diff --git a/docs/qa/JOURNEY_NOTES_20260316.md b/docs/qa/JOURNEY_NOTES_20260316.md index 6bb71a9b8..952ba0920 100644 --- a/docs/qa/JOURNEY_NOTES_20260316.md +++ b/docs/qa/JOURNEY_NOTES_20260316.md @@ -36,14 +36,17 @@ - "Generate immediately" checkbox triggers a 503 → **silent failure, no user feedback** - Mirror domain created but bundle not generated -### 6. Topology Wizard (BLOCKED — auth passthrough) +### 6. Topology Wizard (STEPS 1-4 WORK, STEP 5 NATURAL BLOCKER) - 8-step wizard loads correctly: Region → Environment → Stage Order → Target → Agent → Infrastructure → Validate → Done -- **Step 1 (Region)**: Form renders, Create Region button works, BUT: - - POST /api/v1/regions returns 500 → ROOT CAUSE: missing auth policies → FIXED - - After fix: returns 401 → ROOT CAUSE: ReverseProxy doesn't forward identity envelope - - Concelier expects gateway-signed identity, not raw bearer tokens - - This is an **architecture-level issue**: ReverseProxy vs Microservice transport -- **Step 2 (Environment)**: POST /api/v1/environments → routes to JobEngine, also needs auth passthrough fix +- **Step 1 (Region)**: WORKS — identity envelope pre-auth middleware on Concelier +- **Step 2 (Environment)**: WORKS — added environment CRUD endpoints to Concelier +- **Step 3 (Stage Order)**: WORKS — pass-through step +- **Step 4 (Target)**: WORKS — added target CRUD endpoints to Concelier +- **Step 5 (Agent)**: BLOCKED — no agents deployed on fresh install, wizard requires agent assignment + - This is an expected blocker for fresh installs + - Should allow "Skip agent" or "Deploy agent later" + - Agent deployment requires an actual Docker host target which isn't available in pure compose setup +- Steps 6-8 (Infrastructure, Validate, Done): not reached yet (blocked by step 5) --- @@ -110,7 +113,7 @@ ## Issues Found (All Iterations) -### FIXED (12) +### FIXED (16) | # | Issue | Fix | |---|-------|-----| | 1 | Dashboard 100% hardcoded | Removed all fake data, setup guide | 
@@ -125,11 +128,14 @@ | 10 | Topology 503 (no routes) | Added 6 ReverseProxy routes | | 11 | Envs route wrong service | Route to JobEngine | | 12 | Topology auth policies missing | Registered Topology.Read/Manage/Admin | +| 13 | Topology wizard 401 (ReverseProxy auth) | Pre-auth middleware reads identity envelope | +| 14-env | Environment CRUD on wrong service | Added env CRUD endpoints to Concelier | +| 14-tgt | Target CRUD missing | Added target CRUD endpoints to Concelier | +| 14-agt | Agent list missing | Added agents list endpoint to Concelier | -### NOT FIXED (7) +### NOT FIXED (5) | # | Issue | Severity | Root Cause | |---|-------|----------|-----------| -| 13 | Topology wizard 401 (auth passthrough) | CRITICAL | ReverseProxy doesn't forward identity envelope to Concelier | | 14 | "Created by" raw user ID hash | MEDIUM | No user ID → display name resolution | | 15 | Mirror generate-immediately fails silently | MEDIUM | 503 from Concelier exports, no user feedback | | 16 | v2 context API console errors | LOW | /api/v2/context/regions, /preferences, /approvals return errors | 
@@ -139,7 +145,39 @@ --- -## Architecture Issue: Gateway Auth for Topology +## Journey Resumption Plan + +### Immediate Next (this session or next): +1. **Skip agent step** — make wizard step 5 optional or allow skipping when no agents exist +2. **Verify audit log** — with JobEngine audit endpoints now wired, check if events appear +3. **Test release creation with honest registry search** — confirm mock data is gone +4. **Push through wizard steps 6-8** — Infrastructure, Validate, Done + +### Phase 2: Real Deployment (next session) +1. Push a real Docker image to the Zot registry (stellaops-registry) +2. Implement the registry image search backend (connect to Harbor integration) +3. Scan the image (trigger scanner) +4. Verify findings in Security Posture +5. Create a release with the real scanned image +6. Promote through Dev → Stage → Prod +7. Check evidence/decision capsules generation + +### Phase 3: Policy & Evidence +1. Create a custom policy pack +2. Run simulation against a release +3. Test policy gate blocking a promotion +4. Export an audit bundle +5. Test replay/verify + +### Phase 4: Operational +1. Test notification channels +2. Run full Doctor check +3. Test offline kit +4. Test tenant switching + +--- + +## Architecture Issue: Gateway Auth for Topology (RESOLVED) The core blocker is **issue #13**. The gateway has two transport types:
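Review bot: the new Step 1 line ("WORKS — identity envelope pre-auth middleware on Concelier") drops the detail the removed lines carried, that Concelier expects a gateway-signed identity rather than raw bearer tokens, and does not say whether the pre-auth middleware verifies that signature or simply reads the envelope header. Please record which it is in this note and in FIXED row 13; if the middleware trusts an unsigned envelope, any caller that can reach Concelier without going through the ReverseProxy could assert an arbitrary identity, which would turn the 401 into an auth bypass. Also worth noting under Step 5 that the proposed "Skip agent" option should leave the topology in an explicit incomplete state that step 7 (Validate) reports, rather than passing validation silently.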
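Review bot: the NOT FIXED count goes from 7 to 5, but this hunk removes only one row (#13) from that table, so either the heading is off by one or a second row was dropped outside this diff; please reconcile the count with the rows. The new FIXED rows are numbered "14-env", "14-tgt" and "14-agt" while "14" is still an open item in the NOT FIXED table ("Created by" raw user ID hash), so "#14" now refers to four different issues; consider giving the three new rows their own sequential numbers (e.g. 17, 18, 19) so that FIXED (16) and the row ids agree.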
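Review bot: the heading is renamed to "Architecture Issue: Gateway Auth for Topology (RESOLVED)", but the unchanged first sentence of the section still reads "The core blocker is **issue #13**" in the present tense, which contradicts both the heading and the FIXED table above; suggest rewording to "The core blocker was issue #13 (see FIXED row 13)" and stating what the pre-auth middleware does so the section reads as a resolution record rather than an open issue. In the Resumption Plan, "Skip agent step" makes step 5 optional; please add a bullet to re-verify that the identity-envelope fix also covers the JobEngine route used by step 2 ("Envs route wrong service → Route to JobEngine" in FIXED row 11), since the environment endpoints have now moved to Concelier per row 14-env and the routing note may be stale.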