stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(findings): close VulnExplorer -> Ledger merger and archive sprints

Browse Source 
Closes SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge via Option B:

- Phase 1 (VXPM-001..005) marked OBSOLETE. The separate vulnexplorer
  schema was superseded by commit 6b15d9827 (direct merger into Findings
  Ledger); there is no separate Postgres schema to build.
- Phase 2 corrections: VXLM-003/004/005 flipped to DONE. The adapter
  ConcurrentDictionary pattern is accepted as the VXLM-003 closure — these
  are read-side projections over Ledger events; durability comes from the
  append-only event log, not from the adapter. Two follow-ups logged in
  Decisions & Risks (FOLLOW-A: write-through Ledger event emission;
  FOLLOW-B: /api/v1/vulnerabilities gateway route alignment).
- Deletes stale VulnExplorer project trees:
  - src/Findings/StellaOps.VulnExplorer.Api/ (entire service)
  - src/Findings/StellaOps.VulnExplorer.WebService/ (shell + migrated contracts)
  - src/Findings/__Tests/StellaOps.VulnExplorer.Api.Tests/ (tests targeted
    SampleData IDs that no longer exist under Ledger)
  - src/Findings/StellaOps.Findings.Ledger.WebService/Services/
    VulnExplorerRepositories.cs (33-line placeholder with a misleading
    header comment; the actual Postgres path was never wired)
- Updates StellaOps.sln and Findings.sln to drop the removed project GUIDs
  and their 24 configuration entries. dotnet build
  src/Findings/StellaOps.Findings.sln passes 0 warnings / 0 errors.

Also archives the 4 previously-closed sprints:
- SPRINT_20260408_002 Findings VulnExplorer merger (above)
- SPRINT_20260410_001 Web runtime no-mocks (21/21 tasks done via earlier
  Postgres persistence commits)
- SPRINT_20260413_002 Integrations GitLab bootstrap automation
- SPRINT_20260413_003 Web UI-driven local setup rerun
- SPRINT_20260413_004 Platform UI-only setup bootstrap closure

Active sprints reduced to 2: SPRINT_20260408_004 Timeline unified audit
sink (15-25hr breadth work) and SPRINT_20260408_005 Audit endpoint filters
deprecation (mandatory 30/90-day verification windows).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-15 11:26:32 +03:00
parent a6a7e0a134
commit 07e227fdb7
30 changed files with 0 additions and 3693 deletions
Download Patch File Download Diff File Expand all files Collapse all files

575
docs-archived/implplan/SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge.md Normal file
View File

@@ -0,0 +1,575 @@
# Sprint 20260408-002 - VulnExplorer Persistence Migration + Merge into Findings Ledger
## Topic & Scope
- Two-phase plan: first migrate VulnExplorer from in-memory ConcurrentDictionary stores to Postgres, then merge it into the Findings Ledger WebService.
- Phase 1 (Sprint 1) eliminates all in-memory data stores and SampleData in VulnExplorer by introducing a persistence layer with SQL migrations, while VulnExplorer continues to run as its own service. This makes the data durable and tests the schema before the merge.
- Phase 2 (Sprint 2) moves VulnExplorer's endpoint surface into Ledger WebService as projections, wires VEX decisions and fix verifications as Ledger event types, removes the VulnExplorer container, and updates all consumers.
- Working directory: `src/Findings/`
- Expected evidence: all VulnExplorer endpoints backed by Postgres (Phase 1), then accessible via Ledger WebService with no separate container (Phase 2), existing tests pass, new integration tests cover persistence and merged endpoints.
## Analysis Summary (Decision Record)
### Why two phases instead of one
The original single-sprint plan assumed VulnExplorer's in-memory stores could be directly replaced by Ledger projections in one step. However:
1. VulnExplorer has five distinct in-memory stores (`SampleData`, `VexDecisionStore`, `FixVerificationStore`, `AuditBundleStore`, `EvidenceSubgraphStore`) with ConcurrentDictionary-based state and complex business logic (VEX override attestation flow, fix verification state machine, audit bundle aggregation).
2. Migrating persistence and merging service boundaries simultaneously creates too many failure modes -- schema issues mask merge issues and vice versa.
3. Phase 1 gives us a working VulnExplorer with real Postgres persistence that can be validated independently before the merge destabilizes routing and API contracts.
4. Phase 1 also validates the data model against the Ledger schema, ensuring the Phase 2 projection mapping is sound.
### Store-to-persistence mapping
| VulnExplorer Store | Phase 1 (Own Tables) | Phase 2 (Ledger Equivalent) |
|---|---|---|
| `SampleData` (VulnSummary/VulnDetail) | `vulnexplorer.vulnerabilities` table | `findings_projection` table + `VulnerabilityDetailService` + `FindingSummaryService` |
| `VexDecisionStore` | `vulnexplorer.vex_decisions` table | Ledger events (`finding.vex_decision_created/updated`) + `observations` table + `ledger_attestation_pointers` |
| `FixVerificationStore` | `vulnexplorer.fix_verifications` table | Ledger events (`finding.fix_verification_created/updated`) + `observations` table |
| `AuditBundleStore` | `vulnexplorer.audit_bundles` table | `EvidenceBundleService` + `OrchestratorExportService` |
| `EvidenceSubgraphStore` | Delegates to `EvidenceGraphBuilder` via HTTP/internal call | `EvidenceGraphBuilder` + `EvidenceGraphEndpoints` (real persistence-backed graph) |
### Key codebase facts informing this plan
**In-memory stores identified (all `ConcurrentDictionary`):**
- `VexDecisionStore` (`src/Findings/StellaOps.VulnExplorer.Api/Data/VexDecisionStore.cs`) -- 244 lines, includes `CreateWithAttestationAsync`/`UpdateWithAttestationAsync` with `IVexOverrideAttestorClient` integration
- `FixVerificationStore` (`src/Findings/StellaOps.VulnExplorer.Api/Data/TriageWorkflowStores.cs`) -- state machine with transitions
- `AuditBundleStore` (same file) -- sequential ID generation, evidence ref aggregation
- `EvidenceSubgraphStore` (same file) -- returns hardcoded graph structure
- `SampleData` (`src/Findings/StellaOps.VulnExplorer.Api/Data/SampleData.cs`) -- two hardcoded VulnSummary/VulnDetail records
**UI consumers (must preserve API shape):**
- `src/Web/StellaOps.Web/src/app/core/api/vex-decisions.client.ts` -- calls `GET/POST/PATCH /v1/vex-decisions` via `VEX_DECISIONS_API_BASE_URL`
- `src/Web/StellaOps.Web/src/app/core/api/audit-bundles.client.ts` -- calls `GET/POST /v1/audit-bundles` via `AUDIT_BUNDLES_API_BASE_URL`
- `src/Web/StellaOps.Web/src/app/features/vuln-explorer/services/evidence-subgraph.service.ts` -- calls `/api/vuln-explorer/findings/{id}/evidence-subgraph`
- `src/Web/StellaOps.Web/src/app/features/triage/services/vulnerability-list.service.ts` -- calls `/api/v1/vulnerabilities`
- `src/Web/StellaOps.Web/src/app/features/vulnerabilities/vulnerability-detail.component.ts` -- consumes VulnExplorer data
- `src/Web/StellaOps.Web/src/tests/vuln_explorer/` -- behavioral specs for evidence tree and filter presets
- `src/Web/StellaOps.Web/tests/e2e/triage-explainability-workspace.spec.ts` -- E2E test
**Cross-service consumers:**
- `src/VexLens/StellaOps.VexLens/Integration/IVulnExplorerIntegration` + `VulnExplorerIntegration` -- VexLens enriches vulnerabilities with VEX consensus data via this interface
- `src/Concelier/StellaOps.Concelier.Core/Diagnostics/VulnExplorerTelemetry.cs` -- telemetry meter `StellaOps.Concelier.VulnExplorer` for advisory processing metrics
- `src/Concelier/StellaOps.Concelier.WebService/Program.cs` -- calls `VulnExplorerTelemetry` methods during advisory ingest
- `src/Authority/StellaOps.Auth.Abstractions/StellaOpsServiceIdentities.cs` -- defines `VulnExplorer = "vuln-explorer"` service identity
**Infrastructure references (Phase 2 removal scope):**
- `devops/compose/docker-compose.stella-ops.yml` -- vulnexplorer container with alias `vulnexplorer.stella-ops.local`
- `devops/compose/docker-compose.stella-services.yml` -- vulnexplorer service definition, `Router__Messaging__ConsumerGroup: "vulnexplorer"`
- `devops/compose/router-gateway-local.json` -- route `^/api/vuln-explorer(.*)` -> `http://vulnexplorer.stella-ops.local/api/vuln-explorer$1`
- `devops/compose/envsettings-override.json` -- `apiBaseUrls.vulnexplorer`
- `devops/compose/hosts.stellaops.local` -- hostname entry
- `devops/helm/stellaops/values.yaml` -- no vulnexplorer entry found (Helm clean)
- `devops/helm/stellaops/templates/vuln-mock.yaml` -- mock deployment template
**Documentation references:**
- `docs/technical/architecture/webservice-catalog.md`
- `docs/technical/architecture/port-registry.md`
- `docs/technical/architecture/component-map.md`
- `docs/technical/architecture/module-matrix.md`
- `docs/modules/findings-ledger/README.md`
- `docs/modules/web/README.md`
- `docs/modules/ui/README.md`
- `docs/modules/ui/architecture.md`
- `docs/modules/ui/component-preservation-map/` (dead components under `vuln-explorer/`)
- `docs/modules/vex-lens/guides/explorer-integration.md`
- `docs/modules/authority/AUTHORITY.md`
- `docs/API_CLI_REFERENCE.md`
- `docs/features/checked/vulnexplorer/vulnexplorer-triage-api.md`
- `docs/features/checked/web/vuln-explorer-with-evidence-tree-and-citation-links.md`
- `docs/features/checked/web/filter-preset-pills-with-url-synchronization.md`
- `docs/operations/runbooks/vuln-ops.md`
- `docs/qa/feature-checks/state/vulnexplorer.json`
- `docs/dev/DEV_ENVIRONMENT_SETUP.md`
- `docs/dev/SOLUTION_BUILD_GUIDE.md`
**Existing test projects:**
- `src/Findings/__Tests/StellaOps.VulnExplorer.Api.Tests/` -- `VulnApiTests.cs` (4 unit tests), `VulnExplorerTriageApiE2ETests.cs` (5 integration tests covering VEX decisions, attestation, evidence subgraph, fix verification, audit bundles)
## Dependencies & Concurrency
- No upstream sprint dependencies.
- The VEX override attestation flow depends on `IVexOverrideAttestorClient` which calls the Attestor service -- this integration is preserved as-is in both phases.
- Phase 1 tasks (VXPM-*) can run in parallel: VXPM-001/002/003 are independent. VXPM-004 depends on all three. VXPM-005 depends on VXPM-004.
- Phase 2 tasks (VXLM-*) depend on Phase 1 completion. VXLM-001/002 are independent. VXLM-003 depends on both. VXLM-004/005 depend on VXLM-003.
## Documentation Prerequisites
- `docs/modules/findings-ledger/schema.md` (Ledger schema and Merkle invariants)
- `docs/modules/findings-ledger/workflow-inference.md` (projection rules)
- `src/Findings/AGENTS.md` (module working rules)
- `docs/modules/vex-lens/guides/explorer-integration.md` (VexLens integration contract)
---
# Phase 1 -- In-Memory to Postgres Migration
Goal: Replace all ConcurrentDictionary stores with Postgres-backed repositories while VulnExplorer remains its own service. Validate data model and API contract preservation.
## Delivery Tracker (Phase 1)
### VXPM-001 - Create VulnExplorer Postgres schema and SQL migrations
Status: TODO
Dependency: none
Owners: Backend engineer
Task description:
- Create a new persistence library `StellaOps.VulnExplorer.Persistence` (or add persistence to the existing `StellaOps.VulnExplorer.Api` project) following the pattern in `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Postgres/`.
- Design tables under a `vulnexplorer` schema:
- `vulnexplorer.vex_decisions` -- stores VEX decision records with all fields from `VexDecisionDto`: id (PK, uuid), vulnerability_id, subject (JSONB), status, justification_type, justification_text, evidence_refs (JSONB), scope (JSONB), valid_for (JSONB), attestation_ref (JSONB), signed_override (JSONB), supersedes_decision_id, created_by (JSONB), tenant_id, created_at, updated_at.
- `vulnexplorer.fix_verifications` -- stores fix verification records: cve_id (PK), component_purl, artifact_digest, verdict, transitions (JSONB array), tenant_id, created_at, updated_at.
- `vulnexplorer.audit_bundles` -- stores audit bundle records: bundle_id (PK), tenant_id, decision_ids (JSONB array), evidence_refs (JSONB array), created_at.
- Write SQL migration files as embedded resources:
- `001_initial_vulnexplorer_schema.sql` -- create schema and tables
- Include RLS policies for tenant isolation (follow pattern from `src/Findings/StellaOps.Findings.Ledger/migrations/007_enable_rls.sql`)
- Wire `AddStartupMigrations("vulnexplorer", "VulnExplorer", migrationsAssembly)` in VulnExplorer's `Program.cs` per the auto-migration requirement (CLAUDE.md section 2.7).
Tests:
- Unit test that migration SQL is valid and can be parsed
- Integration test that migrations apply cleanly to a fresh database
- Integration test that migrations are idempotent (re-run does not fail)
Users:
- No user-facing changes -- this is infrastructure-only
Documentation:
- Add schema documentation to `src/Findings/StellaOps.VulnExplorer.Api/AGENTS.md` describing the new tables
- Document migration file naming convention in the module AGENTS.md
Completion criteria:
- [ ] SQL migration files exist and are embedded resources in the project
- [ ] Schema creates cleanly on a fresh database
- [ ] Auto-migration wired in Program.cs and runs on startup
- [ ] RLS policies enforce tenant isolation
- [ ] No manual init scripts required
### VXPM-002 - Implement Postgres repository for VEX decisions
Status: TODO
Dependency: none (can start before VXPM-001 with interface-first approach)
Owners: Backend engineer
Task description:
- Create `IVexDecisionRepository` interface mirroring the `VexDecisionStore` API surface:
- `CreateAsync(VexDecisionDto)` -> `VexDecisionDto`
- `UpdateAsync(Guid, UpdateVexDecisionRequest)` -> `VexDecisionDto?`
- `GetAsync(Guid)` -> `VexDecisionDto?`
- `QueryAsync(vulnerabilityId?, subjectName?, status?, skip, take)` -> `IReadOnlyList<VexDecisionDto>`
- `CountAsync()` -> `int`
- Implement `PostgresVexDecisionRepository` using EF Core or raw Npgsql (follow the pattern in `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Postgres/PostgresLedgerEventRepository.cs`).
- Create `IFixVerificationRepository` and `PostgresFixVerificationRepository`:
- `CreateAsync(CreateFixVerificationRequest)` -> `FixVerificationRecord`
- `UpdateAsync(cveId, verdict)` -> `FixVerificationRecord?`
- Create `IAuditBundleRepository` and `PostgresAuditBundleRepository`:
- `CreateAsync(tenant, decisions)` -> `AuditBundleResponse`
- Preserve the `IVexOverrideAttestorClient` integration: `CreateWithAttestationAsync` and `UpdateWithAttestationAsync` logic moves into a service layer that wraps the repository.
Tests:
- Unit tests for each repository method with an in-memory database or test containers
- Test that VEX decision CRUD preserves all fields (especially JSONB: subject, scope, evidence_refs, signed_override)
- Test that fix verification state transitions are correctly persisted and reconstructed
- Test that audit bundle creation aggregates evidence refs from persisted decisions
- Test deterministic ordering (createdAt desc, id asc) matches current in-memory behavior
Users:
- No user-facing API changes -- same endpoints, same request/response shapes
- `VexDecisionStore.CreateWithAttestationAsync` behavior preserved for `IVexOverrideAttestorClient`
Documentation:
- Document repository interfaces in module AGENTS.md
Completion criteria:
- [ ] All repository interfaces defined
- [ ] Postgres implementations for all three repositories
- [ ] Business logic (attestation flow, state machine, bundle aggregation) preserved in service layer
- [ ] All JSONB fields round-trip correctly
### VXPM-003 - Replace SampleData with seeded Postgres data
Status: TODO
Dependency: none
Owners: Backend engineer
Task description:
- Remove `SampleData.cs` (hardcoded VulnSummary/VulnDetail records).
- Replace the vuln list/detail endpoints (`GET /v1/vulns`, `GET /v1/vulns/{id}`) with queries against a new `IVulnerabilityQueryService` that reads from `findings_projection` (the Ledger table, accessed via cross-schema query or a shared connection) or a VulnExplorer-owned view/table.
- Decision needed: whether VulnExplorer reads from `findings_ledger.findings_projection` directly (simpler, couples to Ledger schema) or maintains its own materialized view. Recommendation: read from Ledger projection directly via the shared Postgres connection, since VulnExplorer will be merged into Ledger in Phase 2 anyway.
- If Ledger projection is used: wire the Ledger's `IFindingProjectionRepository` or create a read-only query service that maps `FindingProjection` rows to `VulnSummary`/`VulnDetail`.
- If VulnExplorer-owned table is used: create `vulnexplorer.vulnerability_summaries` table and a sync mechanism from Ledger events.
