Archive live search ingestion browser validation sprint

docs/features/checked/web/security-operations-leaves-ui.md

@@ -0,0 +1,67 @@
+# Security Operations Leaves UI
+
+## Module
+Web
+
+## Status
+VERIFIED
+
+## Description
+Shipped the weak-route security operations leaves as fully surfaced operator workflows. `Mission Control` now exposes alerts and activity, `Security` owns unknowns tracking and determinization flows, and `Ops > Operations` owns notifications. Stale `/analyze/unknowns*` and `/notify` entry points now resolve into mounted canonical pages instead of dead owner paths.
+
+## Implementation Details
+- **Feature directories**:
+  - `src/Web/StellaOps.Web/src/app/features/mission-control/`
+  - `src/Web/StellaOps.Web/src/app/features/unknowns-tracking/`
+  - `src/Web/StellaOps.Web/src/app/features/notify/`
+- **Primary components**:
+  - `mission-alerts-page` (`src/Web/StellaOps.Web/src/app/features/mission-control/mission-alerts-page.component.ts`)
+  - `mission-activity-page` (`src/Web.StellaOps.Web/src/app/features/mission-control/mission-activity-page.component.ts`)
+  - `unknowns-dashboard` (`src/Web.StellaOps.Web/src/app/features/unknowns-tracking/unknowns-dashboard.component.ts`)
+  - `grey-queue-dashboard` (`src/Web.StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.ts`)
+  - `determinization-review` (`src/Web.StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.ts`)
+  - `notify-panel` (`src/Web.StellaOps.Web/src/app/features/notify/notify-panel.component.ts`)
+- **Canonical routes**:
+  - `/mission-control/alerts`
+  - `/mission-control/activity`
+  - `/security/unknowns`
+  - `/security/unknowns/:unknownId`
+  - `/security/unknowns/:unknownId/determinization`
+  - `/security/unknowns/queue/grey`
+  - `/ops/operations/notifications`
+- **Legacy aliases**:
+  - `/analyze/unknowns`
+  - `/analyze/unknowns/:unknownId`
+  - `/analyze/unknowns/:unknownId/determinization`
+  - `/analyze/unknowns/queue/grey`
+  - `/notify`
+- **Secondary entry points**:
+  - sidebar `Mission Control > Alerts`
+  - sidebar `Mission Control > Activity`
+  - sidebar `Security > Unknowns`
+  - sidebar `Operations > Notifications`
+
+## E2E Test Plan
+- **Setup**:
+  - [x] Start the local Angular test server with `npm run serve:test`.
+  - [x] Use a test session with mission, scanner, ops, and notify viewer scopes.
+- **Core verification**:
+  - [x] Open `/analyze/unknowns` and verify redirect into canonical `/security/unknowns`.
+  - [x] Drill into unknown detail and verify the identification workflow stays mounted.
+  - [x] Open the canonical notifications shell and verify the operator page and watchlist handoff render.
+  - [x] Open `/mission-control/alerts` and `/mission-control/activity` and verify both pages render live operator links.
+
+## Verification
+- Run:
+  - `npm run test -- --watch=false --include src/app/layout/app-sidebar/app-sidebar.component.spec.ts --include src/tests/security/security-operations-leaves-cutover.spec.ts --include src/tests/unknowns/unknowns-tracking-ui.behavior.spec.ts --include src/tests/unknowns/unknowns-route-handoffs.spec.ts --include src/tests/notify/notify-watchlist-handoff.spec.ts`
+  - `npx playwright test --config playwright.config.ts tests/e2e/security-operations-leaves-cutover.spec.ts --workers=1`
+  - `npm run build`
+- Tier 0 (source): pass
+- Tier 1 (build/tests): pass
+- Tier 2 (behavior): pass
+- Notes:
+  - Angular targeted tests passed: `5` files, `16` tests.
+  - Playwright passed: `1` security-operations cutover scenario.
+  - The browser flow uses `/ops/operations/notifications` because the local frontend proxy reserves `/notify`; the `/notify` alias remains covered by the route-contract test.
+  - Production build passed; existing bundle-budget warnings remain unchanged from the baseline.
+- Verified on (UTC): 2026-03-08T08:42:15Z

