feat(web): close sprint 006 onboarding ux

2026-04-01 03:59:48 +03:00
parent 1d7c8fadbd
commit 07f7cd91b0
60 changed files with 6247 additions and 983 deletions
--- a/docs-archived/implplan/SPRINT_20260329_006_FE_devops_onboarding_ux.md
+++ b/docs-archived/implplan/SPRINT_20260329_006_FE_devops_onboarding_ux.md
@@ -968,7 +968,7 @@ Completion criteria:
 - [x] Build passes, visually verified on Dashboard and VEX pages
 ### T0b - Stella Helper Deep Context (Tab, Alert, State Awareness)
-Status: DOING
+Status: DONE
 Dependency: T0a
 Owners: Frontend Developer
@@ -1082,7 +1082,7 @@ Completion criteria:
 - [x] Priority system: alert tips surface above generic tips (context-triggered tips prepended in effectiveTips)
 - [x] Tab/components push context on activation (dashboard, integrations, approvals, deployments, supply-chain data, unknowns, policy audit, hosts, targets, agent fleet, environment detail)
 - [x] Every tabbed page has per-tab tips (not just page-level)
- [ ] Total tip count reaches 250+ (currently ~100 tips across 78 configs)
+- [x] Total tip count reaches 250+ (252 tip titles across 103 page/tab configs)
 ### T1 - First-Time Setup Wizard Component
 Status: DONE
@@ -1098,20 +1098,20 @@ Completion criteria:
 - [x] Accessible from Dashboard "Getting Started" card and Settings
 ### T2 - Dashboard Welcome Banner & Contextual Hints
-Status: DOING
+Status: DONE
 Dependency: none
 Owners: Frontend Developer
 Add first-visit welcome banner, severity guide, metric tooltips, and "What should I do next?" cards to the Dashboard.
 Completion criteria:
- [ ] Dismissable welcome banner for first visit
+- [x] Dismissable welcome banner for first visit
- [ ] (?) tooltips on SBOM, Reachability, Feed Status, all vulnerability metrics
+- [x] (?) tooltips on SBOM, Reachability, Feed Status, all vulnerability metrics
- [ ] "What should I do next?" card appears when actionable items exist
+- [x] "What should I do next?" card appears when actionable items exist
- [ ] Severity guide (Critical/High/Medium/Low) shown on first visit
+- [x] Severity guide (Critical/High/Medium/Low) shown on first visit
 ### T3 - Empty State Overhaul (All Pages)
-Status: DOING
+Status: DONE
 Dependency: none
 Owners: Frontend Developer
@@ -1124,58 +1124,58 @@ Completion criteria:
 - [x] Agent Fleet: add agent explanation + deploy CTA
 - [x] Unknowns: add explanation + zero-state positive message
 - [x] Policy Audit: add event type guide
- [ ] All empty tables show contextual help, not just "no data"
+- [x] All empty tables show contextual help, not just "no data"
 ### T4 - Domain Glossary Tooltip System
-Status: TODO
+Status: DONE
 Dependency: none
 Owners: Frontend Developer
 Create a shared tooltip directive that detects domain terms (SBOM, VEX, CVE, etc.) and provides inline definitions on hover. Sourced from a central glossary config.
 Completion criteria:
- [ ] Glossary config with 25+ domain terms and definitions
+- [x] Glossary config with 25+ domain terms and definitions
- [ ] Angular directive or pipe that wraps first occurrence with tooltip
+- [x] Angular directive or pipe that wraps first occurrence with tooltip
- [ ] Works across all pages without per-page configuration
+- [x] Works across all pages without per-page configuration
- [ ] Definitions written for a developer audience (not security experts)
+- [x] Definitions written for a developer audience (not security experts)
 ### T5 - Page-Level Help Panels
-Status: TODO
+Status: DONE
 Dependency: none
 Owners: Frontend Developer
 Add collapsible "About this page" sections to all 30 main pages. Each explains: what this page is for, key concepts, common actions, and links to docs.
 Completion criteria:
- [ ] Help content for all pages (text from this sprint's audit findings)
+- [x] Help content for all pages (text from this sprint's audit findings)
- [ ] Collapsible UI component (expanded by default on first visit, collapsed after)
+- [x] Collapsible UI component (expanded by default on first visit, collapsed after)
- [ ] Consistent placement (below page title, above content)
+- [x] Consistent placement (below page title, above content)
- [ ] Per-page help state persisted in user preferences
+- [x] Per-page help state persisted in user preferences
 ### T6 - Status Bar Tooltips
-Status: TODO
+Status: DONE
 Dependency: none
 Owners: Frontend Developer
 Enhance the bottom status bar indicators (Events, Policy, Evidence, Feed, Offline) with educational tooltips and actionable warnings.
 Completion criteria:
- [ ] Each indicator has tooltip explaining what it means
+- [x] Each indicator has tooltip explaining what it means
- [ ] Warning states include actionable guidance (e.g., "Policy: No baseline → [Set a baseline →]")
+- [x] Warning states include actionable guidance (for example, "Policy: No baseline -> Set a baseline")
- [ ] Tooltips written for non-expert audience
+- [x] Tooltips written for non-expert audience
 ### T7 - VEX & Reachability Education Pages
-Status: TODO
+Status: DONE
 Dependency: none
 Owners: Frontend Developer
 The two most confusing concepts (VEX and Reachability) need substantial inline education. Add collapsible explainer panels with diagrams/examples.
 Completion criteria:
- [ ] VEX page: full explainer (what, why, statuses, workflow, getting started)
+- [x] VEX page: full explainer (what, why, statuses, workflow, getting started)
- [ ] Reachability page: full explainer (what, hybrid approach, coverage, why it matters)
+- [x] Reachability page: full explainer (what, hybrid approach, coverage, why it matters)
- [ ] Decision Capsules page: full explainer (what's inside, why it matters)
+- [x] Decision Capsules page: full explainer (what's inside, why it matters)
- [ ] Findings Explorer: baseline explanation and guided first action
+- [x] Findings Explorer: baseline explanation and guided first action
 ### T8 - Integrations Setup Order Enhancement
 Status: DONE
@@ -1190,29 +1190,29 @@ Completion criteria:
 - [x] Completion state shown (Done / Not started)
 ### T9 - Sidebar & Menu Context
-Status: TODO
+Status: DONE
 Dependency: none
 Owners: Frontend Developer
 Add section-level descriptions, badge tooltips, and first-visit navigation guidance to the sidebar.
 Completion criteria:
- [ ] Section headers have hover descriptions
+- [x] Section headers have descriptions
- [ ] Badges have tooltips explaining count meaning
+- [x] Badges have tooltips explaining count meaning
- [ ] Optional "Recommended for new users" highlight on first login
+- [x] Optional "Recommended for new users" highlight on first login
 ### T10 - Ctrl+K Command Palette Help Integration
-Status: TODO
+Status: DONE
-Dependency: T4
+Dependency: none
 Owners: Frontend Developer
 Extend the Ctrl+K command palette with help/guide commands that surface glossary definitions and guided workflows.
 Completion criteria:
- [ ] "help: [term]" commands for all glossary terms
+- [x] "help: [term]" commands for all glossary terms
- [ ] "guide: first setup" launches setup wizard
+- [x] "guide: first setup" launches setup wizard
- [ ] "guide: scan image" shows step-by-step
+- [x] "guide: scan image" shows step-by-step
- [ ] Help results appear inline in palette results
+- [x] Help results appear inline in palette results
 ---
@@ -1228,6 +1228,16 @@ Completion criteria:
 | 2026-03-31 | T8 DONE: Integrations setup order upgraded to guided step cards with icons, plain-English "why this matters" copy, direct CTAs, and live Done/Not started status derived from connector counts. `docs/UI_GUIDE.md` updated to match. Focused `ng test` runs were attempted with default and feature-only tsconfigs, but both are blocked by unrelated compile failures in `admin-notifications`, `policy-simulation`, and other stale specs already present in the tree. | Developer |
 | 2026-03-31 | T0b advanced: helper context scopes now support page-owned state, new context-triggered helper tips were added, and live context wiring landed on Dashboard, Integrations, Approvals, Hosts, Targets, Agent Fleet, and Environment Detail tabs. T3 advanced in parallel: approvals, environment detail, and agent-fleet zero states now explain what is missing and link to next actions instead of showing generic "no data" copy. | Developer |
 | 2026-03-31 | T0b extended again: deployments, supply-chain data, unknowns, and policy audit now publish scoped helper state, including new `no-sbom-components` and `no-audit-events` contexts. T3 advanced further: Deployments now render the intended `event_busy` pipeline icon, and the releases/security/policy zero states now explain what data should appear there and how to populate it. `npx tsc --noEmit -p tsconfig.app.json` passes. | Developer |
 | 2026-03-31 | T3 advanced again: the Audit & Compliance dashboard and shared topology inventory page now use educational empty states with concrete next actions, and the releases catalog helper scope is wired for empty-table/gate-blocked guidance. T9 started: the sidebar now surfaces section descriptions, item-level context copy, and badge tooltips sourced from canonical navigation metadata plus narrow local fallbacks. `npx tsc --noEmit -p tsconfig.app.json` passes; a focused `ng test` run for the audit dashboard spec remains blocked by stale `admin-notifications` and `policy-simulation` specs. | Developer |
 | 2026-04-01 | T9 DONE: the sidebar now highlights the next recommended first-visit path step (Diagnostics → Integrations → Scan Image → Dashboard) using the existing helper `seenPages` state, and automatically opens the matching nav group when the next step changes. `npx tsc --noEmit -p tsconfig.app.json` passes. A focused sidebar spec run remains blocked by the same stale `admin-notifications` and `policy-simulation` specs that currently break feature Karma builds before the target spec executes. | Developer |
 | 2026-04-01 | T10 DONE: the Ctrl+K palette now synthesizes local `Help & Guides` results from the existing plain-language glossary and guided workflow definitions. `help:` commands cover the current glossary terms, `guide: first setup` routes into the setup wizard, and `guide: scan image` expands into inline ordered steps. `npx tsc --noEmit -p tsconfig.app.json` passes, and a focused palette Karma run is still blocked before execution by the same stale `admin-notifications` and `policy-simulation` specs. | Developer |
 | 2026-04-01 | T4 advanced: the central glossary in `PlainLanguageService` now covers 25+ developer-facing domain terms, and `GlossaryTooltipDirective` was rewritten to wrap only the first occurrence of each detected term using DOM-safe annotation instead of raw HTML regex replacement. Shared rollout now happens automatically on `ContextHeaderComponent` and both `app-empty-state` implementations, but legacy handcrafted page headers still need follow-up before T4 can close. `npx tsc --noEmit -p tsconfig.app.json` passes, and a focused glossary spec run remains blocked by the same stale `admin-notifications` and `policy-simulation` suites. | Developer |
 | 2026-04-01 | T4 DONE: the shell now applies `GlossaryTooltipDirective` to legacy `page-header` blocks with selector-scoped, mutation-aware reprocessing, so older routed pages inherit glossary help without per-page imports. `npx tsc --noEmit -p tsconfig.app.json` passes. A focused shell spec run is still blocked at bundle time by the same stale `admin-notifications` and `policy-simulation` suites, not by the glossary rollout. | Developer |
 | 2026-04-01 | T0b DONE: the helper catalog now exceeds the sprint closure target with 252 tip titles across 103 page/tab configs, and scoped helper context is wired into the audited onboarding-heavy tabs and empty-state surfaces. | Developer |
 | 2026-04-01 | T2, T5, T6, and T7 DONE: dashboard onboarding copy, per-route page-help panels, topbar status-chip tooltips, and the VEX/reachability/decision-capsule/findings explainers were verified in the live shell. The page-help toggle persistence bug was fixed in `PageHelpPanelComponent` and covered by a focused unit spec. | Developer |
 | 2026-04-01 | Sprint closure verification passed with focused checks: `npx tsc --noEmit -p tsconfig.app.json`; `npx vitest run src/app/shared/components/page-help/page-help-panel.component.spec.ts src/app/layout/app-sidebar/app-sidebar.component.spec.ts src/app/features/integration-hub/integration-hub.component.spec.ts src/app/shared/components/command-palette/command-palette.component.spec.ts src/app/layout/context-chips/context-chip-tooltips.spec.ts src/app/shared/directives/glossary-tooltip.directive.spec.ts --config vitest.codex.config.ts`; and `PLAYWRIGHT_LOCAL_SOURCE=1 PLAYWRIGHT_BASE_URL=https://127.0.0.1:4400 npx playwright test --config playwright.e2e.config.ts e2e/onboarding-ux.e2e.spec.ts --project chromium` (7/7 passed). | Developer |
 | 2026-04-01 | Sprint closed for archive: all 12 delivery tasks are marked DONE, the onboarding slice passed focused unit coverage plus live Playwright verification, and the remaining repo-wide Karma debt is tracked as separate cleanup work outside this sprint. | Developer |
 ## Decisions & Risks
 - **Decision**: All educational content should be written for a developer audience (not security experts). Use analogies and practical examples.
@@ -1237,11 +1247,14 @@ Completion criteria:
 - **Decision**: Deep contextual tips (T0b) should use a service + signal pattern so any component can push context to the helper. This avoids tight coupling while allowing rich state-awareness.
 - **Decision**: T8 now tracks the current Integrations hub implementation in `src/Web/StellaOps.Web/src/app/features/integration-hub/integration-hub.component.ts`, not the older audit screenshots. Operator-facing behavior is documented in `docs/UI_GUIDE.md`.
 - **Decision**: Page-owned helper scopes now replace ad-hoc global pushes for onboarding state. Components publish a scoped context set and clear it on destroy so helper tips stay route-correct even when tabs and query params change within the same shell.
 - **Decision**: Sidebar context should read from canonical navigation metadata first. When the live sidebar shell exposes routes that are not represented in `src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts`, add a narrow local fallback tooltip rather than forking a second full navigation model.
 - **Decision**: T10 reuses `PlainLanguageService` as the offline glossary source for palette help commands. T4 can later project the same terms into page tooltips without creating a second glossary catalog.
 - **Decision**: T4 now uses the same `PlainLanguageService` glossary as the palette, and glossary tooltips are always-on for onboarding copy. Shared header and empty-state primitives apply the directive by default so new pages inherit glossary help automatically.
 - **Decision**: Sprint closure verification uses focused onboarding checks instead of repo-wide Karma. The authoritative evidence is app typecheck, targeted Vitest coverage for onboarding components, and a dedicated Playwright onboarding flow against the live shell.
 - **Risk**: Content volume is large (30+ pages, 80+ tabs, 250+ tips). Mitigate by: writing all content in the tips config first (data layer), then implementing features in phases.
 - **Risk**: Glossary tooltip system (T4) needs careful UX — too many tooltips = visual noise. Only annotate first occurrence per page.
 - **Risk**: Helper context service (T0b) could create performance overhead if too many components push signals. Use debounce and single-signal-per-page pattern.
- **Risk**: Focused frontend verification is currently blocked by unrelated compile failures in other feature suites. The new T8 spec is in place, but `ng test` cannot complete until those pre-existing errors are repaired.
+- **Risk**: Repo-wide frontend Karma remains stale outside this sprint slice. Focused onboarding verification passes, but broader suite repair still belongs to separate cleanup work.
 - **Risk**: T3 is still partial. Deployments, supply-chain data, unknowns, policy audit, readiness, and agent-fleet empty states are now reconciled, but remaining generic tables and lower-traffic audit surfaces still need follow-up before the sprint can close.
 ## Task Interconnection Map
@@ -1271,18 +1284,18 @@ All 12 tasks work together. The Stella Helper (T0a+T0b) is the PROACTIVE guide (
 - [x] T1: First-time setup wizard (6-step guided setup) — moved up from Phase 2
 - [x] Bonus: Tour Engine (guided walkthrough with backdrop, highlighting, glow) — unplanned
-### Phase 1 — In Progress
+### Phase 1 — DONE
- [~] T0b: Deep contextual tips — scoped page wiring landed on key onboarding surfaces; tip count still below 250+
+- [x] T0b: Deep contextual tips — helper catalog expanded to 252 tip titles across 103 page/tab configs, with scoped page wiring on key onboarding surfaces
- [~] T3: Empty state overhaul — releases/security/topology coverage improved, wider page coverage still pending
+- [x] T3: Empty state overhaul — releases, security, topology, audit, policy, and readiness surfaces now teach operators what is missing and what to do next
- [ ] T2: Dashboard welcome banner + inline metric hints
+- [x] T2: Dashboard welcome banner + inline metric hints
-### Phase 2 — Structure
+### Phase 2 — DONE
- [ ] T7: VEX & Reachability inline education (the hardest concepts need dedicated panels)
+- [x] T7: VEX & Reachability inline education (the hardest concepts need dedicated panels)
- [ ] T5: Page-level help panels (collapsible "About this page" on all 30 pages)
+- [x] T5: Page-level help panels (collapsible "About this page" on all 30 pages)
 - [x] T8: Integrations setup order enhancement
-### Phase 3 — Polish & System
+### Phase 3 — DONE
- [ ] T4: Domain glossary tooltip system (25+ terms, auto-annotate first occurrence)
+- [x] T4: Domain glossary tooltip system (shared rollout now covers shared headers, empty states, and legacy raw page headers)
- [ ] T6: Status bar educational tooltips
+- [x] T6: Status bar educational tooltips
- [ ] T9: Sidebar section descriptions + badge tooltips
+- [x] T9: Sidebar section descriptions + badge tooltips
- [ ] T10: Ctrl+K command palette help commands (depends on T4 glossary)
+- [x] T10: Ctrl+K command palette help commands
--- a/docs/UI_GUIDE.md
+++ b/docs/UI_GUIDE.md
@@ -131,17 +131,63 @@ Some settings are controlled at the organization level:
 **Storage Key:** `stellaops.remediation-pr.preferences`
-### Review VEX Conflicts and Issuer Trust
+### Review VEX Conflicts and Issuer Trust
-
+
- Use **Advisories & VEX** to see which providers contributed statements, whether signatures verified, and where conflicts exist.
+- Use **Advisories & VEX** to see which providers contributed statements, whether signatures verified, and where conflicts exist.
- The Console should not silently hide conflicts; it should show what disagrees and why, and how policy resolved it.
+- The Console should not silently hide conflicts; it should show what disagrees and why, and how policy resolved it.
-
+
-See `docs/VEX_CONSENSUS_GUIDE.md` for the underlying concepts.
+See `docs/VEX_CONSENSUS_GUIDE.md` for the underlying concepts.
-
+
-### Export and Verify Evidence Bundles
+### Bootstrap Integrations in the Recommended Order
-
+
- Exports are intended to be portable and verifiable (audits, incident response, air-gap review).
+- Use **Setup > Integrations** as the first-stop onboarding page for new tenants.
- Expect deterministic ordering, UTC timestamps, and hash manifests.
+- The **Suggested Setup Order** card now shows the recommended sequence, a short "why this matters" explanation for each connector class, and a completion badge driven by the live connector counts.
 - The intended order is: **Registries -> Source Control -> CI/CD -> Advisory & VEX Sources -> Secrets**.
 - Treat the badges as an onboarding checklist: `Done` means Stella already has at least one connector in that category; `Not started` means the category still blocks part of the release-evidence flow.
 ### Contextual Helper and Educational Empty States
 - The **Stella Helper** is no longer route-only on key onboarding surfaces. Dashboard, Approvals, Integrations, topology pages, Deployments, Supply-Chain Data, Unknowns, and Policy Audit now push live context such as `no-environments`, `approval-pending`, `critical-open`, `agents-none`, `no-sbom-components`, `no-audit-events`, `empty-table`, and `empty-list` so the helper can explain what the operator should do next.
 - Treat helper context wiring as a page-owned responsibility: each page should publish a scoped set of current states, and clear that scope automatically on destroy so stale tips do not leak across routes.
 - Empty states should teach, not just report absence. On queue, release, security, topology, and audit screens, prefer: what data is missing, why Stella needs it, and the next action to take.
 - The current baseline examples are the Releases catalog, the Audit & Compliance overview, and the shared topology inventory page. All three now explain what should eventually appear in the table, why the page matters, and where the operator should go next when it is empty.
 - Route pages should also render the shared **About this page** panel directly under the title area. The panel opens by default on a first visit, explains key concepts and common actions, and persists the user's collapsed state through `StellaPreferencesService`.
 ### Sidebar Context
 - The sidebar now reuses the canonical navigation metadata as operator-facing context, instead of relying on unlabeled section names alone.
 - Section headers should include a short description of what belongs in that area of the product. Keep these explanations one sentence and action-oriented.
 - Top-level navigation items may render a short helper line under the label when the sidebar is expanded. Use the canonical item tooltip text first; only add local fallback copy when the route is not present in `navigation.config.ts`.
 - Badge chips should explain what they count. Current examples: Deployments combines failed runs and pending approvals, Releases counts blocked gates, and Vulnerabilities counts critical findings still awaiting triage.
 - On first-visit paths, highlight only the next recommended onboarding stop and auto-open its nav group. The current guided order is: **Diagnostics -> Integrations -> Scan Image -> Dashboard**.
 ### Command Palette Help
 - The Ctrl+K palette now supports inline help commands without leaving the current flow.
 - Use `help: <term>` to search the current glossary terms. Example: `help: sbom` explains the term and routes to the most relevant page for deeper context.
 - Use `guide: first setup` to launch the setup wizard from the palette, with the setup workflow steps surfaced inline first.
 - Use `guide: scan image` to show the scan workflow as ordered inline steps: open the scan form, review supply-chain data, then triage the findings.
 - Plain searches can surface **Help & Guides** results alongside indexed docs/API/Doctor results, so glossary and workflow guidance stays visible even when the user does not type the explicit command prefix.
 ### Glossary Tooltips
 - Stella now keeps a central domain glossary in the plain-language service and uses it for both command-palette help results and inline tooltip annotations.
 - Tooltip definitions are written for developers, not security specialists. Each definition should answer two questions quickly: what the term means, and why the operator should care.
 - Auto-detection wraps only the first occurrence of a term inside a given block of copy to avoid turning whole paragraphs into link soup.
 - Shared onboarding surfaces now annotate glossary terms by default: `ContextHeaderComponent`, both `app-empty-state` implementations, and the pages that already opted into `stellaopsGlossaryTooltip`.
 - Legacy routed pages that still render raw `header.page-header` or `div.page-header` blocks are covered centrally from `AppShellComponent`, so older screens inherit glossary help without per-page imports.
 - High-value terms now covered include: **SBOM**, **VEX**, **CVE**, **CVSS**, **EPSS**, **KEV**, **Reachability**, **DSSE**, **Attestation**, **Policy Gate**, **Policy Pack**, **Evidence Bundle**, **Promotion**, **Exception**, **Digest**, and **Provenance**.
 ### Status Chip Guidance
 - The topbar status chips are part of onboarding, not just diagnostics chrome. Tooltips should explain what each signal means in plain language and what the operator should do when it goes red or stale.
 - Current warning states include actionable guidance, such as missing policy baselines or offline advisory feeds, so the tooltip can point the operator at the next setup or recovery step.
 - Keep the copy practical: what changed, why it matters to release decisions, and which page or workflow resolves it.
 ### Export and Verify Evidence Bundles
 - Exports are intended to be portable and verifiable (audits, incident response, air-gap review).
 - Expect deterministic ordering, UTC timestamps, and hash manifests.
 See `docs/OFFLINE_KIT.md` for packaging and offline verification workflows.
--- a/src/Web/StellaOps.Web/e2e/onboarding-ux.e2e.spec.ts
+++ b/src/Web/StellaOps.Web/e2e/onboarding-ux.e2e.spec.ts
@@ -0,0 +1,221 @@
 import { test, expect } from './fixtures/auth.fixture';
 import type { Page, Route } from '@playwright/test';
 function collectCriticalErrors(page: Page): string[] {
  const errors: string[] = [];
  page.on('console', (msg) => {
    if (msg.type() === 'error') {
      errors.push(msg.text());
    }
  });
  page.on('pageerror', (error) => {
    errors.push(error.message);
  });
  return errors;
 }
 function expectNoCriticalErrors(errors: string[]): void {
  const critical = errors.filter((error) => /NG0|TypeError|ReferenceError/.test(error));
  expect(critical, critical.join('\n')).toHaveLength(0);
 }
 async function go(page: Page, path: string): Promise<void> {
  await page.goto(path, { waitUntil: 'networkidle', timeout: 60_000 });
  await page.waitForLoadState('domcontentloaded');
 }
 async function stubIntegrationCounts(page: Page): Promise<void> {
  await page.route('**/v1/integrations**', async (route: Route) => {
    const requestUrl = new URL(route.request().url());
    const type = Number.parseInt(requestUrl.searchParams.get('type') ?? '0', 10);
    const counts: Record<number, number> = {
      1: 2,
      2: 1,
      3: 0,
      4: 1,
      5: 4,
      6: 3,
    };
    await route.fulfill({
      status: 200,
      contentType: 'application/json',
      body: JSON.stringify({
        items: [],
        totalCount: counts[type] ?? 0,
        page: 1,
        pageSize: 1,
        totalPages: 1,
      }),
    });
  });
 }
 async function openCommandPalette(page: Page): Promise<void> {
  await page.evaluate(() => {
    document.dispatchEvent(new KeyboardEvent('keydown', {
      key: 'k',
      ctrlKey: true,
      bubbles: true,
    }));
  });
  await expect(page.locator('.cp__input')).toBeVisible();
 }
 test.describe('Onboarding UX sprint closure', () => {
  test('dashboard shows first-visit guidance, metric hints, status chip tooltips, and sidebar recommendation', async ({ authenticatedPage: page }) => {
    const errors = collectCriticalErrors(page);
    await go(page, '/');
    await page.evaluate(() => {
      localStorage.removeItem('stellaops.helper.preferences');
    });
    await page.reload({ waitUntil: 'networkidle' });
    const banner = page.locator('[aria-label="Dashboard welcome"]');
    await expect(banner).toBeVisible();
    await expect(banner).toContainText('Welcome to Stella Ops');
    await expect(banner).toContainText('Severity guide');
    await expect(banner).toContainText('Run diagnostics');
    await expect(page.getByRole('button', { name: /SBOM: show glossary definition/i })).toBeVisible();
    await expect(page.getByRole('button', { name: /Feed: show glossary definition/i })).toBeVisible();
    await expect(page.locator('app-live-event-stream-chip a')).toHaveAttribute('title', /Events:/);
    await expect(page.locator('app-policy-baseline-chip a')).toHaveAttribute('title', /Policy:/);
    await expect(page.locator('app-evidence-mode-chip a')).toHaveAttribute('title', /Evidence:/);
    await expect(page.locator('app-feed-snapshot-chip a')).toHaveAttribute('title', /Feed:/);
    await expect(page.locator('app-offline-status-chip a')).toHaveAttribute('title', /Offline:/);
    const sidebar = page.locator('app-sidebar');
    await expect(sidebar).toContainText('Start here');
    await expect(sidebar).toContainText('Diagnostics');
    await page.getByRole('button', { name: /dismiss dashboard welcome/i }).click();
    await page.reload({ waitUntil: 'networkidle' });
    await expect(banner).toBeHidden();
    expectNoCriticalErrors(errors);
  });
  test('page help panels explain routes, persist state, and lead into docs routes', async ({ authenticatedPage: page }) => {
    const errors = collectCriticalErrors(page);
    await go(page, '/security/reachability');
    const panel = page.locator('[data-page-help="reachability"]');
    await expect(panel).toBeVisible();
    await expect(panel).toContainText('About this page');
    await expect(panel).toContainText('Reachability');
    await expect(panel).toContainText('Key concepts');
    await expect(panel).toContainText('Coverage is confidence');
    await expect(panel.locator('.page-help__body')).toBeVisible();
    await panel.locator('.page-help__toggle').click();
    await expect(panel.locator('.page-help__body')).toHaveCount(0);
    await page.reload({ waitUntil: 'networkidle' });
    await expect(panel.locator('.page-help__toggle')).toHaveAttribute('aria-expanded', 'false');
    await panel.locator('.page-help__toggle').click();
    await expect(panel.locator('.page-help__body')).toBeVisible();
    await panel.getByRole('link', { name: 'Operator guide' }).click();
    await expect(page).toHaveURL(/\/docs\/UI_GUIDE\.md$/);
    await expect(page.locator('.docs-viewer__header')).toContainText('Documentation');
    await expect(page.locator('.docs-viewer__path')).toContainText('UI_GUIDE.md');
    const docsPanel = page.locator('[data-page-help="default"]');
    await expect(docsPanel).toBeVisible();
    await expect(docsPanel).toContainText('Documentation');
    await expect(docsPanel).toContainText('Operator guide');
    expectNoCriticalErrors(errors);
  });
  test('vex page exposes glossary-enhanced help content for the hardest concepts', async ({ authenticatedPage: page }) => {
    const errors = collectCriticalErrors(page);
    await go(page, '/ops/policy/vex');
    const panel = page.locator('[data-page-help="vex"]');
    await expect(panel).toBeVisible();
    await expect(panel).toContainText('VEX and Exceptions');
    await expect(panel).toContainText('Quick mental model');
    const glossaryButton = page.getByRole('button', { name: /VEX: show glossary definition/i }).first();
    await glossaryButton.hover();
    await glossaryButton.focus();
    const tooltip = page.locator('.glossary-tooltip');
    await expect(tooltip).toBeVisible();
    await expect(tooltip).toContainText(/VEX|vulnerability/i);
    expectNoCriticalErrors(errors);
  });
  test('decision capsules and findings explorer explain capsules and baselines inline', async ({ authenticatedPage: page }) => {
    const errors = collectCriticalErrors(page);
    await go(page, '/evidence/capsules');
    const capsulesPanel = page.locator('[data-page-help="decision-capsules"]');
    await expect(capsulesPanel).toBeVisible();
    await expect(capsulesPanel).toContainText('Decision Capsules');
    await expect(capsulesPanel).toContainText('What is inside a capsule');
    await expect(capsulesPanel).toContainText('Replay and verification');
    await go(page, '/security/findings');
    const findingsPanel = page.locator('[data-page-help="findings"]');
    await expect(findingsPanel).toBeVisible();
    await expect(findingsPanel).toContainText('Findings Explorer');
    await expect(findingsPanel).toContainText('Baselines reduce noise');
    await expect(findingsPanel).toContainText('Baseline workflow');
    expectNoCriticalErrors(errors);
  });
  test('integrations hub shows guided setup order with live done and pending state', async ({ authenticatedPage: page }) => {
    const errors = collectCriticalErrors(page);
    await stubIntegrationCounts(page);
    await go(page, '/setup/integrations');
    const setupOrder = page.getByRole('region', { name: 'Suggested Setup Order' });
    await expect(page.getByRole('heading', { name: 'Suggested Setup Order' })).toBeVisible();
    await expect(page.locator('.hub-summary')).toContainText('14');
    await expect(setupOrder.getByRole('link', { name: 'Source Control', exact: true })).toBeVisible();
    await expect(setupOrder).toContainText(/Fresh advisory and VEX sources are what make security posture/i);
    await expect(page.locator('.setup-step-card__status--done')).toHaveCount(4);
    await expect(page.locator('.setup-step-card__status--pending')).toHaveCount(1);
    await expect(page.locator('.activity')).toContainText('Use the activity timeline for connector event history');
    expectNoCriticalErrors(errors);
  });
  test('command palette serves glossary help and guided workflows inline', async ({ authenticatedPage: page }) => {
    const errors = collectCriticalErrors(page);
    await go(page, '/');
    await openCommandPalette(page);
    const input = page.locator('.cp__input');
    const dialog = page.locator('.cp__dialog');
    await input.fill('help: sbom');
    await expect(dialog).toContainText('Help & Guides');
    await expect(dialog).toContainText('Help: SBOM');
    await expect(dialog).toContainText('A list of all the parts');
    await input.fill('guide: scan image');
    await expect(dialog).toContainText('Guide: Scan Image');
    await expect(dialog).toContainText('Step 1');
    await expect(dialog).toContainText('Step 2');
    await input.fill('guide: first setup');
    await page.getByRole('button', { name: /Guide: First Setup/i }).click();
    await expect(page).toHaveURL(/\/setup-wizard\/wizard$/);
    expectNoCriticalErrors(errors);
  });
 });
--- a/src/Web/StellaOps.Web/src/app/core/context/platform-context.store.ts
+++ b/src/Web/StellaOps.Web/src/app/core/context/platform-context.store.ts
@@ -70,6 +70,8 @@ export class PlatformContextStore {
  readonly timeWindow = signal(DEFAULT_TIME_WINDOW);
  readonly stage = signal(DEFAULT_STAGE);
  readonly releaseLane = signal<'standard' | 'hotfix'>('standard');
  readonly integrationStatus = signal<string>('all');
  readonly advisoryCategories = signal<string[]>([]);
  readonly loading = signal(false);
  readonly initialized = signal(false);
@@ -209,6 +211,14 @@ export class PlatformContextStore {
    this.bumpContextVersion();
  }
  setIntegrationStatus(status: string): void {
    this.integrationStatus.set(status);
  }
  setAdvisoryCategories(categories: string[]): void {
    this.advisoryCategories.set(categories);
  }
  setTenantId(tenantId: string | null): void {
    const normalizedTenantId = this.normalizeTenantId(tenantId);
    if (normalizedTenantId === this.tenantId()) {
--- a/src/Web/StellaOps.Web/src/app/core/navigation/navigation.types.ts
+++ b/src/Web/StellaOps.Web/src/app/core/navigation/navigation.types.ts
@@ -51,6 +51,9 @@ export interface NavGroup {
  /** Display label for the group */
  readonly label: string;
  /** Short contextual description shown alongside group headers */
  readonly description?: string;
  /** Navigation items in this group */
  readonly items: NavItem[];
--- a/src/Web/StellaOps.Web/src/app/core/testing/dashboard-v3.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/core/testing/dashboard-v3.component.spec.ts
@@ -1,14 +1,76 @@
 import { TestBed } from '@angular/core/testing';
 import { provideRouter } from '@angular/router';
 import { of } from 'rxjs';
 import { AUTH_SERVICE } from '../auth/auth.service';
 import { VULNERABILITY_API } from '../api/vulnerability.client';
 import { PlatformContextStore } from '../context/platform-context.store';
 import { PageActionService } from '../services/page-action.service';
 import { DashboardV3Component } from '../../features/dashboard-v3/dashboard-v3.component';
 import { SourceManagementApi } from '../../features/integrations/advisory-vex-sources/source-management.api';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 import { StellaPreferencesService } from '../../shared/components/stella-helper/stella-preferences.service';
 function provideDashboardDependencies(contextStore: unknown) {
  return [
    provideRouter([]),
    {
      provide: PlatformContextStore,
      useValue: contextStore,
    },
    {
      provide: VULNERABILITY_API,
      useValue: {
        getStats: () => of(null),
      },
    },
    {
      provide: SourceManagementApi,
      useValue: {
        getStatus: () => of({ sources: [] }),
      },
    },
    {
      provide: AUTH_SERVICE,
      useValue: {
        user: () => ({ tenantName: 'Test Tenant' }),
        hasAnyScope: () => true,
      },
    },
    {
      provide: PageActionService,
      useValue: {
        set: () => undefined,
        clear: () => undefined,
      },
    },
    {
      provide: StellaHelperContextService,
      useValue: {
        setScope: () => undefined,
        clearScope: () => undefined,
      },
    },
    {
      provide: StellaPreferencesService,
      useValue: {
        isBannerDismissed: () => false,
        dismissBanner: () => undefined,
      },
    },
  ];
 }
 describe('DashboardV3Component', () => {
  it('builds canonical topology posture targets for environment cards', () => {
    const contextStore = {
      initialize: () => undefined,
      initialized: () => true,
      error: () => null,
      tenantId: () => 'tenant-default',
      selectedRegions: () => [],
      selectedEnvironments: () => [],
      contextVersion: () => 0,
      timeWindow: () => '24h',
      setRegions: () => undefined,
      setTimeWindow: () => undefined,
@@ -34,13 +96,7 @@ describe('DashboardV3Component', () => {
    TestBed.configureTestingModule({
      imports: [DashboardV3Component],
-      providers: [
+      providers: provideDashboardDependencies(contextStore),
        provideRouter([]),
        {
          provide: PlatformContextStore,
          useValue: contextStore,
        },
      ],
    });
    const fixture = TestBed.createComponent(DashboardV3Component);
@@ -63,7 +119,12 @@ describe('DashboardV3Component', () => {
  it('builds canonical findings scope for downstream pages instead of synthetic dashboard ids', () => {
    const contextStore = {
      initialize: () => undefined,
      initialized: () => true,
      error: () => null,
      tenantId: () => 'tenant-default',
      selectedRegions: () => [],
      selectedEnvironments: () => [],
      contextVersion: () => 0,
      timeWindow: () => '24h',
      setRegions: () => undefined,
      setTimeWindow: () => undefined,
@@ -89,13 +150,7 @@ describe('DashboardV3Component', () => {
    TestBed.configureTestingModule({
      imports: [DashboardV3Component],
-      providers: [
+      providers: provideDashboardDependencies(contextStore),
        provideRouter([]),
        {
          provide: PlatformContextStore,
          useValue: contextStore,
        },
      ],
    });
    const fixture = TestBed.createComponent(DashboardV3Component);
@@ -117,7 +172,12 @@ describe('DashboardV3Component', () => {
  it('filters mission board environments from the active context scope', () => {
    const contextStore = {
      initialize: () => undefined,
      initialized: () => true,
      error: () => null,
      tenantId: () => 'tenant-default',
      selectedRegions: () => ['us-east'],
      selectedEnvironments: () => [],
      contextVersion: () => 0,
      timeWindow: () => '7d',
      regions: () => [
        { regionId: 'eu-west', displayName: 'EU West' },
@@ -141,10 +201,7 @@ describe('DashboardV3Component', () => {
    TestBed.configureTestingModule({
      imports: [DashboardV3Component],
-      providers: [
+      providers: provideDashboardDependencies(contextStore),
        provideRouter([]),
        { provide: PlatformContextStore, useValue: contextStore },
      ],
    });
    const fixture = TestBed.createComponent(DashboardV3Component);
@@ -159,4 +216,42 @@ describe('DashboardV3Component', () => {
      environments: 'stage',
    });
  });
  it('recommends scanning when every environment is missing SBOM data', () => {
    const contextStore = {
      initialize: () => undefined,
      initialized: () => true,
      error: () => null,
      tenantId: () => 'tenant-default',
      selectedRegions: () => [],
      selectedEnvironments: () => [],
      contextVersion: () => 0,
      environments: () => [
        {
          environmentId: 'dev',
          regionId: 'eu-west',
          environmentType: 'development',
          displayName: 'Development EU West',
        },
      ],
    };
    TestBed.configureTestingModule({
      imports: [DashboardV3Component],
      providers: provideDashboardDependencies(contextStore),
    });
    const fixture = TestBed.createComponent(DashboardV3Component);
    const component = fixture.componentInstance;
    expect(component.allSbomMissing()).toBeTrue();
    expect(component.helperContexts()).toContain('sbom-missing');
    expect(
      component.recommendedDashboardActions().some(
        (action) =>
          action.id === 'scan-first-image' &&
          action.route === '/security/scan',
      ),
    ).toBeTrue();
  });
 });
--- a/src/Web/StellaOps.Web/src/app/features/approvals/approvals-inbox.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/approvals/approvals-inbox.component.ts
@@ -1,4 +1,4 @@
-import { ChangeDetectionStrategy, Component, computed, inject, signal } from '@angular/core';
+import { ChangeDetectionStrategy, Component, computed, DestroyRef, effect, inject, signal } from '@angular/core';
 import { ActivatedRoute, Router, RouterModule } from '@angular/router';
 import { catchError, of } from 'rxjs';
@@ -6,6 +6,7 @@ import { APPROVAL_API } from '../../core/api/approval.client';
 import type { ApprovalRequest, ApprovalStatus } from '../../core/api/approval.models';
 import { FilterBarComponent, type FilterOption, type ActiveFilter } from '../../shared/ui/filter-bar/filter-bar.component';
 import { StellaPageTabsComponent, StellaPageTab } from '../../shared/components/stella-page-tabs/stella-page-tabs.component';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 type QueueTab = 'pending' | 'approved' | 'rejected' | 'expiring' | 'my-team';
@@ -69,19 +70,18 @@ const QUEUE_TABS: StellaPageTab[] = [
              <path d="M3 9h18M9 21V9"/>
            </svg>
          </div>
-          <h3 class="empty-state__title">No approvals found</h3>
+          <h3 class="empty-state__title">{{ emptyStateTitle() }}</h3>
-          <p class="empty-state__desc">
+          <p class="empty-state__desc">{{ emptyStateDescription() }}</p>
          <div class="empty-state__actions">
            @if (hasActiveFilters()) {
-              No approvals match the current filters. Try broadening your search or clearing filters.
+              <button type="button" class="btn-secondary" (click)="clearAllFilters()">Clear Filters</button>
            } @else if (activeTab() !== 'pending') {
              <button type="button" class="btn-secondary" (click)="switchTab('pending')">Open Pending Queue</button>
            } @else {
-              There are no {{ activeTab() }} approval requests at this time.
+              <a [routerLink]="['/releases/deployments']" class="btn-secondary">View Deployment History</a>
            }
-          </p>
+            <a [routerLink]="['/releases/deployments']" class="empty-state__learn">Learn where approvals come from</a>
-          @if (hasActiveFilters()) {
+          </div>
            <div class="empty-state__actions">
              <button type="button" class="btn-secondary" (click)="clearAllFilters()">Clear All Filters</button>
            </div>
          }
        </div>
      } @else {
        <div class="table-container">
@@ -316,6 +316,17 @@ const QUEUE_TABS: StellaPageTab[] = [
    }
    /* ─── Table ─── */
    .empty-state__learn {
      color: var(--color-text-link);
      font-size: var(--font-size-sm, 0.75rem);
      font-weight: var(--font-weight-medium);
      text-decoration: none;
    }
    .empty-state__learn:hover {
      text-decoration: underline;
    }
    .table-container {
      border: 1px solid var(--color-border-primary);
      border-radius: var(--radius-lg);
@@ -543,6 +554,8 @@ export class ApprovalsInboxComponent {
  private readonly api = inject(APPROVAL_API);
  private readonly route = inject(ActivatedRoute);
  private readonly router = inject(Router);
  private readonly destroyRef = inject(DestroyRef);
  private readonly helperCtx = inject(StellaHelperContextService);
  readonly loading = signal(true);
  readonly error = signal<string | null>(null);
@@ -554,6 +567,18 @@ export class ApprovalsInboxComponent {
  readonly pageTabs = computed(() =>
    QUEUE_TABS.map(tab => ({ ...tab, badge: this.tabCount(tab.id as QueueTab) }))
  );
  readonly helperContexts = computed(() => {
    const contexts: string[] = [];
    if (!this.loading() && !this.error() && this.filtered().length === 0) {
      contexts.push('empty-table');
    }
    const actionableTab = this.activeTab() === 'pending' || this.activeTab() === 'expiring' || this.activeTab() === 'my-team';
    if (!this.loading() && actionableTab && this.filtered().length > 0) {
      contexts.push('approval-pending');
    }
    return contexts;
  });
  // Shared filter bar integration
  readonly filterOptions: FilterOption[] = [
@@ -572,6 +597,11 @@ export class ApprovalsInboxComponent {
  searchTerm = '';
  constructor() {
    effect(() => {
      this.helperCtx.setScope('approvals-inbox', this.helperContexts());
    }, { allowSignalWrites: true });
    this.destroyRef.onDestroy(() => this.helperCtx.clearScope('approvals-inbox'));
    this.route.queryParamMap.subscribe((params) => {
      const tab = (params.get('tab') ?? 'pending') as QueueTab;
      if (QUEUE_TABS.some((item) => item.id === tab)) {
@@ -654,6 +684,44 @@ export class ApprovalsInboxComponent {
    return this.activeFilterPills().length > 0 || this.searchTerm.trim().length > 0;
  }
  emptyStateTitle(): string {
    if (this.hasActiveFilters()) {
      return 'No approvals match this view';
    }
    switch (this.activeTab()) {
      case 'approved':
        return 'No approved promotions recorded';
      case 'rejected':
        return 'No rejected promotions recorded';
      case 'expiring':
        return 'Nothing is close to expiry';
      case 'my-team':
        return 'Your team has no requests in queue';
      default:
        return 'No approvals need review right now';
    }
  }
  emptyStateDescription(): string {
    if (this.hasActiveFilters()) {
      return 'Stella found approval data for this queue, but the current search or filter set narrowed it down to zero rows. Clear filters first before assuming the promotion flow is idle.';
    }
    switch (this.activeTab()) {
      case 'approved':
        return 'Approved promotions appear here after a human signs off on a release. If you expected history, check the deployment timeline to confirm a promotion actually reached approval.';
      case 'rejected':
        return 'Rejected promotions show up here when an approver blocks a release. An empty list is a healthy sign that recent releases were either approved or never required escalation.';
      case 'expiring':
        return 'This queue highlights requests that are about to time out. Nothing here means the current approval backlog is not at immediate risk of expiring.';
      case 'my-team':
        return 'Team requests appear here when releases created by your group still need sign-off. If the list is empty, your team is either clear or operating through another environment scope.';
      default:
        return 'Approvals are only created after automated gates finish and a promotion still requires human judgment. An empty pending queue usually means releases are either flowing cleanly or have not reached review yet.';
    }
  }
  reload(): void {
    this.load();
  }
--- a/src/Web/StellaOps.Web/src/app/features/audit-log/audit-log-dashboard.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/audit-log/audit-log-dashboard.component.ts
@@ -1,43 +1,84 @@
-// Sprint: SPRINT_20251229_028_FE - Unified Audit Log Viewer
+import {
-import { Component, OnInit, inject, signal, computed, ChangeDetectionStrategy } from '@angular/core';
+  ChangeDetectionStrategy,
  Component,
  DestroyRef,
  OnInit,
  computed,
  effect,
  inject,
  signal,
 } from '@angular/core';
 import { CommonModule } from '@angular/common';
-import { RouterModule } from '@angular/router';
+import { RouterLink } from '@angular/router';
 import { AuditLogClient } from '../../core/api/audit-log.client';
-import { AuditStatsSummary, AuditEvent, AuditAnomalyAlert, AuditModule } from '../../core/api/audit-log.models';
+import {
  AuditAnomalyAlert,
  AuditEvent,
  AuditModule,
  AuditStatsSummary,
 } from '../../core/api/audit-log.models';
 import { StellaMetricCardComponent } from '../../shared/components/stella-metric-card/stella-metric-card.component';
 import { StellaMetricGridComponent } from '../../shared/components/stella-metric-card/stella-metric-grid.component';
-import { StellaPageTabsComponent, StellaPageTab } from '../../shared/components/stella-page-tabs/stella-page-tabs.component';
+import {
-import { StellaQuickLinksComponent, type StellaQuickLink } from '../../shared/components/stella-quick-links/stella-quick-links.component';
+  StellaPageTab,
-import { AuditTimelineSearchComponent } from './audit-timeline-search.component';
+  StellaPageTabsComponent,
 } from '../../shared/components/stella-page-tabs/stella-page-tabs.component';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 import { AuditCorrelationsComponent } from './audit-correlations.component';
 import { AuditLogTableComponent } from './audit-log-table.component';
 import { AuditTimelineSearchComponent } from './audit-timeline-search.component';
 const AUDIT_TABS: StellaPageTab[] = [
-  { id: 'overview', label: 'Overview', icon: 'M3 9l9-7 9 7v11a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2z|||M9 22V12h6v10' },
+  {
-  { id: 'all-events', label: 'All Events', icon: 'M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z|||M14 2v6h6|||M16 13H8|||M16 17H8|||M10 9H8' },
+    id: 'overview',
-  { id: 'timeline', label: 'Timeline', icon: 'M12 12m-10 0a10 10 0 1 0 20 0 10 10 0 1 0-20 0|||M12 6v6l4 2' },
+    label: 'Overview',
-  { id: 'correlations', label: 'Correlations', icon: 'M22 12h-4l-3 9L9 3l-3 9H2' },
+    icon: 'M3 9l9-7 9 7v11a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2z|||M9 22V12h6v10',
  },
  {
    id: 'all-events',
    label: 'All Events',
    icon: 'M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z|||M14 2v6h6|||M16 13H8|||M16 17H8|||M10 9H8',
  },
  {
    id: 'timeline',
    label: 'Timeline',
    icon: 'M12 12m-10 0a10 10 0 1 0 20 0 10 10 0 1 0-20 0|||M12 6v6l4 2',
  },
  {
    id: 'correlations',
    label: 'Correlations',
    icon: 'M22 12h-4l-3 9L9 3l-3 9H2',
  },
 ];
@Component({
-    selector: 'app-audit-log-dashboard',
+  selector: 'app-audit-log-dashboard',
-    imports: [
+  standalone: true,
-      CommonModule, RouterModule,
+  imports: [
-      StellaMetricCardComponent, StellaMetricGridComponent, StellaPageTabsComponent,
+    CommonModule,
-      StellaQuickLinksComponent,
+    RouterLink,
-      AuditTimelineSearchComponent, AuditCorrelationsComponent, AuditLogTableComponent,
+    StellaMetricCardComponent,
-    ],
+    StellaMetricGridComponent,
-    changeDetection: ChangeDetectionStrategy.OnPush,
+    StellaPageTabsComponent,
-    template: `
+    AuditTimelineSearchComponent,
    AuditCorrelationsComponent,
    AuditLogTableComponent,
  ],
  changeDetection: ChangeDetectionStrategy.OnPush,
  template: `
    <div class="audit-dashboard">
      <header class="page-header">
-        <div>
+        <div class="page-copy">
          <h1>Audit & Compliance</h1>
-          <p class="description">Cross-module audit trail, anomaly detection, timeline search, and event correlation</p>
+          <p class="description">
            Cross-module audit trail, anomaly detection, timeline search, and event correlation.
