stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

ui fixes

Browse Source
This commit is contained in:
master
2026-02-21 16:21:33 +02:00
parent 7e36c1f151
commit b911537870
116 changed files with 4365 additions and 5903 deletions
Download Patch File Download Diff File Expand all files Collapse all files

132
docs/INSTALL_GUIDE.md
View File

@@ -1,47 +1,118 @@
# Installation guide (Docker Compose + air-gap)
# Installation Guide
This guide explains how to run StellaOps from this repository using deterministic deployment bundles under `deploy/`.
How to run Stella Ops from this repository using Docker Compose.
## Prerequisites
- Docker Engine with Compose v2.
- Enough disk for container images plus scan artifacts (SBOMs, logs, caches).
- For production-style installs, plan for persistent volumes (PostgreSQL + object storage) and a secrets provider.
## Connected host (dev / evaluation)
- Docker Engine with Compose v2 (`docker compose version`)
- Enough disk for container images plus scan artifacts (SBOMs, logs, caches)
- For production-style installs, plan for persistent volumes (PostgreSQL + object storage) and a secrets provider
StellaOps ships reproducible Compose profiles pinned to immutable digests.
## Quick path (automated setup scripts)
```bash
cd deploy/compose
cp env/dev.env.example dev.env
docker compose --env-file dev.env -f docker-compose.dev.yaml config
docker compose --env-file dev.env -f docker-compose.dev.yaml up -d
The fastest way to get running. The setup scripts validate prerequisites, configure the environment, start infrastructure, build solutions, build Docker images, and launch the full platform.
**Windows (PowerShell 7):**
```powershell
.\scripts\setup.ps1 # full setup
.\scripts\setup.ps1 -InfraOnly # infrastructure only (PostgreSQL, Valkey, RustFS, Rekor, Zot)
```
Verify:
**Linux / macOS:**
```bash
docker compose --env-file dev.env -f docker-compose.dev.yaml ps
./scripts/setup.sh # full setup
./scripts/setup.sh --infra-only # infrastructure only
```
Defaults are defined by the selected env file. For the dev profile, the UI listens on `https://localhost:8443` by default; see `devops/compose/env/dev.env.example` for the full port map.
The scripts will:
1. Check prerequisites (dotnet 10.x, node 20+, docker, git)
2. Offer to install hosts file entries automatically
3. Copy `env/stellaops.env.example` to `.env` if needed (works out of the box)
4. Start infrastructure and wait for healthy containers
5. Build .NET solutions and Docker images
6. Launch the full platform with health checks
## Air-gapped host (Compose profile)
Open **https://stella-ops.local** when setup completes.
Use the air-gap profile to avoid outbound hostnames and to align defaults with offline operation:
## Manual path (step by step)
### 1. Environment file
```bash
cd deploy/compose
cp env/airgap.env.example airgap.env
docker compose --env-file airgap.env -f docker-compose.airgap.yaml config
docker compose --env-file airgap.env -f docker-compose.airgap.yaml up -d
cd devops/compose
cp env/stellaops.env.example .env
```
For offline bundles, imports, and update workflows, use:
The example file ships with working local-dev defaults. For production, change `POSTGRES_PASSWORD` and review all values.
### 2. Hosts file
Stella Ops services bind to unique loopback IPs so all can use port 443 without collisions. Add the entries from `devops/compose/hosts.stellaops.local` to your hosts file:
- **Windows:** `C:\Windows\System32\drivers\etc\hosts` (run editor as Administrator)
- **Linux / macOS:** `sudo sh -c 'cat devops/compose/hosts.stellaops.local >> /etc/hosts'`
### 3. Start infrastructure
```bash
cd devops/compose
docker compose -f docker-compose.dev.yml up -d
docker compose -f docker-compose.dev.yml ps # verify all healthy
```
### 4. Start the full platform
```bash
docker compose -f docker-compose.stella-ops.yml up -d
```
Optional overlays:
```bash
# With Sigstore transparency log
docker compose -f docker-compose.stella-ops.yml --profile sigstore up -d
# With telemetry stack (Prometheus, Tempo, Loki)
docker compose -f docker-compose.stella-ops.yml -f docker-compose.telemetry.yml up -d
```
### 5. Verify
```bash
docker compose -f docker-compose.stella-ops.yml ps
curl -k https://stella-ops.local # should return the Angular UI
```
## Air-gapped deployments
For offline/air-gapped environments, use the sealed CI compose file and offline telemetry overlay:
```bash
# Sealed CI environment (authority, signer, attestor in isolation)
docker compose -f docker-compose.sealed-ci.yml up -d
# Offline observability (no external endpoints)
docker compose -f docker-compose.stella-ops.yml -f docker-compose.telemetry-offline.yml up -d
# Tile proxy for air-gapped Sigstore verification
docker compose -f docker-compose.stella-ops.yml -f docker-compose.tile-proxy.yml up -d
```
For offline bundles, imports, and update workflows, see:
- `docs/OFFLINE_KIT.md`
- `docs/modules/airgap/guides/overview.md`
- `docs/modules/airgap/guides/importer.md`
- `docs/modules/airgap/guides/controller.md`
## Regional compliance overlays
| Region | Testing | Production |
|--------|---------|------------|
| China (SM2/SM3/SM4) | `docker-compose.compliance-china.yml` + `docker-compose.crypto-sim.yml` | `docker-compose.compliance-china.yml` + `docker-compose.sm-remote.yml` |
| Russia (GOST) | `docker-compose.compliance-russia.yml` + `docker-compose.crypto-sim.yml` | `docker-compose.compliance-russia.yml` + `docker-compose.cryptopro.yml` |
| EU (eIDAS) | `docker-compose.compliance-eu.yml` + `docker-compose.crypto-sim.yml` | `docker-compose.compliance-eu.yml` |
See `devops/compose/README.md` for detailed compliance deployment instructions.
