fix(web): ship findings compare baseline availability

2026-03-08 15:13:32 +02:00
parent 30532800ec
commit 6be4a25d17
7 changed files with 291 additions and 10 deletions
--- a/docs/features/checked/web/findings-compare-baseline-availability-ui.md
+++ b/docs/features/checked/web/findings-compare-baseline-availability-ui.md
@@ -0,0 +1,46 @@
+# Findings Compare Baseline Availability UI
+
+## Module
+Web
+
+## Status
+VERIFIED
+
+## Description
+The embedded compare surface on `/security/findings` now treats `active-scan` as a first-class current target, shows an explicit unavailable state when no baseline exists, disables export until comparison data is real, and keeps detail mode on live findings data without the stale `Export Audit Pack` control.
+
+## Implementation Details
+- **Feature directories**:
+  - `src/Web/StellaOps.Web/src/app/features/findings/`
+  - `src/Web/StellaOps.Web/src/app/features/compare/`
+- **Primary implementation files**:
+  - `src/Web/StellaOps.Web/src/app/features/findings/container/findings-container.component.ts`
+  - `src/Web/StellaOps.Web/src/app/features/compare/components/compare-view/compare-view.component.ts`
+  - `src/Web/StellaOps.Web/src/app/features/findings/findings-list.component.ts`
+- **Focused regression files**:
+  - `src/Web/StellaOps.Web/src/app/core/testing/findings-container.component.spec.ts`
+  - `src/Web/StellaOps.Web/src/tests/findings/findings-list.audit-export.behavior.spec.ts`
+  - `src/Web/StellaOps.Web/tests/e2e/findings-compare-baseline-availability.spec.ts`
+- **Canonical route**:
+  - `/security/findings`
+
+## Verification
+- Run:
+  - `npm test -- --watch=false --include src/tests/findings/findings-list.audit-export.behavior.spec.ts`
+  - `npx playwright test --config playwright.config.ts tests/e2e/findings-compare-baseline-availability.spec.ts --workers=1`
+  - `npm run build`
+- Tier 0 (source): pass
+- Tier 1 (build/tests): pass
+- Tier 2 (behavior): pass
+- Notes:
+  - Focused unit coverage passed: `1/1` tests in `findings-list.audit-export.behavior.spec.ts`.
+  - Deterministic Playwright passed: `2/2` scenarios for no-baseline diff behavior and detail-mode audit-export removal.
+  - Live authenticated replay on `https://stella-ops.local/security/findings?tenant=demo-prod&regions=us-east&environments=stage&timeWindow=7d` showed `Active scan`, rendered `No baseline recommendations available for this scan`, kept `Export` disabled, and issued no `/api/compare/delta` request without a selected baseline.
+  - Production build passed; existing bundle-budget warnings remain unchanged from the baseline.
+- Verified on (UTC): 2026-03-08T13:04:26Z
+
+## Verified Behavior
+- `/security/findings` passes the embedded compare surface the active/current scan context instead of relying on standalone compare route params.
+- When `/api/compare/baselines/active-scan` returns `selectedDigest: null`, the page shows a truthful unavailable state instead of fake zero-change content.
+- Export remains disabled until both current and baseline targets exist.
+- Detail mode renders live findings rows and does not expose the removed `Export Audit Pack` action.
--- a/docs/implplan/SPRINT_20260307_018_FE_findings_compare_baseline_availability.md
+++ b/docs/implplan/SPRINT_20260307_018_FE_findings_compare_baseline_availability.md
@@ -1,52 +0,0 @@
-# Sprint 20260307_018 - Findings Compare Baseline Availability
-
-## Topic & Scope
- Repair the live `/security/findings` diff surface so it does not present an empty compare shell as if comparison data exists.
- Wire the embedded findings compare view to the current scan context instead of relying only on route params from standalone compare routes.
- Replace misleading zero-change and active-export states with truthful comparison availability states when no baseline exists.
- Remove the unsupported detail-view audit export affordance that currently posts to a nonexistent frontend-only route.
- Working directory: `src/Web/StellaOps.Web`.
- Expected evidence: focused Angular specs, live Playwright findings-route verification, rebuilt/synced web bundle.
