stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(ui): ship unified audit surfaces

Browse Source
This commit is contained in:
master
2026-03-08 02:16:20 +02:00
parent 6e00a48e00
commit 484abe0039
27 changed files with 673 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
docs-archived/implplan/SPRINT_20260307_039_FE_unified_audit_surfaces.md Normal file
View File

@@ -0,0 +1,123 @@
# Sprint 20260307-039 - Unified Audit Surfaces
## Topic & Scope
- Restore the dropped and weakly surfaced audit capability by making one canonical audit owner fully usable instead of leaving Evidence, Admin, and legacy aliases split.
- Ship a working `Evidence > Audit Log` surface with live route wiring, repaired internal navigation, bookmark-safe aliases, and real entry points from Admin, Mission Control, Ops, Releases, and quota drilldowns.
- Complete the audit flows end to end: dashboard, events, event detail, correlations, anomalies, module-specific views, and export.
- Working directory: `src/Web/StellaOps.Web/src/app/features/audit-log`.
- Allowed coordination edits: `src/Web/StellaOps.Web/src/app/routes/`, `src/Web/StellaOps.Web/src/app/core/navigation/`, `src/Web/StellaOps.Web/src/app/layout/`, `src/Web/StellaOps.Web/src/app/features/administration/`, `src/Web/StellaOps.Web/src/app/features/mission-control/`, `src/Web.StellaOps.Web/src/app/features/dashboard-v3/`, `src/Web.StellaOps.Web/src/app/features/platform/`, `src/Web.StellaOps.Web/src/app/features/quota-dashboard/`, `src/Web.StellaOps.Web/src/app/features/release-orchestrator/`, `docs/modules/ui/unified-audit-surfaces/`, `docs/features/checked/web/`, `docs/modules/ui/TASKS.md`, and `docs/modules/ui/implementation_plan.md`.
- Expected evidence: one mounted audit route family, working alias redirects, repaired internal links, secondary entry-point handoffs, targeted Angular tests, Playwright verification, and synced docs.
## Dependencies & Concurrency
- Depends on:
- `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`
- `docs/modules/ui/contextual-actions-patterns/README.md`
- `docs/modules/ui/triage-explainability-workspace/README.md`
- `src/Web/StellaOps.Web/src/app/routes/evidence.routes.ts`
- `src/Web.StellaOps.Web/src/app/features/audit-log/audit-log.routes.ts`
- `src/Web.StellaOps.Web/src/app/features/evidence-audit/evidence-audit-overview.component.ts`
- Safe parallelism:
- canonical ownership and alias contract must freeze before deep-link cleanup starts
- audit-shell internal link repairs can proceed in parallel with secondary entry-point rewiring once the canonical path is fixed
- docs sync can proceed in parallel with test authoring after route contracts are stable
## Documentation Prerequisites
- `docs/modules/ui/unified-audit-surfaces/README.md`
- `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`
- `docs/modules/ui/contextual-actions-patterns/README.md`
- `docs/modules/ui/implementation_plan.md`
## Delivery Tracker
### FE-AUD-001 - Freeze canonical audit owner and alias contract
Status: DONE
Dependency: none
Owners: Product Manager, FE Architect
Task description:
- Make `Evidence > Audit Log` the canonical owner for cross-module audit browsing and exports.
- Define and implement bookmark-safe redirects from stale `/admin/audit*` and related setup/admin entry points into the mounted evidence route family.
Completion criteria:
- [x] One canonical audit route family exists in the active router.
- [x] Legacy aliases land on working audit pages without losing query params.
- [x] Admin and Evidence navigation reference the same audit owner.
### FE-AUD-002 - Repair audit-shell internal navigation and subviews
Status: DONE
Dependency: FE-AUD-001
Owners: Developer, FE Architect
Task description:
- Update dashboard, event table, event detail, module-specific audit views, anomalies, timeline, correlations, and export pages so their internal navigation stays inside the canonical route family.
- Ensure module subviews remain usable rather than depending on stale absolute admin paths.
Completion criteria:
- [x] Every audit-log subview links to the canonical owner routes.
- [x] Event detail, correlations, and export flows work from the mounted shell.
- [x] No internal audit workflow requires the stale admin path family.
### FE-AUD-003 - Wire secondary entry points and contextual handoffs
Status: DONE
Dependency: FE-AUD-001
Owners: Developer, Product Manager
Task description:
- Repair audit entry points from Setup/Admin overview, Mission Control activity, dashboard activity cards, platform ops, quota detail, and release detail.
- Preserve filter context where practical so the receiving audit surface opens with the relevant release, tenant, or correlation context.
Completion criteria:
- [x] The main cross-shell audit links land on a usable canonical audit page.
- [x] Release and quota handoffs preserve their query/filter context.
- [x] Evidence overview exposes audit entry points as first-class shortcuts.
### FE-AUD-004 - Verify route cutover and operator journeys
Status: DONE
Dependency: FE-AUD-002
Owners: QA, Test Automation
Task description:
- Add targeted UI verification for canonical evidence routes, admin aliases, secondary entry points, and at least one in-shell navigation journey.
- Prove the restored audit functionality is usable, not only mounted.
Completion criteria:
- [x] Angular tests cover canonical routes, alias redirects, and representative entry points.
- [x] Playwright covers the core audit landing and alias journey.
- [x] Verification explicitly checks that stale admin links no longer strand the operator.
### FE-AUD-005 - Sync docs, archive the sprint, and record the shipped feature
Status: DONE
Dependency: FE-AUD-004
Owners: Documentation author, Project Manager
Task description:
- Update the audit UX dossier, checked-feature note, task board, and implementation plan to reflect the shipped canonical owner.
- Archive the sprint only after code and verification evidence are complete.
Completion criteria:
- [x] Shipped audit UX is documented with canonical routes and alias behavior.
- [x] Checked-feature note records the exact verification commands and outcomes.
- [x] Sprint is archived only after all delivery tasks are marked done.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-07 | Sprint created to restore unified audit functionality by making Evidence the canonical owner and fixing stale admin-route fragmentation. | Project Manager |
| 2026-03-07 | Implemented canonical Evidence-owned audit routing, repaired stale `/admin/audit*` links inside the audit shell, and added bookmark-safe aliases from `admin` and `administration` entry points. | Developer |
| 2026-03-07 | Rewired admin navigation, quota handoff, and Evidence overview shortcuts so audit resolves into one mounted route family instead of split owners. | Developer |
| 2026-03-07 | Verified the cutover with targeted Angular tests (`npm test -- --watch=false --include src/tests/audit_log/unified-audit-log-viewer.behavior.spec.ts --include src/tests/evidence-audit/evidence-audit-routes.spec.ts --include src/tests/evidence-audit/evidence-audit-overview.component.spec.ts --include src/tests/administration/administration-routes.spec.ts --include src/tests/navigation/legacy-redirects.spec.ts`): 31 tests passed. | QA |
| 2026-03-07 | Added browser verification via `npx playwright test tests/e2e/unified-audit-surfaces.spec.ts --workers=1`: 2 tests passed. | QA |
| 2026-03-07 | Production build passed via `npm run build`; existing bundle budget warnings remain unchanged from the baseline. | QA |
## Decisions & Risks
- Decision: `Evidence > Audit Log` is the canonical owner for cross-module audit browsing and export. Admin remains a secondary surfacing point, not a separate product owner.
- Decision: `Audit Bundles` stay under Triage and the `Auditor Workspace` stays a separate artifact-focused surface; this sprint only unifies the cross-module audit log and its entry points.
- Risk: existing audit components hard-code `/admin/audit*` links, so a partial route fix would still leave in-shell navigation broken.
- Mitigation: repair internal links and add alias coverage in the same sprint.
- Risk: aliasing both `/admin/audit*` and `/administration/audit*` could cause hidden divergence if query params are dropped.
- Mitigation: use redirect helpers or legacy templates that preserve params and cover route variants explicitly.
- Delivery rule: this sprint is only complete when the canonical audit tree is mounted, secondary entry points work, and the main operator journeys are verified end to end.
- Reference design note: `docs/modules/ui/unified-audit-surfaces/README.md`.
- Docs synced:
- `docs/modules/ui/unified-audit-surfaces/README.md`
- `docs/features/checked/web/unified-audit-surfaces-ui.md`
- `docs/modules/ui/TASKS.md`
- `docs/modules/ui/implementation_plan.md`
## Next Checkpoints
- 2026-03-07: archived after implementation, verification, and docs sync completed.

