doctor enhancements, setup, enhancements, ui functionality and design consolidation and , test projects fixes , product advisory attestation/rekor and delta verfications enhancements

2026-01-19 09:02:59 +02:00
parent 8c4bf54aed
commit 17419ba7c4
809 changed files with 170738 additions and 12244 deletions
--- a/docs/ui-analysis/05_ROUTE_SUMMARY_AND_OBSERVATIONS.md
+++ b/docs/ui-analysis/05_ROUTE_SUMMARY_AND_OBSERVATIONS.md
@@ -0,0 +1,373 @@
+# Stella Ops UI Structure - Part 5: Route Summary & Observations
+
+---
+
+## 1. COMPLETE ROUTE TABLE
+
+### 1.1 Home & Dashboard Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/` | `HomeDashboardComponent` | features/home/ | requireAuthGuard |
+| `/welcome` | `WelcomePageComponent` | features/welcome/ | - |
+| `/dashboard/sources` | `SourcesDashboardComponent` | features/dashboard/ | - |
+
+### 1.2 Analyze Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/findings` | `FindingsContainerComponent` | features/findings/container/ | requireAuthGuard |
+| `/findings/:scanId` | `FindingsContainerComponent` | features/findings/container/ | requireAuthGuard |
+| `/vulnerabilities` | `VulnerabilityExplorerComponent` | features/vulnerabilities/ | requireAuthGuard |
+| `/vulnerabilities/:vulnId` | `VulnerabilityDetailComponent` | features/vulnerabilities/ | requireAuthGuard |
+| `/graph` | `GraphExplorerComponent` | features/graph/ | requireAuthGuard |
+| `/lineage` | `LineageGraphContainerComponent` | features/lineage/components/ | requireAuthGuard |
+| `/lineage/:artifact/compare` | `LineageCompareComponent` | features/lineage/components/ | requireAuthGuard |
+| `/lineage/compare` | `LineageCompareComponent` | features/lineage/components/ | requireAuthGuard |
+| `/reachability` | `ReachabilityCenterComponent` | features/reachability/ | requireAuthGuard |
+| `/admin/vex-hub` | `VexHubDashboardComponent` | features/vex-hub/ | requireAuthGuard |
+| `/admin/vex-hub/search` | `VexStatementSearchComponent` | features/vex-hub/ | requireAuthGuard |
+| `/admin/vex-hub/search/detail/:id` | `VexStatementDetailComponent` | features/vex-hub/ | requireAuthGuard |
+| `/admin/vex-hub/stats` | `VexHubStatsComponent` | features/vex-hub/ | requireAuthGuard |
+| `/admin/vex-hub/consensus` | `VexConsensusComponent` | features/vex-hub/ | requireAuthGuard |
+| `/admin/vex-hub/explorer` | `VexHubComponent` | features/vex-hub/ | requireAuthGuard |
+| `/analyze/unknowns` | unknownsRoutes | features/unknowns-tracking/ | requireAuthGuard |
+| `/analyze/patch-map` | `PatchMapComponent` | features/binary-index/ | requireAuthGuard |
+| `/scans/:scanId` | `ScanDetailPageComponent` | features/scans/ | - |
+| `/compare/:currentId` | `CompareViewComponent` | features/compare/components/ | requireAuthGuard |
+| `/cvss/receipts/:receiptId` | `CvssReceiptComponent` | features/cvss/ | requireAuthGuard |
+
+### 1.3 Triage Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/triage/artifacts` | `TriageArtifactsComponent` | features/triage/ | requireAuthGuard |
+| `/triage/artifacts/:artifactId` | `TriageWorkspaceComponent` | features/triage/ | requireAuthGuard |
+| `/triage/audit-bundles` | `TriageAuditBundlesComponent` | features/triage/ | requireAuthGuard |
+| `/triage/audit-bundles/new` | `TriageAuditBundleNewComponent` | features/triage/ | requireAuthGuard |
+| `/exceptions` | `TriageArtifactsComponent` | features/triage/ | requireAuthGuard |
+| `/risk` | `RiskDashboardComponent` | features/risk/ | requireAuthGuard |
+