-
-## Dependencies & Concurrency
- Depends on the current live stack at `https://stella-ops.local`.
- Safe to run in parallel with unrelated UI/settings/search work as long as edits stay within compare/findings components and this sprint file.
-
-## Documentation Prerequisites
- `AGENTS.md`
- `src/Web/StellaOps.Web/AGENTS.md`
- `docs/qa/feature-checks/FLOW.md`
-
-## Delivery Tracker
-
-### FE-018-01 - Restore truthful findings diff behavior
-Status: DOING
-Dependency: none
-Owners: Developer, QA
-Task description:
- Investigate the live authenticated findings diff route with Playwright and trace why the compare surface renders empty panes and misleading change/export affordances.
- Implement a durable fix in the embedded compare/finding components so the current scan context is wired correctly, baseline availability is surfaced honestly, and inert export behavior is removed.
- Replace detail-mode placeholder findings data and unsupported audit export controls with truthful live-data and live-contract behavior.
-
-Completion criteria:
- [ ] `/security/findings` uses the active/current scan context inside the embedded compare surface.
- [ ] When no baseline is available, the UI shows an explicit unavailable state instead of fake zero-change content.
- [ ] Export affordances are disabled or otherwise truthful when comparison data is unavailable.
- [ ] Detail mode does not expose any inert audit export control without a live backend contract.
- [ ] Focused Angular tests cover the embedded-current-scan path and the no-baseline state.
- [ ] Live Playwright verification on `https://stella-ops.local` confirms the corrected behavior.
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
-| 2026-03-07 | Sprint created and set to DOING after real-auth Playwright reproduction showed `/security/findings` only calling `/api/compare/baselines/active-scan`, then rendering empty compare panes with active export despite no baseline being available. | Codex |
-| 2026-03-07 | Replaced detail-mode placeholder findings with live `api/v2/security/findings` data, removed the unsupported `Export Audit Pack` control that posted to nonexistent `/api/v1/audit-pack/export`, and queued a live Playwright recheck for detail/diff parity. | Codex |
-
-## Decisions & Risks
- The live compare API returns `selectedDigest: null` with a selection reason for `active-scan`; the UI must handle this as a first-class state instead of implying a successful comparison.
- The embedded findings route cannot rely only on standalone compare route params; it must pass or derive current scan context explicitly.
- Findings detail mode previously exposed an audit export workflow backed only by a stale frontend-only path. Until a real scan/finding-scoped export contract exists, the findings surface must not advertise that action.
-
-## Next Checkpoints
- Focused Angular regression specs green.
- Live Playwright recheck on `/security/findings?tenant=demo-prod&regions=us-east&environments=stage&timeWindow=7d`.
--- a/docs/modules/ui/implementation_plan.md
+++ b/docs/modules/ui/implementation_plan.md
@@ -33,6 +33,7 @@ Provide a living plan for UI deliverables, dependencies, and evidence.
 - `docs/features/checked/web/execution-operations-ui.md` - shipped verification note for canonical execution routes, repaired jobengine and scheduler aliases, completed dead-letter actions, and usable scanner-support workflows.
 - `docs/features/checked/web/topology-trust-administration-ui.md` - shipped verification note for canonical topology and trust setup shells, repaired settings/admin/platform aliases, and platform-setup handoffs.
 - `docs/features/checked/web/security-operations-leaves-ui.md` - shipped verification note for mission alerts/activity surfacing, unknowns route repair, notifications ownership, and legacy security alias cutover.
+- `docs/features/checked/web/findings-compare-baseline-availability-ui.md` - shipped verification note for the truthful no-baseline findings compare state, disabled export behavior, live findings detail list, and removed stale audit export action.
 - `docs/features/checked/web/platform-setup-canonical-route-preservation-ui.md` - shipped verification note for preserved `/ops/platform-setup/*` URLs during the shared setup/topology cutover.
 - `docs/features/checked/web/release-promotions-cutover-ui.md` - shipped verification note for canonical release promotions routing, alias cutover, release-context wizard handoff, and end-to-end request submission.
 - `docs/features/checked/web/evidence-capsules-canonical-cutover-ui.md` - shipped verification note for canonical Evidence-owned capsule routes, `/evidence-packs*` bookmark repair, and AI/release context handoffs.