stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Repair first-time identity and trust operator journeys

Browse Source
This commit is contained in:
master
2026-03-15 12:33:56 +02:00
parent 7bdfcd5055
commit 08390f0ca4
27 changed files with 5814 additions and 2425 deletions
Download Patch File Download Diff File Expand all files Collapse all files

170
docs/implplan/SPRINT_20260315_006_Web_first_time_user_operator_journey_grouped_remediation.md Normal file
View File

@@ -0,0 +1,170 @@
# Sprint 20260315_006 - First-Time User Operator Journey Grouped Remediation
## Topic & Scope
- Turn the 54 findings in `docs/qa/FIRST_TIME_USER_UX_AUDIT_20260315.md` into a grouped remediation program instead of treating them as isolated page bugs.
- Reframe the Stella Ops QA loop around the real operator job: set up identity, trust, integrations, topology, and release confidence from the UI without source-code knowledge.
- Group defects by root cause and user journey: blank surfaces and route ownership, identity self-serve administration, trust/signing action design, onboarding and context guidance, and cross-cutting error/naming consistency.
- Working directory: `src/Web/StellaOps.Web`.
- Expected evidence: journey maps, grouped root-cause analysis, retained Playwright additions for newly discovered steps, focused regression coverage, live retest artifacts, and linked docs updates.
Cross-module edits allowed for this sprint:
- `devops/compose/`
- `src/Platform/`
- `src/Authority/`
- `docs/qa/`
- `docs/operations/`
- `docs/modules/`
## Dependencies & Concurrency
- Depends on the current intact live stack and the audit baseline in `docs/qa/FIRST_TIME_USER_UX_AUDIT_20260315.md`.
- Release-create contract repair in `SPRINT_20260315_005` is an immediate dependency because `/releases/versions/new` is one of the P0 findings and a critical operator journey.
- Safe parallelism: read-only discovery can continue in parallel, but mutations should be grouped by root cause so the same surfaces are not patched independently by multiple agents.
## Documentation Prerequisites
- `AGENTS.md`
- `docs/qa/FIRST_TIME_USER_UX_AUDIT_20260315.md`
- `docs/qa/feature-checks/FLOW.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/operations/deployment/console.md`
- `docs/operations/deployment/docker.md`
## Delivery Tracker
### FTU-OPS-001 - Re-baseline the first-time user journey matrix before more fixes
Status: DONE
Dependency: none
Owners: QA, Product Manager
Task description:
- Convert the audit into an explicit operator journey matrix: setup/identity-access, setup/trust-signing, setup/integrations, setup/topology/system, releases, ops/operations, security, evidence, and admin affordances. Each route, page-load, and page action must be mapped to either retained Playwright coverage, an identified gap, or a grouped defect bucket before more implementation starts.
Completion criteria:
- [ ] Every finding in `FIRST_TIME_USER_UX_AUDIT_20260315.md` is mapped to a route, journey, and root-cause bucket.
- [ ] Every route/page/action in the first-time operator journey is classified as covered, broken, or still requiring retained automation.
- [ ] The remediation order is driven by operator value and root cause, not by whichever page was most recently open.
### FTU-OPS-002 - Repair the P0 blank-surface and route-contract blockers
Status: TODO
Dependency: FTU-OPS-001
Owners: 3rd line support, Architect, Developer
Task description:
- Eliminate the three blank core surfaces and their contract mismatches: `/releases/versions/new`, `/releases/promotions`, and `/ops/operations`. Each route must render a truthful page shell, preserve user scope/context, and expose canonical guidance or actions rather than an empty `<main>`.
Completion criteria:
- [ ] The release create surface is fully functional and lands on the created canonical resource.
- [ ] Promotions renders a real landing or list surface instead of an empty page.
- [ ] Operations landing renders a real overview and links into its child workflows.
- [ ] Retained Playwright journeys prove these pages render and their primary actions work on a live stack.
### FTU-OPS-003 - Make identity and tenancy self-serve instead of source-code driven
Status: DONE
Dependency: FTU-OPS-001
Owners: QA, Product Manager, Architect, Developer
Task description:
- Close the identity-admin gaps around roles, users, tenants, and scope discoverability. This includes a proper scope catalog/picker, role detail visibility, edit/delete/archive flows where allowed, least-privilege defaults, and explicit credential/onboarding guidance.
Completion criteria:
- [ ] Role creation no longer depends on free-text scope knowledge.
- [ ] Existing roles can be understood from the UI through a detail view or equivalent surface.
- [ ] Users, roles, and tenants expose truthful edit/delete/archive semantics or explicit limitations.
- [ ] Add-user guidance explains credentials and defaults to least privilege.
- [ ] Retained Playwright coverage exercises the real create/view/edit flows.
### FTU-OPS-004 - Repair trust/signing operator workflows and broken trust analytics
Status: DONE
Dependency: FTU-OPS-001
Owners: QA, 3rd line support, Architect, Developer
Task description:
- Replace trust/signing admin anti-patterns with production-grade workflows. Broken analytics, raw `prompt()` destructive actions, no issuer actions, weak certificate affordances, and developer-note language all need to be corrected together so trust management feels operationally real.
Completion criteria:
- [ ] Trust analytics loads correctly or shows a truthful error state with recovery guidance.
- [ ] Rotate/Revoke flows use real modals with reason capture and impact language.
- [ ] Issuers and certificates expose meaningful actions or explicit limitations.
- [ ] Trust copy is operator-facing rather than developer-facing.
- [ ] Retained Playwright journeys cover keys, issuers, certificates, analytics, and destructive-action confirmations.
### FTU-OPS-005 - Align onboarding, context, empty states, and naming across the product
Status: TODO
Dependency: FTU-OPS-001
Owners: Product Manager, Architect, Developer, Documentation author
Task description:
- Remove the cross-cutting confusion patterns: inconsistent page names, duplicate pages, silent API failures, misleading health/empty states, unexplained toggles, and missing onboarding guidance. This is a product-contract cleanup, not just a copy pass.
Completion criteria:
- [ ] A first-time operator can discover the setup order from the product itself.
- [ ] Sidebar, breadcrumb, document title, and H1 use one name per surface.
- [ ] Silent API failures render truthful operator-facing error states.
- [ ] Empty states tell the operator what to do next.
- [ ] Retained Playwright journeys assert the corrected naming and error-state behavior on the affected routes.
### FTU-OPS-006 - Expand retained Playwright to cover every newly discovered operator step
Status: DOING
Dependency: FTU-OPS-001
Owners: QA, Test Automation
Task description:
- For every new route/page/action discovered during this operator remediation program, add retained Playwright coverage before the iteration closes. The retained suite must describe real operator journeys, not just route visits.
Completion criteria:
- [ ] Every newly discovered operator step is either automated or explicitly logged as an open gap with reason.
- [ ] Aggregate audits include the new journey scripts.
- [ ] Future iterations would recheck the same first-time-user behavior automatically.
## Grouped Remediation Matrix
| Journey / Surface | Audit issues | Root-cause theme | Planned grouped repair |
| --- | --- | --- | --- |
| Releases and release confidence | P0-4, P0-5, CC-2, CC-3, P3-7 | Blank core routes, scope/context loss, inconsistent canonical route ownership | Finish release-create contract repair, restore promotions landing, preserve operator scope through release routes, add retained release-create and promotions journeys. |
| Operations landing and ops affordances | P0-6, P2-9, P2-10, P2-11, P2-21, P2-22, P3-11, P3-12 | Parent landing page missing, split canonical surfaces, contradictory status signals, weak empty/error guidance | Add truthful operations overview, cross-link notifications surfaces, fix contradictory runtime/status rendering, and retain the ops landing plus child actions as one operator journey. |
| Identity, roles, tenants, and access admin | P0-1, P0-2, P0-3, P1-1 through P1-7, P1-14, P2-1 through P2-6 | Identity admin is create-only and source-code dependent; permissions are undiscoverable; admin objects lack detail and lifecycle actions | Build scope catalog + picker, role detail surface, truthful CRUD/edit semantics, least-privilege defaults, and onboarding guidance; retain add/view/edit/delete journeys. |
