Archive live search ingestion browser validation sprint

2026-03-08 10:47:19 +02:00
parent af09659f30
commit d0f2cc3b2c
16 changed files with 926 additions and 11 deletions
--- a/docs-archived/implplan/SPRINT_20260308_006_FE_security_operations_leaves_cutover.md
+++ b/docs-archived/implplan/SPRINT_20260308_006_FE_security_operations_leaves_cutover.md
@@ -0,0 +1,101 @@
 # Sprint 20260308_006_FE - Security Operations Leaves Cutover
 ## Topic & Scope
 - Complete the high-confidence security and operator leaves that are mounted but weakly surfaced: `Mission Alerts`, `Mission Activity`, `Unknowns`, and `Notifications`.
 - Replace stale `/analyze/unknowns*` and `/notify` links with mounted canonical routes while preserving bookmark compatibility and operator context.
 - Expose these leaves from the live shells so operators can reach them from current navigation instead of relying on typed URLs or overview-card luck.
 - Working directory: `src/Web/StellaOps.Web/`.
 - Expected evidence: targeted Angular tests, Playwright coverage for mission/security/notify journeys, checked-feature docs, and archived sprint notes.
 ## Dependencies & Concurrency
 - Depends on the shipped `Platform Ops`, `Watchlist`, `Unified Audit`, and `Topology / Trust` cutovers already archived in `docs-archived/implplan/`.
 - Safe parallelism: backend contracts are already present; this sprint is frontend-only and limited to route ownership, navigation exposure, UI workflow repair, tests, and docs.
 ## Documentation Prerequisites
 - `AGENTS.md`
 - `docs/modules/ui/AGENTS.md`
 - `src/Web/StellaOps.Web/AGENTS.md`
 - `docs/modules/ui/README.md`
 - `docs/modules/ui/architecture.md`
 - `docs/modules/ui/implementation_plan.md`
 - `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`
 - `docs/modules/ui/component-preservation-map/components/weak-route/mission-control/README.md`
 - `docs/modules/ui/component-preservation-map/components/weak-route/notify/README.md`
 - `docs/modules/ui/component-preservation-map/components/weak-route/unknowns-tracking/README.md`
 ## Delivery Tracker
 ### FE-SOL-001 - Freeze canonical mission, unknowns, and notify route ownership
 Status: DONE
 Dependency: none
 Owners: Developer / Implementer
 Task description:
 - Make `Mission Control` the canonical owner for alerts and activity, `Security` the canonical owner for unknowns tracking, and `Ops > Operations` the canonical owner for notifications.
 - Add or repair alias coverage for stale `/analyze/unknowns*` and `/notify` entry points so bookmarks resolve into mounted pages with preserved query state.
 Completion criteria:
 - [x] Canonical owners and alias policy are defined for mission alerts/activity, security unknowns, and notifications.
 - [x] Stale `/analyze/unknowns*` and `/notify` links land on mounted canonical pages.
 - [x] Shared navigation config no longer points these leaves at dead paths.
 ### FE-SOL-002 - Surface the leaves from the live shells
 Status: DONE
 Dependency: FE-SOL-001
 Owners: Developer / Implementer
 Task description:
 - Expose the mounted leaves from current shell navigation so operators can reach them without memorizing routes.
 - Mission Control should surface alerts and activity, Security should surface unknowns, and Operations should surface notifications from active tabs/cards/submenus rather than leaving them as weak-route debt.
 Completion criteria:
 - [x] Mission Control exposes alerts and activity from the live shell.
 - [x] Security exposes unknowns from the live shell.
 - [x] Operations exposes notifications from the live shell.
 ### FE-SOL-003 - Repair leaf-local workflow links and actions
 Status: DONE
 Dependency: FE-SOL-001
 Owners: Developer / Implementer
 Task description:
 - Fix stale internal links inside the unknowns subtree and any leaf-local handoffs that still target dead routes.
