feat(ui): ship unified audit surfaces

2026-03-08 02:16:20 +02:00
parent 6e00a48e00
commit 484abe0039
27 changed files with 673 additions and 55 deletions
--- a/src/Web/StellaOps.Web/tests/e2e/unified-audit-surfaces.spec.ts
+++ b/src/Web/StellaOps.Web/tests/e2e/unified-audit-surfaces.spec.ts
@@ -0,0 +1,245 @@
+import { expect, test, type Page, type Route } from '@playwright/test';
+
+import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
+
+const auditSession: StubAuthSession = {
+  subjectId: 'audit-e2e-user',
+  tenant: 'tenant-default',
+  scopes: [
+    'ui.read',
+    'ui.admin',
+    'release:read',
+    'policy:audit',
+    'authority:audit.read',
+    'signer:read',
+    'vex:export',
+  ],
+};
+
+const mockConfig = {
+  authority: {
+    issuer: '/authority',
+    clientId: 'stella-ops-ui',
+    authorizeEndpoint: '/authority/connect/authorize',
+    tokenEndpoint: '/authority/connect/token',
+    logoutEndpoint: '/authority/connect/logout',
+    redirectUri: 'https://127.0.0.1:4400/auth/callback',
+    postLogoutRedirectUri: 'https://127.0.0.1:4400/',
+    scope: 'openid profile email ui.read',
+    audience: '/gateway',
+    dpopAlgorithms: ['ES256'],
+    refreshLeewaySeconds: 60,
+  },
+  apiBaseUrls: {
+    authority: '/authority',
+    scanner: '/scanner',
+    policy: '/policy',
+    concelier: '/concelier',
+    attestor: '/attestor',
+    gateway: '/gateway',
+  },
+  quickstartMode: true,
+  setup: 'complete',
+};
+
+const auditEventsPage = {
+  items: [
+    {
+      id: 'evt-001',
+      timestamp: '2026-03-07T10:00:00Z',
+      module: 'policy',
+      action: 'update',
+      severity: 'warning',
+      actor: { id: 'actor-1', name: 'Audit Operator', type: 'user' },
+      resource: { type: 'policy-pack', id: 'pack-001', name: 'Core Policy Pack' },
+      description: 'Updated the production policy pack.',
+      details: { changedFields: ['riskBudget'] },
+      tags: ['policy', 'prod'],
+      correlationId: 'corr-001',
+      tenantId: 'tenant-default',
+    },
+    {
+      id: 'evt-002',
+      timestamp: '2026-03-07T09:45:00Z',
+      module: 'vex',
+      action: 'approve',
+      severity: 'info',
+      actor: { id: 'actor-2', name: 'Security Reviewer', type: 'user' },
+      resource: { type: 'vex-statement', id: 'stmt-002', name: 'CVE-2026-0002' },
+      description: 'Approved the VEX resolution.',
+      details: { outcome: 'approved' },
+      tags: ['vex'],
+      correlationId: 'corr-002',
+      tenantId: 'tenant-default',
+    },
+  ],
+  cursor: 'cursor-next',
+  hasMore: true,
+};
+
+const auditStats = {
+  period: {
+    start: '2026-03-01T00:00:00Z',
+    end: '2026-03-07T23:59:59Z',
+  },
+  totalEvents: 24,
+  byModule: {
+    authority: 3,
+    policy: 9,
+    jobengine: 2,
+    integrations: 4,
+    vex: 6,
+    scanner: 0,
+    attestor: 0,
+    sbom: 0,
+    scheduler: 0,
+  },
+  byAction: {
+    create: 1,
+    update: 12,
+    delete: 0,
+    promote: 1,
+    demote: 0,
+    revoke: 0,
+    issue: 0,
+    refresh: 0,
+    test: 0,
+    fail: 0,
+    complete: 0,
+    start: 0,
+    submit: 0,
+    approve: 10,
+    reject: 0,
+    sign: 0,
+    verify: 0,
+    rotate: 0,
+    enable: 0,
+    disable: 0,
+    deadletter: 0,
+    replay: 0,
+  },
+  bySeverity: {
+    info: 8,
+    warning: 12,
+    error: 3,
+    critical: 1,
+  },
+  topActors: [],
+  topResources: [],
+};
+
+const auditAnomalies = [
+  {
+    id: 'anomaly-1',
+    detectedAt: '2026-03-07T11:00:00Z',
+    type: 'unusual_pattern',
+    severity: 'warning',
+    description: 'Burst of policy mutations in the last hour.',
+    affectedEvents: ['evt-001'],
+    acknowledged: false,
+  },
+];
+
+async function fulfillJson(route: Route, body: unknown): Promise<void> {
+  await route.fulfill({
+    status: 200,