## Hardening: require Authority for Concelier job triggers
@@ -54,14 +125,9 @@ CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=false
Store the client secret outside source control (Docker secrets, mounted file, or Kubernetes Secret). For audit fields and alerting guidance, see `docs/modules/concelier/operations/authority-audit-runbook.md`.
## Quota / licensing (optional)
Quota enforcement is configuration-driven. For the current posture and operational implications, see:
- `docs/QUOTA_OVERVIEW.md`
- `docs/QUOTA_ENFORCEMENT_FLOW.md`
- `docs/license-jwt-quota.md`
## Next steps
- Quick start: `docs/quickstart.md`
- Quickstart: `docs/quickstart.md`
- Developer setup details: `docs/dev/DEV_ENVIRONMENT_SETUP.md`
- Architecture overview: `docs/ARCHITECTURE_OVERVIEW.md`
- Detailed technical index: `docs/technical/README.md`
- Compose profiles reference: `devops/compose/README.md`

76
docs/dev/DEV_ENVIRONMENT_SETUP.md
View File

@@ -65,67 +65,25 @@ The scripts will check for required tools (dotnet 10.x, node 20+, npm 10+, docke
Each service binds to a unique loopback IP so all can use ports 443/80 without collisions.
Full details: [`docs/technical/architecture/port-registry.md`](../technical/architecture/port-registry.md).
Add the block below to your hosts file:
### Automated (recommended)
- **Windows:** `C:\Windows\System32\drivers\etc\hosts` (run editor as Administrator)
- **Linux / macOS:** `/etc/hosts` (use `sudo`)
The setup scripts (`scripts/setup.ps1` / `scripts/setup.sh`) will detect missing entries and offer to install them automatically.
```
# Stella Ops local development hostnames
# Each service gets a unique loopback IP so all can bind :443/:80 simultaneously.
127.1.0.1 stella-ops.local
127.1.0.2 router.stella-ops.local
127.1.0.3 platform.stella-ops.local
127.1.0.4 authority.stella-ops.local
127.1.0.5 gateway.stella-ops.local
127.1.0.6 attestor.stella-ops.local
127.1.0.7 evidencelocker.stella-ops.local
127.1.0.8 scanner.stella-ops.local
127.1.0.9 concelier.stella-ops.local
127.1.0.10 excititor.stella-ops.local
127.1.0.11 vexhub.stella-ops.local
127.1.0.12 vexlens.stella-ops.local
127.1.0.13 vulnexplorer.stella-ops.local
127.1.0.14 policy-engine.stella-ops.local
127.1.0.15 policy-gateway.stella-ops.local
127.1.0.16 riskengine.stella-ops.local
127.1.0.17 orchestrator.stella-ops.local
127.1.0.18 taskrunner.stella-ops.local
127.1.0.19 scheduler.stella-ops.local
127.1.0.20 graph.stella-ops.local
127.1.0.21 cartographer.stella-ops.local
127.1.0.22 reachgraph.stella-ops.local
127.1.0.23 timelineindexer.stella-ops.local
127.1.0.24 timeline.stella-ops.local
127.1.0.25 findings.stella-ops.local
127.1.0.26 doctor.stella-ops.local
127.1.0.27 opsmemory.stella-ops.local
127.1.0.28 notifier.stella-ops.local
127.1.0.29 notify.stella-ops.local
127.1.0.30 signer.stella-ops.local
127.1.0.31 smremote.stella-ops.local
127.1.0.32 airgap-controller.stella-ops.local
127.1.0.33 airgap-time.stella-ops.local
127.1.0.34 packsregistry.stella-ops.local
127.1.0.35 registry-token.stella-ops.local
127.1.0.36 binaryindex.stella-ops.local
127.1.0.37 issuerdirectory.stella-ops.local
127.1.0.38 symbols.stella-ops.local
127.1.0.39 sbomservice.stella-ops.local
127.1.0.40 exportcenter.stella-ops.local
127.1.0.41 replay.stella-ops.local
127.1.0.42 integrations.stella-ops.local
127.1.0.43 signals.stella-ops.local
127.1.0.44 advisoryai.stella-ops.local
127.1.0.45 unknowns.stella-ops.local
### Manual
# Stella Ops infrastructure (local dev containers)
127.1.1.1 db.stella-ops.local
127.1.1.2 cache.stella-ops.local
127.1.1.3 s3.stella-ops.local
127.1.1.4 rekor.stella-ops.local
127.1.1.5 registry.stella-ops.local
```
Append the contents of [`devops/compose/hosts.stellaops.local`](../../devops/compose/hosts.stellaops.local) to your hosts file:
- **Windows:** Run an elevated PowerShell and run:
```powershell
Get-Content devops\compose\hosts.stellaops.local | Add-Content C:\Windows\System32\drivers\etc\hosts
```
- **Linux / macOS:**
```bash
sudo sh -c 'cat devops/compose/hosts.stellaops.local >> /etc/hosts'
```
The file contains ~50 entries mapping services to unique loopback IPs (127.1.0.1 through 127.1.1.5).
See the file for the full list.
