stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Update journey notes: topology steps 1-4 working, plan for next phases

Browse Source 
- Topology wizard steps 1-4 all succeed on fresh install
- Step 5 (Agent) is a natural blocker — no agents on fresh compose setup
- Updated fix count: 16 fixed, 5 remaining
- Added detailed journey resumption plan covering 4 phases:
  Phase 1 (immediate): skip agent, verify audit, honest registry search
  Phase 2: real deployment with Zot registry + scanner
  Phase 3: policy & evidence testing
  Phase 4: operational testing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-03-16 09:51:29 +02:00
parent a86f0d1361
commit c13e47dbcb
1 changed files with 49 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
docs/qa/JOURNEY_NOTES_20260316.md
View File

@@ -36,14 +36,17 @@
- "Generate immediately" checkbox triggers a 503 → **silent failure, no user feedback** - "Generate immediately" checkbox triggers a 503 → **silent failure, no user feedback**
- Mirror domain created but bundle not generated - Mirror domain created but bundle not generated
### 6. Topology Wizard (BLOCKED — auth passthrough) ### 6. Topology Wizard (STEPS 1-4 WORK, STEP 5 NATURAL BLOCKER)
- 8-step wizard loads correctly: Region → Environment → Stage Order → Target → Agent → Infrastructure → Validate → Done - 8-step wizard loads correctly: Region → Environment → Stage Order → Target → Agent → Infrastructure → Validate → Done
- **Step 1 (Region)**: Form renders, Create Region button works, BUT: - **Step 1 (Region)**: WORKS — identity envelope pre-auth middleware on Concelier
- POST /api/v1/regions returns 500 → ROOT CAUSE: missing auth policies → FIXED - **Step 2 (Environment)**: WORKS — added environment CRUD endpoints to Concelier
- After fix: returns 401 → ROOT CAUSE: ReverseProxy doesn't forward identity envelope - **Step 3 (Stage Order)**: WORKS — pass-through step
- Concelier expects gateway-signed identity, not raw bearer tokens - **Step 4 (Target)**: WORKS — added target CRUD endpoints to Concelier
- This is an **architecture-level issue**: ReverseProxy vs Microservice transport - **Step 5 (Agent)**: BLOCKED — no agents deployed on fresh install, wizard requires agent assignment
- **Step 2 (Environment)**: POST /api/v1/environments → routes to JobEngine, also needs auth passthrough fix - This is an expected blocker for fresh installs
- Should allow "Skip agent" or "Deploy agent later"
- Agent deployment requires an actual Docker host target which isn't available in pure compose setup
- Steps 6-8 (Infrastructure, Validate, Done): not reached yet (blocked by step 5)
--- ---
@@ -110,7 +113,7 @@
## Issues Found (All Iterations) ## Issues Found (All Iterations)
### FIXED (12) ### FIXED (16)
| # | Issue | Fix | | # | Issue | Fix |
|---|-------|-----| |---|-------|-----|
| 1 | Dashboard 100% hardcoded | Removed all fake data, setup guide | | 1 | Dashboard 100% hardcoded | Removed all fake data, setup guide |
@@ -125,11 +128,14 @@
| 10 | Topology 503 (no routes) | Added 6 ReverseProxy routes | | 10 | Topology 503 (no routes) | Added 6 ReverseProxy routes |
| 11 | Envs route wrong service | Route to JobEngine | | 11 | Envs route wrong service | Route to JobEngine |
| 12 | Topology auth policies missing | Registered Topology.Read/Manage/Admin | | 12 | Topology auth policies missing | Registered Topology.Read/Manage/Admin |
| 13 | Topology wizard 401 (ReverseProxy auth) | Pre-auth middleware reads identity envelope |
| 14-env | Environment CRUD on wrong service | Added env CRUD endpoints to Concelier |
| 14-tgt | Target CRUD missing | Added target CRUD endpoints to Concelier |
| 14-agt | Agent list missing | Added agents list endpoint to Concelier |
### NOT FIXED (7) ### NOT FIXED (5)
| # | Issue | Severity | Root Cause | | # | Issue | Severity | Root Cause |
|---|-------|----------|-----------| |---|-------|----------|-----------|
| 13 | Topology wizard 401 (auth passthrough) | CRITICAL | ReverseProxy doesn't forward identity envelope to Concelier |
| 14 | "Created by" raw user ID hash | MEDIUM | No user ID → display name resolution | | 14 | "Created by" raw user ID hash | MEDIUM | No user ID → display name resolution |
| 15 | Mirror generate-immediately fails silently | MEDIUM | 503 from Concelier exports, no user feedback | | 15 | Mirror generate-immediately fails silently | MEDIUM | 503 from Concelier exports, no user feedback |
| 16 | v2 context API console errors | LOW | /api/v2/context/regions, /preferences, /approvals return errors | | 16 | v2 context API console errors | LOW | /api/v2/context/regions, /preferences, /approvals return errors |
@@ -139,7 +145,39 @@
--- ---
## Architecture Issue: Gateway Auth for Topology ## Journey Resumption Plan
### Immediate Next (this session or next):
1. **Skip agent step** — make wizard step 5 optional or allow skipping when no agents exist
2. **Verify audit log** — with JobEngine audit endpoints now wired, check if events appear
3. **Test release creation with honest registry search** — confirm mock data is gone
4. **Push through wizard steps 6-8** — Infrastructure, Validate, Done
### Phase 2: Real Deployment (next session)
1. Push a real Docker image to the Zot registry (stellaops-registry)
2. Implement the registry image search backend (connect to Harbor integration)
3. Scan the image (trigger scanner)
4. Verify findings in Security Posture
5. Create a release with the real scanned image
6. Promote through Dev → Stage → Prod
7. Check evidence/decision capsules generation
### Phase 3: Policy & Evidence
1. Create a custom policy pack
2. Run simulation against a release
3. Test policy gate blocking a promotion
4. Export an audit bundle
5. Test replay/verify
### Phase 4: Operational
1. Test notification channels
2. Run full Doctor check
3. Test offline kit
4. Test tenant switching
---
## Architecture Issue: Gateway Auth for Topology (RESOLVED)
The core blocker is **issue #13**. The gateway has two transport types: The core blocker is **issue #13**. The gateway has two transport types: