chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates
Bundled pre-session doc + ops work:
- docs/modules/**: sync across advisory-ai, airgap, cli, excititor, export-center, findings-ledger, notifier, notify, platform, router, sbom-service, ui, web (architectural + operational updates)
- docs/features/**: updates to checked excititor vex pipeline, developer workspace, quick verify drawer
- docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE, code-of-conduct/TESTING_PRACTICES updates
- docs/qa/feature-checks/: FLOW.md + excititor state update
- docs/implplan/: remaining sprint updates + new Concelier source credentials sprint (SPRINT_20260422_003)
- docs-archived/implplan/: 30 sprint archival moves (ElkSharp series, misc completed sprints)
- devops/compose: .env + services compose + env example + router gateway config updates

File-level granularity preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
116
docs/implplan/20260420_non_test_mock_stub_inmemory_inventory.md
Normal file
@@ -0,0 +1,116 @@
# 2026-04-20 Non-Test Mock/Stub/In-Memory Inventory
## Scope
- Source tree only: `src/**`
- Excluded: `__Tests`, `tests`, `bin`, `obj`, `node_modules`, `dist`, `coverage`
- Signal used:
- backend filename scan for `*InMemory*.cs`, `*Unsupported*.cs`, `*Mock*.cs`, `*Stub*.cs`
- frontend content scan for `mock`, `stub`, and `in-memory` references outside `*.spec.ts`
## Completed in this pass
- [SPRINT_20260420_020_SbomService_live_inmemory_and_fixture_fallback_retirement.md](/C:/dev/New%20folder/git.stella-ops.org/docs/implplan/SPRINT_20260420_020_SbomService_live_inmemory_and_fixture_fallback_retirement.md): DONE
- Non-testing `SbomService` no longer silently composes fixture or in-memory canonical repositories.
- Test-only fallback composition now lives in the explicit test harness.
- [SPRINT_20260420_021_Notifier_live_runtime_inmemory_store_retirement.md](/C:/dev/New%20folder/git.stella-ops.org/docs/implplan/SPRINT_20260420_021_Notifier_live_runtime_inmemory_store_retirement.md): DONE
- Non-testing `Notifier` WebService now composes durable admin/runtime services directly.
- Remaining in-memory registrations are isolated to `Testing`.
- [SPRINT_20260420_018_ExportCenter_truthful_runtime_placeholder_retirement.md](/C:/dev/New%20folder/git.stella-ops.org/docs/implplan/SPRINT_20260420_018_ExportCenter_truthful_runtime_placeholder_retirement.md): DONE
- ExportCenter no longer has live non-testing in-memory fallback in the reviewed runtime path.
- Remaining `Unsupported*` services are intentional fail-closed runtime behavior and documented explicitly.
- [SPRINT_20260421_002_AdvisoryAI_policy_studio_runtime_truthfulness.md](/C:/dev/New%20folder/git.stella-ops.org/docs-archived/implplan/2026-04-21-runtime-mock-persistence-cleanup/SPRINT_20260421_002_AdvisoryAI_policy_studio_runtime_truthfulness.md): DONE
- AdvisoryAI Policy Studio `validate` and `compile` no longer emit live fake success payloads.
- Unimplemented stages now fail closed with explicit `501` responses and focused integration proof.
- [SPRINT_20260421_003_FE_policy_explain_pdf_stub_retirement.md](/C:/dev/New%20folder/git.stella-ops.org/docs-archived/implplan/2026-04-21-runtime-mock-persistence-cleanup/SPRINT_20260421_003_FE_policy_explain_pdf_stub_retirement.md): DONE
- The live Policy Explain page no longer imports the no-op jsPDF stub or advertises a dead `Export PDF` action.
- `jspdf.stub.ts` was deleted and JSON export remains covered by focused frontend tests.
- [SPRINT_20260421_004_BinaryIndex_debuginfod_dwarf_parser_fail_closed.md](/C:/dev/New%20folder/git.stella-ops.org/docs-archived/implplan/2026-04-21-runtime-mock-persistence-cleanup/SPRINT_20260421_004_BinaryIndex_debuginfod_dwarf_parser_fail_closed.md): DONE
- The live Debuginfod DWARF parser no longer returns silent empty symbol/build-metadata data.
- BinaryIndex parse now fails closed until the parser migration lands, and focused Debuginfod tests prove the failure path.
- [SPRINT_20260421_005_FE_approval_detail_preview_truthfulness.md](/C:/dev/New%20folder/git.stella-ops.org/docs-archived/implplan/2026-04-21-runtime-mock-persistence-cleanup/SPRINT_20260421_005_FE_approval_detail_preview_truthfulness.md): DONE
- The approvals detail route is now explicitly preview-only instead of presenting local fake approve/reject actions as live behavior.
- The dead `monaco-loader.service.stub.ts` file was removed from the app source tree.
- [SPRINT_20260421_008_FE_replay_shadow_notify_truthfulness.md](/C:/dev/New%20folder/git.stella-ops.org/docs-archived/implplan/2026-04-21-runtime-mock-persistence-cleanup/SPRINT_20260421_008_FE_replay_shadow_notify_truthfulness.md): DONE
- Quick-Verify now fails closed instead of fabricating runtime receipts or verified outcomes for heterogeneous caller identifiers.
- Policy Simulation no longer seeds fallback shadow-mode state or local promotion gate summaries, and Notify test-send defaults no longer ship mock-labelled copy.
- [SPRINT_20260421_009_FE_developer_workspace_action_stub_retirement.md](/C:/dev/New%20folder/git.stella-ops.org/docs-archived/implplan/2026-04-21-runtime-mock-persistence-cleanup/SPRINT_20260421_009_FE_developer_workspace_action_stub_retirement.md): DONE
- The live Developer Workspace route no longer advertises dead GitHub/Jira ticket action stubs.
- The stale `policy-streaming.client.ts` mock footer comment was removed during the same frontend recheck.
- [SPRINT_20260421_010_Platform_compatibility_stub_retirement.md](/C:/dev/New%20folder/git.stella-ops.org/docs-archived/implplan/2026-04-21-runtime-mock-persistence-cleanup/SPRINT_20260421_010_Platform_compatibility_stub_retirement.md): DONE
- Platform no longer maps synthetic notify/quota compatibility hosts, and the remaining legacy quota report/jobengine paths now fail closed instead of fabricating runtime data.
- The Admin Notifications screen now uses the real Notifier runtime for advanced configuration surfaces, while digest schedule CRUD is surfaced truthfully as unavailable.
## Reviewed and classified runtime placeholders
### ExportCenter
- Classified as acceptable shipped fail-closed behavior until durable backends land:
- [UnsupportedExportArtifactStore.cs](/C:/dev/New%20folder/git.stella-ops.org/src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Verification/UnsupportedExportArtifactStore.cs)
- [UnsupportedExportAttestationService.cs](/C:/dev/New%20folder/git.stella-ops.org/src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Attestation/UnsupportedExportAttestationService.cs)
- [UnsupportedPromotionAttestationAssembler.cs](/C:/dev/New%20folder/git.stella-ops.org/src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Attestation/UnsupportedPromotionAttestationAssembler.cs)
- [UnsupportedExportIncidentManager.cs](/C:/dev/New%20folder/git.stella-ops.org/src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Incident/UnsupportedExportIncidentManager.cs)
- [UnsupportedRiskBundleJobHandler.cs](/C:/dev/New%20folder/git.stella-ops.org/src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/RiskBundle/UnsupportedRiskBundleJobHandler.cs)
- [UnsupportedSimulationReportExporter.cs](/C:/dev/New%20folder/git.stella-ops.org/src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/SimulationExport/UnsupportedSimulationReportExporter.cs)
- [UnsupportedAuditBundleJobHandler.cs](/C:/dev/New%20folder/git.stella-ops.org/src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/AuditBundle/UnsupportedAuditBundleJobHandler.cs)
- [UnsupportedExceptionReportGenerator.cs](/C:/dev/New%20folder/git.stella-ops.org/src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/ExceptionReport/UnsupportedExceptionReportGenerator.cs)
- [UnsupportedExportNotificationSink.cs](/C:/dev/New%20folder/git.stella-ops.org/src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Timeline/UnsupportedExportNotificationSink.cs)
- Supporting docs:
- [architecture.md](/C:/dev/New%20folder/git.stella-ops.org/docs/modules/export-center/architecture.md)
- [README.md](/C:/dev/New%20folder/git.stella-ops.org/docs/modules/export-center/README.md)
- [api.md](/C:/dev/New%20folder/git.stella-ops.org/docs/modules/export-center/api.md)
## Backend inventory by top-level module
| Module | Candidate files |
| --- | ---: |
| `ReleaseOrchestrator` | 39 |
| `__Libraries` | 29 |
| `Attestor` | 28 |
| `Router` | 21 |
| `Policy` | 21 |
| `ExportCenter` | 18 |
| `Authority` | 15 |
| `Graph` | 15 |
| `JobEngine` | 13 |
| `Concelier` | 12 |
| `AirGap` | 11 |
| `BinaryIndex` | 10 |
| `SbomService` | 9 |
| `Signals` | 9 |
| `Scanner` | 7 |
| `Platform` | 7 |
| `VexLens` | 6 |
| `Findings` | 6 |
| `AdvisoryAI` | 3 |
| `Doctor` | 3 |
| `Notifier` | 2 |
| `Notify` | 2 |
| `Integrations` | 1 |
| `Mirror` | 1 |
| `Registry` | 1 |
| `Telemetry` | 1 |
| `ReachGraph` | 1 |
| `Plugin` | 1 |
| `Workflow` | 1 |
## Frontend non-spec classifications
- [approval-detail-page.component.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/features/approvals/approval-detail-page.component.ts): intentional truthful preview-only route; the page explicitly warns that live approve/reject behavior is unavailable until the API-backed detail store is wired.
- [pinned-explanation.service.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/core/services/pinned-explanation.service.ts): session-storage-backed UX state with an in-memory fallback if browser storage fails; this is not a backend persistence substitute.
- [src/app/testing/** and src/app/core/testing/**](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/testing): source-tree test harness helpers outside `*.spec.ts`, including [auth-store.stub.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/testing/auth-store.stub.ts), [auth-fixtures.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/testing/auth-fixtures.ts), [auth.testing.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/core/testing/auth.testing.ts), [scoring.testing.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/core/testing/scoring.testing.ts), and [watchlist.testing.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/core/testing/watchlist.testing.ts). These are test support files, not live runtime surfaces.
## Notes
- The backend count table is an inventory of non-test source files with `InMemory`, `Unsupported`, `Mock`, or `Stub` in the filename. It is intentionally broader than the reviewed live-runtime gaps.
- Many entries are likely valid development/test harnesses or library-level adapters that are not currently wired into non-testing runtime. They still need separate review before being treated as production debt.
- The highest-signal reviewed runtime items from this pass were `SbomService`, `Notifier`, `ExportCenter`, `AdvisoryAI Policy Studio`, `Policy Explain`, `BinaryIndex Debuginfod`, and the `Approvals` detail preview route; those sprint trackers are now closed.
- Post-fix frontend import scans now show stub imports only under `src/app/testing/**`, and repo search confirms `monaco-loader.service.stub.ts` no longer exists.
- Wave-2 runtime recheck on 2026-04-21 closed the remaining high-signal candidates without new code changes:
- `AdvisoryAI` runtime consent/attestation storage already requires PostgreSQL outside `Testing`, with existing startup-contract and durable restart tests.
- `BinaryIndex Symbols` already limits in-memory manifest services to `Testing`, returns `501` for unsupported live manifest/resolve routes, and requires a connection string for durable source/catalog storage outside `Testing`.
- `IssuerDirectory` already defaults to PostgreSQL outside `Testing` and only allows the shared in-memory infrastructure when `Persistence:Provider=InMemory` under `Testing`.
- `Registry TokenService` already binds `InMemoryPlanRuleStore` only in `Testing` and fails fast outside `Testing` when durable Postgres configuration is missing.
- Wave-3 frontend recheck on 2026-04-21 closed the stale Web candidate list:
- [attestation-chain.client.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/core/api/attestation-chain.client.ts), [notifier.client.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/core/api/notifier.client.ts), [noise-gating.client.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/core/api/noise-gating.client.ts), and [trust.client.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/core/api/trust.client.ts) are live HTTP clients and no longer contain the stale mock-classification comments previously recorded in the inventory.
- [policy-streaming.client.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/core/api/policy-streaming.client.ts) is a live SSE client; the dangling mock footer comment was removed during the follow-up cleanup.
- [quick-verify-drawer.component.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/shared/components/quick-verify-drawer/quick-verify-drawer.component.ts), [simulation-dashboard.component.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/features/policy-simulation/simulation-dashboard.component.ts), [notify-panel.component.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/features/notify/notify-panel.component.ts), and [developer-workspace.component.ts](/C:/dev/New%20folder/git.stella-ops.org/src/Web/StellaOps.Web/src/app/features/workspaces/developer/components/developer-workspace/developer-workspace.component.ts) no longer ship deceptive runtime placeholders after the 2026-04-21 frontend cleanup sprints.
- Wave-4 platform/notify recheck on 2026-04-21 closed the remaining high-signal Platform-hosted compatibility shims:
- `src/Platform/StellaOps.Platform.WebService` no longer maps synthetic notify/quota compatibility endpoint hosts at runtime.
- The remaining legacy quota report and JobEngine quota routes now fail closed or return `501` until an owning durable backend exists.
- `src/Web/StellaOps.Web/src/app/features/admin-notifications/admin-notifications.component.ts` now uses `NOTIFIER_API` for advanced admin configuration, and `src/app/core/api/notify.client.ts` treats digest schedule CRUD as unsupported instead of emulating runtime data.
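Review bot: Every link in this inventory, from the sprint links under "Completed in this pass" through the source links under ExportCenter, "Frontend non-spec classifications" and Notes, targets an absolute workstation path (`/C:/dev/New%20folder/git.stella-ops.org/...`), which resolves only on the author's machine and commits a local directory layout into the docs. Please switch them to repo-relative targets, for example the bare sprint filename for files beside this one in `docs/implplan/` and `../../src/...` for source files. Separately, the Scope section describes the backend signal as a filename scan only, so an in-memory or fake registration in a file not named `*InMemory*`, `*Unsupported*`, `*Mock*` or `*Stub*` would not appear in the count table; it is worth stating that limit in Notes next to the existing "intentionally broader" caveat.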
@@ -0,0 +1,183 @@
# Sprint 20260420-003 - FE Web Full Suite Stabilization
## Topic & Scope
- Stabilize the remaining failing Web Vitest suites surfaced by the post-mock-retirement full-suite run.
- Remove stale JIT-hostile input bindings, ProxyZone-only spec assumptions, and transport/test-harness mismatches that are still breaking frontend verification.
- Keep the batch scoped to `src/Web/` with sprint evidence updates only.
- Working directory: `src/Web/`.
- Cross-module touchpoints explicitly allowed for this sprint: `docs/implplan/**`.
- Expected evidence: targeted Vitest reruns for each repaired cluster, one clean follow-up full-suite rerun, and no reintroduction of runtime mocks.
## Dependencies & Concurrency
- Follows `docs/implplan/SPRINT_20260420_002_FE_web_test_stabilization_post_mock_retirement.md`, which closed the first set of stale Web test harness failures.
- Safe to execute in parallel with backend work because the write scope is `src/Web/**` plus this sprint file only.
- Must not revert unrelated dirty frontend or docs work already present in the repo.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/web/architecture.md`
- `src/Web/AGENTS.md`
- `src/Web/StellaOps.Web/AGENTS.md`
- `docs/implplan/SPRINT_20260420_002_FE_web_test_stabilization_post_mock_retirement.md`
## Delivery Tracker
### FE-STAB2-001 - Repair setup wizard spec transport and bootstrap harnesses
Status: DONE
Dependency: none
Owners: Developer / Implementer, Test Automation
Task description:
- The setup wizard cluster was leaking transport/bootstrap behavior through a stale behavior-spec harness, which produced jsdom/undici failures instead of exercising the current setup state wiring.
- Reconcile the setup wizard spec harness with the current setup service transport path so the tests exercise the intended bootstrap logic without leaking network requests into jsdom.
Completion criteria:
- [x] The failing setup-wizard spec cluster passes under targeted Vitest execution.
- [x] The repaired spec uses the current test transport path and does not depend on live network access.
### FE-STAB2-002 - Retire stale signal-input host bindings across shared findings surfaces
Status: DONE
Dependency: FE-STAB2-001
Owners: Developer / Implementer, Test Automation
Task description:
- The full-suite rerun confirms the next shared failure family is stale signal-input usage across findings-related specs: `findings-container.component.spec.ts`, `findings-list.component.spec.ts`, `finding-row.component.spec.ts`, `metrics-dashboard.component.spec.ts`, and the regression coverage in `src/tests/orphan_revival/orphan-revival-regression-remediation.spec.ts`.
- Update these specs to use the current standalone/signal-input contract, replace outdated host binding patterns, and keep parent-child template imports aligned with the shipped component graph.
Completion criteria:
- [x] `findings-container.component.spec.ts` passes under targeted Vitest execution.
- [x] `findings-list.component.spec.ts` passes under targeted Vitest execution.
- [x] `finding-row.component.spec.ts` passes under targeted Vitest execution.
- [x] `metrics-dashboard.component.spec.ts` passes under targeted Vitest execution.
- [x] `orphan-revival-regression-remediation.spec.ts` passes under targeted Vitest execution.
- [x] The rerun completes without stale signal-input `NG0303` warnings for the repaired findings surfaces.
### FE-STAB2-003 - Remove ProxyZone-only assumptions from policy-simulation specs
Status: DONE
Dependency: FE-STAB2-002
Owners: Developer / Implementer, Test Automation
Task description:
- The policy-simulation spec cluster (`batch-evaluation`, `simulation-history`, `simulation-console`, `conflict-detection`, `policy-merge-preview`) is still written around `fakeAsync`/ProxyZone expectations that do not hold under the current Vitest runner.
- Update the affected specs to use deterministic synchronous or `async`/`await` flows against the current component contracts, keeping runtime behavior unchanged unless a real product bug is confirmed.
Completion criteria:
- [x] `batch-evaluation.component.spec.ts` passes under targeted Vitest execution.
- [x] `simulation-history.component.spec.ts` passes under targeted Vitest execution.
- [x] `simulation-console.component.spec.ts` passes under targeted Vitest execution.
- [x] `conflict-detection.component.spec.ts` passes under targeted Vitest execution.
- [x] `policy-merge-preview.component.spec.ts` passes under targeted Vitest execution.
### FE-STAB2-004 - Reconcile proof-studio verdict-threshold expectations
Status: DONE
Dependency: FE-STAB2-003
Owners: Developer / Implementer, Test Automation
Task description:
- `what-if-slider.component.spec.ts` still carries a small set of verdict/confidence expectations that do not match the current scoring logic.
- Confirm whether the failure is a product regression or stale expectation, then fix the component or the tests accordingly and capture the result in the sprint log.
Completion criteria:
- [x] `what-if-slider.component.spec.ts` passes under targeted Vitest execution.
- [x] The fix documents whether the source of truth was the component logic or the stale test expectation.
### FE-STAB2-005 - Re-run the full Web Vitest suite after the above clusters are green
Status: DOING
Dependency: FE-STAB2-004
Owners: Developer / Implementer, Test Automation
Task description:
- After the targeted failing clusters are stabilized, rerun the full Web Vitest suite to prove the repair is complete and to surface any remaining hidden failures.
- Record the final suite result and the scope of the repaired files in the sprint execution log.
Completion criteria:
- [ ] `npx vitest run --config vitest.codex.config.ts` passes for `src/Web/StellaOps.Web`.
- [ ] Final verification evidence is recorded in the sprint execution log.
### FE-STAB2-006 - Repair mounted watchlist and notify shell expectations
Status: DONE
Dependency: FE-STAB2-005
Owners: Developer / Implementer, Test Automation
Task description:
- The current rerun still shows stale mounted-shell expectations in `watchlist-page.component.spec.ts`, `src/tests/watchlist/identity-watchlist-management-ui.component.spec.ts`, and `notify-panel.component.spec.ts`.
- Reconcile the mounted workspace shell, draft preservation, tuning, and navigation assertions with the current route/state contract without reintroducing placeholder data paths.
Completion criteria:
- [x] `watchlist-page.component.spec.ts` passes under targeted Vitest execution.
- [x] `identity-watchlist-management-ui.component.spec.ts` passes under targeted Vitest execution.
- [x] `notify-panel.component.spec.ts` passes under targeted Vitest execution.
### FE-STAB2-007 - Reconcile export and replay workflow assertions with current component state
Status: DONE
Dependency: FE-STAB2-005
Owners: Developer / Implementer, Test Automation
Task description:
- `audit-pack-export.component.spec.ts` and `replay-controls.component.spec.ts` now fail on current export/replay state semantics rather than on the already-retired runtime mocks.
- Update the specs and only the minimal product behavior needed so export progress, completion, retry, and comparison flows reflect the shipped UI state machine.
Completion criteria:
- [x] `audit-pack-export.component.spec.ts` passes under targeted Vitest execution.
- [x] `replay-controls.component.spec.ts` passes under targeted Vitest execution.
### FE-STAB2-008 - Remove stale signal-input and ProxyZone assumptions from VEX Hub surfaces
Status: DONE
Dependency: FE-STAB2-005
Owners: Developer / Implementer, Test Automation
Task description:
- The full suite still reports three VEX Hub failure modes: ProxyZone-only tests in `vex-statement-search.component.spec.ts`, stale signal-input usage in `vex-statement-detail-panel.component.spec.ts`, and missing provider/setup assumptions in `vex-create-workflow.component.spec.ts`.
- Normalize these specs to the current standalone component contracts and current service graph without adding runtime mocks or bypassing initialization paths.
Completion criteria:
- [x] `vex-statement-search.component.spec.ts` passes under targeted Vitest execution.
- [x] `vex-statement-detail-panel.component.spec.ts` passes under targeted Vitest execution.
- [x] `vex-create-workflow.component.spec.ts` passes under targeted Vitest execution.
### FE-STAB2-009 - Stabilize remaining standalone UI verification clusters
Status: DOING
Dependency: FE-STAB2-005
Owners: Developer / Implementer, Test Automation
Task description:
- After the shared findings, watchlist/notify, export, and VEX Hub batches are resolved, the remaining failures should be swept as targeted UI clusters: `registry-capability-matrix.component.spec.ts`, `chat-message.component.spec.ts`, `proof-tree.component.spec.ts`, `sources-list.component.spec.ts`, `scheduler-runs.component.spec.ts`, `keyboard-shortcuts-for-triage.component.spec.ts`, `evidence-subgraph.component.spec.ts`, and the admin notifications specs that still have DOM expectation drift.
- The latest full-suite rerun shows the next remaining families are now concentrated in signal-input/JIT-host and ProxyZone drift across `quick-verify-drawer`, `timeline-list`, `vex-hub`, `ai-explain-panel`, `exception-dashboard`, `sbom-diff-view`, `deploy-diff-panel`, `version-proof-popover`, `witness-page`, `findings-container-finding-list-adoption`, and `vex-trust-column-in-findings-and-triage-lists`, plus smaller expectation drift in `registry-health-card`, `vex-sources-panel`, `scheduler-runs`, `gating-explainer`, `system-settings-page`, `scanner-ops-settings-ui`, and `proof-chain`.
- Keep this batch scoped to expectation and harness correctness; only change product code where the current shipped behavior is actually wrong.
Completion criteria:
- [ ] The remaining standalone UI clusters from the current full-suite rerun pass under targeted Vitest execution.
- [ ] No stale host-input usage remains in the repaired specs.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-04-20 | Sprint created after the full Web Vitest rerun exposed remaining failures in setup wizard, finding detail, proof studio, and a wider policy-simulation spec cluster. | Codex |
| 2026-04-20 | Stabilized `setup-wizard-live-api-wiring.behavior.spec.ts`, `integration-detail.component.spec.ts`, and `auditor-workspace.component.spec.ts`; targeted rerun passed with 3 files and 19 tests green. | Codex |
| 2026-04-20 | Fresh full-suite rerun confirmed the earlier policy-simulation and proof-studio clusters are green and surfaced the remaining families in shared findings surfaces, watchlist/notify shells, export/replay workflows, VEX Hub, and several standalone UI specs. | Codex |
| 2026-04-20 | Repaired the shared findings batch (`findings-container`, `findings-list`, `finding-row`, `metrics-dashboard`, and `orphan_revival` coverage); combined targeted rerun passed with 5 files and 98 tests green. | Codex |
| 2026-04-20 | Repaired the mounted watchlist/notify shell batch plus the auditor-workspace signal-input regression edge; targeted rerun passed with `auditor-workspace`, `watchlist-page`, `identity-watchlist-management-ui`, and `notify-panel` at 4 files and 26 tests green. | Codex |
| 2026-04-20 | Repaired the score visualization and patch-list batch by replacing stale signal-input test patterns and jsdom-incompatible click assumptions; targeted reruns passed with `score-ui-display-enhancement`, `score-history-chart`, and `patch-list` at 3 files and 79 tests green. | Codex |
| 2026-04-20 | Repaired the remaining low-cost standalone drift in `freshness-warnings` and `key-detail-panel`; targeted rerun passed with 2 files and 30 tests green. | Codex |
| 2026-04-20 | Repaired the export/replay workflow batch; targeted reruns passed with `audit-pack-export` and `replay-controls` at 2 files and 65 tests green. | Codex |
| 2026-04-20 | Repaired the VEX Hub batch by aligning `vex-create-workflow`, `vex-consensus`, `vex-statement-search`, and `vex-statement-detail-panel` to the current signal-input and standalone component contracts; combined rerun passed with 4 files and 169 tests green. | Codex |
| 2026-04-20 | Repaired shared standalone drift in `proof-tree` and `input-manifest` by aligning truncation, accessibility, and helper expectations to the live component contracts; targeted rerun passed with 2 files and 107 tests green. | Codex |
| 2026-04-20 | Repaired the next admin notifications drift batch in `notification-rule-list` and `admin-notifications`; targeted rerun passed with 2 files and 90 tests green. | Codex |
| 2026-04-20 | Repaired `sources-list` and the focused triage keyboard-shortcuts harness by aligning error/notice assertions and seeding workspace shortcut state without stale render assumptions; targeted rerun passed with 2 files and 35 tests green. | Codex |
| 2026-04-20 | Repaired stale status-icon and settled-view assertions in `registry-capability-matrix` and `delivery-history`; targeted rerun passed with 2 files and 70 tests green. | Codex |
| 2026-04-20 | Repaired the remaining admin notifications configuration/dashboard drift in `throttle-config`, `notification-dashboard`, `delivery-analytics`, `escalation-config`, and `quiet-hours-config`; combined targeted rerun passed with 5 files and 340 tests green. | Codex |
| 2026-04-20 | Repaired the follow-on standalone drift and provider batch in `schema-docs`, `confidence-breakdown`, `registry-check-details`, `chat-message`, `integration-list`, and `triage-workspace`; combined targeted rerun passed with 6 files and 129 tests green. | Codex |
| 2026-04-20 | Repaired the next signal-input/spec-drift batch in `vex-trust-chip`, `vex-trust-popover`, `commit-info`, `ai-justify-panel`, and `proof-chain-viewer`; combined targeted rerun passed with 5 files and 58 tests green. | Codex |
| 2026-04-20 | Repaired `policy-studio`, `score-comparison`, and `configuration-pane` by removing ProxyZone-only flows and isolating JIT-hostile child signal-input contracts in the parent spec; combined targeted rerun passed with 3 files and 90 tests green. | Codex |
| 2026-04-20 | Full Web Vitest rerun remains red; the next failure families are concentrated in `quick-verify-drawer`, `timeline-list`, `vex-hub`, `ai-explain-panel`, `exception-dashboard`, `sbom-diff-view`, `deploy-diff-panel`, `version-proof-popover`, `witness-page`, `findings-container-finding-list-adoption`, `vex-trust-column-in-findings-and-triage-lists`, and smaller expectation drift in `registry-health-card`, `vex-sources-panel`, `scheduler-runs`, `gating-explainer`, `system-settings-page`, `scanner-ops-settings-ui`, and `proof-chain`. | Codex |
| 2026-04-20 | Repaired the VEX Hub follow-on drift in `vex-hub` and `ai-explain-panel` by replacing stale signal-input/ProxyZone test patterns with current standalone contracts; combined targeted rerun passed with 2 files and 28 tests green. | Codex |
| 2026-04-20 | Repaired shared standalone host-contract drift in `timeline-list` and `version-proof-popover`; combined targeted rerun passed with 2 files and 25 tests green after replacing JIT-hostile host bindings and noisy child imports. | Codex |
| 2026-04-20 | Repaired the next low-cost UI expectation batch in `quick-verify-drawer`, `scheduler-runs`, and `system-settings-page`; combined targeted rerun passed with 3 files and 54 tests green. | Codex |
|
||||
| 2026-04-20 | Repaired expectation/harness drift in `gating-explainer` and `registry-health-card`; combined targeted rerun passed with 2 files and 77 tests green after removing stale emoji/Jest assumptions and routing registry input updates through Angular's input path. | Codex |
|
||||
|
||||
## Decisions & Risks
|
||||
- Decision: the full Web suite, not only previously targeted slices, is the verification authority for closing frontend stabilization work.
|
||||
- Risk: the policy-simulation failures appear to be a cross-cutting spec-harness problem rather than isolated product defects, so fixes should be applied deliberately and rerun in targeted clusters before another full-suite pass.
|
||||
- Risk: several failures still look like test-host contract drift rather than runtime regressions; product code changes must remain minimal and should only land where the current shipped component contract is actually wrong.
|
||||
- Decision: for standalone components that now expose signal inputs, tests should prefer direct signal-accessor replacement or host setups aligned to the current contract instead of stale `fixture.componentRef.setInput(...)` patterns that Angular 21 now rejects.
|
||||
- Risk: multiple remaining failures share the same signal-input drift across parent and child components, so partial fixes can leave regression-remediation coverage red until the whole findings/VEX batch is aligned.
|
||||
- Risk: Angular 21 JIT still emits noisy `NG0303` warnings for some stubbed or overridden child bindings even when the targeted behavior passes; these warnings should be cleaned where practical, but they are currently not failing the suite.
|
||||
- Decision: when a parent component spec is blocked by imported child signal-input metadata that JIT does not honor, replace those children with focused standalone stubs in the parent spec rather than mutating shipped runtime code that already AOT-compiles correctly.
|
||||
|
||||
## Next Checkpoints
|
||||
- Repair the setup-wizard harness first because it leaks transport errors into jsdom and blocks confidence in the setup flow.
|
||||
- Close the finding-detail binding cluster next to remove another class of JIT-host breakage.
|
||||
- Then sweep the policy-simulation specs as one consistent ProxyZone-removal batch before rerunning the full suite.
|
||||
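Review bot: The Decision on signal-input tests calls `fixture.componentRef.setInput(...)` a stale pattern that Angular 21 rejects, but the 2026-04-20 log entry for `registry-health-card` records the fix only as "routing registry input updates through Angular's input path" without naming the API. Name the exact mechanism in that log entry, and say what "direct signal-accessor replacement" looks like in a spec, so the next spec repair does not reintroduce the rejected pattern.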
@@ -0,0 +1,90 @@
|
||||
# Sprint 20260421_005_FE - Console Route Identity And Redirect Truth
|
||||
|
||||
## Topic & Scope
|
||||
- Correct route-level defects that make the Console ambiguous or unreachable in local-source QA.
|
||||
- Restore truthful ownership for admin and evidence entry routes before broader UI verification continues.
|
||||
- Strengthen low-identity pages so operators can tell what workspace they are on and what action comes next.
|
||||
- Working directory: `src/Web/StellaOps.Web/`.
|
||||
- Expected evidence: route fixes, retained Playwright coverage, and doc sync to the QA traversal and strategy docs.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Depends on `docs/product/release-with-confidence-product-card.md`.
|
||||
- Depends on `docs/qa/console-ui-traversal-map.md` and `docs/qa/console-ui-qa-strategy.md`.
|
||||
- Safe parallelism: no concurrent writers in `src/Web/StellaOps.Web/` route ownership, auth bootstrap helpers, or admin/evidence navigation contracts.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `docs/qa/console-ui-traversal-map.md`
|
||||
- `docs/qa/console-ui-qa-strategy.md`
|
||||
- `src/Web/AGENTS.md`
|
||||
- `src/Web/StellaOps.Web/src/app/app.routes.ts`
|
||||
- `src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts`
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### FE-ROUTES-001 - Fix console-admin deep-link redirects
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Frontend / Implementer, QA
|
||||
Task description:
|
||||
- Investigate why `/console-admin/*` and `/console/admin/*` redirect to `https://127.0.0.1/...` without the local dev-server port during source-served verification.
|
||||
- Fix the route and base-url behavior so admin deep links remain inside the Console origin and land on the intended admin page.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] `/console-admin/tenants`, `/console-admin/users`, and `/console-admin/roles` resolve inside the current Console origin during local-source QA.
|
||||
- [ ] Retained Playwright coverage asserts final URL origin and route ownership for the admin deep links.
|
||||
|
||||
### FE-ROUTES-002 - Restore evidence route identity
|
||||
Status: DONE
|
||||
Dependency: FE-ROUTES-001
|
||||
Owners: Frontend / Implementer, Product Manager
|
||||
Task description:
|
||||
- Decide and implement the truthful behavior for `/evidence/overview` and `/evidence/capsules`.
|
||||
- If the routes are intentional aliases to Ops > Audit, make that ownership explicit in page identity and docs. If they are meant to remain Evidence surfaces, restore standalone evidence identity and routing.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Evidence entry routes no longer silently collapse into an unrelated workspace.
|
||||
- [ ] Evidence and Audit ownership is explicit in the UI copy and in the retained route coverage.
|
||||
|
||||
### FE-ROUTES-003 - Add stable page identity to weak surfaces
|
||||
Status: TODO
|
||||
Dependency: FE-ROUTES-002
|
||||
Owners: Frontend / Implementer
|
||||
Task description:
|
||||
- Improve the main-panel identity of the weak surfaces found in the 2026-04-21 traversal: dashboard, environments overview, policy packs, advisory sources, triage artifacts, evidence exports, feeds-airgap, doctor, integrations, and tenant-branding.
|
||||
- Use stable headings, page summaries, and truthful primary actions so the operator can immediately understand workspace ownership.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Each weak surface has a stable page-level identity in the main panel.
|
||||
- [ ] The primary action on each page reflects the owning workflow rather than generic shell copy.
|
||||
|
||||
### FE-ROUTES-004 - Align local-source auth bootstrap with the live guard contract
|
||||
Status: DONE
|
||||
Dependency: FE-ROUTES-001
|
||||
Owners: Frontend / Implementer, Test Automation
|
||||
Task description:
|
||||
- Update local-source Playwright and auth helpers so they seed the same persisted auth session contract that `AuthSessionStore` restores at runtime.
|
||||
- Remove or correct misleading comments that imply `window.__stellaopsTestSession` alone is authoritative.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Local-source UI verification can reach protected routes without relying on stale bootstrap assumptions.
|
||||
- [ ] Auth helper comments and retained tests describe the real bootstrap contract.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-04-21 | Sprint created from the authenticated Console traversal findings. | Product Manager |
|
||||
| 2026-04-21 | Narrowed the dev proxy context from `/console` to `/console/`, which keeps `/console-admin/*` inside the SPA origin while preserving `/console/*` API proxying. | Frontend / Implementer |
|
||||
| 2026-04-21 | Restored `/evidence`, `/evidence/overview`, and `/evidence/capsules` as first-class Evidence surfaces and redirected legacy `/evidence/audit-log/export` into `/evidence/exports`. | Frontend / Implementer |
|
||||
| 2026-04-21 | Updated the local-source Playwright auth fixture to seed the persisted `AuthSessionStore` keys and verified the affected routes with focused Vitest and Playwright coverage. | Frontend / Implementer |
|
||||
|
||||
## Decisions & Risks
|
||||
- The confirmed admin-route failure is currently reproducible through `curl -k -I https://127.0.0.1:4400/console-admin/tenants`, which returns a `302` dropping the dev-server port.
|
||||
- Evidence ownership must be explicit. A silent alias from Evidence to Ops/Audit is a product risk unless the UI tells the operator why that handoff occurred.
|
||||
- The user-facing admin workspace remains `/console-admin/*`. `/console/admin/*` stays reserved for Authority admin API traffic and is still proxied as backend namespace, so retained route coverage was corrected to target the real UI surface.
|
||||
- Local-source browser verification of `e2e/**` requires `PLAYWRIGHT_LOCAL_SOURCE=1` and `PLAYWRIGHT_BASE_URL=https://127.0.0.1:4400` so the suite hits the source-served console instead of `https://stella-ops.local`.
|
||||
- References: `docs/qa/console-ui-traversal-map.md`, `docs/qa/console-ui-qa-strategy.md`.
|
||||
|
||||
## Next Checkpoints
|
||||
- Fix admin redirects and re-run the affected route checks.
|
||||
- Resolve Evidence route ownership.
|
||||
- Re-run the weak-identity route inventory after the fixes land.
|
||||
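Review bot: FE-ROUTES-001, FE-ROUTES-002, and FE-ROUTES-004 are marked `Status: DONE` while every completion criterion under them is still `- [ ]`, and Next Checkpoints still lists "Fix admin redirects" and "Resolve Evidence route ownership" as open work. Either tick the criteria with a pointer to the retained Playwright or Vitest evidence, or move the status back. The first Decisions & Risks bullet also says the admin-route failure "is currently reproducible" through the `curl -k -I` check, which conflicts with the 2026-04-21 log entry that narrowed the dev proxy context from `/console` to `/console/`; reword it to past tense and record the post-fix response.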
@@ -0,0 +1,90 @@
|
||||
# Sprint 20260421_006_FE - Release And Security Console Behavioral QA
|
||||
|
||||
## Topic & Scope
|
||||
- Execute route-by-route, tab-by-tab behavioral verification for the release and security surfaces.
|
||||
- Capture retained evidence that proves Stella can explain release readiness, bundle identity, policy gating, and security posture in one coherent Console.
|
||||
- Fix route or tab regressions discovered during the pass when they fall within `src/Web/StellaOps.Web/`.
|
||||
- Working directory: `src/Web/StellaOps.Web/`.
|
||||
- Expected evidence: fresh Playwright run artifacts, route findings, focused fixes, and updated docs when ownership or workflow meaning changes.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Depends on `SPRINT_20260421_005_FE_console_route_identity_and_redirect_truth.md` for route-truth stabilization.
|
||||
- Depends on `docs/qa/console-ui-traversal-map.md` and `docs/qa/console-ui-qa-strategy.md`.
|
||||
- Safe parallelism: keep this sprint focused on release and security routes while another sprint, if staffed, covers Ops, Setup, and Admin surfaces.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `docs/product/release-with-confidence-product-card.md`
|
||||
- `docs/qa/console-ui-traversal-map.md`
|
||||
- `docs/qa/console-ui-qa-strategy.md`
|
||||
- `docs/qa/feature-checks/FLOW.md`
|
||||
- `src/Web/AGENTS.md`
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### FE-QA-REL-001 - Verify Release Control routes
|
||||
Status: DOING
|
||||
Dependency: none
|
||||
Owners: QA, Frontend / Implementer
|
||||
Task description:
|
||||
- Verify `/environments/overview`, `/releases`, `/releases/deployments`, `/releases/bundles`, `/releases/promotions`, and `/releases/approvals`.
|
||||
- Exercise filters, tabs, and empty states and confirm they preserve release meaning instead of generic shell behavior.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] A fresh UI run captures route-level evidence for the Release Control surfaces.
|
||||
- [ ] Approval tabs and release or deployment filters are verified through actual UI interactions.
|
||||
|
||||
### FE-QA-REL-002 - Verify Release Policy surfaces
|
||||
Status: BLOCKED
|
||||
Dependency: FE-QA-REL-001
|
||||
Owners: QA, Frontend / Implementer
|
||||
Task description:
|
||||
- Verify `/ops/policy/packs`, `/ops/policy/governance`, `/ops/policy/vex`, and `/ops/policy/simulation`.
|
||||
- Confirm the policy tab family exposes governance, VEX, simulation, and audit as coherent parts of release decisioning.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Shared policy tabs are traversed and their route handoffs are captured.
|
||||
- [ ] Any missing or weak page identity on policy surfaces is either fixed or recorded as a confirmed defect.
|
||||
|
||||
### FE-QA-SEC-003 - Verify Security surfaces
|
||||
Status: BLOCKED
|
||||
Dependency: FE-QA-REL-002
|
||||
Owners: QA, Frontend / Implementer
|
||||
Task description:
|
||||
- Verify `/security/images`, `/security/risk`, `/security/advisory-sources`, and `/triage/artifacts`.
|
||||
- For Image Security, traverse Summary, Findings, SBOM, Reachability, VEX, and Evidence and confirm the empty state tells the operator what selection is required.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Security tabs and routes are traversed with fresh UI evidence.
|
||||
- [ ] Empty-state copy and next actions are verified as truthful and operator-usable.
|
||||
|
||||
### FE-QA-RELSEC-004 - Retain the new route coverage
|
||||
Status: TODO
|
||||
Dependency: FE-QA-SEC-003
|
||||
Owners: Test Automation
|
||||
Task description:
|
||||
- Convert the route and tab checks from this sprint into retained Playwright coverage.
|
||||
- Update stale navigation assumptions so future runs validate the current navigation contract rather than retired sidebar expectations.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] New or updated Playwright coverage exists for the routes exercised in this sprint.
|
||||
- [ ] The retained suite asserts route ownership and tab behavior rather than only screenshot existence.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-04-21 | Sprint created from the authenticated release and security traversal pass. | Product Manager |
|
||||
| 2026-04-21 | Fixed structural Web regressions in `policy simulation` tab routing and route-specific page-help identity for `release bundles` and `security/risk`; build passed and targeted Vitest route/help checks passed. Fresh live UI replay is blocked in the current runtime because protected routes redirect to `/setup-wizard/wizard` while setup is incomplete. | Frontend / Implementer |
|
||||
| 2026-04-21 | Router blocker cleared under Sprint 008: live frontdoor auth now succeeds again, `/policy/shadow/*` and `/policy/simulations*` no longer fail with `401`, and those compatibility endpoints now return the expected `501` from `policy-engine`, matching direct-service behavior. | QA |
|
||||
| 2026-04-22 | Fixed the hotfix detail runtime regression in `src/Web/StellaOps.Web/src/app/features/releases/hotfix-detail-page.component.ts` by restoring the standalone `UpperCasePipe` import required by the gate outcome badges. Added focused regression coverage in `src/Web/StellaOps.Web/src/tests/release-control/hotfix-detail-page.component.spec.ts`; targeted Vitest pass succeeded. | Frontend / Implementer |
|
||||
|
||||
## Decisions & Risks
|
||||
- Release and security verification must happen before lower-risk setup polish because Stella's core promise is release authority backed by evidence.
|
||||
- The existing local-source harness has auth-bootstrap drift that should be fixed under Sprint 005 before this sprint is executed at full speed.
|
||||
- Current local runtime resolves protected routes through `requireConfigGuard` into `/setup-wizard/wizard` because the served config is not marked `setup=complete`; this blocks the fresh post-fix UI replay for `/releases/*`, `/ops/policy/simulation`, and `/security/risk` even though the route contract and build now pass.
|
||||
- Router transport blockers from port-dropping redirects and regex auth passthrough drift were resolved under [SPRINT_20260421_008_Router_preserve_gateway_https_redirect_port.md](/C:/dev/New folder/git.stella-ops.org/docs/implplan/SPRINT_20260421_008_Router_preserve_gateway_https_redirect_port.md). Remaining QA work should treat any new failures on release or policy pages as page-level or backend-feature issues rather than frontdoor auth failures by default.
|
||||
- References: `docs/qa/console-ui-traversal-map.md`, `docs/qa/console-ui-qa-strategy.md`.
|
||||
|
||||
## Next Checkpoints
|
||||
- Stabilize route truth under Sprint 005.
|
||||
- Run the release and security behavioral pass.
|
||||
- Land retained Playwright coverage for the exercised routes and tabs.
|
||||
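Review bot: The Sprint 008 link in Decisions & Risks targets an absolute workstation path, `/C:/dev/New folder/git.stella-ops.org/docs/implplan/...`, with an unencoded space, so it will not resolve for other readers and it discloses a local directory layout. Replace it with a repo-relative path under `docs/implplan/`. Separately, FE-QA-REL-002 and FE-QA-SEC-003 are `BLOCKED` without naming a blocker: the log says the router blocker cleared, while Decisions & Risks says the `requireConfigGuard` redirect to `/setup-wizard/wizard` still blocks the replay, so state the actual blocker in each task.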
@@ -0,0 +1,93 @@
|
||||
# Sprint 20260421_007_FE - Evidence Ops Setup Admin Console Behavioral QA
|
||||
|
||||
## Topic & Scope
|
||||
- Execute the next behavioral QA pass for Evidence, Ops, Setup, and Admin surfaces.
|
||||
- Confirm that audit, replay, feed, diagnostics, trust, integrations, and admin entry points remain truthful and reachable.
|
||||
- Fix Web-only regressions discovered during the pass, including route identity, tab ownership, and broken handoffs.
|
||||
- Working directory: `src/Web/StellaOps.Web/`.
|
||||
- Expected evidence: fresh Playwright route and tab artifacts, confirmed defects or fixes, and docs updates when ownership changes.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Depends on `SPRINT_20260421_005_FE_console_route_identity_and_redirect_truth.md`.
|
||||
- Depends on `docs/qa/console-ui-traversal-map.md` and `docs/qa/console-ui-qa-strategy.md`.
|
||||
- Safe parallelism: can run in parallel with Sprint 006 once Sprint 005 has stabilized the core route contract.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `docs/qa/console-ui-traversal-map.md`
|
||||
- `docs/qa/console-ui-qa-strategy.md`
|
||||
- `docs/qa/feature-checks/FLOW.md`
|
||||
- `docs/UI_GUIDE.md`
|
||||
- `src/Web/AGENTS.md`
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### FE-QA-EVID-001 - Verify Evidence surfaces
|
||||
Status: DOING
|
||||
Dependency: none
|
||||
Owners: QA, Frontend / Implementer
|
||||
Task description:
|
||||
- Verify `/evidence/overview`, `/evidence/audit-log`, `/evidence/verify-replay`, `/evidence/exports`, and `/evidence/capsules`.
|
||||
- Confirm which surfaces are true Evidence pages, which are intentional aliases, and whether the UI keeps evidence identity visible after the handoff.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Evidence routes are traversed with fresh UI evidence.
|
||||
- [ ] Any alias behavior is either confirmed as intentional and understandable or fixed as a defect.
|
||||
|
||||
### FE-QA-OPS-002 - Verify Ops surfaces
|
||||
Status: BLOCKED
|
||||
Dependency: FE-QA-EVID-001
|
||||
Owners: QA, Frontend / Implementer
|
||||
Task description:
|
||||
- Verify `/ops/operations/jobengine`, `/ops/operations/feeds-airgap`, `/ops/operations/doctor`, `/ops/operations/audit`, and `/ops/scripts`.
|
||||
- Exercise JobEngine and Audit tabs, and confirm feed and diagnostic pages expose operator-specific identity and next actions.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] JobEngine and Audit tabs are verified through actual UI interactions.
|
||||
- [ ] Feeds and Doctor surfaces either expose clear identity and actions or are logged as confirmed weak-identity defects.
|
||||
|
||||
### FE-QA-SETUP-003 - Verify Setup and Admin surfaces
|
||||
Status: BLOCKED
|
||||
Dependency: FE-QA-OPS-002
|
||||
Owners: QA, Frontend / Implementer
|
||||
Task description:
|
||||
- Verify `/setup`, `/setup/integrations`, `/setup/trust-signing`, `/setup/identity-providers`, `/setup/tenant-branding`, and the `/console-admin/*` family.
|
||||
- For Trust Signing, traverse Signing Keys, Trusted Issuers, Certificates, and Audit. For admin routes, assert that redirects preserve the Console origin and land on the intended page.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Trust Signing tabs are covered with fresh UI evidence.
|
||||
- [ ] Setup and Admin route handoffs are verified and admin deep-link regressions are fixed or confirmed with root cause.
|
||||
|
||||
### FE-QA-EVIDOPS-004 - Retain the new Evidence and Ops coverage
|
||||
Status: TODO
|
||||
Dependency: FE-QA-SETUP-003
|
||||
Owners: Test Automation
|
||||
Task description:
|
||||
- Convert the manual traversal into retained Playwright coverage for the routes and tabs exercised in this sprint.
|
||||
- Ensure future suites catch Evidence alias regressions, Ops tab regressions, and admin-origin regressions automatically.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] New or updated Playwright coverage exists for the Evidence, Ops, Setup, and Admin surfaces in scope.
|
||||
- [ ] The retained coverage asserts route identity and corrective-action ownership rather than only page load success.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-04-21 | Sprint created from the authenticated evidence, ops, setup, and admin traversal pass. | Product Manager |
|
||||
| 2026-04-21 | Unified audit ownership on the Web side so `/evidence/audit-log` now loads the dashboard shell, legacy audit child URLs resolve back into the canonical audit tabs, `/ops/operations/audit` redirects to the Evidence canonical route, and `/console-admin/*` now resolves route-specific help keys. Build passed and targeted Vitest route/help checks passed. Fresh live UI replay is blocked in the current runtime because protected routes redirect to `/setup-wizard/wizard` while setup is incomplete. | Frontend / Implementer |
|
||||
| 2026-04-21 | Router blocker cleared under Sprint 008: live frontdoor auth and redirect handling are healthy again, so the next Evidence, Ops, Setup, and Admin pass should start from page behavior rather than bootstrap transport failures. | QA |
|
||||
| 2026-04-22 | Aligned the Notifications -> Watchlist handoff with the canonical owner surface by linking directly to `/ops/operations/watchlist/{alerts,tuning}`, preserving `returnTo`, mounting `watchlist/:tab` under Operations, and preserving legacy `/setup/trust-signing/watchlist/:sub` intent during redirect. Focused Vitest coverage passed for `notify-panel.component.spec.ts` and `route-surface-ownership.spec.ts`; a rebuilt live bundle now verifies both watchlist handoff links reach the correct owner tabs. | Frontend / Implementer |
|
||||
| 2026-04-22 | Collapsed `/setup/notifications/config/*` runtime-unavailable ownership into the dashboard shell by introducing a feature-local runtime state shared with the config tabs. Focused Vitest coverage passed for the dashboard plus quiet-hours, overrides, escalation, and throttle specs (`334` tests). Rebuilt live UI replay now shows a single truthful runtime-unavailable alert on each config tab while the underlying `/api/v1/notifier/*` 404s remain reproducible backend readiness gaps. | Frontend / Implementer |
|
||||
|
||||
## Decisions & Risks
|
||||
- Evidence routes are high-risk because silent aliasing can make operators think they are reviewing evidence when they are actually in a generic audit workspace.
|
||||
- Admin-route failures must be classified carefully: the current local-source run shows a reproducible port-dropping redirect for `/console-admin/tenants`, which should be fixed before the full admin QA pass is considered trustworthy.
|
||||
- Current local runtime resolves protected routes through `requireConfigGuard` into `/setup-wizard/wizard` because the served config is not marked `setup=complete`; this blocks the fresh post-fix UI replay for `/evidence/audit-log`, `/ops/operations/audit`, and `/console-admin/*` even though the canonical route contract and build now pass.
|
||||
- Router HTTPS redirect and regex auth passthrough defects were resolved under [SPRINT_20260421_008_Router_preserve_gateway_https_redirect_port.md](/C:/dev/New folder/git.stella-ops.org/docs/implplan/SPRINT_20260421_008_Router_preserve_gateway_https_redirect_port.md). Remaining evidence/admin failures should be triaged as route guards, page ownership, or backend readiness issues unless a fresh frontdoor transport symptom is reproduced.
|
||||
- The refreshed live notifications recheck now proves the watchlist handoff contract is correct, but it also exposes real backend gaps on `/setup/notifications`: multiple admin reads return `404` from `/api/v1/notifier/*` (`channels`, `deliveries/stats`, `quiet-hours`, `overrides`, `escalation-policies`, `throttle-configs`). Those are service-readiness or route-surface gaps, not browser-transport failures.
|
||||
- The duplicate setup-notifications error banner was a Web ownership defect, not a backend defect. The shell now owns environment-level Notifier runtime-unavailable messaging for the config surfaces, so future triage should treat any reappearance of duplicate config alerts as a frontend regression.
|
||||
- References: `docs/qa/console-ui-traversal-map.md`, `docs/qa/console-ui-qa-strategy.md`.
|
||||
|
||||
## Next Checkpoints
|
||||
- Re-run Evidence and Admin entry routes after Sprint 005 lands.
|
||||
- Execute the full Evidence, Ops, Setup, and Admin behavioral pass.
|
||||
- Retain the exercised route and tab coverage in Playwright.
|
||||
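Review bot: Decisions & Risks contradicts itself on the admin redirect. The second bullet says the current local-source run shows a reproducible port-dropping redirect for `/console-admin/tenants` "which should be fixed", while the fourth bullet and the 2026-04-21 QA log entry say the redirect defect was resolved under Sprint 008. Update or drop the stale bullet. The `/api/v1/notifier/*` `404` responses are classified as service-readiness or route-surface gaps but no owning sprint or task is referenced; add one so the gap is tracked. The Sprint 008 link here also uses the absolute `/C:/dev/New folder/...` path with an unencoded space and should be repo-relative.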
@@ -0,0 +1,129 @@
|
||||
# Sprint 20260422_003 - Concelier Source Credential Entry Paths
|
||||
|
||||
## Topic & Scope
|
||||
- Replace env-only/operator-host-only credential handling for advisory source connectors with persisted source settings that can be supplied through StellaOps UI and CLI flows.
|
||||
- Add explicit source configuration contracts for credentialed connectors so enable/check/sync surfaces can explain what is missing and what is already retained without leaking secrets.
|
||||
- Extend operator surfaces to configure advisory source credentials from the advisory/VEX console and setup-adjacent flows, then document the vendor login and credential acquisition steps.
|
||||
- Working directory: `src/Concelier`.
|
||||
- Expected evidence: backend/API contracts, persisted runtime configuration wiring, focused Web/CLI entry paths, updated docs, and targeted tests.
|
||||
- Cross-module touchpoints explicitly allowed for this sprint:
|
||||
- `src/Web/StellaOps.Web/**`
|
||||
- `src/Cli/StellaOps.Cli/**`
|
||||
- `docs/modules/concelier/**`
|
||||
- `docs/modules/cli/**`
|
||||
- `docs/UI_GUIDE.md`
|
||||
- `docs/README.md`
|
||||
- `docs/implplan/**`
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Depends on the completed runtime-alignment work in [SPRINT_20260421_003_Concelier_advisory_connector_runtime_alignment.md](/C:/dev/New%20folder/git.stella-ops.org/docs/implplan/SPRINT_20260421_003_Concelier_advisory_connector_runtime_alignment.md).
|
||||
- Safe parallelism: keep backend credential/runtime work centered in `src/Concelier`, Web changes centered in `src/Web/StellaOps.Web`, CLI changes centered in `src/Cli/StellaOps.Cli`, and docs aligned only after the contracts settle.
|
||||
- The repo worktree is already dirty; edits in touched files must preserve unrelated in-flight changes.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- [docs/README.md](/C:/dev/New%20folder/git.stella-ops.org/docs/README.md)
|
||||
- [docs/07_HIGH_LEVEL_ARCHITECTURE.md](/C:/dev/New%20folder/git.stella-ops.org/docs/07_HIGH_LEVEL_ARCHITECTURE.md)
|
||||
- [docs/modules/platform/architecture-overview.md](/C:/dev/New%20folder/git.stella-ops.org/docs/modules/platform/architecture-overview.md)
|
||||
- [docs/modules/concelier/architecture.md](/C:/dev/New%20folder/git.stella-ops.org/docs/modules/concelier/architecture.md)
|
||||
- [docs/modules/concelier/connectors.md](/C:/dev/New%20folder/git.stella-ops.org/docs/modules/concelier/connectors.md)
|
||||
- [docs/modules/cli/architecture.md](/C:/dev/New%20folder/git.stella-ops.org/docs/modules/cli/architecture.md)
|
||||
- [docs/UI_GUIDE.md](/C:/dev/New%20folder/git.stella-ops.org/docs/UI_GUIDE.md)
|
||||
- [src/Concelier/AGENTS.md](/C:/dev/New%20folder/git.stella-ops.org/src/Concelier/AGENTS.md)
|
||||
- [src/Web/AGENTS.md](/C:/dev/New%20folder/git.stella-ops.org/src/Web/AGENTS.md)
|
||||
- [src/Cli/AGENTS.md](/C:/dev/New%20folder/git.stella-ops.org/src/Cli/AGENTS.md)
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### SRC-CREDS-001 - Add persisted advisory source configuration contracts
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer / Implementer
|
||||
Task description:
|
||||
- Concelier already persists arbitrary source config JSON, but the operator-facing source management contract only exposes env-var hints and the runtime only validates startup-bound options. Introduce a first-class source configuration contract that describes editable fields, retained secret state, and source-specific readiness requirements for credentialed connectors.
|
||||
- The resulting API must let UI and CLI surfaces fetch source config metadata, submit updates without requiring env vars, and distinguish between missing values, retained secrets, and source defaults without echoing secret values back to callers.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Source-management API exposes source-specific config schema and retained-secret state for credentialed connectors.
|
||||
- [x] Persisted source config updates can be written without using environment variables.
|
||||
- [x] Existing enable/check/sync surfaces use the new persisted config readiness model instead of env-only messages.
|
||||
|
||||
### SRC-CREDS-002 - Wire persisted source settings into connector runtime
|
||||
Status: DONE
|
||||
Dependency: SRC-CREDS-001
|
||||
Owners: Developer / Implementer, QA
|
||||
Task description:
|
||||
- Credential entry paths are only useful if live connector runtime reads the persisted values. Refactor the affected connectors and support services so GHSA, Cisco, MSRC, Oracle, and any source touched in this sprint resolve runtime settings from persisted source config with safe fallbacks for existing host-bound options.
|
||||
- The runtime contract must support secret retention, minimal hot-reload semantics for operator changes, and deterministic readiness diagnostics.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Credentialed connectors can run from persisted source config supplied through Concelier APIs.
|
||||
- [x] Startup-bound options remain compatibility fallbacks rather than the only supported path.
|
||||
- [x] Targeted tests cover at least one persisted-config readiness path per credentialed source family.
|
||||
|
||||
### SRC-CREDS-003 - Expose advisory source credential entry in Web and CLI
|
||||
Status: DONE
|
||||
Dependency: SRC-CREDS-001
|
||||
Owners: Developer / Implementer, Documentation author
|
||||
Task description:
|
||||
- Add operator-facing entry paths so source credentials can be supplied without editing env files. The Web advisory/VEX source catalog should expose editable source settings for connectors that require credentials or explicit URIs, and the CLI should gain matching commands that drive the same backend API.
|
||||
- UI/CLI behavior must preserve the backend truth model, indicate when a secret is retained server-side, and avoid forcing users to re-enter secrets on unrelated edits.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Web advisory-source management surface can view/edit persisted source config and retained-secret state.
|
||||
- [x] Setup-adjacent source flows no longer imply env-only remediation for credentialed connectors.
|
||||
- [x] CLI offers source config inspection/update commands against the backend API.
|
||||
|
||||
### SRC-CREDS-004 - Document credential acquisition and Adobe/Chromium follow-through
|
||||
Status: DONE
|
||||
Dependency: SRC-CREDS-002
|
||||
Owners: Documentation author, QA
|
||||
Task description:
|
||||
- Write operator documentation under `docs/` that explains where to sign in for each supported credentialed source, what credential type to create, whether the source is paywall/partner limited, and where the new UI/CLI entry paths live.
|
||||
- Continue the Adobe/Chromium follow-through by validating that the canonical source docs and runtime surfaces remain aligned after the credential-path changes, then capture the test evidence in this sprint.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Docs describe the new UI/CLI credential entry paths and retained-secret behavior.
|
||||
- [x] Docs list the official operator login destinations and required credential types for supported credentialed sources.
|
||||
- [x] Adobe/Chromium source docs/runtime verification is rechecked after the credential-path rollout.
|
||||
|
||||
### SRC-CREDS-005 - Surface blocked schedule state for credential-gated sources
|
||||
Status: DOING
|
||||
Dependency: SRC-CREDS-002
|
||||
Owners: Developer / Implementer, Documentation author
|
||||
Task description:
|
||||
- Credential-gated sources can now be configured through the product, but the steady-state source status still collapses "enabled but waiting on credentials" into a generic failed/disabled shape. Split persisted enablement from runtime readiness so the product can show an explicit blocked or sleeping state while preserving operator intent.
|
||||
- Sync attempts for blocked sources must explain that credentials or required URIs are missing instead of looking like a generic scheduler failure. The source-management API, focused tests, and operator docs all need to align on the blocked-state contract.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Source status responses preserve persisted enablement while exposing an explicit blocked readiness state and reason.
|
||||
- [ ] Sync attempts for blocked sources report a blocked outcome with the missing-configuration reason attached.
|
||||
- [ ] Docs explain the blocked or sleeping state for credential-gated sources.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-04-22 | Sprint created to replace env-only advisory source credential handling with persisted UI/CLI configuration paths and runtime-backed connector readiness. | Codex |
|
||||
| 2026-04-22 | Added persisted source-configuration schemas and runtime overlays for GHSA, Cisco, Microsoft, Oracle, Adobe, and Chromium so source settings can be supplied through Concelier rather than only through host env/yaml. | Codex |
|
||||
| 2026-04-22 | Updated Web and CLI operator surfaces plus Concelier/CLI/UI documentation with login destinations, credential types, retained-secret behavior, and Adobe/Chromium public-endpoint guidance. | Codex |
|
||||
| 2026-04-22 | Verification: `dotnet build src/Concelier/StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj -v minimal` succeeded; targeted xUnit helper run for 4 source-configuration methods passed (`Total: 4, Failed: 0`); `npm run build` in `src/Web/StellaOps.Web` succeeded. | Codex |
|
||||
|
||||
## Decisions & Risks
|
||||
- Decision: source credentials must be operator-supplied through StellaOps UI and CLI paths, with environment variables retained only as backward-compatible fallbacks.
|
||||
- Risk: MSRC and other singleton services currently cache startup-bound options, so persisted-config support requires refactoring the runtime settings resolution path instead of adding a thin API-only layer.
|
||||
- Risk: some upstream programs may require vendor accounts, approval, or terms acceptance even if StellaOps supports the connector path; docs must distinguish product integration support from upstream entitlement.
|
||||
- Decision: Adobe and Chromium now expose the same persisted UI/CLI configuration path as the credentialed connectors so mirrored public endpoints are no longer env-only overrides.
|
||||
- Decision: `additionalIndexUris` is normalized like the other multi-URI fields, so CLI and UI comma or semicolon input converges to a stable persisted shape.
|
||||
- Web fetch audit (user-requested upstream credential research):
|
||||
- `https://docs.github.com/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token` - confirm current GitHub PAT creation path and policy notes.
|
||||
- `https://docs.github.com/en/enterprise-cloud@latest/rest/security-advisories/global-advisories` - confirm GHSA REST authentication expectations and anonymous/fine-grained token support.
|
||||
- `https://docs.github.com/articles/authorizing-a-personal-access-token-for-use-with-a-saml-single-sign-on-organization` - confirm SSO authorization requirement for PAT-backed org access.
|
||||
- `https://developer.cisco.com/docs/psirt/authentication/` - confirm Cisco PSIRT openVuln app registration flow, grant type, and token issuance pattern.
|
||||
- `https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app` - confirm Microsoft Entra app registration flow and IDs operators need to capture.
|
||||
- `https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-credentials` - confirm Microsoft client secret creation flow and current Microsoft guidance.
|
||||
- `https://www.oracle.com/security-alerts/`, `https://helpx.adobe.com/security/security-bulletin.html`, `https://chromereleases.googleblog.com/atom.xml` - confirm Oracle, Adobe, and Chromium default public entry points remain unauthenticated.
|
||||
- Residual risk: the broader `AdvisorySourceEndpointsTests` class contains unrelated legacy failures outside this feature slice when run wholesale, so QA evidence for this sprint is the repo-approved targeted xUnit run against the exact connector-configuration methods rather than a class-wide pass count.
|
||||
|
||||
## Next Checkpoints
|
||||
- 2026-04-22: land backend source configuration contracts and persisted runtime settings.
|
||||
- 2026-04-22: expose matching Web/CLI entry paths and update operator docs.
|
||||
- 2026-04-22: run targeted verification for credentialed connectors plus Adobe/Chromium regression checks.
|
||||
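Review bot: The completion criteria at the top of this span (Web surface can "view/edit persisted source config and retained-secret state", CLI offers "source config inspection/update commands") never state that a stored secret value is kept out of API responses, the Web view and CLI output. Add an explicit criterion, with a targeted test, that inspection returns only a retained/not-retained indicator. In Decisions & Risks, the first decision keeps environment variables as "backward-compatible fallbacks" without saying which value wins when both a persisted setting and an environment variable exist; state the precedence so operators can tell which credential a connector is actually using. SRC-CREDS-005 is marked DOING but has no Execution Log row and no entry under Next Checkpoints, whose three items are all dated 2026-04-22, the same day the sprint was created.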