save checkpoint

2026-02-07 12:44:24 +02:00
parent 9339a8952c
commit 04360dff63
789 changed files with 39719 additions and 31710 deletions
--- a/docs/FEATURE_MATRIX.md
+++ b/docs/FEATURE_MATRIX.md
@@ -657,4 +657,98 @@

 ---

-*Last updated: 17 Jan 2026 (rev 6.0 - All features available across all tiers)*
+*Last updated: 6 Feb 2026 (rev 6.1 - Web UI Validation Results added)*
+
+---
+
+## Web UI Validation Results (6 Feb 2026)
+
+*Systematic Playwright-based validation of all Web UI routes and features. Sprint: SPRINT_20260206_021.*
+
+### Validation Summary
+
+| Metric | Count |
+|--------|-------|
+| Total routes tested | 76+ |
+| PASS | 66 |
+| FAIL (missing API) | 2 |
+| GUARD-BLOCKED (scope) | 2 |
+| PLACEHOLDER (no content) | 4 |
+| UNTESTABLE (nav issue) | 3 |
+
+### Bugs Found
+
+| ID | Severity | Status | Summary |
+|----|----------|--------|---------|
+| BUG-001 | Medium | Feature Gap | Auth state lost on page reload (in-memory tokens, no silent refresh) |
+| BUG-002 | High | FIXED | OAuth scope expanded from 4 to 21 scopes in PlatformServiceOptions.cs + config.json |
+| BUG-003 | High | FIXED | Added nginx reverse proxy to Dockerfile.console (7 proxy locations). Eliminates CORS. |
+| BUG-004 | Low | Backend | /api/v1/sources endpoint returns 404 |
+| BUG-005 | Medium | FIXED | Dark mode toggle hang (CSS `*` selector caused layout thrashing) |
+| BUG-006 | Medium | FIXED | Doubled API path `/api/api/v1/...` in 3 HTTP clients (removed extra `/api` prefix) |
+
+### Feature Area Validation Status
+
+| Feature Area | Routes Tested | Status | Notes |
+|-------------|---------------|--------|-------|
+| Control Plane Dashboard | 1 | PASS | 4 environments, approvals, deployments, releases |
+| OAuth2/OIDC Auth | 2 | PASS | PKCE flow works; SSO session remembered |
+| Navigation (5 dropdowns) | 1 | PASS | 40+ menu items across Analyze/Triage/Ops |
+| Findings (Diff View) | 2 | PASS | Three-panel layout, verification bar |
+| Vulnerability Explorer | 2 | PASS | 10 vulns, reachability, exceptions |
+| Triage Workspace | 3 | PASS | 6 artifacts, severity, attestations |
+| Approvals | 1 | PASS | 3 pending, gate evaluation chips |
+| Notifications | 1 | PASS* | UI renders; API blocked by CORS (BUG-003) |
+| Lineage | 1 | PASS | Graph controls render; no data |
+| Reachability Center | 1 | PASS | 3 assets, coverage %, sensor counts |
+| VEX Hub | 1 | PASS | 15,234 statements, 5 source types |
+| Security Overview | 1 | PASS | Severity cards, findings, VEX coverage |
+| Release Orchestrator | 2 | PASS/FAIL | Dashboard PASS; detail 404 |
+| Settings Hub (10 pages) | 10 | PASS | Integrations, Trust, Admin, Policy, etc. |
+| Policy Studio | 1 | PASS | Pack workspace renders |
+| Policy Governance | 1 | PASS | 9 tabs (budget, weights, staleness, etc.) |
+| Policy Simulation | 1 | PASS | Shadow mode, promotion workflow |
+| AOC Compliance | 1 | PASS | Guard violations, provenance, ingestion flow |
+| SLO Monitoring | 1 | PASS | SLO table, filters, search |
+| Offline Kit | 1 | PASS | Bundle freshness, 8 features, offline mode |
+| Scanner Ops | 1 | PASS | 3 kits, 5 baselines, 11 analyzers |
+| Doctor Diagnostics | 1 | PASS | Quick/Normal/Full checks, categories |
+| Agent Fleet | 1 | PASS | WebSocket real-time, grid/list views |
+| Evidence Bundles | 1 | PASS | 2 bundles, status badges |
+| Evidence Packs | 1 | PASS* | Renders; CORS on gateway API |
+| AI Runs | 1 | PASS* | 7 status filters; CORS on gateway API |
+| Scheduler | 1 | PASS | 4 runs, status filters |
+| Integration Hub | 1 | PASS | 5 categories, add integration |
+| Registry Token Service | 1 | PASS | Plans, audit log |
+| Audit Log (Unified) | 1 | PASS | Policy, authority, VEX audit |
+| Quota Dashboard | 1 | PASS | Consumption, forecast, throttle |
+| Dead-Letter Queue | 1 | PASS | 10 error types, queue browser |
+| Feed Mirror & AirGap | 1 | PASS | 6 feeds (NVD/GHSA/OVAL/OSV/EPSS/KEV) |
+| Console (Status/Config) | 3 | PASS | Queue lag, 4 integrations, tenants |
+| Change Trace | 1 | PASS | File load/export, empty state |
+| Dark Mode | 1 | PASS | Light/Dark/System instant toggle |
+| SBOM Diff | 1 | PLACEHOLDER | Breadcrumb only, no content |
+| VEX Timeline | 1 | PLACEHOLDER | Breadcrumb only, no content |
+| Developer Workspace | 1 | PLACEHOLDER | Breadcrumb only, no content |
+| Auditor Workspace | 1 | PLACEHOLDER | Breadcrumb only, no content |
+| Analytics | 1 | BLOCKED→FIXED | Guard requires analytics:read scope (BUG-002 FIXED in source) |
+| SBOM Sources | 1 | FAIL | API 404 (BUG-004) |
+
+### Interactive Workflow Validation (Batch 4, 6 Feb 2026)
+
+| Workflow | Status | Notes |
+|----------|--------|-------|
+| Setup Wizard (multi-step) | PASS | URL input, Connect, error recovery, Advanced Settings JSON editor |
+| Approval Queue (list+filters) | PASS | 3 pending items, status/env dropdowns, search, evidence badges |
+| Approval Detail (error handling) | PASS | Graceful "not found" with Back to Queue |
+| Dark Mode Toggle | PASS | BUG-005 fix re-confirmed: instant theme switch |
+| Doctor Diagnostics (UI) | PASS | 3 check modes, severity filters, categories, empty state |
+| Triage Artifact List (sort/filter) | PASS | Search, env filter, column sort all functional |
+| Triage Detail (evidence) | PASS | 5 CVEs, 7 evidence chips, 6 tabs, verification bar |
+| VEX Decision Drawer | PASS | Status/reason/notes form with validation |
+| Evidence Tabs (Reachability) | PASS | Score 0.95, Paths/Graph/Proof toggle |
+| Evidence Tabs (Attestations) | PASS | VULN_SCAN attestation table with View button |
+
+**Total validated: 94+ pages/routes/workflows across 4 batches.**
+
+*PASS\* = UI renders correctly but API calls failed due to CORS (BUG-003, now FIXED — requires container rebuild)*