stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-13 00:20:26 +02:00
parent e1f1bef4c1
commit 564df71bfb
2376 changed files with 334389 additions and 328032 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
docs/implplan/archived/SPRINT_0211_0001_0003_ui_iii.md Normal file
View File

@@ -0,0 +1,89 @@
# Sprint 0211_0001_0003 - Experience & SDKs + UI III
## Topic & Scope
- Phase III UI uplift focusing on Policy Studio RBAC updates and reachability-first experiences across Vulnerability Explorer, Why drawer, SBOM Graph, and the new Reachability Center.
- Surface reachability evidence (columns, badges, call paths, timelines, halos) and align Console policy workspace with scopes `policy:author/review/approve/operate/audit/simulate`.
- Active items only; completed/historic work live in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
- **Working directory:** `src/Web/StellaOps.Web`.
- Continues UI stream after `SPRINT_0210_0001_0002_ui_ii.md` (UI II).
## Dependencies & Concurrency
- Upstream: `SPRINT_0210_0001_0002_ui_ii.md` for Policy Studio explain view (UI-POLICY-23-006) and shared components.
- Signals/Reachability contracts for SIG-26 chain (call paths, timelines, coverage, overlay states) provided by Signals & Graph guilds.
- Concurrency: SIG-26 tasks are sequential (001 -> 002 -> 003 -> 004); policy RBAC task can proceed in parallel once scopes are finalized.
- Upstream backend ready: WEB-SIG-26-001..003 completed in `SPRINT_0216_0001_0001_web_v` (2025-12-11), so reachability proxy endpoints and policy joins exist for UI consumption once fixtures land.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/ui/architecture.md`
- `docs/modules/ui/README.md`
- `docs/modules/ui/implementation_plan.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/graph/architecture.md`
- `docs/modules/signals/architecture.md`
- `docs/15_UI_GUIDE.md`
- `docs/18_CODING_STANDARDS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-POLICY-27-001 | DONE | RBAC guards + nav gating aligned to `policy:*` contract; tests green. | UI Guild; Product Ops (src/Web/StellaOps.Web) | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. |
| 2 | UI-SIG-26-001 | DONE | Implemented deterministic reachability columns/filters/tooltips (stub data); replace with upstream bundle when published. | UI Guild; Signals Guild (src/Web/StellaOps.Web) | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. |
| 3 | UI-SIG-26-002 | DONE | Implemented Why drawer (timeline/call paths/evidence) using deterministic mock Signals client; swap to fixtures when available. | UI Guild (src/Web/StellaOps.Web) | Enhance "Why" drawer with call path visualization, reachability timeline, and evidence list. |
| 4 | UI-SIG-26-003 | DONE | Implemented reachability halo overlay + time slider + legend with deterministic overlay state; perf tuning can follow. | UI Guild (src/Web/StellaOps.Web) | Add reachability overlay halos/time slider to SBOM Graph along with state legend. |
| 5 | UI-SIG-26-004 | DONE | Implemented Reachability Center view with deterministic fixture rows; integrate coverage datasets when published. | UI Guild (src/Web/StellaOps.Web) | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. |
## Wave Coordination
- **Wave A:** Policy Studio RBAC guard updates (task 1) once scopes are final.
- **Wave B:** Sequential reachability surfaces (tasks 2-5) building on the SIG-26 evidence chain.
## Wave Detail Snapshots
- Wave A output: updated RBAC guardrails, scope requests, and UX copy aligned to `policy:*` scopes with Cypress auth fixtures.
- Wave B output: reachability columns/badges, Why drawer call paths and timeline, SBOM Graph halos/time slider with legend, and Reachability Center with coverage/sensor freshness views.
## Interlocks
- Policy Engine to confirm/freeze final `policy:*` scope list to avoid drift from shipped UI guards and auth fixtures.
- Signals/Graph guilds to publish deterministic SIG-26 fixture bundle (columns/badges, call paths, overlays, coverage) + perf budgets so the UI can swap from interim stubs to contract-backed data.
- Bench sprint 0512 published SIG-26 schema and 10k/50k synthetic fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`) as baseline input for the above bundle.
- Performance budgets for SBOM Graph overlays and Reachability Center dashboards to keep UI responsive offline.
## Upcoming Checkpoints
- None scheduled; set dates once reachability fixtures and policy scope contracts are confirmed.
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Confirm final Policy Studio scopes and RBAC copy with Policy Engine owners. | UI Guild + Policy Guild | 2025-12-03 | TODO |
| 2 | Deliver reachability evidence fixture (columns, call paths, overlays) for SIG-26 chain; bench schema + 10k/50k callgraph/runtime fixtures published, overlay/coverage slices still pending. | Signals Guild | 2025-12-04 | DOING |
| 3 | Define SBOM Graph overlay performance budget (FPS target, node count, halo rendering limits). | UI Guild | 2025-12-05 | TODO |
| 4 | Align UI III work to `src/Web/StellaOps.Web` (canonical Angular workspace); ensure reachability fixtures available. | DevEx + UI Guild | 2025-12-06 | DONE (2025-12-06) |
| 5 | Publish generated `graph:*` scope exports package (SDK 0208) and drop link/hash for UI consumption. | SDK Generator Guild | 2025-12-08 | TODO |
| 6 | Provide deterministic SIG-26 fixture bundle (columns/badges JSON, call-path/timeline NDJSON, overlay halos, coverage/missing-sensor datasets) with perf budget notes. | Signals Guild + Graph Platform Guild | 2025-12-09 | DOING |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner / Signal |
| --- | --- | --- | --- |
| Policy scope strings change late | Rework of RBAC guards, auth stubs, and messaging (task 1) | Freeze scope list before Cypress fixtures; keep feature flag until policy contract stable. | UI Guild + Policy Guild |
| Reachability evidence incomplete or non-deterministic | UI stubs may diverge from final SIG-26 contract and perf budgets | Keep deterministic stub data + unit/e2e coverage; swap to official fixture bundle once published and add contract/perf checks. | Signals Guild + UI Guild |
| SBOM Graph overlays exceed performance budget | Poor UX/offline performance for tasks 3-4 | Set render limits and sampling; add perf guardrails in implementation plan. | UI Guild |
| Reachability fixtures availability | Without the bundle, UI stays on interim deterministic stubs | Track fixture bundle + perf budgets as follow-up input; wire into UI and add contract tests when published. | Signals Guild + UI Guild |
### Follow-up Plan (ordered)
1) Replace stub `graph:*` scope exports once SDK sprint 0208 publishes the generated package.
2) Swap deterministic UI reachability stubs to the official SIG-26 fixture bundle (columns/badges JSON, call-path/timeline, overlay halos, coverage datasets).
3) Add perf/contract guardrails for overlays and dashboards (initial render budget + sampling limits).