 - Preserve the current operator flows inside mission alerts/activity and notifications, but ensure all deep links stay inside canonical owners and return-to-context behavior remains intact.
 Completion criteria:
 - [x] Unknowns dashboard, detail, grey queue, and determinization links stay inside canonical security routes.
 - [x] Mission alerts and activity handoffs remain usable and route-backed.
 - [x] Notifications shell keeps working watchlist and delivery drill-ins without stale owner routes.
 ### FE-SOL-004 - Verify cutover, sync docs, and archive
 Status: DONE
 Dependency: FE-SOL-002, FE-SOL-003
 Owners: Developer / Implementer, QA
 Task description:
 - Add focused tests for the repaired alias contract and surfaced leaves, then run targeted Angular and Playwright verification.
 - Record the shipped behavior in checked-feature docs and archive the sprint only when all delivery tasks are done.
 Completion criteria:
 - [x] Targeted Angular tests cover alias repair, surfacing, and local link fixes.
 - [x] Playwright verifies at least one end-to-end journey across mission, security unknowns, and notifications leaves.
 - [x] UI docs and checked-feature notes reflect the shipped behavior.
 - [x] Sprint moved to `docs-archived/implplan/` only after all tasks are marked DONE.
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2026-03-08 | Sprint created and moved to DOING for the security operations leaves cutover. | Codex |
 | 2026-03-08 | Added canonical `/analyze/unknowns*` and `/notify` alias coverage, repaired shared navigation targets, and surfaced alerts/activity/unknowns/notifications from live sidebar shells. | Codex |
 | 2026-03-08 | Verified the cutover with focused Angular tests, Playwright UI flow coverage, and a production build; docs synced and sprint ready for archive. | Codex |
 ## Decisions & Risks
 - Risk: some of these pages are mounted already, but current navigation does not acknowledge them.
 - Mitigation: treat this as a surfacing and alias cutover, not a new product branch.
 - Risk: unknowns tracking still contains stale `/analyze/*` internal links that could leave the operator on broken paths.
 - Mitigation: repair both the bookmark aliases and the leaf-local links in the same sprint.
 - Risk: notifications has both setup-admin and ops-delivery concepts.
 - Mitigation: keep admin rule configuration under `Setup > Notifications`, but keep delivery and operator notification workflows under `Ops > Operations > Notifications`.
 - Risk: the local Angular dev proxy reserves `/notify`, which makes browser-level navigation to that alias unstable in Playwright even though the app route is correct.
 - Mitigation: keep `/notify` alias coverage in router-contract tests and use the mounted canonical notifications page for browser-level workflow verification.
 - Delivery rule: this sprint is only complete when these leaves are reachable from live shells, stale links are repaired, and the core operator journey is verified end to end.
 ## Next Checkpoints
 - 2026-03-08: canonical owners, alias contract, and shell exposure complete.
 - 2026-03-08: targeted verification passes, sprint archived, and commit created.
--- a/docs-archived/implplan/SPRINT_20260308_008_FE_live_search_ingestion_browser_validation.md
+++ b/docs-archived/implplan/SPRINT_20260308_008_FE_live_search_ingestion_browser_validation.md
@@ -0,0 +1,83 @@
 # Sprint 20260308-008 - FE Live Search Ingestion Browser Validation
 ## Topic & Scope
 - Bring the AdvisoryAI search corpus into a known-good ingested state for local verification instead of relying on stale or missing data.
 - Validate the shipped search experience through a real browser using Playwright against the live search endpoints, not only mocked FE lanes.
 - Keep the work centered on the Web search verification lane; only use AdvisoryAI startup/rebuild commands as operational prerequisites for the browser tests.
 - Working directory: `src/Web/StellaOps.Web`.
 - Expected evidence: corpus rebuild output, live Playwright browser results, and sprint execution log updates.
 ## Dependencies & Concurrency
 - Depends on the archived search rollout/correction sprints in `docs-archived/implplan/SPRINT_20260306_001_*`, `002_*`, `004_*`, `005_*`, `006_*`, and the later archived 2026-03-07 search corrective set.
