stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules

Browse Source 
- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.
This commit is contained in:
master
2025-10-30 00:09:39 +02:00
parent 3154c67978
commit 7b5bdcf4d3
503 changed files with 16136 additions and 54638 deletions
Download Patch File Download Diff File Expand all files Collapse all files

348
docs/ui/admin.md
View File

@@ -1,174 +1,174 @@
# StellaOps Console - Admin Workspace
> **Audience:** Authority Guild, Console admins, support engineers, tenant operators.
> **Scope:** Tenant management, role mapping, token lifecycle, integrations, fresh-auth prompts, security guardrails, offline behaviour, and compliance checklist for Sprint 23.
The Admin workspace centralises Authority-facing controls: tenants, roles, API clients, tokens, and integrations. It surfaces RBAC mappings, token issuance logs, and bootstrap flows with the same offline-first guarantees as the rest of the console.
---
## 1. Access and prerequisites
- **Route:** `/console/admin` with sub-routes for tenants, users, roles, tokens, integrations, audit, and bootstrap.
- **Scopes:**
- `ui.admin` (base access)
- `authority:tenants.read` / `authority:tenants.write`
- `authority:roles.read` / `authority:roles.write`
- `authority:tokens.read` / `authority:tokens.revoke`
- `authority:clients.read` / `authority:clients.write`
- `authority:audit.read` (view audit trails)
- **Fresh-auth:** Sensitive actions (token revoke, bootstrap key issue, signing key rotation) require fresh-auth challenge.
- **Dependencies:** Authority service (`/internal/*` APIs), revocation export, JWKS, licensing posture endpoint, integration config store.
---
## 2. Layout overview
```
+--------------------------------------------------------------------+
| Header: Tenant picker - environment badge - security banner |
+--------------------------------------------------------------------+
| Tabs: Tenants | Roles & Scopes | Users & Tokens | Integrations | Audit |
+--------------------------------------------------------------------+
| Sidebar: Quick actions (Invite user, Create client, Export revocations)
| Main panel varies per tab |
+--------------------------------------------------------------------+
```
The header includes offline status indicator and link to Authority health page.
---
## 3. Tenants tab
| Field | Description |
|-------|-------------|
| **Tenant ID** | Lowercase slug used in tokens and client registrations. |
| **Display name** | Human-friendly name. |
| **Status** | `active`, `suspended`, `pending`. Suspended tenants block token issuance. |
| **Isolation mode** | `dedicated`, `shared`, or `sandbox`. Drives RBAC defaults. |
| **Default roles** | Roles automatically assigned to new users within the tenant. |
| **Offline snapshots** | Latest snapshot timestamp, checksum, operator. |
Actions:
- `Create tenant` (requires `authority:tenants.write`). Form captures display name, slug, isolation mode, default roles, bootstrap contact, optional plan metadata.
- `Suspend/Resume` toggles token issuance and surfaces audit entry.
- `Export tenant bundle` downloads tenant-specific revocation + JWKS package for air-gap distribution.
- CLI parity: `stella auth tenant create --tenant <id>`, `stella auth tenant suspend --tenant <id>`.
---
## 4. Roles & scopes tab
- Table lists roles with mapped scopes and audiences.
- Inline editor supports adding/removing scopes (with validation).
- Scope categories: UI, Scanner, Concelier, Excititor, Policy, Attestor, Notifier, Scheduler, Offline kit.
- Visual diff shows impact of changes on linked clients/users before committing.
- "Effective permissions" view summarises what each role grants per service.
- CLI parity: `stella auth role update --role ui.admin --add-scope authority:tokens.revoke`.
---
## 5. Users & tokens tab
Sections:
1. **User list** - identity, tenant, roles, last login, MFA status. Actions include reset password (if plugin supports), enforce fresh-auth, disable user.
2. **Token inventory** - lists active tokens (access/refresh/device). Columns: token ID, type, subject, audience, issued at, expires, status. Toggle to show revoked tokens.
3. **Token details** drawer shows claims, sender constraint (`cnf`), issuance metadata, revocation history.
4. **Revoke token** action requires fresh-auth and prompts for reason (incident, user request, compromise).
5. **Bulk revoke** (per tenant or role) triggers Authority revocation export to ensure downstream services purge caches.
Audit entries appear for every user/token change. CLI parity: `stella auth token revoke --token <id>`.
---
## 6. Integrations tab
- **Authority clients** list (service accounts) with grant types, allowed scopes, DPoP/mTLS settings, tenant hints, and rotation status.
- **Bootstrap bundles** - downloadable templates for new clients/users; includes configuration YAML and CLI instructions.
- **External IdP connectors** (optional) - displays status for SAML/OIDC plugins; includes metadata upload field and test login result.
- **Licensing posture** - read-only panel summarising plan tier, entitlement expiry, and contact info (pulled from licensing service).
- **Notifications** - optional webhook configuration for token events (on revoke, on failure).
- CLI parity: `stella auth client create --client concelier --grant client_credentials --tenant prod`.
---
## 7. Audit tab
- Timeline view of administrative events (user changes, role updates, token revocations, bootstrap actions, key rotations).
- Filters: event type, actor, tenant, scope, correlation ID.
- Export button downloads CSV/JSON for SOC ingestion.
- "Open in logs" copies search query pre-populated with correlation IDs.
- CLI parity: `stella auth audit export --from 2025-10-20`.
---
## 8. Fresh-auth prompts
- High-risk actions (revoke all tokens, rotate signing key, create privileged client) trigger modal requiring credential re-entry or hardware key touch.
- Fresh-auth window is 5 minutes; countdown displayed.
- UI surface indicates when current session is outside fresh-auth window; sensitive buttons disabled until re-auth.
- Audit log records fresh-auth events (`authority.fresh_auth.start`, `authority.fresh_auth.success`).
- CLI parity: `stella auth fresh-auth` obtains short-lived token for scriptable flows.
---
## 9. Security guardrails
- DPoP enforcement reminders for UI clients; console warns if any client lacks sender constraint.
- mTLS enforcement summary for high-value audiences (Signer/Attestor).
- Token policy checklists (access token TTL, refresh token policy) with alerts when deviating from defaults.
- Revocation bundle export status (timestamp, digest, operator).
- Key rotation panel showing current `kid`, last rotation, next scheduled rotation, and manual trigger button (ties into Authority rotate API).
- CLI parity: `stella auth signing rotate` for script automation.
---
## 10. Offline and air-gap behaviour
- Offline banner indicates snapshot version; disables direct remote calls.
- Tenant/role edits queue change manifests; UI instructs users to apply via CLI (`stella auth apply --bundle <file>`).
- Token inventory shows snapshot state; revoke buttons generate scripts for offline Authority host.
- Integrations tab offers manual download/upload for client definitions and IdP metadata.
- Audit exports default to local storage with checksum output for transfer.
---
## 11. Screenshot coordination
- Placeholders:
- `![Admin tenants placeholder](../assets/ui/admin/tenants-placeholder.png)`
- `![Admin roles placeholder](../assets/ui/admin/roles-placeholder.png)`
- `![Admin tokens placeholder](../assets/ui/admin/tokens-placeholder.png)`
- Capture real screenshots with Authority Guild once Sprint 23 UI is final (tracked in `#console-screenshots`, 2025-10-26 entry). Provide both light and dark theme variants.
---
## 12. References
- `/docs/ARCHITECTURE_AUTHORITY.md` - Authority architecture.
- `/docs/11_AUTHORITY.md` - Authority service overview.
- `/docs/security/authority-scopes.md` - scope definitions.
- `/docs/ui/policies.md` - policy approvals requiring fresh-auth.
- `/docs/ui/console-overview.md` - navigation shell.
- `/docs/cli/authentication.md` (pending) and `/docs/cli/policy.md` for CLI flows.
- `/docs/ops/scheduler-runbook.md` for integration with scheduler token rotation.
---
## 13. Compliance checklist
- [ ] Tenants, roles/scopes, and token management documented with actions and CLI parity.
- [ ] Integrations and audit views covered.
- [ ] Fresh-auth prompts and guardrails described.
- [ ] Security controls (DPoP, mTLS, key rotation, revocations) captured.
- [ ] Offline behaviour explained with script guidance.
- [ ] Screenshot placeholders and coordination noted.
- [ ] References validated.
---
*Last updated: 2025-10-26 (Sprint 23).*
# StellaOps Console - Admin Workspace
> **Audience:** Authority Guild, Console admins, support engineers, tenant operators.
> **Scope:** Tenant management, role mapping, token lifecycle, integrations, fresh-auth prompts, security guardrails, offline behaviour, and compliance checklist for Sprint 23.
The Admin workspace centralises Authority-facing controls: tenants, roles, API clients, tokens, and integrations. It surfaces RBAC mappings, token issuance logs, and bootstrap flows with the same offline-first guarantees as the rest of the console.
---
## 1. Access and prerequisites
- **Route:** `/console/admin` with sub-routes for tenants, users, roles, tokens, integrations, audit, and bootstrap.
- **Scopes:**
- `ui.admin` (base access)
- `authority:tenants.read` / `authority:tenants.write`
- `authority:roles.read` / `authority:roles.write`
- `authority:tokens.read` / `authority:tokens.revoke`
- `authority:clients.read` / `authority:clients.write`
- `authority:audit.read` (view audit trails)
- **Fresh-auth:** Sensitive actions (token revoke, bootstrap key issue, signing key rotation) require fresh-auth challenge.
- **Dependencies:** Authority service (`/internal/*` APIs), revocation export, JWKS, licensing posture endpoint, integration config store.
---
## 2. Layout overview
```
+--------------------------------------------------------------------+
| Header: Tenant picker - environment badge - security banner |
+--------------------------------------------------------------------+
| Tabs: Tenants | Roles & Scopes | Users & Tokens | Integrations | Audit |
+--------------------------------------------------------------------+
| Sidebar: Quick actions (Invite user, Create client, Export revocations)
| Main panel varies per tab |
+--------------------------------------------------------------------+
```
The header includes offline status indicator and link to Authority health page.
---
## 3. Tenants tab
| Field | Description |
|-------|-------------|
| **Tenant ID** | Lowercase slug used in tokens and client registrations. |
| **Display name** | Human-friendly name. |
| **Status** | `active`, `suspended`, `pending`. Suspended tenants block token issuance. |
| **Isolation mode** | `dedicated`, `shared`, or `sandbox`. Drives RBAC defaults. |
| **Default roles** | Roles automatically assigned to new users within the tenant. |
| **Offline snapshots** | Latest snapshot timestamp, checksum, operator. |
Actions:
- `Create tenant` (requires `authority:tenants.write`). Form captures display name, slug, isolation mode, default roles, bootstrap contact, optional plan metadata.
- `Suspend/Resume` toggles token issuance and surfaces audit entry.
- `Export tenant bundle` downloads tenant-specific revocation + JWKS package for air-gap distribution.
- CLI parity: `stella auth tenant create --tenant <id>`, `stella auth tenant suspend --tenant <id>`.
---
## 4. Roles & scopes tab
- Table lists roles with mapped scopes and audiences.
- Inline editor supports adding/removing scopes (with validation).
- Scope categories: UI, Scanner, Concelier, Excititor, Policy, Attestor, Notifier, Scheduler, Offline kit.
- Visual diff shows impact of changes on linked clients/users before committing.
- "Effective permissions" view summarises what each role grants per service.
- CLI parity: `stella auth role update --role ui.admin --add-scope authority:tokens.revoke`.
---
## 5. Users & tokens tab
Sections:
1. **User list** - identity, tenant, roles, last login, MFA status. Actions include reset password (if plugin supports), enforce fresh-auth, disable user.
2. **Token inventory** - lists active tokens (access/refresh/device). Columns: token ID, type, subject, audience, issued at, expires, status. Toggle to show revoked tokens.
3. **Token details** drawer shows claims, sender constraint (`cnf`), issuance metadata, revocation history.
4. **Revoke token** action requires fresh-auth and prompts for reason (incident, user request, compromise).
5. **Bulk revoke** (per tenant or role) triggers Authority revocation export to ensure downstream services purge caches.
Audit entries appear for every user/token change. CLI parity: `stella auth token revoke --token <id>`.
---
## 6. Integrations tab
- **Authority clients** list (service accounts) with grant types, allowed scopes, DPoP/mTLS settings, tenant hints, and rotation status.
- **Bootstrap bundles** - downloadable templates for new clients/users; includes configuration YAML and CLI instructions.
- **External IdP connectors** (optional) - displays status for SAML/OIDC plugins; includes metadata upload field and test login result.
- **Licensing posture** - read-only panel summarising plan tier, entitlement expiry, and contact info (pulled from licensing service).
- **Notifications** - optional webhook configuration for token events (on revoke, on failure).
- CLI parity: `stella auth client create --client concelier --grant client_credentials --tenant prod`.
---
## 7. Audit tab
- Timeline view of administrative events (user changes, role updates, token revocations, bootstrap actions, key rotations).
- Filters: event type, actor, tenant, scope, correlation ID.
- Export button downloads CSV/JSON for SOC ingestion.
- "Open in logs" copies search query pre-populated with correlation IDs.
- CLI parity: `stella auth audit export --from 2025-10-20`.
---
## 8. Fresh-auth prompts
- High-risk actions (revoke all tokens, rotate signing key, create privileged client) trigger modal requiring credential re-entry or hardware key touch.
- Fresh-auth window is 5 minutes; countdown displayed.
- UI surface indicates when current session is outside fresh-auth window; sensitive buttons disabled until re-auth.
- Audit log records fresh-auth events (`authority.fresh_auth.start`, `authority.fresh_auth.success`).
- CLI parity: `stella auth fresh-auth` obtains short-lived token for scriptable flows.
---
## 9. Security guardrails
- DPoP enforcement reminders for UI clients; console warns if any client lacks sender constraint.
- mTLS enforcement summary for high-value audiences (Signer/Attestor).
- Token policy checklists (access token TTL, refresh token policy) with alerts when deviating from defaults.
- Revocation bundle export status (timestamp, digest, operator).
- Key rotation panel showing current `kid`, last rotation, next scheduled rotation, and manual trigger button (ties into Authority rotate API).
- CLI parity: `stella auth signing rotate` for script automation.
---
## 10. Offline and air-gap behaviour
- Offline banner indicates snapshot version; disables direct remote calls.
- Tenant/role edits queue change manifests; UI instructs users to apply via CLI (`stella auth apply --bundle <file>`).
- Token inventory shows snapshot state; revoke buttons generate scripts for offline Authority host.
- Integrations tab offers manual download/upload for client definitions and IdP metadata.
- Audit exports default to local storage with checksum output for transfer.
---
## 11. Screenshot coordination
- Placeholders:
- `![Admin tenants placeholder](../assets/ui/admin/tenants-placeholder.png)`
- `![Admin roles placeholder](../assets/ui/admin/roles-placeholder.png)`
- `![Admin tokens placeholder](../assets/ui/admin/tokens-placeholder.png)`
- Capture real screenshots with Authority Guild once Sprint 23 UI is final (tracked in `#console-screenshots`, 2025-10-26 entry). Provide both light and dark theme variants.
---
## 12. References
- `/docs/modules/authority/architecture.md` - Authority architecture.
- `/docs/11_AUTHORITY.md` - Authority service overview.
- `/docs/security/authority-scopes.md` - scope definitions.
- `/docs/ui/policies.md` - policy approvals requiring fresh-auth.
- `/docs/ui/console-overview.md` - navigation shell.
- `/docs/modules/cli/guides/authentication.md` (pending) and `/docs/modules/cli/guides/policy.md` for CLI flows.
- `/docs/modules/scheduler/operations/worker.md` for integration with scheduler token rotation.
---
## 13. Compliance checklist
- [ ] Tenants, roles/scopes, and token management documented with actions and CLI parity.
- [ ] Integrations and audit views covered.
- [ ] Fresh-auth prompts and guardrails described.
- [ ] Security controls (DPoP, mTLS, key rotation, revocations) captured.
- [ ] Offline behaviour explained with script guidance.
- [ ] Screenshot placeholders and coordination noted.
- [ ] References validated.
---
*Last updated: 2025-10-26 (Sprint 23).*

