setup and mock fixes

docs/modules/ui/README.md

@@ -6,11 +6,20 @@
 
 > **Related:** See [`../web/`](../web/) for triage-specific UX documentation (Smart-Diff, Triage Canvas, Risk Dashboard).
 
-The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
-
-## Latest updates (2025-11-30)
-- Docs refreshed per `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`; added observability runbook stub and TASKS mirror.
-- Access-control guidance from 2025-11-03 remains valid; ensure Authority scopes are verified before enabling uploads.
+The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
+
+## Latest updates (2026-02-21)
+- Runtime mock cutover completed for policy simulation history/conflict/batch flows and graph explorer data loading in `src/Web/StellaOps.Web/src/app/**`.
+- Runtime bindings now resolve to backend APIs for:
+  - Policy simulation history/compare/reproducibility/pin (`/policy/simulations/**`)
+  - Policy conflict detection/resolution (`/policy/conflicts/**`)
+  - Policy batch evaluations (`/policy/batch-evaluations/**`)
+  - Graph explorer tile/metadata reads (`/api/graph/**`)
+- Inline component mock datasets were removed from these runtime paths; test/dev mock clients remain available only via explicit test wiring.
+
+## Latest updates (2025-11-30)
+- Docs refreshed per `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`; added observability runbook stub and TASKS mirror.
+- Access-control guidance from 2025-11-03 remains valid; ensure Authority scopes are verified before enabling uploads.
 