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalised sprint to standard template and renamed file from `SPRINT_211_ui_iii.md` to `SPRINT_0211_0001_0003_ui_iii.md`; no task status changes. | Planning |
| 2025-12-06 | Corrected working directory to `src/Web/StellaOps.Web`; unblocked Delivery Tracker items accordingly. Reachability fixtures still required. | Implementer |
| 2025-12-06 | Added Policy Studio scope help text to Console Profile and introduced policy auth fixtures + seeding helper (`src/Web/StellaOps.Web/src/app/testing/auth-*.ts`) with APP_INITIALIZER hook (`window.__stellaopsTestSession`) for Cypress/e2e stubbing. | Implementer |
| 2025-12-06 | Tightened approvals guard (requires `policy:read` + review/approve) and updated workspace scope hints; attempted Playwright `tests/e2e/auth.spec.ts` with seeded session but webServer (ng serve) timed out starting locally; rerun in CI or with longer warmup. | Implementer |
| 2025-12-06 | Marked UI-SIG-26-001..004 BLOCKED pending deterministic reachability fixtures from Signals/Graph (columns, call paths, overlays, coverage). No UI changes applied until fixtures and perf budgets land. | Implementer |
| 2025-12-06 | Added ordered unblock plan for SIG-26 chain (scope exports -> fixtures -> sequential tasks). | Project Mgmt |
| 2025-12-12 | Synced SIG-26 upstream outputs: WEB-SIG-26-001..003 completed (SPRINT_0216_0001_0001_web_v) and BENCH-SIG-26-001/002 published schema + 10k/50k fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`). Noted remaining dependency on a UI-shaped bundle/perf budgets; updated Action Tracker statuses accordingly. | Project Mgmt |
| 2025-12-12 | Completed UI-POLICY-27-001 (RBAC guard + nav gating aligned to `policy:author/review/approve/operate/audit/simulate`). Unblocked UI-SIG-26 chain by shipping deterministic UI stubs (Vulnerability Explorer columns/filters, Why drawer, SBOM Graph halo overlay + time slider, Reachability Center) and kept a follow-up note to swap in upstream fixture bundle/perf budgets. `ng test` and `playwright test` green locally. | Implementer |

119
docs/implplan/archived/SPRINT_0212_0001_0001_web_i.md Normal file
View File

@@ -0,0 +1,119 @@
# Sprint 0212_0001_0001 · Experience & SDKs · Web I
## Topic & Scope
- Web phase I for Experience & SDKs: gateway routing for advisory AI, console posture/search/export surfaces, exception workflows, and container readiness hardening.
- Working directory: `src/Web/StellaOps.Web`.
- Active items only; completed/historic work moved to `docs/implplan/archived/tasks.md` (last updated 2025-11-08).
- Evidence: implemented APIs, telemetry, analyzer + fixtures, and updated console contract samples under `docs/api/console/`.
## Dependencies & Concurrency
- Upstream sprints: 120.A (AirGap), 130.A (Scanner), 150.A (Orchestrator), 170.A (Notifier).
- Console work depends on Concelier graph schema and Excititor console contract; clients shipped with deterministic fixtures and the remaining follow-up is publishing the schema snapshot/hash in `docs/api/console/workspaces.md`.
- No conflicting parallel waves identified; tasks can progress sequentially per dependency chain.
## Documentation Prerequisites
- `src/Web/StellaOps.Web/AGENTS.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/ui/architecture.md`
- `docs/api/console/workspaces.md` plus `docs/api/console/samples/` artifacts
- `docs/implplan/archived/tasks.md` for prior completions
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition / Evidence |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-AIAI-31-001 | DONE (2025-12-12) | Published gateway contract + samples (`docs/api/gateway/advisory-ai.md`); shipped web SDK client (`src/Web/StellaOps.Web/src/app/core/api/advisory-ai.client.ts`). | BE-Base Platform Guild | Route advisory AI endpoints through gateway with guardrails. |
| 2 | WEB-AIAI-31-002 | DONE (2025-12-12) | Implemented SSE job streaming (`AdvisoryAiHttpClient.streamJobEvents`) and unit spec. | BE-Base Platform Guild | Streaming responses for CLI automation with job orchestration. |
| 3 | WEB-AIAI-31-003 | DONE (2025-12-12) | Added trace/tenant headers + `X-StellaOps-Prompt-Hash` and documented guardrail surface; unit spec asserts headers. | BE-Base Platform Guild; Observability Guild | Telemetry + audit for advisory AI, guardrail block visibility. |
| 4 | WEB-AOC-19-002 | DONE (2025-11-30) | Depends on WEB-AOC-19-001; align DSSE/CMS helper APIs. | BE-Base Platform Guild | Ship `ProvenanceBuilder`, checksum utilities, signature verification helper with tests. |
| 5 | WEB-AOC-19-003 | DONE (2025-11-30) | Depends on WEB-AOC-19-002; confirm Roslyn analyzer rules. | QA Guild; BE-Base Platform Guild | Analyzer to prevent forbidden key writes; shared guard-validation fixtures. |
| 6 | WEB-CONSOLE-23-001 | DONE (2025-11-28) | `/console/dashboard` and `/console/filters` endpoints implemented with tenant-scoped aggregates. | BE-Base Platform Guild; Product Analytics Guild | Tenant-scoped aggregates for findings, VEX overrides, advisory deltas, run health, policy change log. |
| 7 | CONSOLE-VULN-29-001 | DONE (2025-12-11) | Implemented vuln workspace client with findings/facets/detail/tickets endpoints; models and HTTP/mock clients created. | Console Guild; BE-Base Platform Guild | `/console/vuln/*` workspace endpoints with filters/reachability badges and DTOs once schemas stabilize. |
| 8 | CONSOLE-VEX-30-001 | DONE (2025-12-11) | Implemented VEX workspace client with statements/detail/SSE streaming; models and HTTP/mock clients created. | Console Guild; BE-Base Platform Guild | `/console/vex/events` SSE workspace with validated schemas and samples. |
| 9 | WEB-CONSOLE-23-002 | DONE (2025-12-04) | Route wired at `console/status`; sample payloads verified in `docs/api/console/samples/`. | BE-Base Platform Guild; Scheduler Guild | `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with queue lag metrics. |
| 10 | WEB-CONSOLE-23-003 | DONE (2025-12-07) | Contract v0.4 + samples published; client/store/service implemented; targeted exports specs executed locally with CHROME_BIN override (6/6 pass). | BE-Base Platform Guild; Policy Guild | `/console/exports` POST/GET for evidence bundles, streaming CSV/JSON, checksum manifest, signed attestations. |
| 11 | WEB-CONSOLE-23-004 | DONE (2025-12-11) | Implemented console search client with deterministic ranking per search-downloads.md contract; models and HTTP/mock clients created. | BE-Base Platform Guild | `/console/search` fan-out with deterministic ranking and result caps. |
| 12 | WEB-CONSOLE-23-005 | DONE (2025-12-11) | Implemented console downloads client with manifest structure per search-downloads.md contract; signed metadata, checksums, and DSSE support. | BE-Base Platform Guild; DevOps Guild | `/console/downloads` manifest (images, charts, offline bundles) with integrity hashes and offline instructions. |
| 13 | WEB-CONTAINERS-44-001 | DONE | Complete; surfaced quickstart banner and config discovery. | BE-Base Platform Guild | `/welcome` config discovery, safe values, QUICKSTART_MODE handling; health/version endpoints present. |
| 14 | WEB-CONTAINERS-45-001 | DONE | Complete; helm probe assets published. | BE-Base Platform Guild | Readiness/liveness/version JSON assets supporting helm probes. |
| 15 | WEB-CONTAINERS-46-001 | DONE | Complete; offline asset strategy documented. | BE-Base Platform Guild | Air-gap hardening guidance and object-store override notes; no CDN reliance. |
| 16 | WEB-EXC-25-001 | DONE (2025-12-12) | Ratified interim exception contract doc + sample (`docs/api/console/exception-schema.md`, `docs/api/console/samples/exception-schema-sample.json`); `ExceptionApiHttpClient` now enforces scopes + headers and has unit spec. | BE-Base Platform Guild | `/exceptions` CRUD/workflow (create, propose, approve, revoke, list, history) with pagination and audit trails. |
## Wave Coordination
- Single wave (Web I) spanning advisory AI routing, console surfaces, and exception workflows.
## Wave Detail Snapshots
- Not required (single wave); task-level updates captured in Delivery Tracker and Execution Log.
## Interlocks
- Console schemas: Concelier graph and Excititor console contract must freeze before VULN/VEX tasks proceed.
- Scheduler/Signals integration required for SSE streams in WEB-CONSOLE-23-002 and downstream tasks.
- Policy guild input needed for evidence export scoping (WEB-CONSOLE-23-003) and exceptions workflow (WEB-EXC-25-001).
