Create Sprint 021: auth latch fix + honest product gap assessment
Documents the auth session latch fix (DONE), remaining backend blockers (registry search 500, policy pack creation), and an honest product quality assessment from 3 iterations of first-time user journey testing. UI/UX: 9/10. Navigation: 9/10 (was 2/10). Backend completeness: 6/10. End-to-end workflow: 5/10. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
@@ -0,0 +1,83 @@
|
||||
# Sprint 20260316-021 — Auth Session Latch + Remaining Product Gaps
|
||||
|
||||
## Topic & Scope
|
||||
- Fix the root cause of phantom route redirects: auth session loading state during token refresh
|
||||
- Document remaining product gaps found during deep journey testing
|
||||
- Working directory: `src/Web/StellaOps.Web/`, `src/Platform/`
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### S21-T01 - Auth session latch (prevent redirects during token refresh)
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- isAuthenticated computed signal returned false during token refresh ('loading' status)
|
||||
- This caused ALL canMatch guards to re-fire and redirect to /welcome
|
||||
- Fixed: wasEverAuthenticated latch stays true once set, so transient loading
|
||||
states don't trigger guard redirects
|
||||
|
||||
Completion criteria:
|
||||
- [x] Pages stay stable for 12+ seconds after hard navigation
|
||||
- [x] /setup/identity-access, /evidence/audit-log, /ops/policy/governance all verified stable
|
||||
- [x] Angular build succeeds
|
||||
|
||||
### S21-T02 - Registry search 500 (release creation blocker)
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- `GET /api/v1/registries/images/search?q=alpine` returns 500 Internal Server Error
|
||||
- RegistrySearchEndpoints.cs proxies to Harbor fixture at http://harbor-fixture.stella-ops.local
|
||||
- The HttpClientFactory "HarborFixture" client may not be configured or Harbor fixture isn't responding
|
||||
- This blocks release creation wizard at Step 2 (Components) since image search returns nothing
|
||||
|
||||
### S21-T03 - Policy packs: no "Create" action in UI
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Policy Packs page has empty state guidance (added in Sprint 020) but no create action
|
||||
- User needs to be able to create a policy pack through the UI
|
||||
- Backend endpoint may already exist — needs research
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-03-16 | Sprint created. S21-T01 DONE: auth session latch fix verified on fresh install. | Developer |
|
||||
|
||||
## Decisions & Risks
|
||||
- S21-T01 is the final piece of the route stability puzzle (combined with Location.replaceState from Sprint 020)
|
||||
- S21-T02 is a backend issue blocking the full release workflow
|
||||
- S21-T03 requires backend research
|
||||
|
||||
## Honest Product Assessment (Journey Iteration 3)
|
||||
|
||||
### What works end-to-end for a real user:
|
||||
1. Login → Dashboard → Setup guide
|
||||
2. Integrations: registry wizard (6-step, preflight)
|
||||
3. Advisory sources: enable, health check (36/42 healthy)
|
||||
4. Scan image submission (POST accepted, scan ID tracked)
|
||||
5. All pages are now STABLE (no more phantom redirects)
|
||||
6. Triage workspace: artifact lanes, findings explorer
|
||||
7. Trust & Signing: empty state guidance
|
||||
8. Notifications: channels, rules, test send
|
||||
9. Topology: overview, regions, environments, wizard
|
||||
10. Evidence: overview, replay/verify, export profiles, audit log
|
||||
11. Identity & Access: users, roles, OAuth, tokens, tenants
|
||||
12. Operations Hub: comprehensive operator command center
|
||||
13. Diagnostics: 100+ checks across 10 categories
|
||||
14. Policy Governance: risk budget visualization (excellent)
|
||||
15. Release Gates: 4-gate evaluation with PASS/WARN/FAIL
|
||||
|
||||
### What blocks a real user from full value:
|
||||
1. Registry search 500 → can't add components to releases → can't seal
|
||||
2. Scanner processes scans as "pending" forever (no actual Trivy/Grype engine)
|
||||
3. No way to create policy packs through UI
|
||||
4. Evidence is all demo fixture data (1842 packs, 106 bundles are not from real operations)
|
||||
|
||||
### Product quality score:
|
||||
- **UI/UX design: 9/10** — consistent, thoughtful, production-grade
|
||||
- **Navigation stability: 9/10** (was 2/10 before this session's fixes)
|
||||
- **Backend integration completeness: 6/10** — many endpoints return fixture data
|
||||
- **End-to-end workflow completeness: 5/10** — setup works, but scan→triage→release→promote chain is not yet connected with real data
|
||||
Reference in New Issue
Block a user