feat(ui): ship topology and trust admin cutover

docs/modules/ui/README.md

@@ -9,6 +9,8 @@
 The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
 
 ## Latest updates (2026-03-08)
+- Shipped the canonical `Setup > Topology` and `Setup > Trust & Signing` cutover, including repaired legacy trust bookmarks, fixed `Platform Setup` handoffs, and expanded topology shell exposure.
+- Added checked-feature verification for topology and trust administration at `../../features/checked/web/topology-trust-administration-ui.md`.
 - Shipped the execution-operations cutover for canonical JobEngine, Scheduler, Dead-Letter, and companion Scanner Ops workflows under `Ops > Operations`.
 - Added checked-feature verification for execution operations at `../../features/checked/web/execution-operations-ui.md`.
 
@@ -80,6 +82,7 @@ The Console presents operator dashboards for scans, policies, VEX evidence, runt
 - ./offline-operations/README.md
 - ./quota-health-aoc-operations/README.md
 - ./execution-operations/README.md
+- ./topology-trust-administration/README.md
 - ./triage-explainability-workspace/README.md
 - ./workflow-visualization-replay/README.md
 - ./contextual-actions-patterns/README.md

docs/modules/ui/TASKS.md

@@ -100,6 +100,10 @@
 - [DONE] FE-EXO-002 Complete JobEngine and scheduler operator workflows
 - [DONE] FE-EXO-003 Complete dead-letter and scanner-ops supporting workflows
 - [DONE] FE-EXO-004 Verify cutover, sync docs, and archive
+- [DONE] FE-TTA-001 Freeze canonical setup owner and alias contract
+- [DONE] FE-TTA-002 Complete topology shell exposure and platform setup handoffs
+- [DONE] FE-TTA-003 Merge legacy trust settings and issuer entry points into usable trust administration
+- [DONE] FE-TTA-004 Verify cutover, sync docs, and archive
 - [DONE] FE-PO-001 Freeze Operations overview taxonomy and submenu structure
 - [DONE] FE-PO-002 Overview page regrouping and blocking-card contract
 - [DONE] FE-PO-003 Legacy widget absorption matrix for Platform Ops

docs/modules/ui/implementation_plan.md

@@ -31,11 +31,13 @@ Provide a living plan for UI deliverables, dependencies, and evidence.
 - `docs/features/checked/web/offline-operations-ui.md` - shipped verification note for the canonical Offline Kit and Feeds & Airgap owner routes, repaired stale aliases, and completed offline shell actions.
 - `docs/features/checked/web/quota-health-aoc-operations-ui.md` - shipped verification note for canonical quota, health, and AOC owner routes, repaired deep links, route-backed filters, and completed operator actions.
 - `docs/features/checked/web/execution-operations-ui.md` - shipped verification note for canonical execution routes, repaired jobengine and scheduler aliases, completed dead-letter actions, and usable scanner-support workflows.
+- `docs/features/checked/web/topology-trust-administration-ui.md` - shipped verification note for canonical topology and trust setup shells, repaired settings/admin/platform aliases, and platform-setup handoffs.
 - `docs/modules/ui/reachability-witnessing/README.md` - detailed witness and proof UX dossier plus cross-shell deep-link contract.
 - `docs/modules/ui/platform-ops-consolidation/README.md` - detailed Operations overview taxonomy and legacy absorption plan.
 - `docs/modules/ui/offline-operations/README.md` - detailed owner-shell contract for Offline Kit, Feeds & Airgap, Evidence handoffs, and stale alias policy.
 - `docs/modules/ui/quota-health-aoc-operations/README.md` - canonical owner-shell contract for quota, health, and AOC operations cutover plus alias and action rules.
 - `docs/modules/ui/execution-operations/README.md` - canonical execution owner-shell contract for JobEngine, Scheduler, Dead-Letter, and companion Scanner Ops workflows.
+- `docs/modules/ui/topology-trust-administration/README.md` - canonical setup owner contract for topology inventory, trust administration, legacy trust redirects, and platform-setup handoffs.
 - `docs/modules/ui/triage-explainability-workspace/README.md` - detailed artifact workspace and audit-bundle UX dossier.
 - `docs/modules/ui/workflow-visualization-replay/README.md` - detailed run-detail graph, timeline, replay, and evidence UX dossier.
 - `docs/modules/ui/contextual-actions-patterns/README.md` - shared placement contract for stray actions, pages, drawers, and tabs.

