Sprint 1: Scanner entry point + vulnerability navigation (S1-T01 to T07)

S1-T01: Add "Scan Image" to sidebar under Security > Security Posture children
  - New nav item with scanner:read scope, route /security/scan

S1-T02: Create Scan Image page (scan-submit.component.ts)
  - Image reference input, force rescan toggle, metadata fields
  - Submits POST /api/v1/scans/, polls for status every 3s
  - Shows progress badges (queued/scanning/completed/failed)
  - "View findings" link on completion
  - Route registered in security.routes.ts

S1-T04: Rename "Triage" to "Vulnerabilities" in sidebar + breadcrumbs
  - Sidebar label: Triage → Vulnerabilities
  - Route title and breadcrumb data updated
  - Internal route /triage/artifacts unchanged

S1-T05: Add 10 security terms to command palette quick actions
  - Scan image, View vulnerabilities, Search CVE, View findings,
    Create release, View audit log, Run diagnostics, Configure
    advisory sources, View promotions, Check policy gates

S1-T06: Add CTA buttons to Security Posture page
  - "Scan an Image" (primary) → /security/scan
  - "View Active Findings" (secondary) → /triage/artifacts

S1-T07: Gateway routes for scanner endpoints
  - /api/v1/scans → scanner.stella-ops.local (ReverseProxy)
  - /api/v1/scan-policies → scanner.stella-ops.local (ReverseProxy)
  - Added to both compose mount and source appsettings

Angular build: 0 errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/implplan/SPRINT_20260316_002_Scanner_entry_point_and_vulnerability_navigation.md

@@ -0,0 +1,68 @@
+# Sprint 20260316-002 — Scanner Entry Point + Vulnerability Navigation
+
+## Topic & Scope
+- Make vulnerability scanning discoverable: add Scan Image page, scan policy system, sidebar/command palette entries, and Security Posture CTAs.
+- Rename Triage to Vulnerabilities in navigation for security engineer discoverability.
+- Working directory: `src/Web/StellaOps.Web/`, `devops/compose/`, `src/Router/StellaOps.Gateway.WebService/`.
+- Expected evidence: scan submit form works, policies CRUD, gateway routes verified, command palette indexes security terms, sidebar shows Vulnerabilities.
+
+## Dependencies & Concurrency
+- No upstream sprint dependencies. Independent of Sprint 2-6.
+- Scanner backend `POST /api/v1/scans/` already exists (ScanEndpoints.cs:41).
+
+## Documentation Prerequisites
+- `AGENTS.md`
+- `docs/qa/FULL_PRODUCT_DEEP_DIVE_20260316.md`
+- `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ScanEndpoints.cs`
+
+## Delivery Tracker
+
+### S1-T01 - Add "Scan Image" to sidebar navigation
+Status: TODO
+Dependency: none
+Owners: Developer
+
+### S1-T02 - Create Scan Image page
+Status: TODO
+Dependency: S1-T01
+Owners: Developer
+
+### S1-T03 - Full scan policy system
+Status: TODO
+Dependency: S1-T02
+Owners: Developer
+
+### S1-T04 - Rename Triage to Vulnerabilities in sidebar
+Status: TODO
+Dependency: none
+Owners: Developer
+
+### S1-T05 - Add security terms to command palette
+Status: TODO
+Dependency: none
+Owners: Developer
+
+### S1-T06 - Add CTA buttons to Security Posture page
+Status: TODO
+Dependency: S1-T02
+Owners: Developer
+
+### S1-T07 - Gateway route for scanner scan endpoint
+Status: TODO
+Dependency: none
+Owners: Developer
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-03-16 | Sprint created from Product UX Overhaul plan. | Developer |
+
+## Decisions & Risks
+- Scanner endpoint already exists — this sprint is primarily frontend + gateway routing.
+- Scan policy backend may need new CRUD endpoints on Scanner or Platform service.
+- Webhook endpoint for auto-scan-on-push needs registry integration to support push notifications.
+
+## Next Checkpoints
+- Scan Image page submits successfully and shows SSE progress
+- Sidebar shows "Vulnerabilities" instead of "Triage"
+- Command palette returns results for "scan", "vulnerability", "CVE"