Finalize UI truthfulness and bootstrap hardening
This commit is contained in:
master
@@ -0,0 +1,169 @@
|
||||
# Sprint 20260415-008 - UI Truthful State Cutover And TODO Wiring
|
||||
|
||||
## Topic & Scope
|
||||
- Remove remaining mounted fake runtime data from admin and operator UI flows and replace it with real backend clients, truthful browser persistence, or explicit empty/unsupported states.
|
||||
- Resolve UI TODOs that currently hide placeholder behavior, prioritizing mounted routes first and converting dead or unreachable prototypes into verified cleanup decisions instead of silent simulation.
|
||||
- Bring checked-feature docs and QA evidence back in sync with actual runtime behavior so verified pages stop depending on mock services or seeded rows.
|
||||
- Working directory: `src/Web/StellaOps.Web`.
|
||||
- Allowed cross-module edits when required to expose truthful UI contracts: `src/Integrations/**`, `src/Authority/**`, `src/Policy/**`, `src/ReleaseOrchestrator/**`, `src/Findings/**`, `src/ReachGraph/**`, `src/Doctor/**`, `docs/features/checked/web/**`, `docs/modules/ui/**`, and `docs/api/**`.
|
||||
- Expected evidence: targeted Angular/Vitest specs, Playwright route checks for mounted pages, selective backend tests when new UI contracts are introduced, and updated sprint/doc execution logs.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Depends on `docs/implplan/SPRINT_20260415_001_DOCS_real_service_cutover_plan.md` for the repo-wide no-fake-live-runtime direction.
|
||||
- Mounted UI rewires that already have clients (`integration-activity`, `export-center`, `issuer-trust`, `offline-kit`) can proceed in parallel with backend contract investigation for `configuration-pane`, policy conflict previews, and image-security.
|
||||
- Dead-component cleanup (`release-detail.store`, `graph-side-panels`, `node-diff-table`) must not remove any still-mounted route without confirming router usage first.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `src/Web/StellaOps.Web/AGENTS.md`
|
||||
- `docs/modules/ui/architecture.md`
|
||||
- `docs/UI_GUIDE.md`
|
||||
- `docs/features/checked/web/configuration-pane.md`
|
||||
- `docs/features/checked/web/offline-kit-ui-integration.md`
|
||||
- `docs/features/checked/web/release-management-ui.md`
|
||||
- `docs/api/gateway/export-center.md`
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### FE-TRUTH-001 - Rewire mounted surfaces that already have real backend clients
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer / Documentation author / Test Automation
|
||||
Task description:
|
||||
- Replace local fake arrays and simulated loaders in `features/integration-hub/integration-activity.component.ts`, `features/evidence-export/export-center.component.ts`, and `features/issuer-trust/components/issuer-*.component.ts` with the existing `AuditLogClient`, `EXPORT_CENTER_API`, and `TrustHttpService` flows.
|
||||
- Preserve loading, empty, and error states without seeding fallback data. If an audit feed or export stream is unavailable, the UI must show the actual transport state instead of synthetic records.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] No mounted integration-activity, export-center, or issuer-trust route seeds hardcoded runtime records.
|
||||
- [ ] Existing clients and endpoints provide the rendered data, or the page shows a truthful empty, error, or unavailable state.
|
||||
- [ ] Targeted UI tests cover both empty and populated flows for each surface.
|
||||
|
||||
### FE-TRUTH-002 - Remove seeded browser-side fallbacks from topology and offline bundle management
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer / Test Automation
|
||||
Task description:
|
||||
- Delete unused mock topology helpers and comments in `features/topology/environments-command.component.ts` and remove seeded fake bundles from `features/offline-kit/components/bundle-management.component.ts`.
|
||||
- Keep these routes usable by rendering actual API state or browser-persisted bundle state only. When no topology or bundles exist, show the same truthful empty-state pattern used elsewhere in Web.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] No topology or offline-kit route populates rows or cards from local fake seed data.
|
||||
- [ ] Empty-state rendering is explicit and stable when APIs, browser cache, or user-imported bundles have no records.
|
||||
- [ ] Focused tests prove no fake default data appears on first render.
|
||||
|
||||
### FE-TRUTH-003 - Replace the configuration-pane mock service with real integrations and health wiring
|
||||
Status: DONE
|
||||
Dependency: FE-TRUTH-001
|
||||
Owners: Developer / Documentation author / Test Automation
|
||||
Task description:
|
||||
- Replace `features/configuration-pane/services/configuration-pane-api.service.ts` mock implementations with truthful runtime integrations that compose existing integration CRUD, test, health, and audit/history sources.
|
||||
- If a pane subsection has no backing contract yet, ship an explicit unsupported or unavailable state and record the missing contract in sprint risks and docs instead of generating fake connector history, health, or export rows.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] `configuration-pane-api.service.ts` no longer returns hardcoded connector or configuration records in mounted flows.
|
||||
- [ ] Configuration, health, and audit/history sections are backed by real services or clearly marked unsupported or unavailable.
|
||||
- [ ] Checked-feature docs and tests stop asserting behavior that only exists in mocks.
|
||||
|
||||
### FE-TRUTH-004 - Remove dead or misleading release and graph mock artifacts
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer / Documentation author
|
||||
Task description:
|
||||
- Delete or quarantine unused mock-only surfaces in `features/releases/state/release-detail.store.ts` and `features/graph/graph-side-panels.component.ts`, and clean misleading mock remnants in `features/release-orchestrator/releases/create-deployment/create-deployment.component.ts`.