---
@@ -133,7 +91,7 @@ Add the block below to your hosts file:
```bash
cd devops/compose
cp env/stellaops.env.example .env # edit POSTGRES_PASSWORD at minimum
cp env/stellaops.env.example .env # works out of the box; change POSTGRES_PASSWORD for production
docker compose -f docker-compose.dev.yml up -d
docker compose -f docker-compose.dev.yml ps
```

198
docs/implplan/SPRINT_20260221_041_FE_prealpha_ia_ops_setup_rewire.md Normal file
View File

@@ -0,0 +1,198 @@
# Sprint 20260221_041 - Pre-Alpha IA Rewire (Ops + Setup)
## Topic & Scope
- Rewire the Web UI to pre-alpha IA where root workspaces are Mission Control, Releases, Security, Evidence, Ops, and Setup.
- Consolidate Platform + Policy under Ops, move Topology under Setup, and remove compatibility redirects/alias routing.
- Complete missing distinct surfaces called out in advisory gap review (release/hotfix split, security detail surfaces, topology map/connectivity/drift, evidence overview default, global header contracts).
- Working directory: `src/Web/StellaOps.Web/`.
- Expected evidence: route/nav contract changes, distinct page surfaces, updated docs, and targeted frontend tests.
## Dependencies & Concurrency
- Depends on current Pack-22/23 contracts in `docs/modules/ui/v2-rewire/` and existing pre-alpha frontend branch state.
- Safe parallelism: frontend-only changes in `src/Web/StellaOps.Web/`; docs updates in `docs/modules/ui/v2-rewire/` can run in parallel if contracts stay consistent.
## Documentation Prerequisites
- `docs/modules/ui/README.md`
- `docs/modules/ui/architecture.md`
- `docs/modules/ui/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/ui/v2-rewire/source-of-truth.md`
## Delivery Tracker
### 041-T1 - Root IA/nav rewrite (Mission Control + Ops + Setup)
Status: DONE
Dependency: none
Owners: Developer (FE)
Task description:
- Rewrite shell navigation roots to: Mission Control, Releases, Security, Evidence, Ops, Setup.
- Remove Topology as root; place topology entries under Setup.
- Remove Platform and Policy roots; expose their capabilities under Ops.
Completion criteria:
- [x] Sidebar root groups match target IA and scope gates
- [x] No root menu points to legacy Platform/Policy/Administration/Topology roots
### 041-T2 - Canonical route tree rebuild (no alias redirects)
Status: DONE
Dependency: 041-T1
Owners: Developer (FE)
Task description:
- Rebuild `app.routes.ts` and child route trees to pre-alpha canonical paths.
- Remove legacy alias windows and redirect maps used for backward compatibility.
- Keep only canonical pre-alpha route entries needed for first-version UX.
Completion criteria:
- [x] `LEGACY_REDIRECT_ROUTES` not used by router
- [x] Canonical route trees are reachable without alias redirects
### 041-T3 - Mission Control menu expansion
Status: DONE
Dependency: 041-T1
Owners: Developer (FE)
Task description:
- Split Mission Control into distinct root-visible surfaces (Mission Board, Alerts, Activity).
- Ensure breadcrumb/title metadata is distinct for each surface.
Completion criteria:
- [x] Mission Control has dedicated routes for board/alerts/activity
- [x] Sidebar children and route metadata are aligned
### 041-T4 - Ops consolidation (Platform + Policy + Integrations)
Status: DONE
Dependency: 041-T2
Owners: Developer (FE)
Task description:
- Move Policy governance/simulation/profile surfaces under Ops.
- Move Platform ops/integrations/setup controls under Ops taxonomy.
- Provide one canonical Ops route tree with explicit sub-areas.
Completion criteria:
- [x] Policy capabilities are routed under `/ops/**`
- [x] Platform capabilities are routed under `/ops/**`
### 041-T5 - Setup consolidation (Administration renamed + Topology moved)
Status: DONE
Dependency: 041-T2
Owners: Developer (FE)
Task description:
- Rename Administration workspace to Setup.
- Move topology surfaces (overview/map/targets/hosts/agents/connectivity/drift/details) into Setup.
- Keep IAM/tenant/notifications/usage/system in Setup.
Completion criteria:
- [x] Setup route tree includes admin + topology surfaces
- [x] Topology is no longer a root route domain
### 041-T6 - Releases completion and full hotfix split
Status: DONE
Dependency: 041-T2
Owners: Developer (FE)
Task description:
- Add missing Releases surfaces: overview, promotion queue, environments inventory, environment detail, deployment history.
- Fully split hotfix flows into list/create/detail screens.
- Keep run-centric detail as source of truth while exposing distinct list-level surfaces.
Completion criteria:
- [x] Releases menu exposes all required pre-alpha screens
- [x] Hotfix has separate list/create/detail routes
### 041-T7 - Security split completion and distinct reports
Status: DONE
Dependency: 041-T2
Owners: Developer (FE)
Task description:
- Add first-class Advisories & VEX and Supply-Chain Data surfaces.
- Add dedicated detail routes for CVE/component/artifact/environment-risk views.
- Implement distinct Security Reports page/component (not reused disposition view).
Completion criteria:
- [x] Security detail routes exist and are linked from triage
- [x] `/security/reports` is a distinct screen/component
### 041-T8 - Evidence default and topology detail gaps
Status: DONE
Dependency: 041-T2
Owners: Developer (FE)
Task description:
- Make Evidence Overview the default landing page.
- Add missing topology surfaces: map/connectivity/runtime-drift/detail pages where absent.
- Preserve evidence capsule/replay/export/audit flows with distinct route contracts.