+### 1.4 Policy Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/policy-studio/packs` | `PolicyWorkspaceComponent` | features/policy-studio/workspace/ | requirePolicyViewerGuard |
+| `/policy-studio/packs/:packId/editor` | `PolicyEditorComponent` | features/policy-studio/editor/ | requirePolicyAuthorGuard |
+| `/policy-studio/packs/:packId/yaml` | `PolicyYamlEditorComponent` | features/policy-studio/yaml/ | requirePolicyAuthorGuard |
+| `/policy-studio/packs/:packId/simulate` | `PolicySimulationComponent` | features/policy-studio/simulation/ | requirePolicySimulatorGuard |
+| `/policy-studio/packs/:packId/approvals` | `PolicyApprovalsComponent` | features/policy-studio/approvals/ | requirePolicyReviewOrApproveGuard |
+| `/policy-studio/packs/:packId/rules` | `PolicyRuleBuilderComponent` | features/policy-studio/rule-builder/ | requirePolicyAuthorGuard |
+| `/policy-studio/packs/:packId/explain/:runId` | `PolicyExplainComponent` | features/policy-studio/explain/ | requirePolicyViewerGuard |
+| `/policy-studio/packs/:packId/dashboard` | `PolicyDashboardComponent` | features/policy-studio/dashboard/ | requirePolicyViewerGuard |
+| `/orchestrator` | `OrchestratorDashboardComponent` | features/orchestrator/ | requireOrchViewerGuard |
+| `/orchestrator/jobs` | `OrchestratorJobsComponent` | features/orchestrator/ | requireOrchViewerGuard |
+| `/orchestrator/jobs/:jobId` | `OrchestratorJobDetailComponent` | features/orchestrator/ | requireOrchViewerGuard |
+| `/orchestrator/quotas` | `OrchestratorQuotasComponent` | features/orchestrator/ | requireOrchOperatorGuard |
+
+### 1.5 Ops Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/sbom-sources` | `SourcesListComponent` | features/sbom-sources/components/ | requireAuthGuard |
+| `/sbom-sources/new` | `SourceWizardComponent` | features/sbom-sources/components/ | requireAuthGuard |
+| `/sbom-sources/:id` | `SourceDetailComponent` | features/sbom-sources/components/ | requireAuthGuard |
+| `/sbom-sources/:id/edit` | `SourceWizardComponent` | features/sbom-sources/components/ | requireAuthGuard |
+| `/ops/quotas` | quotaRoutes | features/quota-dashboard/ | requireAuthGuard |
+| `/ops/quotas/tenants` | `TenantQuotaTableComponent` | features/quota-dashboard/ | requireAuthGuard |
+| `/ops/quotas/tenants/:tenantId` | `TenantQuotaDetailComponent` | features/quota-dashboard/ | requireAuthGuard |
+| `/ops/quotas/throttle` | `ThrottleContextComponent` | features/quota-dashboard/ | requireAuthGuard |
+| `/ops/quotas/alerts` | `QuotaAlertConfigComponent` | features/quota-dashboard/ | requireAuthGuard |
+| `/ops/quotas/forecast` | `QuotaForecastComponent` | features/quota-dashboard/ | requireAuthGuard |
+| `/ops/quotas/reports` | `QuotaReportExportComponent` | features/quota-dashboard/ | requireAuthGuard |
+| `/ops/orchestrator/dead-letter` | deadletterRoutes | features/deadletter/ | requireAuthGuard |
+| `/ops/orchestrator/slo` | sloRoutes | features/slo-monitoring/ | requireAuthGuard |
+| `/ops/health` | platformHealthRoutes | features/platform-health/ | requireAuthGuard |
+| `/ops/feeds` | feedMirrorRoutes | features/feed-mirror/ | requireAuthGuard |
+| `/ops/feeds/mirror/:mirrorId` | `MirrorDetailComponent` | features/feed-mirror/ | requireAuthGuard |
+| `/ops/feeds/airgap/import` | `AirgapImportComponent` | features/feed-mirror/ | requireAuthGuard |
+| `/ops/feeds/airgap/export` | `AirgapExportComponent` | features/feed-mirror/ | requireAuthGuard |