 - Safe parallelism: do not edit unrelated Router, topology, or shell cutover files while executing this validation lane.
 - Operational dependency: the local AdvisoryAI WebService must be running and reachable on the documented local port before the live browser suite starts.
 ## Documentation Prerequisites
 - `docs/qa/feature-checks/FLOW.md`
 - `docs/code-of-conduct/TESTING_PRACTICES.md`
 - `docs/modules/advisory-ai/knowledge-search.md`
 - `src/AdvisoryAI/__Tests/INFRASTRUCTURE.md`
 - `src/Web/StellaOps.Web/AGENTS.md`
 ## Delivery Tracker
 ### FE-LIVESEARCH-001 - Prepare the local ingestion corpus
 Status: DONE
 Dependency: none
 Owners: QA, Developer (FE)
 Task description:
 - Start or verify the local AdvisoryAI WebService.
 - Run the documented `sources prepare` and index rebuild order so live search suggestions and grounded answers come from a fresh ingested corpus.
 Completion criteria:
 - [x] Local AdvisoryAI health responds successfully.
 - [x] `sources prepare` completes successfully or a documented equivalent local corpus path is used.
 - [x] Knowledge and unified search rebuilds succeed with recorded output.
 ### FE-LIVESEARCH-002 - Execute browser-level Playwright validation against the live search service
 Status: DONE
 Dependency: FE-LIVESEARCH-001
 Owners: QA, Test Automation
 Task description:
 - Run the existing live Playwright search suites that proxy browser search traffic into the local AdvisoryAI service.
 - Exercise real search flows from the browser and confirm grounded results, viable suggestions, and contextual handoff behavior.
 Completion criteria:
 - [x] Live Playwright search suites pass against the rebuilt local corpus.
 - [x] Browser verification covers suggestions, grounded answer panel, and Ask-AdvisoryAI handoff.
 - [x] Failures are triaged as data-ingestion, FE, or backend issues with exact evidence.
 ### FE-LIVESEARCH-003 - Record outcomes and close or follow up
 Status: DONE
 Dependency: FE-LIVESEARCH-002
 Owners: QA, Project Manager
 Task description:
 - Record the exact commands, routes, and outcomes from the live browser lane.
 - If defects remain, split them into focused follow-up sprints instead of leaving this ingestion-validation lane ambiguous.
 Completion criteria:
 - [x] Sprint execution log contains the live setup and browser evidence.
 - [x] Any remaining issues are translated into focused follow-up work with clear ownership.
 - [x] This sprint is archived only if all tasks are complete.
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2026-03-08 | Sprint created to set up local AdvisoryAI ingestion and verify the shipped search UX from a real browser using Playwright against live endpoints. | Developer |
 | 2026-03-08 | Verified `sources prepare` from the locally built CLI against the repo root with `docs.documentCount=461`, `doctor.mergedSeedCount=31`, and `doctor.controlCount=31`; then started the source-run AdvisoryAI WebService on `http://127.0.0.1:10451` and confirmed `/health` returned `200`. | QA |
 | 2026-03-08 | Rebuilt the live search indexes against the source-run service and verified `POST /v1/search/query` for `database connectivity` returned `contextAnswer.status=grounded` with top card `PostgreSQL connectivity`. | QA |
 | 2026-03-08 | Ran `npx playwright test tests/e2e/unified-search-contextual-suggestions.live.e2e.spec.ts --config playwright.config.ts` with `LIVE_ADVISORYAI_SEARCH_BASE_URL=http://127.0.0.1:10451`; result `8 passed`, `3 skipped` where skips were explicit corpus-unready branches that are now bypassed because the routes are ready. | QA |
 ## Decisions & Risks
 - Decision: prefer the documented local ingestion/rebuild flow already used by the live search suites instead of inventing a second setup path.
 - Decision: use browser-level Playwright verification against live search endpoints as the acceptance lane for this sprint.