Completion criteria:
- [x] `/evidence` lands on overview
- [x] Setup topology includes map/connectivity/runtime-drift/detail routes
### 041-T9 - Global header contract completion
Status: DONE
Dependency: 041-T1
Owners: Developer (FE)
Task description:
- Add contextual primary action slot/button in top bar by active workspace.
- Add stage selector to global scope controls.
- Add live event stream status chip.
Completion criteria:
- [x] Topbar renders contextual primary action per workspace
- [x] Scope controls include Stage
- [x] Context chips include Live Event Stream state
### 041-T10 - Integrations consolidation for advisory + VEX
Status: DONE
Dependency: 041-T4
Owners: Developer (FE)
Task description:
- Replace split advisory feeds + VEX source menus with unified Advisory & VEX Sources surface.
- Keep internal tabs for provider families while preserving integration management capabilities.
Completion criteria:
- [x] Unified Advisory & VEX sources route exists under Ops Integrations
- [x] Old split menu entries removed from canonical nav
### 041-T11 - Docs sync for new pre-alpha IA
Status: DONE
Dependency: 041-T1, 041-T2, 041-T4, 041-T5
Owners: Documentation author, Developer (FE)
Task description:
- Update v2-rewire source-of-truth docs and route map docs to reflect new canonical IA.
- Record rationale and removed redirect policy for pre-alpha first release.
Completion criteria:
- [x] Docs describe canonical roots and route tree accurately
- [x] Sprint decisions reference updated doc paths
### 041-T12 - Targeted tests and verification evidence
Status: DONE
Dependency: 041-T6, 041-T7, 041-T8, 041-T9, 041-T10
Owners: Developer (FE), QA
Task description:
- Update/create targeted tests for nav roots, route contracts, scope chips, and canonical pages.
- Execute targeted test command set and log results.
Completion criteria:
- [x] Targeted tests for changed contracts are passing
- [x] Execution Log contains command and summary evidence
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-21 | Sprint created; 041-T1 moved to DOING; implementation started for pre-alpha IA root/nav and route consolidation. | Developer (FE) |
| 2026-02-21 | Completed canonical IA rewire: roots switched to Mission Control/Releases/Security/Evidence/Ops/Setup, Topology moved under Setup, Platform+Policy consolidated under Ops, and legacy redirect route trees retired. Updated docs `docs/modules/ui/v2-rewire/source-of-truth.md` and `docs/modules/ui/v2-rewire/S00_route_deprecation_map.md`. | Developer (FE) |
| 2026-02-21 | Verification evidence: `npm run build` succeeded; targeted tests passed: `npm run test -- --watch=false --include=\"src/app/app.component.spec.ts\" --include=\"src/tests/navigation/legacy-redirects.spec.ts\" --include=\"src/tests/platform-ops/platform-ops-routes.spec.ts\" --include=\"src/tests/release-control/release-control-routes.spec.ts\" --include=\"src/tests/evidence-audit/evidence-audit-routes.spec.ts\" --include=\"src/tests/platform/platform-setup-routes.spec.ts\" --include=\"src/tests/dashboard/dashboard-route-aliases.spec.ts\" --include=\"src/tests/context/platform-context-url-sync.service.spec.ts\" --include=\"src/tests/audit_log/unified-audit-log-viewer.behavior.spec.ts\"`. | Developer (FE) |
| 2026-02-21 | End-user Playwright validation completed for canonical IA pages: `npm run test:e2e -- tests/e2e/prealpha-canonical-full-sweep.spec.ts` passed (`105/105`). Additional interaction/a11y surfaces were stabilized and verified with `npm run test:e2e -- tests/e2e/accessibility.spec.ts tests/e2e/witness-drawer.spec.ts tests/e2e/witness-viewer.spec.ts tests/e2e/workflow-time-travel.spec.ts tests/e2e/graph-platform-client.spec.ts` (`36 passed, 8 intentionally skipped`). | QA / Developer (FE) |
| 2026-02-21 | Full-suite Playwright rerun after stabilization: `npm run test:e2e` now reports `166 passed`, `195 skipped`, `53 failed`, `33 did not run` (down from prior 80 failures). Remaining failures are concentrated in legacy-route/old-workbench contracts (`web-checked-feature-recheck`, old login/auth-smoke assumptions, pack-conformance legacy expectations). | QA / Developer (FE) |
## Decisions & Risks
- Decision: pre-alpha policy removes backward-compatibility aliases/redirects; canonical routes only.
- Decision: Ops is the single operational root for former Platform + Policy + Integrations surfaces.
- Decision: Setup is the single configuration/governance root for former Administration + Topology.
- Risk: existing tests and bookmarks built for alias windows will fail/break by design; mitigated by updating tests and docs in this sprint.
- Risk: broad route refactor may cause temporary dead links during implementation; mitigated by staged task completion and verification passes.
- Cross-module note: docs updates are required under `docs/modules/ui/v2-rewire/` to keep code/docs contracts aligned.
- Residual risk: full `npm run test -- --watch=false` still reports numerous unrelated failing suites in this branch baseline; sprint verification therefore uses targeted route/nav contract tests for changed surfaces.
- Residual risk: full `npm run test:e2e` still includes many legacy/unchecked suites asserting removed redirect-era routes or older workbench contracts; canonical pre-alpha route suite is green and should be treated as release gate for this IA cut.
## Next Checkpoints
- 2026-02-21 UTC: Root IA/nav + route tree merged to canonical pre-alpha shape.
- 2026-02-22 UTC: Releases/Security/Evidence/Setup surface completion + docs sync.
- 2026-02-22 UTC: Targeted test verification and sprint status review.

