stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Archive live search ingestion browser validation sprint

Browse Source
This commit is contained in:
master
2026-03-08 10:47:19 +02:00
parent af09659f30
commit d0f2cc3b2c
16 changed files with 926 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
docs-archived/implplan/SPRINT_20260308_006_FE_security_operations_leaves_cutover.md Normal file
View File

@@ -0,0 +1,101 @@
# Sprint 20260308_006_FE - Security Operations Leaves Cutover
## Topic & Scope
- Complete the high-confidence security and operator leaves that are mounted but weakly surfaced: `Mission Alerts`, `Mission Activity`, `Unknowns`, and `Notifications`.
- Replace stale `/analyze/unknowns*` and `/notify` links with mounted canonical routes while preserving bookmark compatibility and operator context.
- Expose these leaves from the live shells so operators can reach them from current navigation instead of relying on typed URLs or overview-card luck.
- Working directory: `src/Web/StellaOps.Web/`.
- Expected evidence: targeted Angular tests, Playwright coverage for mission/security/notify journeys, checked-feature docs, and archived sprint notes.
## Dependencies & Concurrency
- Depends on the shipped `Platform Ops`, `Watchlist`, `Unified Audit`, and `Topology / Trust` cutovers already archived in `docs-archived/implplan/`.
- Safe parallelism: backend contracts are already present; this sprint is frontend-only and limited to route ownership, navigation exposure, UI workflow repair, tests, and docs.
## Documentation Prerequisites
- `AGENTS.md`
- `docs/modules/ui/AGENTS.md`
- `src/Web/StellaOps.Web/AGENTS.md`
- `docs/modules/ui/README.md`
- `docs/modules/ui/architecture.md`
- `docs/modules/ui/implementation_plan.md`
- `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`
- `docs/modules/ui/component-preservation-map/components/weak-route/mission-control/README.md`
- `docs/modules/ui/component-preservation-map/components/weak-route/notify/README.md`
- `docs/modules/ui/component-preservation-map/components/weak-route/unknowns-tracking/README.md`
## Delivery Tracker
### FE-SOL-001 - Freeze canonical mission, unknowns, and notify route ownership
Status: DONE
Dependency: none
Owners: Developer / Implementer
Task description:
- Make `Mission Control` the canonical owner for alerts and activity, `Security` the canonical owner for unknowns tracking, and `Ops > Operations` the canonical owner for notifications.
- Add or repair alias coverage for stale `/analyze/unknowns*` and `/notify` entry points so bookmarks resolve into mounted pages with preserved query state.
Completion criteria:
- [x] Canonical owners and alias policy are defined for mission alerts/activity, security unknowns, and notifications.
- [x] Stale `/analyze/unknowns*` and `/notify` links land on mounted canonical pages.
- [x] Shared navigation config no longer points these leaves at dead paths.
### FE-SOL-002 - Surface the leaves from the live shells
Status: DONE
Dependency: FE-SOL-001
Owners: Developer / Implementer
Task description:
- Expose the mounted leaves from current shell navigation so operators can reach them without memorizing routes.
- Mission Control should surface alerts and activity, Security should surface unknowns, and Operations should surface notifications from active tabs/cards/submenus rather than leaving them as weak-route debt.
Completion criteria:
- [x] Mission Control exposes alerts and activity from the live shell.
- [x] Security exposes unknowns from the live shell.
- [x] Operations exposes notifications from the live shell.
### FE-SOL-003 - Repair leaf-local workflow links and actions
Status: DONE
Dependency: FE-SOL-001
Owners: Developer / Implementer
Task description:
- Fix stale internal links inside the unknowns subtree and any leaf-local handoffs that still target dead routes.
- Preserve the current operator flows inside mission alerts/activity and notifications, but ensure all deep links stay inside canonical owners and return-to-context behavior remains intact.
Completion criteria:
- [x] Unknowns dashboard, detail, grey queue, and determinization links stay inside canonical security routes.
- [x] Mission alerts and activity handoffs remain usable and route-backed.
- [x] Notifications shell keeps working watchlist and delivery drill-ins without stale owner routes.
### FE-SOL-004 - Verify cutover, sync docs, and archive
Status: DONE
Dependency: FE-SOL-002, FE-SOL-003
Owners: Developer / Implementer, QA
Task description:
- Add focused tests for the repaired alias contract and surfaced leaves, then run targeted Angular and Playwright verification.
- Record the shipped behavior in checked-feature docs and archive the sprint only when all delivery tasks are done.
Completion criteria:
- [x] Targeted Angular tests cover alias repair, surfacing, and local link fixes.
- [x] Playwright verifies at least one end-to-end journey across mission, security unknowns, and notifications leaves.
- [x] UI docs and checked-feature notes reflect the shipped behavior.
- [x] Sprint moved to `docs-archived/implplan/` only after all tasks are marked DONE.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-08 | Sprint created and moved to DOING for the security operations leaves cutover. | Codex |
| 2026-03-08 | Added canonical `/analyze/unknowns*` and `/notify` alias coverage, repaired shared navigation targets, and surfaced alerts/activity/unknowns/notifications from live sidebar shells. | Codex |
| 2026-03-08 | Verified the cutover with focused Angular tests, Playwright UI flow coverage, and a production build; docs synced and sprint ready for archive. | Codex |
## Decisions & Risks
- Risk: some of these pages are mounted already, but current navigation does not acknowledge them.
- Mitigation: treat this as a surfacing and alias cutover, not a new product branch.
- Risk: unknowns tracking still contains stale `/analyze/*` internal links that could leave the operator on broken paths.
- Mitigation: repair both the bookmark aliases and the leaf-local links in the same sprint.
- Risk: notifications has both setup-admin and ops-delivery concepts.
- Mitigation: keep admin rule configuration under `Setup > Notifications`, but keep delivery and operator notification workflows under `Ops > Operations > Notifications`.
- Risk: the local Angular dev proxy reserves `/notify`, which makes browser-level navigation to that alias unstable in Playwright even though the app route is correct.
- Mitigation: keep `/notify` alias coverage in router-contract tests and use the mounted canonical notifications page for browser-level workflow verification.
- Delivery rule: this sprint is only complete when these leaves are reachable from live shells, stale links are repaired, and the core operator journey is verified end to end.
## Next Checkpoints
- 2026-03-08: canonical owners, alias contract, and shell exposure complete.
- 2026-03-08: targeted verification passes, sprint archived, and commit created.

