doctor and setup fixes

This commit is contained in:
master
2026-02-21 09:45:32 +02:00
parent 1ec797d5e8
commit 7e36c1f151
82 changed files with 5336 additions and 761 deletions


@@ -0,0 +1,158 @@
# Sprint 040 - UI Advisory Gap Closure
## Topic & Scope
- Close the identified UI implementation gaps from the advisory review so canonical IA, scope behavior, and run-centric operations are consistent in code and docs.
- Implement missing runtime contracts for global scope URL sync, degraded/offline UX surfaces, route migration telemetry alignment, and run-detail live refresh.
- Update verification artifacts (docs and targeted tests) for navigation/RBAC/search/telemetry/scope behavior.
- Working directory: `src/Web/StellaOps.Web/` (with required docs updates in `docs/modules/ui/v2-rewire/`).
- Expected evidence: passing targeted frontend tests, updated IA/contracts docs, and migration/verification documentation.
## Dependencies & Concurrency
- Depends on active Pack-22/23 canonical IA references in `docs/modules/ui/v2-rewire/`.
- Safe to run in parallel with unrelated Doctor/platform-health feature work as long as edits stay scoped to files listed in this sprint.
## Documentation Prerequisites
- `docs/modules/ui/v2-rewire/source-of-truth.md`
- `docs/modules/ui/v2-rewire/authority-matrix.md`
- `docs/modules/ui/v2-rewire/S00_route_deprecation_map.md`
- `docs/modules/ui/v2-rewire/pack-23.md`
## Delivery Tracker
### 040-T1 - Canonical IA ownership alignment in nav/routes/docs
Status: DONE
Dependency: none
Owners: Developer (FE), Documentation author
Task description:
- Align canonical ownership language and root menu expectations across route comments, sidebar labels, and v2-rewire source-of-truth/authority docs.
- Ensure Administration remains alias-window compatibility, not a conflicting primary operator root in canonical UX framing.
Completion criteria:
- [x] Sidebar and canonical docs use a consistent root-module story
- [x] Route annotations no longer conflict with canonical ownership model
### 040-T2 - RBAC visibility matrix and enforcement for root/major surfaces
Status: DONE
Dependency: 040-T1
Owners: Developer (FE), Documentation author
Task description:
- Add explicit UI RBAC matrix for root modules and key sub-surfaces.
- Apply scope gates to sidebar visibility and major route domains where currently auth-only.
Completion criteria:
- [x] Documented matrix exists in v2-rewire docs
- [x] Route and nav gating reflects the documented matrix
### 040-T3 - Global scope contract and URL synchronization
Status: DONE
Dependency: 040-T1
Owners: Developer (FE)
Task description:
- Define and implement URL-sync behavior for global scope (`regions`, `environments`, `timeWindow`) with deterministic merge semantics.
- Ensure deep links can hydrate scope and context changes persist back into URL without clobbering unrelated params.
Completion criteria:
- [x] Scope state can be hydrated from URL query parameters
- [x] Scope updates write canonical query parameters back to current route
### 040-T4 - Mobile scope controls behavior
Status: DONE
Dependency: 040-T3
Owners: Developer (FE)
Task description:
- Replace “hide scope entirely under 1200px” behavior with an explicit mobile/tablet scope entry point.
- Provide keyboard and screen-reader-friendly mobile interaction for scope controls.
Completion criteria:
- [x] Scope remains operable on mobile/tablet layouts
- [x] Desktop behavior remains unchanged for full scope bar
### 040-T5 - Standard degraded/offline UI state component
Status: DONE
Dependency: 040-T1
Owners: Developer (FE)
Task description:
- Implement shared degraded/offline decision-impact component supporting `BLOCKING`, `DEGRADED`, `INFO`, retry action, correlation ID, and last-known-good context.
- Integrate into at least one high-value run-centric surface.
Completion criteria:
- [x] Shared component exists and is reusable
- [x] Integrated surface shows standardized degraded contract fields
### 040-T6 - Legacy route telemetry alignment and cutover consistency
Status: DONE
Dependency: 040-T1
Owners: Developer (FE), Documentation author
Task description:
- Align legacy-route telemetry mapping with active redirect templates and alias-window routes.
- Remove stale target mappings and codify deterministic mapping behavior.
Completion criteria:
- [x] Telemetry mapping reflects canonical redirect map
- [x] Docs include updated cutover/alias telemetry expectations
### 040-T7 - Wire global search to real search client
Status: DONE
Dependency: 040-T1
Owners: Developer (FE)
Task description:
- Replace mock timeout-based search with API-backed search via existing search client.
- Keep keyboard navigation, grouped results, and recent-search persistence behavior.
Completion criteria:
- [x] Global search issues client-backed queries
- [x] Existing keyboard and selection UX still works
### 040-T8 - Release Run detail live refresh contract
Status: DONE
Dependency: 040-T5
Owners: Developer (FE)
Task description:
- Add run-detail live refresh model (poll cadence, stale/degraded indication, retry/manual refresh) while preserving deterministic rendering and non-destructive fallbacks.
Completion criteria:
- [x] Run detail auto-refreshes while active
- [x] Stale/degraded state is visible with explicit operator action
### 040-T9 - A11y and performance acceptance criteria documentation
Status: DONE
Dependency: 040-T1
Owners: Documentation author
Task description:
- Add explicit acceptance gates for accessibility and performance in v2-rewire docs.
- Define measurable criteria and mandatory checks for shell/search/scope/nav interactions.
Completion criteria:
- [x] A11y/perf gates are documented with pass/fail criteria
- [x] Sprint links to those gates in decisions/risks
### 040-T10 - UI verification plan and targeted tests
Status: DONE
Dependency: 040-T2, 040-T3, 040-T6, 040-T7, 040-T8
Owners: Developer (FE), QA
Task description:
- Update/add targeted unit tests for changed behaviors (nav model, search wiring, telemetry map behavior, context URL sync, run-detail refresh signals where feasible).
- Add UI verification plan doc for deterministic re-check of this sprint scope.
Completion criteria:
- [x] Targeted tests for changed contracts are present and passing
- [x] Verification plan doc captures deterministic execution path
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-20 | Sprint created and task 040-T1 moved to DOING. | Developer (FE) |
| 2026-02-20 | Implemented canonical IA/RBAC/scope/search/legacy telemetry/run-live contracts; added and updated targeted unit tests for nav, context URL sync, global search, route migration, telemetry, topology routes, and release live refresh. | Developer (FE) |
| 2026-02-20 | Verification run completed: `npm run test -- --watch=false --include src/tests/navigation/legacy-redirects.spec.ts --include src/tests/routes/legacy-route-migration-framework.component.spec.ts --include src/tests/navigation/legacy-route-telemetry.service.spec.ts --include src/tests/context/platform-context-url-sync.service.spec.ts --include src/tests/navigation/nav-model.spec.ts --include src/tests/navigation/nav-route-integrity.spec.ts --include src/tests/global_search/global-search.component.spec.ts --include src/tests/topology/topology-routes.spec.ts --include src/tests/releases/release-detail.live-refresh.spec.ts` (9 files, 55 tests, all pass). | QA/Developer (FE) |
| 2026-02-20 | Updated route deprecation contract docs and migration mappings for run-centric redirects (`/releases/runs`) and topology setup aliases (`/topology/promotion-graph`, `/topology/regions`, `/topology/workflows`). | Documentation author |
## Decisions & Risks
- Cross-module doc edits are required under `docs/modules/ui/v2-rewire/` to keep canonical contracts in sync with FE implementation.
- Work is intentionally layered over an already dirty frontend tree per user direction (“do it on top”); unrelated changes are preserved.
- Risk: route-scope guards can hide pages for low-scope users if matrix assumptions are wrong. Mitigation: keep fallback redirects and add explicit matrix docs plus targeted tests.
- Risk: context URL sync can loop if merge semantics are incorrect. Mitigation: idempotent query diffing and scoped key updates only.
- Decision: legacy redirect telemetry is now derived entirely from `LEGACY_REDIRECT_ROUTE_TEMPLATES`, and template entries were updated to canonical Pack22/23 targets to keep route behavior and telemetry in lockstep.
- Decision: topology operator entry points now deep-link to run-centric release flows (`/releases/runs`) instead of activity/deployment aliases, matching advisory UX language.
## Next Checkpoints
- Sprint 040 delivered; maintain alias telemetry during cutover window and remove obsolete alias routes in the planned cutover sprint after hit-rate review.
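
Review bot: 040-T3's completion criteria cover hydrating scope from the URL and writing it back, but nothing covers malformed or unknown `regions`, `environments` or `timeWindow` values arriving in a deep link, or values naming a region or environment the signed-in user has no access to. Add a criterion that hydration validates each value against the set the user is allowed to select and drops the rest, plus a case for it in `src/tests/context/platform-context-url-sync.service.spec.ts`. The loop risk listed under Decisions & Risks is addressed; the untrusted-input one is not mentioned.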


@@ -1,4 +1,4 @@
# S00 Route Deprecation Map (Pack 22 Canonical)
# S00 Route Deprecation Map (Pack 22/23 Canonical)
Status: Active
Date: 2026-02-20
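
Review bot: the title now reads Pack 22/23, but the `Canonical source:` line carried in the next hunk header still lists only `source-of-truth.md` and `pack-22.md`. Add `pack-23.md` there so the document header agrees with its title.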
@@ -7,14 +7,14 @@ Canonical source: `source-of-truth.md`, `pack-22.md`
## Purpose
Define deterministic route migration from pre-Pack22 root families to Pack22 canonical IA:
Define deterministic route migration from pre-Pack22 root families to Pack22/23 canonical IA:
- `/dashboard`
- `/dashboard` (Mission Control)
- `/releases` (run-centric subroots under `/releases/versions*` and `/releases/runs*`)
- `/security` (workspace subroots under `/security/overview`, `/security/triage`, `/security/advisories-vex`, `/security/supply-chain-data/*`)
- `/evidence` (capsule-first subroots under `/evidence/overview`, `/evidence/capsules`, `/evidence/exports/export`, `/evidence/verification/*`)
- `/security` (workspace subroots under `/security/posture`, `/security/triage`, `/security/disposition`, `/security/sbom/*`, `/security/reachability`)
- `/evidence` (capsule-first subroots under `/evidence/capsules`, `/evidence/exports`, `/evidence/verification/*`, `/evidence/audit-log`)
- `/topology`
- `/platform` (setup/ops/integrations canonical root; legacy `/operations`, `/integrations`, `/administration` are alias-window routes)
- `/platform` (ops/integrations/setup canonical root; legacy `/operations`, `/integrations`, `/administration` are alias-window routes)
## Action definitions
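
Review bot: the `/security` and `/evidence` bullets drop `/security/overview`, `/security/advisories-vex`, `/security/supply-chain-data/*`, `/evidence/overview` and `/evidence/exports/export` as canonical subroots, yet the redirect tables visible in this patch only map `/security-risk/*` and `/evidence-audit*` sources. If those Pack 22 paths were ever served, add redirect rows for them so existing bookmarks resolve and `legacy_route_hit` telemetry counts them; if they never shipped, say so here.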
@@ -35,7 +35,7 @@ Define deterministic route migration from pre-Pack22 root families to Pack22 can
| `/operations/*` (old ops shell) | `/platform/ops/*` | `redirect` + `alias-window` |
| `/integrations/*` (legacy root) | `/platform/integrations/*` | `redirect` + `alias-window` |
| `/administration/*` (legacy root) | `/platform/setup/*` | `redirect` + `alias-window` |
| `/settings/release-control/*` | `/topology/*` | `redirect` |
| `/settings/release-control/*` | `/topology/promotion-graph`, `/topology/regions`, `/topology/targets`, `/topology/agents`, `/topology/workflows` | `redirect` |
## Release Control decomposition
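
Review bot: the `/settings/release-control/*` row now lists five targets for a single wildcard with a plain `redirect` action, which leaves open where an unmatched subpath lands and sits badly with the document's stated purpose of deterministic migration. Point this row at the new Settings alias decomposition table and name one fallback target for anything that table does not match.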
@@ -49,29 +49,40 @@ Define deterministic route migration from pre-Pack22 root families to Pack22 can
| `/release-control/promotions` | `/releases/runs` | `redirect` |
| `/release-control/hotfixes` | `/releases/hotfix` | `redirect` |
| `/release-control/regions` | `/topology/regions` | `redirect` |
| `/release-control/setup` | `/platform/setup` | `redirect` |
| `/release-control/setup/environments-paths` | `/topology/environments` | `redirect` |
| `/release-control/setup` | `/topology/promotion-graph` | `redirect` |
| `/release-control/setup/environments-paths` | `/topology/promotion-graph` | `redirect` |
| `/release-control/setup/targets-agents` | `/topology/targets` | `redirect` |
| `/release-control/setup/workflows` | `/platform/setup/workflows-gates` | `redirect` |
| `/release-control/setup/workflows` | `/topology/workflows` | `redirect` |
## Settings alias decomposition
| Legacy path | Canonical target | Action |
| --- | --- | --- |
| `/settings/release-control` | `/topology/promotion-graph` | `redirect` |
| `/settings/release-control/environments` | `/topology/regions` | `redirect` |
| `/settings/release-control/targets` | `/topology/targets` | `redirect` |
| `/settings/release-control/agents` | `/topology/agents` | `redirect` |
| `/settings/release-control/workflows` | `/topology/workflows` | `redirect` |
## Security consolidation
| Legacy path | Canonical target | Action |
| --- | --- | --- |
| `/security-risk` | `/security/overview` | `redirect` |
| `/security-risk` | `/security/posture` | `redirect` |
| `/security-risk/findings*` | `/security/triage*` | `redirect` |
| `/security-risk/vulnerabilities*` | `/security/triage*` | `redirect` |
| `/security-risk/vex` | `/security/advisories-vex` | `redirect` |
| `/security-risk/exceptions` | `/security/advisories-vex` | `redirect` |
| `/security-risk/sbom` | `/security/supply-chain-data/graph` | `redirect` |
| `/security-risk/sbom-lake` | `/security/supply-chain-data/lake` | `redirect` |
| `/security-risk/vex` | `/security/disposition` | `redirect` |
| `/security-risk/exceptions` | `/security/disposition` | `redirect` |
| `/security-risk/sbom` | `/security/sbom/graph` | `redirect` |
| `/security-risk/sbom-lake` | `/security/sbom/lake` | `redirect` |
| `/security-risk/advisory-sources` | `/platform/integrations/feeds` | `redirect` |
| `/sbom-sources` | `/platform/integrations/sbom-sources` | `redirect` |
## Evidence and Operations renames
| Legacy path | Canonical target | Action |
| --- | --- | --- |
| `/evidence-audit` | `/evidence/overview` | `redirect` |
| `/evidence-audit` | `/evidence/capsules` | `redirect` |
| `/evidence-audit/packs*` | `/evidence/capsules*` | `redirect` |
| `/evidence-audit/audit-log` | `/evidence/audit-log` | `redirect` |
| `/evidence-audit/replay` | `/evidence/verification/replay` | `redirect` |
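
Review bot: in the Release Control table `/release-control/setup/environments-paths` now goes to `/topology/promotion-graph`, while the new Settings alias table sends `/settings/release-control/environments` to `/topology/regions`, and the target being replaced, `/topology/environments`, no longer appears anywhere in the visible map. State which page owns environment inventory after this change, and whether `/topology/environments` stays routable or needs its own redirect row.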
@@ -86,6 +97,7 @@ Define deterministic route migration from pre-Pack22 root families to Pack22 can
- `oldPath`,
- `newPath`,
- tenant/user context metadata.
- Legacy detection and expected target resolution are derived from `LEGACY_REDIRECT_ROUTE_TEMPLATES` to prevent drift between redirect behavior and telemetry mapping.
- Alias telemetry must remain active until Pack22 cutover approval.
## Cutover checkpoint
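
Review bot: the added bullet ties detection and target resolution to `LEGACY_REDIRECT_ROUTE_TEMPLATES`, but the payload list above it still does not say whether `oldPath` and `newPath` carry the matched template or the concrete URL. Since this commit also syncs `regions`, `environments` and `timeWindow` into the query string, specify that the event records the path with the query string removed, or the template itself. The bullet that follows still says "Pack22 cutover approval" although the title is now Pack 22/23.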


@@ -0,0 +1,47 @@
# S01 Accessibility and Performance Acceptance Gates
Status: Active
Date: 2026-02-20
Working directory: `docs/modules/ui/v2-rewire`
## Purpose
Define mandatory pass/fail gates for the navigation shell, global scope controls, search, and run-centric release surfaces.
## Accessibility gates (must pass)
| Area | Gate | Pass criteria |
| --- | --- | --- |
| Keyboard entry points | `Ctrl+K` opens search, `Escape` closes active search/scope overlays | Works from any authenticated shell page without focus traps. |
| Scope controls | Region, Environment, Time Window controls are keyboard-operable on desktop and tablet/mobile | Scope panel is reachable via topbar `Scope` button and supports `Tab`, `Enter`, `Space`, `Escape`. |
| Focus visibility | Shell controls have visible focus treatment | Focus ring contrast ratio >= 3:1 against adjacent background. |
| Nav semantics | Sidebar and topbar expose valid navigation landmarks | Screen readers announce main nav and scope dialog labels correctly. |
| Status/degraded messaging | Degraded state banner is announced and actionable | Impact (`BLOCKING`, `DEGRADED`, `INFO`) and retry action are readable by assistive tech. |
## Performance gates (must pass)
| Area | Gate | Pass criteria |
| --- | --- | --- |
| Shell route transitions | Canonical root navigation (`/dashboard`, `/releases`, `/security`, `/evidence`, `/topology`, `/platform`) | Route-to-render under 500ms median in local CI profile build. |
| Search interaction | Debounced global search | Input-to-result update <= 300ms median for cached responses and <= 800ms for uncached responses. |
| Scope URL sync | Context change URL patching | No duplicate navigations/loops; one URL update per scope mutation. |
| Run detail live refresh | Active run polling cadence | Poll interval 15s with no overlapping requests; terminal runs stop polling. |
| Mobile shell | Scope panel render | Scope panel opens in <= 200ms and does not trigger layout overflow at <= 1199px width. |
## Required checks per sprint close
1. Run unit tests covering updated contracts:
- `src/tests/global_search/global-search.component.spec.ts`
- `src/tests/context/platform-context-url-sync.service.spec.ts`
- `src/tests/navigation/legacy-route-telemetry.service.spec.ts`
- `src/tests/releases/release-detail.live-refresh.spec.ts`
2. Run route integrity checks:
- `src/tests/navigation/nav-model.spec.ts`
- `src/tests/navigation/nav-route-integrity.spec.ts`
- `src/tests/navigation/legacy-redirects.spec.ts`
3. Execute one manual keyboard walkthrough on desktop and <= 1199px layout for:
- Scope controls
- Global search
- Run detail degraded banner retry action
If any gate fails, sprint closure remains `BLOCKED` until evidence of fix is logged in `docs/implplan/SPRINT_*.md`.
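
Review bot: the "Required checks per sprint close" list contains unit tests and one manual keyboard walkthrough, so nothing in it measures the performance gates (500ms route-to-render, 300ms/800ms search, 200ms scope panel) or the 3:1 focus-ring contrast gate. Add a step that records those measurements and says where the numbers are logged, or mark which gates are checked by inspection only. As written, a sprint can close with every listed check green and the timing gates never exercised.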


@@ -0,0 +1,46 @@
# S02 UI Verification Plan - Sprint 040
Status: Active
Date: 2026-02-20
Working directory: `src/Web/StellaOps.Web/`
## Scope under verification
- Canonical root IA labels and route ownership (Mission Control + 5 domain roots)
- RBAC-gated visibility for root and major alias-window surfaces
- Global scope URL synchronization (`regions`, `environments`, `timeWindow`)
- Mobile/tablet scope control entry point
- Legacy route telemetry alignment with redirect templates
- Global search API wiring
- Release run-detail live refresh + degraded-state contract
## Deterministic verification sequence
1. Unit and route tests:
- `src/tests/navigation/nav-model.spec.ts`
- `src/tests/navigation/nav-route-integrity.spec.ts`
- `src/tests/navigation/legacy-redirects.spec.ts`
- `src/tests/navigation/legacy-route-telemetry.service.spec.ts`
- `src/tests/context/platform-context-url-sync.service.spec.ts`
- `src/tests/global_search/global-search.component.spec.ts`
- `src/tests/releases/release-detail.live-refresh.spec.ts`
2. Manual route checks:
- `/dashboard` renders Mission Control label in sidebar and breadcrumb.
- `/security/posture`, `/security/disposition`, `/security/sbom/lake`, `/security/reachability` resolve without alias errors.
- `/topology/promotion-graph` is canonical; `/topology/promotion-paths` redirects.
3. Alias telemetry checks:
- Navigate to `/ops/health`, `/security-risk/sbom-lake`, `/release-control/setup`.
- Confirm a `legacy_route_hit` event is emitted with expected `oldPath` and resolved `newPath`.
4. Scope synchronization checks:
- Open `/security/posture?regions=us-east&environments=prod&timeWindow=7d`; verify context hydrates.
- Change scope selectors; verify URL query updates without losing unrelated query keys.
5. Run live-refresh checks:
- Open active run detail (`/releases/runs/:runId/timeline`) and verify periodic refresh status transitions (`LIVE` -> `SYNCING`).
- Simulate backend failure and verify degraded banner shows retry + correlation ID.
- Verify terminal run status stops polling.
## Evidence capture requirements
- Record test pass/fail and command outputs in sprint execution log.
- Include failing scenario notes for any non-deterministic behavior or flaky assertions.
- If a route alias is intentionally preserved, document the retention reason and next removal checkpoint.
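
Review bot: "RBAC-gated visibility for root and major alias-window surfaces" is listed under scope, but steps 2 to 5 of the deterministic sequence never exercise it and step 1 does not say which spec covers it. Add a step that signs in as a user lacking each root's gate scopes and confirms the root is hidden in the sidebar, the direct URL and its legacy alias are both refused, and the fallback redirect fires.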


@@ -9,7 +9,7 @@ This matrix defines which pack is authoritative for each capability and which pa
| Capability area | Authoritative pack(s) | Superseded packs | Notes |
| --- | --- | --- | --- |
| Global IA and naming | `pack-23.md`, `pack-22.md` | `pack-21.md` and lower for overlaps | Canonical roots are Dashboard, Releases, Security, Evidence, Topology, Platform, Administration. |
| Global IA and naming | `pack-23.md`, `pack-22.md` | `pack-21.md` and lower for overlaps | Canonical roots are Mission Control, Releases, Security, Evidence, Topology, Platform. |
| Dashboard mission control | `pack-22.md`, `pack-16.md` | `pack-01.md`, `pack-04.md`, `pack-08.md`, `pack-11.md` | Pack 22 defines posture framing; Pack 16 keeps detailed signal cards where unchanged. |
| Releases lifecycle consolidation | `pack-22.md`, `pack-12.md`, `pack-13.md`, `pack-14.md`, `pack-17.md` | Standalone lifecycle module variants in older packs | Runs/deployments/promotions/hotfixes are views under Releases, not roots. |
| Topology inventory and setup | `pack-22.md`, `pack-18.md` | Prior placements under Release Control and Platform Ops | Regions/env/targets/hosts/agents/workflows/gate profiles belong to Topology. |
@@ -17,17 +17,17 @@ This matrix defines which pack is authoritative for each capability and which pa
| Evidence and audit chain | `pack-22.md`, `pack-20.md` | `pack-03.md`, `pack-09.md`, `pack-11.md` | Evidence must be linked from Releases and Security decisions. |
| Operations runtime posture | `pack-23.md`, `pack-15.md`, `pack-10.md` | `pack-03.md`, `pack-06.md`, `pack-09.md`, `pack-11.md` | Ops runs under Platform and owns runtime operability state; agents stay in Topology. |
| Integrations configuration | `pack-23.md`, `pack-10.md`, `pack-21.md` | `pack-02.md`, `pack-05.md`, `pack-09.md` | Integrations runs under Platform and is limited to external systems/connectors. |
| Administration governance | `pack-22.md`, `pack-21.md` | `pack-02.md`, `pack-05.md`, `pack-09.md`, `pack-11.md` | Identity/tenant/notification/usage/policy/system remain Administration-owned. |
| Administration governance | `pack-22.md`, `pack-21.md` | `pack-02.md`, `pack-05.md`, `pack-09.md`, `pack-11.md` | Identity/tenant/notification/usage/policy/system remain admin-owned under `Platform -> Setup`. |
## B) Explicit higher-pack overrides
| Decision | Replaced guidance | Canonical guidance |
| --- | --- | --- |
| Root domain naming | `Release Control`, `Security & Risk`, `Evidence & Audit`, `Platform Ops` roots | `Releases`, `Security`, `Evidence`, `Platform`, plus `Topology` root (`pack-23.md`) |
| Bundle naming | Bundle-first labels in packs 12/21 | UI term is `Release`; bundle semantics remain in data model (`pack-22.md`) |
| Root domain naming | `Dashboard`, `Release Control`, `Security & Risk`, `Evidence & Audit`, `Platform Ops`, top-level `Administration` | `Mission Control`, `Releases`, `Security`, `Evidence`, `Topology`, `Platform` (`pack-23.md`) |
| Bundle naming | Bundle-first labels in packs 12/21 | UI term is `Release Version`; bundle semantics remain in data model (`pack-22.md`) |
| Lifecycle menu sprawl | Standalone Promotions, Deployments, Runs, Hotfixes menus | Lifecycle surfaces live under `Releases` list/detail/activity/approvals (`pack-22.md`) |
| Region/environment nav placement | Deep menu under release-control variants | Global context selectors + Topology inventory pages (`pack-22.md`) |
| Security navigation split | Separate VEX, Exceptions, SBOM Graph, SBOM Lake menus | Consolidated `Disposition` and `SBOM Explorer` surfaces (`pack-22.md`) |
| Security navigation split | Separate VEX, Exceptions, SBOM Graph, SBOM Lake menus | Consolidated `Disposition Center` and `SBOM` surfaces (`pack-22.md`) |
| Feed and VEX source setup placement | Security-owned advisory sources setup variants | Integrations-owned feed/source configuration (`pack-22.md`) |
| Agent module placement | Platform Ops ownership variants | `Topology -> Agents` (`pack-22.md`) |
@@ -66,3 +66,15 @@ For sprint planning, use raw packs only through this sequence:
1. Find capability in Section A.
2. Start with listed authoritative pack(s).
3. Open superseded packs only for migration context or missing implementation detail.
## E) UI RBAC visibility matrix
| Surface | Primary scope gate (`any`) | Fallback/notes |
| --- | --- | --- |
| Mission Control root | `ui.read`, `release:read`, `scanner:read`, `sbom:read` | Redirect unauthorized users to `/console/profile`. |
| Releases root | `release:read`, `release:write`, `release:publish` | Approvals queue additionally expects approval/governance scopes. |
| Security root | `scanner:read`, `sbom:read`, `advisory:read`, `vex:read`, `exception:read`, `findings:read`, `vuln:view` | Disposition and SBOM tabs remain visible only when parent root is visible. |
| Evidence root | `release:read`, `policy:audit`, `authority:audit.read`, `signer:read`, `vex:export` | Trust mutation routes stay under `Platform -> Setup`. |
| Topology root | `release:read`, `orch:read`, `orch:operate`, `ui.admin` | Includes regions/env, targets/runtimes, and agent fleet. |
| Platform root | `ui.admin`, `orch:read`, `orch:operate`, `health:read`, `notify.viewer` | Covers ops, integrations, and setup/admin surfaces. |
| Legacy alias roots (`/operations`, `/integrations`, `/administration`, `/platform-ops`) | Same gate as Platform root | Alias-window only; tracked by `legacy_route_hit` telemetry. |
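
Review bot: every row is an `any`-of gate at root level only, and the Platform root row admits `health:read` or `notify.viewer` while its notes say it "Covers ops, integrations, and setup/admin surfaces". Add rows for the sub-surfaces with their own gates, at minimum `Platform -> Setup` and the Topology agent fleet, since 040-T2 in the sprint file promises a matrix for "root modules and key sub-surfaces". The section should also state that these are visibility gates and that the API enforces the same scopes.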


@@ -22,13 +22,12 @@ Working directory: `docs/modules/ui/v2-rewire`
Canonical top-level modules are:
- `Dashboard`
- `Mission Control`
- `Releases`
- `Security`
- `Evidence`
- `Topology`
- `Platform`
- `Administration`
### 2.2 Global context
@@ -49,16 +48,15 @@ These are authoritative for planning and replace older conflicting placements:
- `Release Control` root is decomposed:
- release lifecycle surfaces move to `Releases`,
- inventory/setup surfaces move to `Topology`.
- `Bundle` is deprecated in operator IA and renamed to `Release`.
- `Bundle` is deprecated in operator IA and renamed to `Release Version`.
- `Runs`, `Deployments`, `Promotions`, and `Hotfixes` are lifecycle views inside `Releases` and not top-level modules.
- `VEX` and `Exceptions` are exposed as one UX concept:
- `Security -> Triage` disposition rail + detail tabs,
- `Security -> Advisories & VEX` for provider/library/conflict/trust operations,
- backend data models remain distinct.
- SBOM, reachability, and unknowns are unified under `Security -> Supply-Chain Data` tabs.
- Advisory feed and VEX source configuration belongs to `Integrations`, not Security.
- `Policy Governance` remains under `Administration`.
- Trust posture must be reachable from `Evidence`, while admin-owner trust mutations remain governed by administration scopes.
- `VEX` and `Exceptions` remain distinct data models, but are exposed in one operator workspace:
- `Security -> Disposition Center` tabs (`VEX Statements`, `Exceptions`, `Expiring`),
- feeds/source configuration lives in `Platform -> Integrations -> Feeds`.
- SBOM Graph/Lake are one `Security -> SBOM` workspace with mode tabs.
- Reachability is a first-class surface under `Security -> Reachability`.
- `Policy Governance` remains administration-owned under `Platform -> Setup`.
- Trust posture is visible in `Evidence`, while signing/trust mutation stays in `Platform -> Setup -> Trust & Signing`.
## 3) Canonical screen authorities
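
Review bot: the rewritten trust bullet says where signing/trust mutation lives (`Platform -> Setup -> Trust & Signing`) but drops the earlier wording that those mutations "remain governed by administration scopes". Keep the scope requirement in the sentence; menu placement alone does not say who may perform the mutation.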
@@ -76,7 +74,7 @@ Superseded for overlapping decisions:
- `pack-21.md` and lower packs for root module grouping and naming.
### 3.2 Dashboard
### 3.2 Mission Control
Authoritative packs:
@@ -108,7 +106,7 @@ Authoritative packs:
Authoritative packs:
- `pack-22.md` for consolidation into `Overview`, `Triage`, `Advisories & VEX`, `Supply-Chain Data`, and optional `Reports`.
- `pack-22.md` for consolidation into `Posture`, `Triage`, `SBOM`, `Reachability`, `Disposition Center`, and `Reports`.
- `pack-19.md` for decision-first security detail behavior where not overridden.
Superseded:
@@ -137,26 +135,27 @@ Authoritative packs:
- `pack-23.md` for Platform Integrations placement and topology ownership split.
- `pack-10.md` and `pack-21.md` for connector detail flows where not overridden.
### 3.9 Administration
### 3.9 Platform Administration
Authoritative packs:
- `pack-22.md` for top-level scope.
- `pack-22.md` for governance scope.
- `pack-21.md` for detailed A0-A7 screen structure where not overridden.
## 4) Normalized terminology (canonical names)
Use these terms in sprint tickets/specs:
- `Bundle` -> `Release`
- `Create Bundle` -> `Create Release`
- `Current Release` -> `Deploy Release`
- `Run Timeline` -> `Activity` (cross-release) or `Timeline` (release detail tab)
- `Bundle` -> `Release Version`
- `Create Bundle` -> `Create Release Version`
- `Current Release` -> `Deploy/Promote`
- `Run/Timeline/Pipeline` -> `Release Run`
- `Security & Risk` -> `Security`
- `Evidence & Audit` -> `Evidence`
- `Evidence Pack/Bundle` -> `Decision Capsule`
- `Platform Ops` -> `Platform -> Ops`
- `Integrations` root -> `Platform -> Integrations`
- `Setup` root -> `Platform -> Setup`
- `Integrations` root -> `Platform -> Integrations` (alias-window only at `/integrations`)
- `Setup` root -> `Platform -> Setup` (includes administration-owned setup/governance)
- `Regions & Environments` menu -> `Topology` module + global context switchers
## 5) Planning gaps to schedule first
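
Review bot: the `Integrations` root entry gains "(alias-window only at `/integrations`)", but the `Platform Ops` and `Setup` root entries get no matching note for `/operations` and `/administration`, which the route deprecation map in this same commit also lists as alias-window routes. Annotate all three the same way so the terminology list does not suggest that only `/integrations` is temporary.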