18
docs/modules/ui/TASKS.md Normal file
View File

@@ -0,0 +1,18 @@
# UI Task Board
## Active Sprint Links
- `docs/implplan/SPRINT_20260221_041_FE_prealpha_ia_ops_setup_rewire.md`
## Delivery Tasks
- [DONE] 041-T1 Root IA/nav rewrite (Mission Control + Ops + Setup)
- [DONE] 041-T2 Canonical route tree rebuild (no alias redirects)
- [DONE] 041-T3 Mission Control menu expansion
- [DONE] 041-T4 Ops consolidation (Platform + Policy + Integrations)
- [DONE] 041-T5 Setup consolidation (Administration renamed + Topology moved)
- [DONE] 041-T6 Releases completion and full hotfix split
- [DONE] 041-T7 Security split completion and distinct reports
- [DONE] 041-T8 Evidence default and topology detail gaps
- [DONE] 041-T9 Global header contract completion
- [DONE] 041-T10 Integrations consolidation for advisory + VEX
- [DONE] 041-T11 Docs sync for new pre-alpha IA
- [DONE] 041-T12 Targeted tests and verification evidence

130
docs/modules/ui/v2-rewire/S00_route_deprecation_map.md
View File

@@ -1,109 +1,59 @@
# S00 Route Deprecation Map (Pack 22/23 Canonical)
# S00 Route Retirement Map (Pre-Alpha Canonical)
Status: Active
Date: 2026-02-20
Date: 2026-02-21
Working directory: `docs/modules/ui/v2-rewire`
Canonical source: `source-of-truth.md`, `pack-22.md`
Canonical source: `source-of-truth.md`, `pack-22.md`, `pack-23.md`
## Purpose
Define deterministic route migration from pre-Pack22 root families to Pack22/23 canonical IA:
Define the pre-alpha routing contract where only canonical roots are supported and legacy families are retired.
- `/dashboard` (Mission Control)
- `/releases` (run-centric subroots under `/releases/versions*` and `/releases/runs*`)
- `/security` (workspace subroots under `/security/posture`, `/security/triage`, `/security/disposition`, `/security/sbom/*`, `/security/reachability`)
- `/evidence` (capsule-first subroots under `/evidence/capsules`, `/evidence/exports`, `/evidence/verification/*`, `/evidence/audit-log`)
- `/topology`
- `/platform` (ops/integrations/setup canonical root; legacy `/operations`, `/integrations`, `/administration` are alias-window routes)
Canonical root families:
- `/` and `/mission-control`
- `/releases`
- `/security`
- `/evidence`
- `/ops`
- `/setup`
## Action definitions
| Action | Meaning |
| --- | --- |
| `canonical` | Route family is authoritative and must be used by nav and breadcrumbs. |
| `redirect` | Legacy route redirects to canonical route. |
| `alias-window` | Legacy route remains temporarily available and is tracked via alias telemetry. |
| `canonical` | Route family is authoritative and must be used by nav, breadcrumbs, and deep links. |
| `retired` | Legacy route family is removed from active router trees. No compatibility redirects or alias windows. |
## Root family mapping
## Root family status
| Legacy root family | Canonical target | Action |
| Legacy root family | Canonical replacement | Action |
| --- | --- | --- |
| `/release-control/*` | split between `/releases/*` and `/topology/*` | `redirect` + `alias-window` |
| `/security-risk/*` | `/security/*` | `redirect` + `alias-window` |
| `/evidence-audit/*` | `/evidence/*` | `redirect` + `alias-window` |
| `/platform-ops/*` | `/platform/ops/*` | `redirect` + `alias-window` |
| `/operations/*` (old ops shell) | `/platform/ops/*` | `redirect` + `alias-window` |
| `/integrations/*` (legacy root) | `/platform/integrations/*` | `redirect` + `alias-window` |
| `/administration/*` (legacy root) | `/platform/setup/*` | `redirect` + `alias-window` |
| `/settings/release-control/*` | `/topology/promotion-graph`, `/topology/regions`, `/topology/targets`, `/topology/agents`, `/topology/workflows` | `redirect` |
| `/release-control/*` | `/releases/*` and `/setup/topology/*` | `retired` |
| `/security-risk/*` | `/security/*` | `retired` |
| `/evidence-audit/*` | `/evidence/*` | `retired` |
| `/platform-ops/*` | `/ops/operations/*` | `retired` |
| `/platform/*` | `/ops/*` | `retired` |
| `/policy*` (root-level variants) | `/ops/policy/*` | `retired` |
| `/topology/*` (root-level) | `/setup/topology/*` | `retired` |
| `/administration/*` | `/setup/*` | `retired` |
| `/operations/*` (legacy root) | `/ops/operations/*` | `retired` |
| `/integrations/*` (legacy root) | `/ops/integrations/*` | `retired` |
## Release Control decomposition
## Canonical ownership map
| Legacy path | Canonical target | Action |
| --- | --- | --- |
| `/release-control/releases` | `/releases/runs` | `redirect` |
| `/release-control/releases/:id` | `/releases/runs/:id/timeline` | `redirect` |
| `/release-control/approvals` | `/releases/approvals` | `redirect` |
| `/release-control/runs` | `/releases/runs` | `redirect` |
| `/release-control/deployments` | `/releases/runs` | `redirect` |
| `/release-control/promotions` | `/releases/runs` | `redirect` |
| `/release-control/hotfixes` | `/releases/hotfix` | `redirect` |
| `/release-control/regions` | `/topology/regions` | `redirect` |
| `/release-control/setup` | `/topology/promotion-graph` | `redirect` |
| `/release-control/setup/environments-paths` | `/topology/promotion-graph` | `redirect` |