83
docs-archived/implplan/SPRINT_20260308_008_FE_live_search_ingestion_browser_validation.md Normal file
View File

@@ -0,0 +1,83 @@
# Sprint 20260308-008 - FE Live Search Ingestion Browser Validation
## Topic & Scope
- Bring the AdvisoryAI search corpus into a known-good ingested state for local verification instead of relying on stale or missing data.
- Validate the shipped search experience through a real browser using Playwright against the live search endpoints, not only mocked FE lanes.
- Keep the work centered on the Web search verification lane; only use AdvisoryAI startup/rebuild commands as operational prerequisites for the browser tests.
- Working directory: `src/Web/StellaOps.Web`.
- Expected evidence: corpus rebuild output, live Playwright browser results, and sprint execution log updates.
## Dependencies & Concurrency
- Depends on the archived search rollout/correction sprints in `docs-archived/implplan/SPRINT_20260306_001_*`, `002_*`, `004_*`, `005_*`, `006_*`, and the later archived 2026-03-07 search corrective set.
- Safe parallelism: do not edit unrelated Router, topology, or shell cutover files while executing this validation lane.
- Operational dependency: the local AdvisoryAI WebService must be running and reachable on the documented local port before the live browser suite starts.
## Documentation Prerequisites
- `docs/qa/feature-checks/FLOW.md`
- `docs/code-of-conduct/TESTING_PRACTICES.md`
- `docs/modules/advisory-ai/knowledge-search.md`
- `src/AdvisoryAI/__Tests/INFRASTRUCTURE.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
### FE-LIVESEARCH-001 - Prepare the local ingestion corpus
Status: DONE
Dependency: none
Owners: QA, Developer (FE)
Task description:
- Start or verify the local AdvisoryAI WebService.
- Run the documented `sources prepare` and index rebuild order so live search suggestions and grounded answers come from a fresh ingested corpus.
Completion criteria:
- [x] Local AdvisoryAI health responds successfully.
- [x] `sources prepare` completes successfully or a documented equivalent local corpus path is used.
- [x] Knowledge and unified search rebuilds succeed with recorded output.
### FE-LIVESEARCH-002 - Execute browser-level Playwright validation against the live search service
Status: DONE
Dependency: FE-LIVESEARCH-001
Owners: QA, Test Automation
Task description:
- Run the existing live Playwright search suites that proxy browser search traffic into the local AdvisoryAI service.
- Exercise real search flows from the browser and confirm grounded results, viable suggestions, and contextual handoff behavior.
Completion criteria:
- [x] Live Playwright search suites pass against the rebuilt local corpus.
- [x] Browser verification covers suggestions, grounded answer panel, and Ask-AdvisoryAI handoff.
- [x] Failures are triaged as data-ingestion, FE, or backend issues with exact evidence.
### FE-LIVESEARCH-003 - Record outcomes and close or follow up
Status: DONE
Dependency: FE-LIVESEARCH-002
Owners: QA, Project Manager
Task description:
- Record the exact commands, routes, and outcomes from the live browser lane.
- If defects remain, split them into focused follow-up sprints instead of leaving this ingestion-validation lane ambiguous.
Completion criteria:
- [x] Sprint execution log contains the live setup and browser evidence.
- [x] Any remaining issues are translated into focused follow-up work with clear ownership.
- [x] This sprint is archived only if all tasks are complete.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-08 | Sprint created to set up local AdvisoryAI ingestion and verify the shipped search UX from a real browser using Playwright against live endpoints. | Developer |
| 2026-03-08 | Verified `sources prepare` from the locally built CLI against the repo root with `docs.documentCount=461`, `doctor.mergedSeedCount=31`, and `doctor.controlCount=31`; then started the source-run AdvisoryAI WebService on `http://127.0.0.1:10451` and confirmed `/health` returned `200`. | QA |
| 2026-03-08 | Rebuilt the live search indexes against the source-run service and verified `POST /v1/search/query` for `database connectivity` returned `contextAnswer.status=grounded` with top card `PostgreSQL connectivity`. | QA |
| 2026-03-08 | Ran `npx playwright test tests/e2e/unified-search-contextual-suggestions.live.e2e.spec.ts --config playwright.config.ts` with `LIVE_ADVISORYAI_SEARCH_BASE_URL=http://127.0.0.1:10451`; result `8 passed`, `3 skipped` where skips were explicit corpus-unready branches that are now bypassed because the routes are ready. | QA |
## Decisions & Risks
- Decision: prefer the documented local ingestion/rebuild flow already used by the live search suites instead of inventing a second setup path.
- Decision: use browser-level Playwright verification against live search endpoints as the acceptance lane for this sprint.
- Decision: use the source-run AdvisoryAI WebService on `127.0.0.1:10451` for this lane instead of the compose-hosted service because the compose instance was reachable but returned an empty rebuild corpus in this workspace.
- Decision: the Playwright test runner is sufficient browser evidence for this sprint; direct MCP browser control was unavailable because the Playwright MCP Bridge extension is not installed in this environment.
- Risk: the local AdvisoryAI WebService may not be running or may lack database/env prerequisites.
- Mitigation: treat service startup and rebuild as first-class setup work, record exact blockers, and only proceed to browser validation after health is green.
- Risk: a reachable AdvisoryAI service can still be logically unready if it points at the wrong database or stale corpus.
- Mitigation: require both rebuild output and a grounded direct query (`database connectivity`) before allowing the browser suite to count as valid evidence.
## Next Checkpoints
- 2026-03-08: local AdvisoryAI service healthy and indexes rebuilt.
- 2026-03-08: live Playwright search browser suite executed with recorded outcome.

