Repair live watchlist frontdoor routing

docs/implplan/SPRINT_20260309_017_Router_watchlist_frontdoor_scope_repair.md

@@ -0,0 +1,78 @@
+# Sprint 20260309-017 - Router Watchlist Frontdoor Scope Repair
+
+## Topic & Scope
+- Repair the live watchlist contract exposed from Notifications so the frontdoor routes to the correct service and the backend authorizes the scopes the UI actually receives.
+- Keep the fix at the source layers: router frontdoor mapping, Attestor watchlist authorization, and the watchlist documentation that defines the operator-facing contract.
+- Verify with targeted Attestor tests plus authenticated live Playwright actions against `https://stella-ops.local` after rebuilding only the touched services.
+- Working directory: `devops/compose`.
+- Allowed coordination edits: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/**`, `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/**`, `docs/modules/attestor/**`, `src/Web/StellaOps.Web/scripts/live-ops-policy-action-sweep.mjs`, `docs/implplan/SPRINT_20260309_017_Router_watchlist_frontdoor_scope_repair.md`.
+- Expected evidence: targeted `.csproj` test run, rebuilt router/attestor images, redeployed live stack slice, refreshed Playwright artifacts for Notifications -> Watchlist actions.
+
+## Dependencies & Concurrency
+- Depends on `SPRINT_20260309_001_Platform_scratch_setup_bootstrap_restore.md` for the scratch rebuild baseline and `SPRINT_20260309_002_FE_live_frontdoor_canonical_route_sweep.md` for the authenticated failure inventory.
+- Safe parallelism: do not absorb unrelated Policy, Search, or component-revival changes; stage only the router/Attestor/docs slice for this iteration.
+
+## Documentation Prerequisites
+- `AGENTS.md`
+- `docs/code-of-conduct/CODE_OF_CONDUCT.md`
+- `docs/qa/feature-checks/FLOW.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/guides/identity-watchlist.md`
+- `docs/modules/platform/architecture-overview.md`
+
+## Delivery Tracker
+
+### WATCHLIST-LIVE-017-001 - Repair frontdoor watchlist routing and auth alignment
+Status: DONE
+Dependency: none
+Owners: Developer, Test Automation
+Task description:
+- Correct the live `/api/v1/watchlist*` frontdoor route so requests reach Attestor instead of Scanner, then align Attestor watchlist authorization and admin checks with the canonical trust scope family already issued to the console session.
+- Add targeted tests that prove trust-scoped users can read and mutate tenant watchlist data and that admin-only behaviors still require the elevated admin scope.
+
+Completion criteria:
+- [ ] `/api/v1/watchlist` and `/api/v1/watchlist/alerts` route to Attestor through the frontdoor.
+- [ ] Watchlist read/write/admin behavior accepts the canonical trust scopes used by the live UI session.
+- [ ] Targeted Attestor tests fail before the change and pass after it.
+
+### WATCHLIST-LIVE-017-002 - Rebuild and redeploy the repaired router/attestor slice
+Status: DONE
+Dependency: WATCHLIST-LIVE-017-001
+Owners: Developer, QA
+Task description:
+- Rebuild the changed images from source, redeploy only the touched runtime slice, and confirm the direct and frontdoor watchlist endpoints are ready before browser verification resumes.
+
+Completion criteria:
+- [ ] Router and Attestor images are rebuilt from the current source.
+- [ ] The compose stack is updated without disturbing unrelated in-flight work.
+- [ ] Direct and frontdoor probes reach the watchlist surface successfully.
+
+### WATCHLIST-LIVE-017-003 - Reverify Notifications watchlist actions with Playwright
+Status: DONE
+Dependency: WATCHLIST-LIVE-017-002
+Owners: QA
+Task description:
+- Rerun the authenticated Notifications/Watchlist action checks with Playwright, confirm the watchlist pages and actions no longer fail, and capture any remaining defects for the next iteration.
+
+Completion criteria:
+- [ ] Authenticated Playwright rechecks cover the Notifications -> Watchlist tuning and alerts actions on the rebuilt stack.
+- [ ] Artifacts are refreshed under `src/Web/StellaOps.Web/output/playwright/`.
+- [ ] Remaining failures, if any, are written into the execution log instead of being masked.
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-03-09 | Sprint created after the rebuilt live Notifications sweep proved `/api/v1/watchlist*` was frontdoored to Scanner and the Attestor watchlist auth still enforced stale legacy scope names not present in the live console session. | Developer |
+| 2026-03-09 | Repointed `/api/v1/watchlist*` to Attestor in both router configs, aligned watchlist auth/admin checks with `trust:*` plus legacy aliases, and switched watchlist tenant resolution onto the canonical tenant resolver. | Developer |
+| 2026-03-09 | Added targeted Attestor watchlist authorization tests and updated watchlist docs to advertise the trust-scope contract that the live console session actually uses. | Developer |
+| 2026-03-09 | Rebuilt `router-gateway` and `attestor`, redeployed only those services, verified direct Attestor readiness (`/health/ready`) and frontdoor watchlist API `200`, then reran Playwright to confirm Notifications links now open watchlist tuning and alerts with zero runtime errors. | QA |
+
+## Decisions & Risks
+- Decision: align watchlist authorization with the canonical trust scope family (`trust:read`, `trust:write`, `trust:admin`) instead of preserving the stale dotted `watchlist.*` scopes that the Authority session no longer issues.
+- Decision: keep legacy `watchlist:*` and `watchlist.*` aliases accepted in Attestor while moving the documented/live contract to `trust:*`, so older automation stays compatible during the transition.
+- Risk: the reverse-proxy and default router configs must stay in sync; update both or the fallback transport mode will drift again.
+
+## Next Checkpoints
+- 2026-03-09: land the router/Attestor/test/doc fix slice.
+- 2026-03-09: rebuild and redeploy router plus Attestor from source.
+- 2026-03-09: rerun Playwright Notifications watchlist actions and commit the iteration.