+| `/ops/feeds/version-locks` | `VersionLockComponent` | features/feed-mirror/ | requireAuthGuard |
+| `/ops/offline-kit` | offlineKitRoutes | features/offline-kit/ | requireAuthGuard |
+| `/ops/aoc` | AOC_COMPLIANCE_ROUTES | features/aoc-compliance/ | requireAuthGuard |
+| `/ops/doctor` | DOCTOR_ROUTES | features/doctor/ | requireAuthGuard |
+| `/scheduler` | schedulerOpsRoutes | features/scheduler-ops/ | requireAuthGuard |
+| `/scheduler/runs` | `SchedulerRunsComponent` | features/scheduler-ops/ | requireAuthGuard |
+| `/scheduler/schedules` | `ScheduleManagementComponent` | features/scheduler-ops/ | requireAuthGuard |
+| `/scheduler/workers` | `WorkerFleetComponent` | features/scheduler-ops/ | requireAuthGuard |
+
+### 1.6 Notify Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/notify` | `NotifyPanelComponent` | features/notify/ | - |
+
+### 1.7 Admin Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/console/admin` | consoleAdminRoutes | features/console-admin/ | requireAuthGuard + ui.admin |
+| `/console/admin/tenants` | `TenantsListComponent` | features/console-admin/tenants/ | authority:tenants:read |
+| `/console/admin/users` | `UsersListComponent` | features/console-admin/users/ | authority:users:read |
+| `/console/admin/roles` | `RolesListComponent` | features/console-admin/roles/ | authority:roles:read |
+| `/console/admin/clients` | `ClientsListComponent` | features/console-admin/clients/ | authority:clients:read |
+| `/console/admin/tokens` | `TokensListComponent` | features/console-admin/tokens/ | authority:tokens:read |
+| `/console/admin/audit` | `AuditLogComponent` | features/console-admin/audit/ | authority:audit:read |
+| `/console/admin/branding` | `BrandingEditorComponent` | features/console-admin/branding/ | authority:branding:read |
+| `/admin/audit` | auditLogRoutes | features/audit-log/ | requireAuthGuard |
+| `/admin/notifications` | adminNotificationsRoutes | features/admin-notifications/ | requireAuthGuard |
+| `/admin/trust` | trustAdminRoutes | features/trust-admin/ | requireAuthGuard + signer:read |
+| `/admin/policy/governance` | policyGovernanceRoutes | features/policy-governance/ | requireAuthGuard |
+| `/admin/policy/simulation` | policySimulationRoutes | features/policy-simulation/ | requireAuthGuard |
+| `/admin/registries` | registryAdminRoutes | features/registry-admin/ | requireAuthGuard |
+| `/admin/issuers` | issuerTrustRoutes | features/issuer-trust/ | requireAuthGuard |
+| `/ops/scanner` | scannerOpsRoutes | features/scanner-ops/ | requireAuthGuard |
+| `/concelier/trivy-db-settings` | `TrivyDbSettingsPageComponent` | features/trivy-db-settings/ | - |
+
+### 1.8 Console Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/console/profile` | `ConsoleProfileComponent` | features/console/ | - |
+| `/console/status` | `ConsoleStatusComponent` | features/console/ | - |
+| `/console/configuration` | CONFIGURATION_PANE_ROUTES | features/configuration-pane/ | requireAuthGuard |
+
+### 1.9 Release Orchestrator Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/release-orchestrator` | DASHBOARD_ROUTES | features/release-orchestrator/dashboard/ | requireAuthGuard |
+| `/release-orchestrator/environments` | ENVIRONMENT_ROUTES | features/release-orchestrator/environments/ | requireAuthGuard |
+| `/release-orchestrator/releases` | RELEASE_ROUTES | features/release-orchestrator/releases/ | requireAuthGuard |
+| `/release-orchestrator/workflows` | WORKFLOW_ROUTES | features/release-orchestrator/workflows/ | requireAuthGuard |
