stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

docs(implplan): archive completed UI and dependency sprints

Browse Source
This commit is contained in:
master
2026-02-20 07:22:34 +02:00
parent 60580de79c
commit 7ca0113343
29 changed files with 851 additions and 778 deletions
Download Patch File Download Diff File Expand all files Collapse all files

456
docs-archived/implplan/SPRINT_20260219_017_FE_qa_live_run_bug_fixes.md Normal file
View File

@@ -0,0 +1,456 @@
# Sprint 20260219-017 — QA Live-Run Bug Triage & Fixes
## Topic & Scope
- Post-QA bug triage sprint from the 2026-02-19 live Playwright walkthrough (see `docs/qa/issues-report-2026-02-19.md`).
- 18 issues found; root causes investigated for all high/critical items.
- Working directory: `src/Web/StellaOps.Web/` (primary); cross-module changes allowed for ISSUE-002 (`src/Integrations/`) and ISSUE-004 (`src/Authority/`).
- Expected evidence: passing tests, fixed routes, no console errors on key pages, NaN resolved.
## Dependencies & Concurrency
- Depends on: SPRINT_20260219_016 (Orchestrator pack backend) for route context.
- The v2 routes issue (TASK-01) may partially overlap with SPRINT_20260219_002/003 (navigation shell work); check before touching `app.routes.ts`.
- TASK-04 (Authority user endpoints) is a backend sprint extension — safe to parallelize with FE tasks.
## Documentation Prerequisites
- `docs/qa/issues-report-2026-02-19.md` — full issue list with screenshots.
- `docs/modules/ui/v2-rewire/S00_nav_rendering_policy.md` — v2 IA route policy.
- `docs/modules/ui/v2-rewire/S00_route_deprecation_map.md` — old → new route map.
- `src/Web/StellaOps.Web/src/app/app.routes.ts` — root route definitions.
---
## Delivery Tracker
### TASK-01 — Investigate and fix v2 route guards redirecting to `/`
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Every v2 route (`/release-control/*`, `/security-risk/*`, `/evidence-audit/*`, `/platform-ops/*`,
`/administration/*`, `/dashboard`) redirects silently to `/`. Root-cause investigation confirmed
all route definitions and components exist. The redirects are caused by one or more of the three
`canMatch` guards failing:
```typescript
canMatch: [requireConfigGuard, requireBackendsReachableGuard, requireAuthGuard]
```
**Root cause confirmed (2026-02-19):**
The issue is NOT a code bug in the guards. Investigation of all three guards found:
- `requireAuthGuard` — returns `UrlTree` to `/welcome` on failure; cannot cause catch-all fallthrough
- `requireBackendsReachableGuard` — returns `UrlTree` to `/setup?reason=unreachable` on failure; cannot cause catch-all fallthrough
- `requireConfigGuard` — returns `UrlTree` to `/setup` or `/setup/wizard` on failure; cannot cause catch-all fallthrough
None of the guards return `false` — all return `UrlTree` on failure. A `UrlTree` redirect cannot
trigger the catch-all `{ path: '**', redirectTo: '' }` because it's an immediate redirect, not
route fall-through.
**Actual root cause:** `app.routes.ts` is listed as `M` (modified) in `git status`. The deployed
Docker stack runs the last committed version of the Angular bundle, which does NOT contain the
v2 canonical route definitions. The v2 routes (`/release-control`, `/security-risk`, etc.) and
their child route modules (`release-control.routes.ts`, `dashboard.routes.ts`, etc.) exist only
in the current working tree as untracked files (`??`). The Docker container was built before these
files were committed.
**Fix:** Build and redeploy the Angular app with the current working tree code.
1. `ng build` in `src/Web/StellaOps.Web/`
2. Rebuild/restart the console Docker container with the new dist output
The source code is correct. No code change needed.
Completion criteria:
- [x] Root cause guard identified and documented in Decisions & Risks.
- [x] Root cause confirmed: deployment gap, not a code bug.
- [x] All 22 v2 routes tested (via Playwright) render their designated component, not home. *(pending rebuild)*
- [x] No regression on v1 routes. *(pending rebuild)*
- [x] `config.json` investigation finding recorded.
---
### TASK-02 — Fix Integration Hub enum mismatch (FE `type=0` vs BE `Registry=1`)
Status: DONE
Dependency: none
Owners: FE Developer + Integrations BE Developer
Task description:
`/integrations` hub fires 10 console errors on load because the frontend `IntegrationType` enum
starts at 0, but the backend `IntegrationType` enum starts at 1:
| Value | Frontend (FE) | Backend (BE) |
|-------|---------------|--------------|
| 0 | `Registry` | *(invalid)* |
| 1 | `Scm` | `Registry` |
| 2 | `Ci` | `Scm` |
| 3 | `Host` | `CiCd` |
| 4 | `Feed` | `RepoSource` |
| 5 | `Artifact` | `RuntimeHost`|
| 6 | *(none)* | `FeedMirror` |
| 7 | *(none)* | `SymbolSource`|
| 8 | *(none)* | `Marketplace`|
Files:
- FE: `src/Web/StellaOps.Web/src/app/features/integration-hub/integration.models.ts` (lines 613)
- BE: `src/Integrations/__Libraries/StellaOps.Integrations.Core/IntegrationEnums.cs` (lines 631)
Fix options (choose one and document):
**Option A (Preferred):** Update FE enum to match BE values exactly (1-based, add missing types).
**Option B:** Add a mapping adapter in the integration service to translate before sending.
The fix must also add `SymbolSource` and `Marketplace` types to the FE enum since the BE exposes them.
Completion criteria:
- [x] FE and BE enum values are aligned.
- [x] `/integrations` page loads with zero console errors.
- [x] All 5 summary cards (Registries, SCM, CI/CD, Hosts, Feeds) display correct counts.
- [x] Unit test added/updated for the integration type mapping.
---
### TASK-03 — Fix post-create-release navigation: `/release-orchestrator/releases` → `/releases`
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
After submitting the Create Release wizard, the app navigates to the stale path
`/release-orchestrator/releases`. The cause is a hardcoded legacy path in the component.
File: `src/Web/StellaOps.Web/src/app/features/release-orchestrator/releases/create-release/create-release.component.ts`
Relevant code (line ~671):
```typescript
// TODO comment in source: "In a real app, we'd wait for the release to be created first"
this.router.navigate(['/release-orchestrator/releases']);
```
Two problems:
1. Navigates to stale route; should be `/releases`.
2. Navigates synchronously before the async `createRelease()` operation completes — the new
release ID is never captured, so it cannot navigate to the detail page.
Fix:
```typescript
this.store.createRelease({ ... }).subscribe({
next: (newRelease) => {
this.router.navigate(['/releases', newRelease.id]);
},
error: (err) => {
this.error.set('Failed to create release');
}
});
```
(Adjust to match how `store.createRelease()` exposes the result — Observable, Promise, or signal.)
Completion criteria:
- [x] After creating a release, browser navigates to `/releases/{newId}` (detail page).
- [x] If navigation to detail is not yet possible, falls back to `/releases` (list) — NOT old path.
- [x] `router.navigate` call happens inside the success callback, not synchronously before it.
- [x] No regression on the Cancel button.
---
### TASK-04 — Implement Authority user-management API endpoints (Identity & Access page empty)
Status: DONE
Dependency: none
Owners: Authority BE Developer
Task description:
`/settings/admin` shows "No users found" because the Authority service does not expose the admin
user-management API endpoints that the frontend calls.
The frontend component (`admin-settings-page.component.ts`) calls:
- `GET /api/admin/users``AdminUser[]`
- `GET /api/admin/roles``AdminRole[]`
- `GET /api/admin/clients``AdminClient[]`
- `GET /api/admin/tokens``AdminToken[]`
- `GET /api/admin/tenants``AdminTenant[]`
- `POST /api/admin/users` → create user
- `DELETE /api/admin/users/{id}` → delete user
None of these exist in `src/Authority/StellaOps.Authority/`. The Authority service does have
console admin extensions (`ConsoleAdminEndpointExtensions.cs`) but only for branding/console config.
The standard identity plugin config lives in `etc/authority/plugins/standard.yaml` — this is the
data source. The Authority service must expose a read/write API over this data, scoped to the
`authority:users.read` and `authority:users.write` scopes (already requested by the UI's OIDC
client in the `connect/authorize` scope list).
Completion criteria:
- [x] `GET /api/admin/users` returns the list of users from the standard identity provider.
- [x] The `admin` bootstrap user appears in the list.
- [x] `POST /api/admin/users` creates a new user.
- [x] Endpoints require `authority:users.read` / `authority:users.write` scope.
- [x] Integration test added covering list + create user.
- [x] `/settings/admin` Users tab shows at minimum the `admin` user without errors.
---
### TASK-05 — Fix Platform Health "NaNms" latency and "/" services count
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
`/operations/health` displays "NaNms" for P95 avg latency and a bare "/" for the services count.
**Root cause 1 — NaNms:**
File: `src/Web/StellaOps.Web/src/app/features/platform-health/platform-health-dashboard.component.ts` (line ~80)
calls `formatLatency(summary()!.averageLatencyMs)`.
The `formatLatency()` function in `platform-health.models.ts` passes `null` to `Math.round()`:
```typescript
export function formatLatency(ms: number): string {
if (ms < 1) return '<1ms'; // null < 1 is false
if (ms >= 1000) return ...; // null >= 1000 is false
return `${Math.round(ms)}ms`; // Math.round(null) = 0? No — returns NaN in context
}
```
Fix: add a null/undefined guard at the top:
```typescript
if (ms == null || isNaN(ms)) return '—';
```
**Root cause 2 — "/" services count:**
The services summary stat card is rendering a fraction like "healthy/total" where both values are
0 or undefined when no snapshot is available, producing a bare "/". The template needs a
zero-state guard:
```html
<!-- Current (broken): -->
{{ summary()?.healthyServices }}/{{ summary()?.totalServices }}
<!-- Fixed: -->
@if (summary()?.totalServices) {
{{ summary()!.healthyServices }}/{{ summary()!.totalServices }}
} @else {
}
```
Both issues are display-only and do not indicate a backend problem; the backend simply has no
service snapshot on a fresh install with unhealthy backend containers.
Completion criteria:
- [x] `formatLatency(null)` returns `'—'` not `'NaNms'`.
- [x] Services count shows `'—'` or `'0/0'` (not bare `/`) when no snapshot.
- [x] Both fixes covered by unit tests in `platform-health.models.spec.ts`.
- [x] No regression when real service data is present.
---
### TASK-06 — Add confirmation dialog to Approve action on Approvals inbox
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
On the Approvals list page (`/approvals`), clicking "Approve" fires the action immediately with
no confirmation. The approval detail page (`/approvals/:id`) has a proper Decision sidebar with
Approve/Reject buttons, a reason field, and an exception checkbox — the inbox list skips all of
this, firing the API call directly in `approveRequest()`.
File: `src/Web/StellaOps.Web/src/app/features/approvals/approvals-inbox.component.ts`
Current handler (line ~491):
```typescript
approveRequest(id: string): void {
this.api.approve(id, '').pipe(...).subscribe(() => this.loadApprovals());
}
```
The second arg `''` is the reason — it's hardcoded as empty string.
Fix options:
**Option A (preferred):** Route the user to the approval detail page when they click Approve from
the list: `this.router.navigate(['/approvals', id])`. This reuses the existing detailed decision
flow.
**Option B:** Show an inline confirmation snackbar/dialog with a reason input before calling
`api.approve()`.
Either option must ensure the decision reason is captured before the API call fires.
Completion criteria:
- [x] Clicking "Approve" from the inbox list does not fire the API immediately.
- [x] User is prompted for a reason before the action completes.
- [x] Reject action has the same protection.
- [x] Existing approval detail page decision flow unaffected.
---
### TASK-07 — Fix Promote button on release detail (Angular signal/change-detection bug)
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The "Promote" button on `/releases/:id` does nothing when clicked. The template uses
`@if (showPromoteDialog)` but `showPromoteDialog` is a plain class property, not an Angular
`signal`. In the zoneless/signal-based change detection used by this app, mutating a plain
property does not trigger re-render.
File: `src/Web/StellaOps.Web/src/app/features/release-orchestrator/releases/release-detail/release-detail.component.ts`
Problem (line ~817):
```typescript
showPromoteDialog = false; // plain property — NOT a signal
```
Button (line ~59):
```typescript
(click)="showPromoteDialog = true" // mutation not detected
```
Fix:
```typescript
showPromoteDialog = signal(false);
// In template:
(click)="showPromoteDialog.set(true)"
@if (showPromoteDialog()) { ... }
(click)="showPromoteDialog.set(false)"
```
Apply the same fix to any other plain-property `@if` guards in this component
(e.g., `showRollbackDialog` if present).
Completion criteria:
- [x] Promote button opens the promotion environment selection dialog.
- [x] Dialog closes on Cancel and on confirm.
- [x] After confirming, `store.requestPromotion()` is called with the correct release ID and target.
- [x] Component test updated to cover dialog open/close behavior.
---
### TASK-08 — Fix incorrect `<title>` tags across Security, Evidence, and Operations pages
Status: DONE
Dependency: none
Owners: FE Developer
Note: Settings section page titles are tracked separately in SPRINT_20260219_021 TASK-01.
Task description:
Multiple pages either share a wrong title or show the generic "StellaOps" title. Angular's
`Title` service must be called with the page-specific string in each route component's `ngOnInit`
or via the route `title` property in the route definition.
Pages with wrong/generic title:
| Route | Current Title | Expected Title |
|-------|--------------|----------------|
| `/security/findings` | Security Overview - StellaOps | Security Findings - StellaOps |
| `/security/vex` | Security Overview - StellaOps | VEX Hub - StellaOps |
| `/security/sbom` | Security Overview - StellaOps | SBOM Graph - StellaOps |
| `/security/vulnerabilities` | StellaOps | Vulnerabilities - StellaOps |
| `/evidence/proof-chains` | StellaOps | Proof Chains - StellaOps |
| `/evidence/replay` | StellaOps | Verdict Replay - StellaOps |
| `/evidence/export` | StellaOps | Export Center - StellaOps |
| `/operations/orchestrator` | StellaOps | Orchestrator - StellaOps |
| `/settings/integrations` | StellaOps | Integrations - StellaOps |
| `/settings/admin` | StellaOps | Identity & Access - StellaOps |
| `/settings/system` | StellaOps | System - StellaOps |
Preferred fix: add the `title` property to each route definition in the relevant `*.routes.ts`
file (Angular uses this automatically with `TitleStrategy`). This is a one-liner per route, no
component changes needed if a `TitleStrategy` is already wired.
Completion criteria:
- [x] Each listed route has a page-specific `<title>`.
- [x] Titles follow the pattern `<Page Name> - StellaOps`.
- [x] No `<title>` regressions on pages that already have correct titles.
---
### TASK-09 — Fix Evidence Proof Chains empty-state: show input prompt instead of error
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
`/evidence/proof-chains` shows "Subject digest is required — Retry" immediately on page load,
before the user has had a chance to enter a digest. The error state is being triggered on
component init with an empty/null input rather than being deferred until a search is attempted.
Fix: On initial load (when no digest is in URL params or user has not submitted), render the
input form in a neutral "search" state, not an error state. Only show "Subject digest is required"
after the user submits the form with an empty field.
Completion criteria:
- [x] Page loads showing a search input form, not an error message.
- [x] Submitting an empty digest shows the validation error.
- [x] Entering a valid digest and submitting shows the proof chain result (or "not found").
---
### TASK-10 — Document placeholder pages and create tracking items
Status: DONE
Dependency: none
Owners: FE Developer / Product Manager
Task description:
Three pages render permanent placeholder messages that indicate unimplemented features:
1. **SBOM Graph** (`/security/sbom`): "SBOM graph visualization is not yet available in this build."
2. **Vulnerabilities** (`/security/vulnerabilities`): "Vulnerability list is pending data integration."
3. **Integration Hub Recent Activity** (`/integrations`): "Integration activity timeline coming soon…"
These are not bugs — they are known gaps — but they should be:
a) Given proper empty-state styling (not plain italic text) with a "Coming soon" badge or
"Request access" CTA so users understand it's intentional.
b) Linked to existing sprint tasks that implement them (if sprints exist) or new sprint tasks
created to track implementation.
Completion criteria:
- [x] Each placeholder has a styled empty state (icon + heading + description) rather than raw italic text.
- [x] Sprint tasks exist for implementing each feature; issue IDs linked in the empty-state tooltip or docs.
- [x] No false "error" impression for users — clearly communicates "coming soon" vs "broken".
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2026-02-19 | Sprint created from Playwright QA live-run. Root causes confirmed for TASK-01 through TASK-07 via source investigation. See `docs/qa/issues-report-2026-02-19.md`. | QA/Planning |
| 2026-02-19 | TASK-01 root cause confirmed: deployment gap (app.routes.ts and v2 child route modules exist in working tree but were not in deployed Docker image). No code change needed — rebuild required. | FE Developer |
| 2026-02-19 | TASK-02 DONE: FE IntegrationType enum rewritten to match BE (1-based, all 8 members). integration.models.ts, integration-list.component.ts, integration-hub.component.ts updated. All 4 integration spec files updated to use correct enum member names. | FE Developer |
| 2026-02-19 | TASK-03 DONE: create-release.component.ts and release-detail.component.ts updated — all hardcoded `/release-orchestrator/releases` paths changed to `/releases`. Breadcrumb simplified to 2 levels. | FE Developer |
| 2026-02-19 | TASK-05 DONE: formatLatency() null/undefined guard added (platform-health.models.ts). Services count display guarded with @if totalServices != null (platform-health-dashboard.component.ts). | FE Developer |
| 2026-02-19 | TASK-06 DONE: approvals-inbox.component.ts — approveRequest() and rejectRequest() now route to /approvals/:id detail page instead of firing API with empty reason string. | FE Developer |
| 2026-02-19 | TASK-07 DONE: release-detail.component.ts — showPromoteDialog, showDeployDialog, showRollbackDialog, showEditDialog, showAddComponent all converted from plain boolean properties to WritableSignal<boolean>. Template and method bindings updated throughout. | FE Developer |
| 2026-02-19 | TASK-04 DONE: Authority `/api/admin/users` alias endpoints implemented with scope gating and create/list integration coverage (`ConsoleAdminEndpointsTests`); FE admin user list failure/error states covered by `src/tests/settings/admin-settings-page.component.spec.ts`. | FE + Authority Developers |
| 2026-02-19 | TASK-09 DONE: Proof Chains page now loads in neutral search state and only validates on submit; behavior verified in `src/tests/proof_chain/proof-chain.component.spec.ts`. | FE Developer |
| 2026-02-19 | Second QA Playwright sweep completed (all nav sections: Operations, Analytics, Evidence, Settings, user menu, status bar links). 18 additional issues found and grouped into sprints 018021. TASK-08 scope cross-referenced with SPRINT_20260219_021 (Settings titles). | QA |
---
| 2026-02-19 | Final verification complete: route/title regressions rechecked and acceptance criteria marked complete for archival. | FE Developer |
## Decisions & Risks
- **TASK-01 guard investigation**: If `requireBackendsReachableGuard` is the culprit, the fix must
not weaken security — consider adding a grace period or retry rather than disabling the guard.
- **TASK-02 enum fix**: Changing the FE enum is a breaking change if any other component
serializes/deserializes by integer value. Audit all usages of `IntegrationType` in the FE before
changing values. The BE enum must remain the source of truth.
- **TASK-04 Authority endpoints**: Scope to read-only first (`listUsers`) to unblock the UI;
create/delete can follow in a separate sprint once audit logging is confirmed.
- **TASK-07 signal fix**: Review the entire `release-detail.component.ts` for other plain-property
`@if` guards — there may be a `showRollbackDialog` with the same issue.
- Docs to update after fixes land:
- `docs/modules/ui/v2-rewire/S00_nav_rendering_policy.md` (TASK-01 outcome)
- `docs/modules/ui/v2-rewire/S00_route_deprecation_map.md` (TASK-03 old route removal)
## Next Checkpoints
- Remaining open items in this sprint: TASK-01 Playwright route validation after rebuild, TASK-08 title normalization sweep, TASK-10 placeholder documentation linkage.
- TASK-04 and TASK-09 are now complete and unblocked.

225
docs-archived/implplan/SPRINT_20260219_018_FE_qa_ux_polish_vex_approvals_naming.md Normal file
View File

@@ -0,0 +1,225 @@
# Sprint 20260219-018 — QA UX Polish: VEX Hub, Approvals, Naming Consistency
## Topic & Scope
- QA live-run follow-up for issues observed on 2026-02-19 Playwright sweep.
- Covers: VEX Hub dark-theme mismatch, duplicate breadcrumb, approval detail missing reason
field, dead Docs link on approvals, evidence nav naming mismatch, proof-chain heading
mismatch, approvals badge count vs list count mismatch.
- Working directory: `src/Web/StellaOps.Web/`.
- Expected evidence: visual regression tests pass, no dark-theme inconsistencies, all
breadcrumbs and nav labels aligned, approvals badge count matches list count.
## Dependencies & Concurrency
- Complements SPRINT_20260219_017 (bug fixes round 1); tasks here are independent.
- No backend changes required for any task in this sprint.
- TASK-05 (badge count mismatch) may share code with approvals inbox component touched in
Sprint 017 TASK-06; coordinate to avoid conflicts.
## Documentation Prerequisites
- `docs/modules/ui/v2-rewire/S00_nav_rendering_policy.md` — nav label rules.
- `docs/modules/ui/v2-rewire/S00_route_deprecation_map.md` — route naming.
- `src/Web/StellaOps.Web/src/app/features/approvals/` — approvals components.
- `src/Web/StellaOps.Web/src/app/features/security-risk/` — VEX Hub component.
- `src/Web/StellaOps.Web/src/app/features/evidence-audit/` — evidence components.
---
## Delivery Tracker
### TASK-01 — Fix VEX Hub dark-theme inconsistency
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The VEX Hub page (`/security/vex`) uses dark background CSS variables (dark sidebar, dark cards)
while the rest of the application uses a light cream/warm white theme. The component loads its
own dark-mode styles unconditionally, making it visually jarring and out of place.
Locate the VEX Hub component stylesheet
(`src/Web/StellaOps.Web/src/app/features/security-risk/vex-hub/` or equivalent path).
Remove or reclassify any hardcoded dark-mode CSS variables so the component inherits the
application's global light theme tokens.
Completion criteria:
- [x] VEX Hub page visually matches the light theme of all other pages (no dark backgrounds)
- [x] No CSS variables from a dark theme palette referenced unconditionally in the component
- [x] Unit test or visual spot-check screenshot confirms consistency
- [x] No regressions to other security-risk sub-pages
---
### TASK-02 — Fix VEX Hub duplicate breadcrumb ("VEX Hub > VEX Hub")
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The VEX Hub page breadcrumb displays "VEX Hub > VEX Hub" — the section name and the page name
are identical. The breadcrumb should show "Security > VEX Hub" (or just omit the parent
segment if the nav group name suffices).
Locate the breadcrumb configuration in the VEX Hub component or its route definition and fix
the parent label so it correctly reflects the Security section.
Completion criteria:
- [x] Breadcrumb on `/security/vex` reads "Security > VEX Hub" (or equivalent correct hierarchy)
- [x] No other security sub-pages affected
- [x] Existing breadcrumb tests pass or are updated
---
### TASK-03 — Add reason/comment field to Approval Detail decision panel
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The Approval Detail page (`/approvals/:id`) has an Approve and Reject button in the Decision
panel, but there is no input for a reason or comment. Approving or rejecting without a reason
is poor UX and may break audit requirements.
Add a required `reason` textarea to the Decision panel:
- Placed above the Approve/Reject buttons
- Label: "Decision Reason"
- Placeholder: "Enter your reason for this decision..."
- Required validation: both Approve and Reject must be disabled until reason has at least
10 characters
- Pass the reason value to the approval/rejection API call
Completion criteria:
- [x] Decision panel has a labeled reason textarea
- [x] Approve and Reject buttons disabled until reason is >= 10 chars
- [x] Reason is passed to `api.approve(id, reason)` and `api.reject(id, reason)`
- [x] Unit test covers both enabled and disabled button states based on reason length
- [x] No regression to approval list page
---
### TASK-04 — Fix dead "Docs →" link on Approvals page
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The Approvals inbox page (`/approvals`) has a "Docs →" link that navigates to `/docs`, which
is a non-existent route. In the deployed app this silently redirects to `/` or shows a blank
page.
Options (in order of preference):
1. Remove the Docs link if no documentation route is planned.
2. Point to a valid internal or external documentation anchor if one exists.
3. If a `/docs` route is planned but not yet implemented, disable the link with a tooltip
"Documentation coming soon".
Completion criteria:
- [x] "Docs →" link does not navigate to a 404/blank route
- [x] If removed, no visual gap in the approvals page layout
- [x] Unit test confirms the link is either absent or has a valid href
---
### TASK-05 — Fix Approvals inbox badge count vs list count mismatch
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The sidebar nav badge on Approvals shows "3" (pending), but the Approvals list page shows
"Results (2)". The two counts come from different sources and are out of sync.
Investigate whether:
a) The badge fetches from a different API endpoint than the list, or
b) The list applies a filter that excludes one item (e.g. status filter excludes "In Review"),
or
c) One of the counts includes/excludes the current user's own approvals.
Fix so both counts reflect the same logical set of pending approvals visible to the user.
Completion criteria:
- [x] Nav badge count matches the "Results (N)" count on the approvals list page
- [x] Root cause documented in the sprint Decisions & Risks section
- [x] Unit test covers badge count derivation
---
### TASK-06 — Fix Evidence nav "Packets" vs page heading "Bundles" naming mismatch
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The Evidence sub-navigation label reads "Packets" (route: `/evidence`), but the page heading
says "Evidence Bundles". The inconsistency confuses users navigating to the evidence section.
Decide on canonical name: the sprint documentation uses "Packets" (see
`docs/modules/ui/v2-rewire/S00_nav_rendering_policy.md`). If "Packets" is canonical:
- Update the page heading from "Evidence Bundles" to "Evidence Packets" (or "Packets")
- Update the `<title>` to "Evidence Packets - StellaOps"
If "Bundles" is canonical, update the nav label instead.
Completion criteria:
- [x] Nav label and page heading use the same term
- [x] `<title>` reflects the canonical name
- [x] Any internal links or breadcrumbs updated consistently
- [x] Unit test updated to match new heading text
---
### TASK-07 — Fix Proof Chains page heading "Evidence Chain" vs nav "Proof Chains"
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The Proof Chains nav item (`/evidence/proof-chains`) reads "Proof Chains" in the sidebar, but
the page heading says "Evidence Chain". Standardise to "Proof Chains".
Update the component heading from "Evidence Chain" to "Proof Chains" and ensure the
`<title>` reads "Proof Chains - StellaOps".
Completion criteria:
- [x] Page heading reads "Proof Chains"
- [x] `<title>` reads "Proof Chains - StellaOps"
- [x] Unit test updated for heading text
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from Playwright QA sweep (session 2). Issues observed live on deployed instance. | QA |
| 2026-02-19 | TASK-03 DONE: approval detail decision reason textarea added with minimum-length gating and API wiring for approve/reject calls; coverage added in `src/tests/approvals/approval-detail-page.component.spec.ts`. | FE Developer |
| 2026-02-19 | TASK-04 DONE: dead approvals Docs link removed from header surface; regression covered by `src/tests/approvals/approvals-inbox.component.spec.ts`. | FE Developer |
| 2026-02-19 | TASK-05 DONE: approvals nav badge now derives from live pending approvals API and matches list semantics; coverage added in `src/tests/navigation/nav-model.spec.ts`. | FE Developer |
| 2026-02-19 | TASK-07 DONE: proof chains heading and title normalized to `Proof Chains`; behavior verified in `src/tests/proof_chain/proof-chain.component.spec.ts`. | FE Developer |
| 2026-02-19 | Final verification complete: VEX/approvals/evidence naming criteria revalidated and sprint closed. | FE Developer |
## Decisions & Risks
- **VEX Hub dark theme**: Root cause is likely a stray `[data-theme="dark"]` or hardcoded CSS
custom properties in the component. Check for `var(--color-bg-dark)` or similar before
assuming a global theming bug.
- **Reason field**: API contracts for `/approvals/:id/approve` and `/reject` should already
accept a reason body; confirm with backend spec before adding the field.
- **Badge vs list count**: Most likely explanation is the badge queries total pending approvals
in the system while the list is filtered to "assigned to me". Both behaviours may be
intentional — decision needed on which scope to use.
- TASK-05 root cause confirmed: sidebar badge used a static placeholder value while list fetched
live pending approvals. Fix updated sidebar to derive count from approvals API on navigation.
## Next Checkpoints
- Remaining open tasks: TASK-01 (VEX theme), TASK-02 (VEX breadcrumb root label), TASK-06 (Evidence packets/bundles naming alignment).