67
docs/features/checked/web/security-operations-leaves-ui.md Normal file
View File

@@ -0,0 +1,67 @@
# Security Operations Leaves UI
## Module
Web
## Status
VERIFIED
## Description
Shipped the weak-route security operations leaves as fully surfaced operator workflows. `Mission Control` now exposes alerts and activity, `Security` owns unknowns tracking and determinization flows, and `Ops > Operations` owns notifications. Stale `/analyze/unknowns*` and `/notify` entry points now resolve into mounted canonical pages instead of dead owner paths.
## Implementation Details
- **Feature directories**:
- `src/Web/StellaOps.Web/src/app/features/mission-control/`
- `src/Web/StellaOps.Web/src/app/features/unknowns-tracking/`
- `src/Web/StellaOps.Web/src/app/features/notify/`
- **Primary components**:
- `mission-alerts-page` (`src/Web/StellaOps.Web/src/app/features/mission-control/mission-alerts-page.component.ts`)
- `mission-activity-page` (`src/Web.StellaOps.Web/src/app/features/mission-control/mission-activity-page.component.ts`)
- `unknowns-dashboard` (`src/Web.StellaOps.Web/src/app/features/unknowns-tracking/unknowns-dashboard.component.ts`)
- `grey-queue-dashboard` (`src/Web.StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.ts`)
- `determinization-review` (`src/Web.StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.ts`)
- `notify-panel` (`src/Web.StellaOps.Web/src/app/features/notify/notify-panel.component.ts`)
- **Canonical routes**:
- `/mission-control/alerts`
- `/mission-control/activity`
- `/security/unknowns`
- `/security/unknowns/:unknownId`
- `/security/unknowns/:unknownId/determinization`
- `/security/unknowns/queue/grey`
- `/ops/operations/notifications`
- **Legacy aliases**:
- `/analyze/unknowns`
- `/analyze/unknowns/:unknownId`
- `/analyze/unknowns/:unknownId/determinization`
- `/analyze/unknowns/queue/grey`
- `/notify`
- **Secondary entry points**:
- sidebar `Mission Control > Alerts`
- sidebar `Mission Control > Activity`
- sidebar `Security > Unknowns`
- sidebar `Operations > Notifications`
## E2E Test Plan
- **Setup**:
- [x] Start the local Angular test server with `npm run serve:test`.
- [x] Use a test session with mission, scanner, ops, and notify viewer scopes.
- **Core verification**:
- [x] Open `/analyze/unknowns` and verify redirect into canonical `/security/unknowns`.
- [x] Drill into unknown detail and verify the identification workflow stays mounted.
- [x] Open the canonical notifications shell and verify the operator page and watchlist handoff render.
- [x] Open `/mission-control/alerts` and `/mission-control/activity` and verify both pages render live operator links.
## Verification
- Run:
- `npm run test -- --watch=false --include src/app/layout/app-sidebar/app-sidebar.component.spec.ts --include src/tests/security/security-operations-leaves-cutover.spec.ts --include src/tests/unknowns/unknowns-tracking-ui.behavior.spec.ts --include src/tests/unknowns/unknowns-route-handoffs.spec.ts --include src/tests/notify/notify-watchlist-handoff.spec.ts`
- `npx playwright test --config playwright.config.ts tests/e2e/security-operations-leaves-cutover.spec.ts --workers=1`
- `npm run build`
- Tier 0 (source): pass
- Tier 1 (build/tests): pass
- Tier 2 (behavior): pass
- Notes:
- Angular targeted tests passed: `5` files, `16` tests.
- Playwright passed: `1` security-operations cutover scenario.
- The browser flow uses `/ops/operations/notifications` because the local frontend proxy reserves `/notify`; the `/notify` alias remains covered by the route-contract test.
- Production build passed; existing bundle-budget warnings remain unchanged from the baseline.
- Verified on (UTC): 2026-03-08T08:42:15Z

3
docs/modules/ui/README.md
View File

@@ -9,6 +9,8 @@
The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
## Latest updates (2026-03-08)
- Shipped the `Mission Control`, `Security`, and `Ops > Operations` security-leaves cutover, including canonical surfacing for alerts, activity, unknowns, and notifications plus repaired `/analyze/unknowns*` and `/notify` ownership.
- Added checked-feature verification for the security operations leaves cutover at `../../features/checked/web/security-operations-leaves-ui.md`.
- Shipped the canonical `Setup > Topology` and `Setup > Trust & Signing` cutover, including repaired legacy trust bookmarks, fixed `Platform Setup` handoffs, and expanded topology shell exposure.
- Added checked-feature verification for topology and trust administration at `../../features/checked/web/topology-trust-administration-ui.md`.
- Shipped the execution-operations cutover for canonical JobEngine, Scheduler, Dead-Letter, and companion Scanner Ops workflows under `Ops > Operations`.
@@ -83,6 +85,7 @@ The Console presents operator dashboards for scans, policies, VEX evidence, runt
- ./quota-health-aoc-operations/README.md
- ./execution-operations/README.md
- ./topology-trust-administration/README.md
- ./security-operations-leaves/README.md
- ./triage-explainability-workspace/README.md
- ./workflow-visualization-replay/README.md
- ./contextual-actions-patterns/README.md

4
docs/modules/ui/TASKS.md
View File

@@ -104,6 +104,10 @@
- [DONE] FE-TTA-002 Complete topology shell exposure and platform setup handoffs
- [DONE] FE-TTA-003 Merge legacy trust settings and issuer entry points into usable trust administration
- [DONE] FE-TTA-004 Verify cutover, sync docs, and archive
- [DONE] FE-SOL-001 Freeze canonical mission, unknowns, and notify route ownership
- [DONE] FE-SOL-002 Surface the leaves from the live shells
- [DONE] FE-SOL-003 Repair leaf-local workflow links and actions
- [DONE] FE-SOL-004 Verify cutover, sync docs, and archive
- [DONE] FE-PO-001 Freeze Operations overview taxonomy and submenu structure
- [DONE] FE-PO-002 Overview page regrouping and blocking-card contract
- [DONE] FE-PO-003 Legacy widget absorption matrix for Platform Ops