288
docs/ui/console.md
View File

@@ -1,144 +1,144 @@
# Console AOC Dashboard
> **Audience:** Console PMs, UI engineers, Concelier/Excititor operators, SREs monitoring ingestion health.
> **Scope:** Layout, RBAC, workflow, and observability for the Aggregation-Only Contract (AOC) dashboard that ships with Sprint19.
The Console AOC dashboard gives operators a live view of ingestion guardrails across all configured sources. It surfaces raw Concelier/Excititor health, highlights violations raised by `AOCWriteGuard`, and lets on-call staff trigger verification without leaving the browser. Use it alongside the [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md) and the [architecture overview](../architecture/overview.md) when rolling out AOC changes.
---
## 1·Access & prerequisites
- **Route:** `/console/sources` (dashboard) with contextual drawer routes `/console/sources/:sourceKey` and `/console/sources/:sourceKey/violations/:documentId`.
- **Feature flag:** `aocDashboard.enabled` (default `true` once Concelier WebService exposes `/aoc/verify`). Toggle is tenant-scoped to support phased rollout.
- **Scopes:**
- `ui.read` (base navigation) plus `advisory:read` to view Concelier ingestion metrics/violations.
- `vex:read` to see Excititor entries and run VEX verifications.
- `aoc:verify` to trigger guard runs from the dashboard action bar.
- `advisory:ingest` / `vex:ingest` **not** required; the dashboard uses read-only APIs.
- **Tenancy:** All data is filtered by the active tenant selector. Switching tenants re-fetches tiles and drill-down tables with tenant-scoped tokens.
- **Back-end contracts:** Requires Concelier/Excititor 19.x (AOC guards enabled) and Authority scopes updated per [Authority service docs](../ARCHITECTURE_AUTHORITY.md#new-aoc-scopes).
---
## 2·Layout overview
```
┌────────────────────────────────────────────────────────────────────────────┐
│ Header: tenant picker • live status pill • Last verify (“2h ago”) │
├────────────────────────────────────────────────────────────────────────────┤
│ Tile grid (4 per row) │
│ ┌───── Concelier sources ─────┐ ┌────── Excititor sources ────────┐ │
│ │ Red Hat | Ubuntu | OSV ... │ │ Vendor VEX | CSAF feeds ... │ │
├────────────────────────────────────────────────────────────────────────────┤
│ Violations & history table │
│ • Filters: timeframe, source, ERR_AOC code, severity (warning/block) │
│ • Columns: timestamp, source, code, summary, supersedes link, actions │
├────────────────────────────────────────────────────────────────────────────┤
│ Action bar: Run Verify • Download CSV • Open Concelier raw doc • Help │
└────────────────────────────────────────────────────────────────────────────┘
```
Tiles summarise the latest ingestion runs. The table and drawers provide drill-down views, and the action bar launches verifier workflows or exports evidence for audits.
---
## 3·Source tiles
Each tile represents a Concelier or Excititor source and contains the fields below.
| Field | Description | Thresholds & colours |
| ------ | ----------- | -------------------- |
| **Status badge** | Aggregated health computed from the latest job. | `Healthy` (green) when last job finished <30min ago and `violations24h = 0`; `Warning` (amber) when age 30min or 5 violations; `Critical` (red) on any guard rejection (`ERR_AOC_00x`) or if job age >2h. |
| **Last ingest** | Timestamp and relative age of last successful append to `advisory_raw`/`vex_raw`. | Clicking opens job detail drawer. |
| **Violations (24h)** | Count of guard failures grouped by `ERR_AOC` code across the last 24hours. | Shows pill per code (e.g., `ERR_AOC_001 ×2`). |
| **Supersedes depth** | Average length of supersedes chain for the source over the last day. | Helps spot runaway revisions. |
| **Signature pass rate** | % of documents where signature/checksum verification succeeded. | Derived from `ingestion_signature_verified_total`. |
| **Latency P95** | Write latency recorded by ingestion spans / histograms. | Mirrors `ingestion_latency_seconds{quantile=0.95}`. |
Tile menus expose quick actions:
- **View history** jumps to table filtered by the selected source.
- **Open metrics** deep links to Grafana panel seeded with `source=<key>` for `ingestion_write_total` and `aoc_violation_total`.
- **Download raw sample** fetches the most recent document via `GET /advisories/raw/{id}` (or VEX equivalent) for debugging.
---
## 4·Violation drill-down workflow
1. **Select a tile** or use table filters to focus on a source, timeframe, or `ERR_AOC` code.
2. **Inspect the violation row:** summary shows offending field, guard code, and document hash.
3. **Open detail drawer:** reveals provenance (source URI, signature info), supersedes chain, and raw JSON (redacted secrets). Drawer also lists linked `effective_finding_*` entries if Policy Engine has already materialised overlays.
4. **Remediate / annotate:** operators can add notes (stored as structured annotations) or flag as *acknowledged* (for on-call rotations). Annotations sync to Concelier audit logs.
5. **Escalate:** “Create incident” button opens the standard incident template pre-filled with context (requires `ui.incidents` scope).
The drill-down retains filter state, so back navigation returns to the scoped table without reloading the entire dashboard.
---
## 5·Verification & actions
- **Run Verify:** calls `POST /aoc/verify` with the chosen `since` window (default 24h). UI displays summary cards (documents checked, violations found, top codes) and stores reports for 7days. Results include a downloadable JSON manifest mirroring CLI output.
- **Schedule verify:** schedule modal configures automated verification (daily/weekly) and optional email/Notifier hooks.
- **Export evidence:** CSV/JSON export buttons include tile metrics, verification summaries, and violation annotations—useful for audits.
- **Open in CLI:** copies `stella aoc verify --tenant <tenant> --since <window>` for parity with automation scripts.
All verify actions are scoped by tenant and recorded in Authority audit logs (`action=aoc.verify.ui`).
---
## 6·Metrics & observability
The dashboard consumes the same metrics emitted by Concelier/Excititor (documented in the [AOC reference](../ingestion/aggregation-only-contract.md#9-observability-and-diagnostics)):
- `ingestion_write_total{source,tenant,result}` populates success/error sparklines beneath each tile.
- `aoc_violation_total{source,tenant,code}` feeds violation pills and trend chart.
- `ingestion_signature_verified_total{source,result}` renders signature pass-rate gauge.
- `ingestion_latency_seconds{source,quantile}` used for latency badges and alert banners.
- `advisory_revision_count{source}` displayed in supersedes depth tooltip.
The page shows the correlation ID for each violation entry, matching structured logs emitted by Concelier and Excititor, enabling quick log pivoting.
---
## 7·Security & tenancy
- Tokens are DPoP-bound; every API call includes the UIs DPoP proof and inherits tenant scoping from Authority.
- Violations drawer hides sensitive fields (credentials, private keys) using the same redaction rules as Concelier events.
- Run Verify honours rate limits to avoid overloading ingestion services; repeated failures trigger a cool-down banner.
- The dashboard never exposes derived severity or policy status—only raw ingestion facts and guard results, preserving AOC separation of duties.
---
## 8·Offline & air-gap behaviour
- In sealed/offline mode the dashboard switches to **“offline snapshot”** banner, reading from Offline Kit snapshots seeded via `ouk` imports.
- Verification requests queue until connectivity resumes; UI provides `Download script` to run `stella aoc verify` on a workstation and upload results later.
- Tiles display the timestamp of the last imported snapshot and flag when it exceeds the configured staleness threshold (default 48h offline).
- CSV/JSON exports include checksums so operators can transfer evidence across air gaps securely.
---
## 9·Related references
- [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md)
- [Architecture overview](../architecture/overview.md)
- [Concelier architecture](../ARCHITECTURE_CONCELIER.md)
- [Excititor architecture](../ARCHITECTURE_EXCITITOR.md)
- [CLI AOC commands](../cli/cli-reference.md)
---
## 10·Compliance checklist
- [ ] Dashboard wired to live AOC metrics (`ingestion_*`, `aoc_violation_total`).
- [ ] Verify action logs to Authority audit trail with tenant context.
- [ ] UI enforces read-only access to raw stores; no mutation endpoints invoked.
- [ ] Offline/air-gap mode documented and validated with Offline Kit snapshots.
- [ ] Violation exports include provenance and `ERR_AOC_00x` codes.
- [ ] Accessibility tested (WCAG2.2 AA) for tiles, tables, and drawers.
- [ ] Screenshot/recording captured for Docs release notes (pending UI capture).
---
*Last updated: 2025-10-26 (Sprint19).*
# Console AOC Dashboard
> **Audience:** Console PMs, UI engineers, Concelier/Excititor operators, SREs monitoring ingestion health.
> **Scope:** Layout, RBAC, workflow, and observability for the Aggregation-Only Contract (AOC) dashboard that ships with Sprint19.
The Console AOC dashboard gives operators a live view of ingestion guardrails across all configured sources. It surfaces raw Concelier/Excititor health, highlights violations raised by `AOCWriteGuard`, and lets on-call staff trigger verification without leaving the browser. Use it alongside the [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md) and the [architecture overview](../modules/platform/architecture-overview.md) when rolling out AOC changes.
---
## 1·Access & prerequisites
- **Route:** `/console/sources` (dashboard) with contextual drawer routes `/console/sources/:sourceKey` and `/console/sources/:sourceKey/violations/:documentId`.
- **Feature flag:** `aocDashboard.enabled` (default `true` once Concelier WebService exposes `/aoc/verify`). Toggle is tenant-scoped to support phased rollout.
- **Scopes:**
- `ui.read` (base navigation) plus `advisory:read` to view Concelier ingestion metrics/violations.
- `vex:read` to see Excititor entries and run VEX verifications.
- `aoc:verify` to trigger guard runs from the dashboard action bar.
- `advisory:ingest` / `vex:ingest` **not** required; the dashboard uses read-only APIs.
- **Tenancy:** All data is filtered by the active tenant selector. Switching tenants re-fetches tiles and drill-down tables with tenant-scoped tokens.
- **Back-end contracts:** Requires Concelier/Excititor 19.x (AOC guards enabled) and Authority scopes updated per [Authority service docs](../modules/authority/architecture.md#new-aoc-scopes).
---
## 2·Layout overview
```
┌────────────────────────────────────────────────────────────────────────────┐
│ Header: tenant picker • live status pill • Last verify (“2h ago”) │
├────────────────────────────────────────────────────────────────────────────┤
│ Tile grid (4 per row) │
│ ┌───── Concelier sources ─────┐ ┌────── Excititor sources ────────┐ │
│ │ Red Hat | Ubuntu | OSV ... │ │ Vendor VEX | CSAF feeds ... │ │
├────────────────────────────────────────────────────────────────────────────┤
│ Violations & history table │
│ • Filters: timeframe, source, ERR_AOC code, severity (warning/block) │
│ • Columns: timestamp, source, code, summary, supersedes link, actions │
├────────────────────────────────────────────────────────────────────────────┤
│ Action bar: Run Verify • Download CSV • Open Concelier raw doc • Help │
└────────────────────────────────────────────────────────────────────────────┘
```
Tiles summarise the latest ingestion runs. The table and drawers provide drill-down views, and the action bar launches verifier workflows or exports evidence for audits.
---
## 3·Source tiles
Each tile represents a Concelier or Excititor source and contains the fields below.
| Field | Description | Thresholds & colours |
| ------ | ----------- | -------------------- |
| **Status badge** | Aggregated health computed from the latest job. | `Healthy` (green) when last job finished <30min ago and `violations24h = 0`; `Warning` (amber) when age 30min or 5 violations; `Critical` (red) on any guard rejection (`ERR_AOC_00x`) or if job age >2h. |
| **Last ingest** | Timestamp and relative age of last successful append to `advisory_raw`/`vex_raw`. | Clicking opens job detail drawer. |
| **Violations (24h)** | Count of guard failures grouped by `ERR_AOC` code across the last 24hours. | Shows pill per code (e.g., `ERR_AOC_001 ×2`). |
| **Supersedes depth** | Average length of supersedes chain for the source over the last day. | Helps spot runaway revisions. |
| **Signature pass rate** | % of documents where signature/checksum verification succeeded. | Derived from `ingestion_signature_verified_total`. |
| **Latency P95** | Write latency recorded by ingestion spans / histograms. | Mirrors `ingestion_latency_seconds{quantile=0.95}`. |
Tile menus expose quick actions:
- **View history** jumps to table filtered by the selected source.
- **Open metrics** deep links to Grafana panel seeded with `source=<key>` for `ingestion_write_total` and `aoc_violation_total`.
- **Download raw sample** fetches the most recent document via `GET /advisories/raw/{id}` (or VEX equivalent) for debugging.
---
## 4·Violation drill-down workflow
1. **Select a tile** or use table filters to focus on a source, timeframe, or `ERR_AOC` code.
2. **Inspect the violation row:** summary shows offending field, guard code, and document hash.
3. **Open detail drawer:** reveals provenance (source URI, signature info), supersedes chain, and raw JSON (redacted secrets). Drawer also lists linked `effective_finding_*` entries if Policy Engine has already materialised overlays.
4. **Remediate / annotate:** operators can add notes (stored as structured annotations) or flag as *acknowledged* (for on-call rotations). Annotations sync to Concelier audit logs.
5. **Escalate:** “Create incident” button opens the standard incident template pre-filled with context (requires `ui.incidents` scope).
The drill-down retains filter state, so back navigation returns to the scoped table without reloading the entire dashboard.
---
## 5·Verification & actions
- **Run Verify:** calls `POST /aoc/verify` with the chosen `since` window (default 24h). UI displays summary cards (documents checked, violations found, top codes) and stores reports for 7days. Results include a downloadable JSON manifest mirroring CLI output.
- **Schedule verify:** schedule modal configures automated verification (daily/weekly) and optional email/Notifier hooks.
- **Export evidence:** CSV/JSON export buttons include tile metrics, verification summaries, and violation annotations—useful for audits.
- **Open in CLI:** copies `stella aoc verify --tenant <tenant> --since <window>` for parity with automation scripts.
All verify actions are scoped by tenant and recorded in Authority audit logs (`action=aoc.verify.ui`).
---
## 6·Metrics & observability
The dashboard consumes the same metrics emitted by Concelier/Excititor (documented in the [AOC reference](../ingestion/aggregation-only-contract.md#9-observability-and-diagnostics)):
- `ingestion_write_total{source,tenant,result}` populates success/error sparklines beneath each tile.
- `aoc_violation_total{source,tenant,code}` feeds violation pills and trend chart.
- `ingestion_signature_verified_total{source,result}` renders signature pass-rate gauge.
- `ingestion_latency_seconds{source,quantile}` used for latency badges and alert banners.
- `advisory_revision_count{source}` displayed in supersedes depth tooltip.
The page shows the correlation ID for each violation entry, matching structured logs emitted by Concelier and Excititor, enabling quick log pivoting.
---
## 7·Security & tenancy
- Tokens are DPoP-bound; every API call includes the UIs DPoP proof and inherits tenant scoping from Authority.
- Violations drawer hides sensitive fields (credentials, private keys) using the same redaction rules as Concelier events.
- Run Verify honours rate limits to avoid overloading ingestion services; repeated failures trigger a cool-down banner.
- The dashboard never exposes derived severity or policy status—only raw ingestion facts and guard results, preserving AOC separation of duties.
---
## 8·Offline & air-gap behaviour
- In sealed/offline mode the dashboard switches to **“offline snapshot”** banner, reading from Offline Kit snapshots seeded via `ouk` imports.
- Verification requests queue until connectivity resumes; UI provides `Download script` to run `stella aoc verify` on a workstation and upload results later.
- Tiles display the timestamp of the last imported snapshot and flag when it exceeds the configured staleness threshold (default 48h offline).
- CSV/JSON exports include checksums so operators can transfer evidence across air gaps securely.
---
## 9·Related references
- [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md)
- [Architecture overview](../modules/platform/architecture-overview.md)
- [Concelier architecture](../modules/concelier/architecture.md)
- [Excititor architecture](../modules/excititor/architecture.md)
- [CLI AOC commands](../modules/cli/guides/cli-reference.md)
---
## 10·Compliance checklist
- [ ] Dashboard wired to live AOC metrics (`ingestion_*`, `aoc_violation_total`).
- [ ] Verify action logs to Authority audit trail with tenant context.
- [ ] UI enforces read-only access to raw stores; no mutation endpoints invoked.
- [ ] Offline/air-gap mode documented and validated with Offline Kit snapshots.
- [ ] Violation exports include provenance and `ERR_AOC_00x` codes.
- [ ] Accessibility tested (WCAG2.2 AA) for tiles, tables, and drawers.
- [ ] Screenshot/recording captured for Docs release notes (pending UI capture).
---
*Last updated: 2025-10-26 (Sprint19).*

