stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Gaps fill up, fixes, ui restructuring

Browse Source
This commit is contained in:
master
2026-02-19 22:10:54 +02:00
parent b5829dce5c
commit 04cacdca8a
331 changed files with 42859 additions and 2174 deletions
Download Patch File Download Diff File Expand all files Collapse all files

306
docs/qa/issues-report-2026-02-19.md Normal file
View File

@@ -0,0 +1,306 @@
# Stella Ops — QA Issues Report
**Date:** 2026-02-19
**Tester:** Claude Code (Playwright automated walkthrough)
**Stack:** Fresh `docker compose up` from `devops/compose/docker-compose.stella-ops.yml`
**Auth:** `admin` / default credentials
**Base URL:** `https://stella-ops.local/`
**Build:** v1.0.0 (as shown in sidebar footer)
---
## Summary
| Severity | Count |
|----------|-------|
| 🔴 Critical | 1 |
| 🟠 High | 4 |
| 🟡 Medium | 7 |
| 🔵 Low | 6 |
| **Total** | **18** |
---
## 🔴 Critical
### ISSUE-001 — All v2 navigation routes redirect to home (`/`)
**Pages:** `/release-control/*`, `/security-risk/*`, `/evidence-audit/*`, `/platform-ops/*`, `/administration/*`, `/dashboard`
**Reproduction:** Navigate to any of the 22+ new v2 IA routes introduced in SPRINT_20260218_006016.
**Observed:** Every route silently redirects to `/` (Control Plane dashboard). No 404, no error — just home.
**Expected:** Each route renders its designated v2 component.
**Impact:** The entire v2 information architecture (Release Control, Security & Risk, Evidence & Audit, Platform Ops, Administration, Dashboard v3) is inaccessible. Only the old v1 routes work.
**Notes:** This is the primary blocker for SPRINT_20260218 sprint delivery. The new sidebar components exist in source but the routes are not wired to the deployed build. The `/integrations` route is the only v2-era route that partially works.
**Affected routes tested:**
```
/release-control → / (Control Plane)
/release-control/releases → /
/release-control/approvals → /
/release-control/environments→ /
/release-control/bundles → /
/release-control/promotions → /
/release-control/runs → /
/security-risk → /
/security-risk/findings → /
/security-risk/advisory-sources → /
/security-risk/vulnerabilities → /
/evidence-audit → /
/evidence-audit/packs → /
/evidence-audit/proofs → /
/evidence-audit/audit → /
/platform-ops → /
/platform-ops/health → /
/platform-ops/feeds → /
/administration → /
/administration/identity-access → /
/administration/policy-governance → /
/dashboard → /
```
---
## 🟠 High
### ISSUE-002 — Integration Hub (`/integrations`) fires 10 API errors on load
**Page:** `https://stella-ops.local/integrations`
**Reproduction:** Navigate to `/integrations`.
**Observed:** Page loads visually (shows Integration Hub with all category counts as 0) but generates 10 console errors:
```
Failed to load resource: server responded with an error
/api/v1/integrations?type=0&pageSize=1
/api/v1/integrations?type=1&pageSize=1
/api/v1/integrations?type=2&pageSize=1
/api/v1/integrations?type=3&pageSize=1
/api/v1/integrations?type=4&pageSize=1
(plus 5x "ERROR N @ chunk-2UEM7CYT.js:3")
```
**Expected:** API calls succeed; summary counts reflect actual integration state (the old `/settings/integrations` shows 8 integrations with seed data).
**Impact:** The v2 Integration Hub is broken — all counts show 0 and the "Recent Activity" section shows a placeholder ("Integration activity timeline coming soon…"). Users cannot use this page.
**Note:** `/settings/integrations` works correctly (8 integrations shown). The backend API endpoint `/api/v1/integrations` may not be connected to the integrations service.
