stop syncing with TASKS.md

src/Web/StellaOps.Web/AGENTS.md

@@ -7,13 +7,13 @@ Design and build the StellaOps web user experience that surfaces backend capabil
 - **UX Specialist** – defines user journeys, interaction patterns, accessibility guidelines, and visual design language.
 - **Angular Engineers** – implement the SPA, integrate with backend APIs, and ensure deterministic builds suitable for air-gapped deployments.
 
-## Operating Principles
-- Favor modular Angular architecture (feature modules, shared UI kit) with strong typing via latest TypeScript/Angular releases.
-- Align UI flows with backend contracts; coordinate with Authority and Concelier teams for API changes.
-- Keep assets and build outputs deterministic and cacheable for Offline Kit packaging.
-- Track work using the local `TASKS.md` board; keep statuses (TODO/DOING/REVIEW/BLOCKED/DONE) up to date.
-- Console admin flows use Authority `/console/admin/*` APIs and enforce fresh-auth for privileged actions.
-- Branding uses Authority `/console/branding` and applies only whitelisted CSS variables.
+## Operating Principles
+- Favor modular Angular architecture (feature modules, shared UI kit) with strong typing via latest TypeScript/Angular releases.
+- Align UI flows with backend contracts; coordinate with Authority and Concelier teams for API changes.
+- Keep assets and build outputs deterministic and cacheable for Offline Kit packaging.
+- Coordinate cross-module changes via docs/implplan/SPRINT*.md files updates and PR descriptions.  
+- Console admin flows use Authority `/console/admin/*` APIs and enforce fresh-auth for privileged actions.
+- Branding uses Authority `/console/branding` and applies only whitelisted CSS variables.
 
 ## Key Paths
 - `src/Web/StellaOps.Web` — Angular workspace (to be scaffolded).
@@ -64,13 +64,13 @@ Design and build the StellaOps web user experience that surfaces backend capabil
 - Partner with Docs Guild to translate UX decisions into operator guides.
 - Collaborate with Security Guild to validate authentication flows and session handling.
 
-## Required Reading
-- `docs/modules/platform/architecture-overview.md`
-- `docs/architecture/console-admin-rbac.md`
-- `docs/architecture/console-branding.md`
+## Required Reading
+- `docs/modules/platform/architecture-overview.md`
+- `docs/architecture/console-admin-rbac.md`
+- `docs/architecture/console-branding.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Web/StellaOps.Web/TASKS.md

