feat(ui): ship trust-owned identity watchlist shell

src/Web/StellaOps.Web/tests/e2e/watchlist-shell.spec.ts

@@ -0,0 +1,334 @@
+import { expect, test, type Page, type Route } from '@playwright/test';
+
+import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
+
+const adminSession: StubAuthSession = {
+  subjectId: 'e2e-admin-user',
+  tenant: 'tenant-default',
+  scopes: [
+    'admin',
+    'ui.read',
+    'ui.admin',
+    'release:read',
+    'release:write',
+    'release:publish',
+    'scanner:read',
+    'sbom:read',
+    'advisory:read',
+    'vex:read',
+    'vex:export',
+    'exception:read',
+    'exception:approve',
+    'exceptions:read',
+    'findings:read',
+    'vuln:view',
+    'policy:read',
+    'policy:author',
+    'policy:review',
+    'policy:approve',
+    'policy:simulate',
+    'policy:audit',
+    'orch:read',
+    'orch:operate',
+    'health:read',
+    'notify.viewer',
+    'signer:read',
+    'authority:audit.read',
+  ],
+};
+
+const mockConfig = {
+  authority: {
+    issuer: '/authority',
+    clientId: 'stella-ops-ui',
+    authorizeEndpoint: '/authority/connect/authorize',
+    tokenEndpoint: '/authority/connect/token',
+    logoutEndpoint: '/authority/connect/logout',
+    redirectUri: 'https://127.0.0.1:4400/auth/callback',
+    postLogoutRedirectUri: 'https://127.0.0.1:4400/',
+    scope: 'openid profile email ui.read',
+    audience: '/gateway',
+    dpopAlgorithms: ['ES256'],
+    refreshLeewaySeconds: 60,
+  },
+  apiBaseUrls: {
+    authority: '/authority',
+    scanner: '/scanner',
+    policy: '/policy',
+    concelier: '/concelier',
+    attestor: '/attestor',
+    gateway: '/gateway',
+  },
+  quickstartMode: true,
+  setup: 'complete',
+};
+
+function isoMinutesAgo(minutes: number): string {
+  return new Date(Date.now() - minutes * 60 * 1000).toISOString();
+}
+
+const watchlistEntries = [
+  {
+    id: '11111111-1111-1111-1111-111111111111',
+    tenantId: 'tenant-default',
+    displayName: 'GitHub Actions Watcher',
+    description: 'Track GitHub release signers',
+    issuer: 'https://token.actions.githubusercontent.com',
+    subjectAlternativeName: 'repo:org/*',
+    matchMode: 'Glob',
+    scope: 'Tenant',
+    severity: 'Critical',
+    enabled: true,
+    suppressDuplicatesMinutes: 60,
+    channelOverrides: ['slack:security-alerts'],
+    tags: ['ci', 'github'],
+    createdAt: '2026-03-01T08:00:00Z',
+    updatedAt: '2026-03-06T08:00:00Z',
+    createdBy: 'admin@example.com',
+    updatedBy: 'admin@example.com',
+  },
+  {
+    id: '22222222-2222-2222-2222-222222222222',
+    tenantId: 'tenant-default',
+    displayName: 'Google Cloud IAM',
+    description: 'Track Google Cloud service account identities',
+    issuer: 'https://accounts.google.com',
+    matchMode: 'Prefix',
+    scope: 'Tenant',
+    severity: 'Warning',
+    enabled: true,
+    suppressDuplicatesMinutes: 120,
+    tags: ['cloud', 'gcp'],
+    createdAt: '2026-03-02T08:00:00Z',
+    updatedAt: '2026-03-05T08:00:00Z',
+    createdBy: 'admin@example.com',
+    updatedBy: 'admin@example.com',
+  },
+];
+
+const watchlistAlerts = [
+  {
+    alertId: 'alert-001',
+    watchlistEntryId: '11111111-1111-1111-1111-111111111111',
+    watchlistEntryName: 'GitHub Actions Watcher',
+    severity: 'Critical',
+    matchedIssuer: 'https://token.actions.githubusercontent.com',
+    matchedSan: 'repo:org/app:ref:refs/heads/main',
+    rekorUuid: 'abc123def456',
+    rekorLogIndex: 12345678,
+    occurredAt: isoMinutesAgo(15),
+  },
+  {
+    alertId: 'alert-002',
+    watchlistEntryId: '22222222-2222-2222-2222-222222222222',
+    watchlistEntryName: 'Google Cloud IAM',
+    severity: 'Warning',
+    matchedIssuer: 'https://accounts.google.com',
+    matchedSan: 'service-account@project.iam.gserviceaccount.com',
+    rekorUuid: 'xyz789abc012',
+    rekorLogIndex: 12345679,
