Production Hardening Checklist
The architecture described in this section is suitable for production systems, but a production deployment still requires additional hardening. The following concerns should be addressed before exposing such a system broadly.
The server must know who is calling the /rpc or /mcp endpoints. Anonymous access may be acceptable for demonstrations but not for business operations.
Authorization should be evaluated per method. A user allowed to call Shipment.Search may not be allowed to call Bank.MakeDeposit.
JSON Schema is useful for discovery, but server-side validation must still enforce required fields, ranges, formats, and business rules.
Errors should be consistent and should not leak internal implementation details. A typical error response looks like this:
{
  "jsonrpc": "2.0",
  "error": {
    "code": -32601,
    "message": "Method not found"
  },
  "id": "1"
}
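The authentication, per-method authorization and error-handling points above, combined in one dispatcher as an added example (not code from this site's samples). The RpcGate class, the role names, the stand-in handlers and the error codes -32001 and -32003 are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

public static class RpcGate
{
    // Assumed registry: method -> (required role, handler). Unlisted methods are refused.
    static readonly Dictionary<string, (string Role, Func<JsonElement, object> Run)> Methods = new()
    {
        ["Shipment.Search"] = ("shipping.read", _ => new { items = new[] { "SHP-1001" } }),
        // Stand-in handler that fails with an internal detail, to exercise the catch below.
        ["Bank.MakeDeposit"] = ("bank.write", _ => throw new InvalidOperationException("SQL timeout on db01")),
    };

    static string Error(object? id, int code, string message) =>
        JsonSerializer.Serialize(new { jsonrpc = "2.0", error = new { code, message }, id });

    public static string Dispatch(string? caller, ISet<string> roles, string json)
    {
        object? id = null;
        try
        {
            using var doc = JsonDocument.Parse(json);
            var root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object) return Error(id, -32600, "Invalid Request");
            if (root.TryGetProperty("id", out var idEl)) id = idEl.Clone();
            if (!root.TryGetProperty("method", out var m) || m.ValueKind != JsonValueKind.String)
                return Error(id, -32600, "Invalid Request");
            // -32001 and -32003 are codes chosen for this example from the server-defined range.
            if (caller is null) return Error(id, -32001, "Authentication required");
            if (!Methods.TryGetValue(m.GetString()!, out var entry)) return Error(id, -32601, "Method not found");
            if (!roles.Contains(entry.Role)) return Error(id, -32003, "Forbidden");
            root.TryGetProperty("params", out var args);
            return JsonSerializer.Serialize(new { jsonrpc = "2.0", result = entry.Run(args), id });
        }
        catch (JsonException) { return Error(id, -32700, "Parse error"); }
        catch (Exception ex)
        {
            // Full detail goes to the server log only; the caller gets a fixed message.
            Console.Error.WriteLine($"rpc failure caller={caller} id={id}: {ex}");
            return Error(id, -32603, "Internal error");
        }
    }

    public static void Main()
    {
        const string req = "{\"jsonrpc\":\"2.0\",\"method\":\"Bank.MakeDeposit\",\"id\":\"1\"}"; // constructed request
        Console.WriteLine(Dispatch(null, new HashSet<string>(), req));                       // anonymous caller
        Console.WriteLine(Dispatch("clerk", new HashSet<string> { "shipping.read" }, req));  // role missing
        Console.WriteLine(Dispatch("teller", new HashSet<string> { "bank.write" }, req));    // handler throws
    }
}
```

The authentication check runs before the method lookup, so an anonymous caller gets the same response whether or not the method name exists.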
Record method name, caller, duration, success/failure, and important business identifiers. Write operations require especially careful auditing.
Large systems need a clear strategy for evolving request and response contracts. Version metadata can be placed in descriptors or method names.
Loading DLLs from a folder is powerful. In production, use trusted locations, deployment controls, duplicate method detection, and possibly assembly signing or manifest validation.
Track call counts, failure counts, latency, slow handlers, and startup discovery results. Tool-based systems are much easier to operate when their behavior is measurable.
Business Process Programming in .Net
© 2004–2026 Laskarzhevsky Software Inc.
Unless otherwise noted, the content of this website is licensed under the
Creative Commons Attribution 4.0 International License (CC BY 4.0).
Code examples are provided under the MIT License.
You are free to share and adapt the material provided that appropriate
credit is given and any modifications are clearly indicated.