feat(ui): ship policy decisioning studio

This commit is contained in:
master
2026-03-08 01:35:18 +02:00
parent 8ee40b56e9
commit 6e00a48e00
57 changed files with 3637 additions and 333 deletions


@@ -0,0 +1,67 @@
# Policy Decisioning Studio UI
## Module
Web
## Status
VERIFIED
## Description
Shipped the canonical `Policy Decisioning Studio` shell at `/ops/policy` and made it the mutable owner for policy packs, governance, simulation, VEX, exceptions, release gates, and policy/VEX audit. Legacy `policy-studio`, `policy/*`, `admin/policy/*`, `admin/vex-hub/*`, and security VEX aliases now resolve into the same routed shell instead of leaving writable sibling products active.
## Implementation Details
- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/policy-decisioning/`
- **Primary components**:
- `policy-decisioning-shell.component.ts`
- `policy-decisioning-overview-page.component.ts`
- `policy-pack-shell.component.ts`
- `policy-decisioning-vex-shell.component.ts`
- `policy-decisioning-gates-page.component.ts`
- `policy-decisioning-audit-shell.component.ts`
- **Canonical routes**:
- `/ops/policy/overview`
- `/ops/policy/packs/*`
- `/ops/policy/governance/*`
- `/ops/policy/simulation/*`
- `/ops/policy/vex/*`
- `/ops/policy/gates/*`
- `/ops/policy/audit/*`
- **Legacy aliases**:
- `/policy-studio/*`
- `/policy/*`
- `/admin/policy/*`
- `/admin/vex-hub/*`
- `/security/vex*`
- `/security/exceptions*`
- **Release-context entry points**:
- approvals detail
- promotion request
- release detail
- workflow editor
- evidence detail
## E2E Test Plan
- **Setup**:
- [x] Log in with a user that has policy, VEX, exception, and release read scopes.
- [x] Seed pack dashboard data or route fixtures for `/api/policy/packs` and `/api/policy/packs/:packId/dashboard`.
- [x] Start the local UI harness on `https://127.0.0.1:4400`.
- **Core verification**:
- [x] Verify `/ops/policy/overview` renders the canonical shell and primary tabs.
- [x] Verify a legacy pack bookmark lands inside pack-mode decisioning.
- [x] Verify a release-context gate URL renders context chips and return-to-source affordance.
- [x] Verify `/security/vex` redirects into the canonical VEX shell.
- **Regression verification**:
- [x] Verify targeted Angular route and redirect specs cover the alias contract.
- [x] Verify workflow-editor and evidence-detail deep links open the shared shell.
- [x] Verify global search VEX normalization lands in the canonical shell.
## Verification
- Run:
- `npm test -- --watch=false --include src/tests/policy_decisioning/policy-decisioning-shell.component.spec.ts --include src/tests/policy_decisioning/policy-decisioning-routes.spec.ts --include src/tests/release_orchestrator/evidence-detail.behavior.spec.ts --include src/tests/release_orchestrator/visual-workflow-editor.behavior.spec.ts --include src/tests/security/security-overview-dashboard.behavior.spec.ts --include src/tests/global_search/search-route-matrix.spec.ts --include src/tests/navigation/legacy-redirects.spec.ts --include src/tests/routes/legacy-route-migration-framework.component.spec.ts --include src/tests/administration/administration-routes.spec.ts --include src/tests/security-risk/security-risk-routes.spec.ts`
- `npx playwright test tests/e2e/policy-decisioning-studio.spec.ts`
- `npm run build`
- Tier 0 (source): pass
- Tier 1 (build/tests): pass
- Tier 2 (behavior): pass
- Note: the production build still emits existing bundle-budget warnings outside this feature scope; the build itself completes successfully.
- Verified on (UTC): 2026-03-07T23:22:53Z
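
Review bot: The Setup step `Log in with a user that has policy, VEX, exception, and release read scopes` exercises only a read-scoped user, while the Description makes this shell the mutable owner for packs, VEX, exceptions, and release gates, and none of the listed checks covers a user who lacks a scope arriving through a legacy alias such as `/security/vex`. Add a verification item confirming that an under-scoped user is denied, or sees the tab hidden, after the redirect lands in `/ops/policy`. The `Legacy aliases` list in this note also omits `/administration/policy*` and `/administration/policy-governance*`, which the README's `Legacy aliases kept live` list on this page includes; the two lists should match so the alias contract has one source of truth.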


@@ -1,147 +0,0 @@
# Sprint 20260307-022 - Policy VEX Release Decisioning Studio
## Topic & Scope
- Consolidate Policy Studio, Policy Governance, Policy Simulation, and actionable VEX decisioning into one canonical sub-product shell for the Console.
- Ship a fully wired `/ops/policy` experience with working routes, tabs, legacy redirects, release-context deep links, and no orphan mutable policy or VEX shells.
- Complete the usable operator workflows for packs, governance, simulation, VEX conflicts, exceptions, release gates, and audit rather than stopping at merge or routing notes.
- Working directory: `src/Web/StellaOps.Web/src/app/features`.
- Allowed coordination edits: `src/Web/StellaOps.Web/src/app/routes/`, `docs/modules/ui/policy-decisioning-studio`, `docs/implplan/`, `docs/modules/ui/TASKS.md`, and `docs/modules/ui/implementation_plan.md`.
- Expected evidence: code under `src/Web/**`, routable `/ops/policy` shell, working alias redirects, release-context entry points, targeted tests, and updated docs.
## Dependencies & Concurrency
- Depends on:
- `docs/contracts/policy-studio.md`
- `docs/security/policy-governance.md`
- `docs/modules/release-orchestrator/ui/overview.md`
- `docs/modules/release-orchestrator/workflow/evidence-based-release-gates.md`
- `docs/modules/ui/component-preservation-map/README.md`
- `src/Web/StellaOps.Web/src/app/routes/ops.routes.ts`
- `src/Web/StellaOps.Web/src/app/routes/administration.routes.ts`
- Safe parallelism:
- shell scaffolding and alias wiring can proceed in parallel with tab-by-tab migration once the canonical route family is fixed
- packs/governance and simulation/VEX work can proceed in parallel after shared shell context is in place
- release-context entry points and docs sync can proceed in parallel with tab implementation once ownership boundaries are stable
## Documentation Prerequisites
- `docs/modules/ui/policy-decisioning-studio/README.md`
- `docs/contracts/policy-studio.md`
- `docs/security/policy-governance.md`
- `docs/modules/release-orchestrator/ui/overview.md`
- `docs/modules/release-orchestrator/workflow/evidence-based-release-gates.md`
- `docs/modules/ui/component-preservation-map/SUMMARY_TREE.md`
## Delivery Tracker
### FE-PD-001 - Build the canonical `/ops/policy` shell
Status: TODO
Dependency: none
Owners: Product Manager, FE Architect
Task description:
- Implement the shell component, primary tabs, shared context header, and nav entry under the canonical `/ops/policy` root.
- Make the shell usable in global, pack, and release-context modes from the first shipped route.
Completion criteria:
- [ ] `/ops/policy` renders as the canonical shell with working top-level navigation.
- [ ] Primary tabs and shared context header are wired in code.
- [ ] Release-context mode can be entered without creating a separate product shell.
### FE-PD-002 - Migrate routes and legacy aliases into the new tree
Status: TODO
Dependency: FE-PD-001
Owners: FE Architect, Documentation author
Task description:
- Implement the canonical route tree for packs, governance, simulation, VEX, exceptions, release gates, and audit under `/ops/policy`.
- Wire redirects from `/policy-studio/*`, `/admin/policy/*`, and `/admin/vex-hub/*` so old entry points land on usable new pages.
Completion criteria:
- [ ] Canonical child routes exist in the active router.
- [ ] Legacy aliases redirect into working `/ops/policy` subviews.
- [ ] No mutable policy or VEX workflow remains dependent on an orphan route.
### FE-PD-003 - Ship Packs and Governance functionality
Status: TODO
Dependency: FE-PD-002
Owners: FE Architect, Documentation author
Task description:
- Migrate the policy pack workspace, editor, YAML, rule builder, approvals, explain flows, and governance controls into the new shell.
- Ensure these flows remain usable, not just reachable, after the shell cutover.
Completion criteria:
- [ ] Packs and Governance tabs are functional under `/ops/policy`.
- [ ] Editing, approvals, governance settings, and explain flows are usable from the new shell.
- [ ] Superseded pack and governance shells can be retired or redirected after cutover.
### FE-PD-004 - Ship Simulation, VEX, Exceptions, Gates, and Audit functionality
Status: TODO
Dependency: FE-PD-001
Owners: Product Manager, FE Architect
Task description:
- Migrate simulation flows, VEX conflict handling, exceptions, release gates, and audit history into the same shell.
- Ensure operators can complete the key workflows from the new tabs without falling back to dead or duplicate screens.
Completion criteria:
- [ ] Simulation, VEX, Exceptions, Release Gates, and Audit tabs are functional under `/ops/policy`.
- [ ] Conflict resolution, exception handling, and gate review are usable from the new shell.
- [ ] Old mutable VEX and policy action pages are no longer required for those workflows.
### FE-PD-005 - Wire Release Orchestrator into Decisioning Studio
Status: TODO
Dependency: FE-PD-002
Owners: Developer, FE Architect
Task description:
- Implement deep links from approvals, promotion requests, release detail, workflow editor, and evidence detail into release-context mode.
- Keep Release Orchestrator as the owner of release state while Decisioning Studio owns policy and VEX actions.
Completion criteria:
- [ ] Release-context entry points are wired from active release surfaces.
- [ ] Release-context header shows the required release, environment, artifact, and gate state.
- [ ] Operators can return to the release workflow after taking policy or VEX actions.
### FE-PD-006 - Verify cutover, redirects, and core operator journeys
Status: TODO
Dependency: FE-PD-005
Owners: QA, Test Automation
Task description:
- Add targeted UI verification for global mode, pack mode, and release-context mode, including old bookmarks and alias redirects.
- Validate that the new shell is the working owner for the core operator journeys, not just a shell around dead components.
Completion criteria:
- [ ] Playwright scenarios cover all three shell modes.
- [ ] Legacy aliases and old bookmarks land on usable new pages.
- [ ] Scope-based visibility and the main policy/VEX operator journeys are explicitly verified.
### FE-PD-007 - Complete docs sync and retire superseded shells
Status: TODO
Dependency: FE-PD-003
Owners: Documentation author, Project Manager
Task description:
- Update UI, security, and release docs to reflect the new canonical shell and the cutover state.
- Record which legacy names remain as temporary aliases and which old product shells are fully retired after the move.
Completion criteria:
- [ ] Cross-doc references are updated for the shipped shell.
- [ ] User-facing naming and alias lifetimes are documented.
- [ ] Retired sibling-product labels and routes are explicitly listed after cutover.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-07 | Sprint created to ship a single Decisioning Studio shell spanning policy authoring, governance, simulation, actionable VEX resolution, and release-context gate explanation. | Project Manager |
## Decisions & Risks
- Decision: the preferred product shape is one dynamic shell with deep-linkable tabs, not one giant page and not separate sibling products.
- Decision: Release Orchestrator remains the owner of promotion state; the new shell owns policy, VEX, exception, and gate explanation workflows.
- Decision: `/ops/policy` is the preferred canonical root because it already exists in the active route tree and best fits the "policy as an ops control plane" model.
- Risk: moving all VEX screens under Policy could bury read-only security exploration use cases that still belong in Analyze.
- Mitigation: allow Analyze entry points to deep-link into the same canonical VEX tab or a read-only shell mode instead of preserving a separate mutable VEX product.
- Risk: legacy aliases across `/policy-studio/*`, `/administration/policy/*`, and `/admin/vex-hub/*` can silently fragment analytics and QA coverage.
- Mitigation: freeze redirects and verification scenarios before implementation starts.
- Risk: Release Orchestrator could grow duplicate gate/policy UI while this consolidation is in flight.
- Mitigation: require release-facing FE work to deep-link into the shared shell rather than add new standalone policy/VEX pages.
- Delivery rule: this sprint is only complete when the canonical shell is routable, usable, verified, and old mutable policy or VEX action paths are no longer required.
- Reference design note: `docs/modules/ui/policy-decisioning-studio/README.md`.
## Next Checkpoints
- 2026-03-08: confirm the canonical shell name, tab set, and ownership boundary.
- 2026-03-09: freeze the route contract and component merge matrix.
- 2026-03-10: finalize release-context UX contract and implementation slice plan.
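
Review bot: Every task in the Delivery Tracker (FE-PD-001 through FE-PD-007) still reads `Status: TODO` with unchecked `[ ]` completion criteria at the point this file is deleted, and the Execution Log holds only the 2026-03-07 creation entry, so the sprint record never shows the work as completed. Update the statuses and add a completion log entry before removal, or move the file to an archive location, and carry forward any `Decisions & Risks` items that remain open, in particular the alias-fragmentation risk that names `/administration/policy/*` and the mitigation of allowing Analyze entry points a read-only shell mode.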


@@ -5,7 +5,6 @@
- `docs/implplan/SPRINT_20260307_004_FE_self_serve_search_answer_first.md`
- `docs/implplan/SPRINT_20260307_006_FE_self_serve_rollout_and_gap_closure.md`
- `docs/implplan/SPRINT_20260307_009_DOCS_ui_component_preservation_map.md`
- `docs/implplan/SPRINT_20260307_022_FE_policy_vex_release_decisioning_studio.md`
- `docs/implplan/SPRINT_20260307_023_DOCS_ui_restoration_topic_shapes.md`
- `docs/implplan/SPRINT_20260307_038_FE_live_search_supported_route_execution_matrix.md`
@@ -65,13 +64,13 @@
- [DONE] DOCS-RTS-005 Triage explainability restoration placement note
- [DONE] DOCS-RTS-006 Workflow visualization and replay placement note
- [DONE] DOCS-RTS-007 Deeper corroboration and implementation-sprint cutover for restoration topics
- [DOING] FE-PD-001 Freeze Policy Decisioning Studio shell shape and ownership
- [DOING] FE-PD-002 Canonical route and alias contract for policy / VEX / release decisioning
- [DOING] FE-PD-003 Component merge matrix for Policy Studio, Governance, Simulation, and VEX
- [DOING] FE-PD-004 Release-context UX contract for Release Orchestrator deep links
- [DOING] FE-PD-005 FE implementation slices for Decisioning Studio shell and cutover
- [TODO] FE-PD-006 QA and rollout contract for Decisioning Studio
- [TODO] FE-PD-007 Docs and deprecation plan for legacy policy / VEX product labels
- [DONE] FE-PD-001 Freeze Policy Decisioning Studio shell shape and ownership
- [DONE] FE-PD-002 Canonical route and alias contract for policy / VEX / release decisioning
- [DONE] FE-PD-003 Component merge matrix for Policy Studio, Governance, Simulation, and VEX
- [DONE] FE-PD-004 Release-context UX contract for Release Orchestrator deep links
- [DONE] FE-PD-005 FE implementation slices for Decisioning Studio shell and cutover
- [DONE] FE-PD-006 QA and rollout contract for Decisioning Studio
- [DONE] FE-PD-007 Docs and deprecation plan for legacy policy / VEX product labels
- [DONE] FE-WL-001 Freeze Watchlist shell ownership and route contract
- [DONE] FE-WL-002 Entries tab list-detail implementation slice
- [DONE] FE-WL-003 Alerts tab and alert-detail drill-in
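
Review bot: FE-PD-006 and FE-PD-007 go from `[TODO]` straight to `[DONE]`, and the titles tracked here (for example `FE-PD-006 QA and rollout contract for Decisioning Studio`) describe contracts and plans, while the sprint file removed in this commit defines the same IDs as delivery work (`FE-PD-006 - Verify cutover, redirects, and core operator journeys`). Align the titles with the delivered scope, or add a pointer to `docs/features/checked/web/policy-decisioning-studio-ui.md`, so that DONE is traceable to the verification evidence rather than to a planning artifact.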


@@ -11,19 +11,19 @@ Provide a living plan for UI deliverables, dependencies, and evidence.
- `SPRINT_20260307_004_FE_self_serve_search_answer_first.md` - answer-first search shell, page-owned self-serve questions, and explicit fallback states.
- `SPRINT_20260307_006_FE_self_serve_rollout_and_gap_closure.md` - page rollout, guided handoffs, and telemetry-driven gap closure.
- `SPRINT_20260307_009_DOCS_ui_component_preservation_map.md` - per-component preservation dossiers for unused and weakly surfaced console UI components.
- `SPRINT_20260307_022_FE_policy_vex_release_decisioning_studio.md` - canonical Decisioning Studio shell to unify policy, simulation, VEX decisioning, and release-context gate explanation.
- `SPRINT_20260307_023_DOCS_ui_restoration_topic_shapes.md` - documentation prerequisite for shell/menu/tab placements; not a product-delivery sprint by itself.
## Latest evidence
- `docs/modules/ui/component-preservation-map/README.md` - root index for the first-pass preservation map.
- `docs/modules/ui/component-preservation-map/SUMMARY_TREE.md` - branch-level keep / merge / wire / archive guidance.
- `docs/modules/ui/component-preservation-map/inventory.json` - deterministic machine-readable inventory for 303 candidate components.
- `docs/modules/ui/policy-decisioning-studio/README.md` - proposed Decisioning Studio product shape, tab model, route contract, and Release Orchestrator integration boundary.
- `docs/modules/ui/policy-decisioning-studio/README.md` - shipped Decisioning Studio product shape, canonical routes, alias coverage, and release-context entry-point contract.
- `docs/modules/ui/restoration-topics/README.md` - detailed placement notes for the next restoration topics after Decisioning Studio.
- `docs/modules/ui/watchlist-operations/README.md` - detailed watchlist UX dossier and owner-shell contract.
- `docs/features/checked/web/reachability-witnessing-ui.md` - shipped verification note for the canonical Reachability witness and PoE shell.
- `docs/features/checked/web/identity-watchlist-management-ui.md` - shipped verification note for the Trust & Signing watchlist shell and its Mission Control / Notifications handoffs.
- `docs/features/checked/web/operations-consolidation-ui.md` - shipped verification note for the canonical Operations shell, overview grouping, and legacy alias cutover.
- `docs/features/checked/web/policy-decisioning-studio-ui.md` - shipped verification note for the canonical Decisioning Studio shell, redirect cutover, release-context deep links, and VEX ownership merge.
- `docs/features/checked/web/triage-explainability-workspace-ui.md` - shipped verification note for the canonical triage artifact workspace, explainability rail, audit bundles, and security alias cutover.
- `docs/features/checked/web/workflow-visualization-replay-ui.md` - shipped verification note for the canonical run-detail graph, timeline, replay, evidence tabs, and workflow-editor preview reuse boundary.
- `docs/features/checked/web/contextual-actions-patterns-ui.md` - shipped verification note for the shared contextual route-state, headers, drawers, list-detail shells, grouped overview cards, and first adopted restoration surfaces.


@@ -1,172 +1,132 @@
# Policy Decisioning Studio
## Recommendation
Create one dynamic sub-product shell, not one giant page and not three separate sibling products.
## Status
Shipped on 2026-03-07.
## Product Shape
- Canonical mount: `/ops/policy`
- Suggested user-facing title: `Decisioning Studio`
- Suggested nav label for now: keep `Policy` to avoid unnecessary IA churn during rollout
- User-facing title: `Policy Decisioning Studio`
- Active primary tabs: `Overview`, `Packs`, `Governance`, `Simulation`, `VEX & Exceptions`, `Release Gates`, `Audit`
- Supported modes: `global`, `pack`, `release-context`, plus non-owning `approval`, `workflow`, and `evidence` context chips
This shell should unify the current policy workspace, policy governance, policy simulation, and the actionable parts of VEX conflict resolution into one product surface with deep-linkable tabs and a shared context model.
This is now the canonical mutable owner for policy packs, governance controls, policy simulation, VEX resolution, exception handling, release-gate review, and policy/VEX audit.
## Why This Is The Right Shape
- Policy authoring, governance, simulation, VEX overrides, exceptions, and release gates are all parts of one decisioning workflow.
- Release Orchestrator is a consumer of policy/VEX decisions, not a second owner of those UIs.
- The current split creates duplicated mental models: packs live in one branch, governance in another, simulation in another, and VEX conflicts off to the side.
- A single shell allows one shared context header for tenant, pack, environment, artifact digest, and release.
- Deep-linkable child routes preserve auditability and operator workflows better than a modal-heavy or single-scroll design.
## Product Modes
The shell should support three modes without forking the UI into separate apps.
### 1. Global Mode
- Used by policy admins and security operators.
- Focus: pack inventory, governance controls, simulations, trust/VEX posture, gate policy defaults.
### 2. Pack Mode
- Used when the user is working on a specific policy pack.
- Focus: editing, YAML, rule builder, approvals, explain traces, simulation for one pack.
### 3. Release Context Mode
- Entered from Release Orchestrator deep links.
- Context is pinned in the shell header: `releaseId`, `environment`, `artifactDigest`, `approvalId`, and effective policy bundle.
- Focus: "why is this promotion blocked / allowed?" rather than general administration.
## Recommended IA
### Primary tabs
- `Overview`
- decision board for active packs, pending approvals, open conflicts, shadow-mode readiness, and gate health
- `Packs`
- policy pack inventory and pack-scoped workspace
- `Governance`
- risk budgets, trust weights, staleness, sealed mode, profiles, validator, governance audit
- `Simulation`
- shadow mode, console, coverage, effective policy, diff, merge preview, history, batch evaluation
- `VEX & Exceptions`
- VEX conflicts, consensus review, overrides, exception queue, exception detail, rationale capture
- `Release Gates`
- gate catalog, environment-specific gate policy, release-context gate evaluation, promotion readiness
- `Audit`
- immutable policy/VEX decision history, evidence pointers, exports, explain traces
### Secondary navigation
- Use child tabs inside the active primary tab.
- Use a contextual right rail for evidence, explain traces, or release summary.
- Never hide critical release-decision screens behind modal-only flows.
## Route Contract
Keep `/ops/policy` as the canonical root and move the product to a single route tree.
## Shipped Route Contract
### Canonical routes
- `/ops/policy`
- `/ops/policy/overview`
- `/ops/policy/packs`
- `/ops/policy/packs/:packId`
- `/ops/policy/packs/:packId/edit`
- `/ops/policy/packs/:packId/rules`
- `/ops/policy/packs/:packId/yaml`
- `/ops/policy/packs/:packId/approvals`
- `/ops/policy/packs/:packId/simulate`
- `/ops/policy/packs/:packId/explain/:runId`
- `/ops/policy/governance/...`
- `/ops/policy/simulation/...`
- `/ops/policy/vex`
- `/ops/policy/vex/search`
- `/ops/policy/vex/search/detail/:id`
- `/ops/policy/vex/create`
- `/ops/policy/vex/stats`
- `/ops/policy/vex/consensus`
- `/ops/policy/vex/explorer`
- `/ops/policy/vex/conflicts`
- `/ops/policy/vex/conflicts/:conflictId`
- `/ops/policy/exceptions`
- `/ops/policy/exceptions/:exceptionId`
- `/ops/policy/vex/exceptions`
- `/ops/policy/vex/exceptions/approvals`
- `/ops/policy/vex/exceptions/:exceptionId`
- `/ops/policy/gates`
- `/ops/policy/gates/catalog`
- `/ops/policy/gates/simulate/:promotionId`
- `/ops/policy/gates/environments/:environment`
- `/ops/policy/gates/releases/:releaseId`
- `/ops/policy/audit`
- `/ops/policy/gates/approvals/:approvalId`
- `/ops/policy/audit/policy`
- `/ops/policy/audit/vex`
- `/ops/policy/audit/log`
- `/ops/policy/audit/log/events`
### Alias and migration rules
- Legacy `/policy-studio/*` routes redirect into `/ops/policy/packs/*`
- `/admin/policy/governance` and `/admin/policy/simulation` redirect into `/ops/policy/governance/*` and `/ops/policy/simulation/*`
- `/admin/vex-hub/*` should redirect into `/ops/policy/vex/*` for mutating and conflict-resolution flows
- If Analyze keeps a VEX entry point, it should deep-link into the same shell in read-only context instead of owning a separate VEX product
### Legacy aliases kept live
- `/policy-studio/*`
- `/policy/*`
- `/admin/policy/governance*`
- `/admin/policy/simulation*`
- `/admin/vex-hub*`
- `/security/vex*`
- `/security/exceptions*`
- `/administration/policy*`
- `/administration/policy-governance*`
## What To Merge
## Shipped Merge Boundary
### Merge into `Packs`
### Packs
- `PolicyWorkspaceComponent`
- `PolicyDashboardComponent`
- `PolicyEditorComponent`
- `PolicyYamlEditorComponent`
- `PolicyRuleBuilderComponent`
- `PolicyYamlEditorComponent`
- `PolicyApprovalsComponent`
- `PolicyExplainComponent`
- `PolicyDashboardComponent`
### Merge into `Governance`
- `PolicyGovernanceComponent` shell
- risk budget, trust weighting, staleness, sealed mode, profiles, validator, audit, conflicts, schema tools
### Governance
- Existing `policy-governance.routes.ts` subtree mounted under `/ops/policy/governance`
- Settings, impact-preview, profile, trust-weight, and schema surfaces now point to the canonical shell
### Merge into `Simulation`
- `SimulationDashboardComponent` shell
- shadow mode, console, lint, coverage, effective policy, audit, diff, promotion, merge preview, history, batch
### Simulation
- Existing `policy-simulation.routes.ts` subtree mounted under `/ops/policy/simulation`
- Internal simulation navigation updated to stay inside the canonical route family
### Merge into `VEX & Exceptions`
- `VexConflictResolutionComponent`
- preserved ideas from `VexConflictStudioComponent`
- exception queue and exception detail flows
- VEX consensus and trust-weighted decision support
### VEX and exceptions
- Existing `vex-hub` components mounted under `/ops/policy/vex`
- Security VEX and exception aliases now redirect into the canonical VEX subtree
- Mutable VEX actions are no longer owned by a separate Security shell
### Merge into `Release Gates`
- promotion gate surfaces from policy simulation
- environment gate policy editors
- release-context verdict page used by Release Orchestrator
### Gates and audit
- Canonical release-gate page at `/ops/policy/gates*`
- Canonical policy/VEX audit owner under `/ops/policy/audit*`
## Release Orchestrator Integration
Release Orchestrator should link into this shell instead of growing a parallel policy UI.
### Shipped entry points
- approvals detail
- promotion request
- release detail
- workflow editor
- evidence detail
### Entry points from releases
- approval detail -> open gate verdict in release context mode
- promotion request -> open readiness checklist in release context mode
- release detail -> open effective policy + VEX posture for this artifact
- workflow editor -> deep link to gate catalog / policy pack used by the workflow
- evidence detail -> deep link to policy and VEX rationale bound to the promotion
### Shipped context fields
- `releaseId`
- `approvalId`
- `environment`
- `artifact` / `bundleDigest`
- `workflowId`
- `evidenceId`
- `returnTo`
### Required release-context panel
- active release / approval identifier
- environment lane
- artifact digest / subject digest
- effective policy pack and version
- gate verdict summary
- open conflicts or missing evidence
- CTA back to release flow
Release Orchestrator still owns promotion state and workflow execution. Decisioning Studio owns policy and VEX authoring, mutation, and explanation.
### Ownership rule
- Release Orchestrator owns promotion state and workflow execution
- Decisioning Studio owns policy authoring, governance, VEX resolution, exceptions, and gate explanation
## Secondary Entry Points Updated
- `Security Overview`
- `Security Exceptions`
- `Vulnerability Detail`
- `Home Dashboard`
- `Policy Governance Settings`
- `Evidence Audit`
- `Timeline Evidence Links`
- `Policy baseline chip`
- global search VEX normalization
## UI Standards For Implementation
## Retired Or Superseded Writable Owners
- standalone `Policy Studio` product label
- standalone `VEX Hub` mutable owner
- mutable `policy/*` writable paths
- mutable `security/vex*` owner paths
- One shell component with child router outlets, not duplicated top-level pages
- Page-owned context and self-serve guidance
- Stable deep links for every tab and subview
- Scope-aware tabs that hide or disable only what the operator cannot act on
- Shared evidence and explain cards reused across policy, VEX, and release contexts
- Deterministic loading order and route aliases so legacy bookmarks remain functional during rollout
These names survive only as temporary redirect aliases where needed for bookmark continuity.
## Non-Goals
- Do not move all security exploration into this shell; read-only security analytics can remain elsewhere if they deep-link into the same canonical decisioning routes when action is required.
- Do not let Release Orchestrator fork its own policy editor or VEX conflict UI.
- Do not collapse everything into one scroll page; operators need stable, bookmarkable subviews.
## Source Inputs
- `docs/contracts/policy-studio.md`
- `docs/security/policy-governance.md`
- `docs/modules/release-orchestrator/ui/overview.md`
- `docs/modules/release-orchestrator/workflow/evidence-based-release-gates.md`
- `docs/modules/ui/component-preservation-map/README.md`
- `src/Web/StellaOps.Web/src/app/features/policy-governance/policy-governance.routes.ts`
- `src/Web/StellaOps.Web/src/app/features/policy-simulation/policy-simulation.routes.ts`
- `src/Web/StellaOps.Web/src/app/features/vex-hub/vex-hub.routes.ts`
- `src/Web/StellaOps.Web/src/app/routes/ops.routes.ts`
- `src/Web/StellaOps.Web/src/app/routes/administration.routes.ts`
## Verification Evidence
- feature verification note: `docs/features/checked/web/policy-decisioning-studio-ui.md`
- targeted Angular tests: `94` passing assertions across route, shell, redirect, workflow, evidence, and search coverage
- Playwright: `4/4` passing scenarios for global mode, pack mode, release-context mode, and security VEX alias redirect
- production build: pass, with existing unrelated bundle-budget warnings
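
Review bot: `returnTo` appears under `Shipped context fields` with no stated constraint on its value, even though release surfaces pass it into the shell to drive the return-to-source affordance. Document that `returnTo` is accepted only as an in-app route (a relative path with no scheme or host) and that any other value falls back to a fixed default such as `/ops/policy/overview`, and add a route spec asserting that an external URL supplied in `returnTo` is not followed. The same section would benefit from stating whether the other context fields (`releaseId`, `approvalId`, `evidenceId`) are re-checked against the operator's scopes when the shell loads, since they arrive through the URL.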