feat(ui): ship policy decisioning studio

src/Web/StellaOps.Web/tests/e2e/policy-decisioning-studio.spec.ts

@@ -0,0 +1,232 @@
+import { expect, test, type Page, type Route } from '@playwright/test';
+
+import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
+
+const adminSession: StubAuthSession = {
+  subjectId: 'policy-e2e-user',
+  tenant: 'tenant-default',
+  scopes: [
+    'admin',
+    'ui.read',
+    'ui.admin',
+    'release:read',
+    'policy:read',
+    'policy:author',
+    'policy:review',
+    'policy:approve',
+    'policy:simulate',
+    'policy:audit',
+    'vex:read',
+    'vex:write',
+    'vex:export',
+    'exception:read',
+    'exception:approve',
+    'findings:read',
+    'vuln:view',
+    'orch:read',
+    'orch:operate',
+  ],
+};
+
+const mockConfig = {
+  authority: {
+    issuer: '/authority',
+    clientId: 'stella-ops-ui',
+    authorizeEndpoint: '/authority/connect/authorize',
+    tokenEndpoint: '/authority/connect/token',
+    logoutEndpoint: '/authority/connect/logout',
+    redirectUri: 'https://127.0.0.1:4400/auth/callback',
+    postLogoutRedirectUri: 'https://127.0.0.1:4400/',
+    scope: 'openid profile email ui.read',
+    audience: '/gateway',
+    dpopAlgorithms: ['ES256'],
+    refreshLeewaySeconds: 60,
+  },
+  apiBaseUrls: {
+    authority: '/authority',
+    scanner: '/scanner',
+    policy: '/policy',
+    concelier: '/concelier',
+    attestor: '/attestor',
+    gateway: '/gateway',
+  },
+  quickstartMode: true,
+  setup: 'complete',
+};
+
+const policyPacks = [
+  {
+    id: 'pack-001',
+    name: 'Core Policy Pack',
+    description: 'Default pack for release gating',
+    version: '2026.03.07',
+    status: 'active',
+    createdAt: '2026-03-01T08:00:00Z',
+    modifiedAt: '2026-03-07T08:00:00Z',
+    createdBy: 'ops@example.com',
+    modifiedBy: 'ops@example.com',
+    tags: ['release', 'core'],
+  },
+];
+
+const packDashboard = {
+  runs: [
+    {
+      runId: 'run-001',
+      policyVersion: '2026.03.07',
+      status: 'completed',
+      completedAt: '2026-03-07T09:00:00Z',
+      findingsCount: 5,
+      changedCount: 2,
+    },
+  ],
+  ruleHeatmap: [
+    {
+      ruleName: 'reachable-critical',
+      hitCount: 5,
+      averageLatencyMs: 14,
+    },
+  ],
+  vexWinsByDay: [{ date: '2026-03-07', value: 2 }],
+  suppressionsByDay: [{ date: '2026-03-07', value: 1 }],
+};
+
+async function fulfillJson(route: Route, body: unknown): Promise<void> {
+  await route.fulfill({
+    status: 200,
+    contentType: 'application/json',
+    body: JSON.stringify(body),
+  });
+}
+
+async function navigateClientSide(page: Page, target: string): Promise<void> {
+  await page.evaluate((url) => {
+    window.history.pushState({}, '', url);
+    window.dispatchEvent(new PopStateEvent('popstate', { state: window.history.state }));
+  }, target);
+}
+
+async function setupHarness(page: Page): Promise<void> {
+  await page.addInitScript((session) => {
+    (window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
+  }, adminSession);
+
+  await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/.well-known/openid-configuration', (route) =>
+    fulfillJson(route, {
+      issuer: 'https://127.0.0.1:4400/authority',
+      authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
+      token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
+      jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
+      response_types_supported: ['code'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['RS256'],
+    }),
+  );
+  await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
+  await page.route('**/console/profile**', (route) =>
+    fulfillJson(route, {
+      subjectId: adminSession.subjectId,
+      username: 'policy-e2e',
+      displayName: 'Policy E2E',
+      tenant: adminSession.tenant,
+      roles: ['admin'],
+      scopes: adminSession.scopes,
+    }),
+  );
