Archive completed Sprint 020 (all 6 quality fixes shipped)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -0,0 +1,111 @@
|
||||
# Sprint 20260316-020 — Deep Journey Quality Fixes
|
||||
|
||||
## Topic & Scope
|
||||
- Fix issues found during deep first-time DevOps/security engineer journey (iteration 2).
|
||||
- Scan submit field mismatch (HIGH), user ID display, feed auto-check.
|
||||
- Working directory: `src/Web/StellaOps.Web/`.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- No upstream dependencies.
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### J20-T01 - Fix scan submit scanId field mismatch
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Scanner API returns `scanId` (not `id`) and PascalCase status (`Pending`, `Completed`).
|
||||
- Component expected `id` and lowercase status.
|
||||
- Fixed: resolve `scanId ?? id`, normalize status to lowercase.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Scan submit extracts ID from `scanId` field
|
||||
- [x] Status polling handles PascalCase status values
|
||||
- [x] Angular build succeeds
|
||||
|
||||
### J20-T02 - Integration detail: show username instead of raw user ID
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integration detail page shows raw user ID hash (e.g., `9a2d07300a014c26ba215595bb282128`) in "Created by" field.
|
||||
- Should show `admin` or truncated form like "User 9a2d0730...".
|
||||
|
||||
### J20-T03 - Advisory sources: auto-check on first visit
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Dashboard Feed Status shows "0 healthy" until user manually clicks Check All.
|
||||
- Consider: trigger initial health check batch when advisory sources page is first loaded with 0 checked sources.
|
||||
- Alternative: show "Not yet checked" instead of "0 healthy" when no checks have run.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-03-16 | Sprint created from deep journey iteration 2. | Developer |
|
||||
| 2026-03-16 | J20-T01 DONE: Fixed scanId field mismatch + PascalCase status normalization. | Developer |
|
||||
|
||||
### J20-T04 - Fix critical route redirect race condition
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- PlatformContextUrlSyncService used router.navigateByUrl() to sync query params
|
||||
which re-evaluated canMatch guards during auth session hydration, causing random
|
||||
page redirects across ALL routes.
|
||||
- Fixed: replaced with Location.replaceState() which updates browser URL without
|
||||
triggering Angular router navigation (and thus guards).
|
||||
|
||||
### J20-T05 - Fix exception scope mismatch (singular vs plural)
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Authority issues 'exceptions:read' (plural) but guards checked 'exception:read' (singular).
|
||||
- Fixed scope constants and description map to use plural form.
|
||||
|
||||
### J20-T06 - Fix admin scope bypass (admin vs ui.admin)
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Guards checked for 'admin' scope but token has 'ui.admin'.
|
||||
- Fixed: admin bypass in all guards now accepts both 'admin' and 'ui.admin'.
|
||||
|
||||
## Decisions & Risks
|
||||
- J20-T01 is a blocking bug — scan submit is a primary user workflow.
|
||||
- J20-T02 and J20-T03 are UX polish items.
|
||||
- J20-T04 is the MOST CRITICAL fix — route redirects affected every page in the app.
|
||||
- J20-T05 and J20-T06 are correctness fixes that enable proper RBAC.
|
||||
|
||||
## Journey Path Record
|
||||
**Completed journey depth (iteration 2):**
|
||||
1. Fresh install → login → dashboard (3-column verified, welcome guide when empty, real data when populated)
|
||||
2. Sidebar 5 groups verified (Release Control, Security, Operations, Audit & Evidence, Setup & Admin)
|
||||
3. Integrations: Registry wizard 6-step flow completed (Harbor fixture)
|
||||
4. Advisory sources: 42 enabled, 36/42 healthy after Check All (batched parallel)
|
||||
5. Scan Image: form works, POST 202 returned, scanId extracted (FIXED)
|
||||
6. Trust & Signing: empty state guidance verified
|
||||
7. Notifications: 3 channels, 3 rules, delivery history, test send
|
||||
8. Topology: overview (4 regions, 10 environments, graph visualization), wizard 8-step rendering
|
||||
9. Release creation: 4-step wizard (Basic Info → Components → Inputs → Review & Seal)
|
||||
10. Evidence Overview: search router, 1842 evidence packs, operator/auditor toggle
|
||||
11. Security Reports: CSV/PDF export, VEX guidance text
|
||||
12. Security Posture: real finding counts (6 findings), CTAs working
|
||||
13. Operations Hub: 3 blocking, 5 degraded, 12 sub-nav tabs, pending operator actions list
|
||||
14. Releases Deployments: 5 deployments visible (1 RUNNING, 3 SUCCESS, 1 FAILED)
|
||||
15. Identity & Access: Users table (admin active), 5 tabs (Users, Roles, OAuth, Tokens, Tenants)
|
||||
|
||||
**Next journey iteration should go deeper into:**
|
||||
- Complete scan → view results in triage → make VEX decision → see in reports
|
||||
- Complete release creation → seal → promote through Dev→Stage→Prod
|
||||
- Trust key generation → attestation signing
|
||||
- Evidence capsule generation from sealed release
|
||||
- Policy simulation with real findings
|
||||
- Multi-user testing (operator, viewer, auditor roles)
|
||||
- Offline kit export + import cycle
|
||||
- Tenant switching between demo-prod / demo-staging / demo-dev
|
||||
- Diagnostics deep dive (Doctor reports)
|
||||
- Notification test send → verify delivery
|
||||
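Review bot: In J20-T06, "admin bypass in all guards now accepts both 'admin' and 'ui.admin'" widens the bypass instead of correcting the scope name, and the document does not say whether 'ui.admin' is meant to carry the same authority as 'admin'. Suggest stating which scope Authority actually issues and keeping only that one in the guards, or recording under Decisions & Risks why both are accepted. J20-T05 and J20-T06 are both guard-versus-token scope name mismatches, so a completion criterion such as a test that checks the guard scope constants against the scopes Authority issues would be worth adding; J20-T02 through J20-T06 currently have no completion criteria at all. The Execution Log also stops at J20-T01 while J20-T02 to J20-T06 are marked DONE, and J20-T02 and J20-T03 list options ("Should show", "Consider", "Alternative") without saying which one shipped.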