|
||||
- Confirm router usage before removal. If any surface is still mounted, convert it to a truthful-state implementation instead of treating it as dead-code cleanup.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Unused mock stores and generators are removed from live codepaths or deleted outright after usage verification.
|
||||
- [x] Mounted release and deployment flows do not describe or depend on local fake state.
|
||||
- [x] Regression tests or route checks prove cleanup did not remove a reachable operator flow.
|
||||
|
||||
### FE-TRUTH-005 - Make policy conflict previews truthful
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer / Documentation author / Test Automation
|
||||
Task description:
|
||||
- Replace generated preview JSON and rule text in `features/policy-governance/conflict-resolution-wizard.component.ts` with real preview payloads when the API exposes them.
|
||||
- If the backend only returns metadata, render metadata-only previews and explicit messaging that source content is unavailable, then log the required contract follow-up in sprint risks and docs.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Conflict-resolution wizard no longer fabricates preview content or rule bodies.
|
||||
- [x] Preview UI reflects real backend payloads or an explicit unavailable-state message.
|
||||
- [x] Any missing backend contract is documented with the owning module and follow-up path.
|
||||
|
||||
### FE-TRUTH-006 - Replace image-security placeholder data across summary and sibling tabs
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer / Documentation author / Test Automation
|
||||
Task description:
|
||||
- Resolve the `image-summary-tab` TODO by wiring score, findings, reachability, SBOM, VEX, and evidence surfaces to real clients for the active image scope.
|
||||
- Treat this as a feature-family cutover rather than a single-file TODO: sibling tabs and shared scope UI must stop seeding fake data in mounted routes. If an API is missing, disable or mark the affected view unavailable instead of inventing content.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Summary cards and sibling image-security tabs render real API-backed data for the current image or a truthful unsupported or empty state.
|
||||
- [x] No hardcoded findings, reachability, SBOM, VEX, evidence, or environment badges remain in mounted image-security flows.
|
||||
- [x] Focused tests cover at least one populated and one empty or error path for the feature family.
|
||||
|
||||
### FE-TRUTH-007 - Resolve the lineage node-diff vulnerability-impact TODO
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer / Documentation author
|
||||
Task description:
|
||||
- Confirm whether `features/lineage/components/node-diff-table/diff-table.component.ts` is intentionally dead per the preservation map or still required by a reachable lineage workflow.
|
||||
- If dead, delete or quarantine the component and close the TODO by removal. If retained, implement truthful vulnerability-impact retrieval and tests against the real lineage contract.
|
||||
|
||||
Completion criteria:
|
||||
- [x] The sprint records whether `node-diff-table` is dead or supported.
|
||||
- [x] The TODO is removed either by deletion or by real data wiring.
|
||||
- [x] Docs reflect the chosen path if the component remains supported.
|
||||
|
||||
### FE-TRUTH-008 - Refresh checked-feature docs and verification artifacts after the cutover
|
||||
Status: DONE
|
||||
Dependency: FE-TRUTH-001, FE-TRUTH-002, FE-TRUTH-003, FE-TRUTH-004, FE-TRUTH-005, FE-TRUTH-006, FE-TRUTH-007
|
||||
Owners: Documentation author / QA / Test Automation
|
||||
Task description:
|
||||
- Update checked-feature pages, UI architecture notes, and verification evidence to match the post-cutover behavior.
|
||||
- Re-run targeted behavioral verification for each mounted route touched by this sprint so `VERIFIED` claims are backed by real runtime flows instead of build-only evidence or screenshots of fake data.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Affected checked-feature docs no longer claim verified behavior that depends on mock services or seeded rows.
|
||||
- [x] QA evidence includes route-level behavioral checks for mounted pages touched by the sprint.
|
||||
- [x] Sprint execution log records the proof runs and any remaining blocked contracts.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-04-15 | Sprint created from the mounted UI fake-data punch list and the remaining UI TODO inventory. The work is staged so existing-client rewires land first, the fully mock configuration pane follows, and contract-dependent TODOs only ship with truthful unsupported states when backend payloads are absent. | Project Manager |
|
||||
| 2026-04-15 | FE-TRUTH-001 completed. Integration activity now renders unified audit plus live integration metadata, export center uses the registered export-center API without seeded profiles or runs, and issuer trust list/detail render `TRUST_API` data with truthful loading and empty states. Targeted Angular specs passed for `integration-activity`, `export-center`, and `issuer-trust`. FE-TRUTH-002 is now in progress. | Developer |
|
||||
| 2026-04-15 | FE-TRUTH-002 completed. The topology environments command no longer carries the dead mock readiness and layout fallback block, and bundle management now renders only browser-persisted manifests instead of seeded example bundles or asset lists. Targeted Angular specs passed for `offline-kit-ui-integration` and `environments-command`. FE-TRUTH-003 is now in progress. | Developer |
|
||||
| 2026-04-15 | FE-TRUTH-003 completed. `configuration-pane-api.service.ts` now composes live integrations inventory, health probes, connection tests, updates, deletion, export payloads, and audit-backed history instead of returning seeded connector rows. The checked feature doc was updated to reflect the truthful cutover and marked for recheck because the old `VERIFIED` evidence referenced synthetic `Primary Database` content. Targeted Angular specs passed for the configuration-pane service and mounted page, and the combined touched-page regression set passed across 7 files / 30 tests. | Developer |
|
||||