+  await page.route('**/console/token/introspect**', (route) =>
+    fulfillJson(route, {
+      active: true,
+      tenant: adminSession.tenant,
+      subject: adminSession.subjectId,
+      scopes: adminSession.scopes,
+    }),
+  );
+  await page.route('**/api/v2/context/regions', (route) =>
+    fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }]),
+  );
+  await page.route('**/api/v2/context/environments**', (route) =>
+    fulfillJson(route, [
+      {
+        environmentId: 'prod-eu',
+        regionId: 'eu-west',
+        environmentType: 'prod',
+        displayName: 'Prod EU',
+        sortOrder: 1,
+        enabled: true,
+      },
+    ]),
+  );
+  await page.route('**/api/v2/context/preferences', (route) =>
+    fulfillJson(route, {
+      tenantId: adminSession.tenant,
+      actorId: adminSession.subjectId,
+      regions: ['eu-west'],
+      environments: ['prod-eu'],
+      timeWindow: '24h',
+      stage: 'all',
+      updatedAt: '2026-03-07T12:00:00Z',
+      updatedBy: adminSession.subjectId,
+    }),
+  );
+  await page.route('**/doctor/api/v1/doctor/trends**', (route) => fulfillJson(route, []));
+  await page.route('**/api/v1/approvals**', (route) => fulfillJson(route, []));
+  await page.route('**/api/policy/packs?**', (route) => fulfillJson(route, policyPacks));
+  await page.route('**/api/policy/packs', (route) => fulfillJson(route, policyPacks));
+  await page.route('**/api/policy/packs/pack-001/dashboard**', (route) =>
+    fulfillJson(route, packDashboard),
+  );
+}
+
+test.beforeEach(async ({ page }) => {
+  await setupHarness(page);
+});
+
+test('renders the canonical global shell under /ops/policy', async ({ page }) => {
+  await page.goto('/ops/policy/overview', { waitUntil: 'networkidle' });
+
+  await expect(page.getByTestId('policy-decisioning-shell')).toBeVisible();
+  await expect(page.getByTestId('policy-decisioning-overview')).toBeVisible();
+  await expect(page.getByTestId('policy-tab-overview')).toBeVisible();
+  await expect(page.getByTestId('policy-tab-vex')).toBeVisible();
+  await expect(page.getByText('Policy Decisioning Studio')).toBeVisible();
+});
+
+test('redirects legacy pack bookmarks into pack-mode decisioning', async ({ page }) => {
+  await page.goto('/ops/policy/overview', { waitUntil: 'networkidle' });
+
+  await navigateClientSide(page, '/policy-studio/packs/pack-001/dashboard');
+
+  await expect(page).toHaveURL(/\/ops\/policy\/packs\/pack-001(?:\/dashboard)?$/);
+  await expect(page.getByTestId('policy-pack-shell')).toBeVisible();
+  await expect(
+    page.getByTestId('policy-pack-shell').getByRole('heading', { name: 'Pack pack-001' }),
+  ).toBeVisible();
+  await expect(page.getByText('Run dashboards')).toBeVisible();
+});
+
+test('keeps release-context gate review inside the shared shell', async ({ page }) => {
+  await page.goto(
+    '/ops/policy/gates/releases/rel-42?environment=prod-eu&artifact=sha256%3Afeedface&returnTo=%2Freleases%2Frel-42',
+    { waitUntil: 'networkidle' },
+  );
+
+  await expect(page.getByTestId('policy-decisioning-shell')).toBeVisible();
+  await expect(page.getByTestId('policy-gates-page')).toBeVisible();
+  await expect(page.getByText('Release rel-42 Decisioning')).toBeVisible();
+  await expect(page.getByText('Env prod-eu')).toBeVisible();
+  await expect(
+    page.locator('app-context-header').getByRole('button', { name: 'Return to source' }),
+  ).toBeVisible();
+});
+
+test('redirects security VEX aliases into the canonical decisioning shell', async ({ page }) => {
+  await page.goto('/ops/policy/overview', { waitUntil: 'networkidle' });
+
+  await navigateClientSide(page, '/security/vex?cveId=CVE-2024-21626');
+
+  await expect(page).toHaveURL(/\/ops\/policy\/vex\?cveId=CVE-2024-21626$/);
+  await expect(page.getByTestId('policy-vex-shell')).toBeVisible();
+  await expect(page.getByText('Mutable VEX actions now live in Decisioning Studio')).toBeVisible();
+});