ASP.NET Core & C# AI Prompts: Build Production APIs Faster in 2026

You are a senior .NET 9 architect using C# 13.

Build a complete Task API using ASP.NET Core Minimal APIs with MediatR CQRS pattern:

Endpoint registration (TaskEndpoints.cs — extension method on WebApplication):
- GET /api/v1/tasks — GetTasksQuery
- GET /api/v1/tasks/{id:guid} — GetTaskByIdQuery
- POST /api/v1/tasks — CreateTaskCommand
- PUT /api/v1/tasks/{id:guid} — UpdateTaskCommand
- DELETE /api/v1/tasks/{id:guid} — DeleteTaskCommand

Each endpoint:
- [Authorize] attribute or RequireAuthorization() with policy name
- Extract organizationId from JWT claims (ClaimsPrincipal extension method)
- Send to IMediator.Send()
- Return TypedResults (Results<Ok<TaskDto>, NotFound, ForbidHttpResult, ValidationProblem>)

Commands/Queries (records):
- GetTasksQuery(Guid OrganizationId, TaskStatus? Status, int Page, int PageSize) : IRequest<PagedResult<TaskDto>>
- CreateTaskCommand(string Title, string? Description, DateOnly? DueDate, Guid ProjectId, Guid OrganizationId) : IRequest<Result<TaskDto>>

Result pattern: Result<T> with IsSuccess, Value, Error (no exceptions for expected failures).

Output: endpoint registration, commands/queries as records, handlers, and Program.cs registration.

You are an EF Core 9 expert.

Design EF Core 9 entity configurations for a multi-tenant task management system:

Entities (C# 13 primary constructors):
- Organization, User, Project, Task, Comment, AuditLog

IEntityTypeConfiguration<Task> (TaskConfiguration : IEntityTypeConfiguration<Task>):
- Table name, schema: tasks schema
- Primary key: Guid (NewId() from UlidId or sequential GUID for index friendliness)
- Soft delete: IsDeleted (bool) + DeletedAt (DateTime?) with global query filter
- Tenant filter: global query filter for OrganizationId == currentTenantId (injected via ITenantContext)
- Indexes: composite [OrganizationId, Status, DueDate], [OrganizationId, AssignedToId]
- Value conversions: TaskStatus enum → string (not int for readability in DB)
- Owned entity: Task.Address as owned type (no separate table)
- Concurrency: RowVersion byte[] property for optimistic concurrency

Bulk operations (EF Core 7+):
- ExecuteUpdateAsync for bulk status changes (no entity loading)
- ExecuteDeleteAsync for hard delete admin operations

Repository:
- ITaskRepository with async methods, CancellationToken on all
- Specification pattern: ISpecification<T> for reusable query building

Output: entity configurations, DbContext with all entity registrations, repository interface + EF implementation.

You are a .NET security engineer.

Implement JWT authentication for ASP.NET Core 9 with ASP.NET Identity:

Identity configuration:
- ApplicationUser extends IdentityUser with: OrganizationId (Guid), Role (enum), CreatedAt, LastLoginAt
- IdentityOptions: strong password policy, lockout after 5 failures for 15 minutes, require confirmed email

JWT setup (Program.cs):
- AddAuthentication().AddJwtBearer() with RSA256 (load public key from env for validation)
- Token issuer: separate TokenService
- Validate: issuer, audience, lifetime, signing key

TokenService:
- GenerateAccessToken(ApplicationUser user): RS256, 15-minute lifetime, claims: sub, email, organizationId, role, jti
- GenerateRefreshToken(): opaque 32-byte random, stored in RefreshTokens table with userId, expiresAt, isRevoked
- RevokeRefreshToken(token): mark as revoked, optional: revoke entire family on reuse detection
- RefreshAccessToken(refreshToken): validate table entry → generate new access token + rotate refresh token

Auth endpoints (/api/auth):
- POST /login: Identity SignInManager, return token pair
- POST /refresh: validate refresh token table
- POST /logout: revoke refresh token
- POST /register: create user, send confirmation email via IEmailSender

Output: TokenService, AuthController (or Minimal API), Identity configuration in Program.cs.

You are a MediatR expert for .NET applications.

Build a production MediatR pipeline with behaviors (in execution order):

1. LoggingBehavior<TRequest, TResponse>:
   - Log: request type, request payload (sanitize sensitive fields), duration, user ID from ICurrentUser
   - Structured logging with Serilog: include correlationId, userId, organizationId as enrichers
   - Warn if handler takes longer than 500ms

2. ValidationBehavior<TRequest, TResponse>:
   - Run all IValidator<TRequest> registered via FluentValidation
   - On failure: return Result.Failure with ValidationError list (not throw exception)
   - Only run for commands (implement ICommand marker interface check)

3. AuthorizationBehavior<TRequest, TResponse>:
   - Check IAuthorizeRequest on command/query
   - Call IAuthorizationService with the required policy name
   - Return Result.Failure(Error.Forbidden) if denied

4. TransactionBehavior<TRequest, TResponse>:
   - Wrap commands (ICommand) in EF Core DbContext.BeginTransactionAsync
   - Commit on success, rollback on exception
   - Do NOT apply to queries

5. CachingBehavior<TRequest, TResponse>:
   - For queries implementing ICacheable (with CacheKey and CacheDuration properties)
   - Read from IDistributedCache, deserialize, return early if hit
   - On miss: execute handler, write to cache

Output: all 5 behavior classes, ICurrentUser interface + HttpContext implementation, FluentValidation registration in Program.cs.