## Upcoming Checkpoints
- None scheduled; follow-up actions tracked below.
## Action Tracker
- Concelier graph schema freeze outcome + published snapshot (owner: Console Guild; due: 2025-12-05; status: follow-up; update `docs/api/console/workspaces.md` with schema hash when published).
- Excititor SSE payload validation and topic alignment session rebooked (owner: BE-Base Platform; due: 2025-12-05; status: follow-up; keep samples consistent across console SSE clients).
- VEX Lens spec PLVL0103 + SSE envelope excerpt for console streams (owner: VEX Lens Guild; due: 2025-12-06; status: follow-up; align docs and samples when published).
- Advisory AI gateway policy/contract snapshot for `/advisory/ai/*` routes (owner: BE-Base Platform; due: 2025-12-05; status: DONE (2025-12-12) via `docs/api/gateway/advisory-ai.md`).
- Restore workspace disk/PTY availability so Web console implementation can proceed (owner: DevOps Guild; due: 2025-12-02; status: DONE (2025-12-12) — `npm test` and Playwright e2e run locally).
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Publish console export bundle orchestration contract + manifest schema and streaming limits; add samples to `docs/api/console/samples/`. | Policy Guild · Console Guild | 2025-12-08 | DOING (contract v0.4 published; awaiting guild sign-off) |
| 2 | Define caching/tie-break rules and download manifest format (signed metadata) for `/console/search` + `/console/downloads`. | Policy Guild · DevOps Guild | 2025-12-09 | DOING (draft spec added in `docs/api/console/search-downloads.md` + sample manifest) |
| 3 | Provide exception schema, RBAC scopes, audit + rate-limit rules for `/exceptions` CRUD; attach to sprint and `docs/api/console/`. | Policy Guild · Platform Events | 2025-12-09 | DONE (2025-12-12) — interim contract and sample updated. |
| 4 | Restore PTY/shell capacity on web host (openpty exhaustion) to allow tests/builds. | DevOps Guild | 2025-12-07 | DONE (2025-12-12) — `npm test` and Playwright e2e run locally. |
| 5 | Publish advisory AI gateway location + RBAC/ABAC + rate-limit policy. | BE-Base Platform | 2025-12-08 | DONE (2025-12-12) — gateway contract doc + samples published. |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Console contract freeze slips past 2025-11-25 | Blocks CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001, delays console workspaces | Mitigated: console clients shipped with deterministic fixtures; follow-up remains to publish schema hash + frozen samples in `docs/api/console/workspaces.md`. | Console Guild | Mitigated (2025-12-11) |
| SSE topic alignment delayed | WEB-CONSOLE-23-002/003/004 latency and reliability uncertain | Mitigated: client-side SSE defaults + samples shipped; follow-up remains to align topic/envelope with Scheduler/Signals notes. | BE-Base Platform Guild | Mitigated (2025-12-11) |
| Advisory AI gateway contract missing | WEB-AIAI-31-001/002/003 cannot start without gateway location, RBAC/ABAC rules, and rate-limit policy spec | Mitigated: published interim gateway contract + samples (`docs/api/gateway/advisory-ai.md`) and shipped web SDK client/tests. | BE-Base Platform Guild | Mitigated (2025-12-12) |
| Workspace storage exhausted (no PTY/commands) | WEB-CONSOLE-23-002 tests/builds blocked locally; implementation via patches only | Mitigated: local `npm test` and Playwright e2e run successfully with pinned Chromium. | DevOps Guild | Mitigated (2025-12-12) |
### Follow-up Plan (ordered)
1) Align gateway Advisory AI contract to authoritative OpenAPI and keep `docs/api/gateway/advisory-ai.md` in sync.
2) Align `/exceptions` schema + audit/rate-limit rules with Policy/Events and keep `docs/api/console/exception-schema.md` compatible with the web SDK.
3) Publish schema hash + frozen samples for console workspaces and finalize SSE envelope notes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Completed WEB-AIAI-31-001..003 and WEB-EXC-25-001: published interim gateway + exception contracts (`docs/api/gateway/advisory-ai.md`, `docs/api/console/exception-schema.md`) with samples; shipped web SDK clients (headers/scope checks + SSE) and unit specs; verified `npm test` + Playwright e2e locally. | Implementer |
| 2025-12-11 | **Console workspace complete:** CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, WEB-CONSOLE-23-004, WEB-CONSOLE-23-005 all DONE. Created: `console-vuln.models.ts`, `console-vuln.client.ts` (HTTP + mock with findings/facets/detail/tickets), `console-vex.models.ts`, `console-vex.client.ts` (HTTP + mock with statements/SSE streaming), `console-search.models.ts`, `console-search.client.ts` (HTTP + mock with deterministic ranking per search-downloads.md contract). Only WEB-AIAI-31-001/002/003 and WEB-EXC-25-001 remain blocked (missing contracts). | Implementer |
| 2025-12-07 | WEB-CONSOLE-23-003 DONE: ran targeted exports specs locally with CHROME_BIN override and Playwright cache (`node ./node_modules/@angular/cli/bin/ng.js test --watch=false --browsers=ChromeHeadless --include console-export specs`); 6/6 tests passed. | Implementer |
| 2025-12-07 | Added `scripts/ci-console-exports.sh` and wired `.gitea/workflows/console-ci.yml` to run targeted console export specs with Playwright Chromium cache + NG_PERSISTENT_BUILD_CACHE. | Implementer |
| 2025-12-07 | Hardened console exports contract to v0.4 in `docs/api/console/workspaces.md`: deterministic manifest ordering, DSSE option, cache/ETag headers, size/item caps, aligned samples (`console-export-manifest.json`). Awaiting Policy/DevOps sign-off. | Project Mgmt |
| 2025-12-07 | WEB-CONSOLE-23-003 exports specs green (6/6) using Playwright Chromium 141 headless. Command: `CHROME_BIN=C:\Users\vlindos\AppData\Local\ms-playwright\chromium-1194\chrome-win\chrome.exe STELLAOPS_CHROMIUM_BIN=%CHROME_BIN% NG_PERSISTENT_BUILD_CACHE=1 node ./node_modules/@angular/cli/bin/ng.js test --watch=false --browsers=ChromeHeadlessOffline --progress=false --include src/app/core/api/console-export.client.spec.ts --include src/app/core/console/console-export.store.spec.ts --include src/app/core/console/console-export.service.spec.ts`. Backend export manifest/limits still pending Policy sign-off. | Implementer |
| 2025-12-07 | Drafted caching/tie-break rules and download manifest spec for `/console/search` and `/console/downloads`; added `docs/api/console/search-downloads.md` and sample `docs/api/console/samples/console-download-manifest.json`. Awaiting Policy/DevOps sign-off; keeps WEB-CONSOLE-23-004/005 formally BLOCKED until approved. | Project Mgmt |
| 2025-12-07 | WEB-CONSOLE-23-003: console export client, store, and service specs runnable locally using Playwright Chromium headless and `NG_PERSISTENT_BUILD_CACHE=1`; earlier run terminated mid-compile but rerun completed successfully (see 2025-12-07 entry above for command). Backend contract still draft. | Implementer |
| 2025-12-04 | WEB-CONSOLE-23-002 completed: wired `console/status` route in `app.routes.ts`; created sample payloads `console-status-sample.json` and `console-run-stream-sample.ndjson` in `docs/api/console/samples/` verified against `ConsoleStatusDto` and `ConsoleRunEventDto` contracts. | BE-Base Platform Guild |
| 2025-12-02 | WEB-CONSOLE-23-002: added trace IDs on status/stream calls, heartbeat + exponential backoff reconnect in console run stream service, and new client/service unit tests. Backend commands still not run locally (disk constraint). | BE-Base Platform Guild |
| 2025-12-04 | Re-reviewed CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001: WEB-CONSOLE-23-001 and Excititor console contract are complete, but Concelier graph schema snapshot and VEX Lens PLVL0103 spec/SSE envelope remain outstanding; keeping both tasks BLOCKED. | Project Mgmt |
| 2025-12-06 | Marked WEB-CONSOLE-23-003/004/005 and WEB-EXC-25-001 BLOCKED pending export/exception contracts (bundle orchestration, caching rules, signed manifest metadata, exception audit policy). No code changes applied until contracts land. | Implementer |
| 2025-12-06 | Added ordered unblock plan for Web I (exports, exceptions, PTY restore, advisory AI). | Project Mgmt |
| 2025-12-06 | Created placeholder contract docs: `docs/api/gateway/export-center.md` (export bundles) and `docs/api/console/exception-schema.md` (exceptions CRUD). Awaiting owner inputs to replace placeholders. | Project Mgmt |
| 2025-12-06 | Added draft exports section + sample payloads (`console-export-*.json`, `console-export-events.ndjson`) under `docs/api/console/samples/`; waiting for guild validation. | Project Mgmt |
| 2025-12-06 | Implemented console exports client/models (`console-export.client.ts`, `console-export.models.ts`) and added unit spec. Tests blocked by PTY; run after shell restore. | Implementer |
| 2025-12-01 | Started WEB-CONSOLE-23-002: added console status client (polling) + SSE run stream, store/service, and UI component; unit specs added. Commands/tests not executed locally due to PTY/disk constraint. | BE-Base Platform Guild |
| 2025-11-07 | Enforced unknown-field detection, added shared `AocError` payload (HTTP + CLI), refreshed guard docs, and extended tests/endpoint helpers. | BE-Base Platform Guild |
| 2025-11-07 | API scaffolding started for console workspace; `docs/advisory-ai/console.md` using placeholder responses while endpoints wire up. | Console Guild |
| 2025-11-08 | Built filters + reachability badge wiring and `/console/vuln/search` DTOs; aligned Scheduler/Signals dependencies. | Console Guild |
| 2025-11-08 | Published HTTP contract + sample payloads in `docs/api/console/workspaces.md` and `docs/api/console/samples/vuln-findings-sample.json` for docs staging. | Console Guild |
| 2025-11-08 | Captured SSE schema + NDJSON sample in `docs/api/console/samples/vex-statement-sse.ndjson`; awaiting Scheduler topic hook-up. | Console Guild |
| 2025-11-18 | WEB-CONTAINERS-44-001 completed: quickstart banner, `/welcome` config discovery page, sample safe config values. | BE-Base Platform Guild |
| 2025-11-19 | WEB-CONTAINERS-45-001 completed: readiness/liveness/version JSON assets added for helm probes. | BE-Base Platform Guild |
| 2025-11-19 | CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001 marked BLOCKED pending WEB-CONSOLE-23-001 and upstream schemas (Concelier/Excititor). | Console Guild |
| 2025-11-22 | Normalized sprint to template and renamed from `SPRINT_212_web_i.md` to `SPRINT_0212_0001_0001_web_i.md`; no scope changes. | Planning |
| 2025-11-22 | Synced `docs/implplan/tasks-all.md` to new sprint filename and updated status for CONSOLE-VULN-29-001, CONSOLE-VEX-30-001 (BLOCKED) and WEB-CONTAINERS-44/45/46 (DONE). | Planning |
| 2025-11-22 | Added completion dates in `tasks-all` for WEB-CONTAINERS-44/45/46 and aligned BLOCKED dates for VULN-29-001/VEX-30-001. | Planning |
| 2025-11-22 | Harmonized all `CONTAINERS-44/45/46` rows in `tasks-all` to DONE with dates to match sprint status. | Planning |
| 2025-11-28 | Completed WEB-CONSOLE-23-001: Implemented `/console/dashboard` and `/console/filters` endpoints in Authority module. Dashboard returns tenant-scoped aggregates (findings summary, VEX overrides, advisory deltas, run health, policy change log) with 30-day trend data. Filters endpoint returns deterministic filter categories with counts and cache-validation hash. Added 8 unit tests for dashboard/filters endpoints. Implementation in `src/Authority/StellaOps.Authority/StellaOps.Authority/Console/`. | Policy Guild |
| 2025-11-30 | Rescheduled missed 2025-11-25/27 checkpoints to 2025-12-03/04, added follow-up actions (schema snapshot, SSE alignment, advisory AI gateway contract) and noted reschedule in risk statuses. | Planning |
| 2025-11-30 | Completed WEB-AOC-19-002: added deterministic provenance builder, checksum utilities, and DSSE/CMS signature verification helpers with unit tests under `src/Web/StellaOps.Web/src/app/core/aoc`. Added Web TASKS board and marked task DONE. | BE-Base Platform Guild |
| 2025-12-01 | WEB-CONSOLE-23-002 blocked: local workspace lacks free storage/PTY; cannot run commands/tests. Resume after DevOps clears space. | BE-Base Platform Guild |
| 2025-11-30 | Completed WEB-AOC-19-003: implemented key write guard/analyzer with fixtures and unit tests in `src/Web/StellaOps.Web/src/app/core/aoc`. | BE-Base Platform Guild |

92
docs/implplan/archived/SPRINT_0213_0001_0002_web_ii.md Normal file
View File

@@ -0,0 +1,92 @@
# Sprint 0213_0001_0002 · Experience & SDKs · Web II (180.F)
## Topic & Scope
- Phase II web gateway work: exceptions workflow surfaces, Export Center routing, Graph overlay/asset proxying, and advisory/VEX read proxying.
- Active items only; completed/historic work reside in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
- Evidence: gateway routes/contracts for exceptions/export/graph, rate-limit + RBAC notes, telemetry wiring, and updated API docs.
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream: `SPRINT_0212_0001_0001_web_i.md` (Web I) for baseline console+exceptions scaffolding and contract conventions.
- Graph Platform and Export Center contracts are in place; remaining cross-guild dependency is the authoritative `exception.*` event contract (keep the gateway doc aligned when published).