| `/release-control/setup/targets-agents` | `/topology/targets` | `redirect` |
| `/release-control/setup/workflows` | `/topology/workflows` | `redirect` |
| Workspace | Scope |
| --- | --- |
| `Mission Control` | Mission board, alerts, activity |
| `Releases` | Versions, runs, approvals, hotfix lane, promotions, environments, deployment history |
| `Security` | Posture, triage, advisories/VEX, supply-chain data, reachability, reports |
| `Evidence` | Overview, capsules, verify/replay, proofs, exports, audit log |
| `Ops` | Operations, data integrity, integrations, policy, platform setup |
| `Setup` | Administration surfaces + topology (overview/map/targets/hosts/agents/connectivity/drift) |
## Settings alias decomposition
## Enforcement checkpoints
| Legacy path | Canonical target | Action |
| --- | --- | --- |
| `/settings/release-control` | `/topology/promotion-graph` | `redirect` |
| `/settings/release-control/environments` | `/topology/regions` | `redirect` |
| `/settings/release-control/targets` | `/topology/targets` | `redirect` |
| `/settings/release-control/agents` | `/topology/agents` | `redirect` |
| `/settings/release-control/workflows` | `/topology/workflows` | `redirect` |
## Security consolidation
| Legacy path | Canonical target | Action |
| --- | --- | --- |
| `/security-risk` | `/security/posture` | `redirect` |
| `/security-risk/findings*` | `/security/triage*` | `redirect` |
| `/security-risk/vulnerabilities*` | `/security/triage*` | `redirect` |
| `/security-risk/vex` | `/security/disposition` | `redirect` |
| `/security-risk/exceptions` | `/security/disposition` | `redirect` |
| `/security-risk/sbom` | `/security/sbom/graph` | `redirect` |
| `/security-risk/sbom-lake` | `/security/sbom/lake` | `redirect` |
| `/security-risk/advisory-sources` | `/platform/integrations/feeds` | `redirect` |
| `/sbom-sources` | `/platform/integrations/sbom-sources` | `redirect` |
## Evidence and Operations renames
| Legacy path | Canonical target | Action |
| --- | --- | --- |
| `/evidence-audit` | `/evidence/capsules` | `redirect` |
| `/evidence-audit/packs*` | `/evidence/capsules*` | `redirect` |
| `/evidence-audit/audit-log` | `/evidence/audit-log` | `redirect` |
| `/evidence-audit/replay` | `/evidence/verification/replay` | `redirect` |
| `/platform-ops` | `/platform/ops` | `redirect` |
| `/platform-ops/data-integrity` | `/platform/ops/data-integrity` | `redirect` |
| `/platform-ops/orchestrator*` | `/platform/ops/orchestrator*` | `redirect` |
| `/platform-ops/agents` | `/topology/agents` | `redirect` |
## Telemetry expectations
- Legacy alias hits must emit deterministic `legacy_route_hit` telemetry with:
- `oldPath`,
- `newPath`,
- tenant/user context metadata.
- Legacy detection and expected target resolution are derived from `LEGACY_REDIRECT_ROUTE_TEMPLATES` to prevent drift between redirect behavior and telemetry mapping.
- Alias telemetry must remain active until Pack22 cutover approval.
## Cutover checkpoint
Before alias removal:
- Legacy hit rate for `/release-control/*`, `/security-risk/*`, `/evidence-audit/*`, `/platform-ops/*` is reviewed.
- Route-to-endpoint matrix in `docs/qa/` confirms canonical routes are using Pack22 endpoints.
- Sprint closure notes record alias telemetry evidence and final removal plan.
- App-level route declarations must not include legacy redirect route maps.
- No `redirectTo` entries are permitted in active pre-alpha route trees.
- Search shortcuts, contextual primary actions, and sidebar links must target canonical roots only.
- QA route tests must assert retired legacy trees are empty and canonical trees are present.

44
docs/modules/ui/v2-rewire/source-of-truth.md
View File

@@ -1,7 +1,7 @@
# UI v2 Rewire Source of Truth
Status: Active
Date: 2026-02-20
Date: 2026-02-21
Working directory: `docs/modules/ui/v2-rewire`
## 1) Hard rules
@@ -15,6 +15,7 @@ Working directory: `docs/modules/ui/v2-rewire`
4. Canonical planning references must come from this file plus `authority-matrix.md`, not raw packs alone.
5. `pack-23.md` is the active Platform IA override for all conflicts with `pack-22.md` and lower packs.
6. `pack-22.md` remains authority for non-Platform areas unless `pack-23.md` explicitly overrides them.
7. Pre-alpha policy is canonical-only routing: no legacy redirects and no alias windows.
## 2) Canonical IA (v3)
@@ -26,8 +27,8 @@ Canonical top-level modules are:
- `Releases`
- `Security`
- `Evidence`
- `Topology`
- `Platform`
- `Ops`
- `Setup`
### 2.2 Global context
@@ -39,7 +40,8 @@ Required global context controls:
- Region multi-select
- Environment multi-select scoped to Region selection
- Time window selector
- Status indicators (offline/feed/policy/evidence)
- Stage selector
- Status indicators (offline/feed/policy/evidence/live event stream)
### 2.3 Ownership decisions resolved by precedence
@@ -47,16 +49,17 @@ These are authoritative for planning and replace older conflicting placements:
- `Release Control` root is decomposed:
- release lifecycle surfaces move to `Releases`,
- inventory/setup surfaces move to `Topology`.
- inventory/topology surfaces move to `Setup -> Topology`.