42
docs/features/checked/web/unified-audit-surfaces-ui.md Normal file
View File

@@ -0,0 +1,42 @@
# Unified Audit Surfaces UI
## Status
VERIFIED
## Scope
Unified the cross-module audit experience around the Evidence-owned route family and restored old admin bookmarks as working aliases.
## Canonical Owner
- Canonical route family: `src/Web/StellaOps.Web/src/app/routes/evidence.routes.ts` mounted at `/evidence/audit-log`
- Canonical audit subviews: `src/Web/StellaOps.Web/src/app/features/audit-log/audit-log.routes.ts`
- Bookmark-safe aliases:
- `src/Web/StellaOps.Web/src/app/routes/legacy-redirects.routes.ts` for `/admin/audit*`
- `src/Web/StellaOps.Web/src/app/routes/administration.routes.ts` for `/administration/audit*`
## Key Implementation Files
- `src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts`
- `src/Web/StellaOps.Web/src/app/features/audit-log/audit-log-dashboard.component.ts`
- `src/Web/StellaOps.Web/src/app/features/audit-log/audit-log-table.component.ts`
- `src/Web.StellaOps.Web/src/app/features/audit-log/audit-event-detail.component.ts`
- `src/Web.StellaOps.Web/src/app/features/evidence-audit/evidence-audit-overview.component.ts`
- `src/Web.StellaOps.Web/src/app/features/quota-dashboard/tenant-quota-detail.component.ts`
## Verification
- Date (UTC): 2026-03-07
- Targeted Angular tests:
- `npm test -- --watch=false --include src/tests/audit_log/unified-audit-log-viewer.behavior.spec.ts --include src/tests/evidence-audit/evidence-audit-routes.spec.ts --include src/tests/evidence-audit/evidence-audit-overview.component.spec.ts --include src/tests/administration/administration-routes.spec.ts --include src/tests/navigation/legacy-redirects.spec.ts`
- Result: `5` files, `31` tests passed
- Playwright:
- `npx playwright test tests/e2e/unified-audit-surfaces.spec.ts --workers=1`
- Result: `2/2` passed
- Production build:
- `npm run build`
- Result: pass; existing bundle-budget warnings only
## Verified Behavior
- `/evidence/audit-log` renders the canonical Unified Audit Log dashboard.
- `/admin/audit*` redirects into `/evidence/audit-log*` with query params preserved.
- Audit subviews no longer deep-link back into stale `/admin/audit*` paths.
- Admin navigation points to the canonical Evidence-owned audit shell.
- Evidence overview exposes `Audit Log` as a first-class shortcut.
- Quota tenant drilldown opens the canonical audit surface with tenant context.

5
docs/modules/ui/TASKS.md
View File

@@ -83,6 +83,11 @@
- [DONE] FE-RW-004 Cross-product deep links and release-context use for reachability proofs
- [DONE] FE-RW-005 Supporting evidence and export surfaces for witness UX
- [DONE] FE-RW-006 QA, rollout, and docs sync for reachability witnessing
- [DONE] FE-AUD-001 Freeze canonical audit owner and alias contract
- [DONE] FE-AUD-002 Repair audit-shell internal navigation and subviews
- [DONE] FE-AUD-003 Wire secondary entry points and contextual handoffs
- [DONE] FE-AUD-004 Verify route cutover and operator journeys
- [DONE] FE-AUD-005 Sync docs, archive the sprint, and record the shipped feature
- [DONE] FE-PO-001 Freeze Operations overview taxonomy and submenu structure
- [DONE] FE-PO-002 Overview page regrouping and blocking-card contract
- [DONE] FE-PO-003 Legacy widget absorption matrix for Platform Ops