| 2026-04-15 | FE-TRUTH-004 completed. Router and codepath verification showed the mounted deployment entry point remains the canonical `/releases/deployments/new` compatibility redirect into `/releases/promotions/create`, while `features/release-orchestrator/releases/create-deployment/create-deployment.component.ts`, `features/releases/state/release-detail.store.ts`, and `features/graph/graph-side-panels.component.ts` were orphaned dead code. Those artifacts and the dead deployment wizard spec were removed, the graph barrel stopped exporting the deleted side panel, graph checked-feature docs were pruned, and targeted Angular specs passed for release routes, mounted release detail pages, and the graph page. | Developer |
|
||||
| 2026-04-15 | FE-TRUTH-005 completed. Contract review across `policy-governance.models.ts`, `policy-governance.client.ts`, and `GovernanceCompatibilityEndpoints.cs` confirmed the mounted conflict API exposes source identifiers, version, and path metadata only, with no rule-body preview payload. The resolution wizard now renders metadata-only previews plus an explicit unavailable message instead of fabricated `condition` or `action` fields, the checked policy-governance feature doc is marked `RECHECK REQUIRED`, and the focused wizard Vitest spec passed with 3 tests. | Developer |
|
||||
| 2026-04-15 | FE-TRUTH-006 completed. The mounted `/security/images` route now derives scope from live releases, release components, environments, findings, and SBOM explorer rows instead of seeded repositories, image refs, environment badges, or placeholder tabs. Summary, findings, reachability, SBOM, VEX, and evidence tabs now render release-filtered live data or explicit unavailable states, and the focused image-security Angular suite passed with 8 tests covering populated and empty flows. | Developer |
|
||||
| 2026-04-15 | FE-TRUTH-007 completed. Runtime reference scans confirmed `features/lineage/components/node-diff-table/diff-table.component.ts` was a dead duplicate with no route, selector, or mounted consumer while the active lineage workspace already uses `features/lineage/components/diff-table/`. The node-diff-table component, duplicate specs, dead checked-feature doc, and preservation-map investigate entry were removed, lineage checked docs were pruned of stale model references, and the remaining lineage Angular suite passed across 5 files / 17 tests. | Developer |
|
||||
| 2026-04-15 | FE-TRUTH-008 completed. Rebuilt the current Web dist, copied it into the live `compose_console-dist` volume because the gateway was serving stale frontend assets, and reran strict Playwright verification against `tests/e2e/ui-truthful-state-cutover.recheck.spec.ts` with `PLAYWRIGHT_BASE_URL=https://stella-ops.local`. Mounted route rechecks passed for integration activity, export center, offline-kit bundle management, setup topology, configuration pane, policy governance conflicts, and image security; fresh `docs/qa/feature-checks/runs/web/**` artifacts and checked-feature doc updates were added. `issuer-trust-management-ui.md` was downgraded to `RECHECK REQUIRED` because `features/issuer-trust/*` no longer owns a mounted route and the canonical issuer page is served by `features/trust-admin/*`. | Developer |
|
||||
| 2026-04-16 | Closure cleanup completed. The orphaned `docs/features/checked/web/issuer-trust-management-ui.md` page was retired, canonical issuer-route ownership was consolidated into `trust-scoring-dashboard-ui.md`, and the sprint is ready for archival because no task statuses remain open. | Developer |
|
||||
|
||||
## Decisions & Risks
|
||||
- Decision: mounted Web UI must follow the `src/Web/StellaOps.Web/AGENTS.md` no-mockups convention. Live routes may use real backend clients, truthful browser persistence, or explicit unavailable states only.
|
||||
- Decision: `integration-activity`, `export-center`, and `issuer-trust` already have client or contract surfaces in the repo, so they should be treated as UI rewires before any new backend work is considered.
|
||||
- Risk: `configuration-pane` is the highest-risk mounted fake because the entire API service is synthetic while checked-feature docs currently mark the page verified.
|
||||
- Decision: configuration-pane now treats the integrations API as the source of truth for mounted registry, vault, and settings-store rows, and it renders database, cache, and telemetry sections as truthful empty states until the backend exposes those contracts.
|
||||
- Decision: `docs/features/checked/web/configuration-pane.md` returned to `VERIFIED` after the run-008 live replay confirmed the mounted `/setup/configuration-pane` route no longer depends on the removed synthetic `Primary Database` row.
|
||||
- Decision: `offline-kit` bundle management may persist browser-local state, but it must never seed example bundles on first render.
|
||||
- Risk: `conflict-resolution-wizard` preview content likely needs a backend contract addition because current models carry metadata only. If no preview payload exists, the truthful fallback is metadata-only UI.
|
||||
- Decision: FE-TRUTH-005 confirmed the current Policy governance conflict contract exposes metadata only (`id`, `type`, `name`, optional `version`, optional `path`). The wizard now renders that metadata and an explicit unavailable-state notice instead of generating fake rule content.
|
||||
- Risk: the image-security TODO is broader than `image-summary-tab`; sibling tabs still seed placeholder findings, reachability, SBOM, VEX, evidence, and scope data and must be cut over together to avoid mixed-truth pages.
|
||||
- Decision: FE-TRUTH-006 treats the mounted `/security/images` route as release-scoped because no image-level handoff or deep-link contract exists in the current Web shell. The scope bar now lists live releases and environments, findings/reachability/VEX are filtered from `/api/v2/security/findings`, SBOM rows come from `/api/v2/security/sbom-explorer`, and the evidence tab is an explicit release-level unavailable state.
|
||||
- Decision: FE-TRUTH-008 added `docs/features/checked/web/image-security-release-backed-ui.md` plus route-level run-001 evidence so `/security/images` is covered by a dedicated checked-feature page.
|
||||
- Risk: `release-detail.store`, `graph-side-panels`, and possibly `node-diff-table` appear unmounted or dead. Route reachability must be confirmed before backend effort is spent on them.
|
||||
- Decision: `create-deployment.component.ts` appears largely API-backed already, so the sprint should remove only remaining misleading mock remnants unless deeper reachable fake state is confirmed during implementation.
|
||||
- Decision: route verification confirmed `/releases/deployments/new` is a compatibility redirect to `/releases/promotions/create`; the local `create-deployment.component.ts` wizard was unreachable and removed instead of being kept as a second deployment entry flow.
|
||||
- Decision: `features/releases/state/release-detail.store.ts` and `features/graph/graph-side-panels.component.ts` were unreferenced by mounted routes or components and were deleted as dead mock-bearing artifacts.
|
||||
- Decision: FE-TRUTH-007 confirmed `features/lineage/components/node-diff-table/` was a dead duplicate preserved only by tests, docs, and the preservation map. The mounted lineage flow already uses `features/lineage/components/diff-table/`, so the node-prefixed variant was deleted instead of wiring another unreachable TODO.
|
||||
- Decision: every feature doc under `docs/features/checked/web/**` touched by this sprint must be updated before closure so verified status reflects runtime truth rather than design intent.
|
||||
- Decision: FE-TRUTH-008 replays mounted truthful-state routes against the live `stella-ops.local` gateway, not the dev testbed, because stale compiled assets can otherwise hide whether the checked docs match the actually served UI.
|
||||
- Decision: the orphaned `issuer-trust-management-ui.md` checked page was retired on 2026-04-16 because canonical issuer management is already owned by the mounted `features/trust-admin/*` workspace and its checked docs.
|
||||
|
||||
## Next Checkpoints
|
||||
- Land the lowest-risk rewires first: integration activity, export center, issuer trust, topology cleanup, and offline-kit empty-state truthfulness.
|
||||
- Tackle `configuration-pane` as a dedicated follow-on change so the page can be verified independently after the simpler mounted routes stop using fake state.
|
||||
- Finish with policy-governance, image-security, dead-component decisions, and the QA/doc refresh once the real contract surface is settled.
|
||||
@@ -0,0 +1,154 @@
|
||||
# Sprint 20260416_002 - Bootstrap, Auth, and Integration Onboarding Hardening
|
||||
|
||||
## Topic & Scope
|
||||
- Make fresh-install bootstrap actually self-serve: a clean `docker compose` local environment must be completable without hidden API workarounds or missing OAuth client seed data.
|
||||
- Align CLI, Platform setup sessions, and Authority so the first authenticated action after bootstrap is deterministic and works in a fresh shell.
|
||||
- Make local-fixture integration onboarding a first-party product flow instead of an operator improvisation exercise.
|
||||
- Working directory: `src/Platform/`.
|
||||
- Cross-module edits allowed: `src/Cli/**`, `src/Authority/**`, `devops/compose/**`, `docs/modules/cli/**`, `docs/modules/platform/**`, `docs/modules/authority/**`, `docs/setup/**`, `docs/integrations/**`, `docs/API_CLI_REFERENCE.md`, `docs/INSTALL_GUIDE.md`, `docs/quickstart.md`, `docs/dev/DEV_ENVIRONMENT_SETUP.md`.
|
||||
- Expected evidence: setup/session API tests, CLI auth and integration regression tests, local compose rebuild transcripts, and updated module docs.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Depends on the archived reset/rebuild stream [SPRINT_20260416_001_Platform_local_compose_reset_rebuild_and_cli_integration_bootstrap.md](</C:/dev/New folder/git.stella-ops.org/docs-archived/implplan/SPRINT_20260416_001_Platform_local_compose_reset_rebuild_and_cli_integration_bootstrap.md>) for concrete failure evidence.
|
||||
- Safe parallelism is moderate:
|
||||
separate workers can own `src/Platform/**`, `src/Cli/**`, and `src/Authority/**` only when the contract is agreed first.
|
||||
- Do not treat local compose fixture hacks as final behavior; the product contract must be settled before more bootstrap shortcuts land.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `AGENTS.md`
|
||||
- `docs/modules/platform/platform-service.md`
|
||||
- `docs/modules/cli/architecture.md`
|
||||
- `docs/modules/cli/guides/setup-guide.md`
|
||||
- `docs/setup/setup-wizard-ux.md`
|
||||
- `docs/modules/authority/operations/monitoring.md`
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### PLATFORM-BOOT-001 - Make the admin setup step resumable without losing required secrets
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer / Implementer, Documentation author
|
||||
Task description:
|
||||
- The setup session is correct to sanitize `users.superuser.password` from persisted draft state, but the current product still needs that value to survive long enough to complete the admin apply. The fresh-install operator experience must not require a hidden direct API call after the CLI or UI appears to have accepted the password.
|
||||
- Introduce an explicit secret-handling contract for setup: either an encrypted transient secret store keyed by setup session and step, or an apply-only secret channel with a backend-issued draft token or handle that survives resume but never rehydrates plaintext into normal draft reads.
|
||||
- CLI and UI must both follow the same contract. The setup session model must clearly separate `draftValues` from secret-bearing step payloads so the operator understands what is persisted and what must be re-entered.
|
||||
|
||||
Completion criteria:
|
||||
- [x] A clean setup session can complete the `admin` step without any out-of-band API call.
|
||||
- [x] Resuming an interrupted setup session does not silently drop the admin password required for apply.
|
||||
- [x] Platform and CLI tests prove the secret is sanitized from normal session reads while still allowing a truthful apply path.
