Fix findings detail truthfulness and export affordances

docs/implplan/SPRINT_20260307_018_FE_findings_compare_baseline_availability.md

@@ -0,0 +1,52 @@
+# Sprint 20260307_018 - Findings Compare Baseline Availability
+
+## Topic & Scope
+- Repair the live `/security/findings` diff surface so it does not present an empty compare shell as if comparison data exists.
+- Wire the embedded findings compare view to the current scan context instead of relying only on route params from standalone compare routes.
+- Replace misleading zero-change and active-export states with truthful comparison availability states when no baseline exists.
+- Remove the unsupported detail-view audit export affordance that currently posts to a nonexistent frontend-only route.
+- Working directory: `src/Web/StellaOps.Web`.
+- Expected evidence: focused Angular specs, live Playwright findings-route verification, rebuilt/synced web bundle.
+
+## Dependencies & Concurrency
+- Depends on the current live stack at `https://stella-ops.local`.
+- Safe to run in parallel with unrelated UI/settings/search work as long as edits stay within compare/findings components and this sprint file.
+
+## Documentation Prerequisites
+- `AGENTS.md`
+- `src/Web/StellaOps.Web/AGENTS.md`
+- `docs/qa/feature-checks/FLOW.md`
+
+## Delivery Tracker
+
+### FE-018-01 - Restore truthful findings diff behavior
+Status: DOING
+Dependency: none
+Owners: Developer, QA
+Task description:
+- Investigate the live authenticated findings diff route with Playwright and trace why the compare surface renders empty panes and misleading change/export affordances.
+- Implement a durable fix in the embedded compare/finding components so the current scan context is wired correctly, baseline availability is surfaced honestly, and inert export behavior is removed.
+- Replace detail-mode placeholder findings data and unsupported audit export controls with truthful live-data and live-contract behavior.
+
+Completion criteria:
+- [ ] `/security/findings` uses the active/current scan context inside the embedded compare surface.
+- [ ] When no baseline is available, the UI shows an explicit unavailable state instead of fake zero-change content.
+- [ ] Export affordances are disabled or otherwise truthful when comparison data is unavailable.
+- [ ] Detail mode does not expose any inert audit export control without a live backend contract.
+- [ ] Focused Angular tests cover the embedded-current-scan path and the no-baseline state.
+- [ ] Live Playwright verification on `https://stella-ops.local` confirms the corrected behavior.
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-03-07 | Sprint created and set to DOING after real-auth Playwright reproduction showed `/security/findings` only calling `/api/compare/baselines/active-scan`, then rendering empty compare panes with active export despite no baseline being available. | Codex |
+| 2026-03-07 | Replaced detail-mode placeholder findings with live `api/v2/security/findings` data, removed the unsupported `Export Audit Pack` control that posted to nonexistent `/api/v1/audit-pack/export`, and queued a live Playwright recheck for detail/diff parity. | Codex |
+
+## Decisions & Risks
+- The live compare API returns `selectedDigest: null` with a selection reason for `active-scan`; the UI must handle this as a first-class state instead of implying a successful comparison.
+- The embedded findings route cannot rely only on standalone compare route params; it must pass or derive current scan context explicitly.
+- Findings detail mode previously exposed an audit export workflow backed only by a stale frontend-only path. Until a real scan/finding-scoped export contract exists, the findings surface must not advertise that action.
+
+## Next Checkpoints
+- Focused Angular regression specs green.
+- Live Playwright recheck on `/security/findings?tenant=demo-prod&regions=us-east&environments=stage&timeWindow=7d`.