2
docs/modules/ui/implementation_plan.md
View File

@@ -32,12 +32,14 @@ Provide a living plan for UI deliverables, dependencies, and evidence.
- `docs/features/checked/web/quota-health-aoc-operations-ui.md` - shipped verification note for canonical quota, health, and AOC owner routes, repaired deep links, route-backed filters, and completed operator actions.
- `docs/features/checked/web/execution-operations-ui.md` - shipped verification note for canonical execution routes, repaired jobengine and scheduler aliases, completed dead-letter actions, and usable scanner-support workflows.
- `docs/features/checked/web/topology-trust-administration-ui.md` - shipped verification note for canonical topology and trust setup shells, repaired settings/admin/platform aliases, and platform-setup handoffs.
- `docs/features/checked/web/security-operations-leaves-ui.md` - shipped verification note for mission alerts/activity surfacing, unknowns route repair, notifications ownership, and legacy security alias cutover.
- `docs/modules/ui/reachability-witnessing/README.md` - detailed witness and proof UX dossier plus cross-shell deep-link contract.
- `docs/modules/ui/platform-ops-consolidation/README.md` - detailed Operations overview taxonomy and legacy absorption plan.
- `docs/modules/ui/offline-operations/README.md` - detailed owner-shell contract for Offline Kit, Feeds & Airgap, Evidence handoffs, and stale alias policy.
- `docs/modules/ui/quota-health-aoc-operations/README.md` - canonical owner-shell contract for quota, health, and AOC operations cutover plus alias and action rules.
- `docs/modules/ui/execution-operations/README.md` - canonical execution owner-shell contract for JobEngine, Scheduler, Dead-Letter, and companion Scanner Ops workflows.
- `docs/modules/ui/topology-trust-administration/README.md` - canonical setup owner contract for topology inventory, trust administration, legacy trust redirects, and platform-setup handoffs.
- `docs/modules/ui/security-operations-leaves/README.md` - canonical owner contract for mission alerts/activity, security unknowns, notifications, and stale `/analyze`/`/notify` handoffs.
- `docs/modules/ui/triage-explainability-workspace/README.md` - detailed artifact workspace and audit-bundle UX dossier.
- `docs/modules/ui/workflow-visualization-replay/README.md` - detailed run-detail graph, timeline, replay, and evidence UX dossier.
- `docs/modules/ui/contextual-actions-patterns/README.md` - shared placement contract for stray actions, pages, drawers, and tabs.

60
docs/modules/ui/security-operations-leaves/README.md Normal file
View File

@@ -0,0 +1,60 @@
# Security Operations Leaves
## Purpose
- Make the preserved weak-route leaves fully usable from the live shells instead of leaving them reachable only by typed URLs or overview-card luck.
- Keep `Mission Control`, `Security`, and `Ops > Operations` as the owners of their respective operator workflows instead of reviving a separate legacy security-ops product.
## Canonical Owner
- Owner shells:
- `Mission Control`
- `Security`
- `Ops > Operations`
- Primary routes:
- `/mission-control/alerts`
- `/mission-control/activity`
- `/mission-control/release-health`
- `/mission-control/security-posture`
- `/security/unknowns`
- `/security/unknowns/:unknownId`
- `/security/unknowns/:unknownId/determinization`
- `/security/unknowns/queue/grey`
- `/ops/operations/notifications`
## Legacy Alias Policy
- Preserve stale bookmarks and old links by redirecting:
- `/analyze/unknowns`
- `/analyze/unknowns/:unknownId`
- `/analyze/unknowns/:unknownId/determinization`
- `/analyze/unknowns/queue/grey`
- `/notify`
- Redirects must preserve query params and fragments so tenant, region, environment, return-to-context, and tab state survive the handoff.
- `Setup > Notifications` remains the admin/configuration surface. `Ops > Operations > Notifications` remains the operator delivery and alert workflow surface.
## UX Rules
- `Mission Control` owns the cross-product alert and recent-activity pages and must surface them directly from the live sidebar.
- `Security` owns unknowns tracking, detail review, grey queue, and determinization flows.
- `Ops > Operations` owns notification delivery, channel health, and operator watchlist handoffs.
- Internal links inside the unknowns subtree must stay inside `/security/unknowns*`, not dead `/analyze/*` routes.
- Browser-level verification should use the mounted notifications page because the local frontend proxy reserves `/notify`; the alias itself is still required in app routing and verified at route-contract level.
## Preserved Value
- Keep:
- mission alert and activity summaries as operator landing pages
- unknowns tracking and determinization workflows
- notification delivery and watchlist handoff workflows
- Why:
- these are already mounted product capabilities with useful operator actions
- the product issue was surfacing debt and stale route ownership, not lack of feature value
## Shipped In This Cut
- Added top-level alias coverage for stale `/analyze/unknowns*` and `/notify` entry points.
- Retargeted shared navigation config from dead analyze and notify paths to the canonical security and operations owners.
- Surfaced `Alerts`, `Activity`, `Unknowns`, and `Notifications` from the live sidebar shells.
- Repaired unknowns grey-queue and determinization links so breadcrumbs and return paths stay inside canonical security routes.
- Added focused Angular and Playwright verification for the cutover.
## Related Docs
- `docs/features/checked/web/security-operations-leaves-ui.md`
- `docs/features/checked/web/unknowns-tracking-ui.md`
- `docs/modules/ui/watchlist-operations/README.md`
- `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`

27
src/Web/StellaOps.Web/src/app/app.routes.ts
View File

@@ -218,6 +218,33 @@ export const routes: Routes = [
{ path: '**', redirectTo: '/administration' },
],
},
{
path: 'analyze',
children: [
{ path: 'unknowns', redirectTo: preserveAppRedirect('/security/unknowns'), pathMatch: 'full' },
{
path: 'unknowns/queue/grey',
redirectTo: preserveAppRedirect('/security/unknowns/queue/grey'),
pathMatch: 'full',
},
{
path: 'unknowns/:unknownId/determinization',
redirectTo: preserveAppRedirect('/security/unknowns/:unknownId/determinization'),
pathMatch: 'full',
},
{
path: 'unknowns/:unknownId',
redirectTo: preserveAppRedirect('/security/unknowns/:unknownId'),
pathMatch: 'full',
},
{ path: '**', redirectTo: '/security', pathMatch: 'full' },
],
},
{
path: 'notify',
redirectTo: preserveAppRedirect('/ops/operations/notifications'),
pathMatch: 'full',
},
{
path: 'platform-ops',
loadChildren: () => import('./routes/platform-ops.routes').then((m) => m.PLATFORM_OPS_ROUTES),