358
docs/ui/findings.md
View File

@@ -1,179 +1,179 @@
# StellaOps Console - Findings
> **Audience:** Policy Guild, Console UX team, security analysts, customer enablement.
> **Scope:** Findings list UX, filters, saved views, explain drawer, exports, CLI parity, real-time updates, and offline considerations for Sprint 23.
The Findings workspace visualises materialised policy verdicts produced by the Policy Engine. It lets analysts triage affected components, inspect explain traces, compare policy views, and export evidence while respecting Aggregation-Only guardrails.
---
## 1. Access and prerequisites
- **Route:** `/console/findings` with optional panel parameters (e.g., `/console/findings?panel=explain&finding=<id>`).
- **Scopes:** `findings.read` (list), `policy:runs` (view run metadata), `policy:simulate` (stage simulations), `downloads.read` (export bundles).
- **Prerequisites:** Policy Engine v2 (`policy_run` and `effective_finding_*` endpoints), Concelier/Excititor feeds for provenance, SBOM Service for component metadata.
- **Feature flags:** `findings.explain.enabled`, `findings.savedViews.enabled`, `findings.simulationDiff.enabled`.
- **Tenancy:** All queries include tenant context; cross-tenant comparisons require explicit admin scope and render split-pane view.
---
## 2. Layout overview
```
+-------------------------------------------------------------------+
| Header: Tenant badge - policy selector - global filters - actions |
+-------------------------------------------------------------------+
| Top row cards: Affected assets - Critical count - KEV count |
+-------------------------------------------------------------------+
| Findings grid (virtualised) |
| Columns: Status | Severity | Component | Policy | Source | Age |
| Row badges: KEV, Quieted, Override, Simulation only |
+-------------------------------------------------------------------+
| Right drawer / full view tabs: Summary | Explain | Evidence | Run |
+-------------------------------------------------------------------+
```
The policy selector includes Active, Staged, and Simulation snapshots. Switching snapshots triggers diff banners to highlight changes.
---
## 3. Filters and saved views
| Filter | Description | Notes |
|--------|-------------|-------|
| **Status** | `affected`, `at_risk`, `quieted`, `fixed`, `not_applicable`, `mitigated`. | Status definitions align with Policy Engine taxonomy. |
| **Severity** | Critical, High, Medium, Low, Informational, Untriaged. | Derived from policy scoring; UI displays numeric score tooltip. |
| **KEV** | Toggle to show only Known Exploited Vulnerabilities. | Pulls from Concelier enrichment. |
| **Policy** | Active, Staged, Simulation snapshots. | Simulation requires recent run; otherwise greyed out. |
| **Component** | PURL or substring search. | Autocomplete draws from current tenant findings. |
| **SBOM** | Filter by image digest or SBOM ID. | Includes quick links to SBOM Explorer. |
| **Tag** | Team or environment tags emitted by Policy Engine (`tags[]`). | Supports multi-select. |
| **Run window** | `Last 24h`, `Last 7d`, `Custom range`. | Applies to run timestamp. |
| **Explain hints** | Filter by explain artefact (rule ID, justification, VEX provider). | Uses server-side filter parameters. |
Saved views persist filter combinations per tenant and policy. Users can mark views as shared; shared views appear in the left rail with owner and last updated timestamp. Keyboard shortcuts align with global presets (`Cmd+1-9 / Ctrl+1-9`).
---
## 4. Findings grid
| Column | Details |
|--------|---------|
| **Status** | Badge with tooltip describing resolution path (e.g., "Affected - blocked by policy rule R-105"). Quieted findings show a muted badge with expiry. |
| **Severity** | Numeric score and label. Hover reveals scoring formula and evidence sources. |
| **Component** | PURL plus human-friendly name. Includes SBOM badge linking to SBOM Explorer detail. |
| **Policy** | Policy name + revision digest; clicking opens policy diff in new tab. |
| **Source signals** | Icons for VEX, Advisory, Runtime overlays. Hover shows counts and last updated timestamps. |
| **Age** | Time since finding was last evaluated; colour-coded when exceeding SLA. |
Row indicators:
- **KEV** badge when Concelier marks the vulnerability as exploited.
- **Override** badge when policy override or exemption applied.
- **Simulation only** badge when viewing simulation snapshot; warns that finding is not yet active.
- **Determinism alert** icon if latest run reported a determinism mismatch (links to run detail).
Bulk actions (multi-select):
- `Open explains` (launch explain drawer for up to 10 findings).
- `Export CSV/JSON`.
- `Copy CLI` commands for batch explains (`stella findings explain --batch file`).
- `Create ticket` (integrates with integrations configured under Admin).
---
## 5. Explain drawer
Tabs inside the explain drawer:
1. **Summary** - status, severity, policy decision, rule ID, last evaluated timestamp, SBOM link, run ID.
2. **Rule chain** - ordered list of policy rules triggered; each entry shows rule ID, name, action (block/warn/quiet), score contribution, and condition snippet.
3. **Evidence** - references to Concelier advisories, Excititor consensus, runtime signals, and overrides. Evidence entries link to their respective explorers.
4. **VEX impact** - table of VEX claims considered; displays provider, status, justification, acceptance (accepted/ignored), weight.
5. **History** - timeline of state transitions (affected -> quieted -> mitigated) with timestamps and operators (if override applied).
6. **Raw trace** - canonical JSON trace from Policy Engine (read-only). CLI parity snippet:
- `stella findings explain --policy <id> --finding <key> --format json`.
Explain drawer includes copy-to-clipboard buttons for rule chain and evidence JSON to support audit workflows. When sealed mode is active, a banner highlights which evidence was sourced from cached data.
---
## 6. Simulations and comparisons
- Simulation toggle lets analysts compare Active vs Staged/Sandbox policies.
- Diff banner summarises added, removed, and changed findings.
- Side-by-side view shows baseline vs simulation verdicts with change badges (`added`, `removed`, `severity up`, `severity down`).
- CLI parity callout: `stella policy simulate --policy <id> --sbom <sbomId> --format diff`.
- Simulation results persist for 7 days; stale simulations prompt re-run recommendation.
---
## 7. Exports and automation
- Immediate exports: CSV, JSON, Markdown summary for selected findings.
- Scheduled exports: asynchronous job to generate full tenant report (JSON + CSV) with manifest digests.
- Explain bundle export packages traces for a set of findings; includes manifest and hash for offline review.
- CLI parity:
- `stella findings ls --policy <id> --format json --output findings.json`
- `stella findings export --policy <id> --format csv --output findings.csv`
- `stella findings explain --batch batch.txt --output explains/`
- Automation: webhook copy button for `/downloads/hooks/subscribe?topic=findings.report.ready`.
---
## 8. Real-time updates and observability
- SSE channel `/console/findings/stream` pushes new findings, status changes, and quieted expirations; UI animates affected rows.
- Header cards show metrics: `findings_critical_total`, `findings_quieted_total`, `findings_kev_total`.
- Run ticker lists latest policy runs with status, duration, determinism hash.
- Error banners include correlation IDs linking to Policy Engine run logs.
- Metrics drill-down links to dashboards (OpenTelemetry, Prometheus).
---
## 9. Offline and air-gap behaviour
- Offline banner indicates snapshot ID and timestamp used for findings.
- Explain drawer notes when evidence references offline bundles; suggests importing updated advisories/VEX to refresh results.
- Exports default to local storage paths; UI provides manual transfer instructions.
- CLI examples switch to include `--sealed` or `--offline` flags.
- Tenant selector hides tenants without corresponding offline findings data to avoid partial views.
---
## 10. Screenshot coordination
- Placeholders:
- `![Findings grid placeholder](../assets/ui/findings/grid-placeholder.png)`
- `![Explain drawer placeholder](../assets/ui/findings/explain-placeholder.png)`
- Coordinate with Console Guild (Slack `#console-screenshots`, entry 2025-10-26) to capture updated light and dark theme shots before release.
---
## 11. References
- `/docs/ui/console-overview.md` - shell, filters, tenant model.
- `/docs/ui/navigation.md` - route list, deep-link schema.
- `/docs/ui/advisories-and-vex.md` - advisory and VEX context feeding findings.
- `/docs/ui/policies.md` (pending) - editor and policy lifecycle.
- `/docs/policy/overview.md` - Policy Engine outputs.
- `/docs/policy/runs.md` - run orchestration.
- `/docs/cli/policy.md` - CLI parity for findings commands.
---
## 12. Compliance checklist
- [ ] Filters and saved view behaviour documented with CLI alignment.
- [ ] Findings grid columns, badges, and bulk actions captured.
- [ ] Explain drawer walkthrough includes rule chain, evidence, and raw trace.
- [ ] Simulation diff behaviour and CLI callouts described.
- [ ] Exports (immediate and scheduled) plus webhook integration covered.
- [ ] Real-time updates, metrics, and error correlation documented.
- [ ] Offline behaviour and screenshot coordination noted.
- [ ] References validated.
---
*Last updated: 2025-10-26 (Sprint 23).*
# StellaOps Console - Findings
> **Audience:** Policy Guild, Console UX team, security analysts, customer enablement.
> **Scope:** Findings list UX, filters, saved views, explain drawer, exports, CLI parity, real-time updates, and offline considerations for Sprint 23.
The Findings workspace visualises materialised policy verdicts produced by the Policy Engine. It lets analysts triage affected components, inspect explain traces, compare policy views, and export evidence while respecting Aggregation-Only guardrails.
---
## 1. Access and prerequisites
- **Route:** `/console/findings` with optional panel parameters (e.g., `/console/findings?panel=explain&finding=<id>`).
- **Scopes:** `findings.read` (list), `policy:runs` (view run metadata), `policy:simulate` (stage simulations), `downloads.read` (export bundles).
- **Prerequisites:** Policy Engine v2 (`policy_run` and `effective_finding_*` endpoints), Concelier/Excititor feeds for provenance, SBOM Service for component metadata.
- **Feature flags:** `findings.explain.enabled`, `findings.savedViews.enabled`, `findings.simulationDiff.enabled`.
- **Tenancy:** All queries include tenant context; cross-tenant comparisons require explicit admin scope and render split-pane view.
---
## 2. Layout overview
```
+-------------------------------------------------------------------+
| Header: Tenant badge - policy selector - global filters - actions |
+-------------------------------------------------------------------+
| Top row cards: Affected assets - Critical count - KEV count |
+-------------------------------------------------------------------+
| Findings grid (virtualised) |
| Columns: Status | Severity | Component | Policy | Source | Age |
| Row badges: KEV, Quieted, Override, Simulation only |
+-------------------------------------------------------------------+
| Right drawer / full view tabs: Summary | Explain | Evidence | Run |
+-------------------------------------------------------------------+
```
The policy selector includes Active, Staged, and Simulation snapshots. Switching snapshots triggers diff banners to highlight changes.
---
## 3. Filters and saved views
| Filter | Description | Notes |
|--------|-------------|-------|
| **Status** | `affected`, `at_risk`, `quieted`, `fixed`, `not_applicable`, `mitigated`. | Status definitions align with Policy Engine taxonomy. |
| **Severity** | Critical, High, Medium, Low, Informational, Untriaged. | Derived from policy scoring; UI displays numeric score tooltip. |
| **KEV** | Toggle to show only Known Exploited Vulnerabilities. | Pulls from Concelier enrichment. |
| **Policy** | Active, Staged, Simulation snapshots. | Simulation requires recent run; otherwise greyed out. |
| **Component** | PURL or substring search. | Autocomplete draws from current tenant findings. |
| **SBOM** | Filter by image digest or SBOM ID. | Includes quick links to SBOM Explorer. |
| **Tag** | Team or environment tags emitted by Policy Engine (`tags[]`). | Supports multi-select. |
| **Run window** | `Last 24h`, `Last 7d`, `Custom range`. | Applies to run timestamp. |
| **Explain hints** | Filter by explain artefact (rule ID, justification, VEX provider). | Uses server-side filter parameters. |
Saved views persist filter combinations per tenant and policy. Users can mark views as shared; shared views appear in the left rail with owner and last updated timestamp. Keyboard shortcuts align with global presets (`Cmd+1-9 / Ctrl+1-9`).
---
## 4. Findings grid
| Column | Details |
|--------|---------|
| **Status** | Badge with tooltip describing resolution path (e.g., "Affected - blocked by policy rule R-105"). Quieted findings show a muted badge with expiry. |
| **Severity** | Numeric score and label. Hover reveals scoring formula and evidence sources. |
| **Component** | PURL plus human-friendly name. Includes SBOM badge linking to SBOM Explorer detail. |
| **Policy** | Policy name + revision digest; clicking opens policy diff in new tab. |
| **Source signals** | Icons for VEX, Advisory, Runtime overlays. Hover shows counts and last updated timestamps. |
| **Age** | Time since finding was last evaluated; colour-coded when exceeding SLA. |
Row indicators:
- **KEV** badge when Concelier marks the vulnerability as exploited.
- **Override** badge when policy override or exemption applied.
- **Simulation only** badge when viewing simulation snapshot; warns that finding is not yet active.
- **Determinism alert** icon if latest run reported a determinism mismatch (links to run detail).
Bulk actions (multi-select):
- `Open explains` (launch explain drawer for up to 10 findings).
- `Export CSV/JSON`.
- `Copy CLI` commands for batch explains (`stella findings explain --batch file`).
- `Create ticket` (integrates with integrations configured under Admin).
---
## 5. Explain drawer
Tabs inside the explain drawer:
1. **Summary** - status, severity, policy decision, rule ID, last evaluated timestamp, SBOM link, run ID.
2. **Rule chain** - ordered list of policy rules triggered; each entry shows rule ID, name, action (block/warn/quiet), score contribution, and condition snippet.
3. **Evidence** - references to Concelier advisories, Excititor consensus, runtime signals, and overrides. Evidence entries link to their respective explorers.
4. **VEX impact** - table of VEX claims considered; displays provider, status, justification, acceptance (accepted/ignored), weight.
5. **History** - timeline of state transitions (affected -> quieted -> mitigated) with timestamps and operators (if override applied).
6. **Raw trace** - canonical JSON trace from Policy Engine (read-only). CLI parity snippet:
- `stella findings explain --policy <id> --finding <key> --format json`.
Explain drawer includes copy-to-clipboard buttons for rule chain and evidence JSON to support audit workflows. When sealed mode is active, a banner highlights which evidence was sourced from cached data.
---
## 6. Simulations and comparisons
- Simulation toggle lets analysts compare Active vs Staged/Sandbox policies.
- Diff banner summarises added, removed, and changed findings.
- Side-by-side view shows baseline vs simulation verdicts with change badges (`added`, `removed`, `severity up`, `severity down`).
- CLI parity callout: `stella policy simulate --policy <id> --sbom <sbomId> --format diff`.
- Simulation results persist for 7 days; stale simulations prompt re-run recommendation.
---
## 7. Exports and automation
- Immediate exports: CSV, JSON, Markdown summary for selected findings.
- Scheduled exports: asynchronous job to generate full tenant report (JSON + CSV) with manifest digests.
- Explain bundle export packages traces for a set of findings; includes manifest and hash for offline review.
- CLI parity:
- `stella findings ls --policy <id> --format json --output findings.json`
- `stella findings export --policy <id> --format csv --output findings.csv`
- `stella findings explain --batch batch.txt --output explains/`
- Automation: webhook copy button for `/downloads/hooks/subscribe?topic=findings.report.ready`.
---
## 8. Real-time updates and observability
- SSE channel `/console/findings/stream` pushes new findings, status changes, and quieted expirations; UI animates affected rows.
- Header cards show metrics: `findings_critical_total`, `findings_quieted_total`, `findings_kev_total`.
- Run ticker lists latest policy runs with status, duration, determinism hash.
- Error banners include correlation IDs linking to Policy Engine run logs.
- Metrics drill-down links to dashboards (OpenTelemetry, Prometheus).
---
## 9. Offline and air-gap behaviour
- Offline banner indicates snapshot ID and timestamp used for findings.
- Explain drawer notes when evidence references offline bundles; suggests importing updated advisories/VEX to refresh results.
- Exports default to local storage paths; UI provides manual transfer instructions.
- CLI examples switch to include `--sealed` or `--offline` flags.
- Tenant selector hides tenants without corresponding offline findings data to avoid partial views.
---
## 10. Screenshot coordination
- Placeholders:
- `![Findings grid placeholder](../assets/ui/findings/grid-placeholder.png)`
- `![Explain drawer placeholder](../assets/ui/findings/explain-placeholder.png)`
- Coordinate with Console Guild (Slack `#console-screenshots`, entry 2025-10-26) to capture updated light and dark theme shots before release.
---
## 11. References
- `/docs/ui/console-overview.md` - shell, filters, tenant model.
- `/docs/ui/navigation.md` - route list, deep-link schema.
- `/docs/ui/advisories-and-vex.md` - advisory and VEX context feeding findings.
- `/docs/ui/policies.md` (pending) - editor and policy lifecycle.
- `/docs/policy/overview.md` - Policy Engine outputs.
- `/docs/policy/runs.md` - run orchestration.
- `/docs/modules/cli/guides/policy.md` - CLI parity for findings commands.
---
## 12. Compliance checklist
- [ ] Filters and saved view behaviour documented with CLI alignment.
- [ ] Findings grid columns, badges, and bulk actions captured.
- [ ] Explain drawer walkthrough includes rule chain, evidence, and raw trace.
- [ ] Simulation diff behaviour and CLI callouts described.
- [ ] Exports (immediate and scheduled) plus webhook integration covered.
- [ ] Real-time updates, metrics, and error correlation documented.
- [ ] Offline behaviour and screenshot coordination noted.
- [ ] References validated.
---
*Last updated: 2025-10-26 (Sprint 23).*