+| `/release-orchestrator/approvals` | APPROVAL_ROUTES | features/release-orchestrator/approvals/ | requireAuthGuard |
+| `/release-orchestrator/deployments` | DEPLOYMENT_ROUTES | features/release-orchestrator/deployments/ | requireAuthGuard |
+| `/release-orchestrator/evidence` | EVIDENCE_ROUTES | features/release-orchestrator/evidence/ | requireAuthGuard |
+
+### 1.10 Evidence Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/evidence` | evidenceExportRoutes | features/evidence-export/ | requireAuthGuard |
+| `/evidence/bundles` | `EvidenceBundlesComponent` | features/evidence-export/ | requireAuthGuard |
+| `/evidence/export` | `ExportCenterComponent` | features/evidence-export/ | requireAuthGuard |
+| `/evidence/replay` | `ReplayControlsComponent` | features/evidence-export/ | requireAuthGuard |
+| `/evidence/provenance` | `ProvenanceVisualizationComponent` | features/evidence-export/ | requireAuthGuard |
+| `/evidence-packs` | `EvidencePackListComponent` | features/evidence-pack/ | requireAuthGuard |
+| `/evidence-packs/:packId` | `EvidencePackViewerComponent` | features/evidence-pack/ | requireAuthGuard |
+| `/proofs/:subjectDigest` | `ProofChainComponent` | features/proof-chain/ | requireAuthGuard |
+
+### 1.11 Integration Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/integrations` | integrationHubRoutes | features/integration-hub/ | requireAuthGuard |
+| `/integrations/registries` | `IntegrationListComponent` | features/integration-hub/ | requireAuthGuard |
+| `/integrations/scm` | `IntegrationListComponent` | features/integration-hub/ | requireAuthGuard |
+| `/integrations/ci` | `IntegrationListComponent` | features/integration-hub/ | requireAuthGuard |
+| `/integrations/hosts` | `IntegrationListComponent` | features/integration-hub/ | requireAuthGuard |
+| `/integrations/feeds` | `IntegrationListComponent` | features/integration-hub/ | requireAuthGuard |
+| `/integrations/activity` | `IntegrationActivityComponent` | features/integration-hub/ | requireAuthGuard |
+| `/integrations/:integrationId` | `IntegrationDetailComponent` | features/integration-hub/ | requireAuthGuard |
+
+### 1.12 Other Routes
+
+| Route | Component | Location | Guards |
+|---|---|---|---|
+| `/ai-runs` | `AiRunsListComponent` | features/ai-runs/ | requireAuthGuard |
+| `/ai-runs/:runId` | `AiRunViewerComponent` | features/ai-runs/ | requireAuthGuard |
+| `/change-trace` | changeTraceRoutes | features/change-trace/ | requireAuthGuard |
+| `/setup` | setupWizardRoutes | features/setup-wizard/ | - |
+| `/auth/callback` | `AuthCallbackComponent` | features/auth/ | - |
+| `**` | redirectTo: '' | - | - |
+
+---
+
+## 2. ROUTE COUNT SUMMARY
+
+| Category | Route Count |
+|---|---|
+| Home & Dashboard | 3 |
+| Analyze | 20 |
+| Triage | 6 |
+| Policy | 12 |
+| Ops | 30+ |
+| Notify | 1 |
+| Admin | 17+ |
+| Console | 3 |
+| Release Orchestrator | 7 |
+| Evidence | 8 |
+| Integrations | 8 |
+| Other | 5 |
+| **TOTAL** | **~120+ routes** |
+
+---
+
+## 3. OBSERVATIONS
+
+### 3.1 Navigation Structure Observations
+
+1. **7 top-level navigation groups** defined in `navigation.config.ts`:
+   - HOME, ANALYZE, TRIAGE, POLICY, OPS, NOTIFY, ADMIN
+
+2. **Deep nesting in OPS section**: The Ops navigation group contains sub-items with their own children (e.g., Quotas has 6 sub-routes, SLO Monitoring has 3 sub-routes)
+
+3. **Admin section size**: Admin group contains 17+ items in the navigation configuration
+
+4. **Inconsistent route prefixes**:
+   - VEX Hub is at `/admin/vex-hub` but shown in Analyze menu
+   - Scanner Ops is at `/ops/scanner` but listed under Admin menu
+   - Some scheduler routes are at `/scheduler` (not `/ops/scheduler`)
+
+### 3.2 Feature Module Observations
+
+1. **77 feature directories** under `src/app/features/`
+
+2. **Duplicate/similar named modules**:
+   - `evidence/` and `evidence-export/` and `evidence-pack/` and `evidence-thread/`
+   - `proof/` and `proof-chain/` and `proof-studio/` and `proofs/`
+   - `unknowns/` and `unknowns-tracking/`
+   - `integrations/` and `integration-hub/`
+   - `vex-hub/` and `vex-studio/`
+   - `triage/` and `triage-inbox/`
+   - `policy/` and `policy-gates/` and `policy-governance/` and `policy-simulation/` and `policy-studio/`
+
+3. **Orphaned/unused modules** (exist as directories but not in main routes):
+   - `advisory-ai/`
+   - `aoc/` (vs `aoc-compliance/`)
+   - `evidence/` (vs `evidence-export/`)
+   - `exceptions/` (route uses triage component)
+   - `integrations/` (vs `integration-hub/`)
+   - `opsmemory/`
+   - `policy/` (vs `policy-studio/`)
+   - `proof/` (vs `proof-chain/`)
+   - `proofs/` (vs `proof-chain/`)
+   - `releases/` (vs release-orchestrator)
+   - `runs/`
+   - `sbom/`
+   - `scores/`
+   - `secret-detection/`
+   - `settings/`
+   - `snapshot/`
+   - `sources/`
+   - `triage-inbox/`
+   - `unknowns/` (vs `unknowns-tracking/`)
+   - `verdicts/`
+   - `vex-studio/`
+   - `vuln-explorer/` (vs `vulnerabilities/`)
+
+### 3.3 Route Path Observations
+
+1. **Mixed path conventions**:
+   - Some use `/admin/` prefix: `/admin/vex-hub`, `/admin/trust`, `/admin/audit`
+   - Some use `/console/admin/`: `/console/admin/tenants`, `/console/admin/users`
+   - Some use `/ops/`: `/ops/quotas`, `/ops/health`, `/ops/feeds`
+   - Some use root: `/scheduler`, `/evidence`, `/integrations`
+
+2. **Inconsistent pluralization**:
+   - `/vulnerabilities` (plural) vs `/risk` (singular)
+   - `/findings` (plural) vs `/graph` (singular)
+   - `/integrations` (plural) vs `/scheduler` (singular)
+
+3. **Deep routes**:
+   - `/policy-studio/packs/:packId/explain/:runId` - 5 segments
+   - `/admin/vex-hub/search/detail/:id` - 5 segments
+   - `/ops/orchestrator/dead-letter/queue` - 4 segments
+
+### 3.4 Guard/Scope Observations
+
+1. **Different guard patterns used**:
+   - `requireAuthGuard` - basic authentication
+   - `requireOrchViewerGuard` - orchestrator read access
+   - `requireOrchOperatorGuard` - orchestrator operator access
+   - `requirePolicyViewerGuard` - policy read
+   - `requirePolicyAuthorGuard` - policy authoring
+   - `requirePolicySimulatorGuard` - policy simulation
+   - `requirePolicyReviewerGuard` - policy review
+   - `requirePolicyApproverGuard` - policy approval
+   - `requirePolicyReviewOrApproveGuard` - either review or approve
+
+2. **Scope-based access defined in navigation config**:
+   - `graph:read` for SBOM Graph
+   - `policy:author`, `policy:simulate`, `policy:review`, `policy:approve`, `policy:read`
+   - `ui.admin` for Admin section
+
+3. **Some routes have no guards**: `/welcome`, `/notify`, `/scans/:scanId`, `/concelier/trivy-db-settings`
+
+### 3.5 Dashboard Screen Observations
+
+Multiple dashboard screens exist across the application:
+
+1. **Home Dashboard** (`/`) - Security overview
+2. **Orchestrator Dashboard** (`/orchestrator`) - Job management
+3. **Policy Dashboard** (`/policy-studio/packs/:packId/dashboard`) - Per-pack metrics
+4. **Quota Dashboard** (`/ops/quotas`) - License/quota metrics