@@ -1,55 +0,0 @@
-# Web Guild Tasks
-
-| Task ID | State | Notes |
-| --- | --- | --- |
-| WEB-AOC-19-002 | DONE (2025-11-30) | Added provenance builder, checksum utilities, and DSSE/CMS signature verification helpers with unit tests. |
-| WEB-AOC-19-003 | DONE (2025-11-30) | Added client-side guard validator (forbidden/derived/unknown fields, provenance/signature checks) with unit fixtures. |
-| WEB-AIAI-31-001 | DONE (2025-12-12) | Advisory AI gateway contract + samples shipped (`docs/api/gateway/advisory-ai.md`); web SDK client added (`src/app/core/api/advisory-ai.client.ts`). |
-| WEB-AIAI-31-002 | DONE (2025-12-12) | SSE job event streaming implemented + unit spec (`src/app/core/api/advisory-ai.client.spec.ts`). |
-| WEB-AIAI-31-003 | DONE (2025-12-12) | Telemetry headers + prompt hash support; documented guardrail surface for audit visibility. |
-| WEB-CONSOLE-23-002 | DONE (2025-12-04) | console/status polling + run stream client/store/UI shipped; samples verified in `docs/api/console/samples/`. |
-| WEB-CONSOLE-23-003 | DONE (2025-12-07) | Exports client/store/service + models shipped; targeted Karma specs green locally with CHROME_BIN override (`node ./node_modules/@angular/cli/bin/ng.js test --watch=false --browsers=ChromeHeadless --include console-export specs`). Backend manifest/limits v0.4 published; awaiting final Policy/DevOps sign-off but UI/client slice complete. |
-| WEB-RISK-66-001 | DONE (2025-12-20) | Gateway routing/client slice completed; Angular unit tests now run and pass (`npm test`), clearing the prior npm/CI blocker. |
-| WEB-EXC-25-001 | DONE (2025-12-12) | Exception contract + sample updated (`docs/api/console/exception-schema.md`); `ExceptionApiHttpClient` enforces scopes + trace/tenant headers with unit spec. |
-| WEB-EXC-25-002 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/policy-exceptions.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/policy-exceptions.client.ts`. |
-| WEB-EXC-25-003 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/exception-events.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/exception-events.client.ts`. |
-| WEB-LNM-21-001 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/advisories.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/advisories.client.ts`. |
-| WEB-LNM-21-002 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/vex-evidence.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/vex-evidence.client.ts`. |
-| WEB-LNM-21-003 | DONE (2025-12-12) | Contract + sample in `docs/api/gateway/policy-evidence.md`; composition client + deterministic mock + unit spec in `src/Web/StellaOps.Web/src/app/core/api/policy-evidence.client.ts`. |
-| WEB-ORCH-32-001 | DONE (2025-12-12) | Contract + sample in `docs/api/gateway/orchestrator.md`; web SDK client + deterministic mock + unit spec in `src/Web/StellaOps.Web/src/app/core/api/orchestrator.client.ts`. |
-| WEB-ORCH-33-001 | DONE (2025-12-12) | Orchestrator control SDK shipped (`src/app/core/api/orchestrator-control.*`) with unit spec; gateway contract + samples updated in `docs/api/gateway/orchestrator.md`. |
-| WEB-ORCH-34-001 | DONE (2025-12-12) | Quota/metrics surfaces documented + sampled (`docs/api/gateway/orchestrator.md` + samples) and covered by `OrchestratorControlHttpClient` unit spec. |
-| WEB-TEN-47-CONTRACT | DONE (2025-12-01) | Gateway tenant auth/ABAC contract doc v1.0 published (`docs/api/gateway/tenant-auth.md`). |
-| WEB-VULN-29-LEDGER-DOC | DONE (2025-12-01) | Findings Ledger proxy contract doc v1.0 with idempotency + retries (`docs/api/gateway/findings-ledger-proxy.md`). |
-| WEB-RISK-68-NOTIFY-DOC | DONE (2025-12-01) | Notifications severity transition event schema v1.0 published (`docs/api/gateway/notifications-severity.md`). |
-| UI-MICRO-GAPS-0209-011 | BLOCKED (2025-12-06) | Motion token catalog + Storybook/Playwright a11y harness added; remaining work paused pending SIG-26 reachability fixtures and final token mapping approvals. |
-| UI-POLICY-20-001 | DONE (2025-12-05) | Policy Studio Monaco editor with DSL highlighting, lint markers, and compliance checklist shipped; Karma spec now passes locally via Monaco loader file-replacement stub + Playwright Chromium/.deps NSS libs. |
-| UI-POLICY-20-002 | DONE (2025-12-05) | Simulation panel with deterministic diff rendering shipped (`/policy-studio/packs/:packId/simulate`). |
-| UI-POLICY-20-003 | DONE (2025-12-05) | Approvals workflow UI delivered with submit/review actions, two-person badge, and deterministic log. |
-| UI-POLICY-20-004 | DONE (2025-12-05) | Policy run dashboards delivered with filters, exports, heatmap, and daily deltas. |