docs/modules/ui/topology-trust-administration/README.md

@@ -0,0 +1,85 @@
+# Topology And Trust Administration
+
+## Purpose
+- Make `Setup > Topology` and `Setup > Trust & Signing` the canonical owners for environment inventory and trust administration.
+- Keep legacy `settings`, `administration`, `admin`, and `platform/setup` entry points usable without preserving the old split-product shells.
+
+## Canonical Owner
+- Owner shells:
+  - `Setup > Topology`
+  - `Setup > Trust & Signing`
+- Primary routes:
+  - `/setup/topology/overview`
+  - `/setup/topology/map`
+  - `/setup/topology/regions`
+  - `/setup/topology/targets`
+  - `/setup/topology/hosts`
+  - `/setup/topology/agents`
+  - `/setup/topology/promotion-graph`
+  - `/setup/topology/workflows`
+  - `/setup/topology/gate-profiles`
+  - `/setup/topology/connectivity`
+  - `/setup/topology/runtime-drift`
+  - `/setup/trust-signing`
+  - `/setup/trust-signing/keys`
+  - `/setup/trust-signing/issuers`
+  - `/setup/trust-signing/certificates`
+  - `/setup/trust-signing/watchlist`
+  - `/setup/trust-signing/watchlist/entries`
+  - `/setup/trust-signing/watchlist/alerts`
+  - `/setup/trust-signing/watchlist/tuning`
+  - `/setup/trust-signing/audit`
+  - `/setup/trust-signing/airgap`
+  - `/setup/trust-signing/incidents`
+  - `/setup/trust-signing/analytics`
+- Secondary handoff route:
+  - `/ops/platform-setup`
+
+## Legacy Alias Policy
+- Preserve stale bookmarks and old links by redirecting:
+  - `/platform/setup`
+  - `/platform/setup/regions-environments`
+  - `/platform/setup/promotion-paths`
+  - `/platform/setup/workflows-gates`
+  - `/platform/setup/gate-profiles`
+  - `/platform/setup/trust-signing`
+  - `/platform/setup/trust-signing/:page`
+  - `/settings/trust`
+  - `/settings/trust/issuers`
+  - `/settings/trust/:page`
+  - `/administration/trust`
+  - `/administration/trust/issuers`
+  - `/administration/trust/:page`
+  - `/admin/trust`
+  - `/admin/trust/:page`
+  - `/admin/issuers`
+- Redirects must preserve query params and fragments so tenant, region, environment, and tab context survive the handoff.
+
+## UX Rules
+- `Platform Setup` is a setup overview and handoff page, not the owner of topology or trust subtrees.
+- `Topology` owns region, environment, target, agent, promotion, workflow, gate-profile, connectivity, and runtime-drift navigation.
+- `Trust & Signing` owns keys, issuers, certificates, watchlist, audit, air-gap trust posture, incidents, and analytics.
+- Legacy settings or admin trust URLs should land directly on the live trust shell instead of placeholder pages.
+
+## Preserved Value
+- Keep:
+  - topology inventory and graph drill-ins
+  - promotion, workflow, and gate-profile setup
+  - trust summary, issuer management, certificate inventory, and watchlist
+  - trust audit, incident, analytics, and air-gap administration
+- Why:
+  - these are core release-setup capabilities, not experimental side branches
+  - the product issue was weak wiring and stale route ownership, not missing product value
+
+## Shipped In This Cut
+- Canonical setup alias helpers for trust and platform-setup handoffs.
+- Top-level `/admin/*` compatibility redirects for trust and notification bookmarks.
+- Expanded `Topology` shell tabs so preserved mounted pages are reachable from the live setup shell.
+- Fixed `Platform Setup` quick links so they hand off into canonical `Setup` routes.
+- Retired live trust-placeholder ownership in favor of the real `Trust Management` shell.
+
+## Related Docs
+- `docs/features/checked/web/topology-trust-administration-ui.md`
+- `docs/modules/ui/watchlist-operations/README.md`
+- `docs/modules/ui/platform-ops-consolidation/README.md`
+- `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`