 - Decision: use the source-run AdvisoryAI WebService on `127.0.0.1:10451` for this lane instead of the compose-hosted service because the compose instance was reachable but returned an empty rebuild corpus in this workspace.
 - Decision: the Playwright test runner is sufficient browser evidence for this sprint; direct MCP browser control was unavailable because the Playwright MCP Bridge extension is not installed in this environment.
 - Risk: the local AdvisoryAI WebService may not be running or may lack database/env prerequisites.
 - Mitigation: treat service startup and rebuild as first-class setup work, record exact blockers, and only proceed to browser validation after health is green.
 - Risk: a reachable AdvisoryAI service can still be logically unready if it points at the wrong database or stale corpus.
 - Mitigation: require both rebuild output and a grounded direct query (`database connectivity`) before allowing the browser suite to count as valid evidence.
 ## Next Checkpoints
 - 2026-03-08: local AdvisoryAI service healthy and indexes rebuilt.
 - 2026-03-08: live Playwright search browser suite executed with recorded outcome.
--- a/docs/features/checked/web/security-operations-leaves-ui.md
+++ b/docs/features/checked/web/security-operations-leaves-ui.md
@@ -0,0 +1,67 @@
 # Security Operations Leaves UI
 ## Module
 Web
 ## Status
 VERIFIED
 ## Description
 Shipped the weak-route security operations leaves as fully surfaced operator workflows. `Mission Control` now exposes alerts and activity, `Security` owns unknowns tracking and determinization flows, and `Ops > Operations` owns notifications. Stale `/analyze/unknowns*` and `/notify` entry points now resolve into mounted canonical pages instead of dead owner paths.
 ## Implementation Details
 - **Feature directories**:
  - `src/Web/StellaOps.Web/src/app/features/mission-control/`
  - `src/Web/StellaOps.Web/src/app/features/unknowns-tracking/`
  - `src/Web/StellaOps.Web/src/app/features/notify/`
 - **Primary components**:
  - `mission-alerts-page` (`src/Web/StellaOps.Web/src/app/features/mission-control/mission-alerts-page.component.ts`)
  - `mission-activity-page` (`src/Web.StellaOps.Web/src/app/features/mission-control/mission-activity-page.component.ts`)
  - `unknowns-dashboard` (`src/Web.StellaOps.Web/src/app/features/unknowns-tracking/unknowns-dashboard.component.ts`)
  - `grey-queue-dashboard` (`src/Web.StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.ts`)
  - `determinization-review` (`src/Web.StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.ts`)
  - `notify-panel` (`src/Web.StellaOps.Web/src/app/features/notify/notify-panel.component.ts`)
 - **Canonical routes**:
  - `/mission-control/alerts`
  - `/mission-control/activity`
  - `/security/unknowns`
  - `/security/unknowns/:unknownId`
  - `/security/unknowns/:unknownId/determinization`
  - `/security/unknowns/queue/grey`
  - `/ops/operations/notifications`
 - **Legacy aliases**:
  - `/analyze/unknowns`
  - `/analyze/unknowns/:unknownId`
  - `/analyze/unknowns/:unknownId/determinization`
  - `/analyze/unknowns/queue/grey`
  - `/notify`
 - **Secondary entry points**:
  - sidebar `Mission Control > Alerts`
  - sidebar `Mission Control > Activity`
  - sidebar `Security > Unknowns`
  - sidebar `Operations > Notifications`
 ## E2E Test Plan
 - **Setup**:
  - [x] Start the local Angular test server with `npm run serve:test`.
  - [x] Use a test session with mission, scanner, ops, and notify viewer scopes.
 - **Core verification**:
  - [x] Open `/analyze/unknowns` and verify redirect into canonical `/security/unknowns`.
  - [x] Drill into unknown detail and verify the identification workflow stays mounted.
  - [x] Open the canonical notifications shell and verify the operator page and watchlist handoff render.
  - [x] Open `/mission-control/alerts` and `/mission-control/activity` and verify both pages render live operator links.
