feat(ui): ship triage explainability workspace

src/Web/StellaOps.Web/tests/e2e/triage-explainability-workspace.spec.ts

@@ -0,0 +1,331 @@
+import { expect, test, type Page, type Route } from '@playwright/test';
+
+import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
+
+const securitySession: StubAuthSession = {
+  subjectId: 'triage-e2e-user',
+  tenant: 'tenant-default',
+  scopes: [
+    'admin',
+    'ui.read',
+    'scanner:read',
+    'sbom:read',
+    'advisory:read',
+    'vex:read',
+    'findings:read',
+    'vuln:view',
+    'vuln:read',
+    'vex:write',
+  ],
+};
+
+const mockConfig = {
+  authority: {
+    issuer: '/authority',
+    clientId: 'stella-ops-ui',
+    authorizeEndpoint: '/authority/connect/authorize',
+    tokenEndpoint: '/authority/connect/token',
+    logoutEndpoint: '/authority/connect/logout',
+    redirectUri: 'https://127.0.0.1:4400/auth/callback',
+    postLogoutRedirectUri: 'https://127.0.0.1:4400/',
+    scope: 'openid profile email ui.read',
+    audience: '/gateway',
+    dpopAlgorithms: ['ES256'],
+    refreshLeewaySeconds: 60,
+  },
+  apiBaseUrls: {
+    authority: '/authority',
+    scanner: '/scanner',
+    policy: '/policy',
+    concelier: '/concelier',
+    attestor: '/attestor',
+    gateway: '/gateway',
+  },
+  quickstartMode: true,
+  setup: 'complete',
+};
+
+const vulnerabilityList = {
+  items: [
+    {
+      vulnId: 'finding-review-001',
+      cveId: 'CVE-2026-4001',
+      title: 'Review-worthy reachable finding',
+      severity: 'critical',
+      status: 'open',
+      publishedAt: '2026-03-07T08:00:00Z',
+      modifiedAt: '2026-03-07T09:00:00Z',
+      reachabilityStatus: 'reachable',
+      reachabilityScore: 92,
+      affectedComponents: [
+        {
+          purl: 'pkg:oci/review@1.0.0',
+          name: 'review-service',
+          version: '1.0.0',
+          assetIds: ['asset-review-prod'],
+        },
+      ],
+    },
+    {
+      vulnId: 'finding-quiet-001',
+      cveId: 'CVE-2026-4002',
+      title: 'Quiet lane finding',
+      severity: 'low',
+      status: 'fixed',
+      publishedAt: '2026-03-07T08:00:00Z',
+      modifiedAt: '2026-03-07T09:00:00Z',
+      reachabilityStatus: 'unreachable',
+      reachabilityScore: 10,
+      affectedComponents: [
+        {
+          purl: 'pkg:oci/quiet@1.0.0',
+          name: 'quiet-service',
+          version: '1.0.0',
+          assetIds: ['asset-builder-quiet'],
+        },
+      ],
+    },
+  ],
+  total: 2,
+  hasMore: false,
+  page: 1,
+  pageSize: 20,
+};
+
+const unifiedEvidence = {
+  findingId: 'finding-review-001',
+  cveId: 'CVE-2026-4001',
+  componentPurl: 'pkg:oci/review@1.0.0',
+  reachability: {
+    subgraphId: 'sg-review-001',
+    status: 'reachable',
+    confidence: 0.92,
+    method: 'graph',
+    entryPoints: [
+      {
+        id: 'ep-1',
+        type: 'http',
+        name: 'POST /deploy',
+        location: 'src/review.ts:40',
+        distance: 3,
+      },
+    ],
+    callChain: {
+      pathLength: 3,
+      pathCount: 1,
+      keySymbols: ['handleDeploy', 'applyPolicy', 'vulnerableFunction'],
+      callGraphUri: '/graphs/review-001',
+    },
+    graphUri: '/graphs/review-001',
+  },
+  attestations: [
+    {
+      id: 'att-001',
+      predicateType: 'https://slsa.dev/provenance/v1',
+      subjectDigest: 'sha256:reviewdigest',
+      signer: 'key-review',
+      signedAt: '2026-03-07T09:05:00Z',
+      verificationStatus: 'verified',
+      transparencyLogEntry: 'rekor-001',
+    },
+  ],
+  policy: {
+    policyVersion: '2026.03.07',
+    policyDigest: 'sha256:policydigest',
+    verdict: 'warn',
+    rulesFired: [
+      {
+        ruleId: 'RULE-201',