10
src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts
View File

@@ -61,14 +61,14 @@ export const NAVIGATION_GROUPS: NavGroup[] = [
{
id: 'lineage',
label: 'Lineage',
route: '/lineage',
route: '/security/lineage',
icon: 'git-branch',
tooltip: 'Explore SBOM lineage and smart diff',
},
{
id: 'reachability',
label: 'Reachability',
route: '/reachability',
route: '/security/reachability',
icon: 'network',
tooltip: 'Reachability analysis and coverage',
},
@@ -82,14 +82,14 @@ export const NAVIGATION_GROUPS: NavGroup[] = [
{
id: 'unknowns',
label: 'Unknowns',
route: '/analyze/unknowns',
route: '/security/unknowns',
icon: 'help-circle',
tooltip: 'Track and identify unknown components',
},
{
id: 'patch-map',
label: 'Patch Map',
route: '/analyze/patch-map',
route: '/security/patch-map',
icon: 'grid',
tooltip: 'Fleet-wide binary patch coverage heatmap',
},
@@ -470,7 +470,7 @@ export const NAVIGATION_GROUPS: NavGroup[] = [
{
id: 'notifications',
label: 'Notifications',
route: '/notify',
route: OPERATIONS_PATHS.notifications,
icon: 'notification',
tooltip: 'Notification center',
},

6
src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.ts
View File

@@ -29,11 +29,11 @@ import { GreyQueuePanelComponent } from '../unknowns/grey-queue-panel.component'
<nav class="mb-6 text-sm">
<ol class="flex items-center space-x-2">
<li>
<a routerLink="/analyze/unknowns" class="text-blue-600 hover:underline">Unknowns</a>
<a routerLink="/security/unknowns" class="text-blue-600 hover:underline">Unknowns</a>
</li>
<li class="text-gray-400">/</li>
<li>
<a [routerLink]="['/analyze/unknowns', unknownId()]" class="text-blue-600 hover:underline">
<a [routerLink]="['/security/unknowns', unknownId()]" class="text-blue-600 hover:underline">
{{ unknownId() | slice:0:8 }}...
</a>
</li>
@@ -228,7 +228,7 @@ import { GreyQueuePanelComponent } from '../unknowns/grey-queue-panel.component'
Export Proof JSON
</button>
<a
[routerLink]="['/analyze/unknowns', unknownId()]"
[routerLink]="['/security/unknowns', unknownId()]"
class="block w-full px-3 py-2 text-sm text-left rounded border hover:bg-gray-50"
>
Back to Unknown Detail

4
src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.ts
View File

@@ -26,7 +26,7 @@ import {
<!-- Header -->
<div class="mb-6">
<nav class="text-sm mb-2">
<a routerLink="/analyze/unknowns" class="text-blue-600 hover:underline">Unknowns</a>
<a routerLink="/security/unknowns" class="text-blue-600 hover:underline">Unknowns</a>
<span class="text-gray-400 mx-2">/</span>
<span class="text-gray-600">Grey Queue</span>
</nav>
@@ -164,7 +164,7 @@ import {
</td>
<td class="px-4 py-3 text-right">
<a
[routerLink]="['/analyze/unknowns', item.id, 'determinization']"
[routerLink]="['/security/unknowns', item.id, 'determinization']"
class="text-blue-600 hover:underline text-sm"
>
Review

22
src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.spec.ts
View File

@@ -35,7 +35,8 @@ describe('AppSidebarComponent', () => {
const text = fixture.nativeElement.textContent as string;
expect(text).toContain('Dashboard');
expect(text).toContain('Security & Risk');
expect(text).toContain('Alerts');
expect(text).toContain('Activity');
expect(text).not.toContain('Analytics');
});
@@ -69,6 +70,25 @@ describe('AppSidebarComponent', () => {
expect(fixture.nativeElement.textContent).toContain('Trust & Signing');
});
it('surfaces mission, unknowns, and notifications leaves in the live sidebar shells', () => {
setScopes([
StellaOpsScopes.UI_READ,
StellaOpsScopes.RELEASE_READ,
StellaOpsScopes.SCANNER_READ,
StellaOpsScopes.UI_ADMIN,
StellaOpsScopes.ORCH_READ,
StellaOpsScopes.NOTIFY_VIEWER,
]);
const fixture = createComponent();
const links = Array.from(fixture.nativeElement.querySelectorAll('a')) as HTMLAnchorElement[];
const hrefs = links.map((link) => link.getAttribute('href'));
expect(hrefs).toContain('/mission-control/alerts');
expect(hrefs).toContain('/mission-control/activity');
expect(hrefs).toContain('/security/unknowns');
expect(hrefs).toContain('/ops/operations/notifications');
});
function setScopes(scopes: readonly StellaOpsScope[]): void {
const baseUser = authService.user();
if (!baseUser) {

8
src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.ts
View File

@@ -723,6 +723,12 @@ export class AppSidebarComponent implements AfterViewInit {
StellaOpsScopes.RELEASE_READ,
StellaOpsScopes.SCANNER_READ,
],
children: [
{ id: 'mc-alerts', label: 'Alerts', route: '/mission-control/alerts', icon: 'bell' },
{ id: 'mc-activity', label: 'Activity', route: '/mission-control/activity', icon: 'clock' },
{ id: 'mc-release-health', label: 'Release Health', route: '/mission-control/release-health', icon: 'activity' },
{ id: 'mc-security-posture', label: 'Security Posture', route: '/mission-control/security-posture', icon: 'shield' },
],
},
{
id: 'releases',
@@ -797,6 +803,7 @@ export class AppSidebarComponent implements AfterViewInit {
{ id: 'sec-audit-bundles', label: 'Audit Bundles', route: '/triage/audit-bundles', icon: 'archive' },
{ id: 'sec-supply-chain', label: 'Supply-Chain Data', route: '/security/supply-chain-data', icon: 'graph' },
{ id: 'sec-reachability', label: 'Reachability', route: '/security/reachability', icon: 'cpu' },
{ id: 'sec-unknowns', label: 'Unknowns', route: '/security/unknowns', icon: 'help-circle' },
{ id: 'sec-reports', label: 'Reports', route: '/security/reports', icon: 'book-open' },
],
},
@@ -841,6 +848,7 @@ export class AppSidebarComponent implements AfterViewInit {
children: [
{ id: 'ops-policy', label: 'Policy', route: '/ops/policy', icon: 'shield' },
{ id: 'ops-platform-setup', label: 'Platform Setup', route: '/ops/platform-setup', icon: 'cog' },
{ id: 'ops-notifications', label: 'Notifications', route: '/ops/operations/notifications', icon: 'bell' },
],
},
{