---
### ISSUE-003 — After creating a release, redirects to orphaned route `/release-orchestrator/releases`
**Page:** `/releases/create`
**Reproduction:** Create a release through the 3-step wizard → click "Create Release" on step 3.
**Observed:** After submit, browser navigates to `/release-orchestrator/releases`.
**Expected:** Should navigate to `/releases` (the current releases list route).
**Impact:** The post-create redirect lands on an old route that no longer exists in the sidebar IA and was renamed. The URL works (Angular handles it), but it's a stale reference that will break when the old route aliases are removed during the v2 cutover (SPRINT_20260218_016).
---
### ISSUE-004 — Identity & Access (`/settings/admin`) shows "No users found" with admin logged in
**Page:** `https://stella-ops.local/settings/admin`
**Reproduction:** Navigate to Settings → Identity & Access → Users tab.
**Observed:** "No users found" message shown even though the `admin` user is currently authenticated.
**Expected:** At minimum the `admin` user should appear in the user list.
**Impact:** Administrators cannot view or manage users from this page. User management is effectively broken.
**Screenshot context:** Bootstrap admin email is `admin@unknown.local` (possibly indicating the user was seeded without persisting to the listing query).
---
### ISSUE-005 — Approvals badge count (3) does not match Pending filter results (2)
**Page:** `/approvals`
**Reproduction:** Observe sidebar badge → click through to Approvals page → filter defaults to "Pending" status.
**Observed:**
- Sidebar badge: **3 pending**
- Pending filter: **Results (2)**
- All filter: **Results (4)**
**Expected:** Badge should equal the "Pending" filtered count. The badge logic and the pending query are sourced differently.
**Impact:** Misleading count for approvers — could cause someone to think they've missed an item or search for a non-existent third pending approval.
---
## 🟡 Medium
### ISSUE-006 — Platform Health shows "NaNms" P95 latency and "/" service count
**Page:** `https://stella-ops.local/operations/health`
**Reproduction:** Navigate to Operations → Platform Health.
**Observed:**
- "Avg Latency **NaNms** — P95 across services"
- "Services **/** Healthy" (shows a bare `/` instead of a number)
- "No services available in current snapshot"
- "Dependencies: 0 nodes · 0 connections"
**Expected:** Should show either real service health data or a meaningful empty state ("No health data available yet" with guidance).
**Impact:** The health dashboard is completely non-functional on a fresh install. The NaN renders because it divides by zero services. The "/" is a formatting bug where a fraction like "0/0" is rendered without the surrounding numbers.
---
### ISSUE-007 — Approve button on Approvals list has no confirmation step
**Page:** `/approvals`
**Reproduction:** On the approvals list, click "Approve" directly on any approval card.
**Observed:** No confirmation dialog, modal, or reason input appears. The action fires silently (or may silently fail — no success/error toast was observed).
**Expected:** A confirmation dialog or inline form should appear asking for a decision reason, especially since approvals are policy-gated actions that must produce signed evidence.
**Impact:** Accidental approvals are possible with a single click. Audit trail for the decision reason is missing if no reason is captured.
---
### ISSUE-008 — SBOM Graph is a placeholder: "not yet available in this build"
**Page:** `https://stella-ops.local/security/sbom`
**Reproduction:** Navigate to Security → SBOM Graph.
**Observed:** Page renders with heading "SBOM Graph" and single message: "SBOM graph visualization is not yet available in this build."