- Replace `EvidenceSubgraphStore.Build()` (which returns hardcoded graph) with either:
- A call to Ledger's `IEvidenceGraphBuilder.BuildAsync()` (if accessible via shared library reference)
- An HTTP call to Ledger's `/evidence-graph/{findingId}` endpoint
- Recommendation: use shared library reference since both are in `src/Findings/`
Tests:
- Test that `GET /v1/vulns` returns findings from database (not hardcoded data)
- Test that `GET /v1/vulns/{id}` returns finding detail from database
- Test filtering (CVE, PURL, severity, exploitability, fixAvailable) works against real data
- Test pagination (pageToken/pageSize) works
- Test evidence subgraph returns real graph data (not the hardcoded stub)
- Regression test: verify the 4 existing `VulnApiTests` (List_ReturnsDeterministicOrder, List_FiltersByCve, Detail_ReturnsNotFoundWhenMissing, etc.) pass with the new persistence layer -- these will need seed data in the test database
Users:
- `VulnerabilityListService` (UI) calls `/api/v1/vulnerabilities` -- verify response shape unchanged
- `EvidenceSubgraphService` (UI) calls `/api/vuln-explorer/findings/{id}/evidence-subgraph` -- verify response shape unchanged
Documentation:
- Update `docs/features/checked/vulnexplorer/vulnexplorer-triage-api.md` to note that data is now persisted (not in-memory)
Completion criteria:
- [ ] `SampleData.cs` deleted
- [ ] `EvidenceSubgraphStore` hardcoded data removed
- [ ] Vuln list/detail endpoints return data from Postgres
- [ ] Evidence subgraph endpoint returns real graph data
- [ ] All existing filters and pagination work against Postgres queries
- [ ] Existing test assertions updated and passing
### VXPM-004 - Wire repositories into VulnExplorer Program.cs and replace in-memory singletons
Status: TODO
Dependency: VXPM-001, VXPM-002, VXPM-003
Owners: Backend engineer
Task description:
- Update `Program.cs` to replace all in-memory `AddSingleton` registrations:
- Remove `builder.Services.AddSingleton<VexDecisionStore>(...)` -> register `IVexDecisionRepository` (scoped)
- Remove `builder.Services.AddSingleton<FixVerificationStore>()` -> register `IFixVerificationRepository` (scoped)
- Remove `builder.Services.AddSingleton<AuditBundleStore>()` -> register `IAuditBundleRepository` (scoped)
- Remove `builder.Services.AddSingleton<EvidenceSubgraphStore>()` -> register `IEvidenceGraphBuilder` or equivalent
- Update all endpoint handlers in `Program.cs` to use the repository/service interfaces instead of the concrete stores.
- Wire the Postgres connection string from `ConnectionStrings__Default` (already in compose environment).
- Ensure the `StubVexOverrideAttestorClient` remains wired for dev/test, with `HttpVexOverrideAttestorClient` available for production.
- Verify all 10 endpoints continue to work:
- `GET /v1/vulns` (list)
- `GET /v1/vulns/{id}` (detail)
- `POST /v1/vex-decisions` (create, with optional attestation)
- `PATCH /v1/vex-decisions/{id:guid}` (update)
- `GET /v1/vex-decisions` (list)
- `GET /v1/vex-decisions/{id:guid}` (get)
- `GET /v1/evidence-subgraph/{vulnId}` (subgraph)
- `POST /v1/fix-verifications` (create)
- `PATCH /v1/fix-verifications/{cveId}` (update)
- `POST /v1/audit-bundles` (create)
Tests:
- Full integration test suite against Postgres: run the existing `VulnExplorerTriageApiE2ETests` (5 tests) against the Postgres-backed service
- Run the existing `VulnApiTests` (4 tests) against the Postgres-backed service
- Verify no 500 errors on cold start (fresh DB with auto-migration)
- Verify service starts and registers with Valkey router successfully
Users:
- All UI consumers should see zero behavioral change
- Gateway routing unchanged (`/api/vuln-explorer(.*) -> vulnexplorer.stella-ops.local`)
Documentation:
- Update `src/Findings/StellaOps.VulnExplorer.Api/AGENTS.md` to reflect persistence architecture
Completion criteria:
- [ ] Zero `ConcurrentDictionary` or in-memory store references in VulnExplorer
- [ ] All 10 endpoints return data from Postgres
- [ ] `VulnExplorerTriageApiE2ETests` (5 tests) pass
- [ ] `VulnApiTests` (4 tests) pass with seeded data
- [ ] Cold-start works: auto-migration creates schema, service starts, responds to health check
- [ ] Docker compose: vulnexplorer container starts cleanly with Postgres
### VXPM-005 - Phase 1 integration validation
Status: TODO
Dependency: VXPM-004
Owners: QA, Backend engineer
Task description:
- Full system test: bring up the complete compose stack and verify:
- VulnExplorer starts, auto-migrates, and registers with Valkey
- UI flows that consume VulnExplorer work end-to-end (navigate to vuln explorer page, view findings, create VEX decision, view evidence subgraph)
- VexLens `IVulnExplorerIntegration` continues to enrich vulnerabilities (this is an in-process integration in VexLens, not an HTTP call to VulnExplorer -- verify it still works)
- Concelier `VulnExplorerTelemetry` metrics still emit (this is just a meter, no runtime dependency on VulnExplorer service)
- Run all existing test suites:
- `src/Findings/__Tests/StellaOps.VulnExplorer.Api.Tests/` (9 tests)
- `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/` (verify no regressions)
- `src/Web/StellaOps.Web/src/tests/vuln_explorer/` (2 behavioral specs)
Tests:
- All tests listed above pass
- Manual or Playwright verification of UI vuln explorer page
Users:
- End-to-end user flow validated
Documentation:
- Record test results in Execution Log
Completion criteria:
- [ ] All 9 VulnExplorer API tests pass
- [ ] All Ledger tests pass (no regression)
- [ ] UI behavioral specs pass
- [ ] VulnExplorer container starts and responds in full compose stack
- [ ] Data survives container restart (persistence verified)
---
# Phase 2 -- Merge VulnExplorer into Findings Ledger
Goal: Eliminate VulnExplorer as a separate service. Move all endpoints into Ledger WebService. VEX decisions and fix verifications become Ledger events. Remove VulnExplorer container from compose.
## Delivery Tracker (Phase 2)
### VXLM-001 - Migrate VulnExplorer endpoint DTOs into Ledger WebService
Status: DONE
Dependency: VXPM-005 (Phase 1 complete)
Owners: Backend engineer
Task description:
- Move VulnExplorer contract types into the Ledger WebService `Contracts/` namespace:
- `VulnModels.cs` (VulnSummary, VulnDetail, VulnListResponse, VulnFilter, EvidenceProvenance, PolicyRationale, PackageAffect, AdvisoryRef, EvidenceRef)
- `VexDecisionModels.cs` (VexDecisionDto, CreateVexDecisionRequest, UpdateVexDecisionRequest, VexDecisionListResponse, SubjectRefDto, EvidenceRefDto, VexScopeDto, ValidForDto, AttestationRefDto, ActorRefDto, VexOverrideAttestationDto, AttestationVerificationStatusDto, AttestationRequestOptions, and all enums: VexStatus, SubjectType, EvidenceType, VexJustificationType)
- `FixVerificationModels.cs` (FixVerificationResponse, FixVerificationGoldenSetRef, FixVerificationAnalysis, FunctionChangeResult, FunctionChangeChild, ReachabilityChangeResult, FixVerificationRiskImpact, FixVerificationEvidenceChain, EvidenceChainItem, FixVerificationRequest)
- `AttestationModels.cs` (VulnScanAttestationDto, AttestationSubjectDto, VulnScanPredicateDto, ScannerInfoDto, ScannerDbInfoDto, SeverityCountsDto, FindingReportDto, AttestationMetaDto, AttestationSignerDto, AttestationListResponse, AttestationSummaryDto, AttestationType)
- `TriageWorkflowModels.cs` (CreateFixVerificationRequest, UpdateFixVerificationRequest, CreateAuditBundleRequest, AuditBundleResponse, FixVerificationTransition, FixVerificationRecord)
- Contracts from `StellaOps.VulnExplorer.WebService.Contracts.EvidenceSubgraphContracts` already exist conceptually in the Ledger's `EvidenceGraphContracts.cs` -- create thin adapter types or type aliases where the frontend expects the VulnExplorer shape.
- Keep the VulnExplorer API path prefix (`/v1/vulns`, `/v1/vex-decisions`, `/v1/evidence-subgraph`, `/v1/fix-verifications`, `/v1/audit-bundles`) as route groups in the Ledger WebService to avoid frontend breaking changes.
Tests:
- Compilation test: all contract types compile within Ledger WebService
- Verify no duplicate type definitions between the two projects
- Verify existing Ledger tests still pass after adding new contracts
Users:
- No UI changes needed at this stage -- endpoints return 501 initially
- Frontend API clients (`vex-decisions.client.ts`, `audit-bundles.client.ts`, `evidence-subgraph.service.ts`) will be retargeted in VXLM-004
Documentation:
- Update `docs/API_CLI_REFERENCE.md` to note VulnExplorer endpoints are now served by Findings Ledger
Completion criteria:
- [ ] All VulnExplorer contract types compile within Ledger WebService
- [ ] No duplicate type definitions between the two projects
- [ ] VulnExplorer API paths registered in Ledger WebService (can return 501 initially)
- [ ] Existing Ledger tests still pass
### VXLM-002 - Wire VulnExplorer read endpoints to Ledger projection queries
Status: DONE
Dependency: VXPM-005 (Phase 1 complete)
Owners: Backend engineer
Task description:
- Implement `/v1/vulns` (list) by querying `IFindingProjectionRepository.QueryScoredAsync()` and mapping `FindingProjection` to `VulnSummary`. The Ledger's `VulnerabilityDetailService` already does the field extraction from `labels` JSONB -- reuse that logic.
- Implement `/v1/vulns/{id}` (detail) by calling `VulnerabilityDetailService.GetAsync()` and mapping to `VulnDetail`. The existing `VulnerabilityDetailResponse` is a superset of VulnDetail.
- Implement `/v1/evidence-subgraph/{vulnId}` by calling `IEvidenceGraphBuilder.BuildAsync()` and mapping `EvidenceGraphResponse` to `EvidenceSubgraphResponse`. The Ledger's graph model (verdict node, VEX nodes, reachability, runtime, SBOM, provenance) covers all VulnExplorer subgraph node types.
Tests:
- Integration test: create a finding via Ledger event, then query via `/v1/vulns` and verify it appears in the response
- Integration test: `GET /v1/vulns/{id}` returns correct detail for a known finding
- Integration test: evidence subgraph returns graph with correct node types
- Test filtering (CVE, PURL, severity, exploitability, fixAvailable) works against Ledger projection fields
- Test pagination (pageToken/pageSize) works
Users:
- `VulnerabilityListService` (UI) at `/api/v1/vulnerabilities` -- ensure response shape unchanged
- `EvidenceSubgraphService` (UI) at `/api/vuln-explorer/findings/{id}/evidence-subgraph` -- ensure response shape unchanged
- `vulnerability-detail.component.ts` (UI) -- verify data binding unchanged
Documentation:
- Update `docs/modules/findings-ledger/README.md` with new endpoint groups
Completion criteria:
- [ ] `/v1/vulns` returns findings from Ledger DB (not hardcoded data)
- [ ] `/v1/vulns/{id}` returns finding detail from Ledger projections
- [ ] `/v1/evidence-subgraph/{vulnId}` returns real evidence graph data
- [ ] Filtering (CVE, PURL, severity, exploitability, fixAvailable) works against Ledger projection fields
- [ ] Pagination (pageToken/pageSize) works
### VXLM-003 - Migrate VEX decision and fix verification endpoints to Ledger event persistence
Status: DOING (adapters still ConcurrentDictionary; see 2026-04-13 execution log)
Dependency: VXLM-001, VXLM-002
Owners: Backend engineer
Task description:
- **New Ledger event types**: Add to `LedgerEventConstants` (`src/Findings/StellaOps.Findings.Ledger/Domain/LedgerEventConstants.cs`):
- `EventFindingVexDecisionCreated = "finding.vex_decision_created"`
- `EventFindingVexDecisionUpdated = "finding.vex_decision_updated"`
- `EventFindingFixVerificationCreated = "finding.fix_verification_created"`
- `EventFindingFixVerificationUpdated = "finding.fix_verification_updated"`
- Add all four to `SupportedEventTypes` and `FindingEventTypes`
- **VEX Decisions**: Wire `POST /v1/vex-decisions` to emit a `finding.vex_decision_created` Ledger event with the VEX decision payload in the event body JSONB. The VEX override attestation flow (`IVexOverrideAttestorClient`) is preserved and produces a `ledger_attestation_pointers` record when attestation succeeds.
- Wire `PATCH /v1/vex-decisions/{id}` to emit a `finding.vex_decision_updated` event (append-only update).
- Wire `GET /v1/vex-decisions` to query `observations` table filtered by action type, or introduce a new Ledger projection for VEX decisions.
- Wire `GET /v1/vex-decisions/{id:guid}` to reconstruct from Ledger events.
- **Fix Verification**: Wire `POST /v1/fix-verifications` to emit `finding.fix_verification_created` event. Store verdict, transitions, and evidence chain in event body. Wire `PATCH /v1/fix-verifications/{cveId}` to emit `finding.fix_verification_updated` event with state transition.
- **Audit Bundle**: Wire `POST /v1/audit-bundles` to delegate to `EvidenceBundleService` or `OrchestratorExportService`, packaging the referenced VEX decisions from the Ledger chain.
- **Data migration**: Migrate VulnExplorer's `vulnexplorer.*` tables into Ledger events. Write a one-time migration that:
- Reads all VEX decisions from `vulnexplorer.vex_decisions` and emits corresponding Ledger events
- Reads all fix verifications from `vulnexplorer.fix_verifications` and emits corresponding events
- Records the migration in the Execution Log
- Add new SQL migration `010_vex_fix_verification_events.sql` to add the event types to the Ledger's `ledger_event_type` enum (if using enum) or document the new type strings.
Tests:
- Integration test: create VEX decision via `POST /v1/vex-decisions`, verify it persists as Ledger event, query back via `GET`
- Integration test: VEX decision with attestation produces both Ledger event and `ledger_attestation_pointers` record
- Integration test: fix verification create and update produce state transitions as Ledger events
- Integration test: audit bundle aggregates from Ledger data, not in-memory store
- Test Merkle chain integrity: new VEX/fix events participate in the append-only hash chain
- Test data migration script: verify it correctly converts existing records
- Test backward compatibility: old VEX decisions created before migration are still queryable
Users:
- `VexDecisionsHttpClient` (UI) -- verify create/list/get/patch all work with Ledger persistence
- `AuditBundlesHttpClient` (UI) -- verify bundle creation aggregates from Ledger events
- `triage-explainability-workspace.spec.ts` (E2E) -- verify full triage workflow
Documentation:
- Update `docs/modules/findings-ledger/schema.md` with new event types
- Update `docs/modules/findings-ledger/workflow-inference.md` if projection rules change
- Update `docs/features/checked/vulnexplorer/vulnexplorer-triage-api.md` to document Ledger-backed persistence
Completion criteria:
- [ ] VEX decisions are persisted as Ledger events (append-only, with Merkle chain integrity)
- [ ] VEX override attestations produce `ledger_attestation_pointers` records
- [ ] Fix verifications are persisted as Ledger events with state transitions
- [ ] Audit bundles aggregate from Ledger data (not in-memory store)
- [ ] New SQL migration `010_vex_fix_verification_events.sql` adds event types
- [ ] All ConcurrentDictionary stores eliminated
- [ ] Data migration from `vulnexplorer.*` tables to Ledger events complete
### VXLM-004 - Remove VulnExplorer service and update compose/routing/consumers
Status: DOING (compose/routing done; VulnExplorer.Api and VulnExplorer.WebService project dirs not deleted)
Dependency: VXLM-003
Owners: Backend engineer, DevOps
Task description:
- Remove `StellaOps.VulnExplorer.Api/` project from the solution.
- Remove `StellaOps.VulnExplorer.WebService/` project from the solution (inline `EvidenceSubgraphContracts` into Ledger if still referenced).
- Remove `StellaOps.VulnExplorer.Persistence/` (Phase 1 persistence library) -- its tables are superseded by Ledger events.
- Update `docker-compose.stella-ops.yml`:
- Remove the vulnexplorer service container
- Remove `STELLAOPS_VULNEXPLORER_URL` from the gateway's environment variables
- Update `docker-compose.stella-services.yml`:
- Remove vulnexplorer service definition
- Remove `STELLAOPS_VULNEXPLORER_URL` from shared environment
- Update `devops/compose/router-gateway-local.json`:
- Change route `^/api/vuln-explorer(.*)` to target `http://findings-ledger.stella-ops.local/api/vuln-explorer$1`
- Or add new routes for `/v1/vulns*`, `/v1/vex-decisions*`, etc. targeting findings-ledger
- Update `devops/compose/hosts.stellaops.local` -- remove vulnexplorer hostname
- Update `devops/compose/envsettings-override.json` -- change `apiBaseUrls.vulnexplorer` to point to findings-ledger or remove if the gateway handles routing
- Update `devops/docker/services-matrix.env` -- remove vulnexplorer project path if present
- Update `devops/helm/stellaops/templates/vuln-mock.yaml` -- remove or repurpose
- Update cross-service references:
- `src/Authority/StellaOps.Auth.Abstractions/StellaOpsServiceIdentities.cs` -- deprecate or remove `VulnExplorer` identity (or redirect to findings-ledger)
- `src/VexLens/StellaOps.VexLens/Integration/` -- `IVulnExplorerIntegration`/`VulnExplorerIntegration` remain as-is (they use `IConsensusProjectionStore`, not HTTP to VulnExplorer)
- `src/Concelier/StellaOps.Concelier.Core/Diagnostics/VulnExplorerTelemetry.cs` -- rename meter to `StellaOps.Findings.VulnExplorer` or leave as-is for telemetry continuity
- `src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Middleware/RouteDispatchMiddlewareMicroserviceTests.cs` -- update test expectations for route target
- `src/Router/__Tests/StellaOps.Router.Gateway.Tests/OpenApi/OpenApiDocumentGeneratorTests.cs` -- update if it references vulnexplorer routes
Tests:
- Verify solution builds without VulnExplorer projects
- Verify all 62+ containers start cleanly (minus vulnexplorer = 61+)
- Verify gateway routes `/v1/vulns*`, `/v1/vex-decisions*`, `/v1/evidence-subgraph*`, `/v1/fix-verifications*`, `/v1/audit-bundles*` to findings-ledger service
- Verify VexLens integration still works (no runtime dependency on VulnExplorer service)
- Verify Concelier telemetry still emits (no runtime dependency on VulnExplorer service)
- Run gateway routing tests and verify they pass with updated route targets
Users:
- UI: `vex-decisions.client.ts` `VEX_DECISIONS_API_BASE_URL` -- verify it resolves to the gateway which now routes to findings-ledger
- UI: `audit-bundles.client.ts` `AUDIT_BUNDLES_API_BASE_URL` -- same verification
- UI: `evidence-subgraph.service.ts` base URL `/api/vuln-explorer` -- verify gateway route rewrite works
- UI: `vulnerability-list.service.ts` base URL `/api/v1/vulnerabilities` -- verify routing
- `envsettings-override.json` apiBaseUrls update consumed by UI at runtime
Documentation:
- Update `docs/technical/architecture/webservice-catalog.md` -- remove VulnExplorer entry, note merged into Findings Ledger
- Update `docs/technical/architecture/port-registry.md` -- remove VulnExplorer port allocation
- Update `docs/technical/architecture/component-map.md` -- update diagram
- Update `docs/technical/architecture/module-matrix.md` -- remove VulnExplorer row
- Update `docs/dev/DEV_ENVIRONMENT_SETUP.md` -- remove VulnExplorer references
- Update `docs/dev/SOLUTION_BUILD_GUIDE.md` -- remove VulnExplorer project
- Update `docs/technical/cicd/path-filters.md` -- remove VulnExplorer paths
Completion criteria:
- [ ] No vulnexplorer container in compose
- [ ] Gateway routes VulnExplorer API paths to findings-ledger service
- [ ] Solution builds without VulnExplorer projects
- [ ] All containers start cleanly
- [ ] Cross-service references updated (VexLens, Concelier, Authority, Router tests)
- [ ] UI `envsettings-override.json` updated
### VXLM-005 - Integration tests, UI validation, and documentation update
Status: DOING
Dependency: VXLM-004
Owners: Backend engineer, QA
Task description:
- Port VulnExplorer test assertions to Ledger test project (`src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/`). Add integration tests that:
- Create a finding via Ledger event, then query via `/v1/vulns` and `/v1/vulns/{id}`.