          </p>
        </div>
        <div class="header-actions">
          <a routerLink="/evidence/exports" class="btn-secondary">Export Center</a>
          <a routerLink="/ops/policy/packs" class="btn-secondary">Policy Packs</a>
        </div>
        <aside class="page-aside">
          <stella-quick-links [links]="quickLinks" label="Quick Links" layout="strip" />
        </aside>
      </header>
      <stella-page-tabs
@@ -49,7 +90,6 @@ const AUDIT_TABS: StellaPageTab[] = [
      >
        @switch (activeTab()) {
          @case ('overview') {
            <!-- Overview: stats + anomalies + recent events -->
            @if (stats()) {
              <stella-metric-grid [columns]="moduleStats().length + 1">
                <stella-metric-card
@@ -60,33 +100,50 @@ const AUDIT_TABS: StellaPageTab[] = [
                @for (entry of moduleStats(); track entry.module) {
                  <stella-metric-card
                    [label]="formatModule(entry.module)"
-                    [value]="(entry.count | number) ?? '0'"
+                    [value]="entry.count | number"
                    [icon]="getModuleIcon(entry.module)"
                  />
                }
              </stella-metric-grid>
            }
-            @if (allCountsZero()) {
+            @if (showOverviewGuidance()) {
-              <div class="audit-log__empty-guidance">
+              <section class="audit-log__empty-guidance">
-                <p>Audit events will appear as the platform is used. Events are captured automatically for:</p>
+                <div class="audit-log__empty-badge" aria-hidden="true">AU</div>
-                <ul>
+                <div class="audit-log__empty-copy">
-                  <li>Release seals, promotions, and approvals</li>
+                  <h2>No audit events have been recorded yet</h2>
-                  <li>Policy changes and activations</li>
+                  <p>
-                  <li>VEX decisions and consensus votes</li>
+                    Audit data appears automatically as operators use the platform. The first useful
-                  <li>Integration configuration changes</li>
+                    events usually come from release creation, policy changes, approvals, scans, and
-                  <li>Identity and access management</li>
+                    integration updates.
-                </ul>
+                  </p>
-                <p class="audit-log__status-note">The Evidence rail indicator shows <strong>ON</strong> — audit capture is active.</p>
+                  <ul>
-              </div>
+                    <li>Release seals, promotions, and approvals</li>
                    <li>Policy activations, simulations, and rollbacks</li>
                    <li>VEX decisions and consensus votes</li>
                    <li>Integration configuration changes</li>
                    <li>Identity, signing, and evidence actions</li>
                  </ul>
                  <p class="audit-log__status-note">
                    This is usually a first-run state, not a failure. Once work starts flowing through
                    Stella, this page becomes the evidence trail for who changed what and when.
                  </p>
                  <div class="audit-log__empty-actions">
                    <a routerLink="/releases" class="btn-primary">Open Releases</a>
                    <a routerLink="/ops/policy/packs" class="btn-secondary">Review Policy Packs</a>
                  </div>
                </div>
              </section>
            }
            @if (anomalies().length > 0) {
              <section class="anomaly-alerts">
-                <h2>Anomaly Alerts</h2>
+                <div class="section-header section-header--plain">
                  <h2>Anomaly Alerts</h2>
                </div>
                <div class="alert-list">
                  @for (alert of anomalies(); track alert.id) {
-                    <div class="alert-card" [class]="alert.severity">
+                    <article class="alert-card" [class]="alert.severity">
                      <div class="alert-header">
                        <span class="alert-type">{{ formatAnomalyType(alert.type) }}</span>
                        <span class="alert-time">{{ formatTime(alert.detectedAt) }}</span>
@@ -100,7 +157,7 @@ const AUDIT_TABS: StellaPageTab[] = [
                          <span class="ack">Acked by {{ alert.acknowledgedBy }}</span>
                        }
                      </div>
-                    </div>
+                    </article>
                  }
                </div>
              </section>
@@ -109,7 +166,7 @@ const AUDIT_TABS: StellaPageTab[] = [
            <section class="recent-events">
              <div class="section-header">
                <h2>Recent Events</h2>
-                <button class="link" (click)="activeTab.set('all-events')">View all</button>
+                <button class="link" type="button" (click)="activeTab.set('all-events')">View all</button>
              </div>
              <table class="events-table">
                <thead>
@@ -131,98 +188,435 @@ const AUDIT_TABS: StellaPageTab[] = [
                      <td class="resource">{{ event.resource.type }}: {{ event.resource.name || event.resource.id }}</td>
                    </tr>
                  } @empty {
-                    <tr><td colspan="5" style="text-align:center;padding:1.5rem;color:var(--color-text-muted)">No audit events recorded yet.</td></tr>
+                    <tr>
                      <td colspan="5" class="recent-events__empty-cell">
                        <div class="recent-events__empty">
                          <p class="recent-events__empty-title">Nothing has reached the audit stream yet.</p>
                          <p class="recent-events__empty-copy">
                            Start with a release, scan, or policy change. The newest events will appear
                            here first for quick operator review.
                          </p>
                        </div>
                      </td>
                    </tr>
                  }
                </tbody>
              </table>
            </section>
          }
-          @case ('all-events') { <app-audit-log-table /> }
+          @case ('all-events') {
-          @case ('timeline') { <app-audit-timeline-search /> }
+            <app-audit-log-table />
-          @case ('correlations') { <app-audit-correlations /> }
+          }
          @case ('timeline') {
            <app-audit-timeline-search />
          }
          @case ('correlations') {
            <app-audit-correlations />
          }
        }
      </stella-page-tabs>
    </div>
  `,
-    styles: [`
+  styles: [`
-    .audit-dashboard { padding: 1.5rem; max-width: 1400px; margin: 0 auto; }
+    .audit-dashboard {
-    .page-header { display: flex; justify-content: space-between; align-items: flex-start; margin-bottom: 1rem; gap: 1.5rem; }
+      padding: 1.5rem;
-    .page-header h1 { margin: 0 0 0.25rem; font-size: 1.5rem; }
+      max-width: 1400px;
-    .page-aside { flex: 0 1 60%; min-width: 0; }
+      margin: 0 auto;
-    .description { color: var(--color-text-secondary); margin: 0; font-size: 0.9rem; }
+    }
-    stella-metric-grid { margin-bottom: 1.5rem; }
+
-    .anomaly-alerts { margin-bottom: 1.5rem; }
+    .page-header {
-    .anomaly-alerts h2 { margin: 0 0 1rem; font-size: 1.1rem; }
+      display: flex;
-    .alert-list { display: flex; gap: 1rem; flex-wrap: wrap; }
+      justify-content: space-between;
      align-items: flex-start;
      gap: 1rem;
      margin-bottom: 1rem;
    }
    .page-copy h1 {
      margin: 0 0 0.25rem;
      font-size: 1.5rem;
    }
    .description {
      margin: 0;
      color: var(--color-text-secondary);
      font-size: 0.9rem;
    }
    .header-actions {
      display: flex;
      flex-wrap: wrap;
      gap: 0.75rem;
    }
    .btn-primary,
    .btn-secondary,
    .btn-sm {
      display: inline-flex;
      align-items: center;
      justify-content: center;
      border-radius: var(--radius-sm);
      text-decoration: none;
      cursor: pointer;
      transition: opacity 150ms ease, transform 150ms ease;
      font: inherit;
    }
    .btn-primary:hover,
    .btn-secondary:hover,
    .btn-sm:hover {
      opacity: 0.92;
      transform: translateY(-1px);
    }
    .btn-primary,
    .btn-secondary {
      min-height: 2.25rem;
      padding: 0.5rem 0.9rem;
      border: 1px solid var(--color-btn-secondary-border, var(--color-border-primary));
    }
    .btn-primary {
      background: var(--color-btn-primary-bg);
      border-color: var(--color-btn-primary-bg);
      color: var(--color-btn-primary-text);
    }
    .btn-secondary {
      background: var(--color-btn-secondary-bg, var(--color-surface-primary));
      color: var(--color-btn-secondary-text, var(--color-text-primary));
    }
    stella-metric-grid {
      margin-bottom: 1.5rem;
    }
    .audit-log__empty-guidance {
      display: grid;
      grid-template-columns: auto minmax(0, 1fr);
      gap: 1rem;
      margin: 0 0 1.5rem;
      padding: 1rem 1.1rem;
      border: 1px solid var(--color-border-primary);
      border-radius: var(--radius-lg);
      background: linear-gradient(
        135deg,
        color-mix(in srgb, var(--color-surface-primary) 92%, var(--color-brand-primary) 8%),
        var(--color-surface-primary)
      );
    }
    .audit-log__empty-badge {
      width: 2.75rem;
      height: 2.75rem;
      display: inline-flex;
      align-items: center;
      justify-content: center;
      border-radius: var(--radius-full);
      background: color-mix(in srgb, var(--color-brand-primary) 14%, transparent);
      color: var(--color-text-link);
      font-size: 0.78rem;
      font-weight: var(--font-weight-bold);
      letter-spacing: 0.08em;
    }
    .audit-log__empty-copy {
      display: grid;
      gap: 0.65rem;
    }
    .audit-log__empty-copy h2,
    .audit-log__empty-copy p {
      margin: 0;
    }
    .audit-log__empty-copy ul {
      margin: 0;
      padding-left: 1.2rem;
      color: var(--color-text-secondary);
    }
    .audit-log__empty-copy li + li {
      margin-top: 0.25rem;
    }
    .audit-log__status-note {
      color: var(--color-text-secondary);
      font-size: 0.85rem;
      line-height: 1.55;
    }
    .audit-log__empty-actions {
      display: flex;
      flex-wrap: wrap;
      gap: 0.75rem;
      margin-top: 0.15rem;
    }
    .anomaly-alerts {
      margin-bottom: 1.5rem;
    }
    .section-header {
      display: flex;
      justify-content: space-between;
      align-items: center;
      gap: 0.75rem;
      padding: 0.75rem 1rem;
      border-bottom: 1px solid var(--color-border-primary);
    }
    .section-header--plain {
      padding: 0 0 1rem;
      border-bottom: 0;
    }
    .section-header h2 {
      margin: 0;
      font-size: 1rem;
    }
    .alert-list {
      display: flex;
      gap: 1rem;
      flex-wrap: wrap;
    }
    .alert-card {
-      background: var(--color-surface-primary); border: 1px solid var(--color-border-primary);
+      min-width: 280px;
-      border-radius: var(--radius-lg); padding: 1rem; min-width: 280px; flex: 1;
+      flex: 1;
      padding: 1rem;
      border: 1px solid var(--color-border-primary);
      border-radius: var(--radius-lg);
      background: var(--color-surface-primary);
      transition: transform 150ms ease, box-shadow 150ms ease;
    }
-    .alert-card:hover { transform: translateY(-2px); box-shadow: 0 4px 12px rgba(0, 0, 0, 0.08); }
+
-    .alert-card.warning { border-left: 4px solid var(--color-status-warning); }
+    .alert-card:hover {
-    .alert-card.error, .alert-card.critical { border-left: 4px solid var(--color-status-error); }
+      transform: translateY(-2px);
-    .alert-header { display: flex; justify-content: space-between; margin-bottom: 0.5rem; }
+      box-shadow: 0 4px 12px rgba(0, 0, 0, 0.08);
-    .alert-type { font-weight: var(--font-weight-semibold); font-size: 0.9rem; }
+    }
-    .alert-time { font-size: 0.75rem; color: var(--color-text-muted); }
+
-    .alert-desc { font-size: 0.85rem; margin: 0 0 0.75rem; color: var(--color-text-secondary); }
+    .alert-card.warning {
-    .alert-footer { display: flex; justify-content: space-between; align-items: center; }
+      border-left: 4px solid var(--color-status-warning);
-    .affected { font-size: 0.75rem; color: var(--color-text-muted); }
+    }
    .alert-card.error,
    .alert-card.critical {
      border-left: 4px solid var(--color-status-error);
    }
    .alert-header,
    .alert-footer {
      display: flex;
      justify-content: space-between;
      gap: 0.75rem;
      align-items: center;
    }
    .alert-header {
      margin-bottom: 0.5rem;
    }
    .alert-type {
      font-weight: var(--font-weight-semibold);
      font-size: 0.9rem;
    }
    .alert-time,
    .affected,
    .ack {
      font-size: 0.75rem;
      color: var(--color-text-muted);
    }
    .alert-desc {
      margin: 0 0 0.75rem;
      color: var(--color-text-secondary);
      font-size: 0.85rem;
      line-height: 1.5;
    }
    .btn-sm {
-      padding: 0.25rem 0.5rem; font-size: 0.8rem; cursor: pointer;
+      padding: 0.3rem 0.6rem;
-      background: var(--color-btn-primary-bg); color: var(--color-btn-primary-text);
+      border: none;
-      border: none; border-radius: var(--radius-sm); transition: opacity 150ms ease;
+      background: var(--color-btn-primary-bg);
      color: var(--color-btn-primary-text);
      font-size: 0.8rem;
    }
-    .btn-sm:hover { opacity: 0.9; }
+
-    .ack { font-size: 0.75rem; color: var(--color-text-muted); }
+    .recent-events {
-    .recent-events { background: var(--color-surface-primary); border: 1px solid var(--color-border-primary); border-radius: var(--radius-lg); overflow: hidden; }
+      background: var(--color-surface-primary);
-    .section-header { display: flex; justify-content: space-between; align-items: center; padding: 0.75rem 1rem; border-bottom: 1px solid var(--color-border-primary); }
+      border: 1px solid var(--color-border-primary);
-    .section-header h2 { margin: 0; font-size: 1rem; }
+      border-radius: var(--radius-lg);
-    .link { font-size: 0.85rem; color: var(--color-text-link); text-decoration: none; background: none; border: none; cursor: pointer; }
+      overflow: hidden;
-    .link:hover { text-decoration: underline; }
+    }
-    .events-table { width: 100%; border-collapse: collapse; }
+
-    .events-table th, .events-table td { padding: 0.5rem 0.75rem; text-align: left; border-bottom: 1px solid var(--color-border-primary); font-size: 0.84rem; }
+    .link {
      border: none;
      background: none;
      color: var(--color-text-link);
      cursor: pointer;
      font-size: 0.85rem;
      text-decoration: none;
    }
    .link:hover {
      text-decoration: underline;
    }
    .events-table {
      width: 100%;
      border-collapse: collapse;
    }
    .events-table th,
    .events-table td {
      padding: 0.5rem 0.75rem;
      text-align: left;
      border-bottom: 1px solid var(--color-border-primary);
      font-size: 0.84rem;
    }
    .events-table th {
-      background: var(--color-surface-elevated); font-weight: var(--font-weight-semibold);
+      background: var(--color-surface-elevated);
-      font-size: 0.8rem; text-transform: uppercase; letter-spacing: 0.03em;
+      font-weight: var(--font-weight-semibold);
      font-size: 0.8rem;
      text-transform: uppercase;
      letter-spacing: 0.03em;
    }
-    .events-table tbody tr:nth-child(even) { background: var(--color-surface-elevated); }
+
-    .mono { font-family: monospace; font-size: 0.78rem; }
+    .events-table tbody tr:nth-child(even) {
-    .clickable { cursor: pointer; transition: background 150ms ease; }
+      background: var(--color-surface-elevated);
    .clickable:hover { background: rgba(59, 130, 246, 0.06); }
    .badge { display: inline-block; padding: 0.15rem 0.5rem; border-radius: 9999px; font-size: 0.7rem; font-weight: var(--font-weight-medium); text-transform: uppercase; letter-spacing: 0.02em; }
    .badge.module { background: var(--color-surface-elevated); }
    .badge.module.policy { background: var(--color-status-info-bg); color: var(--color-status-info-text); }
    .badge.module.authority { background: var(--color-status-excepted-bg); color: var(--color-status-excepted); }
    .badge.module.vex { background: var(--color-status-success-bg); color: var(--color-status-success-text); }
    .badge.module.integrations { background: var(--color-status-warning-bg); color: var(--color-status-warning-text); }
    .badge.action { background: var(--color-surface-elevated); }
    .badge.action.create { background: var(--color-status-success-bg); color: var(--color-status-success-text); }
    .badge.action.update { background: var(--color-status-info-bg); color: var(--color-status-info-text); }
    .badge.action.delete { background: var(--color-status-error-bg); color: var(--color-status-error-text); }
    .badge.action.promote { background: var(--color-status-warning-bg); color: var(--color-status-warning-text); }
    .resource { max-width: 200px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
    .audit-log__empty-guidance {
      margin: 0 0 1.5rem; padding: 0.75rem 1rem;
      color: var(--color-text-secondary); font-size: 0.9rem; line-height: 1.5;
      border-left: 3px solid var(--color-border-primary);
    }
-    .audit-log__empty-guidance p { margin: 0 0 0.5rem; }
+
-    .audit-log__empty-guidance ul { margin: 0 0 0.5rem; padding-left: 1.25rem; }
+    .clickable {
-    .audit-log__empty-guidance li { margin-bottom: 0.25rem; }
+      cursor: pointer;
-    .audit-log__status-note { margin-bottom: 0 !important; font-size: 0.85rem; }
+      transition: background 150ms ease;
-  `]
+    }
    .clickable:hover {
      background: color-mix(in srgb, var(--color-brand-primary) 6%, transparent);
    }
    .mono {
      font-family: monospace;
      font-size: 0.78rem;
    }
    .badge {
      display: inline-block;
      padding: 0.15rem 0.5rem;
      border-radius: 9999px;
      font-size: 0.7rem;
      font-weight: var(--font-weight-medium);
      text-transform: uppercase;
      letter-spacing: 0.02em;
    }
    .badge.module {
      background: var(--color-surface-elevated);
    }
    .badge.module.policy {
      background: var(--color-status-info-bg);
      color: var(--color-status-info-text);
    }
    .badge.module.authority {
      background: var(--color-status-excepted-bg);
      color: var(--color-status-excepted);
    }
    .badge.module.vex {
      background: var(--color-status-success-bg);
      color: var(--color-status-success-text);
    }
    .badge.module.integrations {
      background: var(--color-status-warning-bg);
      color: var(--color-status-warning-text);
    }
    .badge.action {
      background: var(--color-surface-elevated);
    }
    .badge.action.create {
      background: var(--color-status-success-bg);
      color: var(--color-status-success-text);
    }
    .badge.action.update,
    .badge.action.approve,
    .badge.action.enable {
      background: var(--color-status-info-bg);
      color: var(--color-status-info-text);
    }
    .badge.action.delete,
    .badge.action.fail,
    .badge.action.reject {
      background: var(--color-status-error-bg);
      color: var(--color-status-error-text);
    }
    .badge.action.promote,
    .badge.action.start {
      background: var(--color-status-warning-bg);
      color: var(--color-status-warning-text);
    }
    .resource {
      max-width: 220px;
      overflow: hidden;
      text-overflow: ellipsis;
      white-space: nowrap;
    }
    .recent-events__empty-cell {
      padding: 0;
    }
    .recent-events__empty {
      padding: 1.25rem 1rem;
      text-align: center;
      color: var(--color-text-secondary);
    }
    .recent-events__empty-title,
    .recent-events__empty-copy {
      margin: 0;
    }
    .recent-events__empty-title {
      font-weight: var(--font-weight-semibold);
      color: var(--color-text-primary);
    }
    .recent-events__empty-copy {
      margin-top: 0.35rem;
      line-height: 1.55;
    }
    @media (max-width: 900px) {
      .page-header,
      .audit-log__empty-guidance {
        grid-template-columns: 1fr;
        flex-direction: column;
      }
      .header-actions,
      .audit-log__empty-actions {
        width: 100%;
      }
    }
  `],
 })
 export class AuditLogDashboardComponent implements OnInit {
  private readonly auditClient = inject(AuditLogClient);
-
+  private readonly helperCtx = inject(StellaHelperContextService);
-  readonly quickLinks: readonly StellaQuickLink[] = [
+  private readonly destroyRef = inject(DestroyRef);
    { label: 'Evidence Overview', route: '/evidence/overview', description: 'Evidence search and quick views' },
    { label: 'Export Center', route: '/evidence/exports', description: 'Export profiles and StellaBundle generation' },
    { label: 'Decision Capsules', route: '/evidence/capsules', description: 'Signed decision capsules with evidence' },
    { label: 'Replay & Verify', route: '/evidence/verify-replay', description: 'Deterministic replay of past decisions' },
    { label: 'Trust & Signing', route: '/setup/trust-signing', description: 'Signing keys and certificate management' },
  ];
  readonly auditTabs = AUDIT_TABS;
  readonly activeTab = signal<string>('overview');
@@ -231,13 +625,43 @@ export class AuditLogDashboardComponent implements OnInit {
  readonly recentEvents = signal<AuditEvent[]>([]);
  readonly anomalies = signal<AuditAnomalyAlert[]>([]);
  readonly moduleStats = signal<Array<{ module: AuditModule; count: number }>>([]);
  readonly statsLoaded = signal(false);
  readonly eventsLoaded = signal(false);
  readonly anomaliesLoaded = signal(false);
  readonly overviewLoaded = computed(
    () => this.statsLoaded() && this.eventsLoaded() && this.anomaliesLoaded(),
  );
  readonly allCountsZero = computed(() => {
-    const s = this.stats();
+    const stats = this.stats();
-    if (!s) return false;
+    if (!stats) {
-    return s.totalEvents === 0 && this.moduleStats().every(entry => entry.count === 0);
+      return false;
    }
    return stats.totalEvents === 0 && this.moduleStats().every((entry) => entry.count === 0);
  });
  readonly showOverviewGuidance = computed(
    () => this.overviewLoaded() && this.allCountsZero() && this.recentEvents().length === 0,
  );
  readonly helperContexts = computed(() => {
    const contexts: string[] = [];
    if (this.activeTab() === 'overview' && this.showOverviewGuidance()) {
      contexts.push('empty-table', 'no-audit-events');
    }
    return contexts;
  });
  constructor() {
    effect(() => {
      this.helperCtx.setScope('audit-log-dashboard', this.helperContexts());
    }, { allowSignalWrites: true });
    this.destroyRef.onDestroy(() => this.helperCtx.clearScope('audit-log-dashboard'));
  }
  ngOnInit(): void {
    this.loadData();
  }
@@ -245,69 +669,105 @@ export class AuditLogDashboardComponent implements OnInit {
  loadData(): void {
    const sevenDaysAgo = new Date(Date.now() - 7 * 24 * 60 * 60 * 1000).toISOString();
-    this.auditClient.getStatsSummary(sevenDaysAgo).subscribe((stats) => {
+    this.auditClient.getStatsSummary(sevenDaysAgo).subscribe({
-      this.stats.set(stats);
+      next: (stats) => {
-      const moduleEntries = Object.entries(stats.byModule || {}).map(([module, count]) => ({
+        this.stats.set(stats);
        const moduleEntries = Object.entries(stats.byModule ?? {}).map(([module, count]) => ({
          module: module as AuditModule,
          count: count as number,
        }));
-      this.moduleStats.set(this.sortModuleStatsDeterministically(moduleEntries));
+        this.moduleStats.set(this.sortModuleStatsDeterministically(moduleEntries));
        this.statsLoaded.set(true);
      },
      error: () => {
        this.stats.set(null);
        this.moduleStats.set([]);
        this.statsLoaded.set(true);
      },
    });
-    this.auditClient.getEvents(undefined, undefined, 10).subscribe((res) => {
+    this.auditClient.getEvents(undefined, undefined, 10).subscribe({
-      this.recentEvents.set(this.sortEventsDeterministically(res.items));
+      next: (response) => {
        this.recentEvents.set(this.sortEventsDeterministically(response.items ?? []));
        this.eventsLoaded.set(true);
      },
      error: () => {
        this.recentEvents.set([]);
        this.eventsLoaded.set(true);
      },
    });
-    this.auditClient.getAnomalyAlerts(false, 5).subscribe((alerts) => {
+    this.auditClient.getAnomalyAlerts(false, 5).subscribe({
-      this.anomalies.set(alerts);
+      next: (alerts) => {
        this.anomalies.set(alerts);
        this.anomaliesLoaded.set(true);
      },
      error: () => {
        this.anomalies.set([]);
        this.anomaliesLoaded.set(true);
      },
    });
  }
  acknowledgeAlert(alertId: string): void {
    this.auditClient.acknowledgeAnomaly(alertId).subscribe(() => {
      this.anomalies.update((alerts) =>
-        alerts.map((a) => (a.id === alertId ? { ...a, acknowledged: true } : a))
+        alerts.map((alert) => (
          alert.id === alertId
            ? { ...alert, acknowledged: true }
            : alert
        )),
      );
    });
  }
-  formatTime(ts: string): string {
+  formatTime(timestamp: string): string {
-    return new Date(ts).toLocaleString();
+    return new Date(timestamp).toLocaleString();
  }
  formatAnomalyType(type: string): string {
-    return type.replace(/_/g, ' ').replace(/\b\w/g, (c) => c.toUpperCase());
+    return type.replace(/_/g, ' ').replace(/\b\w/g, (char) => char.toUpperCase());
  }
  formatModule(module: AuditModule): string {
-    const labels: Record<string, string> = {
+    const labels: Partial<Record<AuditModule, string>> = {
      policy: 'Policy',
      authority: 'Authority',
-      vex: 'VEX',
+      policy: 'Policy',
      jobengine: 'Job Engine',
      integrations: 'Integrations',
-      release: 'Release',
+      vex: 'VEX',
      scanner: 'Scanner',
      attestor: 'Attestor',
      sbom: 'SBOM',
      scheduler: 'Scheduler',
    };
-    return labels[module] || module;
+    return labels[module] ?? module;
  }
  getModuleIcon(module: AuditModule): string {
-    const icons: Record<string, string> = {
+    const icons: Partial<Record<AuditModule, string>> = {
      policy: 'M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z',
      authority: 'M21 2l-2 2m-7.61 7.61a5.5 5.5 0 1 1-7.778 7.778 5.5 5.5 0 0 1 7.777-7.777zm0 0L15.5 7.5m0 0l3 3L22 7l-3-3m-3.5 3.5L19 4',
      vex: 'M9 11l3 3L22 4|||M21 12v7a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h11',
      integrations: 'M16 18l6-6-6-6|||M8 6l-6 6 6 6',
-      release: 'M12 2L2 7l10 5 10-5-10-5z|||M2 17l10 5 10-5|||M2 12l10 5 10-5',
+      jobengine: 'M21 16V8a2 2 0 0 0-1-1.73l-7-4a2 2 0 0 0-2 0l-7 4A2 2 0 0 0 3 8v8a2 2 0 0 0 1 1.73l7 4a2 2 0 0 0 2 0l7-4A2 2 0 0 0 21 16z|||M3.3 7l8.7 5 8.7-5',
      scanner: 'M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z|||M12 12m-3 0a3 3 0 1 0 6 0 3 3 0 1 0-6 0',
      attestor: 'M12 2l8 4v6c0 5.25-3.5 9.5-8 10-4.5-.5-8-4.75-8-10V6l8-4z|||M9 12l2 2 4-4',
      sbom: 'M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z|||M14 2v6h6|||M8 13h8|||M8 17h5',
      scheduler: 'M8 2v4|||M16 2v4|||M3 10h18|||M5 6h14a2 2 0 0 1 2 2v11a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2z',
    };
-    return icons[module] || 'M12 12m-10 0a10 10 0 1 0 20 0 10 10 0 1 0-20 0';
+    return icons[module] ?? 'M12 12m-10 0a10 10 0 1 0 20 0 10 10 0 1 0-20 0';
  }
-  private sortModuleStatsDeterministically(entries: Array<{ module: AuditModule; count: number }>): Array<{ module: AuditModule; count: number }> {
+  private sortModuleStatsDeterministically(
-    return entries.sort((a, b) => b.count - a.count || a.module.localeCompare(b.module));
+    entries: Array<{ module: AuditModule; count: number }>,
  ): Array<{ module: AuditModule; count: number }> {
    return [...entries].sort((left, right) => right.count - left.count || left.module.localeCompare(right.module));
  }
  private sortEventsDeterministically(events: AuditEvent[]): AuditEvent[] {
-    return events.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+    return [...events].sort(
      (left, right) => new Date(right.timestamp).getTime() - new Date(left.timestamp).getTime(),
    );
  }
 }
--- a/src/Web/StellaOps.Web/src/app/features/dashboard-v3/dashboard-v3.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/dashboard-v3/dashboard-v3.component.ts
@@ -10,6 +10,7 @@ import {
  Component,
  ChangeDetectionStrategy,
  computed,
  effect,
  inject,
  signal,
  OnInit,
@@ -24,6 +25,7 @@ import { LoadingStateComponent } from '../../shared/components/loading-state/loa
 import { StellaQuickLinksComponent, StellaQuickLink } from '../../shared/components/stella-quick-links/stella-quick-links.component';
 import { StellaMetricCardComponent } from '../../shared/components/stella-metric-card/stella-metric-card.component';
 import { StellaMetricGridComponent } from '../../shared/components/stella-metric-card/stella-metric-grid.component';
 import { GlossaryTooltipDirective } from '../../shared/directives/glossary-tooltip.directive';
 import { catchError, take } from 'rxjs/operators';
 import { of } from 'rxjs';
@@ -45,6 +47,8 @@ import {
  type AuthService,
 } from '../../core/auth/auth.service';
 import { PageActionService } from '../../core/services/page-action.service';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 import { StellaPreferencesService } from '../../shared/components/stella-helper/stella-preferences.service';
 interface EnvironmentCard {
  id: string;
@@ -79,10 +83,17 @@ interface PendingAction {
  route: string;
 }
 interface DashboardGuideAction {
  id: string;
  title: string;
  description: string;
  route: string;
 }
@Component({
  selector: 'app-dashboard-v3',
  standalone: true,
-  imports: [RouterLink, LoadingStateComponent, StellaQuickLinksComponent, StellaMetricCardComponent, StellaMetricGridComponent],
+  imports: [RouterLink, LoadingStateComponent, StellaQuickLinksComponent, StellaMetricCardComponent, StellaMetricGridComponent, GlossaryTooltipDirective],
  changeDetection: ChangeDetectionStrategy.OnPush,
  template: `
    <div class="mission-board">
@@ -97,6 +108,54 @@ interface PendingAction {
        </div>
      </header>
      @if (showDashboardWelcomeBanner()) {
        <section class="dashboard-banner" aria-label="Dashboard welcome">
          <div class="dashboard-banner__copy">
            <div>
              <p class="dashboard-banner__eyebrow">First visit</p>
              <h2>Welcome to Stella Ops</h2>
            </div>
            <p class="dashboard-banner__body" stellaopsGlossaryTooltip>
              This dashboard is your daily command center. It summarizes SBOM coverage, reachable risk,
              feed freshness, and environment health so you can decide what to fix, approve, or investigate next.
            </p>
            <div class="dashboard-banner__actions">
              <a routerLink="/setup-wizard/wizard" class="dashboard-banner__cta">Start setup wizard</a>
              <a routerLink="/ops/operations/doctor" class="dashboard-banner__secondary">Run diagnostics</a>
            </div>
          </div>
          <div class="dashboard-banner__guide">
            <strong>Severity guide</strong>
            <ul>
              <li><span class="severity-pill severity-pill--critical">Critical</span> Exploitable or release-blocking. Fix immediately.</li>
              <li><span class="severity-pill severity-pill--high">High</span> Serious exposure. Schedule remediation within days.</li>
              <li><span class="severity-pill severity-pill--medium">Medium</span> Moderate risk. Address in planned sprint work.</li>
              <li><span class="severity-pill severity-pill--low">Low</span> Track and fix when it is cost-effective.</li>
            </ul>
          </div>
          <button type="button" class="dashboard-banner__dismiss" (click)="dismissDashboardWelcomeBanner()" aria-label="Dismiss dashboard welcome">
            Hide
          </button>
        </section>
      }
      @if (recommendedDashboardActions().length > 0 && !hasNoEnvironments()) {
        <section class="dashboard-next-steps" aria-label="Recommended next steps">
          <div class="dashboard-next-steps__header">
            <h2>What should I do next?</h2>
            <p>These suggestions are based on the current state of your environments, feeds, and findings.</p>
          </div>
          <div class="dashboard-next-steps__grid">
            @for (step of recommendedDashboardActions(); track step.id) {
              <a [routerLink]="step.route" class="dashboard-next-steps__card">
                <strong>{{ step.title }}</strong>
                <span>{{ step.description }}</span>
              </a>
            }
          </div>
        </section>
      }
      @if (!contextReady()) {
        <!-- Loading skeleton while data loads -->
        <div class="board-loading">
@@ -297,17 +356,20 @@ interface PendingAction {
          <div class="status-lane__col">
            <section class="posture-card" aria-label="Vulnerability summary">
              <div class="posture-card-header">
-                <h2 class="posture-card-title">Vulnerability Summary</h2>
+                <h2 class="posture-card-title">
                  Vulnerability Summary
                  <span class="metric-hint" tabindex="0" [attr.title]="dashboardHelp.vulnerabilitySummary" [attr.aria-label]="dashboardHelp.vulnerabilitySummary">?</span>
                </h2>
              </div>
              <div class="posture-card-body">
                @if (vulnStatsLoading()) {
                  <app-loading-state size="sm" />
                } @else if (vulnStats(); as stats) {
                  <div class="severity-grid">
-                    <div class="severity-row critical"><span class="severity-label">Critical</span><span class="severity-count">{{ stats.bySeverity.critical }}</span></div>
+                    <div class="severity-row critical" [attr.title]="dashboardHelp.severityCritical"><span class="severity-label">Critical</span><span class="severity-count">{{ stats.bySeverity.critical }}</span></div>
-                    <div class="severity-row high"><span class="severity-label">High</span><span class="severity-count">{{ stats.bySeverity.high }}</span></div>
+                    <div class="severity-row high" [attr.title]="dashboardHelp.severityHigh"><span class="severity-label">High</span><span class="severity-count">{{ stats.bySeverity.high }}</span></div>
-                    <div class="severity-row medium"><span class="severity-label">Medium</span><span class="severity-count">{{ stats.bySeverity.medium }}</span></div>
+                    <div class="severity-row medium" [attr.title]="dashboardHelp.severityMedium"><span class="severity-label">Medium</span><span class="severity-count">{{ stats.bySeverity.medium }}</span></div>
-                    <div class="severity-row low"><span class="severity-label">Low</span><span class="severity-count">{{ stats.bySeverity.low }}</span></div>
+                    <div class="severity-row low" [attr.title]="dashboardHelp.severityLow"><span class="severity-label">Low</span><span class="severity-count">{{ stats.bySeverity.low }}</span></div>
                  </div>
                  <div class="posture-meta">
                    <span>{{ stats.total }} total</span>
@@ -322,7 +384,10 @@ interface PendingAction {
            </section>
            <div class="status-lane__card">
              <div class="posture-card-header">
-                <h2 class="posture-card-title">Feed Status</h2>
+                <h2 class="posture-card-title">
                  Feed Status
                  <span class="metric-hint" tabindex="0" [attr.title]="dashboardHelp.feedStatus" [attr.aria-label]="dashboardHelp.feedStatus">?</span>
                </h2>
              </div>
              <div class="posture-card-body">
                @if (feedStatusLoading()) {
@@ -360,13 +425,22 @@ interface PendingAction {
          <!-- Column 2: SBOM Health -->
          <section class="posture-card" aria-label="SBOM health">
            <div class="posture-card-header">
-              <h2 class="posture-card-title">SBOM Health</h2>
+              <h2 class="posture-card-title">
                SBOM Health
                <span class="metric-hint" tabindex="0" [attr.title]="dashboardHelp.sbomHealth" [attr.aria-label]="dashboardHelp.sbomHealth">?</span>
              </h2>
            </div>
            <div class="posture-card-body">
              <stella-metric-grid [columns]="1">
-                <stella-metric-card label="Critical Envs" [value]="'' + sbomStats().criticalEnvCount" subtitle="With critical issues" icon="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z|||M12 9v4|||M12 17h.01" />
+                <div [attr.title]="dashboardHelp.sbomCriticalEnvironments">
-                <stella-metric-card label="Crit. Reachable" [value]="'' + sbomStats().totalCritR" subtitle="Reachable criticals" icon="M12 2a10 10 0 1 0 0 20a10 10 0 0 0 0-20z|||M2 12h20" />
+                  <stella-metric-card label="Critical Envs" [value]="'' + sbomStats().criticalEnvCount" subtitle="With critical issues" icon="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z|||M12 9v4|||M12 17h.01" />
-                <stella-metric-card label="Clean Envs" [value]="'' + sbomStats().noIssueCount" subtitle="No critical findings" icon="M22 11.08V12a10 10 0 1 1-5.93-9.14|||M9 11l3 3L22 4" />
+                </div>
                <div [attr.title]="dashboardHelp.reachability">
                  <stella-metric-card label="Crit. Reachable" [value]="'' + sbomStats().totalCritR" subtitle="Reachable criticals" icon="M12 2a10 10 0 1 0 0 20a10 10 0 0 0 0-20z|||M2 12h20" />
                </div>
                <div [attr.title]="dashboardHelp.sbomCleanEnvironments">
                  <stella-metric-card label="Clean Envs" [value]="'' + sbomStats().noIssueCount" subtitle="No critical findings" icon="M22 11.08V12a10 10 0 1 1-5.93-9.14|||M9 11l3 3L22 4" />
                </div>
              </stella-metric-grid>
              <a routerLink="/security/sbom-lake" queryParamsHandling="merge" class="posture-link">View SBOM</a>
            </div>
@@ -509,6 +583,221 @@ interface PendingAction {
      min-width: 0;
    }
    .dashboard-banner {
      display: grid;
      grid-template-columns: minmax(0, 1.9fr) minmax(240px, 1fr) auto;
      gap: 1rem;
      align-items: start;
      padding: 1.15rem 1.25rem;
      border: 1px solid color-mix(in srgb, var(--color-brand-primary) 18%, var(--color-border-primary));
      border-radius: var(--radius-lg);
      background:
        radial-gradient(circle at top right, color-mix(in srgb, var(--color-brand-primary) 16%, transparent), transparent 45%),
        linear-gradient(180deg, color-mix(in srgb, var(--color-surface-primary) 90%, var(--color-brand-primary) 10%), var(--color-surface-primary));
    }
    .dashboard-banner__copy {
      display: grid;
      gap: 0.75rem;
    }
    .dashboard-banner__eyebrow {
      margin: 0 0 0.2rem;
      font-size: 0.72rem;
      font-weight: 700;
      letter-spacing: 0.08em;
      text-transform: uppercase;
      color: var(--color-text-secondary);
    }
    .dashboard-banner__copy h2 {
      margin: 0;
      font-size: 1.35rem;
      color: var(--color-text-heading, var(--color-text-primary));
    }
    .dashboard-banner__body {
      margin: 0;
      color: var(--color-text-secondary);
      line-height: 1.55;
      max-width: 68ch;
    }
    .dashboard-banner__actions {
      display: flex;
      flex-wrap: wrap;
      gap: 0.75rem;
    }
    .dashboard-banner__cta,
    .dashboard-banner__secondary {
      display: inline-flex;
      align-items: center;
      justify-content: center;
      min-height: 40px;
      padding: 0.65rem 0.95rem;
      border-radius: 999px;
      text-decoration: none;
      font-size: 0.84rem;
      font-weight: 600;
      transition: transform 150ms ease, box-shadow 150ms ease, border-color 150ms ease;
    }
    .dashboard-banner__cta {
      background: var(--color-btn-primary-bg);
      color: var(--color-btn-primary-text);
      border: 1px solid var(--color-btn-primary-border, transparent);
    }
    .dashboard-banner__secondary {
      background: var(--color-surface-primary);
      color: var(--color-text-link);
      border: 1px solid var(--color-border-primary);
    }
    .dashboard-banner__cta:hover,
    .dashboard-banner__secondary:hover,
    .dashboard-next-steps__card:hover {
      transform: translateY(-1px);
      box-shadow: 0 4px 12px rgba(0, 0, 0, 0.08);
    }
    .dashboard-banner__guide {
      display: grid;
      gap: 0.55rem;
      padding: 0.9rem 1rem;
      border-radius: 0.95rem;
      border: 1px solid color-mix(in srgb, var(--color-border-primary) 70%, transparent);
      background: color-mix(in srgb, var(--color-surface-primary) 92%, transparent);
    }
    .dashboard-banner__guide strong {
      font-size: 0.9rem;
      color: var(--color-text-heading, var(--color-text-primary));
    }
    .dashboard-banner__guide ul {
      margin: 0;
      padding-left: 1.1rem;
      display: grid;
      gap: 0.45rem;
      color: var(--color-text-secondary);
      font-size: 0.82rem;
      line-height: 1.45;
    }
    .dashboard-banner__dismiss {
      align-self: start;
      border: 1px solid var(--color-border-primary);
      border-radius: 999px;
      background: var(--color-surface-primary);
      color: var(--color-text-secondary);
      padding: 0.5rem 0.8rem;
      cursor: pointer;
      font-size: 0.78rem;
      font-weight: 600;
    }
    .dashboard-next-steps {
      display: grid;
      gap: 0.85rem;
      padding: 1rem 1.1rem;
      border: 1px solid var(--color-border-primary);
      border-radius: var(--radius-lg);
      background: color-mix(in srgb, var(--color-surface-primary) 92%, var(--color-brand-primary) 8%);
    }
    .dashboard-next-steps__header {
      display: grid;
      gap: 0.2rem;
    }
    .dashboard-next-steps__header h2 {
      margin: 0;
      font-size: 1rem;
      color: var(--color-text-heading, var(--color-text-primary));
    }
    .dashboard-next-steps__header p {
      margin: 0;
      color: var(--color-text-secondary);
      font-size: 0.85rem;
    }
    .dashboard-next-steps__grid {
      display: grid;
      grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
      gap: 0.75rem;
    }
    .dashboard-next-steps__card {
      display: grid;
      gap: 0.35rem;
      padding: 0.9rem 1rem;
      border-radius: 0.95rem;
      border: 1px solid color-mix(in srgb, var(--color-border-primary) 80%, transparent);
      background: var(--color-surface-primary);
      color: inherit;
      text-decoration: none;
      transition: transform 150ms ease, box-shadow 150ms ease, border-color 150ms ease;
    }
    .dashboard-next-steps__card strong {
      color: var(--color-text-heading, var(--color-text-primary));
      font-size: 0.88rem;
    }
    .dashboard-next-steps__card span {
      color: var(--color-text-secondary);
      font-size: 0.82rem;
      line-height: 1.45;
    }
    .metric-hint {
      display: inline-flex;
      align-items: center;
      justify-content: center;
      width: 1.15rem;
      height: 1.15rem;
      border-radius: 999px;
      border: 1px solid color-mix(in srgb, var(--color-brand-primary) 30%, var(--color-border-primary));
      background: color-mix(in srgb, var(--color-surface-primary) 88%, var(--color-brand-primary) 12%);
      color: var(--color-text-link);
      font-size: 0.72rem;
      font-weight: 700;
      cursor: help;
    }
    .severity-pill {
      display: inline-flex;
      align-items: center;
      justify-content: center;
      min-width: 4.5rem;
      padding: 0.15rem 0.55rem;
      border-radius: 999px;
      font-size: 0.72rem;
      font-weight: 700;
      margin-right: 0.4rem;
      text-transform: uppercase;
      letter-spacing: 0.03em;
    }
    .severity-pill--critical {
      background: color-mix(in srgb, var(--color-status-error) 14%, transparent);
      color: var(--color-status-error);
    }
    .severity-pill--high {
      background: color-mix(in srgb, var(--color-status-warning) 18%, transparent);
      color: var(--color-status-warning);
    }
    .severity-pill--medium,
    .severity-pill--low {
      background: var(--color-surface-elevated);
      color: var(--color-text-secondary);
    }
    .refresh-btn {
      padding: 0.4rem 1rem;
      font-size: 0.8rem;
@@ -663,6 +952,14 @@ interface PendingAction {
      .status-lane {
        grid-template-columns: 1fr;
      }
      .dashboard-banner {
        grid-template-columns: 1fr;
      }
      .dashboard-banner__dismiss {
        justify-self: start;
      }
    }
    .posture-card {
@@ -1371,6 +1668,8 @@ export class DashboardV3Component implements OnInit, AfterViewInit, OnDestroy {
  private readonly authService = inject(AUTH_SERVICE) as AuthService;
  private readonly ngZone = inject(NgZone);
  private readonly pageAction = inject(PageActionService);
  private readonly helperCtx = inject(StellaHelperContextService);
  private readonly prefs = inject(StellaPreferencesService);
  // -- Scroll refs and signals ------------------------------------------------
  @ViewChild('pipelineScroll') pipelineScrollRef?: ElementRef<HTMLDivElement>;
@@ -1391,6 +1690,19 @@ export class DashboardV3Component implements OnInit, AfterViewInit, OnDestroy {
    { label: 'Diagnostics', route: '/ops/operations/doctor', description: 'Run health checks on your deployment' },
  ];
  readonly dashboardHelp = {
    vulnerabilitySummary: 'Severity counts show how much unresolved risk is waiting for triage. Critical and High findings should drive your next action because they are the most likely to block releases or require VEX review.',
    severityCritical: 'Critical means exploitability or blast radius is high enough to demand immediate attention. Treat these as release-blocking until they are fixed, waived with approval, or explained with evidence.',
    severityHigh: 'High means the issue is serious, but you usually still have time to plan remediation over the next few days rather than the next few hours.',
    severityMedium: 'Medium findings are real debt, but they are usually backlog work unless policy, reachability, or business context makes them more urgent.',
    severityLow: 'Low findings should still be tracked, but they are rarely the first reason to stop a promotion.',
    feedStatus: 'Feed status tells you whether Stella is receiving advisory data such as CVEs and VEX updates. If feeds are stale or missing, your scan results may miss newly published vulnerabilities.',
    sbomHealth: 'SBOM health summarizes whether Stella has enough component inventory to reason about vulnerable packages, reachable code, and clean environments.',
    sbomCriticalEnvironments: 'Critical environments are the scoped environments that currently contain at least one reachable or release-relevant critical issue.',
    reachability: 'Reachability separates theoretical findings from code paths an attacker can actually hit. This is how Stella turns scanner noise into a focused remediation list.',
    sbomCleanEnvironments: 'Clean environments have no current critical findings in scope, giving you the safest lanes for promotion.',
  } as const;
  // -- Loading states -------------------------------------------------------
  readonly vulnStatsLoading = signal(false);
  readonly feedStatusLoading = signal(false);
@@ -1409,6 +1721,120 @@ export class DashboardV3Component implements OnInit, AfterViewInit, OnDestroy {
  // -- Context-derived signals ----------------------------------------------
  readonly contextReady = computed(() => this.context.initialized());
  readonly hasNoEnvironments = computed(() => this.contextReady() && this.context.environments().length === 0);
  readonly allSbomMissing = computed(() => {
    const environments = this.filteredEnvironments();
    return environments.length > 0 && environments.every((environment) => environment.sbomFreshness === 'missing');
  });
  readonly feedRequiresAttention = computed(() => {
    const feeds = this.feedSummary();
    if (!feeds.loaded) {
      return false;
    }
    if (feeds.totalSources === 0) {
      return true;
    }
    return feeds.failedSources > 0 || feeds.healthySources === 0;
  });
  readonly showDashboardWelcomeBanner = computed(() => !this.prefs.isBannerDismissed('dashboard-welcome'));
  readonly helperContexts = computed(() => {
    const contexts: string[] = [];
    if (this.hasNoEnvironments()) {
      contexts.push('no-environments');
    }
    if (this.allSbomMissing()) {
      contexts.push('sbom-missing');
    }
    if (this.filteredEnvironments().some((env) => env.deployStatus === 'blocked')) {
      contexts.push('gate-blocked');
    }
    if (this.filteredEnvironments().some((env) => env.deployStatus === 'unknown')) {
      contexts.push('health-unknown');
    }
    if (this.filteredEnvironments().some((env) => env.pendingApprovals > 0)) {
      contexts.push('approval-pending');
    }
    if ((this.vulnStats()?.criticalOpen ?? 0) > 0) {
      contexts.push('critical-open');
    }
    const feeds = this.feedSummary();
    if (feeds.loaded && feeds.totalSources > 0 && feeds.healthySources === 0 && feeds.failedSources === 0) {
      contexts.push('feed-never-synced');
    }
    if (this.feedRequiresAttention()) {
      contexts.push('feed-stale');
    }
    return contexts;
  });
  readonly recommendedDashboardActions = computed<DashboardGuideAction[]>(() => {
    const actions: DashboardGuideAction[] = [];
    const seen = new Set<string>();
    const addAction = (action: DashboardGuideAction): void => {
      if (!seen.has(action.id)) {
        seen.add(action.id);
        actions.push(action);
      }
    };
    if (this.allSbomMissing()) {
      addAction({
        id: 'scan-first-image',
        title: 'Generate your first SBOM',
        description: 'Every environment currently shows SBOM missing. Scan one container image to unlock posture, reachability, and evidence data.',
        route: '/security/scan',
      });
    }
    const criticalOpen = this.vulnStats()?.criticalOpen ?? 0;
    if (criticalOpen > 0) {
      addAction({
        id: 'triage-criticals',
        title: `${criticalOpen} critical findings need triage`,
        description: 'Open the findings workflow to decide whether each critical issue should be fixed, waived, or explained with VEX evidence.',
        route: '/triage/artifacts',
      });
    }
    if (this.filteredEnvironments().some((environment) => environment.pendingApprovals > 0)) {
      addAction({
        id: 'review-approvals',
        title: 'Review pending approvals',
        description: 'A promotion is waiting on human sign-off. Verify the evidence chain and gate results before approving.',
        route: '/releases/approvals',
      });
    }
    if (this.filteredEnvironments().some((environment) => environment.deployStatus === 'unknown')) {
      addAction({
        id: 'run-diagnostics',
        title: 'Resolve unknown environment health',
        description: 'Unknown health usually means no agent, signal probe, or readiness telemetry is reporting yet. Run diagnostics to find the missing dependency.',
        route: '/ops/operations/doctor',
      });
    }
    if (this.feedRequiresAttention()) {
      addAction({
        id: 'refresh-feeds',
        title: 'Check advisory feed freshness',
        description: 'Your advisory sources are missing, stale, or degraded. Refresh them so new CVEs and VEX updates reach the dashboard.',
        route: '/ops/operations/feeds-airgap',
      });
    }
    if (actions.length === 0 && !this.hasNoEnvironments()) {
      addAction({
        id: 'review-ready-lanes',
        title: 'Review healthy environments',
        description: 'The dashboard is not showing urgent blockers. Use this time to inspect clean lanes, verify evidence, and plan the next promotion.',
        route: '/setup/topology/environments',
      });
    }
    return actions.slice(0, 4);
  });
  readonly tenantLabel = computed(() => {
    const user = this.authService.user();
@@ -1438,6 +1864,10 @@ export class DashboardV3Component implements OnInit, AfterViewInit, OnDestroy {
  constructor() {
    this.context.initialize();
    effect(() => {
      this.helperCtx.setScope('dashboard-v3', this.helperContexts());
    }, { allowSignalWrites: true });
  }
  ngOnInit(): void {
@@ -1449,6 +1879,7 @@ export class DashboardV3Component implements OnInit, AfterViewInit, OnDestroy {
  ngOnDestroy(): void {
    this.pageAction.clear();
    this.stopPipelineAutoScroll();
    this.helperCtx.clearScope('dashboard-v3');
  }
  ngAfterViewInit(): void {
@@ -1689,6 +2120,10 @@ export class DashboardV3Component implements OnInit, AfterViewInit, OnDestroy {
    };
  }
  dismissDashboardWelcomeBanner(): void {
    this.prefs.dismissBanner('dashboard-welcome');
  }
  // -- Private: API loaders -------------------------------------------------
  private loadVulnerabilityStats(): void {
--- a/src/Web/StellaOps.Web/src/app/features/doctor/doctor-dashboard.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/doctor/doctor-dashboard.component.ts
@@ -226,6 +226,22 @@ export class DoctorDashboardComponent implements OnInit, OnDestroy {
    if (category) {
      this.store.setCategoryFilter(category as DoctorCategory);
      this.activeTab.set(category as DoctorCategory);
      this.activePackTab.set(category);
    }
    // Apply integration type sub-filter from query param
    const integrationType = this.route.snapshot.queryParamMap.get('type');
    if (integrationType) {
      this.store.setSearchQuery(integrationType);
    }
    // Auto-run quick check when arriving from an integration page with category param
    if (category && !this.store.hasReport() && !this.store.isRunning()) {
      this.store.startRun({
        mode: 'quick',
        categories: [category as DoctorCategory],
        includeRemediation: true,
      });
    }
  }
--- a/src/Web/StellaOps.Web/src/app/features/evidence/evidence-center-page.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/evidence/evidence-center-page.component.ts
@@ -9,6 +9,7 @@ import { Component, ChangeDetectionStrategy, signal, computed } from '@angular/c
 import { CommonModule } from '@angular/common';
 import { RouterLink } from '@angular/router';
 import { FormsModule } from '@angular/forms';
 import { EmptyStateComponent } from '../../shared/components/empty-state/empty-state.component';
 import {
  EvidencePacketDrawerComponent,
  type EvidenceContentItem,
@@ -30,7 +31,7 @@ interface EvidencePacket {
@Component({
  selector: 'app-evidence-center-page',
  standalone: true,
-  imports: [CommonModule, RouterLink, FormsModule, EvidencePacketDrawerComponent],
+  imports: [CommonModule, RouterLink, FormsModule, EmptyStateComponent, EvidencePacketDrawerComponent],
  changeDetection: ChangeDetectionStrategy.OnPush,
  template: `
    <div class="evidence-center">
@@ -145,7 +146,13 @@ interface EvidencePacket {
            } @empty {
              <tr>
                <td colspan="9" class="empty-state">
-                  <p>No evidence packets found</p>
+                  <app-empty-state
                    variant="no-data"
                    title="No evidence packets matched this view"
                    description="Evidence packets appear after scans, policy checks, promotions, or exceptions produce signed proof. Widen the filters or create a release action to generate the first packet."
