DAB_GRAPHQL_URL` secret and Container App logs → [Troubleshooting Playbooks](#portal-→-dab-connectivity-decision-tree).
+> 3. GraphQL backend crashing / port mismatch — confirm `ASPNETCORE_URLS` vs Container App `targetPort` → [Deployment Issues](#-deployment-issues).  # note: env var names like `ASPNETCORE_URLS` are still used by the image
+> 4. Portal timeouts to the GraphQL backend — check `DAB_GRAPHQL_URL` secret and Container App logs → [Troubleshooting Playbooks](#portal-→-dab-connectivity-decision-tree).
 > 5. Seeder 401/403 — grant Cosmos DB Data Contributor to the identity and use DefaultAzureCredential locally → [Development Issues](#-development-issues).
 > 6. Key Vault access denied — grant `get`/`list` or Key Vault Secrets User RBAC to the principal → [Security Issues](#-security-issues).
 > 7. Cosmos 429 throttling — implement retries/backoff and scale RU/s or enable autoscale → [Performance Issues](#-performance-issues).
@@ -150,7 +150,7 @@ flowchart LR
 
 ## 🔁 Troubleshooting Playbooks (decision trees)
 
-Below are three focused decision trees that operators reach for frequently: Portal → DAB connectivity, DAB container startup, and AAD/authentication issues. Use these as quick visual playbooks during incidents.
+Below are three focused decision trees that operators reach for frequently: Portal → GraphQL backend connectivity, GraphQL container startup, and AAD/authentication issues. Use these as quick visual playbooks during incidents. Note: runtime names and secrets like `DAB_GRAPHQL_URL` may still be used for compatibility.
 
 ### 1) Portal → DAB connectivity decision tree
 
@@ -166,7 +166,7 @@ flowchart TD
     P2 --> P4{Is DAB endpoint configured (DAB_GRAPHQL_URL)?}
     P3 --> P4
 
-    P4 -->|No| P5[Set secret `DAB_GRAPHQL_URL` to Container App ingress FQDN + /graphql]
+    P4 -->|No| P5[Set secret `DAB_GRAPHQL_URL` (or GraphQL backend URL secret) to Container App ingress FQDN + /graphql]
     P4 -->|Yes| P6[Ping DAB endpoint from Portal (curl/postman) using managed identity header if required]
 
     P6 -->|Connection refused / DNS| P7[Check Container App ingress FQDN, DNS CNAME, and firewall / private endpoint settings]
@@ -180,7 +180,7 @@ flowchart TD
     P10 --> P12
     P11 --> P12
 
-    P12 --> P13[If still failing: redeploy DAB with corrected targetPort and validate ACR pull permissions]
+    P12 --> P13[If still failing: redeploy the GraphQL backend (or legacy DAB image) with corrected targetPort and validate ACR pull permissions]
     P13 --> P14[If redeploy fails: capture logs, open issue, escalate to infra on-call]
 ```
 
@@ -465,7 +465,7 @@ func start --port 7072
 
 # 5) Ensure local.settings.json points to the emulator
 #   - CosmosDbConnection: https://localhost:8085/
-#   - The run-local.ps1 script imports the emulator cert; if SSL errors persist,
+#   - The old `run-local.ps1` helper previously imported the emulator cert; it has been removed. If SSL errors persist,
 #     open https://localhost:8085/_explorer/emulator.pem in a browser once to trust it.
 
 # 6) Avoid overlapping builds/hosts

docs/LANDING_ZONES_GUIDE.md

@@ -35,7 +35,7 @@ Practical guide to placing Azure Stamps Pattern components within Azure Landing
 
 - Platform landing zones host shared enterprise services: Identity (process), Management, Connectivity, and Shared Services (global edge, shared gateways). Do not put all infra into the Management subscription.
 - Application (workload) landing zones host your CELLs (shared or dedicated) per region. Use one subscription per CELL for isolation, quotas, and billing clarity.
-- Control Plane (management portal, DAB GraphQL, control metadata): either a) Platform Shared-Services subscription if used by many apps/org-wide, or b) a dedicated “ControlPlane” workload subscription under Landing Zones for autonomy and SDLC separation.
+- Control Plane (management portal, GraphQL backend, control metadata): either a) Platform Shared-Services subscription if used by many apps/org-wide, or b) a dedicated “ControlPlane” workload subscription under Landing Zones for autonomy and SDLC separation.
 
 ### 🖼️ Visual: High-Level Placement
 

docs/LIVE_DATA_PATH.md

@@ -1,61 +1,61 @@
 ---
-# Live Data Path — Portal → DAB → Cosmos (quick guide)
+# Live Data Path — Portal → GraphQL → Cosmos (quick guide)
 
 Purpose
 
-- One-page smoke path and quick checks to validate the Management Portal consumes live data from Data API Builder (DAB) backed by Cosmos DB.
+- One-page smoke path and quick checks to validate the Management Portal consumes live data from the GraphQL backend (Hot Chocolate) backed by Cosmos DB.
 
 Who this is for
 
 - Developers, platform engineers, and operators who need a fast, repeatable set of checks to confirm the live-data flow is healthy.
 
 Overview
 
-- Path: Management Portal (UI) → DAB (GraphQL) → Cosmos DB (control-plane containers: tenants, cells, operations)
-- Secrets and identity: Portal authenticates users via AAD; Portal calls DAB over internal network; DAB uses MI or connection string to read Cosmos.
+- Path: Management Portal (UI) → GraphQL backend (Hot Chocolate) → Cosmos DB (control-plane containers: tenants, cells, operations)
+- Secrets and identity: Portal authenticates users via AAD; Portal calls the GraphQL backend over the internal network; the GraphQL backend uses a managed identity or connection string to read Cosmos.
 
 Quick diagram
 
