From 15e06db230a18a25aaf1c98134abaca00b8bc95c Mon Sep 17 00:00:00 2001 From: master <> Date: Mon, 16 Mar 2026 22:19:05 +0200 Subject: [PATCH] Create Sprint 021: auth latch fix + honest product gap assessment Documents the auth session latch fix (DONE), remaining backend blockers (registry search 500, policy pack creation), and an honest product quality assessment from 3 iterations of first-time user journey testing. UI/UX: 9/10. Navigation: 9/10 (was 2/10). Backend completeness: 6/10. End-to-end workflow: 5/10. Co-Authored-By: Claude Opus 4.6 (1M context) --- ...16_021_FE_auth_latch_and_remaining_gaps.md | 83 +++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 docs/implplan/SPRINT_20260316_021_FE_auth_latch_and_remaining_gaps.md diff --git a/docs/implplan/SPRINT_20260316_021_FE_auth_latch_and_remaining_gaps.md b/docs/implplan/SPRINT_20260316_021_FE_auth_latch_and_remaining_gaps.md new file mode 100644 index 000000000..66fd16a84 --- /dev/null +++ b/docs/implplan/SPRINT_20260316_021_FE_auth_latch_and_remaining_gaps.md 
@@ -0,0 +1,83 @@ +# Sprint 20260316-021 — Auth Session Latch + Remaining Product Gaps + +## Topic & Scope +- Fix the root cause of phantom route redirects: auth session loading state during token refresh +- Document remaining product gaps found during deep journey testing +- Working directory: `src/Web/StellaOps.Web/`, `src/Platform/` + +## Delivery Tracker + +### S21-T01 - Auth session latch (prevent redirects during token refresh) +Status: DONE +Dependency: none +Owners: Developer +Task description: +- isAuthenticated computed signal returned false during token refresh ('loading' status) +- This caused ALL canMatch guards to re-fire and redirect to /welcome +- Fixed: wasEverAuthenticated latch stays true once set, so transient loading + states don't trigger guard redirects + +Completion criteria: +- [x] Pages stay stable for 12+ seconds after hard navigation +- [x] /setup/identity-access, /evidence/audit-log, /ops/policy/governance all verified stable +- [x] Angular build succeeds + +### S21-T02 - Registry search 500 (release creation blocker) +Status: TODO +Dependency: none +Owners: Developer +Task description: +- `GET /api/v1/registries/images/search?q=alpine` returns 500 Internal Server Error +- RegistrySearchEndpoints.cs proxies to Harbor fixture at http://harbor-fixture.stella-ops.local +- The HttpClientFactory "HarborFixture" client may not be configured or Harbor fixture isn't responding +- This blocks release creation wizard at Step 2 (Components) since image search returns nothing + +### S21-T03 - Policy packs: no "Create" action in UI +Status: TODO +Dependency: none +Owners: Developer +Task description: +- Policy Packs page has empty state guidance (added in Sprint 020) but no create action +- User needs to be able to create a policy pack through the UI +- Backend endpoint may already exist — needs research + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-03-16 | Sprint created. 
S21-T01 DONE: auth session latch fix verified on fresh install. | Developer | + +## Decisions & Risks +- S21-T01 is the final piece of the route stability puzzle (combined with Location.replaceState from Sprint 020) +- S21-T02 is a backend issue blocking the full release workflow +- S21-T03 requires backend research + +## Honest Product Assessment (Journey Iteration 3) + +### What works end-to-end for a real user: +1. Login → Dashboard → Setup guide +2. Integrations: registry wizard (6-step, preflight) +3. Advisory sources: enable, health check (36/42 healthy) +4. Scan image submission (POST accepted, scan ID tracked) +5. All pages are now STABLE (no more phantom redirects) +6. Triage workspace: artifact lanes, findings explorer +7. Trust & Signing: empty state guidance +8. Notifications: channels, rules, test send +9. Topology: overview, regions, environments, wizard +10. Evidence: overview, replay/verify, export profiles, audit log +11. Identity & Access: users, roles, OAuth, tokens, tenants +12. Operations Hub: comprehensive operator command center +13. Diagnostics: 100+ checks across 10 categories +14. Policy Governance: risk budget visualization (excellent) +15. Release Gates: 4-gate evaluation with PASS/WARN/FAIL + +### What blocks a real user from full value: +1. Registry search 500 → can't add components to releases → can't seal +2. Scanner processes scans as "pending" forever (no actual Trivy/Grype engine) +3. No way to create policy packs through UI +4. Evidence is all demo fixture data (1842 packs, 106 bundles are not from real operations) + +### Product quality score: +- **UI/UX design: 9/10** — consistent, thoughtful, production-grade +- **Navigation stability: 9/10** (was 2/10 before this session's fixes) +- **Backend integration completeness: 6/10** — many endpoints return fixture data +- **End-to-end workflow completeness: 5/10** — setup works, but scan→triage→release→promote chain is not yet connected with real data
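Review bot: In S21-T01 the fix as described ("wasEverAuthenticated latch stays true once set, so transient loading states don't trigger guard redirects") is broader than the bug it targets: a latch that is never cleared will also keep the canMatch guards from redirecting after the session has genuinely ended, i.e. when the token refresh fails, the token is revoked, or the user signs out, not only during the 'loading' status. The completion criteria only check that pages stay stable for 12+ seconds after hard navigation and that the build succeeds; none of them exercise the negative case. Please add to the task description that the latch is reset on explicit logout and whenever the refresh resolves to an unauthenticated or error status, and add completion criteria such as "redirect to /welcome still fires after sign-out" and "redirect to /welcome fires after a failed token refresh" so the stability gain does not come at the cost of client-side route protection. Secondary point on S21-T02: the root cause is recorded only as speculation ("may not be configured or Harbor fixture isn't responding"); capture the actual server-side exception behind the 500 from RegistrySearchEndpoints.cs before sizing the task, since the two suspected causes call for different fixes.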