384
docs/ui/policies.md
View File

@@ -1,192 +1,192 @@
# StellaOps Console - Policies Workspace
> **Audience:** Policy Guild, Console UX, product ops, review leads.
> **Scope:** Policy workspace navigation, editor surfaces, simulation, approvals, RBAC, observability, offline behaviour, and CLI parity for Sprint 23.
The Policies workspace centralises authoring, simulation, review, and promotion for `stella-dsl@1` packs. It builds on the Policy Editor (`docs/ui/policy-editor.md`) and adds list views, governance workflows, and integrations with runs and findings.
---
## 1. Access and prerequisites
- **Routes:**
- `/console/policies` (list)
- `/console/policies/:policyId` (details)
- `/console/policies/:policyId/:revision` (editor, approvals, runs)
- **Scopes / roles:**
- `policy:read` (list and details)
- `policy:author` (edit drafts, run lint/compile)
- `policy:review`, `policy:approve` (workflow actions)
- `policy:operate` (promotions, run orchestration)
- `policy:simulate` (run simulations)
- `policy:audit` (download audit bundles)
- `effective:write` (promotion visibility only; actual write remains server-side)
- **Feature flags:** `policy.studio.enabled`, `policy.simulation.diff`, `policy.runCharts.enabled`, `policy.offline.bundleUpload`.
- **Dependencies:** Policy Engine v2 APIs (`/policies`, `/policy/runs`, `/policy/simulations`), Policy Studio Monaco assets, Authority fresh-auth flows for critical operations.
---
## 2. List and detail views
### 2.1 Policy list
| Column | Description |
|--------|-------------|
| **Policy** | Human-readable name plus policy ID (e.g., `P-7`). |
| **State** | `Active`, `Draft`, `Staged`, `Simulation`, `Archived`. Badge colours align with Policy Engine status. |
| **Revision** | Latest revision digest (short SHA). |
| **Owner** | Primary maintainer or owning team tag. |
| **Last change** | Timestamp and actor of last update (edit, submit, approve). |
| **Pending approvals** | Count of outstanding approval requests (with tooltip listing reviewers). |
Row actions: `Open`, `Duplicate`, `Export pack`, `Run simulation`, `Compare revisions`.
Filters: owning team, state, tag, pending approvals, contains staged changes, last change window, simulation warnings (determinism, failed run).
### 2.2 Policy detail header
- Summary cards: current state, digest, active revision, staged revision (if any), simulation status, last production run (timestamp, duration, determinism hash).
- Action bar: `Edit draft`, `Run simulation`, `Submit for review`, `Promote`, `Export pack`, `View findings`.
---
## 3. Editor shell
The editor view reuses the structure documented in `/docs/ui/policy-editor.md` and adds:
- **Context banner** showing tenant, policy ID, revision digest, and simulation badge if editing sandbox copy.
- **Lint and compile status** displayed inline with time since last run.
- **Checklist sidebar** summarising required steps (lint pass, simulation run, deterministic CI, security review). Each item links to evidence (e.g., latest simulation diff).
- **Monaco integration** with policy-specific snippets, schema hover, code actions (`Insert allowlist`, `Add justification`).
- **Draft autosave** every 30 seconds with conflict detection (merges disabled; last write wins with warning).
---
## 4. Simulation workflows
- Simulation modal accepts SBOM filter (golden set, specific SBOM IDs, tenant-wide) and options for VEX weighting overrides.
- Simulations run asynchronously; progress shown in run ticker with status updates.
- Diff view summarises totals: affected findings added/removed, severity up/down counts, quieted changes.
- Side-by-side diff (Active vs Simulation) accessible directly from policy detail.
- Export options: JSON diff, Markdown summary, CLI snippet `stella policy simulate --policy <id> --sbom <sbomId>`.
- Simulation results cached per draft revision. Cache invalidates when draft changes or SBOM snapshot updates.
- Simulation compliance card requires at least one up-to-date simulation before submission.
---
## 5. Review and approval
- **Review requests:** Authors tag reviewers; review sidebar lists pending reviewers, due dates, and escalation contact.
- **Comments:** Threaded comments support markdown, mentions, and attachments (redacted before persistence). Comment resolution required before approval.
- **Approval checklist:**
- Lint/compile success
- Simulation fresh (within configured SLA)
- Determinism verification passed
- Security review (if flagged)
- Offline bundle prepared (optional)
- **Fresh-auth:** Approve/promote buttons require fresh authentication; modal prompts for credentials and enforces short-lived token (<5 minutes).
- **Approval audit:** Approval events recorded with correlation ID, digests, reviewer note, effective date, and optional ticket link.
---
## 6. Promotion and rollout
- Promotion dialog summarises staged changes, target tenants, release windows, and run plan (full vs incremental).
- Operators can schedule promotion or apply immediately.
- Promotion triggers Policy Engine to materialise new revision; console reflects status and shows run progress.
- CLI parity: `stella policy promote --policy <id> --revision <rev> --run-mode full`.
- Rollback guidance accessible from action bar (`Open rollback instructions`) linking to CLI command and documentation.
---
## 7. Runs and observability
- Runs tab displays table of recent runs with columns: run ID, type (`full`, `incremental`, `simulation`), duration, determinism hash, findings delta counts, triggered by.
- Charts: findings trend, quieted findings trend, rule hit heatmap (top rules vs recent runs).
- Clicking a run opens run detail drawer showing inputs (policy digest, SBOM batch hash, advisory snapshot hash), output summary, and explain bundle download.
- Error runs display red badge; detail drawer includes correlation ID and link to Policy Engine logs.
- SSE updates stream run status changes to keep UI real-time.
---
## 8. RBAC and governance
| Role | Scopes | Capabilities |
|------|--------|--------------|
| **Author** | `policy:read`, `policy:author`, `policy:simulate` | Create drafts, run lint/simulations, comment. |
| **Reviewer** | `policy:read`, `policy:review`, `policy:simulate` | Leave review comments, request changes. |
| **Approver** | `policy:read`, `policy:approve`, `policy:operate`, `policy:simulate` | Approve/promote, trigger runs, view run history. |
| **Operator** | `policy:read`, `policy:operate`, `policy:simulate`, `effective:write` | Schedule promotions, monitor runs (no editing). |
| **Auditor** | `policy:read`, `policy:audit`, `policy:simulate` | View immutable history, export audit bundles. |
| **Admin** | Above plus Authority admin scopes | Manage roles, configure escalation chains. |
UI disables controls not allowed by current scope and surfaces tooltip with required scope names. Audit log captures denied attempts (`policy.ui.action_denied`).
---
## 9. Exports and offline bundles
- `Export pack` button downloads policy pack (zip) with metadata, digest manifest, and README.
- Offline bundle uploader allows importing reviewed packs; UI verifies signatures and digests before applying.
- Explain bundle export collects latest run explain traces for audit.
- CLI parity:
- `stella policy export --policy <id> --revision <rev>`
- `stella policy bundle import --file <bundle>`
- `stella policy bundle export --policy <id> --revision <rev>`
- Offline mode displays banner and disables direct promotion; provides script instructions for offline runner.
---
## 10. Observability and alerts
- Metrics cards show `policy_run_seconds`, `policy_rules_fired_total`, `policy_determinism_failures_total`.
- Alert banners surfaced for determinism failures, simulation stale warnings, approval SLA breaches.
- Links to dashboards (Grafana) pre-filtered with policy ID.
- Telemetry panel lists last emitted events (policy.promoted, policy.simulation.completed).
---
## 11. Offline and air-gap considerations
- In sealed mode, editor warns about cached enrichment data; simulation run button adds tooltip explaining degraded evidence.
- Promotions queue and require manual CLI execution on authorised host; UI provides downloadable job manifest.
- Run charts switch to snapshot data; SSE streams disabled, replaced by manual refresh button.
- Export/download buttons label file paths for removable media transfer.
---
## 12. Screenshot coordination
- Placeholders:
- `![Policy list placeholder](../assets/ui/policies/list-placeholder.png)`
- `![Policy approval placeholder](../assets/ui/policies/approval-placeholder.png)`
- `![Simulation diff placeholder](../assets/ui/policies/simulation-placeholder.png)`
- Coordinate with Console Guild via `#console-screenshots` (entry 2025-10-26) to replace placeholders once UI captures are ready (light and dark themes).
---
## 13. References
- `/docs/ui/policy-editor.md` - detailed editor mechanics.
- `/docs/ui/findings.md` - downstream findings view and explain drawer.
- `/docs/policy/overview.md` and `/docs/policy/runs.md` - Policy Engine contracts.
- `/docs/security/authority-scopes.md` - scope definitions.
- `/docs/cli/policy.md` - CLI commands for policy management.
- `/docs/ui/console-overview.md` - navigation shell and filters.
---
## 14. Compliance checklist
- [ ] Policy list and detail workflow documented (columns, filters, actions).
- [ ] Editor shell extends Policy Studio guidance with checklists and lint/simulation integration.
- [ ] Simulation flow, diff presentation, and CLI parity captured.
- [ ] Review, approval, and promotion workflows detailed with scope gating.
- [ ] Runs dashboard, metrics, and SSE behaviour described.
- [ ] Exports and offline bundle handling included.
- [ ] Offline/air-gap behaviour and screenshot coordination recorded.
- [ ] References validated.
---
*Last updated: 2025-10-26 (Sprint 23).*
# StellaOps Console - Policies Workspace
> **Audience:** Policy Guild, Console UX, product ops, review leads.
> **Scope:** Policy workspace navigation, editor surfaces, simulation, approvals, RBAC, observability, offline behaviour, and CLI parity for Sprint 23.
The Policies workspace centralises authoring, simulation, review, and promotion for `stella-dsl@1` packs. It builds on the Policy Editor (`docs/ui/policy-editor.md`) and adds list views, governance workflows, and integrations with runs and findings.
---
## 1. Access and prerequisites
- **Routes:**
- `/console/policies` (list)
- `/console/policies/:policyId` (details)
- `/console/policies/:policyId/:revision` (editor, approvals, runs)
- **Scopes / roles:**
- `policy:read` (list and details)
- `policy:author` (edit drafts, run lint/compile)
- `policy:review`, `policy:approve` (workflow actions)
- `policy:operate` (promotions, run orchestration)
- `policy:simulate` (run simulations)
- `policy:audit` (download audit bundles)
- `effective:write` (promotion visibility only; actual write remains server-side)
- **Feature flags:** `policy.studio.enabled`, `policy.simulation.diff`, `policy.runCharts.enabled`, `policy.offline.bundleUpload`.
- **Dependencies:** Policy Engine v2 APIs (`/policies`, `/policy/runs`, `/policy/simulations`), Policy Studio Monaco assets, Authority fresh-auth flows for critical operations.
---
## 2. List and detail views
### 2.1 Policy list
| Column | Description |
|--------|-------------|
| **Policy** | Human-readable name plus policy ID (e.g., `P-7`). |
| **State** | `Active`, `Draft`, `Staged`, `Simulation`, `Archived`. Badge colours align with Policy Engine status. |
| **Revision** | Latest revision digest (short SHA). |
| **Owner** | Primary maintainer or owning team tag. |
| **Last change** | Timestamp and actor of last update (edit, submit, approve). |
| **Pending approvals** | Count of outstanding approval requests (with tooltip listing reviewers). |
Row actions: `Open`, `Duplicate`, `Export pack`, `Run simulation`, `Compare revisions`.
Filters: owning team, state, tag, pending approvals, contains staged changes, last change window, simulation warnings (determinism, failed run).
### 2.2 Policy detail header
- Summary cards: current state, digest, active revision, staged revision (if any), simulation status, last production run (timestamp, duration, determinism hash).
- Action bar: `Edit draft`, `Run simulation`, `Submit for review`, `Promote`, `Export pack`, `View findings`.
---
## 3. Editor shell
The editor view reuses the structure documented in `/docs/ui/policy-editor.md` and adds:
- **Context banner** showing tenant, policy ID, revision digest, and simulation badge if editing sandbox copy.
- **Lint and compile status** displayed inline with time since last run.
- **Checklist sidebar** summarising required steps (lint pass, simulation run, deterministic CI, security review). Each item links to evidence (e.g., latest simulation diff).
- **Monaco integration** with policy-specific snippets, schema hover, code actions (`Insert allowlist`, `Add justification`).
- **Draft autosave** every 30 seconds with conflict detection (merges disabled; last write wins with warning).
---
## 4. Simulation workflows
- Simulation modal accepts SBOM filter (golden set, specific SBOM IDs, tenant-wide) and options for VEX weighting overrides.
- Simulations run asynchronously; progress shown in run ticker with status updates.
- Diff view summarises totals: affected findings added/removed, severity up/down counts, quieted changes.
- Side-by-side diff (Active vs Simulation) accessible directly from policy detail.
- Export options: JSON diff, Markdown summary, CLI snippet `stella policy simulate --policy <id> --sbom <sbomId>`.
- Simulation results cached per draft revision. Cache invalidates when draft changes or SBOM snapshot updates.
- Simulation compliance card requires at least one up-to-date simulation before submission.
---
## 5. Review and approval
- **Review requests:** Authors tag reviewers; review sidebar lists pending reviewers, due dates, and escalation contact.
- **Comments:** Threaded comments support markdown, mentions, and attachments (redacted before persistence). Comment resolution required before approval.
- **Approval checklist:**
- Lint/compile success
- Simulation fresh (within configured SLA)
- Determinism verification passed
- Security review (if flagged)
- Offline bundle prepared (optional)
- **Fresh-auth:** Approve/promote buttons require fresh authentication; modal prompts for credentials and enforces short-lived token (<5 minutes).
- **Approval audit:** Approval events recorded with correlation ID, digests, reviewer note, effective date, and optional ticket link.
---
## 6. Promotion and rollout
- Promotion dialog summarises staged changes, target tenants, release windows, and run plan (full vs incremental).
- Operators can schedule promotion or apply immediately.
- Promotion triggers Policy Engine to materialise new revision; console reflects status and shows run progress.
- CLI parity: `stella policy promote --policy <id> --revision <rev> --run-mode full`.
- Rollback guidance accessible from action bar (`Open rollback instructions`) linking to CLI command and documentation.
---
## 7. Runs and observability
- Runs tab displays table of recent runs with columns: run ID, type (`full`, `incremental`, `simulation`), duration, determinism hash, findings delta counts, triggered by.
- Charts: findings trend, quieted findings trend, rule hit heatmap (top rules vs recent runs).
- Clicking a run opens run detail drawer showing inputs (policy digest, SBOM batch hash, advisory snapshot hash), output summary, and explain bundle download.
- Error runs display red badge; detail drawer includes correlation ID and link to Policy Engine logs.
- SSE updates stream run status changes to keep UI real-time.
---
## 8. RBAC and governance
| Role | Scopes | Capabilities |
|------|--------|--------------|
| **Author** | `policy:read`, `policy:author`, `policy:simulate` | Create drafts, run lint/simulations, comment. |
| **Reviewer** | `policy:read`, `policy:review`, `policy:simulate` | Leave review comments, request changes. |
| **Approver** | `policy:read`, `policy:approve`, `policy:operate`, `policy:simulate` | Approve/promote, trigger runs, view run history. |
| **Operator** | `policy:read`, `policy:operate`, `policy:simulate`, `effective:write` | Schedule promotions, monitor runs (no editing). |
| **Auditor** | `policy:read`, `policy:audit`, `policy:simulate` | View immutable history, export audit bundles. |
| **Admin** | Above plus Authority admin scopes | Manage roles, configure escalation chains. |
UI disables controls not allowed by current scope and surfaces tooltip with required scope names. Audit log captures denied attempts (`policy.ui.action_denied`).
---
## 9. Exports and offline bundles
- `Export pack` button downloads policy pack (zip) with metadata, digest manifest, and README.
- Offline bundle uploader allows importing reviewed packs; UI verifies signatures and digests before applying.
- Explain bundle export collects latest run explain traces for audit.
- CLI parity:
- `stella policy export --policy <id> --revision <rev>`
- `stella policy bundle import --file <bundle>`
- `stella policy bundle export --policy <id> --revision <rev>`
- Offline mode displays banner and disables direct promotion; provides script instructions for offline runner.
---
## 10. Observability and alerts
- Metrics cards show `policy_run_seconds`, `policy_rules_fired_total`, `policy_determinism_failures_total`.
- Alert banners surfaced for determinism failures, simulation stale warnings, approval SLA breaches.
- Links to dashboards (Grafana) pre-filtered with policy ID.
- Telemetry panel lists last emitted events (policy.promoted, policy.simulation.completed).
---
## 11. Offline and air-gap considerations
- In sealed mode, editor warns about cached enrichment data; simulation run button adds tooltip explaining degraded evidence.
- Promotions queue and require manual CLI execution on authorised host; UI provides downloadable job manifest.
- Run charts switch to snapshot data; SSE streams disabled, replaced by manual refresh button.
- Export/download buttons label file paths for removable media transfer.
---
## 12. Screenshot coordination
- Placeholders:
- `![Policy list placeholder](../assets/ui/policies/list-placeholder.png)`
- `![Policy approval placeholder](../assets/ui/policies/approval-placeholder.png)`
- `![Simulation diff placeholder](../assets/ui/policies/simulation-placeholder.png)`
- Coordinate with Console Guild via `#console-screenshots` (entry 2025-10-26) to replace placeholders once UI captures are ready (light and dark themes).
---
## 13. References
- `/docs/ui/policy-editor.md` - detailed editor mechanics.
- `/docs/ui/findings.md` - downstream findings view and explain drawer.
- `/docs/policy/overview.md` and `/docs/policy/runs.md` - Policy Engine contracts.
- `/docs/security/authority-scopes.md` - scope definitions.
- `/docs/modules/cli/guides/policy.md` - CLI commands for policy management.
- `/docs/ui/console-overview.md` - navigation shell and filters.
---
## 14. Compliance checklist
- [ ] Policy list and detail workflow documented (columns, filters, actions).
- [ ] Editor shell extends Policy Studio guidance with checklists and lint/simulation integration.
- [ ] Simulation flow, diff presentation, and CLI parity captured.
- [ ] Review, approval, and promotion workflows detailed with scope gating.
- [ ] Runs dashboard, metrics, and SSE behaviour described.
- [ ] Exports and offline bundle handling included.
- [ ] Offline/air-gap behaviour and screenshot coordination recorded.
- [ ] References validated.
---
*Last updated: 2025-10-26 (Sprint 23).*

