dotnet
diff --git a/‎.github/skills/release-notes/references/examples/aspnetcore.md‎
Lines changed: 35 additions & 32 deletions b/‎.github/skills/release-notes/references/examples/aspnetcore.md‎
Lines changed: 35 additions & 32 deletions
diff --git a/‎.github/skills/release-notes/references/examples/csharp.md‎
Lines changed: 15 additions & 12 deletions b/‎.github/skills/release-notes/references/examples/csharp.md‎
Lines changed: 15 additions & 12 deletions
diff --git a/‎.github/skills/release-notes/references/examples/libraries.md‎
Lines changed: 12 additions & 11 deletions b/‎.github/skills/release-notes/references/examples/libraries.md‎
Lines changed: 12 additions & 11 deletions
@@ -2,31 +2,28 @@
 
 ## Configure suppressing exception handler diagnostics
 
-> Source: [.NET 10 Preview 7 — ASP.NET Core](../../../../release-notes/10.0/preview/preview7/aspnetcore.md)
+A new configuration option has been added to the [ASP.NET Core exception handler middleware](https://learn.microsoft.com/aspnet/core/fundamentals/error-handling#exception-handler-page) to control diagnostic output: `ExceptionHandlerOptions.SuppressDiagnosticsCallback`. This callback is passed context about the request and exception, allowing you to add logic that determines whether the middleware should write exception logs and other telemetry.
 
-Short — three sentences covering the new option, the use case, and a behavior change. No code needed.
+This setting is useful when you know an exception is transient, or has been handled by the exception handler middleware, and don't want the error logs written to your observability platform.
 
-> A new configuration option has been added to the [ASP.NET Core exception handler middleware](https://learn.microsoft.com/aspnet/core/fundamentals/error-handling#exception-handler-page) to control diagnostic output: `ExceptionHandlerOptions.SuppressDiagnosticsCallback`. This callback is passed context about the request and exception, allowing you to add logic that determines whether the middleware should write exception logs and other telemetry.
->
-> This setting is useful when you know an exception is transient, or has been handled by the exception handler middleware, and don't want the error logs written to your observability platform.
->
-> Additionally, the middleware's default behavior has changed: it no longer writes exception diagnostics for exceptions handled by `IExceptionHandler`. Based on user feedback, logging handled exceptions at the error level was often undesirable when `IExceptionHandler.TryHandleAsync` returned `true`.
+Additionally, the middleware's default behavior has changed: it no longer writes exception diagnostics for exceptions handled by `IExceptionHandler`. Based on user feedback, logging handled exceptions at the error level was often undesirable when `IExceptionHandler.TryHandleAsync` returned `true`.
 
-**Why it works**: concise problem/solution. The reader immediately knows what changed, why, and whether they're affected.
+---
+Source: [.NET 10 Preview 7 — ASP.NET Core](../../../../release-notes/10.0/preview/preview7/aspnetcore.md)
+Commentary: Short and focused — three sentences covering the new option, the use case, and a behavior change. No code needed.
+Why it works: The reader immediately knows what changed, why, and whether they're affected.
 
 ---
 
 ## Use PipeReader support in System.Text.Json
 
-> Source: [.NET 10 Preview 7 — ASP.NET Core](../../../../release-notes/10.0/preview/preview7/aspnetcore.md)
+MVC, Minimal APIs, and the `HttpRequestJsonExtensions.ReadFromJsonAsync` methods have all been updated to use the new PipeReader support in System.Text.Json without requiring any code changes from applications.
 
-Medium — behavioral change with workaround guidance and two code samples (quick fix and optimal fix).
+For the majority of applications this should have no impact on behavior. However, if the application is using a custom `JsonConverter`, there is a chance that the converter doesn't handle [Utf8JsonReader.HasValueSequence](https://learn.microsoft.com/dotnet/api/system.text.json.utf8jsonreader.hasvaluesequence) correctly. This can result in missing data and errors like `ArgumentOutOfRangeException` when deserializing.
 
-> MVC, Minimal APIs, and the `HttpRequestJsonExtensions.ReadFromJsonAsync` methods have all been updated to use the new PipeReader support in System.Text.Json without requiring any code changes from applications.
->
-> For the majority of applications this should have no impact on behavior. However, if the application is using a custom `JsonConverter`, there is a chance that the converter doesn't handle `Utf8JsonReader.HasValueSequence` correctly. This can result in missing data and errors like `ArgumentOutOfRangeException` when deserializing.
->
-> The quick workaround (especially if you don't own the custom `JsonConverter` being used) is to set the `"Microsoft.AspNetCore.UseStreamBasedJsonParsing"` AppContext switch to `true`. This should be a temporary workaround and the `JsonConverter`(s) should be updated to support `HasValueSequence`.
+The quick workaround (especially if you don't own the custom `JsonConverter` being used) is to set the `"Microsoft.AspNetCore.UseStreamBasedJsonParsing"` [AppContext](https://learn.microsoft.com/dotnet/api/system.appcontext) switch to `true`. This should be a temporary workaround and the `JsonConverter`(s) should be updated to support `HasValueSequence`.
+
+To fix `JsonConverter` implementations, there is the quick fix which allocates an array from the `ReadOnlySequence`:
 
 ```csharp
 public override T? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
@@ -36,28 +33,27 @@ public override T? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSeria
 }
 ```
 