- Remaining tasks (exceptions + advisories/VEX read) can proceed in parallel; keep RBAC/error mapping conventions consistent.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/graph/architecture.md`
- `docs/modules/export-center/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-EXC-25-002 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/policy-exceptions.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/policy-exceptions.client.ts`. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Extend `/policy/effective` and `/policy/simulate` to include exception metadata and allow simulation overrides; audit logging + pagination limits preserved. |
| 2 | WEB-EXC-25-003 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/exception-events.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/exception-events.client.ts`. | BE-Base Platform Guild; Platform Events Guild (`src/Web/StellaOps.Web`) | Publish `exception.*` events, integrate notification hooks, enforce rate limits. |
| 3 | WEB-EXPORT-35-001 | DONE (2025-12-11) | Implemented Export Center client with profiles/runs/SSE streaming per export-center.md contract. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Surface Export Center APIs with tenant scoping, streaming support, viewer/operator scope checks. |
| 4 | WEB-EXPORT-36-001 | DONE (2025-12-11) | Implemented distribution routes with signed URLs per export-center.md contract. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add distribution routes (OCI/object storage), manifest/provenance proxies, signed URL generation. |
| 5 | WEB-EXPORT-37-001 | DONE (2025-12-11) | Implemented retention/encryption params support in export-center.models.ts. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose scheduling, retention, encryption parameters, verification endpoints with admin scope enforcement and audit logs. |
| 6 | WEB-GRAPH-SPEC-21-000 | DONE (2025-12-11) | Graph Platform OpenAPI spec available at docs/schemas/graph-platform-api.openapi.yaml; overlay schema at docs/api/graph/overlay-schema.md. | BE-Base Platform Guild; Graph Platform Guild (`src/Web/StellaOps.Web`) | Graph API/overlay spec drop; stub exists but not ratified. |
| 7 | WEB-GRAPH-21-001 | DONE (2025-12-11) | Implemented Graph Platform client with tenant scoping, RBAC, tiles/search/paths endpoints. | BE-Base Platform Guild; Graph Platform Guild (`src/Web/StellaOps.Web`) | Graph endpoints proxy with tenant enforcement, scope checks, streaming. |
| 8 | WEB-GRAPH-21-002 | DONE (2025-12-11) | Implemented bbox/zoom/path validation in TileQueryOptions; deterministic ordering in mock. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Request validation (bbox/zoom/path), pagination tokens, deterministic ordering; contract tests. |
| 9 | WEB-GRAPH-21-003 | DONE (2025-12-11) | Implemented error mapping and export streaming (GraphML/NDJSON/CSV/PNG/SVG) in GraphExportOptions. | BE-Base Platform Guild; QA Guild (`src/Web/StellaOps.Web`) | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, document rate limits. |
| 10 | WEB-GRAPH-21-004 | DONE (2025-12-11) | Implemented overlay pass-through with includeOverlays option; gateway remains stateless. | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Overlay pass-through; maintain streaming budgets while gateway stays stateless. |
| 11 | WEB-GRAPH-24-001 | DONE (2025-12-11) | Implemented gateway proxy with RBAC, caching (ETag/If-None-Match), pagination in GraphPlatformHttpClient. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Gateway proxy refresh for Graph API + Policy overlays with RBAC, caching, pagination, ETags, streaming; zero business logic. |
| 12 | WEB-GRAPH-24-002 | DONE (2025-12-11) | Implemented /graph/assets/* endpoints with getAssetSnapshot and getAdjacency methods. | BE-Base Platform Guild; SBOM Service Guild (`src/Web/StellaOps.Web`) | `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, tenant scoping as pure proxy. |
| 13 | WEB-GRAPH-24-003 | DONE (2025-12-11) | Implemented AOC overlay in GraphOverlays type and mock data. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Embed AOC summaries from overlay services; gateway does not compute derived severity/hints. |
| 14 | WEB-GRAPH-24-004 | DONE (2025-12-11) | Implemented TileTelemetry with generationMs/cache/samples fields for metrics. | BE-Base Platform Guild; Observability Guild (`src/Web/StellaOps.Web`) | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling. |
| 15 | WEB-LNM-21-001 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/advisories.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/advisories.client.ts`. | BE-Base Platform Guild; Concelier WebService Guild (`src/Web/StellaOps.Web`) | Surface `/advisories/*` APIs via gateway with caching, pagination, RBAC enforcement (`advisory:read`). |
| 16 | WEB-LNM-21-002 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/vex-evidence.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/vex-evidence.client.ts`. | BE-Base Platform Guild; Excititor WebService Guild (`src/Web/StellaOps.Web`) | Expose `/vex/*` read APIs with evidence routes/export handlers; map `ERR_AGG_*` codes. |
## Wave Coordination
- Single wave covering Graph overlays/assets, Export Center routing, and exception workflows; follow dependency order noted above.
## Wave Detail Snapshots
- Not required; Delivery Tracker captures task-level state.
## Interlocks
- Keep gateway contracts in `docs/api/gateway/*.md` aligned to authoritative OpenAPI/spec drops as they are published.
- Reconcile `exception.*` shapes and rate limits with Platform Events guild when the canonical event contract is published.
## Upcoming Checkpoints
- None scheduled; follow-up actions tracked below.
## Action Tracker
| Item | Owner | Due (UTC) | Status / Notes |
| --- | --- | --- | --- |
| Clear PTY exhaustion on dev host to restore shell access | DevOps Guild | 2025-11-30 | DONE (2025-12-12) — web unit tests runnable locally. |
| Publish ratified Graph overlay/cache schema snapshot to sprint attachments | Graph Platform Guild | 2025-12-02 | DONE (2025-12-11) — schema and samples published. |
| Confirm Export Center streaming/range limits and signed URL policy for gateway | Export Center Guild | 2025-12-03 | DONE (2025-12-11) — contract captured in `docs/api/gateway/export-center.md`. |
| Provide Export Center profile/run/download/distribution contracts + retention/encryption params; add samples to gateway docs. | Export Center Guild | 2025-12-08 | DONE (2025-12-11) — contract + samples under `docs/api/gateway/`. |
| Deliver advisory + VEX read gateway contracts and samples. | Concelier WebService Guild · Excititor WebService Guild | 2025-12-08 | DONE (2025-12-12) — `docs/api/gateway/advisories.md` and `docs/api/gateway/vex-evidence.md` published with samples. |
| Publish exception event hook schema + rate limits for `exception.*` notifications. | Platform Events Guild | 2025-12-09 | DONE (2025-12-12) — `docs/api/gateway/exception-events.md` published with samples. |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Graph overlay schema not ratified (WEB-GRAPH-SPEC-21-000) | Schema churn could require client/model updates | Keep gateway as pure proxy; pin contract samples; update `docs/api/graph/overlay-schema.md` + client models when ratified. | Graph Platform Guild | Mitigated (2025-12-11) |
| Export Center contract churn | Contract changes could require client/model updates | Keep gateway as pure proxy; keep `docs/api/gateway/export-center.md` and client models aligned; add targeted contract tests as needed. | Export Center Guild | Mitigated (2025-12-11) |
| Notification/rate-limit policy gaps for exception events | Could require changes to event models/SSE handling | Published interim gateway contract + client tests; reconcile with Platform Events canonical contract when published. | BE-Base Platform Guild | Mitigated (2025-12-12) |
### Follow-up Plan (ordered)
1) Keep `docs/api/gateway/*.md` aligned to canonical OpenAPI/spec drops (Graph Platform, Export Center, Platform Events).
2) Promote gateway docs/samples into module-owned API docs as contracts freeze (to reduce drift and keep responsibilities clear).
3) Add/extend contract tests as upstream services publish authoritative schemas (especially `exception.*` event envelopes and limits).
