Fix live evidence and registry auth contracts

docs/features/checked/web/evidence-thread-browser.md

@@ -7,41 +7,43 @@ Web
 VERIFIED
 
 ## Description
-Browse and inspect evidence threads per artifact digest. List view shows all evidence threads; detail view shows the full thread of evidence for a specific artifact including all linked attestations, proofs, and verification results.
+Search and inspect canonical evidence records by package URL. The live route uses the shipped EvidenceLocker API only:
+- `/api/v1/evidence/thread?purl=...` for the list/search view
+- `/api/v1/evidence/thread/{canonicalId}` for the detail view
+
+The current route supports PURL search, empty-result handling, missing-detail handling, and back-navigation. Legacy graph/transcript/export affordances are not exposed on the live route because the current API does not provide those capabilities.
 
 ## Implementation Details
 - **Feature directory**: `src/Web/StellaOps.Web/src/app/features/evidence-thread/`
-- **Routes**: `evidence-thread.routes.ts`
-- **Components**:
-  - `evidence-export-dialog` (`src/Web/StellaOps.Web/src/app/features/evidence-thread/components/evidence-export-dialog/evidence-export-dialog.component.ts`)
-  - `evidence-graph-panel` (`src/Web/StellaOps.Web/src/app/features/evidence-thread/components/evidence-graph-panel/evidence-graph-panel.component.ts`)
-  - `evidence-node-card` (`src/Web/StellaOps.Web/src/app/features/evidence-thread/components/evidence-node-card/evidence-node-card.component.ts`)
+- **Routes**: `evidence-thread.routes.ts` exposes `/evidence/threads` and `/evidence/threads/:canonicalId`
+- **Supported live components**:
   - `evidence-thread-list` (`src/Web/StellaOps.Web/src/app/features/evidence-thread/components/evidence-thread-list/evidence-thread-list.component.ts`)
   - `evidence-thread-view` (`src/Web/StellaOps.Web/src/app/features/evidence-thread/components/evidence-thread-view/evidence-thread-view.component.ts`)
-  - `evidence-timeline-panel` (`src/Web/StellaOps.Web/src/app/features/evidence-thread/components/evidence-timeline-panel/evidence-timeline-panel.component.ts`)
-  - `evidence-transcript-panel` (`src/Web/StellaOps.Web/src/app/features/evidence-thread/components/evidence-transcript-panel/evidence-transcript-panel.component.ts`)
 - **Services**:
   - `evidence-thread` (`src/Web/StellaOps.Web/src/app/features/evidence-thread/services/evidence-thread.service.ts`)
+- **Contract note**:
+  - Legacy graph/export/transcript helper components still exist in the feature directory, but they are not part of the supported live route because the current EvidenceLocker API does not return graph, transcript, or export resources.
 - **Source**: Feature matrix scan
 
 ## E2E Test Plan
 - **Setup**:
   - [ ] Log in with a user that has appropriate permissions
-  - [ ] Navigate to `/evidence`
-  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+  - [ ] Navigate to `/evidence/threads`
+  - [ ] If positive-path detail data is required, seed or ingest a package URL that exists in EvidenceLocker first
 - **Core verification**:
-  - [ ] Verify the component renders correctly with sample data
-  - [ ] Verify interactive elements respond to user input
-  - [ ] Verify data is fetched and displayed from the correct API endpoints
+  - [ ] Verify the list page renders the PURL search form and instruction state
+  - [ ] Verify searching by PURL issues requests to `/api/v1/evidence/thread?purl=...`
+  - [ ] Verify empty-result and missing-detail states are handled without runtime errors
+  - [ ] Verify detail back-navigation preserves the originating `purl` query when present
 - **Edge cases**:
-  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify graceful handling when the backend returns `404` for an unknown canonical record
   - [ ] Verify responsive layout at different viewport sizes
   - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)
 ## Verification
 - Run: docs/qa/feature-checks/runs/web/evidence-thread-browser/run-001/
-- Tier 0 (source): pass (	ier0-source-check.json)
-- Tier 1 (build/tests): pass (	ier1-build-check.json)
-- Tier 2 (behavior): pass (	ier2-e2e-check.json)
+- Tier 0 (source): pass (`tier0-source-check.json`)
+- Tier 1 (build/tests): pass (`tier1-build-check.json`)
+- Tier 2 (behavior): pass (`tier2-e2e-check.json`)
 - Verified on (UTC): 2026-02-10
 
 ## Recheck (run-003)
@@ -49,3 +51,16 @@ Browse and inspect evidence threads per artifact digest. List view shows all evi
 - Status: VERIFIED (strict Tier 2 UI replay)
 - Tier 2 evidence: docs/qa/feature-checks/runs/web/evidence-thread-browser/run-003/tier2-ui-check.json.
 
+## Recheck (2026-03-08 live frontdoor)
+- Date (UTC): 2026-03-08T20:49:05Z
+- Status: VERIFIED for the shipped EvidenceLocker contract on `https://stella-ops.local`
+- Live evidence:
+  - `src/Web/StellaOps.Web/output/playwright/live-frontdoor-auth-report.json`
+  - `src/Web/StellaOps.Web/output/playwright/live-frontdoor-changed-surfaces.json`
+- Live behavior confirmed:
+  - `/evidence/threads` renders the PURL search workflow without console/runtime failures
+  - Searching `pkg:npm/example@1.0.0` produces the expected empty-result state
+  - `/evidence/threads/missing-demo-canonical?purl=pkg:npm/example@1.0.0` renders the expected missing-detail state and `Back to Search` returns to the scoped search view
+- Environment note:
+  - The compose demo stack currently has no seeded EvidenceLocker thread rows, so live verification covers the supported empty-result and missing-detail flows. Positive-path detail normalization remains covered by the focused frontend tests for the route and service.
+