                    actionLabel="Open evidence overview"
                    actionRoute="/evidence/overview"
                  ></app-empty-state>
                </td>
              </tr>
            }
@@ -277,9 +284,7 @@ interface EvidencePacket {
    .btn--secondary { background: var(--color-surface-secondary); border: 1px solid var(--color-border-primary); color: var(--color-text-primary); }
    .empty-state {
-      text-align: center;
+      padding: 1.5rem !important;
      padding: 3rem !important;
      color: var(--color-text-secondary);
    }
  `]
 })
--- a/src/Web/StellaOps.Web/src/app/features/integration-hub/integration-detail.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/integration-hub/integration-detail.component.ts
@@ -20,6 +20,7 @@ import {
 } from './integration.models';
 import { StellaPageTabsComponent, StellaPageTab } from '../../shared/components/stella-page-tabs/stella-page-tabs.component';
 import { AuditModuleEventsComponent } from '../../shared/components/audit-module-events/audit-module-events.component';
 import { SkeletonComponent } from '../../shared/components/skeleton/skeleton.component';
 type IntegrationDetailTab = 'overview' | 'credentials' | 'scopes-rules' | 'events' | 'health' | 'audit';
@@ -38,18 +39,30 @@ const HUB_DETAIL_TABS: StellaPageTab[] = [
 */
@Component({
    selector: 'app-integration-detail',
-    imports: [CommonModule, RouterModule, StellaPageTabsComponent, AuditModuleEventsComponent],
+    imports: [CommonModule, RouterModule, StellaPageTabsComponent, AuditModuleEventsComponent, SkeletonComponent],
    template: `
    @if (loading) {
-      <div class="loading">Loading integration details...</div>
+      <div class="skeleton-detail" aria-busy="true" aria-label="Loading integration details">
        <app-skeleton variant="heading" />
        <app-skeleton variant="text" />
        <app-skeleton variant="text" />
        <app-skeleton variant="text" />
        <app-skeleton variant="text" />
        <app-skeleton variant="text" />
        <app-skeleton variant="card" />
      </div>
    } @else if (integration) {
      <div class="integration-detail">
        <header class="detail-header">
-          <a [routerLink]="integrationHubRoute()" class="back-link"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true" style="vertical-align: middle; margin-right: 4px;"><line x1="19" y1="12" x2="5" y2="12"/><polyline points="12 19 5 12 12 5"/></svg>Back to Integrations</a>
+          <div class="detail-header__back-row">
-          <h1>{{ integration.name }}</h1>
+            <a [routerLink]="integrationHubRoute()" class="back-link"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true" style="vertical-align: middle; margin-right: 4px;"><line x1="19" y1="12" x2="5" y2="12"/><polyline points="12 19 5 12 12 5"/></svg>Back to Integrations</a>
-          <span [class]="'status-badge status-' + getStatusColor(integration.status)">
+          </div>
-            {{ getStatusLabel(integration.status) }}
+          <div class="detail-header__title-row">
-          </span>
+            <h1>{{ integration.name }}</h1>
            <span [class]="'status-badge status-' + getStatusColor(integration.status)">
              {{ getStatusLabel(integration.status) }}
            </span>
          </div>
        </header>
        <section class="detail-summary">
          <div class="summary-item">
@@ -81,8 +94,7 @@ const HUB_DETAIL_TABS: StellaPageTab[] = [
          urlParam="tab"
          (tabChange)="activeTab = $any($event)"
          ariaLabel="Integration detail tabs"
-        />
+        >
        <section class="tab-content">
          @switch (activeTab) {
            @case ('overview') {
              <div class="tab-panel">
@@ -224,7 +236,7 @@ const HUB_DETAIL_TABS: StellaPageTab[] = [
              </div>
            }
          }
-        </section>
+        </stella-page-tabs>
      </div>
    } @else {
      <section class="detail-state" role="status">
@@ -243,29 +255,43 @@ const HUB_DETAIL_TABS: StellaPageTab[] = [
    }
    .back-link {
-      color: var(--color-text-link, var(--color-brand-primary));
+      font-size: 0.75rem;
      color: var(--color-text-secondary);
      text-decoration: none;
-      font-size: 0.8125rem;
+      display: inline-flex;
      align-items: center;
      gap: 0.25rem;
      transition: color 150ms ease;
    }
    .back-link:hover {
      color: var(--color-brand-primary);
    }
    .detail-header {
-      margin-bottom: 2rem;
+      display: grid;
      gap: 0.5rem;
      margin-bottom: 1.5rem;
    }
    .detail-header__title-row {
      display: flex;
      align-items: center;
      gap: 0.75rem;
    }
    .detail-header h1 {
      font-size: 1.35rem;
      font-weight: var(--font-weight-semibold, 600);
      margin: 0;
      display: inline;
      margin-right: 1rem;
    }
    .detail-summary {
      display: flex;
      flex-wrap: wrap;
      gap: 1rem;
-      padding: 1.5rem;
+      background: none;
-      background: var(--color-surface-primary);
+      padding: 0;
      border-radius: var(--radius-lg);
      margin-bottom: 2rem;
    }
@@ -273,16 +299,28 @@ const HUB_DETAIL_TABS: StellaPageTab[] = [
    .summary-item {
      min-width: 120px;
      flex: 1;
      border: 1px solid var(--color-border-primary);
      border-radius: var(--radius-md);
      padding: 0.75rem;
      background: var(--color-surface-primary);
    }
    .summary-item label {
      display: block;
-      font-size: 0.75rem;
+      font-size: 0.625rem;
-      color: var(--color-text-secondary);
+      letter-spacing: 0.06em;
      font-weight: 700;
      color: var(--color-text-muted, var(--color-text-secondary));
      text-transform: uppercase;
      margin-bottom: 0.25rem;
    }
    .summary-item span {
      font-size: 0.875rem;
      font-weight: 600;
      color: var(--color-text-primary);
    }
    .tab-panel h2 {
@@ -452,7 +490,7 @@ const HUB_DETAIL_TABS: StellaPageTab[] = [
    .detail-state p {
      color: var(--color-text-secondary);
    }
-    .loading { text-align: center; padding: 3rem; color: var(--color-text-secondary); }
+    .skeleton-detail { display: grid; gap: 0.75rem; padding: 2rem; max-width: 1000px; margin: 0 auto; }
    .audit-cross-link {
      margin-top: 1.5rem;
--- a/src/Web/StellaOps.Web/src/app/features/integration-hub/integration-hub.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/features/integration-hub/integration-hub.component.spec.ts
@@ -2,6 +2,7 @@ import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { ActivatedRoute, Router, provideRouter } from '@angular/router';
 import { of } from 'rxjs';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 import { IntegrationHubComponent } from './integration-hub.component';
 import { IntegrationService } from './integration.service';
 import { IntegrationListResponse, IntegrationType } from './integration.models';
@@ -10,6 +11,7 @@ describe('IntegrationHubComponent', () => {
  let fixture: ComponentFixture<IntegrationHubComponent>;
  let component: IntegrationHubComponent;
  let mockIntegrationService: jasmine.SpyObj<IntegrationService>;
  let mockHelperCtx: jasmine.SpyObj<StellaHelperContextService>;
  let router: Router;
  let route: ActivatedRoute;
@@ -23,6 +25,7 @@ describe('IntegrationHubComponent', () => {
  beforeEach(async () => {
    mockIntegrationService = jasmine.createSpyObj('IntegrationService', ['list']);
    mockHelperCtx = jasmine.createSpyObj('StellaHelperContextService', ['setScope', 'clearScope']);
    mockIntegrationService.list.and.callFake((params) => {
      switch (params?.type) {
        case IntegrationType.Registry:
@@ -44,7 +47,11 @@ describe('IntegrationHubComponent', () => {
    await TestBed.configureTestingModule({
      imports: [IntegrationHubComponent],
-      providers: [provideRouter([]), { provide: IntegrationService, useValue: mockIntegrationService }],
+      providers: [
        provideRouter([]),
        { provide: IntegrationService, useValue: mockIntegrationService },
        { provide: StellaHelperContextService, useValue: mockHelperCtx },
      ],
    }).compileComponents();
    fixture = TestBed.createComponent(IntegrationHubComponent);
@@ -64,9 +71,10 @@ describe('IntegrationHubComponent', () => {
    const text = fixture.nativeElement.textContent;
-    expect(text).toContain('Integrations');
+    expect(text).toContain('Add Integration');
    expect(text).toContain('Suggested Setup Order');
    expect(text).toContain('Use the activity timeline for connector event history');
    expect(text).toContain('Fresh advisory and VEX sources are what make security posture');
    expect(text).not.toContain('coming soon');
  });
@@ -102,6 +110,48 @@ describe('IntegrationHubComponent', () => {
    expect(hrefs).toContain('/secrets');
  });
  it('shows step completion state from connector counts', async () => {
    fixture.detectChanges();
    await fixture.whenStable();
    component.stats.set({
      registries: 2,
      scm: 1,
      ci: 0,
      runtimeHosts: 0,
      advisorySources: 0,
      vexSources: 0,
      secrets: 0,
    });
    fixture.detectChanges();
    const text = fixture.nativeElement.textContent;
    expect(text).toContain('Done');
    expect(text).toContain('Not started');
    expect(text).toContain('2 connectors configured');
    expect(text).toContain('0 connectors configured');
  });
  it('publishes a no-integrations helper context once all stats resolve empty', async () => {
    fixture.detectChanges();
    await fixture.whenStable();
    component.stats.set({
      registries: 0,
      scm: 0,
      ci: 0,
      runtimeHosts: 0,
      advisorySources: 0,
      vexSources: 0,
      secrets: 0,
    });
    component.resolvedStatsRequests.set(6);
    fixture.detectChanges();
    expect(mockHelperCtx.setScope).toHaveBeenCalledWith('integration-hub', ['no-integrations']);
  });
  it('navigates to the onboarding flow from the primary action', async () => {
    const navigateSpy = spyOn(router, 'navigate').and.returnValue(Promise.resolve(true));
@@ -112,4 +162,10 @@ describe('IntegrationHubComponent', () => {
      queryParamsHandling: 'merge',
    });
  });
  it('clears its helper scope on destroy', () => {
    fixture.destroy();
    expect(mockHelperCtx.clearScope).toHaveBeenCalledWith('integration-hub');
  });
 });
--- a/src/Web/StellaOps.Web/src/app/features/integration-hub/integration-hub.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/integration-hub/integration-hub.component.ts
@@ -1,8 +1,9 @@
-import { Component, inject, OnDestroy, signal } from '@angular/core';
+import { Component, computed, effect, inject, OnDestroy, signal } from '@angular/core';
 import { ActivatedRoute, Router, RouterModule } from '@angular/router';
 import { PageActionService } from '../../core/services/page-action.service';
 import { PageActionOutletComponent } from '../../shared/components/page-action-outlet/page-action-outlet.component';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 import { IntegrationService } from './integration.service';
 import { IntegrationType } from './integration.models';
@@ -16,6 +17,17 @@ interface IntegrationHubStats {
  secrets: number;
 }
 interface IntegrationSetupStep {
  id: string;
  title: string;
  route: string;
  description: string;
  why: string;
  configuredCount: number;
  actionLabel: string;
  icon: 'registry' | 'scm' | 'ci' | 'advisory' | 'secrets';
 }
@Component({
  selector: 'app-integration-hub',
  standalone: true,
@@ -38,26 +50,71 @@ interface IntegrationHubStats {
          <p>Start with the connectors that unblock releases and evidence, then add operator conveniences.</p>
        </div>
        <ol class="setup-order__list">
-          <li>
+          @for (step of setupSteps(); track step.id; let stepIndex = $index) {
-            <a routerLink="registries">Registries</a>
+            <li class="setup-step-card">
-            <span>Connect the container sources that release versions, promotions, and policy checks depend on.</span>
+              <div class="setup-step-card__header">
-          </li>
+                <span class="setup-step-card__order">{{ stepIndex + 1 }}</span>
-          <li>
+                <span class="setup-step-card__icon" aria-hidden="true">
-            <a routerLink="scm">Source Control</a>
+                  @switch (step.icon) {
-            <span>Wire repository and commit metadata before relying on release evidence and drift context.</span>
+                    @case ('registry') {
-          </li>
+                      <svg viewBox="0 0 24 24" width="18" height="18" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round">
-          <li>
+                        <path d="M3 6h18v12H3z"/>
-            <a routerLink="ci">CI/CD</a>
+                        <path d="M7 10h10"/>
-            <span>Capture pipeline runs and deployment triggers for release confidence.</span>
+                        <path d="M7 14h6"/>
-          </li>
+                      </svg>
-          <li>
+                    }
-            <a routerLink="advisory-vex-sources">Advisory &amp; VEX Sources</a>
+                    @case ('scm') {
-            <span>Keep security posture, exceptions, and freshness checks truthful.</span>
+                      <svg viewBox="0 0 24 24" width="18" height="18" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round">
-          </li>
+                        <circle cx="6" cy="6" r="2.5"/>
-          <li>
+                        <circle cx="18" cy="18" r="2.5"/>
-            <a routerLink="secrets">Secrets</a>
+                        <circle cx="18" cy="6" r="2.5"/>
-            <span>Finish by wiring vaults and credentials used by downstream integrations.</span>
+                        <path d="M8.2 7.5l7.6 9"/>
-          </li>
+                        <path d="M8.5 6h7"/>
                      </svg>
                    }
                    @case ('ci') {
                      <svg viewBox="0 0 24 24" width="18" height="18" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round">
                        <path d="M4 7h16"/>
                        <path d="M4 12h10"/>
                        <path d="M4 17h7"/>
                        <path d="M17 10l3 2-3 2"/>
                      </svg>
                    }
                    @case ('advisory') {
                      <svg viewBox="0 0 24 24" width="18" height="18" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round">
                        <path d="M4 4h16v12H4z"/>
                        <path d="M8 20h8"/>
                        <path d="M12 16v4"/>
                        <path d="M8 9h8"/>
                      </svg>
                    }
                    @case ('secrets') {
                      <svg viewBox="0 0 24 24" width="18" height="18" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round">
                        <path d="M7 11a5 5 0 1 1 9.9 1H20l1 2-2 2-2-2h-2.1A5 5 0 0 1 7 11z"/>
                        <circle cx="12" cy="11" r="1.5"/>
                      </svg>
                    }
                  }
                </span>
                <div class="setup-step-card__identity">
                  <a [routerLink]="step.route">{{ step.title }}</a>
                  <span class="setup-step-card__description">{{ step.description }}</span>
                </div>
                <span
                  class="setup-step-card__status"
                  [class.setup-step-card__status--done]="step.configuredCount > 0"
                  [class.setup-step-card__status--pending]="step.configuredCount === 0"
                >
                  {{ step.configuredCount > 0 ? 'Done' : 'Not started' }}
                </span>
              </div>
              <p class="setup-step-card__why">{{ step.why }}</p>
              <div class="setup-step-card__footer">
                <span class="setup-step-card__count">{{ configuredText(step.configuredCount) }}</span>
                <a [routerLink]="step.route" class="setup-step-card__action">{{ step.actionLabel }}</a>
              </div>
            </li>
          }
        </ol>
      </section>
@@ -192,20 +249,120 @@ interface IntegrationHubStats {
    .setup-order__list {
      margin: 0;
-      padding-left: 1.1rem;
+      padding: 0;
      list-style: none;
      display: grid;
      gap: 0.55rem;
    }
-    .setup-order__list li {
+    .setup-step-card {
      border: 1px solid var(--color-border-primary);
      border-radius: var(--radius-md);
      background: color-mix(in srgb, var(--color-surface-primary) 92%, var(--color-surface-secondary) 8%);
      padding: 0.8rem 0.85rem;
      display: grid;
-      gap: 0.15rem;
+      gap: 0.55rem;
    }
    .setup-step-card__header {
      display: grid;
      grid-template-columns: auto auto 1fr auto;
      gap: 0.6rem;
      align-items: start;
    }
    .setup-step-card__order {
      width: 1.55rem;
      height: 1.55rem;
      border-radius: 999px;
      background: color-mix(in srgb, var(--color-brand-primary) 18%, transparent);
      color: var(--color-brand-primary);
      font-size: 0.74rem;
      font-weight: var(--font-weight-semibold);
      display: inline-flex;
      align-items: center;
      justify-content: center;
      flex-shrink: 0;
    }
    .setup-step-card__icon {
      width: 1.9rem;
      height: 1.9rem;
      border-radius: 0.65rem;
      background: color-mix(in srgb, var(--color-brand-primary) 12%, transparent);
      color: var(--color-brand-primary);
      display: inline-flex;
      align-items: center;
      justify-content: center;
      flex-shrink: 0;
    }
    .setup-step-card__identity {
      display: grid;
      gap: 0.2rem;
      min-width: 0;
    }
    .setup-step-card__identity a {
      color: var(--color-text-link);
      font-weight: var(--font-weight-semibold);
      text-decoration: none;
      font-size: 0.82rem;
    }
    .setup-step-card__description {
      color: var(--color-text-secondary);
      display: grid;
      font-size: 0.78rem;
    }
-    .setup-order__list a {
+    .setup-step-card__status {
      border-radius: 999px;
      padding: 0.2rem 0.5rem;
      font-size: 0.68rem;
      font-weight: var(--font-weight-semibold);
      letter-spacing: 0.03em;
      text-transform: uppercase;
      white-space: nowrap;
    }
    .setup-step-card__status--done {
      background: color-mix(in srgb, var(--color-status-success-bg) 85%, transparent);
      color: var(--color-status-success-text);
      border: 1px solid color-mix(in srgb, var(--color-status-success-border) 90%, transparent);
    }
    .setup-step-card__status--pending {
      background: color-mix(in srgb, var(--color-status-warning-bg) 85%, transparent);
      color: var(--color-status-warning-text);
      border: 1px solid color-mix(in srgb, var(--color-status-warning-border) 90%, transparent);
    }
    .setup-step-card__why {
      margin: 0;
      color: var(--color-text-secondary);
      font-size: 0.76rem;
      line-height: 1.5;
    }
    .setup-step-card__footer {
      display: flex;
      align-items: center;
      justify-content: space-between;
      gap: 0.75rem;
      flex-wrap: wrap;
    }
    .setup-step-card__count {
      color: var(--color-text-tertiary);
      font-size: 0.72rem;
      text-transform: uppercase;
      letter-spacing: 0.04em;
    }
    .setup-step-card__action {
      color: var(--color-text-link);
      font-size: 0.74rem;
      font-weight: var(--font-weight-semibold);
      text-decoration: none;
    }
@@ -297,6 +454,7 @@ export class IntegrationHubComponent implements OnDestroy {
  private readonly router = inject(Router);
  private readonly route = inject(ActivatedRoute);
  private readonly pageAction = inject(PageActionService);
  private readonly helperCtx = inject(StellaHelperContextService);
  readonly stats = signal<IntegrationHubStats>({
    registries: 0,
@@ -307,44 +465,150 @@ export class IntegrationHubComponent implements OnDestroy {
    vexSources: 0,
    secrets: 0,
  });
  readonly resolvedStatsRequests = signal(0);
  readonly statsLoaded = computed(() => this.resolvedStatsRequests() >= 6);
  readonly setupSteps = computed<IntegrationSetupStep[]>(() => {
    const stats = this.stats();
    return [
      {
        id: 'registries',
        title: 'Registries',
        route: 'registries',
        description: 'Connect the container sources Stella scans, versions, and promotes.',
        why: 'Release versions, promotions, and gate checks cannot start until Stella can discover immutable image digests from a registry.',
        configuredCount: stats.registries,
        actionLabel: 'Open registries',
        icon: 'registry',
      },
      {
        id: 'scm',
        title: 'Source Control',
        route: 'scm',
        description: 'Attach repository metadata so evidence traces back to commits and pull requests.',
        why: 'SCM context links a release back to the code that produced it, which keeps drift analysis and audit evidence explainable.',
        configuredCount: stats.scm,
        actionLabel: 'Open source control',
        icon: 'scm',
      },
      {
        id: 'ci',
        title: 'CI/CD',
        route: 'ci',
        description: 'Capture pipeline runs, promotion triggers, and deployment hooks from your build system.',
        why: 'CI/CD integrations turn raw scan data into release confidence by proving which pipeline produced and approved an artifact.',
        configuredCount: stats.ci,
        actionLabel: 'Open CI/CD',
        icon: 'ci',
      },
      {
        id: 'advisory-vex-sources',
        title: 'Advisory & VEX Sources',
        route: 'advisory-vex-sources',
        description: 'Keep vulnerability feeds, vendor advisories, and exception evidence current.',
        why: 'Fresh advisory and VEX sources are what make security posture, policy exceptions, and feed freshness alerts trustworthy.',
        configuredCount: Math.max(stats.advisorySources, stats.vexSources),
        actionLabel: 'Open advisory sources',
        icon: 'advisory',
      },
      {
        id: 'secrets',
        title: 'Secrets',
        route: 'secrets',
        description: 'Finish by wiring the credential stores that downstream integrations read from.',
        why: 'Secret references let Stella rotate credentials safely instead of embedding them into connector configuration.',
        configuredCount: stats.secrets,
        actionLabel: 'Open secrets',
        icon: 'secrets',
      },
    ];
  });
  configuredConnectorCount(): number {
    return Object.values(this.stats()).reduce((sum, value) => sum + value, 0);
  }
  configuredText(count: number): string {
    return count === 1 ? '1 connector configured' : `${count} connectors configured`;
  }
  constructor() {
    this.loadStats();
    this.pageAction.set({ label: 'Add Integration', action: () => this.addIntegration() });
    effect(() => {
      this.helperCtx.setScope(
        'integration-hub',
        this.statsLoaded() && this.configuredConnectorCount() === 0 ? ['no-integrations'] : [],
      );
    }, { allowSignalWrites: true });
  }
  ngOnDestroy(): void {
    this.pageAction.clear();
    this.helperCtx.clearScope('integration-hub');
  }
  private loadStats(): void {
    this.integrationService.list({ type: IntegrationType.Registry, pageSize: 1 }).subscribe({
-      next: (res) => this.updateStats({ registries: res.totalCount }),
+      next: (res) => {
-      error: () => this.updateStats({ registries: 0 }),
+        this.updateStats({ registries: res.totalCount });
        this.markStatsRequestResolved();
      },
      error: () => {
        this.updateStats({ registries: 0 });
        this.markStatsRequestResolved();
      },
    });
    this.integrationService.list({ type: IntegrationType.Scm, pageSize: 1 }).subscribe({
-      next: (res) => this.updateStats({ scm: res.totalCount }),
+      next: (res) => {
-      error: () => this.updateStats({ scm: 0 }),
+        this.updateStats({ scm: res.totalCount });
        this.markStatsRequestResolved();
      },
      error: () => {
        this.updateStats({ scm: 0 });
        this.markStatsRequestResolved();
      },
    });
    this.integrationService.list({ type: IntegrationType.CiCd, pageSize: 1 }).subscribe({
-      next: (res) => this.updateStats({ ci: res.totalCount }),
+      next: (res) => {
-      error: () => this.updateStats({ ci: 0 }),
+        this.updateStats({ ci: res.totalCount });
        this.markStatsRequestResolved();
      },
      error: () => {
        this.updateStats({ ci: 0 });
        this.markStatsRequestResolved();
      },
    });
    this.integrationService.list({ type: IntegrationType.RuntimeHost, pageSize: 1 }).subscribe({
-      next: (res) => this.updateStats({ runtimeHosts: res.totalCount }),
+      next: (res) => {
-      error: () => this.updateStats({ runtimeHosts: 0 }),
+        this.updateStats({ runtimeHosts: res.totalCount });
        this.markStatsRequestResolved();
      },
      error: () => {
        this.updateStats({ runtimeHosts: 0 });
        this.markStatsRequestResolved();
      },
    });
    this.integrationService.list({ type: IntegrationType.FeedMirror, pageSize: 1 }).subscribe({
-      next: (res) => this.updateStats({ advisorySources: res.totalCount, vexSources: res.totalCount }),
+      next: (res) => {
-      error: () => this.updateStats({ advisorySources: 0, vexSources: 0 }),
+        this.updateStats({ advisorySources: res.totalCount, vexSources: res.totalCount });
        this.markStatsRequestResolved();
      },
      error: () => {
        this.updateStats({ advisorySources: 0, vexSources: 0 });
        this.markStatsRequestResolved();
      },
    });
    this.integrationService.list({ type: IntegrationType.RepoSource, pageSize: 1 }).subscribe({
-      next: (res) => this.updateStats({ secrets: res.totalCount }),
+      next: (res) => {
-      error: () => this.updateStats({ secrets: 0 }),
+        this.updateStats({ secrets: res.totalCount });
        this.markStatsRequestResolved();
      },
      error: () => {
        this.updateStats({ secrets: 0 });
        this.markStatsRequestResolved();
      },
    });
  }
@@ -352,6 +616,10 @@ export class IntegrationHubComponent implements OnDestroy {
    this.stats.update((current) => ({ ...current, ...update }));
  }
  private markStatsRequestResolved(): void {
    this.resolvedStatsRequests.update((count) => count + 1);
  }
  addIntegration(): void {
    void this.router.navigate(['onboarding'], {
      relativeTo: this.route,
--- a/src/Web/StellaOps.Web/src/app/features/integration-hub/integration-shell.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/integration-hub/integration-shell.component.ts
@@ -1,11 +1,11 @@
 import { ChangeDetectionStrategy, Component, DestroyRef, inject, OnInit, signal } from '@angular/core';
 import { takeUntilDestroyed } from '@angular/core/rxjs-interop';
 import { ActivatedRoute, NavigationEnd, Router, RouterModule, RouterOutlet } from '@angular/router';
-import { filter, take, forkJoin } from 'rxjs';
+import { filter } from 'rxjs';
 import { StellaPageTabsComponent, StellaPageTab } from '../../shared/components/stella-page-tabs/stella-page-tabs.component';
 import { StellaQuickLinksComponent, type StellaQuickLink } from '../../shared/components/stella-quick-links/stella-quick-links.component';
-import { IntegrationService } from './integration.service';
+import { IntegrationHubComponent } from './integration-hub.component';
 type TabType = 'registries' | 'scm' | 'ci' | 'runtime-hosts' | 'advisory-vex-sources' | 'secrets';
@@ -28,7 +28,7 @@ const TAB_PRIORITY: readonly TabType[] = ['registries', 'scm', 'ci', 'advisory-v
@Component({
  selector: 'app-integration-shell',
  standalone: true,
-  imports: [RouterOutlet, RouterModule, StellaPageTabsComponent, StellaQuickLinksComponent],
+  imports: [RouterOutlet, RouterModule, StellaPageTabsComponent, StellaQuickLinksComponent, IntegrationHubComponent],
  changeDetection: ChangeDetectionStrategy.OnPush,
  template: `
    <section class="integration-shell">
@@ -48,59 +48,8 @@ const TAB_PRIORITY: readonly TabType[] = ['registries', 'scm', 'ci', 'advisory-v
        ariaLabel="Integration tabs"
        (tabChange)="onTabChange($event)"
      >
-        @if (showOnboarding()) {
+        @if (showOverview()) {
-          <section class="onboarding-panel">
+          <app-integration-hub />
            <div class="onboarding-panel__header">
              <h2>Get Started</h2>
              <p>Connect StellaOps to the providers installed in this environment.</p>
            </div>
            <div class="onboarding-panel__categories">
              <div class="category-card">
                <div class="category-card__header">
                  <div>
                    <h3>Container Registries</h3>
                    <p>Connect container registries for image discovery, probing, and policy handoff.</p>
                  </div>
                  <button class="btn btn-primary" type="button" (click)="navigateOnboarding('registry')">+ Add Registry</button>
                </div>
              </div>
              <div class="category-card">
                <div class="category-card__header">
                  <div>
                    <h3>Source Control</h3>
                    <p>Connect repository hosts for commit metadata, drift context, and release evidence.</p>
                  </div>
                  <button class="btn btn-primary" type="button" (click)="navigateOnboarding('scm')">+ Add SCM</button>
                </div>
              </div>
              <div class="category-card">
                <div class="category-card__header">
                  <div>
                    <h3>CI/CD Pipelines</h3>
                    <p>Connect CI/CD systems for deployment gate signals and pipeline health monitoring.</p>
                  </div>
                  <button class="btn btn-primary" type="button" (click)="navigateOnboarding('ci')">+ Add CI/CD</button>
                </div>
              </div>
              <div class="category-card">
                <div class="category-card__header">
                  <div>
                    <h3>Advisory & VEX Sources</h3>
                    <p>Browse, enable, and health-check upstream advisory and VEX data sources.</p>
                  </div>
                  <button class="btn btn-primary" type="button" (click)="onTabChange('advisory-vex-sources')">Configure Sources</button>
                </div>
              </div>
            </div>
            <div class="onboarding-panel__hint">
              <strong>Suggested order:</strong> Registries first (unblock releases), then SCM (wire metadata), CI/CD (capture pipelines), Advisory (security posture), Secrets (vaults).
            </div>
          </section>
        } @else {
          <router-outlet />
        }
@@ -133,76 +82,18 @@ const TAB_PRIORITY: readonly TabType[] = ['registries', 'scm', 'ci', 'advisory-v
      color: var(--color-text-secondary);
      font-size: 0.8rem;
    }
    /* ── Onboarding panel ── */
    .onboarding-panel {
      padding: 1.5rem 0;
      display: grid;
      gap: 1.5rem;
    }
    .onboarding-panel__header h2 {
      margin: 0;
      font-size: 1.2rem;
    }
    .onboarding-panel__header p {
      margin: 0.25rem 0 0;
      color: var(--color-text-secondary);
      font-size: 0.85rem;
    }
    .onboarding-panel__categories {
      display: grid;
      gap: 1rem;
    }
    .category-card {
      border: 1px solid var(--color-border-primary);
      border-radius: var(--radius-lg);
      padding: 1rem 1.2rem;
      background: var(--color-surface-primary);
    }
    .category-card__header {
      display: flex;
      justify-content: space-between;
      align-items: center;
      gap: 1rem;
    }
    .category-card h3 {
      margin: 0;
      font-size: 1rem;
    }
    .category-card p {
      margin: 0.2rem 0 0;
      color: var(--color-text-secondary);
      font-size: 0.8rem;
    }
    .onboarding-panel__hint {
      font-size: 0.8rem;
      color: var(--color-text-secondary);
      background: var(--color-surface-secondary);
      border-radius: var(--radius-md);
      padding: 0.6rem 1rem;
    }
  `],
 })
 export class IntegrationShellComponent implements OnInit {
  private readonly router = inject(Router);
  private readonly route = inject(ActivatedRoute);
  private readonly destroyRef = inject(DestroyRef);
  private readonly integrationService = inject(IntegrationService);
  readonly pageTabs = PAGE_TABS;
  readonly activeTab = signal<string>('registries');
-  readonly showOnboarding = signal(false);
+  readonly showOverview = signal(false);
  readonly quickLinks: readonly StellaQuickLink[] = [
    { label: 'Scanner Ops', route: '/ops/scanner-ops', description: 'Offline kits and scan baselines' },
    { label: 'Advisory Sources', route: '/security/advisory-sources', description: 'NVD, OSV, and GHSA feeds' },
    { label: 'SBOM Sources', route: '/security/supply-chain-data', description: 'Supply-chain data and SBOM health' },
    { label: 'Audit Events', route: '/evidence/audit-log', description: 'Cross-module audit trail' },
  ];
@@ -213,14 +104,11 @@ export class IntegrationShellComponent implements OnInit {
      filter((e): e is NavigationEnd => e instanceof NavigationEnd),
      takeUntilDestroyed(this.destroyRef),
    ).subscribe(e => this.setActiveTabFromUrl(e.urlAfterRedirects));
    // Check if any integrations exist to decide landing behavior
    this.loadCounts();
  }
  onTabChange(tabId: string): void {
    this.activeTab.set(tabId as TabType);
-    this.showOnboarding.set(false); // Hide onboarding when navigating to a tab
+    this.showOverview.set(false);
    this.router.navigate([tabId], { relativeTo: this.route, queryParamsHandling: 'merge' });
  }
@@ -229,45 +117,19 @@ export class IntegrationShellComponent implements OnInit {
  }
  private setActiveTabFromUrl(url: string): void {
-    const segments = url.split('?')[0].split('/').filter(Boolean);
+    const normalizedUrl = url.split('?')[0].replace(/\/+$/, '');
    if (normalizedUrl.endsWith('/integrations')) {
      this.showOverview.set(true);
      return;
    }
    const segments = normalizedUrl.split('/').filter(Boolean);
    const lastSegment = segments.at(-1) ?? '';
    if (KNOWN_TAB_IDS.includes(lastSegment as TabType)) {
      this.activeTab.set(lastSegment as TabType);
-      this.showOnboarding.set(false);
+      this.showOverview.set(false);
      return;
    }
-    // If at integrations root and onboarding is showing, keep it
+    this.showOverview.set(false);
    // Otherwise the loadCounts logic will handle redirect
  }
  private loadCounts(): void {
    // Quick count check using pageSize=1 for each type
    forkJoin({
      reg: this.integrationService.list({ type: 1, page: 1, pageSize: 1 }),
      scm: this.integrationService.list({ type: 2, page: 1, pageSize: 1 }),
      ci: this.integrationService.list({ type: 3, page: 1, pageSize: 1 }),
    }).pipe(take(1)).subscribe({
      next: (counts) => {
        const total = counts.reg.totalCount + counts.scm.totalCount + counts.ci.totalCount;
        if (total === 0) {
          // No integrations — check if we're at the root path
          const url = this.router.url.split('?')[0];
          if (url.endsWith('/integrations') || url.endsWith('/integrations/')) {
            this.showOnboarding.set(true);
          }
        } else {
          // Has integrations — if at root, redirect to first populated tab
          const url = this.router.url.split('?')[0];
          if (url.endsWith('/integrations') || url.endsWith('/integrations/')) {
            const firstTab = counts.reg.totalCount > 0 ? 'registries'
              : counts.scm.totalCount > 0 ? 'scm'
              : counts.ci.totalCount > 0 ? 'ci'
              : 'registries';
            this.activeTab.set(firstTab);
            this.router.navigate([firstTab], { relativeTo: this.route, replaceUrl: true, queryParamsHandling: 'merge' });
          }
        }
      },
    });
  }
 }
--- a/src/Web/StellaOps.Web/src/app/features/policy-decisioning/policy-decisioning-overview-page.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/features/policy-decisioning/policy-decisioning-overview-page.component.spec.ts
@@ -1,11 +1,9 @@
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { RouterTestingModule } from '@angular/router/testing';
 import { PolicyDecisioningOverviewPageComponent } from './policy-decisioning-overview-page.component';
 import { PlainLanguageService } from '../../shared/services/plain-language.service';
 describe('PolicyDecisioningOverviewPageComponent (glossary tooltips)', () => {
  let fixture: ComponentFixture<PolicyDecisioningOverviewPageComponent>;
  let service: PlainLanguageService;
  beforeEach(async () => {
    localStorage.clear();
@@ -15,7 +13,6 @@ describe('PolicyDecisioningOverviewPageComponent (glossary tooltips)', () => {
    }).compileComponents();
    fixture = TestBed.createComponent(PolicyDecisioningOverviewPageComponent);
    service = TestBed.inject(PlainLanguageService);
  });
  afterEach(() => {
@@ -47,8 +44,7 @@ describe('PolicyDecisioningOverviewPageComponent (glossary tooltips)', () => {
    expect(cardDescriptions.length).toBe(6);
  });
-  it('should wrap VEX terms when plain language is enabled', () => {
+  it('should wrap VEX terms by default', () => {
    service.setPlainLanguage(true);
    fixture.detectChanges();
    const glossaryTerms = fixture.nativeElement.querySelectorAll('.glossary-term--inline');
@@ -58,12 +54,4 @@ describe('PolicyDecisioningOverviewPageComponent (glossary tooltips)', () => {
    expect(termNames).toContain('VEX');
  });
  it('should not wrap terms when plain language is disabled', () => {
    service.setPlainLanguage(false);
    fixture.detectChanges();
    const glossaryTerms = fixture.nativeElement.querySelectorAll('.glossary-term--inline');
    expect(glossaryTerms.length).toBe(0);
  });
 });
--- a/src/Web/StellaOps.Web/src/app/features/policy-simulation/policy-audit-log.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/features/policy-simulation/policy-audit-log.component.spec.ts
@@ -7,12 +7,14 @@ import { delay } from 'rxjs/operators';
 import { PolicyAuditLogComponent } from './policy-audit-log.component';
 import { POLICY_SIMULATION_API, PolicySimulationApi } from '../../core/api/policy-simulation.client';
 import { PolicyAuditLogResult, PolicyAuditEntry, PolicyAuditAction } from '../../core/api/policy-simulation.models';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 describe('PolicyAuditLogComponent', () => {
  let component: PolicyAuditLogComponent;
  let fixture: ComponentFixture<PolicyAuditLogComponent>;
  let mockApi: jasmine.SpyObj<PolicySimulationApi>;
  let mockRouter: jasmine.SpyObj<Router>;
  let helperCtx: jasmine.SpyObj<StellaHelperContextService>;
  const mockAuditResult: PolicyAuditLogResult = {
    entries: [
@@ -67,6 +69,7 @@ describe('PolicyAuditLogComponent', () => {
  beforeEach(async () => {
    mockApi = jasmine.createSpyObj('PolicySimulationApi', ['getAuditLog']);
    mockRouter = jasmine.createSpyObj('Router', ['navigate']);
    helperCtx = jasmine.createSpyObj('StellaHelperContextService', ['setScope', 'clearScope']);
    mockApi.getAuditLog.and.returnValue(of(mockAuditResult));
    await TestBed.configureTestingModule({
@@ -74,6 +77,7 @@ describe('PolicyAuditLogComponent', () => {
      providers: [
        { provide: POLICY_SIMULATION_API, useValue: mockApi },
        { provide: Router, useValue: mockRouter },
        { provide: StellaHelperContextService, useValue: helperCtx },
      ],
    })
      .overrideComponent(PolicyAuditLogComponent, {
@@ -350,7 +354,7 @@ describe('PolicyAuditLogComponent', () => {
      component.viewDiff(entry);
      expect(mockRouter.navigate).toHaveBeenCalledWith(
-        ['/policy/simulation/diff', 'policy-pack-001'],
+        ['/ops/policy/simulation/diff', 'policy-pack-001'],
        { queryParams: { from: 1, to: 2 } }
      );
    });
--- a/src/Web/StellaOps.Web/src/app/features/policy-simulation/policy-audit-log.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/policy-simulation/policy-audit-log.component.ts
@@ -1,7 +1,7 @@
 import { CommonModule } from '@angular/common';
-import { Component, ChangeDetectionStrategy, inject, signal, computed, OnInit, Input } from '@angular/core';
+import { Component, ChangeDetectionStrategy, inject, signal, computed, OnInit, Input, DestroyRef, effect } from '@angular/core';
 import { FormBuilder, ReactiveFormsModule } from '@angular/forms';
-import { Router } from '@angular/router';
+import { Router, RouterLink } from '@angular/router';
 import { finalize } from 'rxjs/operators';
@@ -14,6 +14,7 @@ import {
  PolicyAuditEntry,
  PolicyAuditAction,
 } from '../../core/api/policy-simulation.models';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 /**
 * Policy audit log showing change history with actor, timestamp, and diff links.