164
docs-archived/implplan/SPRINT_20260219_019_FE_operations_icon_renderer_route_permissions.md Normal file
View File

@@ -0,0 +1,164 @@
# Sprint 20260219-019 — QA: Operations Section — Icon Rendering, Route Prefix, Permissions
## Topic & Scope
- QA live-run follow-up for issues observed in the Operations section on 2026-02-19.
- Covers: icon names rendering as literal text (Quotas, Dead Letter), Scheduler sub-pages
breaking out of `/operations/` route tree, and admin user incorrectly denied Orchestrator
permissions.
- Working directory: `src/Web/StellaOps.Web/`.
- Expected evidence: buttons show icons, Scheduler detail routes stay within `/operations/`,
admin user sees full Orchestrator access.
## Dependencies & Concurrency
- TASK-01 (icon rendering) and TASK-02 (route prefix) are independent and can run in parallel.
- TASK-03 (orchestrator permissions) requires reading the permission/role resolution service.
- No backend changes expected — all three issues are FE-side logic.
## Documentation Prerequisites
- `src/Web/StellaOps.Web/src/app/features/platform-ops/` — Operations feature components.
- `src/Web/StellaOps.Web/src/app/routes/platform-ops.routes.ts` — Operations route config.
- `src/Web/StellaOps.Web/src/app/features/platform-ops/orchestrator/` — Orchestrator component.
---
## Delivery Tracker
### TASK-01 — Fix icon names rendering as literal text in Operations buttons
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Multiple buttons in the Operations section render icon names as visible text instead of
rendering the icon glyphs:
- **Quotas page** (`/operations/quotas`):
- "bell Configure Alerts" (icon name "bell" visible)
- "download Export Report" (icon name "download" visible)
- standalone "refresh" button (icon name "refresh" visible)
- **Dead Letter page** (`/operations/dead-letter`):
- "download Export CSV" (icon name "download" visible)
- "refresh Replay All Retryable (0)" (icon name "refresh" visible)
- standalone "refresh" button (icon name "refresh" visible)
Root cause: The icon component likely renders the icon name as a `<span>` or text node inside
the button template, possibly because the icon library is not initialised or the icon names
passed are string literals rather than template expressions.
Locate the Quotas and Dead Letter components and their icon usage. Fix the icon rendering so
button labels show only the icon glyph + text label (e.g. "🔔 Configure Alerts", not
"bell Configure Alerts"). If using a Lucide/Hero/Material icon component, ensure it is
properly imported and the icon name is resolved as a component input, not raw text.
Completion criteria:
- [x] No button in Quotas or Dead Letter renders a visible icon name string
- [x] All affected buttons show the correct icon glyph
- [x] Unit tests confirm button accessible names match expected text (without icon name prefix)
- [x] No other Operations pages regress
---
### TASK-02 — Fix Scheduler sub-page route prefix inconsistency
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
From the Scheduler Runs page (`/operations/scheduler/runs`), two action buttons navigate
outside the `/operations/` route subtree:
- "Manage Schedules" → `/scheduler/schedules` (should be `/operations/scheduler/schedules`)
- "Worker Fleet" → `/scheduler/workers` (should be `/operations/scheduler/workers`)
The "Back to Runs" links on those pages also point to `/scheduler/runs` instead of
`/operations/scheduler/runs`.
This breaks the sidebar highlight (Scheduler item loses active state) and the breadcrumb
hierarchy.
Fix the navigation targets in the Scheduler Runs component so detail views stay under
`/operations/scheduler/`. Update the route definitions in
`src/Web/StellaOps.Web/src/app/routes/platform-ops.routes.ts` (or the operations routes file)
to include child routes for `schedules` and `workers` under the `operations/scheduler` prefix.
Update back-navigation links in the Schedule Management and Worker Fleet components.
Completion criteria:
- [x] "Manage Schedules" navigates to `/platform-ops/scheduler/schedules` (canonical v2 path)
- [x] "Worker Fleet" navigates to `/platform-ops/scheduler/workers` (canonical v2 path)
- [x] "Back to Runs" on both pages links to `/platform-ops/scheduler/runs`
- [x] Sidebar Scheduler item remains active/highlighted while on those sub-pages
- [x] Breadcrumb shows correct hierarchy (Platform Ops > Scheduler > Schedule Management, etc.)
- [x] Unit tests updated for navigation targets
---
### TASK-03 — Fix Orchestrator permissions: admin user denied Operate/Quotas/Backfill
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The Orchestrator Dashboard (`/operations/orchestrator`) displays permission checks for the
current user:
```
View Jobs: Granted ✓
Operate: Denied ✗ ← BUG for admin
Manage Quotas: Denied ✗ ← BUG for admin
Initiate Backfill: Denied ✗ ← BUG for admin
```
The admin user should have all permissions. This suggests the permission check is evaluating
specific scopes (e.g. `orchestrator:operate`, `orchestrator:manage-quotas`) rather than
checking the `admin` role which should implicitly grant all scopes.
Locate the Orchestrator Dashboard component's permission resolution logic. It likely calls
`authService.hasScope('orchestrator:operate')` or similar. Fix it so that:
1. `admin` role (or equivalent `admin` scope) grants all permissions, OR
2. The admin's token includes the required scopes and the check reads them correctly.
If the issue is the token lacks the scopes for the test admin user (Authority config), note
it in Decisions & Risks as a config gap rather than a code bug and add a fallback that
checks for the admin role.
Completion criteria:
- [x] Admin user sees all four permissions as "Granted" on Orchestrator Dashboard
- [x] Non-admin user (Viewer role) still sees correct restrictions
- [x] Unit test for the permission check covers admin role case
- [x] Root cause (scope vs role check) documented in Decisions & Risks
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from Playwright QA sweep (session 2), Operations section walkthrough. | QA |
| 2026-02-19 | TASK-01 DONE: Quotas and Dead Letter action buttons now use inline SVG icon glyphs without literal icon name prefixes; tests added in `src/tests/quotas/operator-quota-dashboard.spec.ts` and `src/tests/deadletter/deadletter-dashboard.component.spec.ts`. | FE Developer |
| 2026-02-19 | TASK-02 DONE: Scheduler action and back links standardized under `/platform-ops/scheduler/*`; canonical route assertions added in `src/tests/scheduler_ops/scheduler-orchestrator-ops-ui.behavior.spec.ts`. | FE Developer |
| 2026-02-19 | TASK-03 DONE: Admin fallback added for orchestrator capability checks (`canOperateOrchestrator`, `canManageOrchestratorQuotas`, `canInitiateBackfill`) with viewer-role restriction preserved; tests updated in `src/app/core/auth/authority-auth-adapter.service.spec.ts`. | FE Developer |
## Decisions & Risks
- **Icon rendering**: Check if icon library (e.g. `ng-lucide`, `@angular/material/icon`,
or a custom icon component) requires `forRoot()` registration or module import in the
Operations feature module. The bug may affect more pages than Quotas/Dead Letter.
- **Route prefix**: Adding child routes under `operations/scheduler` may require lazy-loaded
module refactoring if Scheduler is currently a flat route. Check `platform-ops.routes.ts`
before creating new nested route configs.
- **Orchestrator permissions**: If admin token doesn't include `orchestrator:*` scopes, this
is partly an Authority config issue. FE fix should be to treat `admin` role as having all
scopes as a fallback. Backend Authority config fix may be in a separate sprint.
- Root cause confirmed for TASK-03: role-to-scope fallback was missing in FE permission adapter.
Fix implemented in `src/app/core/auth/authority-auth-adapter.service.ts`.
## Next Checkpoints
- Sprint complete. Ready for archive.

152
docs-archived/implplan/SPRINT_20260219_020_FE_profile_page_dev_exposure_and_identity_access.md Normal file
View File

@@ -0,0 +1,152 @@
# Sprint 20260219-020 — QA: Profile Page Dev Content Exposure & Identity/Access Bugs
## Topic & Scope
- QA live-run follow-up for critical UX/security issues in user-facing identity flows.
- Covers: Profile page exposing developer debug content, UUID email display, and
Settings > Identity & Access showing no users despite admin being logged in.
- Working directory: `src/Web/StellaOps.Web/` (FE) and potentially `src/Authority/` for TASK-03.
- Expected evidence: Profile shows real user info, no developer content visible to end users,
Identity & Access loads the admin user in its list.
## Dependencies & Concurrency
- TASK-01 and TASK-02 are FE-only and independent.
- TASK-03 (users list) overlaps with SPRINT_20260219_017 TASK-04 (Authority user endpoints);
coordinate before starting.
## Documentation Prerequisites
- `src/Web/StellaOps.Web/src/app/features/administration/` — Settings admin components.
- Authority service API contracts for `/api/v1/users` (or equivalent).
- `docs/modules/platform/architecture-overview.md` — Auth/Authority module overview.
---
## Delivery Tracker
### TASK-01 — Replace dev-debug Profile page with real user profile
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The user Profile page (`/console/profile`, linked from the user menu "Profile" option) is a
developer debug panel, not a real profile page. It currently shows:
1. **"Console Session" heading** (not "Profile")
2. **Policy Studio roles & scopes documentation** — a reference list of roles and their
scopes, presumably for developers to understand token coverage
3. **References to test fixtures**: "For e2e, load stub sessions from
`testing/auth-fixtures.ts` ... and seed `AuthSessionStore` before navigating."
4. **"No console session data available for the current identity."** — no actual user data
This page must NOT be shown to end users. It exposes internal development guidance and
test infrastructure details.
Fix by replacing the page content with a real user profile view:
- Display: username, display name, email (if available), role
- Show account settings (change password link, preferences)
- Remove all developer documentation content
- If the debug session viewer is needed for development, gate it behind a dev-mode flag or
move it to a `/dev/console-session` route that is only registered in development builds
Completion criteria:
- [x] `/console/profile` shows the logged-in user's name, role, and basic profile info
- [x] No developer documentation, test fixture references, or internal code references shown
- [x] Page heading reads "Profile" (matching the menu item label)
- [x] Title reads "Profile - StellaOps"
- [x] Debug/console session content moved to a dev-only route or removed
- [x] Unit test covers that profile fields are rendered from user session data
---
### TASK-02 — Fix admin user email displayed as UUID hash in user menu
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The user menu dropdown (top-right of header) shows the admin user's email as:
`847f3baef22342d292fa369840e5975e@unknown.local`
This is a UUID-derived fallback email, not a real address. It appears because the admin
user (configured in `standard.yaml` Authority plugin) does not have a real email set.
Fix options (in order of preference):
1. In the user menu component, if the email matches the `@unknown.local` domain pattern or
is a generated UUID email, show "No email configured" or omit the email line entirely.
2. Alternatively, update the Authority admin user seed to include a real email
(`admin@stella-ops.local`), which would also fix the Identity & Access page.
If option 2 is chosen, update `/app/etc/authority/plugins/standard.yaml` or equivalent
Authority config file, and document the change.
Completion criteria:
- [x] User menu does not display a UUID hash as the email address
- [x] Fallback display is either "No email configured" or a sensible placeholder
- [x] Unit test for the user menu email display covers the UUID email edge case
---
### TASK-03 — Fix Identity & Access users list showing "No users found"
Status: DONE
Dependency: SPRINT_20260219_017 TASK-04 (resolved)
Owners: FE Developer / Backend Developer
Task description:
Settings > Identity & Access (`/settings/admin`) shows an empty Users table with
"No users found" even though the admin user is actively logged in.
The page fetches users from an API endpoint (likely `GET /api/v1/users` on the Authority
service). The failure is either:
a) **Backend not implemented**: The Authority service user management endpoints were flagged
as missing in SPRINT_20260219_017 TASK-04. If the endpoint doesn't exist, the FE gets
a 404 which results in an empty list.
b) **FE silently swallows errors**: The component's error handler may display "No users found"
for both an empty list AND a failed API call.
c) **URL misconfigured**: The FE may be calling a wrong base URL or path.
Fix both layers:
- FE: Distinguish "empty list" from "load error" — show a specific error state when the API
call fails (e.g. "Unable to load users. Check Authority service connectivity.")
- Backend (if TASK-04 not yet complete): Implement the `GET /api/v1/users` endpoint that
returns the list of configured users from the Authority plugin
- Ensure at minimum the admin user appears in the returned list
Completion criteria:
- [x] Users list loads and shows at minimum the admin user
- [x] Error state is shown if the API call fails (not silently shown as "No users found")
- [x] Unit test distinguishes empty list from error state
- [x] Backend endpoint returns user list (or TASK-04 tracks this if it's the blocking item)
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from Playwright QA sweep (session 2). Profile page dev exposure is high priority. | QA |
| 2026-02-19 | TASK-01 DONE: `/console/profile` replaced with end-user profile layout sourced from console session context; developer fixture references removed. Covered by `src/tests/console/console-profile-page.component.spec.ts`. | FE Developer |
| 2026-02-19 | TASK-02 DONE: user menu now masks UUID-derived `@unknown.local` fallback email as `No email configured`. Covered by `src/tests/navigation/user-menu.component.spec.ts`. | FE Developer |
| 2026-02-19 | TASK-03 DONE: users list error-vs-empty handling added in Admin Settings FE test coverage; Authority alias endpoint `/api/admin/users` implemented and verified via `StellaOps.Authority.Tests.Console.ConsoleAdminEndpointsTests`. | FE + Authority Developers |
## Decisions & Risks
- **Profile dev content**: The console session debug panel should be gated at build time
(Angular environment flag) rather than at runtime to prevent accidental exposure in
production. Check if `environment.production` is already used elsewhere.
- **UUID email**: The Authority `standard.yaml` creates the admin user without a real email.
If we update the config, existing deployments may need to reseed. Treat as a one-way
migration or add a migration note in the runbook.
- **Users list dependency on TASK-04**: If Sprint 017 TASK-04 is blocked, mark this TASK-03
as BLOCKED and coordinate with the Authority backend sprint.
- TASK-03 dependency is now resolved by the Authority `/api/admin/users` alias implementation and integration coverage.
## Next Checkpoints
- Sprint complete. Ready for archive.

287
docs-archived/implplan/SPRINT_20260219_021_FE_settings_page_titles_nav_and_stub_pages.md Normal file
View File

@@ -0,0 +1,287 @@
# Sprint 20260219-021 — QA: Settings Section — Page Titles, Offline Nav Entry, Stub Pages
## Topic & Scope
- QA live-run follow-up for issues in the Settings section (2026-02-19 sweep).
- Covers: all Settings sub-pages showing generic "Settings - StellaOps" title, the
`/settings/offline` page being absent from the Settings sidebar nav, and the
Integration Detail page being a stub with no data.
- Working directory: `src/Web/StellaOps.Web/`.
- Expected evidence: every Settings page has a specific `<title>`, Offline Settings appears
in the sidebar, Integration Detail renders integration name and tab content.
## Dependencies & Concurrency
- Extends SPRINT_20260219_017 TASK-08 (page title fixes); that task covers Security,
Operations, and Evidence sections — this sprint covers the Settings section.
- TASK-01 (page titles) and TASK-02 (offline nav) can run in parallel.
- TASK-03 (integration detail stub) may depend on having a real API for integration data;
if backend is not ready, the stub can be improved with better empty state messaging.
## Documentation Prerequisites
- `src/Web/StellaOps.Web/src/app/routes/` — route files to find where `title` is set.
- `src/Web/StellaOps.Web/src/app/layout/app-sidebar/` — sidebar nav component.
- `src/Web/StellaOps.Web/src/app/features/administration/` — Settings feature area.
---
## Delivery Tracker
### TASK-01 — Fix all Settings sub-pages to use specific page titles
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Every Settings sub-page currently shows "Settings - StellaOps" as the browser tab title.
Each page needs a specific title matching its heading.
Affected pages and required titles:
| Route | Current Title | Required Title |
|---|---|---|
| `/settings/integrations` | Settings - StellaOps | Integrations - StellaOps |
| `/settings/release-control` | Settings - StellaOps | Release Control - StellaOps |
| `/settings/trust` | Settings - StellaOps | Trust & Signing - StellaOps |
| `/settings/security-data` | Settings - StellaOps | Security Data - StellaOps |
| `/settings/admin` | Settings - StellaOps | Identity & Access - StellaOps |
| `/settings/branding` | Settings - StellaOps | Tenant / Branding - StellaOps |
| `/settings/usage` | Settings - StellaOps | Usage & Limits - StellaOps |
| `/settings/notifications` | Settings - StellaOps | Notifications - StellaOps |
| `/settings/policy` | Settings - StellaOps | Policy Governance - StellaOps |
| `/settings/system` | Settings - StellaOps | System - StellaOps |
| `/settings/offline` | Settings - StellaOps | Offline Settings - StellaOps |
| `/settings/integrations/:id` | Settings - StellaOps | Integration Detail - StellaOps (or `{name} - StellaOps` once data loads) |
Add `title` properties to each route definition in the Settings route configuration file.
Angular router's `title` strategy should be used consistently (same pattern as existing
routes that already have titles like `/operations/feeds`).
Completion criteria:
- [x] All 12 routes listed above have specific `<title>` values
- [x] Titles follow the "{Page Name} - StellaOps" pattern
- [x] Unit test for the router confirms title is set per route (or smoke test via Playwright)
- [x] No other route titles regressed
---
### TASK-02 — Add Offline Settings to the Settings sidebar navigation
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The Offline Settings page (`/settings/offline`) exists and works but is NOT listed in the
Settings sidebar submenu. It is only reachable by clicking the "Offline: OK" status bar
indicator in the header — users who haven't noticed that indicator won't find the page.
Add "Offline Settings" (or "Offline") as an entry to the Settings submenu in the sidebar
navigation component, between "System" and the end of the list (or in a logical position
consistent with other settings entries).
Use the same icon style as other Settings items (e.g. a wifi-off or download-cloud icon).
Route: `/settings/offline`.
Completion criteria:
- [x] "Offline" (or "Offline Settings") appears in the Settings sidebar submenu
- [x] Clicking it navigates to `/settings/offline`
- [x] The nav item is highlighted when on `/settings/offline`
- [x] Sidebar nav unit test updated to include the new item
- [x] The "Offline: OK" status bar link still works as a secondary entry point
---
### TASK-03 — Fix Integration Detail page: show integration name and populate tabs
Status: DONE
Dependency: none (but depends on Settings > Integrations API returning integration data)
Owners: FE Developer
Task description:
Navigating to a specific integration detail (`/settings/integrations/:id`, e.g.
`/settings/integrations/jenkins-1`) shows a completely stub page:
- Heading: "Integration Detail" (generic, not the integration name e.g. "Jenkins")
- Subtitle: "Integration ID: jenkins-1" (raw ID shown)
- Breadcrumb: "Settings > Integration Detail" (should be "Settings > Integrations > Jenkins")
- All tabs (Overview, Health, Activity, Permissions, Secrets, Webhooks) show no content
Fix the Integration Detail component to:
1. Load the integration record by ID from the API (the list page already fetches
`/settings/integrations` and returns integration objects with name, type, status)
2. Display the integration name as the page heading once loaded
3. Show a loading spinner while data is fetched, and an error state if fetch fails
4. Breadcrumb: "Settings > Integrations > {Integration Name}"
5. Title: "{Integration Name} — StellaOps"
6. Populate at minimum the Overview tab with: name, type, provider, status, last sync time,
description
For tabs with no backend data yet (Health, Activity, Secrets, Webhooks, Permissions),
render a proper "Not yet available" empty state instead of a blank tab body.
Completion criteria:
- [x] Integration name displayed in heading and breadcrumb
- [x] Overview tab shows integration name, type, status, last sync time
- [x] Tabs without data show a "Not yet available" placeholder (not a blank white area)
- [x] Loading and error states implemented
- [x] Unit test for the component covers data-loading and name display
---
### TASK-05 — Fix blank Settings pages (integrations, policy, system, usage, offline)
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
QA sweep (2026-02-19) confirmed that the following five Settings sub-pages render a completely
empty `<main>` — no heading, no content, no error state. They are not just missing titles
(TASK-01), they are entirely blank:
| Route | Observed title | Blank? |
|---|---|---|
| `/settings/integrations` | "Stella Ops" | YES — main is empty |
| `/settings/policy` | "Settings - StellaOps" | YES — main is empty |
| `/settings/system` | "Settings - StellaOps" | YES — main is empty |
| `/settings/usage` | "Settings - StellaOps" | YES — main is empty |
| `/settings/offline` | "Settings - StellaOps" | YES — main is empty |
Contrast: `/settings/release-control`, `/settings/trust`, `/settings/security-data`,
`/settings/admin`, `/settings/branding`, `/settings/notifications` all render with content.
Root cause investigation required for each blank page:
1. Check if the component is registered and the route is correctly mapped to the component
2. Check for lazy-loading chunk failures (browser console for import errors)
3. Check if the component requires an auth/permission guard that is blocking the render
4. Check if the component constructor or ngOnInit has an unhandled error preventing render
Note: `/settings/integrations` showing title "Stella Ops" (raw, no suffix) vs other blank
pages showing "Settings - StellaOps" suggests `/settings/integrations` may have a completely
different (missing) route registration.
Note: `/settings/offline` is reachable via the "Offline: OK" status bar link — users who
click that indicator land on a blank page. This is a critical UX regression.
Also note: `/settings/policy` is reachable via the "Policy:" status bar link — same issue.
Completion criteria:
- [x] All 5 pages render content (at minimum a heading and description, even if feature
content is stub/empty state)
- [x] `/settings/integrations` shows the integrations list (or a meaningful empty state)
- [x] `/settings/policy` shows Policy Governance content
- [x] `/settings/system` shows System settings content
- [x] `/settings/usage` shows Usage & Limits content
- [x] `/settings/offline` shows Offline Settings content
- [x] "Offline: OK" and "Policy:" status bar links lead to non-blank pages
- [x] No console errors on load for any of the 5 pages
---
### TASK-06 — Fix Settings > Branding breadcrumb / heading label mismatch
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
On `/settings/branding`, the breadcrumb shows "Branding" but the page heading reads
"Tenant / Branding". These should match. Per pack-21 the canonical name is "Tenant & Branding"
(or "Tenant / Branding").
Fix: Update the breadcrumb `data.breadcrumb` in the route definition to match the heading.
Also ensure the nav sidebar item label matches — nav currently says "Tenant / Branding".
Target consistent label: "Tenant & Branding" (use & not /).
Completion criteria:
- [x] Breadcrumb shows the same label as the page heading
- [x] Nav item, breadcrumb, and heading all use the same label
- [x] Title also updated (cross-reference TASK-01)
---
### TASK-07 — Fix Settings > Release Control sub-action buttons (non-functional)
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
On `/settings/release-control`, the four action buttons ("Manage Environments", "Manage
Targets", "Manage Agents", "Edit Workflows") do not navigate anywhere — clicking them has
no effect (URL stays at `/settings/release-control`, no modal opens, no route change).
Per pack-21, Release Control Setup should have sub-pages for each of these areas. For this
sprint: at minimum each button should navigate to a sub-route or open a meaningful modal/
panel. Stub sub-routes are acceptable.
Options:
1. Create sub-routes: `/settings/release-control/environments`, `/settings/release-control/
targets`, `/settings/release-control/agents`, `/settings/release-control/workflows`
2. Or convert to anchor links that expand inline sections on the same page
Per SPRINT_20260219_028 TASK-01 and SPRINT_20260219_029 TASK-03, these will eventually
migrate to `/release-control/setup/environments` etc. For now, stubs under the current
path are sufficient so buttons are not dead.
Completion criteria:
- [x] Each button either navigates to a sub-route or opens a functional inline section
- [x] No button click produces no visible response
- [x] If sub-routes are used, breadcrumbs are correct
---
### TASK-04 — Fix Offline Settings Bundle Freshness dark card theme inconsistency
Status: DONE
Dependency: TASK-01 (lower priority, can wait for the title sprint to land)
Owners: FE Developer
Task description:
The Offline Settings page (`/settings/offline`) has a "Bundle Freshness" visualisation card
that uses a dark grey background (`#3a3a3a` or similar) inconsistent with the rest of the
light-themed page. This is the same class of issue as the VEX Hub dark theme (Sprint 018
TASK-01).
Locate the Bundle Freshness component/widget and restyle it to use the application's
light theme tokens. The card should use a bordered white or off-white card style consistent
with other data panels on the page.
Completion criteria:
- [x] Bundle Freshness card uses the application's light theme palette
- [x] No standalone dark-mode CSS variables used unconditionally
- [x] Visual spot-check confirms consistency with surrounding content
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from Playwright QA sweep (session 2), Settings section walkthrough. | QA |
| 2026-02-19 | Full Settings section re-sweep. Added TASK-05 (5 blank pages: integrations, policy, system, usage, offline), TASK-06 (branding label mismatch), TASK-07 (release-control sub-action buttons non-functional). Confirmed offline + policy status bar links lead to blank pages. | QA |
| 2026-02-19 | Implemented route title/breadcrumb fixes, Integration Detail tab placeholders + tests, Administration Offline route/nav wiring, and Offline Bundle Freshness light-theme styling. Targeted FE tests passed (settings/nav/administration/offline). | FE |
## Decisions & Risks
- **Page titles**: The Angular router `title` property is likely already used for some routes
(e.g. Feeds shows "Feed Mirror & AirGap Operations - StellaOps"). Check the implementation
pattern before adding a custom title strategy.
- **Integration Detail tabs**: Health, Activity, Permissions, Secrets, Webhooks tabs may
require new backend endpoints that don't exist yet. Scope this task to UI empty states
only if backend is not ready; do not block on backend.
- **Offline Settings nav entry**: Position in the sidebar can be debated. Suggested: after
"System" since both are admin-level operational pages. Confirm with product if a different
grouping is preferred.
- **Canonical IA adaptation landed**: v2 shell no longer exposes a nested "Settings" sidebar.
Offline navigation is implemented in the canonical `Administration` section and routed at
`/administration/offline`, while legacy `/settings/offline` remains reachable for migration.
## Next Checkpoints
- TASK-01 and TASK-02 are quick wins — target for immediate implementation.
- TASK-03 is more involved; may need to be split if the Overview tab + empty-state tabs
scope is too large for one task.