- Create a VEX decision via `POST /v1/vex-decisions`, verify it persists as Ledger event, query back via `GET`.
- Create a VEX decision with attestation, verify `ledger_attestation_pointers` record.
- Create a fix verification, verify state transitions persist as Ledger events.
- Create an audit bundle from persisted decisions.
- Retrieve evidence subgraph for a finding with real evidence data.
- Full triage workflow: create finding -> create VEX decision -> create fix verification -> create audit bundle -> verify all queryable.
- Run UI behavioral specs:
- `src/Web/StellaOps.Web/src/tests/vuln_explorer/vuln-explorer-with-evidence-tree-and-citation-links.behavior.spec.ts`
- `src/Web/StellaOps.Web/src/tests/vuln_explorer/filter-preset-pills-with-url-synchronization.component.spec.ts`
- `src/Web/StellaOps.Web/tests/e2e/triage-explainability-workspace.spec.ts`
- Remove or archive old VulnExplorer test project (`src/Findings/__Tests/StellaOps.VulnExplorer.Api.Tests/`).
- Update documentation:
- `src/Findings/AGENTS.md` -- document the merged endpoint surface and note VulnExplorer is now part of Findings Ledger
- `docs/modules/findings-ledger/schema.md` -- add new event types (vex_decision_created/updated, fix_verification_created/updated)
- `docs/modules/findings-ledger/README.md` -- note VulnExplorer endpoints merged in
- `docs/modules/web/README.md` -- update service dependency list
- `docs/modules/ui/architecture.md` -- update service dependency list
- `docs/modules/ui/component-preservation-map/README.md` -- update VulnExplorer component status
- `docs/modules/vex-lens/guides/explorer-integration.md` -- note VulnExplorer merged into Ledger
- `docs/modules/authority/AUTHORITY.md` -- note service identity change
- `docs/operations/runbooks/vuln-ops.md` -- update operational procedures
- `docs/qa/feature-checks/state/vulnexplorer.json` -- update state to reflect merge
- `docs/INDEX.md` -- update if VulnExplorer is listed separately
- High-level architecture docs (`docs/07_HIGH_LEVEL_ARCHITECTURE.md`) if the service count changes
Tests:
- All 6+ new integration tests pass
- All existing Ledger tests pass (no regression)
- UI behavioral specs pass
- E2E triage workspace spec passes
- All ported VulnExplorer test assertions pass in Ledger test project
Users:
- End-to-end validation: all UI flows that previously hit VulnExplorer now work via Findings Ledger
- No user-visible behavior change
Documentation:
- All documentation updates listed above completed
Completion criteria:
- [ ] Integration tests cover all 6 merged endpoint groups
- [ ] Existing Ledger tests still pass
- [ ] UI behavioral specs pass
- [ ] E2E triage workspace spec passes
- [ ] Old VulnExplorer test project removed or archived
- [ ] Module AGENTS.md updated with merged endpoint list
- [ ] Schema docs updated with new event types
- [ ] All 13+ documentation files updated
- [ ] High-level architecture docs updated with new service count
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-04-08 | Sprint created from VulnExplorer/Ledger merge analysis. Option A (merge first, Ledger projections) selected. | Planning |
| 2026-04-08 | Sprint restructured into two phases: Phase 1 (in-memory to Postgres migration) and Phase 2 (merge into Ledger). Comprehensive consumer/dependency audit added. | Planning |
| 2026-04-08 | Phase 2 implemented (VXLM-001 through VXLM-004): DTOs moved to Ledger `Contracts/VulnExplorer/`, endpoints mounted via `VulnExplorerEndpoints.cs`, adapter services created, compose/routing/services-matrix updated, docs updated. Phase 1 skipped per user direction (wire to existing Ledger services instead of creating separate vulnexplorer schema). VXLM-005 (integration tests) remaining TODO. | Backend |
| 2026-04-08 | VXLM-005 verification started. Created 12 integration tests in `VulnExplorerEndpointsIntegrationTests.cs` covering all 6 endpoint groups + full triage workflow + auth checks. Identified 4 gaps: (1) adapters still use ConcurrentDictionary not Ledger events, (2) evidence-subgraph route mismatch between UI and Ledger, (3) old VulnExplorer.Api.Tests reference stale Program.cs, (4) VulnApiTests expect hardcoded SampleData IDs. Documentation updates pending. | Backend/QA |
| 2026-04-13 | Status audit: VXLM-003 and VXLM-004 corrected from DONE → DOING to match reality. Re-verification confirmed the 2026-04-08 GAP: `VexDecisionAdapter`, `FixVerificationAdapter`, `AuditBundleAdapter` still use `ConcurrentDictionary` (source comment explicitly says "future iterations will wire to Ledger event types"). `StellaOps.VulnExplorer.Api/` and `StellaOps.VulnExplorer.WebService/` project directories were not deleted by VXLM-004. Migration `010_vex_fix_audit_tables.sql` exists but `VulnExplorerRepositories.cs` is a 33-line placeholder. No new Ledger event types (`finding.vex_decision_created`, etc.) were added. Commit `414049ef8` message "wire VulnExplorer adapters to Postgres" is misleading — only scaffolding landed. Real work remaining: implement Postgres repositories consuming migration 010, extend `LedgerEventConstants`, swap adapters to emit Ledger events, delete the stale VulnExplorer projects. Sprint cannot be archived. | QA |
## Decisions & Risks
- **Decision**: Two-phase approach. Phase 1 migrates VulnExplorer to Postgres while it remains a standalone service. Phase 2 merges into Findings Ledger. Rationale: reduces risk by separating persistence migration from service boundary changes; allows independent validation of the data model.
- **Decision**: VulnExplorer's Phase 1 tables (`vulnexplorer.*` schema) are temporary. They serve as a stepping stone to validate the data model before the Ledger merge in Phase 2. Phase 2 will migrate their data into Ledger events and drop the tables.
- **Decision**: VulnExplorer API paths are preserved as-is in the Ledger WebService to avoid frontend breaking changes. They will be documented as aliases for the Ledger's native v2 endpoints.
- **Decision**: VulnExplorer reads from `findings_ledger.findings_projection` for vuln list/detail (Phase 1, VXPM-003) rather than creating its own vulnerability table. Rationale: avoids data duplication, and this is the same table that Ledger will serve in Phase 2.
- **Risk**: The VEX override attestation workflow (`IVexOverrideAttestorClient`) currently uses a stub in VulnExplorer. Merging preserves this stub but it must be connected to the real Attestor service for production. This is existing tech debt, not introduced by the migration.
- **Risk**: New Ledger event types (`finding.vex_decision_created`, `finding.fix_verification_created`) require a SQL migration to extend the event type set. Must ensure the migration runs before the new code deploys (auto-migration handles this).
- **Risk**: VexLens `IVulnExplorerIntegration` does not make HTTP calls to VulnExplorer -- it uses `IConsensusProjectionStore` in-process. No service dependency, but the interface name references VulnExplorer. Consider renaming in a follow-up sprint.
- **Risk**: Concelier `VulnExplorerTelemetry` meter name (`StellaOps.Concelier.VulnExplorer`) is baked into dashboards/alerts. Renaming would break observability continuity. Decision: leave meter name as-is, document the historical naming.
- **Risk**: `envsettings-override.json` has `apiBaseUrls.vulnexplorer` pointing to `https://stella-ops.local`. If the UI reads this to build API URLs, it must be updated in Phase 2. If the gateway handles all routing, this may be a no-op.
- **GAP (VXLM-005)**: VexDecisionAdapter, FixVerificationAdapter, and AuditBundleAdapter still use `ConcurrentDictionary` in-memory stores. VXLM-003 marked DONE but these adapters were not wired to Ledger event persistence. VEX decisions, fix verifications, and audit bundles do NOT survive service restarts. Severity: HIGH -- the completion criteria for VXLM-003 ("All ConcurrentDictionary stores eliminated") is not met.
- **GAP (VXLM-005)**: Evidence subgraph route mismatch. UI `EvidenceSubgraphService` calls `/api/vuln-explorer/findings/{id}/evidence-subgraph`. Gateway rewrites `^/api/vuln-explorer(.*)` to `http://findings.stella-ops.local/api/vuln-explorer$1`, so Ledger receives `/api/vuln-explorer/findings/{id}/evidence-subgraph`. But Ledger only maps `/v1/evidence-subgraph/{vulnId}`. This path is unreachable from the UI. Fix: either add an alias route in VulnExplorerEndpoints.cs, or update the gateway rewrite to strip the prefix.
- **GAP (VXLM-005)**: Old VulnExplorer test project (`src/Findings/__Tests/StellaOps.VulnExplorer.Api.Tests/`) still references `StellaOps.VulnExplorer.Api.csproj` which registers in-memory stores. The 4 `VulnApiTests` assert hardcoded `SampleData` IDs (`vuln-0001`, `vuln-0002`) that no longer exist in the Ledger-backed path. These tests will fail when run against the Ledger WebService. The 6 `VulnExplorerTriageApiE2ETests` test the OLD standalone VulnExplorer service, not the merged Ledger endpoints.
- **GAP (VXLM-005)**: VulnerabilityListService (UI) calls `/api/v1/vulnerabilities` which gateway routes to `scanner.stella-ops.local`, NOT to findings.stella-ops.local. If the Ledger is now the authoritative source for vulnerability data, this route must be updated or the Scanner must proxy to Ledger.
## Next Checkpoints
- **Phase 1**: VXPM-001/002/003 can proceed in parallel immediately. VXPM-004 integrates all three. VXPM-005 validates the complete Phase 1.
- **Phase 2 gate**: Phase 2 must not start until VXPM-005 passes. All VulnExplorer endpoints must be Postgres-backed and tested.
- **Phase 2**: VXLM-001 + VXLM-002 can proceed in parallel. VXLM-003 is the critical-path task. VXLM-004 (service removal) should be the last code change.
- **Demo (Phase 1)**: VulnExplorer with real Postgres persistence, zero hardcoded data, data survives restarts.
- **Demo (Phase 2)**: Merged service with Ledger-backed VulnExplorer endpoints, no VulnExplorer container, all UI flows working.

408
docs-archived/implplan/SPRINT_20260410_001_Web_runtime_no_mocks_real_backend.md Normal file
View File

@@ -0,0 +1,408 @@
# Sprint 20260410-001 -- Runtime No-Mocks Real Backend Wiring
## Topic & Scope
- Remove live production-path stubs, mock providers, demo payloads, and in-memory stores that currently let the UI report fictional backend state.
- Start with the active browser/runtime path: Angular production DI bindings plus the Concelier feed-mirror surfaces behind `/ops/operations/feeds`.
- Replace fake success/error payloads with real persistence-backed reads, real job dispatch, or explicit unsupported/problem responses when no real backend exists yet.
- Working directory: `.`.
- Expected evidence: scoped code changes, targeted tests, live API/UI verification, and a logged inventory of remaining runtime in-memory blockers.
## Dependencies & Concurrency
- Required docs: `docs/modules/platform/architecture-overview.md`, `docs/modules/concelier/architecture.md`, `src/Web/StellaOps.Web/AGENTS.md`, `src/Concelier/AGENTS.md`, `src/Concelier/StellaOps.Concelier.WebService/AGENTS.md`.
- Depends on [SPRINT_20260409_002_Platform_local_stack_regression_retest.md](/C:/dev/New%20folder/git.stella-ops.org/docs/implplan/SPRINT_20260409_002_Platform_local_stack_regression_retest.md) for the user-reported local failures that exposed the fake runtime paths.
- Initial implementation is limited to `src/Web/StellaOps.Web/**`, `src/Concelier/**`, and related docs/tests. Additional module cleanup discovered during inventory must be logged before expansion.
- Verification commands may run sequentially; no project-level test concurrency is needed for this sprint.
## Documentation Prerequisites
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/concelier/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
- `src/Concelier/AGENTS.md`
- `src/Concelier/StellaOps.Concelier.WebService/AGENTS.md`
## Delivery Tracker
### NOMOCK-001 - Inventory live runtime mock and in-memory bindings
Status: DOING
Dependency: none
Owners: Developer
Task description:
- Identify production-path Angular providers, API clients, and service registrations that still bind to mocks, seeded demo payloads, or in-memory stores during normal local/runtime execution.
- Separate true runtime bindings from test-only helpers so cleanup work targets the user-visible path first.
Completion criteria:
- [ ] Active production-path mock/in-memory bindings are listed in the execution log with file references.
- [ ] Test-only mocks are distinguished from runtime bindings.
- [ ] The initial implementation slice is explicitly scoped from that inventory.
### NOMOCK-002 - Remove active Angular production mock providers
Status: TODO
Dependency: NOMOCK-001
Owners: Developer
Task description:
- Remove any Angular app-level production DI binding that resolves a mock client instead of a real HTTP client.
- Add a focused regression test so the main application configuration cannot silently drift back to mock providers.
Completion criteria:
- [ ] `app.config.ts` no longer binds production API tokens to mock implementations.
- [ ] A targeted frontend test guards the affected provider wiring.
- [ ] Live UI requests hit the real backend client path.
### NOMOCK-003 - Replace feed-mirror seeded/stubbed backend behavior with real backend state
Status: TODO
Dependency: NOMOCK-001
Owners: Developer
Task description:
- Remove the seeded feed-mirror DTO catalog and fabricated sync/offline/bundle/version-lock responses from the Concelier web service.
- Back mirror list/detail/state off the real advisory-source read model and source persistence, use the real source sync trigger path, and return truthful empty/problem responses for operations that do not yet have a real persistent backend.
Completion criteria:
- [ ] `/api/v1/concelier/mirrors` and `/api/v1/concelier/mirrors/{id}` read from real persisted source state rather than `MirrorSeedData`.
- [ ] `/api/v1/concelier/mirrors/{id}/sync` uses real job dispatch instead of fabricated success payloads.
- [ ] Fake seeded timeout/demo bundle/version-lock/import/offline payloads are removed from the live endpoint path.
### NOMOCK-004 - Verify live feed UI behavior and log remaining blocked runtime in-memory services
Status: DOING
Dependency: NOMOCK-002
Owners: Developer / QA
Task description:
- Re-test the affected browser/API flows after the runtime cleanup and record what still cannot be converted because the owning module lacks a real persistent backend implementation.
- Keep the user-visible contract truthful: blocked modules must fail honestly rather than returning invented data.
Completion criteria:
- [ ] `/ops/operations/feeds` and `/ops/operations/feeds/mirror/*` are verified against the live stack.
- [ ] Targeted automated tests covering the changed runtime path pass or fail with concrete blockers recorded.
- [ ] Remaining cross-module runtime in-memory bindings are logged with next-action notes.
### NOMOCK-005 - Replace live script compatibility and Platform script alias stubs with the real scripts registry
Status: DONE
Dependency: NOMOCK-001
Owners: Developer
Task description:
- Remove the unconditional compatibility success stub from the owning Release Orchestrator `/api/v2/scripts/{id}/check-compatibility` endpoint and replace it with evaluation against persisted script metadata, requested target metadata, and declared secret availability.
- Replace the Platform direct `IScriptService` registration with the real Release Orchestrator scripts library when PostgreSQL is configured so the alias path is no longer backed by the local in-memory catalog.
- Carry declared script variables through create/update paths so compatibility checks operate on real persisted inputs instead of silently dropping UI-authored variable declarations.
Completion criteria:
- [x] Release Orchestrator script compatibility no longer returns unconditional success.
- [x] Platform binds `IScriptService` to the real scripts registry when PostgreSQL is available.
- [x] Script create/update paths persist declared variables through the owning backend.
- [x] Targeted backend tests cover the compatibility evaluator, variable persistence, and Platform alias mapping.
### NOMOCK-006 - Remove the remaining no-Postgres Platform script in-memory fallback
Status: DONE
Dependency: NOMOCK-005
Owners: Developer
Task description:
- Replace the last runtime `InMemoryScriptService` registration in Platform with a real HTTP bridge to the owning Release Orchestrator `/api/v2/scripts` API so local/browser flows still hit the real scripts backend even when Platform itself is not wired directly to the scripts PostgreSQL schema.
- Expand the owning Release Orchestrator scripts HTTP surface so the proxy path can remain contract-complete: expose entry-point/dependency/version metadata, publish total-count headers, and accept the dedicated `script:read` / `script:write` scopes that Platform already enforces.
Completion criteria:
- [x] Platform no longer registers `InMemoryScriptService` in its runtime path when PostgreSQL is absent.
- [x] Release Orchestrator `/api/v2/scripts` returns the metadata needed to preserve the Platform scripts contract over HTTP.
- [x] Targeted tests cover the remote Platform scripts client and serial backend builds/tests pass.
### NOMOCK-007 - Replace Platform release-environment in-memory compatibility stores and dead frontend jobengine path
Status: DONE
Dependency: NOMOCK-001
Owners: Developer
Task description:
- Remove the runtime `InMemoryEnvironmentStore`, `InMemoryTargetStore`, and `InMemoryFreezeWindowStore` compatibility branch from Platform so release-environment flows hit either the PostgreSQL-backed Release Orchestrator environment services or the owning Release Orchestrator WebApi over HTTP.
- Correct the Angular release-environment HTTP client to target the real `/api/v1/release-orchestrator` path, map real environment/target/freeze payloads, and send truthful target connection configuration instead of the retired `release-jobengine` path and partial target DTOs.
Completion criteria:
- [x] Platform no longer registers runtime in-memory release-environment stores when PostgreSQL is absent.
- [x] Release Orchestrator WebApi owns `/api/v1/release-orchestrator/environments`, `/targets`, and `/freeze-windows` with startup migrations wired for the `release` schema.