| Trust and signing administration | P1-8, P1-9, P1-13, P2-7, P2-8, P3-2, P3-3, P3-4 | Broken analytics contract, destructive actions implemented as raw browser prompts, issuer/certificate workflows incomplete, operator copy not productized | Replace prompt flows with modal workflows, repair analytics API and UI states, add issuer/certificate affordances, and retain trust administration journeys end to end. |
| Onboarding, topology, and system setup | P1-10, P2-12, P2-13, P2-14, P2-15, P2-16, P2-17, P2-18, CC-4, CC-5, CC-6, CC-9 | Product does not teach setup order; system status and setup surfaces are misleading or under-explained | Introduce operator guidance/checklist, repair misleading health/status language, improve branding/topology explanations, and retain first-time setup journeys with seeded and empty states. |
| Security, evidence, naming, and error-state consistency | P1-11, P1-12, P2-19, P2-20, P3-5 through P3-10, CC-1, CC-7, CC-8, CC-10 | Naming contracts diverged across sidebar/title/H1, duplicate pages exist, API failures are silently swallowed, and demo tooling leaks into operator surfaces | Unify naming contracts, remove duplicate or dead-end routes, surface truthful error states, and retain the affected security/evidence journeys under one consistency sweep. |
## 3rd-Line Support Findings
- Source-backed root cause: `/setup/identity-access` is still served by `AdminSettingsPageComponent`, a create-only administration surface with free-text permissions, no role detail, no edit flows, and no lifecycle actions. The Authority backend already exposes update, disable, suspend, resume, and impact-preview semantics, so the setup page is the limiting contract.
- Source-backed root cause: trust destructive actions still use raw `window.prompt(...)` in `signing-key-dashboard.component.ts`, which is not acceptable for signing-key rotation and revocation.
- Source-backed root cause: trust analytics calls `/api/v1/trust/analytics/*`, but the repo does not expose matching live backend endpoints. The current UI therefore presents a broken analytics tab instead of a truthful operational view.
- Source-backed root cause: issuer and certificate setup views intentionally omit actionable operator affordances and present that omission as contract-note copy, which reads like an internal developer limitation instead of a product workflow.
- Re-baselined audit note: the reported blank pages at `/releases/promotions` and `/ops/operations` are no longer source-backed. Current source already owns those routes with real components, so they must be revalidated live after deployment rather than treated as present-tense missing-page bugs.
## Product / Architecture Decisions
- Decision: `Identity & Access` remains the canonical setup route, but it must surface the real Authority administration contract instead of a weaker create-only facade.
- Decision: unsupported hard-delete semantics will be handled truthfully. Where the backend supports update, disable, suspend, or resume, the UI must expose those actions. Where hard delete is not in contract, the UI must say so clearly and offer the supported lifecycle alternative.
- Decision: scope discoverability is a product requirement. Role create and edit flows must use a grouped in-app scope catalog with labels and descriptions instead of free-text scope entry.
- Decision: trust destructive actions must move from browser prompts to in-app confirmation workflows with reason capture, impact language, and visible success or error outcomes.
- Decision: trust analytics must not depend on dead endpoints. Until a richer analytics backend contract exists, the trust UI should derive operator-useful analytics from the live administration inventory instead of calling non-existent `/api/v1/trust/analytics/*` routes.
## First Repair Order
- Batch 1: P0 blank surfaces and route-contract repair (`/releases/versions/new`, `/releases/promotions`, `/ops/operations`) because they block the main operator path.
- Batch 2: Identity self-serve administration because role/scope discoverability prevents safe delegated use of the product.
- Batch 3: Trust/signing workflows because broken analytics and raw prompt-based destructive actions block production readiness.
- Batch 4: Cross-cutting naming, error-state, onboarding, and consistency repair to remove repeated operator confusion after the core workflows are functional.
## Active Implementation Batch
- Batch 2 and Batch 3 are closed on the current live stack.
- Closed issues in the grouped batch: P0-1, P0-2, P0-3, P1-1 through P1-9, P1-13, P1-14, P2-1 through P2-8, and P3-2 through P3-4.