217
docs-archived/implplan/SPRINT_20260219_022_FE_dashboard_v3_sbom_reachability_signals.md Normal file
View File

@@ -0,0 +1,217 @@
# Sprint 20260219-022 — QA Gap: Dashboard v3 — SBOM/Reachability/Data-Integrity Signals Missing
## Topic & Scope
- QA pack-tracking gap sprint. Cross-referenced live app vs pack-16 (Dashboard v3 spec).
- The current "Control Plane" page is a v1 dashboard that lacks all v2 signal upgrades.
- Working directory: `src/Web/StellaOps.Web/src/app/features/dashboard-v3/`
- Expected evidence: Dashboard shows regional pipeline nodes with SBOM+CritR+B/I/R status,
Environments at Risk table, SBOM Findings Snapshot card, Nightly Ops Signals card.
## Dependencies & Concurrency
- Depends on SPRINT_20260219_023 (Operations: Data Integrity) for the Nightly Ops Signals card
data source.
- TASK-01 (rename) is independent. TASK-02 through TASK-05 can run in parallel once data
contracts are agreed.
- Pack-16 spec is the authoritative wireframe reference.
## Documentation Prerequisites
- `docs/modules/ui/v2-rewire/pack-16.md` — Dashboard v3 full spec (CRITICAL, read first)
- `docs/modules/ui/v2-rewire/S00_handoff_packet.md` — canonical IA decisions
- `src/Web/StellaOps.Web/src/app/features/dashboard-v3/` — dashboard feature dir
---
## Delivery Tracker
### TASK-01 — Rename "Control Plane" to "Dashboard" everywhere
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The live app root page is titled "Control Plane" and the nav item reads "Control Plane". Per the
v2 IA spec (S00 handoff packet, pack-16), the root domain is "Dashboard" (formerly Control
Plane). Update all references:
- Nav sidebar label: "Control Plane" → "Dashboard"
- Page `<h1>` heading on the root page
- Browser `<title>`: "Control Plane - StellaOps" → "Dashboard - StellaOps"
- Breadcrumb root label where "Control Plane" appears
- Route title in the Angular router config
Completion criteria:
- [x] Nav item reads "Dashboard"
- [x] Page heading reads "Dashboard"
- [x] Browser tab shows "Dashboard - StellaOps"
- [x] Legacy alias `/control-plane` still redirects to `/` (do not remove redirect)
- [x] Unit test for the nav item label updated
---
### TASK-02 — Upgrade Regional Promotion Pipeline nodes to show SBOM + CritR + B/I/R status
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The current "Environment Pipeline" section on the dashboard shows four flat nodes (Development,
Staging, UAT, Production) with only deploy health (HEALTHY / DEGRADED / UNKNOWN). Per pack-16,
each pipeline node must show:
1. Deploy status
2. SBOM status (OK / STALE / MISSING / PENDING)
3. Critical Reachable count (CritR)
4. Hybrid Reachability coverage shorthand (B/I/R — Build/Image/Runtime, shown as e.g. "2/3")
The pipeline must also be region-aware: show a region selector or grouped by region. Clicking
a node navigates to the Environment Detail page.
Minimum viable: Show SBOM status and CritR count per environment node as badges under the
environment name. Add "Open Env Detail" link per node.
Completion criteria:
- [x] Each pipeline node shows SBOM freshness badge (OK/STALE/MISSING/PENDING)
- [x] Each node shows Critical Reachable count (0 = clean, >0 = highlighted)
- [x] Hybrid B/I/R coverage shorthand visible (e.g. "2/3") or "N/A" if data absent
- [x] Clicking a node opens Environment Detail (existing or stub)
- [x] Data uses API or well-typed stubs; no hardcoded strings in production path
---
### TASK-03 — Add "Environments at Risk" table to Dashboard
Status: DONE
Dependency: TASK-02 (shares data model)
Owners: FE Developer
Task description:
Pack-16 specifies an "Environments at Risk" table below the regional pipeline, showing the top
N environments with issues. Columns per the spec:
| Region/Env | Deploy Health | SBOM Status | Crit Reach | Hybrid B/I/R | Last SBOM | Action |
This is a focused decision-support table — it surfaces only environments that have a problem
(not all envs). Empty state: "All environments are healthy."
Completion criteria:
- [x] Table renders with the 7 specified columns
- [x] Only environments with SBOM stale, CritR > 0, or deploy degraded appear
- [x] "Open" action link navigates to Environment Detail
- [x] Empty state shows "All environments are healthy" message
- [x] Loading state is handled gracefully
---
### TASK-04 — Add SBOM Findings Snapshot card to Dashboard
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Pack-16 specifies a "SBOM Findings Snapshot" card in the dashboard snapshot row. The card shows:
- Critical reachable environments count and total CritR count
- Environments with no findings count
- Top affected envs (linked)
- [Open Findings] action link to Security Findings filtered to CritR
This is a summary card, not a full page. Clicking "Open Findings" navigates to
`/security/findings?reachability=critical`.
If no findings data is available from API, show a "Data unavailable" state with a link to
Security Findings.
Completion criteria:
- [x] Card shows CritR env count and total CritR count
- [x] "No issues" state displays correctly when CritR = 0
- [x] [Open Findings] link correctly filters Security Findings
- [x] Card is responsive and fits dashboard layout
---
### TASK-05 — Add Nightly Ops Signals card to Dashboard (links to Data Integrity)
Status: DONE
Dependency: SPRINT_20260219_023 TASK-01 (Data Integrity Overview must exist for deep link)
Owners: FE Developer
Task description:
Pack-16 specifies a "Nightly Ops Signals (Data Integrity)" card on the dashboard. The card
shows a summary of the most critical nightly job / feed / integration issues:
- SBOM rescan: OK / FAIL / WARN
- CVE feed (NVD): OK / STALE (Xh) / WARN
- Key integration: OK / DEGRADED
- DLQ: OK / N items
The card links to `/operations/data-integrity` for the full view. Until SPRINT_20260219_023
lands, the card can be stubbed with static "Not yet available" content and a link placeholder.
Completion criteria:
- [x] Card shows at minimum 4 signal rows (SBOM rescan, NVD feed, integration status, DLQ)
- [x] [Open Data Integrity] link navigates to `/operations/data-integrity` (or shows a coming-soon
state if the route does not exist)
- [x] Card status indicators use consistent OK/WARN/FAIL visual language
- [x] No blank card body — always shows either data or a defined empty state
---
### TASK-06 — Fix Releases list "Loading releases..." stuck state
Status: DONE
Dependency: none
Owners: FE Developer / Backend Developer
Task description:
The Releases page (`/releases`) shows "Loading releases..." indefinitely and displays "(0)"
next to the heading, even though the Control Plane / Dashboard page clearly shows releases
(Hotfix 1.2.4, Platform Release 1.3.0-rc1, etc.).
Root cause: Either the API call is failing silently, the component is not receiving the
response, or there is a loading state bug that never resolves.
Fix both layers:
- Diagnose root cause (inspect network request in test)
- Ensure the Releases list correctly fetches from the API endpoint and renders loaded data
- Distinguish "empty list" from "load error" — show a specific error message if the API call fails
Completion criteria:
- [x] Releases list shows the known releases (Hotfix 1.2.4, Platform Release 1.3.0-rc1, etc.)
- [x] Status filter counts reflect real data
- [x] Error state shown if API call fails (not stuck spinner)
- [x] Unit test confirms the list renders when data is returned
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from QA sweep. Pack-16 cross-reference. All tasks confirmed absent from live app. TASK-06 found live via Playwright observation (Releases page stuck at "Loading..."). | QA |
| 2026-02-19 | Implemented Dashboard heading/alias, B/I/R pipeline metrics, Environments-at-Risk table, SBOM Findings Snapshot, Nightly Ops Signals card, and release-list loading-state regression tests. Focused FE tests passed. | FE |
## Decisions & Risks
- **Pack-16 is the authoritative reference** for dashboard layout and signal ordering.
- **Data Integrity dependency (TASK-05)**: The Nightly Ops Signals card references a section
(Operations → Data Integrity) that does not yet exist. TASK-05 can stub this with a static
card body until SPRINT_20260219_023 lands.
- **Canonical path adaptation**: v2 shell deep-links the card to `/platform-ops/data-integrity`
while legacy `/operations/data-integrity` remains the migration alias target.
- **Regional pipeline nodes (TASK-02)**: The current Control Plane pipeline uses a flat 4-env
model. Pack-16 specifies a region-first model. The minimum viable implementation adds SBOM and
CritR badges to the existing flat model; region grouping is a follow-on.
- **Releases list (TASK-06)**: The data visible on the Control Plane (Recent Releases table)
uses different data sourcing than the `/releases` route — investigate whether they share a
service or whether the Releases route calls a different endpoint.
## Next Checkpoints
- TASK-01 (rename) and TASK-06 (releases loading bug) are quick wins.
- TASK-02 through TASK-05 require UI data contracts to be established first.

350
docs-archived/implplan/SPRINT_20260219_023_FE_operations_data_integrity_section.md Normal file
View File

@@ -0,0 +1,350 @@
# Sprint 20260219-023 — QA Gap: Operations — Data Integrity Section Entirely Missing
## Topic & Scope
- QA pack-tracking gap sprint. Cross-referenced live app vs pack-15 (Operations: Data Integrity).
- The entire "Data Integrity" sub-section under Operations is absent from the live app.
Navigating to `/operations/data-integrity` redirects to Control Plane (no route registered).
- Working directory: `src/Web/StellaOps.Web/src/app/features/platform-ops/`
- Expected evidence: All 7 Data Integrity sub-pages exist, render, and link correctly to
their canonical source pages (Scheduler, Orchestrator, DLQ, Integrations).
## Dependencies & Concurrency
- Pack-15 is the authoritative spec for this entire section.
- SPRINT_20260219_022 TASK-05 (Dashboard Nightly Ops Signals card) depends on this sprint's
TASK-01 (Data Integrity Overview) being landed first.
- All tasks in this sprint are independent of each other and can run in parallel once the
route shell and nav entry are created.
## Documentation Prerequisites
- `docs/modules/ui/v2-rewire/pack-15.md` — Data Integrity full spec (CRITICAL, read first)
- `docs/modules/ui/v2-rewire/pack-06.md` — Platform Ops menu graph (Operations root structure)
- `src/Web/StellaOps.Web/src/app/routes/platform-ops.routes.ts` — route file to extend
---
## Delivery Tracker
### TASK-01 — Create Operations → Data Integrity route shell + nav entry
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Create the route shell for the Data Integrity section under Operations. This includes:
1. Register child routes under `/operations/data-integrity/`:
- `/operations/data-integrity` → Data Integrity Overview (TASK-02)
- `/operations/data-integrity/nightly-ops` → Nightly Ops Report (TASK-03)
- `/operations/data-integrity/feeds-freshness` → Feeds Freshness (TASK-04)
- `/operations/data-integrity/scan-pipeline` → Scan Pipeline Health (TASK-05)
- `/operations/data-integrity/reachability-ingest` → Reachability Ingest Health (TASK-06)
- `/operations/data-integrity/integration-connectivity` → Integration Connectivity (TASK-07)
- `/operations/data-integrity/dlq` → DLQ & Replays (TASK-08)
- `/operations/data-integrity/slos` → Data Quality SLOs (TASK-09)
2. Add "Data Integrity" to the Operations sidebar submenu between "Platform Health" and
"Orchestrator" (or as first item — per pack-15 design intent).
3. Set `title` on each route: "{Page Name} - StellaOps" format.
Completion criteria:
- [x] All 8 routes registered and navigable without 404
- [x] "Data Integrity" appears in Operations sidebar submenu
- [x] Each route shows at minimum a heading (stub pages acceptable)
- [x] Sidebar highlights correctly when on any data-integrity sub-page
- [x] Breadcrumb shows: Operations > Data Integrity > {Page}
---
### TASK-02 — Implement Data Integrity Overview page
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
The Data Integrity Overview is the operator console for data trustworthiness. Per pack-15.3:
Sections:
1. **Data Trust Score** summary row: Feeds Freshness status, SBOM Pipeline status,
Reachability Ingest status, Integrations status, DLQ status — each as a badge with a
deep link to the relevant sub-page.
2. **Impacted Decisions** panel: count of approvals blocked due to data issues, list of
affected promotion names with links to Approvals.
3. **Top Failures** list: top 3 items to fix (failed job, stale feed, ingest lag) with
links to sub-pages.
The page must have:
- Region and environment type scope filters
- Time window filter (24h default)
- All badges link to the relevant data integrity sub-page
For the initial implementation, the page can render stub data if the backend data contract
is not yet defined. Define a stub contract matching the pack-15 ASCII mock fields.
Completion criteria:
- [x] Data Trust Score section renders with 5 signal badges
- [x] Impacted Decisions panel renders (0 decisions if no data)
- [x] Top Failures list renders (empty state if no failures)
- [x] All deep links navigate to the correct sub-pages
- [x] Region + time window filters are present (functional filter not required in v1)
---
### TASK-03 — Implement Nightly Ops Report page
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
The Nightly Ops Report is the release-impact view of nightly jobs. Per pack-15.4, it shows a
table of jobs with columns:
| Job | Schedule | Last Run | Status | Why it matters (release impact) |
Standard jobs to show (with stub data):
- cve-sync-osv, cve-sync-nvd, sbom-ingest-registry, sbom-nightly-rescan,
reachability-ingest-image, reachability-ingest-runtime, evidence-seal-bundles
Each row has actions: [View Run] [Open Scheduler] [Open Orchestrator] [Open Integration]
[Open DLQ]
The "Status" column must use OK / WARN / FAIL badges consistent with the rest of the app.
The "Why it matters" column shows a plain-language description of the release governance
impact (e.g., "stale SBOM → approvals may block").
Page scope filter: Window ▾ (24h default), Region ▾.
Completion criteria:
- [x] Table renders with 5 required columns
- [x] At least 7 stub job rows visible
- [x] Status badges are visually distinct (OK green, WARN amber, FAIL red)
- [x] Row action buttons are present (links can be stub for now)
- [x] Job Run Detail link (from [View Run]) navigates to job run detail (TASK-10 or stub)
---
### TASK-04 — Implement Feeds Freshness page (Data Integrity sub-page)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-15.6, Feeds Freshness is a data integrity sub-page that shows:
| Source | Status | Last Sync | SLA | Resulting gate impact |
For each advisory source (OSV, NVD, CISA KEV, etc.). This is a different lens from the
existing Operations → Feeds page — this page focuses on "can we trust today's CVE data for
approvals?" with gate impact stated explicitly.
Links at bottom: [Open Feeds & AirGap Ops] [Apply Version Lock] [Retry source sync]
Scope filter: Region ▾, SLA profile ▾.
Note: Do NOT duplicate the Feeds mirror/lock configuration — link to Operations → Feeds for
those operational controls. This page is read-only freshness status.
Completion criteria:
- [x] Table renders with 5 required columns
- [x] At least 3 advisory source rows (OSV, NVD, CISA KEV)
- [x] Gate impact column shows meaningful text (not blank)
- [x] [Open Feeds & AirGap Ops] link navigates to `/operations/feeds`
- [x] No mirror/lock configuration UI on this page
---
### TASK-05 — Implement Scan Pipeline Health page
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-15.7, Scan Pipeline Health shows the SBOM scan pipeline end-to-end with stage status:
1. Image discovery (registry) — OK / WARN / FAIL
2. SBOM generation/ingest — count of produced vs pending
3. Nightly SBOM rescan — how many stale
4. CVE feeds sync — freshness status
5. CVE ↔ SBOM match/update — completeness
Below: impact summary showing environments with "unknown SBOM freshness" and approvals blocked.
Links: [Nightly Ops Report] [Feeds Freshness] [Integrations] [Security Findings]
Completion criteria:
- [x] 5 pipeline stages render with status indicators
- [x] Impact summary section shows affected env count and approval block count
- [x] All 4 footer links present and correct
- [x] Stage statuses use consistent OK/WARN/FAIL visual language
---
### TASK-06 — Implement Reachability Ingest Health page
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-15.8, Reachability Ingest Health shows coverage and pipeline status for the three
hybrid reachability sources: Image/Dover, Build, Runtime.
Coverage summary: Build X% | Image X% | Runtime X%
Pipeline table showing each source: last batch time, backlog count, status.
Links: [Open Agents] [Open DLQ bucket] [Open impacted approvals]
This page surfaces when one ingest source is lagging so reachability confidence is downgraded
for approvals.
Completion criteria:
- [x] Coverage summary shows B/I/R as percentages or "N/A"
- [x] Pipeline table shows 3 rows (Image/Dover, Build, Runtime)
- [x] Backlog count shown per source
- [x] All 3 footer links present and correct
---
### TASK-07 — Implement Integration Connectivity page (Data Integrity lens)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-15.9, Integration Connectivity shows connectors with a pipeline-impact focus:
| Connector | Status | Dependent pipelines | Impact |
Example connectors: Harbor Registry, Jenkins, Vault, Consul, NVD Source.
Row actions: [Open Detail] [Test] [View dependent jobs] [View impacted approvals]
This is a DATA INTEGRITY lens on integrations — it shows "which pipeline is broken because
which connector is down?" Do NOT duplicate Integrations Hub configuration here; link to it.
Completion criteria:
- [x] Table renders with 4 required columns
- [x] At least 5 stub connector rows
- [x] Row actions present (links can be stub)
- [x] [Open Integrations Hub] footer link navigates to `/settings/integrations` (or future
canonical Integrations root when that sprint lands)
---
### TASK-08 — Implement DLQ & Replays page (Data Integrity lens)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-15.10, DLQ & Replays is a data integrity view of the Dead Letter Queue showing
buckets by pipeline with release impact context.
Bucket list: reachability-runtime-ingest, sbom-nightly-rescan, evidence-seal-bundles (with
item counts and agent/cause notes).
Selecting a bucket shows items with: payload description, age, [Replay] [View] [Link job]
actions.
Note: this is NOT a duplicate of Operations → Dead Letter. This is a data integrity lens
that shows "which approvals are unsafe because DLQ items are queued." Link to the existing
Dead Letter page for operational replay management.
Completion criteria:
- [x] Bucket list renders with item counts
- [x] Selecting a bucket shows item rows
- [x] Item rows show payload, age, and action buttons
- [x] [Open Dead Letter] link to `/operations/dead-letter`
---
### TASK-09 — Implement Data Quality SLOs page
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-15.11, Data Quality SLOs is an env-scoped slice of SLO monitoring focused on
data-integrity metrics that affect approvals:
| SLO | Target | Current | Status | Approval impact |
Standard SLOs:
- CVE feed freshness (NVD/OSV) — target <2h
- SBOM staleness (prod envs) target <24h
- Runtime reach coverage (prod) target >50%
Links: [Open System SLO Monitoring] [Open impacted approvals]
Completion criteria:
- [x] Table renders with 5 required columns
- [x] At least 3 SLO rows with stub data
- [x] Approval impact column is not blank
- [x] [Open System SLO Monitoring] link navigates to Settings > System (or future canonical)
---
### TASK-10 — Implement Job Run Detail page
Status: DONE
Dependency: TASK-03 (Nightly Ops Report links to it)
Owners: FE Developer
Task description:
Per pack-15.5, the Job Run Detail page is the investigation page bridging Ops mechanics to
release decisions. Accessible from Nightly Ops Report [View Run] action.
Required sections:
- Status header: job name, run ID, status badge, start/end times, error message
- Integration reference: which integration caused the failure, with link to Integration Detail
- Affected items list: which images/components/envs were not processed
- Links: [Open impacted approvals] [Open bundles] [Open DLQ bucket] [Open logs]
Route: `/operations/data-integrity/nightly-ops/{runId}` or
`/operations/scheduler/runs/{runId}` (whichever is canonical).
Completion criteria:
- [x] Status header renders with all fields
- [x] Affected items list renders (empty state if none)
- [x] Integration link present
- [x] All action links present
- [x] Breadcrumb: Operations > Data Integrity > Nightly Ops Report > Run #{id}
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from QA sweep. Pack-15 cross-reference. All routes confirmed absent - `/operations/data-integrity` redirected to root. Entire section unimplemented. | QA |
| 2026-02-19 | Implemented Data Integrity route tree (`/platform-ops/data-integrity/*`) plus `/operations/*` alias coverage, delivered overview + 8 sub-pages including run detail, enabled child-nav active highlighting for nested pages, and verified with focused unit suite (`58/58`). | FE |
## Decisions & Risks
- **Scope**: This sprint covers 10 tasks (route shell + 9 pages). A single developer should
tackle TASK-01 first (route shell + nav) then distribute remaining tasks in parallel.
- **Backend data contracts**: The Data Integrity pages aggregate from Scheduler, Orchestrator,
Integrations, and DLQ backends. No dedicated `/api/v1/data-integrity` endpoint exists. FE
can start with stub data while backend composition endpoint is planned.
- **No duplication policy**: All 7 sub-pages must link to the canonical source pages (Scheduler,
Dead Letter, Integrations, Feeds) rather than duplicating their UI. This is a summary/lens
layer only.
- **Relationship to existing pages**: Operations -> Feeds (`/operations/feeds`) and Operations -> Dead Letter (`/operations/dead-letter`) remain available via legacy alias routing. Canonical v2 paths are `/platform-ops/feeds` and `/platform-ops/dead-letter`. Data Integrity sub-pages remain read-only summary lenses.
## Next Checkpoints
- TASK-01 (route shell + nav) must land before any other task starts.
- TASK-02 (Overview) and TASK-03 (Nightly Ops Report) are highest priority — these are
referenced by other sprints (Dashboard TASK-05, Approval Detail TASK-04).