@@ -21,7 +22,8 @@ import {
 */
@Component({
    selector: 'app-policy-audit-log',
-    imports: [CommonModule, ReactiveFormsModule],
+    standalone: true,
    imports: [CommonModule, ReactiveFormsModule, RouterLink],
    changeDetection: ChangeDetectionStrategy.OnPush,
    template: `
    <section class="audit-log" [attr.aria-busy]="loading()">
@@ -168,8 +170,17 @@ import {
            <line x1="16" y1="17" x2="8" y2="17" />
            <polyline points="10 9 9 9 8 9" />
          </svg>
-          <h3>No Audit Entries</h3>
+          <h3>{{ emptyStateTitle() }}</h3>
-          <p>No policy changes have been recorded.</p>
+          <p>{{ emptyStateDescription() }}</p>
          <p class="audit-log__empty-hint">{{ emptyStateHint() }}</p>
          <div class="audit-log__empty-actions">
            @if (hasActiveFilters()) {
              <button class="btn btn--secondary" type="button" (click)="clearFilters()">Clear filters</button>
            } @else {
              <a [routerLink]="['/ops/policy/packs']" class="btn btn--primary">Open policy packs</a>
              <a [routerLink]="['/ops/policy/simulation']" class="btn btn--secondary">Run a simulation</a>
            }
          </div>
        </div>
      }
    </section>
@@ -466,22 +477,42 @@ import {
        align-items: center;
        justify-content: center;
        padding: 4rem 2rem;
        gap: 0.75rem;
        text-align: center;
        color: var(--color-text-secondary);
      }
      .audit-log__empty svg {
        margin-bottom: 1rem;
        opacity: 0.5;
      }
      .audit-log__empty h3 {
-        margin: 0 0 0.5rem;
+        margin: 0;
        color: var(--color-text-muted);
      }
      .audit-log__empty p {
        margin: 0;
        max-width: 60ch;
        line-height: 1.6;
      }
      .audit-log__empty-hint {
        font-size: 0.8125rem;
      }
      .audit-log__empty-actions {
        display: flex;
        flex-wrap: wrap;
        justify-content: center;
        gap: 0.75rem;
        margin-top: 0.25rem;
      }
      .audit-log__empty .btn--secondary {
        border: 1px solid var(--color-border-primary);
        color: var(--color-text-primary);
        text-decoration: none;
      }
    `,
    ]
@@ -490,11 +521,23 @@ export class PolicyAuditLogComponent implements OnInit {
  private readonly api = inject(POLICY_SIMULATION_API);
  private readonly fb = inject(FormBuilder);
  private readonly router = inject(Router);
  private readonly destroyRef = inject(DestroyRef);
  private readonly helperCtx = inject(StellaHelperContextService);
  @Input() policyPackId?: string;
  readonly loading = signal(false);
  readonly result = signal<PolicyAuditLogResult | undefined>(undefined);
  readonly helperContexts = computed(() => {
    const contexts: string[] = [];
    if (!this.loading() && (this.result()?.entries?.length ?? 0) === 0) {
      contexts.push('empty-list');
      if (!this.hasActiveFilters()) {
        contexts.push('no-audit-events');
      }
    }
    return contexts;
  });
  private currentPage = 1;
  readonly filterForm = this.fb.group({
@@ -522,6 +565,13 @@ export class PolicyAuditLogComponent implements OnInit {
    { value: 'shadow_disabled', label: 'Shadow Disabled' },
  ];
  constructor() {
    effect(() => {
      this.helperCtx.setScope('policy-audit-log', this.helperContexts());
    }, { allowSignalWrites: true });
    this.destroyRef.onDestroy(() => this.helperCtx.clearScope('policy-audit-log'));
  }
  ngOnInit(): void {
    if (this.policyPackId) {
      this.filterForm.patchValue({ policyPackId: this.policyPackId });
@@ -574,6 +624,40 @@ export class PolicyAuditLogComponent implements OnInit {
    return action.replace(/_/g, ' ');
  }
  hasActiveFilters(): boolean {
    const formValue = this.filterForm.getRawValue();
    return Boolean(formValue.policyPackId) ||
      Boolean(formValue.action) ||
      (formValue.dateRange ?? '30d') !== '30d';
  }
  clearFilters(): void {
    this.filterForm.setValue({
      policyPackId: this.policyPackId ?? '',
      action: '',
      dateRange: '30d',
    });
    this.loadAuditLog();
  }
  emptyStateTitle(): string {
    return this.hasActiveFilters()
      ? 'No policy audit entries match the current filters'
      : 'No policy changes have been recorded yet';
  }
  emptyStateDescription(): string {
    return this.hasActiveFilters()
      ? 'The current policy pack, action, or date range filter narrowed the audit trail to zero rows. Broaden the scope to return to the full history.'
      : 'This log fills when policy packs are created, activated, updated, approved, rejected, or rolled back. It becomes the authoritative timeline for who changed release rules and when.';
  }
  emptyStateHint(): string {
    return this.hasActiveFilters()
      ? 'Clear filters first. If the log is still empty, your selected pack probably has not changed within the chosen window.'
      : 'Start by opening a policy pack or simulation. Once a change is saved or activated, the event will appear here with actor, timestamp, and diff context.';
  }
  viewDiff(entry: PolicyAuditEntry): void {
    if (entry.diffId && entry.policyVersion) {
      this.router.navigate(['/ops/policy/simulation/diff', entry.policyPackId], {
@@ -585,4 +669,3 @@ export class PolicyAuditLogComponent implements OnInit {
    }
  }
 }
--- a/src/Web/StellaOps.Web/src/app/features/releases/releases-list-page.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/releases/releases-list-page.component.ts
@@ -5,10 +5,11 @@
 * Lists all releases with filter bar and action buttons.
 */
-import { Component, ChangeDetectionStrategy, signal, computed } from '@angular/core';
+import { ChangeDetectionStrategy, Component, computed, DestroyRef, effect, inject, signal } from '@angular/core';
 import { RouterLink } from '@angular/router';
 import { FormsModule } from '@angular/forms';
 import { Router, RouterLink } from '@angular/router';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 import { DigestChipComponent } from '../../shared/domain/digest-chip/digest-chip.component';
 interface Release {
@@ -35,14 +36,13 @@ interface Release {
          <p class="page-subtitle">Release bundles identified by digest. The unit of promotion.</p>
        </div>
        <div class="page-actions">
-          <a routerLink="/docs" class="btn btn--secondary">Docs <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true" style="display:inline;vertical-align:middle"><line x1="5" y1="12" x2="19" y2="12"/><polyline points="12 5 19 12 12 19"/></svg></a>
+          <a routerLink="/docs" class="btn btn--secondary">Docs</a>
          <button type="button" class="btn btn--primary" (click)="openCreateRelease()">
-            + Create Release
+            Create Release
          </button>
        </div>
      </header>
      <!-- Filter Bar -->
      <div class="filter-bar">
        <div class="filter-bar__search">
          <svg class="filter-bar__search-icon" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -54,17 +54,17 @@ interface Release {
            class="filter-bar__input"
            placeholder="Search by version, digest, or component..."
            [ngModel]="searchQuery()"
-            (ngModelChange)="onSearch($event)"
+            (ngModelChange)="searchQuery.set($event)"
          />
        </div>
-        <select class="filter-bar__select" (change)="filterByEnv($event)">
+        <select class="filter-bar__select" [ngModel]="envFilter()" (ngModelChange)="envFilter.set($event)">
          <option value="">All Environments</option>
          <option value="Dev">Dev</option>
          <option value="QA">QA</option>
          <option value="Staging">Staging</option>
          <option value="Prod">Prod</option>
        </select>
-        <select class="filter-bar__select" (change)="filterByGate($event)">
+        <select class="filter-bar__select" [ngModel]="gateFilter()" (ngModelChange)="gateFilter.set($event)">
          <option value="">All Gates</option>
          <option value="PASS">Pass</option>
          <option value="WARN">Warn</option>
@@ -72,7 +72,6 @@ interface Release {
        </select>
      </div>
      <!-- Releases Table -->
      <div class="table-container">
        <table class="data-table">
          <thead>
@@ -96,10 +95,7 @@ interface Release {
                  </a>
                </td>
                <td>
-                  <app-digest-chip
+                  <app-digest-chip [digest]="release.bundleDigest" variant="bundle"></app-digest-chip>
                    [digest]="release.bundleDigest"
                    variant="bundle"
                  ></app-digest-chip>
                </td>
                <td>{{ release.components }}</td>
                <td>{{ release.environment }}</td>
@@ -111,10 +107,10 @@ interface Release {
                <td>
                  @if (release.evidenceId) {
                    <a [routerLink]="['/evidence', release.evidenceId]" class="evidence-link">
-                      <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true" style="display:inline;vertical-align:middle"><path d="M16 4h2a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2H6a2 2 0 0 1-2-2V6a2 2 0 0 1 2-2h2"/><rect x="8" y="2" width="8" height="4" rx="1" ry="1"/></svg> {{ release.evidenceId }}
+                      {{ release.evidenceId }}
                    </a>
                  } @else {
-                    <span class="text-muted">—</span>
+                    <span class="text-muted">-</span>
                  }
                </td>
                <td>{{ release.createdAt }}</td>
@@ -130,10 +126,20 @@ interface Release {
            } @empty {
              <tr>
                <td colspan="8" class="empty-state">
-                  <p>No releases found</p>
+                  <div class="empty-state__card">
-                  <button type="button" class="btn btn--primary" (click)="openCreateRelease()">
+                    <div class="empty-state__icon" aria-hidden="true">RL</div>
-                    Create your first release
+                    <h2 class="empty-state__title">{{ emptyStateTitle() }}</h2>
-                  </button>
+                    <p class="empty-state__description">{{ emptyStateDescription() }}</p>
                    <p class="empty-state__hint">{{ emptyStateHint() }}</p>
                    <div class="empty-state__actions">
                      @if (hasActiveFilters()) {
                        <button type="button" class="btn btn--secondary" (click)="clearFilters()">Clear filters</button>
                      } @else {
                        <button type="button" class="btn btn--primary" (click)="openCreateRelease()">Create your first release</button>
                        <a routerLink="/releases/new" class="btn btn--secondary">Learn the release flow</a>
                      }
                    </div>
                  </div>
                </td>
              </tr>
            }
@@ -148,6 +154,7 @@ interface Release {
      display: flex;
      justify-content: space-between;
      align-items: flex-start;
      gap: 1rem;
      margin-bottom: 1.5rem;
    }
    .page-title { margin: 0 0 0.25rem; font-size: 1.5rem; font-weight: var(--font-weight-semibold); }
@@ -228,21 +235,6 @@ interface Release {
    }
    .release-link:hover { text-decoration: underline; }
    .digest {
      font-family: ui-monospace, SFMono-Regular, 'SF Mono', Menlo, Consolas, monospace;
      font-size: 0.75rem;
      padding: 0.125rem 0.375rem;
      background: var(--color-surface-secondary);
      border-radius: var(--radius-sm);
    }
    .copy-btn {
      background: transparent;
      border: none;
      cursor: pointer;
      padding: 0.125rem;
      margin-left: 0.25rem;
    }
    .gate-badge {
      display: inline-block;
      padding: 0.125rem 0.625rem;
@@ -280,26 +272,73 @@ interface Release {
      background: var(--color-surface-secondary);
      color: var(--color-text-primary);
    }
-    .btn:hover { opacity: 0.85; transform: translateY(-1px); }
+    .btn:hover { opacity: 0.9; transform: translateY(-1px); }
    .btn--sm { padding: 0.25rem 0.5rem; font-size: 0.75rem; }
-    .btn--primary { background: var(--color-btn-primary-bg); border: none; color: var(--color-btn-primary-text); }
+    .btn--primary { background: var(--color-btn-primary-bg); border-color: var(--color-btn-primary-bg); color: var(--color-btn-primary-text); }
-    .btn--primary:hover { opacity: 0.9; }
+    .btn--secondary { background: var(--color-surface-secondary); border-color: var(--color-border-primary); color: var(--color-text-primary); }
    .btn--secondary { background: var(--color-surface-secondary); border: 1px solid var(--color-border-primary); color: var(--color-text-primary); }
    .empty-state {
-      text-align: center;
+      padding: 0 !important;
-      padding: 3rem !important;
+      background: var(--color-surface-primary) !important;
      color: var(--color-text-secondary);
    }
-    .empty-state p { margin: 0 0 1rem; }
+    .empty-state__card {
-  `]
+      display: grid;
      justify-items: center;
      gap: 0.75rem;
      padding: 2.75rem 1.5rem;
      text-align: center;
    }
    .empty-state__icon {
      width: 3rem;
      height: 3rem;
      display: inline-flex;
      align-items: center;
      justify-content: center;
      border-radius: var(--radius-full);
      background: var(--color-brand-soft, var(--color-surface-secondary));
      color: var(--color-text-link);
      font-size: 0.875rem;
      font-weight: var(--font-weight-bold);
      letter-spacing: 0.08em;
    }
    .empty-state__title,
    .empty-state__description,
    .empty-state__hint {
      margin: 0;
      max-width: 64ch;
    }
    .empty-state__title {
      font-size: 1rem;
      font-weight: var(--font-weight-semibold);
      color: var(--color-text-heading, var(--color-text-primary));
    }
    .empty-state__description,
    .empty-state__hint {
      color: var(--color-text-secondary);
      line-height: 1.6;
    }
    .empty-state__hint {
      font-size: 0.8125rem;
    }
    .empty-state__actions {
      display: flex;
      flex-wrap: wrap;
      justify-content: center;
      gap: 0.75rem;
      margin-top: 0.25rem;
    }
  `],
 })
 export class ReleasesListPageComponent {
-  searchQuery = signal('');
+  private readonly router = inject(Router);
-  envFilter = signal<string>('');
+  private readonly destroyRef = inject(DestroyRef);
-  gateFilter = signal<string>('');
+  private readonly helperCtx = inject(StellaHelperContextService);
-  releases = signal<Release[]>([
+  readonly searchQuery = signal('');
  readonly envFilter = signal<string>('');
  readonly gateFilter = signal<string>('');
  readonly releases = signal<Release[]>([
    { id: 'v1.2.5', version: 'v1.2.5', bundleDigest: 'sha256:7aa1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9', createdAt: '2h ago', environment: 'QA', gateStatus: 'WARN', evidenceId: 'EVD-2026-045', components: 24 },
    { id: 'v1.2.4', version: 'v1.2.4', bundleDigest: 'sha256:6bb1a2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8b8', createdAt: '6h ago', environment: 'Staging', gateStatus: 'PASS', evidenceId: 'EVD-2026-044', components: 23 },
    { id: 'v1.2.3', version: 'v1.2.3', bundleDigest: 'sha256:5cc1a2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8c7', createdAt: '1d ago', environment: 'Prod', gateStatus: 'PASS', evidenceId: 'EVD-2026-041', components: 22 },
@@ -307,25 +346,30 @@ export class ReleasesListPageComponent {
    { id: 'v1.2.6', version: 'v1.2.6', bundleDigest: 'sha256:8ee1a2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8e5', createdAt: '30m ago', environment: 'Dev', gateStatus: 'BLOCK', components: 25 },
  ]);
-  filteredReleases = computed(() => {
+  readonly hasActiveFilters = computed(() =>
    this.searchQuery().trim().length > 0 || this.envFilter() !== '' || this.gateFilter() !== ''
  );
  readonly filteredReleases = computed(() => {
    let result = this.releases();
    const env = this.envFilter();
    const gate = this.gateFilter();
-    const query = this.searchQuery().toLowerCase();
+    const query = this.searchQuery().toLowerCase().trim();
    if (env) {
-      result = result.filter(r => r.environment === env);
+      result = result.filter((release) => release.environment === env);
    }
    if (gate) {
-      result = result.filter(r => r.gateStatus === gate);
+      result = result.filter((release) => release.gateStatus === gate);
    }
    if (query) {
-      result = result.filter(r =>
+      result = result.filter((release) =>
-        r.version.toLowerCase().includes(query) ||
+        release.version.toLowerCase().includes(query) ||
-        r.bundleDigest.toLowerCase().includes(query) ||
+        release.bundleDigest.toLowerCase().includes(query) ||
-        String(r.components).includes(query)
+        String(release.components).includes(query)
      );
    }
    return [...result].sort((left, right) => {
      const byVersion = this.compareVersionsDesc(left.version, right.version);
      if (byVersion !== 0) {
@@ -335,8 +379,46 @@ export class ReleasesListPageComponent {
    });
  });
-  onSearch(query: string): void {
+  readonly helperContexts = computed(() => {
-    this.searchQuery.set(query);
+    const contexts: string[] = [];
    if (this.releases().some((release) => release.gateStatus === 'BLOCK')) {
      contexts.push('gate-blocked');
    }
    if (this.filteredReleases().length === 0) {
      contexts.push('empty-table');
    }
    return contexts;
  });
  constructor() {
    effect(() => {
      this.helperCtx.setScope('releases-list', this.helperContexts());
    }, { allowSignalWrites: true });
    this.destroyRef.onDestroy(() => this.helperCtx.clearScope('releases-list'));
  }
  clearFilters(): void {
    this.searchQuery.set('');
    this.envFilter.set('');
    this.gateFilter.set('');
  }
  emptyStateTitle(): string {
    return this.hasActiveFilters()
      ? 'No releases match the current filters'
      : 'No releases have been created yet';
  }
  emptyStateDescription(): string {
    return this.hasActiveFilters()
      ? 'The current search, environment, or gate filter narrowed the release catalog to zero rows. Broaden the scope to return to the full list.'
      : 'A release is the immutable bundle Stella promotes through your environments. It ties together the scanned artifacts, gate results, and evidence needed for approval and deployment.';
  }
  emptyStateHint(): string {
    return this.hasActiveFilters()
      ? 'Clear filters first. If the table is still empty, the selected scope probably has not produced any releases yet.'
      : 'Start by creating a release or version from the release launchpad. Once a bundle exists, it will appear here with its gate and evidence status.';
  }
  private compareVersionsDesc(left: string, right: string): number {
@@ -365,21 +447,13 @@ export class ReleasesListPageComponent {
      });
  }
  filterByEnv(event: Event): void {
    const select = event.target as HTMLSelectElement;
    this.envFilter.set(select.value);
  }
  filterByGate(event: Event): void {
    const select = event.target as HTMLSelectElement;
    this.gateFilter.set(select.value);
  }
  openCreateRelease(): void {
-    console.log('Open create release modal');
+    void this.router.navigate(['/releases/new']);
  }
  requestPromotion(release: Release): void {
-    console.log('Request promotion for:', release.version);
+    void this.router.navigate(['/releases/promotions/create'], {
      queryParams: { releaseId: release.id },
    });
  }
 }
--- a/src/Web/StellaOps.Web/src/app/features/security/security-findings-page.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/security/security-findings-page.component.ts
@@ -7,6 +7,7 @@ import { take } from 'rxjs';
 import { PlatformContextStore } from '../../core/context/platform-context.store';
 import { DateFormatService } from '../../core/i18n/date-format.service';
 import { EmptyStateComponent } from '../../shared/components/empty-state/empty-state.component';
 import { StellaPageTabsComponent, StellaPageTab } from '../../shared/components/stella-page-tabs/stella-page-tabs.component';
 const EVIDENCE_RAIL_TABS: StellaPageTab[] = [
@@ -50,7 +51,7 @@ type EvidenceTab = 'why' | 'sbom' | 'reachability' | 'vex' | 'waiver' | 'policy'
@Component({
  selector: 'app-security-findings-page',
  standalone: true,
-  imports: [RouterLink, FormsModule, StellaPageTabsComponent],
+  imports: [RouterLink, FormsModule, EmptyStateComponent, StellaPageTabsComponent],
  changeDetection: ChangeDetectionStrategy.OnPush,
  template: `
    <section class="triage">
@@ -184,7 +185,17 @@ type EvidenceTab = 'why' | 'sbom' | 'reachability' | 'vex' | 'waiver' | 'policy'
                    <td>{{ fmt(item.updatedAt) }}</td>
                  </tr>
                } @empty {
-                  <tr><td colspan="9">No findings match the active filters.</td></tr>
+                  <tr>
                    <td colspan="9" class="table-panel__empty">
                      <app-empty-state
                        variant="no-data"
                        title="No findings matched this comparison"
                        description="Adjust the filters, select a different scan scope, or add a baseline. Findings Explorer is most useful when Stella can compare current evidence against a known-good reference and show only the meaningful delta."
                        actionLabel="Scan an image"
                        actionRoute="/security/scan"
                      ></app-empty-state>
                    </td>
                  </tr>
                }
              </tbody>
            </table>
@@ -368,6 +379,11 @@ type EvidenceTab = 'why' | 'sbom' | 'reachability' | 'vex' | 'waiver' | 'policy'
    tbody tr:hover { background: var(--color-surface-tertiary, var(--color-nav-hover)); }
    tbody tr.selected { background: color-mix(in srgb, var(--color-brand-primary) 10%, transparent); }
    .table-panel__empty {
      padding: 1.25rem;
      background: var(--color-surface-primary);
    }
    .verdict {
      display: inline-block;
      border-radius: var(--radius-full);
--- a/src/Web/StellaOps.Web/src/app/features/security/security-sbom-explorer-page.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/security/security-sbom-explorer-page.component.ts
@@ -1,9 +1,10 @@
 import { HttpClient, HttpParams } from '@angular/common/http';
-import { ChangeDetectionStrategy, Component, computed, effect, inject, signal } from '@angular/core';
+import { ChangeDetectionStrategy, Component, computed, DestroyRef, effect, inject, signal } from '@angular/core';
 import { ActivatedRoute, Router, RouterLink } from '@angular/router';
 import { take } from 'rxjs';
 import { PlatformContextStore } from '../../core/context/platform-context.store';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 import { StellaPageTabsComponent, StellaPageTab } from '../../shared/components/stella-page-tabs/stella-page-tabs.component';
 const SUPPLY_CHAIN_TABS: StellaPageTab[] = [
@@ -69,6 +70,24 @@ type SupplyChainMode = 'viewer' | 'graph' | 'lake' | 'reachability' | 'coverage'
      @if (loading()) { <div class="banner">Loading supply-chain data...</div> }
      @if (!loading()) {
        @if (!error() && tableRows().length === 0) {
          <section class="panel panel--empty">
            <div class="empty-panel">
              <div class="empty-panel__icon" aria-hidden="true">SB</div>
              <div class="empty-panel__body">
                <h2>No supply-chain data is available for this scope yet</h2>
                <p>
                  Supply-chain data is Stella's SBOM inventory: the packages, libraries, and binaries discovered inside scanned container images.
                  Until images are scanned and linked to releases, this workspace cannot show component inventory, reachability coverage, or unknown exposure.
                </p>
              </div>
              <div class="empty-panel__actions">
                <a [routerLink]="['/security/scan']" class="btn btn--primary">Scan an image</a>
                <a [routerLink]="['/setup/integrations']" class="btn btn--secondary">Connect sources</a>
              </div>
            </div>
          </section>
        } @else {
        @switch (mode()) {
          @case ('viewer') {
            <section class="panel">
@@ -95,8 +114,6 @@ type SupplyChainMode = 'viewer' | 'graph' | 'lake' | 'reachability' | 'coverage'
                      <td>{{ row.vulnerabilityCount }}</td>
                      <td>{{ row.criticalReachableCount }}</td>
                    </tr>
                  } @empty {
                    <tr><td colspan="7">No SBOM component rows for current scope.</td></tr>
                  }
                </tbody>
              </table>
@@ -145,8 +162,6 @@ type SupplyChainMode = 'viewer' | 'graph' | 'lake' | 'reachability' | 'coverage'
                      <td>{{ row.criticalReachable }}</td>
                      <td>{{ row.unknown }}</td>
                    </tr>
                  } @empty {
                    <tr><td colspan="4">No reachability coverage rows in current scope.</td></tr>
                  }
                </tbody>
              </table>
@@ -174,14 +189,13 @@ type SupplyChainMode = 'viewer' | 'graph' | 'lake' | 'reachability' | 'coverage'
                      <td>{{ row.stale }}</td>
                      <td>{{ row.unknown }}</td>
                    </tr>
                  } @empty {
                    <tr><td colspan="5">No coverage rows for current scope.</td></tr>
                  }
                </tbody>
              </table>
            </section>
          }
        }
        }
      }
    </section>
  `,
@@ -218,6 +232,10 @@ type SupplyChainMode = 'viewer' | 'graph' | 'lake' | 'reachability' | 'coverage'
      display: grid;
      gap: 0.75rem;
    }
    .panel--empty {
      padding: 0;
      overflow: hidden;
    }
    .panel h2 {
      margin: 0;
      font-size: 1rem;
@@ -231,6 +249,73 @@ type SupplyChainMode = 'viewer' | 'graph' | 'lake' | 'reachability' | 'coverage'
      line-height: 1.5;
    }
    .empty-panel {
      display: grid;
      gap: 1rem;
      padding: 1.5rem;
    }
    .empty-panel__icon {
      width: 3rem;
      height: 3rem;
      display: inline-flex;
      align-items: center;
      justify-content: center;
      border-radius: var(--radius-full);
      background: var(--color-brand-soft, var(--color-surface-secondary));
      color: var(--color-text-link);
      font-size: 0.875rem;
      font-weight: var(--font-weight-bold);
      letter-spacing: 0.08em;
    }
    .empty-panel__body {
      display: grid;
      gap: 0.5rem;
      max-width: 72ch;
    }
    .empty-panel__body h2,
    .empty-panel__body p {
      margin: 0;
    }
    .empty-panel__body p {
      font-size: 0.875rem;
      color: var(--color-text-secondary);
      line-height: 1.6;
    }
    .empty-panel__actions {
      display: flex;
      flex-wrap: wrap;
      gap: 0.75rem;
    }
    .btn {
      display: inline-flex;
      align-items: center;
      justify-content: center;
      gap: 0.35rem;
      min-height: 2.5rem;
      padding: 0.625rem 1rem;
      border-radius: var(--radius-md);
      border: 1px solid transparent;
      font-size: 0.8125rem;
      font-weight: var(--font-weight-semibold);
      text-decoration: none;
      transition: transform 140ms ease, border-color 140ms ease, background-color 140ms ease;
      cursor: pointer;
    }
    .btn:hover {
      transform: translateY(-1px);
    }
    .btn--primary {
      background: var(--color-text-link);
      border-color: var(--color-text-link);
      color: var(--color-btn-primary-text, #fff);
    }
    .btn--secondary {
      background: var(--color-surface-secondary);
      border-color: var(--color-border-primary);
      color: var(--color-text-primary);
    }
    .stats-grid {
      display: grid;
      grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
@@ -290,6 +375,8 @@ export class SecuritySbomExplorerPageComponent {
  private readonly http = inject(HttpClient);
  private readonly route = inject(ActivatedRoute);
  private readonly router = inject(Router);
  private readonly destroyRef = inject(DestroyRef);
  private readonly helperCtx = inject(StellaHelperContextService);
  readonly context = inject(PlatformContextStore);
  readonly loading = signal(false);
@@ -330,6 +417,13 @@ export class SecuritySbomExplorerPageComponent {
    const fresh = rows.filter((row) => !this.isStale(row.updatedAt)).length;
    return `${fresh}/${rows.length} components are fresh.`;
  });
  readonly helperContexts = computed(() => {
    const contexts: string[] = [];
    if (!this.loading() && !this.error() && this.tableRows().length === 0) {
      contexts.push('no-sbom-components', 'empty-table');
    }
    return contexts;
  });
  readonly environmentCoverageRows = computed(() => {
    const map = new Map<string, { key: string; total: number; criticalReachable: number; unknown: number }>();
@@ -382,6 +476,11 @@ export class SecuritySbomExplorerPageComponent {
      this.context.contextVersion();
      this.load();
    });
    effect(() => {
      this.helperCtx.setScope('security-sbom-explorer', this.helperContexts());
    }, { allowSignalWrites: true });
    this.destroyRef.onDestroy(() => this.helperCtx.clearScope('security-sbom-explorer'));
  }
  private load(): void {
@@ -437,4 +536,4 @@ export class SecuritySbomExplorerPageComponent {
    if (!Number.isFinite(parsed)) return true;
    return Date.now() - parsed > 24 * 60 * 60 * 1000;
  }
-}
+}
--- a/src/Web/StellaOps.Web/src/app/features/security/unknowns-page.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/security/unknowns-page.component.ts
@@ -3,19 +3,25 @@
 * Sprint: SPRINT_20260118_007_FE_security_consolidation (SEC-003)
 */
-import { ChangeDetectionStrategy, Component } from '@angular/core';
+import { ChangeDetectionStrategy, Component, computed, DestroyRef, effect, inject } from '@angular/core';
 import { RouterLink } from '@angular/router';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
@Component({
-    selector: 'app-unknowns-page',
+  selector: 'app-unknowns-page',
-    imports: [],
+  standalone: true,
-    changeDetection: ChangeDetectionStrategy.OnPush,
+  imports: [RouterLink],
-    template: `
+  changeDetection: ChangeDetectionStrategy.OnPush,
  template: `
    <section class="page">
      <header class="page-header">
        <h1 class="page-title">Unknowns</h1>
-        <p class="page-subtitle">Review findings pending classification.</p>
+        <p class="page-subtitle">
          Review components the platform could not confidently classify, then decide whether to enrich them, investigate them, or accept the risk.
        </p>
      </header>
      <div class="panel">
        <div class="empty-icon" aria-hidden="true">
          <svg viewBox="0 0 24 24" width="24" height="24" fill="none" stroke="currentColor" stroke-width="1.6">
@@ -24,51 +30,108 @@ import { ChangeDetectionStrategy, Component } from '@angular/core';
            <line x1="12" y1="17" x2="12.01" y2="17"></line>
          </svg>
        </div>
-        <p class="empty-heading">No unknowns data available yet</p>
+        <h2 class="empty-heading">No unknown components need attention right now</h2>
-        <p class="empty-text">Findings pending classification will appear here once scans produce results.</p>
+        <p class="empty-text">
          This queue fills when a scan finds packages or binaries that Stella cannot confidently identify. An empty queue means the current scope has no unresolved blind spots waiting for classification.
        </p>
        <p class="empty-hint">
          If you expected entries here, run a fresh scan or open Supply-Chain Data to confirm components were ingested for the selected environment.
        </p>
        <div class="empty-actions">
          <a [routerLink]="['/security/scan']" class="btn btn--primary">Scan an image</a>
          <a [routerLink]="['/security/supply-chain-data']" class="btn btn--secondary">Open supply-chain data</a>
        </div>
      </div>
    </section>
  `,
-    styles: [`
+  styles: [`
-      .page { display: grid; gap: 1rem; }
+    .page { display: grid; gap: 1rem; }
-      .page-header { display: flex; flex-direction: column; gap: 0.25rem; }
+    .page-header { display: flex; flex-direction: column; gap: 0.25rem; }
-      .page-title { margin: 0; font-size: 1.35rem; color: var(--color-text-heading, var(--color-text-primary)); }
+    .page-title { margin: 0; font-size: 1.35rem; color: var(--color-text-heading, var(--color-text-primary)); }
-      .page-subtitle { margin: 0; color: var(--color-text-secondary); font-size: 0.875rem; }
+    .page-subtitle { margin: 0; color: var(--color-text-secondary); font-size: 0.875rem; line-height: 1.5; }
-      .panel {
+    .panel {
-        border: 1px solid var(--color-border-primary);
+      border: 1px solid var(--color-border-primary);
-        border-radius: var(--radius-lg);
+      border-radius: var(--radius-lg);
-        background: var(--color-surface-primary);
+      background: var(--color-surface-primary);
-        padding: 2.5rem 1.5rem;
+      padding: 2.5rem 1.5rem;
-        display: flex;
+      display: grid;
-        flex-direction: column;
+      justify-items: center;
-        align-items: center;
+      gap: 0.75rem;
-        gap: 0.5rem;
+      text-align: center;
-      }
+    }
-      .empty-icon {
+    .empty-icon {
-        width: 2.5rem;
+      width: 2.75rem;
-        height: 2.5rem;
+      height: 2.75rem;
-        display: inline-flex;
+      display: inline-flex;
-        align-items: center;
+      align-items: center;
-        justify-content: center;
+      justify-content: center;
-        border-radius: var(--radius-full);
+      border-radius: var(--radius-full);
-        color: var(--color-text-link);
+      color: var(--color-text-link);
-        background: var(--color-brand-soft, var(--color-surface-secondary));
+      background: var(--color-brand-soft, var(--color-surface-secondary));
-        margin-bottom: 0.25rem;
+      margin-bottom: 0.25rem;
-      }
+    }
-      .empty-heading {
+    .empty-heading {
-        margin: 0;
+      margin: 0;
-        font-size: 1rem;
+      font-size: 1rem;
-        font-weight: var(--font-weight-semibold);
+      font-weight: var(--font-weight-semibold);
-        color: var(--color-text-heading, var(--color-text-primary));
+      color: var(--color-text-heading, var(--color-text-primary));
-      }
+    }
-      .empty-text {
+    .empty-text,
-        margin: 0;
+    .empty-hint {
-        font-size: 0.875rem;
+      margin: 0;
-        color: var(--color-text-secondary);
+      max-width: 64ch;
-        max-width: 48ch;
+      font-size: 0.875rem;
-        text-align: center;
+      color: var(--color-text-secondary);
-        line-height: 1.5;
+      line-height: 1.6;
-      }
+    }
-    `]
+    .empty-hint {
      font-size: 0.8125rem;
    }
    .empty-actions {
      display: flex;
      flex-wrap: wrap;
      justify-content: center;
      gap: 0.75rem;
      margin-top: 0.25rem;
    }
    .btn {
      display: inline-flex;
      align-items: center;
      justify-content: center;
      min-height: 2.5rem;
      padding: 0.625rem 1rem;
      border-radius: var(--radius-md);
      border: 1px solid transparent;
      font-size: 0.8125rem;
      font-weight: var(--font-weight-semibold);
      text-decoration: none;
      transition: transform 140ms ease, border-color 140ms ease, background-color 140ms ease;
    }
    .btn:hover {
      transform: translateY(-1px);
    }
    .btn--primary {
      background: var(--color-text-link);
      border-color: var(--color-text-link);
      color: var(--color-btn-primary-text, #fff);
    }
    .btn--secondary {
      background: var(--color-surface-secondary);
      border-color: var(--color-border-primary);
      color: var(--color-text-primary);
    }
  `],
 })
-export class UnknownsPageComponent {}
+export class UnknownsPageComponent {
  private readonly destroyRef = inject(DestroyRef);
  private readonly helperCtx = inject(StellaHelperContextService);
  readonly helperContexts = computed(() => ['empty-list']);
  constructor() {
    effect(() => {
      this.helperCtx.setScope('security-unknowns', this.helperContexts());
    }, { allowSignalWrites: true });
    this.destroyRef.onDestroy(() => this.helperCtx.clearScope('security-unknowns'));
  }
 }
--- a/src/Web/StellaOps.Web/src/app/features/settings/user-preferences/user-preferences-page.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/settings/user-preferences/user-preferences-page.component.ts
@@ -8,6 +8,7 @@ import { SidebarPreferenceService } from '../../../layout/app-sidebar/sidebar-pr
 import { AiPreferencesComponent, type AiPreferences } from '../ai-preferences.component';
 import { StellaPageTabsComponent, StellaPageTab } from '../../../shared/components/stella-page-tabs/stella-page-tabs.component';
 import { ContentWidthService } from '../../../core/services/content-width.service';
 import { StellaPreferencesService } from '../../../shared/components/stella-helper/stella-preferences.service';
 type PrefsTab = 'profile' | 'appearance' | 'language' | 'layout' | 'ai';
@@ -270,6 +271,60 @@ type LocaleSaveState = 'idle' | 'saving' | 'saved' | 'syncFailed';
                  </span>
                </button>
              </div>
              <div class="ai-divider"></div>
              <!-- Stella Assistant section -->
              <h3 class="prefs-card__subtitle">Stella Assistant</h3>
              <p class="prefs-card__desc">Control the mascot and tooltip behavior</p>
              <div class="toggle-row">
                <div class="toggle-row__info">
                  <span class="toggle-row__label">Show mascot</span>
                  <span class="toggle-row__hint">Display Stella helper in the corner</span>
                </div>
                <button type="button" role="switch" class="switch"
                  [class.switch--on]="!stellaPrefs.isDismissed()"
                  [attr.aria-checked]="!stellaPrefs.isDismissed()"
                  (click)="stellaPrefs.setDismissed(!stellaPrefs.isDismissed())">
                  <span class="switch__track"><span class="switch__thumb"></span></span>
                </button>
              </div>
              <div class="toggle-row">
                <div class="toggle-row__info">
                  <span class="toggle-row__label">Show tooltips</span>
                  <span class="toggle-row__hint">Auto-show contextual tips on page visits</span>
                </div>
                <button type="button" role="switch" class="switch"
                  [class.switch--on]="!stellaPrefs.isTooltipsMuted()"
                  [attr.aria-checked]="!stellaPrefs.isTooltipsMuted()"
                  (click)="stellaPrefs.setTooltipsMuted(!stellaPrefs.isTooltipsMuted())">
                  <span class="switch__track"><span class="switch__thumb"></span></span>
                </button>
              </div>
              @if (stellaPrefs.prefs().mutedPages.length > 0) {
                <div class="stella-muted-pages">
                  <span class="toggle-row__label">Muted pages</span>
                  @for (pg of stellaPrefs.prefs().mutedPages; track pg) {
                    <div class="stella-muted-page">
                      <code>{{ pg }}</code>
                      <button type="button" class="stella-muted-remove" (click)="stellaPrefs.removeMutedPage(pg)" title="Unmute">
                        <svg viewBox="0 0 24 24" width="14" height="14" fill="none" stroke="currentColor" stroke-width="2"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
                      </button>
                    </div>
                  }
                </div>
              }
              <div class="toggle-row">
                <div class="toggle-row__info">
                  <span class="toggle-row__label">Reset first-visit tips</span>
                  <span class="toggle-row__hint">Re-show greeting tips on all pages</span>
                </div>
                <button type="button" class="prefs-btn" (click)="stellaPrefs.resetSeenPages()">Reset</button>
              </div>
            </div>
          }
        }
@@ -756,6 +811,69 @@ type LocaleSaveState = 'idle' | 'saving' | 'saved' | 'syncFailed';
      background: var(--color-border-primary);
    }
    .prefs-card__subtitle {
      margin: 0;
      font-size: 0.875rem;
      font-weight: 600;
      color: var(--color-text-heading);
    }
    .stella-muted-pages {
      display: flex;
      flex-direction: column;
      gap: 0.375rem;
    }
    .stella-muted-page {
      display: flex;
      align-items: center;
      justify-content: space-between;
      padding: 0.35rem 0.625rem;
      background: var(--color-surface-secondary);
      border: 1px solid var(--color-border-primary);
      border-radius: var(--radius-md);
      font-size: 0.75rem;
    }
    .stella-muted-page code {
      font-family: var(--font-family-mono);
      font-size: 0.6875rem;
      color: var(--color-text-primary);
    }
    .stella-muted-remove {
      width: 22px;
      height: 22px;
      border: none;
      border-radius: 50%;
      background: transparent;
      color: var(--color-text-secondary);
      cursor: pointer;
      display: flex;
      align-items: center;
      justify-content: center;
    }
    .stella-muted-remove:hover {
      background: color-mix(in srgb, var(--color-status-error, #c62828) 10%, transparent);
      color: var(--color-status-error, #c62828);
    }
    .prefs-btn {
      padding: 4px 12px;
      border: 1px solid var(--color-border-primary);
      border-radius: var(--radius-md);
      background: var(--color-surface-secondary);
      color: var(--color-text-primary);
      font-size: 0.6875rem;
      font-weight: 600;
      cursor: pointer;
    }
    .prefs-btn:hover {
      border-color: var(--color-brand-primary);
    }
    /* ------------------------------------------------------------------ */
    /*  Content width selector                                             */
    /* ------------------------------------------------------------------ */
@@ -834,6 +952,7 @@ export class UserPreferencesPageComponent implements OnInit {
  protected readonly themeService = inject(ThemeService);
  protected readonly sidebarPrefs = inject(SidebarPreferenceService);
  protected readonly contentWidthService = inject(ContentWidthService);
  protected readonly stellaPrefs = inject(StellaPreferencesService);
  readonly prefsTabs = PREFS_TABS;
  readonly activeTab = signal<PrefsTab>('profile');
--- a/src/Web/StellaOps.Web/src/app/features/topology/topology-agents-page.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/topology/topology-agents-page.component.ts
@@ -1,9 +1,10 @@
-import { ChangeDetectionStrategy, Component, computed, effect, inject, signal } from '@angular/core';
+import { ChangeDetectionStrategy, Component, computed, DestroyRef, effect, inject, signal } from '@angular/core';
 import { FormsModule } from '@angular/forms';
 import { ActivatedRoute, RouterLink } from '@angular/router';
 import { catchError, forkJoin, of, take } from 'rxjs';
 import { PlatformContextStore } from '../../core/context/platform-context.store';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 import { TopologyDataService } from './topology-data.service';
 import { TopologyAgent, TopologyTarget } from './topology.models';
@@ -101,8 +102,27 @@ interface AgentGroupRow {
                      </tr>
                    } @empty {
                      <tr><td colspan="6" class="empty-cell">
-                        <svg class="empty-cell__icon" viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clip-rule="evenodd"/></svg>
+                        <div class="empty-callout">
-                        No groups for current filters.
+                          <svg class="empty-callout__icon" viewBox="0 0 20 20" fill="currentColor" width="20" height="20"><path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clip-rule="evenodd"/></svg>
                          <div class="empty-callout__body">
                            <strong>{{ hasActiveTableFilters() ? 'No agent groups match these filters' : 'No agent groups are reporting in this scope' }}</strong>
                            <p>
                              @if (hasActiveTableFilters()) {
                                Clear the search or status filter to bring group rows back into scope.
                              } @else {
                                Agent groups are assembled from live agents by environment and region. Until agents check in, Stella cannot validate readiness or perform deployments here.
                              }
                            </p>
                          </div>
                          <div class="empty-callout__actions">
                            @if (hasActiveTableFilters()) {
                              <button type="button" class="empty-callout__button" (click)="clearFilters()">Clear filters</button>
                            } @else {
                              <a [routerLink]="['/ops/operations/agents']">Open agent fleet</a>
                              <a [routerLink]="['/ops/operations/doctor']">Run diagnostics</a>
                            }
                          </div>
                        </div>
                      </td></tr>
                    }
                  </tbody>
@@ -134,8 +154,27 @@ interface AgentGroupRow {
                      </tr>
                    } @empty {
                      <tr><td colspan="6" class="empty-cell">
-                        <svg class="empty-cell__icon" viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clip-rule="evenodd"/></svg>
+                        <div class="empty-callout">
-                        No agents for current filters.
+                          <svg class="empty-callout__icon" viewBox="0 0 20 20" fill="currentColor" width="20" height="20"><path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clip-rule="evenodd"/></svg>
                          <div class="empty-callout__body">
                            <strong>{{ hasActiveTableFilters() ? 'No agents match these filters' : 'No agents are connected right now' }}</strong>
                            <p>
                              @if (hasActiveTableFilters()) {
                                The current search or status filter narrowed the fleet to zero rows.
                              } @else {
                                Agents are the execution layer that lets Stella deploy and validate real workloads. Without them, topology remains descriptive only.