 ## Verification
 - Run:
  - `npm run test -- --watch=false --include src/app/layout/app-sidebar/app-sidebar.component.spec.ts --include src/tests/security/security-operations-leaves-cutover.spec.ts --include src/tests/unknowns/unknowns-tracking-ui.behavior.spec.ts --include src/tests/unknowns/unknowns-route-handoffs.spec.ts --include src/tests/notify/notify-watchlist-handoff.spec.ts`
  - `npx playwright test --config playwright.config.ts tests/e2e/security-operations-leaves-cutover.spec.ts --workers=1`
  - `npm run build`
 - Tier 0 (source): pass
 - Tier 1 (build/tests): pass
 - Tier 2 (behavior): pass
 - Notes:
  - Angular targeted tests passed: `5` files, `16` tests.
  - Playwright passed: `1` security-operations cutover scenario.
  - The browser flow uses `/ops/operations/notifications` because the local frontend proxy reserves `/notify`; the `/notify` alias remains covered by the route-contract test.
  - Production build passed; existing bundle-budget warnings remain unchanged from the baseline.
 - Verified on (UTC): 2026-03-08T08:42:15Z
--- a/docs/modules/ui/README.md
+++ b/docs/modules/ui/README.md
@@ -9,6 +9,8 @@
 The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
 ## Latest updates (2026-03-08)
 - Shipped the `Mission Control`, `Security`, and `Ops > Operations` security-leaves cutover, including canonical surfacing for alerts, activity, unknowns, and notifications plus repaired `/analyze/unknowns*` and `/notify` ownership.
 - Added checked-feature verification for the security operations leaves cutover at `../../features/checked/web/security-operations-leaves-ui.md`.
 - Shipped the canonical `Setup > Topology` and `Setup > Trust & Signing` cutover, including repaired legacy trust bookmarks, fixed `Platform Setup` handoffs, and expanded topology shell exposure.
 - Added checked-feature verification for topology and trust administration at `../../features/checked/web/topology-trust-administration-ui.md`.
 - Shipped the execution-operations cutover for canonical JobEngine, Scheduler, Dead-Letter, and companion Scanner Ops workflows under `Ops > Operations`.
@@ -83,6 +85,7 @@ The Console presents operator dashboards for scans, policies, VEX evidence, runt
 - ./quota-health-aoc-operations/README.md
 - ./execution-operations/README.md
 - ./topology-trust-administration/README.md
 - ./security-operations-leaves/README.md
 - ./triage-explainability-workspace/README.md
 - ./workflow-visualization-replay/README.md
 - ./contextual-actions-patterns/README.md
--- a/docs/modules/ui/TASKS.md
+++ b/docs/modules/ui/TASKS.md
@@ -104,6 +104,10 @@
 - [DONE] FE-TTA-002 Complete topology shell exposure and platform setup handoffs
 - [DONE] FE-TTA-003 Merge legacy trust settings and issuer entry points into usable trust administration
 - [DONE] FE-TTA-004 Verify cutover, sync docs, and archive
 - [DONE] FE-SOL-001 Freeze canonical mission, unknowns, and notify route ownership
 - [DONE] FE-SOL-002 Surface the leaves from the live shells
 - [DONE] FE-SOL-003 Repair leaf-local workflow links and actions
 - [DONE] FE-SOL-004 Verify cutover, sync docs, and archive
 - [DONE] FE-PO-001 Freeze Operations overview taxonomy and submenu structure
 - [DONE] FE-PO-002 Overview page regrouping and blocking-card contract
 - [DONE] FE-PO-003 Legacy widget absorption matrix for Platform Ops
--- a/docs/modules/ui/implementation_plan.md
+++ b/docs/modules/ui/implementation_plan.md
@@ -32,12 +32,14 @@ Provide a living plan for UI deliverables, dependencies, and evidence.