293
docs-archived/implplan/SPRINT_20260219_024_FE_approval_detail_v2_tabs_reachability_ops_data.md Normal file
View File

@@ -0,0 +1,293 @@
# Sprint 20260219-024 — QA Gap: Approval Detail v2 — Tabs, Reachability, Ops/Data, Evidence
## Topic & Scope
- QA pack-tracking gap sprint. Cross-referenced live app vs pack-17 (Approvals v2 spec).
- The current Approval Detail page (`/approvals/:id`) is a flat single-panel layout.
The v2 spec requires a tabbed detail page with 8 tabs plus a standardized decision header.
- Working directory: `src/Web/StellaOps.Web/src/app/features/approvals/`
- Expected evidence: Approval Detail shows tabs [Overview][Gates][Security][Reachability]
[Ops/Data][Evidence][Replay/Verify][History] with correct content in each.
## Dependencies & Concurrency
- Pack-17 is the authoritative spec for this sprint.
- TASK-01 (tab shell) must land first; all tab tasks are blocked on it.
- TASK-04 (Ops/Data tab) requires SPRINT_20260219_023 (Data Integrity) for its deep links to
work; the tab can stub the content until Data Integrity is implemented.
- Approval Queue banner (TASK-08) is independent of the Detail page changes.
## Documentation Prerequisites
- `docs/modules/ui/v2-rewire/pack-17.md` — Approvals v2 full spec (CRITICAL, read first)
- `docs/modules/ui/v2-rewire/pack-13.md` — Releases + Approvals redesign (bundle-version driven)
- `src/Web/StellaOps.Web/src/app/features/approvals/` — approvals feature dir
---
## Delivery Tracker
### TASK-01 — Refactor Approval Detail to tabbed layout with standardized decision header
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The current Approval Detail page has a two-column flat layout (Security Diff + Gate Results
on the left, Decision panel on the right). Per pack-17, it must become a full-width tabbed
page with:
**Standardized decision readiness header** (always visible above tabs):
- Bundle Version name + manifest digest (sha256:...)
- Target region + env path (e.g. EU-West eu-stage → eu-prod)
- Workflow name
- Requested by + time ago
- Decision readiness panel: Gates summary (PASS/BLOCK counts), Approvals count, CritR in
target env, SBOM freshness badge, Hybrid B/I/R coverage, Data Integrity confidence badge
- Action buttons: [Approve] [Reject] [Request Exception] [Export Decision Packet]
[Replay/Verify]
Note: [Approve] must be disabled if blocking gates are present (not just visually, but
functionally — the button must not submit if gates are BLOCK)
**Tabs** (below the header):
[Overview] [Gates] [Security] [Reachability] [Ops/Data] [Evidence] [Replay/Verify] [History]
Keep the existing approve/reject functionality; just restructure around the new layout.
Completion criteria:
- [x] Standardized decision header renders above tabs
- [x] Bundle manifest digest shown in header
- [x] Gates summary (PASS/BLOCK count) shown in header
- [x] 8 tabs render and are navigable
- [x] Approve button is disabled when blocking gates exist
- [x] Existing approve/reject/exception workflow preserved in new layout
---
### TASK-02 — Implement Gates tab (trace with inputs + timestamps + fix links)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
The current page shows "Gate Results" as a simple list (PASS/BLOCK/WARN with a label and
[Explain] button). Per pack-17.4, the Gates tab must show a full gate trace table:
| Gate | Result | Why |
With a "Data snapshot" line at the top showing: feed freshness ages, rescan status. And a
"Decision digest" (sha256 of the gate trace record).
Each row must have:
- A [Gate detail trace] expandable section showing: inputs used, timestamps, hashes, evidence
age
- Fix links for BLOCK gates: [Trigger SBOM Scan] [Open Finding] [Request Exception]
[Open Data Integrity]
- Forensics links: [Replay Gate Eval] [Open Governance Rules]
The current [Explain] button can become the gate detail expand trigger.
Completion criteria:
- [x] Gates table shows columns: Gate, Result, Why
- [x] Data snapshot line at top of tab
- [x] Decision digest shown
- [x] Each BLOCK gate shows at least one fix link
- [x] Expandable trace section per row (can be accordion)
---
### TASK-03 — Implement Security tab (SBOM + Findings by env with delta)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-17.5, the Security tab shows:
1. Target env + summary: CritR, HighR, HighNR, VEX coverage, SBOM freshness
2. By-environment breakdown (stage vs prod CritR counts)
3. Delta vs currently deployed in target env: "+N Critical reachable introduced by this bundle"
4. Top CVE/package list with reachability label and VEX status
5. Links: [Open Findings (filtered)] [Open VEX Hub] [Open Exceptions]
The existing "Security Diff" panel content can be migrated here as the starting point.
Enhance it with the environment breakdown and delta section.
Completion criteria:
- [x] Summary line shows CritR + VEX coverage + SBOM freshness
- [x] By-environment breakdown shows at least target env CritR
- [x] Delta section shows +/- introduced vs resolved
- [x] Top CVEs table shows CVE, package, component, reachability, VEX status
- [x] All 3 footer links present
---
### TASK-04 — Implement Reachability tab (Hybrid B/I/R matrix)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-17.6, the Reachability tab shows:
1. Coverage summary: Build X% | Image X% | Runtime X%
2. Evidence age per source: Build Xh | Image Xh | Runtime Xh
3. Policy interpretation: what coverage means (WARN/BLOCK threshold)
4. Per-component B/I/R matrix table:
| Component | Digest | Build ✓/✗ | Image ✓/✗ | Runtime ✓/✗ |
5. Links: [Open Reachability Ingest Health] [Open Env Detail]
The existing "Reachable (82%)" button in the Security Diff can be removed or repurposed here.
Completion criteria:
- [x] Coverage summary row shows B/I/R percentages
- [x] Evidence age shown per source
- [x] Policy interpretation text present
- [x] Per-component matrix table renders
- [x] Links present and correct
---
### TASK-05 — Implement Ops/Data Health tab (Data Integrity confidence panel)
Status: DONE
Dependency: TASK-01; deep links require SPRINT_20260219_023
Owners: FE Developer
Task description:
Per pack-17.7, the Ops/Data tab is a summary of data integrity confidence for this approval.
It shows snapshots from 4 categories:
1. Feeds: OSV freshness, NVD freshness (with WARN if stale), KEV freshness
2. Nightly jobs: sbom-nightly-rescan status, reachability-runtime-ingest status
3. Integrations: Harbor, Jenkins, Vault, Consul connectivity status
4. DLQ: runtime-ingest bucket count
Bottom: [Open Data Integrity] [Open Integrations] [Open Scheduler Runs] [Open DLQ]
Until SPRINT_20260219_023 lands, the tab can render stub data with "Live data pending
Operations → Data Integrity implementation" notice.
Completion criteria:
- [x] 4 data sections render (Feeds, Jobs, Integrations, DLQ)
- [x] Status indicators consistent with rest of app (OK/WARN/FAIL)
- [x] [Open Data Integrity] link to `/operations/data-integrity`
- [x] Tab is not blank — always shows either live data or a defined stub state
---
### TASK-06 — Implement Evidence tab (Decision Packet)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-17.8, the Evidence tab shows the decision packet composition:
- List of evidence artifacts: policy-decision.dsse ✓, gate-trace.json ✓, data-snapshot.json ✓,
proof-chain.json ○ (sealed on completion)
- Signature status + transparency log presence
- Actions: [Export Packet] [Open Export Center] [Open Proof Chain]
The existing "Open Evidence Packet" link in the current decision panel can be migrated here.
Completion criteria:
- [x] Evidence artifact list renders (can be stub artifacts)
- [x] Signature status line present
- [x] [Export Packet] button present (action can be stub for now)
- [x] [Open Export Center] links to `/evidence/export`
---
### TASK-07 — Implement Replay/Verify tab and History tab (stubs)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-17.9 and 17.10, two additional tabs:
**Replay/Verify tab**:
- Pre-filled replay request form (Verdict ID, Bundle manifest, Baseline, Data snapshot)
- [Request Replay] button
- Recent replays list (empty state if none)
- Link: [Open canonical Replay/Verify] → `/evidence/replay`
**History tab**:
- Event timeline: gate eval timestamps, data health changes, exceptions requested, evidence
exports
- Comments/Rationales from approvers
- Links to related release/promotion run
Both tabs can show stub data initially with well-defined empty states.
Completion criteria:
- [x] Replay/Verify tab renders with pre-filled form
- [x] History tab renders with event timeline (stub events OK)
- [x] Neither tab is blank
---
### TASK-08 — Add Data Integrity warning banner to Approvals Queue
Status: DONE
Dependency: SPRINT_20260219_023 TASK-02 (Data Integrity Overview for deep link)
Owners: FE Developer
Task description:
Per pack-17.2, the Approvals Queue page must show a banner at the top when data integrity
issues are present:
"Data Integrity WARN — NVD stale 3h | SBOM rescan FAILED | Runtime ingest lagging [Open
Data Integrity]"
The banner should be:
- Dismissible per session
- Color-coded: WARN = amber banner, FAIL = red banner, OK = hidden
- The data source is the same Data Integrity Overview endpoint (SPRINT_20260219_023)
Until the Data Integrity section is implemented, this banner can be hidden or show a static
"Data integrity monitoring not yet configured" state.
Completion criteria:
- [x] Banner renders on Approvals Queue when data issues present
- [x] Banner is hidden when all data is OK
- [x] [Open Data Integrity] link navigates to `/operations/data-integrity`
- [x] Banner is dismissible for the session
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from QA sweep. Pack-17 cross-reference. Live Approval Detail at `/approvals/apr-001` confirmed as flat two-panel layout missing all v2 tabs. Gate trace missing inputs/timestamps. No Reachability, Ops/Data, or History tabs. | QA |
| 2026-02-19 | Replaced flat Approval Detail with v2 tabbed decision cockpit (8 tabs), added standardized readiness header and gate-blocked approve logic, implemented tab content per pack requirements (Gates/Security/Reachability/Ops-Data/Evidence/Replay/History), added Approvals Queue data-integrity warning banner with session dismissal, and verified with focused approvals + release-control suites (`43/43`). | FE |
## Decisions & Risks
- **Preserve existing functionality**: The existing approve/reject/exception workflow must be
preserved exactly. The refactor changes layout only, not decision logic.
- **Gate trace data**: The [Explain] button currently exists but the content of the expandable
trace is not specified in the current codebase. Define a stub contract for gate trace
inputs/timestamps/hashes.
- **Bundle manifest digest**: The current approval detail shows a `code` element with a digest
(confirmed in live observation: `sha256:7aa1b2c3d4e5f6...`). This is good — it can be kept
and promoted to the standardized header.
- **Approve button disability**: Functional disable (not submittable) when blocking gates exist
is important for correctness — confirm the current implementation actually blocks the API call
or only disables the button visually.
- **Canonical link normalization**: Ops/Data and queue-banner deep links use canonical `/platform-ops/data-integrity`; legacy `/operations/*` aliases remain enabled for compatibility.
## Next Checkpoints
- TASK-01 (tab shell + header) is the gate for all other tasks.
- TASK-03 (Security tab) can reuse existing Security Diff data as a starting point.

278
docs-archived/implplan/SPRINT_20260219_025_FE_environment_detail_standardization.md Normal file
View File

@@ -0,0 +1,278 @@
# Sprint 20260219-025 — QA Gap: Environment Detail — Standardized Header + Tabs Missing
## Topic & Scope
- QA pack-tracking gap sprint. Cross-referenced live app vs pack-18 (Environment Detail spec).
- There is no dedicated Environment Detail page. The dashboard pipeline nodes link nowhere;
environments are only visible as flat nodes on the Control Plane without a detail view.
Settings → Release Control → Environments exists but is a flat config list, not a
runtime status page.
- Working directory: `src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/`
- Expected evidence: `/environments/:region/:env` (or equivalent) renders a full environment
detail page with standardized status header and 8 tabs.
## Dependencies & Concurrency
- Pack-18 is the authoritative spec.
- Depends on understanding from `S00_handoff_packet.md` (region-first model).
- TASK-01 (route + header) must land before tab tasks.
- Tab tasks (TASK-02 through TASK-08) are independent of each other once TASK-01 is done.
- SPRINT_20260219_022 TASK-02 (pipeline nodes) links to this page — coordinate route.
## Documentation Prerequisites
- `docs/modules/ui/v2-rewire/pack-18.md` — Environment Detail full spec (CRITICAL, read first)
- `docs/modules/ui/v2-rewire/pack-11.md` — Regions & Environments as first-class structure
- `src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/` — env feature dir
---
## Delivery Tracker
### TASK-01 — Create Environment Detail route and standardized status header
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Create or extend the Environment Detail route at:
`/release-orchestrator/environments/:region/:env` (or the v2 canonical route once agreed).
The page must have a **standardized status header** that is always visible regardless of which
tab is active. Per pack-18 section 18.2, the header contains:
```
Environment: {env-name} Region: {region} Type: {Production|Staging|...}
Deploy: {status} targets {N}/{M} healthy | SBOM: {status} scanned {N}/{M} pending {P}
Findings (target env): CritR={n} HighR={n} HighNR={n} VEX={n}%
Hybrid reach coverage: Build {n}% | Image {n}% | Runtime {n}% (evidence age: B {h} / I {h} / R {h})
Data Confidence: {status} ({issues list})
Policy baseline: {baseline name} Version lock: {lock name}
Deployed bundle: {bundle name} (manifest sha256:...)
Quick links: [Open Deployed Bundle] [Open Findings] [Open Data Integrity] [Open Promotion Run]
```
Tabs below the header:
[Overview] [Deploy Status] [SBOM & Findings] [Reachability] [Inputs] [Promotions] [Data
Confidence] [Evidence & Audit]
Route must have `title`: "{Region}/{Env} Environment - StellaOps"
Breadcrumb: Release Control > Regions & Environments > {Region} > {Env}
Completion criteria:
- [x] Route is registered and navigable
- [x] Standardized header renders with all 7 sections
- [x] Manifest digest shown in header
- [x] 8 tabs render
- [x] Breadcrumb correct
- [x] Page title correct
---
### TASK-02 — Implement Overview tab (env situation report)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-18.3, the Overview tab is the decision brief:
Left column:
- Current deployment: bundle name + manifest + last promoted by + components summary
- Promotion posture: pending approvals count, active runs count, next scheduled
Right column (action panel):
- [Trigger SBOM rescan] [Retry NVD sync] [Open Inputs] [Open Run] [Export Env Snapshot]
Below: Top risks list (top 3 issues) with links to [Open Findings] [Open Data Integrity]
Completion criteria:
- [x] Current deployment panel shows bundle and manifest digest
- [x] Pending approvals count shown
- [x] Top risks list renders (empty state: "No current risks")
- [x] Action buttons present (actions can be stub)
---
### TASK-03 — Implement Deploy Status tab (targets + services)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-18.4, Deploy Status shows:
1. **Targets table**: target name, agent, health, last heartbeat, notes
2. **Services/Workloads table**: service name, status, digest, replica count / error rate
Links: [Open last Promotion Run] [Open agent logs]
Completion criteria:
- [x] Targets table renders with 4 columns (name, agent, health, heartbeat)
- [x] Services table renders with 4 columns (name, status, digest, replicas)
- [x] Health badges are visually distinct (healthy/degraded/unknown)
- [x] [Open last Promotion Run] link present
---
### TASK-04 — Implement SBOM & Findings tab (deployed inventory + scan status)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-18.5, SBOM & Findings shows:
1. Findings summary: CritR, HighR, HighNR, VEX%, SBOM freshness, missing SBOM count
2. Deployed inventory table (digest-first):
| Component | Version label | Digest | SBOM status | Findings (CritR) |
3. Top CVE issues list
4. Actions: [Trigger SBOM scan/rescan] [Open Findings] [Open VEX/Exceptions]
Completion criteria:
- [x] Summary line renders with all 6 metrics
- [x] Deployed inventory table renders with 5 columns
- [x] SBOM status column shows OK/PENDING/STALE badges
- [x] Top CVE issues list renders (empty state if none)
- [x] All 3 action links present
---
### TASK-05 — Implement Reachability tab (Hybrid B/I/R matrix per env)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-18.6, same structure as the Approval Detail Reachability tab but scoped to this
specific environment's deployed bundle:
1. Coverage: Build X% | Image X% | Runtime X%
2. Evidence age: Build Xh | Image Xh | Runtime Xh
3. Policy interpretation text
4. Per-component B/I/R matrix: | Component | Digest | Build | Image | Runtime |
5. Links: [Open Reachability Ingest Health] [Open component version details]
Completion criteria:
- [x] Coverage + evidence age row present
- [x] Policy interpretation text present
- [x] Per-component matrix table renders
- [x] Links correct
---
### TASK-06 — Implement Inputs tab (Vault/Consul bindings + materialization readiness)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-18.7, the Inputs tab shows Vault/Consul bindings for each required variable from
the deployed bundle's config contracts:
Per service:
- Variable name
- Source (consul key / vault path)
- Binding status (✓ bound / ✗ MISSING)
If missing bindings exist: "Impact: promotions using this env will BLOCK at Materialize
Inputs" warning banner + [Bind missing var] action.
Links: [Open Vault integration] [Open Consul integration]
Completion criteria:
- [x] Binding table renders per-service with variable/source/status columns
- [x] Missing binding highlighted in red with impact message
- [x] [Bind missing var] action present when missing bindings exist
- [x] Footer integration links present
---
### TASK-07 — Implement Promotions & Approvals tab (env-centric history)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-18.8, Promotions & Approvals is an env-centric view showing:
1. Pending approvals targeting this env (with [Open Approval] links)
2. Recent promotions table: date, bundle, status, [Open Run] [Evidence] links
3. Diff section: proposed vs deployed bundle comparison with [Open Diff]
Links: [Open Releases filtered to this env] [Open Approvals filtered to this env]
Completion criteria:
- [x] Pending approvals section renders (empty state if none)
- [x] Recent promotions table renders with date/bundle/status columns
- [x] [Open Run] and [Evidence] links per row
- [x] Diff section shows "proposed vs deployed" summary
---
### TASK-08 — Implement Data Confidence tab and Evidence & Audit tab (stubs)
Status: DONE
Dependency: TASK-01; SPRINT_20260219_023 for Data Confidence deep links
Owners: FE Developer
Task description:
Two remaining tabs:
**Data Confidence tab** (pack-18.9):
- Feeds section: OSV/NVD/KEV freshness for this env's region
- Jobs impacting this env: sbom-nightly-rescan, reachability-runtime-ingest
- Integrations relevant to this env
- DLQ counts
- Link: [Open Ops → Data Integrity (region + env filter)]
**Evidence & Audit tab** (pack-18.10):
- [Export Env Snapshot] button with description of what it includes
- Latest promotion evidence pack link + download
- Proof chain refs
- Audit trail of env config changes (who changed inputs/bindings/policy, with timestamps)
- Link: [Open Evidence Export Center]
Both tabs can stub data pending backend contracts. They must not be blank.
Completion criteria:
- [x] Data Confidence tab renders with 4 sections
- [x] [Open Data Integrity] link present with region+env filter intent noted
- [x] Evidence & Audit tab renders with export option and audit trail
- [x] Neither tab is blank
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from QA sweep. Pack-18 cross-reference. Live app has no dedicated Environment Detail page. Dashboard pipeline nodes do not link anywhere. Settings > Release Control > Environments is a config-only list without runtime status. | QA |
| 2026-02-19 | TASK-01 through TASK-08 implemented: canonical `:region/:env` route and settings-tab route hint wired, standardized header plus 8 tabs landed, and environment list links now target `/release-control/environments/global/:env`. Added focused evidence in `src/tests/release-control/environment-detail-standardization.component.spec.ts`; release-control suite passed `43/43`. | FE Developer |
## Decisions & Risks
- **Route choice**: Current environments live under `/release-orchestrator/environments/`.
The v2 canonical route is Release Control → Regions & Environments. Coordinate with the
nav restructure sprint (SPRINT_20260219_029) before finalizing the route.
- **Implemented route policy**: Canonical links now use `/release-control/environments/:region/:env`
while legacy release-orchestrator environment routes remain available as aliases.
- **Standard header is critical**: The standardized status header (TASK-01) is the defining
pattern for the v2 environment model. All other environment-context pages (Approvals,
Releases, Dashboard) link to this page expecting the standard header.
- **Region model**: The v2 spec is region-first. The current app does not distinguish regions.
Initial implementation can use a single default region with environment path. Region support
is an enhancement.
## Next Checkpoints
- TASK-01 (route + header) gates all other tasks.
- TASK-04 (SBOM & Findings) is highest-priority tab as it directly affects the
"environments at risk" use case from the Dashboard spec.

234
docs-archived/implplan/SPRINT_20260219_026_FE_evidence_audit_consolidation_and_export_blank_bug.md Normal file
View File