358
docs/ui/policy-editor.md
View File

@@ -1,179 +1,179 @@
# Policy Editor Workspace
> **Audience:** Product/UX, UI engineers, policy authors/reviewers using the Console.
> **Scope:** Layout, features, RBAC, a11y, simulation workflow, approvals, run dashboards, and offline considerations for the Policy Engine v2 editor (“Policy Studio”).
The Policy Editor is the primary Console workspace for composing, simulating, and approving `stella-dsl@1` policies. It combines Monaco-based editing, diff visualisations, and governance tools so authors and reviewers can collaborate without leaving the browser.
---
## 1·Access & Prerequisites
- **Routes:** `/console/policy` (list) → `/console/policy/:policyId/:version?`.
- **Scopes / roles:**
- `policy:author` (role `policy-author`) to edit drafts, run lint/compile, and execute quick simulations.
- `policy:review` (role `policy-reviewer`) to review drafts, leave comments, and request changes.
- `policy:approve` (role `policy-approver`) to approve or reject submissions.
- `policy:operate` (role `policy-operator`) to trigger batch simulations, promotions, and canary runs.
- `policy:audit` (role `policy-auditor`) to access immutable history and audit exports.
- `policy:simulate` to run simulations from Console; `findings:read` to open explain drawers.
- **Feature flags:** `policyStudio.enabled` (defaults true once Policy Engine v2 API available).
- **Browser support:** Evergreen Chrome, Edge, Firefox, Safari (last two versions). Uses WASM OPA sandbox; ensure COOP/COEP enabled per [UI architecture](../ARCHITECTURE_UI.md).
---
## 2·Workspace Layout
```
┌────────────────────────────────────────────────────────────────────────────┐
│ Header: Policy selector • tenant switch • last activation banner │
├────────────────────────────────────────────────────────────────────────────┤
│ Sidebar (left) │ Main content (right) │
│ - Revision list │ ┌───────────── Editor tabs ───────────────┐ │
│ - Checklist status │ │ DSL │ Simulation │ Approvals │ ... │ │
│ - Pending reviews │ └─────────────────────────────────────────┘ │
│ - Run backlog │ │
│ │ Editor pane / Simulation diff / Run viewer │
└────────────────────────────────────────────────────────────────────────────┘
```
- **Sidebar:** Revision timeline (draft, submitted, approved), compliance checklist cards, outstanding review requests, run backlog (incremental queue depth and SLA).
- **Editor tabs:**
- *DSL* (primary Monaco editor)
- *Simulation* (pre/post diff charts)
- *Approvals* (comments, audit log)
- *Runs* (heatmap dashboards)
- *Explain Explorer* (optional drawer for findings)
- **Right rail:** context cards for VEX providers, policy metadata, quick links to CLI/API docs.
> Placeholder screenshot: `![Policy editor workspace](../assets/policy-editor/workspace.png)` (add after UI team captures latest build).
---
## 3·Editing Experience
- Monaco editor configured for `stella-dsl@1`:
- Syntax highlighting, IntelliSense for rule/action names, snippets for common patterns.
- Inline diagnostics sourced from `/policies/{id}/lint` and `/compile`.
- Code actions (“Fix indentation”, “Insert requireVex block”).
- Mini-map disabled by default to reduce contrast noise; toggle available.
- **Keyboard shortcuts (accessible via `?`):**
- `Ctrl/Cmd + S` Save draft (uploads to API if changed).
- `Ctrl/Cmd + Shift + Enter` Run lint + compile.
- `Ctrl/Cmd + Shift + D` Open diff view vs baseline.
- `Alt + Shift + F` Format document (canonical ordering).
- **Schema tooltips:** Hover on `profile`, `rule`, `action` to view documentation (sourced from DSL doc).
- **Offline warnings:** When `sealed` mode detected, banner reminds authors to validate with offline bundle.
---
## 4·Simulation & Diff Panel
- Triggered via “Run simulation” (toolbar) or automatically after compile.
- Displays:
- **Summary cards:** total findings added/removed/unchanged; severity up/down counts.
- **Rule hit table:** top rules contributing to diffs with percentage change.
- **Component list:** virtualised table linking to explain drawer; supports filters (severity, status, VEX outcome).
- **Visualisations:** stacked bar chart (severity deltas), sparkline for incremental backlog impact.
- Supports run presets:
- `Golden SBOM set` (default)
- Custom SBOM selection (via multi-select and search)
- Import sample JSON from CLI (`Upload diff`).
- Diff export options:
- `Download JSON` (same schema as CLI output)
- `Copy as Markdown` for review comments
- Simulation results persist per draft version; history accessible via timeline.
---
## 5·Review & Approval Workflow
- **Commenting:** Line-level comments anchored to DSL lines; global comments supported. Uses rich text (Markdown subset) with mention support (`@group/sec-reviewers`).
- **Resolution:** Approvers/reviewers can mark comment resolved; history preserved in timeline.
- **Approval pane:**
- Checklist (lint, simulation, determinism CI) with status indicators; links to evidence.
- Reviewer checklist (quorum, blocking comments).
- Approval button only enabled when checklist satisfied.
- **Audit log:** Chronological view of submit/review/approve/archive events with actor, timestamp, note, attachments.
- **RBAC feedback:** When user lacks permission, actions are disabled with tooltip referencing required scope(s).
- **Notifications:** Integration with Notifier—subscribe/unsubscribe from review reminders within panel.
---
## 6·Runs & Observability
- **Run tab** consumes `/policy/runs` data:
- Heatmap of rule hits per run (rows = runs, columns = top rules).
- VEX override counter, suppressions, quieted findings metrics.
- Incremental backlog widget (queue depth vs SLA).
- Export CSV/JSON button.
- **Replay/Download:** For each run, actions to download sealed replay bundle or open CLI command snippet.
- **Alert banners:**
- Determinism mismatch (red)
- SLA breach (amber)
- Pending replay (info)
---
## 7·Explain & Findings Integration
- Inline “Open in Findings” button for any diff entry; opens side drawer with explain trace (same schema as `/findings/*/explain`).
- Drawer includes:
- Rule sequence with badges (block/warn/quiet).
- VEX evidence and justification codes.
- Links to advisories (Concelier) and SBOM components.
- Copy-to-clipboard (JSON) and “Share permalink” features (permalinks encode tenant, policy version, component).
---
## 8·Accessibility & i18n
- WCAG 2.2 AA:
- Focus order follows logical workflow; skip link available.
- All actionable icons paired with text or `aria-label`.
- Simulation charts include table equivalents for screen readers.
- Keyboard support:
- `Alt+1/2/3/4` to switch tabs.
- `Shift+?` toggles help overlay (with key map).
- Internationalisation:
- Translations sourced from `/locales/{lang}.json`.
- Date/time displayed using user locale via `Intl.DateTimeFormat`.
- Theming:
- Light/dark CSS tokens; Monaco theme syncs with overall theme.
- High-contrast mode toggled via user preferences.
---
## 9·Offline & Air-Gap Behaviour
- When console operates in sealed enclave:
- Editor displays “Sealed mode” banner with import timestamp.
- Simulation uses cached SBOM/advisory/VEX data only; results flagged accordingly.
- “Export bundle” button packages draft + simulations for transfer.
- Approvals require local Authority; UI blocks actions if `policy:approve` scope absent due to offline token limitations.
- Run tab surfaces bundle staleness warnings (`policy_runs.inputs.env.sealed=true`).
---
## 10·Telemetry & Testing Hooks
- User actions (simulate, submit, approve, activate) emit telemetry (`ui.policy.action` spans) with anonymised metadata.
- Console surfaces correlation IDs for lint/compile errors to ease support triage.
- Cypress/Playwright fixtures available under `ui/policy-editor/examples/`; docs should note to re-record after significant UI changes.
---
## 11·Compliance Checklist
- [ ] **Lint integration:** Editor surfaces diagnostics from API compile endpoint; errors link to DSL documentation.
- [ ] **Simulation parity:** Diff panel mirrors CLI schema; export button tested.
- [ ] **Workflow RBAC:** Buttons enable/disable correctly per scope (`policy:write/submit/review/approve`).
- [ ] **A11y verified:** Keyboard navigation, focus management, colour contrast (light/dark) pass automated Axe checks.
- [ ] **Offline safeguards:** Sealed-mode banner and bundle export flows present; no network calls trigger in sealed mode.
- [ ] **Telemetry wired:** Action spans and error logs include policyId, version, traceId.
- [ ] **Docs cross-links:** Links to DSL, lifecycle, runs, API, CLI guides validated.
- [ ] **Screenshot placeholders updated:** Replace TODO images with latest UI captures before GA.
---
*Last updated: 2025-10-26 (Sprint 20).*
# Policy Editor Workspace
> **Audience:** Product/UX, UI engineers, policy authors/reviewers using the Console.
> **Scope:** Layout, features, RBAC, a11y, simulation workflow, approvals, run dashboards, and offline considerations for the Policy Engine v2 editor (“Policy Studio”).
The Policy Editor is the primary Console workspace for composing, simulating, and approving `stella-dsl@1` policies. It combines Monaco-based editing, diff visualisations, and governance tools so authors and reviewers can collaborate without leaving the browser.
---
## 1·Access & Prerequisites
- **Routes:** `/console/policy` (list) → `/console/policy/:policyId/:version?`.
- **Scopes / roles:**
- `policy:author` (role `policy-author`) to edit drafts, run lint/compile, and execute quick simulations.
- `policy:review` (role `policy-reviewer`) to review drafts, leave comments, and request changes.
- `policy:approve` (role `policy-approver`) to approve or reject submissions.
- `policy:operate` (role `policy-operator`) to trigger batch simulations, promotions, and canary runs.
- `policy:audit` (role `policy-auditor`) to access immutable history and audit exports.
- `policy:simulate` to run simulations from Console; `findings:read` to open explain drawers.
- **Feature flags:** `policyStudio.enabled` (defaults true once Policy Engine v2 API available).
- **Browser support:** Evergreen Chrome, Edge, Firefox, Safari (last two versions). Uses WASM OPA sandbox; ensure COOP/COEP enabled per [UI architecture](../modules/ui/architecture.md).
---
## 2·Workspace Layout
```
┌────────────────────────────────────────────────────────────────────────────┐
│ Header: Policy selector • tenant switch • last activation banner │
├────────────────────────────────────────────────────────────────────────────┤
│ Sidebar (left) │ Main content (right) │
│ - Revision list │ ┌───────────── Editor tabs ───────────────┐ │
│ - Checklist status │ │ DSL │ Simulation │ Approvals │ ... │ │
│ - Pending reviews │ └─────────────────────────────────────────┘ │
│ - Run backlog │ │
│ │ Editor pane / Simulation diff / Run viewer │
└────────────────────────────────────────────────────────────────────────────┘
```
- **Sidebar:** Revision timeline (draft, submitted, approved), compliance checklist cards, outstanding review requests, run backlog (incremental queue depth and SLA).
- **Editor tabs:**
- *DSL* (primary Monaco editor)
- *Simulation* (pre/post diff charts)
- *Approvals* (comments, audit log)
- *Runs* (heatmap dashboards)
- *Explain Explorer* (optional drawer for findings)
- **Right rail:** context cards for VEX providers, policy metadata, quick links to CLI/API docs.
> Placeholder screenshot: `![Policy editor workspace](../assets/policy-editor/workspace.png)` (add after UI team captures latest build).
---
## 3·Editing Experience
- Monaco editor configured for `stella-dsl@1`:
- Syntax highlighting, IntelliSense for rule/action names, snippets for common patterns.
- Inline diagnostics sourced from `/policies/{id}/lint` and `/compile`.
- Code actions (“Fix indentation”, “Insert requireVex block”).
- Mini-map disabled by default to reduce contrast noise; toggle available.
- **Keyboard shortcuts (accessible via `?`):**
- `Ctrl/Cmd + S` Save draft (uploads to API if changed).
- `Ctrl/Cmd + Shift + Enter` Run lint + compile.
- `Ctrl/Cmd + Shift + D` Open diff view vs baseline.
- `Alt + Shift + F` Format document (canonical ordering).
- **Schema tooltips:** Hover on `profile`, `rule`, `action` to view documentation (sourced from DSL doc).
- **Offline warnings:** When `sealed` mode detected, banner reminds authors to validate with offline bundle.
---
## 4·Simulation & Diff Panel
- Triggered via “Run simulation” (toolbar) or automatically after compile.
- Displays:
- **Summary cards:** total findings added/removed/unchanged; severity up/down counts.
- **Rule hit table:** top rules contributing to diffs with percentage change.
- **Component list:** virtualised table linking to explain drawer; supports filters (severity, status, VEX outcome).
- **Visualisations:** stacked bar chart (severity deltas), sparkline for incremental backlog impact.
- Supports run presets:
- `Golden SBOM set` (default)
- Custom SBOM selection (via multi-select and search)
- Import sample JSON from CLI (`Upload diff`).
- Diff export options:
- `Download JSON` (same schema as CLI output)
- `Copy as Markdown` for review comments
- Simulation results persist per draft version; history accessible via timeline.
---
## 5·Review & Approval Workflow
- **Commenting:** Line-level comments anchored to DSL lines; global comments supported. Uses rich text (Markdown subset) with mention support (`@group/sec-reviewers`).
- **Resolution:** Approvers/reviewers can mark comment resolved; history preserved in timeline.
- **Approval pane:**
- Checklist (lint, simulation, determinism CI) with status indicators; links to evidence.
- Reviewer checklist (quorum, blocking comments).
- Approval button only enabled when checklist satisfied.
- **Audit log:** Chronological view of submit/review/approve/archive events with actor, timestamp, note, attachments.
- **RBAC feedback:** When user lacks permission, actions are disabled with tooltip referencing required scope(s).
- **Notifications:** Integration with Notifier—subscribe/unsubscribe from review reminders within panel.
---
## 6·Runs & Observability
- **Run tab** consumes `/policy/runs` data:
- Heatmap of rule hits per run (rows = runs, columns = top rules).
- VEX override counter, suppressions, quieted findings metrics.
- Incremental backlog widget (queue depth vs SLA).
- Export CSV/JSON button.
- **Replay/Download:** For each run, actions to download sealed replay bundle or open CLI command snippet.
- **Alert banners:**
- Determinism mismatch (red)
- SLA breach (amber)
- Pending replay (info)
---
## 7·Explain & Findings Integration
- Inline “Open in Findings” button for any diff entry; opens side drawer with explain trace (same schema as `/findings/*/explain`).
- Drawer includes:
- Rule sequence with badges (block/warn/quiet).
- VEX evidence and justification codes.
- Links to advisories (Concelier) and SBOM components.
- Copy-to-clipboard (JSON) and “Share permalink” features (permalinks encode tenant, policy version, component).
---
## 8·Accessibility & i18n
- WCAG 2.2 AA:
- Focus order follows logical workflow; skip link available.
- All actionable icons paired with text or `aria-label`.
- Simulation charts include table equivalents for screen readers.
- Keyboard support:
- `Alt+1/2/3/4` to switch tabs.
- `Shift+?` toggles help overlay (with key map).
- Internationalisation:
- Translations sourced from `/locales/{lang}.json`.
- Date/time displayed using user locale via `Intl.DateTimeFormat`.
- Theming:
- Light/dark CSS tokens; Monaco theme syncs with overall theme.
- High-contrast mode toggled via user preferences.
---
## 9·Offline & Air-Gap Behaviour
- When console operates in sealed enclave:
- Editor displays “Sealed mode” banner with import timestamp.
- Simulation uses cached SBOM/advisory/VEX data only; results flagged accordingly.
- “Export bundle” button packages draft + simulations for transfer.
- Approvals require local Authority; UI blocks actions if `policy:approve` scope absent due to offline token limitations.
- Run tab surfaces bundle staleness warnings (`policy_runs.inputs.env.sealed=true`).
---
## 10·Telemetry & Testing Hooks
- User actions (simulate, submit, approve, activate) emit telemetry (`ui.policy.action` spans) with anonymised metadata.
- Console surfaces correlation IDs for lint/compile errors to ease support triage.
- Cypress/Playwright fixtures available under `ui/policy-editor/examples/`; docs should note to re-record after significant UI changes.
---
## 11·Compliance Checklist
- [ ] **Lint integration:** Editor surfaces diagnostics from API compile endpoint; errors link to DSL documentation.
- [ ] **Simulation parity:** Diff panel mirrors CLI schema; export button tested.
- [ ] **Workflow RBAC:** Buttons enable/disable correctly per scope (`policy:write/submit/review/approve`).
- [ ] **A11y verified:** Keyboard navigation, focus management, colour contrast (light/dark) pass automated Axe checks.
- [ ] **Offline safeguards:** Sealed-mode banner and bundle export flows present; no network calls trigger in sealed mode.
- [ ] **Telemetry wired:** Action spans and error logs include policyId, version, traceId.
- [ ] **Docs cross-links:** Links to DSL, lifecycle, runs, API, CLI guides validated.
- [ ] **Screenshot placeholders updated:** Replace TODO images with latest UI captures before GA.
---
*Last updated: 2025-10-26 (Sprint 20).*