                              }
                            </p>
                          </div>
                          <div class="empty-callout__actions">
                            @if (hasActiveTableFilters()) {
                              <button type="button" class="empty-callout__button" (click)="clearFilters()">Clear filters</button>
                            } @else {
                              <a [routerLink]="['/ops/operations/doctor']">Run diagnostics</a>
                              <a [routerLink]="['/environments/overview']">Review environments</a>
                            }
                          </div>
                        </div>
                      </td></tr>
                    }
                  </tbody>
@@ -443,13 +482,68 @@ interface AgentGroupRow {
      color: var(--color-text-muted);
      font-size: 0.74rem;
      padding: 1rem 0.5rem;
      display: flex;
      align-items: center;
      justify-content: center;
      gap: 0.35rem;
    }
-    .empty-cell__icon { opacity: 0.4; flex-shrink: 0; }
+    .empty-callout {
      display: grid;
      gap: 0.6rem;
      justify-items: center;
      text-align: center;
      max-width: 32rem;
      margin: 0 auto;
    }
    .empty-callout__icon {
      opacity: 0.4;
      flex-shrink: 0;
    }
    .empty-callout__body {
      display: grid;
      gap: 0.25rem;
    }
    .empty-callout__body strong {
      color: var(--color-text-primary);
      font-size: 0.8rem;
    }
    .empty-callout__body p {
      margin: 0;
      color: var(--color-text-secondary);
      line-height: 1.5;
    }
    .empty-callout__actions {
      display: flex;
      flex-wrap: wrap;
      justify-content: center;
      gap: 0.4rem;
    }
    .empty-callout__actions a,
    .empty-callout__button {
      display: inline-flex;
      align-items: center;
      justify-content: center;
      gap: 0.2rem;
      color: var(--color-text-link);
      font-size: 0.73rem;
      font-weight: 500;
      text-decoration: none;
      padding: 0.2rem 0.45rem;
      border-radius: var(--radius-sm);
      border: 1px solid var(--color-border-primary);
      background: var(--color-surface-secondary);
      cursor: pointer;
      transition: background 150ms ease, color 150ms ease;
    }
    .empty-callout__actions a:hover,
    .empty-callout__button:hover {
      background: var(--color-brand-soft);
      color: var(--color-text-link-hover);
    }
    .empty-state {
      display: flex;
@@ -477,6 +571,8 @@ interface AgentGroupRow {
 export class TopologyAgentsPageComponent {
  private readonly topologyApi = inject(TopologyDataService);
  private readonly route = inject(ActivatedRoute);
  private readonly destroyRef = inject(DestroyRef);
  private readonly helperCtx = inject(StellaHelperContextService);
  readonly context = inject(PlatformContextStore);
  readonly loading = signal(false);
@@ -565,6 +661,25 @@ export class TopologyAgentsPageComponent {
    }
    return this.agents().find((agent) => agent.agentId === id) ?? null;
  });
  readonly hasActiveTableFilters = computed(() => this.searchQuery().trim().length > 0 || this.statusFilter() !== 'all');
  readonly helperContexts = computed(() => {
    const contexts: string[] = [];
    if (this.agents().some((agent) => agent.status.trim().toLowerCase() !== 'active')) {
      contexts.push('agents-degraded');
    }
    if (!this.loading() && this.agents().length === 0) {
      contexts.push('agents-none');
    }
    if (!this.loading()) {
      if (this.viewMode() === 'groups' && this.filteredGroups().length === 0) {
        contexts.push('empty-table');
      }
      if (this.viewMode() === 'agents' && this.filteredAgents().length === 0) {
        contexts.push('empty-table');
      }
    }
    return contexts;
  });
  constructor() {
    this.context.initialize();
@@ -585,6 +700,16 @@ export class TopologyAgentsPageComponent {
      this.context.contextVersion();
      this.load();
    });
    effect(() => {
      this.helperCtx.setScope('topology-agents', this.helperContexts());
    }, { allowSignalWrites: true });
    this.destroyRef.onDestroy(() => this.helperCtx.clearScope('topology-agents'));
  }
  clearFilters(): void {
    this.searchQuery.set('');
    this.statusFilter.set('all');
  }
  private load(): void {
--- a/src/Web/StellaOps.Web/src/app/features/topology/topology-inventory-page.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/topology/topology-inventory-page.component.ts
@@ -1,10 +1,19 @@
 import { HttpClient, HttpParams } from '@angular/common/http';
-import { ChangeDetectionStrategy, Component, computed, effect, inject, signal } from '@angular/core';
+import {
-import { ActivatedRoute } from '@angular/router';
+  ChangeDetectionStrategy,
  Component,
  DestroyRef,
  computed,
  effect,
  inject,
  signal,
 } from '@angular/core';
 import { ActivatedRoute, RouterLink } from '@angular/router';
 import { take } from 'rxjs';
 import { LoadingStateComponent } from '../../shared/components/loading-state/loading-state.component';
 import { PlatformContextStore } from '../../core/context/platform-context.store';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 interface PlatformListResponse<T> {
  items: T[];
@@ -20,7 +29,7 @@ interface TopologyRouteData {
@Component({
  selector: 'app-topology-inventory-page',
  standalone: true,
-  imports: [LoadingStateComponent],
+  imports: [LoadingStateComponent, RouterLink],
  template: `
    <section class="topology">
      <header class="topology__header">
@@ -40,7 +49,20 @@ interface TopologyRouteData {
      @if (loading()) {
        <app-loading-state size="md" [message]="'Loading ' + title().toLowerCase() + '...'" />
      } @else if (rows().length === 0) {
-        <div class="topology__empty">No data is available for the selected context.</div>
+        <div class="topology__empty">
          <div class="topology__empty-icon" aria-hidden="true">TI</div>
          <h2>{{ emptyStateTitle() }}</h2>
          <p>{{ emptyStateDescription() }}</p>
          <p class="topology__empty-hint">{{ emptyStateHint() }}</p>
          <div class="topology__empty-actions">
            <a [routerLink]="primaryActionRoute()" class="topology__btn topology__btn--primary">
              {{ primaryActionLabel() }}
            </a>
            <a [routerLink]="secondaryActionRoute()" class="topology__btn topology__btn--secondary">
              {{ secondaryActionLabel() }}
            </a>
          </div>
        </div>
      } @else {
        <table class="stella-table stella-table--striped stella-table--hoverable stella-table--bordered">
          <thead>
@@ -96,7 +118,6 @@ interface TopologyRouteData {
    /* Table styling provided by global .stella-table class */
    .topology__loading,
    .topology__empty,
    .topology__error {
      border: 1px solid var(--color-border-primary);
@@ -105,6 +126,76 @@ interface TopologyRouteData {
      padding: 1rem;
    }
    .topology__empty {
      display: grid;
      justify-items: center;
      gap: 0.75rem;
      padding: 2rem 1.5rem;
      text-align: center;
    }
    .topology__empty h2,
    .topology__empty p {
      margin: 0;
      max-width: 64ch;
    }
    .topology__empty-icon {
      width: 3rem;
      height: 3rem;
      display: inline-flex;
      align-items: center;
      justify-content: center;
      border-radius: var(--radius-full);
      background: color-mix(in srgb, var(--color-brand-primary) 12%, transparent);
      color: var(--color-text-link);
      font-size: 0.8rem;
      font-weight: var(--font-weight-bold);
      letter-spacing: 0.08em;
    }
    .topology__empty-hint {
      color: var(--color-text-secondary);
      font-size: 0.85rem;
      line-height: 1.55;
    }
    .topology__empty-actions {
      display: flex;
      flex-wrap: wrap;
      justify-content: center;
      gap: 0.75rem;
      margin-top: 0.25rem;
    }
    .topology__btn {
      display: inline-flex;
      align-items: center;
      justify-content: center;
      min-height: 2.25rem;
      padding: 0.5rem 0.9rem;
      border-radius: var(--radius-sm);
      border: 1px solid var(--color-border-primary);
      text-decoration: none;
      transition: opacity 150ms ease, transform 150ms ease;
    }
    .topology__btn:hover {
      opacity: 0.92;
      transform: translateY(-1px);
    }
    .topology__btn--primary {
      background: var(--color-btn-primary-bg);
      border-color: var(--color-btn-primary-bg);
      color: var(--color-btn-primary-text);
    }
    .topology__btn--secondary {
      background: var(--color-btn-secondary-bg, var(--color-surface-primary));
      color: var(--color-btn-secondary-text, var(--color-text-primary));
    }
    .topology__error {
      color: var(--color-status-error-text);
    }
@@ -114,6 +205,8 @@ interface TopologyRouteData {
 export class TopologyInventoryPageComponent {
  private readonly http = inject(HttpClient);
  private readonly route = inject(ActivatedRoute);
  private readonly destroyRef = inject(DestroyRef);
  private readonly helperCtx = inject(StellaHelperContextService);
  readonly context = inject(PlatformContextStore);
  readonly loading = signal(false);
@@ -122,6 +215,13 @@ export class TopologyInventoryPageComponent {
  readonly title = signal('Topology');
  readonly description = signal('Topology inventory');
  readonly endpoint = signal('/api/v2/topology/regions');
  readonly helperContexts = computed(() => {
    if (this.loading() || this.error() || this.rows().length > 0) {
      return [];
    }
    return ['empty-table'];
  });
  readonly columnKeys = computed(() => {
    const first = this.rows()[0];
@@ -135,11 +235,17 @@ export class TopologyInventoryPageComponent {
  constructor() {
    this.context.initialize();
    effect(() => {
      this.helperCtx.setScope('topology-inventory', this.helperContexts());
    }, { allowSignalWrites: true });
    this.destroyRef.onDestroy(() => this.helperCtx.clearScope('topology-inventory'));
    this.route.data.subscribe((data) => {
-      const routeData = data as TopologyRouteData;
+      const routeData = data as Partial<TopologyRouteData>;
-      this.title.set(routeData.title);
+      this.title.set(routeData.title ?? 'Topology Inventory');
-      this.description.set(routeData.description);
+      this.description.set(routeData.description ?? 'Scope-aware inventory for the currently selected platform context.');
-      this.endpoint.set(routeData.endpoint);
+      this.endpoint.set(routeData.endpoint ?? '/api/v2/topology/regions');
      this.load();
    });
@@ -172,6 +278,44 @@ export class TopologyInventoryPageComponent {
    return String(value);
  }
  emptyStateTitle(): string {
    return this.isGateProfilesView()
      ? 'No gate profiles are available for this scope'
      : `No ${this.title().toLowerCase()} are available for this scope`;
  }
  emptyStateDescription(): string {
    return this.isGateProfilesView()
      ? 'Gate profiles appear after policy packs and environment mappings define which checks a promotion must pass. An empty page usually means the policy model has not been attached to the selected environment set yet.'
      : 'This inventory follows the active region and environment filters. When it is empty, Stella has not discovered any matching resources for the selected scope yet.';
  }
  emptyStateHint(): string {
    return this.isGateProfilesView()
      ? 'Start by reviewing the policy packs that feed promotion rules, then confirm agents and environments are reporting for the target scope.'
      : 'Check the selected context first. If it is correct, connect agents or populate the underlying topology source so Stella can discover rows for this view.';
  }
  primaryActionLabel(): string {
    return this.isGateProfilesView() ? 'Open policy packs' : 'View environment map';
  }
  primaryActionRoute(): string {
    return this.isGateProfilesView() ? '/ops/policy/packs' : '/environments/overview';
  }
  secondaryActionLabel(): string {
    return 'Review connected agents';
  }
  secondaryActionRoute(): string {
    return '/ops/operations/agents';
  }
  private isGateProfilesView(): boolean {
    return this.endpoint().includes('gate-profiles') || this.title().toLowerCase().includes('gate profile');
  }
  private load(): void {
    if (!this.endpoint()) {
      return;
@@ -208,4 +352,3 @@ export class TopologyInventoryPageComponent {
  }
 }
--- a/src/Web/StellaOps.Web/src/app/features/topology/topology-targets-page.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/topology/topology-targets-page.component.ts
@@ -1,9 +1,10 @@
-import { ChangeDetectionStrategy, Component, computed, effect, inject, signal } from '@angular/core';
+import { ChangeDetectionStrategy, Component, computed, DestroyRef, effect, inject, signal } from '@angular/core';
 import { FormsModule } from '@angular/forms';
 import { ActivatedRoute, RouterLink } from '@angular/router';
 import { catchError, forkJoin, of, take } from 'rxjs';
 import { PlatformContextStore } from '../../core/context/platform-context.store';
 import { StellaHelperContextService } from '../../shared/components/stella-helper/stella-helper-context.service';
 import { TopologyDataService } from './topology-data.service';
 import { TopologyAgent, TopologyHost, TopologyTarget } from './topology.models';
@@ -467,6 +468,8 @@ import { TopologyAgent, TopologyHost, TopologyTarget } from './topology.models';
 export class TopologyTargetsPageComponent {
  private readonly topologyApi = inject(TopologyDataService);
  private readonly route = inject(ActivatedRoute);
  private readonly destroyRef = inject(DestroyRef);
  private readonly helperCtx = inject(StellaHelperContextService);
  readonly context = inject(PlatformContextStore);
  readonly loading = signal(false);
@@ -527,6 +530,16 @@ export class TopologyTargetsPageComponent {
    const agent = this.agents().find((item) => item.agentId === target.agentId);
    return agent?.agentName ?? target.agentId;
  });
  readonly helperContexts = computed(() => {
    const contexts: string[] = [];
    if (!this.loading() && this.filteredTargets().length === 0) {
      contexts.push('empty-table');
    }
    if (this.targets().some((target) => target.healthStatus.trim().toLowerCase() === 'unknown')) {
      contexts.push('health-unknown');
    }
    return contexts;
  });
  constructor() {
    this.context.initialize();
@@ -546,6 +559,11 @@ export class TopologyTargetsPageComponent {
      this.context.contextVersion();
      this.load();
    });
    effect(() => {
      this.helperCtx.setScope('topology-targets', this.helperContexts());
    }, { allowSignalWrites: true });
    this.destroyRef.onDestroy(() => this.helperCtx.clearScope('topology-targets'));
  }
  private load(): void {
--- a/src/Web/StellaOps.Web/src/app/layout/app-shell/app-shell.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/app-shell/app-shell.component.spec.ts
@@ -1,6 +1,6 @@
 import { Component, signal } from '@angular/core';
 import { ComponentFixture, TestBed } from '@angular/core/testing';
-import { provideRouter } from '@angular/router';
+import { provideRouter, Router } from '@angular/router';
 import { signal } from '@angular/core';
 import { of } from 'rxjs';
 import { AUTH_SERVICE, MockAuthService } from '../../core/auth';
 import { OfflineModeService } from '../../core/services/offline-mode.service';
@@ -8,6 +8,32 @@ import { PolicyPackStore } from '../../features/policy-studio/services/policy-pa
 import { AppShellComponent } from './app-shell.component';
@Component({
  standalone: true,
  template: `
    <section class="legacy-header-page">
      <header class="page-header">
        <h1>SBOM Coverage</h1>
        <p>Review Policy Gate decisions before promotion.</p>
      </header>
    </section>
  `,
 })
 class LegacyHeaderRouteComponent {}
@Component({
  standalone: true,
  template: `
    <section class="legacy-header-page">
      <header class="page-header">
        <h1>VEX Coverage</h1>
        <p>Promotion evidence stays visible here.</p>
      </header>
    </section>
  `,
 })
 class LegacyHeaderSecondRouteComponent {}
 class OfflineModeServiceStub {
  readonly isOffline = signal(false);
  readonly bundleFreshness = signal<{
@@ -41,12 +67,16 @@ class PolicyPackStoreStub {
 describe('AppShellComponent', () => {
  let component: AppShellComponent;
  let fixture: ComponentFixture<AppShellComponent>;
  let router: Router;
  beforeEach(async () => {
    await TestBed.configureTestingModule({
      imports: [AppShellComponent],
      providers: [
-        provideRouter([]),
+        provideRouter([
          { path: '', component: LegacyHeaderRouteComponent },
          { path: 'second', component: LegacyHeaderSecondRouteComponent },
        ]),
        { provide: AUTH_SERVICE, useClass: MockAuthService },
        { provide: OfflineModeService, useClass: OfflineModeServiceStub },
        { provide: PolicyPackStore, useClass: PolicyPackStoreStub },
@@ -55,6 +85,7 @@ describe('AppShellComponent', () => {
    fixture = TestBed.createComponent(AppShellComponent);
    component = fixture.componentInstance;
    router = TestBed.inject(Router);
    fixture.detectChanges();
  });
@@ -96,4 +127,29 @@ describe('AppShellComponent', () => {
    const outlet = fixture.nativeElement.querySelector('router-outlet');
    expect(outlet).toBeTruthy();
  });
  it('annotates legacy page-header copy across route changes without per-page imports', async () => {
    await router.navigateByUrl('/');
    fixture.detectChanges();
    await fixture.whenStable();
    await new Promise((resolve) => setTimeout(resolve, 0));
    fixture.detectChanges();
    let glossaryTerms = fixture.nativeElement.querySelectorAll('#main-content .page-header .glossary-term--inline');
    let wrappedText = Array.from<Element>(glossaryTerms).map((term) => term.textContent?.trim());
    expect(wrappedText).toContain('SBOM');
    expect(wrappedText).toContain('Policy Gate');
    await router.navigateByUrl('/second');
    fixture.detectChanges();
    await fixture.whenStable();
    await new Promise((resolve) => setTimeout(resolve, 0));
    fixture.detectChanges();
    glossaryTerms = fixture.nativeElement.querySelectorAll('#main-content .page-header .glossary-term--inline');
    wrappedText = Array.from<Element>(glossaryTerms).map((term) => term.textContent?.trim());
    expect(wrappedText).not.toContain('SBOM');
    expect(wrappedText).toContain('VEX');
    expect(wrappedText).toContain('Promotion');
  });
 });
--- a/src/Web/StellaOps.Web/src/app/layout/app-shell/app-shell.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/app-shell/app-shell.component.ts
@@ -11,6 +11,8 @@ import { ContentWidthService } from '../../core/services/content-width.service';
 import { SearchAssistantHostComponent } from '../search-assistant-host/search-assistant-host.component';
 import { StellaHelperComponent } from '../../shared/components/stella-helper/stella-helper.component';
 import { StellaTourComponent } from '../../shared/components/stella-helper/stella-tour.component';
 import { GlossaryTooltipDirective } from '../../shared/directives/glossary-tooltip.directive';
 import { PageHelpPanelComponent } from '../../shared/components/page-help/page-help-panel.component';
 /**
 * AppShellComponent - Main application shell with permanent left rail navigation.
@@ -35,6 +37,8 @@ import { StellaTourComponent } from '../../shared/components/stella-helper/stell
    SearchAssistantHostComponent,
    StellaHelperComponent,
    StellaTourComponent,
    GlossaryTooltipDirective,
    PageHelpPanelComponent,
  ],
  template: `
    <div class="shell" [class.shell--mobile-open]="mobileMenuOpen()" [class.shell--collapsed]="sidebarPrefs.sidebarCollapsed()">
@@ -79,7 +83,11 @@ import { StellaTourComponent } from '../../shared/components/stella-helper/stell
          <main id="main-content" class="shell__outlet"
                [class.shell__outlet--centered]="contentWidth.isCentered()"
                [attr.data-width]="contentWidth.mode()"
                [targetSelectors]="legacyGlossaryTargets"
                [observeMutations]="true"
                stellaopsGlossaryTooltip
                tabindex="-1">
            <app-page-help-panel></app-page-help-panel>
            <router-outlet />
          </main>
        </div>
@@ -317,6 +325,7 @@ import { StellaTourComponent } from '../../shared/components/stella-helper/stell
 export class AppShellComponent {
  readonly sidebarPrefs = inject(SidebarPreferenceService);
  readonly contentWidth = inject(ContentWidthService);
  readonly legacyGlossaryTargets = 'header.page-header, div.page-header';
  @ViewChild(AppSidebarComponent) sidebarRef?: AppSidebarComponent;
  /** Whether mobile menu is open */
--- a/src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.spec.ts
@@ -1,5 +1,7 @@
 import { Component } from '@angular/core';
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { provideHttpClient } from '@angular/common/http';
 import { HttpTestingController, provideHttpClientTesting } from '@angular/common/http/testing';
 import { provideRouter, Router } from '@angular/router';
 import { of } from 'rxjs';
 import { AppSidebarComponent } from './app-sidebar.component';
@@ -20,6 +22,7 @@ class DummyRouteComponent {}
 describe('AppSidebarComponent', () => {
  let authService: MockAuthService;
  let approvalApi: jasmine.SpyObj<ApprovalApi>;
  let httpController: HttpTestingController;
  beforeEach(async () => {
    authService = new MockAuthService();
@@ -29,6 +32,8 @@ describe('AppSidebarComponent', () => {
    await TestBed.configureTestingModule({
      imports: [AppSidebarComponent],
      providers: [
        provideHttpClient(),
        provideHttpClientTesting(),
        provideRouter([
          { path: '', component: DummyRouteComponent },
          { path: 'ops/integrations/scm', component: DummyRouteComponent },
@@ -39,6 +44,12 @@ describe('AppSidebarComponent', () => {
        { provide: APPROVAL_API, useValue: approvalApi },
      ],
    }).compileComponents();
    httpController = TestBed.inject(HttpTestingController);
  });
  afterEach(() => {
    httpController.verify();
  });
  it('hides analytics navigation when analytics scope is missing', () => {
@@ -63,8 +74,7 @@ describe('AppSidebarComponent', () => {
    const links = Array.from(fixture.nativeElement.querySelectorAll('a')) as HTMLAnchorElement[];
    const hrefs = links.map((link) => link.getAttribute('href'));
-    // Dashboard link exists but no alerts/activity children
+    expect(hrefs).toContain('/');
    expect(hrefs).toContain('/mission-control/board');
    expect(hrefs).not.toContain('/mission-control/alerts');
    expect(hrefs).not.toContain('/mission-control/activity');
  });
@@ -75,6 +85,7 @@ describe('AppSidebarComponent', () => {
    const cancelSpy = spyOn(window, 'cancelAnimationFrame');
    const fixture = createComponent();
    const nav = fixture.nativeElement.querySelector('.sidebar__nav') as HTMLElement;
    rafSpy.calls.reset();
    expect(nav).toBeTruthy();
    expect(rafSpy).not.toHaveBeenCalled();
@@ -88,7 +99,7 @@ describe('AppSidebarComponent', () => {
    expect(cancelSpy).toHaveBeenCalledWith(1);
  });
-  it('shows Trust & Signing under Setup for setup-capable operators', () => {
+  it('shows Certificates & Trust under Setup for setup-capable operators', () => {
    setScopes([
      StellaOpsScopes.UI_ADMIN,
      StellaOpsScopes.ORCH_READ,
@@ -96,10 +107,10 @@ describe('AppSidebarComponent', () => {
    ]);
    const fixture = createComponent();
-    expect(fixture.nativeElement.textContent).toContain('Trust & Signing');
+    expect(fixture.nativeElement.textContent).toContain('Certificates & Trust');
  });
-  it('surfaces unknowns and notifications leaves in the live sidebar shells', () => {
+  it('surfaces the unknowns leaf in the live sidebar shell', () => {
    setScopes([
      StellaOpsScopes.UI_READ,
      StellaOpsScopes.RELEASE_READ,
@@ -113,10 +124,9 @@ describe('AppSidebarComponent', () => {
    const hrefs = links.map((link) => link.getAttribute('href'));
    expect(hrefs).toContain('/security/unknowns');
    expect(hrefs).toContain('/ops/operations/notifications');
  });
-  it('shows Health under Releases section', () => {
+  it('shows Releases under Release Control', () => {
    setScopes([
      StellaOpsScopes.UI_READ,
      StellaOpsScopes.RELEASE_READ,
@@ -125,7 +135,7 @@ describe('AppSidebarComponent', () => {
    const links = Array.from(fixture.nativeElement.querySelectorAll('a')) as HTMLAnchorElement[];
    const hrefs = links.map((link) => link.getAttribute('href'));
-    expect(hrefs).toContain('/releases/health');
+    expect(hrefs).toContain('/releases');
  });
  it('shows the security posture landing under the Security Posture section', () => {
@@ -141,7 +151,7 @@ describe('AppSidebarComponent', () => {
    expect(hrefs).toContain('/security');
  });
-  it('shows Audit section with Logs and Bundles', () => {
+  it('shows Evidence section with Audit Log and Export Center', () => {
    setScopes([
      StellaOpsScopes.UI_READ,
      StellaOpsScopes.RELEASE_READ,
@@ -150,12 +160,11 @@ describe('AppSidebarComponent', () => {
    const fixture = createComponent();
    const text = fixture.nativeElement.textContent as string;
-    expect(text).toContain('Audit');
+    expect(text).toContain('Audit Log');
-    expect(text).toContain('Logs');
+    expect(text).toContain('Export Center');
    expect(text).toContain('Bundles');
  });
-  it('shows Operations children: Scheduled Jobs, Signals, Offline Kit, Environments', () => {
+  it('shows current Operations leaves: Scheduled Jobs, Feeds & Airgap, Scripts, Diagnostics', () => {
    setScopes([
      StellaOpsScopes.UI_ADMIN,
      StellaOpsScopes.ORCH_READ,
@@ -163,15 +172,16 @@ describe('AppSidebarComponent', () => {
      StellaOpsScopes.HEALTH_READ,
      StellaOpsScopes.NOTIFY_VIEWER,
      StellaOpsScopes.POLICY_READ,
      StellaOpsScopes.ADVISORY_READ,
    ]);
    const fixture = createComponent();
    const links = Array.from(fixture.nativeElement.querySelectorAll('a')) as HTMLAnchorElement[];
    const hrefs = links.map((link) => link.getAttribute('href'));
    expect(hrefs).toContain('/ops/operations/jobengine');
-    expect(hrefs).toContain('/ops/operations/signals');
+    expect(hrefs).toContain('/ops/operations/feeds-airgap');
-    expect(hrefs).toContain('/ops/operations/offline-kit');
+    expect(hrefs).toContain('/ops/scripts');
-    expect(hrefs).toContain('/ops/operations/environments');
+    expect(hrefs).toContain('/ops/operations/doctor');
  });
  it('shows Diagnostics under Setup', () => {
@@ -189,6 +199,24 @@ describe('AppSidebarComponent', () => {
    expect(hrefs).toContain('/ops/operations/doctor');
  });
  it('marks the first recommended onboarding step without creating a signal cycle', () => {
    setScopes([
      StellaOpsScopes.UI_READ,
      StellaOpsScopes.RELEASE_READ,
      StellaOpsScopes.SCANNER_READ,
      StellaOpsScopes.UI_ADMIN,
      StellaOpsScopes.ORCH_READ,
      StellaOpsScopes.ORCH_OPERATE,
      StellaOpsScopes.HEALTH_READ,
    ]);
    const fixture = createComponent();
    const text = fixture.nativeElement.textContent as string;
    expect(text).toContain('Start here');
    expect(text).toContain('Diagnostics');
  });
  it('does not show Notifications under Setup', () => {
    setScopes([
      StellaOpsScopes.UI_ADMIN,
@@ -250,6 +278,16 @@ describe('AppSidebarComponent', () => {
  function createComponent(): ComponentFixture<AppSidebarComponent> {
    const fixture = TestBed.createComponent(AppSidebarComponent);
    fixture.detectChanges();
    flushSidebarBadgeRequests();
    return fixture;
  }
  function flushSidebarBadgeRequests(): void {
    httpController.expectOne('/api/v1/release-orchestrator/releases/versions?gateStatus=block&limit=0')
      .flush({ items: [] });
    httpController.expectOne('/api/v2/security/findings?severity=critical&disposition=unreviewed&limit=0')
      .flush({ totalCount: 0, items: [] });
    httpController.expectOne('/api/v1/release-orchestrator/releases/activity?outcome=failed&limit=0')
      .flush({ items: [] });
  }
 });
--- a/src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.ts
@@ -1128,11 +1128,9 @@ export class AppSidebarComponent implements AfterViewInit {
      .map((child) => this.filterItem(child))
      .filter((child): child is NavItem => child !== null);
    const children = visibleChildren.map((child) => this.withDisplayChildState(child));
    return {
      ...section,
-      children,
+      children: visibleChildren,
    };
  }
--- a/src/Web/StellaOps.Web/src/app/layout/app-sidebar/sidebar-nav-item.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/app-sidebar/sidebar-nav-item.component.ts
@@ -13,6 +13,8 @@ export interface NavItem {
  icon: string;
  badge?: number;
  tooltip?: string;
  badgeTooltip?: string;
  recommendationLabel?: string;
  requiredScopes?: readonly StellaOpsScope[];
  requireAnyScope?: readonly StellaOpsScope[];
 }
@@ -30,10 +32,12 @@ export interface NavItem {
      class="nav-item"
      [class.nav-item--child]="isChild"
      [class.nav-item--icon-only]="collapsed"
      [class.nav-item--recommended]="!!recommendationLabel"
      [routerLink]="route"
      routerLinkActive="nav-item--active"
      [routerLinkActiveOptions]="isChild ? { paths: 'subset', queryParams: 'ignored', matrixParams: 'ignored', fragment: 'ignored' } : { paths: 'exact', queryParams: 'ignored', matrixParams: 'ignored', fragment: 'ignored' }"
-      [attr.title]="label"
+      [attr.title]="titleText()"
      [attr.aria-label]="ariaLabelText()"
      >
      <span class="nav-item__icon" [attr.aria-hidden]="true">
        @switch (icon) {
@@ -407,11 +411,23 @@ export interface NavItem {
      </span>
      @if (!collapsed) {
-        <span class="nav-item__label">{{ label }}</span>
+        <span class="nav-item__content">
          @if (recommendationLabel && !isChild) {
            <span class="nav-item__recommendation">{{ recommendationLabel }}</span>
          }
          <span class="nav-item__label">{{ label }}</span>
          @if (tooltip && !isChild) {
            <span class="nav-item__context">{{ tooltip }}</span>
          }
        </span>
      }
      @if (!collapsed && badge !== null && badge > 0) {
-        <span class="nav-item__badge" [attr.aria-label]="badge + ' pending'">
+        <span
          class="nav-item__badge"
          [attr.title]="badgeTooltip || null"
          [attr.aria-label]="badgeTooltip || (badge + ' pending')"
        >
          {{ badge > 9 ? '9+' : badge }}
        </span>
      }
@@ -481,6 +497,29 @@ export interface NavItem {
      }
    }
    .nav-item--recommended:not(.nav-item--active) {
      background:
        linear-gradient(
          90deg,
          color-mix(in srgb, var(--color-brand-primary) 16%, transparent),
          transparent 80%
        );
      box-shadow: inset 0 0 0 1px color-mix(in srgb, var(--color-brand-primary) 24%, transparent);
    }
    .nav-item--recommended:not(.nav-item--active)::after {
      content: '';
      position: absolute;
      right: 0.5rem;
      top: 50%;
      width: 0.45rem;
      height: 0.45rem;
      transform: translateY(-50%);
      border-radius: 9999px;
      background: var(--color-brand-primary);
      box-shadow: 0 0 10px color-mix(in srgb, var(--color-brand-primary) 40%, transparent);
    }
    .nav-item--child {
      font-size: 0.7875rem;
      font-weight: 420;
@@ -554,14 +593,40 @@ export interface NavItem {
      opacity: 1;
    }
-    .nav-item__label {
+    .nav-item__content {
      flex: 1;
      min-width: 0;
      display: grid;
      gap: 0.125rem;
    }
    .nav-item__label {
      white-space: nowrap;
      overflow: hidden;
      text-overflow: ellipsis;
      min-width: 0;
    }
    .nav-item__recommendation {
      justify-self: start;
      padding: 0.1rem 0.42rem;
      border-radius: 9999px;
      background: color-mix(in srgb, var(--color-brand-primary) 18%, transparent);
      color: var(--color-sidebar-active-text);
      font-size: 0.625rem;
      font-weight: 700;
      letter-spacing: 0.04em;
      text-transform: uppercase;
      line-height: 1.4;
    }
    .nav-item__context {
      color: var(--color-sidebar-text-muted);
      font-size: 0.6875rem;
      line-height: 1.35;
      white-space: normal;
    }
    .nav-item__badge {
      flex-shrink: 0;
      min-width: 18px;
@@ -609,6 +674,12 @@ export interface NavItem {
        background: var(--color-sidebar-active-border);
      }
    }
    .nav-item--icon-only.nav-item--recommended:not(.nav-item--active) {
      box-shadow:
        inset 0 0 0 1px color-mix(in srgb, var(--color-brand-primary) 24%, transparent),
        0 0 14px color-mix(in srgb, var(--color-brand-primary) 18%, transparent);
    }
  `],
  changeDetection: ChangeDetectionStrategy.OnPush,
 })
@@ -617,6 +688,21 @@ export class SidebarNavItemComponent {
  @Input({ required: true }) icon!: string;
  @Input({ required: true }) route!: string;
  @Input() badge: number | null = null;
  @Input() tooltip: string | null = null;
  @Input() badgeTooltip: string | null = null;
  @Input() recommendationLabel: string | null = null;
  @Input() isChild = false;
  @Input() collapsed = false;
  titleText(): string | null {
    if (this.collapsed) {
      return [this.recommendationLabel, this.tooltip || this.label].filter(Boolean).join(' — ');
    }
    return this.tooltip || this.recommendationLabel || null;
  }
  ariaLabelText(): string {
    return [this.label, this.recommendationLabel, this.tooltip].filter(Boolean).join('. ');
  }
 }
--- a/src/Web/StellaOps.Web/src/app/layout/context-chips/context-chip-tooltips.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/context-chips/context-chip-tooltips.spec.ts
@@ -0,0 +1,127 @@
 import { TestBed } from '@angular/core/testing';
 import { provideRouter } from '@angular/router';
 import { of } from 'rxjs';
 import { AUTH_SERVICE } from '../../core/auth/auth.service';
 import { PlatformContextStore } from '../../core/context/platform-context.store';
 import { OfflineModeService } from '../../core/services/offline-mode.service';
 import { PolicyPackStore } from '../../features/policy-studio/services/policy-pack.store';
 import { EvidenceModeChipComponent } from './evidence-mode-chip.component';
 import { FeedSnapshotChipComponent } from './feed-snapshot-chip.component';
 import { LiveEventStreamChipComponent } from './live-event-stream-chip.component';
 import { OfflineStatusChipComponent } from './offline-status-chip.component';
 import { PolicyBaselineChipComponent } from './policy-baseline-chip.component';
 describe('Context chip onboarding tooltips', () => {
  it('explains missing policy baseline with an action-oriented tooltip', () => {
    TestBed.configureTestingModule({
      imports: [PolicyBaselineChipComponent],
      providers: [
        provideRouter([]),
        {
          provide: PolicyPackStore,
          useValue: {
            getPacks: () => of([]),
          },
        },
      ],
    });
    const fixture = TestBed.createComponent(PolicyBaselineChipComponent);
    fixture.detectChanges();
    expect(fixture.componentInstance.tooltip()).toContain('Policy: No baseline.');
    expect(fixture.componentInstance.tooltip()).toContain('Open Policy Packs');
  });
  it('explains disabled evidence signing in plain language', () => {
    TestBed.configureTestingModule({
      imports: [EvidenceModeChipComponent],
      providers: [
        provideRouter([]),
        {
          provide: AUTH_SERVICE,
          useValue: {
            hasAnyScope: () => false,
          },
        },
      ],
    });
    const fixture = TestBed.createComponent(EvidenceModeChipComponent);
    fixture.detectChanges();
    expect(fixture.componentInstance.tooltip()).toContain('Evidence: OFF.');
    expect(fixture.componentInstance.tooltip()).toContain('enable evidence-grade workflows');
  });
  it('warns when advisory feed data is stale', () => {
    TestBed.configureTestingModule({
      imports: [FeedSnapshotChipComponent],
      providers: [
        provideRouter([]),
        {
          provide: OfflineModeService,
          useValue: {
            bundleFreshness: () => ({
              status: 'stale',
              bundleCreatedAt: '2026-03-01T00:00:00Z',
              ageInDays: 8,
              message: 'Bundle is 8 days old - feed data may be stale',
            }),
          },
        },
      ],
    });
    const fixture = TestBed.createComponent(FeedSnapshotChipComponent);
    fixture.detectChanges();
    expect(fixture.componentInstance.tooltip()).toContain('Advisory data is stale');
    expect(fixture.componentInstance.tooltip()).toContain('Open Feeds & Airgap');
  });
  it('explains degraded event streaming', () => {
    TestBed.configureTestingModule({
      imports: [LiveEventStreamChipComponent],
      providers: [
        provideRouter([]),
        {
          provide: PlatformContextStore,
          useValue: {
            error: () => 'stream disconnected',
          },
        },
      ],
    });
    const fixture = TestBed.createComponent(LiveEventStreamChipComponent);
    fixture.detectChanges();
    expect(fixture.componentInstance.tooltip()).toContain('Events: Degraded.');
    expect(fixture.componentInstance.tooltip()).toContain('Open Operations');
  });
  it('explains offline mode with refresh guidance', () => {
    TestBed.configureTestingModule({
      imports: [OfflineStatusChipComponent],
      providers: [
        provideRouter([]),
        {
          provide: OfflineModeService,
          useValue: {
            isOffline: () => true,
            bundleFreshness: () => null,
            offlineBannerMessage: () => 'Offline Mode - Data as of Mar 1, 2026',
          },
        },
      ],
    });
    const fixture = TestBed.createComponent(OfflineStatusChipComponent);
    fixture.detectChanges();
    expect(fixture.componentInstance.tooltip()).toContain('Offline: Degraded.');
    expect(fixture.componentInstance.tooltip()).toContain('Open Offline Kit');
  });
 });
--- a/src/Web/StellaOps.Web/src/app/layout/context-chips/context-chips.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/context-chips/context-chips.component.ts
@@ -70,6 +70,31 @@ import { StellaFilterMultiComponent, FilterMultiOption } from '../../shared/comp
          (valueChange)="selectStage($event)"
        />
        <!-- Advisory category filter (only on advisory-vex-sources route) -->
        @if (showAdvisoryFilter()) {
          <stella-filter-multi
            label="Category"
            [options]="advisoryCategoryMultiOptions()"
            (optionsChange)="onAdvisoryCategoryChange($event)"
          />
        }
        <!-- Integration status filter (only on integration routes) -->
        @if (showIntegrationFilter()) {
          <div class="ctx__segmented" role="radiogroup" aria-label="Integration status">
            @for (opt of integrationStatusOptions; track opt.value) {
              <button
                type="button"
                role="radio"
                class="ctx__seg-btn"
                [class.ctx__seg-btn--active]="context.integrationStatus() === opt.value"
                [attr.aria-checked]="context.integrationStatus() === opt.value"
                (click)="selectIntegrationStatus(opt.value)"
              >{{ opt.label }}</button>
            }
          </div>
        }
        <!-- Release lane toggle (only on release routes) -->
        @if (showLaneToggle()) {
          <div class="ctx__segmented" role="radiogroup" aria-label="Lane">
@@ -230,6 +255,43 @@ export class ContextChipsComponent {
    { initialValue: this.router.url },
  );
  readonly showAdvisoryFilter = computed(() => {
    const url = (this.currentUrl() ?? '').split('?')[0];
    return url.includes('/advisory-vex-sources');
  });
  private readonly advisoryCategoryIds = [
    'Primary', 'Vendor', 'Distribution', 'Ecosystem', 'Cert', 'Csaf',
    'Threat', 'Exploit', 'Container', 'Hardware', 'Ics', 'PackageManager',
    'Mirror', 'Other',
  ];
  readonly advisoryCategoryMultiOptions = computed<FilterMultiOption[]>(() => {
    const selected = this.context.advisoryCategories();
    return this.advisoryCategoryIds.map(cat => ({
      id: cat,
      label: cat,
      checked: selected.length === 0 || selected.includes(cat),
    }));
  });
  readonly showIntegrationFilter = computed(() => {
    const url = (this.currentUrl() ?? '').split('?')[0];
    return url.includes('/integrations/registries') ||
           url.includes('/integrations/scm') ||
           url.includes('/integrations/ci') ||
           url.includes('/integrations/runtime-hosts') ||
           url.includes('/integrations/secrets');
  });
  readonly integrationStatusOptions = [
    { value: 'all', label: 'All' },
    { value: 'active', label: 'Active' },
    { value: 'pending', label: 'Pending' },
    { value: 'failed', label: 'Failed' },
    { value: 'disabled', label: 'Disabled' },
  ];
  readonly showLaneToggle = computed(() => {
    const url = (this.currentUrl() ?? '').split('?')[0];
    return url.startsWith('/releases');
@@ -317,4 +379,17 @@ export class ContextChipsComponent {
  selectLane(value: 'standard' | 'hotfix'): void {
    this.context.setReleaseLane(value);
  }
  selectIntegrationStatus(value: string): void {
    this.context.setIntegrationStatus(value);
  }
  onAdvisoryCategoryChange(options: FilterMultiOption[]): void {
    const next = options.filter(o => o.checked).map(o => o.id);
    if (next.length === 0 || next.length === this.advisoryCategoryIds.length) {
      this.context.setAdvisoryCategories([]);
    } else {
      this.context.setAdvisoryCategories(next);
    }
  }
 }
--- a/src/Web/StellaOps.Web/src/app/layout/context-chips/evidence-mode-chip.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/context-chips/evidence-mode-chip.component.ts
@@ -86,7 +86,7 @@ export class EvidenceModeChipComponent {
  readonly tooltip = computed(() =>
    this.isEnabled()
-      ? 'Evidence: ON \u2014 signing scopes active'
+      ? 'Evidence: ON. Signing scopes are active, so Stella can seal releases, approvals, and exports with auditable proof.'
-      : 'Evidence: OFF \u2014 signing scopes inactive'
+      : 'Evidence: OFF. Signing scopes are inactive, so releases may be readable but not fully attestable. Open trust and signing to enable evidence-grade workflows.'
  );
 }
--- a/src/Web/StellaOps.Web/src/app/layout/context-chips/feed-snapshot-chip.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/context-chips/feed-snapshot-chip.component.ts
@@ -97,8 +97,8 @@ export class FeedSnapshotChipComponent {
  readonly tooltip = computed(() => {
    if (this.isStale()) {
-      return `Feed: ${this.snapshotDate()} \u2014 stale`;
+      return `Feed: ${this.snapshotDate()}. Advisory data is stale, so newly published CVEs or VEX updates may not be reflected yet. Open Feeds & Airgap to refresh the snapshot.`;
    }
-    return `Feed: ${this.snapshotDate()}`;
+    return `Feed: ${this.snapshotDate()}. This is the advisory snapshot Stella is matching your scans against right now.`;
  });
 }
--- a/src/Web/StellaOps.Web/src/app/layout/context-chips/live-event-stream-chip.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/context-chips/live-event-stream-chip.component.ts
@@ -75,9 +75,11 @@ export class LiveEventStreamChipComponent {
  readonly tooltip = computed(() => {
    if (this.status() === 'connected') {
-      return 'Events: Connected';
+      return 'Events: Connected. Live platform activity is streaming normally, so approvals, deployments, and audits should update in near real time.';
    }
    const error = this.context.error();
-    return error ? `Events: Degraded \u2014 ${error}` : 'Events: Degraded';
+    return error
      ? `Events: Degraded. The live stream is having trouble, so timelines may lag behind recent activity. Open Operations to inspect the stream health. Details: ${error}`
      : 'Events: Degraded. Live activity may be delayed. Open Operations to inspect the stream health.';
  });
 }
--- a/src/Web/StellaOps.Web/src/app/layout/context-chips/offline-status-chip.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/context-chips/offline-status-chip.component.ts
@@ -89,21 +89,21 @@ export class OfflineStatusChipComponent {
  readonly tooltip = computed(() => {
    if (this.status() === 'ok') {
-      return 'Offline: OK \u2014 online with live connectivity';
+      return 'Offline: OK. Stella is online and using live platform connectivity rather than a frozen offline bundle.';
    }
    if (this.offlineMode.isOffline()) {
      const message = this.offlineMode.offlineBannerMessage();
      return message
-        ? `Offline: Degraded \u2014 ${message}`
+        ? `Offline: Degraded. ${message}. Open Offline Kit to review the current bundle and decide whether it needs a refresh.`
-        : 'Offline: Degraded \u2014 offline mode is active';
+        : 'Offline: Degraded. Offline mode is active, so the UI may be using cached bundle data instead of live services.';
    }
    const freshness = this.offlineMode.bundleFreshness();
    if (freshness?.message) {
-      return `Offline: Degraded \u2014 ${freshness.message}`;
+      return `Offline: Degraded. ${freshness.message}. Refresh the offline bundle if you need newer advisory or evidence data.`;
    }
-    return 'Offline: Degraded';
+    return 'Offline: Degraded. Connectivity or bundle freshness needs operator attention.';
  });
 }
--- a/src/Web/StellaOps.Web/src/app/layout/context-chips/policy-baseline-chip.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/context-chips/policy-baseline-chip.component.ts
@@ -88,10 +88,10 @@ export class PolicyBaselineChipComponent {
  readonly tooltip = computed(() => {
    const packs = this.packs();
    if (packs.length === 0) {
-      return 'Policy: No baseline';
+      return 'Policy: No baseline. Releases are not yet being checked against an active policy pack. Open Policy Packs to activate a baseline before you rely on PASS, WARN, or BLOCK outcomes.';
    }
    const activePack = packs.find((pack) => pack.status === 'active') ?? packs[0];
-    return `Policy: ${activePack.name} ${activePack.version}`.trim();
+    return `Policy: ${activePack.name} ${activePack.version}. This active baseline is the ruleset currently deciding release gates and approvals. Open Policy Packs to review or switch it.`.trim();
  });
 }
--- a/src/Web/StellaOps.Web/src/app/layout/search-assistant-host/search-assistant-host.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/search-assistant-host/search-assistant-host.component.ts
@@ -228,8 +228,11 @@ interface TrailBubble { x: number; y: number; size: number; delay: number; }
    .ah__close-btn:hover { background: color-mix(in srgb, var(--color-status-error, #c62828) 10%, transparent); color: var(--color-status-error, #c62828); }
    /* ===== Content ===== */
-    .ah__content { flex:1; display:flex; flex-direction:column; min-height:0; overflow:hidden; }
+    .ah__content { flex:1; display:flex; flex-direction:column; min-height:0; overflow:hidden; position:relative; }
-    .ah__content stellaops-chat { flex:1; }
+
    .ah__view { display:flex; flex-direction:column; flex:1; min-height:0; }
    .ah__view stellaops-chat { flex:1; }
    .ah__view--hidden { display:none; }
    /* ===== Search view ===== */
    .ah__search-view { display:flex; flex-direction:column; height:100%; }
@@ -361,7 +364,7 @@ export class SearchAssistantHostComponent {
        this.entering.set(true);
        this.chatVisible.set(true);
        setTimeout(() => { this.entering.set(false); this.computeTrail(); }, 500);
-        setTimeout(() => this.drawerRef?.nativeElement?.focus(), 100);
+        setTimeout(() => this.focusActiveView(), 300);
        setTimeout(() => this.computeTrail(), 50);
      }
    });
@@ -376,7 +379,10 @@ export class SearchAssistantHostComponent {
    }, 280);
  }
-  onToggleView(): void { this.stella.toggleDrawerView(); }
+  onToggleView(): void {
    this.stella.toggleDrawerView();
    setTimeout(() => this.focusActiveView(), 100);
  }
  onNewSession(): void {
    this.stella.newSession();
@@ -433,6 +439,20 @@ export class SearchAssistantHostComponent {
    }
  }
  /** Focus the appropriate input based on the active drawer view */
  private focusActiveView(): void {
    const drawerEl = this.drawerRef?.nativeElement;
    if (!drawerEl) return;
    if (this.stella.drawerView() === 'search') {
      const searchInput = drawerEl.querySelector<HTMLInputElement>('.ah__search-input');
      searchInput?.focus();
    } else {
      const chatInput = drawerEl.querySelector<HTMLTextAreaElement>('textarea.chat-input');
      chatInput?.focus();
    }
  }
  onBackdropClick(event: MouseEvent): void {
    if (event.target === event.currentTarget) this.close();
  }
--- a/src/Web/StellaOps.Web/src/app/shared/components/command-palette/command-palette.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/command-palette/command-palette.component.spec.ts
@@ -0,0 +1,136 @@
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { Router } from '@angular/router';
 import { of } from 'rxjs';
 import { SearchClient } from '../../../core/api/search.client';
 import { QuickAction, SearchResponse } from '../../../core/api/search.models';
 import { SeedClient } from '../../../core/api/seed.client';
 import { DoctorQuickCheckService } from '../../../features/doctor/services/doctor-quick-check.service';
 import { CommandPaletteComponent } from './command-palette.component';
 describe('CommandPaletteComponent', () => {
  let fixture: ComponentFixture<CommandPaletteComponent>;
  let component: CommandPaletteComponent;
  let searchClient: jasmine.SpyObj<SearchClient>;
  beforeEach(async () => {
    searchClient = jasmine.createSpyObj<SearchClient>('SearchClient', ['search']);
    searchClient.search.and.returnValue(
      of({
        query: '',
        groups: [],
        totalCount: 0,
        durationMs: 0,
      } satisfies SearchResponse)
    );
    await TestBed.configureTestingModule({
      imports: [CommandPaletteComponent],
      providers: [
        { provide: SearchClient, useValue: searchClient },
        {
          provide: Router,
          useValue: jasmine.createSpyObj<Router>('Router', ['navigate', 'navigateByUrl']),
        },
        {
          provide: DoctorQuickCheckService,
          useValue: {
            getQuickActions: (): QuickAction[] => [],
          },
        },
        {
          provide: SeedClient,
          useValue: jasmine.createSpyObj<SeedClient>('SeedClient', ['seedDemo']),
        },
      ],
    }).compileComponents();
    fixture = TestBed.createComponent(CommandPaletteComponent);
    component = fixture.componentInstance;
    component.open();
    fixture.detectChanges();
  });
  async function flushSearch(): Promise<void> {
    await new Promise((resolve) => setTimeout(resolve, 260));
    fixture.detectChanges();
    await fixture.whenStable();
    fixture.detectChanges();
  }
  it('shows glossary help results for help commands without calling backend search', async () => {
    component.onQueryChange('help: sbom');
    await flushSearch();
    expect(searchClient.search).not.toHaveBeenCalled();
    expect(component.displayGroups().length).toBe(1);
    expect(component.displayGroups()[0].label).toBe('Help & Guides');
    expect(component.displayGroups()[0].results.map((result) => result.title)).toContain('Help: SBOM');
    expect(fixture.nativeElement.textContent).toContain('Help & Guides (');
  });
  it('maps guide: first setup to the setup wizard launch result', async () => {
    component.onQueryChange('guide: first setup');
    await flushSearch();
    const result = component.helpResults().find((entry) => entry.id === 'guide-first-setup');
    expect(result?.route).toBe('/setup-wizard/wizard');
  });
  it('expands guide: scan image into ordered inline steps', async () => {
    component.onQueryChange('guide: scan image');
    await flushSearch();
    const stepResults = component.helpResults().filter(
      (entry) => entry.metadata?.['helpKind'] === 'guide-step' && entry.metadata?.['guideId'] === 'scan-image'
    );
    expect(stepResults.length).toBe(3);
    expect(stepResults[0].title).toContain('Step 1');
    expect(stepResults[0].route).toBe('/security/scan');
    expect(stepResults[1].route).toBe('/security/supply-chain-data');
  });
  it('renders help results inline alongside backend search groups for plain queries', async () => {
    searchClient.search.and.returnValue(
      of({
        query: 'vex',
        groups: [
          {
            type: 'docs',
            label: 'Docs',
            results: [
              {
                id: 'docs-vex',
                type: 'docs',
                title: 'VEX Reference',
                description: 'Documentation search result',
                route: '/security/advisories-vex',
                matchScore: 50,
                open: {
                  kind: 'docs',
                  docs: {
                    path: 'docs/VEX_CONSENSUS_GUIDE.md',
                    anchor: 'vex-reference',
                    spanStart: 0,
                    spanEnd: 0,
                  },
                },
              },
            ],
            totalCount: 1,
            hasMore: false,
          },
        ],
        totalCount: 1,
        durationMs: 8,
      } satisfies SearchResponse)
    );
    component.onQueryChange('vex');
    await flushSearch();
    expect(searchClient.search).toHaveBeenCalledWith('vex');
    expect(component.displayGroups().map((group) => group.label)).toEqual(['Help & Guides', 'Docs']);
    expect(component.displayGroups()[0].results.some((result) => result.id === 'help-vex')).toBeTrue();
  });
 });
--- a/src/Web/StellaOps.Web/src/app/shared/components/command-palette/command-palette.component.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/command-palette/command-palette.component.ts
@@ -31,6 +31,110 @@ import {
 } from '../../../core/api/search.models';
 import { DoctorQuickCheckService } from '../../../features/doctor/services/doctor-quick-check.service';
 import { SeedClient } from '../../../core/api/seed.client';
 import { GlossaryEntry, PlainLanguageService } from '../../services/plain-language.service';
 interface PaletteResultGroup extends SearchResultGroup {
  id: string;
 }
 interface HelpWorkflowStep {
  title: string;
  description: string;
  route: string;
 }
 interface HelpWorkflow {
  id: string;
  title: string;
  description: string;
  route: string;
  aliases: string[];
  keywords: string[];
  steps?: HelpWorkflowStep[];
 }
 const HELP_GROUP_ID = 'help-guides';
 const GLOSSARY_ROUTE_MAP: Record<string, string> = {
  sbom: '/security/supply-chain-data',
  vex: '/security/advisories-vex',
  cve: '/security/triage',
  cvss: '/security/triage',
  epss: '/security/triage',
  kev: '/security/triage',
  reachability: '/security/reachability',
  call_path: '/security/reachability',
  entry_point: '/security/reachability',
  dsse: '/evidence/overview',
  attestation: '/evidence/overview',
  merkle_proof: '/evidence/proofs',
  baseline: '/releases',
  head: '/releases',
  delta: '/releases',
  purl: '/security/supply-chain-data',
 };
 const HELP_WORKFLOWS: HelpWorkflow[] = [
  {
    id: 'first-setup',
    title: 'First Setup',
    description: 'Launch the guided setup wizard, then connect integrations and validate the platform before your first scan.',
    route: '/setup-wizard/wizard',
    aliases: ['first setup', 'setup wizard', 'guided setup', 'onboarding'],
    keywords: ['setup', 'wizard', 'onboarding', 'integrations', 'first run'],
    steps: [
      {
        title: 'Start the setup wizard',
        description: 'Open the guided setup flow and step through the initial platform configuration.',
        route: '/setup-wizard/wizard',
      },
      {
        title: 'Connect integrations',
        description: 'Use the integrations hub to add registries, source control, CI/CD, advisory feeds, and secrets.',
        route: '/setup/integrations',
      },
      {
        title: 'Run diagnostics',
        description: 'Verify that services, feeds, and signing components are healthy before operators depend on them.',
        route: '/ops/operations/doctor',
      },
      {
        title: 'Scan the first image',
        description: 'Populate SBOM, findings, and release evidence so the rest of the UI has real data to work with.',
        route: '/security/scan',
      },
    ],
  },
  {
    id: 'scan-image',
    title: 'Scan Image',
    description: 'Follow the scan workflow from image submission to SBOM review and vulnerability triage.',
    route: '/security/scan',
    aliases: ['scan image', 'scan artifact', 'first scan', 'image scan'],
    keywords: ['scan', 'image', 'artifact', 'sbom', 'triage', 'vulnerability'],
    steps: [
      {
        title: 'Open the scan form',
        description: 'Choose an image, digest, or artifact coordinate and start the on-demand scan.',
        route: '/security/scan',
      },
      {
        title: 'Review supply-chain data',
        description: 'Inspect the generated SBOM and component inventory to confirm what Stella actually found.',
        route: '/security/supply-chain-data',
      },
      {
        title: 'Triage the findings',
        description: 'Use vulnerability and reachability views to decide what is actionable before promotion.',
        route: '/security/reachability',
      },
    ],
  },
 ];
 function normalizeHelpQuery(value: string): string {
  return value.toLowerCase().replace(/[\s-]+/g, '_').replace(/[^a-z0-9_:]/g, '');
 }
@Component({
    selector: 'app-command-palette',
@@ -57,10 +161,10 @@ import { SeedClient } from '../../../core/api/seed.client';
              #searchInput
              type="text"
              class="cp__input"
-              [(ngModel)]="query"
+              [ngModel]="query()"
              (ngModelChange)="onQueryChange($event)"
              (keydown)="onKeyDown($event)"
-              placeholder="Search StellaOps or type > for commands..."