 ## Responsibilities
 - Render real-time status for ingestion, scanning, policy, and exports via SSE.

docs/modules/ui/v2-rewire/S00_endpoint_contract_ledger_v2_pack22.md

@@ -27,6 +27,8 @@ Supersedes for new IA planning: `S00_endpoint_contract_ledger_v1.md` remains his
 | Releases | Approvals queue (cross-release) | `source-of-truth.md 3.3`, `pack-22.md 5`, `pack-17.md` | `/release-control/approvals` (legacy) | Existing `/api/v1/approvals`; add `/api/v2/releases/approvals` alias with richer metadata | `EXISTS_COMPAT` | `Policy` + `ReleaseOrchestrator` + `Platform` | Existing reviewer/approver scopes (`orch:read` path for queue projection) | Shipped release identity fields, blocker summaries, and region/env filters in `/api/v2/releases/approvals` projection | Single queue UX dependency unblocked for FE contract migration; v1 approvals endpoint remains for backward compatibility | `S22-T03-REL-04` |
 | Topology | Regions, Environments, Targets/Hosts, Agents | `source-of-truth.md 3.4`, `pack-22.md 5`, `pack-18.md` | Legacy under `/release-control/regions`, `/platform-ops/agents`, `/integrations/hosts` | `GET /api/v2/topology/regions`; `GET /api/v2/topology/environments`; `GET /api/v2/topology/targets`; `GET /api/v2/topology/hosts`; `GET /api/v2/topology/agents` | `EXISTS_COMPAT` | `Platform` + `ReleaseOrchestrator` + `Integrations` | `platform.topology.read` policy now mapped to existing `orch:read` scope in Platform auth wiring | Shipped migration `049_TopologyInventory.sql` with normalized region/environment/target/host/agent projection tables and sync watermark tracking | Duplicate inventory placement can now be removed from Integrations/Operations nav during FE route migration | `S22-T04-TOP-01` |
 | Topology | Promotion Paths, Workflows, Gate Profiles | `source-of-truth.md 3.4`, `pack-22.md 5`, `pack-13.md` | Legacy setup pages under `/release-control/setup/*` | `GET /api/v2/topology/promotion-paths`; `GET /api/v2/topology/workflows`; `GET /api/v2/topology/gate-profiles`; write routes in follow-up sprint | `EXISTS_COMPAT` | `ReleaseOrchestrator` + `Policy` + `Platform` | Topology read policy uses existing `orch:read` scope; write-authoring scopes stay in module-owned follow-up routes | Shipped deterministic read projections for paths/workflows/gate profiles with region/environment filters; write contracts remain follow-up scope | FE can consume read contracts now; explicit write routes can phase in a subsequent sprint without blocking Pack 22 IA cutover | `S22-T04-TOP-02` |
+| Policy | Policy Simulation Studio (history, compare, reproducibility, conflicts, batch evaluations) | `source-of-truth.md 3.8`, `pack-22.md 5` | `/policy/simulation/*` | `GET /policy/simulations/history`; `GET /policy/simulations/compare`; `POST /policy/simulations/{simulationId}/verify`; `PATCH /policy/simulations/{simulationId}`; `POST /policy/conflicts/detect`; `POST /policy/conflicts/{conflictId}/resolve`; `POST /policy/conflicts/auto-resolve`; `POST /policy/batch-evaluations`; `GET /policy/batch-evaluations`; `GET /policy/batch-evaluations/{batchId}`; `POST /policy/batch-evaluations/{batchId}/cancel` | `EXISTS_COMPAT` | `Policy` | Existing `policy:simulate` + policy read scopes | FE runtime cutover (Sprint 042) removed inline component mock datasets and now binds these screens to backend responses through `POLICY_SIMULATION_API -> PolicySimulationHttpClient` | Keep mock simulation service for test harness wiring only; runtime bindings must remain tokenized in app config | `S22-T10-POL-01` |
+| Security | Graph Explorer (runtime graph metadata/tile fetch) | `source-of-truth.md 3.5`, `pack-19.md`, `pack-22.md 5` | `/analyze/graph` | `GET /api/graph/graphs`; `GET /api/graph/graphs/{graphId}/tiles` | `EXISTS_COMPAT` | `Graph` + `Platform` | Existing `graph:read` viewer scope | FE runtime cutover (Sprint 042) removed inline `MOCK_NODES`/`MOCK_EDGES` from graph explorer and now maps graph tile payloads to canvas node/edge view-models | If graph inventory is empty, UI renders deterministic empty state; endpoint aliasing remains gateway-owned | `S22-T10-SEC-04` |
 | Security | Findings unified explorer with pivots | `source-of-truth.md 3.5`, `pack-22.md 5`, `pack-19.md` | `/security-risk/findings`, `/security-risk/vulnerabilities`, `/security-risk/reachability` | `GET /api/v2/security/findings`; legacy `/api/v1/security/findings` and `/api/v1/security/vulnerabilities` retained during migration | `EXISTS_COMPAT` | `Scanner` + `Platform` | `platform.security.read` mapped to existing `findings:read` viewer scope in Platform policy map | Shipped pivot/facet schema (CVE/package/component/release/environment), disposition summary columns, and deterministic filter/sort envelope in B22-04 | Legacy endpoints stay available through cutover window; FE security explorer can migrate to v2 contract | `S22-T05-SEC-01` |
 | Security | Disposition (VEX + Exceptions UX join) | `source-of-truth.md 2.3`, `source-of-truth.md 3.5`, `pack-22.md 5` | `/security-risk/vex`, `/security-risk/exceptions` (legacy split) | `GET /api/v2/security/disposition`; `GET /api/v2/security/disposition/{findingId}`; exception/VEX writes remain module-owned routes | `EXISTS_COMPAT` | `Policy` + `Scanner` + `Platform` | `platform.security.read` mapped to `findings:read` for read projection; exception/VEX writes keep module approval scopes | Shipped migration `050_SecurityDispositionProjection.sql` for read-only disposition projection joining VEX state and exception state | Write authority boundaries preserved by design: no combined `/api/v2/security/disposition/exceptions` POST route in Platform | `S22-T05-SEC-02` |
 | Security | SBOM Explorer (table/graph/diff) | `source-of-truth.md 2.3`, `source-of-truth.md 3.5`, `pack-22.md 5` | `/security-risk/sbom`, `/security-risk/sbom-lake` | `GET /api/v2/security/sbom-explorer?mode=table|graph|diff` with release compare filters | `EXISTS_COMPAT` | `Scanner` + `Graph` + `Platform` | `platform.security.read` mapped to existing `findings:read` viewer scope | Shipped unified response envelope for table/graph/diff views with deterministic diff composition from migration `050` projection objects | Enables FE to collapse dual SBOM routes onto one v2 explorer contract | `S22-T05-SEC-03` |