338
docs/ui/runs.md
View File

@@ -1,169 +1,169 @@
# StellaOps Console - Runs Workspace
> **Audience:** Scheduler Guild, Console UX, operators, support engineers.
> **Scope:** Runs dashboard, live progress, queue management, diffs, retries, evidence downloads, observability, troubleshooting, and offline behaviour (Sprint 23).
The Runs workspace surfaces Scheduler activity across tenants: upcoming schedules, active runs, progress, deltas, and evidence bundles. It helps operators monitor backlog, drill into run segments, and recover from failures without leaving the console.
---
## 1. Access and prerequisites
- **Route:** `/console/runs` (list) with detail drawer `/console/runs/:runId`. SSE stream at `/console/runs/:runId/stream`.
- **Scopes:** `runs.read` (baseline), `runs.manage` (cancel/retry), `policy:runs` (view policy deltas), `downloads.read` (evidence bundles).
- **Dependencies:** Scheduler WebService (`/runs`, `/schedules`, `/preview`), Scheduler Worker event feeds, Policy Engine run summaries, Scanner WebService evidence endpoints.
- **Feature flags:** `runs.dashboard.enabled`, `runs.sse.enabled`, `runs.retry.enabled`, `runs.evidenceBundles`.
- **Tenancy:** Tenant selector filters list; cross-tenant admins can pin multiple tenants side-by-side (split view).
---
## 2. Layout overview
```
+-------------------------------------------------------------------+
| Header: Tenant badge - schedule selector - backlog metrics |
+-------------------------------------------------------------------+
| Cards: Active runs - Queue depth - New findings - KEV deltas |
+-------------------------------------------------------------------+
| Tabs: Active | Completed | Scheduled | Failures |
+-------------------------------------------------------------------+
| Runs table (virtualised) |
| Columns: Run ID | Trigger | State | Progress | Duration | Deltas |
+-------------------------------------------------------------------+
| Detail drawer: Summary | Segments | Deltas | Evidence | Logs |
+-------------------------------------------------------------------+
```
The header integrates the status ticker to show ingestion deltas and planner heartbeat.
---
## 3. Runs table
| Column | Description |
|--------|-------------|
| **Run ID** | Deterministic identifier (`run:<tenant>:<timestamp>:<nonce>`). Clicking opens detail drawer. |
| **Trigger** | `cron`, `manual`, `feedser`, `vexer`, `policy`, `content-refresh`. Tooltip lists schedule and initiator. |
| **State** | Badges: `planning`, `queued`, `running`, `completed`, `cancelled`, `error`. Errors include error code (e.g., `ERR_RUN_005`). |
| **Progress** | Percentage + processed/total candidates. SSE updates increment in real time. |
| **Duration** | Elapsed time (auto-updating). Completed runs show total duration; running runs show timer. |
| **Deltas** | Count of findings deltas (`+critical`, `+high`, `-quieted`, etc.). Tooltip expands severity breakdown. |
Row badges include `KEV first`, `Content refresh`, `Policy promotion follow-up`, and `Retry`. Selecting multiple rows enables bulk downloads and exports.
Filters: trigger type, state, schedule, severity impact (critical/high), policy revision, timeframe, planner shard, error code.
---
## 4. Detail drawer
Sections:
1. **Summary** - run metadata (tenant, trigger, linked schedule, planner shard count, started/finished timestamps, correlation ID).
2. **Progress** - segmented progress bar (planner, queue, execution, post-processing). Real-time updates via SSE; includes throughput (targets per minute).
3. **Segments** - table of run segments with state, target count, executor, retry count. Operators can retry failed segments individually (requires `runs.manage`).
4. **Deltas** - summary of findings changes (new findings, resolved findings, severity shifts, KEV additions). Links to Findings view filtered by run ID.
5. **Evidence** - links to evidence bundles (JSON manifest, DSSE attestation), policy run records, and explain bundles. Download buttons use `/console/exports` orchestration.
6. **Logs** - last 50 structured log entries with severity, message, correlation ID; scroll-to-live for streaming logs. `Open in logs` copies query for external log tooling.
---
## 5. Queue and schedule management
- Schedule side panel lists upcoming jobs with cron expressions, time zones, and enable toggles.
- Queue depth chart shows current backlog per tenant and schedule (planner backlog, executor backlog).
- "Preview impact" button opens modal for manual run planning (purls or vuln IDs) and shows impacted image count before launch. CLI parity: `stella runs preview --tenant <id> --file keys.json`.
- Manual run form allows selecting mode (`analysis-only`, `content-refresh`), scope, and optional policy snapshot.
- Pausing a schedule requires confirmation; UI displays earliest next run after resume.
---
## 6. Live updates and SSE stream
- SSE endpoint `/console/runs/{id}/stream` streams JSON events (`stateChanged`, `segmentProgress`, `deltaSummary`, `log`). UI reconnects with exponential backoff and heartbeat.
- Global ticker shows planner heartbeat age; banner warns after 90 seconds of silence.
- Offline mode disables SSE and falls back to polling every 30 seconds.
---
## 7. Retry and remediation
- Failed segments show retry button; UI displays reason and cooldown timers. Retry actions are scope-gated and logged.
- Full run retry resets segments while preserving original run metadata; new run ID references previous run in `retryOf` field.
- "Escalate to support" button opens incident template pre-filled with run context and correlation IDs.
- Troubleshooting quick links:
- `ERR_RUN_001` (planner lock)
- `ERR_RUN_005` (Scanner timeout)
- `ERR_RUN_009` (impact index stale)
Each link points to corresponding runbook sections (`docs/ops/scheduler-runbook.md`).
- CLI parity: `stella runs retry --run <id>`, `stella runs cancel --run <id>`.
---
## 8. Evidence downloads
- Evidence tab aggregates:
- Policy run summary (`/policy/runs/{id}`)
- Findings delta CSV (`/downloads/findings/{runId}.csv`)
- Scanner evidence bundle (compressed JSON with manifest)
- Downloads show size, hash, signature status.
- "Bundle for offline" packages all evidence into single tarball with manifest/digest; UI notes CLI parity (`stella runs export --run <id> --bundle`).
- Completed bundles stored in Downloads workspace for reuse (links provided).
---
## 9. Observability
- Metrics cards: `scheduler_queue_depth`, `scheduler_runs_active`, `scheduler_runs_error_total`, `scheduler_runs_duration_seconds`.
- Trend charts: queue depth (last 24h), runs per trigger, average duration, determinism score.
- Alert banners: planner lag > SLA, queue depth > threshold, repeated error codes.
- Telemetry panel lists latest events (e.g., `scheduler.run.started`, `scheduler.run.completed`, `scheduler.run.failed`).
---
## 10. Offline and air-gap behaviour
- Offline banner highlights snapshot timestamp and indicates SSE disabled.
- Manual run form switches to generate CLI script for offline execution (`stella runs submit --bundle <file>`).
- Evidence download buttons output local paths; UI reminds to copy to removable media.
- Queue charts use snapshot data; manual refresh button loads latest records from Offline Kit.
- Tenants absent from snapshot hidden to avoid partial data.
---
## 11. Screenshot coordination
- Placeholders:
- `![Runs dashboard placeholder](../assets/ui/runs/dashboard-placeholder.png)`
- `![Run detail placeholder](../assets/ui/runs/detail-placeholder.png)`
- Coordinate with Scheduler Guild for updated screenshots after Sprint 23 UI stabilises (tracked in `#console-screenshots`, entry 2025-10-26).
---
## 12. References
- `/docs/ui/console-overview.md` - shell, SSE ticker.
- `/docs/ui/navigation.md` - route map and deep links.
- `/docs/ui/findings.md` - findings filtered by run.
- `/docs/ui/downloads.md` - download manager, export retention, CLI parity.
- `/docs/ARCHITECTURE_SCHEDULER.md` - scheduler architecture and data model.
- `/docs/policy/runs.md` - policy run integration.
- `/docs/cli/policy.md` and `/docs/cli/policy.md` section 5 for CLI parity (runs commands pending).
- `/docs/ops/scheduler-runbook.md` - troubleshooting.
---
## 13. Compliance checklist
- [ ] Runs table columns, filters, and states described.
- [ ] Detail drawer sections documented (segments, deltas, evidence, logs).
- [ ] Queue management, manual run, and preview coverage included.
- [ ] SSE and live update behaviour detailed.
- [ ] Retry, remediation, and runbook references provided.
- [ ] Evidence downloads and bundle workflows documented with CLI parity.
- [ ] Offline behaviour and screenshot coordination recorded.
- [ ] References validated.
---
*Last updated: 2025-10-26 (Sprint 23).*
# StellaOps Console - Runs Workspace
> **Audience:** Scheduler Guild, Console UX, operators, support engineers.
> **Scope:** Runs dashboard, live progress, queue management, diffs, retries, evidence downloads, observability, troubleshooting, and offline behaviour (Sprint 23).
The Runs workspace surfaces Scheduler activity across tenants: upcoming schedules, active runs, progress, deltas, and evidence bundles. It helps operators monitor backlog, drill into run segments, and recover from failures without leaving the console.
---
## 1. Access and prerequisites
- **Route:** `/console/runs` (list) with detail drawer `/console/runs/:runId`. SSE stream at `/console/runs/:runId/stream`.
- **Scopes:** `runs.read` (baseline), `runs.manage` (cancel/retry), `policy:runs` (view policy deltas), `downloads.read` (evidence bundles).
- **Dependencies:** Scheduler WebService (`/runs`, `/schedules`, `/preview`), Scheduler Worker event feeds, Policy Engine run summaries, Scanner WebService evidence endpoints.
- **Feature flags:** `runs.dashboard.enabled`, `runs.sse.enabled`, `runs.retry.enabled`, `runs.evidenceBundles`.
- **Tenancy:** Tenant selector filters list; cross-tenant admins can pin multiple tenants side-by-side (split view).
---
## 2. Layout overview
```
+-------------------------------------------------------------------+
| Header: Tenant badge - schedule selector - backlog metrics |
+-------------------------------------------------------------------+
| Cards: Active runs - Queue depth - New findings - KEV deltas |
+-------------------------------------------------------------------+
| Tabs: Active | Completed | Scheduled | Failures |
+-------------------------------------------------------------------+
| Runs table (virtualised) |
| Columns: Run ID | Trigger | State | Progress | Duration | Deltas |
+-------------------------------------------------------------------+
| Detail drawer: Summary | Segments | Deltas | Evidence | Logs |
+-------------------------------------------------------------------+
```
The header integrates the status ticker to show ingestion deltas and planner heartbeat.
---
## 3. Runs table
| Column | Description |
|--------|-------------|
| **Run ID** | Deterministic identifier (`run:<tenant>:<timestamp>:<nonce>`). Clicking opens detail drawer. |
| **Trigger** | `cron`, `manual`, `feedser`, `vexer`, `policy`, `content-refresh`. Tooltip lists schedule and initiator. |
| **State** | Badges: `planning`, `queued`, `running`, `completed`, `cancelled`, `error`. Errors include error code (e.g., `ERR_RUN_005`). |
| **Progress** | Percentage + processed/total candidates. SSE updates increment in real time. |
| **Duration** | Elapsed time (auto-updating). Completed runs show total duration; running runs show timer. |
| **Deltas** | Count of findings deltas (`+critical`, `+high`, `-quieted`, etc.). Tooltip expands severity breakdown. |
Row badges include `KEV first`, `Content refresh`, `Policy promotion follow-up`, and `Retry`. Selecting multiple rows enables bulk downloads and exports.
Filters: trigger type, state, schedule, severity impact (critical/high), policy revision, timeframe, planner shard, error code.
---
## 4. Detail drawer
Sections:
1. **Summary** - run metadata (tenant, trigger, linked schedule, planner shard count, started/finished timestamps, correlation ID).
2. **Progress** - segmented progress bar (planner, queue, execution, post-processing). Real-time updates via SSE; includes throughput (targets per minute).
3. **Segments** - table of run segments with state, target count, executor, retry count. Operators can retry failed segments individually (requires `runs.manage`).
4. **Deltas** - summary of findings changes (new findings, resolved findings, severity shifts, KEV additions). Links to Findings view filtered by run ID.
5. **Evidence** - links to evidence bundles (JSON manifest, DSSE attestation), policy run records, and explain bundles. Download buttons use `/console/exports` orchestration.
6. **Logs** - last 50 structured log entries with severity, message, correlation ID; scroll-to-live for streaming logs. `Open in logs` copies query for external log tooling.
---
## 5. Queue and schedule management
- Schedule side panel lists upcoming jobs with cron expressions, time zones, and enable toggles.
- Queue depth chart shows current backlog per tenant and schedule (planner backlog, executor backlog).
- "Preview impact" button opens modal for manual run planning (purls or vuln IDs) and shows impacted image count before launch. CLI parity: `stella runs preview --tenant <id> --file keys.json`.
- Manual run form allows selecting mode (`analysis-only`, `content-refresh`), scope, and optional policy snapshot.
- Pausing a schedule requires confirmation; UI displays earliest next run after resume.
---
## 6. Live updates and SSE stream
- SSE endpoint `/console/runs/{id}/stream` streams JSON events (`stateChanged`, `segmentProgress`, `deltaSummary`, `log`). UI reconnects with exponential backoff and heartbeat.
- Global ticker shows planner heartbeat age; banner warns after 90 seconds of silence.
- Offline mode disables SSE and falls back to polling every 30 seconds.
---
## 7. Retry and remediation
- Failed segments show retry button; UI displays reason and cooldown timers. Retry actions are scope-gated and logged.
- Full run retry resets segments while preserving original run metadata; new run ID references previous run in `retryOf` field.
- "Escalate to support" button opens incident template pre-filled with run context and correlation IDs.
- Troubleshooting quick links:
- `ERR_RUN_001` (planner lock)
- `ERR_RUN_005` (Scanner timeout)
- `ERR_RUN_009` (impact index stale)
Each link points to corresponding runbook sections (`docs/modules/scheduler/operations/worker.md`).
- CLI parity: `stella runs retry --run <id>`, `stella runs cancel --run <id>`.
---
## 8. Evidence downloads
- Evidence tab aggregates:
- Policy run summary (`/policy/runs/{id}`)
- Findings delta CSV (`/downloads/findings/{runId}.csv`)
- Scanner evidence bundle (compressed JSON with manifest)
- Downloads show size, hash, signature status.
- "Bundle for offline" packages all evidence into single tarball with manifest/digest; UI notes CLI parity (`stella runs export --run <id> --bundle`).
- Completed bundles stored in Downloads workspace for reuse (links provided).
---
## 9. Observability
- Metrics cards: `scheduler_queue_depth`, `scheduler_runs_active`, `scheduler_runs_error_total`, `scheduler_runs_duration_seconds`.
- Trend charts: queue depth (last 24h), runs per trigger, average duration, determinism score.
- Alert banners: planner lag > SLA, queue depth > threshold, repeated error codes.
- Telemetry panel lists latest events (e.g., `scheduler.run.started`, `scheduler.run.completed`, `scheduler.run.failed`).
---
## 10. Offline and air-gap behaviour
- Offline banner highlights snapshot timestamp and indicates SSE disabled.
- Manual run form switches to generate CLI script for offline execution (`stella runs submit --bundle <file>`).
- Evidence download buttons output local paths; UI reminds to copy to removable media.
- Queue charts use snapshot data; manual refresh button loads latest records from Offline Kit.
- Tenants absent from snapshot hidden to avoid partial data.
---
## 11. Screenshot coordination
- Placeholders:
- `![Runs dashboard placeholder](../assets/ui/runs/dashboard-placeholder.png)`
- `![Run detail placeholder](../assets/ui/runs/detail-placeholder.png)`
- Coordinate with Scheduler Guild for updated screenshots after Sprint 23 UI stabilises (tracked in `#console-screenshots`, entry 2025-10-26).
---
## 12. References
- `/docs/ui/console-overview.md` - shell, SSE ticker.
- `/docs/ui/navigation.md` - route map and deep links.
- `/docs/ui/findings.md` - findings filtered by run.
- `/docs/ui/downloads.md` - download manager, export retention, CLI parity.
- `/docs/modules/scheduler/architecture.md` - scheduler architecture and data model.
- `/docs/policy/runs.md` - policy run integration.
- `/docs/modules/cli/guides/policy.md` and `/docs/modules/cli/guides/policy.md` section 5 for CLI parity (runs commands pending).
- `/docs/modules/scheduler/operations/worker.md` - troubleshooting.
---
## 13. Compliance checklist
- [ ] Runs table columns, filters, and states described.
- [ ] Detail drawer sections documented (segments, deltas, evidence, logs).
- [ ] Queue management, manual run, and preview coverage included.
- [ ] SSE and live update behaviour detailed.
- [ ] Retry, remediation, and runbook references provided.
- [ ] Evidence downloads and bundle workflows documented with CLI parity.
- [ ] Offline behaviour and screenshot coordination recorded.
- [ ] References validated.
---
*Last updated: 2025-10-26 (Sprint 23).*