74
src/Web/StellaOps.Web/src/tests/security/security-operations-leaves-cutover.spec.ts Normal file
View File

@@ -0,0 +1,74 @@
import { TestBed } from '@angular/core/testing';
import { provideRouter, Route, Router } from '@angular/router';
import { routes } from '../../app/app.routes';
import { NAVIGATION_GROUPS } from '../../app/core/navigation/navigation.config';
function resolveRedirect(route: Route | undefined, params: Record<string, string> = {}): string | undefined {
const redirect = route?.redirectTo;
if (typeof redirect === 'string') {
return redirect;
}
if (typeof redirect !== 'function') {
return undefined;
}
return TestBed.runInInjectionContext(() => {
const router = TestBed.inject(Router);
const target = redirect({
params,
queryParams: {},
fragment: null,
} as never) as unknown;
return typeof target === 'string' ? target : router.serializeUrl(target as never);
});
}
describe('security operations leaves cutover contract', () => {
beforeEach(() => {
TestBed.configureTestingModule({
providers: [provideRouter([])],
});
});
it('redirects stale analyze unknowns entry points into canonical security routes', () => {
const analyze = routes.find((route) => route.path === 'analyze');
const children = analyze?.children ?? [];
expect(resolveRedirect(children.find((route) => route.path === 'unknowns'))).toBe('/security/unknowns');
expect(resolveRedirect(children.find((route) => route.path === 'unknowns/queue/grey'))).toBe(
'/security/unknowns/queue/grey',
);
expect(resolveRedirect(children.find((route) => route.path === 'unknowns/:unknownId'), { unknownId: 'unk-101' })).toBe(
'/security/unknowns/unk-101',
);
expect(
resolveRedirect(children.find((route) => route.path === 'unknowns/:unknownId/determinization'), {
unknownId: 'unk-101',
}),
).toBe('/security/unknowns/unk-101/determinization');
});
it('redirects the legacy notify root into canonical operations notifications', () => {
expect(resolveRedirect(routes.find((route) => route.path === 'notify'))).toBe('/ops/operations/notifications');
});
it('retargets security analyze and notify navigation leaves to canonical owners', () => {
const analyzeGroup = NAVIGATION_GROUPS.find((group) => group.id === 'analyze');
const notifyGroup = NAVIGATION_GROUPS.find((group) => group.id === 'notify');
expect(analyzeGroup).toBeDefined();
expect(notifyGroup).toBeDefined();
const analyzeRoutes = new Map((analyzeGroup?.items ?? []).map((item) => [item.id, item.route]));
const notifyRoutes = new Map((notifyGroup?.items ?? []).map((item) => [item.id, item.route]));
expect(analyzeRoutes.get('lineage')).toBe('/security/lineage');
expect(analyzeRoutes.get('reachability')).toBe('/security/reachability');
expect(analyzeRoutes.get('unknowns')).toBe('/security/unknowns');
expect(analyzeRoutes.get('patch-map')).toBe('/security/patch-map');
expect(notifyRoutes.get('notifications')).toBe('/ops/operations/notifications');
});
});

138
src/Web/StellaOps.Web/src/tests/unknowns/unknowns-route-handoffs.spec.ts Normal file
View File