- Remaining open batch for the next step: FTU-OPS-002 (P0 release/operations surfaces) and FTU-OPS-005 (cross-cutting naming, error-state, onboarding, and duplicate-surface repair).
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-15 | Sprint created from `docs/qa/FIRST_TIME_USER_UX_AUDIT_20260315.md`, which documented 54 first-time-user issues across 40+ routes and showed that prior route- and journey-level closure claims were too narrow. | QA / Product Manager |
| 2026-03-15 | Adopted the audit as the remediation baseline. The release-create defect already in `SPRINT_20260315_005` is now treated as one P0 slice inside a broader grouped operator-remediation program. | QA / Product Manager |
| 2026-03-15 | Completed the 3rd-line support collapse of the UX audit into source-backed buckets. Confirmed identity self-serve and trust administration as the first major live source defects; reclassified promotions and operations blank-page claims as requiring live revalidation after deployment because current source already owns those routes. | 3rd line support |
| 2026-03-15 | Recorded the product and architecture decisions for the first grouped implementation batch: upgrade the setup identity surface to expose the real Authority admin contract, replace trust prompt-based actions with modal workflows, and stop relying on dead trust analytics endpoints. | Product / Architect |
| 2026-03-15 | Shipped the grouped identity/trust operator batch on the current live stack: scope catalog and role detail, truthful user and tenant lifecycle actions, in-app trust create/block/unblock/verify/revoke workflows, and derived trust analytics that no longer call dead endpoints. Focused backend/frontend test slices passed before live retest. | Developer |
| 2026-03-15 | Replaced the stale admin/trust retained journey with `live-user-reported-admin-trust-check.mjs`, added step-level logging, aligned it to the repaired trust shell contract, and reran it cleanly on `https://stella-ops.local` with `failedCheckCount=0`. | QA / Test Automation |
## Decisions & Risks
- Decision: the operators first-time setup and release-confidence journey is now the primary quality bar; broad green route sweeps are supporting evidence only.
- Decision: findings will be fixed in grouped slices by root cause and journey, not one page at a time.
- Risk: prior retained Playwright coverage is biased toward route/action reachability and misses self-serve clarity, destructive-action design, scope discoverability, and onboarding guidance.
- Risk: some findings span frontend contracts, bootstrap auth configuration, and backend error handling, so frontend-only fixes may hide root causes instead of solving them.
- Risk: the Authority backend does not currently expose hard-delete semantics for users, roles, or tenants, so the audit expectation of delete or archive must be translated into truthful supported lifecycle actions rather than mirrored literally.
- Risk: the existing trust analytics UI assumes a backend contract that the repo does not implement. The derived-analytics fallback must remain obviously operator-focused and not pretend a richer backend exists.
- Evidence: current live-stack proof for the closed identity/trust batch is stored at `src/Web/StellaOps.Web/output/playwright/live-user-reported-admin-trust-check.json` with a full operator step log and `failedCheckCount=0`.
## Next Checkpoints
- Close the active release-create P0 slice and fold it into the broader remediation status.
- Repair the remaining P0 release and operations surfaces on the intact stack before the next teardown.
- Expand retained Playwright again for the next operator batch before restarting the wipe/rebuild loop.

313
docs/qa/FIRST_TIME_USER_UX_AUDIT_20260315.md Normal file
View File

@@ -0,0 +1,313 @@
# First-Time User UX Audit - 2026-03-15
**Auditor**: AI agent acting as first-time platform administrator
**Stack**: Live local (stella-ops.local), logged in as admin/Admin@Stella2026!
**Scope**: Every sidebar route and sub-tab, exercising create/edit/detail flows
**Sprint context**: SPRINT_20260315_003 (Identity/Trust) and SPRINT_20260315_004 (Integrations)
---
## Summary
- **Total routes inspected**: 40+
- **P0 (critical UX blockers)**: 6
- **P1 (significant UX gaps)**: 14
- **P2 (moderate issues)**: 22
- **P3 (minor polish)**: 12
- **Cross-cutting patterns**: 10
---
## P0 - Critical UX Blockers
### P0-1. Role permissions are free-text with no discoverability
**Route**: `/setup/identity-access` > Roles tab > + Create Role
**Detail**: The "Permissions" field is a plain `<textarea>` with placeholder `findings:read, vex:read, vuln:investigate`. A first-time user has zero way to discover what scopes are available. No autocomplete, no dropdown, no checkbox list, no catalog, no link to docs. The system has 149 scope permissions but none are surfaced in the UI.