4
docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md
View File

@@ -107,6 +107,10 @@ These are mostly not dropped products. They are current or near-current capabili
- `Audit Log`
- Target:
- keep under admin/security, but improve entry points and deep links
- Notes:
- Detailed UX dossier: `docs/modules/ui/unified-audit-surfaces/README.md`
- Implementation sprint: `docs-archived/implplan/SPRINT_20260307_039_FE_unified_audit_surfaces.md`
- Shipped verification note: `docs/features/checked/web/unified-audit-surfaces-ui.md`
### 8. Offline Operations
- Type: `wire-in / preserve`

3
docs/modules/ui/implementation_plan.md
View File

@@ -27,11 +27,14 @@ Provide a living plan for UI deliverables, dependencies, and evidence.
- `docs/features/checked/web/triage-explainability-workspace-ui.md` - shipped verification note for the canonical triage artifact workspace, explainability rail, audit bundles, and security alias cutover.
- `docs/features/checked/web/workflow-visualization-replay-ui.md` - shipped verification note for the canonical run-detail graph, timeline, replay, evidence tabs, and workflow-editor preview reuse boundary.
- `docs/features/checked/web/contextual-actions-patterns-ui.md` - shipped verification note for the shared contextual route-state, headers, drawers, list-detail shells, grouped overview cards, and first adopted restoration surfaces.
- `docs/features/checked/web/unified-audit-surfaces-ui.md` - shipped verification note for the Evidence-owned audit shell, admin bookmark redirects, repaired audit subview links, and secondary handoff entry points.
- `docs/modules/ui/reachability-witnessing/README.md` - detailed witness and proof UX dossier plus cross-shell deep-link contract.
- `docs/modules/ui/platform-ops-consolidation/README.md` - detailed Operations overview taxonomy and legacy absorption plan.
- `docs/modules/ui/triage-explainability-workspace/README.md` - detailed artifact workspace and audit-bundle UX dossier.
- `docs/modules/ui/workflow-visualization-replay/README.md` - detailed run-detail graph, timeline, replay, and evidence UX dossier.
- `docs/modules/ui/contextual-actions-patterns/README.md` - shared placement contract for stray actions, pages, drawers, and tabs.
- `docs/modules/ui/unified-audit-surfaces/README.md` - shipped canonical audit owner, alias contract, and secondary entry-point rules for cross-module audit browsing.
- `docs/modules/ui/unified-audit-surfaces/README.md` - canonical audit owner, alias contract, and secondary entry-point rules for cross-module audit browsing.
## Dependencies
- `docs/modules/ui/architecture.md`

114
docs/modules/ui/unified-audit-surfaces/README.md Normal file
View File

@@ -0,0 +1,114 @@
# Unified Audit Surfaces
## Status
Shipped on 2026-03-07.
## Product Shape
Keep one canonical cross-module audit owner under Evidence.
- Canonical product home: `Evidence > Audit Log`
- Canonical route family: `/evidence/audit-log`
- Secondary surfacing:
- `Admin > Unified Audit Log`
- `Setup` overview drilldowns
- `Mission Control` activity
- `Ops` and quota drilldowns
- `Release` detail audit links
The current problem was not missing audit UI. The current problem was that the audit UI existed, but the app still split between Evidence-owned routes and stale admin absolute links.
## Product Boundary
### This shell owns
- cross-module audit dashboard
- all-events browser
- event detail
- timeline search
- correlation clusters
- anomaly alerts
- export
- module-specific audit views:
- policy
- authority
- vex
- integrations
### This shell does not own
- `Audit Bundles`
- stays under `/triage/audit-bundles`
- `Auditor Workspace`
- stays under `/workspace/audit/:artifactDigest`
- contextual reason capsules
- stay embedded in the owning workflow
- policy/VEX scoped audit tabs
- remain inside Policy Decisioning Studio but can deep-link into the canonical audit shell
## Canonical Route Contract
### Canonical routes
- `/evidence/audit-log`
- `/evidence/audit-log/events`
- `/evidence/audit-log/events/:eventId`
- `/evidence/audit-log/timeline`
- `/evidence/audit-log/correlations`
- `/evidence/audit-log/anomalies`
- `/evidence/audit-log/export`
- `/evidence/audit-log/policy`
- `/evidence/audit-log/authority`
- `/evidence/audit-log/vex`
- `/evidence/audit-log/integrations`
### Shipped aliases
- `/admin/audit`
- `/admin/audit/:page`
- `/admin/audit/events/:eventId`
- `/administration/audit`
- `/administration/audit/:page`
- `/administration/audit/events/:eventId`
Aliases must preserve query params for handoffs like `tenantId`, `releaseId`, `runId`, `correlationId`, and event filters.
## Navigation Contract
### Primary navigation
- Evidence keeps the real audit owner link.
- Admin keeps an audit entry, but it points to the same Evidence-owned route family.
### Secondary entry points to keep
- Setup overview drilldown card
- Mission Control activity feed
- dashboard activity cards
- platform ops summary links
- quota tenant detail
- release detail
### Secondary entry points to avoid
- do not create a second top-level audit product
- do not fork a separate admin-only audit route tree
- do not move audit bundles out of Triage just because they contain the word `audit`
## UX Rules
- audit detail pages must always offer a stable path back to the canonical dashboard or events list
- query-param handoffs should keep the operator in context instead of dumping them at an unfiltered dashboard
- breadcrumbs, quick links, and cards must use the canonical evidence route family
- cross-module audit is evidence-centered, not admin-settings-centered
## Why This Is Worth Keeping
- Stella Ops makes an auditability promise; cross-module audit is core product capability, not optional legacy UI.
- Most of the necessary pages already exist and appear implementation-ready.
- The feature value is currently obscured by route fragmentation, broken links, and split ownership language rather than lack of functionality.
## Verification Evidence
- feature verification note: `docs/features/checked/web/unified-audit-surfaces-ui.md`
- targeted Angular tests: `31` passing assertions across evidence routes, audit behavior, evidence overview, admin aliases, and legacy redirects
- Playwright: `2/2` passing scenarios for canonical audit landing, in-shell navigation, and old admin bookmark redirect
- production build: pass, with existing unrelated bundle-budget warnings
## Restoration Goal
Restored usability, not just visibility:
- one canonical owner
- working aliases for old bookmarks
- repaired internal navigation
- real contextual entry points from the workflows that need audit
- explicit verification that the main audit journeys work

