Frontend gaps fill work. Testing fixes work. Auditing in progress.
@@ -28,9 +28,9 @@
* **State**: Angular **Signals** + `@ngrx/signals` store for cross‑page slices.
* **Transport**: `fetch` + RxJS interop; **SSE** (EventSource) for progress streams.
* **Build**: Angular CLI + Vite builder.
* **Testing**: Jest + Testing Library, Playwright for e2e.
* **Packaging**: Containerized NGINX (immutable assets, ETag + content hashing).
* **Observability docs**: runbook + Grafana JSON stub in `operations/observability.md` and `operations/dashboards/console-ui-observability.json` (offline import).
* **Testing**: Jest + Testing Library, Playwright for e2e.
* **Packaging**: Containerized NGINX (immutable assets, ETag + content hashing).
* **Observability docs**: runbook + Grafana JSON stub in `operations/observability.md` and `operations/dashboards/console-ui-observability.json` (offline import).

---

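Review bot: the Testing, Packaging and Observability docs bullets appear in both the old and new columns with identical text, so the change to those three lines looks like whitespace or line-ending normalization only. If that is intended, say so in the commit message (it currently reads "Frontend gaps fill work. Testing fixes work.") or move the normalization into its own commit so the substantive edits in this change can be reviewed on their own.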
@@ -44,9 +44,9 @@
├─ scans/ # scan list, detail, SBOM viewer, diff-by-layer, EntryTrace
├─ runtime/ # Zastava posture, drift events, admission decisions
├─ policy/ # rules editor (YAML/Rego), exemptions, previews
├─ vex/ # VEX explorer (claims, consensus, conflicts)
├─ triage/ # vulnerability triage (artifact-first), VEX decisions, audit bundles
├─ concelier/ # source health, export cursors, rebuild/export triggers
├─ vex/ # VEX explorer (claims, consensus, conflicts)
├─ triage/ # vulnerability triage (artifact-first), VEX decisions, audit bundles
├─ concelier/ # source health, export cursors, rebuild/export triggers
├─ attest/ # attestation proofs, verification bundles, Rekor links
├─ admin/ # tenants, roles, clients, quotas, licensing posture
└─ plugins/ # route plug-ins (lazy remote modules, governed)
@@ -107,24 +107,80 @@ Each feature folder builds as a **standalone route** (lazy loaded). All HTTP sha
* **Proofs list**: last 7 days Rekor entries; filter by kind (sbom/report/vex).
* **Verification**: paste UUID or upload bundle → verify; result with explanations (chain, Merkle path).

### 3.8 Admin

* **Tenants/Installations**: view/edit, isolation hints.
* **Clients & roles**: Authority clients, role→scope mapping, rotation hints.
* **Quotas**: per license plan, counters, throttle events.
* **Licensing posture**: last PoE introspection snapshot (redacted), release window.
* **Branding**: tenant logo, title, and theme tokens with preview/apply (fresh-auth).

### 3.9 Vulnerability triage (VEX-first)

* **Routes**: `/triage/artifacts`, `/triage/artifacts/:artifactId`, `/triage/audit-bundles`, `/triage/audit-bundles/new`.
* **Workspace**: artifact-first split layout (finding cards on the left; explainability tabs on the right: Overview, Reachability, Policy, Attestations).
* **VEX decisions**: evidence-first VEX modal with scope + validity + evidence links; bulk apply supported; uses `/v1/vex-decisions`.
* **Audit bundles**: "Create immutable audit bundle" UX to build and download an evidence pack; uses `/v1/audit-bundles`.
* **Schemas**: `docs/schemas/vex-decision.schema.json`, `docs/schemas/attestation-vuln-scan.schema.json`, `docs/schemas/audit-bundle-index.schema.json`.
* **Reference**: `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`.

---
### 3.8 Admin

* **Tenants/Installations**: view/edit, isolation hints.
* **Clients & roles**: Authority clients, role→scope mapping, rotation hints.
* **Quotas**: per license plan, counters, throttle events.
* **Licensing posture**: last PoE introspection snapshot (redacted), release window.
* **Branding**: tenant logo, title, and theme tokens with preview/apply (fresh-auth).

### 3.9 Vulnerability triage (VEX-first)

* **Routes**: `/triage/artifacts`, `/triage/artifacts/:artifactId`, `/triage/audit-bundles`, `/triage/audit-bundles/new`.
* **Workspace**: artifact-first split layout (finding cards on the left; explainability tabs on the right: Overview, Reachability, Policy, Attestations).
* **VEX decisions**: evidence-first VEX modal with scope + validity + evidence links; bulk apply supported; uses `/v1/vex-decisions`.
* **Audit bundles**: "Create immutable audit bundle" UX to build and download an evidence pack; uses `/v1/audit-bundles`.
* **Schemas**: `docs/schemas/vex-decision.schema.json`, `docs/schemas/attestation-vuln-scan.schema.json`, `docs/schemas/audit-bundle-index.schema.json`.
* **Reference**: `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`.

### 3.10 Integration Hub (Sprint 011)

* **Routes**: `/integrations`, `/integrations/:id`, `/integrations/activity`.
* **Navigation placement**: Under Ops for operators; advanced settings under Admin > Integrations.
* **Integration types**: SCM (GitHub/GitLab/Gitea), CI (GitHub Actions/GitLab CI/Jenkins), Registry (Docker Hub/Harbor/ECR/ACR/GCR/GHCR), Hosts (Zastava observer), Feeds (Concelier/Excititor mirrors), Artifacts (SBOM/VEX uploads).
* **List view**:
- KPI strip: total integrations, active, degraded, failed.
- Filters: type chips, status, provider, owner, search.
- Table columns: name, provider, type, status badge, last sync, owner, actions.
- CTA: "Add Integration" button.
* **Detail view**:
- Summary header: status badge, type, provider, last test timestamp.
- Tabs: Overview, Health, Activity, Permissions, Secrets (AuthRef), Webhooks, Inventory.
- Actions: Test Connection, Edit, Pause/Resume, Delete.
* **Activity view**:
- Chronological timeline of all integration events.
- Filters: event type, integration, date range.
- Event types: created, updated, deleted, test_success, test_failure, health_ok, health_degraded, health_failed, paused, resumed, credential_rotated, sync_started, sync_completed, sync_failed.
- Stats: total events, success count, warning count, failure count.
- Auto-refresh every 30 seconds.
* **Role gating**: `integrations.read` for list/detail; `integrations.admin` for CRUD and test actions.
* **API backend**: `src/Integrations/StellaOps.Integrations.WebService` providing CRUD, test, trigger, pause/resume endpoints.
* **Credentials**: All secrets via AuthRef URIs only; no raw credentials stored in UI state.

### 3.11 Integration Wizard (Sprint 014)

* **Routes**: Wizard is modal-based, launched from Integration Hub via "Add Integration" CTA.
* **Location**: `src/Web/StellaOps.Web/src/app/features/integrations/integration-wizard.component.ts`.
* **Wizard steps**:
1. **Provider selection**: Choose provider from type-specific lists (registry, SCM, CI, host).
2. **Authentication**: Configure auth method with AuthRef-managed credentials.
3. **Scope**: Define repository/branch/namespace filters.
4. **Schedule**: Set sync schedule (manual, interval, cron).
5. **Preflight checks**: Run connection tests with detailed failure states.
6. **Review**: Summary and create confirmation.
* **Provider profiles**:
- **Registry**: Docker Hub, Harbor, ECR, ACR, GCR, GHCR with type-specific auth (basic, token, IAM).
- **SCM**: GitHub, GitLab, Gitea with OAuth apps or PAT auth.
- **CI**: GitHub Actions, GitLab CI, Gitea Actions with webhook configuration.
- **Host**: Kubernetes, VM, Baremetal with agent install templates.
* **Auth methods**: Token, OAuth, Service Account, API Key depending on provider.
* **Copy-safe UX**:
- Webhook URLs and secrets are copy-button enabled.
- Secret fields use `type="password"` with reveal toggle.
- Setup instructions are Markdown-formatted and copy-safe.
* **Preflight checks**:
- Network connectivity validation.
- Credential verification.
- Permission/scope sufficiency checks.
- Provider-specific health probes.
* **Host wizard additions** (Sprint 014 extension):
- Kernel/privilege preflight checks for eBPF/ETW observers.
- Helm and systemd install templates.
- Agent download and registration flow.
* **Models**: `integration.models.ts` defines `IntegrationDraft`, `IntegrationProvider`, `WizardStep`, `PreflightCheck`, `AuthMethod`, and provider constants.

---

## 4) Auth, sessions & RBAC

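Review bot: sections 3.10 and 3.11 make two statements about secrets that need reconciling. 3.10 says "All secrets via AuthRef URIs only; no raw credentials stored in UI state", while 3.11 says "Webhook URLs and secrets are copy-button enabled" and "Secret fields use `type="password"` with reveal toggle", which implies plaintext secret values are present in the wizard component at least transiently. State explicitly which values may be held client-side (an AuthRef handle versus, say, a webhook signing secret shown once at creation) and for how long, and say whether reveal and copy actions are audited: the Activity view's event-type list (created ... credential_rotated ... sync_failed) has no event for a secret being revealed or copied. Minor: "Preflight checks" is both wizard step 5 and a separate bullet list; merge them or cross-reference one from the other.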
@@ -156,11 +212,13 @@ Each feature folder builds as a **standalone route** (lazy loaded). All HTTP sha
* **SSE** helper (EventSource) with auto‑reconnect & backpressure.
* **DPoP** injector & nonce handling.

* Typed API clients (DTOs in `core/api/models.ts`):

* `ScannerApi`, `PolicyApi`, `ExcititorApi`, `ConcelierApi`, `AttestorApi`, `AuthorityApi`.

**DTO examples (abbrev):**
* Typed API clients (DTOs in `core/api/models.ts`):

* `ScannerApi`, `PolicyApi`, `ExcititorApi`, `ConcelierApi`, `AttestorApi`, `AuthorityApi`.

* **Offline-first UX**: Ops dashboards must display a "data as of" banner with staleness thresholds when serving cached snapshots.

**DTO examples (abbrev):**

```ts
export type ImageDigest = `sha256:${string}`;
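Review bot: the new "Offline-first UX" bullet is inserted between the typed API client list (`ScannerApi`, `PolicyApi`, ...) and the "DTO examples (abbrev):" heading, where it reads as one more API-client entry rather than a UX requirement; move it to a UX or offline-operation paragraph, or keep it here only if it describes a shared helper like the SSE and DPoP entries above it. "staleness thresholds" also needs concrete values or a pointer to where they are configured, otherwise the "data as of" banner requirement cannot be tested.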
@@ -238,16 +296,16 @@ export interface NotifyDelivery {
* **A11y**: WCAG 2.2 AA; keyboard navigation, focus management, ARIA roles; color‑contrast tokens verified by unit tests.
* **I18n**: Angular i18n + runtime translation loader (`/locales/{lang}.json`); dates/numbers localized via `Intl`.
* **Languages**: English default; Bulgarian, German, Japanese as initial additions.
* **Theming**: dark/light via CSS variables; persisted in `prefers-color-scheme` aware store.
* **Branding**: tenant-scoped theme tokens and logo pulled from Authority `/console/branding` after login.
* **Theming**: dark/light via CSS variables; persisted in `prefers-color-scheme` aware store.
* **Branding**: tenant-scoped theme tokens and logo pulled from Authority `/console/branding` after login.

---

## 10) Performance budgets

* **SBOM Graph overlays**: maintain >= 45 FPS pan/zoom/hover up to ~2,500 nodes / 10,000 edges (baseline laptop); degrade via LOD + sampling above this.
* **Reachability halo limits**: cap visible halos to <= 2,000 at once; beyond this, aggregate (counts/heat) and require zoom-in or filtering to expand.

## 10) Performance budgets

* **SBOM Graph overlays**: maintain >= 45 FPS pan/zoom/hover up to ~2,500 nodes / 10,000 edges (baseline laptop); degrade via LOD + sampling above this.
* **Reachability halo limits**: cap visible halos to <= 2,000 at once; beyond this, aggregate (counts/heat) and require zoom-in or filtering to expand.

* **TTI** ≤ 1.5 s on 4G/slow CPU (first visit), ≤ 0.6 s repeat (HTTP/2, cached).
* **JS** initial < 300 KB gz (lazy routes).
* **SBOM list**: render 10k rows in < 70 ms with virtualization; filter in < 150 ms.

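Review bot: the "Branding" bullet says tenant-scoped theme tokens and the logo are pulled from Authority `/console/branding` after login, and the "Theming" bullet applies tokens as CSS variables; since these values are tenant-supplied and end up in the shared console shell, document that they are validated before being applied (allow-listed token names, restricted value syntax, logo content type and size) rather than injected as received. Separately, the "## 10) Performance budgets" heading and its first two bullets (SBOM Graph overlays, Reachability halo limits) appear twice in this hunk; if that is not just the side-by-side rendering of a modified region, the final file should keep a single copy.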