 - `docs/features/checked/web/quota-health-aoc-operations-ui.md` - shipped verification note for canonical quota, health, and AOC owner routes, repaired deep links, route-backed filters, and completed operator actions.
 - `docs/features/checked/web/execution-operations-ui.md` - shipped verification note for canonical execution routes, repaired jobengine and scheduler aliases, completed dead-letter actions, and usable scanner-support workflows.
 - `docs/features/checked/web/topology-trust-administration-ui.md` - shipped verification note for canonical topology and trust setup shells, repaired settings/admin/platform aliases, and platform-setup handoffs.
 - `docs/features/checked/web/security-operations-leaves-ui.md` - shipped verification note for mission alerts/activity surfacing, unknowns route repair, notifications ownership, and legacy security alias cutover.
 - `docs/modules/ui/reachability-witnessing/README.md` - detailed witness and proof UX dossier plus cross-shell deep-link contract.
 - `docs/modules/ui/platform-ops-consolidation/README.md` - detailed Operations overview taxonomy and legacy absorption plan.
 - `docs/modules/ui/offline-operations/README.md` - detailed owner-shell contract for Offline Kit, Feeds & Airgap, Evidence handoffs, and stale alias policy.
 - `docs/modules/ui/quota-health-aoc-operations/README.md` - canonical owner-shell contract for quota, health, and AOC operations cutover plus alias and action rules.
 - `docs/modules/ui/execution-operations/README.md` - canonical execution owner-shell contract for JobEngine, Scheduler, Dead-Letter, and companion Scanner Ops workflows.
 - `docs/modules/ui/topology-trust-administration/README.md` - canonical setup owner contract for topology inventory, trust administration, legacy trust redirects, and platform-setup handoffs.
 - `docs/modules/ui/security-operations-leaves/README.md` - canonical owner contract for mission alerts/activity, security unknowns, notifications, and stale `/analyze`/`/notify` handoffs.
 - `docs/modules/ui/triage-explainability-workspace/README.md` - detailed artifact workspace and audit-bundle UX dossier.
 - `docs/modules/ui/workflow-visualization-replay/README.md` - detailed run-detail graph, timeline, replay, and evidence UX dossier.
 - `docs/modules/ui/contextual-actions-patterns/README.md` - shared placement contract for stray actions, pages, drawers, and tabs.
--- a/docs/modules/ui/security-operations-leaves/README.md
+++ b/docs/modules/ui/security-operations-leaves/README.md
@@ -0,0 +1,60 @@
 # Security Operations Leaves
 ## Purpose
 - Make the preserved weak-route leaves fully usable from the live shells instead of leaving them reachable only by typed URLs or overview-card luck.
 - Keep `Mission Control`, `Security`, and `Ops > Operations` as the owners of their respective operator workflows instead of reviving a separate legacy security-ops product.
 ## Canonical Owner
 - Owner shells:
  - `Mission Control`
  - `Security`
  - `Ops > Operations`
 - Primary routes:
  - `/mission-control/alerts`
  - `/mission-control/activity`
  - `/mission-control/release-health`
  - `/mission-control/security-posture`
  - `/security/unknowns`
  - `/security/unknowns/:unknownId`
  - `/security/unknowns/:unknownId/determinization`
  - `/security/unknowns/queue/grey`
  - `/ops/operations/notifications`
 ## Legacy Alias Policy
 - Preserve stale bookmarks and old links by redirecting:
  - `/analyze/unknowns`
  - `/analyze/unknowns/:unknownId`
  - `/analyze/unknowns/:unknownId/determinization`
  - `/analyze/unknowns/queue/grey`
  - `/notify`
 - Redirects must preserve query params and fragments so tenant, region, environment, return-to-context, and tab state survive the handoff.
 - `Setup > Notifications` remains the admin/configuration surface. `Ops > Operations > Notifications` remains the operator delivery and alert workflow surface.
 ## UX Rules
 - `Mission Control` owns the cross-product alert and recent-activity pages and must surface them directly from the live sidebar.
