fix: release readiness — SQL params, tenant validation, token store, ETL cache

- Fix double @@ SQL parameter prefix in MsSqlDataCommandTranslatorBase
- Separate tenant access denied (403) from query failure (500) in TenantResolutionMiddleware
- Add TenantAccessCheckFailed log method (EventId 567)
- Fix EventId collision 7542→7550 in MultitenancyDisabledCode
- Add no-op Operations initialize block in ServiceTypeExtensions
- Migrate MsSqlTokenStoreLog from [LoggerMessage] to [MessageLogging]
- Refactor MsSqlTokenStore to use IConnectionProvider instead of raw connection strings
- Replace Guid.Parse with TryParse and AddWithValue with typed SqlParameters
- Add LookupTransformType.ClearCache() to StreamingPipeline finally block

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Mike Blair

src/FractalDataWorks.Data.MsSql/Translators/MsSqlDataCommandTranslatorBase.cs

@@ -163,8 +163,8 @@ private static string BuildWhereCondition(FilterCondition condition, SqlBuildCon
                 foreach (var item in enumerable)
                 {
                     var paramName = $"{context.ParameterPrefix}p{conditionIndex}_{itemIndex++}";
-                    paramNames.Add($"@{paramName}");
-                    var parameter = new SqlParameter($"@{paramName}", item ?? DBNull.Value);
+                    paramNames.Add(paramName);
+                    var parameter = new SqlParameter(paramName, item ?? DBNull.Value);
                     context.Command.Parameters.Add(parameter);
                 }
 
@@ -178,15 +178,15 @@ private static string BuildWhereCondition(FilterCondition condition, SqlBuildCon
             }
 
             var singleParamName = $"{context.ParameterPrefix}p{context.ParameterCounter++}";
-            var sql = $"{columnName} {condition.Operator.SqlOperator} @{singleParamName}";
+            var sql = $"{columnName} {condition.Operator.SqlOperator} {singleParamName}";
 
             // ZERO SQL INJECTION: Value goes into parameter, NOT concatenated into SQL
             // Preprocess string values to escape operator-specific metacharacters (e.g., LIKE wildcards)
             object? paramValue = condition.Value is string strValue
                 ? condition.Operator.PreprocessSqlValue(strValue)
                 : condition.Value;
 
-            var singleParameter = new SqlParameter($"@{singleParamName}", paramValue ?? DBNull.Value);
+            var singleParameter = new SqlParameter(singleParamName, paramValue ?? DBNull.Value);
             context.Command.Parameters.Add(singleParameter);
             return sql;
         }

src/FractalDataWorks.Hosting/Extensions/ServiceTypeExtensions.cs

@@ -95,6 +95,13 @@ public static WebApplication InitializeFrameworkServiceTypes(
             SchedulerTypes.Initialize(app.Services, loggerFactory);
         }
 
+        if (state.HasOperations)
+        {
+            HostingLog.ServiceTypeRegistrationPhase(logger, "Initialize", "Operations");
+            // Operations services are registered via AddOperations() but require no Initialize phase.
+            // This block exists for pattern consistency with other service types.
+        }
+
         if (state.HasConfigurationWriters)
         {
             app.Services.InitializeConfigurationWriters(loggerFactory);

src/FractalDataWorks.Services.Authentication.Jwt.MsSql/Extensions/MsSqlTokenStoreServiceCollectionExtensions.cs

@@ -1,7 +1,9 @@
 using FractalDataWorks.Services.Authentication.Jwt.MsSql.Storage;
 using FractalDataWorks.Services.Authentication.Jwt.Storage;
+using FractalDataWorks.Services.Connections.Abstractions;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Logging;
 
 namespace FractalDataWorks.Services.Authentication.Jwt.MsSql.Extensions;
 