- [x] The Angular release-environment client targets `/api/v1/release-orchestrator`, translates real payloads, and submits type-specific target connection config.
- [x] Serial backend/frontend verification passes with concrete evidence.
### NOMOCK-008 - Replace VexLens noise-gating in-memory stores with persisted runtime storage
Status: DONE
Dependency: NOMOCK-001
Owners: Developer
Task description:
- Remove the live VexLens noise-gating runtime dependency on `InMemorySnapshotStore` and `InMemoryGatingStatisticsStore`.
- Persist raw snapshots, gated snapshots, and gating statistics in the owning VexLens PostgreSQL schema with startup migrations wired through the existing local runtime.
- Make the gate/delta/statistics endpoints truthful by persisting gated snapshots and recorded statistics as part of the real backend path.
Completion criteria:
- [x] `ISnapshotStore` and `IGatingStatisticsStore` resolve to PostgreSQL-backed implementations in the VexLens web runtime.
- [x] The `vexlens` schema auto-migrates the new noise-gating tables on startup.
- [x] Gating operations persist the gated snapshot and statistics so later delta/statistics reads no longer depend on process memory.
- [x] Focused backend tests cover persistence-backed storage and endpoint write-through behavior.
### NOMOCK-009 - Wire Angular noise-gating UI to the real VexLens client
Status: DONE
Dependency: NOMOCK-008
Owners: Developer
Task description:
- Register the production Angular DI bindings for the noise-gating client so triage surfaces use the real `/api/v1/vexlens` backend path instead of an absent optional provider or a mock helper.
- Add a focused regression test that guards the production provider wiring.
Completion criteria:
- [x] `app.config.ts` provides `NOISE_GATING_API_BASE_URL`, `NoiseGatingApiHttpClient`, and `NOISE_GATING_API`.
- [x] The triage runtime resolves the real noise-gating HTTP client without feature-local mocks.
- [x] A focused frontend test guards the provider wiring.
### NOMOCK-010 - Remove VexHub API-key-only runtime auth drift and fake export fallback
Status: DONE
Dependency: NOMOCK-001
Owners: Developer
Task description:
- Remove the export-path fake-success fallback from VexHub so backend failures surface as truthful `problem+json` errors instead of synthetic empty OpenVEX documents.
- Align the first-party StellaOps bearer-token path and the external API-key path on one canonical VexHub scope contract so the frontdoor, service authorization, and API-key authentication all enforce the same real backend rules.
- Preserve legacy API-key configuration compatibility by normalizing old dot-form VexHub scopes onto the canonical Authority scopes inside the VexHub API-key handler.
Completion criteria:
- [x] VexHub export failures return truthful backend error responses instead of fabricated OpenVEX success payloads.
- [x] First-party Authority bearer tokens with `vexhub:read` or `vexhub:admin` authorize live VexHub routes through the frontdoor.
- [x] Legacy API-key VexHub scope values normalize to the canonical Authority scopes without keeping dual required-scope policies in the live runtime path.
- [x] Focused backend tests and a live frontdoor bearer-auth probe pass with concrete evidence.
### NOMOCK-011 - Converge the live VEX console onto the real VexHub and VexLens contract
Status: DONE
Dependency: NOMOCK-010
Owners: Developer
Task description:
- Remove the remaining live console dependence on retired VEX mock-era endpoints and compatibility DTOs so the Angular runtime reads statement/search data from the real VexHub API and computes consensus/conflicts through the owning VexLens API.
- Align the browser detail panel with the real backend contract for statement detail, consensus results, and conflict resolution, and add a focused frontend verification lane that covers the active VEX runtime without relying on the repo-wide Angular target.
Completion criteria:
- [x] The Angular VEX runtime uses `GET /api/v1/vex/search`, `GET /api/v1/vex/statement/{id}`, `POST /api/v1/vexlens/consensus`, and `POST /api/v1/vex/conflicts/resolve`.
- [x] VexHub backend search and conflict-resolution endpoints support the live console contract.
- [x] Focused backend/frontend verification passes for the VEX runtime slice.
- [x] Live frontdoor verification confirms the VEX search route reaches the real backend path.
### NOMOCK-012 - Remove Excititor live in-memory VEX stores and demo seed migrations
Status: DONE
Dependency: NOMOCK-001
Owners: Developer
Task description:
- Remove the live `InMemoryVexProviderStore`, `InMemoryVexConnectorStateRepository`, and `InMemoryVexClaimStore` fallbacks from Excititor so the web host and worker both resolve the real persistence-backed runtime path.
- Add a real PostgreSQL `IVexClaimStore`, wire Excititor startup migrations, and stop embedding archived or demo-seed SQL so fresh local installs converge on truthful persisted state instead of historical demo rows.
Completion criteria:
- [x] Excititor WebService and Worker no longer register runtime in-memory VEX provider, connector-state, or claim stores.
- [x] `StellaOps.Excititor.Persistence` owns a PostgreSQL `IVexClaimStore` and startup migrations for the `vex` schema.
- [x] Archived pre-1.0 SQL and demo seed migrations are excluded from the live Excititor migration assembly.
- [x] Serial verification proves the persistence library and both live hosts build cleanly, and the remaining Excititor persistence-test blocker is logged concretely.
### NOMOCK-013 - Remove Scanner live manifest/proof in-memory repositories from the running WebService
Status: DONE
Dependency: NOMOCK-001
Owners: Developer
Task description:
- Remove the live `InMemoryScanManifestRepository`, `InMemoryProofBundleRepository`, `TestManifestRepository`, and `TestProofBundleRepository` runtime bindings from `StellaOps.Scanner.WebService` so the manifest/proof and score-replay surfaces resolve the real PostgreSQL-backed storage path.
- Preserve singleton score-replay service lifetimes by using scoped adapters for manifest/proof persistence, then prove the live `/api/v1/scans/{id}/manifest`, `/proofs`, and `/proofs/{rootHash}` routes read persisted rows and survive a `scanner-web` container recreate.
Completion criteria:
- [x] `StellaOps.Scanner.WebService` no longer registers live in-memory or test manifest/proof repositories.
- [x] The running scanner host builds and redeploys with scoped adapters over `PostgresScanManifestRepository` and `PostgresProofBundleRepository`.
- [x] Live API verification against `http://scanner.stella-ops.local/api/v1/scans/{id}/manifest` and `/proofs*` returns persisted PostgreSQL data before and after a `scanner-web` recreate.
- [x] The remaining Scanner targeted-test blocker is logged concretely instead of being treated as implementation-complete verification.
### NOMOCK-014 - Remove Policy live gate-bypass audit in-memory runtime binding
Status: DONE
Dependency: NOMOCK-001
Owners: Developer
Task description:
- Remove the live `IGateBypassAuditRepository -> InMemoryGateBypassAuditRepository` binding from `StellaOps.Policy.Engine` and cut the gate-bypass audit path over to the existing PostgreSQL-backed repository using the active tenant context with a deterministic fallback to `public`.
- Repair the Policy host/test blockers uncovered by that cutover: the config-driven persistence registration path was missing `IGateBypassAuditPersistence`, and the live host still had duplicate governance/risk-profile route names that caused first-request `500` failures and masked direct-service verification.
Completion criteria:
- [x] `StellaOps.Policy.Engine` resolves `IGateBypassAuditRepository` to `PostgresGateBypassAuditRepository` instead of the in-memory store.
- [x] The config-driven Policy persistence registration path includes `IGateBypassAuditPersistence`.
- [x] Focused Policy engine verification passes for the new registration path and the pre-existing host-route collision is fixed.
- [x] Live frontdoor verification no longer returns `503 Target microservice unavailable` for the Policy gate path after bringing the real `policy-engine` service up.
### NOMOCK-015 - Persist Policy live snapshot and ledger-export runtime state
Status: DONE
Dependency: NOMOCK-014
Owners: Developer
Task description:
- Replace the live engine-local `ISnapshotStore` and `ILedgerExportStore` in-memory bindings in `StellaOps.Policy.Engine` with PostgreSQL-backed adapters owned by `StellaOps.Policy.Persistence`, using runtime tables that match the current engine snapshot/export contracts instead of forcing the older generic snapshot entity shape.
- Make the Policy startup migrations safe on reused local volumes so `policy-engine` can converge the full schema, including the new runtime tables, without crashing on pre-existing indexes, triggers, or RLS policies. Then prove the live snapshot route works both directly and through the frontdoor and survives a `policy-engine` recreate.
Completion criteria:
- [x] `StellaOps.Policy.Engine` resolves its live snapshot and ledger-export runtime stores to PostgreSQL-backed adapters instead of process-local in-memory stores.
- [x] `StellaOps.Policy.Persistence` owns startup-migrated runtime tables for `policy.engine_ledger_exports` and `policy.engine_snapshots`.
- [x] `001_initial_schema.sql` is idempotent enough for reused local volumes and no longer crash-loops `policy-engine` on duplicate indexes, triggers, or policies.
- [x] Focused Policy runtime registration/store tests pass, and live direct plus frontdoor snapshot create/list/get verification succeeds with persistence across a `policy-engine` recreate.
### NOMOCK-016 - Remove Graph API live demo/in-memory runtime graph binding
Status: DONE
Dependency: NOMOCK-001
Owners: Developer
Task description:
- Remove the active Graph API runtime path that decided between persisted rows and demo/in-memory graph data from an early startup snapshot. The live `/graph/query`, `/graph/diff`, and `/graphs*` compatibility surfaces must resolve their runtime repository from final `Postgres:Graph` options so test hosts and local compose instances use the persisted graph when PostgreSQL is configured.
- Add focused Graph API verification that proves the host resolves `IGraphRuntimeRepository` to the Postgres-backed runtime repository when a Graph connection string is configured, and that the persisted row/snapshot endpoints continue to work through the compatibility facade instead of silently falling back to an empty or seeded in-memory graph.
Completion criteria:
- [x] `StellaOps.Graph.Api` resolves `IGraphRuntimeRepository` from final `PostgresOptions` rather than an early startup boolean.
- [x] The live Graph runtime path no longer relies on demo-seeded `InMemoryGraphRepository` data when `Postgres:Graph` is configured.
- [x] Focused Graph API registration, compatibility, and Postgres runtime integration tests pass against the specific Graph API test project.
### NOMOCK-017 - Remove Policy Gateway live delta snapshot in-memory runtime binding
Status: DONE
Dependency: NOMOCK-015
Owners: Developer
Task description:
- Remove the standalone `StellaOps.Policy.Gateway` runtime binding from `ISnapshotStore -> InMemorySnapshotStore` so `/api/v1/policy/deltas/*` uses the same persisted engine snapshot projection as the real Policy runtime.
- Reuse the engine-owned `PersistedKnowledgeSnapshotStore` and `DeltaSnapshotServiceAdapter` in the gateway host instead of keeping a second compatibility-only projection that fabricates empty packages, reachability, VEX, violation, and unknown sets.
- Add a focused host test that proves the gateway resolves the persisted delta runtime path and projects real compatibility inputs from `policy.engine_snapshots`.
Completion criteria:
- [x] `StellaOps.Policy.Gateway` no longer registers `InMemorySnapshotStore` on the live delta path.
- [x] The standalone gateway resolves `StellaOps.Policy.Snapshots.ISnapshotStore` and `StellaOps.Policy.Deltas.ISnapshotService` through the persisted engine projection services.
- [x] A focused gateway host test proves projected packages, reachability, VEX statements, policy violations, and unknowns are populated from a persisted snapshot document.
### NOMOCK-018 - Remove Policy Gateway live gate-bypass audit in-memory runtime binding
Status: DONE
Dependency: NOMOCK-017
Owners: Developer
Task description:
- Remove the standalone `StellaOps.Policy.Gateway` binding from `IGateBypassAuditRepository -> InMemoryGateBypassAuditRepository` so gate-bypass auditing uses the real Policy PostgreSQL persistence path in both Policy hosts.
- Resolve the gateway repository through `IGateBypassAuditPersistence` and the unified `IStellaOpsTenantAccessor`, keeping the same deterministic default-tenant fallback (`public`) used by `StellaOps.Policy.Engine`.
- Add focused gateway host coverage that proves the gateway now resolves `PostgresGateBypassAuditRepository` for both explicit-tenant and default-tenant cases.
Completion criteria:
- [x] `StellaOps.Policy.Gateway` no longer registers `InMemoryGateBypassAuditRepository` on the live host path.
- [x] The standalone gateway resolves `IGateBypassAuditRepository` to `PostgresGateBypassAuditRepository` with tenant-scoped behavior.
- [x] A focused gateway host test proves current-tenant and default-tenant fallback behavior.
### NOMOCK-019 - Remove fake Policy async gate-evaluation queue runtime
Status: DONE
Dependency: NOMOCK-018
Owners: Developer
Task description:
- Remove the fictional `InMemoryGateEvaluationQueue` and `GateEvaluationWorker` runtime path from both `StellaOps.Policy.Gateway` and the merged `StellaOps.Policy.Engine` gateway surface. The old path fabricated "no drift" gate contexts, emitted fake job IDs, and claimed deferred evaluation had been queued even though no persisted scheduler-backed dispatcher or job-status surface existed.
- Keep the truthful unsupported branch when scheduler persistence is absent, but add the real runtime branch when `Postgres:Scheduler` is configured: scheduler startup migrations, persisted queueing through `StellaOps.Scheduler.Persistence`, dispatch/worker execution, and persisted job-status reads from `/api/v1/policy/gate/jobs/{jobId}`.
- Add focused gateway and engine host tests that prove both runtime branches: honest `501` problem responses when the queue is unavailable, and real pending/completed scheduler-backed job lifecycle behavior when the async runtime is registered.
Completion criteria:
- [x] `StellaOps.Policy.Gateway` and `StellaOps.Policy.Engine` no longer register `InMemoryGateEvaluationQueue` or `GateEvaluationWorker`.
- [x] Registry webhook push endpoints return `501` with an explicit problem response when no scheduler-backed async queue is available.
- [x] When `Postgres:Scheduler` is configured, registry webhook push events enqueue persisted async gate-evaluation jobs and expose `/api/v1/policy/gate/jobs/{jobId}` status/results.
- [x] Focused gateway and engine host tests prove both the unsupported runtime binding and the scheduler-backed enqueue/status/dispatch behavior.
### NOMOCK-020 - Auto-bootstrap Policy first-run baseline state from persisted upstream results
Status: DONE
Dependency: NOMOCK-019
Owners: Developer
Task description:
- Remove the remaining manual-seed requirement for first-run Policy gate evaluation. When a tenant has completed persisted Policy orchestration results but no `policy.engine_ledger_exports` or `policy.engine_snapshots` rows yet, the live engine must build the first ledger export and baseline snapshot automatically instead of failing webhook/sync gate evaluation with "snapshot not found".
- Cut the upstream Policy runtime stores (`IOrchestratorJobStore`, `IWorkerResultStore`) from process-local memory over to PostgreSQL-backed adapters so the bootstrap path reads real `policy.orchestrator_jobs` and `policy.worker_results` data after host/container recreates.
- Add focused engine verification for the persisted runtime-store registrations and the zero-snapshot bootstrap behavior, then prove the live webhook path succeeds for a brand-new tenant seeded only with persisted orchestrator/worker rows.
Completion criteria:
- [x] `StellaOps.Policy.Engine` resolves `IOrchestratorJobStore` and `IWorkerResultStore` to PostgreSQL-backed adapters over persisted Policy tables.
- [x] Sync and async gate evaluation automatically build the first ledger export and baseline snapshot when no baseline exists but completed persisted Policy result data is available.
- [x] Focused engine tests prove the persisted runtime-store registrations and the first-run bootstrap behavior without relying on pre-seeded exports/snapshots.
- [x] Live verification succeeds for a brand-new tenant seeded only with persisted `policy.orchestrator_jobs` and `policy.worker_results`, and Postgres shows auto-created `policy.engine_ledger_exports` plus baseline/target `policy.engine_snapshots`.
### NOMOCK-021 - Make Policy orchestrator submission produce worker results automatically
Status: DONE
Dependency: NOMOCK-020
Owners: Developer
Task description:
- Remove the remaining manual step on the upstream Policy producer path. Submitting `/policy/orchestrator/jobs` must no longer leave real orchestrator rows stranded in `queued` until an operator or test harness separately calls `/policy/worker/run`.
- Add a deterministic background execution path that wakes on startup and on new submissions, leases queued jobs from the configured `IOrchestratorJobStore`, marks them `running`, executes `PolicyWorkerService`, persists `policy.worker_results`, and records terminal `completed` or `failed` status on the orchestrator job.
- Keep the contract boundary explicit: `/policy/orchestrator/jobs` is the persisted producer surface, while `/api/policy/eval/batch` remains stateless and must not backfill orchestrator or worker tables.
Completion criteria:
- [x] Queued Policy orchestrator jobs auto-execute without a separate manual `POST /policy/worker/run`.
- [x] Terminal orchestrator job state persists `completed` or `failed` instead of leaving jobs stuck in `running`.