 - `Security` owns unknowns tracking, detail review, grey queue, and determinization flows.
 - `Ops > Operations` owns notification delivery, channel health, and operator watchlist handoffs.
 - Internal links inside the unknowns subtree must stay inside `/security/unknowns*`, not dead `/analyze/*` routes.
 - Browser-level verification should use the mounted notifications page because the local frontend proxy reserves `/notify`; the alias itself is still required in app routing and verified at route-contract level.
 ## Preserved Value
 - Keep:
  - mission alert and activity summaries as operator landing pages
  - unknowns tracking and determinization workflows
  - notification delivery and watchlist handoff workflows
 - Why:
  - these are already mounted product capabilities with useful operator actions
  - the product issue was surfacing debt and stale route ownership, not lack of feature value
 ## Shipped In This Cut
 - Added top-level alias coverage for stale `/analyze/unknowns*` and `/notify` entry points.
 - Retargeted shared navigation config from dead analyze and notify paths to the canonical security and operations owners.
 - Surfaced `Alerts`, `Activity`, `Unknowns`, and `Notifications` from the live sidebar shells.
 - Repaired unknowns grey-queue and determinization links so breadcrumbs and return paths stay inside canonical security routes.
 - Added focused Angular and Playwright verification for the cutover.
 ## Related Docs
 - `docs/features/checked/web/security-operations-leaves-ui.md`
 - `docs/features/checked/web/unknowns-tracking-ui.md`
 - `docs/modules/ui/watchlist-operations/README.md`
 - `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`
--- a/src/Web/StellaOps.Web/src/app/app.routes.ts
+++ b/src/Web/StellaOps.Web/src/app/app.routes.ts
@@ -218,6 +218,33 @@ export const routes: Routes = [
      { path: '**', redirectTo: '/administration' },
    ],
  },
  {
    path: 'analyze',
    children: [
      { path: 'unknowns', redirectTo: preserveAppRedirect('/security/unknowns'), pathMatch: 'full' },
      {
        path: 'unknowns/queue/grey',
        redirectTo: preserveAppRedirect('/security/unknowns/queue/grey'),
        pathMatch: 'full',
      },
      {
        path: 'unknowns/:unknownId/determinization',
        redirectTo: preserveAppRedirect('/security/unknowns/:unknownId/determinization'),
        pathMatch: 'full',
      },
      {
        path: 'unknowns/:unknownId',
        redirectTo: preserveAppRedirect('/security/unknowns/:unknownId'),
        pathMatch: 'full',
      },
      { path: '**', redirectTo: '/security', pathMatch: 'full' },
    ],
  },
  {
    path: 'notify',
    redirectTo: preserveAppRedirect('/ops/operations/notifications'),
    pathMatch: 'full',
  },
  {
    path: 'platform-ops',
    loadChildren: () => import('./routes/platform-ops.routes').then((m) => m.PLATFORM_OPS_ROUTES),
--- a/src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts
+++ b/src/Web/StellaOps.Web/src/app/core/navigation/navigation.config.ts
@@ -61,14 +61,14 @@ export const NAVIGATION_GROUPS: NavGroup[] = [
      {
        id: 'lineage',
        label: 'Lineage',
-        route: '/lineage',
+        route: '/security/lineage',
        icon: 'git-branch',
        tooltip: 'Explore SBOM lineage and smart diff',
      },
      {
        id: 'reachability',
        label: 'Reachability',
-        route: '/reachability',
+        route: '/security/reachability',
        icon: 'network',
        tooltip: 'Reachability analysis and coverage',
      },
@@ -82,14 +82,14 @@ export const NAVIGATION_GROUPS: NavGroup[] = [
      {
        id: 'unknowns',
        label: 'Unknowns',
-        route: '/analyze/unknowns',
+        route: '/security/unknowns',
        icon: 'help-circle',
        tooltip: 'Track and identify unknown components',
      },
      {
        id: 'patch-map',
        label: 'Patch Map',
-        route: '/analyze/patch-map',