+    contentType: 'application/json',
+    body: JSON.stringify(body),
+  });
+}
+
+async function setupHarness(page: Page): Promise<void> {
+  await page.addInitScript((session) => {
+    (window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
+  }, auditSession);
+
+  await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/.well-known/openid-configuration', (route) =>
+    fulfillJson(route, {
+      issuer: 'https://127.0.0.1:4400/authority',
+      authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
+      token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
+      jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
+      response_types_supported: ['code'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['RS256'],
+    }),
+  );
+  await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
+  await page.route('**/console/profile**', (route) =>
+    fulfillJson(route, {
+      subjectId: auditSession.subjectId,
+      username: 'audit-e2e',
+      displayName: 'Audit E2E',
+      tenant: auditSession.tenant,
+      roles: ['admin'],
+      scopes: auditSession.scopes,
+    }),
+  );
+  await page.route('**/console/token/introspect**', (route) =>
+    fulfillJson(route, {
+      active: true,
+      tenant: auditSession.tenant,
+      subject: auditSession.subjectId,
+      scopes: auditSession.scopes,
+    }),
+  );
+  await page.route('**/api/v2/context/regions', (route) =>
+    fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }]),
+  );
+  await page.route('**/api/v2/context/environments**', (route) =>
+    fulfillJson(route, [
+      {
+        environmentId: 'prod-eu',
+        regionId: 'eu-west',
+        environmentType: 'prod',
+        displayName: 'Prod EU',
+        sortOrder: 1,
+        enabled: true,
+      },
+    ]),
+  );
+  await page.route('**/api/v2/context/preferences', (route) =>
+    fulfillJson(route, {
+      tenantId: auditSession.tenant,
+      actorId: auditSession.subjectId,
+      regions: ['eu-west'],
+      environments: ['prod-eu'],
+      timeWindow: '24h',
+      stage: 'all',
+      updatedAt: '2026-03-07T12:00:00Z',
+      updatedBy: auditSession.subjectId,
+    }),
+  );
+  await page.route('**/api/v1/audit/stats**', (route) => fulfillJson(route, auditStats));
+  await page.route('**/api/v1/audit/events**', (route) => fulfillJson(route, auditEventsPage));
+  await page.route('**/api/v1/audit/anomalies**', (route) => fulfillJson(route, auditAnomalies));
+}
+
+test.beforeEach(async ({ page }) => {
+  await setupHarness(page);
+});
+
+test('renders the canonical evidence-owned audit dashboard and events journey', async ({ page }) => {
+  await page.goto('/evidence/audit-log', { waitUntil: 'networkidle' });
+
+  await expect(page.getByRole('heading', { name: 'Unified Audit Log' })).toBeVisible();
+  await expect(page.getByText('Cross-module audit trail visibility for compliance and governance')).toBeVisible();
+  await expect(page.getByRole('link', { name: 'View All Events' })).toBeVisible();
+
+  await page.getByRole('link', { name: 'View All Events' }).click();
+
+  await expect(page).toHaveURL(/\/evidence\/audit-log\/events$/);
+  await expect(page.getByText('All Events')).toBeVisible();
+  await expect(page.locator('table.events-table')).toBeVisible();
+  await expect(page.getByText('Updated the production policy pack.')).toBeVisible();
+});
+
+test('redirects old admin audit bookmarks into the canonical evidence route with query context', async ({ page }) => {
+  await page.goto('/admin/audit?tenantId=tenant-default', { waitUntil: 'networkidle' });
+
+  await expect(page).toHaveURL(/\/evidence\/audit-log\?.*tenantId=tenant-default/);
+  await expect(page.getByRole('heading', { name: 'Unified Audit Log' })).toBeVisible();
+  await expect(page.getByText('Total Events (7d)')).toBeVisible();
+});