390
docs/ui/sbom-explorer.md
View File

@@ -1,195 +1,195 @@
# StellaOps Console - SBOM Explorer
> **Audience:** Console UX, SBOM Service Guild, enablement teams, customer onboarding.
> **Scope:** Catalog listing, component detail, graph overlays, exports, performance hints, and offline behaviour for the SBOM Explorer that ships in Sprint 23.
The SBOM Explorer lets operators inspect software bills of materials collected by Scanner and normalised by the SBOM Service. It provides tenant-scoped catalogs, usage overlays, provenance-aware graphs, and deterministic export paths that align with CLI workflows.
---
## 1. Access and prerequisites
- **Routes:** `/console/sbom` (catalog) and `/console/sbom/:digest` (detail).
- **Scopes:** `sbom.read` (required), `sbom.export` for large export jobs, `findings.read` to open explain drawers, `policy.read` to view overlay metadata.
- **Feature flags:** `sbomExplorer.enabled` (default true when SBOM Service v3 API is enabled) and `graph.overlays.enabled` for Cartographer-backed overlays.
- **Tenant scoping:** All queries include `tenant` tokens; switching tenants triggers catalog refetch and clears cached overlays.
- **Data dependencies:** Requires SBOM Service 3.1+ with Cartographer overlays and Policy Engine explain hints enabled.
---
## 2. Layout overview
```
+-----------------------------------------------------------------------+
| Header: Tenant badge - global filters - offline indicator - actions |
+-----------------------------------------------------------------------+
| Left rail: Saved views - pinned tags - export queue status |
+-----------------------------------------------------------------------+
| Catalog table (virtualised) |
| - Columns: Image digest - Source - Scan timestamp - Policy verdict |
| - Badges: Delta SBOM, Attested, Offline snapshot |
+-----------------------------------------------------------------------+
| Detail drawer or full page tabs (Inventory | Usage | Components | |
| Overlays | Explain | Exports) |
+-----------------------------------------------------------------------+
```
The catalog and detail views reuse the shared command palette, context chips, and SSE status ticker described in `/docs/ui/navigation.md`.
---
## 3. Catalog view
| Feature | Description |
|---------|-------------|
| **Virtual table** | Uses Angular CDK virtual scroll to render up to 10,000 records per tenant without layout jank. Sorting and filtering are client-side for <= 20k rows; the UI upgrades to server-side queries automatically when more records exist. |
| **Preset segments** | Quick toggles for `All`, `Recent (7 d)`, `Delta-ready`, `Attested`, and `Offline snapshots`. Each preset maps to saved view tokens for CLI parity. |
| **Search** | Global search field supports image digests, repository tags, SBOM IDs, and component PURLs. Search terms propagate to the detail view when opened. |
| **Badges** | - `Delta` badge indicates SBOM produced via delta mode (layers reuse).<br>- `Attested` badge links to Attestor proof and Rekor record.<br>- `Snapshot` badge shows offline import hash.<br>- `Policy` badge references last policy verdict summary. |
| **Bulk actions** | Multi-select rows to stage export jobs, trigger async explain generation, or copy CLI commands. Actions enforce per-tenant rate limits and show authority scopes in tooltips. |
---
## 4. Detail tabs
### 4.1 Inventory tab
- Default view summarising all components with columns for package name (PURL), version, supplier, license, size, and counts of referencing layers.
- Filters: severity, ecosystem (OS, NPM, PyPI, Maven, Go, NuGet, Rust, containers), usage flag (true/false), package tags.
- Sorting: by severity (desc), version (asc), supplier.
- Cell tooltips reference Concelier advisories and Policy Engine findings when available.
- Total component count, unique suppliers, and critical severity counts appear in the header cards.
### 4.2 Usage tab
- Focuses on runtime usage (EntryTrace, runtime sensors, allow lists).
- Columns include process names, entry points, and `usedByEntrypoint` flags.
- Grouping: by entry point, by package, or by namespace (Kubernetes).
- Highlights mismatches between declared dependencies and observed usage for drift detection.
### 4.3 Components tab
- Deep dive for a single component selected from Inventory or Usage.
- Shows provenance timeline (introduced in layer, modified, removed), file paths, cryptographic hashes, and linked evidence (DSSE, Attestor bundles).
- Links to CLI commands: `stella sbom component show <digest> <purl>` and `stella sbom component export`.
- Drawer supports multi-component comparison through tabbed interface.
### 4.4 Overlays tab
- Displays Cartographer overlays: vulnerability overlays (policy verdicts), runtime overlays (process traces), and vendor advisories.
- Each overlay card lists source, generation timestamp, precedence, and staleness relative to tenant SLA.
- Toggle overlays on/off to see impact on component status; UI does not mutate canonical SBOM, it only enriches the view.
- Graph preview button opens force-directed component graph (limited to <= 500 nodes) with filters for dependency depth and relationship type.
- Overlay metadata includes the CLI parity snippet: `stella sbom overlay apply --overlay <id> --digest <digest>`.
### 4.5 Explain tab
- Integrates Policy Engine explain drawer.
- Shows rule hits, VEX overrides, and evidence per component.
- Provides "Open in Findings" link that preserves tenant and filters.
### 4.6 Exports tab
- Lists available exports (CycloneDX JSON, CycloneDX Protobuf, SPDX JSON, SPDX Tag-Value, Delta bundle, Evidence bundle).
- Each export entry shows size, hash (SHA-256), format version, and generation time.
- Download buttons respect RBAC and offline quotas; CLI callouts mirror `stella sbom export`.
- "Schedule export" launches async job for large bundles; job status integrates with `/console/downloads`.
- Includes copy-to-clipboard path for offline transfers (`/offline-kits/export/<tenant>/<digest>/<format>`).
---
## 5. Filters and presets
| Filter | Applies to | Notes |
|--------|------------|-------|
| **Severity** | Inventory, Overlays, Explain | Uses Policy Engine severity buckets and KEV flag. |
| **Ecosystem** | Inventory, Usage | Multi-select list with search; maps to package type derived from PURL. |
| **License** | Inventory | Groups by SPDX identifiers; warns on copyleft obligations. |
| **Supplier** | Inventory, Components | Autocomplete backed by SBOM metadata. |
| **Tags** | Inventory, Usage | Tags provided by Scanner or user-defined metadata. |
| **Component search** | Components, Overlays | Accepts PURL or substring; retains highlight when switching tabs. |
| **Snapshot** | Catalog | Filters to SBOMs sourced from Offline Kit or local import. |
| **Attested only** | Catalog, Exports | Limits to SBOMs signed by Attestor; displays Rekor badge. |
Saved views store combinations of these filters and expose command palette shortcuts (`Cmd+1-9 / Ctrl+1-9`).
---
## 6. Graph overlays and cartography
- Graph view is powered by Cartographer projections (tenant-scoped graph snapshots).
- Supported overlays:
- **Dependency graph** (default) - nodes represent components, edges represent dependencies with direction (introducer -> introduced).
- **Runtime call graph** - optional overlay layering process calls on top of dependencies.
- **Vulnerability overlay** - colours nodes by highest severity and outlines exploited components.
- Controls: depth slider (1-6), include transitive flag, hide dev dependencies toggle, highlight vendor-specified critical paths.
- Export options: GraphML, JSON Lines, and screenshot capture (requires `graph.export`).
- Performance guardrails: overlays warn when node count exceeds 2,000; user can queue background job to render static graph for download instead.
---
## 7. Exports and automation
- **Instant exports:** Inline downloads for CycloneDX JSON/Protobuf (<= 25 MB) and SPDX JSON (<= 25 MB).
- **Async exports:** Larger bundles stream through the download manager with resume support. UI polls `/console/downloads` every 15 seconds while export is in progress.
- **CLI parity:** Each export card displays the equivalent CLI command and environment variables (proxy, offline).
- **Compliance metadata:** Export manifests include SBOM ID, component count, hash, signature state, and policy verdict summary so auditors can validate offline.
- **Automation hooks:** Webhook button copies the `/downloads/hooks/subscribe` call for integration with CI pipelines.
---
## 8. Performance tips
- Virtual scroll keeps initial render under 70 ms for 10k rows; server-side pagination engages beyond that threshold.
- Graph overlay rendering uses Web Workers to keep main thread responsive; heavy layouts show "Background layout in progress" banner.
- SSE updates (new SBOM ready) refresh header cards and prepend rows without full table redraw.
- Prefetching: opening a detail drawer preloads overlays and exports concurrently; these requests cancel automatically if the user navigates away.
- Local cache (IndexedDB) stores last viewed SBOM detail for each tenant (up to 20 entries). Cache invalidates when new merge hash is observed.
---
## 9. Offline and air-gap behaviour
- Catalog reads from Offline Kit snapshot if gateway is in sealed mode; offline banner lists snapshot ID and staleness.
- Overlays limited to data included in snapshot; missing overlays show guidance to import updated Cartographer package.
- Exports queue locally and generate tarballs ready to copy to removable media.
- CLI parity callouts switch to offline examples (using `stella sbom export --offline`).
- Tenants unavailable in snapshot are hidden from the tenant picker to prevent inconsistent views.
---
## 10. Screenshot coordination
- Placeholder images:
- `![SBOM catalog view placeholder](../assets/ui/sbom/catalog-placeholder.png)`
- `![Overlay graph placeholder](../assets/ui/sbom/overlay-placeholder.png)`
- Coordinate with Console Guild to capture updated screenshots (dark and light theme) once Sprint 23 UI stabilises. Track follow-up in Console Guild thread `#console-screenshots` dated 2025-10-26.
---
## 11. References
- `/docs/ui/console-overview.md` - navigation shell, tenant model, filters.
- `/docs/ui/navigation.md` - command palette, deep-link schema.
- `/docs/ui/downloads.md` - download queue, manifest parity, offline export handling.
- `/docs/security/console-security.md` - scopes, DPoP, CSP.
- `/docs/cli-vs-ui-parity.md` - CLI equivalence matrix.
- `/docs/architecture/console.md` (pending) - component data flows.
- `/docs/architecture/overview.md` - high-level module relationships.
- `/docs/ingestion/aggregation-only-contract.md` - provenance and guard rails.
---
## 12. Compliance checklist
- [ ] Catalog table and detail tabs documented with columns, filters, and presets.
- [ ] Overlay behaviour describes Cartographer integration and CLI parity.
- [ ] Export section includes instant vs async workflow and compliance metadata.
- [ ] Performance considerations align with UI benchmarks (virtual scroll, workers).
- [ ] Offline behaviour captured for catalog, overlays, exports.
- [ ] Screenshot placeholders and coordination notes recorded with Console Guild follow-up.
- [ ] All referenced docs verified and accessible.
---