- [x] Focused engine host coverage proves submit -> poll -> worker-result behavior for the live producer path.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-04-10 | Sprint created to remove live production-path stubs, mock providers, and in-memory runtime bindings starting with the active Angular app configuration and Concelier feed-mirror surfaces. | Developer |
| 2026-04-13 | Inventory extended beyond the initial Concelier slice. Confirmed `/ops/operations/feeds/mirror/*` now runs on persisted Concelier state, but found two still-live script-path fictions: Platform still registers `IScriptService` to `InMemoryScriptService` in `src/Platform/StellaOps.Platform.WebService/Program.cs`, and the owning Release Orchestrator `/api/v2/scripts/{id}/check-compatibility` endpoint still returns an unconditional stub success from `src/ReleaseOrchestrator/__Apps/StellaOps.ReleaseOrchestrator.WebApi/Endpoints/ScriptsEndpoints.cs`. Next implementation slice expands to `src/ReleaseOrchestrator/**` for script compatibility truthfulness and to the Platform alias only if still needed after the owning-service fix. | Developer |
| 2026-04-13 | Completed the scripts runtime slice. Release Orchestrator now evaluates `/api/v2/scripts/{id}/check-compatibility` against persisted script language, variables, dependencies, target metadata, and available secrets; create/update requests now persist declared variables instead of dropping them; and Platform now binds `IScriptService` to the real Release Orchestrator scripts registry when PostgreSQL is configured. Targeted tests passed: `StellaOps.ReleaseOrchestrator.Integration.Tests` `20/20`, `StellaOps.Platform.WebService.Tests` class-targeted `ReleaseOrchestratorScriptServiceTests` `2/2`, and `ReleaseOrchestrator.WebApi` rebuilt cleanly. Live frontdoor verification was blocked in this shell because the local stack was not running (`docker ps` empty, `curl.exe -k https://stella-ops.local/` connection failure). | Developer |
| 2026-04-13 | Removed the last Platform scripts in-memory runtime branch. When Platform lacks direct scripts PostgreSQL access it now calls the owning Release Orchestrator `/api/v2/scripts` API through a tenant/auth-aware HTTP client instead of falling back to `InMemoryScriptService`. Release Orchestrator scripts endpoints were expanded to expose entry point, dependency, version, and total-count metadata and to accept `script:read` / `script:write` in addition to the older orchestrator scopes. Serial verification passed: `dotnet build src/Platform/StellaOps.Platform.WebService/StellaOps.Platform.WebService.csproj` `0 errors`, `dotnet test src/Platform/__Tests/StellaOps.Platform.WebService.Tests/StellaOps.Platform.WebService.Tests.csproj -- --filter-class StellaOps.Platform.WebService.Tests.RemoteReleaseOrchestratorScriptServiceTests` `3/3`, `dotnet build src/ReleaseOrchestrator/__Apps/StellaOps.ReleaseOrchestrator.WebApi/StellaOps.ReleaseOrchestrator.WebApi.csproj` `0 errors`, `dotnet test src/ReleaseOrchestrator/__Tests/StellaOps.ReleaseOrchestrator.Integration.Tests/StellaOps.ReleaseOrchestrator.Integration.Tests.csproj` `20/20`. | Developer |
| 2026-04-13 | Post-change live sanity check: the local stack is back up (`platform`, `authority`, and `concelier` healthy; frontdoor `GET /` returned `200`), but `stellaops-router-gateway` still reports `unhealthy` and this sprint slice still lacks an authenticated live `/api/v2/scripts` proof after the remote-path change. | Developer |
| 2026-04-13 | Completed the release-environment runtime slice. Platform now binds release-environment flows to the PostgreSQL-backed Release Orchestrator services when configured and otherwise proxies the owning `/api/v1/release-orchestrator` API over HTTP instead of registering runtime in-memory environment/target/freeze stores. The Angular release-environment client now targets `/api/v1/release-orchestrator`, maps real environment/target/freeze payloads, enriches environment summaries from live targets/freeze windows, and submits type-specific target connection configuration for Docker, Compose, ECS, Nomad, SSH, and WinRM targets. Serial verification passed: `dotnet build src/Platform/StellaOps.Platform.WebService/StellaOps.Platform.WebService.csproj` `0 errors`, `dotnet test src/Platform/__Tests/StellaOps.Platform.WebService.Tests/StellaOps.Platform.WebService.Tests.csproj -- --filter-class StellaOps.Platform.WebService.Tests.RemoteReleaseOrchestratorEnvironmentClientTests` `3/3`, `dotnet test src/Platform/__Tests/StellaOps.Platform.WebService.Tests/StellaOps.Platform.WebService.Tests.csproj -- --filter-class StellaOps.Platform.WebService.Tests.ReleaseOrchestratorEnvironmentEndpointsTests` `2/2`, `dotnet test src/ReleaseOrchestrator/__Tests/StellaOps.ReleaseOrchestrator.Integration.Tests/StellaOps.ReleaseOrchestrator.Integration.Tests.csproj` `22/22`, `npm run build` in `src/Web/StellaOps.Web` succeeded, and a live authenticated browser probe confirmed the UI now issues `/api/v1/release-orchestrator/*` requests rather than `/api/v1/release-jobengine/*`. | Developer |
| 2026-04-13 | Finished the live release-environment backend convergence. The browser-facing local slice had omitted `release-orchestrator`, so `/api/v1/release-orchestrator/environments` returned `503`; after rebuilding and starting the real service, authenticated UI traffic still failed with `400` because the environment PostgreSQL stores could not resolve `Func<Guid>` for tenant scope. `StellaOps.ReleaseOrchestrator.WebApi` now registers the tenant GUID provider from `ReleaseEnvironmentIdentityAccessor`, and the infrastructure registration test now resolves the environment stores from DI instead of only checking descriptor presence. Serial verification passed: `dotnet test src/ReleaseOrchestrator/__Tests/StellaOps.ReleaseOrchestrator.Integration.Tests/StellaOps.ReleaseOrchestrator.Integration.Tests.csproj -- --filter-class StellaOps.ReleaseOrchestrator.Integration.Tests.ReleaseEnvironmentInfrastructureRegistrationTests`, `docker compose -f devops/compose/docker-compose.stella-ops.yml up -d release-orchestrator`, `curl.exe -k -i https://stella-ops.local/api/v1/release-orchestrator/environments` (`401` through frontdoor), and an authenticated Playwright probe of `/releases/environments?tenant=demo-prod&regions=apac,eu-west,us-east,us-west` that now reaches the real backend path and renders the truthful empty-state instead of a transport error. | Developer |
| 2026-04-13 | Extended the live browser proof from read-only recovery to a real mutation round-trip. The authenticated UI created environment `e2e-238131` (`201`, backend id `08d0d89d-964e-4f84-90e8-04cad6f2a0ff`) through `/releases/environments`, rendered the new card from the persisted backend response, then deleted it through the same UI path (`204`) and returned to the truthful empty-state. | Developer |
| 2026-04-13 | Fixed the remaining release-environment detail-flow contract drift. The owning Release Orchestrator environment/target/freeze models now serialize enum-backed target, health, known-hosts, and WinRM transport values with the Web JSON string-enum contract, and the Angular release-environment client now accepts PascalCase and numeric enum variants from the owning API while still emitting the canonical request shape. The freeze-window editor no longer toggles a dead `showAddDialog` flag; clicking `Add Freeze Window` now opens the real form path. Serial verification passed: `dotnet test src/ReleaseOrchestrator/__Tests/StellaOps.ReleaseOrchestrator.Environment.Tests/StellaOps.ReleaseOrchestrator.Environment.Tests.csproj` `158/158`, `npx vitest run src/tests/environments/release-environment.client.contract.spec.ts src/tests/environments/freeze-window-editor.component.spec.ts --config vitest.codex.config.ts` `3/3`, and `npm run build` in `src/Web/StellaOps.Web` succeeded after the UI changes. | Developer |
| 2026-04-13 | Completed live authenticated end-to-end proof for the persisted release-environment detail surface. Through `https://stella-ops.local/releases/environments` the browser created environment `e2e-728048` (`201`, id `0d1a9597-c30c-4a17-891a-9dcdfe1ccffa`), updated settings (`200`), created a target (`201`, id `2ab5b680-1c09-4149-b160-af08a614b19c`), deleted that target (`204`), created a freeze window (`201`, id `2377401c-425d-4277-a02b-ec5605cccf1a`), deleted that freeze window (`204`), and deleted the environment (`204`). The two leftover trial environments from earlier failed runs, `E2E e2e-792313` and `E2E e2e-543565`, were then cleaned up through the same authenticated backend path with `204` responses so the local stack did not retain stale verification data. | Developer |
| 2026-04-14 | Closed an unrelated live frontdoor blocker uncovered during the authenticated dashboard rerun: `/api/v1/vulnerabilities/status` returned `503` because `scanner-web` was missing from the local compose runtime even though the gateway route still pointed at `scanner.stella-ops.local`. Built `stellaops/scanner-web:dev`, started `stellaops-scanner-web`, and verified the path now returns `401` unauthenticated through `https://stella-ops.local/api/v1/vulnerabilities/status`, proving the route is back on the real scanner service instead of failing as an unavailable target. | Developer |
| 2026-04-14 | Replaced the live Release Control deployment seed path with persisted runtime state. `StellaOps.ReleaseOrchestrator.WebApi` now binds `IDeploymentCompatibilityStore` to a PostgreSQL-backed store, startup auto-migrates `release_orchestrator.deployments`, and the store no longer seeds fake `dep-001`..`dep-004` rows on first access. Serial verification passed: `dotnet test src/ReleaseOrchestrator/__Tests/StellaOps.ReleaseOrchestrator.Integration.Tests/StellaOps.ReleaseOrchestrator.Integration.Tests.csproj` `24/24`, `npm run build` in `src/Web/StellaOps.Web`, live API proof that the deployments list starts empty (`200`, `totalCount=0`), `POST /api/v1/release-orchestrator/deployments` creates `dep-4536d81685ac` (`201`), the same deployment survives a `release-orchestrator` container recreate, and the live browser route `/releases/deployments` now mounts the real Angular deployment feature and renders the persisted `checkout-api` deployment card and detail view instead of the old hardcoded `DEP-2026-*` screens. | Developer |
| 2026-04-14 | Expanded the runtime cleanup inventory into VexLens after the VEX Hub and issuer paths were moved to real services. Confirmed the remaining live noise-gating gap: `src/VexLens/StellaOps.VexLens/Extensions/VexLensServiceCollectionExtensions.cs` still registers `ISnapshotStore` and `IGatingStatisticsStore` to in-memory implementations, `src/VexLens/StellaOps.VexLens.WebService/Extensions/VexLensEndpointExtensions.cs` does not persist gated snapshots/statistics after `GateAsync`, and `src/Web/StellaOps.Web/src/app/app.config.ts` does not bind the production noise-gating API client at all. Next implementation slice is `src/VexLens/**` plus the Angular DI binding in `src/Web/StellaOps.Web/**`. | Developer |
| 2026-04-14 | Completed the VexLens noise-gating runtime slice. `ISnapshotStore` and `IGatingStatisticsStore` now resolve to PostgreSQL-backed implementations, startup auto-migrates `vexlens.noise_gate_*`, gating endpoints persist gated snapshots/statistics, and the Angular production runtime binds the real noise-gating client from `app.config.ts`. Serial verification passed: `dotnet test src/VexLens/__Tests/StellaOps.VexLens.WebService.Tests/StellaOps.VexLens.WebService.Tests.csproj` `7/7`, `npx vitest run src/tests/triage/noise-gating-api.providers.spec.ts --config vitest.codex.config.ts` `1/1`, rebuilt `stellaops/vexlens-web:dev`, verified `stellaops-vexlens-web` healthy, seeded `live-gate-001` into the live PostgreSQL schema, then confirmed live `POST http://vexlens.stella-ops.local/api/v1/vexlens/gating/snapshots/live-gate-001/gate` `200`, live `GET http://vexlens.stella-ops.local/api/v1/vexlens/gating/statistics` `200` with `totalSnapshots=1`, and live DB counts `raw|1`, `gated|1`, `stats|1`. | Developer |
| 2026-04-14 | Completed the VexHub runtime auth/export slice. `StellaOps.VexHub.WebService` no longer fabricates empty OpenVEX exports on backend failure, now accepts first-party Authority bearer tokens alongside API keys, and converges both runtime auth paths on canonical Authority scopes by normalizing legacy API-key `VexHub.Read` / `VexHub.Admin` values to `vexhub:read` / `vexhub:admin`. The gateway/frontdoor denial root cause was also confirmed during this slice: the router currently treats extracted required claims as an `AND` set, so dual-scope compatibility policies break live frontdoor auth even when the service-level authorization would accept either scope. Serial verification passed: `dotnet test src/VexHub/__Tests/StellaOps.VexHub.WebService.Tests/StellaOps.VexHub.WebService.Tests.csproj` `15/15`, rebuilt `stellaops/vexhub-web:dev`, verified `stellaops-vexhub-web` healthy, and confirmed authenticated live `GET https://stella-ops.local/api/v1/vex/export` returns `200` with `application/vnd.openvex+json` and a real `@context` document when called with the Authority bearer token from the signed-in frontdoor session. | Developer |
| 2026-04-14 | Converged the live VEX console onto the real VexHub and VexLens contract. Angular now reads search/detail data from `/api/v1/vex/search` and `/api/v1/vex/statement/{id}`, computes consensus through `POST /api/v1/vexlens/consensus`, and resolves conflicts through `/api/v1/vex/conflicts/resolve`; the VEX detail panel was also corrected to request the real consensus-result DTO instead of the retired consensus shape. Serial verification passed: `dotnet test src/VexHub/__Tests/StellaOps.VexHub.WebService.Tests/StellaOps.VexHub.WebService.Tests.csproj` `17/17`, `npm run test:vex` `101/101`, `npm run build` in `src/Web/StellaOps.Web`, refreshed the live `compose_console-dist` bundle, re-authenticated the frontdoor session with `npm run test:e2e:live:auth`, and verified live `/ops/policy/vex/search` reaches the real backend with `GET https://stella-ops.local/api/v1/vex/search?limit=20` `200`. The local dataset had no statement rows during this pass, so live statement-detail click-through could not be exercised against populated data. | Developer |
| 2026-04-14 | Completed the Excititor runtime-persistence slice. `StellaOps.Excititor.WebService` and `StellaOps.Excititor.Worker` no longer register runtime `InMemoryVexProviderStore`, `InMemoryVexConnectorStateRepository`, or `InMemoryVexClaimStore`; `StellaOps.Excititor.Persistence` now wires startup migrations for `vex`, owns a PostgreSQL `IVexClaimStore`, and adds `003_vex_claim_store.sql` to create `vex.claims` while removing historical demo rows from prior local installs. The migration-loader root cause for the long-standing Excititor persistence failure was also corrected by restricting embedded SQL resources to active top-level migrations and deleting the live demo-seed migration. Serial verification passed: `dotnet build src/Concelier/__Libraries/StellaOps.Excititor.Persistence/StellaOps.Excititor.Persistence.csproj` `0 errors`, manifest-resource check returned only `001_initial_schema.sql`, `002_vex_evidence_links.sql`, `003_vex_claim_store.sql`, `dotnet build src/Concelier/StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj` `0 errors`, and `dotnet build src/Concelier/StellaOps.Excititor.Worker/StellaOps.Excititor.Worker.csproj` `0 errors`. Direct disposable-Postgres application of `001`+`002`+`003` succeeded. The remaining blocker is test-harness related: `dotnet test src/Concelier/__Tests/StellaOps.Excititor.Persistence.Tests/StellaOps.Excititor.Persistence.Tests.csproj` now reaches the testhost after the migration-assembly fix, but the full suite stops advancing and a filtered rerun is unreliable because Microsoft.Testing.Platform ignores `VSTestTestCaseFilter` and one stale Excititor testhost held the `TestResults` log file open until it was terminated. | Developer |
| 2026-04-14 | Completed the Scanner manifest/proof runtime slice. `StellaOps.Scanner.WebService` no longer binds live score-replay and manifest/proof retrieval to `InMemoryScanManifestRepository`, `InMemoryProofBundleRepository`, `TestManifestRepository`, or `TestProofBundleRepository`; it now uses scoped adapters over `PostgresScanManifestRepository` and `PostgresProofBundleRepository` so singleton replay services still read persisted rows. Serial verification passed: `dotnet build src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj` `0 errors`; `docker build -f devops/docker/Dockerfile.hardened.template . --build-arg SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0-noble --build-arg RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0-noble --build-arg APP_PROJECT=src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj --build-arg APP_BINARY=StellaOps.Scanner.WebService --build-arg APP_PORT=8444 -t stellaops/scanner-web:dev` completed; and the live `scanner-web` container was recreated twice. Direct PostgreSQL seeding created one real `scanner.scans` / `scanner.scan_manifest` / `scanner.proof_bundle` dataset for scan `11111111-1111-1111-1111-111111111111`; live API proof through `http://scanner.stella-ops.local/api/v1/scans/11111111-1111-1111-1111-111111111111/manifest` and `/proofs` returned that persisted row set before and after the second `scanner-web` recreate. The remaining blocker is test-harness related: a targeted `dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj -- --filter-class StellaOps.Scanner.WebService.Tests.ManifestEndpointsTests` run reaches the xUnit/MTP testhost but stops advancing after launch, so live API proof is currently stronger evidence than the class-filtered test lane for this slice. | Developer |
| 2026-04-14 | Completed the Policy gate-bypass audit runtime slice. `StellaOps.Policy.Engine` no longer binds `IGateBypassAuditRepository` to `InMemoryGateBypassAuditRepository`; it now creates `PostgresGateBypassAuditRepository` from the real persistence interface and current tenant context, falling back deterministically to `public` only when no tenant is present. The config-driven Policy persistence extension was also fixed to register `IGateBypassAuditPersistence`, and the pre-existing live Policy host failure was repaired by namespacing the `/api/v1/governance/*` endpoint names so they no longer collide with `/api/risk/*` route names. Serial verification passed: `dotnet build src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj` `0 errors`, `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineGateBypassAuditRegistrationTests` `2/2`, and `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineApiHostTests` `5/5`. Live verification exposed and then cleared a separate runtime blocker: the frontdoor originally returned `503 Target microservice unavailable` for `POST /api/v1/policy/gate/evaluate` because `stellaops-policy-engine` was not running locally. After building `stellaops/policy-engine:dev` and starting the service, the same authenticated browser-backed frontdoor request returned `401 Authentication required` instead of `503`, and direct `GET http://policy-engine.stella-ops.local/healthz` returned `200`. | Developer |
| 2026-04-14 | Completed the Policy snapshot/export runtime slice. `StellaOps.Policy.Engine` now binds `ISnapshotStore` and `ILedgerExportStore` to PostgreSQL-backed adapters over new runtime tables `policy.engine_snapshots` and `policy.engine_ledger_exports`, and `StellaOps.Policy.Persistence` now applies startup migrations for the Policy schema directly on `policy-engine` boot. The first live redeploy exposed a real migration fault on reused local volumes: `001_initial_schema.sql` still used non-idempotent `CREATE INDEX`, `CREATE TRIGGER`, and `CREATE POLICY` statements, so the service crash-looped on `42P07 relation "idx_recheck_policies_tenant" already exists`. That migration was hardened for reused local databases, the image was rebuilt, and `stellaops-policy-engine` returned to `healthy`. Serial verification passed: `dotnet build src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj` `0 errors`, `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -- --filter-class StellaOps.Policy.Engine.Tests.Ledger.PostgresLedgerExportStoreTests` `2/2`, `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -- --filter-class StellaOps.Policy.Engine.Tests.Snapshots.PostgresSnapshotStoreTests` `2/2`, and `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineRuntimeStoreRegistrationTests` `2/2`. Live verification also passed: direct authenticated `POST/GET http://policy-engine.stella-ops.local/api/policy/snapshots*` returned `200`, the created snapshot `CAW59134KVADGKWSSH9RQARA54` remained available after a full `policy-engine` recreate, and authenticated frontdoor `POST/GET https://stella-ops.local/api/policy/snapshots*` returned `200` with snapshot `0BKN7YSPAWQM7SVMVQVTK53QKC`. One transient frontdoor `503 No instances available` appeared immediately after the first service restart, but it cleared once router/service state converged and the routed path verified successfully. | Developer |