**Impact**: Role creation is impossible without internal knowledge or reading source code.
**Recommendation**: Replace with a grouped checkbox/chip picker organized by domain (Security, Releases, Evidence, Ops, Setup) with descriptions per scope.
### P0-2. No role detail view exists
**Route**: `/setup/identity-access` > Roles tab
**Detail**: Clicking any role row (admin, operator, viewer) does nothing. No detail panel, no side drawer, no navigation. The only visible info is Name, Description ("Full platform access"), Users count, and Built-in flag. You cannot see what permissions any role actually grants.
**Impact**: An operator cannot audit or understand existing role configurations.
### P0-3. No scope catalog or reference anywhere in the app
**Route**: Global
**Detail**: No "Available Permissions" page, no docs link, no in-app reference. The scope naming convention (module:action) is never explained. A new operator is completely blind.
### P0-4. "Create Release" header button leads to blank page
**Route**: `/releases/versions/new`
**Detail**: The primary "Create Release" CTA in the global header navigates to a page with a completely empty `<main>` element. No form, no heading, no description. This is the single most important action button in the product.
**Impact**: The most prominent action in the UI is a dead end.
### P0-5. Promotions page is completely blank
**Route**: `/releases/promotions`
**Detail**: The `<main>` element has zero children. No heading, no description, no empty state, no guidance. Additionally, the global context bar shows "No regions defined" and "No env defined yet" (disabled buttons), and "Events: DEGRADED".
**Impact**: A core release workflow page is a dead end.
### P0-6. Operations landing page is completely blank
**Route**: `/ops/operations`
**Detail**: The `<main>` element has zero children. This is the parent landing page for 7 sub-pages (Scheduled Jobs, Signals, Offline Kit, etc.).
**Impact**: Users navigating from the sidebar hit a dead end.
---
## P1 - Significant UX Gaps
### P1-1. Role descriptions too vague to be actionable
**Route**: `/setup/identity-access` > Roles tab
**Detail**: Built-in roles show only one-line descriptions: "Full platform access" (admin), "Release and deployment operations" (operator), "Read-only access" (viewer). These tell you nothing about specific capabilities. Can an operator approve promotions? Can a viewer see security findings? No way to know.
### P1-2. Role dropdown defaults to admin (most privileged)
**Route**: `/setup/identity-access` > Users tab > + Add User
**Detail**: The Role `<select>` pre-selects "admin". Security-by-default should pre-select "viewer" (least privilege).
### P1-3. No role descriptions in the user creation dropdown
**Route**: `/setup/identity-access` > Users tab > + Add User
**Detail**: The role dropdown shows bare names (admin, operator, viewer, qa-role-...) with no hint about what each grants.
### P1-4. No delete/deactivate for users
**Route**: `/setup/identity-access` > Users tab
**Detail**: No delete, deactivate, or disable button on user rows. No row actions at all. No right-click context menu.
### P1-5. No delete for roles
**Route**: `/setup/identity-access` > Roles tab
**Detail**: No delete button on role rows. Custom roles with 0 users cannot be removed.
### P1-6. No delete/archive for tenants
**Route**: `/setup/identity-access` > Tenants tab
**Detail**: No delete or archive button. Tenants with 0 users are stuck permanently.
### P1-7. No edit action on any Identity entity
**Route**: `/setup/identity-access` (all tabs)
**Detail**: Cannot change a user's role after creation. Cannot edit a role's permissions. Cannot rename a tenant. Click-through on any row does nothing. The only workflow is create-and-forget.
### P1-8. Signing key Rotate/Revoke uses raw browser prompt()
**Route**: `/setup/trust-signing/keys`
**Detail**: Clicking "Rotate" shows a native browser `window.prompt("Rotation reason for...")` dialog. Same for "Revoke". These should be proper in-app modal dialogs with confirmation, reason field, and impact warning.