16
src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts
View File

@@ -513,50 +513,50 @@ export const NAVIGATION_GROUPS: NavGroup[] = [
{
id: 'audit',
label: 'Unified Audit Log',
route: '/admin/audit',
route: '/evidence/audit-log',
icon: 'log',
tooltip: 'Cross-module audit trail and compliance reporting',
children: [
{
id: 'audit-dashboard',
label: 'Dashboard',
route: '/admin/audit',
route: '/evidence/audit-log',
tooltip: 'Audit log overview and stats',
},
{
id: 'audit-events',
label: 'All Events',
route: '/admin/audit/events',
route: '/evidence/audit-log/events',
tooltip: 'Browse all audit events with filters',
},
{
id: 'audit-policy',
label: 'Policy Audit',
route: '/admin/audit/policy',
route: '/evidence/audit-log/policy',
tooltip: 'Policy promotions and approvals',
},
{
id: 'audit-authority',
label: 'Authority Audit',
route: '/admin/audit/authority',
route: '/evidence/audit-log/authority',
tooltip: 'Token lifecycle and incidents',
},
{
id: 'audit-vex',
label: 'VEX Audit',
route: '/admin/audit/vex',
route: '/evidence/audit-log/vex',
tooltip: 'VEX decisions and consensus',
},
{
id: 'audit-integrations',
label: 'Integration Audit',
route: '/admin/audit/integrations',
route: '/evidence/audit-log/integrations',
tooltip: 'Integration configuration changes',
},
{
id: 'audit-export',
label: 'Export',
route: '/admin/audit/export',
route: '/evidence/audit-log/export',
tooltip: 'Export audit logs for compliance',
},
],

4
src/Web/StellaOps.Web/src/app/features/audit-log/audit-anomalies.component.ts
View File

@@ -13,7 +13,7 @@ import { AuditAnomalyAlert } from '../../core/api/audit-log.models';
<div class="anomalies-page">
<header class="page-header">
<div class="breadcrumb">
<a routerLink="/admin/audit">Audit Log</a> / Anomaly Alerts
<a routerLink="/evidence/audit-log">Audit Log</a> / Anomaly Alerts
</div>
<h1>Anomaly Detection Alerts</h1>
<p class="description">Unusual audit patterns detected by anomaly detection</p>
@@ -44,7 +44,7 @@ import { AuditAnomalyAlert } from '../../core/api/audit-log.models';
} @else {
<div class="alert-actions">
<button class="btn-primary" (click)="acknowledge(alert.id)">Acknowledge</button>
<a [routerLink]="['/admin/audit/events']" [queryParams]="{ids: alert.affectedEvents.join(',')}" class="btn-secondary">
<a [routerLink]="['/evidence/audit-log/events']" [queryParams]="{ids: alert.affectedEvents.join(',')}" class="btn-secondary">
View Events
</a>
</div>

4
src/Web/StellaOps.Web/src/app/features/audit-log/audit-authority.component.ts
View File

@@ -13,7 +13,7 @@ import { AuditEvent } from '../../core/api/audit-log.models';
<div class="authority-audit-page">
<header class="page-header">
<div class="breadcrumb">
<a routerLink="/admin/audit">Audit Log</a> / Authority Audit
<a routerLink="/evidence/audit-log">Audit Log</a> / Authority Audit
</div>
<h1>Authority Audit Events</h1>
<p class="description">Token lifecycle, revocations, air-gap events, and incidents</p>
@@ -39,7 +39,7 @@ import { AuditEvent } from '../../core/api/audit-log.models';
</thead>
<tbody>
@for (event of events(); track event.id) {
<tr [routerLink]="['/admin/audit/events', event.id]" class="clickable" [class]="event.severity">
<tr [routerLink]="['/evidence/audit-log/events', event.id]" class="clickable" [class]="event.severity">
<td class="mono">{{ formatTime(event.timestamp) }}</td>
<td><span class="badge action" [class]="event.action">{{ event.action }}</span></td>
<td class="mono token-id">{{ truncateId(getDetail(event, 'tokenId')) }}</td>

6
src/Web/StellaOps.Web/src/app/features/audit-log/audit-correlations.component.ts
View File

@@ -13,7 +13,7 @@ import { AuditCorrelationCluster } from '../../core/api/audit-log.models';
<div class="correlations-page">
<header class="page-header">
<div class="breadcrumb">
<a routerLink="/admin/audit">Audit Log</a> / Correlations
<a routerLink="/evidence/audit-log">Audit Log</a> / Correlations
</div>
<h1>Event Correlations</h1>
<p class="description">Events clustered by causality and correlation IDs</p>
@@ -32,7 +32,7 @@ import { AuditCorrelationCluster } from '../../core/api/audit-log.models';
</div>
<div class="root-event">
<h3>Root Event</h3>
<div class="event-card" [routerLink]="['/admin/audit/events', cluster.rootEvent.id]">
<div class="event-card" [routerLink]="['/evidence/audit-log/events', cluster.rootEvent.id]">
<span class="badge module" [class]="cluster.rootEvent.module">{{ cluster.rootEvent.module }}</span>
<span class="badge action" [class]="cluster.rootEvent.action">{{ cluster.rootEvent.action }}</span>
<span class="desc">{{ cluster.rootEvent.description }}</span>
@@ -42,7 +42,7 @@ import { AuditCorrelationCluster } from '../../core/api/audit-log.models';
<div class="related-events">
<h3>Related Events</h3>
@for (event of cluster.relatedEvents; track event.id) {
<div class="event-card" [routerLink]="['/admin/audit/events', event.id]">
<div class="event-card" [routerLink]="['/evidence/audit-log/events', event.id]">
<span class="badge module" [class]="event.module">{{ event.module }}</span>
<span class="badge action" [class]="event.action">{{ event.action }}</span>
<span class="desc">{{ event.description }}</span>

8
src/Web/StellaOps.Web/src/app/features/audit-log/audit-event-detail.component.ts
View File

@@ -13,8 +13,8 @@ import { AuditEvent, AuditCorrelationCluster } from '../../core/api/audit-log.mo
<div class="event-detail-page">
<header class="page-header">
<div class="breadcrumb">
<a routerLink="/admin/audit">Audit Log</a> /
<a routerLink="/admin/audit/events">Events</a> /
<a routerLink="/evidence/audit-log">Audit Log</a> /
<a routerLink="/evidence/audit-log/events">Events</a> /
{{ event()?.id?.slice(0, 8) }}...
</div>
<h1>Event Details</h1>
@@ -68,7 +68,7 @@ import { AuditEvent, AuditCorrelationCluster } from '../../core/api/audit-log.mo
@if (event()?.correlationId) {
<div class="detail-item">
<span class="label">Correlation ID</span>
<a class="value mono link" [routerLink]="['/admin/audit/correlations']" [queryParams]="{id: event()?.correlationId}">
<a class="value mono link" [routerLink]="['/evidence/audit-log/correlations']" [queryParams]="{id: event()?.correlationId}">
{{ event()?.correlationId }}
</a>
</div>
@@ -147,7 +147,7 @@ import { AuditEvent, AuditCorrelationCluster } from '../../core/api/audit-log.mo
</thead>
<tbody>
@for (related of correlation()?.relatedEvents; track related.id) {
<tr [routerLink]="['/admin/audit/events', related.id]" [class.current]="related.id === event()?.id">
<tr [routerLink]="['/evidence/audit-log/events', related.id]" [class.current]="related.id === event()?.id">
<td class="mono">{{ formatTimestamp(related.timestamp) }}</td>
<td><span class="badge module" [class]="related.module">{{ related.module }}</span></td>
<td><span class="badge action" [class]="related.action">{{ related.action }}</span></td>

2
src/Web/StellaOps.Web/src/app/features/audit-log/audit-export.component.ts
View File

@@ -14,7 +14,7 @@ import { AuditExportRequest, AuditExportResponse, AuditLogFilters, AuditModule,
<div class="export-page">
<header class="page-header">
<div class="breadcrumb">
<a routerLink="/admin/audit">Audit Log</a> / Export
<a routerLink="/evidence/audit-log">Audit Log</a> / Export
</div>
<h1>Export Audit Log</h1>
<p class="description">Export audit events for compliance reporting and archival</p>

2
src/Web/StellaOps.Web/src/app/features/audit-log/audit-integrations.component.ts
View File

@@ -13,7 +13,7 @@ import { AuditEvent } from '../../core/api/audit-log.models';
<div class="integrations-audit-page">
<header class="page-header">
<div class="breadcrumb">
<a routerLink="/admin/audit">Audit Log</a> / Integration Audit
<a routerLink="/evidence/audit-log">Audit Log</a> / Integration Audit
</div>
<h1>Integration Audit Events</h1>
<p class="description">Integration configuration changes, connections, and health events</p>

4
src/Web/StellaOps.Web/src/app/features/audit-log/audit-log-table.component.ts
View File

@@ -14,7 +14,7 @@ import { AuditEvent, AuditLogFilters, AuditModule, AuditAction, AuditSeverity }
<div class="audit-table-page">
<header class="page-header">
<div class="breadcrumb">
<a routerLink="/admin/audit">Audit Log</a> / All Events
<a routerLink="/evidence/audit-log">Audit Log</a> / All Events
</div>
<h1>Audit Events</h1>
</header>
@@ -177,7 +177,7 @@ import { AuditEvent, AuditLogFilters, AuditModule, AuditAction, AuditSeverity }
@if (selectedEvent()?.correlationId) {
<div class="detail-row">
<span class="label">Correlation ID:</span>
<a class="value mono link" [routerLink]="['/admin/audit/correlations']" [queryParams]="{id: selectedEvent()?.correlationId}">{{ selectedEvent()?.correlationId }}</a>
<a class="value mono link" [routerLink]="['/evidence/audit-log/correlations']" [queryParams]="{id: selectedEvent()?.correlationId}">{{ selectedEvent()?.correlationId }}</a>
</div>
}
@if (selectedEvent()?.tags?.length) {

4
src/Web/StellaOps.Web/src/app/features/audit-log/audit-policy.component.ts
View File

@@ -13,7 +13,7 @@ import { AuditEvent } from '../../core/api/audit-log.models';
<div class="policy-audit-page">
<header class="page-header">
<div class="breadcrumb">
<a routerLink="/admin/audit">Audit Log</a> / Policy Audit
<a routerLink="/evidence/audit-log">Audit Log</a> / Policy Audit
</div>
<h1>Policy Audit Events</h1>
<p class="description">Policy promotions, simulations, approvals, and lint events</p>
@@ -41,7 +41,7 @@ import { AuditEvent } from '../../core/api/audit-log.models';
</thead>
<tbody>
@for (event of events(); track event.id) {
<tr [routerLink]="['/admin/audit/events', event.id]" class="clickable">
<tr [routerLink]="['/evidence/audit-log/events', event.id]" class="clickable">
<td class="mono">{{ formatTime(event.timestamp) }}</td>
<td><span class="badge action" [class]="event.action">{{ event.action }}</span></td>
<td>{{ getDetail(event, 'packName') || getDetail(event, 'packId') || '-' }}</td>

4
src/Web/StellaOps.Web/src/app/features/audit-log/audit-timeline-search.component.ts
View File

@@ -14,7 +14,7 @@ import { AuditTimelineEntry } from '../../core/api/audit-log.models';
<div class="timeline-page">
<header class="page-header">
<div class="breadcrumb">
<a routerLink="/admin/audit">Audit Log</a> / Timeline Search
<a routerLink="/evidence/audit-log">Audit Log</a> / Timeline Search
</div>
<h1>Timeline Search</h1>
<p class="description">Search across all indexed audit events using TimelineIndexer</p>
@@ -47,7 +47,7 @@ import { AuditTimelineEntry } from '../../core/api/audit-log.models';
}
<div class="entry-events">
@for (event of entry.events; track event.id) {
<div class="event-item" [routerLink]="['/admin/audit/events', event.id]">
<div class="event-item" [routerLink]="['/evidence/audit-log/events', event.id]">
<span class="badge module" [class]="event.module">{{ event.module }}</span>
<span class="badge action" [class]="event.action">{{ event.action }}</span>
<span class="actor">{{ event.actor.name }}</span>

