From 484abe003999a88e7e58018ce589b8ec74e57769 Mon Sep 17 00:00:00 2001
From: master <>
Date: Sun, 8 Mar 2026 02:16:20 +0200
Subject: [PATCH] feat(ui): ship unified audit surfaces
---
 ..._20260307_039_FE_unified_audit_surfaces.md | 123 +++++++++
 .../checked/web/unified-audit-surfaces-ui.md | 42 +++
 docs/modules/ui/TASKS.md | 5 +
 .../RESTORATION_PRIORITIES.md | 4 +
 docs/modules/ui/implementation_plan.md | 3 +
 .../ui/unified-audit-surfaces/README.md | 114 ++++++++
 .../app/core/navigation/navigation.config.ts | 16 +-
 .../audit-log/audit-anomalies.component.ts | 4 +-
 .../audit-log/audit-authority.component.ts | 4 +-
 .../audit-log/audit-correlations.component.ts | 6 +-
 .../audit-log/audit-event-detail.component.ts | 8 +-
 .../audit-log/audit-export.component.ts | 2 +-
 .../audit-log/audit-integrations.component.ts | 2 +-
 .../audit-log/audit-log-table.component.ts | 4 +-
 .../audit-log/audit-policy.component.ts | 4 +-
 .../audit-timeline-search.component.ts | 4 +-
 .../features/audit-log/audit-vex.component.ts | 4 +-
 .../evidence-audit-overview.component.ts | 1 +
 .../tenant-quota-detail.component.ts | 2 +-
 .../src/app/routes/administration.routes.ts | 45 ++++
 .../src/app/routes/legacy-redirects.routes.ts | 15 ++
 .../administration-routes.spec.ts | 9 +
 .../unified-audit-log-viewer.behavior.spec.ts | 28 +-
 .../evidence-audit-overview.component.spec.ts | 29 +--
 .../evidence-audit-routes.spec.ts | 1 +
 .../tests/navigation/legacy-redirects.spec.ts | 4 +
 .../tests/e2e/unified-audit-surfaces.spec.ts | 245 ++++++++++++++++++
 27 files changed, 673 insertions(+), 55 deletions(-)
 create mode 100644 docs-archived/implplan/SPRINT_20260307_039_FE_unified_audit_surfaces.md
 create mode 100644 docs/features/checked/web/unified-audit-surfaces-ui.md
 create mode 100644 docs/modules/ui/unified-audit-surfaces/README.md
 create mode 100644 src/Web/StellaOps.Web/tests/e2e/unified-audit-surfaces.spec.ts
diff --git a/docs-archived/implplan/SPRINT_20260307_039_FE_unified_audit_surfaces.md b/docs-archived/implplan/SPRINT_20260307_039_FE_unified_audit_surfaces.md
new file mode 100644
index 000000000..39ffa8760
--- /dev/null
+++ b/docs-archived/implplan/SPRINT_20260307_039_FE_unified_audit_surfaces.md
@@ -0,0 +1,123 @@
+# Sprint 20260307-039 - Unified Audit Surfaces
+
+## Topic & Scope
+- Restore the dropped and weakly surfaced audit capability by making one canonical audit owner fully usable instead of leaving Evidence, Admin, and legacy aliases split.
+- Ship a working `Evidence > Audit Log` surface with live route wiring, repaired internal navigation, bookmark-safe aliases, and real entry points from Admin, Mission Control, Ops, Releases, and quota drilldowns.
+- Complete the audit flows end to end: dashboard, events, event detail, correlations, anomalies, module-specific views, and export.
+- Working directory: `src/Web/StellaOps.Web/src/app/features/audit-log`.
+- Allowed coordination edits: `src/Web/StellaOps.Web/src/app/routes/`, `src/Web/StellaOps.Web/src/app/core/navigation/`, `src/Web/StellaOps.Web/src/app/layout/`, `src/Web/StellaOps.Web/src/app/features/administration/`, `src/Web/StellaOps.Web/src/app/features/mission-control/`, `src/Web.StellaOps.Web/src/app/features/dashboard-v3/`, `src/Web.StellaOps.Web/src/app/features/platform/`, `src/Web.StellaOps.Web/src/app/features/quota-dashboard/`, `src/Web.StellaOps.Web/src/app/features/release-orchestrator/`, `docs/modules/ui/unified-audit-surfaces/`, `docs/features/checked/web/`, `docs/modules/ui/TASKS.md`, and `docs/modules/ui/implementation_plan.md`.
+- Expected evidence: one mounted audit route family, working alias redirects, repaired internal links, secondary entry-point handoffs, targeted Angular tests, Playwright verification, and synced docs.
+
+## Dependencies & Concurrency
+- Depends on:
+ - `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`
+ - `docs/modules/ui/contextual-actions-patterns/README.md`
+ - `docs/modules/ui/triage-explainability-workspace/README.md`
+ - `src/Web/StellaOps.Web/src/app/routes/evidence.routes.ts`
+ - `src/Web.StellaOps.Web/src/app/features/audit-log/audit-log.routes.ts`
+ - `src/Web.StellaOps.Web/src/app/features/evidence-audit/evidence-audit-overview.component.ts`
+- Safe parallelism:
+ - canonical ownership and alias contract must freeze before deep-link cleanup starts
+ - audit-shell internal link repairs can proceed in parallel with secondary entry-point rewiring once the canonical path is fixed
+ - docs sync can proceed in parallel with test authoring after route contracts are stable
+
+## Documentation Prerequisites
+- `docs/modules/ui/unified-audit-surfaces/README.md`
+- `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`
+- `docs/modules/ui/contextual-actions-patterns/README.md`
+- `docs/modules/ui/implementation_plan.md`
+
+## Delivery Tracker
+
+### FE-AUD-001 - Freeze canonical audit owner and alias contract
+Status: DONE
+Dependency: none
+Owners: Product Manager, FE Architect
+Task description:
+- Make `Evidence > Audit Log` the canonical owner for cross-module audit browsing and exports.
+- Define and implement bookmark-safe redirects from stale `/admin/audit*` and related setup/admin entry points into the mounted evidence route family.
+
+Completion criteria:
+- [x] One canonical audit route family exists in the active router.
+- [x] Legacy aliases land on working audit pages without losing query params.
+- [x] Admin and Evidence navigation reference the same audit owner.
+
+### FE-AUD-002 - Repair audit-shell internal navigation and subviews
+Status: DONE
+Dependency: FE-AUD-001
+Owners: Developer, FE Architect
+Task description:
+- Update dashboard, event table, event detail, module-specific audit views, anomalies, timeline, correlations, and export pages so their internal navigation stays inside the canonical route family.
+- Ensure module subviews remain usable rather than depending on stale absolute admin paths.
+
+Completion criteria:
+- [x] Every audit-log subview links to the canonical owner routes.
+- [x] Event detail, correlations, and export flows work from the mounted shell.
+- [x] No internal audit workflow requires the stale admin path family.
+
+### FE-AUD-003 - Wire secondary entry points and contextual handoffs
+Status: DONE
+Dependency: FE-AUD-001
+Owners: Developer, Product Manager
+Task description:
+- Repair audit entry points from Setup/Admin overview, Mission Control activity, dashboard activity cards, platform ops, quota detail, and release detail.
+- Preserve filter context where practical so the receiving audit surface opens with the relevant release, tenant, or correlation context.
+
+Completion criteria:
+- [x] The main cross-shell audit links land on a usable canonical audit page.
+- [x] Release and quota handoffs preserve their query/filter context.
+- [x] Evidence overview exposes audit entry points as first-class shortcuts.
+
+### FE-AUD-004 - Verify route cutover and operator journeys
+Status: DONE
+Dependency: FE-AUD-002
+Owners: QA, Test Automation
+Task description:
+- Add targeted UI verification for canonical evidence routes, admin aliases, secondary entry points, and at least one in-shell navigation journey.
+- Prove the restored audit functionality is usable, not only mounted.
+
+Completion criteria:
+- [x] Angular tests cover canonical routes, alias redirects, and representative entry points.
+- [x] Playwright covers the core audit landing and alias journey.
+- [x] Verification explicitly checks that stale admin links no longer strand the operator.
+
+### FE-AUD-005 - Sync docs, archive the sprint, and record the shipped feature
+Status: DONE
+Dependency: FE-AUD-004
+Owners: Documentation author, Project Manager
+Task description:
+- Update the audit UX dossier, checked-feature note, task board, and implementation plan to reflect the shipped canonical owner.
+- Archive the sprint only after code and verification evidence are complete.
+
+Completion criteria:
+- [x] Shipped audit UX is documented with canonical routes and alias behavior.
+- [x] Checked-feature note records the exact verification commands and outcomes.
+- [x] Sprint is archived only after all delivery tasks are marked done.
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-03-07 | Sprint created to restore unified audit functionality by making Evidence the canonical owner and fixing stale admin-route fragmentation. | Project Manager |
+| 2026-03-07 | Implemented canonical Evidence-owned audit routing, repaired stale `/admin/audit*` links inside the audit shell, and added bookmark-safe aliases from `admin` and `administration` entry points. | Developer |
+| 2026-03-07 | Rewired admin navigation, quota handoff, and Evidence overview shortcuts so audit resolves into one mounted route family instead of split owners. | Developer |
+| 2026-03-07 | Verified the cutover with targeted Angular tests (`npm test -- --watch=false --include src/tests/audit_log/unified-audit-log-viewer.behavior.spec.ts --include src/tests/evidence-audit/evidence-audit-routes.spec.ts --include src/tests/evidence-audit/evidence-audit-overview.component.spec.ts --include src/tests/administration/administration-routes.spec.ts --include src/tests/navigation/legacy-redirects.spec.ts`): 31 tests passed. | QA |
+| 2026-03-07 | Added browser verification via `npx playwright test tests/e2e/unified-audit-surfaces.spec.ts --workers=1`: 2 tests passed. | QA |
+| 2026-03-07 | Production build passed via `npm run build`; existing bundle budget warnings remain unchanged from the baseline. | QA |
+
+## Decisions & Risks
+- Decision: `Evidence > Audit Log` is the canonical owner for cross-module audit browsing and export. Admin remains a secondary surfacing point, not a separate product owner.
+- Decision: `Audit Bundles` stay under Triage and the `Auditor Workspace` stays a separate artifact-focused surface; this sprint only unifies the cross-module audit log and its entry points.
+- Risk: existing audit components hard-code `/admin/audit*` links, so a partial route fix would still leave in-shell navigation broken.
+- Mitigation: repair internal links and add alias coverage in the same sprint.
+- Risk: aliasing both `/admin/audit*` and `/administration/audit*` could cause hidden divergence if query params are dropped.
+- Mitigation: use redirect helpers or legacy templates that preserve params and cover route variants explicitly.
+- Delivery rule: this sprint is only complete when the canonical audit tree is mounted, secondary entry points work, and the main operator journeys are verified end to end.
+- Reference design note: `docs/modules/ui/unified-audit-surfaces/README.md`.
+- Docs synced:
+ - `docs/modules/ui/unified-audit-surfaces/README.md`
+ - `docs/features/checked/web/unified-audit-surfaces-ui.md`
+ - `docs/modules/ui/TASKS.md`
+ - `docs/modules/ui/implementation_plan.md`
+
+## Next Checkpoints
+- 2026-03-07: archived after implementation, verification, and docs sync completed.
diff --git a/docs/features/checked/web/unified-audit-surfaces-ui.md b/docs/features/checked/web/unified-audit-surfaces-ui.md
new file mode 100644
index 000000000..9db0bc858
--- /dev/null
+++ b/docs/features/checked/web/unified-audit-surfaces-ui.md
@@ -0,0 +1,42 @@
+# Unified Audit Surfaces UI
+
+## Status
+VERIFIED
+
+## Scope
+Unified the cross-module audit experience around the Evidence-owned route family and restored old admin bookmarks as working aliases.
+
+## Canonical Owner
+- Canonical route family: `src/Web/StellaOps.Web/src/app/routes/evidence.routes.ts` mounted at `/evidence/audit-log`
+- Canonical audit subviews: `src/Web/StellaOps.Web/src/app/features/audit-log/audit-log.routes.ts`
+- Bookmark-safe aliases:
+ - `src/Web/StellaOps.Web/src/app/routes/legacy-redirects.routes.ts` for `/admin/audit*`
+ - `src/Web/StellaOps.Web/src/app/routes/administration.routes.ts` for `/administration/audit*`
+
+## Key Implementation Files
+- `src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts`
+- `src/Web/StellaOps.Web/src/app/features/audit-log/audit-log-dashboard.component.ts`
+- `src/Web/StellaOps.Web/src/app/features/audit-log/audit-log-table.component.ts`
+- `src/Web.StellaOps.Web/src/app/features/audit-log/audit-event-detail.component.ts`
+- `src/Web.StellaOps.Web/src/app/features/evidence-audit/evidence-audit-overview.component.ts`
+- `src/Web.StellaOps.Web/src/app/features/quota-dashboard/tenant-quota-detail.component.ts`
+
+## Verification
+- Date (UTC): 2026-03-07
+- Targeted Angular tests:
+ - `npm test -- --watch=false --include src/tests/audit_log/unified-audit-log-viewer.behavior.spec.ts --include src/tests/evidence-audit/evidence-audit-routes.spec.ts --include src/tests/evidence-audit/evidence-audit-overview.component.spec.ts --include src/tests/administration/administration-routes.spec.ts --include src/tests/navigation/legacy-redirects.spec.ts`
+ - Result: `5` files, `31` tests passed
+- Playwright:
+ - `npx playwright test tests/e2e/unified-audit-surfaces.spec.ts --workers=1`
+ - Result: `2/2` passed
+- Production build:
+ - `npm run build`
+ - Result: pass; existing bundle-budget warnings only
+
+## Verified Behavior
+- `/evidence/audit-log` renders the canonical Unified Audit Log dashboard.
+- `/admin/audit*` redirects into `/evidence/audit-log*` with query params preserved.
+- Audit subviews no longer deep-link back into stale `/admin/audit*` paths.
+- Admin navigation points to the canonical Evidence-owned audit shell.
+- Evidence overview exposes `Audit Log` as a first-class shortcut.
+- Quota tenant drilldown opens the canonical audit surface with tenant context.
diff --git a/docs/modules/ui/TASKS.md b/docs/modules/ui/TASKS.md
index b0df6adfd..bc0bff4d8 100644
--- a/docs/modules/ui/TASKS.md
+++ b/docs/modules/ui/TASKS.md
@@ -83,6 +83,11 @@
 - [DONE] FE-RW-004 Cross-product deep links and release-context use for reachability proofs
 - [DONE] FE-RW-005 Supporting evidence and export surfaces for witness UX
 - [DONE] FE-RW-006 QA, rollout, and docs sync for reachability witnessing
+- [DONE] FE-AUD-001 Freeze canonical audit owner and alias contract
+- [DONE] FE-AUD-002 Repair audit-shell internal navigation and subviews
+- [DONE] FE-AUD-003 Wire secondary entry points and contextual handoffs
+- [DONE] FE-AUD-004 Verify route cutover and operator journeys
+- [DONE] FE-AUD-005 Sync docs, archive the sprint, and record the shipped feature
 - [DONE] FE-PO-001 Freeze Operations overview taxonomy and submenu structure
 - [DONE] FE-PO-002 Overview page regrouping and blocking-card contract
 - [DONE] FE-PO-003 Legacy widget absorption matrix for Platform Ops
diff --git a/docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md b/docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md
index a1b2ffdb3..1f538e6eb 100644
--- a/docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md
+++ b/docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md
@@ -107,6 +107,10 @@ These are mostly not dropped products. They are current or near-current capabili - `Audit Log` - Target: - keep under admin/security, but improve entry points and deep links +- Notes: + - Detailed UX dossier: `docs/modules/ui/unified-audit-surfaces/README.md` + - Implementation sprint: `docs-archived/implplan/SPRINT_20260307_039_FE_unified_audit_surfaces.md` + - Shipped verification note: `docs/features/checked/web/unified-audit-surfaces-ui.md` ### 8. Offline Operations - Type: `wire-in / preserve` diff --git a/docs/modules/ui/implementation_plan.md b/docs/modules/ui/implementation_plan.md index b800346c7..b88755863 100644 --- a/docs/modules/ui/implementation_plan.md +++ b/docs/modules/ui/implementation_plan.md 
@@ -27,11 +27,14 @@ Provide a living plan for UI deliverables, dependencies, and evidence. - `docs/features/checked/web/triage-explainability-workspace-ui.md` - shipped verification note for the canonical triage artifact workspace, explainability rail, audit bundles, and security alias cutover. - `docs/features/checked/web/workflow-visualization-replay-ui.md` - shipped verification note for the canonical run-detail graph, timeline, replay, evidence tabs, and workflow-editor preview reuse boundary. - `docs/features/checked/web/contextual-actions-patterns-ui.md` - shipped verification note for the shared contextual route-state, headers, drawers, list-detail shells, grouped overview cards, and first adopted restoration surfaces. +- `docs/features/checked/web/unified-audit-surfaces-ui.md` - shipped verification note for the Evidence-owned audit shell, admin bookmark redirects, repaired audit subview links, and secondary handoff entry points. - `docs/modules/ui/reachability-witnessing/README.md` - detailed witness and proof UX dossier plus cross-shell deep-link contract. - `docs/modules/ui/platform-ops-consolidation/README.md` - detailed Operations overview taxonomy and legacy absorption plan. - `docs/modules/ui/triage-explainability-workspace/README.md` - detailed artifact workspace and audit-bundle UX dossier. - `docs/modules/ui/workflow-visualization-replay/README.md` - detailed run-detail graph, timeline, replay, and evidence UX dossier. - `docs/modules/ui/contextual-actions-patterns/README.md` - shared placement contract for stray actions, pages, drawers, and tabs. +- `docs/modules/ui/unified-audit-surfaces/README.md` - shipped canonical audit owner, alias contract, and secondary entry-point rules for cross-module audit browsing. +- `docs/modules/ui/unified-audit-surfaces/README.md` - canonical audit owner, alias contract, and secondary entry-point rules for cross-module audit browsing. ## Dependencies - `docs/modules/ui/architecture.md` 
diff --git a/docs/modules/ui/unified-audit-surfaces/README.md b/docs/modules/ui/unified-audit-surfaces/README.md
new file mode 100644
index 000000000..2984df86c
--- /dev/null
+++ b/docs/modules/ui/unified-audit-surfaces/README.md
@@ -0,0 +1,114 @@
+# Unified Audit Surfaces
+
+## Status
+Shipped on 2026-03-07.
+
+## Product Shape
+Keep one canonical cross-module audit owner under Evidence.
+
+- Canonical product home: `Evidence > Audit Log`
+- Canonical route family: `/evidence/audit-log`
+- Secondary surfacing:
+ - `Admin > Unified Audit Log`
+ - `Setup` overview drilldowns
+ - `Mission Control` activity
+ - `Ops` and quota drilldowns
+ - `Release` detail audit links
+
+The current problem was not missing audit UI. The current problem was that the audit UI existed, but the app still split between Evidence-owned routes and stale admin absolute links.
+
+## Product Boundary
+
+### This shell owns
+- cross-module audit dashboard
+- all-events browser
+- event detail
+- timeline search
+- correlation clusters
+- anomaly alerts
+- export
+- module-specific audit views:
+ - policy
+ - authority
+ - vex
+ - integrations
+
+### This shell does not own
+- `Audit Bundles`
+ - stays under `/triage/audit-bundles`
+- `Auditor Workspace`
+ - stays under `/workspace/audit/:artifactDigest`
+- contextual reason capsules
+ - stay embedded in the owning workflow
+- policy/VEX scoped audit tabs
+ - remain inside Policy Decisioning Studio but can deep-link into the canonical audit shell
+
+## Canonical Route Contract
+
+### Canonical routes
+- `/evidence/audit-log`
+- `/evidence/audit-log/events`
+- `/evidence/audit-log/events/:eventId`
+- `/evidence/audit-log/timeline`
+- `/evidence/audit-log/correlations`
+- `/evidence/audit-log/anomalies`
+- `/evidence/audit-log/export`
+- `/evidence/audit-log/policy`
+- `/evidence/audit-log/authority`
+- `/evidence/audit-log/vex`
+- `/evidence/audit-log/integrations`
+
+### Shipped aliases
+- `/admin/audit`
+- `/admin/audit/:page`
+- `/admin/audit/events/:eventId`
+- `/administration/audit`
+- `/administration/audit/:page`
+- `/administration/audit/events/:eventId`
+
+Aliases must preserve query params for handoffs like `tenantId`, `releaseId`, `runId`, `correlationId`, and event filters.
+
+## Navigation Contract
+
+### Primary navigation
+- Evidence keeps the real audit owner link.
+- Admin keeps an audit entry, but it points to the same Evidence-owned route family.
+
+### Secondary entry points to keep
+- Setup overview drilldown card
+- Mission Control activity feed
+- dashboard activity cards
+- platform ops summary links
+- quota tenant detail
+- release detail
+
+### Secondary entry points to avoid
+- do not create a second top-level audit product
+- do not fork a separate admin-only audit route tree
+- do not move audit bundles out of Triage just because they contain the word `audit`
+
+## UX Rules
+- audit detail pages must always offer a stable path back to the canonical dashboard or events list
+- query-param handoffs should keep the operator in context instead of dumping them at an unfiltered dashboard
+- breadcrumbs, quick links, and cards must use the canonical evidence route family
+- cross-module audit is evidence-centered, not admin-settings-centered
+
+## Why This Is Worth Keeping
+- Stella Ops makes an auditability promise; cross-module audit is core product capability, not optional legacy UI.
+- Most of the necessary pages already exist and appear implementation-ready.
+- The feature value is currently obscured by route fragmentation, broken links, and split ownership language rather than lack of functionality.
+
+## Verification Evidence
+- feature verification note: `docs/features/checked/web/unified-audit-surfaces-ui.md`
+- targeted Angular tests: `31` passing assertions across evidence routes, audit behavior, evidence overview, admin aliases, and legacy redirects
+- Playwright: `2/2` passing scenarios for canonical audit landing, in-shell navigation, and old admin bookmark redirect
+- production build: pass, with existing unrelated bundle-budget warnings
+
+## Restoration Goal
+Restored usability, not just visibility:
+
+- one canonical owner
+- working aliases for old bookmarks
+- repaired internal navigation
+- real contextual entry points from the workflows that need audit
+- explicit verification that the main audit journeys work
diff --git a/src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts b/src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts
index 135be6dea..9790d59ba 100644
--- a/src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts
+++ b/src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts
@@ -513,50 +513,50 @@ export const NAVIGATION_GROUPS: NavGroup[] = [
 {
 id: 'audit',
 label: 'Unified Audit Log',
- route: '/admin/audit',
+ route: '/evidence/audit-log',
 icon: 'log',
 tooltip: 'Cross-module audit trail and compliance reporting',
 children: [
 {
 id: 'audit-dashboard',
 label: 'Dashboard',
- route: '/admin/audit',
+ route: '/evidence/audit-log',
 tooltip: 'Audit log overview and stats',
 },
 {
 id: 'audit-events',
 label: 'All Events',
- route: '/admin/audit/events',
+ route: '/evidence/audit-log/events',
 tooltip: 'Browse all audit events with filters',
 },
 {
 id: 'audit-policy',
 label: 'Policy Audit',
- route: '/admin/audit/policy',
+ route: '/evidence/audit-log/policy',
 tooltip: 'Policy promotions and approvals',
 },
 {
 id: 'audit-authority',
 label: 'Authority Audit',
- route: '/admin/audit/authority',
+ route: '/evidence/audit-log/authority',
 tooltip: 'Token lifecycle and incidents',
 },
 {
 id: 'audit-vex',
 label: 'VEX Audit',
- route: '/admin/audit/vex',
+ route: '/evidence/audit-log/vex',
 tooltip: 'VEX decisions and consensus',
 },
 {
 id: 'audit-integrations',
 label: 'Integration Audit',
- route: '/admin/audit/integrations',
+ route: '/evidence/audit-log/integrations',
 tooltip: 'Integration configuration changes',
 },
 {
 id: 'audit-export',
 label: 'Export',
- route: '/admin/audit/export',
+ route: '/evidence/audit-log/export',
 tooltip: 'Export audit logs for compliance',
 },
 ],
diff --git a/src/Web/StellaOps.Web/src/app/features/audit-log/audit-anomalies.component.ts b/src/Web/StellaOps.Web/src/app/features/audit-log/audit-anomalies.component.ts
index 86c0e8827..1a29ad463 100644
--- a/src/Web/StellaOps.Web/src/app/features/audit-log/audit-anomalies.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/audit-log/audit-anomalies.component.ts
@@ -13,7 +13,7 @@ import { AuditAnomalyAlert } from '../../core/api/audit-log.models';
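Review bot: All eight `route:` values in the `audit` nav group of `navigation.config.ts` now target `/evidence/audit-log*`, but nothing in this hunk shows that the Evidence route family enforces the same authorization the old `/admin/audit*` tree did. The menu entry is only a link, so whatever guard or scope protects the audit trail has to live on the route definitions, presumably in `evidence.routes.ts`, which is outside this hunk. Before merge I would confirm that `/evidence/audit-log` and its children, and the `/admin/audit*` and `/administration/audit*` aliases that redirect into them, resolve only after the same checks the admin audit pages required. A short comment above the group would record that contract: `// Audit entries resolve to the Evidence-owned route family; authorization is enforced by that family's route guards, not by this menu.` `NAVIGATION_GROUPS` starts and ends outside the hunk.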
Unusual audit patterns detected by anomaly detection
@@ -44,7 +44,7 @@ import { AuditAnomalyAlert } from '../../core/api/audit-log.models'; } @else {