-**Why it works**: acknowledges most users won't notice, identifies who *will* be affected, gives an immediate workaround, then the proper fix. Good template for "mostly invisible but has an edge case."
-
 ---
+Source: [.NET 10 Preview 7 — ASP.NET Core](../../../../release-notes/10.0/preview/preview7/aspnetcore.md)
+Commentary: Medium — behavioral change that's mostly invisible but has an edge case. Gives the workaround and the proper fix.
+Why it works: Acknowledges most users won't notice, identifies who *will* be affected, gives an immediate workaround, then the proper fix.
 
-## OpenIdConnectHandler support for Pushed Authorization Requests (PAR)
+---
 
-> Source: [.NET 9 Preview 7 — ASP.NET Core](../../../../release-notes/9.0/preview/preview7/aspnetcore.md)
+## `OpenIdConnectHandler` support for Pushed Authorization Requests (PAR)
 
-Long — community contribution with extensive quoted motivation, configuration example, and operational guidance.
+We'd like to thank @josephdecock from @DuendeSoftware for adding Pushed Authorization Requests (PAR) to ASP.NET Core's `OpenIdConnectHandler`. Joe described the background and motivation for enabling PAR in [his API proposal](https://github.com/dotnet/aspnetcore/issues/51686) as follows:
 
-> We'd like to thank @josephdecock from @DuendeSoftware for adding Pushed Authorization Requests (PAR) to ASP.NET Core's `OpenIdConnectHandler`. Joe described the background and motivation for enabling PAR in [his API proposal](https://github.com/dotnet/aspnetcore/issues/51686) as follows:
+> Pushed Authorization Requests (PAR) is a relatively new [OAuth standard](https://datatracker.ietf.org/doc/html/rfc9126) that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine to machine http calls on the back end).
+>
+> This prevents an attacker in the browser from:
 >
-> > Pushed Authorization Requests (PAR) is a relatively new [OAuth standard](https://datatracker.ietf.org/doc/html/rfc9126) that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine to machine http calls on the back end).
-> >
-> > This prevents an attacker in the browser from:
-> >
-> > - Seeing authorization parameters (which could leak PII) and from
-> > - Tampering with those parameters (e.g., the attacker could change the scope of access being requested).
-> >
-> > The use of PAR is encouraged by the [FAPI working group](https://openid.net/wg/fapi/) within the OpenID Foundation.
+> - Seeing authorization parameters (which could leak PII) and from
+> - Tampering with those parameters (e.g., the attacker could change the scope of access being requested).
+>
+> The use of PAR is encouraged by the [FAPI working group](https://openid.net/wg/fapi/) within the OpenID Foundation.
 
-> PAR is now enabled by default if the identity provider's discovery document advertises support for it. This change should provide enhanced security for providers that support PAR. If this causes problems, disable PAR via `OpenIdConnectOptions.PushedAuthorizationBehavior`:
+PAR is now enabled by default if the identity provider's discovery document advertises support for it. The identity provider's discovery document is usually found at `.well-known/openid-configuration`. This change should provide enhanced security for providers that support PAR. If this causes problems, disable PAR via `OpenIdConnectOptions.PushedAuthorizationBehavior` as follows:
 
 ```csharp
 builder.Services
@@ -74,6 +70,13 @@ builder.Services
     });
 ```
 
-> To ensure that authentication only succeeds if PAR is used, use `PushedAuthorizationBehavior.Require`.
+To ensure that authentication only succeeds if PAR is used, use `PushedAuthorizationBehavior.Require`.
+
+This change also introduces a new `OnPushAuthorization` event to `OpenIdConnectEvents` which can be used to customize the pushed authorization request or handle it manually. Refer to the [API proposal](https://github.com/dotnet/aspnetcore/issues/51686) for more details.
 
-**Why it works**: the block quote lets the contributor explain the significance in their own words — more credible than the agent paraphrasing. Then practical: default behavior, how to disable, how to require. Good template for features with security or compliance significance.
+---
+Source: [.NET 9 Preview 7 — ASP.NET Core](../../../../release-notes/9.0/preview/preview7/aspnetcore.md)
+Commentary: Long — community contribution with the contributor's own words explaining significance. Good template for features with security or compliance importance.
+Why it works: The block quote lets the contributor explain the significance — more credible than paraphrasing. Then practical: default behavior, how to disable, how to require.
+
+---
@@ -2,11 +2,7 @@
 
 ## Extension operators
 
-> Source: [.NET 10 Preview 7 — C#](../../../../release-notes/10.0/preview/preview7/csharp.md)
-
-Medium — one sentence of context, then a code block showing the new syntax, then rule bullets. Code-first because the syntax *is* the feature.
-
-> The new extension blocks now include support for *operators*, with the exception of implicit and explicit conversion operators. You can declare operators in extension blocks, as shown in the following example:
+The new extension blocks now include support for *operators*, with the exception of implicit and explicit conversion operators. You can declare operators in extension blocks, as shown in the following example:
 
 ```csharp
 public static class Operators
@@ -22,11 +18,18 @@ public static class Operators
 }
 ```
 