**Impact**: Destructive actions on cryptographic keys should never use browser prompts.
### P1-9. Trust Analytics tab is broken (API errors)
**Route**: `/setup/trust-signing/analytics`
**Detail**: Shows "Failed to load analytics data. Please try again." Console errors: `/api/v1/trust/analytics/summary` and `/api/v1/trust/analytics/verification` return server errors.
### P1-10. No setup onboarding wizard or getting-started flow
**Route**: Global / Setup section
**Detail**: No guided first-time setup flow. A new operator lands on the dashboard and must discover Setup sections manually from the sidebar. Should have a checklist: 1) Configure identity, 2) Set up trust, 3) Add integrations, 4) Review topology.
### P1-11. Security page naming chaos (3 different names)
**Route**: `/security`
**Detail**: Sidebar says "Vulnerabilities", breadcrumb says "Risk Overview", H1 says "Security / Posture". Three different names for the same page creates significant confusion.
### P1-12. /security and /security/posture are near-duplicate pages
**Route**: `/security` and `/security/posture`
**Detail**: Both render with H1 "Security / Posture", same structure. Two sidebar items leading to essentially the same page. Additionally, `/security/posture` appears stuck in "Loading security overview..." state.
### P1-13. Trusted Issuers have no actions at all
**Route**: `/setup/trust-signing/issuers`
**Detail**: Unlike Signing Keys (which have View/Rotate/Revoke), the Issuers table has zero actions. The only issuer ("Demo Prod Root CA") shows trust level "Untrusted" but there is no way to change it, promote it, block it, or remove it.
### P1-14. No password/credential explanation in Add User
**Route**: `/setup/identity-access` > Users tab > + Add User
**Detail**: Form has Username, Email, Display Name, Role. No password field. No explanation of how the new user gets their credentials (email invite? default password? OIDC redirect only?). A first-time admin would be confused.
---
## P2 - Moderate Issues
### P2-1. No search or filter on Identity tables
**Route**: `/setup/identity-access` (Users, Roles, Tenants tabs)
**Detail**: No search box, no filter dropdowns on any of the three tables.
### P2-2. No sorting controls on Identity tables
**Route**: `/setup/identity-access` (all tabs)
**Detail**: Column headers are not sortable. Built-in roles are alphabetically mixed with custom roles.
### P2-3. Tenant "Lifecycle" column shows identical boilerplate
**Route**: `/setup/identity-access` > Tenants tab
**Detail**: Every tenant shows the same text: "Branding and policies are managed from the canonical setup surfaces." This is not lifecycle information.
### P2-4. Tenant Isolation Mode not explained
**Route**: `/setup/identity-access` > Tenants > + Add Tenant
**Detail**: "Shared" / "Dedicated" dropdown with zero tooltip or description.
### P2-5. OAuth Clients tab is a dead end
**Route**: `/setup/identity-access` > OAuth Clients tab
**Detail**: Shows disclaimer: "registration and secret rotation remain outside this setup tab until the full guided flow is shipped" but doesn't tell the user WHERE to do these things.
### P2-6. API Tokens tab is a dead end
**Route**: `/setup/identity-access` > API Tokens tab
**Detail**: Says "Token issuance and revocation are not exposed on this setup route yet" with no alternative path.
### P2-7. Certificates show raw UUIDs for Issuer/Key References
**Route**: `/setup/trust-signing/certificates`
**Detail**: Shows `4ac7e1d4-7a2e-4b4d-9e12-5d42e3168a91` instead of human-readable names. Operator must mentally cross-reference.
### P2-8. Certificate "Expiring Soon" with no action
**Route**: `/setup/trust-signing/certificates`
**Detail**: Certificate shows "Expiring Soon" (Mar 18, 3 days away) but has no Renew/Rotate button or urgency banner.
### P2-9. Two notification surfaces with no cross-link
**Route**: `/setup/notifications` and `/ops/operations/notifications`
**Detail**: Setup Notifications (rich admin with Rules/Channels/Templates/Simulator/Config) vs Ops Notifications (inline forms). No explanation of which is canonical. Sidebar places "Notifications" under Operations, not under Setup.