4
src/Web/StellaOps.Web/src/app/features/audit-log/audit-vex.component.ts
View File

@@ -13,7 +13,7 @@ import { AuditEvent } from '../../core/api/audit-log.models';
<div class="vex-audit-page">
<header class="page-header">
<div class="breadcrumb">
<a routerLink="/admin/audit">Audit Log</a> / VEX Audit
<a routerLink="/evidence/audit-log">Audit Log</a> / VEX Audit
</div>
<h1>VEX Audit Events</h1>
<p class="description">VEX decisions, consensus votes, and rejected claims</p>
@@ -33,7 +33,7 @@ import { AuditEvent } from '../../core/api/audit-log.models';
</thead>
<tbody>
@for (event of events(); track event.id) {
<tr [routerLink]="['/admin/audit/events', event.id]" class="clickable">
<tr [routerLink]="['/evidence/audit-log/events', event.id]" class="clickable">
<td class="mono">{{ formatTime(event.timestamp) }}</td>
<td><span class="badge action" [class]="event.action">{{ event.action }}</span></td>
<td class="mono">{{ truncateId(getDetail(event, 'vexId')) }}</td>

1
src/Web/StellaOps.Web/src/app/features/evidence-audit/evidence-audit-overview.component.ts
View File

@@ -116,6 +116,7 @@ type EvidenceHomeMode = 'normal' | 'degraded' | 'empty';
<section class="shortcuts-section" aria-label="Evidence home shortcuts">
<h2 class="section-title">Shortcuts</h2>
<div class="shortcut-links">
<a routerLink="/evidence/audit-log" class="shortcut-link">Audit Log</a>
<a routerLink="/evidence/exports" class="shortcut-link">Export Center</a>
<a routerLink="/releases/bundles" class="shortcut-link">Evidence Bundles</a>
<a routerLink="/evidence/verify-replay" class="shortcut-link">Replay &amp; Verify</a>

2
src/Web/StellaOps.Web/src/app/features/quota-dashboard/tenant-quota-detail.component.ts
View File

@@ -555,7 +555,7 @@ export class TenantQuotaDetailComponent implements OnInit, OnDestroy {
viewAuditLog(): void {
const tenantId = this.breakdown()?.tenantId;
if (tenantId) {
window.location.href = `/admin/audit?tenantId=${tenantId}`;
window.location.href = `/evidence/audit-log?tenantId=${encodeURIComponent(tenantId)}`;
}
}

45
src/Web/StellaOps.Web/src/app/routes/administration.routes.ts
View File

@@ -44,6 +44,30 @@ function redirectToDecisioning(path: string) {
};
}
function redirectToEvidence(path: string) {
return ({
params,
queryParams,
fragment,
}: {
params: Record<string, string>;
queryParams: Record<string, string>;
fragment?: string | null;
}) => {
const router = inject(Router);
let targetPath = path;
for (const [name, value] of Object.entries(params ?? {})) {
targetPath = targetPath.replaceAll(`:${name}`, encodeURIComponent(value));
}
const target = router.parseUrl(targetPath);
target.queryParams = { ...queryParams };
target.fragment = fragment ?? null;
return target;
};
}
export const ADMINISTRATION_ROUTES: Routes = [
// A0 — Administration overview
{
@@ -245,6 +269,27 @@ export const ADMINISTRATION_ROUTES: Routes = [
},
// A6 — Trust & Signing
{
path: 'audit',
title: 'Unified Audit Log',
data: { breadcrumb: 'Unified Audit Log' },
redirectTo: redirectToEvidence('/evidence/audit-log'),
pathMatch: 'full',
},
{
path: 'audit/:page',
title: 'Unified Audit Log',
data: { breadcrumb: 'Unified Audit Log' },
redirectTo: redirectToEvidence('/evidence/audit-log/:page'),
pathMatch: 'full',
},
{
path: 'audit/:page/:child',
title: 'Unified Audit Log',
data: { breadcrumb: 'Unified Audit Log' },
redirectTo: redirectToEvidence('/evidence/audit-log/:page/:child'),
pathMatch: 'full',
},
{
path: 'trust-signing',
title: 'Trust & Signing',

15
src/Web/StellaOps.Web/src/app/routes/legacy-redirects.routes.ts
View File

@@ -203,6 +203,21 @@ export const LEGACY_REDIRECT_ROUTE_TEMPLATES: readonly LegacyRedirectRouteTempla
redirectTo: '/ops/policy/simulation/:page',
pathMatch: 'full',
},
{
path: 'admin/audit',
redirectTo: '/evidence/audit-log',
pathMatch: 'full',
},
{
path: 'admin/audit/:page',
redirectTo: '/evidence/audit-log/:page',
pathMatch: 'full',
},
{
path: 'admin/audit/:page/:child',
redirectTo: '/evidence/audit-log/:page/:child',
pathMatch: 'full',
},
{
path: 'ops/health',
redirectTo: '/ops/operations/health-slo',

9
src/Web/StellaOps.Web/src/tests/administration/administration-routes.spec.ts
View File

@@ -60,6 +60,15 @@ describe('ADMINISTRATION_ROUTES (administration)', () => {
expect(typeof route?.redirectTo).toBe('function');
});
it('audit route is preserved as an Administration alias into the evidence-owned audit shell', () => {
const route = ADMINISTRATION_ROUTES.find((r) => r.path === 'audit');
const deepRoute = ADMINISTRATION_ROUTES.find((r) => r.path === 'audit/:page/:child');
expect(route).toBeDefined();
expect(typeof route?.redirectTo).toBe('function');
expect(deepRoute).toBeDefined();
expect(typeof deepRoute?.redirectTo).toBe('function');
});
it('policy-governance breadcrumb is canonical (no Release Control ownership)', () => {
const route = ADMINISTRATION_ROUTES.find((r) => r.path === 'policy-governance');
expect(route?.data?.['breadcrumb']).toBe('Policy Governance');