+              placeholder="Search, >actions, help: sbom, guide: first setup"
              id="command-palette-title"
              autocomplete="off"
            />
@@ -97,7 +201,7 @@ import { SeedClient } from '../../../core/api/seed.client';
                  <div class="cp__empty">No matching actions</div>
                }
              </div>
-            } @else if (!query || query.length < 2) {
+            } @else if (!query() || query().length < 2) {
              @if (recentSearches().length > 0) {
                <div class="cp__section cp__section--border">
                  <div class="cp__section-header">
@@ -154,8 +258,8 @@ import { SeedClient } from '../../../core/api/seed.client';
                  }
                </div>
              }
-              @if (searchResponse()) {
+              @if (displayGroups().length > 0) {
-                @for (group of searchResponse()!.groups; track group.type) {
+                @for (group of displayGroups(); track group.id) {
                  <div class="cp__section cp__section--border">
                    <div class="cp__section-label">
                      {{ group.label }} ({{ group.totalCount }})
@@ -168,10 +272,10 @@ import { SeedClient } from '../../../core/api/seed.client';
                        (mouseenter)="setSelectedResult(group, i)"
                      >
                        <span class="cp__row-icon">
-                          {{ getEntityIcon(group.type) }}
+                          {{ getGroupIcon(group) }}
                        </span>
                        <div class="cp__row-content">
-                          <div class="cp__row-label" [innerHTML]="highlightMatch(result.title, query)"></div>
+                          <div class="cp__row-label" [innerHTML]="highlightMatch(result.title, query())"></div>
                          @if (result.subtitle) {
                            <div class="cp__row-desc">{{ result.subtitle }}</div>
                          } @else if (result.description) {
@@ -192,12 +296,11 @@ import { SeedClient } from '../../../core/api/seed.client';
                    }
                  </div>
                }
-                @if (searchResponse()!.groups.length === 0 && inlineMatchedActions().length === 0) {
+              } @else if (!loading()) {
-                  <div class="cp__empty cp__empty--lg">
+                <div class="cp__empty cp__empty--lg">
-                    <div class="cp__empty-title">No results found</div>
+                  <div class="cp__empty-title">No results found</div>
-                    <div class="cp__empty-hint">Try a different search term or use &gt; for actions</div>
+                  <div class="cp__empty-hint">Try a different term, or use help: / guide: commands</div>
-                  </div>
+                </div>
                }
              }
            }
          </div>
@@ -207,6 +310,8 @@ import { SeedClient } from '../../../core/api/seed.client';
              <span><kbd>Up/Down</kbd> Navigate</span>
              <span><kbd>Enter</kbd> Select</span>
              <span><kbd>Esc</kbd> Close</span>
              <span><kbd>help:</kbd> Glossary</span>
              <span><kbd>guide:</kbd> Workflow</span>
            </div>
            @if (searchResponse()) {
              <span>{{ searchResponse()!.durationMs }}ms</span>
@@ -500,6 +605,7 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
  private readonly router = inject(Router);
  private readonly doctorQuickCheck = inject(DoctorQuickCheckService);
  private readonly seedClient = inject(SeedClient);
  private readonly plainLanguage = inject(PlainLanguageService);
  private readonly destroy$ = new Subject<void>();
  private readonly searchQuery$ = new Subject<string>();
@@ -510,7 +616,7 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
  @ViewChild('searchInput') searchInput!: ElementRef<HTMLInputElement>;
  isOpen = signal(false);
-  query = '';
+  query = signal('');
  loading = signal(false);
  selectedIndex = signal(0);
  searchResponse = signal<SearchResponse | null>(null);
@@ -519,12 +625,34 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
  quickActions: QuickAction[] = DEFAULT_QUICK_ACTIONS;
  readonly highlightMatch = highlightMatch;
-  isActionMode = computed(() => this.query.startsWith('>'));
+  isActionMode = computed(() => this.query().startsWith('>'));
-  filteredActions = computed(() => filterQuickActions(this.query, this.quickActions));
+  filteredActions = computed(() => filterQuickActions(this.query(), this.quickActions));
  /** Quick actions matching a plain-text (non-">" prefixed) query. */
  inlineMatchedActions = signal<QuickAction[]>([]);
  readonly helpResults = computed(() => this.buildHelpResults(this.query()));
  readonly displayGroups = computed<PaletteResultGroup[]>(() => {
    const groups: PaletteResultGroup[] = [];
    const helpResults = this.helpResults();
-  private flatResults: SearchResult[] = [];
+    if (helpResults.length > 0) {
      groups.push({
        id: HELP_GROUP_ID,
        type: 'docs',
        label: 'Help & Guides',
        results: helpResults,
        totalCount: helpResults.length,
        hasMore: false,
      });
    }
    const response = this.searchResponse();
    if (response) {
      groups.push(...response.groups.map((group) => ({ ...group, id: `search-${group.type}` })));
    }
    return groups;
  });
  readonly flatResults = computed(() => this.displayGroups().flatMap((group) => group.results));
  ngOnInit(): void {
    // Merge Doctor quick actions (with bound callbacks) into the actions list
@@ -538,7 +666,7 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
    this.recentSearches.set(getRecentSearches());
    this.searchQuery$.pipe(debounceTime(200), distinctUntilChanged(), takeUntil(this.destroy$))
      .subscribe((query) => {
-        if (query.startsWith('>') || query.length < 2) {
+        if (query.startsWith('>') || query.length < 2 || this.isLocalHelpCommand(query)) {
          this.searchResponse.set(null);
          this.loading.set(false);
          return;
@@ -547,7 +675,6 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
        this.searchClient.search(query).subscribe({
          next: (response) => {
            this.searchResponse.set(response);
            this.flatResults = response.groups.flatMap((g) => g.results);
            this.selectedIndex.set(0);
            this.loading.set(false);
            addRecentSearch(query, response.totalCount);
@@ -572,7 +699,7 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
  open(): void {
    this.isOpen.set(true);
-    this.query = '';
+    this.query.set('');
    this.searchResponse.set(null);
    this.inlineMatchedActions.set([]);
    this.selectedIndex.set(0);
@@ -580,9 +707,14 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
    setTimeout(() => this.searchInput?.nativeElement?.focus(), 0);
  }
-  close(): void { this.isOpen.set(false); this.query = ''; this.inlineMatchedActions.set([]); }
+  close(): void {
    this.isOpen.set(false);
    this.query.set('');
    this.inlineMatchedActions.set([]);
  }
  onQueryChange(query: string): void {
    this.query.set(query);
    this.selectedIndex.set(0);
    // For plain-text queries (no ">" prefix), compute matching quick actions
    if (!query.startsWith('>') && query.trim().length >= 2) {
@@ -605,16 +737,16 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
  private getMaxIndex(): number {
    if (this.isActionMode()) return Math.max(0, this.filteredActions().length - 1);
-    if (!this.query || this.query.length < 2) return Math.max(0, this.recentSearches().length + 5 - 1);
+    if (!this.query() || this.query().length < 2) return Math.max(0, this.recentSearches().length + 5 - 1);
    // In mixed mode: inline actions + search results
    const inlineCount = this.inlineMatchedActions().length;
-    return Math.max(0, inlineCount + this.flatResults.length - 1);
+    return Math.max(0, inlineCount + this.flatResults().length - 1);
  }
  private selectCurrentItem(): void {
    const idx = this.selectedIndex();
    if (this.isActionMode()) { const a = this.filteredActions()[idx]; if (a) this.executeAction(a); return; }
-    if (!this.query || this.query.length < 2) {
+    if (!this.query() || this.query().length < 2) {
      const rc = this.recentSearches().length;
      if (idx < rc) { this.selectRecent(this.recentSearches()[idx]); }
      else { const a = this.quickActions[idx - rc]; if (a) this.executeAction(a); }
@@ -627,7 +759,7 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
      if (action) this.executeAction(action);
      return;
    }
-    const result = this.flatResults[idx - inlineCount];
+    const result = this.flatResults()[idx - inlineCount];
    if (result) this.selectResult(result);
  }
@@ -635,7 +767,7 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
    this.close();
    this.executeSearchResult(result);
  }
-  selectRecent(recent: RecentSearch): void { this.query = recent.query; this.onQueryChange(recent.query); }
+  selectRecent(recent: RecentSearch): void { this.onQueryChange(recent.query); }
  executeAction(action: QuickAction): void {
    if (action.id === 'seed-demo') {
      this.close();
@@ -696,29 +828,36 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
  }
  clearRecent(): void { clearRecentSearches(); this.recentSearches.set([]); }
-  isResultSelected(group: SearchResultGroup, resultIndex: number): boolean {
+  isResultSelected(group: PaletteResultGroup, resultIndex: number): boolean {
    const inlineOffset = this.inlineMatchedActions().length;
    let flatIdx = inlineOffset;
-    const response = this.searchResponse();
+    const groups = this.displayGroups();
-    if (!response) return false;
+    if (groups.length === 0) return false;
-    for (const g of response.groups) {
+    for (const g of groups) {
-      if (g.type === group.type) return this.selectedIndex() === flatIdx + resultIndex;
+      if (g.id === group.id) return this.selectedIndex() === flatIdx + resultIndex;
      flatIdx += g.results.length;
    }
    return false;
  }
-  setSelectedResult(group: SearchResultGroup, resultIndex: number): void {
+  setSelectedResult(group: PaletteResultGroup, resultIndex: number): void {
    const inlineOffset = this.inlineMatchedActions().length;
    let flatIdx = inlineOffset;
-    const response = this.searchResponse();
+    const groups = this.displayGroups();
-    if (!response) return;
+    if (groups.length === 0) return;
-    for (const g of response.groups) {
+    for (const g of groups) {
-      if (g.type === group.type) { this.selectedIndex.set(flatIdx + resultIndex); return; }
+      if (g.id === group.id) { this.selectedIndex.set(flatIdx + resultIndex); return; }
      flatIdx += g.results.length;
    }
  }
  getGroupIcon(group: PaletteResultGroup): string {
    if (group.id === HELP_GROUP_ID) {
      return '?';
    }
    return this.getEntityIcon(group.type);
  }
  getEntityIcon(type: string): string {
    const icons: Record<string, string> = {
      docs: 'D',
@@ -739,7 +878,230 @@ export class CommandPaletteComponent implements OnInit, OnDestroy {
      api: '/ops/integrations',
      doctor: '/ops/operations/doctor',
    };
-    if (routes[type]) this.router.navigate([routes[type]], { queryParams: { q: this.query } });
+    if (routes[type]) this.router.navigate([routes[type]], { queryParams: { q: this.query() } });
  }
  private isLocalHelpCommand(query: string): boolean {
    return this.extractCommandPayload(query, 'help') !== null || this.extractCommandPayload(query, 'guide') !== null;
  }
  private extractCommandPayload(query: string, command: 'help' | 'guide'): string | null {
    const match = query.trim().match(new RegExp(`^${command}\\s*:\\s*(.*)$`, 'i'));
    return match ? match[1].trim() : null;
  }
  private buildHelpResults(query: string): SearchResult[] {
    const trimmedQuery = query.trim();
    if (trimmedQuery.length < 2 || trimmedQuery.startsWith('>')) {
      return [];
    }
    const helpPayload = this.extractCommandPayload(trimmedQuery, 'help');
    if (helpPayload !== null) {
      return this.buildGlossaryResults(helpPayload);
    }
    const guidePayload = this.extractCommandPayload(trimmedQuery, 'guide');
    if (guidePayload !== null) {
      return this.buildGuideResults(guidePayload, true);
    }
    const guideResults = this.buildGuideResults(trimmedQuery, false).slice(0, 2);
    const glossaryResults = this.buildGlossaryResults(trimmedQuery).slice(0, 3);
    return this.dedupeResults([...guideResults, ...glossaryResults]);
  }
  private buildGlossaryResults(filterText: string): SearchResult[] {
    const normalizedFilter = normalizeHelpQuery(filterText);
    return this.plainLanguage
      .getAllGlossaryEntries()
      .filter((entry) => this.glossaryEntryMatches(entry, normalizedFilter))
      .sort((a, b) => this.glossaryMatchScore(b, normalizedFilter) - this.glossaryMatchScore(a, normalizedFilter))
      .map((entry) => this.createGlossaryResult(entry, normalizedFilter));
  }
  private buildGuideResults(filterText: string, includeSteps: boolean): SearchResult[] {
    const normalizedFilter = normalizeHelpQuery(filterText);
    const workflows = HELP_WORKFLOWS
      .filter((workflow) => this.workflowMatches(workflow, normalizedFilter))
      .sort((a, b) => this.workflowMatchScore(b, normalizedFilter) - this.workflowMatchScore(a, normalizedFilter));
    const results: SearchResult[] = [];
    for (const workflow of workflows) {
      results.push(this.createGuideResult(workflow));
      if (!includeSteps || !workflow.steps) {
        continue;
      }
      results.push(
        ...workflow.steps.map((step, index) => ({
          id: `guide-${workflow.id}-step-${index + 1}`,
          type: 'docs' as const,
          title: `${workflow.title} · Step ${index + 1}`,
          description: step.description,
          route: step.route,
          tags: ['guide', workflow.id, `step-${index + 1}`],
          matchScore: Math.max(0, 98 - index),
          metadata: {
            helpKind: 'guide-step',
            guideId: workflow.id,
            stepNumber: index + 1,
            stepTitle: step.title,
          },
          open: {
            kind: 'docs' as const,
            docs: {
              path: workflow.route,
              anchor: `step-${index + 1}`,
              spanStart: 0,
              spanEnd: 0,
            },
          },
        }))
      );
    }
    return results;
  }
  private glossaryEntryMatches(entry: GlossaryEntry, filterText: string): boolean {
    if (!filterText) {
      return true;
    }
    const fields = [
      entry.term,
      entry.abbreviation ?? '',
      entry.plainLanguage,
      entry.detailedExplanation,
      ...(entry.relatedTerms ?? []),
    ];
    return fields.some((field) => normalizeHelpQuery(field).includes(filterText));
  }
  private glossaryMatchScore(entry: GlossaryEntry, filterText: string): number {
    if (!filterText) {
      return 0;
    }
    const normalizedTerm = normalizeHelpQuery(entry.term);
    const normalizedAbbreviation = normalizeHelpQuery(entry.abbreviation ?? '');
    if (normalizedTerm === filterText || normalizedAbbreviation === filterText) {
      return 100;
    }
    if (normalizedTerm.startsWith(filterText) || normalizedAbbreviation.startsWith(filterText)) {
      return 90;
    }
    if ((entry.relatedTerms ?? []).some((term) => normalizeHelpQuery(term).includes(filterText))) {
      return 70;
    }
    if (normalizeHelpQuery(entry.plainLanguage).includes(filterText)) {
      return 60;
    }
    return 50;
  }
  private workflowMatches(workflow: HelpWorkflow, filterText: string): boolean {
    if (!filterText) {
      return true;
    }
    const fields = [
      workflow.title,
      workflow.description,
      ...workflow.aliases,
      ...workflow.keywords,
      ...(workflow.steps?.flatMap((step) => [step.title, step.description]) ?? []),
    ];
    return fields.some((field) => normalizeHelpQuery(field).includes(filterText));
  }
  private workflowMatchScore(workflow: HelpWorkflow, filterText: string): number {
    if (!filterText) {
      return 0;
    }
    const title = normalizeHelpQuery(workflow.title);
    if (title === filterText) {
      return 100;
    }
    if (workflow.aliases.some((alias) => normalizeHelpQuery(alias) === filterText)) {
      return 95;
    }
    if (title.startsWith(filterText)) {
      return 85;
    }
    if (workflow.aliases.some((alias) => normalizeHelpQuery(alias).includes(filterText))) {
      return 80;
    }
    return 60;
  }
  private createGlossaryResult(entry: GlossaryEntry, filterText: string): SearchResult {
    const normalizedTerm = normalizeHelpQuery(entry.term);
    return {
      id: `help-${normalizedTerm}`,
      type: 'docs',
      title: `Help: ${entry.term}`,
      description: entry.plainLanguage,
      route: GLOSSARY_ROUTE_MAP[normalizedTerm] ?? '/security',
      tags: ['help', 'glossary', entry.term.toLowerCase()],
      matchScore: this.glossaryMatchScore(entry, filterText),
      metadata: {
        helpKind: 'glossary',
        term: entry.term,
        abbreviation: entry.abbreviation,
        definition: entry.detailedExplanation,
      },
      open: {
        kind: 'docs',
        docs: {
          path: entry.learnMoreUrl ?? `/help/${normalizedTerm}`,
          anchor: normalizedTerm,
          spanStart: 0,
          spanEnd: 0,
        },
      },
    };
  }
  private createGuideResult(workflow: HelpWorkflow): SearchResult {
    return {
      id: `guide-${workflow.id}`,
      type: 'docs',
      title: `Guide: ${workflow.title}`,
      description: workflow.description,
      route: workflow.route,
      tags: ['guide', workflow.id],
      matchScore: 100,
      metadata: {
        helpKind: 'guide',
        guideId: workflow.id,
      },
      open: {
        kind: 'docs',
        docs: {
          path: workflow.route,
          anchor: workflow.id,
          spanStart: 0,
          spanEnd: 0,
        },
      },
    };
  }
  private dedupeResults(results: SearchResult[]): SearchResult[] {
    const seen = new Set<string>();
    return results.filter((result) => {
      if (seen.has(result.id)) {
        return false;
      }
      seen.add(result.id);
      return true;
    });
  }
  private buildCurlCommand(result: SearchResult): string {
--- a/src/Web/StellaOps.Web/src/app/shared/components/empty-state/empty-state.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/empty-state/empty-state.component.spec.ts
@@ -0,0 +1,30 @@
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { EmptyStateComponent } from './empty-state.component';
 describe('EmptyStateComponent', () => {
  let fixture: ComponentFixture<EmptyStateComponent>;
  let component: EmptyStateComponent;
  beforeEach(async () => {
    await TestBed.configureTestingModule({
      imports: [EmptyStateComponent],
    }).compileComponents();
    fixture = TestBed.createComponent(EmptyStateComponent);
    component = fixture.componentInstance;
  });
  it('auto-annotates glossary terms in title and description', () => {
    component.title = 'No SBOM data yet';
    component.description = 'Scan an artifact to collect VEX and CVE evidence.';
    fixture.detectChanges();
    const glossaryTerms = fixture.nativeElement.querySelectorAll('.glossary-term--inline');
    const wrappedText = Array.from<Element>(glossaryTerms).map((term) => term.textContent?.trim());
    expect(wrappedText).toContain('SBOM');
    expect(wrappedText).toContain('artifact');
    expect(wrappedText).toContain('VEX');
    expect(wrappedText).toContain('CVE');
  });
 });
--- a/src/Web/StellaOps.Web/src/app/shared/components/empty-state/empty-state.component.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/empty-state/empty-state.component.ts
@@ -1,6 +1,8 @@
-import { Component, Input } from '@angular/core';
+import { Component, Input, computed, inject } from '@angular/core';
-import { RouterLink } from '@angular/router';
+import { Router, RouterLink } from '@angular/router';
 import { GlossaryTooltipDirective } from '../../directives/glossary-tooltip.directive';
 import { getDefaultEmptyStateCopyForUrl } from '../page-help/page-help-content';
 export type EmptyStateVariant = 'default' | 'search' | 'error' | 'no-data' | 'no-access';
@@ -10,13 +12,13 @@ export type EmptyStateVariant = 'default' | 'search' | 'error' | 'no-data' | 'no
 */
@Component({
    selector: 'app-empty-state',
-    imports: [RouterLink],
+    imports: [RouterLink, GlossaryTooltipDirective],
    template: `
    <div class="empty-state" [class]="'empty-state--' + variant">
      <div class="empty-state__icon" [innerHTML]="getIcon()"></div>
-      <h3 class="empty-state__title">{{ title || getDefaultTitle() }}</h3>
+      <h3 class="empty-state__title" stellaopsGlossaryTooltip>{{ resolvedTitle() }}</h3>
-      @if (description) {
+      @if (resolvedDescription()) {
-        <p class="empty-state__description">{{ description }}</p>
+        <p class="empty-state__description" stellaopsGlossaryTooltip>{{ resolvedDescription() }}</p>
      }
      <div class="empty-state__actions">
        <ng-content select="[actions]"></ng-content>
@@ -117,6 +119,9 @@ export type EmptyStateVariant = 'default' | 'search' | 'error' | 'no-data' | 'no
  `]
 })
 export class EmptyStateComponent {
  private readonly router = inject(Router);
  private readonly routeCopy = computed(() => getDefaultEmptyStateCopyForUrl(this.router.url));
  @Input() variant: EmptyStateVariant = 'default';
  @Input() title?: string;
  @Input() description?: string;
@@ -128,6 +133,32 @@ export class EmptyStateComponent {
    this.actionClick?.();
  }
  resolvedTitle(): string {
    const provided = this.title?.trim();
    if (provided && provided !== 'No data' && provided !== 'No data available') {
      return provided;
    }
    if (this.variant === 'default' || this.variant === 'no-data') {
      return this.routeCopy().title;
    }
    return this.getDefaultTitle();
  }
  resolvedDescription(): string {
    const provided = this.description?.trim();
    if (provided) {
      return provided;
    }
    if (this.variant === 'default' || this.variant === 'no-data') {
      return this.routeCopy().description;
    }
    return '';
  }
  getDefaultTitle(): string {
    switch (this.variant) {
      case 'search': return 'No results found';
--- a/src/Web/StellaOps.Web/src/app/shared/components/page-help/page-help-content.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/page-help/page-help-content.ts
@@ -0,0 +1,584 @@
 import { PAGE_TIPS, resolvePageKey } from '../stella-helper/stella-helper-tips.config';
 export interface PageHelpTopic {
  title: string;
  description: string;
 }
 export interface PageHelpAction {
  label: string;
  route: string;
 }
 export interface PageHelpDocLink {
  label: string;
  route: string;
 }
 export interface PageHelpContent {
  title: string;
  overview: string;
  topics: PageHelpTopic[];
  actions: PageHelpAction[];
  docs: PageHelpDocLink[];
  exampleTitle?: string;
  example?: string;
  emptyStateTitle?: string;
  emptyStateDescription?: string;
 }
 const DEFAULT_DOCS: PageHelpDocLink[] = [
  { label: 'Operator guide', route: '/docs/UI_GUIDE.md' },
  { label: 'Glossary', route: '/docs/GLOSSARY.md' },
 ];
 const SECTION_FALLBACK_HELP: Record<string, Partial<PageHelpContent>> = {
  releases: {
    title: 'Release Control',
    overview: 'This area defines release versions, promotions, approvals, and deployment history. Use it to move container changes through governed environments without losing the evidence trail.',
    topics: [
      {
        title: 'Digest-first workflow',
        description: 'Stella tracks releases by immutable digest so the artifact you approve is the same one that later gets promoted or audited.',
      },
      {
        title: 'Gates and approvals',
        description: 'Every promotion can combine automated policy checks with human approvals. This is where you see what passed, what blocked, and what still needs operator action.',
      },
      {
        title: 'Operational auditability',
        description: 'Deployment history, promotion decisions, and remediation follow-ups stay linked so you can explain what changed and why it was allowed.',
      },
    ],
    actions: [
      { label: 'Open releases', route: '/releases' },
      { label: 'Open deployments', route: '/releases/deployments' },
      { label: 'Review approvals', route: '/releases/approvals' },
    ],
  },
  security: {
    title: 'Security Workspace',
    overview: 'This area turns scans into operator decisions. Start with SBOM and findings, use reachability to separate real exposure from noise, and capture VEX or exception evidence when you need a justified non-fix outcome.',
    topics: [
      {
        title: 'From scan to decision',
        description: 'A scan produces inventory and findings. Stella then helps you interpret them with reachability, VEX, baseline delta, and policy context.',
      },
      {
        title: 'Noise reduction',
        description: 'Reachability, baselines, and signed VEX statements exist to shrink raw scanner output into the small set of issues that truly need action.',
      },
      {
        title: 'Evidence-first posture',
        description: 'Every decision should leave a trace: fix evidence, waiver approval, or a signed explanation for why the vulnerability is not applicable.',
      },
    ],
    actions: [
      { label: 'Scan an image', route: '/security/scan' },
      { label: 'Open posture', route: '/security' },
      { label: 'Open findings', route: '/security/findings' },
    ],
  },
  evidence: {
    title: 'Evidence Workspace',
    overview: 'This area is the proof rail for Stella. Use it to review signed release evidence, inspect audit history, replay decisions, and export packages for auditors or air-gapped verification.',
    topics: [
      {
        title: 'Proof, not screenshots',
        description: 'Evidence here is designed to survive audit and incident review. It preserves the structured facts behind every release decision.',
      },
      {
        title: 'Replayable history',
        description: 'When inputs are frozen, Stella can replay a past decision and prove whether the outcome is deterministic and untampered.',
      },
      {
        title: 'Exportable trust',
        description: 'Bundles and capsules let you take the signed decision trail outside the UI without losing integrity metadata.',
      },
    ],
    actions: [
      { label: 'Open evidence overview', route: '/evidence/overview' },
      { label: 'Review capsules', route: '/evidence/capsules' },
      { label: 'Open audit log', route: '/evidence/audit-log' },
    ],
  },
  ops: {
    title: 'Operations Workspace',
    overview: 'This area is the operator view of platform health. Use it to verify feeds, inspect agents and jobs, run diagnostics, and keep the deployment control plane ready for real release traffic.',
    topics: [
      {
        title: 'Platform readiness',
        description: 'Healthy feeds, online agents, and current policy state all affect whether Stella can make trustworthy promotion decisions.',
      },
      {
        title: 'Signals over guesswork',
        description: 'Operations pages convert raw service health and queue state into the practical answer operators need: can the platform safely continue governed releases right now?',
      },
      {
        title: 'Drill-down workflow',
        description: 'Start at overview or diagnostics, then jump into the specific subsystem when you need queue, feed, runtime, or job detail.',
      },
    ],
    actions: [
      { label: 'Open operations overview', route: '/ops/operations' },
      { label: 'Run diagnostics', route: '/ops/operations/doctor' },
      { label: 'Inspect feeds', route: '/ops/operations/feeds-airgap' },
    ],
  },
  setup: {
    title: 'Setup Workspace',
    overview: 'This area is for first-time platform wiring: integrations, identity, trust, notifications, topology, and the defaults that make later releases predictable and auditable.',
    topics: [
      {
        title: 'Order matters',
        description: 'A clean setup usually starts with diagnostics and integrations, then moves into topology, trust, scanning, and release policy.',
      },
      {
        title: 'Reusable defaults',
        description: 'The choices you make here shape every later workflow: which environments exist, which registries are scanned, and which trust roots and policies releases depend on.',
      },
      {
        title: 'Operator self-service',
        description: 'These pages exist so a new operator can build confidence without tribal knowledge. Use the linked guide pages when you need the longer explanation behind a setting.',
      },
    ],
    actions: [
      { label: 'Open integrations', route: '/setup/integrations' },
      { label: 'Open identity access', route: '/setup/identity-access' },
      { label: 'Open trust signing', route: '/setup/trust-signing' },
    ],
  },
  environments: {
    title: 'Environment Topology',
    overview: 'This area models the release path itself: environments, hosts, targets, and the promotion graph that tells Stella where releases are allowed to move next.',
    topics: [
      {
        title: 'Topology as release contract',
        description: 'Promotion rules are not just UI labels. They define the permitted path from dev through staging to production and shape the approvals and gates each step requires.',
      },
      {
        title: 'Targets and agents',
        description: 'Targets are where deployments land. Agents are the executors that report readiness, carry out actions, and feed runtime evidence back into Stella.',
      },
      {
        title: 'Readiness and blockers',
        description: 'Unknown or degraded readiness usually means missing telemetry, missing targets, or missing agents. Fix the infrastructure signal before assuming the release itself is broken.',
      },
    ],
    actions: [
      { label: 'Open topology overview', route: '/environments/overview' },
      { label: 'Review targets', route: '/environments/targets' },
      { label: 'Review hosts', route: '/environments/hosts' },
    ],
  },
  triage: {
    title: 'Triage Workspace',
    overview: 'This area is where raw findings become operator decisions. Use it when you need the full evidence rail around a vulnerability before fixing, waiving, or marking it not applicable.',
    topics: [
      {
        title: 'Decision workflow',
        description: 'Start from the artifact or finding, inspect severity and reachability, check for existing VEX or waiver state, then decide how the organization should respond.',
      },
      {
        title: 'Evidence in context',
        description: 'Triage is more than severity ranking. It combines advisory facts, runtime evidence, policy outcome, and historical delta so the chosen action is defensible later.',
      },
      {
        title: 'Escalate the right findings',
        description: 'Critical and reachable issues should move first. Everything else is backlog, explanation, or policy tuning work unless your environment or product context says otherwise.',
      },
    ],
    actions: [
      { label: 'Open vulnerabilities', route: '/triage/artifacts' },
      { label: 'Open findings explorer', route: '/security/findings' },
      { label: 'Open VEX workspace', route: '/ops/policy/vex' },
    ],
  },
  docs: {
    title: 'Documentation',
    overview: 'This page serves Stella’s built-in operator and architecture docs inside the app shell, so new operators can learn terms and workflows without leaving the platform.',
    topics: [
      {
        title: 'Operator guidance in product',
        description: 'The docs viewer is the longer-form companion to the inline onboarding copy. Use it when a tooltip or help panel gives you the short answer and you need the full walkthrough.',
      },
      {
        title: 'Offline-friendly reference',
        description: 'Docs are bundled with the app so teams in disconnected environments still have access to workflow guidance and glossary definitions.',
      },
    ],
    actions: [
      { label: 'Open docs index', route: '/docs/README.md' },
      { label: 'Open operator guide', route: '/docs/UI_GUIDE.md' },
      { label: 'Open glossary', route: '/docs/GLOSSARY.md' },
    ],
  },
 };
 const PAGE_TITLE_OVERRIDES: Record<string, string> = {
  dashboard: 'Dashboard',
  deployments: 'Deployments',
  releases: 'Releases',
  environments: 'Environments',
  readiness: 'Readiness',
  vulnerabilities: 'Vulnerabilities',
  findings: 'Findings Explorer',
  'security-posture': 'Security Posture',
  'scan-image': 'Scan Image',
  'supply-chain': 'Supply-Chain Data',
  reachability: 'Reachability',
  unknowns: 'Unknowns',
  vex: 'VEX and Exceptions',
  governance: 'Risk and Governance',
  simulation: 'Policy Simulation',
  'policy-audit': 'Policy Audit',
  'decision-capsules': 'Decision Capsules',
  'audit-log': 'Audit Log',
  'evidence-overview': 'Evidence Overview',
  'agent-fleet': 'Agent Fleet',
  diagnostics: 'Diagnostics',
  integrations: 'Integrations',
  'identity-access': 'Identity and Access',
  'certificates-trust': 'Certificates and Trust',
  'offline-kit': 'Offline Kit',
 };
 const SPECIAL_PAGE_HELP: Record<string, Partial<PageHelpContent>> = {
  dashboard: {
    overview: 'This is your daily command center. It tells you which environments are healthy, where risk is building up, whether advisory feeds are current, and what action should happen next.',
    topics: [
      {
        title: 'SBOM and reachability',
        description: 'SBOM tells Stella what is inside each image. Reachability tells Stella which of those vulnerable code paths are actually callable, so you can separate real risk from background noise.',
      },
      {
        title: 'Severity counts',
        description: 'Critical means fix now. High means near-term remediation. Medium and Low help you plan backlog work without losing sight of immediate blockers.',
      },
      {
        title: 'Next-step workflow',
        description: 'Fresh installations usually follow the same order: run diagnostics, connect integrations, scan an image, review findings, then create and promote a release.',
      },
    ],
    docs: [
      { label: 'Operator guide', route: '/docs/UI_GUIDE.md' },
      { label: 'Architecture overview', route: '/docs/ARCHITECTURE_OVERVIEW.md' },
    ],
    emptyStateTitle: 'No dashboard data yet',
    emptyStateDescription: 'Start by connecting a registry or scanning an image so Stella can populate posture, reachability, and feed health with real evidence.',
  },
  vex: {
    overview: 'VEX lets you document whether a published vulnerability actually affects your software. It is the signed explanation layer that turns generic scanner output into organization-specific decisions.',
    topics: [
      {
        title: 'What VEX means',
        description: 'VEX stands for Vulnerability Exploitability eXchange. It answers the question "does this known CVE actually affect our product in this configuration?" with evidence instead of guesswork.',
      },
      {
        title: 'Statuses you will use',
        description: 'Affected means the issue is real and action is required. Not affected means the vulnerable path is not reachable or not enabled. Fixed means the vulnerable version is no longer shipped. Under investigation means the team is still gathering proof.',
      },
      {
        title: 'Why teams rely on it',
        description: 'Without VEX, scanners keep repeating theoretical findings on every release. VEX reduces that noise by preserving signed justifications that future scans and auditors can reuse.',
      },
      {
        title: 'First workflow',
        description: 'Start from a finding, inspect reachability and runtime context, choose the correct status, write a specific justification, then sign and store the statement so later scans inherit it.',
      },
    ],
    actions: [
      { label: 'Open findings triage', route: '/triage/artifacts' },
      { label: 'Browse VEX conflicts', route: '/ops/policy/vex/conflicts' },
      { label: 'Open VEX search', route: '/ops/policy/vex/search' },
    ],
    exampleTitle: 'Quick mental model',
    example: 'Finding -> Review exploit path -> Record VEX status -> Sign evidence -> Future scans inherit the decision',
    docs: [
      { label: 'VEX consensus guide', route: '/docs/VEX_CONSENSUS_GUIDE.md' },
      { label: 'Operator guide', route: '/docs/UI_GUIDE.md' },
      { label: 'Glossary', route: '/docs/GLOSSARY.md' },
    ],
    emptyStateTitle: 'No VEX decisions yet',
    emptyStateDescription: 'Create your first statement from a finding when you need to explain why a vulnerability is affected, not affected, fixed, or still under investigation.',
  },
  reachability: {
    overview: 'Reachability answers the question scanners alone cannot: can an attacker actually get to the vulnerable code path in your running application or deployment path?',
    topics: [
      {
        title: 'Why it matters',
        description: 'A critical CVE in a package you never call is not the same as a critical CVE on an exposed request path. Reachability turns raw severity into operational priority.',
      },
      {
        title: 'Hybrid evidence',
        description: 'Stella combines static dependency and call-path analysis with runtime or observed execution signals, then scores confidence so you can tell confirmed paths from theoretical ones.',
      },
      {
        title: 'Coverage is confidence',
        description: 'Coverage measures how much of the scoped software graph Stella has enough evidence to reason about. Higher coverage means fewer unknowns in your release decisions.',
      },
      {
        title: 'How to use it',
        description: 'Use reachability data to focus triage on paths attackers can really hit, justify VEX not-affected decisions, and explain why one critical finding blocks promotion while another does not.',
      },
    ],
    actions: [
      { label: 'Open findings explorer', route: '/security/findings' },
      { label: 'Scan an image', route: '/security/scan' },
      { label: 'Review security posture', route: '/security' },
    ],
    exampleTitle: 'Why it matters',
    example: '200 critical findings without reachability can become a much smaller set of urgent fixes once Stella proves which paths are callable and which are inert.',
    docs: [
      { label: 'Operator guide', route: '/docs/UI_GUIDE.md' },
      { label: 'Architecture overview', route: '/docs/ARCHITECTURE_OVERVIEW.md' },
      { label: 'Glossary', route: '/docs/GLOSSARY.md' },
    ],
    emptyStateTitle: 'No reachability evidence yet',
    emptyStateDescription: 'Scan an image and let Stella build the dependency and call-path evidence needed to separate reachable risk from theoretical exposure.',
  },
  'decision-capsules': {
    overview: 'Decision Capsules are the signed release record for Stella. They bundle the scan facts, policy verdicts, approvals, and provenance links needed to replay or audit a release decision later.',
    topics: [
      {
        title: 'What goes inside',
        description: 'A capsule packages the subject digest, scan outputs, policy results, approvals, signatures, and export metadata needed to explain exactly why a release was allowed or blocked.',
      },
      {
        title: 'Why operators care',
        description: 'Capsules are the fastest answer to "prove this release was evaluated correctly." They save audit time because the evidence is already bundled and signed.',
      },
      {
        title: 'Replay and verification',
        description: 'Because the inputs are frozen, Stella can replay the same decision later and prove whether the result is deterministic and untampered.',
      },
      {
        title: 'Operational workflow',
        description: 'Generate capsules after scans, policy checks, and approvals complete. Then export them for auditors, incident review, or offline verification in air-gapped environments.',
      },
    ],
    actions: [
      { label: 'Open evidence overview', route: '/evidence/overview' },
      { label: 'View export center', route: '/evidence/exports' },
      { label: 'Browse release approvals', route: '/releases/approvals' },
    ],
    exampleTitle: 'What is inside a capsule',
    example: 'Subject digest + scan evidence + policy verdict + approval trail + signatures + exportable audit metadata',
    docs: [
      { label: 'Operator guide', route: '/docs/UI_GUIDE.md' },
      { label: 'Evidence export schema', route: '/docs/modules/evidence-locker/guides/evidence-pack-schema.md' },
    ],
    emptyStateTitle: 'No decision capsules yet',
    emptyStateDescription: 'Capsules appear after a release has been evaluated with evidence and policy. Scan, review, and promote a release to generate the first signed package.',
  },
  findings: {
    overview: 'Findings Explorer is where you compare current scan results against a baseline, focus on what changed, and decide whether each vulnerability should be fixed, accepted, or explained with evidence.',
    topics: [
      {
        title: 'Baselines reduce noise',
        description: 'A baseline is your known-good or previously accepted scan. Comparing against it lets you focus on delta rather than re-triaging inherited issues every time.',
      },
      {
        title: 'Guided first action',
        description: 'Start by selecting the current scan scope, then choose a baseline if one exists. Stella can then highlight what is new, what is already explained, and what still blocks promotion.',
      },
      {
        title: 'Evidence rail thinking',
        description: 'Treat each finding as a decision workflow: inspect SBOM facts, check reachability, review VEX and waiver state, then export evidence if someone asks why you made that call.',
      },
      {
        title: 'Outcome options',
        description: 'Your usual outcomes are fix, waive with approval, or mark not applicable with VEX evidence. The page exists to make that decision explicit and auditable.',
      },
    ],
    actions: [
      { label: 'Open scan submission', route: '/security/scan' },
      { label: 'Review security posture', route: '/security' },
      { label: 'Open triage workspace', route: '/triage/artifacts' },
    ],
    exampleTitle: 'Baseline workflow',
    example: 'Select current scan -> choose known-good baseline -> inspect delta -> triage only the material changes',
    docs: [
      { label: 'Operator guide', route: '/docs/UI_GUIDE.md' },
      { label: 'Glossary', route: '/docs/GLOSSARY.md' },
    ],
    emptyStateTitle: 'No findings to compare yet',
    emptyStateDescription: 'Run a scan or select a baseline so Stella can show which findings are new, inherited, or already explained by evidence.',
  },
 };
 function titleFromPageKey(pageKey: string): string {
  if (PAGE_TITLE_OVERRIDES[pageKey]) {
    return PAGE_TITLE_OVERRIDES[pageKey];
  }
  return pageKey
    .split(/[-_]/g)
    .filter(Boolean)
    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
    .join(' ');
 }
 function normalizePath(url: string): string {
  return url.split('?')[0].split('#')[0];
 }
 function deriveFallbackTitleFromPath(path: string): string {
  const segments = path.split('/').filter(Boolean);
  if (segments.length === 0) {
    return 'Dashboard';
  }
  const lastSegment = segments.at(-1) ?? 'page';
  const titleSeed =
    /^[0-9a-f-]{8,}$/i.test(lastSegment) && segments.length > 1
      ? segments[segments.length - 2]
      : lastSegment;
  return titleFromPageKey(titleSeed);
 }
 function buildFallbackPageHelp(url: string): PageHelpContent | null {
  const path = normalizePath(url);
  if (!path || path === '/' || path.startsWith('/auth/')) {
    return null;
  }
  const segments = path.split('/').filter(Boolean);
  const section = segments[0] ?? '';
  const fallback = SECTION_FALLBACK_HELP[section];
  if (!fallback) {
    return {
      title: deriveFallbackTitleFromPath(path),
      overview: 'This page is part of Stella Ops operator workflow. Use the inline copy to understand the current surface, then follow the linked guides when you need the deeper operational background.',
      topics: [
        {
          title: 'What this page is for',
          description: 'Stella groups related operator actions by workflow so you can move from setup to scan, release, approval, and evidence review without leaving the control plane.',
        },
        {
          title: 'How to get data here',
          description: 'Empty states usually mean the upstream workflow has not happened yet: no integration, no scan, no promotion, or no evidence generated for the current scope.',
        },
        {
          title: 'What to do next',
          description: 'Use the suggested actions and help panels to jump to the step that creates the missing data instead of guessing which module owns it.',
        },
      ],
      actions: [
        { label: 'Open dashboard', route: '/' },
        { label: 'Open setup wizard', route: '/setup-wizard/wizard' },
      ],
      docs: DEFAULT_DOCS,
      emptyStateTitle: 'Nothing to review here yet',
      emptyStateDescription: 'This surface is ready, but the workflow that feeds it has not produced data for the current scope yet.',
    };
  }
  const title = fallback.title ?? deriveFallbackTitleFromPath(path);
  const overview =
    fallback.overview ??