@@ -15,22 +17,35 @@ public static class MsSqlTokenStoreServiceCollectionExtensions
     /// <see cref="MsSqlTokenStore"/> backed by a SQL Server database.
     /// </summary>
     /// <param name="services">The service collection.</param>
-    /// <param name="connectionString">The SQL Server connection string for the auth database.</param>
+    /// <param name="connectionName">
+    /// The name of the connection to resolve via <see cref="IConnectionProvider"/>.
+    /// Defaults to <c>"AuthDb"</c>.
+    /// </param>
     /// <returns>The service collection for chaining.</returns>
     /// <remarks>
+    /// <para>
     /// Call this after <c>JwtAuthenticationType.RegisterRequiredServices</c> to override
     /// the default <see cref="InMemoryTokenStore"/> with the SQL-backed implementation.
+    /// </para>
+    /// <para>
+    /// The connection is resolved at runtime via <see cref="IConnectionProvider"/>,
+    /// supporting secret manager integration, Entra ID authentication, and
+    /// configuration reload from the database.
+    /// </para>
+    /// <para>
     /// The SQL Server database must have the <c>auth.RefreshToken</c> and
     /// <c>auth.RevokedAccessToken</c> tables created before calling this.
+    /// </para>
     /// </remarks>
     public static IServiceCollection AddMsSqlTokenStore(
         this IServiceCollection services,
-        string connectionString)
+        string connectionName = "AuthDb")
     {
         services.Replace(ServiceDescriptor.Singleton<ITokenStore>(sp =>
         {
-            var logger = sp.GetService<Microsoft.Extensions.Logging.ILogger<MsSqlTokenStore>>();
-            return new MsSqlTokenStore(connectionString, logger);
+            var connectionProvider = sp.GetRequiredService<IConnectionProvider>();
+            var logger = sp.GetRequiredService<ILogger<MsSqlTokenStore>>();
+            return new MsSqlTokenStore(connectionProvider, connectionName, logger);
         }));
 
         return services;

src/FractalDataWorks.Services.Authentication.Jwt.MsSql/FractalDataWorks.Services.Authentication.Jwt.MsSql.csproj

@@ -22,4 +22,11 @@
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
   </ItemGroup>
 
+  <ItemGroup>
+    <ProjectReference Include="..\FractalDataWorks.MessageLogging.Abstractions\FractalDataWorks.MessageLogging.Abstractions.csproj" />
+    <ProjectReference Include="..\FractalDataWorks.MessageLogging.SourceGenerators\FractalDataWorks.MessageLogging.SourceGenerators.csproj" OutputItemType="Analyzer" ReferenceOutputAssembly="false" PrivateAssets="all" />
+    <ProjectReference Include="..\FractalDataWorks.Services.Connections.Abstractions\FractalDataWorks.Services.Connections.Abstractions.csproj" />
+    <ProjectReference Include="..\FractalDataWorks.Services.Connections.MsSql\FractalDataWorks.Services.Connections.MsSql.csproj" />
+  </ItemGroup>
+
 </Project>

src/FractalDataWorks.Services.Authentication.Jwt.MsSql/Logging/MsSqlTokenStoreLog.cs

@@ -1,4 +1,6 @@
 using System;
+using FractalDataWorks.MessageLogging;
+using FractalDataWorks.Messages;
 using Microsoft.Extensions.Logging;
 
 namespace FractalDataWorks.Services.Authentication.Jwt.MsSql.Logging;
@@ -10,26 +12,38 @@ namespace FractalDataWorks.Services.Authentication.Jwt.MsSql.Logging;
 public static partial class MsSqlTokenStoreLog
 {
     /// <summary>Logs when storing a refresh token fails.</summary>
-    [LoggerMessage(EventId = 7481, Level = LogLevel.Error, Message = "Database error storing refresh token for user {UserId}")]
-    public static partial void StoreRefreshTokenFailed(ILogger logger, Exception exception, string userId);
+    [MessageLogging(EventId = 7481, Level = LogLevel.Error, Message = "Database error storing refresh token for user {userId}")]
+    public static partial IGenericMessage StoreRefreshTokenFailed(ILogger logger, Exception exception, string userId);
 