|
||||
|
||||
### PLATFORM-BOOT-002 - Seed a first-party CLI auth client during bootstrap
|
||||
Status: DONE
|
||||
Dependency: PLATFORM-BOOT-001
|
||||
Owners: Developer / Implementer, Documentation author
|
||||
Task description:
|
||||
- A fresh environment must always contain at least one supported CLI login path. The current local Authority seed has only `stella-ops-ui` with `authorization_code` and `refresh_token`, which leaves fresh-shell CLI admin flows dead on arrival.
|
||||
- Define and provision first-party clients intentionally:
|
||||
one public CLI client for human interactive login using device-code or PKCE, and one confidential or service-principal path for automation where appropriate.
|
||||
- The bootstrap contract must state which client IDs exist by default, which grants they support, and which scopes they are allowed to request in local or dev versus production.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Fresh local rebuilds expose a supported CLI-auth client without manual DB surgery.
|
||||
- [x] `stella auth login` works in a fresh shell after bootstrap using the seeded first-party client path.
|
||||
- [x] Authority docs and seed or runtime tests explicitly cover the default CLI client inventory and grants.
|
||||
|
||||
### PLATFORM-BOOT-003 - Make CLI auth behavior match the documented product contract
|
||||
Status: DONE
|
||||
Dependency: PLATFORM-BOOT-002
|
||||
Owners: Developer / Implementer, Documentation author
|
||||
Task description:
|
||||
- Current CLI docs promise device-code-first login behavior, while the live bootstrap evidence still falls back into client or password assumptions and missing `client_id` failures. That mismatch is not acceptable for a world-class operator surface.
|
||||
- Reconcile docs and implementation so `stella auth login` has one obvious default flow for humans, deterministic fallback behavior, and clean guidance for non-interactive automation. Machine-readable commands must not emit unrelated startup noise into JSON or table payloads.
|
||||
- Review SM remote crypto probe behavior and logging so optional provider failures do not pollute unrelated command output.
|
||||
|
||||
Completion criteria:
|
||||
- [x] CLI auth flow and docs describe the same default login path and required configuration.
|
||||
- [x] JSON-producing CLI commands remain parseable even when optional crypto providers are unavailable.
|
||||
- [x] Regression coverage exists for fresh-shell auth, token cache reuse, and tenant-scoped authenticated commands.
|
||||
|
||||
### PLATFORM-BOOT-004 - Turn local integration onboarding into a first-party CLI workflow
|
||||
Status: DONE
|
||||
Dependency: PLATFORM-BOOT-003
|
||||
Owners: Developer / Implementer, Documentation author
|
||||
Task description:
|
||||
- "Using just CLI setup all possible integrations" should mean the product provides a supported first-party onboarding workflow for local fixtures, not that operators must manually mint third-party credentials against GitLab or other fixture APIs.
|
||||
- Define a fixture bootstrap contract for local compose:
|
||||
deterministic test credentials or Stella-controlled bootstrap endpoints for fixtures that require secrets, plus a manifest-driven CLI command that stages secrets, creates integrations, and runs health tests.
|
||||
- Be explicit about the boundary: Stella Ops can orchestrate credential staging and connector registration, but it cannot invent credentials for arbitrary external systems in production. Local or dev fixtures are different because Stella owns that test environment.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Local fixture integrations can be registered end to end through a first-party CLI workflow without direct calls to fixture-native APIs.
|
||||
- [x] The workflow clearly distinguishes "fixture bootstrap" from real production third-party credential bring-your-own-secret flows.
|
||||
- [x] Docs and tests cover the supported local-fixture onboarding command surface and resulting health verification.
|
||||
|
||||
### PLATFORM-BOOT-005 - Enforce truthful bootstrap readiness and post-boot health gates
|
||||
Status: DONE
|
||||
Dependency: PLATFORM-BOOT-004
|
||||
Owners: Developer / Implementer, Test Automation
|
||||
Task description:
|
||||
- The product must distinguish between required bootstrap blockers and non-critical outliers. Today the stack is "healthy enough" for some admin paths while several services remain crash-looping or unhealthy, which is acceptable for triage but not as a polished product contract.
|
||||
- Define which services are mandatory for setup completion, which are optional, and how setup or diagnostics present those states. `docker compose up` plus `stella setup run` should produce a trustworthy readiness summary instead of forcing operators to infer health from raw container status.
|
||||
- This work should wire platform diagnostics and compose or runtime evidence together so local QA and customer operators get the same truth model.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Setup and diagnostics clearly report required-versus-optional service readiness.
|
||||
- [x] Local compose verification fails loudly when a required setup dependency is unhealthy.
|
||||
- [x] Documentation and automated checks cover the expected health baseline for a fresh local install.
|
||||
|
||||
### PLATFORM-BOOT-006 - Replay the fresh-install flow on rebuilt current images and close any remaining bootstrap regressions
|
||||
Status: DONE
|
||||
Dependency: PLATFORM-BOOT-005
|
||||
Owners: Developer / Implementer, Test Automation
|
||||
Task description:
|
||||
- Archive readiness must be proven against images built from the current repo state, not previously cached `stellaops/*:dev` tags. The replay must rebuild the services touched by this sprint, reset the local compose volumes again, and rerun the end-to-end CLI bootstrap flow on that fresh stack.
|
||||
- Any replay failure that blocks `stella setup`, `stella auth login`, or `stella config integrations bootstrap local --include-gitlab --include-gitlab-registry` on the rebuilt stack is in scope for this task. The goal is to leave no hidden "works in tests but not in a clean install" gap behind.
|
||||
|
||||
Completion criteria:
|
||||
- [x] The local compose replay runs against freshly rebuilt current repo images for the services changed by this sprint.
|
||||
- [x] `stella setup`, `stella auth login`, and full local integration bootstrap complete successfully on that rebuilt stack without hidden API workarounds.