-| UI-POLICY-23-000 | DONE (2025-12-05) | Added Policy Studio nav dropdown with pack selector and persisted selection. |
-| UI-POLICY-23-001 | DONE (2025-12-05) | Workspace route `/policy-studio/packs` with pack list + quick actions; cached pack store with offline fallback. |
-| UI-POLICY-23-002 | DONE (2025-12-05) | YAML editor route `/policy-studio/packs/:packId/yaml` with canonical preview and lint diagnostics. |
-| UI-POLICY-23-003 | DONE (2025-12-05) | Rule Builder route `/policy-studio/packs/:packId/rules` with guided inputs and deterministic preview JSON. |
-| UI-POLICY-23-004 | DONE (2025-12-05) | Approval workflow UI with checklist/schedule/comments; targeted Karma spec now passes locally using Playwright Chromium + bundled NSS libs (`CHROME_BIN=$HOME/.cache/ms-playwright/chromium-1140/chrome-linux/chrome`, `LD_LIBRARY_PATH=$PWD/.deps/usr/lib/x86_64-linux-gnu`). |
-| UI-POLICY-23-005 | DONE (2025-12-05) | Simulator updated with SBOM/advisory pickers and explain trace view; uses PolicyApiService simulate. |
-| UI-POLICY-23-006 | DONE (2025-12-06) | Explain view route `/policy-studio/packs/:packId/explain/:runId` with trace + JSON/PDF export (uses offline-safe jsPDF shim). |
-| UI-POLICY-23-001 | DONE (2025-12-05) | Workspace route `/policy-studio/packs` with pack list + quick actions; cached pack store with offline fallback. |
-| CVSS-UI-190-011 | DONE (2025-12-07) | Added CVSS receipt viewer route (/cvss/receipts/:receiptId) with score badge, tabbed sections, stub client, and unit spec in src/Web/StellaOps.Web. |
-| UI-POLICY-27-001 | DONE (2025-12-12) | Policy Studio RBAC guards + nav gating aligned to `policy:author/review/approve/operate/audit/simulate`; auth fixtures/e2e aligned; `ng test` + `playwright test` green. |
-| UI-SIG-26-001 | DONE (2025-12-12) | Vulnerability Explorer reachability column/filter/tooltips with deterministic stub data; hooks Why drawer. |
-| UI-SIG-26-002 | DONE (2025-12-12) | Reachability Why drawer with deterministic call paths/timeline/evidence (MockSignalsClient). |
-| UI-SIG-26-003 | DONE (2025-12-12) | SBOM Graph reachability halo overlay + time slider + legend (deterministic overlay state). |
-| UI-SIG-26-004 | DONE (2025-12-12) | Reachability Center view (coverage/missing/stale) using deterministic fixture rows; swap to upstream datasets when published. |
-| UI-TRIAGE-0215-001 | DONE (2025-12-12) | Triage artifacts list + workspace routes (`/triage/artifacts`, `/triage/artifacts/:artifactId`) with overview/reachability/policy/attestations tabs + signed evidence detail modal. |
-| UI-VEX-0215-001 | DONE (2025-12-12) | VEX-first triage modal with scope/validity/evidence/review sections and bulk apply; wired via `src/app/core/api/vex-decisions.client.ts`. |
-| UI-AUDIT-0215-001 | DONE (2025-12-12) | Immutable audit bundle button + wizard/history views; download via `GET /v1/audit-bundles/{bundleId}` (`Accept: application/octet-stream`) using `src/app/core/api/audit-bundles.client.ts`. |
-| WEB-TRIAGE-0215-001 | DONE (2025-12-12) | Added triage TS models + web SDK clients (VEX decisions, audit bundles, vuln-scan attestation predicate) and fixed `scripts/chrome-path.js` so `npm test` runs on Windows Playwright Chromium. |
-| UI-VEX-0215-A11Y | DONE (2025-12-12) | Added dialog semantics + focus trap for `VexDecisionModalComponent` and Playwright Axe coverage in `tests/e2e/a11y-smoke.spec.ts`. |
-| UI-TRIAGE-0215-FIXTURES | DONE (2025-12-12) | Made quickstart mock fixtures deterministic for triage surfaces (VEX decisions, audit bundles, vulnerabilities) to support offline-kit hashing and stable tests. |
-| UI-TRIAGE-4601-001 | DONE (2025-12-15) | Keyboard shortcuts for triage workspace (SPRINT_4601_0001_0001_keyboard_shortcuts.md). |
-| UI-TRIAGE-4602-001 | DONE (2025-12-15) | Finish triage decision drawer/evidence pills QA: component specs + Storybook stories (SPRINT_4602_0001_0001_decision_drawer_evidence_tab.md). |
-| UI-TTFS-0340-001 | DONE (2025-12-18) | FirstSignalCard UI component + client/store/tests + TTFS telemetry client/sampling + i18n micro-copy (SPRINT_0340_0001_0001_first_signal_card_ui.md). |
-| WEB-TTFS-0341-001 | DONE (2025-12-18) | Extend FirstSignal client models with `lastKnownOutcome` (SPRINT_0341_0001_0001_ttfs_enhancements.md). |
-| TRI-MASTER-0009 | DONE (2025-12-17) | Added Playwright E2E coverage for triage workflow (tabs, VEX modal, decision drawer, evidence pills). |
-| UI-EXC-3900-0003-0002-T7 | DONE (2025-12-22) | Exception wizard updated with recheck policy and evidence requirement steps plus unit coverage. |