-> Several of the rules for extension operators are demonstrated in the preceding example:
->
-> - At least one of the operands must be the *extended type*, `TElement[]` in the preceding example.
-> - For operators that require pair-wise declarations, such as `==` and `!=`, both operators must be declared in the same static class.
-> - Instance compound assignment operators, and instance increment and decrement operators are expected to mutate the current instance.
-> - Extension operators, like other extension members, can't use the `abstract`, `virtual`, `override`, or `sealed` modifiers.
+Several of the rules for extension operators are demonstrated in the preceding example:
+
+- At least one of the operands must be the *extended type*, `TElement[]` in the preceding example.
+- For operators that require pair-wise declarations, such as `==` and `!=` in the preceding example, both operators must be declared in the same static class. They are not required to be in the same `extension` container.
+- Instance compound assignment operators, and instance increment and decrement operators are expected to mutate the current instance. Therefore reference type parameters must be passed by value and value type parameters must be passed by `ref`. These operators can't be declared when the extended type is an unconstrained type parameter.
+- Extension operators, like other extension members, can't use the `abstract`, `virtual`, `override`, or `sealed` modifiers. This is consistent with other extension members.
+
+Extension members are only considered for overload resolution when no applicable predefined or user defined non-extension members are found.
+
+---
+Source: [.NET 10 Preview 7 — C#](../../../../release-notes/10.0/preview/preview7/csharp.md)
+Commentary: Code-first — one sentence of context, then the syntax, then rule bullets. Language features need to be seen, not just described.
+Why it works: Shows the code immediately. The rule bullets follow naturally as "here's what you need to know." No motivation section needed.
 
-**Why it works**: shows the code immediately — language features need to be seen, not just described. The rule bullets follow naturally as "here's what you need to know." No motivation section needed because C# developers will already understand why extension operators are useful.
+---
@@ -2,13 +2,9 @@
 
 ## Post-Quantum Cryptography Updates
 
-> Source: [.NET 10 Preview 7 — Libraries](../../../../release-notes/10.0/preview/preview7/libraries.md)
+### ML-DSA
 
-Long — subheadings, diff-style before/after, multiple API examples spanning two related features.
-
-> ### ML-DSA
->
-> The `System.Security.Cryptography.MLDsa` class gained ease-of-use updates in this release, allowing some common code patterns to be simplified:
+The `System.Security.Cryptography.MLDsa` class gained ease-of-use updates in this release, allowing some common code patterns to be simplified:
 
 ```diff
 private static byte[] SignData(string privateKeyPath, ReadOnlySpan<byte> data)
@@ -23,7 +19,7 @@ private static byte[] SignData(string privateKeyPath, ReadOnlySpan<byte> data)
 }
 ```
 
-> Additionally, this release added support for HashML-DSA, which we call "PreHash" to help distinguish it from "pure" ML-DSA.
+Additionally, this release added support for HashML-DSA, which we call "PreHash" to help distinguish it from "pure" ML-DSA. As the underlying specification interacts with the Object Identifier (OID) value, the SignPreHash and VerifyPreHash methods on this `[Experimental]` type take the dotted-decimal OID as a string. This may evolve as more scenarios using HashML-DSA become well-defined.
 
 ```csharp
 private static byte[] SignPreHashSha3_256(MLDsa signingKey, ReadOnlySpan<byte> data)
@@ -33,9 +29,9 @@ private static byte[] SignPreHashSha3_256(MLDsa signingKey, ReadOnlySpan<byte> d
 }
 ```
 
-> ### Composite ML-DSA
->
-> This release also introduces new types to support ietf-lamps-pq-composite-sigs (currently at draft 7), and an implementation of the primitive methods for RSA variants.
+### Composite ML-DSA
+
+This release also introduces new types to support ietf-lamps-pq-composite-sigs (currently at draft 7), and an implementation of the primitive methods for RSA variants.
 
 ```csharp
 var algorithm = CompositeMLDsaAlgorithm.MLDsa65WithRSA4096Pss;
@@ -52,4 +48,9 @@ signature[0] ^= 1; // Tamper with signature
 Console.WriteLine(publicKey.VerifyData(data, signature)); // False
 ```
 
-**Why it works**: the `diff` block for ML-DSA immediately shows the simplification — red lines removed, green line added. Subheadings organize related-but-distinct features. The Composite ML-DSA sample is a complete, runnable scenario (generate → sign → verify → tamper → verify-fails).
+---
+Source: [.NET 10 Preview 7 — Libraries](../../../../release-notes/10.0/preview/preview7/libraries.md)
+Commentary: Long — subheadings organize related-but-distinct features. Uses `diff` blocks for API simplification and complete runnable scenarios for new APIs.
+Why it works: The `diff` block immediately shows the simplification (red lines removed, green line added). The Composite ML-DSA sample is a complete scenario (generate → sign → verify → tamper → verify-fails).
+
+---