28
src/Web/StellaOps.Web/src/tests/audit_log/unified-audit-log-viewer.behavior.spec.ts
View File

@@ -4,6 +4,7 @@ import { of } from 'rxjs';
import { routes } from '../../app/app.routes';
import { AuditLogClient } from '../../app/core/api/audit-log.client';
import { NAVIGATION_GROUPS } from '../../app/core/navigation/navigation.config';
import type {
AuditAnomalyAlert,
AuditEvent,
@@ -11,6 +12,7 @@ import type {
AuditStatsSummary,
} from '../../app/core/api/audit-log.models';
import { auditLogRoutes } from '../../app/features/audit-log/audit-log.routes';
import { LEGACY_REDIRECT_ROUTE_TEMPLATES } from '../../app/routes/legacy-redirects.routes';
import { AuditLogDashboardComponent } from '../../app/features/audit-log/audit-log-dashboard.component';
import { AuditLogTableComponent } from '../../app/features/audit-log/audit-log-table.component';
@@ -99,10 +101,7 @@ const anomaliesFixture: AuditAnomalyAlert[] = [
];
describe('unified-audit-log-viewer behavior', () => {
it('declares canonical evidence route without legacy admin/audit alias', () => {
const legacyAlias = routes.find((route) => route.path === 'admin/audit');
expect(legacyAlias).toBeUndefined();
it('keeps evidence canonical while preserving admin audit aliases', () => {
const canonicalRoute = routes.find((route) => route.path === 'evidence');
expect(canonicalRoute).toBeDefined();
expect(typeof canonicalRoute?.loadChildren).toBe('function');
@@ -121,6 +120,27 @@ describe('unified-audit-log-viewer behavior', () => {
'vex',
'integrations',
]);
expect(LEGACY_REDIRECT_ROUTE_TEMPLATES).toEqual(
jasmine.arrayContaining([
jasmine.objectContaining({
path: 'admin/audit',
redirectTo: '/evidence/audit-log',
}),
jasmine.objectContaining({
path: 'admin/audit/:page',
redirectTo: '/evidence/audit-log/:page',
}),
jasmine.objectContaining({
path: 'admin/audit/:page/:child',
redirectTo: '/evidence/audit-log/:page/:child',
}),
]),
);
const adminGroup = NAVIGATION_GROUPS.find((group) => group.id === 'admin');
const auditItem = adminGroup?.items.find((item) => item.id === 'audit');
expect(auditItem?.route).toBe('/evidence/audit-log');
});
});

29
src/Web/StellaOps.Web/src/tests/evidence-audit/evidence-audit-overview.component.spec.ts
View File

@@ -28,32 +28,19 @@ describe('EvidenceAuditOverviewComponent (evidence-audit)', () => {
expect(text).toContain('Expiring trust/certs');
});
it('keeps the 5 required pack shortcuts including trust ownership deep-link', () => {
it('keeps the canonical audit and evidence shortcuts on the overview page', () => {
const fixture = TestBed.createComponent(EvidenceAuditOverviewComponent);
fixture.detectChanges();
const links = Array.from(fixture.nativeElement.querySelectorAll('a')) as HTMLAnchorElement[];
const trustLink = links.find((link) =>
link.getAttribute('href')?.includes('/evidence-audit/trust-signing')
);
const exportLink = links.find((link) =>
link.getAttribute('href')?.includes('/evidence-audit/evidence')
);
const bundlesLink = links.find((link) =>
link.getAttribute('href')?.includes('/evidence-audit/bundles')
);
const replayLink = links.find((link) =>
link.getAttribute('href')?.includes('/evidence-audit/replay')
);
const proofsLink = links.find((link) =>
link.getAttribute('href')?.includes('/evidence-audit/proofs')
);
const hrefs = links.map((link) => link.getAttribute('href') ?? '');
expect(trustLink).toBeTruthy();
expect(exportLink).toBeTruthy();
expect(bundlesLink).toBeTruthy();
expect(replayLink).toBeTruthy();
expect(proofsLink).toBeTruthy();
expect(hrefs).toContain('/evidence/audit-log');
expect(hrefs).toContain('/evidence/exports');
expect(hrefs).toContain('/releases/bundles');
expect(hrefs).toContain('/evidence/verify-replay');
expect(hrefs).toContain('/evidence/capsules');
expect(hrefs).toContain('/setup/trust-signing');
});
it('supports degraded state banner', () => {

1
src/Web/StellaOps.Web/src/tests/evidence-audit/evidence-audit-routes.spec.ts
View File

@@ -18,6 +18,7 @@ describe('EVIDENCE_ROUTES (pre-alpha)', () => {
'verify-replay',
'proofs',
'exports',
'proof-chain',
'audit-log',
]);
});

4
src/Web/StellaOps.Web/src/tests/navigation/legacy-redirects.spec.ts
View File

@@ -31,6 +31,10 @@ describe('Legacy redirect policy', () => {
path: 'admin/policy/governance',
redirectTo: '/ops/policy/governance',
}),
jasmine.objectContaining({
path: 'admin/audit',
redirectTo: '/evidence/audit-log',
}),
]),
);
});

245
src/Web/StellaOps.Web/tests/e2e/unified-audit-surfaces.spec.ts Normal file
View File