You are a .NET testing expert.

Write integration tests for the Task API using xUnit and WebApplicationFactory:

Test infrastructure:
- CustomWebApplicationFactory<Program>: replace real DB with Testcontainers PostgreSQL, override JWT validation to accept test tokens
- DatabaseFixture: IAsyncLifetime — create schema on InitializeAsync, truncate tables between tests
- TestJwtTokenFactory: generate signed JWT with any claims for test users
- ApiClient: HttpClient wrapper with typed methods (GetTaskAsync, CreateTaskAsync, etc.)

Test cases (Fact and Theory):

[Fact] CreateTask_WithValidData_Returns201AndCreatedTask
[Fact] CreateTask_AsMemberOfDifferentOrg_Returns403
[Theory, InlineData("", "Title required"), InlineData("ab", "Min 3 chars")]
CreateTask_WithInvalidTitle_Returns400WithFieldError(string title, string expectedMessage)
[Fact] GetTasks_ReturnsOnlyCurrentOrgTasks_TenantIsolation
[Fact] UpdateTask_WithStaleVersion_Returns409Conflict
[Fact] DeleteTask_SoftDeletes_NotReturnedInSubsequentGet

Assertions:
- HTTP status code (FluentAssertions: response.Should().HaveStatusCode(201))
- Response body JSON (deserialize to DTO, assert fields)
- Database state (inject IDbContextFactory, query DB directly to assert persistence)

Output: WebApplicationFactory, DatabaseFixture, test token factory, and all test cases.

You are a senior .NET 9 real-time systems engineer.

Add SignalR to an ASP.NET Core 9 Minimal API application for live collaboration features:

Hub: TaskHub : Hub
- OnConnectedAsync: join group for user's tenantId, send pending notifications count
- OnDisconnectedAsync: log disconnect, remove from group
- Methods:
  - UpdateTask(string taskId, TaskUpdateDto update): validate user permission, broadcast to tenant group, persist change
  - JoinTaskRoom(string taskId): add to task-specific group for field-level updates
  - TypingIndicator(string taskId, bool isTyping): broadcast to others in task room (not back to sender)
  - SendMessage(string taskId, string content): add to real-time comment stream

Authentication: JWT bearer token via query string (?access_token=) — SignalR specific setup in Program.cs
Scale-out: Azure SignalR Service or Redis backplane for multiple instances
Client TypeScript: generated via @microsoft/signalr, typed method calls using HubConnection

Output: TaskHub class, Program.cs SignalR registration with Redis backplane, JWT config for SignalR, and TypeScript client hook useTaskHub(taskId).

You are a .NET 9 backend engineer.

Implement background processing using IHostedService and BackgroundService in ASP.NET Core 9:

Services to implement:
1. SubscriptionExpiryWorker (BackgroundService): runs every hour, finds organizations with subscriptions expiring in next 24h, queues renewal reminder emails via IEmailQueue, idempotent (cache processed IDs in Redis for 26h)
2. MetricsAggregator (BackgroundService): runs every 5 minutes, computes org-level stats (active users, task completion rate), writes to PostgreSQL summary table with UPSERT
3. FileCleanupService (IHostedService): on startup, delete S3 objects with status=orphaned older than 7 days (created without DB record)

Common requirements:
- CancellationToken: respect stoppingToken — check IsCancellationRequested in loops, pass to async DB calls
- Structured logging: ILogger<T> with scope including service name and run ID
- Error isolation: catch exceptions per iteration, log and continue — one bad record should not stop the worker
- Graceful shutdown: override StopAsync, drain current work within 30s
- Health checks: custom IHealthCheck for each worker showing last run time and status

Output: all three service classes, Program.cs registration, and the health check implementations.

Context for all .NET prompts in this session:
- Platform: .NET 9, C# 13
- API style: Minimal APIs in endpoint classes (NOT MVC Controllers unless I specify)
- Architecture: CQRS with MediatR 12 — Commands and Queries as C# records
- Validation: FluentValidation 12 as a MediatR pipeline behavior (NOT DataAnnotations)
  DataAnnotations are for display metadata only — never for domain validation
- Database: Entity Framework Core 9 + Npgsql (PostgreSQL)
  Use AsNoTracking() on all read-only queries
- Nullable: #nullable enable in all files
- Testing: xUnit + WebApplicationFactory + Testcontainers.PostgreSql
  NEVER EF Core InMemory provider — it doesn't enforce relational constraints

Never generate:
- IRepository<T> wrapping EF Core (EF Core IS the repository — double abstraction hurts)
- DataAnnotations on domain models ([Required], [MaxLength] etc.)
- .NET Framework APIs (System.Web, HttpWebRequest — use HttpClient + IHttpClientFactory)