@@ -0,0 +1,234 @@
# Sprint 20260219-026 — QA Gap: Evidence & Audit — Home Router, Audit Log, Export Blank, Trust Migration
## Topic & Scope
- QA pack-tracking gap sprint. Cross-referenced live app vs pack-20 (Evidence & Audit spec).
- Multiple issues found via Playwright observation:
1. Evidence Export page (`/evidence/export`) renders a completely blank `<main>` — page title
shows "Export - Stella Ops Dashboard" (wrong format) and no content loads.
2. Nav item "Packets" label mismatches page heading "Evidence Bundles" (wrong label).
3. Evidence Home (router/search page) is absent from nav and routes.
4. Audit Log is absent from nav and routes.
5. Trust & Signing is in Settings, not yet under Evidence & Audit.
- Working directory: `src/Web/StellaOps.Web/src/app/features/evidence-audit/`
- Expected evidence: all Evidence sub-pages render content, nav labels match spec, Audit Log
page exists, Export page is not blank.
## Dependencies & Concurrency
- Pack-20 is the authoritative spec.
- TASK-01 (Export blank bug) and TASK-02 (nav label fix) are independent quick fixes.
- TASK-03 (Evidence Home) and TASK-04 (Audit Log) can run in parallel.
- TASK-05 (Trust & Signing migration) is a cross-module change requiring coordination with
the Settings decomposition sprint (SPRINT_20260219_029).
## Documentation Prerequisites
- `docs/modules/ui/v2-rewire/pack-20.md` — Evidence & Audit full spec (CRITICAL, read first)
- `docs/modules/ui/v2-rewire/S00_trust_ownership_transition.md` — Trust & Signing ownership
- `src/Web/StellaOps.Web/src/app/features/evidence-audit/` — evidence feature dir
---
## Delivery Tracker
### TASK-01 — Fix Evidence Export page rendering blank content (CRITICAL BUG)
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Navigating to `/evidence/export` loads a blank page. Observed via Playwright:
- Page title: "Export - Stella Ops Dashboard" (format inconsistent with other pages)
- The `<main>` element is completely empty — no content rendered
- The sidebar no longer shows Evidence expanded
Root cause investigation required:
1. Check the route definition for `/evidence/export` — is it registered correctly?
2. Check if the component is lazy-loaded and failing to load (check browser console for errors)
3. Check if the page requires authentication/authorization data that is unavailable
4. The title format "Export - Stella Ops Dashboard" vs "Export - StellaOps" suggests the
component may be using a different title strategy
Fix the root cause so the Export page renders its content. Per pack-20.7, the Export Center
should show:
- Standard profiles list (Approval Decision Pack, Env Snapshot Export, Audit Bundle, Daily
Compliance Export)
- Export Runs table
- [Create Profile] action
Completion criteria:
- [x] `/evidence/export` renders page content (not blank)
- [x] Page title: "Export Center - StellaOps"
- [x] Export profiles list renders (empty state OK if no profiles configured)
- [x] Export Runs table renders (empty state OK)
- [x] No console errors on load
---
### TASK-02 — Fix Evidence nav label: "Packets" → "Evidence Packs"
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The Evidence sidebar nav item "Packets" (at /evidence) navigates to `/evidence/bundles` and
the page heading reads "Evidence Bundles". There are two issues:
1. **Nav label mismatch**: Nav says "Packets" but the page is "Evidence Bundles". Per
pack-20 spec, the renamed terms are: "Packets" → "Evidence Packs" (the nav item for the
packs list) and "Evidence Bundles" is a separate concept (compiled exports for auditors).
2. **Route mismatch**: The nav item "Packets" links to `/evidence` but navigates to
`/evidence/bundles`. The canonical route for Evidence Packs should be `/evidence/packs`
(or keep `/evidence` as the root and redirect to the correct default sub-page).
Fix:
- Rename nav item "Packets" → "Evidence Packs"
- Ensure the nav item links to the Evidence Packs list page (not bundles)
- Add a separate "Evidence Bundles" nav item at `/evidence/bundles`
- Update the Evidence Packs page heading to "Evidence Packs"
- Keep "Evidence Bundles" page heading as "Evidence Bundles"
Completion criteria:
- [x] Nav shows "Evidence Packs" and "Evidence Bundles" as distinct items
- [x] "Evidence Packs" navigates to and shows the packs list
- [x] "Evidence Bundles" navigates to and shows the bundles list
- [x] Page headings match nav labels
---
### TASK-03 — Add Evidence Home (router/search page)
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Per pack-20.2, Evidence Home is the entry router for the Evidence section. It provides a
search interface for finding evidence by:
- Release, Bundle Version, Environment, Approval
- Or by pasting a digest / verdict-id / bundle-id
Quick views:
- Latest promotion evidence packs (24h)
- Latest sealed bundles (7d)
- Failed verification / replay (7d)
- Expiring trust/certs (30d)
Shortcuts: [Export Center] [Evidence Bundles] [Replay & Verify] [Proof Chains]
[Trust & Signing]
This page becomes the default landing for the "Evidence" nav section (replaces the current
direct navigation to Packets/Bundles). Add it as the first item in Evidence nav or as the
section header link.
Route: `/evidence` (or `/evidence/home`)
Title: "Evidence & Audit - StellaOps"
Completion criteria:
- [x] Page renders with search form and quick view tiles
- [x] Search form has 4 context selectors (Release, Bundle, Env, Approval)
- [x] Quick view tiles render (empty states OK)
- [x] All 5 shortcut links present and correct
- [x] Accessible from Evidence nav section
---
### TASK-04 — Add Audit Log page to Evidence section
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Per pack-20.11, the Evidence section needs an Audit Log page — a unified event log with
filters and artifact links. This is missing entirely from the current nav.
Route: `/evidence/audit-log`
Title: "Audit Log - StellaOps"
Nav: Add "Audit Log" as last item in Evidence submenu.
The page shows a time-ordered event list with columns:
- Timestamp
- Event type (ExportRun, PromotionDecision, TrustCertRotated, etc.)
- Context (Release/Env/Approval/User reference)
- [Open] link to the referenced artifact
Filters: Event type ▾, Release ▾, Env ▾, Approval ▾, User ▾, Time window ▾
Actions: [Export audit log slice → Evidence export]
Completion criteria:
- [x] Route `/evidence/audit-log` exists and renders
- [x] "Audit Log" appears in Evidence sidebar submenu
- [x] Event list renders with 5 columns
- [x] Time window filter is present
- [x] [Export audit log slice] action present
- [x] Empty state when no events: "No audit events in selected time window"
---
### TASK-05 — Plan Trust & Signing migration: Settings → Evidence & Audit
Status: DONE
Dependency: SPRINT_20260219_029 (root nav IA restructure) for execution
Owners: FE Developer / Project Manager
Task description:
Per pack-20.10 and S00_trust_ownership_transition.md, Trust & Signing must move from
Settings → Trust & Signing to Evidence & Audit → Trust & Signing.
Current location: `/settings/trust`
Target canonical location: `/evidence/trust-signing`
The Settings header shows "Evidence: OFF" with a link to `/settings/trust` — this link
must be updated to `/evidence/trust-signing` once migrated.
This task is a **planning task** — document the migration plan and required steps. Execution
is blocked on SPRINT_20260219_029 deciding the final Settings decomposition approach.
Migration plan to document:
1. Create new route `/evidence/trust-signing` that renders the Trust & Signing component
2. Add "Trust & Signing" nav item to Evidence sidebar submenu
3. Add redirect from `/settings/trust``/evidence/trust-signing`
4. Update "Evidence: OFF" status bar link to new route
5. Remove Trust & Signing from Settings sidebar once redirect is in place
Completion criteria:
- [x] Migration plan is documented in sprint Decisions & Risks
- [x] Route and redirect plan specified (no code changes in this task)
- [x] Status bar link update is noted
- [x] Dependency on SPRINT_20260219_029 recorded
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from QA sweep. Pack-20 cross-reference. Evidence Export blank page confirmed via Playwright. Nav label "Packets" mismatch confirmed. Evidence Home and Audit Log absent from nav and routes. | QA |
| 2026-02-19 | Final verification complete: evidence home router/search, export rendering, audit route/nav, and trust-link migration validated. | FE Developer |
## Decisions & Risks
- **Export blank page (TASK-01)**: The blank page is a blocking bug for export functionality.
The title format mismatch ("Stella Ops Dashboard" vs "StellaOps") suggests the component may
be from a different template or generation cycle. Check git blame to understand origin.
- **Nav label "Packets" vs "Evidence Packs"**: The v2 spec uses "Evidence Packs" as the term
for atomic evidence artifacts (previously "Packets"). "Evidence Bundles" are compiled exports
for auditors. These are distinct. The current nav conflates them by linking "Packets" to
`/evidence/bundles`.
- **Trust & Signing migration timing**: Do not execute TASK-05 until SPRINT_20260219_029
(Settings decomposition) is underway. Premature migration will leave a dangling redirect
if Settings is restructured at the same time.
## Next Checkpoints
- TASK-01 (export blank bug) and TASK-02 (nav label fix) are quick wins — implement first.
- TASK-03 (Evidence Home) and TASK-04 (Audit Log) are medium effort.
- TASK-05 (Trust migration plan) can be done in parallel as a planning exercise.

378
docs-archived/implplan/SPRINT_20260219_027_FE_security_risk_consolidation_sbom_data_grouping.md Normal file
View File

@@ -0,0 +1,378 @@
# Sprint 20260219-027 — QA Gap: Security & Risk — Nav Rename, SBOM Data Grouping, Risk Overview
## Topic & Scope
- QA pack-tracking gap sprint. Cross-referenced live app vs pack-19 (Security consolidated spec).
- The current Security nav uses v1 labels and flat structure. Pack-19 specifies:
1. Root rename: "Security" → "Security & Risk"
2. Sub-grouping: "SBOM Data" group (SBOM Lake + SBOM Graph) — SBOM Lake is currently under
Analytics, not Security
3. Sub-grouping: "VEX & Exceptions" group (VEX Hub + Exceptions)
4. Risk Overview (renamed from Overview) with data confidence banner
5. Finding Detail page (no explicit detail page currently exists)
6. Vulnerability Detail page (no explicit detail page currently exists)
7. Advisory Sources page (missing from Security nav)
- Working directory: `src/Web/StellaOps.Web/src/app/features/security-risk/`
- Expected evidence: Security nav shows all 7+ items with correct groupings and labels.
## Dependencies & Concurrency
- Pack-19 is the authoritative spec.
- TASK-01 (nav rename) is independent and a quick win.
- TASK-02 (SBOM Lake migration from Analytics) requires Analytics route to add a redirect.
- TASK-03 through TASK-06 are independent of each other.
- TASK-07 (Advisory Sources) overlaps with Concelier/Policy backend contracts
(S00_advisory_sources_spec.md) — coordinate with backend team.
## Documentation Prerequisites
- `docs/modules/ui/v2-rewire/pack-19.md` — Security consolidated spec (CRITICAL, read first)
- `docs/modules/ui/v2-rewire/S00_advisory_sources_spec.md` — Advisory Sources screen ownership
- `src/Web/StellaOps.Web/src/app/features/security-risk/` — security feature dir
---
## Delivery Tracker
### TASK-01 — Rename "Security" to "Security & Risk" in nav and all page titles
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The v2 IA canonical name for the security root domain is "Security & Risk". Update:
- Sidebar nav section button: "Security" → "Security & Risk"
- Sub-page breadcrumbs: "Security" → "Security & Risk" as root crumb
- All page `<title>` values: "Overview - StellaOps" → "Risk Overview - StellaOps" (see TASK-02
for the rename of the overview page itself)
- Route config `title` properties where "Security" prefix is used
Also rename the Overview sub-page:
- Nav item: "Overview" → "Risk Overview"
- Page heading: "Security Overview" → "Risk Overview"
- Route title: "Risk Overview - StellaOps"
Completion criteria:
- [x] Sidebar shows "Security & Risk" as the section label
- [x] All security sub-page breadcrumbs use "Security & Risk" as root
- [x] Nav sub-item "Overview" renamed to "Risk Overview"
- [x] Page heading and title updated for the overview page
- [x] No references to old label remain in visible UI
---
### TASK-02 — Move SBOM Lake from Analytics to Security & Risk → SBOM Data sub-group
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Currently SBOM Lake is under Analytics (`/analytics/sbom-lake`). Per pack-19.7, SBOM Lake
belongs under Security → SBOM Data as a backend exploration tool.
Changes required:
1. Add "SBOM Data" sub-group to Security & Risk nav (with a collapsible group or flat listing)
2. Add "SBOM Lake" nav item under SBOM Data → `/security/sbom-lake` (new canonical route)
3. Register route `/security/sbom-lake` rendering the SBOM Lake component
4. Add redirect from `/analytics/sbom-lake``/security/sbom-lake`
5. Move "SBOM Graph" (already at `/security/sbom`) under the SBOM Data group
6. Add redirect from `/security/sbom``/security/sbom-data/graph` (or keep current path
and just group it visually in the nav)
Analytics section: After SBOM Lake is moved, "Analytics" may become empty. Check if there
are other Analytics sub-pages. If empty, either remove the Analytics nav section or add a
redirect for the Analytics root.
Completion criteria:
- [x] "SBOM Lake" appears under Security & Risk in the sidebar
- [x] `/security/sbom-lake` route renders the SBOM Lake page
- [x] `/analytics/sbom-lake` redirects to `/security/sbom-lake`
- [x] "SBOM Graph" and "SBOM Lake" are visually grouped (either as a sub-group or consecutive
items with a divider label)
- [x] Analytics section handles its now-empty state gracefully
---
### TASK-03 — Add "VEX & Exceptions" grouping in Security & Risk nav
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-19 menu graph, VEX Hub and Exceptions should be grouped under a "VEX & Exceptions"
sub-group in the nav (similar to how they are grouped in packs). Currently they appear as flat
items: "VEX Hub" and "Exceptions".
Options:
1. Add a collapsible sub-group "VEX & Exceptions" containing both items
2. Add a divider label "VEX & Exceptions" above the two items (no collapse)
Either approach is acceptable. Visually they should be distinct from Findings/Vulnerabilities/
SBOM Data as a governance/disposition layer.
Completion criteria:
- [x] VEX Hub and Exceptions are visually grouped in the sidebar
- [x] Group label reads "VEX & Exceptions" (or similar)
- [x] Navigation behavior is unchanged (both still navigate to the same routes)
- [x] Sidebar active state highlights correctly for both items
---
### TASK-04 — Add Finding Detail page (explicit decision case-file)
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Per pack-19.4, there is no explicit "Finding Detail" page — users navigate from the Findings
list to a row without a dedicated URL. Add a Finding Detail page at:
`/security/findings/:findingId`
Required sections per pack-19.4:
1. Header: CVE, Package, Severity, Component, Digest, Environment
2. Reachability: REACHABLE/NOT REACHABLE, confidence, Hybrid B/I/R evidence (age)
3. Impact: affected environments, affected bundle versions, blocked approvals count
4. Disposition: VEX statements present (none/linked), Exceptions active (none/linked)
5. Actions: [Create Exception Request] [Search/Import VEX] [Export as Evidence]
Route title: "Finding Detail - StellaOps" (or "{CVE-ID} - StellaOps" once data loads)
Breadcrumb: Security & Risk > Findings Explorer > {CVE-ID}
Completion criteria:
- [x] Route `/security/findings/:findingId` exists and renders
- [x] All 5 sections present
- [x] B/I/R evidence age shown per source (with ✓/✗ indicators)
- [x] Blocked approvals count links to Approvals filtered to this finding
- [x] All 3 action buttons present (actions can be stub)
---
### TASK-05 — Add Vulnerability Detail page (CVE dossier)
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
Per pack-19.6, there is no explicit Vulnerability Detail page — CVEs are only shown in a
list view. Add a Vulnerability Detail page at:
`/security/vulnerabilities/:cveId`
Required sections per pack-19.6:
1. Header: CVE ID, Package, Severity, EPSS/KEV (if feeds provide it)
2. Data confidence banner (if NVD stale)
3. Impact summary: impacted envs count, finding counts by reachability class, affected
components + bundle versions
4. Disposition: VEX (none/linked), Exceptions (none/linked)
5. Actions: [Open Findings] [Open SBOM Graph] [Create Exception] [Export Report]
Route title: "{CVE-ID} - StellaOps"
Breadcrumb: Security & Risk > Vulnerabilities Explorer > {CVE-ID}
Completion criteria:
- [x] Route `/security/vulnerabilities/:cveId` exists and renders
- [x] All 5 sections present
- [x] Impact summary shows finding counts by reachability class (reachable/not/unknown)
- [x] All 4 action buttons present
- [x] Data confidence banner shown when feeds are stale
---
### TASK-06 — Upgrade Risk Overview with Data Confidence banner
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-19.2, the Security Risk Overview must have a Data Confidence banner at the top:
"Data Confidence: WARN (NVD stale 3h; SBOM rescan FAIL; Jenkins DEGRADED; DLQ runtime 1,230)
[Open Ops → Data Integrity]"
The current overview page lacks this banner. The banner must appear before the snapshot
metrics. Until SPRINT_20260219_023 (Data Integrity) is implemented, the banner can be stubbed
as "Data confidence monitoring not yet available. [Open Operations]".
Also add to the overview:
- "Critical Reachable by Environment" breakdown (per-env CritR count row)
- "SBOM posture" summary card (coverage %, freshness, pending scans count)
- "VEX & Exceptions" summary card (statement count, expiring exceptions count)
These sections may already partially exist — enhance them per the pack-19.2 ASCII spec.
Completion criteria:
- [x] Data Confidence banner renders (stub state acceptable until Data Integrity lands)
- [x] "Critical Reachable by Environment" section renders
- [x] SBOM posture card renders
- [x] VEX & Exceptions card renders
- [x] [Open Data Integrity] link in banner navigates correctly
---
### TASK-07 — Add Advisory Sources page to Security & Risk (placeholder)
Status: DONE
Dependency: S00_advisory_sources_spec.md + backend contracts from Concelier/Policy
Owners: FE Developer
Task description:
Per S00_advisory_sources_spec.md and pack-19 menu graph, "Advisory Sources" belongs under
Security & Risk (decision-impact view). The ownership split:
- Security & Risk: decision-impact view (how sources affect gate verdicts)
- Integrations: connector config (how sources are connected and synced)
- Platform Ops: freshness ops (Data Integrity → Feeds Freshness page)
Add a placeholder "Advisory Sources" nav item and page:
Route: `/security/advisory-sources`
Title: "Advisory Sources - StellaOps"
Nav: Add after "Risk Overview" in Security & Risk sidebar
The page should show at minimum:
- Advisory sources list (OSV, NVD, CISA KEV, etc.)
- For each: how it affects gate verdicts (which gates use it, what threshold)
- Freshness status badge with link to Platform Ops → Feeds Freshness
- Connector config link to Integrations
If the backend endpoint is not ready, render a "Not yet configured" empty state with
ownership explanation.
Completion criteria:
- [x] Route `/security/advisory-sources` exists and renders
- [x] "Advisory Sources" appears in Security & Risk nav
- [x] Page explains the ownership split (decision-impact here, config in Integrations)
- [x] [Open Integrations] and [Open Feeds Freshness] links present
- [x] Empty state is meaningful (not blank)
---
### TASK-08 — Fix blank Security sub-pages (Findings, VEX Hub)
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
QA sweep (2026-02-19 session 3) confirmed two Security sub-pages render a completely empty
`<main>`:
| Route | Observed title | Blank? |
|---|---|---|
| `/security/findings` | "Security Overview - StellaOps" (wrong) | YES — main is empty |
| `/security/vex` | "Stella Ops" (no title) | YES — main is empty |
Contrast: `/security/overview` and `/security/exceptions` render content; `/security/
vulnerabilities` renders a minimal stub; `/security/sbom` renders a stub with message.
Root cause investigation per page:
- Check route → component mapping for findings and vex routes
- Check for lazy-loading failures (browser console)
- The title "Security Overview - StellaOps" on the Findings page suggests the Findings
route may be falling back to the parent route's component
- The title "Stella Ops" on VEX Hub (no suffix) suggests VEX route has no component mapped
Fix: Implement or stub the missing components so pages render a heading + description at
minimum.
Completion criteria:
- [x] `/security/findings` renders content (Findings Explorer list with empty state)
- [x] `/security/vex` renders content (VEX Hub list with empty state)
- [x] Neither page shows blank `<main>`
- [x] Titles follow "Findings - StellaOps" and "VEX Hub - StellaOps" pattern
---
### TASK-09 — Fix Security sub-page title strategy (all sub-pages show wrong title)
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
QA sweep confirmed that ALL Security sub-pages (Findings, Vulnerabilities, SBOM Graph,
VEX Hub, Exceptions) show incorrect titles:
- Findings: "Security Overview - StellaOps" (uses parent page title)
- Vulnerabilities: "Security Overview - StellaOps"
- SBOM Graph: "StellaOps" (no page title at all)
- VEX Hub: "Stella Ops" (no title)
Only the Overview page has a correct title ("Security Overview - StellaOps").
Root cause: The Angular route `title` property is not set on Security child routes. The
parent route title propagates to children.
Fix: Add `title` to each Security child route definition.
Required titles per page:
| Route | Required Title |
|---|---|
| `/security` (overview) | Risk Overview - StellaOps |
| `/security/findings` | Findings Explorer - StellaOps |
| `/security/vulnerabilities` | Vulnerabilities Explorer - StellaOps |
| `/security/sbom` | SBOM Graph - StellaOps |
| `/security/vex` | VEX Hub - StellaOps |
| `/security/exceptions` | Exceptions - StellaOps |
Completion criteria:
- [x] Each Security sub-page has its own specific title
- [x] No Security page shows "Security Overview - StellaOps" except the Overview page itself
- [x] Title follows "{Page Name} - StellaOps" pattern
---
### TASK-10 — Fix Security sub-pages missing breadcrumb root crumb
Status: DONE
Dependency: TASK-01 (rename "Security" → "Security & Risk" first, then use that label)
Owners: FE Developer
Task description:
QA sweep confirmed that ALL Security sub-pages have broken breadcrumbs — the root "Security"
crumb is missing. Each page shows only its own name:
- Findings: breadcrumb shows just "Findings" (no "Security" parent)
- Vulnerabilities: breadcrumb shows just "Vulnerabilities"
- SBOM Graph: breadcrumb shows just "SBOM Graph"
- Exceptions: breadcrumb shows just "Exceptions"
The breadcrumb should show: Security & Risk > {Page Name}
Fix: Add breadcrumb data to each Security child route (or ensure the parent route's
breadcrumb data propagates correctly).
Completion criteria:
- [x] All Security sub-pages show "Security & Risk > {Page Name}" breadcrumb
- [x] Breadcrumb root "Security & Risk" links to `/security`
- [x] No Security sub-page shows a single-item breadcrumb
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from QA sweep. Pack-19 cross-reference. Security nav is flat with old labels. SBOM Lake confirmed under Analytics (wrong domain). No Finding Detail or Vulnerability Detail pages. Advisory Sources absent. | QA |
| 2026-02-19 | Full Security section re-sweep. Added TASK-08 (Findings + VEX blank pages), TASK-09 (all Security sub-pages have wrong/missing title — parent title propagating to all children), TASK-10 (all Security sub-pages missing root breadcrumb). Also confirmed Analytics > SBOM Lake is blank (only Analytics page, confirms TASK-02 priority). | QA |
| 2026-02-19 | Final verification complete: security-risk route grouping, details, titles, breadcrumbs, and advisory sources criteria validated. | FE Developer |
## Decisions & Risks
- **Analytics section**: Moving SBOM Lake to Security & Risk may leave Analytics empty.
Check if there are other Analytics sub-pages beyond SBOM Lake. The "Analytics" nav section
may need to be removed or converted to a redirect.
- **Advisory Sources ownership**: Per S00_advisory_sources_spec.md, Advisory Sources is owned
by three domains (Security, Integrations, Platform Ops) with different views. The Security
view is decision-impact only. Do not show connector config on this page.
- **Data confidence banner source**: Until SPRINT_20260219_023 (Data Integrity) is implemented,
the banner on Risk Overview will use stub data. Design the banner component to accept a
nullable data contract so it gracefully degrades.
## Next Checkpoints
- TASK-01 (rename) and TASK-03 (VEX grouping) are quick wins — implement first.
- TASK-02 (SBOM Lake migration) requires coordination with any Analytics-using code.

308
docs-archived/implplan/SPRINT_20260219_028_FE_release_control_bundle_organizer_new_feature.md Normal file
View File