@@ -0,0 +1,245 @@
import { expect, test, type Page, type Route } from '@playwright/test';
import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
const auditSession: StubAuthSession = {
subjectId: 'audit-e2e-user',
tenant: 'tenant-default',
scopes: [
'ui.read',
'ui.admin',
'release:read',
'policy:audit',
'authority:audit.read',
'signer:read',
'vex:export',
],
};
const mockConfig = {
authority: {
issuer: '/authority',
clientId: 'stella-ops-ui',
authorizeEndpoint: '/authority/connect/authorize',
tokenEndpoint: '/authority/connect/token',
logoutEndpoint: '/authority/connect/logout',
redirectUri: 'https://127.0.0.1:4400/auth/callback',
postLogoutRedirectUri: 'https://127.0.0.1:4400/',
scope: 'openid profile email ui.read',
audience: '/gateway',
dpopAlgorithms: ['ES256'],
refreshLeewaySeconds: 60,
},
apiBaseUrls: {
authority: '/authority',
scanner: '/scanner',
policy: '/policy',
concelier: '/concelier',
attestor: '/attestor',
gateway: '/gateway',
},
quickstartMode: true,
setup: 'complete',
};
const auditEventsPage = {
items: [
{
id: 'evt-001',
timestamp: '2026-03-07T10:00:00Z',
module: 'policy',
action: 'update',
severity: 'warning',
actor: { id: 'actor-1', name: 'Audit Operator', type: 'user' },
resource: { type: 'policy-pack', id: 'pack-001', name: 'Core Policy Pack' },
description: 'Updated the production policy pack.',
details: { changedFields: ['riskBudget'] },
tags: ['policy', 'prod'],
correlationId: 'corr-001',
tenantId: 'tenant-default',
},
{
id: 'evt-002',
timestamp: '2026-03-07T09:45:00Z',
module: 'vex',
action: 'approve',
severity: 'info',
actor: { id: 'actor-2', name: 'Security Reviewer', type: 'user' },
resource: { type: 'vex-statement', id: 'stmt-002', name: 'CVE-2026-0002' },
description: 'Approved the VEX resolution.',
details: { outcome: 'approved' },
tags: ['vex'],
correlationId: 'corr-002',
tenantId: 'tenant-default',
},
],
cursor: 'cursor-next',
hasMore: true,
};
const auditStats = {
period: {
start: '2026-03-01T00:00:00Z',
end: '2026-03-07T23:59:59Z',
},
totalEvents: 24,
byModule: {
authority: 3,
policy: 9,
jobengine: 2,
integrations: 4,
vex: 6,
scanner: 0,
attestor: 0,
sbom: 0,
scheduler: 0,
},
byAction: {
create: 1,
update: 12,
delete: 0,
promote: 1,
demote: 0,
revoke: 0,
issue: 0,
refresh: 0,
test: 0,
fail: 0,
complete: 0,
start: 0,
submit: 0,
approve: 10,
reject: 0,
sign: 0,
verify: 0,
rotate: 0,
enable: 0,
disable: 0,
deadletter: 0,
replay: 0,
},
bySeverity: {
info: 8,
warning: 12,
error: 3,
critical: 1,
},
topActors: [],
topResources: [],
};
const auditAnomalies = [
{
id: 'anomaly-1',
detectedAt: '2026-03-07T11:00:00Z',
type: 'unusual_pattern',
severity: 'warning',
description: 'Burst of policy mutations in the last hour.',
affectedEvents: ['evt-001'],
acknowledged: false,
},
];
async function fulfillJson(route: Route, body: unknown): Promise<void> {
await route.fulfill({
status: 200,
contentType: 'application/json',
body: JSON.stringify(body),
});
}
async function setupHarness(page: Page): Promise<void> {
await page.addInitScript((session) => {
(window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
}, auditSession);
await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
await page.route('**/.well-known/openid-configuration', (route) =>
fulfillJson(route, {
issuer: 'https://127.0.0.1:4400/authority',
authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
response_types_supported: ['code'],
subject_types_supported: ['public'],
id_token_signing_alg_values_supported: ['RS256'],
}),
);
await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
await page.route('**/console/profile**', (route) =>
fulfillJson(route, {
subjectId: auditSession.subjectId,
username: 'audit-e2e',
displayName: 'Audit E2E',
tenant: auditSession.tenant,
roles: ['admin'],
scopes: auditSession.scopes,
}),
);
await page.route('**/console/token/introspect**', (route) =>
fulfillJson(route, {
active: true,
tenant: auditSession.tenant,
subject: auditSession.subjectId,
scopes: auditSession.scopes,
}),
);
await page.route('**/api/v2/context/regions', (route) =>
fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }]),
);
await page.route('**/api/v2/context/environments**', (route) =>
fulfillJson(route, [
{
environmentId: 'prod-eu',
regionId: 'eu-west',
environmentType: 'prod',
displayName: 'Prod EU',
sortOrder: 1,
enabled: true,
},
]),
);
await page.route('**/api/v2/context/preferences', (route) =>
fulfillJson(route, {
tenantId: auditSession.tenant,
actorId: auditSession.subjectId,
regions: ['eu-west'],
environments: ['prod-eu'],
timeWindow: '24h',
stage: 'all',
updatedAt: '2026-03-07T12:00:00Z',
updatedBy: auditSession.subjectId,
}),
);
await page.route('**/api/v1/audit/stats**', (route) => fulfillJson(route, auditStats));
await page.route('**/api/v1/audit/events**', (route) => fulfillJson(route, auditEventsPage));
await page.route('**/api/v1/audit/anomalies**', (route) => fulfillJson(route, auditAnomalies));
}
test.beforeEach(async ({ page }) => {
await setupHarness(page);
});
test('renders the canonical evidence-owned audit dashboard and events journey', async ({ page }) => {
await page.goto('/evidence/audit-log', { waitUntil: 'networkidle' });
await expect(page.getByRole('heading', { name: 'Unified Audit Log' })).toBeVisible();
await expect(page.getByText('Cross-module audit trail visibility for compliance and governance')).toBeVisible();
await expect(page.getByRole('link', { name: 'View All Events' })).toBeVisible();
await page.getByRole('link', { name: 'View All Events' }).click();
await expect(page).toHaveURL(/\/evidence\/audit-log\/events$/);
await expect(page.getByText('All Events')).toBeVisible();
await expect(page.locator('table.events-table')).toBeVisible();
await expect(page.getByText('Updated the production policy pack.')).toBeVisible();
});
test('redirects old admin audit bookmarks into the canonical evidence route with query context', async ({ page }) => {
await page.goto('/admin/audit?tenantId=tenant-default', { waitUntil: 'networkidle' });
await expect(page).toHaveURL(/\/evidence\/audit-log\?.*tenantId=tenant-default/);
await expect(page.getByRole('heading', { name: 'Unified Audit Log' })).toBeVisible();
await expect(page.getByText('Total Events (7d)')).toBeVisible();
});