+        name: 'reachable-critical',
+        effect: 'warn',
+        reason: 'Reachable critical finding requires operator review.',
+      },
+    ],
+  },
+  manifests: {
+    artifactDigest: 'sha256:reviewdigest',
+    manifestHash: 'sha256:manifestreview',
+    feedSnapshotHash: 'sha256:feedreview',
+    policyHash: 'sha256:policydigest',
+  },
+  verification: {
+    status: 'verified',
+    hashesVerified: true,
+    attestationsVerified: true,
+    evidenceComplete: true,
+    verifiedAt: '2026-03-07T09:06:00Z',
+  },
+  replayCommand: 'stella replay finding-review-001',
+  evidenceBundleUrl: '/bundles/review-001.zip',
+  generatedAt: '2026-03-07T09:06:00Z',
+};
+
+async function fulfillJson(route: Route, body: unknown, status = 200): Promise<void> {
+  await route.fulfill({
+    status,
+    contentType: 'application/json',
+    body: JSON.stringify(body),
+  });
+}
+
+async function navigateClientSide(page: Page, target: string): Promise<void> {
+  await page.evaluate((url) => {
+    window.history.pushState({}, '', url);
+    window.dispatchEvent(new PopStateEvent('popstate', { state: window.history.state }));
+  }, target);
+}
+
+async function setupHarness(page: Page): Promise<void> {
+  await page.addInitScript((session) => {
+    (window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
+  }, securitySession);
+
+  await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/.well-known/openid-configuration', (route) =>
+    fulfillJson(route, {
+      issuer: 'https://127.0.0.1:4400/authority',
+      authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
+      token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
+      jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
+      response_types_supported: ['code'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['RS256'],
+    })
+  );
+  await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
+  await page.route('**/console/profile**', (route) =>
+    fulfillJson(route, {
+      subjectId: securitySession.subjectId,
+      username: 'triage-e2e',
+      displayName: 'Triage E2E',
+      tenant: securitySession.tenant,
+      roles: ['security-operator'],
+      scopes: securitySession.scopes,
+    })
+  );
+  await page.route('**/console/token/introspect**', (route) =>
+    fulfillJson(route, {
+      active: true,
+      tenant: securitySession.tenant,
+      subject: securitySession.subjectId,
+      scopes: securitySession.scopes,
+    })
+  );
+  await page.route('**/api/v2/context/regions', (route) =>
+    fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }])
+  );
+  await page.route('**/api/v2/context/environments**', (route) =>
+    fulfillJson(route, [
+      {
+        environmentId: 'prod',
+        regionId: 'eu-west',
+        environmentType: 'prod',
+        displayName: 'Prod',
+        sortOrder: 1,
+        enabled: true,
+      },
+    ])
+  );
+  await page.route('**/api/v2/context/preferences', (route) =>
+    fulfillJson(route, {
+      tenantId: securitySession.tenant,
+      actorId: securitySession.subjectId,
+      regions: ['eu-west'],
+      environments: ['prod'],
+      timeWindow: '24h',
+      stage: 'all',
+      updatedAt: '2026-03-07T12:00:00Z',
+      updatedBy: securitySession.subjectId,
+    })
+  );
+  await page.route('**/doctor/api/v1/doctor/trends**', (route) => fulfillJson(route, []));
+  await page.route('**/api/v1/approvals**', (route) => fulfillJson(route, []));
+  await page.route('**/api/v1/telemetry/ttfs', (route) => fulfillJson(route, { accepted: true }, 202));
+  await page.route('**/vuln/vuln**', (route) => fulfillJson(route, vulnerabilityList));
+  await page.route('**/v1/vex-decisions**', (route) =>