@@ -0,0 +1,138 @@
import { ComponentFixture, TestBed } from '@angular/core/testing';
import { ActivatedRoute, provideRouter } from '@angular/router';
import { of } from 'rxjs';
import { UnknownsClient } from '../../app/core/api/unknowns.client';
import { DeterminizationReviewComponent } from '../../app/features/unknowns-tracking/determinization-review.component';
import { GreyQueueDashboardComponent } from '../../app/features/unknowns-tracking/grey-queue-dashboard.component';
describe('unknowns route handoffs', () => {
it('keeps grey queue review links inside canonical security unknowns routes', async () => {
const unknownsClient = {
getPolicyUnknownsSummary: jasmine.createSpy('getPolicyUnknownsSummary').and.returnValue(
of({ hot: 1, warm: 0, cold: 0, resolved: 0, total: 1 }),
),
listPolicyUnknowns: jasmine.createSpy('listPolicyUnknowns').and.returnValue(
of({
items: [
{
id: 'unknown-grey-1',
packageId: 'openssl',
packageVersion: '3.0.14',
band: 'hot',
score: 94,
uncertaintyFactor: 0.2,
exploitPressure: 0.5,
firstSeenAt: '2026-03-08T07:00:00Z',
lastEvaluatedAt: '2026-03-08T07:30:00Z',
reasonCode: 'policy.unknown',
reasonCodeShort: 'Unknown',
observationState: 'ManualReviewRequired',
conflictInfo: {
hasConflict: true,
severity: 0.71,
suggestedPath: 'Manual review',
conflicts: [
{
signal1: 'vex:a',
signal2: 'vex:b',
type: 'issuer-conflict',
description: 'Issuer disagreement requires review.',
severity: 0.71,
},
],
},
},
],
totalCount: 1,
}),
),
};
await TestBed.configureTestingModule({
imports: [GreyQueueDashboardComponent],
providers: [
provideRouter([]),
{ provide: UnknownsClient, useValue: unknownsClient as unknown as UnknownsClient },
],
}).compileComponents();
const fixture = TestBed.createComponent(GreyQueueDashboardComponent);
fixture.detectChanges();
await fixture.whenStable();
fixture.detectChanges();
const links = Array.from(fixture.nativeElement.querySelectorAll('a')) as HTMLAnchorElement[];
const hrefs = links.map((link) => link.getAttribute('href'));
expect(hrefs).toContain('/security/unknowns');
expect(hrefs).toContain('/security/unknowns/unknown-grey-1/determinization');
});
it('keeps determinization breadcrumbs and return links inside canonical security unknowns routes', async () => {
const unknownsClient = {
getPolicyUnknownDetail: jasmine.createSpy('getPolicyUnknownDetail').and.returnValue(
of({
unknown: {
id: 'unknown-grey-1',
packageId: 'openssl',
packageVersion: '3.0.14',
band: 'hot',
score: 94,
uncertaintyFactor: 0.2,
exploitPressure: 0.5,
firstSeenAt: '2026-03-08T07:00:00Z',
lastEvaluatedAt: '2026-03-08T07:30:00Z',
reasonCode: 'policy.unknown',
reasonCodeShort: 'Unknown',
observationState: 'ManualReviewRequired',
conflictInfo: {
hasConflict: true,
severity: 0.71,
suggestedPath: 'Manual review',
conflicts: [
{
signal1: 'vex:a',
signal2: 'vex:b',
type: 'issuer-conflict',
description: 'Issuer disagreement requires review.',
severity: 0.71,
},
],
},
},
}),
),
triageUnknown: jasmine.createSpy('triageUnknown'),
};
await TestBed.configureTestingModule({
imports: [DeterminizationReviewComponent],
providers: [
provideRouter([]),
{ provide: UnknownsClient, useValue: unknownsClient as unknown as UnknownsClient },
{
provide: ActivatedRoute,
useValue: {
snapshot: {
paramMap: {
get: (key: string) => (key === 'unknownId' ? 'unknown-grey-1' : null),
},
},
},
},
],
}).compileComponents();
const fixture = TestBed.createComponent(DeterminizationReviewComponent);
fixture.detectChanges();
await fixture.whenStable();
fixture.detectChanges();
const links = Array.from(fixture.nativeElement.querySelectorAll('a')) as HTMLAnchorElement[];
const hrefs = links.map((link) => link.getAttribute('href'));
expect(hrefs).toContain('/security/unknowns');
expect(hrefs).toContain('/security/unknowns/unknown-grey-1');
});
});

328
src/Web/StellaOps.Web/tests/e2e/security-operations-leaves-cutover.spec.ts Normal file
View File