| 2026-04-14 | Completed the Policy merged-gateway tenant-bridge slice. The merged gateway endpoints in `StellaOps.Policy.Engine` were still using the unified `RequireTenant()` filter from `StellaOps.Auth.ServerIntegration`, but the host only registered the legacy Policy-specific tenant middleware. That mismatch caused authenticated tenant-scoped gateway routes like `POST /api/policy/deltas/compute` to fail before the handler with `500` even though direct baseline selection and delta computation were healthy. `Program.cs` now registers `AddStellaOpsTenantServices()` and runs `UseStellaOpsTenantMiddleware()` alongside the existing Policy tenant context middleware, and the regression suite now asserts that `IStellaOpsTenantAccessor` resolves in the Policy host. Serial verification passed: `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineDeltaApiTests` `1/1` and `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineRuntimeStoreRegistrationTests` with the new unified-tenant assertion. Live verification also passed after rebuilding `stellaops/policy-engine:dev` with `devops/docker/build-all.ps1 -Services policy-engine` and recreating `stellaops-policy-engine`: direct tenant-scoped `POST http://policy-engine.stella-ops.local/api/policy/deltas/compute` with intentionally incomplete JSON now returns `400` instead of the old pre-handler `500`, and unauthenticated frontdoor `POST https://stella-ops.local/api/v1/policy/gate/evaluate` remains a clean `401` rather than a service failure. | Developer |
| 2026-04-14 | Completed the Graph runtime repository slice. `StellaOps.Graph.Api` no longer decides its live runtime graph source from the early `hasPostgres` startup snapshot; `IGraphRuntimeRepository` now resolves from final `Postgres:Graph` options so test hosts and local compose runs use `PostgresGraphRuntimeRepository` whenever Graph persistence is configured, while the no-Postgres runtime fallback is an empty in-memory repository rather than demo-seeded graph data. Focused verification passed against the specific Graph API test project: `dotnet test src/Graph/__Tests/StellaOps.Graph.Api.Tests/StellaOps.Graph.Api.Tests.csproj -- --filter-class StellaOps.Graph.Api.Tests.GraphRuntimeRepositoryRegistrationTests` `2/2`, `dotnet test src/Graph/__Tests/StellaOps.Graph.Api.Tests/StellaOps.Graph.Api.Tests.csproj -- --filter-class StellaOps.Graph.Api.Tests.GraphCompatibilityEndpointsIntegrationTests` `3/3`, and `dotnet test src/Graph/__Tests/StellaOps.Graph.Api.Tests/StellaOps.Graph.Api.Tests.csproj -- --filter-class StellaOps.Graph.Api.Tests.GraphPostgresRuntimeIntegrationTests` `2/2`. The deeper runtime regression also uncovered and corrected two test-level issues: `/graph/query` requires `query` or `filters`, and raw NDJSON assertions against edge IDs must account for JSON escaping of `>` or assert decoded edge fields instead. | Developer |
| 2026-04-15 | Completed the standalone Policy Gateway delta-runtime slice. `StellaOps.Policy.Gateway` no longer binds `ISnapshotStore` to `InMemorySnapshotStore`; it now reuses `StellaOps.Policy.Engine`'s persisted `PersistedKnowledgeSnapshotStore` and `DeltaSnapshotServiceAdapter` so the live compatibility gateway projects real packages, reachability, VEX statements, policy violations, and unknowns from `policy.engine_snapshots` instead of fabricating mostly-empty delta input. Focused verification passed: `dotnet test src/Policy/__Tests/StellaOps.Policy.Gateway.Tests/StellaOps.Policy.Gateway.Tests.csproj -- --filter-class StellaOps.Policy.Gateway.Tests.PolicyGatewayPersistedDeltaRuntimeTests` `1/1`. The first run exposed a host-startup test harness issue because startup migrations expect a real Policy connection string; the focused factory now removes hosted services so the test proves the runtime DI/projection behavior rather than unrelated migration bootstrapping. | Developer |
| 2026-04-15 | Completed the standalone Policy Gateway gate-bypass audit slice. `StellaOps.Policy.Gateway` no longer binds `IGateBypassAuditRepository` to `InMemoryGateBypassAuditRepository`; it now resolves `PostgresGateBypassAuditRepository` from `IGateBypassAuditPersistence` plus the live `IStellaOpsTenantAccessor`, with the same deterministic `public` fallback tenant used by `StellaOps.Policy.Engine`. Focused verification passed in the specific gateway test project: `dotnet test src/Policy/__Tests/StellaOps.Policy.Gateway.Tests/StellaOps.Policy.Gateway.Tests.csproj -- --filter-class StellaOps.Policy.Gateway.Tests.PolicyGatewayPersistedDeltaRuntimeTests` `3/3`, and `dotnet build src/Policy/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.csproj` completed with `0` errors. The gateway shared test factory was also corrected to provide a dummy `Postgres:Policy:ConnectionString`, which was previously missing and prevented persistence-backed services from resolving in focused host tests. | Developer |
| 2026-04-15 | Completed the Policy async webhook queue truthfulness slice. `StellaOps.Policy.Gateway` and the merged `StellaOps.Policy.Engine` gateway surface no longer register `InMemoryGateEvaluationQueue` or the background `GateEvaluationWorker`; both hosts now resolve `IGateEvaluationQueue` to an explicit unsupported runtime adapter, and registry webhook push endpoints return `501` problem details instead of fabricated `202 Accepted` job IDs when no scheduler-backed dispatcher exists. Serial verification passed: `dotnet build src/Policy/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.csproj` `0 errors`, `dotnet build src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj` `0 errors`, `dotnet test src/Policy/__Tests/StellaOps.Policy.Gateway.Tests/StellaOps.Policy.Gateway.Tests.csproj -- --filter-class StellaOps.Policy.Gateway.Tests.RegistryWebhookQueueRuntimeTests` `2/2`, and `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineRegistryWebhookRuntimeTests` `2/2`. The first gateway test run exposed a harness-only startup migration issue because the shared `TestPolicyGatewayFactory` keeps hosted services enabled by default; the focused webhook tests now remove `IHostedService` registrations so they verify the new DI/runtime behavior rather than an unrelated local PostgreSQL dependency. | Developer |
| 2026-04-15 | Completed the real Policy async registry-webhook dispatcher slice. `StellaOps.Policy.Engine` now provides a runtime-selected async gate-evaluation path: when `Postgres:Scheduler` is absent, webhook push handlers still fail honestly with `501`; when it is configured, both `StellaOps.Policy.Engine` and `StellaOps.Policy.Gateway` register the shared scheduler-backed queue runtime, auto-migrate scheduler persistence, enqueue deduplicated `policy.gate-evaluation` jobs, dispatch them through the worker service, and expose persisted status/results from `GET /api/v1/policy/gate/jobs/{jobId}`. Serial verification passed: `dotnet test src/Policy/__Tests/StellaOps.Policy.Gateway.Tests/StellaOps.Policy.Gateway.Tests.csproj --no-restore -- --filter-class StellaOps.Policy.Gateway.Tests.RegistryWebhookQueueRuntimeTests` `4/4`, `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj --no-restore -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineRegistryWebhookRuntimeTests --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineSchedulerWebhookRuntimeTests` `3/3`, and `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj --no-restore -- --filter-class StellaOps.Policy.Engine.Tests.Deltas.PersistedKnowledgeSnapshotStoreTests --filter-class StellaOps.Policy.Engine.Tests.Deltas.DeltaSnapshotServiceAdapterTests` `3/3`. The first delta rerun used the file name instead of the test class name and selected `0` tests under Microsoft.Testing.Platform; the corrected class filters are now recorded above. | Developer |
| 2026-04-15 | Completed live compose proof for the scheduler-backed Policy async webhook path. The active `docker-compose.stella-services.yml` and legacy compose definition now pass `STELLAOPS_POLICY_ENGINE_Postgres__Scheduler__*` into `policy-engine`; after rebuilding `stellaops/policy-engine:dev` and recreating `stellaops-policy-engine`, the host applied `Scheduler.Persistence` startup migrations and remained healthy. Direct live proof against `http://policy-engine.stella-ops.local` with `X-Stella-Tenant: demo-prod` then showed `POST /api/v1/webhooks/registry/generic` returning `202 Accepted` with `Location: /api/v1/policy/gate/jobs/22ad496a-ef16-4a2b-b132-50f990f41d79`, and `GET /api/v1/policy/gate/jobs/22ad496a-ef16-4a2b-b132-50f990f41d79` returned `200` with persisted failed status, retry counters, timestamps, and the truthful runtime error `Target snapshot sha256:bbbb... not found`. This proves the live host is no longer on the old fake queue path. | Developer |
| 2026-04-15 | Completed the Policy artifact-target snapshot runtime slice. `StellaOps.Policy.Engine` now materializes tenant-scoped target snapshots with artifact digest/repository/tag from persisted `policy.engine_ledger_exports` before synchronous or queued gate evaluation instead of treating image digests as ad-hoc snapshot IDs. The live queue worker also needed a follow-up fix after first deployment: `GateTargetSnapshotMaterializer` had an internal constructor, so the scheduler worker could not resolve it through DI until the constructor was made public and the image was rebuilt. Focused verification passed: `dotnet build src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj --no-restore` `0 errors`, and `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj --no-restore -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineGateTargetSnapshotRuntimeTests --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineSchedulerWebhookRuntimeTests` `2/2`. Live direct verification then seeded one persisted `policy.engine_ledger_exports` row plus one baseline `policy.engine_snapshots` row for tenant `demo-prod`, replayed `POST http://policy-engine.stella-ops.local/api/v1/webhooks/registry/generic`, received `202 Accepted` for job `73a05fdf-4077-44e1-8deb-744695579631`, observed `GET /api/v1/policy/gate/jobs/73a05fdf-4077-44e1-8deb-744695579631` returning `completed` / `succeeded`, and confirmed persisted target snapshot `N0Q038BR9RWMZRD8J7KC7T9DSC` for `demo/api@sha256:bbbb...` in `policy.engine_snapshots`. | Developer |
| 2026-04-15 | Completed the Policy first-run bootstrap slice. `StellaOps.Policy.Engine` now resolves `IOrchestratorJobStore` and `IWorkerResultStore` through PostgreSQL-backed adapters over `policy.orchestrator_jobs` and `policy.worker_results`, and sync/async gate evaluation now auto-builds the first ledger export and baseline snapshot when no baseline exists but completed persisted Policy result data does. Focused verification passed: `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj --no-restore -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineRuntimeStoreRegistrationTests` `6/6`, `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj --no-restore -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineGateTargetSnapshotRuntimeTests` `3/3`, `dotnet build src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj --no-restore` `0 errors`, and `dotnet build src/Policy/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.csproj --no-restore` `0 errors`. Live verification rebuilt `stellaops/policy-engine:dev`, recreated `stellaops-policy-engine`, seeded brand-new tenant `bootstrap-live-20260415b` with only one completed `policy.orchestrator_jobs` row plus one completed `policy.worker_results` row, confirmed `policy.engine_ledger_exports=0` and `policy.engine_snapshots=0` before replay, then observed `POST http://policy-engine.stella-ops.local/api/v1/webhooks/registry/generic` return `202 Accepted` for job `9413c45c-621b-42f3-b8d0-967bb1d0bbab` and `GET /api/v1/policy/gate/jobs/9413c45c-621b-42f3-b8d0-967bb1d0bbab` return `completed` / `succeeded`. Postgres then showed `policy.engine_ledger_exports=1` and two `policy.engine_snapshots` rows for the tenant: auto-created baseline snapshot `62WF54K1SZEZXVNGY7TADCJ46M` and target snapshot `25KR52BRM5YWJHGNDES67X2Z5G` for `demo/api@sha256:bbbb...`. | Developer |
| 2026-04-15 | Completed the Policy orchestrator producer runtime slice. `StellaOps.Policy.Engine` now signals a dedicated background host when `/policy/orchestrator/jobs` submits a queued job; the host drains queued work from `IOrchestratorJobStore`, executes it through `PolicyWorkerService`, persists `policy.worker_results`, and records terminal `completed` or `failed` status instead of depending on a separate manual `/policy/worker/run` step. Focused verification passed: `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj --no-restore -m:1 /p:UseSharedCompilation=false -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineRuntimeStoreRegistrationTests` `6/6` and `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj --no-restore -m:1 /p:UseSharedCompilation=false -- --filter-class StellaOps.Policy.Engine.Tests.Integration.PolicyEngineOrchestratorProducerRuntimeTests` `1/1`. | Developer |
| 2026-04-15 | Added an executable live proof harness for the Policy orchestrator producer path in `src/Web/StellaOps.Web/tests/e2e/integrations/policy-orchestrator.e2e.spec.ts` with runner `npm run test:e2e:policy:producer:live`. Live compose verification now passes end-to-end against `http://policy-engine.stella-ops.local`: the harness acquired a real Authority-backed token through the existing frontdoor auth flow, submitted `POST /policy/orchestrator/jobs` for tenant `demo-prod`, observed queued job `6VRYPQBCYP6N5Z2PX27TN0ERJ0`, polled `GET /policy/orchestrator/jobs/6VRYPQBCYP6N5Z2PX27TN0ERJ0` to terminal `completed`, fetched `GET /policy/worker/jobs/6VRYPQBCYP6N5Z2PX27TN0ERJ0`, and recorded proof artifact `src/Web/StellaOps.Web/output/playwright/policy-orchestrator-live-proof.json` with matching `result_hash` `D70BF3B49550F501A69CD357520F8B51812F248C7DEB133305B5ABE2E7554FB8`. | Developer |
## Decisions & Risks
- Decision: this sprint prioritizes live runtime paths the browser can currently reach over test-only mock helpers.
- Decision: unsupported operations must return truthful empty/problem responses rather than seeded demo success/error payloads.
- Decision: after the feed-mirror cleanup, the next highest-value runtime slice is the scripts compatibility path because the browser uses the real `/api/v2/scripts` backend and its compatibility action still reports fabricated success.
- Decision: the Platform direct scripts alias now reuses the Release Orchestrator scripts library and schema instead of keeping a separate in-memory implementation when PostgreSQL is configured.
- Decision: Platform now uses the owning Release Orchestrator scripts backend on both runtime branches: direct library binding when PostgreSQL is configured locally, HTTP proxying to the Release Orchestrator WebApi when it is not.
- Decision: Release Orchestrator scripts endpoints now accept the dedicated `script:read` / `script:write` scopes in addition to the older orchestrator scopes so the Platform proxy path does not need a privileged bypass.
- Decision: Platform release-environment runtime branches now follow the same pattern as scripts: direct PostgreSQL-backed Release Orchestrator services when configured locally, otherwise tenant/auth-aware HTTP proxying to the owning Release Orchestrator WebApi.
- Decision: the Angular release-environment client now treats `/api/v1/release-orchestrator` as the sole production backend path and maps the owning environment/target/freeze schema instead of relying on retired `release-jobengine` aliases or partial target DTOs.
- Decision: the Release Orchestrator host now provides the environment stores with the same tenant GUID resolver used by the higher-level environment services, so authenticated browser traffic activates the real persisted backend instead of faulting during DI.
- Decision: the owning Release Orchestrator environment surface now emits the environment-management enums with the standard Web JSON string-enum contract, and the Angular client accepts the owning API's PascalCase and numeric variants so detail/settings/targets/freeze-window flows remain compatible during rollout.
- Decision: live deployment monitoring state now starts empty and becomes real only after `/api/v1/release-orchestrator/deployments` mutations persist to PostgreSQL; seeded compatibility rows are no longer acceptable on the browser path.
- Decision: `/releases/deployments` now reuses the existing Release Orchestrator deployment store/components that call the real deployments API instead of the older standalone Angular stub pages with hardcoded `DEP-2026-*` payloads.
- Decision: the next active runtime slice is VexLens noise-gating because the backend endpoints exist but still rely on process-local storage and the Angular production app configuration never binds the real client.
- Decision: VexLens noise-gating now persists raw snapshots, gated snapshots, and aggregated statistics in PostgreSQL; the live gating/statistics endpoints are no longer backed by process-local memory.
- Decision: VexHub now uses the canonical Authority scopes `vexhub:read` / `vexhub:admin` as its single runtime contract for both service authorization and frontdoor routing; legacy API-key scope values are normalized inside the VexHub API-key handler instead of keeping multi-scope compatibility policies on the live HTTP path.
- Decision: VexHub export endpoints must fail truthfully with `problem+json` on backend generation faults rather than returning fabricated empty OpenVEX payloads.
- Decision: the live VEX console now uses `GET /api/v1/vex/search`, `GET /api/v1/vex/statement/{id}`, `POST /api/v1/vexlens/consensus`, and `POST /api/v1/vex/conflicts/resolve` as its canonical backend contract; the retired `GET /api/v1/vexlens/consensus/{cve}` and `GET /api/v1/vexlens/conflicts/{cve}` routes are not part of the live runtime path.
- Decision: `stellaops-web:test-vex` is the focused frontend verification lane for the VEX runtime slice because the default Angular target intentionally excludes these specs.
- Decision: Excititor runtime hosts now rely exclusively on the persistence-backed registrations from `AddExcititorPersistence`; live in-memory VEX provider, connector-state, and claim stores are no longer acceptable on the browser or worker path.
- Decision: `StellaOps.Policy.Engine` now runs both tenant stacks on the merged gateway surface: the legacy Policy tenant context for internal repositories and the unified StellaOps tenant accessor/middleware required by `RequireTenant()` endpoint filters copied from Policy Gateway. Without that bridge, tenant-scoped merged gateway routes fail before handlers with `500`.
- Decision: Excititor startup migrations now own both schema convergence and cleanup of historical demo VEX rows in local databases; the live migration assembly must embed only active top-level SQL files.
- Decision: Scanner manifest/proof and score-replay retrieval must resolve `scanner.scan_manifest` and `scanner.proof_bundle` through scoped PostgreSQL repositories even when higher-level replay services remain singletons; runtime bindings to `InMemoryScanManifestRepository`, `InMemoryProofBundleRepository`, `TestManifestRepository`, and `TestProofBundleRepository` are no longer acceptable on the live host.
- Decision: Policy gate-bypass auditing now uses the real PostgreSQL-backed `policy.gate_bypass_audit` path with tenant-aware resolution from `ITenantContextAccessor`; the in-memory audit repository is no longer acceptable on the live Policy host.
- Decision: the `/api/v1/governance/*` compatibility surface now uses unique `Governance.*` endpoint names so it can coexist with the main `/api/risk/*` runtime endpoints without crashing the Policy host on first request.
