feat: add Reachability Center and Why Drawer components with tests

- Implemented ReachabilityCenterComponent for displaying asset reachability status with summary and filtering options.
- Added ReachabilityWhyDrawerComponent to show detailed reachability evidence and call paths.
- Created unit tests for both components to ensure functionality and correctness.
- Updated accessibility test results for the new components.

docs/api/console/exception-schema.md

@@ -1,20 +1,38 @@
-# Console Exceptions API Schema (draft placeholder)
+# Console Exceptions API Schema (Web I)
 
-**Status:** TODO · awaiting Policy Guild + Platform Events
+**Status:** Interim contract shipped by Web I to unblock SDK/UI work. Align to the authoritative Policy/Events schema when published.
 
 ## Scope
-- `/exceptions` CRUD/workflow (create, propose, approve, revoke, list, history) proxied by Web gateway.
-- Audit logging, pagination, notification hooks, rate limits, RBAC scopes.
+- `/exceptions` CRUD/workflow (create, propose, approve/reject, revoke, list, history) proxied by the gateway.
+- Deterministic pagination (`continuationToken`), stable sorting, and explicit audit trails.
 
-## Needed from owners
-- JSON schema for exception entity and workflow transitions; validation rules.
-- Required scopes/roles; audit fields; pagination/sorting defaults; max durations/guardrails.
-- Notification hook contract (`exception.*` events) and rate-limit policy.
-- Sample payloads for each state and error cases.
+## Headers
+- `X-StellaOps-Tenant` (required)
+- `X-Stella-Project` (optional)
+- `X-Stella-Trace-Id` (required)
+- `X-Stella-Request-Id` (required; defaults to trace ID)
 
-## Draft sample (placeholder)
-- See `docs/api/console/samples/exception-schema-sample.json` for a skeleton payload covering `pending_review` state.
-- Replace with authoritative samples once schema is published.
+## Scopes
+- Read: `exception:read`
+- Create/edit: `exception:write`
+- Approve/reject/revoke: `exception:approve`
 
-## TODO
-- Replace with ratified schema + samples; log hash/date; link from Web I/II sprint logs.
+## Endpoints
+- `GET /exceptions?status=&severity=&search=&sortBy=&sortOrder=&limit=&continuationToken=`
+- `GET /exceptions/{exceptionId}`
+- `POST /exceptions`
+- `PATCH /exceptions/{exceptionId}`
+- `DELETE /exceptions/{exceptionId}`
+- `POST /exceptions/{exceptionId}/transition`
+- `GET /exceptions/stats`
+
+## Entity shape
+This doc mirrors the web contract used by the Angular SDK (`src/Web/StellaOps.Web/src/app/core/api/exception.contract.models.ts`).
+
+- Sample exception: `docs/api/console/samples/exception-schema-sample.json`
+
+## Status transitions (baseline)
+- `draft` → `pending_review` (submit)
+- `pending_review` → `approved` | `rejected`
+- `approved` → `revoked`
+- `approved` → `expired` (timebox lapse; system-driven)

docs/api/console/samples/exception-schema-sample.json

@@ -1,37 +1,58 @@
 {
-  "exceptionId": "exc::tenant-default::2025-12-06::00012",
+  "schemaVersion": "1.0",
+  "exceptionId": "exc-001",
   "tenantId": "tenant-default",
-  "title": "Risk accepted for log4j on batch nodes",
-  "state": "pending_review",
-  "type": "advisory",
+  "name": "log4j-temporary-exception",
+  "displayName": "Log4j Temporary Exception",
+  "description": "Temporary exception for legacy Log4j usage in internal tooling",
+  "type": "vulnerability",
+  "status": "pending_review",
+  "severity": "high",
   "scope": {
-    "level": "asset",
-    "assetIds": ["batch-node-17", "batch-node-18"],
-    "advisoryIds": ["CVE-2021-44228"],
-    "components": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.0"]
+    "type": "component",
+    "tenantId": "tenant-default",
+    "componentPurls": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"],
+    "vulnIds": ["CVE-2021-44228"]
   },
   "justification": {
-    "template": "compensating_control",
-    "details": "Ingress disabled; nodes isolated; patch planned 2025-12-20"
+    "template": "compensating-control",
+    "text": "Ingress disabled; nodes isolated; patch planned 2025-12-20"
   },
   "timebox": {
-    "start": "2025-12-06T00:00:00Z",
-    "end": "2025-12-31T00:00:00Z",
-    "maxRenewals": 1
+    "startDate": "2025-12-03T00:00:00Z",
+    "endDate": "2025-12-31T23:59:59Z",
+    "autoRenew": false
   },
-  "audit": {
-    "createdBy": "alice@example.com",
-    "createdAt": "2025-12-06T11:12:13Z",
-    "modifiedAt": "2025-12-06T11:12:13Z"
+  "approvals": [
+    {
+      "approvalId": "apr-001",
+      "approvedBy": "security-lead@example.com",
+      "approvedAt": "2025-12-04T10:30:00Z",
+      "comment": "Approve with condition: migrate before expiry."
+    }
+  ],
+  "auditTrail": [
+    {
+      "auditId": "aud-001",
+      "action": "created",
+      "actor": "alice@example.com",
+      "timestamp": "2025-12-03T00:00:00Z"
+    },
+    {
+      "auditId": "aud-002",
+      "action": "submitted",
+      "actor": "alice@example.com",
+      "timestamp": "2025-12-03T00:05:00Z",
+      "previousStatus": "draft",
+      "newStatus": "pending_review"
+    }
+  ],
+  "labels": {
+    "ticket": "SEC-123",
+    "owner": "platform-security"
   },
-  "links": {
-    "history": "/console/exceptions/exc::tenant-default::2025-12-06::00012/history",
-    "attachments": [
-      {
-        "name": "risk-assessment.pdf",
-        "url": "https://console.local/files/risk-assessment.pdf?sig=...",
-        "sha256": "cafe..."
-      }
-    ]
-  }
+  "createdBy": "alice@example.com",
+  "createdAt": "2025-12-03T00:00:00Z",
+  "updatedBy": "alice@example.com",
+  "updatedAt": "2025-12-03T00:05:00Z"
 }