Change dashboard API to default to off

[JamesNK]

Description

Change the dashboard Telemetry API to default to disabled (false) instead of enabled.

Previously, the Api.Enabled option defaulted to true when not explicitly configured. This change flips the default so the API endpoints (/api/telemetry/*) are not registered unless the user explicitly opts in by setting Api.Enabled = true.

Key changes:

• Updated ApiOptions.Enabled default from true to false in documentation and behavior.
• Changed null-coalescing logic to use GetValueOrDefault() (which returns false for null) instead of == false/== true checks.
• Updated integration test helpers to explicitly enable the API so existing tests continue to pass.
• Added a new ApiEnabled_ReturnsExpectedStatusAndWarning theory test covering null, true, and false scenarios.
• Removed the now-redundant GetSpans_ApiDisabled_Returns404 test (covered by the new theory).

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
  • No
• Does the change require an update in our Aspire docs?
  • Yes
    • Link to aspire.dev issue:
      • New issue
  • No

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15154

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15154"

[Copilot]

Pull request overview

This PR changes the Dashboard Telemetry API to default to disabled so /api/telemetry/* endpoints are only registered when users explicitly opt in.

Changes:

• Flip API enablement checks to treat Api.Enabled == null as disabled via GetValueOrDefault().
• Update docs/comments to reflect the new default (false).
• Update integration tests/helpers to explicitly enable the API by default and add coverage for null/true/false enablement.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/Aspire.Dashboard.Tests/Integration/TelemetryApiTests.cs	Removes redundant disabled-API test now covered elsewhere.
tests/Aspire.Dashboard.Tests/Integration/StartupTests.cs	Adds theory test covering enabled null/true/false and warning behavior.
tests/Aspire.Dashboard.Tests/Integration/IntegrationTestHelpers.cs	Forces API enabled in default test configuration to keep existing tests working.
src/Aspire.Dashboard/DashboardWebApplication.cs	Updates unsecured API warning gate to treat null as disabled.
src/Aspire.Dashboard/DashboardEndpointsBuilder.cs	Updates endpoint mapping gate to treat null as disabled and adjusts comment.
src/Aspire.Dashboard/Configuration/DashboardOptions.cs	Updates XML doc to state API defaults to disabled.
src/Aspire.Dashboard/Components/Layout/MainLayout.razor.cs	Updates UI warning gate to treat null as disabled.

[github-actions]

🎬 CLI E2E Test Recordings

The following terminal recordings are available for commit aaa86f4:

Test	Recording
AddPackageInteractiveWhileAppHostRunningDetached	▶️ View Recording
AddPackageWhileAppHostRunningDetached	▶️ View Recording
AgentCommands_AllHelpOutputs_AreCorrect	▶️ View Recording
AgentInitCommand_DefaultSelection_InstallsSkillOnly	▶️ View Recording
AgentInitCommand_MigratesDeprecatedConfig	▶️ View Recording
AspireAddPackageVersionToDirectoryPackagesProps	▶️ View Recording
AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps	▶️ View Recording
Banner_DisplayedOnFirstRun	▶️ View Recording
Banner_DisplayedWithExplicitFlag	▶️ View Recording
CreateAndDeployToDockerCompose	▶️ View Recording
CreateAndDeployToDockerComposeInteractive	▶️ View Recording
CreateAndPublishToKubernetes	▶️ View Recording
CreateAndRunAspireStarterProject	▶️ View Recording
CreateAndRunAspireStarterProjectWithBundle	▶️ View Recording
CreateAndRunJsReactProject	▶️ View Recording
CreateAndRunPythonReactProject	▶️ View Recording
CreateAndRunTypeScriptStarterProject	▶️ View Recording
CreateEmptyAppHostProject	▶️ View Recording
CreateStartAndStopAspireProject	▶️ View Recording
CreateTypeScriptAppHostWithViteApp	▶️ View Recording
DescribeCommandResolvesReplicaNames	▶️ View Recording
DescribeCommandShowsRunningResources	▶️ View Recording
DetachFormatJsonProducesValidJson	▶️ View Recording
DoctorCommand_DetectsDeprecatedAgentConfig	▶️ View Recording
DoctorCommand_WithSslCertDir_ShowsTrusted	▶️ View Recording
DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted	▶️ View Recording
LogsCommandShowsResourceLogs	▶️ View Recording
PsCommandListsRunningAppHost	▶️ View Recording
PsFormatJsonOutputsOnlyJsonToStdout	▶️ View Recording
RestoreGeneratesSdkFiles	▶️ View Recording
RunWithMissingAwaitShowsHelpfulError	▶️ View Recording
SecretCrudOnDotNetAppHost	▶️ View Recording
SecretCrudOnTypeScriptAppHost	▶️ View Recording
StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels	▶️ View Recording
StopAllAppHostsFromAppHostDirectory	▶️ View Recording
StopAllAppHostsFromUnrelatedDirectory	▶️ View Recording
StopNonInteractiveMultipleAppHostsShowsError	▶️ View Recording
StopNonInteractiveSingleAppHost	▶️ View Recording
StopWithNoRunningAppHostExitsSuccessfully	▶️ View Recording
TypeScriptAppHostWithProjectReferenceIntegration	▶️ View Recording

---

_{📹 Recordings uploaded automatically from CI run #22985573073}

[mitchdenny]

LGTM! Clean, security-positive change with good test coverage.

Nit (non-blocking): The new field DashboardApiEnabledEnvName breaks the naming convention of all other ConfigName fields, which consistently use just a Name suffix (e.g., DashboardAIDisabledName, DashboardFrontendUrlName). The "Env" infix was needed to avoid colliding with the pre-existing DashboardApiEnabledName, but it reads a bit inconsistently. Something like DashboardAspireApiEnabledName might better convey what distinguishes it (the ASPIRE_-prefixed env var path vs the binding-style path).

[github-actions]

The transient CI rerun workflow requested reruns for the following jobs after analyzing the failed attempt.
GitHub's job rerun API also reruns dependent jobs, so the retry is being tracked in the rerun attempt.
The job links below point to the failed attempt that matched the retry-safe transient failure rules.

• Tests / Hosting.JavaScript / Hosting.JavaScript (ubuntu-latest) - Ignored failed step 'Build test project' matched the feed network failure override allowlist.