- Decision: the live Policy snapshot/list/get and ledger-export runtime paths now persist to Policy-owned PostgreSQL tables `policy.engine_snapshots` and `policy.engine_ledger_exports`; engine-local in-memory stores are no longer acceptable for those runtime surfaces.
- Decision: `StellaOps.Policy.Gateway` now reuses `StellaOps.Policy.Engine`'s persisted snapshot projection services for delta compatibility, so the standalone gateway no longer fabricates empty compatibility payloads through `InMemorySnapshotStore`.
- Decision: `StellaOps.Policy.Gateway` now resolves gate-bypass auditing through `PostgresGateBypassAuditRepository` using the unified StellaOps tenant accessor, so the standalone gateway no longer diverges from `policy-engine` with an in-memory audit store.
- Decision: registry webhook push endpoints in both Policy hosts now use a truthful runtime-selected async path: `501 problem+json` when scheduler persistence is absent, and `202 Accepted` with persisted scheduler-backed job IDs plus `/api/v1/policy/gate/jobs/{jobId}` status when `Postgres:Scheduler` is configured. The fictional in-memory queue/worker path and fabricated "no drift" gate contexts remain removed from the live runtime.
- Decision: Policy gate evaluation now materializes a persisted target snapshot with `artifact_digest`, `artifact_repository`, and `artifact_tag` from the latest tenant `policy.engine_ledger_exports` document (or the baseline snapshot's export) before delta computation. The live runtime no longer treats an image digest as a synthetic snapshot identifier on either the sync or async path.
- Decision: first-run Policy bootstrap now reads completed persisted orchestration results from `policy.orchestrator_jobs` and `policy.worker_results`, auto-builds the first `policy.engine_ledger_exports` document, and auto-creates the first baseline snapshot when no baseline exists and the request did not specify an explicit baseline reference.
- Decision: `/policy/orchestrator/jobs` is now the owning persisted producer path for upstream Policy execution state. Submitting a job signals `PolicyOrchestratorJobWorkerHost`, which leases queued jobs from `IOrchestratorJobStore`, executes them through `PolicyWorkerService`, writes `policy.worker_results`, and records terminal `completed` or `failed` status. `/api/policy/eval/batch` remains strictly stateless and is not allowed to backfill those tables.
- Decision: the live proof for the Policy orchestrator producer path is now automated through `src/Web/StellaOps.Web/tests/e2e/integrations/policy-orchestrator.e2e.spec.ts` and `npm run test:e2e:policy:producer:live`, reusing the existing frontdoor OIDC auth bootstrap to obtain a bearer token before calling the direct compose host `http://policy-engine.stella-ops.local`.
- Decision: the active local compose definition for `policy-engine` must pass `STELLAOPS_POLICY_ENGINE_Postgres__Scheduler__ConnectionString` and `SchemaName`, otherwise the live host cannot activate the real async queue branch even though the code is present.
- Decision: `Policy.Persistence` startup migrations must remain idempotent on reused local volumes because the local container reset path frequently reuses existing Policy objects without preserved migration state; duplicate-index/trigger/policy failures are not acceptable convergence behavior.
- Decision: Graph runtime repository selection now happens at service resolution from final `Postgres:Graph` options; the live `/graph/query`, `/graph/diff`, and `/graphs*` compatibility surfaces must never depend on the historical demo-seeded graph when Graph persistence is configured.
- Risk: several modules outside the initial slice still boot with runtime in-memory stores (`Notify`, `Policy`, `Platform`, `Scheduler`, `Scanner`, `BinaryIndex`, `Signals`, `SbomService`, `Signer`, `PacksRegistry`, `AdvisoryAI`). They will need follow-on slices unless a real persistence path already exists and can be wired safely.
- Risk: the code-level and project-level checks are green and the frontdoor is back up, but this sprint slice still lacks an authenticated live `/api/v2/scripts` verification after the remote-path change. `stellaops-router-gateway` remains `unhealthy`, so browser-level proof should wait for the router health follow-up.
- Risk: some feed-mirror sub-features appear to have no real persisted backend contract yet, so removing fake data may temporarily surface explicit `501`/empty-state behavior in the UI until the owning backend is implemented.
- Risk: the global Angular `ng test --watch=false --include ...` path is still blocked by unrelated compile failures outside this slice, so focused frontend verification for the release-environment detail flow currently depends on direct Vitest execution instead of the repo-wide Angular test target.
- Risk: after recreating `release-orchestrator`, the router can transiently serve `503 No instances available` until the new instance state converges; one live verification pass required a router restart before the frontdoor resumed routing the environment-management path.
- Risk: the deployment monitoring route is now truthful and persistent, but it is still a compatibility projection over deployment state rather than the full deployment engine and artifact/evidence pipeline. The browser no longer sees fake rows, but deeper deployment execution slices still need follow-on work.
- Risk: `stellaops-vexlens-web` still logs `libgssapi_krb5.so.2` load failures during startup even though the service becomes healthy and the live gating/statistics path works. That native-library gap still needs a follow-up before claiming the container image is fully converged.
- Risk: the frontdoor root cause uncovered during the VexHub slice is still broader than this module. `src/Router/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs` currently enforces extracted required claims as a hard `AND` set, so any future service policy that exposes alternative scope values will break at the gateway even if the service-level policy is intentionally `OR`.
- Risk: the live VEX search route now reaches the real backend, but the local dataset had no statement rows during verification, so statement-detail and consensus click-through remain proven by focused frontend tests rather than a populated live browser session.
- Risk: the Excititor persistence-suite verification is still partially blocked by Microsoft.Testing.Platform behavior rather than product logic. The old migration `42601` failure is gone after trimming embedded resources, but the full `StellaOps.Excititor.Persistence.Tests` project still hangs after launching the testhost, and filtered reruns are not trustworthy because MTP ignores `VSTestTestCaseFilter`.
- Risk: the Scanner manifest/proof runtime slice is live and backed by PostgreSQL, but targeted `StellaOps.Scanner.WebService.Tests` class-filtered runs still stop advancing after the xUnit/MTP testhost launches. Until that harness issue is fixed, live API verification is the most reliable evidence for this slice.
## Next Checkpoints
- Remove the active Angular VEX Hub mock provider.
- Re-test the live VEX Hub browser surfaces and continue stripping remaining VEX/VEXLens compatibility or seeded runtime paths.
- Continue the next highest-value live cleanup outside the completed Scanner manifest/proof and Graph runtime slices: replace remaining active runtime in-memory stores in feeds, Policy, and Scheduler.
- Convert the Concelier feed-mirror endpoints from seeded data to real source/read-model state.
- Replace the remaining on-disk stub deployment pages under `src/Web/StellaOps.Web/src/app/features/deployments/` with thin wrappers or remove them once no legacy references remain.
- Decide whether the real release-environment management feature should replace the current `/environments/overview` redirect path or continue to coexist with the topology inventory surface.
- Re-run the live scripts UI and compatibility panel once the local stack is back up.
- Re-test the live feed pages and record the next runtime cleanup slice.

67
docs-archived/implplan/SPRINT_20260413_002_Integrations_gitlab_secret_bootstrap_automation.md Normal file
View File

@@ -0,0 +1,67 @@
# Sprint 20260413-002 - GitLab Secret Bootstrap Automation
## Topic & Scope
- Remove the last manual local GitLab secret-seeding step from the local integrations lane by scripting PAT rotation and Vault writeback.
- Keep GitLab local integrations opt-in, but make the credential bootstrap reusable and idempotent from repo-owned scripts.
- Sync the setup docs with the automated GitLab path and verify the one-command registration flow on this machine.
- Working directory: `scripts/`.
- Expected evidence: script runs, Vault secret metadata, GitLab PAT inventory, integration registration output, and updated setup docs.
## Dependencies & Concurrency
- Depends on the archived local scratch-setup sprint `docs-archived/implplan/SPRINT_20260413_001_Platform_scratch_setup_local_integrations.md`.
- Safe parallelism is low because the bootstrap rotates live local GitLab PAT material and updates a shared Vault path.
- Cross-directory edits are allowed for `scripts/**`, `docs/**`, and `devops/**` only.
## Documentation Prerequisites
- `docs/INSTALL_GUIDE.md`
- `docs/integrations/LOCAL_SERVICES.md`
- `devops/compose/README.md`
- `docs-archived/implplan/SPRINT_20260413_001_Platform_scratch_setup_local_integrations.md`
## Delivery Tracker
### GITLAB-001 - Automate local GitLab PAT bootstrap into Vault
Status: DONE
Dependency: none
Owners: Developer / Ops Integrator
Task description:
- Add a repo-owned script that can bootstrap or rotate the local GitLab personal access token used by the GitLab SCM, CI, and registry integrations.
- The script must reuse the existing `secret/gitlab` material when it still verifies, rotate stale tokens deterministically, and write the resulting auth material back into the dev Vault without requiring manual UI work.
Completion criteria:
- [x] A local script can create or rotate the GitLab PAT and write `access-token` plus `registry-basic` into `secret/gitlab`.
- [x] The script reuses a valid local secret instead of rotating on every run.
- [x] The script verifies the GitLab API token and optional registry token exchange before reporting success.
### GITLAB-002 - Wire and verify the automated GitLab registration path
Status: DONE
Dependency: GITLAB-001
Owners: Developer / Documentation Author
Task description:
- Wire the local integration helper so GitLab-backed registration can invoke the bootstrap automatically when requested.
- Update the setup docs to make the automated GitLab path the documented local default, keeping manual Vault writes only as an override path.
Completion criteria:
- [x] `scripts/register-local-integrations.ps1` can invoke the GitLab bootstrap automatically.
- [x] The install and local-service docs describe the automated GitLab path and the one-command registration flow.
- [x] The GitLab-backed integration registration path is rerun successfully on this machine with the automated bootstrap enabled.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-04-13 | Sprint created to automate the remaining local GitLab PAT and Vault bootstrap step after the archived local scratch-setup sprint closed green. | Developer |
| 2026-04-13 | Confirmed the local GitLab CE admin OAuth password-grant, PAT list, PAT create, and PAT revoke APIs all work against the running local heavy GitLab profile. | Developer |
| 2026-04-13 | Added `scripts/bootstrap-local-gitlab-secrets.ps1` to reuse or rotate the local `stella-local-integration` PAT, verify API plus registry token exchange, and write `secret/gitlab` metadata into the dev Vault. | Developer |
| 2026-04-13 | Updated `scripts/register-local-integrations.ps1` with `-BootstrapGitLabSecrets`, then re-ran `powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 -Tenant demo-prod -IncludeGitLab -IncludeGitLabRegistry -BootstrapGitLabSecrets`; result: all 16 local integrations converged `Healthy`. | Developer |
| 2026-04-13 | Updated `docs/INSTALL_GUIDE.md`, `docs/integrations/LOCAL_SERVICES.md`, and `devops/compose/README.md` to make the scripted GitLab bootstrap the documented local path and keep manual Vault writes as the override path. | Developer |
## Decisions & Risks
- Decision: the local GitLab bootstrap continues to use the deterministic local root account (`root` / `Stella2026!`) because that credential is already the documented dev default in `docker-compose.integrations.yml`.
- Decision: the bootstrap PAT name is fixed to `stella-local-integration`; reruns revoke earlier active PATs with the same name before creating a replacement token so the local token inventory does not grow without bound.
- Decision: the script stores `bootstrap-user`, `token-name`, `expires-at`, and `rotated-at` alongside `access-token` and `registry-basic` in `secret/gitlab` so local operators can inspect the current bootstrap state without exposing extra secret sources.
- Risk: there is no existing PowerShell unit-test harness in this repo for local ops scripts, so verification for this change is live-script execution against the local GitLab and Vault containers plus the integration registration pass.
- Risk: the GitLab local integrations remain opt-in because the heavy GitLab profile and optional registry surface still carry materially higher resource cost than the default local provider lane.
## Next Checkpoints
- If the local GitLab root password is changed in compose, update `scripts/bootstrap-local-gitlab-secrets.ps1` defaults and the associated docs in the same change.
- If the local GitLab topology moves away from the root account, replace the bootstrap user model with a dedicated seeded local service user and update the Vault metadata schema accordingly.

87
docs-archived/implplan/SPRINT_20260413_003_Web_ui_driven_local_setup_rerun.md Normal file
View File

@@ -0,0 +1,87 @@
# Sprint 20260413-003 -- UI Driven Local Setup Rerun
## Topic & Scope
- Re-run the Stella Ops local setup from zero Stella runtime state and use the browser UI as the operator surface instead of the CLI registration path.
- Verify which parts of the setup wizard and integrations hub are truly live and which parts still depend on script/API-only bootstrap behind the scenes.
- Leave behind truthful evidence: what the UI can complete today, what was completed via UI, and any remaining product gaps that still prevent a full UI-only bootstrap.
- Working directory: `.`.
- Expected evidence: sprint log, live browser verification, container health, and final integration health results.
## Dependencies & Concurrency
- Required docs: `docs/modules/platform/architecture-overview.md`, `docs/INSTALL_GUIDE.md`, `docs/integrations/LOCAL_SERVICES.md`, `src/Web/StellaOps.Web/AGENTS.md`.
- Builds on the local-stack convergence work in [SPRINT_20260409_002_Platform_local_stack_regression_retest.md](/C:/dev/New%20folder/git.stella-ops.org/docs/implplan/SPRINT_20260409_002_Platform_local_stack_regression_retest.md) and the local-integration automation in [SPRINT_20260413_002_Integrations_gitlab_secret_bootstrap_automation.md](/C:/dev/New%20folder/git.stella-ops.org/docs/implplan/SPRINT_20260413_002_Integrations_gitlab_secret_bootstrap_automation.md).
- Safe parallelism: none during wipe/setup because the environment reset is global to the machine. Browser verification can run only after the platform is reachable.
## Documentation Prerequisites
- `docs/modules/platform/architecture-overview.md`
- `docs/INSTALL_GUIDE.md`
- `docs/integrations/LOCAL_SERVICES.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
### UISETUP-001 - Reset the local Stella runtime to zero state
Status: DONE
Dependency: none
Owners: Developer / QA
Task description:
- Remove Stella-owned runtime containers, volumes, networks, and local images so the rerun starts from zero Stella platform state rather than from the already converged environment.
- Re-run the documented setup entrypoint needed to bring the platform back to a reachable browser state.
Completion criteria:
- [x] Stella-owned containers, volumes, and networks are removed before the rerun.
- [x] The documented local setup entrypoint is executed successfully after the wipe.
- [x] `https://stella-ops.local` becomes reachable again for browser-driven setup.
### UISETUP-002 - Drive the operator setup through the browser UI
Status: DONE
Dependency: UISETUP-001
Owners: Developer / QA
Task description:
- Use the live browser UI to sign in, complete the setup wizard flow, and exercise the integrations onboarding surfaces instead of provisioning through the CLI registration helper.
- Record which configuration steps are truly persisted/provisioned by the UI versus which ones are session-only or still backend-limited.
Completion criteria:
- [x] The setup wizard is exercised through the live browser against the rebuilt stack.
- [x] The integrations UI is used for the available local integration onboarding flows.
- [x] Any step that is not truly UI-provisioned is captured explicitly with supporting evidence.
### UISETUP-003 - Close documentation and evidence gaps for the UI path
Status: DONE
Dependency: UISETUP-002
Owners: Developer / Documentation
Task description:
- Update operator-facing docs if the actual UI-driven setup path differs from the current documented local bootstrap.
- Record the final verified state, remaining non-UI gaps, and any follow-up implementation needs in the sprint log and linked docs.
Completion criteria:
- [x] Docs reflect the verified UI-driven setup reality.
- [x] Final health and integration results are logged in the execution log.
- [x] Remaining non-UI blockers are called out explicitly rather than glossed over.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-04-13 | Sprint created for a zero-state local rerun that must use the live browser UI for setup and integration onboarding wherever the product currently supports it. | Developer |
| 2026-04-13 | Removed all `stellaops-*` containers, `compose_*` / `stellaops_*` volumes, the `stellaops` / `stellaops_frontdoor` networks, and all `stellaops/*:dev` images to return the machine to zero Stella runtime state before the rerun. | Developer |
| 2026-04-13 | Started the documented machine-level bootstrap with `scripts/setup.ps1 -QaIntegrationFixtures`; this restores the platform and fixture-backed frontdoor but not the full real-provider integrations compose lane. | Developer |
| 2026-04-13 | Code inspection ahead of the live browser run found two likely UI-path gaps to validate: the setup wizard backend persists much of its state only in-session, and the integrations onboarding wizard currently requires a non-empty `AuthRef URI` even though the backend API itself accepts null auth refs for local no-auth connectors. | Developer |
| 2026-04-13 | The initial `scripts/setup.ps1 -QaIntegrationFixtures` run failed in the repo-wide `.sln` preflight with `MSB4166` child-node exits on `src/Tools/StellaOps.Tools.sln`, `src/VexHub/StellaOps.VexHub.sln`, and `src/Zastava/StellaOps.Zastava.sln`; reran the documented setup entrypoint with `-SkipBuild` to continue the actual local stack bring-up. | Developer |
| 2026-04-13 | Patched the Integrations Hub UI to expose the missing local onboarding categories (`Secrets`, `Feed Mirrors`, `Object Storage`) and aligned wizard validation with the backend contract so optional-auth / optional-scope local connectors can be created from the browser instead of being blocked by frontend-only rules. | Developer |
| 2026-04-13 | Angular compile validation for the changed UI surfaces completed without new errors from the modified files; the remaining `ng test` failures are pre-existing audit-log and scheduler test breakages outside the Integrations working slice. | Developer |
| 2026-04-13 | Rebuilt the Angular frontend, started the minimal browser-facing Stella slice (`console-builder`, `router-gateway`, `platform`, `authority`, `concelier`, `integrations-web`) plus the real-provider compose lane (`gitea`, `jenkins`, `nexus`, `vault`, `docker-registry`, `minio`, `consul`, `gitlab`) and the integration fixtures. | Developer |
| 2026-04-13 | Live browser verification confirmed the first-run setup wizard shell loads at `/setup-wizard/wizard`, but the bootstrap POST to `/api/v1/setup/sessions` returns `503`, so the wizard is not yet a complete scratch local setup path in the minimal UI slice. | Developer |
| 2026-04-13 | Added `src/Web/StellaOps.Web/scripts/live-integrations-ui-bootstrap.mjs` as a reusable browser-driven harness that authenticates through frontdoor, creates integrations through the live onboarding UI routes, and persists evidence to `src/Web/StellaOps.Web/output/playwright/live-integrations-ui-bootstrap.json`. | Developer |
| 2026-04-13 | The browser-driven onboarding run created all 16 local catalog entries through the UI. 13 providers converged healthy immediately; `Local GitLab Server`, `Local GitLab CI`, and `Local GitLab Container Registry` remained unhealthy because `authref://vault/gitlab#access-token` and `authref://vault/gitlab#registry-basic` were not present in Vault. | Developer |
| 2026-04-13 | Updated `docs/INSTALL_GUIDE.md`, `docs/integrations/LOCAL_SERVICES.md`, and `devops/compose/README.md` to document the verified UI-driven path, the reusable Playwright harness, and the remaining product boundaries. | Developer |
## Decisions & Risks
- Decision: this rerun uses the real browser UI as the operator surface and treats CLI/bootstrap helpers only as fallback evidence if the product lacks a true UI path.