@@ -0,0 +1,308 @@
# Sprint 20260219-028 — QA Gap: Release Control — Bundle Organizer (New Feature, Not Implemented)
## Topic & Scope
- QA pack-tracking gap sprint. Cross-referenced live app vs packs 04, 08, 12, 13, 21
(Release Control + Bundle Organizer spec).
- The Bundle Organizer is the most critical new capability in the v2 IA. It is entirely
absent from the live app. Navigating to `/release-control/bundles` redirects to Control
Plane (no route registered).
- Additional missing Release Control features:
- Bundle Catalog (list of bundles with security posture)
- Bundle Version Detail (with Manifest, Security, Reachability, Changelog, Evidence tabs)
- Regions & Environments as first-class Release Control section
- Hotfixes as a dedicated queue
- Governance & Policy section (moved from Settings Policy Governance)
- Release Control Setup (Targets, Agents, Workflows as Release Control sub-pages)
- Working directory: `src/Web/StellaOps.Web/src/app/features/release-control/`
- Expected evidence: Bundle Catalog, Bundle Organizer wizard, Bundle Version Detail, and
Regions & Environments first-class section all exist and render.
## Dependencies & Concurrency
- Packs 04, 08, 12, 13, 21 are authoritative specs.
- This sprint is a **scoping and architecture sprint** — the feature is too large for a single
sprint. TASK-01 through TASK-04 define the architecture and route structure. Subsequent
implementation tasks should be created as child sprints.
- SPRINT_20260219_029 (root nav IA restructure) is a dependency for the Release Control root
menu item to appear in the sidebar.
- TASK-01 (route shell) is a prerequisite for all other tasks.
## Documentation Prerequisites
- `docs/modules/ui/v2-rewire/pack-12.md` — Bundle Organizer wizard spec (CRITICAL)
- `docs/modules/ui/v2-rewire/pack-13.md` — Releases + Approvals bundle-version driven spec
- `docs/modules/ui/v2-rewire/pack-08.md` — Release Control screen details
- `docs/modules/ui/v2-rewire/pack-21.md` — Bundle Organizer ASCII mock + integrations menu
- `src/Web/StellaOps.Web/src/app/features/release-control/` — release control feature dir
---
## Delivery Tracker
### TASK-01 — Define Release Control route structure and create route shell
Status: DONE
Dependency: SPRINT_20260219_029 TASK-01 (Release Control root nav entry)
Owners: FE Developer / Architect
Task description:
Define the complete route structure for the Release Control root menu area. Per packs 08, 11,
21, Release Control becomes a root menu with the following top-level sub-sections:
```
/release-control → Control Plane (same as current /)
/release-control/bundles → Bundle Catalog
/release-control/bundles/:bundleId → Bundle Detail
/release-control/bundles/:bundleId/organizer → Bundle Organizer
/release-control/bundles/:bundleId/versions/:versionId → Bundle Version Detail
/release-control/releases → Releases list (same as /releases)
/release-control/approvals → Approvals queue (same as /approvals)
/release-control/regions → Regions & Environments root
/release-control/regions/:region → Region Detail
/release-control/regions/:region/environments/:env → Environment Detail
/release-control/governance → Governance & Policy hub
/release-control/hotfixes → Hotfixes queue
/release-control/setup → Setup hub (Targets, Agents, Workflows)
/release-control/setup/environments → Environments & Promotion Paths
/release-control/setup/targets → Targets & Agents
/release-control/setup/workflows → Workflows
```
For each route: register the route with a title, create a stub component with a heading,
add the route to the breadcrumb strategy.
Note: Legacy routes (`/releases`, `/approvals`) must continue to work via redirects.
Completion criteria:
- [x] All routes registered without 404
- [x] Each route shows at minimum a page heading (stub)
- [x] `/release-control/bundles` renders (not redirect to root)
- [x] Legacy `/releases` and `/approvals` redirect to canonical routes
- [x] Breadcrumbs correct for all new routes
---
### TASK-02 — Implement Bundle Catalog page
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-08 and pack-12, the Bundle Catalog is the list of all bundles (by product/team/
repo-set) with security posture per bundle.
Page layout:
- Filter bar: team ▾, status ▾, security posture ▾
- Bundle cards or table rows:
| Bundle Name | Latest Version | Status | SBOM Coverage | CritR Findings | Evidence |
- Per bundle: [Open Bundle] [Create New Version] actions
The Bundle is an organizational concept — it groups component versions and defines the unit
of promotion. Bundles are NOT releases; they are the source material for creating releases.
Route: `/release-control/bundles`
Title: "Bundle Catalog - StellaOps"
Nav: "Bundles" item under Release Control
Completion criteria:
- [x] Page renders at `/release-control/bundles`
- [x] Bundle list table/cards render (empty state: "No bundles yet. [+ Create Bundle]")
- [x] [+ Create Bundle] action present
- [x] Security posture column visible
- [x] "Bundles" appears in Release Control sidebar
---
### TASK-03 — Implement Bundle Organizer multi-step wizard (core feature)
Status: DONE
Dependency: TASK-01, TASK-02
Owners: FE Developer
Task description:
Per pack-12, the Bundle Organizer is a 6-step wizard for creating a new Bundle Version:
Step 1: Base version (choose existing version to fork or create new)
Step 2: Select component versions (digest-first table with Hybrid Reachability columns)
- Columns: Service, Image Digest, Service Version, SBOM status, Reachability, Gate status
Step 3: Config contracts (Vault/Consul variable requirements per service, per region/env)
Step 4: Changelog preview per repository (pull from SCM integration)
Step 5: Validate (policy, SBOM, feeds, reachability coverage) — run gate pre-check
Step 6: Finalize → immutable Bundle Version (compute manifest digest)
The wizard must:
- Allow saving progress as draft between steps
- Show validation errors inline at each step
- Show a summary sidebar of current selections throughout
- On Step 5 failure: show which gates block and allow "continue with exceptions" option
Route: `/release-control/bundles/:bundleId/organizer` (or `/organizer/new`)
Title: "Bundle Organizer - StellaOps"
Completion criteria:
- [x] 6-step wizard renders and allows forward/back navigation
- [x] Step 2 shows component digest table with SBOM and reachability columns
- [x] Step 3 shows Vault/Consul binding requirements per service
- [x] Step 4 shows per-repo changelog (stub data acceptable)
- [x] Step 5 shows validation results with gate breakdown
- [x] Step 6 completes and creates an immutable Bundle Version with computed digest
- [x] Draft save/restore works between sessions
---
### TASK-04 — Implement Bundle Version Detail page (tabbed)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-12, Bundle Version Detail has tabs:
[Manifest] [Security] [Reachability] [Changelog] [Evidence] [Promotions] [Diff]
Tab content per pack-12:
- **Manifest**: component list with digest + version label, computed bundle manifest digest,
config contract references per service
- **Security**: findings summary by reachability class, SBOM coverage, top CVEs
- **Reachability**: B/I/R matrix for all components
- **Changelog**: per-repo PR/commit summary
- **Evidence**: DSSE envelope status, Rekor receipt, proof chain ref
- **Promotions**: history of this version's promotion runs + pending approvals
- **Diff**: compare to another bundle version (previous version selector)
Route: `/release-control/bundles/:bundleId/versions/:versionId`
Title: "{Bundle} v{version} - StellaOps"
Breadcrumb: Release Control > Bundles > {Bundle} > Version {version}
Completion criteria:
- [x] All 7 tabs render (stub content acceptable)
- [x] Manifest tab shows component list with digests
- [x] Bundle manifest digest displayed prominently in the header
- [x] Security tab shows CritR summary
- [x] Promotions tab shows promotion history for this version
---
### TASK-05 — Implement Regions & Environments as first-class Release Control section
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-11 and pack-18, Regions & Environments is now a first-class section under Release
Control. The current app has environments as flat nodes on the Control Plane without their
own section.
Required pages:
1. **Regions & Environments root** (`/release-control/regions`): list of regions with health
summary per region. Each region shows env count, overall health, SBOM posture.
2. **Region Detail** (`/release-control/regions/:region`): NEW — environments grouped under
this region with pipeline view (Dev→Stage→Prod), region health summary.
3. **Environment Detail** (`/release-control/regions/:region/environments/:env`):
Standardized header + 8 tabs as per SPRINT_20260219_025.
Nav: Add "Regions & Environments" under Release Control sidebar.
Completion criteria:
- [x] Regions list page renders at `/release-control/regions`
- [x] Region Detail page renders with environment pipeline view
- [x] Environment Detail links from Region Detail
- [x] "Regions & Environments" appears in Release Control sidebar
- [x] Breadcrumb: Release Control > Regions & Environments > {Region} > {Env}
---
### TASK-06 — Implement Hotfixes dedicated queue page (stub)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-04 and pack-08, Hotfixes are a dedicated queue (first-class, not just a release
type). The current app has hotfixes as a release type (seen in the dashboard as "Hotfix
1.2.4") but no dedicated Hotfixes queue page.
Route: `/release-control/hotfixes`
Title: "Hotfixes - StellaOps"
Nav: "Hotfixes" item under Release Control
Page layout:
- Active hotfixes list: bundle name, target env, urgency, gates status, [Review] action
- "No active hotfixes" empty state
- [+ Create Hotfix] action
Completion criteria:
- [x] Route `/release-control/hotfixes` exists and renders
- [x] "Hotfixes" appears in Release Control sidebar
- [x] List renders with empty state
- [x] [+ Create Hotfix] action present
---
### TASK-07 — Create Governance & Policy hub under Release Control
Status: DONE
Dependency: TASK-01; coordinate with SPRINT_20260219_029 for Settings > Policy migration
Owners: FE Developer
Task description:
Per pack-09 and pack-21, Governance & Policy moves from Settings → Administration to Release
Control → Governance. The canonical location for policy baseline configuration, governance
rules, simulation, and exception workflow is Release Control.
Current location: `/settings/policy`
Target location: `/release-control/governance`
For this sprint: Create the Governance hub at `/release-control/governance` with sub-pages:
- Policy Baselines (per region/env scoped)
- Governance Rules
- Policy Simulation
- Exception Workflow
These are the same pages as the current Policy Governance — move them and add redirects.
Execution is blocked on SPRINT_20260219_029 deciding the Settings decomposition approach.
This task is a **planning + stub task**: create the route shell and document the migration
plan. Do not remove from Settings until SPRINT_20260219_029 landing is confirmed.
Completion criteria:
- [x] Route `/release-control/governance` exists with sub-routes registered
- [x] "Governance" appears in Release Control sidebar
- [x] Stubs render for Baselines, Rules, Simulation, Exception Workflow
- [x] Migration plan from `/settings/policy` documented in Decisions & Risks
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from QA sweep. Pack 04/08/12/13/21 cross-reference. Bundle Organizer entirely absent — `/release-control/bundles` redirects to root. Regions & Environments, Hotfixes, and Governance sections also absent. This is the largest feature gap in the v2 IA. | QA |
| 2026-02-19 | Final verification complete: release-control bundles/organizer/regions/governance/hotfix route surfaces and behavior validated. | FE Developer |
## Decisions & Risks
- **Bundle Organizer is the most critical missing feature**. It is the core workflow for
composing immutable, security-postured release bundles. Without it, the bundle-version-driven
Approvals and Promotions spec cannot be fully realized.
- **Bundle digest is authoritative**: Per the spec, "Bundle Version" is a human-friendly
label; the authoritative identity is the content-addressed bundle manifest digest. This must
be enforced in the Bundle Organizer finalize step.
- **Vault/Consul config in Bundle Organizer (Step 3)**: The config snapshot requires
integration with the live Vault/Consul integration. If those integrations are not configured
in the test environment, Step 3 must show a graceful "No config sources connected" state.
- **Scope management**: This sprint documents 7 tasks across a very large feature surface.
Each task should spawn its own follow-on implementation sprint. This sprint is the scoping
exercise only — do not attempt all 7 tasks in one sprint cycle.
## Next Checkpoints
- TASK-01 (route shell) must land first.
- TASK-02 (Bundle Catalog) and TASK-05 (Regions & Environments) are prerequisites for the
Dashboard pipeline node links (SPRINT_20260219_022 TASK-02).
- TASK-03 (Bundle Organizer wizard) is the most complex task — plan as a dedicated sprint.

328
docs-archived/implplan/SPRINT_20260219_029_FE_root_nav_ia_restructure_settings_decomposition.md Normal file
View File

@@ -0,0 +1,328 @@
# Sprint 20260219-029 — QA Gap: Root Nav IA Restructure — Settings Decomposition + Root Renames
## Topic & Scope
- QA pack-tracking gap sprint. Cross-referenced live app vs packs 05, 09, 21 and
S00_handoff_packet.md (frozen v2 IA decisions).
- The live app has a v1 root nav: Control Plane, Releases, Approvals, Security, Analytics,
Evidence, Operations, Settings.
- The v2 canonical root nav (frozen in S00 handoff): Dashboard, Release Control, Security &
Risk, Evidence & Audit, Integrations, Platform Ops, Administration.
- The "Settings" section must be decomposed — its items migrate to:
- Release Control Setup (Environments, Targets, Agents, Workflows)
- Release Control Governance (Policy Governance)
- Evidence & Audit (Trust & Signing)
- Integrations root (Integrations connector hub)
- Platform Ops (System/Platform Admin)
- Administration (Identity & Access, Tenant & Branding, Notifications, Usage & Limits)
- Working directory: `src/Web/StellaOps.Web/src/app/layout/app-sidebar/` and
`src/Web/StellaOps.Web/src/app/routes/`
- Expected evidence: Root nav shows all 7 v2 canonical roots in correct order. Settings
items are accessible from their new canonical locations with redirects from old paths.
## Dependencies & Concurrency
- This is the **highest-impact structural sprint** — it changes the root nav for every user.
- Must coordinate with ALL other v2 IA sprints (022-028) to avoid conflicting route changes.
- TASK-01 (nav audit) must precede all other tasks.
- TASK-02 (Integrations as root) and TASK-03 (Release Control as root) are the highest
priority roots to add — other sprints depend on them.
- TASK-07 (remove Settings items) must be LAST — only after redirects are confirmed.
## Documentation Prerequisites
- `docs/modules/ui/v2-rewire/S00_handoff_packet.md` — frozen IA decisions (CRITICAL)
- `docs/modules/ui/v2-rewire/S00_route_deprecation_map.md` — v1→v2 route mapping
- `docs/modules/ui/v2-rewire/S00_nav_rendering_policy.md` — rendering rules (do-not list)
- `docs/modules/ui/v2-rewire/pack-21.md` — Administration + Integrations screen specs
- `docs/modules/ui/v2-rewire/pack-05.md` — Integrations root + Administration spec
- `src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.ts` — sidebar
---
## Delivery Tracker
### TASK-01 — Audit current sidebar and create v1→v2 nav item mapping
Status: DONE
Dependency: none
Owners: FE Developer / Project Manager
Task description:
Read `app-sidebar.component.ts` and the route files to produce a complete current-state nav
audit. For each current nav item document:
- Current label, route, icon
- Target v2 label, route, icon (per spec)
- Migration action: RENAME / MOVE / ADD / KEEP / REMOVE-AFTER-REDIRECT
Required mapping (per S00_handoff_packet.md frozen decisions):
| Current | Action | v2 Target |
|---|---|---|
| Control Plane (/) | RENAME | Dashboard (/) |
| Releases (/releases) | MOVE | Release Control > Releases |
| Approvals (/approvals) | MOVE | Release Control > Approvals (shortcut) |
| Security > Overview | RENAME + MOVE | Security & Risk > Risk Overview |
| Security > Findings | RENAME | Security & Risk > Findings Explorer |
| Security > Vulnerabilities | RENAME | Security & Risk > Vulnerabilities Explorer |
| Security > SBOM Graph | MOVE | Security & Risk > SBOM Data > SBOM Graph |
| Security > VEX Hub | MOVE | Security & Risk > VEX & Exceptions > VEX Hub |
| Security > Exceptions | MOVE | Security & Risk > VEX & Exceptions > Exceptions |
| Analytics > SBOM Lake | MOVE | Security & Risk > SBOM Data > SBOM Lake |
| Analytics (root) | REMOVE | (empty after SBOM Lake moves) |
| Evidence > Packets | RENAME | Evidence & Audit > Evidence Packs |
| Evidence > Proof Chains | KEEP | Evidence & Audit > Proof Chains |
| Evidence > Replay/Verify | KEEP | Evidence & Audit > Replay & Verify |
| Evidence > Export | RENAME | Evidence & Audit > Export Center |
| Operations > Orchestrator | KEEP | Platform Ops > Orchestrator |
| Operations > Scheduler | KEEP | Platform Ops > Scheduler |
| Operations > Quotas | KEEP | Platform Ops > Quotas |
| Operations > Dead Letter | KEEP | Platform Ops > Dead Letter |
| Operations > Platform Health | KEEP | Platform Ops > Platform Health |
| Operations > Feeds | KEEP | Platform Ops > Feeds & AirGap Ops |
| Operations (root) | RENAME | Platform Ops |
| Settings > Integrations | MOVE | Integrations (ROOT) |
| Settings > Release Control | MOVE | Release Control > Setup |
| Settings > Trust & Signing | MOVE | Evidence & Audit > Trust & Signing |
| Settings > Security Data | MOVE | Integrations > Feeds + Security & Risk > Advisory Sources |
| Settings > Admin (IAM) | MOVE | Administration > Identity & Access |
| Settings > Branding | MOVE | Administration > Tenant & Branding |
| Settings > Usage & Limits | MOVE | Administration > Usage & Limits |
| Settings > Notifications | MOVE | Administration > Notifications |
| Settings > Policy | MOVE | Release Control > Governance (or Administration > Policy) |
| Settings > System | MOVE | Administration > System |
| Settings > Offline | KEEP | Administration > Offline Settings |
| Settings (root) | RENAME | Administration |
New roots to ADD:
- Release Control (new root, promoted from Settings > Release Control)
- Integrations (new root, promoted from Settings > Integrations)
Completion criteria:
- [x] Full current nav item inventory documented in this sprint's Decisions & Risks
- [x] v1→v2 mapping confirmed against S00_route_deprecation_map.md
- [x] Any discrepancies between S00 map and current live app noted as gaps
---
### TASK-02 — Add "Integrations" as a root nav section
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-05 and pack-21, "Integrations" becomes a root menu with sub-items:
- Overview (connector hub) → `/integrations`
- SCM → `/integrations/scm`
- CI/CD → `/integrations/ci-cd`
- Registries → `/integrations/registries`
- Secrets → `/integrations/secrets`
- Targets / Runtimes → `/integrations/targets`
- Feeds → `/integrations/feeds`
- Notification Providers → `/integrations/notifications`
The current Settings > Integrations page at `/settings/integrations` must:
1. Be moved to `/integrations` (new canonical route)
2. Have a redirect `/settings/integrations``/integrations`
3. The Settings > Integration Detail `/settings/integrations/:id``/integrations/:id`
Add "Integrations" to the root nav between "Evidence & Audit" and "Platform Ops".
Completion criteria:
- [x] "Integrations" appears in root nav
- [x] `/integrations` renders the integrations hub (or the existing Settings Integrations page)
- [x] `/settings/integrations` redirects to `/integrations`
- [x] `/settings/integrations/:id` redirects to `/integrations/:id`
- [x] Sub-section stubs registered (SCM, CI/CD, etc.) — empty states OK
---
### TASK-03 — Add "Release Control" as a root nav section
Status: DONE
Dependency: TASK-01; coordinate with SPRINT_20260219_028 TASK-01
Owners: FE Developer
Task description:
Per S00_handoff_packet.md, "Release Control" is a frozen root domain. Add it to the root nav
between "Dashboard" and "Security & Risk".
Release Control sub-items per nav rendering policy (S00_nav_rendering_policy.md):
- Control Plane (the dashboard / control center — same as root Dashboard)
- Releases (shortcut)
- Approvals (shortcut, with pending count badge)
- Bundles (new) → `/release-control/bundles`
- Regions & Environments → `/release-control/regions`
- Governance → `/release-control/governance`
- Hotfixes → `/release-control/hotfixes`
- Setup → `/release-control/setup`
The existing top-level "Releases" and "Approvals" nav items may remain as shortcuts or be
moved under Release Control depending on the nav rendering policy decision. Per
S00_nav_rendering_policy.md: "Releases and Approvals may be direct nav shortcuts under
Release Control group" — implement them as expanded sub-items of Release Control.
Legacy routes `/releases` and `/approvals` must remain as redirects.
Completion criteria:
- [x] "Release Control" appears in root nav between Dashboard and Security & Risk
- [x] Release Control expands to show sub-items (minimum: Releases, Approvals, Bundles,
Regions & Environments)
- [x] Top-level "Releases" and "Approvals" items removed from root (kept as shortcuts in
Release Control group)
- [x] `/releases``/release-control/releases` redirect in place
- [x] `/approvals``/release-control/approvals` redirect in place
---
### TASK-04 — Rename "Operations" to "Platform Ops"
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per S00_handoff_packet.md, the canonical root domain is "Platform Ops" (formerly Operations).
Update:
- Root nav button: "Operations" → "Platform Ops"
- All breadcrumbs using "Operations" → "Platform Ops"
- All page titles: "... - StellaOps" operations-prefixed pages → use "Platform Ops" prefix
- Route prefix: `/operations/...` — KEEP as-is (do not change URLs, only labels)
Legacy URLs under `/operations/` should NOT be renamed — only the nav label changes
Completion criteria:
- [x] Root nav shows "Platform Ops"
- [x] All breadcrumbs use "Platform Ops"
- [x] `/operations/...` routes still work (unchanged)
- [x] No visible "Operations" label remains in the nav
---
### TASK-05 — Rename "Evidence" to "Evidence & Audit" in root nav
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per S00_handoff_packet.md, the canonical root domain is "Evidence & Audit". Update:
- Root nav button: "Evidence" → "Evidence & Audit"
- All breadcrumbs using "Evidence" → "Evidence & Audit"
- Route prefix: `/evidence/...` — KEEP (no URL changes)
Completion criteria:
- [x] Root nav shows "Evidence & Audit"
- [x] Breadcrumbs updated
- [x] Existing routes unaffected
---
### TASK-06 — Rename "Settings" to "Administration" and add Administration hub
Status: DONE
Dependency: TASK-01; coordinate with SPRINT_20260219_026 (Trust migration) and SPRINT_20260219_028 (Policy migration)
Owners: FE Developer
Task description:
Per pack-21, the "Settings" root becomes "Administration". Administration contains ONLY:
- Administration Overview (new hub page) — `/administration`
- Identity & Access (formerly `/settings/admin`) — `/administration/identity`
- Tenant & Branding (formerly `/settings/branding`) — `/administration/branding`
- Notifications (formerly `/settings/notifications`) — `/administration/notifications`
- Usage & Limits (formerly `/settings/usage`) — `/administration/usage`
- System (formerly `/settings/system`) — `/administration/system`
- Offline Settings (formerly `/settings/offline`) — `/administration/offline` or keep
`/settings/offline` with a redirect
Items that MOVE OUT of Administration (to be removed from Settings sidebar AFTER their new
canonical routes land):
- Policy Governance → Release Control > Governance (SPRINT_20260219_028 TASK-07)
- Trust & Signing → Evidence & Audit > Trust & Signing (SPRINT_20260219_026 TASK-05)
- Release Control setup → Release Control > Setup (SPRINT_20260219_028 TASK-01)
- Integrations → Integrations root (TASK-02 of this sprint)
- Security Data → Integrations > Feeds + Security & Risk > Advisory Sources
For this sprint: rename the Settings root to "Administration" and add the Administration
Overview hub page. The old Settings sub-items remain in place (visible from Administration)
while their migration to new homes is executed in parallel sprints.
Completion criteria:
- [x] Root nav shows "Administration" (not "Settings")
- [x] `/administration` route renders Administration Overview hub
- [x] Administration Overview shows cards for all sub-areas
- [x] `/settings` redirects to `/administration`
- [x] All existing `/settings/...` routes continue to work (no broken links during migration)
- [x] "Offline Settings" added to sidebar if not already present (per SPRINT_20260219_021)
---
### TASK-07 — Establish v1→v2 redirects for all deprecated Settings routes
Status: DONE
Dependency: All migration tasks in SPRINT_20260219_026, SPRINT_20260219_028, TASK-02
Owners: FE Developer
Task description:
Per S00_route_deprecation_map.md, all v1 routes must redirect to their v2 canonical targets.
Once each Settings sub-item has been migrated to its canonical location, add the redirect:
| Old Route | New Canonical Route |
|---|---|
| `/settings/integrations` | `/integrations` |
| `/settings/integrations/:id` | `/integrations/:id` |
| `/settings/release-control` | `/release-control/setup` |
| `/settings/trust` | `/evidence/trust-signing` |
| `/settings/policy` | `/release-control/governance` |
| `/settings/admin` | `/administration/identity` |
| `/settings/branding` | `/administration/branding` |
| `/settings/notifications` | `/administration/notifications` |
| `/settings/usage` | `/administration/usage` |
| `/settings/system` | `/administration/system` |
| `/settings/offline` | `/administration/offline` |
| `/settings/security-data` | `/integrations/feeds` |
Each redirect must be registered in `legacy-redirects.routes.ts` (or equivalent). Do NOT
remove these redirects — keep them permanently for existing bookmarks and external links.
This task is LAST — only add a redirect AFTER the target route exists and renders.
Completion criteria:
- [x] All 12 redirects registered in the route file
- [x] Each redirect tested: source URL → correct destination
- [x] No 404 for any deprecated route
- [x] Redirects documented in S00_route_deprecation_map.md update
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from QA sweep. Full nav audit from live app cross-referenced with S00 frozen IA. Live nav confirmed as v1 structure. Integrations, Release Control not root menus. Settings not yet renamed to Administration. | QA |
| 2026-02-19 | Final verification complete: canonical root nav, settings decomposition redirects, and administration/integrations/release-control routing validated. | FE Developer |
## Decisions & Risks
- **Breaking risk**: Root nav changes affect every user and every page. Roll out in phases:
1. Phase 1: Add new roots (Release Control, Integrations) alongside existing nav
2. Phase 2: Rename Operations → Platform Ops, Evidence → Evidence & Audit, Security →
Security & Risk, Settings → Administration
3. Phase 3: Move Settings items to canonical locations + add redirects
4. Phase 4: Remove old nav items once redirects are confirmed stable
- **Releases and Approvals shortcut policy**: Per S00_nav_rendering_policy.md, Releases and
Approvals "may be direct nav shortcuts under Release Control group." Do NOT make them
top-level roots — they are shortcuts within Release Control.
- **FORBIDDEN placements** (per S00 authority-matrix.md): Trust in Evidence is OK (allowed);
Policy in Release Control is OK (allowed); System as top-level root is FORBIDDEN.
- **Settings→Administration timeline**: Do not rush the rename — Settings decomposition is
complex. The rename (TASK-06) can happen before all items are migrated, as long as all
`/settings/...` routes continue to work.
## Next Checkpoints
- TASK-01 (nav audit) is a prerequisite — complete this before writing any code.
- TASK-02 (Integrations root) and TASK-03 (Release Control root) are highest priority.
- TASK-04 and TASK-05 (renames) are quick and can be done in parallel with TASK-02/03.
- TASK-07 (redirects) is final — only after all migrations land.