     /// <summary>Logs when validating a refresh token fails.</summary>
-    [LoggerMessage(EventId = 7482, Level = LogLevel.Error, Message = "Database error validating refresh token for user {UserId}")]
-    public static partial void ValidateRefreshTokenFailed(ILogger logger, Exception exception, string userId);
+    [MessageLogging(EventId = 7482, Level = LogLevel.Error, Message = "Database error validating refresh token for user {userId}")]
+    public static partial IGenericMessage ValidateRefreshTokenFailed(ILogger logger, Exception exception, string userId);
 
     /// <summary>Logs when invalidating user refresh tokens fails.</summary>
-    [LoggerMessage(EventId = 7483, Level = LogLevel.Error, Message = "Database error invalidating refresh tokens for user {UserId}")]
-    public static partial void InvalidateRefreshTokensFailed(ILogger logger, Exception exception, string userId);
+    [MessageLogging(EventId = 7483, Level = LogLevel.Error, Message = "Database error invalidating refresh tokens for user {userId}")]
+    public static partial IGenericMessage InvalidateRefreshTokensFailed(ILogger logger, Exception exception, string userId);
 
     /// <summary>Logs when revoking an access token fails.</summary>
-    [LoggerMessage(EventId = 7484, Level = LogLevel.Error, Message = "Database error revoking access token with JTI {Jti}")]
-    public static partial void RevokeAccessTokenFailed(ILogger logger, Exception exception, string jti);
+    [MessageLogging(EventId = 7484, Level = LogLevel.Error, Message = "Database error revoking access token with JTI {jti}")]
+    public static partial IGenericMessage RevokeAccessTokenFailed(ILogger logger, Exception exception, string jti);
 
     /// <summary>Logs when checking if an access token is revoked fails.</summary>
-    [LoggerMessage(EventId = 7485, Level = LogLevel.Error, Message = "Database error checking revocation status for JTI {Jti}")]
-    public static partial void IsAccessTokenRevokedFailed(ILogger logger, Exception exception, string jti);
+    [MessageLogging(EventId = 7485, Level = LogLevel.Error, Message = "Database error checking revocation status for JTI {jti}")]
+    public static partial IGenericMessage IsAccessTokenRevokedFailed(ILogger logger, Exception exception, string jti);
 
     /// <summary>Logs when cleaning up expired tokens fails.</summary>
-    [LoggerMessage(EventId = 7486, Level = LogLevel.Error, Message = "Database error cleaning up expired tokens")]
-    public static partial void CleanupExpiredTokensFailed(ILogger logger, Exception exception);
+    [MessageLogging(EventId = 7486, Level = LogLevel.Error, Message = "Database error cleaning up expired tokens")]
+    public static partial IGenericMessage CleanupExpiredTokensFailed(ILogger logger, Exception exception);
+
+    /// <summary>Logs when a user ID string cannot be parsed as a GUID.</summary>
+    [MessageLogging(EventId = 7487, Level = LogLevel.Warning, Message = "Invalid user ID format: '{userId}'")]
+    public static partial IGenericMessage InvalidUserId(ILogger logger, string userId);
+
+    /// <summary>Logs when the connection provider fails to resolve the named connection.</summary>
+    [MessageLogging(EventId = 7488, Level = LogLevel.Error, Message = "Failed to resolve connection '{connectionName}' for token store")]
+    public static partial IGenericMessage ConnectionFailed(ILogger logger, string connectionName);
+
+    /// <summary>Logs when the resolved connection is not a SQL Server connection.</summary>
+    [MessageLogging(EventId = 7489, Level = LogLevel.Error, Message = "Connection '{connectionName}' is not a SQL Server connection")]
+    public static partial IGenericMessage InvalidConnectionType(ILogger logger, string connectionName);
 }