+5. **Platform Health Dashboard** (`/ops/health`) - Service health
+6. **Feed Mirror Dashboard** (`/ops/feeds`) - Feed sync status
+7. **Offline Dashboard** (`/ops/offline-kit/dashboard`) - Offline mode
+8. **AOC Compliance Dashboard** (`/ops/aoc`) - Compliance metrics
+9. **Release Dashboard** (`/release-orchestrator`) - Release pipeline
+10. **VEX Hub Dashboard** (`/admin/vex-hub`) - VEX statements
+11. **Doctor Dashboard** (`/ops/doctor`) - Diagnostics
+12. **SLO Dashboard** (`/ops/orchestrator/slo`) - SLO health
+13. **Dead-Letter Dashboard** (`/ops/orchestrator/dead-letter`) - Failed jobs
+14. **Audit Dashboard** (`/admin/audit`) - Audit overview
+15. **Trust Dashboard** (`/admin/trust/keys`) - Signing keys
+16. **Sources Dashboard** (`/dashboard/sources`) - SBOM sources
+
+### 3.6 Configuration/Settings Screen Observations
+
+Multiple locations for configuration:
+
+1. **Setup Wizard** (`/setup`) - Initial setup
+2. **Configuration Pane** (`/console/configuration`) - Integration config
+3. **Integration Hub** (`/integrations`) - Integration catalog
+4. **Console Admin** (`/console/admin/*`) - User/tenant/role management
+5. **Trust Admin** (`/admin/trust`) - Keys/certificates
+6. **Registry Admin** (`/admin/registries`) - Registry tokens
+7. **Notification Admin** (`/admin/notifications`) - Notification rules
+8. **Policy Governance** (`/admin/policy/governance`) - Policy config
+9. **Scanner Ops** (`/ops/scanner/settings`) - Scanner settings
+10. **Quota Alert Config** (`/ops/quotas/alerts`) - Alert thresholds
+11. **SLO Definitions** (`/ops/orchestrator/slo/definitions`) - SLO config
+12. **Trivy DB Settings** (`/concelier/trivy-db-settings`) - Trivy config
+
+### 3.7 Evidence/Proof Screen Observations
+
+Multiple locations for evidence-related functionality:
+
+1. **Evidence Center** (`/evidence`) - Bundles, export, replay, provenance
+2. **Evidence Packs** (`/evidence-packs`) - Pack list/viewer
+3. **Proof Chain** (`/proofs/:subjectDigest`) - Proof visualization
+4. **Audit Bundles** (`/triage/audit-bundles`) - Audit evidence
+5. **Release Evidence** (`/release-orchestrator/evidence`) - Release evidence
+
+### 3.8 Shared Component Observations
+
+Large number of shared components in `src/app/shared/components/`:
+- 100+ shared components
+- Mix of UI primitives (button, card, modal) and domain-specific (finding-detail, vex-status-chip)
+- Some components are highly specific (e.g., `dsse-envelope-viewer`, `lattice-diagram`)
+
+### 3.9 Feature Overlap Observations
+
+1. **Findings vs Triage**: Both handle vulnerability findings with different workflows
+2. **VEX Hub vs Triage VEX**: VEX decisions can be made in both places
+3. **Evidence in multiple places**: Evidence features spread across 5 different feature modules
+4. **Policy in multiple places**: Policy features spread across 5 different feature modules
+5. **Audit logs in multiple places**: Console admin audit, unified audit log, trust audit, etc.
+
+### 3.10 UI Pattern Observations
+
+1. **Consistent patterns used**:
+   - Tab navigation within features
+   - Slide-out detail panels
+   - Data tables with filters and pagination
+   - Status badges with color coding (🟢🟡🔴)
+   - Skeleton loading states
+
+2. **Dashboard card pattern**: Used on home dashboard and several other dashboards
+
+3. **Wizard pattern**: Used in setup wizard, source wizard, key rotation wizard
+
+4. **Split-pane pattern**: Used in policy editor, triage workspace