 ```mermaid
 flowchart LR
   Portal[Management Portal]
-  DAB[Data API Builder (Container App)]
+  GraphQL[GraphQL (Hot Chocolate) (Container App)]
   Cosmos[Cosmos DB - stamps-control-plane]
 
-  Portal -->|HTTP GraphQL POST| DAB
-  DAB -->|Cosmos SDK / REST| Cosmos
+  Portal -->|HTTP GraphQL POST| GraphQL
+  GraphQL -->|Cosmos SDK / REST| Cosmos
 ```mermaid
 
 Essential variables
 
-- DAB GraphQL URL (secret): DAB_GRAPHQL_URL — e.g. https://<internal-fqdn>/graphql
-- Portal secret/setting: ensure Portal reads `DAB_GRAPHQL_URL` from container-app secrets or Key Vault
+ - GraphQL URL (secret): DAB_GRAPHQL_URL — e.g. https://<internal-fqdn>/graphql (kept for backwards compatibility)
+ - Portal secret/setting: ensure Portal reads `DAB_GRAPHQL_URL` from container-app secrets or Key Vault. Note: the portal uses Hot Chocolate as the GraphQL implementation; `DAB_*` runtime names are retained for compatibility and should not be renamed without an infra/secret migration plan.
+
+Note: The GraphQL backend used in this project is Hot Chocolate. `DAB_*` names and references in this document are legacy compatibility artifacts. Runtime identifiers such as `DAB_GRAPHQL_URL` and `ca-stamps-dab` are intentionally preserved — do not rename them without a coordinated infra/secrets migration.
 - Seeder location: `AzureArchitecture/Seeder` (uses DefaultAzureCredential)
 
 Smoke checks (fast)
 
-1) Validate DAB is healthy (Container Apps)
+1) Validate GraphQL backend is healthy (Container Apps)
 
-# ```powershell
 # List revisions and health
-az containerapp revision list -g rg-stamps-mgmt -n ca-stamps-dab -o table
+az containerapp revision list -g rg-stamps-mgmt -n ca-stamps-dab -o table  # resource name retained for compatibility
 
 # Show ingress configuration (confirm targetPort matches container)
 az containerapp show -g rg-stamps-mgmt -n ca-stamps-dab --query properties.configuration.ingress
-```bash
 
-2) Tail DAB logs (look for startup errors and GraphQL listening)
+2) Tail GraphQL backend logs (look for startup errors and GraphQL listening). The Container App resource may still be named `ca-stamps-dab` for backward compatibility.
 
 ```powershell
 az containerapp logs show -g rg-stamps-mgmt -n ca-stamps-dab --container dab --tail 200
 ```
 
 1) Quick GraphQL introspection / simple query
 
-Using PowerShell (Invoke-RestMethod) — replace `$DAB` with the DAB GraphQL URL (from secret/outputs):
+Using PowerShell (Invoke-RestMethod) — replace `$DAB` with the GraphQL backend URL (from secret/outputs). Legacy secret names like `DAB_GRAPHQL_URL` may still be used:
 
 ```powershell
-$DAB = 'https://<dab-fqdn>/graphql'
+$DAB = 'https://<graphql-backend-fqdn>/graphql'
 $body = @{ query = 'query { __schema { queryType { name } } }' } | ConvertTo-Json
 
 # Use -UseBasicParsing if needed in older PowerShell