*Last updated: 2025-10-26 (Sprint 23).*
# StellaOps Console - SBOM Explorer
> **Audience:** Console UX, SBOM Service Guild, enablement teams, customer onboarding.
> **Scope:** Catalog listing, component detail, graph overlays, exports, performance hints, and offline behaviour for the SBOM Explorer that ships in Sprint 23.
The SBOM Explorer lets operators inspect software bills of materials collected by Scanner and normalised by the SBOM Service. It provides tenant-scoped catalogs, usage overlays, provenance-aware graphs, and deterministic export paths that align with CLI workflows.
---
## 1. Access and prerequisites
- **Routes:** `/console/sbom` (catalog) and `/console/sbom/:digest` (detail).
- **Scopes:** `sbom.read` (required), `sbom.export` for large export jobs, `findings.read` to open explain drawers, `policy.read` to view overlay metadata.
- **Feature flags:** `sbomExplorer.enabled` (default true when SBOM Service v3 API is enabled) and `graph.overlays.enabled` for Cartographer-backed overlays.
- **Tenant scoping:** All queries include `tenant` tokens; switching tenants triggers catalog refetch and clears cached overlays.
- **Data dependencies:** Requires SBOM Service 3.1+ with Cartographer overlays and Policy Engine explain hints enabled.
---
## 2. Layout overview
```
+-----------------------------------------------------------------------+
| Header: Tenant badge - global filters - offline indicator - actions |
+-----------------------------------------------------------------------+
| Left rail: Saved views - pinned tags - export queue status |
+-----------------------------------------------------------------------+
| Catalog table (virtualised) |
| - Columns: Image digest - Source - Scan timestamp - Policy verdict |
| - Badges: Delta SBOM, Attested, Offline snapshot |
+-----------------------------------------------------------------------+
| Detail drawer or full page tabs (Inventory | Usage | Components | |
| Overlays | Explain | Exports) |
+-----------------------------------------------------------------------+
```
The catalog and detail views reuse the shared command palette, context chips, and SSE status ticker described in `/docs/ui/navigation.md`.
---
## 3. Catalog view
| Feature | Description |
|---------|-------------|
| **Virtual table** | Uses Angular CDK virtual scroll to render up to 10,000 records per tenant without layout jank. Sorting and filtering are client-side for <= 20k rows; the UI upgrades to server-side queries automatically when more records exist. |
| **Preset segments** | Quick toggles for `All`, `Recent (7 d)`, `Delta-ready`, `Attested`, and `Offline snapshots`. Each preset maps to saved view tokens for CLI parity. |
| **Search** | Global search field supports image digests, repository tags, SBOM IDs, and component PURLs. Search terms propagate to the detail view when opened. |
| **Badges** | - `Delta` badge indicates SBOM produced via delta mode (layers reuse).<br>- `Attested` badge links to Attestor proof and Rekor record.<br>- `Snapshot` badge shows offline import hash.<br>- `Policy` badge references last policy verdict summary. |
| **Bulk actions** | Multi-select rows to stage export jobs, trigger async explain generation, or copy CLI commands. Actions enforce per-tenant rate limits and show authority scopes in tooltips. |
---
## 4. Detail tabs
### 4.1 Inventory tab
- Default view summarising all components with columns for package name (PURL), version, supplier, license, size, and counts of referencing layers.
- Filters: severity, ecosystem (OS, NPM, PyPI, Maven, Go, NuGet, Rust, containers), usage flag (true/false), package tags.
- Sorting: by severity (desc), version (asc), supplier.
- Cell tooltips reference Concelier advisories and Policy Engine findings when available.
- Total component count, unique suppliers, and critical severity counts appear in the header cards.
### 4.2 Usage tab
- Focuses on runtime usage (EntryTrace, runtime sensors, allow lists).
- Columns include process names, entry points, and `usedByEntrypoint` flags.
- Grouping: by entry point, by package, or by namespace (Kubernetes).
- Highlights mismatches between declared dependencies and observed usage for drift detection.
### 4.3 Components tab
- Deep dive for a single component selected from Inventory or Usage.
- Shows provenance timeline (introduced in layer, modified, removed), file paths, cryptographic hashes, and linked evidence (DSSE, Attestor bundles).
- Links to CLI commands: `stella sbom component show <digest> <purl>` and `stella sbom component export`.
- Drawer supports multi-component comparison through tabbed interface.
### 4.4 Overlays tab
- Displays Cartographer overlays: vulnerability overlays (policy verdicts), runtime overlays (process traces), and vendor advisories.
- Each overlay card lists source, generation timestamp, precedence, and staleness relative to tenant SLA.
- Toggle overlays on/off to see impact on component status; UI does not mutate canonical SBOM, it only enriches the view.
- Graph preview button opens force-directed component graph (limited to <= 500 nodes) with filters for dependency depth and relationship type.
- Overlay metadata includes the CLI parity snippet: `stella sbom overlay apply --overlay <id> --digest <digest>`.
### 4.5 Explain tab
- Integrates Policy Engine explain drawer.
- Shows rule hits, VEX overrides, and evidence per component.
- Provides "Open in Findings" link that preserves tenant and filters.
### 4.6 Exports tab
- Lists available exports (CycloneDX JSON, CycloneDX Protobuf, SPDX JSON, SPDX Tag-Value, Delta bundle, Evidence bundle).
- Each export entry shows size, hash (SHA-256), format version, and generation time.
- Download buttons respect RBAC and offline quotas; CLI callouts mirror `stella sbom export`.
- "Schedule export" launches async job for large bundles; job status integrates with `/console/downloads`.
- Includes copy-to-clipboard path for offline transfers (`/offline-kits/export/<tenant>/<digest>/<format>`).
---
## 5. Filters and presets
| Filter | Applies to | Notes |
|--------|------------|-------|
| **Severity** | Inventory, Overlays, Explain | Uses Policy Engine severity buckets and KEV flag. |
| **Ecosystem** | Inventory, Usage | Multi-select list with search; maps to package type derived from PURL. |
| **License** | Inventory | Groups by SPDX identifiers; warns on copyleft obligations. |
| **Supplier** | Inventory, Components | Autocomplete backed by SBOM metadata. |
| **Tags** | Inventory, Usage | Tags provided by Scanner or user-defined metadata. |
| **Component search** | Components, Overlays | Accepts PURL or substring; retains highlight when switching tabs. |
| **Snapshot** | Catalog | Filters to SBOMs sourced from Offline Kit or local import. |
| **Attested only** | Catalog, Exports | Limits to SBOMs signed by Attestor; displays Rekor badge. |
Saved views store combinations of these filters and expose command palette shortcuts (`Cmd+1-9 / Ctrl+1-9`).
---
## 6. Graph overlays and cartography
- Graph view is powered by Cartographer projections (tenant-scoped graph snapshots).
- Supported overlays:
- **Dependency graph** (default) - nodes represent components, edges represent dependencies with direction (introducer -> introduced).
- **Runtime call graph** - optional overlay layering process calls on top of dependencies.
- **Vulnerability overlay** - colours nodes by highest severity and outlines exploited components.
- Controls: depth slider (1-6), include transitive flag, hide dev dependencies toggle, highlight vendor-specified critical paths.
- Export options: GraphML, JSON Lines, and screenshot capture (requires `graph.export`).
- Performance guardrails: overlays warn when node count exceeds 2,000; user can queue background job to render static graph for download instead.
---
## 7. Exports and automation
- **Instant exports:** Inline downloads for CycloneDX JSON/Protobuf (<= 25 MB) and SPDX JSON (<= 25 MB).
- **Async exports:** Larger bundles stream through the download manager with resume support. UI polls `/console/downloads` every 15 seconds while export is in progress.
- **CLI parity:** Each export card displays the equivalent CLI command and environment variables (proxy, offline).
- **Compliance metadata:** Export manifests include SBOM ID, component count, hash, signature state, and policy verdict summary so auditors can validate offline.
- **Automation hooks:** Webhook button copies the `/downloads/hooks/subscribe` call for integration with CI pipelines.
---
## 8. Performance tips
- Virtual scroll keeps initial render under 70 ms for 10k rows; server-side pagination engages beyond that threshold.
- Graph overlay rendering uses Web Workers to keep main thread responsive; heavy layouts show "Background layout in progress" banner.
- SSE updates (new SBOM ready) refresh header cards and prepend rows without full table redraw.
- Prefetching: opening a detail drawer preloads overlays and exports concurrently; these requests cancel automatically if the user navigates away.
- Local cache (IndexedDB) stores last viewed SBOM detail for each tenant (up to 20 entries). Cache invalidates when new merge hash is observed.
---
## 9. Offline and air-gap behaviour
- Catalog reads from Offline Kit snapshot if gateway is in sealed mode; offline banner lists snapshot ID and staleness.
- Overlays limited to data included in snapshot; missing overlays show guidance to import updated Cartographer package.
- Exports queue locally and generate tarballs ready to copy to removable media.
- CLI parity callouts switch to offline examples (using `stella sbom export --offline`).
- Tenants unavailable in snapshot are hidden from the tenant picker to prevent inconsistent views.
---
## 10. Screenshot coordination
- Placeholder images:
- `![SBOM catalog view placeholder](../assets/ui/sbom/catalog-placeholder.png)`
- `![Overlay graph placeholder](../assets/ui/sbom/overlay-placeholder.png)`
- Coordinate with Console Guild to capture updated screenshots (dark and light theme) once Sprint 23 UI stabilises. Track follow-up in Console Guild thread `#console-screenshots` dated 2025-10-26.
---
## 11. References
- `/docs/ui/console-overview.md` - navigation shell, tenant model, filters.
- `/docs/ui/navigation.md` - command palette, deep-link schema.
- `/docs/ui/downloads.md` - download queue, manifest parity, offline export handling.
- `/docs/security/console-security.md` - scopes, DPoP, CSP.
- `/docs/cli-vs-ui-parity.md` - CLI equivalence matrix.
- `/docs/architecture/console.md` (pending) - component data flows.
- `/docs/modules/platform/architecture-overview.md` - high-level module relationships.
- `/docs/ingestion/aggregation-only-contract.md` - provenance and guard rails.
---
## 12. Compliance checklist
- [ ] Catalog table and detail tabs documented with columns, filters, and presets.
- [ ] Overlay behaviour describes Cartographer integration and CLI parity.
- [ ] Export section includes instant vs async workflow and compliance metadata.
- [ ] Performance considerations align with UI benchmarks (virtual scroll, workers).
- [ ] Offline behaviour captured for catalog, overlays, exports.
- [ ] Screenshot placeholders and coordination notes recorded with Console Guild follow-up.
- [ ] All referenced docs verified and accessible.
---
*Last updated: 2025-10-26 (Sprint 23).*