Align release create wizard with canonical bundle lifecycle

Wire orch:operate scope into console bootstrap so the browser token can
execute release-control actions. Replace the silent-redirect fallback
with the canonical createBundle → publishVersion → materialize flow and
surface truthful error messages on 403/409/503. Add focused Angular
tests and Playwright journey evidence for standard and hotfix paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
master
2026-03-15 13:26:20 +02:00
parent 08390f0ca4
commit 27d27b1952
10 changed files with 769 additions and 24 deletions


@@ -0,0 +1,54 @@
# Sprint 20260315_005 - Release Create Operator Journey Contract Alignment
## Topic & Scope
- Repair the first-user release creation journey on the live stack after operator QA proved the action silently fails.
- Align the `/releases/versions/new` wizard with the canonical release-control bundle/version lifecycle instead of mismatched fallback APIs.
- Restore default Stella setup so the bootstrap console client can request the scopes required for release-control operate actions.
- Expected evidence: focused Angular tests, live Playwright create-journey evidence, updated deployment docs.
Working directory: `src/Web/StellaOps.Web`.
Cross-module edits allowed for this sprint:
- `devops/compose/`
- `docs/operations/`
## Dependencies & Concurrency
- Depends on the current intact live stack; do not tear down the running Stella setup during this sprint.
- Safe to run in parallel with unrelated read-only discovery, but no other agent should mutate the same release-create files at the same time.
## Documentation Prerequisites
- `docs/modules/platform/architecture-overview.md`
- `docs/operations/deployment/console.md`
- `docs/operations/deployment/docker.md`
## Delivery Tracker
### RCREATE-001 - Restore truthful release create behavior
Status: DONE
Dependency: none
Owners: QA, 3rd-line support, Product Manager, Developer
Task description:
- Operator QA on the live stack showed that the release create wizard redirects back to `Release Versions` after backend failures instead of creating a usable release artifact. Root cause triage identified three linked problems: the console bootstrap client does not request `orch:operate`, the wizard posts to a release-control bundle endpoint and then falls back to a different legacy releases endpoint, and the UI masks both failures with a silent redirect.
- This task must align the workflow to the canonical release-control bundle/version lifecycle, keep error handling truthful, and retain the operator path in Playwright so future scratch iterations keep exercising it.
Completion criteria:
- [x] Default Stella setup grants the console client the scopes required for release-control operate actions.
- [x] `/releases/versions/new` creates a real canonical artifact and lands the operator on the created resource instead of silently redirecting after failed POSTs.
- [x] Standard and hotfix create journeys are covered by retained live Playwright evidence.
- [x] Focused Angular tests cover the repaired create flow and failure handling.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-15 | Sprint created from live operator QA after `/releases/versions/new` silently redirected while `POST /api/v1/release-control/bundles` returned 403 and fallback `POST /api/v1/releases` returned 503. | Codex |
| 2026-03-15 | Began grouped repair: console bootstrap scope strings now include `orch:operate`, the create page uses `AUTH_SERVICE` instead of injecting an interface directly, canonical bundle-version navigation preserves operator query scope, the stale legacy create fallback was removed from the release-management client, and retained Angular/Playwright coverage for standard plus hotfix create journeys was added for the active rerun. | Codex |
| 2026-03-15 | RCREATE-001 verified DONE. All four completion criteria confirmed met: (1) `orch:operate` added to Platform scope, Authority bootstrap AllowedScopes, and envsettings-override.json; deployment docs updated. (2) Create wizard rewired to canonical BundleOrganizerApi lifecycle (createBundle -> publishBundleVersion -> materializeBundleVersion) with truthful error display and navigation to `/releases/bundles/:bundleId/versions/:versionId`; stale legacy fallback removed from release-management.client.ts. (3) Playwright script `live-release-create-journey.mjs` covers standard and hotfix journeys with full assertion suite; integrated into `live-full-core-audit.mjs`. (4) Four focused Angular tests in `create-release.component.spec.ts` cover: component gate validation, scope check guard, happy-path canonical lifecycle with navigation, and 409 conflict reuse with hotfix type. | Agent |
## Decisions & Risks
- Current live evidence shows the bootstrap admin role exists, but the console client allowed-scopes list omits `orch:operate`; the UI therefore exposes create actions that the browser token cannot execute.
- The clean fix is contract alignment, not optimistic UI masking. The create wizard must use the canonical release-control lifecycle and keep failures visible to the operator.
## Next Checkpoints
- Patch web + bootstrap scope config.
- Rebuild/redeploy authority and web on the current stack.
- Rerun live release create journey and aggregate release surfaces.
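Review bot: `## Decisions & Risks` records the missing scope but not the consequence of the fix: the default console client now requests `orch:operate`, so the browser token carries release-control operate rights by default. Please add a risk line stating that trade-off and pointing at the scope check guard that the Execution Log says the Angular tests cover, so a later audit of the bootstrap AllowedScopes has the rationale in one place. Separately, `## Next Checkpoints` still lists patching the scope config, rebuilding authority and web, and rerunning the journey as upcoming work, while the tracker shows `Status: DONE` and the last log row says all four criteria are verified; drop the section or replace it with what actually remains.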


@@ -55,7 +55,7 @@ Key sections in `devops/helm/stellaops/values-prod.yaml`:
| `console.config.apiGateway.baseUrl` | Internal base URL the UI uses to reach the gateway (defaults to `https://stellaops-web`). |
| `console.env.AUTHORITY_ISSUER` | Authority issuer URL (for example, `https://authority.example.com`). |
| `console.env.AUTHORITY_CLIENT_ID` | Authority client ID for the console UI. |
| `console.env.AUTHORITY_SCOPES` | Space-separated scopes required by UI (`ui.read ui.admin`). |
| `console.env.AUTHORITY_SCOPES` | Space-separated scopes required by UI (`ui.read ui.admin`). Release-control create/materialize journeys also require `orch:operate`. |
| `console.resources` | CPU/memory requests and limits (default 250m CPU / 512Mi memory). |
| `console.podAnnotations` | Optional annotations for service mesh or monitoring. |
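Review bot: In the `console.env.AUTHORITY_SCOPES` row the parenthetical example still reads `ui.read ui.admin`, while the sentence appended after it says release-control journeys also need `orch:operate`, and the later hunks in this file move both the env example and the documented default to `ui.read ui.admin orch:operate`. An operator who copies the parenthetical into `values-prod.yaml` gets a console that shows create actions the token cannot execute, which is the failure the sprint note describes. Suggest putting the full string in the parenthetical, or saying explicitly that `orch:operate` may be omitted only for consoles that never create or materialize releases.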
@@ -108,7 +108,7 @@ CONSOLE_PUBLIC_BASE_URL=https://console.acme.internal
AUTHORITY_ISSUER=https://authority.acme.internal
AUTHORITY_CLIENT_ID=console-ui
AUTHORITY_CLIENT_SECRET=<if using confidential client>
AUTHORITY_SCOPES=ui.read ui.admin
AUTHORITY_SCOPES=ui.read ui.admin orch:operate
CONSOLE_GATEWAY_BASE_URL=https://api.acme.internal
```
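Review bot: The changed line `AUTHORITY_SCOPES=ui.read ui.admin orch:operate` leaves a three-token value unquoted, while the other deployment guide touched by this commit writes the same variable as `AUTHORITY_SCOPES="ui.read ui.admin orch:operate ..."`. If this block is ever sourced by a shell rather than read as an env file, only `ui.read` is assigned and the remaining tokens are treated as a command, so the new scope would be dropped without any visible error in the console config. Suggest quoting the value here to match the other guide.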
@@ -124,7 +124,7 @@ The compose bundle includes Traefik as reverse proxy with TLS termination. Updat
| `CONSOLE_GATEWAY_BASE_URL` | URL of the web gateway that proxies API calls (`/console/*`). | Chart service name. |
| `AUTHORITY_ISSUER` | Authority issuer (`https://authority.example.com`). | None (required). |
| `AUTHORITY_CLIENT_ID` | OIDC client configured in Authority. | None (required). |
| `AUTHORITY_SCOPES` | Space-separated scopes assigned to the console client. | `ui.read ui.admin`. |
| `AUTHORITY_SCOPES` | Space-separated scopes assigned to the console client. | `ui.read ui.admin orch:operate`. |
| `AUTHORITY_DPOP_ENABLED` | Enables DPoP challenge/response (recommended true). | `true`. |
| `CONSOLE_FEATURE_FLAGS` | Comma-separated feature flags (`runs`, `downloads.offline`, etc.). | `runs,downloads,policies`. |
| `CONSOLE_LOG_LEVEL` | Minimum log level (`Information`, `Debug`, etc.). | `Information`. |
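Review bot: The `AUTHORITY_SCOPES` row changes the documented default to `ui.read ui.admin orch:operate` but keeps the description "scopes assigned to the console client", which does not tell the operator that the Authority client registration must allow the scope as well. The sprint note in this commit names exactly that gap as the root cause (the console client allowed-scopes list omitted `orch:operate`). Suggest adding a sentence to this row, or a short note under the table, that every scope listed here must also be present in the client's AllowedScopes in Authority, and that an existing deployment upgrading to this default has to update both sides.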


@@ -36,7 +36,7 @@ This guide focuses on the new **StellaOps Console** container. Start with the ge
CONSOLE_GATEWAY_BASE_URL=https://api.dev.stella-ops.local
AUTHORITY_ISSUER=https://authority.dev.stella-ops.local
AUTHORITY_CLIENT_ID=console-ui
AUTHORITY_SCOPES="ui.read ui.admin findings:read advisory:read vex:read aoc:verify"
AUTHORITY_SCOPES="ui.read ui.admin orch:operate findings:read advisory:read vex:read aoc:verify"
AUTHORITY_DPOP_ENABLED=true
```
@@ -99,7 +99,7 @@ This guide focuses on the new **StellaOps Console** container. Start with the ge
CONSOLE_GATEWAY_BASE_URL: "https://api.dev.stella-ops.local"
AUTHORITY_ISSUER: "https://authority.dev.stella-ops.local"
AUTHORITY_CLIENT_ID: "console-ui"
AUTHORITY_SCOPES: "ui.read ui.admin findings:read advisory:read vex:read aoc:verify"
AUTHORITY_SCOPES: "ui.read ui.admin orch:operate findings:read advisory:read vex:read aoc:verify"
AUTHORITY_DPOP_ENABLED: "true"
CONSOLE_FEATURE_FLAGS: "runs,downloads,policies"
CONSOLE_METRICS_ENABLED: "true"
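Review bot: With the changed `AUTHORITY_SCOPES` line the console scope string is now hand-maintained in several places that do not agree: this guide uses `ui.read ui.admin orch:operate findings:read advisory:read vex:read aoc:verify` in both its env and YAML examples, while the other deployment guide in this commit documents the default as `ui.read ui.admin orch:operate`. The next scope change will need the same multi-file edit and can drift the same way the bootstrap config did. Suggest stating the minimal required set once and having each example either reference it or label its extra scopes as optional, so a reader can tell which scopes release-control actually needs.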