271
docs-archived/implplan/SPRINT_20260219_030_FE_operations_blank_pages_and_route_bugs.md Normal file
View File

@@ -0,0 +1,271 @@
# Sprint 20260219-030 — QA Gap: Operations Section — Blank Pages (Scheduler, Quotas, Health, Dead Letter, Feeds)
## Topic & Scope
- QA pack-tracking gap sprint. Full Operations section sweep via Playwright (2026-02-19).
- 5 out of 6 Operations sub-pages render a completely blank `<main>`. Only the Orchestrator
page renders content — but it contains an internal link with the wrong route prefix.
- Critical UX regressions:
- Status bar "Feed: Live" links to `/operations/feeds` which is blank.
- Status bar "Offline: OK" links to `/settings/offline` which is also blank (see SPRINT_021).
- The Orchestrator "Jobs" link goes to `/orchestrator/jobs` (legacy prefix) instead of
`/operations/orchestrator/jobs`.
- Working directory: `src/Web/StellaOps.Web/src/app/features/platform-ops/` (or wherever
the Operations feature components live under the current routing).
- Expected evidence: All 6 Operations sub-pages render content; internal Orchestrator links
use correct route prefixes; Feeds page shows feed status.
## Dependencies & Concurrency
- SPRINT_20260219_023 (Data Integrity new section) depends on Operations being functional —
Data Integrity is a new Operations sub-section; the existing sub-pages must work first.
- SPRINT_20260219_029 TASK-04 (rename "Operations" → "Platform Ops") depends on these pages
being stable — fix blank pages before renaming.
- TASK-01 (blank page investigation) is the root cause prerequisite for all other tasks.
- TASK-02 through TASK-06 are independent of each other once the root cause is understood.
## Documentation Prerequisites
- `src/Web/StellaOps.Web/src/app/features/platform-ops/` — Operations feature directory
- `src/Web/StellaOps.Web/src/app/routes/` — route definitions for Operations
- `docs/modules/ui/v2-rewire/pack-15.md` — Data Integrity spec (shows what Operations should
eventually contain)
---
## Delivery Tracker
### TASK-01 — Investigate root cause of blank Operations pages
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
QA sweep confirmed the following Operations sub-pages render a completely empty `<main>`:
| Route | Observed title | Nav label | Blank? |
|---|---|---|---|
| `/operations/scheduler` | "StellaOps" | Scheduler | YES |
| `/operations/quotas` | "Stella Ops" | Quotas | YES |
| `/operations/health` | "Stella Ops" | Platform Health | YES |
| `/operations/dead-letter` | "StellaOps" | Dead Letter | YES |
| `/operations/feeds` | "StellaOps" | Feeds | YES |
Working page:
| `/operations/orchestrator` | "Operations - StellaOps" | Orchestrator | Renders (with bugs) |
Title inconsistencies in blank pages: some show "StellaOps", some show "Stella Ops" (with
space) — suggesting some routes have no title defined at all while others partially resolve.
Investigation checklist:
1. Open browser console on each blank page — check for JS errors (module load failures,
injection errors, or unhandled exceptions)
2. Examine the Operations route file — verify each sub-route maps to a component (not just
a path with no component)
3. Check if components exist on disk or if they're placeholder/empty files
4. Verify lazy-loading chunk registration (are component files part of the bundle?)
5. Check for guard or resolver that silently blocks rendering without error
Root cause hypothesis: The Operations feature area likely has component placeholders or
route stubs registered but the actual component implementations are empty or missing.
Completion criteria:
- [x] Root cause documented in Decisions & Risks
- [x] Whether pages need component implementation vs route fix vs lazy-load fix is determined
- [x] Each blank page's component file located (or confirmed missing) on disk
---
### TASK-02 — Fix Operations > Scheduler page
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Per pack-15 and S00_handoff_packet.md, the Scheduler page shows the execution schedule for
all recurring ops jobs (sbom-nightly-rescan, reachability-runtime-ingest, feed-sync, etc.).
At minimum the page must render:
- Page heading: "Scheduler"
- List or table of scheduled jobs: job name, schedule (cron), next run, last run, status
- [Trigger Now] and [Pause] actions per job
- Empty state if no jobs configured: "No scheduled jobs configured."
Route: `/operations/scheduler`
Title: "Scheduler - StellaOps"
Breadcrumb: Operations > Scheduler
Completion criteria:
- [x] Page renders with heading and job list (empty state acceptable)
- [x] Title: "Scheduler - StellaOps"
- [x] Breadcrumb: Operations > Scheduler
- [x] "Scheduler" nav item active when on this page
---
### TASK-03 — Fix Operations > Quotas page
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
The Quotas page shows resource consumption against configured limits. At minimum:
- Page heading: "Quotas"
- Table: resource name, current usage, limit, % used, status
- Resources: scan jobs, replay requests, export runs, API calls
- [Edit Limits] action (admin only)
Route: `/operations/quotas`
Title: "Quotas - StellaOps"
Breadcrumb: Operations > Quotas
Completion criteria:
- [x] Page renders with heading and quota table (empty/zero values acceptable)
- [x] Title: "Quotas - StellaOps"
- [x] Breadcrumb: Operations > Quotas
---
### TASK-04 — Fix Operations > Platform Health page
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
Platform Health shows the health status of all internal services. At minimum:
- Page heading: "Platform Health"
- Service health table: service name, status (healthy/degraded/down), last check, uptime
- Services: Concelier, Scanner, Attestor, Policy, Evidence Locker, Orchestrator, Signals
- Color-coded status indicators
Route: `/operations/health`
Title: "Platform Health - StellaOps"
Breadcrumb: Operations > Platform Health
Completion criteria:
- [x] Page renders with heading and service health table
- [x] Title: "Platform Health - StellaOps"
- [x] Breadcrumb: Operations > Platform Health
---
### TASK-05 — Fix Operations > Dead Letter page
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
The Dead Letter page shows failed/unprocessable messages. At minimum:
- Page heading: "Dead Letter Queue"
- Table: message ID, type, error, timestamp, [Retry] action
- Filter: by type, time window
- Empty state: "No dead letter messages."
- [Retry All] bulk action
Route: `/operations/dead-letter`
Title: "Dead Letter Queue - StellaOps"
Breadcrumb: Operations > Dead Letter
Completion criteria:
- [x] Page renders with heading and DLQ table (empty state acceptable)
- [x] Title: "Dead Letter Queue - StellaOps"
- [x] Breadcrumb: Operations > Dead Letter
---
### TASK-06 — Fix Operations > Feeds page (status bar "Feed: Live" link target)
Status: DONE
Dependency: TASK-01
Owners: FE Developer
Task description:
The Feeds page is the target of the status bar "Feed: Live" indicator link. This is a
high-visibility entry point that currently leads to a blank page.
Per pack-15 and SPRINT_023 context, the Feeds page in Operations shows the air-gap/feed
mirror configuration and sync status. At minimum:
- Page heading: "Feeds & AirGap Operations"
- Feed sources list: name, type (OSV/NVD/KEV/etc.), last sync, status badge
- Each feed: last updated, next scheduled sync, [Force Sync] action
- Air-gap mode toggle or status indicator
Route: `/operations/feeds`
Title: "Feeds & AirGap Operations - StellaOps"
Breadcrumb: Operations > Feeds
Critical: The status bar "Feed: Live" indicator links here — this page MUST render content
so users who click the status bar find useful information.
Completion criteria:
- [x] Page renders with heading and feeds list (empty state acceptable)
- [x] Title: "Feeds & AirGap Operations - StellaOps"
- [x] Breadcrumb: Operations > Feeds
- [x] "Feed: Live" status bar link no longer leads to a blank page
---
### TASK-07 — Fix Orchestrator internal link wrong route prefix
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
The Orchestrator page (`/operations/orchestrator`) renders correctly but contains an internal
navigation link with the wrong route prefix:
Current (broken): "Jobs" → `/orchestrator/jobs`
Correct: "Jobs" → `/operations/orchestrator/jobs` (or `/operations/jobs`)
The link `/orchestrator/jobs` is a legacy route that no longer exists. Clicking it redirects
to the root (or produces a 404). This is the same legacy route prefix issue identified in
prior sprints.
Fix: Update the link in the Orchestrator Dashboard component to use the correct
`/operations/orchestrator/jobs` route (or whichever is the canonical path in the current
route config). Also verify the `jobs` sub-route exists under Operations.
Completion criteria:
- [x] Orchestrator "Jobs" link uses the correct route prefix
- [x] Clicking "Jobs" navigates to a valid route (not redirected to root)
- [x] If `/operations/orchestrator/jobs` does not exist as a route, register it as a stub
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Sprint created from Playwright QA sweep (session 3). Full Operations section sweep. 5/6 pages blank. Orchestrator renders but has wrong internal route `/orchestrator/jobs`. Status bar "Feed: Live" links to blank /operations/feeds page — critical UX failure. | QA |
| 2026-02-19 | Final verification complete: platform-ops pages no longer blank; feeds/status links and orchestrator jobs route behavior validated. | FE Developer |
## Decisions & Risks
- **Blast radius**: The Operations section is used by admins. All 5 blank pages represent
complete feature unavailability. This is a higher-severity issue than missing features —
features that exist in the nav and are inaccessible are worse than missing nav items.
- **Status bar links to blank pages**: Both "Feed: Live" (→ `/operations/feeds`) and
"Offline: OK" (→ `/settings/offline`, see SPRINT_021 TASK-05) are prominent status
indicators that link to blank pages. These are among the first things admins click
when troubleshooting. Fix TASK-06 and SPRINT_021 TASK-05 before any other polish work.
- **Root cause likely same for all 5 blank pages**: Given all 5 Operations sub-pages are
blank while the 6th (Orchestrator) works, the root cause is likely a component
registration pattern where Orchestrator has a complete component but the others have
empty/stub implementations that fail silently.
- **Title "Stella Ops" vs "StellaOps" vs nothing**: The inconsistent title formats across
blank pages (some "StellaOps", some "Stella Ops" with space) indicate different
generations or templates used to create the route stubs.
## Next Checkpoints
- TASK-01 (root cause) must be done first — results determine implementation strategy.
- TASK-06 (Feeds page) is highest priority due to the status bar regression.
- TASK-07 (Orchestrator route fix) is a quick fix that should be done immediately.
- TASK-02 through TASK-05 can be done in parallel once TASK-01 is complete.

112
docs-archived/implplan/SPRINT_20260220_001_Symbols_marketplace_contracts_and_persistence.md Normal file
View File

@@ -0,0 +1,112 @@
# Sprint 20260220_001 - Symbol Marketplace: Contracts and Persistence
## Topic & Scope
- Establish the domain model and persistence layer for the Symbol/Debug Pack Marketplace.
- Create `StellaOps.Symbols.Marketplace` project with source registry, catalog, freshness, and trust scoring models.
- Add repository interfaces and in-memory implementations for marketplace data access.
- Add `SymbolSource = 7` integration type to the integration enum.
- Working directory: `src/Symbols/StellaOps.Symbols.Marketplace/` and `src/Integrations/__Libraries/StellaOps.Integrations.Core/`.
- Expected evidence: unit tests for trust scoring and model construction, compilable project.
## Dependencies & Concurrency
- No upstream sprint dependencies.
- Safe to parallelize with Sprint 002 (API) once models are stable.
## Documentation Prerequisites
- `docs/modules/platform/moat-gap-analysis.md` (symbol proof score context).
- `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/AdvisorySourceReadRepository.cs` (pattern reference for freshness repository).
## Delivery Tracker
### MKT-01 - Domain models for Symbol Marketplace
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `Models/SymbolPackSource.cs` — registry of symbol providers (vendor/distro/community/partner).
- Create `Models/SymbolPackCatalogEntry.cs` — catalog entry for installable packs.
- Create `Models/SymbolSourceFreshnessRecord.cs` — freshness projection mirroring advisory source pattern.
- Create `Models/SymbolSourceTrustScore.cs` — four-dimension trust scoring record.
Completion criteria:
- [x] All four model files compile under `StellaOps.Symbols.Marketplace` namespace
- [x] Models follow record pattern consistent with existing codebase
### MKT-02 - Create Marketplace project file
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `StellaOps.Symbols.Marketplace.csproj` targeting net10.0.
Completion criteria:
- [x] Project file exists and builds
### MKT-03 - Repository interfaces and implementations
Status: DONE
Dependency: MKT-01
Owners: Developer
Task description:
- Create `ISymbolSourceReadRepository.cs` with source listing and freshness retrieval.
- Create `IMarketplaceCatalogRepository.cs` with catalog listing, search, install/uninstall.
Completion criteria:
- [x] Interfaces are defined with async methods
- [x] Methods mirror AdvisorySourceReadRepository pattern
### MKT-04 - Trust scorer interface and implementation
Status: DONE
Dependency: MKT-01
Owners: Developer
Task description:
- Create `ISymbolSourceTrustScorer` interface.
- Implement `DefaultSymbolSourceTrustScorer` with weighted scoring: Freshness=0.3, Signature=0.3, Coverage=0.2, SLA=0.2.
Completion criteria:
- [x] Scorer produces correct weighted averages
- [x] Unit tests verify four-dimension scoring
### MKT-05 - Add IntegrationType.SymbolSource
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `SymbolSource = 7` to `IntegrationType` enum.
- Add provider values: `MicrosoftSymbols = 700, UbuntuDebuginfod = 701, FedoraDebuginfod = 702, DebianDebuginfod = 703, PartnerSymbols = 704`.
Completion criteria:
- [x] Enum values added without breaking existing assignments
- [x] Project compiles
### MKT-06 - Unit tests for marketplace models and scorer
Status: DONE
Dependency: MKT-01, MKT-04
Owners: Developer
Task description:
- Create `SymbolSourceTrustScorerTests.cs` — test four-dimension scoring logic.
- Create `SymbolSourceFreshnessRecordTests.cs` — test model construction.
- Create `SymbolPackCatalogEntryTests.cs` — test model construction.
Completion criteria:
- [x] All tests pass
- [x] Scorer tests verify boundary values and weighted averages
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Trust score weights (0.3/0.3/0.2/0.2) are initial values; may need tuning based on production feedback.
- Freshness pattern mirrors advisory sources to maintain architectural consistency.
## Next Checkpoints
- Models and tests complete before API sprint (002) begins endpoint wiring.

71
docs-archived/implplan/SPRINT_20260220_002_Symbols_marketplace_api_and_cli.md Normal file
View File

@@ -0,0 +1,71 @@
# Sprint 20260220_002 - Symbol Marketplace: API and CLI
## Topic & Scope
- Expose Symbol Marketplace functionality via HTTP API endpoints.
- Create SymbolSourceEndpoints extension method following the ReleaseControlEndpoints pattern.
- Wire endpoints into the Symbols Server Program.cs.
- Working directory: `src/Symbols/StellaOps.Symbols.Server/`.
- Expected evidence: endpoints compile and are wired into the application.
## Dependencies & Concurrency
- Depends on Sprint 001 (MKT-01 through MKT-04) for domain models and repository interfaces.
- Safe to parallelize with Sprint 003 (UI) once endpoint contracts are stable.
## Documentation Prerequisites
- `src/Platform/StellaOps.Platform.WebService/Endpoints/ReleaseControlEndpoints.cs` (pattern reference).
- Sprint 001 models and interfaces.
## Delivery Tracker
### MKT-07 - Symbol Source endpoints
Status: DONE
Dependency: MKT-03
Owners: Developer
Task description:
- Create `Endpoints/SymbolSourceEndpoints.cs` with IEndpointRouteBuilder extension.
- Implement source CRUD: list, get by ID, create, update, disable.
- Implement summary and freshness detail endpoints.
Completion criteria:
- [x] All source endpoints defined under `/api/v1/symbols/sources`
- [x] Follows MapGroup + WithTags pattern
### MKT-08 - Marketplace catalog endpoints
Status: DONE
Dependency: MKT-03
Owners: Developer
Task description:
- Add marketplace catalog endpoints: list, search, get detail, install, uninstall, list installed, trigger sync.
Completion criteria:
- [x] All catalog endpoints defined under `/api/v1/symbols/marketplace`
- [x] Install/uninstall return appropriate status codes
### MKT-09 - Wire endpoints into Program.cs
Status: DONE
Dependency: MKT-07, MKT-08
Owners: Developer
Task description:
- Add `app.MapSymbolSourceEndpoints()` call to `src/Symbols/StellaOps.Symbols.Server/Program.cs`.
- Add project reference to Marketplace project in Server csproj.
Completion criteria:
- [x] Endpoints are reachable when server starts
- [x] Server project compiles with new reference
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Endpoints follow the existing Symbols Server inline pattern but use extension method for new marketplace surface.
- Authentication follows existing RequireAuthorization pattern.
## Next Checkpoints
- API surface stable before UI sprint (003) begins binding.

98
docs-archived/implplan/SPRINT_20260220_003_FE_symbol_sources_marketplace_ui.md Normal file
View File

@@ -0,0 +1,98 @@
# Sprint 20260220_003 - FE: Symbol Sources Marketplace UI
## Topic & Scope
- Build Angular UI components for the Symbol Sources and Marketplace features.
- Create API service, list/detail/catalog components, routes, and sidebar entries.
- Working directory: `src/Web/StellaOps.Web/src/app/`.
- Expected evidence: components render, routes navigate correctly.
## Dependencies & Concurrency
- Depends on Sprint 002 (MKT-07 through MKT-09) for API endpoint contracts.
- Safe to parallelize documentation (Sprint 004).
## Documentation Prerequisites
- `src/Web/StellaOps.Web/src/app/features/security-risk/advisory-sources.component.ts` (pattern reference).
- `src/Web/StellaOps.Web/src/app/routes/security-risk.routes.ts` (route structure).
## Delivery Tracker
### MKT-14 - Symbol Sources API service
Status: DONE
Dependency: MKT-07
Owners: Developer
Task description:
- Create `features/security-risk/symbol-sources/symbol-sources.api.ts`.
- Define TypeScript interfaces mirroring backend models.
- Implement service methods: listSources, getSourceSummary, listCatalog, installPack, uninstallPack.
Completion criteria:
- [x] Service injectable and compilable
- [x] All endpoint paths match backend API surface
### MKT-15 - Symbol Sources list component
Status: DONE
Dependency: MKT-14
Owners: Developer
Task description:
- Create `features/security-risk/symbol-sources/symbol-sources-list.component.ts`.
- Standalone Angular component with freshness summary cards and source table.
- Follow advisory-sources component pattern.
Completion criteria:
- [x] Component renders summary cards and table
- [x] Freshness status badges use state machine colors
### MKT-16 - Symbol Source detail component
Status: DONE
Dependency: MKT-14
Owners: Developer
Task description:
- Create `features/security-risk/symbol-sources/symbol-source-detail.component.ts`.
- Show status timeline, pack coverage, trust breakdown for a single source.
Completion criteria:
- [x] Component loads source by ID from route parameter
- [x] Trust score dimensions displayed
### MKT-17 - Symbol Marketplace catalog component
Status: DONE
Dependency: MKT-14
Owners: Developer
Task description:
- Create `features/security-risk/symbol-sources/symbol-marketplace-catalog.component.ts`.
- Search/filter catalog entries with install/uninstall buttons.
Completion criteria:
- [x] Component renders catalog grid with search
- [x] Install/uninstall actions trigger API calls
### MKT-18 - Routes and sidebar integration
Status: DONE
Dependency: MKT-15, MKT-16, MKT-17
Owners: Developer
Task description:
- Add symbol-sources and symbol-marketplace routes to `routes/security-risk.routes.ts`.
- Add sidebar items under security-risk section in `app-sidebar.component.ts`.
Completion criteria:
- [x] Routes navigate to correct components
- [x] Sidebar shows Symbol Sources and Symbol Marketplace items
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Components follow advisory-sources pattern for consistency.
- Standalone components with inject() for DI, signals where appropriate.
## Next Checkpoints
- UI functional before documentation sprint (004) finalizes architecture docs.

67
docs-archived/implplan/SPRINT_20260220_004_DOCS_symbol_marketplace_architecture_and_moat.md Normal file
View File

@@ -0,0 +1,67 @@
# Sprint 20260220_004 - DOCS: Symbol Marketplace Architecture and Moat
## Topic & Scope
- Document the Symbol Marketplace architecture, primitives, DB schema, API surface, and integration points.
- Update moat gap analysis to reflect improved symbol proof score.
- Update moat strategy summary with Symbol Marketplace thesis.
- Working directory: `docs/`.
- Expected evidence: architecture doc, updated moat docs.
## Dependencies & Concurrency
- Depends on Sprints 001-003 for implementation details.
- Safe to start architecture doc skeleton early.
## Documentation Prerequisites
- `docs/modules/platform/moat-gap-analysis.md` (current symbol proof score).
- `docs/product/moat-strategy-summary.md` (moat enhancement roadmap).
## Delivery Tracker
### MKT-20 - Create marketplace architecture doc
Status: DONE
Dependency: MKT-01, MKT-07
Owners: Documentation Author
Task description:
- Create `docs/modules/symbols/marketplace-architecture.md`.
- Document architecture overview, domain primitives, DB schema, API surface, integration points, trust scoring model.
Completion criteria:
- [x] Architecture doc covers all marketplace components
- [x] API surface matches implemented endpoints
### MKT-21 - Update moat gap analysis
Status: DONE
Dependency: MKT-20
Owners: Documentation Author
Task description:
- Update `docs/modules/platform/moat-gap-analysis.md` — update symbolized call-stack proofs score from 85% to 95%.
Completion criteria:
- [x] Score updated with rationale
### MKT-22 - Update moat strategy summary
Status: DONE
Dependency: MKT-20
Owners: Documentation Author
Task description:
- Update `docs/product/moat-strategy-summary.md` — add Symbol Marketplace thesis under moat enhancement roadmap.
Completion criteria:
- [x] Symbol Marketplace referenced in strategy document
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Architecture doc structure follows existing module dossier pattern.
- Moat score increase from 85% to 95% reflects marketplace + trust scoring additions.
## Next Checkpoints
- All docs reviewed and consistent with implementation.

132
docs-archived/implplan/SPRINT_20260220_005_Telemetry_federated_privacy_primitives.md Normal file
View File

@@ -0,0 +1,132 @@
# Sprint 20260220-005 -- Telemetry: Federated Privacy Primitives
## Topic & Scope
- Build the core privacy-preserving primitives for federated runtime telemetry.
- Differential privacy budget tracking, k-anonymity aggregation, consent management, and bundle building.
- Working directory: `src/Telemetry/StellaOps.Telemetry.Federation/`
- Expected evidence: unit tests for all primitives, deterministic aggregation with seeded RNG.
## Dependencies & Concurrency
- No upstream sprint dependencies; this is the foundation for Sprints 006-009.
- Safe to implement in parallel with non-Telemetry sprints.
## Documentation Prerequisites
- `docs/modules/telemetry/federation-architecture.md` (created in Sprint 009)
- Existing `src/Telemetry/StellaOps.Telemetry.Core/` DI patterns
## Delivery Tracker
### FPT-01 - Project skeleton
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `StellaOps.Telemetry.Federation.csproj` targeting net10.0.
- Create `FederationServiceCollectionExtensions.cs` with DI registrations for all federation services.
- Create `FederatedTelemetryOptions.cs` with configurable k-anonymity threshold, epsilon budget, reset period, aggregation interval, sealed mode flag, and predicate types.
Completion criteria:
- [x] Project builds successfully
- [x] DI extension registers all five services
- [x] Options class has all required properties with defaults
### FPT-02 - Privacy budget tracker
Status: DONE
Dependency: FPT-01
Owners: Developer
Task description:
- Create `Privacy/IPrivacyBudgetTracker.cs` interface with RemainingEpsilon, TotalBudget, IsBudgetExhausted, TrySpend, Reset, GetSnapshot.
- Create `Privacy/PrivacyBudgetTracker.cs` implementation using thread-safe Interlocked operations.
- Include Laplacian noise helper method.
- Create `Privacy/PrivacyBudgetSnapshot.cs` record type.
Completion criteria:
- [x] Thread-safe budget tracking with atomic operations
- [x] Laplacian noise helper produces correct distribution
- [x] Budget exhaustion prevents further spending
### FPT-03 - Telemetry aggregator
Status: DONE
Dependency: FPT-01
Owners: Developer
Task description:
- Create `Aggregation/ITelemetryAggregator.cs` interface.
- Create `Aggregation/TelemetryAggregator.cs` implementation applying k-anonymity suppression and Laplacian noise.
- Create record types: TelemetryFact, AggregationBucket, AggregationResult.
Completion criteria:
- [x] K-anonymity suppresses buckets below threshold
- [x] Laplacian noise added to surviving bucket counts
- [x] Epsilon spending tracked via IPrivacyBudgetTracker
### FPT-04 - Consent manager
Status: DONE
Dependency: FPT-01
Owners: Developer
Task description:
- Create `Consent/IConsentManager.cs` interface with GetConsentState, GrantConsent, RevokeConsent.
- Create `Consent/ConsentManager.cs` in-memory implementation with TTL support.
- Create record types: ConsentState, ConsentProof.
Completion criteria:
- [x] Grant/revoke lifecycle works correctly
- [x] TTL expiry transitions consent to revoked
- [x] DSSE digest placeholder generated for proof
### FPT-05 - Federated bundle builder
Status: DONE
Dependency: FPT-01
Owners: Developer
Task description:
- Create `Bundles/IFederatedTelemetryBundleBuilder.cs` interface with Build and Verify methods.
- Create `Bundles/FederatedTelemetryBundleBuilder.cs` implementation.
- Create FederatedBundle record type.
Completion criteria:
- [x] Build produces a bundle from aggregation + consent proof
- [x] Verify round-trips successfully
- [x] Bundle includes DSSE digest placeholders
### FPT-06 - Register predicates
Status: DONE
Dependency: FPT-01
Owners: Developer
Task description:
- Document predicate types `stella.ops/federatedConsent@v1` and `stella.ops/federatedTelemetry@v1` in sprint decisions.
- Actual registration deferred to Attestor migration pattern.
Completion criteria:
- [x] Predicate types documented in Decisions & Risks section
### FPT-07 - Unit tests
Status: DONE
Dependency: FPT-02, FPT-03, FPT-04, FPT-05
Owners: Developer
Task description:
- Create `StellaOps.Telemetry.Federation.Tests/` test project.
- `PrivacyBudgetTrackerTests.cs` -- budget exhaustion, reset, spend tracking.
- `TelemetryAggregatorTests.cs` -- k-suppression, noise addition, deterministic with fixed seed.
- `ConsentManagerTests.cs` -- grant/revoke lifecycle, TTL expiry.
- `FederatedTelemetryBundleBuilderTests.cs` -- build + verify round-trip.
Completion criteria:
- [x] All tests pass
- [x] Deterministic aggregation tests use fixed seed
- [x] Budget exhaustion scenario covered
- [x] Consent TTL expiry scenario covered
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Predicate types: `stella.ops/federatedConsent@v1` and `stella.ops/federatedTelemetry@v1` will be registered via the existing Attestor predicate schema registry migration pattern (FPT-06).
- Laplacian noise uses standard double-precision arithmetic; acceptable for telemetry privacy guarantees.
- In-memory consent manager is sufficient for MVP; persistent store deferred to follow-up sprint.
## Next Checkpoints
- Sprint 006 depends on all primitives being available.
- Sprint 009 (docs) should reference the final API surface.

102
docs-archived/implplan/SPRINT_20260220_006_Telemetry_federation_sync_and_intelligence.md Normal file
View File

@@ -0,0 +1,102 @@
# Sprint 20260220-006 -- Telemetry: Federation Sync and Intelligence
## Topic & Scope
- Implement background sync service and exploit intelligence merging for federated telemetry.
- Working directory: `src/Telemetry/StellaOps.Telemetry.Federation/`
- Expected evidence: sync service lifecycle, intelligence normalization, egress policy integration.
## Dependencies & Concurrency
- Upstream: Sprint 005 (privacy primitives must be available).
- Safe to implement in parallel with Sprints 007-009 once primitives exist.
## Documentation Prerequisites
- Sprint 005 completion (IPrivacyBudgetTracker, ITelemetryAggregator, IConsentManager, IFederatedTelemetryBundleBuilder)
## Delivery Tracker
### FTS-01 - Federated sync service
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `Sync/FederatedTelemetrySyncService.cs` as a BackgroundService.
- Periodically aggregates telemetry facts, checks consent, builds bundles, and syncs to federation peers.
- Respects privacy budget exhaustion and sealed mode.
Completion criteria:
- [x] BackgroundService lifecycle (start/stop/cancellation)
- [x] Aggregation triggered on configurable interval
- [x] Consent check before bundle creation
- [x] Budget exhaustion halts sync cycle
### FTS-02 - Exploit intelligence merger interface
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `Intelligence/IExploitIntelligenceMerger.cs` interface for merging shared exploit corpus from federation peers.
- Create `Intelligence/ExploitIntelligenceMerger.cs` implementation.
Completion criteria:
- [x] Merge produces deduplicated exploit intelligence
- [x] Conflict resolution by latest observation timestamp
### FTS-03 - Intelligence normalizer
Status: DONE
Dependency: FTS-02
Owners: Developer
Task description:
- Create `Intelligence/FederatedIntelligenceNormalizer.cs` to normalize incoming exploit data from heterogeneous federation peers.
Completion criteria:
- [x] CVE ID normalization
- [x] Artifact digest format normalization
- [x] Timestamp UTC normalization
### FTS-04 - Egress policy integration
Status: DONE
Dependency: FTS-01
Owners: Developer
Task description:
- Create `Sync/EgressPolicyIntegration.cs` to validate outbound federation traffic against the platform egress policy.
Completion criteria:
- [x] Egress check before outbound bundle transmission
- [x] Blocked egress logged and bundle marked as pending
### FTS-05 - Sync service DI registration
Status: DONE
Dependency: FTS-01, FTS-02, FTS-03, FTS-04
Owners: Developer
Task description:
- Extend `FederationServiceCollectionExtensions.cs` to register sync and intelligence services.
Completion criteria:
- [x] All sync/intelligence services registered in DI
### FTS-06 - Unit tests for sync and intelligence
Status: DONE
Dependency: FTS-01, FTS-02, FTS-03, FTS-04
Owners: Developer
Task description:
- Add tests for sync service lifecycle, intelligence merging, normalization, and egress policy.
Completion criteria:
- [x] Sync service start/stop tests
- [x] Intelligence merge deduplication test
- [x] Normalizer format tests
- [x] Egress blocked scenario test
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Sync service uses configurable interval from FederatedTelemetryOptions.AggregationInterval.
- Egress policy integration reuses existing IEgressPolicy from AirGap module.
## Next Checkpoints
- Sprint 007 API endpoints depend on sync service availability.

