preparation for ui re-shelling

This commit is contained in:
master
2026-02-18 23:03:07 +02:00
parent cb3e361fcf
commit c2f13fe588
46 changed files with 16727 additions and 0 deletions


@@ -0,0 +1,409 @@
## Pack 10 — Integrations + Security Data Ops (Feeds & AirGap)
Below is the **Mermaid IA for the menus + per-screen navigation graphs**, and then **ASCII mocks for each screen**.
For every screen: **Formerly (old location/name)** + **why this is moved/reshaped**.
---
## 10.1 Menu graph (Mermaid) — Integrations + Feeds/AirGap Ops
```mermaid
flowchart TD
%% ROOT (only the parts this pack touches)
ROOT[Stella Ops Console] --> INT[Integrations]
ROOT --> OPS[Platform Ops]
%% INTEGRATIONS
INT --> INT_HUB[Integrations Hub\n(overview + connectors)]
INT_HUB --> INT_DETAIL[Integration Detail]
INT_HUB --> INT_ADD[Add Integration Wizard]
INT_HUB --> INT_FILTERS[Category Filters\nSCM / CI-CD / Registries / Secrets&Config / Notifications / Security Data]
%% FEEDS & AIRGAP (Platform Ops)
OPS --> FEED_OPS[Feeds & AirGap Ops\n(Security Data Ops)]
FEED_OPS --> FEED_SOURCES[Sources & Freshness]
FEED_OPS --> FEED_MIRRORS[Feed Mirrors]
FEED_OPS --> FEED_AIRGAP[AirGap Bundles]
FEED_OPS --> FEED_LOCKS[Version Locks]
%% Cross-links (2nd-class entry points)
INT_HUB -. "Degraded/Disconnected impact" .-> FEED_SOURCES
FEED_SOURCES -. "Open connector config" .-> INT_DETAIL
FEED_OPS -. "Shows up on Dashboard: Nightly Ops Signals" .-> ROOT
```
Key placement decisions (keeps the reorg “release-first”):
* **Integrations** = “connectors & configuration surface” (what talks to what).
* **Feeds & AirGap Ops** = “operator workflows & determinism controls” (mirrors, airgap bundles, version locks).
This aligns with your ask that **freshness + sync failures are visible**, and that **determinism controls exist without being “third class.”**
---
# 10.2 Screen — Integrations Hub
### Formerly
* **Settings → Integrations** (`/settings/integrations`)
* Also implicitly included “Feeds” (OSV/NVD cards) here.
### Why change
* This is a **first-response triage page**: if approvals are blocked, SBOM scans are stale, or evidence generation fails, the operator needs **a single place** to see **which dependency is degraded and what it impacts**.
* Adds a required concept: **“Impact on Release Control”** (what gates become unreliable if an integration is down).
### Screen graph (Mermaid)
```mermaid
flowchart LR
A[Integrations Hub] -->|click card| B[Integration Detail]
A -->|Add Integration| C[Add Integration Wizard]
A -->|filter: SCM/CI/CD/Registries/Secrets/Feeds| A
A -->|feeds degraded?| D[Feeds & AirGap Ops: Sources]
B -->|view logs| B
B -->|test connection| B
B -->|back| A
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Integrations Hub (Formerly: Settings ▸ Integrations) │
│ Org: Acme Region: All Env Scope: All Window: 30d │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Summary: Connected: 6 Degraded: 1 Disconnected: 1 Last full health check: 02:10 │
│ │
│ Filters: [All] [SCM] [CI/CD] [Registries] [Secrets & Config] [Notifications] [Security Data]│
│ Actions: [+ Add Integration] [Run Health Check] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Needs Attention (Impact on Release Control) │
│ • NVD Feed: DISCONNECTED → CVE freshness unknown → Policy gates may be unreliable │
│ • Jenkins: DEGRADED → Build attestations delayed → Release bundle evidence may lag │
│ • Vault: OK (but token expires in 3d) → Env var resolution risk upcoming │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrations (table view) │
│ ┌──────────────────────┬──────────────┬──────────────┬─────────────┬──────────────────────┐ │
│ │ Name │ Type │ Status │ Last Sync │ Used By │ │
│ ├──────────────────────┼──────────────┼──────────────┼─────────────┼──────────────────────┤ │
│ │ GitHub Enterprise │ SCM │ CONNECTED │ 5m ago │ Bundles, Changelog │ │
│ │ GitLab SaaS │ SCM │ CONNECTED │ 2m ago │ Bundles, Changelog │ │
│ │ Jenkins │ CI/CD │ DEGRADED │ 1h ago │ Attestations, Builds │ │
│ │ Harbor Registry │ Registry │ CONNECTED │ 30m ago │ SBOM ingest, Images │ │
│ │ HashiCorp Vault │ Secrets │ CONNECTED │ 10m ago │ Env vars, Bundles │ │
│ │ Slack │ Notification │ CONNECTED │ - │ Approvals alerts │ │
│ │ OSV Feed │ SecurityData │ CONNECTED │ 1h ago │ Vulnerability scans │ │
│ │ NVD Feed │ SecurityData │ DISCONNECTED │ - │ Vulnerability scans │ │
│ └──────────────────────┴──────────────┴──────────────┴─────────────┴──────────────────────┘ │
│ Hint: click any row/card → Integration Detail │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 10.3 Screen — Integration Detail
### Formerly
* No dedicated “detail” surface in the screenshots (integrations were mostly **cards**).
This is effectively **new**, but replaces the need to “hunt” across settings + ops pages.
### Why change
* You need **traceability** from an outage → **which releases / gates / bundles / envs are impacted**.
* Enables the missing operational requirement you called out: **nightly job failures due to integration issues** are explainable from the integration itself.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Integration Detail] --> B[Config & Credentials]
A --> C[Health & Logs]
A --> D[Mappings]
A --> E[Permissions/Scopes]
A --> F[Downstream Impact]
C -->|retry connection| C
C -->|open affected jobs| G[Nightly Ops Report (Platform Ops)]
A -->|back| H[Integrations Hub]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Integration Detail: NVD Feed (Formerly: shown as card in Settings ▸ Integrations) │
│ Type: Security Data Source Status: DISCONNECTED Owner: security-team │
│ Region: US-East (toggle) EU-West (toggle) APAC (toggle) │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Overview] [Config] [Health & Logs] [Mappings] [Permissions] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Overview │
│ Last successful sync: — │
│ Freshness SLA: 6h Current freshness: UNKNOWN → Gating risk: HIGH │
│ Used by: Vulnerability scan ingestion, Release gates, Nightly rescans │
│ │
│ Downstream impact │
│ • Approvals & Gates: “CVE freshness” gate → currently degraded │
│ • Nightly SBOM rescan: will flag “data source unavailable” │
│ • Audit bundles: will include “feed freshness unknown” note │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Health & Logs (latest) │
│ 02:11 ERROR connect timeout to nvd.example.gov │
│ 02:11 WARN falling back to OSV only (coverage reduced) │
│ Action: [Retry Connection] [Test DNS] [View Related Nightly Jobs] │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 10.4 Screen — Add Integration Wizard
### Formerly
* **“+ Add Integration”** existed on Settings → Integrations, but without a standardized “impact/mapping” workflow shown.
### Why change
* This wizard becomes the enforcement point for:
* **Region scoping** (your missing “environments per region” theme).
* **Mapping to downstream use** (Release Bundle Organizer, approvals, SBOM ingest, etc.).
* **Secrets hygiene** (Vault/Consul integration must be wired correctly).
### Screen graph (Mermaid)
```mermaid
flowchart LR
S[Add Integration Wizard] --> A[1. Choose Type]
A --> B[2. Configure Connection]
B --> C[3. Scope & Mapping\n(Region/Env/Repos/Targets)]
C --> D[4. Test Connection]
D --> E[5. Save & Initial Sync]
E --> F[Integration Detail]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Add Integration Wizard (Formerly: + Add Integration on Settings ▸ Integrations) │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Step 1/5 — Choose type │
│ [SCM] GitHub / GitLab │
│ [CI/CD] Jenkins / Actions │
│ [Registry] Harbor / ECR / GCR │
│ [Secrets] Vault │
│ [Config] Consul (recommended for bundle vars) │
│ [Notifications] Slack / Email / Webhook │
│ [Security Data] OSV / NVD / CISA │
│ │
│ Next: [Continue] │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 10.5 Screen — Feeds & AirGap Ops (Sources & Freshness)
### Formerly
* **Operations → Feeds** (`/operations/feeds`)
Screen title: **“Feed Mirror & AirGap Operations”**
* Also partially represented as OSV/NVD “Feeds” cards under Settings → Integrations.
### Why change
* This becomes the **operator-grade control surface** for:
* **Freshness** (are CVE sources synced, within SLA?).
* **Determinism** (version locks).
* **AirGap readiness** (bundles).
* It is “second-class” (reachable from Dashboard “Nightly Ops Signals”), not buried.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Feeds & AirGap Ops] --> B[Sources & Freshness]
A --> C[Feed Mirrors]
A --> D[AirGap Bundles]
A --> E[Version Locks]
B -->|open source integration| F[Integration Detail]
B -->|create mirror| C
E -->|lock for release| G[Release Detail\n(Determinism tab)]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops (Formerly: Operations ▸ Feeds → "Feed Mirror & AirGap Operations") │
│ Org: Acme Region: US-East Window: 7d │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Sources & Freshness] [Feed Mirrors] [AirGap Bundles] [Version Locks] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Sources & Freshness │
│ ┌───────────────┬──────────────┬───────────────┬──────────────┬───────────────────────────┐ │
│ │ Source │ Status │ Last Sync │ Freshness SLA │ Notes / Impact │ │
│ ├───────────────┼──────────────┼───────────────┼──────────────┼───────────────────────────┤ │
│ │ OSV │ OK │ 1h ago │ 6h │ Full OK │ │
│ │ NVD │ DISCONNECTED │ — │ 6h │ Approval gating risk HIGH │ │
│ │ CISA KEV │ OK │ 3h ago │ 24h │ OK │ │
│ └───────────────┴──────────────┴───────────────┴──────────────┴───────────────────────────┘ │
│ Actions: [Retry failed sources] [Open Integration Detail] [Create Mirror] │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 10.6 Screen — Feeds & AirGap Ops (Feed Mirrors)
### Formerly
* Operations → Feeds → **Feed Mirrors** tab.
### Why change
* Keep same capability, but add:
* Region scoping and storage accounting per region.
* A clear connection to **gating data freshness** and **nightly job health**.
### Screen graph (Mermaid)
```mermaid
flowchart LR
A[Feed Mirrors] --> B[Create/Edit Mirror]
A --> C[Mirror Detail]
C -->|force sync| C
C -->|view sync logs| C
A -->|back| D[Feeds & AirGap Ops]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ Feed Mirrors (Formerly: Operations ▸ Feeds ▸ Feed Mirrors) │
│ Region: EU-West │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ KPI: Total Mirrors: 4 Synced: 3 Stale: 1 Errors: 0 Storage: 28GB │
│ Actions: [+ Create Mirror] [Sync All] [Export Mirror Config] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Mirrors │
│ ┌───────────────┬──────────┬───────────────┬───────────┬───────────┬──────────────────────┐ │
│ │ Mirror Name │ Source │ Status │ Last Sync │ Storage │ Actions │ │
│ ├───────────────┼──────────┼───────────────┼───────────┼───────────┼──────────────────────┤ │
│ │ nvd-eu-mirror │ NVD │ STALE (8h) │ 8h ago │ 12GB │ [Sync] [Edit] [Logs] │ │
│ │ osv-eu-mirror │ OSV │ SYNCED │ 1h ago │ 4GB │ [Sync] [Edit] [Logs] │ │
│ │ kev-eu-mirror │ CISA KEV │ SYNCED │ 3h ago │ 1GB │ [Sync] [Edit] [Logs] │ │
│ └───────────────┴──────────┴───────────────┴───────────┴───────────┴──────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 10.7 Screen — Feeds & AirGap Ops (AirGap Bundles)
### Formerly
* Operations → Feeds → **AirGap Bundles** tab.
### Why change
* This is essential for environments that must prove:
* The release decision was made using a **known dataset snapshot**.
* The bundle contains **feeds + policy pack versions + evidence tooling metadata**.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[AirGap Bundles] --> B[Create AirGap Bundle]
A --> C[Bundle Detail]
C -->|download| C
C -->|verify signatures| C
C -->|pin version locks| D[Version Locks]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ AirGap Bundles (Formerly: Operations ▸ Feeds ▸ AirGap Bundles) │
│ Region: APAC │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Actions: [+ Create Bundle] [Download latest] [Verify bundle] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Bundles │
│ ┌───────────────────┬───────────┬──────────────┬───────────────┬──────────────────────────┐ │
│ │ Bundle Name │ Target Env│ Contents │ Built At │ Actions │ │
│ ├───────────────────┼───────────┼──────────────┼───────────────┼──────────────────────────┤ │
│ │ apac-prod-2026-02- │ Prod │ OSV+NVD+KEV │ 2026-02-18 02: │ [Download] [Verify] │ │
│ │ apac-uat-2026-02- │ UAT │ OSV+KEV │ 2026-02-17 02: │ [Download] [Verify] │ │
│ └───────────────────┴───────────┴──────────────┴───────────────┴──────────────────────────┘ │
│ Notes: Bundle embeds version locks + signing metadata for audit. │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 10.8 Screen — Feeds & AirGap Ops (Version Locks)
### Formerly
* Operations → Feeds → **Version Locks** tab.
### Why change
* Version locks are the core of **reproducible gating**:
* “This approval used NVD snapshot X, OSV snapshot Y.”
* Essential for external audits and internal replay/verify.
### Screen graph (Mermaid)
```mermaid
flowchart LR
A[Version Locks] --> B[Create Lock]
A --> C[Lock Detail]
A --> D[Apply Lock to Region/Env]
A --> E[Apply Lock to Release]
E --> F[Release Detail\nDeterminism tab]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ Version Locks (Formerly: Operations ▸ Feeds ▸ Version Locks) │
│ Region: US-East │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Actions: [+ Create Version Lock] [Apply to Release] [Apply to Env] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Locks │
│ ┌───────────────┬───────────────┬───────────────┬──────────────────────┬───────────────────┐ │
│ │ Lock ID │ Sources │ Created │ Scope │ Actions │ │
│ ├───────────────┼───────────────┼───────────────┼──────────────────────┼───────────────────┤ │
│ │ lock-2026-02-18│ NVD, OSV, KEV │ 2026-02-18 │ US-East / Prod │ [View] [Apply] │ │
│ │ lock-2026-02-17│ OSV, KEV │ 2026-02-17 │ APAC / UAT │ [View] [Apply] │ │
│ └───────────────┴───────────────┴───────────────┴──────────────────────┴───────────────────┘ │
│ Audit note: locks are referenced in Evidence Bundles + Replay/Verify. │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## What changed vs the *previous* draft (to keep the reorg intact)
* Im keeping **Integrations Hub** under **Integrations** (configuration + dependency map).
* Im placing **Feeds & AirGap Ops** under **Platform Ops** (operator workflows + determinism tooling), but it remains **second-class** because:
* Its linked from **Integrations Hub** (source issues → ops controls),
* and it should be linked from the **Dashboard “Nightly Ops Signals”** card.
---
If you want, I can do **Pack 11** next for the remaining “Settings-class” pages you attached (Usage & Limits, Notifications, Identity & Access, Trust & Signing, System) but **in the new IA**, with the same: **Mermaid menu + per-screen graphs + ASCII mocks + Formerly/Why**.
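Review bot: several Mermaid node labels in this file contain unquoted parentheses, which Mermaid's flowchart parser rejects, so the diagrams in 10.1, 10.3, 10.4 and 10.5 will not render as committed: `INT_HUB[Integrations Hub\n(overview + connectors)]`, `FEED_OPS[Feeds & AirGap Ops\n(Security Data Ops)]`, `G[Nightly Ops Report (Platform Ops)]` (and the same pattern in `C[3. Scope & Mapping\n(Region/Env/Repos/Targets)]` and `G[Release Detail\n(Determinism tab)]`). Wrap those label texts in double quotes, e.g. `INT_HUB["Integrations Hub<br/>(overview + connectors)"]`, and use `<br/>` rather than `\n` for the line break, since `\n` is not a documented Mermaid line-break token. Two smaller points: the AirGap Bundles screen offers `[Verify bundle]` and the graph has `C -->|verify signatures| C`, but the text never says which trust root or key set the verification checks against, or that it must work offline; a one-line note next to "Bundle embeds version locks + signing metadata for audit" would close that gap for the air-gapped operators this screen targets. And the closing section is missing apostrophes in "Im keeping", "Im placing" and "Its linked".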