docs/modules/attestor/architecture.md

@@ -927,11 +927,13 @@ The Attestor provides proactive monitoring for signing identities appearing in t
 
 ### Scope Hierarchy
 
-| Scope | Visibility | Who Can Create |
-|-------|------------|----------------|
-| `tenant` | Owning tenant only | Tenant admins |
-| `global` | All tenants | Platform admins |
-| `system` | All tenants (read-only) | System bootstrap |
+| Scope | Visibility | Who Can Create |
+|-------|------------|----------------|
+| `tenant` | Owning tenant only | Operators with `trust:write` |
+| `global` | All tenants | Platform admins with `trust:admin` |
+| `system` | All tenants (read-only) | System bootstrap |
+
+Authorization for the live watchlist surface follows the canonical trust scope family (`trust:read`, `trust:write`, `trust:admin`). The service still accepts legacy `watchlist:*` aliases for backward compatibility, but new clients and UI sessions should rely on the trust scopes.
 
 ### Event Flow
 

docs/modules/attestor/guides/identity-watchlist.md

@@ -52,10 +52,12 @@ A watchlist entry defines an identity pattern to monitor and alert configuration
 
 | Scope | Description | Who Can Create |
 |-------|-------------|----------------|
-| `tenant` | Visible only to owning tenant | Any user with `watchlist:write` |
-| `global` | Shared across all tenants | Administrators only |
+| `tenant` | Visible only to owning tenant | Any user with `trust:write` |
+| `global` | Shared across all tenants | Administrators with `trust:admin` |
 | `system` | System-managed entries | System only |
 
+Console and frontdoor watchlist flows use the canonical trust scope family: `trust:read`, `trust:write`, and `trust:admin`. Legacy `watchlist:*` aliases remain accepted for older clients, but new integrations should use the trust scopes.
+
 ## CLI Usage
 
 ### Adding a Watchlist Entry