|
||||
- [x] The sprint execution log records the rebuild/replay evidence and the sprint is archived only after that proof passes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-04-16 | Sprint created from the completed local reset or rebuild stream after confirming three product-class gaps: admin setup secret loss, missing first-party CLI auth client seed, and non-first-party local integration credential bootstrap. | Project Manager |
|
||||
| 2026-04-16 | Started PLATFORM-BOOT-001 implementation. Confirmed the current backend sanitizes `users.superuser.password` out of `draftValues` and therefore breaks resumable `admin` apply; implementing a protected setup-secret companion store plus additive session metadata so probe or apply can reuse retained secrets without exposing plaintext in normal reads. | Developer / Implementer |
|
||||
| 2026-04-16 | Completed PLATFORM-BOOT-001. Added protected setup-secret companion storage plus `secretDrafts` session metadata, server-side secret hydration for probe or apply, finalize cleanup, CLI or UI surface updates, and refreshed docs for the retained-secret contract. | Developer / Implementer |
|
||||
| 2026-04-16 | Verification for PLATFORM-BOOT-001: `dotnet build src/Platform/StellaOps.Platform.WebService/StellaOps.Platform.WebService.csproj -v minimal` passed; `src/Platform/__Tests/StellaOps.Platform.WebService.Tests/bin/Debug/net10.0/StellaOps.Platform.WebService.Tests.exe -class "StellaOps.Platform.WebService.Tests.SetupEndpointsTests"` passed 8/8; `...PlatformStartupContractTests` passed 2/2; `...PlatformDurableRuntimeTests` passed 1/1; `src/Cli/__Tests/StellaOps.Cli.Tests/bin/Debug/net10.0/StellaOps.Cli.Tests.exe -class "StellaOps.Cli.Tests.Services.BackendOperationsClientTests"` passed 24/24; `npx vitest run src/app/features/setup-wizard/services/setup-wizard-api.service.spec.ts src/app/features/setup-wizard/components/step-content.defaults.spec.ts --config vitest.codex.config.ts` passed 2 files and 14 tests. | Test Automation |
|
||||
| 2026-04-16 | Started PLATFORM-BOOT-002. Confirmed the standard Authority plugin seeds bootstrap clients from `etc/authority/plugins/standard.yaml`, not the existing compose env overrides; implementing explicit human and automation CLI bootstrap clients plus CLI-side default-client and fresh-shell login behavior. | Developer / Implementer |
|
||||
| 2026-04-16 | Completed PLATFORM-BOOT-002. Seeded first-party `stellaops-cli` and `stellaops-cli-automation` clients in `etc/authority/plugins/standard.yaml`, removed misleading compose bootstrap-client env overrides, defaulted CLI bootstrap fallback to `stellaops-cli`, and made `stella auth login` choose the human interactive path for that client while preserving explicit env or config overrides and client-credentials for automation clients. | Developer / Implementer |
|
||||
| 2026-04-16 | Verification for PLATFORM-BOOT-002: `dotnet build src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StellaOps.Authority.Plugin.Standard.Tests.csproj -v minimal` passed; `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/bin/Debug/net10.0/StellaOps.Authority.Plugin.Standard.Tests.exe -noLogo -noColor -class "StellaOps.Authority.Plugin.Standard.Tests.StandardPluginBootstrapperTests" -class "StellaOps.Authority.Plugin.Standard.Tests.StandardPluginOptionsTests"` passed 16/16; `dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -v minimal` passed; `dotnet build src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -v minimal` passed; `src/Cli/__Tests/StellaOps.Cli.Tests/bin/Debug/net10.0/StellaOps.Cli.Tests.exe -noLogo -noColor -class "StellaOps.Cli.Tests.Configuration.CliBootstrapperTests" -class "StellaOps.Cli.Tests.Commands.CommandHandlersTests"` passed 3/3. | Test Automation |
|
||||
| 2026-04-16 | Started PLATFORM-BOOT-003. Confirmed the live CLI auth handler is already human-password-first for the seeded `stellaops-cli` client, while several CLI docs still describe device-code or browser defaults; also confirmed startup authority or crypto diagnostics currently run before command dispatch and can pollute otherwise machine-readable output. | Developer / Implementer |
|
||||
| 2026-04-16 | Completed PLATFORM-BOOT-003. Added CLI startup diagnostic gating so optional Authority or crypto warnings emit only for verbose human-readable invocations, updated `auth login` help text and docs to match the seeded human password-bootstrap contract, and refreshed quickstart or dev notes for the SM remote warning surface. | Developer / Implementer |
|
||||
| 2026-04-16 | Verification for PLATFORM-BOOT-003: `dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -v minimal` passed; `dotnet build src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -v minimal` passed; `src/Cli/__Tests/StellaOps.Cli.Tests/bin/Debug/net10.0/StellaOps.Cli.Tests.exe -noLogo -noColor -class "StellaOps.Cli.Tests.Services.CliStartupDiagnosticsPolicyTests" -class "StellaOps.Cli.Tests.Commands.CommandHandlersTests" -class "StellaOps.Cli.Tests.Commands.RiskBudgetCommandTenantHeaderTests" -class "StellaOps.Cli.Tests.Commands.UnknownsGreyQueueCommandTests"` passed 27/27. | Test Automation |
|
||||
| 2026-04-16 | Started PLATFORM-BOOT-004. Confirmed the CLI already exposes the required low-level integrations and secret-authority APIs; implementing a manifest-driven `config integrations bootstrap local` flow so the Stella-owned compose fixture lane can create or update entries, stage GitLab secrets into Vault, and verify the resulting catalog without operator-side fixture API calls. | Developer / Implementer |