docs/modules/ui/README.md

@@ -9,6 +9,8 @@
 The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
 
 ## Latest updates (2026-03-08)
+- Shipped the `Mission Control`, `Security`, and `Ops > Operations` security-leaves cutover, including canonical surfacing for alerts, activity, unknowns, and notifications plus repaired `/analyze/unknowns*` and `/notify` ownership.
+- Added checked-feature verification for the security operations leaves cutover at `../../features/checked/web/security-operations-leaves-ui.md`.
 - Shipped the canonical `Setup > Topology` and `Setup > Trust & Signing` cutover, including repaired legacy trust bookmarks, fixed `Platform Setup` handoffs, and expanded topology shell exposure.
 - Added checked-feature verification for topology and trust administration at `../../features/checked/web/topology-trust-administration-ui.md`.
 - Shipped the execution-operations cutover for canonical JobEngine, Scheduler, Dead-Letter, and companion Scanner Ops workflows under `Ops > Operations`.
@@ -83,6 +85,7 @@ The Console presents operator dashboards for scans, policies, VEX evidence, runt
 - ./quota-health-aoc-operations/README.md
 - ./execution-operations/README.md
 - ./topology-trust-administration/README.md
+- ./security-operations-leaves/README.md
 - ./triage-explainability-workspace/README.md
 - ./workflow-visualization-replay/README.md
 - ./contextual-actions-patterns/README.md

docs/modules/ui/TASKS.md

@@ -104,6 +104,10 @@
 - [DONE] FE-TTA-002 Complete topology shell exposure and platform setup handoffs
 - [DONE] FE-TTA-003 Merge legacy trust settings and issuer entry points into usable trust administration
 - [DONE] FE-TTA-004 Verify cutover, sync docs, and archive
+- [DONE] FE-SOL-001 Freeze canonical mission, unknowns, and notify route ownership
+- [DONE] FE-SOL-002 Surface the leaves from the live shells
+- [DONE] FE-SOL-003 Repair leaf-local workflow links and actions
+- [DONE] FE-SOL-004 Verify cutover, sync docs, and archive
 - [DONE] FE-PO-001 Freeze Operations overview taxonomy and submenu structure
 - [DONE] FE-PO-002 Overview page regrouping and blocking-card contract
 - [DONE] FE-PO-003 Legacy widget absorption matrix for Platform Ops

docs/modules/ui/implementation_plan.md

@@ -32,12 +32,14 @@ Provide a living plan for UI deliverables, dependencies, and evidence.
 - `docs/features/checked/web/quota-health-aoc-operations-ui.md` - shipped verification note for canonical quota, health, and AOC owner routes, repaired deep links, route-backed filters, and completed operator actions.
 - `docs/features/checked/web/execution-operations-ui.md` - shipped verification note for canonical execution routes, repaired jobengine and scheduler aliases, completed dead-letter actions, and usable scanner-support workflows.
 - `docs/features/checked/web/topology-trust-administration-ui.md` - shipped verification note for canonical topology and trust setup shells, repaired settings/admin/platform aliases, and platform-setup handoffs.
+- `docs/features/checked/web/security-operations-leaves-ui.md` - shipped verification note for mission alerts/activity surfacing, unknowns route repair, notifications ownership, and legacy security alias cutover.
 - `docs/modules/ui/reachability-witnessing/README.md` - detailed witness and proof UX dossier plus cross-shell deep-link contract.
 - `docs/modules/ui/platform-ops-consolidation/README.md` - detailed Operations overview taxonomy and legacy absorption plan.
 - `docs/modules/ui/offline-operations/README.md` - detailed owner-shell contract for Offline Kit, Feeds & Airgap, Evidence handoffs, and stale alias policy.
 - `docs/modules/ui/quota-health-aoc-operations/README.md` - canonical owner-shell contract for quota, health, and AOC operations cutover plus alias and action rules.
 - `docs/modules/ui/execution-operations/README.md` - canonical execution owner-shell contract for JobEngine, Scheduler, Dead-Letter, and companion Scanner Ops workflows.
 - `docs/modules/ui/topology-trust-administration/README.md` - canonical setup owner contract for topology inventory, trust administration, legacy trust redirects, and platform-setup handoffs.
+- `docs/modules/ui/security-operations-leaves/README.md` - canonical owner contract for mission alerts/activity, security unknowns, notifications, and stale `/analyze`/`/notify` handoffs.
 - `docs/modules/ui/triage-explainability-workspace/README.md` - detailed artifact workspace and audit-bundle UX dossier.
 - `docs/modules/ui/workflow-visualization-replay/README.md` - detailed run-detail graph, timeline, replay, and evidence UX dossier.
 - `docs/modules/ui/contextual-actions-patterns/README.md` - shared placement contract for stray actions, pages, drawers, and tabs.

docs/modules/ui/security-operations-leaves/README.md

@@ -0,0 +1,60 @@
+# Security Operations Leaves
+
+## Purpose
+- Make the preserved weak-route leaves fully usable from the live shells instead of leaving them reachable only by typed URLs or overview-card luck.
+- Keep `Mission Control`, `Security`, and `Ops > Operations` as the owners of their respective operator workflows instead of reviving a separate legacy security-ops product.
+
+## Canonical Owner
+- Owner shells:
+  - `Mission Control`
+  - `Security`
+  - `Ops > Operations`
+- Primary routes:
+  - `/mission-control/alerts`
+  - `/mission-control/activity`
+  - `/mission-control/release-health`
+  - `/mission-control/security-posture`
+  - `/security/unknowns`
+  - `/security/unknowns/:unknownId`
+  - `/security/unknowns/:unknownId/determinization`
+  - `/security/unknowns/queue/grey`
+  - `/ops/operations/notifications`
+
+## Legacy Alias Policy
+- Preserve stale bookmarks and old links by redirecting:
+  - `/analyze/unknowns`
+  - `/analyze/unknowns/:unknownId`
+  - `/analyze/unknowns/:unknownId/determinization`
+  - `/analyze/unknowns/queue/grey`
+  - `/notify`
+- Redirects must preserve query params and fragments so tenant, region, environment, return-to-context, and tab state survive the handoff.
+- `Setup > Notifications` remains the admin/configuration surface. `Ops > Operations > Notifications` remains the operator delivery and alert workflow surface.
+
+## UX Rules
+- `Mission Control` owns the cross-product alert and recent-activity pages and must surface them directly from the live sidebar.
+- `Security` owns unknowns tracking, detail review, grey queue, and determinization flows.
+- `Ops > Operations` owns notification delivery, channel health, and operator watchlist handoffs.
+- Internal links inside the unknowns subtree must stay inside `/security/unknowns*`, not dead `/analyze/*` routes.
+- Browser-level verification should use the mounted notifications page because the local frontend proxy reserves `/notify`; the alias itself is still required in app routing and verified at route-contract level.
+
+## Preserved Value
+- Keep:
+  - mission alert and activity summaries as operator landing pages
+  - unknowns tracking and determinization workflows
+  - notification delivery and watchlist handoff workflows
+- Why:
+  - these are already mounted product capabilities with useful operator actions
+  - the product issue was surfacing debt and stale route ownership, not lack of feature value
+
+## Shipped In This Cut
+- Added top-level alias coverage for stale `/analyze/unknowns*` and `/notify` entry points.
+- Retargeted shared navigation config from dead analyze and notify paths to the canonical security and operations owners.
+- Surfaced `Alerts`, `Activity`, `Unknowns`, and `Notifications` from the live sidebar shells.
+- Repaired unknowns grey-queue and determinization links so breadcrumbs and return paths stay inside canonical security routes.
+- Added focused Angular and Playwright verification for the cutover.
+
+## Related Docs
+- `docs/features/checked/web/security-operations-leaves-ui.md`
+- `docs/features/checked/web/unknowns-tracking-ui.md`
+- `docs/modules/ui/watchlist-operations/README.md`
+- `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`