preparation for ui re-shelling

This commit is contained in:
master
2026-02-18 23:03:07 +02:00
parent cb3e361fcf
commit c2f13fe588
46 changed files with 16727 additions and 0 deletions


@@ -0,0 +1,638 @@
Ill extend the redesign for the **remaining “Settings/Admin” screens** you just shared, keeping the **main IA reorg intact**, adding **Release Control as a root menu**, and introducing the missing **Release Bundle Organizer**. Below: **Mermaid graphs per menu**, then **per-screen: (1) where it lived before, (2) why it moved/changed, (3) ASCII mock**, and each mock includes a **“Previously called”** line for transition.
---
## 1) Updated top-level navigation (keeping the main reorg intact)
```mermaid
flowchart LR
RC[Release Control] --- SR[Security & Risk]
RC --- EA[Evidence & Audit]
RC --- INT[Integrations]
RC --- OPS[Platform Ops]
RC --- ADM[Administration]
SR --- SR1[Findings & Reachability]
SR --- SR2[VEX Hub]
SR --- SR3[Exceptions]
SR --- SR4[Advisory Sources]
EA --- EA1[Evidence Packets]
EA --- EA2[Proof Chains]
EA --- EA3[Replay / Verify]
EA --- EA4[Export Center]
INT --- INT1[SCM]
INT --- INT2[CI/CD]
INT --- INT3[Registries]
INT --- INT4[Secrets]
INT --- INT5[Targets / Runtimes]
INT --- INT6[Feeds]
INT --- INT7[Notification Providers]
OPS --- OPS1[Platform Health]
OPS --- OPS2[Background Jobs]
OPS --- OPS3[Scheduler]
OPS --- OPS4[Dead Letter]
OPS --- OPS5[Quotas & Usage]
OPS --- OPS6[Feed Mirror & AirGap Ops]
OPS --- OPS7[Nightly Ops Report]
ADM --- ADM0[Admin Overview]
ADM --- ADM1[Identity & Access]
ADM --- ADM2[Tenant & Branding]
ADM --- ADM3[Notifications]
ADM --- ADM4[Usage & Limits]
ADM --- ADM5[Policy Governance]
ADM --- ADM6[Trust & Signing]
ADM --- ADM7[System]
```
---
# PACK: Administration + Release Control Setup + Integrations
---
## 2) Administration menu → screen graph
```mermaid
flowchart TB
ADM[Administration] --> A0[Admin Overview]
ADM --> A1[Identity & Access]
ADM --> A2[Tenant & Branding]
ADM --> A3[Notifications]
ADM --> A4[Usage & Limits]
ADM --> A5[Policy Governance]
ADM --> A6[Trust & Signing]
ADM --> A7[System]
A3 -.channels live in.-> INTN[Integrations > Notification Providers]
A4 -.operational drilldown.-> OPSQ[Platform Ops > Quotas & Usage]
A7 -.operational drilldown.-> OPSH[Platform Ops > Platform Health]
A7 -.jobs drilldown.-> OPSJ[Platform Ops > Background Jobs]
A5 -.gates apply to.-> RCG[Release Control > Gates & Approvals]
A6 -.evidence uses.-> EA[Evidence & Audit]
```
---
## Screen A0 — Administration Overview
**Previously:** There was no single “admin hub”; admin functions were scattered under **Settings** (and some under **Operations**).
**Now:** `Administration → Overview`
**Why:** Admin users need a **single choke-point** for identity, policy governance, trust, notifications, and tenant controls—without mixing it with runtime ops dashboards.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Region: All ▼] [Env: All ▼] [Status: OK] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Administration — Overview │
│ │ Previously called: (new) — consolidates legacy Settings pages │
│ Release Ctrl │ │
│ Security&Risk │ Quick Health │
│ Evidence │ ┌──────────────┬──────────────┬──────────────┬────────────┐ │
│ Integrations │ │ Integrations │ Policy Pack │ Quotas │ Jobs │ │
│ Platform Ops │ │ 6 ok /2 warn │ Core latest │ 65% scans │ 0 failing │ │
│ Administration│ └──────────────┴──────────────┴──────────────┴────────────┘ │
│ ▸ Overview │ │
│ Identity │ Admin Areas │
│ Tenant │ ┌─────────────────────┐ ┌─────────────────────┐ │
│ Notifications│ │ Identity & Access │ │ Policy Governance │ │
│ Usage&Limits │ │ (Users/Roles/Keys) │ │ (Baselines/Rules) │ │
│ Policy Gov │ │ Formerly: Settings │ │ Formerly: Settings │ │
│ Trust&Sign │ └─────────────────────┘ └─────────────────────┘ │
│ System │ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ │ Notifications │ │ Trust & Signing │ │
│ │ │ Formerly: Settings │ │ Formerly: Settings │ │
│ │ └─────────────────────┘ └─────────────────────┘ │
│ │ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ │ Tenant & Branding │ │ Usage & Limits │ │
│ │ │ Formerly: Settings │ │ Formerly: Settings │ │
│ │ └─────────────────────┘ └─────────────────────┘ │
│ │ ┌────────────────────────────────────────────────────────┐ │
│ │ │ System (Admin) — diagnostics & admin tools │ │
│ │ │ Formerly: Settings > System │ │
│ │ └────────────────────────────────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A1 — Identity & Access
**Previously:** `Settings → Identity & Access`
**Now:** `Administration → Identity & Access`
**Why:** This is **pure admin** (RBAC, OAuth, API keys, tenants). It shouldnt compete with release/security workflows.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Admin] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Identity & Access │
│ Administration│ Previously called: Settings > Identity & Access │
│ Overview │ │
│ ▸ Identity │ Tabs: [Users] [Roles] [OAuth/SSO Clients] [API Tokens] [Tenants] │
│ Tenant │ │
│ Notifications│ [ + Add User ] [Invite] [Import] [Audit Log→] │
│ Usage&Limits │ │
│ Policy Gov │ Users │
│ Trust&Sign │ ┌──────────────────────────────────────────────────────────┐ │
│ System │ │ Name Email Role Status Actions │ │
│ │ │ -------- ----------------- -------- ------- -------- │ │
│ │ │ ... │
│ │ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ │ Notes: API Tokens are used by Agents/CI integrations; link to │
│ │ Integrations → CI/CD for token scope testing. │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A2 — Tenant & Branding
**Previously:** `Settings → Tenant / Branding`
**Now:** `Administration → Tenant & Branding`
**Why:** Tenant configuration is **identity-adjacent** (domains, default policy pack, org metadata). Keeping it in Admin prevents accidental mixing with operational tooling.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Tenant & Branding │
│ Administration│ Previously called: Settings > Tenant / Branding │
│ Overview │ │
│ Identity │ Tenants │
│ ▸ Tenant │ ┌──────────────────────────────────────────────────────────┐ │
│ Notifications│ │ Tenant Domain(s) Default Policy Status │ │
│ Usage&Limits │ │ Core core.example.com Core Pack Active │ │
│ Policy Gov │ │ … │ │
│ Trust&Sign │ └──────────────────────────────────────────────────────────┘ │
│ System │ │
│ │ Branding (selected tenant) │
│ │ ┌──────────────────────────────────────────────────────────┐ │
│ │ │ Logo [Upload] App Name [Stella Ops] Support URL […] │ │
│ │ │ Theme: Light/Dark Legal Footer Privacy/License links │ │
│ │ └──────────────────────────────────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A3 — Notifications
**Previously:** `Settings → Notifications`
**Now:** `Administration → Notifications`
**Why:** Notification *policy* (who gets notified, on what events) is governance/admin. The channel connectivity lives in Integrations, but rules/templates remain here.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Notifications │
│ Administration│ Previously called: Settings > Notifications │
│ Overview │ │
│ Identity │ Rules Channels (connectivity) │
│ Tenant │ ┌──────────────────────────┐ ┌───────────────────────────┐ │
│ ▸ Notifications││ + Add Rule │ │ Email ✅ Active │ │
│ Usage&Limits ││ - “Critical reachable…” │ │ Slack ✅ Active │ │
│ Policy Gov ││ - “Bundle blocked…” │ │ Webhook ⚠ Not configured │ │
│ Trust&Sign │└──────────────────────────┘ │ [Manage in Integrations →] │ │
│ System │ └───────────────────────────┘ │
│ │ Templates Delivery / Activity Log │
│ │ ┌──────────────────────────┐ ┌─────────────────────────┐ │
│ │ │ Default templates │ │ View log Export │ │
│ │ │ [Edit Templates] │ │ Filter: last 7d ▼ │ │
│ │ └──────────────────────────┘ └─────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A4 — Usage & Limits
**Previously:** `Settings → Usage & Limits`
**Now:** `Administration → Usage & Limits` (admin-facing)
**Why:** This becomes the **policy/contract view** (limits, entitlements, throttle settings). Operational drilldown (queues, retries, per-job usage) stays in Platform Ops.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Month: Feb 2026 ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Usage & Limits │
│ Administration│ Previously called: Settings > Usage & Limits │
│ Overview │ │
│ Identity │ Usage snapshot │
│ Tenant │ ┌──────────────┬──────────────┬──────────────┬────────────┐ │
│ Notifications│ │ Scans 6500/ │ Storage 42/ │ Evidence 2800│ API 15k/ │ │
│ ▸ Usage&Limits│ │ 10k │ 100 GB │ /10k │ 100k │ │
│ Policy Gov │ └──────────────┴──────────────┴──────────────┴────────────┘ │
│ Trust&Sign │ │
│ System │ Limits & throttles (tenant) │
│ │ ┌──────────────────────────────────────────────────────────┐ │
│ │ │ Configure Quotas | Burst rules | Per-integration caps │ │
│ │ │ [Open Platform Ops → Quotas & Usage] (drilldown dashboard) │ │
│ │ └──────────────────────────────────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A5 — Policy Governance
**Previously:** `Settings → Policy Governance`
**Now:** `Administration → Policy Governance` (with strong cross-links to Release Control gates)
**Why:** Policies are **organizational governance**. The effect is felt in Release Control (gates), Security (exceptions), Evidence (decision capsule), but the configuration belongs in Admin.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Policy Pack: Core (latest) ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Policy Governance │
│ Administration│ Previously called: Settings > Policy Governance │
│ Overview │ │
│ Identity │ Policy Baselines (per env/region) Governance Rules │
│ Tenant │ ┌───────────────────────────────┐ ┌─────────────────────┐│
│ Notifications│ │ + Create Baseline │ │ Edit Rules ││
│ Usage&Limits │ │ Baselines: Dev/Stage/Prod │ │ Gate: Reachable crit ││
│ ▸ Policy Gov │ └───────────────────────────────┘ └─────────────────────┘│
│ Trust&Sign │ │
│ System │ Simulation Exception Workflow │
│ │ ┌───────────────────────────────┐ ┌──────────────────────┐│
│ │ │ Run Simulation (what-if) │ │ Configure approvals ││
│ │ │ Inputs: bundle/digest/env │ │ Links to Exceptions ││
│ │ └───────────────────────────────┘ └──────────────────────┘│
│ │ │
│ │ Shortcuts: [Go to Release Control → Gates] [Go to Security → Exceptions] │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A6 — Trust & Signing
**Previously:** `Settings → Trust & Signing`
**Now:** `Administration → Trust & Signing` (but “used by” Evidence & Audit)
**Why:** Key material, issuers, certs, and transparency log integration are **security administration** concerns. Evidence consumes these; it shouldnt configure them.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Trust & Signing │
│ Administration│ Previously called: Settings > Trust & Signing │
│ Overview │ │
│ Identity │ Signing Keys Issuers Certificates │
│ Tenant │ ┌──────────────┐ ┌─────────────┐ ┌────────────────────────┐ │
│ Notifications│ │ Manage Keys │ │ Manage │ │ Manage Certs │ │
│ Usage&Limits │ └──────────────┘ └─────────────┘ └────────────────────────┘ │
│ Policy Gov │ │
│ ▸ Trust&Sign │ Transparency Log Trust Scoring Audit Log │
│ System │ ┌─────────────────────┐ ┌─────────────────┐ ┌─────────────┐ │
│ │ │ Configure Rekor │ │ Edit Score cfg │ │ View log │ │
│ │ └─────────────────────┘ └─────────────────┘ └─────────────┘ │
│ │ │
│ │ Used by: Evidence Packets, Proof Chains, Decision Capsules │
│ │ [Open Evidence & Audit → Proof Chains] │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A7 — System (Admin)
**Previously:** `Settings → System`
**Now:** `Administration → System` (admin-only controls) + links into Platform Ops for the operational views
**Why:** This page becomes the **administrative console** (diagnostics, SLO config, admin job controls). Routine monitoring lives in Platform Ops.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Admin-only tools] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ System │
│ Administration│ Previously called: Settings > System │
│ Overview │ │
│ Identity │ Health Check Doctor / Diagnostics │
│ Tenant │ ┌─────────────────────────┐ ┌─────────────────────────────┐│
│ Notifications│ │ All systems operational │ │ Run Doctor Export report ││
│ Usage&Limits │ │ [View in Platform Ops →] │ │ Last run: … ││
│ Policy Gov │ └─────────────────────────┘ └─────────────────────────────┘│
│ Trust&Sign │ │
│ ▸ System │ SLO Monitoring Background Jobs (admin controls) │
│ │ ┌─────────────────────────┐ ┌─────────────────────────────┐│
│ │ │ View SLOs / edit targets│ │ View jobs (Platform Ops →) ││
│ │ └─────────────────────────┘ │ Nightly Ops Report (→) ││
│ │ └─────────────────────────────┘│
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
# Release Control becomes a ROOT menu (and absorbs “Settings → Release Control”)
## 3) Release Control setup menu → screen graph
```mermaid
flowchart TB
RC[Release Control] --> RCH[Control Plane]
RC --> RCL[Releases Ledger]
RC --> RCB[Release Bundles]
RC --> RCG[Gates & Approvals]
RC --> RCD[Deployments]
RC --> RCE[Regions & Environments]
RC --> RCP[Promotion Graph]
RC --> RCS[Setup]
RCS --> S1[Environments & Promotion Paths]
RCS --> S2[Targets & Agents]
RCS --> S3[Workflows]
RCS --> S4[Bundle Templates]
RCB --> BO[Release Bundle Organizer]
```
---
## Screen RC-S0 — Release Control → Setup (hub)
**Previously:** `Settings → Release Control` (hub with Environments/Targets/Agents/Workflows)
**Now:** `Release Control → Setup`
**Why:** This configuration directly governs how promotions, deployments, and gates work. Its operationally part of release control, not general settings.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Region: All ▼] [Env: All ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Release Control — Setup │
│ Release Ctrl │ Previously called: Settings > Release Control │
│ ControlPlane │ │
│ Releases │ Setup areas │
│ Bundles │ ┌───────────────────────┐ ┌───────────────────────┐ │
│ Gates │ │ Environments & Paths │ │ Targets & Agents │ │
│ Deployments │ │ (Dev→Stage→Prod) │ │ (where/how deploy) │ │
│ Regions&Env │ │ Formerly: Environments│ │ Formerly: Targets/Agents│ │
│ Promotion │ └───────────────────────┘ └───────────────────────┘ │
│ ▸ Setup │ ┌───────────────────────┐ ┌───────────────────────────────┐ │
│ │ │ Workflows │ │ Bundle Templates │ │
│ │ │ Formerly: Workflows │ │ (for bundle organizer) │ │
│ │ └───────────────────────┘ └───────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen RC-S1 — Environments & Promotion Paths
**Previously:** `Settings → Release Control → Environments`
**Now:** `Release Control → Setup → Environments & Promotion Paths` (and linked from `Regions & Environments`)
**Why:** This is the **promotion graph definition** (pipelines, stages, gates). It must be adjacent to release visibility.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Setup / Environments & Paths │
│ Previously called: Settings > Release Control > Environments │
├──────────────────────────────────────────────────────────────────────────────┤
│ [ + Add Environment ] [ + Add Region ] [Edit Promotion Graph] [Policy Baseline→] │
│ │
│ Regions (left) Promotion Paths (right) │
│ ┌───────────────────────┐ ┌───────────────────────────────────────────┐ │
│ │ US-East │ │ Dev → Stage → Prod │ │
│ │ EU-Sovereign │ │ Gates: SBOM OK | Reachability | Approvals │ │
│ │ AirGap-01 │ │ Exceptions: allowed via workflow │ │
│ └───────────────────────┘ └───────────────────────────────────────────┘ │
│ │
│ Environment details │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Env: Stage (EU-Sovereign) Targets: 3 Agents: 2 Workflow: Blue/Green │ │
│ │ Baseline: Core Policy Pack Notifications: Stage-Release channel │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
```
---
## Screen RC-S2 — Targets & Agents
**Previously:** `Settings → Release Control → Targets` and `Agents`
**Now:** `Release Control → Setup → Targets & Agents`
**Why:** These define *how* releases reach runtime. They are release-control primitives, while the *connectors* (SSH, Nomad, ECS, etc.) are Integrations.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Setup / Targets & Agents │
│ Previously called: Settings > Release Control > Targets + Agents │
├──────────────────────────────────────────────────────────────────────────────┤
│ Targets Agents │
│ [ + Add Target ] [ + Register Agent ] │
│ ┌───────────────────────────────────────────────┐ ┌──────────────────────┐ │
│ │ Name Type Region Status │ │ Agent Region Status │ │
│ │ swarm-01 DockerSwarm EU ✅ Healthy │ │ ag-12 EU ✅ │ │
│ │ ecs-prod AWS ECS US ⚠ Degraded │ │ ag-09 US ⚠ │ │
│ └───────────────────────────────────────────────┘ └──────────────────────┘ │
│ │
│ Mapping │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Env: Stage → Targets: swarm-01, nomad-02 → Agents: ag-12 │ │
│ │ Env: Prod → Targets: ecs-prod → Agents: ag-09 │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Notes: Connectivity lives in Integrations > Targets/Runtimes (SSH/VPN creds). │
└──────────────────────────────────────────────────────────────────────────────┘
```
---
## Screen RC-S3 — Workflows
**Previously:** `Settings → Release Control → Workflows`
**Now:** `Release Control → Setup → Workflows`
**Why:** Workflows are the executable “release doctrine” (blue/green, canary, rollback). They must live next to promotions and approvals.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Setup / Workflows │
│ Previously called: Settings > Release Control > Workflows │
├──────────────────────────────────────────────────────────────────────────────┤
│ [ + New Workflow ] [Import] [Validate] │
│ │
│ Workflow Templates │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Blue/Green — steps: preflight → deploy → smoke → promote → attest │ │
│ │ Canary — steps: 5% → 25% → 50% → 100% with gates at each stage │ │
│ │ Rollback — steps: select prior digest/bundle → deploy → verify → lock │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Default mapping │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Dev: Canary Stage: Blue/Green Prod: Blue/Green (strict gates) │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
```
---
# Missing crucial capability added: Release Bundle Organizer
## Screen RC-B0 — Release Bundles (Organizer)
**Previously:** This capability was **missing / implicit** (digest-first releases existed, but no first-class bundling and config snapshot composition).
**Now:** `Release Control → Bundles → Bundle Organizer`
**Why:** You need a **bundle abstraction**: “microservice digests + env-derived variables (Vault/Consul) + changelog per repository” becoming an immutable versioned unit that can be gated, approved, exported (air-gap), and promoted.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Bundles / Bundle Organizer │
│ Previously called: (new) — fills gap between Release Digest and Multi-svc ship│
├──────────────────────────────────────────────────────────────────────────────┤
│ Bundle: [Repo Group: payments-platform ▼] Version: [v1.8.0 ▼] Status: Draft│
│ [Create Bundle] [Save Draft] [Compute Bundle Digest] [Run Gates] [Request Approval]│
│ │
│ Included Services (digest-first → bundle version) │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Service Image Digest Service Ver SBOM Reachability Gate │ │
│ │ payments-api sha256:… 1.8.0 ✅ OK ✅ runtime ✅ │ │
│ │ billing-worker sha256:… 2.3.1 ⚠ crit ⚠ image-only ❌ │ │
│ │ ui-gateway sha256:… 0.19.4 ✅ OK ✅ build+run ✅ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Variables Snapshot (derived per env) │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Environment: Stage (EU) │ │
│ │ Vault: /kv/stage/payments/* Snapshot: vaultsnap-91a2 Diff: masked │ │
│ │ Consul: /config/stage/payments/* Snapshot: consulsnap-33f1 Diff: masked │ │
│ │ [View resolved manifest] [Export env overlay] │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Changelog (per repository) │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ payments-api: PR#1823 Fix tax rounding | PR#1831 Upgrade openssl │ │
│ │ billing-worker: PR#944 Retry logic | PR#951 Patch CVE-… │ │
│ │ [Pull from SCM Integration] [Edit release notes] │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Evidence hooks │
│ - Generates: Bundle Manifest, Evidence Packet, Decision Capsule, Export Kit │
│ - Links: Security Findings, Exceptions, Approvals, Proof Chains │
└──────────────────────────────────────────────────────────────────────────────┘
```
**Implementation note (UI semantics):**
* “Bundle Version” is a **human-friendly label**; the authoritative identity remains **content-addressed** (bundle digest) + evidence.
* Vault/Consul snapshots are explicit objects, so auditors can see “what config was used” without exposing secrets (masked diffs).
---
# Integrations is still essential, but kept clean: connectivity & sync health live here
## 4) Integrations menu → screen graph
```mermaid
flowchart TB
INT[Integrations] --> I0[Overview]
INT --> I1[SCM]
INT --> I2[CI/CD]
INT --> I3[Registries]
INT --> I4[Secrets]
INT --> I5[Targets / Runtimes]
INT --> I6[Feeds]
INT --> I7[Notification Providers]
I0 --> ID[Integration Detail]
I6 -.advisory freshness drives.-> SR4[Security & Risk > Advisory Sources]
I6 -.offline mirroring handled by.-> OPS6[Platform Ops > Feed Mirror & AirGap Ops]
I4 -.config snapshots used by.-> RCB[Release Bundles]
I1 -.changelog used by.-> RCB
I3 -.digests & image sbom used by.-> RC[Release Control]
```
---
## Screen I0 — Integrations Overview
**Previously:** `Settings → Integrations`
**Now:** `Integrations → Overview` (root menu)
**Why:** Integrations are cross-cutting. This page becomes the **single source of truth for connectivity + data freshness**, with clear escalation links (Nightly Ops Report, Feed Mirror, DLQ).
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Integrations │
│ Integrations │ Previously called: Settings > Integrations │
│ ▸ Overview │ │
│ SCM │ Status summary │
│ CI/CD │ ┌───────────────┬───────────────┬───────────────┐ │
│ Registries │ │ Connected: 6 │ Degraded: 1 │ Disconnected:1│ │
│ Secrets │ └───────────────┴───────────────┴───────────────┘ │
│ Targets │ │
│ Feeds │ Filters: [All] [SCM] [CI/CD] [Registries] [Secrets] [Feeds] │
│ Notify Prov │ │
│ │ Cards │
│ │ ┌──────────────────────────────────────────────────────────┐ │
│ │ │ GitHub Enterprise ✅ last sync 5m scope: 42 repos │ │
│ │ │ Jenkins ⚠ degraded last sync 1h errors: 3 │ │
│ │ │ NVD Feed ❌ disconnected last ok: 2d (blocks rescans) │ │
│ │ │ Vault ✅ last sync 10m paths: 18 │ │
│ │ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ │ Escalation: [Nightly Ops Report →] [Platform Ops → DLQ] │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen ID — Integration Detail (template)
**Previously:** Youd click an integration card; details were inconsistent.
**Now:** Every integration has a standardized detail page.
**Why:** You need uniform answers to: **Is it connected? What data is stale? What is blocked downstream?**
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Integrations / Detail: NVD Feed │
│ Previously called: Settings > Integrations (card detail) │
├──────────────────────────────────────────────────────────────────────────────┤
│ Status: ❌ Disconnected Last healthy sync: 2d ago Owner: SecOps │
│ [Test Connection] [Reconnect] [View Errors] [Open DLQ] [Open Nightly Report] │
│ │
│ Sync Health │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Schedule: hourly Last attempt: 1h ago Result: timeout │ │
│ │ Freshness SLA: 6h Current freshness: 2d (breach) │ │
│ │ Downstream impact: CVE re-scan blocked; policy “re-evaluate on update” stale│ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Configuration (readable, safe) │
│ - Endpoint: … │
│ - Auth: (masked) │
│ - Proxy: … │
└──────────────────────────────────────────────────────────────────────────────┘
```
---
## What happened to “Settings → Security Data”?
This legacy menu item typically mixed **two different concerns**:
1. **Connectivity & syncing** of advisory sources (NVD/OSV/etc.)
2. **Security decisioning** (how sources are interpreted in policy gates)
**Redesign mapping (explicit):**
* **Connectivity + freshness** → `Integrations → Feeds` (and offline mirroring in `Platform Ops → Feed Mirror & AirGap Ops`)
* **How advisories affect risk/gates** → `Security & Risk → Advisory Sources`
(If you want, Ill produce the **Advisory Sources** ASCII in the next Security pack so it stays consistent with your “second class screens” requirement.)
---
## Quick confirmation against the constraints you gave
* **Main reorganization preserved** (same root modules, Release Control is root, Admin is last/root).
* **Every screen includes “Previously called …”** in the mock header.
* **Release bundle organizer added** with Vault/Consul variables + per-repo changelog.
If you want the next message to continue, Ill do the **Security Data / Advisory Sources** redesign as a focused pack (since it straddles Security & Risk + Integrations + Ops), and include Mermaid + ASCII the same way.
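Review bot: in the Release Bundle Organizer section the `[Compute Bundle Digest]` action and the implementation note that "the authoritative identity remains **content-addressed** (bundle digest) + evidence" never say what the digest commits to, so the content-addressed claim is not yet checkable; the spec should list the inputs (the per-service image digests, the Vault/Consul snapshot identifiers such as `vaultsnap-91a2` / `consulsnap-33f1`, and the per-repository changelog), state that they are hashed in a canonical order, and make explicit that changing any of them yields a new bundle digest while the "Bundle Version" label is only a human-friendly alias. Two smaller points on the same file: it keeps chat-session framing that does not belong in a committed design note ("the remaining Settings/Admin screens you just shared", "Quick confirmation against the constraints you gave", "If you want the next message to continue"), and the rendered text drops apostrophes in contractions (`Ill`, `shouldnt`, `Youd`). Finally, several Mermaid node labels contain `>` or `/` (for example `INTN[Integrations > Notification Providers]` and `INT5[Targets / Runtimes]`); wrapping such labels in double quotes avoids parse problems in some Mermaid versions.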