+    occurredAt: isoMinutesAgo(120),
+  },
+];
+
+const watchlistEntriesRoute = /\/api\/v1\/watchlist(?:\?.*)?$/;
+const watchlistAlertsRoute = /\/api\/v1\/watchlist\/alerts(?:\?.*)?$/;
+
+async function fulfillJson(route: Route, body: unknown): Promise<void> {
+  await route.fulfill({
+    status: 200,
+    contentType: 'application/json',
+    body: JSON.stringify(body),
+  });
+}
+
+async function setupHarness(page: Page): Promise<void> {
+  await page.addInitScript((session) => {
+    (window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
+  }, adminSession);
+
+  await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/.well-known/openid-configuration', (route) =>
+    fulfillJson(route, {
+      issuer: 'https://127.0.0.1:4400/authority',
+      authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
+      token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
+      jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
+      response_types_supported: ['code'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['RS256'],
+    })
+  );
+  await page.route('**/authority/.well-known/jwks.json', (route) =>
+    fulfillJson(route, { keys: [] })
+  );
+  await page.route('**/console/profile**', (route) =>
+    fulfillJson(route, {
+      subjectId: adminSession.subjectId,
+      username: 'qa-tester',
+      displayName: 'QA Test User',
+      tenant: adminSession.tenant,
+      roles: ['admin'],
+      scopes: adminSession.scopes,
+    })
+  );
+  await page.route('**/console/token/introspect**', (route) =>
+    fulfillJson(route, {
+      active: true,
+      tenant: adminSession.tenant,
+      subject: adminSession.subjectId,
+      scopes: adminSession.scopes,
+    })
+  );
+  await page.route('**/api/v2/context/regions', (route) =>
+    fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }])
+  );
+  await page.route('**/api/v2/context/environments**', (route) =>
+    fulfillJson(route, [
+      {
+        environmentId: 'prod',
+        regionId: 'eu-west',
+        environmentType: 'prod',
+        displayName: 'Prod',
+        sortOrder: 1,
+        enabled: true,
+      },
+    ])
+  );
+  await page.route('**/api/v2/context/preferences', (route) =>
+    fulfillJson(route, {
+      tenantId: adminSession.tenant,
+      actorId: adminSession.subjectId,
+      regions: ['eu-west'],
+      environments: ['prod'],
+      timeWindow: '24h',
+      stage: 'all',
+      updatedAt: '2026-03-07T12:00:00Z',
+      updatedBy: adminSession.subjectId,
+    })
+  );
+  await page.route('**/doctor/api/v1/doctor/trends**', (route) => fulfillJson(route, []));
+  await page.route('**/api/v1/approvals**', (route) => fulfillJson(route, []));
+  await page.route('**/api/v1/trust/dashboard**', (route) =>
+    fulfillJson(route, {
+      keys: { total: 12, active: 9, expiringSoon: 2, expired: 1, revoked: 0, pendingRotation: 1 },
+      issuers: { total: 8, fullTrust: 3, partialTrust: 3, minimalTrust: 1, untrusted: 1, blocked: 0, averageTrustScore: 86.4 },
+      certificates: { total: 5, valid: 4, expiringSoon: 1, expired: 0, revoked: 0, invalidChains: 0 },
+      recentEvents: [],
+      expiryAlerts: [],
+    })
+  );
+  await page.route(watchlistEntriesRoute, (route) =>
+    fulfillJson(route, { items: watchlistEntries, totalCount: watchlistEntries.length })
+  );
+  await page.route(watchlistAlertsRoute, (route) =>
+    fulfillJson(route, { items: watchlistAlerts, totalCount: watchlistAlerts.length })
+  );
+  await page.route('**/api/v1/notify/channels**', (route) =>
+    fulfillJson(route, [
+      {
+        schemaVersion: '1.0',
+        channelId: 'channel-1',
+        tenantId: 'tenant-default',
+        name: 'Security Slack',
+        displayName: 'Security Slack',
+        type: 'Slack',
+        enabled: true,
+        config: { secretRef: 'notify/slack', target: '#security', endpoint: 'https://hooks.slack.com', properties: {} },