### P2-10. Ops Notifications: "Refresh data" button permanently disabled
**Route**: `/ops/operations/notifications`
**Detail**: Header refresh button is disabled with no tooltip explanation.
### P2-11. Ops Notifications: Channel dropdown in Rules is empty
**Route**: `/ops/operations/notifications`
**Detail**: The "Channel" combobox in rule creation shows no options because no channels exist, but there's no "create a channel first" guidance.
### P2-12. Branding page has no tenant selector
**Route**: `/setup/tenant-branding`
**Detail**: Branding edits apply to globally selected tenant (from header bar), but this is never stated.
### P2-13. Branding "Border Colors" and "Status Colors" sections empty
**Route**: `/setup/tenant-branding`
**Detail**: Section headers appear but no input fields beneath them (unlike Background/Text/Brand).
### P2-14. All 10 topology environments show "degraded" with no explanation
**Route**: `/setup/topology/overview`
**Detail**: Overview shows "Healthy 0 / Degraded 10 / Unhealthy 0". Every environment is degraded but no explanation of why or what to fix.
### P2-15. All topology environments show "0 targets"
**Route**: `/setup/topology/overview` and `/setup/topology/targets`
**Detail**: Every environment lists 0 targets, yet the dashboard shows active deployments. Mismatch confuses operators.
### P2-16. System health falsely claims "All systems operational"
**Route**: `/setup/system`
**Detail**: The Health Check card says "All systems operational" without running any checks. False-positive confidence signal.
### P2-17. Integrations "Activity stream is coming soon" placeholder
**Route**: `/setup/integrations` > Hub tab
**Detail**: Recent Activity section shows a "coming soon" stub.
### P2-18. Failed integration has no visible error message in list
**Route**: `/setup/integrations/registries`
**Detail**: "QA Harbor" shows Status: Failed, Health: Unhealthy but no inline error message or troubleshooting link in the table row.
### P2-19. /security/unknowns swallows API errors silently
**Route**: `/security/unknowns`
**Detail**: 4 console errors (500s from `/api/v1/scanner/unknowns` and `/api/v1/scanner/unknowns/stats`) but UI shows clean empty table.
### P2-20. Security Reports: Risk Report tab shows embedded triage view
**Route**: `/security/reports`
**Detail**: The "Risk Report" tab renders the Artifact Triage workspace inside Reports instead of an actual report. Confusing overlap.
### P2-21. Offline Kit: activity contradicts stats
**Route**: `/ops/operations/offline-kit`
**Detail**: Recent Activity shows "Loaded offline bundle v2025.01.15" and "Verified 45 assets" but stats show 0 bundles loaded and 0 assets verified.
### P2-22. JobEngine: console DENY contradicts displayed "Granted"
**Route**: `/ops/operations/jobengine`
**Detail**: Console logs `[TenantAuth] DENY: jobengine:operate` but the UI shows "Operate Jobs: Granted".
---
## P3 - Minor Polish
### P3-1. Header action button changes contextually without explanation
**Route**: Global
**Detail**: Top-right button alternates between "ADD TARGET", "Add Integration", "Create Release", "Create Hotfix", "Export Report" depending on page. No visual cue explaining the context.
### P3-2. Trust overview cards show developer jargon
**Route**: `/setup/trust-signing`
**Detail**: Subtitles like "Administration inventory projection" and "Routed from live administration projection" are technical jargon, not helpful to operators.
### P3-3. Trust disclaimer banners read as developer notes
**Route**: `/setup/trust-signing` (multiple tabs)
**Detail**: "Usage statistics, fingerprint material, and expiry policy are not part of the current administration contract..." should be hidden or rephrased.
### P3-4. No "Add" buttons for trust entities
**Route**: `/setup/trust-signing` (Signing Keys, Issuers, Certificates tabs)
**Detail**: No way to add a new signing key, issuer, or certificate from the UI. Only Watchlist has a create action.
### P3-5. Inconsistent page heading capitalization
**Route**: Multiple
**Detail**: "Artifact workspace" (lowercase w), "Audit bundles" (lowercase b) vs "Security Reports", "Export Center" (title case).
### P3-6. Replay & Verify naming mismatch
**Route**: `/evidence/verify-replay`
**Detail**: Sidebar says "Replay & Verify", page title says "Verify & Replay", H1 says "Verdict Replay". Three names.
### P3-7. Health page naming mismatch
**Route**: `/releases/health`
**Detail**: Sidebar says "Health", H1 says "Environment Posture". Description text "Environment . region" looks like a template placeholder.
### P3-8. Topology map labels truncated
**Route**: `/setup/topology/map`
**Detail**: Labels like "Production US E..." and "Production EU W..." cut off without tooltips.
### P3-9. Decision Capsules uses H2 instead of H1
**Route**: `/evidence/capsules`
**Detail**: Uses H2 for main heading, inconsistent with all other pages that use H1.
### P3-10. Audit Bundles timestamps in raw ISO format
**Route**: `/triage/audit-bundles`
**Detail**: Timestamps not human-friendly. Full SHA-256 hashes shown without truncation or copy button.
### P3-11. Signals: 60% error rate with no alert styling
**Route**: `/ops/operations/signals`
**Detail**: Metrics show "Error rate: 60%" in normal styling. Should use warning/error visual treatment.
### P3-12. Export button disabled before diagnostics run
**Route**: `/ops/operations/doctor`
**Detail**: No tooltip explaining "Run a check first to enable export".
---
## Cross-Cutting Patterns
### CC-1. Naming inconsistency is the single worst pattern
At least 4 routes have different names in sidebar, breadcrumb, page title, and H1. Examples:
- `/security`: sidebar="Vulnerabilities", breadcrumb="Risk Overview", H1="Security / Posture"
- `/evidence/verify-replay`: sidebar="Replay & Verify", title="Verify & Replay", H1="Verdict Replay"
- `/releases/health`: sidebar="Health", H1="Environment Posture"
### CC-2. Three completely blank pages
`/releases/promotions`, `/releases/versions/new`, `/ops/operations` render empty `<main>` elements with zero content.
### CC-3. Context bar inconsistency
Some routes show "4 regions" / "All environments" (working), others show "No regions defined" / "No env defined yet" (disabled). Depends on whether URL includes `?regions=...` query params.
### CC-4. Missing empty-state guidance
When tables are empty, most show "No X found" but don't explain how to populate them (how to ingest SBOMs, create capsules, generate audit events).
### CC-5. Events stream status flickers
Some pages show "Events: CONNECTED", others "Events: DEGRADED" in the same session.
### CC-6. Stale timestamps with no visual warning
Triage artifact last scan from 2024, Signal probe data from 6 days ago -- no staleness indicators.
### CC-7. Developer tooling exposed to end users
Evidence Overview has "State mode" buttons (Normal/Degraded/Empty) that appear to be developer/demo tooling.
### CC-8. Duplicate pages in sidebar
`/security` and `/security/posture` are near-duplicates with the same H1.
### CC-9. Operator/Admin toggle unexplained
Evidence Overview and Export Center have an Operator/Admin mode toggle with no explanation of what changes.
### CC-10. Console errors silently swallowed
Multiple pages have backend API errors (500s) but show clean empty tables instead of error states.
---
## Priority Matrix
| Priority | Count | Key Theme |
|----------|-------|-----------|
| P0 | 6 | Blank pages, scope discoverability |
| P1 | 14 | Missing CRUD, broken features, no guidance |
| P2 | 22 | Dead ends, contradictions, missing explanations |
| P3 | 12 | Naming, polish, minor inconsistencies |
| Cross-cutting | 10 | Naming chaos, empty states, context bar |
## Top 5 Actions for Maximum Self-Serve Impact
1. **Scope picker for role creation** - Replace free-text permissions with grouped checkbox picker + descriptions
2. **Fix the 3 blank pages** - `/releases/promotions`, `/releases/versions/new`, `/ops/operations`
3. **Add role detail view** - Click-through on role rows showing all assigned scopes
4. **Add edit/delete on Identity entities** - Users, Roles, Tenants need full CRUD
5. **Unify naming** - Each page should have ONE name used consistently in sidebar, breadcrumb, title, and H1