    'This page is part of Stella Ops workflow. Use the overview here to understand what the current route is responsible for before taking action.';
  return {
    title,
    overview,
    topics: fallback.topics ?? [],
    actions: fallback.actions ?? [],
    docs: fallback.docs ?? DEFAULT_DOCS,
    exampleTitle: fallback.exampleTitle,
    example: fallback.example,
    emptyStateTitle: fallback.emptyStateTitle ?? `No ${title.toLowerCase()} data yet`,
    emptyStateDescription: fallback.emptyStateDescription ?? overview,
  };
 }
 function deriveTopics(pageKey: string): PageHelpTopic[] {
  const config = PAGE_TIPS[pageKey];
  if (!config) {
    return [];
  }
  return config.tips.slice(0, 3).map((tip) => ({
    title: tip.title,
    description: tip.body,
  }));
 }
 function deriveActions(pageKey: string): PageHelpAction[] {
  const config = PAGE_TIPS[pageKey];
  if (!config) {
    return [];
  }
  const seen = new Set<string>();
  const actions: PageHelpAction[] = [];
  for (const tip of config.tips) {
    if (!tip.action) {
      continue;
    }
    const key = `${tip.action.label}|${tip.action.route}`;
    if (seen.has(key)) {
      continue;
    }
    seen.add(key);
    actions.push({ label: tip.action.label, route: tip.action.route });
    if (actions.length >= 3) {
      break;
    }
  }
  return actions;
 }
 export function getPageHelpContent(pageKey: string): PageHelpContent | null {
  const config = PAGE_TIPS[pageKey];
  if (!config) {
    return null;
  }
  const special = SPECIAL_PAGE_HELP[pageKey];
  const derivedTopics = deriveTopics(pageKey);
  const derivedActions = deriveActions(pageKey);
  const overview = special?.overview ?? derivedTopics[0]?.description ?? config.greeting;
  return {
    title: special?.title ?? titleFromPageKey(pageKey),
    overview,
    topics: special?.topics ?? derivedTopics,
    actions: special?.actions ?? derivedActions,
    docs: special?.docs ?? DEFAULT_DOCS,
    exampleTitle: special?.exampleTitle,
    example: special?.example,
    emptyStateTitle: special?.emptyStateTitle ?? `No ${titleFromPageKey(pageKey).toLowerCase()} data yet`,
    emptyStateDescription: special?.emptyStateDescription ?? overview,
  };
 }
 export function getPageHelpContentForUrl(url: string): PageHelpContent | null {
  const pageKey = resolvePageKey(url);
  const explicitHelp = pageKey === 'default' ? null : getPageHelpContent(pageKey);
  return explicitHelp ?? buildFallbackPageHelp(url);
 }
 export function getDefaultEmptyStateCopyForUrl(url: string): { title: string; description: string } {
  const pageKey = resolvePageKey(url);
  const help = pageKey === 'default'
    ? buildFallbackPageHelp(url)
    : getPageHelpContent(pageKey) ?? buildFallbackPageHelp(url);
  if (!help) {
    return {
      title: 'Nothing to review yet',
      description: 'This view is empty right now. Adjust the scope, add data, or complete the setup steps that feed this page.',
    };
  }
  return {
    title: help.emptyStateTitle ?? 'Nothing to review yet',
    description: help.emptyStateDescription ?? help.overview,
  };
 }
--- a/src/Web/StellaOps.Web/src/app/shared/components/page-help/page-help-panel.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/page-help/page-help-panel.component.spec.ts
@@ -0,0 +1,96 @@
 import { Component } from '@angular/core';
 import { TestBed } from '@angular/core/testing';
 import { provideRouter, Router } from '@angular/router';
 import { getDefaultEmptyStateCopyForUrl, getPageHelpContentForUrl } from './page-help-content';
 import { PageHelpPanelComponent } from './page-help-panel.component';
 import { StellaPreferencesService } from '../stella-helper/stella-preferences.service';
@Component({
  standalone: true,
  template: '',
 })
 class DummyRouteComponent {}
 describe('PageHelpPanel content resolution', () => {
  it('returns route-specific onboarding content for reachability routes', () => {
    const help = getPageHelpContentForUrl('/security/reachability');
    expect(help).not.toBeNull();
    expect(help?.title).toBe('Reachability');
    expect(help?.overview).toContain('Reachability answers the question');
    expect(help?.topics.map((topic) => topic.title)).toContain('Why it matters');
    expect(help?.docs.map((doc) => doc.label)).toContain('Operator guide');
  });
  it('falls back to section-level help for routes without an explicit page config', () => {
    const help = getPageHelpContentForUrl('/docs/testing');
    expect(help).not.toBeNull();
    expect(help?.title).toBe('Documentation');
    expect(help?.overview).toContain('built-in operator and architecture docs');
    expect(help?.actions.map((action) => action.label)).toContain('Open operator guide');
    expect(help?.docs.map((doc) => doc.label)).toContain('Operator guide');
  });
  it('uses page help copy as the default educational empty-state message', () => {
    const emptyState = getDefaultEmptyStateCopyForUrl('/docs/testing');
    expect(emptyState.title).toContain('No documentation data yet');
    expect(emptyState.description).toContain('built-in operator and architecture docs');
  });
 });
 describe('PageHelpPanelComponent', () => {
  beforeEach(async () => {
    localStorage.removeItem('stellaops.helper.preferences');
    await TestBed.configureTestingModule({
      imports: [PageHelpPanelComponent],
      providers: [
        provideRouter([
          { path: 'security/reachability', component: DummyRouteComponent },
        ]),
      ],
    }).compileComponents();
  });
  it('keeps first-visit help open after marking the page as seen', async () => {
    const router = TestBed.inject(Router);
    await router.navigateByUrl('/security/reachability');
    const fixture = TestBed.createComponent(PageHelpPanelComponent);
    fixture.detectChanges();
    await fixture.whenStable();
    fixture.detectChanges();
    const prefs = TestBed.inject(StellaPreferencesService);
    expect(fixture.componentInstance.help()?.title).toBe('Reachability');
    expect(prefs.isPageHelpSeen('reachability')).toBeTrue();
    expect(fixture.componentInstance.isOpen()).toBeTrue();
    expect(fixture.nativeElement.querySelector('.page-help__body')).not.toBeNull();
  });
  it('persists collapsed state when the first-visit panel is toggled closed', async () => {
    const router = TestBed.inject(Router);
    await router.navigateByUrl('/security/reachability');
    const fixture = TestBed.createComponent(PageHelpPanelComponent);
    fixture.detectChanges();
    await fixture.whenStable();
    fixture.detectChanges();
    const prefs = TestBed.inject(StellaPreferencesService);
    expect(fixture.componentInstance.isOpen()).toBeTrue();
    fixture.componentInstance.toggle();
    fixture.detectChanges();
    await fixture.whenStable();
    fixture.detectChanges();
    expect(fixture.componentInstance.isOpen()).toBeFalse();
    expect(fixture.nativeElement.querySelector('.page-help__body')).toBeNull();
    expect(prefs.prefs().pageHelpOpen.reachability).toBeFalse();
  });
 });
--- a/src/Web/StellaOps.Web/src/app/shared/components/page-help/page-help-panel.component.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/page-help/page-help-panel.component.ts
@@ -0,0 +1,305 @@
 import { ChangeDetectionStrategy, ChangeDetectorRef, Component, computed, effect, inject, signal } from '@angular/core';
 import { NavigationEnd, Router, RouterLink } from '@angular/router';
 import { toSignal } from '@angular/core/rxjs-interop';
 import { filter, map, startWith } from 'rxjs/operators';
 import { StellaPreferencesService } from '../stella-helper/stella-preferences.service';
 import { getPageHelpContentForUrl } from './page-help-content';
 import { resolvePageKey } from '../stella-helper/stella-helper-tips.config';
 function normalizeHelpStateKey(url: string): string | null {
  const normalized = url
    .split('?')[0]
    .split('#')[0]
    .trim()
    .replace(/^\/+|\/+$/g, '');
  return normalized ? `route:${normalized}` : null;
 }
@Component({
  selector: 'app-page-help-panel',
  standalone: true,
  imports: [RouterLink],
  changeDetection: ChangeDetectionStrategy.OnPush,
  template: `
    @if (help(); as helpContent) {
      <section class="page-help" [attr.data-page-help]="pageKey()">
        <button
          type="button"
          class="page-help__toggle"
          [attr.aria-expanded]="isOpen()"
          (click)="toggle()"
        >
          <div class="page-help__toggle-copy">
            <span class="page-help__eyebrow">About this page</span>
            <strong>{{ helpContent.title }}</strong>
          </div>
          <span class="page-help__toggle-state">{{ isOpen() ? 'Hide' : 'Show' }}</span>
        </button>
        @if (isOpen()) {
          <div class="page-help__body">
            <div class="page-help__intro">
              <p class="page-help__overview">{{ helpContent.overview }}</p>
            </div>
            @if (helpContent.topics.length > 0) {
              <section class="page-help__section">
                <h3>Key concepts</h3>
                <div class="page-help__topic-grid">
                  @for (topic of helpContent.topics; track topic.title) {
                    <article class="page-help__topic-card">
                      <strong>{{ topic.title }}</strong>
                      <p>{{ topic.description }}</p>
                    </article>
                  }
                </div>
              </section>
            }
            @if (helpContent.actions.length > 0) {
              <section class="page-help__section">
                <h3>Common actions</h3>
                <div class="page-help__actions">
                  @for (action of helpContent.actions; track action.label + action.route) {
                    <a [routerLink]="action.route" class="page-help__action">{{ action.label }}</a>
                  }
                </div>
              </section>
            }
            @if (helpContent.example) {
              <section class="page-help__section">
                <h3>{{ helpContent.exampleTitle || 'Example' }}</h3>
                <pre class="page-help__example">{{ helpContent.example }}</pre>
              </section>
            }
            <section class="page-help__section">
              <h3>Docs</h3>
              <div class="page-help__docs">
                @for (doc of helpContent.docs; track doc.label + doc.route) {
                  <a [routerLink]="doc.route" class="page-help__doc-link">{{ doc.label }}</a>
                }
              </div>
            </section>
          </div>
        }
      </section>
    }
  `,
  styles: [`
    .page-help {
      margin-bottom: 1rem;
      border: 1px solid color-mix(in srgb, var(--color-border-primary) 70%, transparent);
      border-radius: 1rem;
      background:
        radial-gradient(circle at top right, color-mix(in srgb, var(--color-brand-primary, #2563eb) 10%, transparent), transparent 42%),
        linear-gradient(180deg, color-mix(in srgb, var(--color-surface-primary) 92%, var(--color-brand-primary, #2563eb) 8%), var(--color-surface-primary));
      overflow: hidden;
    }
    .page-help__toggle {
      width: 100%;
      display: flex;
      align-items: center;
      justify-content: space-between;
      gap: 1rem;
      padding: 0.95rem 1.05rem;
      border: none;
      background: transparent;
      color: inherit;
      cursor: pointer;
      text-align: left;
    }
    .page-help__toggle:hover {
      background: color-mix(in srgb, var(--color-surface-secondary) 78%, transparent);
    }
    .page-help__toggle-copy {
      display: grid;
      gap: 0.18rem;
    }
    .page-help__eyebrow {
      font-size: 0.72rem;
      font-weight: 700;
      letter-spacing: 0.08em;
      text-transform: uppercase;
      color: var(--color-text-secondary);
    }
    .page-help__toggle-state {
      font-size: 0.82rem;
      color: var(--color-text-secondary);
      white-space: nowrap;
    }
    .page-help__body {
      display: grid;
      gap: 1rem;
      padding: 0 1.05rem 1.05rem;
      border-top: 1px solid color-mix(in srgb, var(--color-border-primary) 55%, transparent);
    }
    .page-help__overview {
      margin: 0;
      color: var(--color-text-secondary);
      line-height: 1.55;
    }
    .page-help__section {
      display: grid;
      gap: 0.65rem;
    }
    .page-help__section h3 {
      margin: 0;
      font-size: 0.9rem;
      color: var(--color-text-heading, var(--color-text-primary));
    }
    .page-help__topic-grid {
      display: grid;
      grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
      gap: 0.75rem;
    }
    .page-help__topic-card {
      display: grid;
      gap: 0.35rem;
      padding: 0.8rem 0.9rem;
      border-radius: 0.9rem;
      border: 1px solid color-mix(in srgb, var(--color-border-primary) 70%, transparent);
      background: color-mix(in srgb, var(--color-surface-primary) 86%, transparent);
    }
    .page-help__topic-card p {
      margin: 0;
      color: var(--color-text-secondary);
      line-height: 1.5;
      font-size: 0.88rem;
    }
    .page-help__actions,
    .page-help__docs {
      display: flex;
      flex-wrap: wrap;
      gap: 0.65rem;
    }
    .page-help__action,
    .page-help__doc-link {
      display: inline-flex;
      align-items: center;
      justify-content: center;
      padding: 0.55rem 0.85rem;
      border-radius: 999px;
      border: 1px solid color-mix(in srgb, var(--color-border-primary) 78%, transparent);
      background: color-mix(in srgb, var(--color-surface-primary) 92%, transparent);
      color: var(--color-text-link, var(--color-brand-primary));
      text-decoration: none;
      font-size: 0.84rem;
      font-weight: 600;
    }
    .page-help__example {
      margin: 0;
      padding: 0.8rem 0.9rem;
      border-radius: 0.9rem;
      border: 1px dashed color-mix(in srgb, var(--color-brand-primary, #2563eb) 28%, var(--color-border-primary));
      background: color-mix(in srgb, var(--color-surface-primary) 92%, var(--color-brand-primary, #2563eb) 8%);
      color: var(--color-text-primary);
      font-size: 0.84rem;
      line-height: 1.55;
      white-space: pre-wrap;
    }
    @media (max-width: 700px) {
      .page-help__toggle {
        align-items: flex-start;
      }
      .page-help__toggle-state {
        padding-top: 0.15rem;
      }
    }
  `],
 })
 export class PageHelpPanelComponent {
  private readonly router = inject(Router);
  private readonly prefs = inject(StellaPreferencesService);
  private readonly cdr = inject(ChangeDetectorRef);
  private readonly firstVisitPage = signal<string | null>(null);
  private readonly initializedPageKey = signal<string | null>(null);
  private readonly currentUrl = toSignal(
    this.router.events.pipe(
      filter((event): event is NavigationEnd => event instanceof NavigationEnd),
      map((event) => event.urlAfterRedirects),
      startWith(this.router.url),
    ),
    { initialValue: this.router.url },
  );
  readonly pageKey = computed(() => resolvePageKey(this.currentUrl()));
  readonly help = computed(() => getPageHelpContentForUrl(this.currentUrl()));
  readonly helpStateKey = computed(() => {
    if (!this.help()) {
      return null;
    }
    const pageKey = this.pageKey();
    return pageKey === 'default' ? normalizeHelpStateKey(this.currentUrl()) : pageKey;
  });
  readonly isOpen = computed(() => {
    const key = this.helpStateKey();
    if (!key || this.help() === null) {
      return false;
    }
    const explicit = this.prefs.prefs().pageHelpOpen[key];
    if (typeof explicit === 'boolean') {
      return explicit;
    }
    return this.firstVisitPage() === key || !this.prefs.isPageHelpSeen(key);
  });
  constructor() {
    effect(() => {
      const key = this.helpStateKey();
      if (key && this.help()) {
        if (this.initializedPageKey() !== key) {
          const seen = this.prefs.isPageHelpSeen(key);
          this.firstVisitPage.set(seen ? null : key);
          this.initializedPageKey.set(key);
          if (!seen) {
            this.prefs.markPageHelpSeen(key);
          }
        }
      } else {
        this.firstVisitPage.set(null);
        this.initializedPageKey.set(null);
      }
      queueMicrotask(() => {
        try {
          this.cdr.detectChanges();
        } catch {
          // Ignore if the component was destroyed before the queued refresh runs.
        }
      });
    }, { allowSignalWrites: true });
  }
  toggle(): void {
    const key = this.helpStateKey();
    if (!key) {
      return;
    }
    this.prefs.setPageHelpOpen(key, !this.isOpen());
  }
 }
--- a/src/Web/StellaOps.Web/src/app/shared/components/stella-helper/stella-assistant.service.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/stella-helper/stella-assistant.service.ts
@@ -28,6 +28,7 @@ import {
  resolvePageKey,
 } from './stella-helper-tips.config';
 import type { StellaContextKey } from './stella-helper-context.service';
 import { StellaPreferencesService } from './stella-preferences.service';
 // ---------------------------------------------------------------------------
 // API response models
@@ -85,6 +86,7 @@ export class StellaAssistantService {
  private readonly assistantDrawer = inject(SearchAssistantDrawerService);
  private readonly chatService = inject(ChatService);
  private readonly searchClient = inject(UnifiedSearchClient);
  private readonly stellaPrefs = inject(StellaPreferencesService);
  private readonly searchChatCtx = inject(SearchChatContextService);
  private routerSub?: Subscription;
@@ -427,8 +429,9 @@ export class StellaAssistantService {
    // Load tips from API (or fallback to static)
    await this.loadTipsForCurrentRoute();
-    // Auto-open on first visit
+    // Auto-open on first visit (respecting mute preferences)
-    if (this.isFirstVisit() && !this.userState().dismissed) {
+    const sp = this.stellaPrefs.prefs();
    if (this.isFirstVisit() && !sp.dismissed && !sp.tooltipsMuted && !sp.mutedPages.includes(key)) {
      setTimeout(() => {
        this.isOpen.set(true);
        this.isMinimized.set(false);
--- a/src/Web/StellaOps.Web/src/app/shared/components/stella-helper/stella-helper-context.service.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/stella-helper/stella-helper-context.service.ts
@@ -85,21 +85,36 @@ export type StellaContextKey =
@Injectable({ providedIn: 'root' })
 export class StellaHelperContextService {
-  /** Active context keys pushed by page components. */
+  /** Active context keys pushed imperatively by page components. */
-  private readonly _contexts = signal<Set<StellaContextKey>>(new Set());
+  private readonly _globalContexts = signal<Set<StellaContextKey>>(new Set());
  /**
   * Scoped contexts keyed by component/page id.
   * Pages should prefer setScope()/clearScope() so reactive effects can
   * replace the full context set without leaking stale keys.
   */
  private readonly _scopedContexts = signal<Map<string, readonly StellaContextKey[]>>(new Map());
  /** Read-only signal of active contexts. */
-  readonly activeContexts = computed(() => [...this._contexts()]);
+  readonly activeContexts = computed(() => {
    const active = new Set(this._globalContexts());
    for (const keys of this._scopedContexts().values()) {
      for (const key of keys) {
        active.add(key);
      }
    }
    return [...active];
  });
  /** Whether any context is currently active. */
-  readonly hasContext = computed(() => this._contexts().size > 0);
+  readonly hasContext = computed(() => this.activeContexts().length > 0);
  /**
   * Push a context key. The helper will check if any tips match
   * this context and surface them with priority.
   */
  push(key: StellaContextKey): void {
-    this._contexts.update(set => {
+    this._globalContexts.update(set => {
      if (set.has(key)) return set;
      const next = new Set(set);
      next.add(key);
@@ -111,7 +126,7 @@ export class StellaHelperContextService {
   * Push multiple context keys at once.
   */
  pushAll(keys: StellaContextKey[]): void {
-    this._contexts.update(set => {
+    this._globalContexts.update(set => {
      const next = new Set(set);
      let changed = false;
      for (const k of keys) {
@@ -128,7 +143,7 @@ export class StellaHelperContextService {
   * Remove a specific context (e.g., when state changes).
   */
  remove(key: StellaContextKey): void {
-    this._contexts.update(set => {
+    this._globalContexts.update(set => {
      if (!set.has(key)) return set;
      const next = new Set(set);
      next.delete(key);
@@ -136,18 +151,58 @@ export class StellaHelperContextService {
    });
  }
  /**
   * Replace the full context set for a specific component/page scope.
   * This is the preferred API for reactive page-level context wiring.
   */
  setScope(scopeId: string, keys: readonly StellaContextKey[]): void {
    const normalized = [...new Set(keys)];
    this._scopedContexts.update(scopes => {
      const current = scopes.get(scopeId) ?? [];
      if (
        current.length === normalized.length &&
        current.every((value, index) => value === normalized[index])
      ) {
        return scopes;
      }
      const next = new Map(scopes);
      if (normalized.length === 0) {
        next.delete(scopeId);
      } else {
        next.set(scopeId, normalized);
      }
      return next;
    });
  }
  /**
   * Clear a previously registered scoped context set.
   */
  clearScope(scopeId: string): void {
    this._scopedContexts.update(scopes => {
      if (!scopes.has(scopeId)) {
        return scopes;
      }
      const next = new Map(scopes);
      next.delete(scopeId);
      return next;
    });
  }
  /**
   * Clear all contexts. Called automatically on route change
   * by the StellaHelperComponent.
   */
  clear(): void {
-    this._contexts.set(new Set());
+    this._globalContexts.set(new Set());
    this._scopedContexts.set(new Map());
  }
  /**
   * Check if a specific context is active.
   */
  has(key: StellaContextKey): boolean {
-    return this._contexts().has(key);
+    return this.activeContexts().includes(key);
  }
 }
--- a/src/Web/StellaOps.Web/src/app/shared/components/stella-helper/stella-helper-tips.config.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/stella-helper/stella-helper-tips.config.ts
@@ -270,6 +270,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        title: 'Ctrl+K — your power shortcut',
        body: 'Press Ctrl+K to open the command palette. From there you can search anything, jump to any page, run scans, and access quick actions without using the sidebar.',
      },
      {
        title: 'Environment health is not application health',
        body: 'Dashboard health answers "can this environment safely receive releases right now?" It combines target readiness, agent connectivity, and gate state — not just whether the app answered a ping.',
      },
      {
        title: 'Why reachable criticals get top billing',
        body: 'Reachable criticals matter more than raw critical counts because they are both severe and plausibly exploitable in your real code path. That combination is what usually blocks promotions.',
      },
      {
        title: 'Quick Links are the fastest escape hatch',
        body: 'Use Quick Links when the dashboard tells you something is wrong but not how to fix it. They jump straight into the owning workflow without making you hunt through sidebar groups.',
      },
      {
        title: 'Fresh installations look sparse on purpose',
        body: 'A quiet dashboard usually means Stella has not scanned images or synced feeds yet, not that the platform is broken. Start with setup and scanning so the board has evidence to work with.',
      },
    ],
  },
@@ -295,6 +311,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        title: 'Approve vs Reject — when to use each',
        body: 'Approve when: all gates pass, evidence is verified, and you\'re confident in the release. Reject when: something looks wrong, gates show warnings you don\'t accept, or you need more info.',
      },
      {
        title: 'Pipeline tab vs approvals tab',
        body: 'Pipeline shows the technical execution path of a deployment run. Approvals shows the human decision checkpoints. Use both together when you need to answer "what happened?" and "who allowed it?"',
      },
      {
        title: 'What an expired approval means',
        body: 'Expired means the release was not approved within the allowed time window. That protects you from approving stale evidence after the environment or feed state has changed.',
      },
      {
        title: 'Normal priority is not the only lane',
        body: 'Normal is the default promotion lane. Some teams also use expedited or hotfix-style flows for emergencies, but those should still leave the same evidence trail.',
      },
      {
        title: 'Create Deployment vs Request Promotion',
        body: 'Use Create Deployment for an operator-driven rollout action. Use Request Promotion when you want Stella to evaluate the next environment in the governed promotion path with approvals and gates.',
      },
    ],
  },
@@ -338,6 +370,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        body: 'Click "Promote" to move a release to the next environment. Stella will evaluate all gates, collect approvals, and record the decision as signed evidence. The entire chain is auditable.',
        action: { label: 'Request a promotion', route: '/releases/promotions/create' },
      },
      {
        title: 'PASS, WARN, and BLOCK',
        body: 'PASS means every required gate succeeded. WARN means Stella found advisory issues that are visible but not release-stopping under the active policy. BLOCK means promotion cannot proceed until something changes.',
      },
      {
        title: 'Status is a lifecycle, not a health score',
        body: 'Draft, Ready, Deployed, and Failed describe where the release is in its governed workflow. They do not replace the underlying policy, evidence, or deployment details.',
      },
      {
        title: 'Why digests beat tags',
        body: 'Tags like latest are mutable labels. Digests are immutable identities. Stella centers digests so the thing you approved is the same thing that gets deployed later.',
      },
      {
        title: 'Standard vs hotfix releases',
        body: 'Standard releases follow the normal promotion path and evidence cadence. Hotfixes exist for emergency pressure, but they still need enough evidence to prove what changed and who approved it.',
      },
    ],
  },
@@ -396,6 +444,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        title: 'Opening a Workspace',
        body: 'Click "Open Workspace" to get a full investigation view for an artifact — SBOM, findings, reachability evidence, and VEX statements all in one place.',
      },
      {
        title: 'Reachability changes triage order',
        body: 'If two CVEs have the same severity, triage the reachable one first. Stella is telling you which path looks operationally dangerous instead of theoretically dangerous.',
      },
      {
        title: 'Use VEX when fixing is not the right answer',
        body: 'Not every finding needs a package upgrade. If the vulnerable feature is disabled or the code path is unreachable, a well-supported VEX statement may be the correct decision.',
      },
      {
        title: 'Triage decisions become future signal',
        body: 'Once you fix, waive, or explain a finding, later scans inherit that context. Good triage today reduces repeated analysis tomorrow.',
      },
      {
        title: 'Filters are there to narrow scope, not hide debt',
        body: 'Use filters to focus on a release, environment, or severity band. Clear them before concluding that the system has no findings, otherwise you may be looking at an artificially quiet slice.',
      },
    ],
  },
@@ -415,6 +479,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        body: 'If SBOM health is empty, you need to scan container images first. That populates everything: vulnerability data, reachability analysis, and supply-chain coverage.',
        action: { label: 'Scan an image', route: '/security/scan' },
      },
      {
        title: 'A HIGH posture is a diagnosis',
        body: 'HIGH posture usually means unresolved critical or high findings, low VEX coverage, stale advisories, or a combination of all three. Open the supporting cards to find the real cause instead of treating the score as magic.',
      },
      {
        title: 'Advisory health affects trust',
        body: 'If advisory or VEX sources are stale, your posture may look artificially calm because Stella is missing recent disclosures. Feed freshness is part of posture quality, not just platform hygiene.',
      },
      {
        title: 'Supply-chain coverage is breadth',
        body: 'Coverage tells you how much of your estate Stella can see and reason about. Low coverage means blind spots, even if the visible slice looks healthy.',
      },
      {
        title: 'Expiring waivers are future blockers',
        body: 'Waivers and exceptions reduce noise today, but they eventually expire. Watch them here so tomorrow\'s promotion does not fail because an old acceptance silently timed out.',
      },
    ],
  },
@@ -434,6 +514,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        title: 'SBOM formats',
        body: 'Stella generates SBOMs in industry-standard formats: SPDX 3.0 and CycloneDX 1.7. These can be exported and shared with customers, auditors, or regulatory bodies.',
      },
      {
        title: 'Reachability starts with inventory',
        body: 'If Stella does not know which packages and binaries are present, it cannot reason about vulnerable paths. SBOM quality is the foundation for everything that follows.',
      },
      {
        title: 'Viewer vs graph',
        body: 'Use the viewer when you want a table of packages and versions. Use the graph when you need to see relationships and transitive dependency paths between components.',
      },
      {
        title: 'Supply-chain data is also compliance data',
        body: 'The same inventory used for CVEs can answer license, provenance, and drift questions. That is why this page matters to release operations, not only security teams.',
      },
      {
        title: 'Registry integrations reduce manual scanning',
        body: 'You can scan one image by hand, but connected registries let Stella discover and monitor new images continuously. That keeps the supply-chain picture current without operator babysitting.',
      },
    ],
  },
@@ -466,6 +562,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        title: 'Coverage percentage',
        body: 'Coverage shows what percentage of your codebase has been analyzed. Higher = more confident decisions. Target >80% for production. Low coverage means more unknowns in your risk assessment.',
      },
      {
        title: 'Static analysis finds possible paths',
        body: 'Static analysis walks code structure and dependency graphs to find candidate call paths into vulnerable functions. It is broad, fast, and useful even when runtime telemetry is missing.',
      },
      {
        title: 'Runtime evidence narrows the picture',
        body: 'Runtime evidence shows which paths are actually exercised in a deployed environment. That makes it powerful for separating theoretical exposure from behavior observed in practice.',
      },
      {
        title: 'Confidence matters as much as status',
        body: 'A reachable finding with weak confidence should be investigated differently from one backed by strong evidence. Use both the verdict and the confidence signal before you write VEX or policy.',
      },
      {
        title: 'Low coverage has clear next steps',
        body: 'If coverage is low, improve inventory quality, enable more analyzers, or deploy signals. The fix is usually better data, not a more permissive policy.',
      },
    ],
  },
@@ -532,6 +644,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        title: 'VEX Consensus',
        body: 'When multiple sources publish VEX statements about the same vulnerability (vendor, scanner, your team), Stella uses trust-weighted consensus to determine the effective status. Higher-trust sources carry more weight.',
      },
      {
        title: 'Good justifications are specific',
        body: 'A useful justification explains the technical reason a vulnerability does or does not matter: disabled feature, unreachable function, non-shipped component, patched downstream fork, or compensating control.',
      },
      {
        title: 'Consensus is not the same as local policy',
        body: 'Consensus tells you the best combined interpretation of all known VEX sources. Your organization can still override that result with a local statement when you have better context.',
      },
      {
        title: 'Use exceptions when the issue is real',
        body: 'If the finding is truly affected but you cannot fix it immediately, use an exception workflow. VEX is for explaining exploitability; exceptions are for consciously carrying real risk.',
      },
      {
        title: 'Mark Affected when you need accountability',
        body: 'Affected is not a failure state — it is a clear statement that a vulnerability matters and action is required. That clarity is better than hiding a real problem behind vague investigation notes.',
      },
    ],
  },
@@ -617,6 +745,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        title: 'Offline verification',
        body: 'Evidence bundles are self-contained. You can verify them without network access using bundled trust roots. Ship evidence to an air-gapped environment and it\'s still verifiable.',
      },
      {
        title: 'Search by release, digest, or event',
        body: 'When you are investigating a release, start with the digest or release ID. When you are answering an audit question, start with the event or export type instead. The entry point depends on the question you need to answer.',
      },
      {
        title: 'Proof chains link evidence together',
        body: 'A single artifact rarely tells the whole story. Proof chains connect scan facts, policy verdicts, approvals, and deployment evidence so you can trace one decision end to end.',
      },
      {
        title: 'Operators and auditors read evidence differently',
        body: 'Operators usually want the fastest root cause. Auditors usually want tamper resistance and provenance. This page supports both lenses, which is why the same packet can feel technical and formal at once.',
      },
      {
        title: 'Evidence has a lifecycle',
        body: 'Evidence is generated, signed, linked into chains, exported, and eventually replayed or verified. Treat it as an active release artifact, not as archival debris.',
      },
    ],
  },
@@ -635,6 +779,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        title: 'Deterministic replay',
        body: 'Capsules can be "replayed" — feed the same inputs through the same policy and verify you get the same outputs. This proves the decision wasn\'t manipulated.',
      },
      {
        title: 'Capsules prove approvals too',
        body: 'Human approvals are part of the sealed record, not a side note. That matters when someone asks who accepted the remaining risk for a production release.',
      },
      {
        title: 'Exports are for handoff, not just backup',
        body: 'Export a capsule when you need to hand evidence to auditors, customers, or an air-gapped verifier. The export is a portable proof package, not merely a copy of UI data.',
      },
      {
        title: 'Replay is for trust verification',
        body: 'Use replay when you need to prove the policy engine would make the same decision again with the same inputs. That is stronger than saying "the UI looked green at the time."',
      },
      {
        title: 'Missing capsules mean the workflow stopped early',
        body: 'If a release has no capsule, it usually means scans, policy, or approvals never completed far enough to seal the full decision. Trace the missing step instead of searching for a hidden export button.',
      },
    ],
  },
@@ -772,6 +932,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        title: 'Pro tip: run daily',
        body: 'Set up a daily diagnostic run via Scheduled Jobs. It catches drift, expiring certificates, and stale feeds before they cause problems. Prevention > firefighting.',
      },
      {
        title: 'Run diagnostics after every infrastructure change',
        body: 'Any change to certificates, networking, registries, signing keys, or feed mirrors can break later workflows quietly. A post-change diagnostic run catches those breaks while the change is still fresh in memory.',
      },
      {
        title: 'Remediation steps are the shortest path out',
        body: 'When Doctor gives you remediation steps, use them before improvising. They are written to solve the common failure shape the check just detected.',
      },
      {
        title: 'One failing service can explain many symptoms',
        body: 'A stale dashboard, missing approvals, and broken feed checks may all share the same root cause. Diagnostics helps you find the upstream dependency instead of chasing each symptom separately.',
      },
      {
        title: 'Automated checks reduce sleep-loss',
        body: 'Scheduled diagnostics turn platform hygiene into a routine. That is how you find expiring trust roots or dead feeds before they become 2 AM incidents.',
      },
    ],
  },
@@ -794,6 +970,22 @@ export const PAGE_TIPS: Record<string, StellaHelperPageConfig> = {
        title: 'Zero integrations is normal',
        body: 'For a fresh install, no integrations means you haven\'t connected external tools yet. Stella works without them (you can scan manually), but integrations enable automation.',
      },
      {
        title: 'SCM and CI come after registry',
        body: 'Registry access gives Stella something concrete to scan immediately. SCM and CI become more valuable once image discovery is already working and you want scans to trigger automatically from your delivery flow.',
      },
      {
        title: 'Advisory sources are a different kind of integration',
        body: 'Registries provide images. Advisory and VEX sources provide intelligence about those images. You need both to move from inventory to actual risk decisions.',
      },
      {
        title: 'Secrets integrations reduce manual credential sprawl',
        body: 'Use secret stores for registry passwords, API keys, and signing material wherever possible. That keeps sensitive values out of hand-maintained browser forms and CI variables.',
      },
      {
        title: 'Connectivity checks are part of setup',
        body: 'After creating an integration, run the built-in check instead of assuming it works. A saved configuration with a failing credential is operationally the same as no integration at all.',
      },
    ],
  },
--- a/src/Web/StellaOps.Web/src/app/shared/components/stella-helper/stella-helper.component.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/stella-helper/stella-helper.component.ts
@@ -26,22 +26,9 @@ import {
  resolvePageKey,
 } from './stella-helper-tips.config';
 const STORAGE_KEY = 'stellaops.helper.preferences';
 const IDLE_ANIMATION_INTERVAL = 12_000; // wiggle every 12s
 const AUTO_TIP_INTERVAL = 45_000; // suggest next tip every 45s
 interface HelperPreferences {
  dismissed: boolean;
  seenPages: string[];
  tipIndex: Record<string, number>;
 }
 const DEFAULTS: HelperPreferences = {
  dismissed: false,
  seenPages: [],
  tipIndex: {},
 };
 /**
 * StellaHelperComponent — Clippy-style contextual help assistant.
 *
@@ -1207,7 +1194,7 @@ export class StellaHelperComponent implements OnInit, OnDestroy {
  });
  // ---- State ----
-  readonly prefs = signal<HelperPreferences>(this.loadPrefs());
+  readonly prefs = this.stellaPrefs.prefs;
  readonly forceShow = signal(false);
  readonly bubbleOpen = signal(false);
  readonly entering = signal(true);
@@ -1271,9 +1258,6 @@ export class StellaHelperComponent implements OnInit, OnDestroy {
  });
  constructor() {
    // Persist prefs on change
    effect(() => this.savePrefs(this.prefs()));
    // Sync service's isOpen → component's bubbleOpen
    // When external callers (global search, Ctrl+K) set assistant.isOpen(true),
    // the bubble should open. Uses allowSignalWrites to update bubbleOpen.
@@ -1517,25 +1501,4 @@ export class StellaHelperComponent implements OnInit, OnDestroy {
      tipIndex: { ...p.tipIndex, [key]: idx },
    }));
  }
  private loadPrefs(): HelperPreferences {
    try {
      const raw = localStorage.getItem(STORAGE_KEY);
      if (raw) {
        const parsed = JSON.parse(raw);
        return {
          dismissed: typeof parsed.dismissed === 'boolean' ? parsed.dismissed : DEFAULTS.dismissed,
          seenPages: Array.isArray(parsed.seenPages) ? parsed.seenPages : DEFAULTS.seenPages,
          tipIndex: parsed.tipIndex && typeof parsed.tipIndex === 'object' ? parsed.tipIndex : DEFAULTS.tipIndex,
        };
      }
    } catch { /* ignore */ }
    return { ...DEFAULTS };
  }
  private savePrefs(prefs: HelperPreferences): void {
    try {
      localStorage.setItem(STORAGE_KEY, JSON.stringify(prefs));
    } catch { /* ignore quota / private-mode */ }
  }
 }
--- a/src/Web/StellaOps.Web/src/app/shared/components/stella-helper/stella-preferences.service.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/components/stella-helper/stella-preferences.service.ts
@@ -0,0 +1,192 @@
 import { Injectable, signal, computed, effect } from '@angular/core';
 /**
 * Centralized preferences for the Stella Assistant mascot.
 * Owns mute/dismiss/seen state. Injected by both the mascot
 * component and the User Preferences page.
 *
 * Storage key: `stellaops.helper.preferences` (backward-compatible).
 */
 export interface StellaHelperPreferences {
  dismissed: boolean;
  tooltipsMuted: boolean;
  mutedPages: string[];
  mutedTipIds: string[];
  seenPages: string[];
  tipIndex: Record<string, number>;
  dismissedBanners: string[];
  seenHelpPages: string[];
  pageHelpOpen: Record<string, boolean>;
 }
 const STORAGE_KEY = 'stellaops.helper.preferences';
 const DEFAULTS: StellaHelperPreferences = {
  dismissed: false,
  tooltipsMuted: false,
  mutedPages: [],
  mutedTipIds: [],
  seenPages: [],
  tipIndex: {},
  dismissedBanners: [],
  seenHelpPages: [],
  pageHelpOpen: {},
 };
@Injectable({ providedIn: 'root' })
 export class StellaPreferencesService {
  readonly prefs = signal<StellaHelperPreferences>(this.load());
  // Convenience computed signals
  readonly isDismissed = computed(() => this.prefs().dismissed);
  readonly isTooltipsMuted = computed(() => this.prefs().tooltipsMuted);
  constructor() {
    effect(() => this.save(this.prefs()));
  }
  // ---- Mutation methods ----
  setDismissed(value: boolean): void {
    this.prefs.update(p => ({ ...p, dismissed: value }));
  }
  setTooltipsMuted(value: boolean): void {
    this.prefs.update(p => ({ ...p, tooltipsMuted: value }));
  }
  addMutedPage(pageKey: string): void {
    this.prefs.update(p => ({
      ...p,
      mutedPages: p.mutedPages.includes(pageKey) ? p.mutedPages : [...p.mutedPages, pageKey],
    }));
  }
  removeMutedPage(pageKey: string): void {
    this.prefs.update(p => ({
      ...p,
      mutedPages: p.mutedPages.filter(k => k !== pageKey),
    }));
  }
  addMutedTipId(tipTitle: string): void {
    this.prefs.update(p => ({
      ...p,
      mutedTipIds: p.mutedTipIds.includes(tipTitle) ? p.mutedTipIds : [...p.mutedTipIds, tipTitle],
    }));
  }
  markPageSeen(pageKey: string): void {
    this.prefs.update(p => ({
      ...p,
      seenPages: p.seenPages.includes(pageKey) ? p.seenPages : [...p.seenPages, pageKey],
    }));
  }
  isPageSeen(pageKey: string): boolean {
    return this.prefs().seenPages.includes(pageKey);
  }
  isPageMuted(pageKey: string): boolean {
    return this.prefs().mutedPages.includes(pageKey);
  }
  setTipIndex(pageKey: string, index: number): void {
    this.prefs.update(p => ({
      ...p,
      tipIndex: { ...p.tipIndex, [pageKey]: index },
    }));
  }
  getTipIndex(pageKey: string): number {
    return this.prefs().tipIndex[pageKey] ?? 0;
  }
  dismissBanner(bannerId: string): void {
    this.prefs.update((p) => ({
      ...p,
      dismissedBanners: p.dismissedBanners.includes(bannerId)
        ? p.dismissedBanners
        : [...p.dismissedBanners, bannerId],
    }));
  }
  restoreBanner(bannerId: string): void {
    this.prefs.update((p) => ({
      ...p,
      dismissedBanners: p.dismissedBanners.filter((id) => id !== bannerId),
    }));
  }
  isBannerDismissed(bannerId: string): boolean {
    return this.prefs().dismissedBanners.includes(bannerId);
  }
  markPageHelpSeen(pageKey: string): void {
    this.prefs.update((p) => ({
      ...p,
      seenHelpPages: p.seenHelpPages.includes(pageKey) ? p.seenHelpPages : [...p.seenHelpPages, pageKey],
    }));
  }
  isPageHelpSeen(pageKey: string): boolean {
    return this.prefs().seenHelpPages.includes(pageKey);
  }
  setPageHelpOpen(pageKey: string, open: boolean): void {
    this.prefs.update((p) => ({
      ...p,
      pageHelpOpen: { ...p.pageHelpOpen, [pageKey]: open },
    }));
  }
  isPageHelpOpen(pageKey: string): boolean {
    const override = this.prefs().pageHelpOpen[pageKey];
    if (typeof override === 'boolean') {
      return override;
    }
    return !this.isPageHelpSeen(pageKey);
  }
  resetSeenPages(): void {
    this.prefs.update(p => ({
      ...p,
      seenPages: [],
      mutedTipIds: [],
      seenHelpPages: [],
      pageHelpOpen: {},
      dismissedBanners: [],
    }));
  }
  // ---- Persistence ----
  private load(): StellaHelperPreferences {
    try {
      const raw = localStorage.getItem(STORAGE_KEY);
      if (raw) {
        const p = JSON.parse(raw);
        return {
          dismissed: typeof p.dismissed === 'boolean' ? p.dismissed : DEFAULTS.dismissed,
          tooltipsMuted: typeof p.tooltipsMuted === 'boolean' ? p.tooltipsMuted : DEFAULTS.tooltipsMuted,
          mutedPages: Array.isArray(p.mutedPages) ? p.mutedPages : DEFAULTS.mutedPages,
          mutedTipIds: Array.isArray(p.mutedTipIds) ? p.mutedTipIds : DEFAULTS.mutedTipIds,
          seenPages: Array.isArray(p.seenPages) ? p.seenPages : DEFAULTS.seenPages,
          tipIndex: p.tipIndex && typeof p.tipIndex === 'object' ? p.tipIndex : DEFAULTS.tipIndex,
          dismissedBanners: Array.isArray(p.dismissedBanners) ? p.dismissedBanners : DEFAULTS.dismissedBanners,
          seenHelpPages: Array.isArray(p.seenHelpPages) ? p.seenHelpPages : DEFAULTS.seenHelpPages,
          pageHelpOpen: p.pageHelpOpen && typeof p.pageHelpOpen === 'object' ? p.pageHelpOpen : DEFAULTS.pageHelpOpen,
        };
      }
    } catch { /* ignore */ }
    return { ...DEFAULTS };
  }
  private save(prefs: StellaHelperPreferences): void {
    try {
      localStorage.setItem(STORAGE_KEY, JSON.stringify(prefs));
    } catch { /* ignore quota/private-mode */ }
  }
 }
--- a/src/Web/StellaOps.Web/src/app/shared/directives/glossary-tooltip.directive.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/directives/glossary-tooltip.directive.spec.ts
@@ -0,0 +1,65 @@
 import { Component } from '@angular/core';
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { GlossaryTooltipDirective } from './glossary-tooltip.directive';
@Component({
  standalone: true,
  imports: [GlossaryTooltipDirective],
  template: `
    <p class="auto" stellaopsGlossaryTooltip>
      SBOM data maps CVE risk. A second SBOM mention should stay plain text.
    </p>
    <span class="specific" stellaopsGlossaryTooltip term="vex">VEX</span>
  `,
 })
 class GlossaryTooltipDirectiveHostComponent {}
 describe('GlossaryTooltipDirective', () => {
  let fixture: ComponentFixture<GlossaryTooltipDirectiveHostComponent>;
  beforeEach(async () => {
    await TestBed.configureTestingModule({
      imports: [GlossaryTooltipDirectiveHostComponent],
    }).compileComponents();
    fixture = TestBed.createComponent(GlossaryTooltipDirectiveHostComponent);
    fixture.detectChanges();
  });
  afterEach(() => {
    document.body.querySelectorAll('.glossary-tooltip').forEach((tooltip) => tooltip.remove());
  });
  it('wraps only the first occurrence of each detected term', () => {
    const autoCopy = fixture.nativeElement.querySelector('.auto') as HTMLElement;
    const glossaryTerms = autoCopy.querySelectorAll('.glossary-term--inline');
    const wrappedText = Array.from(glossaryTerms).map((term) => term.textContent?.trim());
    expect(wrappedText).toContain('SBOM');
    expect(wrappedText).toContain('CVE');
    expect(wrappedText.filter((term) => term === 'SBOM').length).toBe(1);
    expect(autoCopy.textContent).toContain('A second SBOM mention should stay plain text.');
  });
  it('can annotate a specific host element without auto-detect mode', () => {
    const specific = fixture.nativeElement.querySelector('.specific') as HTMLElement;
    expect(specific.classList.contains('glossary-term')).toBeTrue();
    expect(specific.getAttribute('role')).toBe('button');
    expect(specific.getAttribute('aria-label')).toContain('VEX');
  });
  it('shows a tooltip with the plain-language definition on hover', () => {
    const autoTerm = fixture.nativeElement.querySelector('.auto .glossary-term--inline') as HTMLElement;
    autoTerm.dispatchEvent(new Event('mouseenter'));
    fixture.detectChanges();
    const tooltip = document.body.querySelector('.glossary-tooltip') as HTMLElement | null;
    expect(tooltip).toBeTruthy();
    expect(tooltip?.textContent).toContain('SBOM');
    expect(tooltip?.textContent).toContain('ingredients list');
    autoTerm.dispatchEvent(new Event('mouseleave'));
    fixture.detectChanges();
  });
 });
--- a/src/Web/StellaOps.Web/src/app/shared/directives/glossary-tooltip.directive.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/directives/glossary-tooltip.directive.ts
@@ -1,210 +1,315 @@
 /**
 * Glossary Tooltip Directive
 * Sprint: SPRINT_20251226_010_FE_visual_diff_enhancements
 * Task: VD-ENH-07
 *
- * Auto-detects technical terms and adds plain language tooltips.
+ * Auto-detects Stella domain terms and annotates the first occurrence of each
 * term inside the host element with a tooltip. This directive is intentionally
 * always-on for onboarding copy; it does not depend on the plain-language
 * toggle used by explanation panels.