+        labels: {},
+        metadata: {},
+        createdBy: 'system',
+        createdAt: '2026-03-01T08:00:00Z',
+        updatedBy: 'system',
+        updatedAt: '2026-03-01T08:00:00Z',
+      },
+    ])
+  );
+  await page.route('**/api/v1/notify/rules**', (route) =>
+    fulfillJson(route, [
+      {
+        schemaVersion: '1.0',
+        ruleId: 'rule-1',
+        tenantId: 'tenant-default',
+        name: 'Critical alerts',
+        enabled: true,
+        match: { eventKinds: ['watchlist.alert'], labels: ['critical'], minSeverity: 'critical' },
+        actions: [{ actionId: 'action-1', channel: 'channel-1', digest: 'instant', enabled: true, metadata: {} }],
+        labels: {},
+        metadata: {},
+        createdBy: 'system',
+        createdAt: '2026-03-01T08:00:00Z',
+        updatedBy: 'system',
+        updatedAt: '2026-03-01T08:00:00Z',
+      },
+    ])
+  );
+  await page.route('**/api/v1/notify/deliveries**', (route) =>
+    fulfillJson(route, {
+      items: [
+        {
+          deliveryId: 'delivery-1',
+          tenantId: 'tenant-default',
+          channelId: 'channel-1',
+          ruleId: 'rule-1',
+          kind: 'watchlist.alert',
+          status: 'Sent',
+          rendered: { target: '#security', subject: 'Critical watchlist alert' },
+          createdAt: '2026-03-07T14:32:00Z',
+        },
+      ],
+      totalCount: 1,
+    })
+  );
+  await page.route('**/api/v1/notify/channels/*/health**', (route) =>
+    fulfillJson(route, {
+      status: 'Healthy',
+      message: 'Channel operating normally',
+      checkedAt: '2026-03-07T16:15:00Z',
+      traceId: 'trace-1',
+    })
+  );
+}
+
+test.beforeEach(async ({ page }) => {
+  await setupHarness(page);
+});
+
+test('watchlist shell supports entries, alerts, and tuning in one routed page', async ({ page }) => {
+  await page.goto('/setup/trust-signing/watchlist/entries', { waitUntil: 'networkidle' });
+
+  await expect(page.getByTestId('watchlist-page')).toBeVisible();
+  await expect(page.getByRole('button', { name: 'Entries' })).toHaveClass(/active/);
+  await expect(page.getByTestId('create-entry-btn')).toBeVisible();
+
+  await page.getByRole('button', { name: 'Alerts' }).click();
+  await expect(page).toHaveURL(/\/setup\/trust-signing\/watchlist\/alerts/);
+  await expect(page.getByTestId('alerts-window-select')).toHaveValue('24h');
+  await page.getByRole('button', { name: 'View' }).first().click();
+  await expect(page.getByTestId('alert-detail')).toBeVisible();
+  await page.getByRole('button', { name: 'Jump to rule' }).click();
+  await expect(page).toHaveURL(/\/setup\/trust-signing\/watchlist\/entries/);
+  await expect(page.getByTestId('entry-form')).toBeVisible();
+
+  await page.getByRole('button', { name: 'Tuning' }).click();
+  await expect(page).toHaveURL(/\/setup\/trust-signing\/watchlist\/tuning/);
+  await expect(page.getByTestId('tuning-form')).toBeVisible();
+});
+
+test('mission alerts deep-link into the canonical watchlist alerts flow', async ({ page }) => {
+  await page.goto('/mission-control/alerts', { waitUntil: 'networkidle' });
+
+  await page.getByRole('link', { name: 'Identity watchlist alert requires signer review' }).click();
+  await expect(page).toHaveURL(/\/setup\/trust-signing\/watchlist\/alerts/);
+  await expect(page.getByTestId('alert-detail')).toBeVisible();
+});
+
+test('notifications hand off to watchlist tuning without spawning a second shell', async ({ page }) => {
+  await page.goto('/ops/operations/notifications', { waitUntil: 'networkidle' });
+
+  await expect(page.getByText('Watchlist handoff')).toBeVisible();
+  await page.getByRole('link', { name: 'Open watchlist tuning' }).click();
+  await expect(page).toHaveURL(/\/setup\/trust-signing\/watchlist\/tuning/);
+  await expect(page.getByTestId('tuning-form')).toBeVisible();
+});