+    fulfillJson(route, { items: [], count: 0, continuationToken: null })
+  );
+  await page.route('**/api/v1/triage/scans/asset-review-prod/gated-buckets', (route) =>
+    fulfillJson(route, {
+      scanId: 'asset-review-prod',
+      unreachableCount: 0,
+      policyDismissedCount: 0,
+      backportedCount: 0,
+      vexNotAffectedCount: 0,
+      supersededCount: 0,
+      userMutedCount: 0,
+      totalHiddenCount: 0,
+      actionableCount: 1,
+      totalCount: 1,
+      computedAt: '2026-03-07T09:06:00Z',
+    })
+  );
+  await page.route('**/api/v1/triage/findings/finding-review-001/evidence**', (route) =>
+    fulfillJson(route, unifiedEvidence)
+  );
+  await page.route('**/v1/audit-bundles', async (route) => {
+    if (route.request().method() === 'GET') {
+      await fulfillJson(route, { bundles: [], continuationToken: null, hasMore: false });
+      return;
+    }
+
+    await fulfillJson(route, {
+      bundleId: 'bundle-review-001',
+      status: 'completed',
+      subject: {
+        type: 'IMAGE',
+        name: 'asset-review-prod',
+        digest: { sha256: 'sha256:reviewdigest' },
+      },
+      createdAt: '2026-03-07T09:10:00Z',
+      sha256: 'sha256:bundle-review-001',
+      integrityRootHash: 'sha256:root-review-001',
+      downloadUrl: '/v1/audit-bundles/bundle-review-001/download',
+      ociReference: 'oci://stellaops/audit-bundles@bundle-review-001',
+      statusUrl: '/v1/audit-bundles/bundle-review-001',
+    });
+  });
+}
+
+test.beforeEach(async ({ page }) => {
+  await setupHarness(page);
+});
+
+test('artifact workspace supports lane movement and bundle creation shortcuts', async ({ page }) => {
+  await page.goto('/triage/artifacts?lane=review', { waitUntil: 'networkidle' });
+
+  await expect(page.getByTestId('triage-lane-review')).toHaveClass(/lane-pill--active/);
+  await expect(page.getByTestId('triage-artifact-row-asset-review-prod')).toBeVisible();
+
+  await page.getByLabel('Select asset-review-prod').check();
+  await page.getByRole('button', { name: 'Move to Quiet' }).click();
+  await expect(page.getByText('No artifacts match the current lane and filters.')).toBeVisible();
+
+  await page.getByTestId('triage-lane-quiet').click();
+  await expect(page.getByTestId('triage-artifact-row-asset-review-prod')).toBeVisible();
+
+  await page.getByLabel('Select asset-review-prod').check();
+  await page.getByRole('button', { name: 'Build audit bundle' }).click();
+
+  await expect(page).toHaveURL(/\/triage\/audit-bundles\/new\?artifactId=asset-review-prod$/);
+  await expect(page.getByLabel('Name')).toHaveValue('asset-review-prod');
+});
+
+test('workspace preserves panel and tab state and security aliases resolve into canonical triage routes', async ({ page }) => {
+  await page.goto('/triage/artifacts?lane=review', { waitUntil: 'networkidle' });
+
+  await page.getByTestId('triage-open-asset-review-prod').click();
+  await expect(page).toHaveURL(/\/triage\/artifacts\/asset-review-prod\?lane=review&panel=history$/);
+  await expect(page.getByText('Recent decision events')).toBeVisible();
+
+  await page.getByRole('tab', { name: 'Reachability' }).click();
+  await page.getByTestId('triage-panel-ai').click();
+
+  await expect(page).toHaveURL(/\/triage\/artifacts\/asset-review-prod\?lane=review&panel=ai&findingId=finding-review-001&tab=reachability$/);
+  await expect(page.getByText('Suggested next move')).toBeVisible();
+
+  await navigateClientSide(page, '/security/artifacts/asset-review-prod?tab=reachability&panel=history');
+  await expect(page).toHaveURL(/\/triage\/artifacts\/asset-review-prod\?tab=reachability&panel=history$/);
+  await expect(page.getByText('Recent decision events')).toBeVisible();
+});