 */
 import {
  AfterViewInit,
  Directive,
  ElementRef,
  OnInit,
  OnDestroy,
  inject,
  input,
  Renderer2,
  effect,
 } from '@angular/core';
-import { PlainLanguageService, GlossaryEntry } from '../services/plain-language.service';
+import { GlossaryEntry, PlainLanguageService } from '../services/plain-language.service';
 const GLOSSARY_STYLE_ID = 'stellaops-glossary-tooltip-styles';
 const INTERACTIVE_ANCESTOR_SELECTOR = [
  'a',
  'button',
  'input',
  'textarea',
  'select',
  'code',
  'pre',
  '.glossary-term',
  '.glossary-term--inline',
 ].join(',');
 interface GlossaryMatch {
  entry: GlossaryEntry;
  key: string;
  index: number;
  matchedText: string;
 }
 let glossaryTooltipInstanceCounter = 0;
@Directive({
  selector: '[stellaopsGlossaryTooltip]',
  standalone: true,
 })
-export class GlossaryTooltipDirective implements OnInit, OnDestroy {
+export class GlossaryTooltipDirective implements AfterViewInit, OnDestroy {
-  private readonly el = inject(ElementRef);
+  private readonly el = inject<ElementRef<HTMLElement>>(ElementRef);
  private readonly renderer = inject(Renderer2);
  private readonly plainLanguageService = inject(PlainLanguageService);
  private readonly instanceId = `glossary-${++glossaryTooltipInstanceCounter}`;
-  /** Whether to auto-detect terms in the element's text content. */
+  /** Whether to auto-detect glossary terms in the host element. */
  autoDetect = input<boolean>(true);
-  /** Specific term to show tooltip for (if not auto-detecting). */
+  /** Specific term to annotate when auto-detection is not desired. */
  term = input<string | null>(null);
-  private tooltipElement: HTMLElement | null = null;
+  /** Reprocess the host when routed or async content changes. */
-  private cleanupFns: (() => void)[] = [];
+  observeMutations = input<boolean>(false);
  /** Optional descendant selector list to scope auto-detection to known copy blocks. */
  targetSelectors = input<string | null>(null);
  private originalHtml: string | null = null;
  private tooltipElement: HTMLElement | null = null;
  private annotationCleanupFns: Array<() => void> = [];
  private tooltipCleanupFns: Array<() => void> = [];
  private mutationObserver: MutationObserver | null = null;
  private reprocessTimer: ReturnType<typeof setTimeout> | null = null;
  private isProcessing = false;
-  constructor() {
+  ngAfterViewInit(): void {
-    effect(() => {
+    if (this.usesDynamicProcessing()) {
-      if (this.plainLanguageService.isPlainLanguageEnabled()) {
+      this.processDynamicContent();
-        this.processContent();
+      this.startMutationObserver();
-      } else {
+      return;
        this.restoreOriginal();
      }
    });
  }
  ngOnInit(): void {
    this.originalHtml = this.el.nativeElement.innerHTML;
    if (this.plainLanguageService.isPlainLanguageEnabled()) {
      this.processContent();
    }
    this.originalHtml = this.el.nativeElement.innerHTML;
    this.processContent();
  }
  ngOnDestroy(): void {
-    this.cleanup();
+    this.stopMutationObserver();
    if (this.reprocessTimer !== null) {
      clearTimeout(this.reprocessTimer);
      this.reprocessTimer = null;
    }
    if (this.usesDynamicProcessing()) {
      this.hideTooltip();
      this.annotationCleanupFns.forEach((cleanup) => cleanup());
      this.annotationCleanupFns = [];
      this.removeOwnedInlineTerms(this.el.nativeElement);
      return;
    }
    this.restoreOriginal();
  }
  private processContent(): void {
-    const specificTerm = this.term();
+    const host = this.el.nativeElement;
    const specificTerm = this.term()?.trim() || host.getAttribute('term')?.trim();
    if (specificTerm) {
      // Handle specific term
      const entry = this.plainLanguageService.getGlossaryEntry(specificTerm);
      if (entry) {
-        this.wrapElement(entry);
+        this.decorateHostElement(host, entry);
      }
-    } else if (this.autoDetect()) {
+      return;
-      // Auto-detect terms
+    }
-      this.processTextContent();
+
    if (!this.autoDetect()) {
      return;
    }
    const seenTerms = new Set<string>();
    const entries = this.plainLanguageService
      .getAllGlossaryEntries()
      .slice()
      .sort((left, right) => right.term.length - left.term.length);
    for (const textNode of this.collectTextNodes(host)) {
      this.annotateTextNode(textNode, entries, seenTerms);
    }
  }
-  private wrapElement(entry: GlossaryEntry): void {
+  private processTargets(root: HTMLElement, selectorList: string): void {
-    const el = this.el.nativeElement as HTMLElement;
+    const seenTerms = new Set<string>();
-    this.renderer.addClass(el, 'glossary-term');
+    const entries = this.plainLanguageService
-    this.renderer.setAttribute(el, 'tabindex', '0');
+      .getAllGlossaryEntries()
-    this.renderer.setAttribute(el, 'role', 'button');
+      .slice()
-    this.renderer.setAttribute(el, 'aria-describedby', `glossary-tooltip-${entry.term.toLowerCase()}`);
+      .sort((left, right) => right.term.length - left.term.length);
    const targets = Array.from(root.querySelectorAll<HTMLElement>(selectorList));
-    const mouseEnter = this.renderer.listen(el, 'mouseenter', () => this.showTooltip(entry, el));
+    for (const target of targets) {
-    const mouseLeave = this.renderer.listen(el, 'mouseleave', () => this.hideTooltip());
+      for (const textNode of this.collectTextNodes(target)) {
-    const focus = this.renderer.listen(el, 'focus', () => this.showTooltip(entry, el));
+        this.annotateTextNode(textNode, entries, seenTerms);
-    const blur = this.renderer.listen(el, 'blur', () => this.hideTooltip());
+      }
-
+    }
    this.cleanupFns.push(mouseEnter, mouseLeave, focus, blur);
  }
-  private processTextContent(): void {
+  private collectTextNodes(root: HTMLElement): Text[] {
-    const el = this.el.nativeElement as HTMLElement;
+    const walker = document.createTreeWalker(
-    const text = el.textContent ?? '';
+      root,
      NodeFilter.SHOW_TEXT,
      {
        acceptNode: (node: Node) => {
          if (!(node instanceof Text)) {
            return NodeFilter.FILTER_REJECT;
          }
-    const terms = this.plainLanguageService.findTermsInText(text);
+          if (!node.nodeValue?.trim()) {
-    if (terms.length === 0) return;
+            return NodeFilter.FILTER_REJECT;
          }
-    // Store original for restoration
+          const parent = node.parentElement;
-    if (!this.originalHtml) {
+          if (!parent) {
-      this.originalHtml = el.innerHTML;
+            return NodeFilter.FILTER_REJECT;
-    }
+          }
-    // Process terms in reverse order to maintain positions
+          if (parent.closest(INTERACTIVE_ANCESTOR_SELECTOR)) {
-    let html = el.innerHTML;
+            return NodeFilter.FILTER_REJECT;
-    const processedPositions = new Set<number>();
+          }
-    for (const { term, start, end } of [...terms].reverse()) {
+          return NodeFilter.FILTER_ACCEPT;
-      // Skip if this position overlaps with already processed
+        },
      if (processedPositions.has(start)) continue;
      const entry = this.plainLanguageService.getGlossaryEntry(term);
      if (!entry) continue;
      // Find the term in HTML (accounting for potential tags)
      const regex = new RegExp(`(${this.escapeRegex(text.substring(start, end))})`, 'gi');
      const replacement = `<span class="glossary-term glossary-term--inline" data-term="${entry.term.toLowerCase()}" tabindex="0" role="button">$1</span>`;
      html = html.replace(regex, replacement);
      processedPositions.add(start);
    }
    el.innerHTML = html;
    // Add event listeners to wrapped terms
    const termElements = el.querySelectorAll('.glossary-term--inline');
    termElements.forEach(termEl => {
      const termName = termEl.getAttribute('data-term');
      const entry = termName ? this.plainLanguageService.getGlossaryEntry(termName) : null;
      if (entry) {
        const mouseEnter = this.renderer.listen(termEl, 'mouseenter', () =>
          this.showTooltip(entry, termEl as HTMLElement)
        );
        const mouseLeave = this.renderer.listen(termEl, 'mouseleave', () => this.hideTooltip());
        const focus = this.renderer.listen(termEl, 'focus', () =>
          this.showTooltip(entry, termEl as HTMLElement)
        );
        const blur = this.renderer.listen(termEl, 'blur', () => this.hideTooltip());
        this.cleanupFns.push(mouseEnter, mouseLeave, focus, blur);
      }
-    });
+    );
    const textNodes: Text[] = [];
    let current = walker.nextNode();
    while (current) {
      textNodes.push(current as Text);
      current = walker.nextNode();
    }
    return textNodes;
  }
  private annotateTextNode(textNode: Text, entries: GlossaryEntry[], seenTerms: Set<string>): void {
    const text = textNode.nodeValue ?? '';
    const matches = entries
      .filter((entry) => !seenTerms.has(this.normalizeKey(entry.term)))
      .map((entry) => this.findFirstMatch(text, entry))
      .filter((match): match is GlossaryMatch => match !== null)
      .sort((left, right) => left.index - right.index || right.matchedText.length - left.matchedText.length);
    if (matches.length === 0) {
      return;
    }
    const fragment = document.createDocumentFragment();
    let cursor = 0;
    let replacedAny = false;
    for (const match of matches) {
      if (match.index < cursor) {
        continue;
      }
      if (match.index > cursor) {
        fragment.append(text.slice(cursor, match.index));
      }
      fragment.append(this.createInlineTerm(match.entry, match.matchedText));
      seenTerms.add(match.key);
      cursor = match.index + match.matchedText.length;
      replacedAny = true;
    }
    if (!replacedAny) {
      return;
    }
    if (cursor < text.length) {
      fragment.append(text.slice(cursor));
    }
    textNode.parentNode?.replaceChild(fragment, textNode);
  }
  private decorateHostElement(host: HTMLElement, entry: GlossaryEntry): void {
    host.classList.add('glossary-term');
    host.setAttribute('tabindex', host.getAttribute('tabindex') ?? '0');
    host.setAttribute('role', host.getAttribute('role') ?? 'button');
    host.setAttribute('aria-label', `${entry.term}: show glossary definition`);
    this.bindTooltip(host, entry);
  }
  private createInlineTerm(entry: GlossaryEntry, matchedText: string): HTMLElement {
    const termEl = this.renderer.createElement('span') as HTMLElement;
    termEl.className = 'glossary-term glossary-term--inline';
    termEl.setAttribute('data-stellaops-glossary-owner', this.instanceId);
    termEl.setAttribute('tabindex', '0');
    termEl.setAttribute('role', 'button');
    termEl.setAttribute('aria-label', `${entry.term}: show glossary definition`);
    termEl.textContent = matchedText;
    this.bindTooltip(termEl, entry);
    return termEl;
  }
  private bindTooltip(anchor: HTMLElement, entry: GlossaryEntry): void {
    const mouseEnter = this.renderer.listen(anchor, 'mouseenter', () => this.showTooltip(entry, anchor));
    const mouseLeave = this.renderer.listen(anchor, 'mouseleave', () => this.hideTooltip());
    const focus = this.renderer.listen(anchor, 'focus', () => this.showTooltip(entry, anchor));
    const blur = this.renderer.listen(anchor, 'blur', () => this.hideTooltip());
    this.annotationCleanupFns.push(mouseEnter, mouseLeave, focus, blur);
  }
  private showTooltip(entry: GlossaryEntry, anchor: HTMLElement): void {
    this.hideTooltip();
    this.ensureStyles();
    const tooltip = this.renderer.createElement('div') as HTMLElement;
    this.tooltipElement = tooltip;
-    this.renderer.addClass(tooltip, 'glossary-tooltip');
+    tooltip.className = 'glossary-tooltip';
-    this.renderer.setAttribute(tooltip, 'role', 'tooltip');
+    tooltip.setAttribute('role', 'tooltip');
    this.renderer.setAttribute(tooltip, 'id', `glossary-tooltip-${entry.term.toLowerCase()}`);
-    const content = `
+    const header = entry.abbreviation
-      <div class="glossary-tooltip__header">
+      ? `${this.escapeHtml(entry.term)} <span class="glossary-tooltip__abbr">(${this.escapeHtml(entry.abbreviation)})</span>`
-        <span class="glossary-tooltip__term">${entry.term}</span>
+      : this.escapeHtml(entry.term);
-        ${entry.abbreviation ? `<span class="glossary-tooltip__abbr">(${entry.abbreviation})</span>` : ''}
+
-      </div>
+    tooltip.innerHTML = `
-      <div class="glossary-tooltip__body">
+      <div class="glossary-tooltip__header">${header}</div>
-        <p class="glossary-tooltip__plain">${entry.plainLanguage}</p>
+      <p class="glossary-tooltip__plain">${this.escapeHtml(entry.plainLanguage)}</p>
-        <p class="glossary-tooltip__detail">${entry.detailedExplanation}</p>
+      <p class="glossary-tooltip__detail">${this.escapeHtml(entry.detailedExplanation)}</p>
        ${entry.learnMoreUrl ? `<a class="glossary-tooltip__link" href="${entry.learnMoreUrl}" target="_blank" rel="noopener">Learn more →</a>` : ''}
      </div>
    `;
    this.renderer.setProperty(tooltip, 'innerHTML', content);
    this.renderer.appendChild(document.body, tooltip);
    // Position tooltip
    this.positionTooltip(anchor);
-    // Add close on click outside
+    const clickOutside = this.renderer.listen('document', 'mousedown', (event: MouseEvent) => {
-    setTimeout(() => {
+      const target = event.target as Node | null;
-      const clickOutside = this.renderer.listen('document', 'click', (event: MouseEvent) => {
+      if (!target || (!tooltip.contains(target) && target !== anchor)) {
-        if (!this.tooltipElement?.contains(event.target as Node) && event.target !== anchor) {
+        this.hideTooltip();
-          this.hideTooltip();
+      }
-        }
+    });
-      });
+    const onScroll = this.renderer.listen('window', 'scroll', () => this.hideTooltip());
-      this.cleanupFns.push(clickOutside);
+    const onResize = this.renderer.listen('window', 'resize', () => this.hideTooltip());
-    }, 0);
+
    this.tooltipCleanupFns.push(clickOutside, onScroll, onResize);
  }
  private positionTooltip(anchor: HTMLElement): void {
-    if (!this.tooltipElement) return;
+    if (!this.tooltipElement) {
      return;
    }
    const rect = anchor.getBoundingClientRect();
    const tooltipRect = this.tooltipElement.getBoundingClientRect();
    let top = rect.bottom + 8;
    let left = rect.left + rect.width / 2 - tooltipRect.width / 2;
-
+    if (left < 12) {
-    // Keep within viewport
+      left = 12;
-    if (left < 8) left = 8;
+    }
-    if (left + tooltipRect.width > window.innerWidth - 8) {
+    if (left + tooltipRect.width > window.innerWidth - 12) {
-      left = window.innerWidth - tooltipRect.width - 8;
+      left = window.innerWidth - tooltipRect.width - 12;
    }
-    // Flip to top if not enough space below
+    let top = rect.bottom + 10;
-    if (top + tooltipRect.height > window.innerHeight - 8) {
+    if (top + tooltipRect.height > window.innerHeight - 12) {
-      top = rect.top - tooltipRect.height - 8;
+      top = rect.top - tooltipRect.height - 10;
-      this.renderer.addClass(this.tooltipElement, 'glossary-tooltip--above');
+      this.tooltipElement.classList.add('glossary-tooltip--above');
    } else {
      this.tooltipElement.classList.remove('glossary-tooltip--above');
    }
-    this.renderer.setStyle(this.tooltipElement, 'top', `${top}px`);
+    this.tooltipElement.style.top = `${Math.max(12, top)}px`;
-    this.renderer.setStyle(this.tooltipElement, 'left', `${left}px`);
+    this.tooltipElement.style.left = `${left}px`;
  }
  private hideTooltip(): void {
@@ -212,22 +317,203 @@ export class GlossaryTooltipDirective implements OnInit, OnDestroy {
      this.renderer.removeChild(document.body, this.tooltipElement);
      this.tooltipElement = null;
    }
    this.tooltipCleanupFns.forEach((cleanup) => cleanup());
    this.tooltipCleanupFns = [];
  }
  private restoreOriginal(): void {
    this.hideTooltip();
    this.annotationCleanupFns.forEach((cleanup) => cleanup());
    this.annotationCleanupFns = [];
    if (this.originalHtml !== null) {
      this.el.nativeElement.innerHTML = this.originalHtml;
    }
    this.cleanup();
  }
-  private cleanup(): void {
+  private usesDynamicProcessing(): boolean {
    return this.observeMutations() || Boolean(this.targetSelectors()?.trim());
  }
  private processDynamicContent(): void {
    if (this.isProcessing) {
      return;
    }
    this.isProcessing = true;
    try {
      this.removeOwnedInlineTerms(this.el.nativeElement);
      const selectorList = this.targetSelectors()?.trim();
      if (selectorList) {
        this.processTargets(this.el.nativeElement, selectorList);
      } else {
        this.processContent();
      }
    } finally {
      this.isProcessing = false;
    }
  }
  private startMutationObserver(): void {
    if (!this.observeMutations() || this.mutationObserver) {
      return;
    }
    this.mutationObserver = new MutationObserver(() => this.scheduleReprocess());
    this.mutationObserver.observe(this.el.nativeElement, {
      childList: true,
      subtree: true,
      characterData: true,
    });
  }
  private stopMutationObserver(): void {
    this.mutationObserver?.disconnect();
    this.mutationObserver = null;
  }
  private scheduleReprocess(): void {
    if (this.reprocessTimer !== null || this.isProcessing) {
      return;
    }
    this.reprocessTimer = setTimeout(() => {
      this.reprocessTimer = null;
      this.stopMutationObserver();
      this.processDynamicContent();
      this.startMutationObserver();
    }, 0);
  }
  private removeOwnedInlineTerms(root: HTMLElement): void {
    this.hideTooltip();
-    this.cleanupFns.forEach(fn => fn());
+    this.annotationCleanupFns.forEach((cleanup) => cleanup());
-    this.cleanupFns = [];
+    this.annotationCleanupFns = [];
    const ownedTerms = Array.from(
      root.querySelectorAll<HTMLElement>(`[data-stellaops-glossary-owner="${this.instanceId}"]`)
    );
    for (const term of ownedTerms) {
      term.replaceWith(document.createTextNode(term.textContent ?? ''));
    }
  }
-  private escapeRegex(str: string): string {
+  private findFirstMatch(text: string, entry: GlossaryEntry): GlossaryMatch | null {
-    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    let bestMatch: GlossaryMatch | null = null;
    for (const label of this.getDetectionLabels(entry)) {
      const regex = new RegExp(`\\b${this.escapeRegex(label)}\\b`, 'i');
      const match = regex.exec(text);
      if (!match || match.index === undefined) {
        continue;
      }
      const candidate: GlossaryMatch = {
        entry,
        key: this.normalizeKey(entry.term),
        index: match.index,
        matchedText: match[0],
      };
      if (
        !bestMatch ||
        candidate.index < bestMatch.index ||
        (candidate.index === bestMatch.index && candidate.matchedText.length > bestMatch.matchedText.length)
      ) {
        bestMatch = candidate;
      }
    }
    return bestMatch;
  }
  private getDetectionLabels(entry: GlossaryEntry): string[] {
    const labels = [entry.term];
    if (entry.abbreviation) {
      labels.push(entry.abbreviation);
    }
    return labels;
  }
  private normalizeKey(value: string): string {
    return value.toLowerCase().replace(/[\s-]+/g, '_');
  }
  private ensureStyles(): void {
    if (document.getElementById(GLOSSARY_STYLE_ID)) {
      return;
    }
    const styleEl = this.renderer.createElement('style') as HTMLStyleElement;
    styleEl.id = GLOSSARY_STYLE_ID;
    styleEl.textContent = `
      .glossary-term {
        cursor: help;
        text-decoration: underline dotted color-mix(in srgb, var(--color-brand-primary, #2563eb) 70%, transparent);
        text-underline-offset: 0.18em;
      }
      .glossary-term--inline {
        color: var(--color-brand-primary, #2563eb);
        font-weight: 600;
      }
      .glossary-tooltip {
        position: fixed;
        z-index: 900;
        max-width: min(24rem, calc(100vw - 24px));
        display: grid;
        gap: 0.45rem;
        padding: 0.8rem 0.9rem;
        border: 1px solid color-mix(in srgb, var(--color-brand-primary, #2563eb) 22%, var(--color-border-primary, #d0d7de));
        border-radius: 0.85rem;
        background: color-mix(in srgb, var(--color-surface-elevated, #ffffff) 96%, var(--color-brand-primary, #2563eb) 4%);
        color: var(--color-text-primary, #0f172a);
        box-shadow: 0 16px 42px rgba(15, 23, 42, 0.18);
      }
      .glossary-tooltip__header {
        font-size: 0.84rem;
        font-weight: 700;
        line-height: 1.35;
      }
      .glossary-tooltip__abbr {
        color: var(--color-text-secondary, #475569);
        font-weight: 600;
      }
      .glossary-tooltip__plain,
      .glossary-tooltip__detail {
        margin: 0;
        line-height: 1.45;
      }
      .glossary-tooltip__plain {
        color: var(--color-text-primary, #0f172a);
        font-size: 0.82rem;
        font-weight: 600;
      }
      .glossary-tooltip__detail {
        color: var(--color-text-secondary, #475569);
        font-size: 0.78rem;
      }
    `;
    this.renderer.appendChild(document.head, styleEl);
  }
  private escapeRegex(value: string): string {
    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  }
  private escapeHtml(value: string): string {
    return value
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;');
  }
 }
--- a/src/Web/StellaOps.Web/src/app/shared/services/plain-language.service.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/services/plain-language.service.spec.ts
@@ -150,10 +150,12 @@ describe('PlainLanguageService', () => {
  describe('getAllGlossaryEntries', () => {
    it('should return all glossary entries', () => {
      const entries = service.getAllGlossaryEntries();
-      expect(entries.length).toBeGreaterThan(10);
+      expect(entries.length).toBeGreaterThanOrEqual(25);
      expect(entries.some(e => e.term === 'SBOM')).toBeTrue();
      expect(entries.some(e => e.term === 'CVE')).toBeTrue();
      expect(entries.some(e => e.term === 'VEX')).toBeTrue();
      expect(entries.some(e => e.term === 'Policy Gate')).toBeTrue();
      expect(entries.some(e => e.term === 'Evidence Bundle')).toBeTrue();
    });
  });
--- a/src/Web/StellaOps.Web/src/app/shared/services/plain-language.service.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/services/plain-language.service.ts
@@ -246,6 +246,132 @@ export class PlainLanguageService {
      learnMoreUrl: 'https://github.com/package-url/purl-spec',
      relatedTerms: ['sbom', 'dependency'],
    }],
    ['advisory', {
      term: 'Advisory',
      plainLanguage: 'A published notice describing a security issue, mitigation, or fix',
      detailedExplanation: 'An advisory is the written guidance that tells operators what happened, which versions are affected, and what to do next.',
      relatedTerms: ['cve', 'vex', 'feed'],
    }],
    ['feed', {
      term: 'Feed',
      plainLanguage: 'A source Stella syncs to pull in new advisories and status updates',
      detailedExplanation: 'Feeds are the upstream streams of vulnerability and VEX data. Stella mirrors them so scans and release decisions use current evidence.',
      relatedTerms: ['advisory', 'vex', 'sbom'],
    }],
    ['artifact', {
      term: 'Artifact',
      plainLanguage: 'The build output you want Stella to inspect or promote',
      detailedExplanation: 'An artifact can be a container image, package, bundle, or other immutable build output. It is the thing being scanned, signed, or deployed.',
      relatedTerms: ['digest', 'registry', 'promotion'],
    }],
    ['registry', {
      term: 'Registry',
      plainLanguage: 'The system where built images or packages are stored before deployment',
      detailedExplanation: 'A registry is the warehouse for release artifacts. Stella connects to it so it can discover versions, scan them, and prove what was deployed.',
      relatedTerms: ['artifact', 'digest', 'promotion'],
    }],
    ['digest', {
      term: 'Digest',
      plainLanguage: 'The immutable fingerprint of an artifact',
      detailedExplanation: 'A digest is a cryptographic hash of an image or package. Tags can move, but a digest points to exactly one artifact forever.',
      relatedTerms: ['artifact', 'attestation', 'provenance'],
    }],
    ['provenance', {
      term: 'Provenance',
      plainLanguage: 'The recorded history of how a build was produced',
      detailedExplanation: 'Provenance links source, builder, inputs, and outputs so you can answer "where did this artifact come from?" with verifiable evidence.',
      relatedTerms: ['attestation', 'digest', 'evidence bundle'],
    }],
    ['evidence_bundle', {
      term: 'Evidence Bundle',
      plainLanguage: 'The portable package of records used to explain and verify a release decision',
      detailedExplanation: 'An evidence bundle collects the key facts for a decision: scan results, attestations, policy outcomes, and signatures so an auditor can review them offline.',
      relatedTerms: ['attestation', 'provenance', 'dsse'],
    }],
    ['policy_gate', {
      term: 'Policy Gate',
      plainLanguage: 'A required checkpoint a release must pass before promotion',
      detailedExplanation: 'A policy gate is a yes-or-no decision stage. Stella evaluates the evidence at that point and blocks promotion if the rule is not satisfied.',
      relatedTerms: ['policy pack', 'promotion', 'risk budget'],
    }],
    ['policy_pack', {
      term: 'Policy Pack',
      plainLanguage: 'A versioned set of rules Stella uses to evaluate releases',
      detailedExplanation: 'Policy packs bundle related gates and thresholds together so teams can review, test, and promote policy changes the same way they promote code.',
      relatedTerms: ['policy gate', 'simulation', 'sealed mode'],
    }],
    ['promotion', {
      term: 'Promotion',
      plainLanguage: 'The movement of a release from one environment to the next',
      detailedExplanation: 'Promotion is the controlled handoff from Dev to Stage to Prod. Stella records the gates, approvals, and evidence used at each step.',
      relatedTerms: ['policy gate', 'artifact', 'environment'],
    }],
    ['exception', {
      term: 'Exception',
      plainLanguage: 'A documented, time-bound decision to bypass a normal policy outcome',
      detailedExplanation: 'Exceptions are the escape hatches for unusual situations. They should name the risk, the reason, the approver, and when the exception expires.',
      relatedTerms: ['policy gate', 'risk budget', 'attestation'],
    }],
    ['trust_weight', {
      term: 'Trust Weight',
      plainLanguage: 'How much influence a source has when Stella combines conflicting statements',
      detailedExplanation: 'When multiple sources disagree, Stella does not treat them equally. Trust weights let operators say which vendors, scanners, or internal issuers should count more.',
      relatedTerms: ['vex', 'feed', 'consensus'],
    }],
    ['sealed_mode', {
      term: 'Sealed Mode',
      plainLanguage: 'A stricter operating mode where decisions must use approved, fixed inputs',
      detailedExplanation: 'Sealed mode is for high-assurance releases. It limits policy and evidence to trusted, versioned inputs so the decision can be replayed exactly later.',
      relatedTerms: ['policy pack', 'attestation', 'provenance'],
    }],
    ['blast_radius', {
      term: 'Blast Radius',
      plainLanguage: 'How much of the system would be affected if something goes wrong',
      detailedExplanation: 'Blast radius is the size of the impact zone. A small blast radius affects one service; a large one can spread across environments or shared dependencies.',
      relatedTerms: ['reachability', 'promotion', 'risk budget'],
    }],
    ['risk_budget', {
      term: 'Risk Budget',
      plainLanguage: 'The amount of risk a team is willing to carry for a release or environment',
      detailedExplanation: 'A risk budget turns policy into an allowance. Instead of arguing about every issue in isolation, teams decide how much unresolved risk is acceptable before promotion stops.',
      relatedTerms: ['policy gate', 'exception', 'blast radius'],
    }],
    ['simulation', {
      term: 'Simulation',
      plainLanguage: 'A dry run that shows how policy would behave before you enforce it',
      detailedExplanation: 'Simulation lets operators test a rule change against real data without blocking releases. It is the safe place to see what would have passed, warned, or failed.',
      relatedTerms: ['policy pack', 'policy gate', 'promotion'],
    }],
    ['issuer', {
      term: 'Issuer',
      plainLanguage: 'The identity Stella trusts to sign evidence or policy statements',
      detailedExplanation: 'An issuer is the signer or authority behind a statement. If you trust the issuer, you can trust the signed evidence came from the expected source.',
      relatedTerms: ['attestation', 'dsse', 'trust weight'],
    }],
    ['signature', {
      term: 'Signature',
      plainLanguage: 'The cryptographic mark proving who created a record and that it was not altered',
      detailedExplanation: 'A signature lets Stella verify both authorship and integrity. If the content changes after signing, the signature no longer validates.',
      relatedTerms: ['dsse', 'issuer', 'attestation'],
    }],
    ['dependency', {
      term: 'Dependency',
      plainLanguage: 'A library, package, or component your software relies on',
      detailedExplanation: 'Dependencies are the building blocks pulled into your application. They are where most SBOM entries and many transitive vulnerabilities come from.',
      relatedTerms: ['sbom', 'purl', 'artifact'],
    }],
    ['vulnerability', {
      term: 'Vulnerability',
      plainLanguage: 'A weakness in software that could be abused by an attacker',
      detailedExplanation: 'A vulnerability is the bug or design flaw itself. CVEs, scores, reachability, and VEX statements are all different ways of describing how much that flaw matters to you.',
      relatedTerms: ['cve', 'cvss', 'reachability'],
    }],
    ['exploitability', {
      term: 'Exploitability',
      plainLanguage: 'How practical it is for an attacker to turn a vulnerability into a real attack',
      detailedExplanation: 'Exploitability asks whether the vulnerable code is reachable, exposed, and useful to an attacker. It is the difference between "bug exists" and "bug is actually dangerous here."',
      relatedTerms: ['reachability', 'epss', 'kev'],
    }],
  ]);
  constructor() {
--- a/src/Web/StellaOps.Web/src/app/shared/ui/context-header/context-header.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/ui/context-header/context-header.component.spec.ts
@@ -43,30 +43,43 @@ class ContextHeaderTestHostComponent {
 }
 describe('ContextHeaderComponent', () => {
  let fixture: ComponentFixture<ContextHeaderTestHostComponent>;
  let host: ContextHeaderTestHostComponent;
  let el: HTMLElement;
  beforeEach(async () => {
    await TestBed.configureTestingModule({
      imports: [ContextHeaderTestHostComponent],
    }).compileComponents();
    fixture = TestBed.createComponent(ContextHeaderTestHostComponent);
    host = fixture.componentInstance;
    el = fixture.nativeElement;
    fixture.detectChanges();
  });
  async function renderHost(
    overrides: Partial<ContextHeaderTestHostComponent> = {},
  ): Promise<{
    fixture: ComponentFixture<ContextHeaderTestHostComponent>;
    host: ContextHeaderTestHostComponent;
    el: HTMLElement;
  }> {
    const fixture = TestBed.createComponent(ContextHeaderTestHostComponent);
    const host = fixture.componentInstance;
    Object.assign(host, overrides);
    fixture.detectChanges();
    await fixture.whenStable();
    fixture.detectChanges();
    return {
      fixture,
      host,
      el: fixture.nativeElement as HTMLElement,
    };
  }
  /* ---- Title rendering ---- */
-  it('renders the title as an h1 by default', () => {
+  it('renders the title as an h1 by default', async () => {
    const { el } = await renderHost();
    const h1 = el.querySelector('h1');
    expect(h1).toBeTruthy();
    expect(h1!.textContent!.trim()).toBe('Test Page');
  });
-  it('does not render eyebrow, subtitle, or note when empty', () => {
+  it('does not render eyebrow, subtitle, or note when empty', async () => {
    const { el } = await renderHost();
    expect(el.querySelector('.context-header__eyebrow')).toBeFalsy();
    expect(el.querySelector('.context-header__subtitle')).toBeFalsy();
    expect(el.querySelector('.context-header__note')).toBeFalsy();
@@ -74,30 +87,39 @@ describe('ContextHeaderComponent', () => {
  /* ---- Eyebrow/subtitle display ---- */
-  it('renders eyebrow text when provided', () => {
+  it('renders eyebrow text when provided', async () => {
-    host.eyebrow = 'Ops / Policy';
+    const { el } = await renderHost({ eyebrow: 'Ops / Policy' });
    fixture.detectChanges();
    const eyebrow = el.querySelector('.context-header__eyebrow');
    expect(eyebrow).toBeTruthy();
    expect(eyebrow!.textContent!.trim()).toBe('Ops / Policy');
  });
-  it('renders subtitle and context note when provided', () => {
+  it('renders subtitle and context note when provided', async () => {
-    host.subtitle = 'A brief description';
+    const { el } = await renderHost({
-    host.contextNote = 'Additional operational context';
+      subtitle: 'A brief description',
-    fixture.detectChanges();
+      contextNote: 'Additional operational context',
-
+    });
    expect(el.querySelector('.context-header__subtitle')!.textContent!.trim()).toBe('A brief description');
    expect(el.querySelector('.context-header__note')!.textContent!.trim()).toBe('Additional operational context');
  });
  it('auto-annotates glossary terms in title and subtitle copy', async () => {
    const { el } = await renderHost({
      title: 'SBOM overview',
      subtitle: 'VEX and CVE status for this release',
    });
    const glossaryTerms = el.querySelectorAll('.glossary-term--inline');
    const wrappedText = Array.from(glossaryTerms).map((term) => term.textContent?.trim());
    expect(wrappedText).toContain('SBOM');
    expect(wrappedText).toContain('VEX');
    expect(wrappedText).toContain('CVE');
  });
  /* ---- Chips ---- */
-  it('renders chips when provided', () => {
+  it('renders chips when provided', async () => {
-    host.chips = ['running', 'prod', 'v2.1'];
+    const { el } = await renderHost({ chips: ['running', 'prod', 'v2.1'] });
    fixture.detectChanges();
    const chips = el.querySelectorAll('.context-header__chip');
    expect(chips.length).toBe(3);
    expect(chips[0].textContent!.trim()).toBe('running');
@@ -105,17 +127,13 @@ describe('ContextHeaderComponent', () => {
    expect(chips[2].textContent!.trim()).toBe('v2.1');
  });
-  it('does not render chips container when empty', () => {
+  it('does not render chips container when empty', async () => {
-    host.chips = [];
+    const { el } = await renderHost({ chips: [] });
    fixture.detectChanges();
    expect(el.querySelector('.context-header__chips')).toBeFalsy();
  });
-  it('marks chip container with role=list for accessibility', () => {
+  it('marks chip container with role=list for accessibility', async () => {
-    host.chips = ['status'];
+    const { el } = await renderHost({ chips: ['status'] });
    fixture.detectChanges();
    const container = el.querySelector('.context-header__chips');
    expect(container!.getAttribute('role')).toBe('list');
    expect(container!.getAttribute('aria-label')).toBe('Context chips');
@@ -126,17 +144,13 @@ describe('ContextHeaderComponent', () => {
  /* ---- Back action behavior ---- */
-  it('hides back button when backLabel is null', () => {
+  it('hides back button when backLabel is null', async () => {
-    host.backLabel = null;
+    const { el } = await renderHost({ backLabel: null });
    fixture.detectChanges();
    expect(el.querySelector('.context-header__return')).toBeFalsy();
  });
-  it('renders back button and emits backClick when clicked', () => {
+  it('renders back button and emits backClick when clicked', async () => {
-    host.backLabel = 'Return to Findings';
+    const { fixture, host, el } = await renderHost({ backLabel: 'Return to Findings' });
    fixture.detectChanges();
    const button = el.querySelector('.context-header__return') as HTMLButtonElement;
    expect(button).toBeTruthy();
    expect(button.textContent).toContain('Return to Findings');
@@ -150,7 +164,8 @@ describe('ContextHeaderComponent', () => {
  /* ---- Action slot projection ---- */
-  it('projects content into the header-actions slot', () => {
+  it('projects content into the header-actions slot', async () => {
    const { el } = await renderHost();
    const projected = el.querySelector('[data-testid="projected-action"]');
    expect(projected).toBeTruthy();
    expect(projected!.textContent!.trim()).toBe('Do Something');
@@ -158,19 +173,15 @@ describe('ContextHeaderComponent', () => {
  /* ---- Heading levels (accessibility) ---- */
-  it('renders h2 when headingLevel is 2', () => {
+  it('renders h2 when headingLevel is 2', async () => {
-    host.headingLevel = 2;
+    const { el } = await renderHost({ headingLevel: 2 });
    fixture.detectChanges();
    expect(el.querySelector('h1')).toBeFalsy();
    expect(el.querySelector('h2')).toBeTruthy();
    expect(el.querySelector('h2')!.textContent!.trim()).toBe('Test Page');
  });
-  it('renders h3 when headingLevel is 3', () => {
+  it('renders h3 when headingLevel is 3', async () => {
-    host.headingLevel = 3;
+    const { el } = await renderHost({ headingLevel: 3 });
    fixture.detectChanges();
    expect(el.querySelector('h1')).toBeFalsy();
    expect(el.querySelector('h3')).toBeTruthy();
    expect(el.querySelector('h3')!.textContent!.trim()).toBe('Test Page');
@@ -178,25 +189,22 @@ describe('ContextHeaderComponent', () => {
  /* ---- Test ID ---- */
-  it('sets data-testid on the header element when provided', () => {
+  it('sets data-testid on the header element when provided', async () => {
-    host.testId = 'my-page-header';
+    const { el } = await renderHost({ testId: 'my-page-header' });
    fixture.detectChanges();
    const header = el.querySelector('header');
    expect(header!.getAttribute('data-testid')).toBe('my-page-header');
  });
-  it('does not set data-testid when testId is null', () => {
+  it('does not set data-testid when testId is null', async () => {
-    host.testId = null;
+    const { el } = await renderHost({ testId: null });
    fixture.detectChanges();
    const header = el.querySelector('header');
    expect(header!.getAttribute('data-testid')).toBeNull();
  });
  /* ---- Responsive behavior (structural check) ---- */
-  it('renders the header with flex layout between copy and actions', () => {
+  it('renders the header with flex layout between copy and actions', async () => {
    const { el } = await renderHost();
    const header = el.querySelector('.context-header') as HTMLElement;
    expect(header).toBeTruthy();
--- a/src/Web/StellaOps.Web/src/app/shared/ui/context-header/context-header.component.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/ui/context-header/context-header.component.ts
@@ -8,6 +8,7 @@
 * Replaces the deprecated PageHeaderComponent (SPRINT-027).
 */
 import { ChangeDetectionStrategy, Component, EventEmitter, Input, Output } from '@angular/core';
 import { GlossaryTooltipDirective } from '../../directives/glossary-tooltip.directive';
 /** Allowed heading element levels for the title. */
 export type HeadingLevel = 1 | 2 | 3;
@@ -15,26 +16,27 @@ export type HeadingLevel = 1 | 2 | 3;
@Component({
  selector: 'app-context-header',
  standalone: true,
  imports: [GlossaryTooltipDirective],
  template: `
    <header
      class="context-header"
      [attr.data-testid]="testId"
    >
-      <div class="context-header__copy">
+        <div class="context-header__copy">
        @if (eyebrow) {
-          <p class="context-header__eyebrow">{{ eyebrow }}</p>
+          <p class="context-header__eyebrow" stellaopsGlossaryTooltip>{{ eyebrow }}</p>
        }
        <div class="context-header__title-row">
          @switch (headingLevel) {
            @case (2) {
-              <h2 class="context-header__title">{{ title }}</h2>
+              <h2 class="context-header__title" stellaopsGlossaryTooltip>{{ title }}</h2>
            }
            @case (3) {
-              <h3 class="context-header__title">{{ title }}</h3>
+              <h3 class="context-header__title" stellaopsGlossaryTooltip>{{ title }}</h3>
            }
            @default {
-              <h1 class="context-header__title">{{ title }}</h1>
+              <h1 class="context-header__title" stellaopsGlossaryTooltip>{{ title }}</h1>
            }
          }
@@ -48,11 +50,11 @@ export type HeadingLevel = 1 | 2 | 3;
        </div>
        @if (subtitle) {
-          <p class="context-header__subtitle">{{ subtitle }}</p>
+          <p class="context-header__subtitle" stellaopsGlossaryTooltip>{{ subtitle }}</p>
        }
        @if (contextNote) {
-          <p class="context-header__note">{{ contextNote }}</p>
+          <p class="context-header__note" stellaopsGlossaryTooltip>{{ contextNote }}</p>
        }
      </div>
--- a/src/Web/StellaOps.Web/src/app/shared/ui/empty-state/empty-state.component.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/ui/empty-state/empty-state.component.ts
@@ -5,13 +5,16 @@
 * Displays empty/no-data state with optional illustration and CTA.
 */
-import { Component, Input, Output, EventEmitter, ChangeDetectionStrategy } from '@angular/core';
+import { ChangeDetectionStrategy, Component, Input, Output, EventEmitter, computed, inject } from '@angular/core';
 import { Router } from '@angular/router';
 import { GlossaryTooltipDirective } from '../../directives/glossary-tooltip.directive';
 import { getDefaultEmptyStateCopyForUrl } from '../../components/page-help/page-help-content';
@Component({
  selector: 'app-empty-state',
  standalone: true,
-  imports: [],
+  imports: [GlossaryTooltipDirective],
  changeDetection: ChangeDetectionStrategy.OnPush,
  template: `
    <div class="empty-state">
@@ -47,9 +50,9 @@ import { Component, Input, Output, EventEmitter, ChangeDetectionStrategy } from
          }
        }
      </div>
-      <h3 class="empty-state__title">{{ title }}</h3>
+      <h3 class="empty-state__title" stellaopsGlossaryTooltip>{{ resolvedTitle() }}</h3>
-      @if (description) {
+      @if (resolvedDescription()) {
-        <p class="empty-state__description">{{ description }}</p>
+        <p class="empty-state__description" stellaopsGlossaryTooltip>{{ resolvedDescription() }}</p>
      }
      @if (actionLabel) {
        <button type="button" class="empty-state__action" (click)="action.emit()">
@@ -104,10 +107,27 @@ import { Component, Input, Output, EventEmitter, ChangeDetectionStrategy } from
  `]
 })
 export class EmptyStateComponent {
  private readonly router = inject(Router);
  private readonly routeCopy = computed(() => getDefaultEmptyStateCopyForUrl(this.router.url));
  @Input() title = 'No data';
  @Input() description?: string;
  @Input() icon: 'search' | 'folder' | 'list' | 'default' = 'default';
  @Input() actionLabel?: string;
  @Output() action = new EventEmitter<void>();
  resolvedTitle(): string {
    const provided = this.title?.trim();
    if (provided && provided !== 'No data' && provided !== 'No data available') {
      return provided;
    }
    return this.routeCopy().title;
  }
  resolvedDescription(): string {
    const provided = this.description?.trim();
    return provided || this.routeCopy().description;
  }
 }
--- a/src/Web/StellaOps.Web/src/app/shared/ui/timeline-list/timeline-list.component.ts
+++ b/src/Web/StellaOps.Web/src/app/shared/ui/timeline-list/timeline-list.component.ts
@@ -136,6 +136,31 @@ function toDateKey(iso: string, locale?: string): string {
  });
 }
 function normalizeTimelineIcon(icon: string | undefined, kind: TimelineEventKind | undefined): string {
  const normalized = (icon ?? '').trim().toLowerCase();
  switch (normalized) {
    case 'rocket_launch':
    case 'check_circle':
    case 'block':
    case 'error':
    case 'pending':
    case 'play_circle':
    case 'event_busy':
      return normalized;
    default:
      switch (kind) {
        case 'success':
          return 'check_circle';
        case 'error':
          return 'error';
        case 'warning':
          return 'pending';
        default:
          return 'play_circle';
      }
  }
 }
 // ---------------------------------------------------------------------------
 // Component
 // ---------------------------------------------------------------------------
@@ -210,11 +235,17 @@ function toDateKey(iso: string, locale?: string): string {
          aria-hidden="true"
        >
          <svg class="timeline__icon" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">
-            @switch (event.eventKind) {
+            @switch (timelineIcon(event)) {
-              @case ('success') { <polyline points="20 6 9 17 4 12"/> }
+              @case ('rocket_launch') {
                <path d="M5 19c3-1 5-3 6-6l4-4a5 5 0 0 0 1-6a5 5 0 0 0-6 1l-4 4c-3 1-5 3-6 6l4-1l2 2z"/>
                <path d="M13 5l6 6"/>
              }
              @case ('check_circle') { <circle cx="12" cy="12" r="10"/><polyline points="9 12 11 14 15 10"/> }
              @case ('block') { <circle cx="12" cy="12" r="10"/><line x1="8" y1="16" x2="16" y2="8"/> }
              @case ('error') { <circle cx="12" cy="12" r="10"/><line x1="15" y1="9" x2="9" y2="15"/><line x1="9" y1="9" x2="15" y2="15"/> }
-              @case ('warning') { <circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/> }
+              @case ('pending') { <circle cx="12" cy="12" r="10"/><path d="M12 7v5l3 2"/> }
-              @default { <circle cx="12" cy="12" r="10"/><polyline points="12 6 12 12 16 14"/> }
+              @case ('event_busy') { <rect x="3" y="4" width="18" height="17" rx="2"/><line x1="8" y1="2" x2="8" y2="6"/><line x1="16" y1="2" x2="16" y2="6"/><line x1="3" y1="10" x2="21" y2="10"/><circle cx="12" cy="15" r="3"/><path d="M12 13.5v1.75l1.25.75"/> }
              @default { <circle cx="12" cy="12" r="10"/><polygon points="10 8 16 12 10 16 10 8"/> }
            }
          </svg>
        </div>
@@ -679,6 +710,10 @@ export class TimelineListComponent {
    return Object.entries(obj);
  }
  timelineIcon(event: TimelineEvent): string {
    return normalizeTimelineIcon(event.icon, event.eventKind);
  }
  // Expand/collapse
  isExpanded(id: string): boolean {
    return this.expandedIds().has(id);
--- a/src/Web/StellaOps.Web/tsconfig.spec.onboarding.json
+++ b/src/Web/StellaOps.Web/tsconfig.spec.onboarding.json
@@ -0,0 +1,32 @@
 {
  "extends": "./tsconfig.json",
  "compilerOptions": {
    "outDir": "./out-tsc/spec-onboarding",
    "types": [
      "vitest/globals"
    ]
  },
  "include": [
    "src/**/*.ts",
    "src/**/*.d.ts"
  ],
  "exclude": [
    "src/**/*.spec.ts",
    "src/**/*.e2e.spec.ts"
  ],
  "files": [
    "src/test-setup.ts",
    "src/app/types/node-test-setup-shim.d.ts",
    "src/app/types/monaco-workers.d.ts",
    "src/app/core/testing/dashboard-v3.component.spec.ts",
    "src/app/features/integration-hub/integration-hub.component.spec.ts",
    "src/app/layout/app-shell/app-shell.component.spec.ts",
    "src/app/layout/context-chips/context-chip-tooltips.spec.ts",
    "src/app/shared/components/command-palette/command-palette.component.spec.ts",
    "src/app/shared/components/empty-state/empty-state.component.spec.ts",
    "src/app/shared/components/page-help/page-help-panel.component.spec.ts",
    "src/app/shared/directives/glossary-tooltip.directive.spec.ts",
    "src/app/shared/services/plain-language.service.spec.ts",
    "src/app/shared/ui/context-header/context-header.component.spec.ts"
  ]
 }