**Expected:** SBOM dependency graph visualization.
**Impact:** Feature is advertised in navigation but completely unimplemented in the deployed build.
---
### ISSUE-009 — Vulnerabilities page is a placeholder: "pending data integration"
**Page:** `https://stella-ops.local/security/vulnerabilities`
**Reproduction:** Navigate to Security → Vulnerabilities.
**Observed:** Page renders with heading "Vulnerabilities" and message: "Vulnerability list is pending data integration."
**Expected:** Vulnerability explorer with CVE list, filters, and triage actions.
**Impact:** Feature is advertised in navigation but has no functional content.
---
### ISSUE-010 — Promote button on a deployed release does nothing
**Page:** `/releases/rel-001` (Platform Release 1.2.3 — DEPLOYED)
**Reproduction:** Click the "Promote" button on a deployed release detail page.
**Observed:** No navigation, no modal, no drawer — the page stays unchanged.
**Expected:** A promotion dialog or navigation to the promotion wizard.
**Impact:** Users cannot initiate a promotion from the release detail page — a core workflow action is broken.
---
### ISSUE-011 — Security sub-pages carry wrong `<title>`: "Security Overview - StellaOps"
**Pages affected:**
- `/security/findings` → title: "Security Overview - StellaOps"
- `/security/vex` → title: "Security Overview - StellaOps"
- `/security/sbom` → title: "Security Overview - StellaOps"
**Expected:** Each page should have its own title, e.g. "Security Findings - StellaOps", "VEX Hub - StellaOps".
**Impact:** Browser tabs, bookmarks, and screen-reader announcements all say "Security Overview" regardless of which security sub-page is open. Causes confusion and breaks accessibility.
---
### ISSUE-012 — Integration Hub "Recent Activity" is a permanent placeholder
**Page:** `https://stella-ops.local/integrations`
**Observed:** "Integration activity timeline coming soon…" italic placeholder text under Recent Activity heading.
**Expected:** Activity timeline showing integration sync events, errors, and status changes.
**Impact:** The activity view the section promises is not implemented.
---
## 🔵 Low
### ISSUE-013 — Many pages have generic `<title>` "StellaOps" (no page context)
**Pages affected:**
| Route | Title |
|-------|-------|
| `/security/vulnerabilities` | StellaOps |
| `/evidence/proof-chains` | StellaOps |
| `/evidence/replay` | StellaOps |
| `/evidence/export` | StellaOps |
| `/operations/orchestrator` | StellaOps |
| `/settings/integrations` | StellaOps |
| `/settings/release-control` | StellaOps |
| `/settings/security-data` | StellaOps |
| `/settings/admin` | StellaOps |
| `/settings/system` | StellaOps |
**Expected:** `<Page Name> - StellaOps`
**Impact:** Browser tabs are undifferentiable, bookmarks are unlabelled, screen readers announce the wrong page context. This likely affects all pages whose route modules don't call Angular's `Title` service.
---
### ISSUE-014 — Release detail breadcrumb references old "Release Orchestrator" path
**Page:** `/releases/rel-001`
**Observed:** Breadcrumb reads: `Release Orchestrator / Releases / Platform Release 1.2.3`
**Links to:** `/release-orchestrator` and `/release-orchestrator/releases`
**Expected:** `Releases / Platform Release 1.2.3` (linking to `/releases`)
**Impact:** Clicking the breadcrumb links navigates to old route aliases that will be removed at v2 cutover. Low impact now; will become a broken link after SPRINT_20260218_016.
---
### ISSUE-015 — Evidence Proof Chains page shows error state on load with no input
**Page:** `https://stella-ops.local/evidence/proof-chains`
**Observed:** Page immediately shows "Subject digest is required — Retry" with no input field offered.
**Expected:** An empty state with a search or input field to enter a subject digest; error should only appear after a failed search.
**Impact:** Page is confusing on first load — appears broken but is just waiting for a digest input that it never prompts for.
---
### ISSUE-016 — `/evidence` redirects to `/evidence/bundles` (not to Packets)
**Page:** Navigate to `/evidence` (from Evidence nav button).
**Observed:** Redirects to `/evidence/bundles` — heading "Evidence Bundles".
**Expected per sidebar label:** "Packets" (sidebar link text) — `/evidence` should land on Evidence Packets, not Evidence Bundles. The sub-page URL `/evidence/bundles` is not in the sidebar nav.
**Impact:** Minor navigation inconsistency — sidebar says "Packets", page says "Bundles", route says "bundles". Naming is not aligned.
---
### ISSUE-017 — Scheduler nav link lands on `/operations/scheduler/runs` not `/operations/scheduler`
**Page:** Click Operations → Scheduler in the sidebar.
**Observed:** Navigates to `/operations/scheduler/runs`.
**Expected:** `/operations/scheduler` (the root scheduler page) with the runs as a sub-view.
**Impact:** Minor — the redirect is functional but means the scheduler root route appears to have no direct landing page.