|
||||
| 2026-04-16 | Completed PLATFORM-BOOT-004. Added the manifest-driven `stella config integrations bootstrap local` workflow, embedded the owned local compose fixture catalog contract, staged GitLab PAT material through Secret Authority into Vault, bound returned `authref://...` values to the GitLab integrations, and refreshed operator docs so local fixture bootstrap is first-party while production remains BYO-secret. | Developer / Implementer |
|
||||
| 2026-04-16 | Verification for PLATFORM-BOOT-004: `dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -v minimal` passed; `dotnet build src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -v minimal` passed; `src/Cli/__Tests/StellaOps.Cli.Tests/bin/Debug/net10.0/StellaOps.Cli.Tests.exe -noLogo -noColor -class "StellaOps.Cli.Tests.Commands.IntegrationsCommandGroupTests"` passed 6/6 including the new local bootstrap coverage for default and GitLab-enabled manifests. | Test Automation |
|
||||
| 2026-04-16 | Started PLATFORM-BOOT-005. Confirmed `PlatformHealthService` and `admin diagnostics health` are still synthetic, while the setup capability contract already distinguishes operational minimums from recommended post-boot surfaces; implementing one backend readiness model for required versus optional dependencies and wiring both setup status and admin diagnostics onto it. | Developer / Implementer |
|
||||
| 2026-04-16 | Completed PLATFORM-BOOT-005. Replaced synthetic Platform health with a cached readiness contract that distinguishes required setup blockers from optional post-boot services, added `/api/v1/platform/health/readiness`, attached required-only readiness to setup session reads, blocked finalize when required readiness is unhealthy, and wired `stella setup status` plus `stella admin diagnostics health` onto the same backend truth model. | Developer / Implementer |
|
||||
| 2026-04-16 | Verification for PLATFORM-BOOT-005: `dotnet build src/Platform/StellaOps.Platform.WebService/StellaOps.Platform.WebService.csproj -v minimal` passed; `dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -v minimal` passed; `dotnet build src/Platform/__Tests/StellaOps.Platform.WebService.Tests/StellaOps.Platform.WebService.Tests.csproj -v minimal` passed; `dotnet build src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -v minimal` passed; `src/Platform/__Tests/StellaOps.Platform.WebService.Tests/bin/Debug/net10.0/StellaOps.Platform.WebService.Tests.exe -noLogo -noColor -class "StellaOps.Platform.WebService.Tests.HealthEndpointsTests" -class "StellaOps.Platform.WebService.Tests.SetupEndpointsTests"` passed 11/11; `src/Cli/__Tests/StellaOps.Cli.Tests/bin/Debug/net10.0/StellaOps.Cli.Tests.exe -noLogo -noColor -class "StellaOps.Cli.Tests.Commands.SetupAndAdminReadinessTests"` passed 2/2. | Test Automation |
|
||||
| 2026-04-16 | Started PLATFORM-BOOT-006 replay closure. A clean-volume replay against the running compose stack showed the CLI setup path works anonymously when pointed at `http://platform.stella-ops.local`, but the stack was still serving stale `stellaops/platform:dev` and `stellaops/authority:dev` images from before this sprint. Fresh PostgreSQL volumes therefore converged only through Platform migration `063` and missed `066_PlatformSetupSessionSecrets.sql`, causing pre-migration secret drafts to disappear before the `admin` step. Rebuilding the sprint-touched images and rerunning the replay from empty volumes is now in progress. | Developer / Implementer |
|
||||
| 2026-04-16 | Replay debugging for PLATFORM-BOOT-006 surfaced three real regressions in the live fresh-install path: setup endpoints rejected chunked JSON bodies because `ContentLength` was `null`, CLI auth scope overrides could not beat the baked-in default `concelier.jobs.trigger`, and the local GitLab fixture bootstrap hardcoded unsupported PAT scopes for GitLab 17.8.1. Fixed those with targeted changes in `SetupEndpoints.cs`, `CliBootstrapper.cs`, and `LocalIntegrationBootstrapper.cs`, plus focused regression coverage. | Developer / Implementer |
|
||||
| 2026-04-16 | Completed PLATFORM-BOOT-006. Rebuilt and replayed the fresh-volume local install against current images, confirmed `stella setup` finalized successfully, confirmed fresh-shell `stella auth login --force` requested and cached `integration:read integration:write integration:operate` for tenant `demo-prod`, then reran `stella config integrations bootstrap local --include-gitlab --include-gitlab-registry --format json` to a fully healthy 16-entry catalog after recreating the heavy GitLab fixture with `GITLAB_ENABLE_REGISTRY=true`. | Developer / Implementer |
|
||||
| 2026-04-16 | Verification for PLATFORM-BOOT-006: `dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -v minimal` passed; `src/Cli/__Tests/StellaOps.Cli.Tests/bin/Debug/net10.0/StellaOps.Cli.Tests.exe -noLogo -noColor -class "StellaOps.Cli.Tests.Configuration.CliBootstrapperTests"` passed 3/3; `src/Cli/__Tests/StellaOps.Cli.Tests/bin/Debug/net10.0/StellaOps.Cli.Tests.exe -noLogo -noColor -class "StellaOps.Cli.Tests.Commands.IntegrationsCommandGroupTests"` passed 6/6; live replay succeeded for `stella setup -c devops/compose/setup.bootstrap.local.yaml -y run`, `stella auth login --force`, and `stella config integrations bootstrap local --include-gitlab --include-gitlab-registry --format json` with final `allHealthy: true`. | Test Automation |
|
||||
|
||||
## Decisions & Risks
|
||||
- Product decision: setup session draft state must remain sanitized, but sanitization is not allowed to break resumable completion of required steps.
