docs: seed vuln parity sbom list with available fixtures

docs/db/reports/vuln-parity-sbom-sample-20251209.md

@@ -12,10 +12,10 @@ Use this list for PG-T5b.3–5b.4 parity runs (Mongo vs Postgres). Keep counts d
 | # | SBOM path | Ecosystem | Size | Hash (SHA256) | Notes |
 |---|-----------|-----------|------|---------------|-------|
 | 1 | docs/scripts/sbom-vex/sbom.json | npm | ~95 KB | <fill> | Deterministic compose sample used in sbom-vex proof. |
-| 2 | <add> | go | <fill> | TODO: pick Go SBOM fixture; store under docs/db/reports/assets/vuln-parity-20251211/. |
-| 3 | <add> | pypi | <fill> | TODO: pick Python SBOM fixture. |
-| 4 | <add> | maven | <fill> | TODO: pick Java/Maven SBOM fixture. |
-| 5 | <add> | rpm/deb | <fill> | TODO: pick OS package SBOM fixture (if available). |
+| 2 | docs/examples/policies/sample-sbom.json | npm | small | <fill> | Tiny npm sample for quick parity sanity. |
+| 3 | tests/Graph/StellaOps.Graph.Indexer.Tests/Fixtures/v1/sbom-snapshot.json | mixed | <fill> | Graph indexer SBOM snapshot used in tests. |
+| 4 | <add: go> | go | <fill> | TODO: create/store Go SBOM under docs/db/reports/assets/vuln-parity-20251211/. |
+| 5 | <add: pypi/maven/os> | pypi or maven or rpm/deb | <fill> | TODO: add one non-npm ecosystem SBOM for coverage. |
 
 ## Determinism guardrails
 - Do not change sample set after hashes recorded.

docs/implplan/SPRINT_0211_0001_0003_ui_iii.md

@@ -74,3 +74,4 @@
 | 2025-11-30 | Normalised sprint to standard template and renamed file from `SPRINT_211_ui_iii.md` to `SPRINT_0211_0001_0003_ui_iii.md`; no task status changes. | Planning |
 | 2025-12-06 | Corrected working directory to `src/Web/StellaOps.Web`; unblocked Delivery Tracker items accordingly. Reachability fixtures still required. | Implementer |
 | 2025-12-06 | Added Policy Studio scope help text to Console Profile and introduced policy auth fixtures + seeding helper (`src/Web/StellaOps.Web/src/app/testing/auth-*.ts`) with APP_INITIALIZER hook (`window.__stellaopsTestSession`) for Cypress/e2e stubbing. | Implementer |
+| 2025-12-06 | Tightened approvals guard (requires `policy:read` + review/approve) and updated workspace scope hints; attempted Playwright `tests/e2e/auth.spec.ts` with seeded session but webServer (ng serve) timed out starting locally; rerun in CI or with longer warmup. | Implementer |

src/Web/StellaOps.Web/playwright.config.ts

@@ -18,5 +18,6 @@ export default defineConfig({
     url: `http://127.0.0.1:${port}`,
     stdout: 'ignore',
     stderr: 'ignore',
+    timeout: 120_000,
   },
 });

src/Web/StellaOps.Web/src/app/app.routes.ts

@@ -99,7 +99,7 @@ export const routes: Routes = [
   },
   {
     path: 'policy-studio/packs/:packId/approvals',
-    canMatch: [requirePolicyReviewerGuard],
+    canMatch: [requirePolicyReviewOrApproveGuard],
     loadComponent: () =>
       import('./features/policy-studio/approvals/policy-approvals.component').then(
         (m) => m.PolicyApprovalsComponent

src/Web/StellaOps.Web/src/app/core/auth/auth.guard.ts

@@ -101,6 +101,28 @@ export function requireAnyScopeGuard(
   };
 }
 
+/**
+ * Guard requiring policy:read and either policy:review or policy:approve for approval workflows.
+ */
+export const requirePolicyReviewOrApproveGuard: CanMatchFn = () => {
+  const auth = inject(AuthSessionStore);
+  const router = inject(Router);
+
+  if (!auth.isAuthenticated()) {
+    return router.createUrlTree(['/welcome']);
+  }
+
+  const scopes = auth.session()?.scopes ?? [];
+  if (scopes.includes(StellaOpsScopes.ADMIN)) return true;
+
+  const hasRead = scopes.includes(StellaOpsScopes.POLICY_READ);
+  const hasReviewOrApprove =
+    scopes.includes(StellaOpsScopes.POLICY_REVIEW) || scopes.includes(StellaOpsScopes.POLICY_APPROVE);
+
+  if (hasRead && hasReviewOrApprove) return true;
+  return router.createUrlTree(['/console/profile']);
+};
+
 // Pre-built guards for common scope requirements (UI-ORCH-32-001)
 
 /**

src/Web/StellaOps.Web/src/app/features/console/console-profile.component.html

@@ -35,6 +35,7 @@
         <li><strong>Approver</strong>: policy:read, policy:review, policy:approve, policy:simulate</li>
         <li><strong>Operator</strong>: policy:read, policy:operate, policy:activate, policy:run, policy:simulate</li>
         <li><strong>Audit</strong>: policy:read, policy:audit</li>
+        <li><strong>Admin</strong>: policy:author/review/approve/operate/audit/simulate/read (or admin)</li>
       </ul>
       <p class="console-profile__hint">
         Use this list to verify your token covers the flows you need (editor, simulate, approvals, dashboard, audit exports).

src/Web/StellaOps.Web/src/app/features/policy-studio/workspace/policy-workspace.component.ts

@@ -133,6 +133,9 @@ export class PolicyWorkspaceComponent {
   protected canAuthor = false;
   protected canSimulate = false;
   protected canReview = false;
+  protected canApprove = false;
+  protected canOperate = false;
+  protected canAudit = false;
   protected canView = false;
   protected scopeHint = '';
   protected refreshing = false;
@@ -167,11 +170,17 @@ export class PolicyWorkspaceComponent {
     this.canSimulate = this.auth.canSimulatePolicies?.() ?? false;
     this.canReview = this.auth.canReviewPolicies?.() ?? false;
     this.canView = this.auth.canViewPolicies?.() ?? false;
+    this.canApprove = this.auth.canApprovePolicies?.() ?? false;
+    this.canOperate = this.auth.canOperatePolicies?.() ?? false;
+    this.canAudit = this.auth.canAuditPolicies?.() ?? false;
     const missing: string[] = [];
     if (!this.canView) missing.push('policy:read');
     if (!this.canAuthor) missing.push('policy:author');
     if (!this.canSimulate) missing.push('policy:simulate');
     if (!this.canReview) missing.push('policy:review');
+    if (!this.canApprove) missing.push('policy:approve');
+    if (!this.canOperate) missing.push('policy:operate');
+    if (!this.canAudit) missing.push('policy:audit');
     this.scopeHint = missing.length ? `Missing scopes: ${missing.join(', ')}` : '';
   }
 }