---
### ISSUE-018 — `/settings/admin` is labeled "Identity & Access" in sidebar but Settings section uses "Identity & Access" inconsistently
**Page:** Settings group in sidebar.
**Observed:** The Settings sidebar link for the admin page reads "Identity & Access", which is correct — but the page was also previously accessible at the legacy path `/settings/admin`. The link in the sidebar still uses `/settings/admin` (the implementation path) rather than a semantic path like `/settings/identity`.
**Impact:** Minor URL semantics issue; the path exposes an internal implementation name (`admin`) rather than the user-facing label (`identity-access`).
---
## Pages Verified — No Issues
| Page | URL | Status |
|------|-----|--------|
| Welcome / Sign In | `/welcome` | ✅ |
| Control Plane Dashboard | `/` | ✅ |
| Releases List | `/releases` | ✅ |
| Release Detail | `/releases/rel-001` | ✅ (Promote broken, see ISSUE-010) |
| Approvals List | `/approvals` | ✅ (count mismatch, see ISSUE-005) |
| Approval Detail | `/approvals/apr-001` | ✅ |
| Security Overview | `/security/overview` | ✅ |
| Security Findings | `/security/findings` | ✅ |
| Security VEX Hub | `/security/vex` | ✅ |
| Security Exceptions | `/security/exceptions` | ✅ |
| SBOM Lake | `/analytics/sbom-lake` | ✅ |
| Evidence Bundles | `/evidence/bundles` | ✅ |
| Verdict Replay | `/evidence/replay` | ✅ |
| Export Center | `/evidence/export` | ✅ |
| Orchestrator Dashboard | `/operations/orchestrator` | ✅ |
| Scheduler Runs | `/operations/scheduler/runs` | ✅ |
| Quota Dashboard | `/operations/quotas` | ✅ |
| Dead-Letter Queue | `/operations/dead-letter` | ✅ |
| Feed Mirror & AirGap | `/operations/feeds` | ✅ |
| Integrations (legacy) | `/settings/integrations` | ✅ |
| Integrations SCM | `/integrations/scm` | ✅ |
| Integrations Registries | `/integrations/registries` | ✅ |
| Integration Detail | `/settings/integrations/jenkins-1` | ✅ |
| Integration Onboarding | `/integrations/onboarding/registry` | ✅ |
| Release Control Settings | `/settings/release-control` | ✅ |
| Trust & Signing | `/settings/trust` | ✅ |
| Security Data | `/settings/security-data` | ✅ |
| Tenant / Branding | `/settings/branding` | ✅ |
| Usage & Limits | `/settings/usage` | ✅ |
| Notifications | `/settings/notifications` | ✅ |
| Policy Governance | `/settings/policy` | ✅ |
| System | `/settings/system` | ✅ |
| Create Release Wizard (3 steps) | `/releases/create` | ✅ (redirect bug, see ISSUE-003) |
---
## Actions Verified
| Action | Result |
|--------|--------|
| Sign In (OAuth/OIDC) | ✅ Works |
| Global Search (type "hotfix") | ✅ Inline results shown |
| Sidebar expand/collapse all sections | ✅ Works |
| Release list filter by status/environment | ✅ Works |
| Release detail Timeline tab | ✅ Works |
| Approval list filter by Status/Environment | ✅ Works |
| Approval detail Explain gate | ✅ Opens explanation |
| Approval detail Add Comment | ✅ Comment saved |
| Create Release wizard (3 steps) | ✅ Completes (bad redirect after) |
| Export CSV (Findings) | ✅ Button present |
| Add Integration (opens onboarding) | ✅ Navigates to onboarding |
| User menu (Profile / Settings / Sign out) | ✅ All present |
---
## Environment Notes
- Fresh install with no scan data → all security counters (CVE counts, SBOM, reachability) are zero. Zero counts are **expected**, not bugs.
- Seed data is present for: Releases (5), Approvals (4), Integrations (8), and some environmental data.
- Several services reported `unhealthy` in Docker (`stellaops-signals`, `stellaops-smremote`, `stellaops-advisory-ai-worker`, etc.) — these backend health states may explain some of the data gaps (Platform Health no snapshot, Integration Hub API failures).