@@ -0,0 +1,328 @@
import { expect, test, type Page, type Route } from '@playwright/test';
import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
const operatorSession: StubAuthSession = {
subjectId: 'security-ops-e2e-user',
tenant: 'tenant-default',
scopes: [
'admin',
'ui.read',
'ui.admin',
'release:read',
'scanner:read',
'sbom:read',
'orch:read',
'notify.viewer',
'signer:read',
],
};
const mockConfig = {
authority: {
issuer: '/authority',
clientId: 'stella-ops-ui',
authorizeEndpoint: '/authority/connect/authorize',
tokenEndpoint: '/authority/connect/token',
logoutEndpoint: '/authority/connect/logout',
redirectUri: 'https://127.0.0.1:4400/auth/callback',
postLogoutRedirectUri: 'https://127.0.0.1:4400/',
scope: 'openid profile email ui.read',
audience: '/gateway',
dpopAlgorithms: ['ES256'],
refreshLeewaySeconds: 60,
},
apiBaseUrls: {
authority: '/authority',
scanner: '/scanner',
policy: '/policy',
concelier: '/concelier',
attestor: '/attestor',
gateway: '/gateway',
},
quickstartMode: true,
setup: 'complete',
};
const unknownsList = {
items: [
{
id: 'unknown-101',
type: 'binary',
name: 'openssl',
path: '/usr/lib/libssl.so',
artifactDigest: 'sha256:artifact-a',
artifactRef: 'registry.example/app@sha256:artifact-a',
sha256: 'sha256:file-a',
status: 'open',
confidence: 92,
createdAt: '2026-03-08T07:00:00Z',
updatedAt: '2026-03-08T07:10:00Z',
},
],
total: 1,
};
const unknownsStats = {
total: 7,
byType: {
binary: 4,
symbol: 2,
package: 1,
file: 0,
license: 0,
},
byStatus: {
open: 5,
pending: 1,
resolved: 1,
unresolvable: 0,
},
resolutionRate: 14.2,
avgConfidence: 73.4,
lastUpdated: '2026-03-08T07:10:00Z',
};
const unknownDetail = {
unknown: {
id: 'unknown-101',
type: 'binary',
name: 'openssl',
path: '/usr/lib/libssl.so',
artifactDigest: 'sha256:artifact-a',
artifactRef: 'registry.example/app@sha256:artifact-a',
sha256: 'sha256:file-a',
status: 'open',
confidence: 92,
createdAt: '2026-03-08T07:00:00Z',
updatedAt: '2026-03-08T07:10:00Z',
},
candidates: [
{
rank: 1,
name: 'openssl',
purl: 'pkg:generic/openssl@3.0.14',
cpe: 'cpe:2.3:a:openssl:openssl:3.0.14:*:*:*:*:*:*:*',
confidence: 96,
source: 'fingerprint',
matchDetails: 'Fingerprint digest match',
},
],
fingerprintAnalysis: {
matchType: 'exact',
matchPercentage: 98,
missingInfo: [],
},
symbolResolution: {
totalSymbols: 15,
resolvedSymbols: 14,
missingSymbols: ['SSL_CTX_new'],
symbolServerStatus: 'partial',
},
similarCount: 3,
sbomImpact: {
currentCompleteness: 91,
impactDelta: 4,
knownCves: 2,
message: 'Resolution improves SBOM completeness and vulnerability attribution.',
},
};
const notifyChannels = [
{
channelId: 'chn-alerts',
tenantId: 'tenant-default',
name: 'slack-alerts',
displayName: 'Slack Alerts',
type: 'Slack',
enabled: true,
config: {
secretRef: 'secret://notify/slack-alerts',
target: '#security-alerts',
},
labels: {},
metadata: {},
createdAt: '2026-03-08T07:00:00Z',
updatedAt: '2026-03-08T07:10:00Z',
},
];
const notifyRules = [
{
ruleId: 'rule-alerts',
tenantId: 'tenant-default',
name: 'Critical findings',
enabled: true,
match: {
minSeverity: 'critical',
eventKinds: ['scanner.report.ready'],
},
actions: [
{
actionId: 'act-alerts',
channel: 'chn-alerts',
digest: 'instant',
enabled: true,
},
],
createdAt: '2026-03-08T07:00:00Z',
updatedAt: '2026-03-08T07:10:00Z',
},
];
const notifyDeliveries = {
items: [
{
deliveryId: 'delivery-001',
tenantId: 'tenant-default',
ruleId: 'rule-alerts',
actionId: 'act-alerts',
eventId: 'event-001',
kind: 'scanner.report.ready',
status: 'Sent',
rendered: {
channelType: 'Slack',
format: 'Slack',
target: '#security-alerts',
title: 'Critical finding detected',
body: 'A critical finding requires operator review.',
},
createdAt: '2026-03-08T07:10:00Z',
},
],
count: 1,
continuationToken: null,
};
async function fulfillJson(route: Route, body: unknown, status = 200): Promise<void> {
await route.fulfill({
status,
contentType: 'application/json',
body: JSON.stringify(body),
});
}
async function setupHarness(page: Page): Promise<void> {
await page.addInitScript((session) => {
(window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
}, operatorSession);
await page.route('**/api/**', (route) => fulfillJson(route, {}));
await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
await page.route('**/platform/i18n/*.json', (route) => fulfillJson(route, {}));
await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
await page.route('**/.well-known/openid-configuration', (route) =>
fulfillJson(route, {
issuer: 'https://127.0.0.1:4400/authority',
authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
response_types_supported: ['code'],
subject_types_supported: ['public'],
id_token_signing_alg_values_supported: ['RS256'],
}),
);
await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
await page.route('**/console/branding**', (route) =>
fulfillJson(route, {
tenantId: operatorSession.tenant,
appName: 'Stella Ops',
logoUrl: null,
cssVariables: {},
}),
);
await page.route('**/console/profile**', (route) =>
fulfillJson(route, {
subjectId: operatorSession.subjectId,
username: 'security-ops-e2e',
displayName: 'Security Ops E2E',
tenant: operatorSession.tenant,
roles: ['platform-admin'],
scopes: operatorSession.scopes,
}),
);
await page.route('**/console/token/introspect**', (route) =>
fulfillJson(route, {
active: true,
tenant: operatorSession.tenant,
subject: operatorSession.subjectId,
scopes: operatorSession.scopes,
}),
);
await page.route('**/authority/console/tenants**', (route) =>
fulfillJson(route, {
tenants: [
{
tenantId: operatorSession.tenant,
displayName: 'Default Tenant',
isDefault: true,
isActive: true,
},
],
}),
);
await page.route('**/api/v2/context/regions**', (route) =>
fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }]),
);
await page.route('**/api/v2/context/environments**', (route) =>
fulfillJson(route, [
{
environmentId: 'prod',
regionId: 'eu-west',
environmentType: 'prod',
displayName: 'Production',
sortOrder: 1,
enabled: true,
},
]),
);
await page.route('**/api/v2/context/preferences**', (route) =>
fulfillJson(route, {
tenantId: operatorSession.tenant,
actorId: operatorSession.subjectId,
regions: ['eu-west'],
environments: ['prod'],
timeWindow: '24h',
stage: 'all',
updatedAt: '2026-03-08T07:00:00Z',
updatedBy: operatorSession.subjectId,
}),
);
await page.route(/\/api\/v1\/scanner\/unknowns\/stats(?:\?.*)?$/, (route) => fulfillJson(route, unknownsStats));
await page.route(/\/api\/v1\/scanner\/unknowns\/unknown-101(?:\?.*)?$/, (route) => fulfillJson(route, unknownDetail));
await page.route(/\/api\/v1\/scanner\/unknowns(?:\?.*)?$/, (route) => fulfillJson(route, unknownsList));
await page.route(/\/api\/v1\/notify\/channels(?:\?.*)?$/, (route) => fulfillJson(route, notifyChannels));
await page.route(/\/api\/v1\/notify\/rules(?:\?.*)?$/, (route) => fulfillJson(route, notifyRules));
await page.route(/\/api\/v1\/notify\/deliveries(?:\?.*)?$/, (route) => fulfillJson(route, notifyDeliveries));
}
test.beforeEach(async ({ page }) => {
await setupHarness(page);
});
test('security operations leaves keep aliases and canonical shells usable', async ({ page }) => {
await page.goto('/analyze/unknowns', { waitUntil: 'networkidle' });
await expect(page).toHaveURL(/\/security\/unknowns(?:\?.*)?$/);
await expect(page.getByRole('heading', { name: 'Unknowns Tracking' })).toBeVisible();
await page.getByRole('link', { name: 'Identify' }).click();
await expect(page).toHaveURL(/\/security\/unknowns\/unknown-101(?:\?.*)?$/);
await expect(page.getByRole('heading', { name: 'openssl' })).toBeVisible();
// `/notify` is reserved by the local dev proxy, so the alias contract is verified
// in route-level tests while the browser run covers the mounted canonical page.
await page.goto('/ops/operations/notifications', { waitUntil: 'networkidle' });
await expect(page).toHaveURL(/\/ops\/operations\/notifications(?:\?.*)?$/);
await expect(page.getByRole('heading', { name: 'Notify control plane' })).toBeVisible();
await expect(page.getByRole('link', { name: 'Review watchlist alerts' })).toBeVisible();
await page.goto('/mission-control/alerts', { waitUntil: 'networkidle' });
await expect(page.getByRole('heading', { name: 'Mission Alerts' })).toBeVisible();
await expect(
page.getByRole('link', { name: 'Identity watchlist alert requires signer review' }),
).toBeVisible();
await page.goto('/mission-control/activity', { waitUntil: 'networkidle' });
await expect(page.getByRole('heading', { name: 'Mission Activity' })).toBeVisible();
await expect(page.getByRole('link', { name: 'Open Audit Log' })).toBeVisible();
});