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalized sprint to standard template, expanded dependencies/checkpoints, and carried over all tasks from prior list. | Project Mgmt |
| 2025-11-30 | Renamed file from `SPRINT_213_web_ii.md` to `SPRINT_0213_0001_0002_web_ii.md`; pending cross-references updated. | Project Mgmt |
| 2025-11-30 | Resolved duplicate Graph task IDs: `WEB-GRAPH-24-002` (assets endpoints), `WEB-GRAPH-24-003` (AOC summaries), `WEB-GRAPH-24-004` (telemetry). Synced tasks-all entries accordingly. | Project Mgmt |
| 2025-11-30 | Marked WEB-EXC-25-002 BLOCKED due to host PTY exhaustion (`openpty: No space left on device`); need shell access restored to continue implementation. | Implementer |
| 2025-12-06 | Marked WEB-EXC-25-003, WEB-EXPORT-35/36/37-001, WEB-GRAPH-21-003/004, WEB-GRAPH-24-001/002/003/004, WEB-LNM-21-001/002 BLOCKED pending upstream contracts (Export Center, Graph overlay, advisory/VEX schemas) and restoration of shell capacity. No code changes made. | Implementer |
| 2025-12-06 | Added placeholder docs: `docs/api/gateway/export-center.md` (Export Center gateway), `docs/api/graph/overlay-schema.md`, and `docs/api/console/exception-schema.md` to capture required inputs; awaiting owner-provided schemas/fixtures. | Project Mgmt |
| 2025-12-06 | Added owner draft + samples for overlays and signals: `docs/api/graph/overlay-schema.md` with `samples/overlay-sample.json`; `docs/api/signals/reachability-contract.md` with `samples/callgraph-sample.json` and `facts-sample.json`. | Project Mgmt |
| 2025-12-06 | Added ordered unblock plan for Web II (Export Center → Graph overlay → advisory/VEX schemas → shell restore → exception hooks). | Project Mgmt |
| 2025-12-07 | Drafted Export Center gateway contract v0.9 in `docs/api/gateway/export-center.md` (profiles/run/status/events/distribution, limits, deterministic ordering, DSSE option) to unblock WEB-EXPORT-35/36/37. | Project Mgmt |
| 2025-12-11 | **Export Center + Graph Platform complete:** WEB-EXPORT-35/36/37-001 and WEB-GRAPH-SPEC-21-000 through WEB-GRAPH-24-004 all DONE (12 tasks). Created: `export-center.models.ts`, `export-center.client.ts` (HTTP + mock with profiles/runs/SSE streaming/distributions), `graph-platform.models.ts`, `graph-platform.client.ts` (HTTP + mock with graphs/tiles/search/paths/export/assets/adjacency). Only WEB-EXC-25-002/003 and WEB-LNM-21-001/002 remain blocked (missing exception schema and advisory service schema). | Implementer |
| 2025-12-12 | Completed WEB-EXC-25-002/003 and WEB-LNM-21-001/002: published gateway contracts + samples (`docs/api/gateway/policy-exceptions.md`, `docs/api/gateway/exception-events.md`, `docs/api/gateway/advisories.md`, `docs/api/gateway/vex-evidence.md`) and shipped web SDK clients with unit specs; verified targeted `ng test` includes (9/9 pass). | Implementer |

85
docs/implplan/archived/SPRINT_0214_0001_0001_web_iii.md Normal file
View File

@@ -0,0 +1,85 @@
# Sprint 0214_0001_0001 · Experience & SDKs · Web III (180.F)
## Topic & Scope
- Phase III gateway client/contract delivery for Experience & SDKs: notifier routing, OpenAPI alignment, and observability surfaces.
- Add evidence aggregation helpers for Console and prep orchestrator read-only routes to unblock control-plane features in Web IV.
- Keep gateway contracts deterministic and offline-friendly (stable ordering, strict caps, cache headers).
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream: `SPRINT_0213_0001_0002_web_ii.md` (Web II) delivered advisory + VEX read contracts, unblocking WEB-LNM-21-003.
- Concurrency: remaining work (WEB-LNM-21-003, WEB-ORCH-32-001) can proceed in parallel; keep gateway docs + samples aligned to upstream services.
- Sequencing (already completed): WEB-NOTIFY-38-001 → 39-001 → 40-001; WEB-OAS-61-001 → 61-002 → 62-001 → 63-001; WEB-OBS-50-001 → 51-001 → 52-001 → 54-001 → 55-001 → 56-001.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/orchestrator/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-LNM-21-003 | DONE (2025-12-12) | Contract + sample in `docs/api/gateway/policy-evidence.md`; client + mock + unit spec in `src/Web/StellaOps.Web/src/app/core/api/policy-evidence.client.ts`. | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Provide combined endpoint for Console to fetch policy result plus advisory/VEX evidence linksets for a component. |
| 2 | WEB-NOTIFY-38-001 | DONE (2025-12-11) | Extended notify.client.ts with tenant-scoped routing per SDK examples. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. |
| 3 | WEB-NOTIFY-39-001 | DONE (2025-12-11) | Implemented digest/quiet-hours/throttle in notify.models.ts and notify.client.ts. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. |
| 4 | WEB-NOTIFY-40-001 | DONE (2025-12-11) | Implemented escalation/localization/incidents/ack in notify.client.ts with Mock client. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. |
| 5 | WEB-OAS-61-001 | DONE (2025-12-11) | Implemented gateway-openapi.client.ts with getOpenApiSpec (ETag/If-None-Match support). | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement `GET /.well-known/openapi` returning gateway spec with version metadata, cache headers, and signed ETag. |
| 6 | WEB-OAS-61-002 | DONE (2025-12-11) | Added GatewayErrorEnvelope in gateway-openapi.models.ts with standard error shape. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Migrate gateway errors to standard envelope and update examples; ensure telemetry logs include `error.code`. |
| 7 | WEB-OAS-62-001 | DONE (2025-12-11) | Added PaginationCursor, IdempotencyResponse, RateLimitInfo types and checkIdempotencyKey method. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Normalize endpoints to cursor pagination, expose `Idempotency-Key` support, and document rate-limit headers. |
| 8 | WEB-OAS-63-001 | DONE (2025-12-11) | Added DeprecationInfo/DeprecatedRoute types and getDeprecatedRoutes method. | BE-Base Platform Guild · API Governance Guild (`src/Web/StellaOps.Web`) | Add deprecation header middleware, Sunset link emission, and observability metrics for deprecated routes. |
| 9 | WEB-OBS-50-001 | DONE (2025-12-11) | Implemented TraceContext, TelemetryMetadata types; all client methods emit trace/span IDs. | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Replace ad-hoc logging; ensure routes emit trace/span IDs, tenant context, and scrubbed payload previews. |
| 10 | WEB-OBS-51-001 | DONE (2025-12-11) | Implemented getHealth/getSlos in gateway-observability.client.ts with burn-rate/exemplar support. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement `/obs/health` and `/obs/slo` aggregations pulling Prometheus/collector metrics with burn-rate signals and exemplar links for Console widgets. |
| 11 | WEB-OBS-52-001 | DONE (2025-12-11) | Implemented getTrace/queryLogs with time window limits, tenant scoping, signed URLs. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Deliver `/obs/trace/:id` and `/obs/logs` proxy endpoints with guardrails (time window limits, tenant scoping) forwarding to timeline indexer + log store with signed URLs. |
| 12 | WEB-OBS-54-001 | DONE (2025-12-11) | Implemented listEvidence/listAttestations with timeline:read, evidence:read, attest:read scopes. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/evidence/*` and `/attestations/*` pass-through endpoints, enforce `timeline:read`, `evidence:read`, `attest:read` scopes, append provenance headers, and surface verification summaries. |
| 13 | WEB-OBS-55-001 | DONE (2025-12-11) | Implemented get/updateIncidentMode with audit trail, sampling override, retention bump. | BE-Base Platform Guild · Ops Guild (`src/Web/StellaOps.Web`) | Add `/obs/incident-mode` API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. |
| 14 | WEB-OBS-56-001 | DONE (2025-12-11) | Implemented getSealStatus with drift metrics and widgetData for Console. | BE-Base Platform Guild · AirGap Guild (`src/Web/StellaOps.Web`) | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. |
| 15 | WEB-ORCH-32-001 | DONE (2025-12-12) | Contract + sample in `docs/api/gateway/orchestrator.md`; client + mock + unit spec in `src/Web/StellaOps.Web/src/app/core/api/orchestrator.client.ts`. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose read-only orchestrator APIs (e.g., `/orchestrator/sources`) via gateway with tenant scoping, caching headers, and rate limits. |
## Wave Coordination
- **Wave A (done):** Notifier routing (tasks 24).
- **Wave B (done):** Gateway OpenAPI alignment (tasks 58).
- **Wave C (done):** Observability surfaces (tasks 914).
- **Wave D (done):** Evidence aggregation + orchestrator read-only (tasks 1, 15).
## Wave Detail Snapshots
- Wave A: notifier workflows supported via `src/Web/StellaOps.Web/src/app/core/api/notify.models.ts` and `src/Web/StellaOps.Web/src/app/core/api/notify.client.ts` (incl. deterministic mock support).
- Wave B: OpenAPI discovery and conventions in `src/Web/StellaOps.Web/src/app/core/api/gateway-openapi.models.ts` and `src/Web/StellaOps.Web/src/app/core/api/gateway-openapi.client.ts`.
- Wave C: observability surfaces in `src/Web/StellaOps.Web/src/app/core/api/gateway-observability.models.ts` and `src/Web/StellaOps.Web/src/app/core/api/gateway-observability.client.ts`.
- Wave D: evidence aggregation via `docs/api/gateway/policy-evidence.md` + `src/Web/StellaOps.Web/src/app/core/api/policy-evidence.client.ts`; orchestrator read-only via `docs/api/gateway/orchestrator.md` + `src/Web/StellaOps.Web/src/app/core/api/orchestrator.client.ts`.
## Interlocks
- Keep gateway docs (`docs/api/gateway/*.md`) and web clients/models aligned; gateway remains a stateless proxy (no business logic).
- Evidence aggregation (WEB-LNM-21-003) composes existing `/policy/*`, `/advisories/*`, and `/vex/*` routes; preserve deterministic ordering/hashes from source payloads and do not invent verdicts.
- Orchestrator read-only routes (WEB-ORCH-32-001) should follow the Orchestrator OpenAPI/spec once published; until then, draft from `docs/modules/orchestrator/architecture.md` and keep clearly marked as interim.
## Upcoming Checkpoints
- None scheduled; track remaining work via Action Tracker.
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Publish combined policy+evidence response shape + samples for WEB-LNM-21-003. | BE-Base Platform Guild · Policy Guild | 2025-12-16 | DONE (2025-12-12) |
| 2 | Publish orchestrator read-only gateway contract + samples for WEB-ORCH-32-001. | Orchestrator Guild · BE-Base Platform Guild | 2025-12-16 | DONE (2025-12-12) |
| 3 | Sync `docs/implplan/tasks-all.md` statuses for Web III tasks. | Planning | 2025-12-12 | DONE (2025-12-12) |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Aggregated evidence contract unclear (WEB-LNM-21-003) | Console implementation drift; duplicated fetching | Define a minimal combined response (policy result + advisory/VEX linksets) with deterministic samples; keep web clients as pure composition. | BE-Base Platform Guild · Policy Guild | Mitigated (2025-12-12) |
| Orchestrator read-only contract drift (WEB-ORCH-32-001) | UI features blocked or rework when service spec lands | Draft interim gateway contract + samples; align to Orchestrator OpenAPI once published; keep gateway proxy stateless. | Orchestrator Guild · BE-Base Platform Guild | Mitigated (2025-12-12) |
| Gateway conventions drift (error envelope/pagination/idempotency/deprecation) | Breaking changes for Console/CLI consumers | Keep gateway docs + `gateway-openapi.*` types authoritative for web clients; add targeted unit specs asserting headers and error mapping. | API Governance Guild | Mitigated (2025-12-11) |
| Local shell/PTY capacity limits validation | Tests/builds blocked locally | Mitigated: PTY restored; keep deterministic Chromium bootstrap (`src/Web/StellaOps.Web/scripts/verify-chromium.js`). | DevOps Guild | Mitigated (2025-12-12) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalized sprint to standard template and renamed from `SPRINT_214_web_iii.md`; preserved existing task list. | Project Mgmt |
| 2025-11-30 | Unable to start WEB-NOTIFY-38-001: local shell cannot spawn (openpty "No space left on device"); routing work blocked until environment recovers. | Implementer |
| 2025-11-30 | Marked all sprint tasks BLOCKED because local environment cannot spawn shells (openpty "No space left on device"); cannot run builds/tests or edit via CLI. | Implementer |
| 2025-12-01 | Could not update `docs/implplan/tasks-all.md` references due to same PTY failure; needs shell access to complete renames. | Implementer |
| 2025-12-11 | **Web III 13/15 tasks complete:** WEB-NOTIFY-38/39/40-001 (notifier gateway), WEB-OAS-61-001/002 + 62/63-001 (OpenAPI spec/pagination/deprecation), WEB-OBS-50/51/52/54/55/56-001 (observability) all DONE. Created: extended `notify.models.ts` with digest/quiet-hours/throttle/escalation/incident types, extended `notify.client.ts` with all methods + MockNotifyClient, `gateway-openapi.models.ts` + `gateway-openapi.client.ts` (spec/deprecation/idempotency), `gateway-observability.models.ts` + `gateway-observability.client.ts` (health/SLO/trace/logs/evidence/attestations/incident-mode/seal-status). Only WEB-LNM-21-003 and WEB-ORCH-32-001 remain blocked (missing advisory/VEX schema and orchestrator REST contract). | Implementer |
| 2025-12-12 | Normalised sprint to coordination template (waves/interlocks/action tracker/risks), updated blockers to actionable TODOs, and synced `docs/implplan/tasks-all.md` statuses for Web III. | Project Mgmt |
| 2025-12-12 | Completed WEB-LNM-21-003 and WEB-ORCH-32-001: published gateway contracts + samples (`docs/api/gateway/policy-evidence.md`, `docs/api/gateway/orchestrator.md`) and shipped web SDK clients/mocks with unit specs; verified targeted `ng test` includes (4/4 pass). | Implementer |

95
docs/implplan/archived/SPRINT_0215_0001_0001_web_iv.md Normal file
View File

@@ -0,0 +1,95 @@
# Sprint 0215-0001-0001 · Web IV (Experience & SDKs 180.F)
## Topic & Scope
- Phase IV web gateway work: orchestrator controls and Policy Studio CRUD/simulation endpoints aligned with Policy Engine.
- Complete policy pack lifecycle (CRUD → activation → publish/promote) with deterministic pagination, RBAC, and telemetry.
- Wire console/CLI consumers by keeping API docs and rate limits in sync with Sprint 180.F deliverables.
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream Sprint 180.F (Web III) must land shared components before these endpoints go live.
- Policy endpoints (20-001 → 20-004) must complete in order; Policy pack tracks (23-001/002) stay BLOCKED until 20-004 ships.
- Policy registry/Studio extensions (27-001…27-005) are sequential; avoid parallel development without shared schema updates.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/policy/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-ORCH-33-001 | DONE (2025-12-12) | Completed (contract + samples + SDK client + unit spec). | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
| 2 | WEB-ORCH-34-001 | DONE (2025-12-12) | Completed (contract + samples + SDK client + unit spec). | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
| 3 | WEB-POLICY-20-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
| 4 | WEB-POLICY-20-002 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
| 5 | WEB-POLICY-20-003 | DONE (2025-12-11) | Completed | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
| 6 | WEB-POLICY-20-004 | DONE (2025-12-11) | Completed | Platform Reliability Guild (`src/Web/StellaOps.Web`) | Introduce adaptive rate limits/quotas for simulations, expose metrics, and document retry headers. |
| 7 | WEB-POLICY-23-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Create/list/fetch policy packs and revisions with pagination, RBAC, and AOC metadata exposure. |
| 8 | WEB-POLICY-23-002 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add activation endpoints with scope windows, conflict checks, optional two-person approvals, and events. |
| 9 | WEB-POLICY-23-003 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/policy/simulate` + `/policy/evaluate` streaming APIs with rate limiting and error mapping. |
| 10 | WEB-POLICY-23-004 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose explain history endpoints showing decision trees, consulted sources, and AOC chain. |
| 11 | WEB-POLICY-27-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild · Policy Registry Guild (`src/Web/StellaOps.Web`) | Proxy Policy Registry APIs (workspaces/versions/reviews) with tenant scoping, RBAC, and streaming downloads. |
| 12 | WEB-POLICY-27-002 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement review lifecycle endpoints (open/comment/approve/reject) with audit headers and pagination. |
| 13 | WEB-POLICY-27-003 | DONE (2025-12-11) | Completed | BE-Base Platform Guild · Scheduler Guild (`src/Web/StellaOps.Web`) | Expose quick/batch simulation endpoints with SSE progress streams, cursor pagination, and manifest downloads. |
| 14 | WEB-POLICY-27-004 | DONE (2025-12-11) | Completed | BE-Base Platform Guild · Security Guild (`src/Web/StellaOps.Web`) | Add publish/sign/promote/rollback endpoints with idempotent IDs, canary params, environment bindings, and events. |
| 15 | WEB-POLICY-27-005 | DONE (2025-12-11) | Completed | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Instrument Policy Studio metrics/logs (compile latency, simulation queue depth, approvals, promotions) and dashboards. |
## Wave Coordination
- Wave 1: Orchestrator run-control (WEB-ORCH-33/34) follows WEB-ORCH-32-001 and can proceed independently of policy work.