- `Bundle` is deprecated in operator IA and renamed to `Release Version`.
- `Runs`, `Deployments`, `Promotions`, and `Hotfixes` are lifecycle views inside `Releases` and not top-level modules.
- `VEX` and `Exceptions` remain distinct data models, but are exposed in one operator workspace:
- `Security -> Disposition Center` tabs (`VEX Statements`, `Exceptions`, `Expiring`),
- feeds/source configuration lives in `Platform -> Integrations -> Feeds`.
- feeds/source configuration lives in `Ops -> Integrations -> Advisory & VEX Sources`.
- SBOM Graph/Lake are one `Security -> SBOM` workspace with mode tabs.
- Reachability is a first-class surface under `Security -> Reachability`.
- `Policy Governance` remains administration-owned under `Platform -> Setup`.
- Trust posture is visible in `Evidence`, while signing/trust mutation stays in `Platform -> Setup -> Trust & Signing`.
- Topology ownership is setup-owned under `Setup -> Topology`.
- Policy and former Platform ownership are consolidated under `Ops`.
- Trust posture is visible in `Evidence`, while signing/trust mutation stays under `Ops` setup/policy surfaces.
## 3) Canonical screen authorities
@@ -95,11 +98,12 @@ Superseded:
- Standalone menu treatment from earlier packs where runs/deployments/promotions/hotfixes were separate roots.
### 3.4 Topology
### 3.4 Setup + Topology
Authoritative packs:
- `pack-22.md` for module ownership and taxonomy.
- `pack-22.md` for topology taxonomy and environment detail structure.
- `pack-23.md` for platform ownership moves now consolidated under `Ops`.
- `pack-18.md` for environment detail shell standards reused inside topology-aware views.
### 3.5 Security
@@ -120,11 +124,11 @@ Authoritative packs:
- `pack-22.md` for evidence navigation framing and release linkage expectations.
- `pack-20.md` for evidence chain structure (packs/export/proof/replay/audit).
### 3.7 Operations
### 3.7 Ops
Authoritative packs:
- `pack-23.md` for Platform Ops placement and workflow prioritization.
- `pack-23.md` for Platform + Policy + Integrations consolidation under one root.
- `pack-15.md` for data integrity operating model.
- `pack-10.md` for feeds/airgap operational detail where still valid.
@@ -135,7 +139,7 @@ Authoritative packs:
- `pack-23.md` for Platform Integrations placement and topology ownership split.
- `pack-10.md` and `pack-21.md` for connector detail flows where not overridden.
### 3.9 Platform Administration
### 3.9 Setup Administration
Authoritative packs:
@@ -153,10 +157,12 @@ Use these terms in sprint tickets/specs:
- `Security & Risk` -> `Security`
- `Evidence & Audit` -> `Evidence`
- `Evidence Pack/Bundle` -> `Decision Capsule`
- `Platform Ops` -> `Platform -> Ops`
- `Integrations` root -> `Platform -> Integrations` (alias-window only at `/integrations`)
- `Setup` root -> `Platform -> Setup` (includes administration-owned setup/governance)
- `Regions & Environments` menu -> `Topology` module + global context switchers
- `Platform Ops` -> `Ops`
- `Policy` -> `Ops -> Policy`
- `Integrations` -> `Ops -> Integrations`
- `Administration` -> `Setup`
- `Topology` root -> `Setup -> Topology`
- `Regions & Environments` menu -> `Setup -> Topology` + global context switchers
## 5) Planning gaps to schedule first
@@ -164,6 +170,6 @@ Create first-wave dependency sprints for:
- backend global context contracts and persistence (`Region/Environment` top-bar model),
- releases read-model contracts for list/detail/activity/approvals queue,
- topology inventory contracts and synchronization,
- setup-owned topology inventory contracts and synchronization,
- security disposition aggregation contracts (VEX + Exceptions UX join),
- route deprecation map from `/release-control/*`, `/security-risk/*`, `/evidence-audit/*`, `/platform-ops/*` to canonical paths.
- route retirement cleanup from legacy families to canonical pre-alpha roots with no redirect compatibility layer.

132
docs/quickstart.md
View File

@@ -1,98 +1,90 @@
# Quickstart First Scan in Five Minutes
# Quickstart -- Local Dev Environment in Minutes
> **Status:** public α image ships late2025 (`registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha`). Commands below are ready the moment the tag lands.
Get Stella Ops running locally for development and evaluation.
## 0. Prerequisites (1 min)
> This guide is for **local development**. For production deployment, see the [Installation Guide](INSTALL_GUIDE.md).
| Requirement | Minimum | Notes |
|-------------|---------|-------|
| OS | Ubuntu22.04 LTS / Alma9 | x8664 or arm64 |
| Docker | Engine25 + Composev2 | `docker -v` |
| Resources | 2vCPU / 2GiB RAM / 10GiB SSD | Fits developer laptops |
| TLS trust | Built-in self-signed or your own certs | Replace `/certs` before production |
## Prerequisites
Keep Valkey and PostgreSQL bundled unless you already operate managed instances.
| Requirement | Minimum | Verify |
|-------------|---------|--------|
| OS | Windows 10+, macOS 12+, Ubuntu 22.04+ | x86-64 or arm64 |
| Docker | Engine 20.10+ with Compose v2 | `docker compose version` |
| .NET SDK | 10.x | `dotnet --version` |
| Node.js | 20+ | `node --version` |
| RAM | 16 GB (32 GB recommended) | |
| Disk | 50 GB free | |
## 1. Download the signed bundles (1 min)
## 1. Clone the repository
```bash
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml.sig
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml.sig
cosign verify-blob \
--key https://stella-ops.org/keys/cosign.pub \
--signature docker-compose.infrastructure.yml.sig \
docker-compose.infrastructure.yml
cosign verify-blob \
--key https://stella-ops.org/keys/cosign.pub \
--signature docker-compose.stella-ops.yml.sig \
docker-compose.stella-ops.yml
git clone <your-gitea-instance>/stella-ops/stella-ops.git
cd stella-ops
```
*Air-gapped?* The [Offline Update Kit](OFFLINE_KIT.md) ships these files plus feeds and plug-ins.