|
||||
- Implemented contract: setup sessions now split sanitized `draftValues` from retained-secret `secretDrafts`; plaintext setup secrets live only in protected companion storage and are deleted on finalize. Docs: [platform-service.md](</C:/dev/New folder/git.stella-ops.org/docs/modules/platform/platform-service.md>), [setup-guide.md](</C:/dev/New folder/git.stella-ops.org/docs/modules/cli/guides/setup-guide.md>), [setup-wizard-ux.md](</C:/dev/New folder/git.stella-ops.org/docs/setup/setup-wizard-ux.md>), [API_CLI_REFERENCE.md](</C:/dev/New folder/git.stella-ops.org/docs/API_CLI_REFERENCE.md>).
|
||||
- Product decision: a fresh Stella Ops install must always include a first-party supported CLI auth path. Requiring operators to discover or invent `client_id` values is not acceptable.
|
||||
- Implemented bootstrap contract: local or dev Authority now seeds `stella-ops-ui`, `stellaops-cli`, and `stellaops-cli-automation` through `etc/authority/plugins/standard.yaml`; the CLI defaults to `stellaops-cli` only when no explicit Authority client ID is configured, so env or appsettings overrides still win.
|
||||
- Product decision: until Authority enables device-code as the real default fresh-shell path, the truthful human CLI login contract is interactive username or password on the seeded `stellaops-cli` client. PKCE redirect URIs are seeded now, but the shipped CLI help and docs now describe the password-bootstrap default explicitly.
|
||||
- Implemented output contract: startup Authority and crypto diagnostics are opt-in for verbose human-readable invocations and stay suppressed for structured output commands such as `--json`, `--raw`, and `--format json`. Docs: `docs/modules/cli/README.md`, `docs/modules/cli/architecture.md`, `docs/modules/cli/guides/commands/reference.md`, `docs/modules/cli/guides/troubleshooting.md`, `docs/quickstart.md`, `docs/dev/DEV_ENVIRONMENT_SETUP.md`.
|
||||
- Product decision: local compose fixtures are part of Stella's owned test surface. For that environment, fixture credential bootstrap should be a Stella-managed workflow, not a manual side quest through third-party APIs.
|
||||
- Implemented local bootstrap contract: `stella config integrations bootstrap local` now loads an embedded local compose manifest, creates or updates the deterministic fixture catalog, stages GitLab credentials through Secret Authority into Vault, and verifies connector test plus runtime health. Operator docs now make that command the primary local path while keeping `secrets targets`, `secrets upsert-bundle`, and explicit `create` or `update` operations as the production BYO-secret workflow. Docs: `docs/modules/cli/guides/setup-guide.md`, `docs/modules/cli/guides/commands/reference.md`, `docs/API_CLI_REFERENCE.md`, `docs/integrations/LOCAL_SERVICES.md`, `docs/INSTALL_GUIDE.md`, `devops/compose/README.md`.
|
||||
- Replay decision: the fresh-install closure must validate the actual compose fixture contracts, not just CLI mocks. The final replay therefore fixed chunked setup-body handling, CLI authority-scope override precedence, and the local GitLab PAT scope inventory (`api` only on GitLab 17.8.1), then reran the registry variant only after starting the heavy GitLab fixture with `GITLAB_ENABLE_REGISTRY=true`.
|
||||
- Product decision: setup completion must gate on required control-plane readiness only, while admin diagnostics must still show optional post-boot service degradation instead of hiding it.
|
||||
- Implemented readiness contract: Platform now exposes `GET /api/v1/platform/health/readiness` as the canonical required-versus-optional dependency model, setup session reads attach the required-only readiness slice, finalize fails when any required dependency is blocked, and `stella admin diagnostics health` surfaces the full readiness view for operators. Docs: [platform-service.md](</C:/dev/New folder/git.stella-ops.org/docs/modules/platform/platform-service.md>), [setup-wizard-capabilities.md](</C:/dev/New folder/git.stella-ops.org/docs/setup/setup-wizard-capabilities.md>), [setup-guide.md](</C:/dev/New folder/git.stella-ops.org/docs/modules/cli/guides/setup-guide.md>), [admin-reference.md](</C:/dev/New folder/git.stella-ops.org/docs/modules/cli/guides/admin/admin-reference.md>).
|
||||
- Residual risk: the Authority architecture still documents device-code or PKCE as the intended long-term human posture; if that implementation lands later, CLI help or docs must be revised again so the seeded password-bootstrap fallback does not become stale in the opposite direction.
|
||||
- Risk: solving bootstrap or auth cleanly may require explicit schema or seed-data changes in Authority and Platform. Those changes must preserve production safety and not overfit to local compose only.
|
||||
- Test risk: Microsoft.Testing.Platform still ignores `dotnet test --filter` in this repo (`MTP0001`), so targeted verification for this task used xUnit in-proc class runners instead of suite-wide filter claims.
|
||||
- Replay risk: `docker compose up` currently pulls `stellaops/*:dev` tags from the local Docker cache, not from the just-tested repo output. Archive proof therefore requires an explicit local image rebuild step before the final fresh-volume replay; otherwise the compose evidence can silently lag the code and migrations that the sprint claims to ship.
|
||||
|
||||
## Next Checkpoints
|
||||
- Re-run the full local reset or rebuild flow once the hardening tasks land; archive this sprint only after that replay succeeds without workarounds.
|
||||
Reference in New Issue
Block a user