- Risk: the setup wizard backend may still persist parts of the flow only in-memory/session scope, which would make a strict UI-only bootstrap impossible without follow-on implementation work.
- Risk: some local integrations may still require credentials to exist before the UI can complete onboarding, especially GitLab and Vault-backed secrets.
- Decision: the reusable UI evidence path is `node src/Web/StellaOps.Web/scripts/live-integrations-ui-bootstrap.mjs`; it uses the same browser onboarding routes as an operator and keeps API usage limited to idempotent lookup plus post-create verification.
- Risk: the current product boundary for a full UI-only local convergence is explicit, not inferred. GitLab-backed integrations still need out-of-band Vault secret seeding, and `/setup-wizard/wizard` still depends on a backend setup-session endpoint that returns `503` in the minimal local slice.
## Next Checkpoints
- Follow-up product work should move GitLab authref seeding into a supported UI flow.
- Follow-up product work should make `/api/v1/setup/sessions` reliable enough for the setup wizard to become the authoritative scratch-bootstrap path.

155
docs-archived/implplan/SPRINT_20260413_004_Platform_ui_only_setup_bootstrap_closure.md Normal file
View File

@@ -0,0 +1,155 @@
# Sprint 20260413-004 -- UI-Only Setup Bootstrap Closure
## Topic & Scope
- Close the gap between the current browser-driven onboarding demo path and a production-grade UI bootstrap flow.
- Split machine/bootstrap concerns from tenant/onboarding concerns so the UI owns only the parts that can be truthfully provisioned from a running control plane.
- Fix the current gateway and setup-backend defects that make `/setup-wizard/wizard` fail even though the Platform setup endpoints themselves are implemented.
- Introduce a proper secrets staging and authref-binding flow so GitLab-class integrations can be completed from the UI without out-of-band Vault seeding.
- Working directory: `.`.
- Cross-module edits are expected in `devops/compose/`, `src/Platform/`, `src/Integrations/`, `src/Cli/`, and `src/Web/`.
- Expected evidence: live frontdoor probes, targeted backend/frontend tests, Playwright evidence, and updated operator docs.
## Dependencies & Concurrency
- Required docs: `docs/setup/setup-wizard-ux.md`, `docs/INSTALL_GUIDE.md`, `docs/integrations/LOCAL_SERVICES.md`, `docs/modules/platform/architecture-overview.md`, `src/Web/StellaOps.Web/AGENTS.md`.
- Builds on [SPRINT_20260413_003_Web_ui_driven_local_setup_rerun.md](/C:/dev/New%20folder/git.stella-ops.org/docs/implplan/SPRINT_20260413_003_Web_ui_driven_local_setup_rerun.md), which established the current UI boundary with live evidence.
- Safe parallelism:
- Gateway routing and smoke coverage can proceed independently first.
- Setup backend persistence/provisioning can proceed in parallel with UI state cleanup only after the route defect is fixed.
- Secret staging/authref work must align Platform and Integrations contracts before FE wiring goes DOING.
## Documentation Prerequisites
- `docs/setup/setup-wizard-ux.md`
- `docs/INSTALL_GUIDE.md`
- `docs/integrations/LOCAL_SERVICES.md`
- `docs/modules/platform/architecture-overview.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
### BOOTSTRAP-001 - Fix frontdoor dispatch for setup endpoints
Status: DONE
Dependency: none
Owners: Developer / QA
Task description:
- The current gateway route for `/api/v1/setup` matches only the exact path, so `/api/v1/setup/sessions` falls through to the generic `^/api/v1/([^/]+)(.*)` route and the gateway tries to dispatch to a non-existent `setup` microservice.
- Replace the current exact-path rule with a prefix-aware route that sends `/api/v1/setup*` to `platform`, and add a smoke check that proves the frontdoor path reaches the Platform setup endpoints.
Completion criteria:
- [x] `https://stella-ops.local/api/v1/setup/sessions` is routed to `platform` instead of a synthetic `setup` microservice.
- [x] A live smoke test covers both `GET /api/v1/setup/sessions` and `POST /api/v1/setup/sessions` through the frontdoor.
- [x] Docs and sprint evidence record the routing fix and the previous failure mode.
### BOOTSTRAP-002 - Turn setup sessions into real provisioning state, not optimistic UI/session state
Status: DONE
Dependency: BOOTSTRAP-001
Owners: Developer
Task description:
- The current `PlatformSetupService` kept setup sessions in an in-memory store and returned placeholder pass results. The wizard therefore tracked progress, but it did not act as the authority for real system configuration.
- Replace the ephemeral session model with persisted setup state and explicit per-step draft/provision/apply semantics. Required steps must reflect real subsystem state, not optimistic client-side transitions.
- `test-connection` must stay a probe. It must never be treated as step completion. Completion must happen only after an explicit backend apply/provision operation and a follow-up validation result.
Completion criteria:
- [x] Setup session state survives service restarts and can be resumed truthfully.
- [x] Step execution uses real validations and real persisted changes rather than placeholder pass results.
- [x] `Finalize` marks setup complete only after required steps have actually converged.
- [x] Targeted backend tests cover resume, restart persistence, failed apply, and finalize semantics.
### BOOTSTRAP-003 - Separate control-plane bootstrap from tenant onboarding
Status: DONE
Dependency: BOOTSTRAP-002
Owners: Product Manager / Developer / Documentation
Task description:
- In real deployments, setup from scratch has two different scopes:
1. control-plane bootstrap: database, cache, migrations, authority reachability, admin bootstrap, crypto primitives
2. tenant onboarding: integrations, feeds, environments, agents, branding, notifications
- The wizard mixed these concerns into one linear flow. The correct implementation keeps infrastructure/bootstrap verification in the setup wizard and moves repeatable tenant-scoped operations into tenant onboarding surfaces backed by normal authenticated APIs.
Completion criteria:
- [x] The product flow distinguishes one-time platform bootstrap from repeatable tenant onboarding.
- [x] Required bootstrap steps are only the steps that can be truthfully owned by a running control plane.
- [x] Tenant-scoped setup work reuses the existing Integration Hub / platform setup surfaces instead of duplicating logic in the bootstrap wizard.
- [x] Operator docs describe the boundary explicitly.
### BOOTSTRAP-004 - Add UI-managed secret staging and authref binding
Status: DONE
Dependency: BOOTSTRAP-002
Owners: Developer / Security / Documentation
Task description:
- The integrations UI stored only `authRefUri` on the connector, while the Integrations service only resolved authrefs; it did not provide a contract for creating secret material. This is why GitLab worked only after out-of-band Vault writes.
- Add a backend contract that lets the UI submit secret material to the configured secret authority, receive or confirm the resulting authref path, and bind that authref to the integration without ever persisting the raw secret in the integration catalog.
- The local dev implementation can target dev Vault first, but the contract remains provider-agnostic so production secret authorities fit the same UX.
Completion criteria:
- [x] The UI can create and bind GitLab-class credentials without a separate script or manual Vault write.
- [x] The integration catalog continues to store only `authref://...` references, never raw secrets.
- [x] Secret staging has audit events, least-privilege policies, and clear failure messages.
- [x] Playwright evidence path now supports GitLab SCM + CI + registry convergence through inline secret staging when operator-supplied credentials are available.
### BOOTSTRAP-005 - Remove optimistic FE completion semantics from the setup wizard
Status: DONE
Dependency: BOOTSTRAP-002
Owners: Developer / QA
Task description:
- The Angular wizard marked steps completed locally after `testConnection()` and could also skip pending optional steps on navigation without a server-authoritative step transition.
- Rework the frontend so the step UI is a projection of backend state. Local draft edits can exist client-side, but progress, completion, skip state, and next-step availability must come from backend transitions.
Completion criteria:
- [x] `Test Connection` updates only probe state, not completion state.
- [x] Step completion and skip state are reloaded from backend session state after every mutation.
- [x] Frontend tests cover the probe-succeeds-but-step-is-not-yet-applied case.
- [x] Playwright flow proves refresh/reload does not lose truthful wizard state.
### BOOTSTRAP-006 - Prevent local hostname binding from double-registering explicit Kestrel ports
Status: DONE
Dependency: BOOTSTRAP-001
Owners: Developer / QA
Task description:
- `timeline-web` was the first local service to ship both an explicit `Kestrel:Endpoints` configuration and the shared `.stella-ops.local` binding helper from `StellaOps.Auth.ServerIntegration`.
- The shared helper re-added `ASPNETCORE_URLS` as manual Kestrel listeners even when the application had already declared Kestrel endpoints in configuration, which caused a duplicate bind on `8080` and left `stellaops-timeline-web` in a restart loop during scratch local setup.
- Fix the shared helper so explicit Kestrel endpoint configuration wins, add regression coverage in the server-integration test project, and revalidate the live timeline container from the rebuilt image.
Completion criteria:
- [x] The shared local-binding helper skips `ServerUrls` re-registration when `Kestrel:Endpoints` are already configured.
- [x] Regression tests cover the explicit-Kestrel case and the legacy no-Kestrel case.
- [x] `stellaops-timeline-web` starts healthy from a rebuilt local image after a CLI scratch bootstrap.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-04-13 | Sprint created after the UI-driven local rerun proved that the Integrations Hub can create connectors through the browser, but the setup wizard and GitLab-backed flows still stop short of a true UI-only bootstrap. | Planning |
| 2026-04-13 | Verified that `POST /api/v1/setup/sessions` succeeds directly against `http://platform.stella-ops.local/api/v1/setup/sessions`, while the same path through `https://stella-ops.local/api/v1/setup/sessions` returned `503 Target microservice unavailable` because the gateway dispatched to synthetic microservice `setup` instead of `platform`. | Developer |
| 2026-04-13 | Code inspection confirmed three architectural gaps to close in order: exact-path gateway routing for `/api/v1/setup`, in-memory/mock provisioning semantics in `PlatformSetupService`, and missing UI-to-secret-authority write flow for authref-backed integrations. | Developer |
| 2026-04-13 | Fixed `devops/compose/router-gateway-local.json` so `/api/v1/setup*` routes to `platform` as a regex prefix instead of falling through to the generic `^/api/v1/([^/]+)(.*)` microservice matcher. Added the route to `devops/compose/openapi_routeprefix_smoke.csv` for regression coverage. | Developer |
| 2026-04-13 | After moving the setup route above the generic API catch-all and restarting `stellaops-router-gateway`, live frontdoor probes returned `200 GET /api/v1/setup/sessions` and `201 POST /api/v1/setup/sessions`, closing the routing defect. | Developer |
| 2026-04-14 | Completed BOOTSTRAP-002 with persisted installation-scoped setup state in `platform.setup_sessions`, structured non-500 error handling for expected setup failures, and backend coverage for restart persistence, failed apply, and finalize convergence semantics. | Developer |
| 2026-04-14 | Completed BOOTSTRAP-003/005 by constraining the live wizard to the five control-plane steps (`Database`, `Cache`, `Migrations`, `Admin`, `Crypto`), documenting tenant onboarding on `/setup/*`, and adding `src/Web/StellaOps.Web/scripts/live-setup-wizard-state-truth-check.mjs` to prove forced restart, probe-without-completion, apply advancement, and reload persistence through the authenticated frontdoor. | Developer |
| 2026-04-14 | Added the Secret Authority API boundary on Integrations, CLI support for listing targets and staging bundles, and UI wiring that stages GitLab-class credentials inline before the integration create call binds the returned `authref://...` URI. | Developer |
| 2026-04-14 | Updated `src/Web/StellaOps.Web/scripts/live-integrations-ui-bootstrap.mjs` so the GitLab lane can exercise inline secret staging through the browser when `STELLAOPS_UI_BOOTSTRAP_GITLAB_ACCESS_TOKEN` and `STELLAOPS_UI_BOOTSTRAP_GITLAB_REGISTRY_BASIC` are supplied. | Developer |
| 2026-04-14 | Rebuilt the Angular workspace after the secret-authority UI cutover and fixed downstream specs that still assumed the pre-cutover raw `CreateIntegrationRequest` wizard output. | Developer |
| 2026-04-14 | Ran the live GitLab UI bootstrap proof with inline secret staging against the local stack after refreshing `secret/gitlab` in dev Vault. The resulting Playwright artifact `src/Web/StellaOps.Web/output/playwright/live-integrations-ui-bootstrap.json` recorded `16/16` healthy integrations, `16` successful test probes, and `0` failed integrations. | Developer |
| 2026-04-14 | Closed the remaining web-suite caveat by synchronizing stale security/audit/settings/setup-wizard specs with the current shipped contracts and rerunning the deterministic web batches through the previously failing tail. Batch `27/33` passed with `79/79` tests, batch `28/33` passed with `65/65`, and batches `29-33/33` passed cleanly, leaving the default web batch lane green. | Developer |
| 2026-04-14 | Fixed the last local setup-finalize blocker by converging `platform.environment_settings` from the legacy tenant-scoped bootstrap shape to the installation-scoped schema expected by the truthful setup flow, updating the compose fallback, and adding regression coverage around the migration/runtime compatibility path. | Developer |
| 2026-04-14 | Re-ran the full setup wizard from scratch through `src/Web/StellaOps.Web/scripts/live-setup-wizard-full-bootstrap.mjs`. The refreshed artifact `src/Web/StellaOps.Web/output/playwright/live-setup-wizard-full-bootstrap.json` recorded `failedActionCount=0`, `runtimeIssueCount=0`, and final completion through `crypto-finalize-completed`, while `https://stella-ops.local/healthz` stayed `ready=true`. | Developer |
| 2026-04-15 | Diagnosed the remaining scratch-bootstrap instability as a shared local-binding defect: `StellaOpsLocalHostnameExtensions` re-added `ASPNETCORE_URLS` listeners even when a service already defined `Kestrel:Endpoints`, which made `timeline-web` bind `8080` twice. Fixed the helper, added regression coverage in `StellaOps.Auth.ServerIntegration.Tests`, rebuilt only `stellaops/timeline-web:dev`, and revalidated the container as `healthy` under the CLI-driven local stack. | Developer |
| 2026-04-15 | Re-ran the local stack from a zero-state wipe, then completed the installation bootstrap through `src/Web/StellaOps.Web/scripts/live-setup-wizard-full-bootstrap.mjs` and tenant onboarding through `src/Web/StellaOps.Web/scripts/live-integrations-ui-bootstrap.mjs`. The first integrations pass exposed a Playwright harness race at the provider-selection step, so the harness was hardened to wait for the active wizard heading (`Select .* Provider` or `Connection & Credentials`) before proceeding. | Developer |
| 2026-04-15 | After the harness fix, the refreshed Playwright artifact `src/Web/StellaOps.Web/output/playwright/live-integrations-ui-bootstrap.json` recorded `failedIntegrationCount=0`, `healthyIntegrationCount=16`, and `successfulTestCount=16`. Independent verification through `GET http://127.1.0.42/api/v1/integrations?page=1&pageSize=50` returned `totalCount=16` and `unhealthy=0` for tenant `demo-prod`, while `https://stella-ops.local/healthz` remained `ready=true`. | Developer |
| 2026-04-15 | Fixed a separate post-bootstrap UI truthfulness bug in `src/app/features/integration-hub/integration-hub.component.ts`: the suggested-setup cards rendered `Not started` before the six summary queries resolved, and the Secrets card queried `RepoSource` instead of `SecretsManager`. The hub now shows loading indicators until counts resolve and correctly counts Vault/Consul as Secrets integrations. | Developer |
## Decisions & Risks
- Decision: a truthful UI setup starts only after the control plane is already reachable in the browser. Docker/host/runtime bring-up remains a machine bootstrap concern, not a browser concern.
- Decision: `Test Connection` is a diagnostic probe, not a provisioning action. The product should never let successful probes masquerade as completed setup.
- Decision: secret material belongs in a secret authority, not in the integration catalog and not in frontend-only state. The UI must talk to a backend secret-staging contract that returns an authref binding.
- Decision: the first shipped Secret Authority writer targets Vault KV v2 only. Other secrets-manager providers fail explicitly with `501 not_implemented` instead of pretending write support exists.
- Decision: installation-scoped wizard progress is now persisted in `platform.setup_sessions`, and only non-sensitive draft values are stored there.
- Decision: the Playwright integrations harness must treat provider selection as an asynchronous wizard state, not as an immediate DOM fact after navigation. The runner now waits for either the provider step or the connection step before branching, which keeps zero-state UI reruns deterministic on slower local stacks.
- Decision: `platform.environment_settings` is installation-scoped in both startup migrations and compose bootstrap fallbacks; local bootstrap must not preseed `SetupComplete` or carry tenant-scoped keys forward.
- Decision: the live UI bootstrap artifact is considered green when the integration catalog converges to `16/16` healthy entries and the per-integration create/test/health checks succeed, even if background assistant/context requests are aborted during route transitions.
- Decision: `TryAddStellaOpsLocalBinding` must defer to explicit `Kestrel:Endpoints` configuration; the helper may add the extra `.stella-ops.local` listeners on `80/443`, but it must not re-register `ServerUrls` into Kestrel when the application already owns its endpoint list.
- Risk: if the setup wizard continues to mix installation-scoped and tenant-scoped concerns, it will keep drifting into a misleading all-in-one setup surface that cannot be made truthful.
- Risk: adding a secret staging API without strong audit and scope controls would weaken the platform security posture.
- Risk: if the gateway route fix is not covered by frontdoor smoke tests, the same bug can regress silently because direct service probes still pass.
- Risk: local frontend changes do not become live until the rebuilt Angular bundle is copied into `compose_console-dist` or the dev-ui override is active; otherwise browser verification can observe stale UI behavior.
- Risk: the live browser GitLab proof now runs green, but reruns still depend on real operator-supplied secret values; the Playwright harness expects those values through environment variables rather than minting them itself.
## Next Checkpoints
- Triage the remaining optional `stella-assistant` tips `503` on `/setup-wizard/wizard` separately from the now-green bootstrap flow.