## 2. Run the setup script
## 2. Configure `.env` (1 min)
**Windows (PowerShell 7):**
Create `.env` with the essentials:
```dotenv
STELLA_OPS_COMPANY_NAME="Acme Corp"
STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin"
STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!"
POSTGRES_USER=stella_admin
POSTGRES_PASSWORD=$(openssl rand -base64 18)
POSTGRES_HOST=postgres
VALKEY_PASSWORD=$(openssl rand -base64 18)
VALKEY_URL=valkey
```powershell
.\scripts\setup.ps1
```
Use existing Valkey/PostgreSQL endpoints by setting `POSTGRES_HOST` and `VALKEY_URL`. Keep credentials scoped to Stella Ops; Valkey counters enforce the transparent quota (`{{ quota_token }}` scans/day).
## 3. Launch services (1 min)
**Linux / macOS:**
```bash
docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
docker compose --env-file .env -f docker-compose.stella-ops.yml up -d
./scripts/setup.sh
```
- `StellaOps.Authority` issues short-lived OpToks for CLI/UI.
- `StellaOps.Scanner` hosts `/scan`, queues work to Workers.
- `StellaOps.Policy.Engine` and `StellaOps.Concelier` start with seeded policies, feeds sync in the background.
The script will:
- Verify all prerequisites are installed
- Offer to add hosts file entries (50 services need unique loopback IPs)
- Create `.env` from the example template (works out of the box, no editing needed)
- Start infrastructure (PostgreSQL, Valkey, RustFS)
- Build .NET solutions and Docker images
- Launch the full platform
- Run health checks and report status
## 4. Run your first scan (1 min)
### Infrastructure only (faster)
```bash
stella auth login \
--device-code \
--audiences scanner,attestor \
--scopes attestor.verify,attestor.read
stella scan image \
--image registry.stella-ops.org/demo/juice-shop:latest \
--sbom-type cyclonedx-json
To skip builds and just start infrastructure:
```powershell
.\scripts\setup.ps1 -InfraOnly # Windows
./scripts/setup.sh --infra-only # Linux/macOS
```
- Expect `<5s` warm scans once the Delta SBOM cache is primed.
- CLI exits non-zero if lattice policy blocks the image; use `stella policy explain --last` for context.
- Headers `X-Stella-Quota-Remaining` and the UI banner keep quota usage transparent.
## 3. Open the platform
> Need to inspect attestations only? Swap `attestor.verify` for `attestor.read`. Submission endpoints still need `attestor.write`.
Once setup completes, open **https://stella-ops.local** in your browser.
## 5. Verify & explore (1 min)
Accept the self-signed certificate warning on first visit.
- Check the Console (`https://localhost:8443`) to view findings, VEX evidence, and deterministic replay manifests.
- Export the DSSE bundle: `stella export run --format dsse`.
- Capture evidence for audit: `stella attest bundle --output demo.dsse.json`.
## What's running
### Sovereign mode in one click
After a full setup, you'll have 45+ services running locally:
- Import the Offline Update Kit (`stella offline-kit import ./stella-ouk-2025-alpha.tar.gz`) to replace every external feed.
- Apply a CryptoProfile (`stella authority crypto apply ./profiles/fips.yaml`) to swap signing algorithms without rebuilding.
| Service | URL | Purpose |
|---------|-----|---------|
| Web UI | https://stella-ops.local | Angular console |
| Authority | https://authority.stella-ops.local | OAuth2/OIDC |
| Scanner | https://scanner.stella-ops.local | SBOM/vulnerability scanning |
| Concelier | https://concelier.stella-ops.local | Advisory aggregation |
| PostgreSQL | db.stella-ops.local:5432 | Primary database |
| Valkey | cache.stella-ops.local:6379 | Cache and messaging |
### Next steps
Full service list: `devops/compose/docker-compose.stella-ops.yml`
- Harden the deployment with [SECURITY_HARDENING_GUIDE.md](SECURITY_HARDENING_GUIDE.md).
- Explore feature highlights in [`key-features.md`](key-features.md).
- Plan the rollout using the [evaluation checklist](onboarding/evaluation-checklist.md).
## Troubleshooting
**"stella-ops.local not found"** -- The hosts file entries are missing. Re-run the setup script and accept the hosts file installation, or manually append `devops/compose/hosts.stellaops.local` to your hosts file.
**Containers unhealthy** -- Check logs with `docker compose -f devops/compose/docker-compose.stella-ops.yml logs <service-name>`.
**Port conflicts** -- Override ports in `devops/compose/.env`. See `devops/compose/env/stellaops.env.example` for available port variables.
## Next steps
- [Developer setup details](dev/DEV_ENVIRONMENT_SETUP.md) -- manual steps, hybrid debugging, building individual modules
- [Installation Guide](INSTALL_GUIDE.md) -- production deployment, air-gap, regional compliance
- [Architecture overview](ARCHITECTURE_OVERVIEW.md) -- how the platform fits together