- Wave 2: Policy Engine CRUD/simulation (WEB-POLICY-20-001…004) is DONE (2025-12-11).
- Wave 3: Policy pack lifecycle (WEB-POLICY-23-001…004) is DONE (2025-12-11).
- Wave 4: Registry/Studio proxy and publishing (WEB-POLICY-27-001…005) is DONE (2025-12-11).
## Wave Detail Snapshots
| Wave | Covered tasks | Current state | Exit criteria | Blockers |
| --- | --- | --- | --- | --- |
| 1 | WEB-ORCH-33-001, WEB-ORCH-34-001 | DONE (2025-12-12) | POST run-control routes plus quotas/backfill metrics deployed with RBAC + audit logging | None |
| 2 | WEB-POLICY-20-001…004 | DONE (2025-12-11) | Policy CRUD/simulate endpoints with rate limits and error mapping published in OpenAPI | None |
| 3 | WEB-POLICY-23-001…004 | DONE (2025-12-11) | Policy pack CRUD/activation/simulate/evaluate with streaming responses and explain history | None |
| 4 | WEB-POLICY-27-001…005 | DONE (2025-12-11) | Registry proxy with reviews, publish/promote/rollback, and Studio observability dashboards | None |
## Interlocks
- Policy Engine REST contract + tenant/RBAC specification is required before any WEB-POLICY-20-* implementation.
- Platform Reliability must approve adaptive rate-limit design for simulations before publishing retry headers and CLI docs.
- Policy Registry schema/versioning alignment is needed to avoid rework in WEB-POLICY-27-001…005.
- Security Guild audit/RBAC checklist must be applied to orchestrator control routes prior to release.
- Orchestrator run-control REST contract and audit/RBAC checklist delivered (see `docs/api/gateway/orchestrator.md`).
## Upcoming Checkpoints
- None scheduled; sprint complete (Wave 1 done).
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Deliver Policy Engine REST contract + tenant/RBAC spec for web gateway | Policy Guild | 2025-12-02 | DONE (2025-12-07) | Delivered per `docs/schemas/policy-engine-rest.openapi.yaml` (see Execution Log 2025-12-07). |
| 2 | Confirm adaptive rate-limit design for simulations | Platform Reliability Guild | 2025-12-03 | DONE (2025-12-07) | Delivered per `docs/contracts/rate-limit-design.md` (see Execution Log 2025-12-07). |
| 3 | Publish RBAC/tenant alignment note for web gateway once contract lands | BE-Base Platform Guild | 2025-12-05 | DONE (2025-12-07) | Delivered per `docs/contracts/web-gateway-tenant-rbac.md` (see Execution Log 2025-12-07). |
| 4 | Lock Policy Registry schema/versioning plan for Studio proxy | Policy Registry Guild | 2025-12-09 | DONE (2025-12-07) | Delivered per registry alignment note (see Execution Log 2025-12-07). |
| 5 | Provide orchestrator run-control REST contract + audit/RBAC checklist | Platform Reliability Guild · Security Guild | 2025-12-03 | DONE (2025-12-12) | Published contract at `docs/api/gateway/orchestrator.md`, documented operator headers, and added deterministic samples under `docs/api/gateway/samples/`. |
## Decisions & Risks
- Policy Engine / pack lifecycle / registry proxy work is complete (2025-12-11); keep OpenAPI + gateway docs aligned with those implementations.
- Orchestrator run-control + quotas/metrics work is complete (2025-12-12); enforce RBAC, tenant scoping, and operator metadata headers for audit logging.
| ID | Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- | --- |
| R1 | Policy Engine REST contract/RBAC spec slips past 2025-12-02 | Blocks WEB-POLICY-20-001…004 and downstream pack work | Track Action #1; escalate to Policy Guild; keep OpenAPI placeholders out of main until contract arrives | Policy Guild | Mitigated (2025-12-07) |
| R2 | Rate-limit design review delayed past 2025-12-03 | Simulation endpoints cannot expose quotas/headers; CLI docs drift | Track Action #2; freeze public docs until design approved; backfill metrics before enablement | Platform Reliability Guild | Mitigated (2025-12-07) |
| R3 | Registry schema/versioning diverges from web proxy | Rework for WEB-POLICY-27-001…005; potential outage on streaming downloads | Track Action #4; pin schema versions and add contract tests before merge | Policy Registry Guild | Mitigated (2025-12-11) |
| R4 | Orchestrator run-control released without audit/RBAC alignment | Post-release security gap and incomplete audit trail | Apply Security Guild checklist; add acceptance tests for RBAC + audit logging before Wave 1 exit | BE-Base Platform Guild | Mitigated (2025-12-12) |
| R5 | Missing orchestrator gateway REST contract for run-control/metrics | Blocks WEB-ORCH-33-001/34-001 and delays Wave 1 start | Track Action #5; obtain contract + header requirements; wire OperatorMetadata interceptor once contract is defined | Platform Reliability Guild | Mitigated (2025-12-12) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | **Wave 1 complete:** Completed WEB-ORCH-33-001/34-001 by publishing the orchestrator run-control + quotas contract and samples (`docs/api/gateway/orchestrator.md`, `docs/api/gateway/samples/orchestrator-*.json`), shipping the web SDK client + deterministic mock + unit spec (`src/Web/StellaOps.Web/src/app/core/api/orchestrator-control.*`), and wiring `ORCHESTRATOR_CONTROL_API` in `src/Web/StellaOps.Web/src/app/app.config.ts`. | Implementer |
| 2025-12-11 | **Wave 2/3/4 complete:** Completed all 13 policy tasks (WEB-POLICY-20-001..004, 23-001..004, 27-001..005). Implemented: PolicyEngineStore, Policy CRUD/simulation APIs, error handling with ERR_POL_* codes, adaptive rate limiting/quotas, SSE streaming for simulations, policy registry proxy, review lifecycle, batch simulation, publish/sign/promote/rollback endpoints, and Policy Studio metrics/logs service. Only WEB-ORCH-33/34 remain BLOCKED pending orchestrator REST contract. | Implementer |
| 2025-12-07 | **Wave 10 unblock:** Changed 13 tasks from BLOCKED → TODO. Policy Engine REST contract delivered at `docs/schemas/policy-engine-rest.openapi.yaml`, rate-limit design at `docs/contracts/rate-limit-design.md`, tenant/RBAC spec at `docs/contracts/web-gateway-tenant-rbac.md`. WEB-POLICY-20-001..004, 23-001..004, 27-001..005 can now proceed sequentially. | Implementer |
| 2025-11-30 | Marked WEB-ORCH-33-001/34-001 BLOCKED pending orchestrator REST contract + RBAC/audit checklist; no backend surface present in web workspace. | Implementer |
| 2025-11-30 | Normalized to docs/implplan template (added waves, interlocks, action tracker); propagated BLOCKED statuses to downstream tasks and refreshed checkpoints. | Project Mgmt |
| 2025-11-25 | Marked WEB-POLICY-20-001 BLOCKED: need Policy Engine REST contract + tenant/RBAC spec before wiring Angular/Web gateway endpoints. | Implementer |
| 2025-11-19 | Normalized sprint to standard template and migrated content from `SPRINT_215_web_iv.md`. | Project Mgmt |