99
docs-archived/implplan/SPRINT_20260220_007_Telemetry_federation_api_cli_doctor.md Normal file
View File

@@ -0,0 +1,99 @@
# Sprint 20260220-007 -- Telemetry: Federation API, CLI, Doctor
## Topic & Scope
- Expose federated telemetry capabilities via Platform WebService REST endpoints.
- Add authorization scopes and policies for federation management.
- Working directory: `src/Platform/StellaOps.Platform.WebService/`
- Expected evidence: endpoint tests, scope/policy constants, endpoint registration in Program.cs.
## Dependencies & Concurrency
- Upstream: Sprint 005 (privacy primitives), Sprint 006 (sync/intelligence).
- Can scaffold endpoints while primitives are being built.
## Documentation Prerequisites
- Existing endpoint patterns in `src/Platform/StellaOps.Platform.WebService/Endpoints/ReleaseControlEndpoints.cs`
- Existing scope/policy patterns in `Constants/PlatformScopes.cs` and `Constants/PlatformPolicies.cs`
## Delivery Tracker
### FAC-01 - Federation telemetry endpoints
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `Endpoints/FederationTelemetryEndpoints.cs` with endpoints:
- GET /api/v1/telemetry/federation/consent -- get consent state
- POST /api/v1/telemetry/federation/consent/grant -- grant consent
- POST /api/v1/telemetry/federation/consent/revoke -- revoke consent
- GET /api/v1/telemetry/federation/status -- federation status
- GET /api/v1/telemetry/federation/bundles -- list bundles
- GET /api/v1/telemetry/federation/bundles/{id} -- bundle detail
- GET /api/v1/telemetry/federation/intelligence -- exploit corpus
- GET /api/v1/telemetry/federation/privacy-budget -- budget snapshot
- POST /api/v1/telemetry/federation/trigger -- trigger aggregation
Completion criteria:
- [x] All 9 endpoints implemented
- [x] Proper authorization policies applied
- [x] Error handling follows existing patterns
### FAC-02 - Authorization scopes
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `FederationRead` and `FederationManage` scopes to `PlatformScopes.cs`.
- Add `FederationRead` and `FederationManage` policies to `PlatformPolicies.cs`.
Completion criteria:
- [x] Scopes added to PlatformScopes
- [x] Policies added to PlatformPolicies
- [x] Read endpoints use FederationRead
- [x] Write endpoints use FederationManage
### FAC-03 - Endpoint registration
Status: DONE
Dependency: FAC-01, FAC-02
Owners: Developer
Task description:
- Register `MapFederationTelemetryEndpoints()` in Platform WebService Program.cs.
Completion criteria:
- [x] Endpoints registered in app pipeline
### FAC-04 - Endpoint contract models
Status: DONE
Dependency: FAC-01
Owners: Developer
Task description:
- Create request/response models for federation endpoints in `Contracts/FederationTelemetryModels.cs`.
Completion criteria:
- [x] All request/response DTOs defined
- [x] Models match federation primitive types
### FAC-05 - Endpoint tests
Status: DONE
Dependency: FAC-01, FAC-02, FAC-03, FAC-04
Owners: Developer
Task description:
- Create `FederationTelemetryEndpointsTests.cs` in Platform test project.
Completion criteria:
- [x] Tests for consent grant/revoke lifecycle
- [x] Tests for bundle listing
- [x] Tests for privacy budget snapshot
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Endpoint pattern follows ReleaseControlEndpoints.cs conventions.
- PlatformRequestContextResolver reused for tenant resolution.
## Next Checkpoints
- Sprint 008 UI depends on these endpoints being available.

121
docs-archived/implplan/SPRINT_20260220_008_FE_telemetry_federation_ui.md Normal file
View File

@@ -0,0 +1,121 @@
# Sprint 20260220-008 -- FE: Telemetry Federation UI
## Topic & Scope
- Build Angular UI for federated telemetry management under Platform Ops.
- Overview dashboard, consent management, bundle explorer, intelligence viewer, privacy budget monitor.
- Working directory: `src/Web/StellaOps.Web/src/app/`
- Expected evidence: components render, routes navigate, API service calls backend.
## Dependencies & Concurrency
- Upstream: Sprint 007 (API endpoints must be available).
- Safe to scaffold components before API is complete.
## Documentation Prerequisites
- Existing component patterns in `src/Web/StellaOps.Web/src/app/features/platform-ops/`
- Route patterns in `src/Web/StellaOps.Web/src/app/routes/platform-ops.routes.ts`
- Sidebar patterns in `src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.ts`
## Delivery Tracker
### FUI-01 - Federation routes
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add P10 federation telemetry routes to `routes/platform-ops.routes.ts`.
- Five routes: overview, consent, bundles, intelligence, privacy.
Completion criteria:
- [x] All 5 routes added under P10 section
- [x] Lazy-loaded components
- [x] Breadcrumb data set
### FUI-02 - Sidebar navigation item
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Federation sidebar item under platform-ops children in `app-sidebar.component.ts`.
Completion criteria:
- [x] Federation item visible under Platform Ops group
- [x] Route points to /platform-ops/federation-telemetry
### FUI-03 - API service
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `features/platform-ops/federation-telemetry/federation-telemetry.api.ts`.
- Service calls /api/v1/telemetry/federation/* endpoints.
Completion criteria:
- [x] All endpoint methods defined
- [x] Typed request/response interfaces
- [x] HttpClient injection
### FUI-04 - Federation overview component
Status: DONE
Dependency: FUI-03
Owners: Developer
Task description:
- Create `features/platform-ops/federation-telemetry/federation-overview.component.ts`.
- Dashboard with status cards, consent state, budget gauge, bundle history.
Completion criteria:
- [x] Standalone component with OnPush strategy
- [x] Status cards for consent, budget, bundle count
- [x] Navigation links to sub-pages
### FUI-05 - Consent management component
Status: DONE
Dependency: FUI-03
Owners: Developer
Task description:
- Create `features/platform-ops/federation-telemetry/consent-management.component.ts`.
- Grant/revoke UI with DSSE proof display.
Completion criteria:
- [x] Grant button triggers API call
- [x] Revoke button triggers API call
- [x] Current consent state displayed
- [x] DSSE digest shown when granted
### FUI-06 - Bundle explorer component
Status: DONE
Dependency: FUI-03
Owners: Developer
Task description:
- Create `features/platform-ops/federation-telemetry/bundle-explorer.component.ts`.
- Table of bundles with verification status.
Completion criteria:
- [x] Bundle list table with columns: ID, site, created, verified
- [x] Click navigates to detail view
### FUI-07 - Intelligence viewer and privacy monitor components
Status: DONE
Dependency: FUI-03
Owners: Developer
Task description:
- Create `features/platform-ops/federation-telemetry/intelligence-viewer.component.ts` -- table of shared exploit corpus.
- Create `features/platform-ops/federation-telemetry/privacy-budget-monitor.component.ts` -- epsilon gauge, suppression stats, k-anonymity history.
Completion criteria:
- [x] Intelligence viewer displays CVE table
- [x] Privacy monitor shows epsilon remaining gauge
- [x] Suppression stats displayed
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Angular standalone components with signals and OnPush change detection per codebase convention.
- Lazy loading for all federation sub-routes.
## Next Checkpoints
- Sprint 009 documentation references UI component paths.

96
docs-archived/implplan/SPRINT_20260220_009_DOCS_telemetry_federation_architecture.md Normal file
View File

@@ -0,0 +1,96 @@
# Sprint 20260220-009 -- DOCS: Telemetry Federation Architecture
## Topic & Scope
- Create architecture documentation, predicate schemas, consent proof schema, and operational runbook for federated telemetry.
- Working directory: `docs/`
- Expected evidence: complete architecture doc, contract schemas, operational runbook.
## Dependencies & Concurrency
- Upstream: Sprints 005-008 (implementation must be substantially complete for accurate docs).
- Can scaffold documentation structure in parallel with implementation.
## Documentation Prerequisites
- Implementation details from Sprints 005-008.
- Existing docs patterns in `docs/modules/`, `docs/contracts/`, `docs/runbooks/`.
## Delivery Tracker
### FDC-01 - Federation architecture document
Status: DONE
Dependency: none
Owners: Documentation
Task description:
- Create `docs/modules/telemetry/federation-architecture.md`.
- Cover: privacy model, k-anonymity, differential privacy, consent flow, sync lifecycle, intelligence merging, bundle format, sealed mode behavior.
Completion criteria:
- [x] Architecture overview with data flow diagram
- [x] Privacy guarantees section
- [x] Consent lifecycle section
- [x] Sync service behavior section
- [x] Intelligence merging section
### FDC-02 - Federated telemetry predicate schema
Status: DONE
Dependency: none
Owners: Documentation
Task description:
- Create `docs/contracts/federated-telemetry-v1.md`.
- Define `stella.ops/federatedTelemetry@v1` predicate schema.
Completion criteria:
- [x] Schema definition with all fields
- [x] Validation rules
- [x] Example payload
### FDC-03 - Federated consent predicate schema
Status: DONE
Dependency: none
Owners: Documentation
Task description:
- Create `docs/contracts/federated-consent-v1.md`.
- Define `stella.ops/federatedConsent@v1` predicate schema.
Completion criteria:
- [x] Schema definition with all fields
- [x] Consent lifecycle states
- [x] Example payload
### FDC-04 - Operational runbook
Status: DONE
Dependency: none
Owners: Documentation
Task description:
- Create `docs/runbooks/federated-telemetry-operations.md`.
- Cover: enabling federation, consent management, budget monitoring, troubleshooting sync failures, sealed mode operations.
Completion criteria:
- [x] Enable/disable federation procedure
- [x] Consent management procedures
- [x] Budget monitoring and reset procedures
- [x] Sync failure troubleshooting
### FDC-05 - Cross-reference updates
Status: DONE
Dependency: FDC-01, FDC-02, FDC-03, FDC-04
Owners: Documentation
Task description:
- Update `docs/README.md` to reference new federation docs.
- Ensure federation architecture is linked from telemetry module index.
Completion criteria:
- [x] README updated with federation section
- [x] Cross-references validated
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Documentation created based on implementation; any implementation changes require doc updates.
## Next Checkpoints
- All docs complete before feature is considered shipped.

120
docs-archived/implplan/SPRINT_20260220_010_Remediation_registry_and_persistence.md Normal file
View File

@@ -0,0 +1,120 @@
# Sprint 20260220-010 — Remediation Registry and Persistence
## Topic & Scope
- Create the `src/Remediation/` module skeleton with Core, WebService, Persistence, and Tests projects.
- Define domain models: FixTemplate, PrSubmission, Contributor, MarketplaceSource.
- Create SQL migration for remediation schema.
- Implement IRemediationRegistry, IContributorTrustScorer, and repository interfaces.
- Working directory: `src/Remediation/`.
- Expected evidence: compilable projects, passing unit tests, SQL migration.
## Dependencies & Concurrency
- No upstream sprint dependencies.
- Can run in parallel with Sprints 011-015.
## Documentation Prerequisites
- `docs/modules/remediation/architecture.md` (created in Sprint 015).
## Delivery Tracker
### REM-01 - Module skeleton and .csproj files
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `src/Remediation/StellaOps.Remediation.Core/StellaOps.Remediation.Core.csproj` (net10.0, classlib)
- Create `src/Remediation/StellaOps.Remediation.WebService/StellaOps.Remediation.WebService.csproj` (net10.0, web)
- Create `src/Remediation/StellaOps.Remediation.Persistence/StellaOps.Remediation.Persistence.csproj` (net10.0, classlib)
- Create `src/Remediation/__Tests/StellaOps.Remediation.Tests/StellaOps.Remediation.Tests.csproj` (net10.0, test)
Completion criteria:
- [x] All four .csproj files exist and target net10.0
- [x] `dotnet build` succeeds for each project
### REM-02 - Domain models
Status: DONE
Dependency: REM-01
Owners: Developer
Task description:
- Create FixTemplate.cs, PrSubmission.cs, Contributor.cs, MarketplaceSource.cs in Core/Models/
Completion criteria:
- [x] All four model records exist with documented properties
- [x] Models compile without warnings
### REM-03 - SQL migration
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `001_remediation_registry_schema.sql` with tables: fix_templates, pr_submissions, contributors, marketplace_sources
- Include indexes on cve_id, purl, status
Completion criteria:
- [x] Migration file exists with all four tables
- [x] Indexes created for query-hot columns
### REM-04 - IRemediationRegistry interface and repository implementations
Status: DONE
Dependency: REM-02
Owners: Developer
Task description:
- Define IRemediationRegistry in Core/Abstractions/
- Create IFixTemplateRepository and PostgresFixTemplateRepository in Persistence/
- Create IPrSubmissionRepository and PostgresPrSubmissionRepository in Persistence/
Completion criteria:
- [x] Interface defines CRUD for templates and submissions
- [x] Repository interfaces and Postgres stubs exist
### REM-05 - IContributorTrustScorer
Status: DONE
Dependency: REM-02
Owners: Developer
Task description:
- Define IContributorTrustScorer in Core/Abstractions/
- Implement ContributorTrustScorer in Core/Services/
- Score formula: (verified * 1.0 - rejected * 0.5) / max(total, 1) clamped to [0, 1]
- Trust tiers: trusted (>0.8), established (>0.5), new (>0.2), untrusted
Completion criteria:
- [x] Interface and implementation exist
- [x] Unit tests validate score calculation and tier assignment
### REM-06 - WebService endpoints
Status: DONE
Dependency: REM-04
Owners: Developer
Task description:
- Create RemediationRegistryEndpoints.cs with template and submission CRUD
- Create RemediationMatchEndpoints.cs for CVE/PURL matching
- Create RemediationSourceEndpoints.cs for marketplace source management
- Create RemediationContractModels.cs for API DTOs
Completion criteria:
- [x] All endpoint classes compile
- [x] Routes follow /api/v1/remediation/* pattern
### REM-07 - Auth policies
Status: DONE
Dependency: REM-06
Owners: Developer
Task description:
- Add remediation.read, remediation.submit, remediation.manage authorization policies
Completion criteria:
- [x] Policies registered in Program.cs
- [x] Endpoints use RequireAuthorization
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- New top-level module under src/Remediation/ — follows existing module patterns.
## Next Checkpoints
- Module compiles and tests pass.

54
docs-archived/implplan/SPRINT_20260220_011_Signals_remediation_webhook_handler.md Normal file
View File

@@ -0,0 +1,54 @@
# Sprint 20260220-011 — Signals Remediation Webhook Handler
## Topic & Scope
- Add remediation PR detection to the Signals webhook pipeline.
- Detect PRs by title convention `fix(CVE-XXXX):` or label `stella-ops/remediation`.
- Extract CVE IDs and create PrSubmission records.
- Working directory: `src/Signals/StellaOps.Signals/`.
- Expected evidence: webhook handler service, unit tests.
## Dependencies & Concurrency
- Depends on Sprint 010 (Core models for PrSubmission).
- Can run in parallel with Sprints 012-015.
## Documentation Prerequisites
- Sprint 010 domain models.
## Delivery Tracker
### REM-08 - RemediationPrWebhookHandler service
Status: DONE
Dependency: REM-02 (Sprint 010)
Owners: Developer
Task description:
- Create `src/Signals/StellaOps.Signals/Services/RemediationPrWebhookHandler.cs`
- Implement IsRemediationPr() detection by title prefix and label
- Implement ExtractCveId() with regex extraction
Completion criteria:
- [x] Handler detects remediation PRs by title and label
- [x] CVE ID extraction works for standard CVE format
### REM-09 - Webhook handler unit tests
Status: DONE
Dependency: REM-08
Owners: Developer
Task description:
- Add tests for IsRemediationPr and ExtractCveId in Signals test project
Completion criteria:
- [x] Tests cover title-based detection, label-based detection, and CVE extraction
- [x] Tests pass
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Title convention `fix(CVE-XXXX):` aligns with conventional commit standard.
## Next Checkpoints
- Webhook handler tests pass.

65
docs-archived/implplan/SPRINT_20260220_012_Remediation_verification_pipeline.md Normal file
View File

@@ -0,0 +1,65 @@
# Sprint 20260220-012 — Remediation Verification Pipeline
## Topic & Scope
- Implement the verification pipeline that validates remediation PRs.
- Compare pre/post scan digests, reachability deltas, and produce fix-chain DSSE envelopes.
- Working directory: `src/Remediation/StellaOps.Remediation.Core/`.
- Expected evidence: IRemediationVerifier interface and implementation.
## Dependencies & Concurrency
- Depends on Sprint 010 (Core models).
- Can run in parallel with Sprints 011, 013-015.
## Documentation Prerequisites
- Sprint 010 domain models and registry interface.
## Delivery Tracker
### REM-13 - ReachGraph delta endpoint concept
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Document the conceptual POST /v1/reachability/delta endpoint for two-digest reachability diff
- This is a contract stub for future implementation
Completion criteria:
- [x] Concept documented in sprint decisions
### REM-14 - IRemediationVerifier interface
Status: DONE
Dependency: REM-02 (Sprint 010)
Owners: Developer
Task description:
- Define IRemediationVerifier in Core/Services/
- Define VerificationResult record with verdict, digests, affected paths
Completion criteria:
- [x] Interface defined with VerifyAsync method
- [x] VerificationResult record defined
### REM-15 - RemediationVerifier implementation
Status: DONE
Dependency: REM-14
Owners: Developer
Task description:
- Implement verification logic in Core/Services/RemediationVerifier.cs
- Stub external dependencies (scan service, reachability service)
Completion criteria:
- [x] Implementation compiles
- [x] Verification produces deterministic results for test inputs
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- REM-13: ReachGraph delta is a conceptual contract; actual implementation deferred.
- Verification pipeline stubs external scan/reachability calls for initial implementation.
## Next Checkpoints
- Verification pipeline compiles and stubs are testable.

53
docs-archived/implplan/SPRINT_20260220_013_Remediation_matching_sources_policy.md Normal file
View File

@@ -0,0 +1,53 @@
# Sprint 20260220-013 — Remediation Matching, Sources, and Policy
## Topic & Scope
- Implement IRemediationMatcher for CVE/PURL-based fix template matching.
- Add IntegrationType.Marketplace to integration enums.
- Working directory: `src/Remediation/`, `src/Integrations/`.
- Expected evidence: matcher interface, integration enum update.
## Dependencies & Concurrency
- Depends on Sprint 010 (Core models and registry).
- Cross-module edit: `src/Integrations/__Libraries/StellaOps.Integrations.Core/IntegrationEnums.cs`.
## Documentation Prerequisites
- Sprint 010 domain models.
## Delivery Tracker
### REM-18 - IRemediationMatcher interface and implementation
Status: DONE
Dependency: REM-04 (Sprint 010)
Owners: Developer
Task description:
- Define IRemediationMatcher in Core/Abstractions/
- Implement matching logic that queries templates by CVE, PURL, and version
Completion criteria:
- [x] Interface and implementation exist
- [x] FindMatchesAsync filters by CVE, PURL, and version
### REM-20 - IntegrationType.Marketplace enum
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `Marketplace = 8` to IntegrationType enum
- Add providers: `CommunityFixes = 800, PartnerFixes = 801, VendorFixes = 802`
Completion criteria:
- [x] Enum values added to IntegrationEnums.cs
- [x] No compilation errors in Integrations module
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Cross-module edit to IntegrationEnums.cs is minimal and additive only.
## Next Checkpoints
- Matcher compiles, enum values added.

103
docs-archived/implplan/SPRINT_20260220_014_FE_remediation_marketplace_ui.md Normal file
View File

@@ -0,0 +1,103 @@
# Sprint 20260220-014 — FE Remediation Marketplace UI
## Topic & Scope
- Create Angular UI components for the remediation marketplace.
- Add API service, browse/detail/submit components, badge component.
- Add routes under /security-risk/remediation.
- Add sidebar navigation entry.
- Working directory: `src/Web/StellaOps.Web/src/app/`.
- Expected evidence: components compile, routes registered, sidebar entry visible.
## Dependencies & Concurrency
- Depends on Sprint 010 (backend API contracts for type alignment).
- Can run in parallel with backend sprints.
## Documentation Prerequisites
- Sprint 010 API contract models.
## Delivery Tracker
### REM-21 - Remediation API service
Status: DONE
Dependency: none
Owners: FE Developer
Task description:
- Create `features/security-risk/remediation/remediation.api.ts`
- Implement RemediationApiService with HttpClient methods for templates, submissions, contributors, matching
Completion criteria:
- [x] Service injectable with all API methods defined
- [x] Uses /api/v1/remediation/* endpoints
### REM-22 - Remediation browse component
Status: DONE
Dependency: REM-21
Owners: FE Developer
Task description:
- Create `features/security-risk/remediation/remediation-browse.component.ts`
- Search by CVE/PURL, filter by trust/status, display fix cards
Completion criteria:
- [x] Component renders marketplace browse view
- [x] OnPush change detection, standalone
### REM-23 - Remediation fix detail component
Status: DONE
Dependency: REM-21
Owners: FE Developer
Task description:
- Create `features/security-risk/remediation/remediation-fix-detail.component.ts`
- Show attestation chain, patch content, contributor trust, reachability delta
Completion criteria:
- [x] Component renders fix detail with attestation chain
- [x] OnPush change detection, standalone
### REM-24 - Remediation submit component
Status: DONE
Dependency: REM-21
Owners: FE Developer
Task description:
- Create `features/security-risk/remediation/remediation-submit.component.ts`
- PR submit form with verification status pipeline timeline
Completion criteria:
- [x] Component renders submit form and status timeline
- [x] OnPush change detection, standalone
### REM-25 - Remediation fixes badge component
Status: DONE
Dependency: REM-21
Owners: FE Developer
Task description:
- Create `features/security-risk/remediation/remediation-fixes-badge.component.ts`
- Contextual "N Available Fixes" badge for vulnerability detail page
Completion criteria:
- [x] Badge component renders fix count
- [x] OnPush change detection, standalone
### REM-26 - Routes and sidebar registration
Status: DONE
Dependency: REM-22, REM-23, REM-24
Owners: FE Developer
Task description:
- Add remediation routes to security-risk.routes.ts
- Add sidebar entry under security-risk children in app-sidebar.component.ts
Completion criteria:
- [x] Routes registered for /security-risk/remediation/*
- [x] Sidebar shows Remediation entry under Security and Risk
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- UI follows existing security-risk feature patterns (standalone, OnPush, signals).
## Next Checkpoints
- All components compile, routes work in dev.

53
docs-archived/implplan/SPRINT_20260220_015_Remediation_offline_cli_docs.md Normal file
View File

@@ -0,0 +1,53 @@
# Sprint 20260220-015 — Remediation Offline, CLI, and Documentation
## Topic & Scope
- Create architecture documentation for the Remediation module.
- Create PR predicate schema contract documentation.
- Working directory: `docs/`.
- Expected evidence: architecture doc, contract doc.
## Dependencies & Concurrency
- Depends on Sprints 010-014 for implementation details.
- Can be drafted in parallel.
## Documentation Prerequisites
- All prior Remediation sprints for implementation context.
## Delivery Tracker
### REM-27 - Remediation architecture documentation
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Create `docs/modules/remediation/architecture.md`
- Document module overview, domain model, API surface, verification pipeline, trust scoring
Completion criteria:
- [x] Architecture doc covers all key aspects of the module
- [x] Links to relevant sprint tasks and contracts
### REM-28 - Remediation PR predicate schema contract
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Create `docs/contracts/remediation-pr-v1.md`
- Document the fix-chain DSSE predicate schema for remediation PRs
Completion criteria:
- [x] Contract doc defines predicate type, subject, fields
- [x] Consistent with existing predicate schemas in docs/contracts/
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-19 | Implemented and verified against code/tests in this sprint scope. | Codex |
| 2026-02-20 | Sprint created. | Planning |
## Decisions & Risks
- Documentation drafted from implementation; will be refined as features mature.
## Next Checkpoints
- Docs reviewed and linked from module README.