+        route: '/security/patch-map',
        icon: 'grid',
        tooltip: 'Fleet-wide binary patch coverage heatmap',
      },
@@ -470,7 +470,7 @@ export const NAVIGATION_GROUPS: NavGroup[] = [
      {
        id: 'notifications',
        label: 'Notifications',
-        route: '/notify',
+        route: OPERATIONS_PATHS.notifications,
        icon: 'notification',
        tooltip: 'Notification center',
      },
--- a/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.ts
@@ -29,11 +29,11 @@ import { GreyQueuePanelComponent } from '../unknowns/grey-queue-panel.component'
      <nav class="mb-6 text-sm">
        <ol class="flex items-center space-x-2">
          <li>
-            <a routerLink="/analyze/unknowns" class="text-blue-600 hover:underline">Unknowns</a>
+            <a routerLink="/security/unknowns" class="text-blue-600 hover:underline">Unknowns</a>
          </li>
          <li class="text-gray-400">/</li>
          <li>
-            <a [routerLink]="['/analyze/unknowns', unknownId()]" class="text-blue-600 hover:underline">
+            <a [routerLink]="['/security/unknowns', unknownId()]" class="text-blue-600 hover:underline">
              {{ unknownId() | slice:0:8 }}...
            </a>
          </li>
@@ -228,7 +228,7 @@ import { GreyQueuePanelComponent } from '../unknowns/grey-queue-panel.component'
                  Export Proof JSON
                </button>
                <a
-                  [routerLink]="['/analyze/unknowns', unknownId()]"
+                  [routerLink]="['/security/unknowns', unknownId()]"
                  class="block w-full px-3 py-2 text-sm text-left rounded border hover:bg-gray-50"
                >
                  Back to Unknown Detail
--- a/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.ts
+++ b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.ts
@@ -26,7 +26,7 @@ import {
      <!-- Header -->
      <div class="mb-6">
        <nav class="text-sm mb-2">
-          <a routerLink="/analyze/unknowns" class="text-blue-600 hover:underline">Unknowns</a>
+          <a routerLink="/security/unknowns" class="text-blue-600 hover:underline">Unknowns</a>
          <span class="text-gray-400 mx-2">/</span>
          <span class="text-gray-600">Grey Queue</span>
        </nav>
@@ -164,7 +164,7 @@ import {
                  </td>
                  <td class="px-4 py-3 text-right">
                    <a
-                      [routerLink]="['/analyze/unknowns', item.id, 'determinization']"
+                      [routerLink]="['/security/unknowns', item.id, 'determinization']"
                      class="text-blue-600 hover:underline text-sm"
                    >
                      Review
--- a/src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.spec.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.spec.ts
@@ -35,7 +35,8 @@ describe('AppSidebarComponent', () => {
    const text = fixture.nativeElement.textContent as string;
    expect(text).toContain('Dashboard');
-    expect(text).toContain('Security & Risk');
+    expect(text).toContain('Alerts');
    expect(text).toContain('Activity');
    expect(text).not.toContain('Analytics');
  });
@@ -69,6 +70,25 @@ describe('AppSidebarComponent', () => {
    expect(fixture.nativeElement.textContent).toContain('Trust & Signing');
  });
  it('surfaces mission, unknowns, and notifications leaves in the live sidebar shells', () => {
    setScopes([
      StellaOpsScopes.UI_READ,
      StellaOpsScopes.RELEASE_READ,
      StellaOpsScopes.SCANNER_READ,
      StellaOpsScopes.UI_ADMIN,
      StellaOpsScopes.ORCH_READ,
      StellaOpsScopes.NOTIFY_VIEWER,
    ]);
    const fixture = createComponent();
    const links = Array.from(fixture.nativeElement.querySelectorAll('a')) as HTMLAnchorElement[];
    const hrefs = links.map((link) => link.getAttribute('href'));
    expect(hrefs).toContain('/mission-control/alerts');
    expect(hrefs).toContain('/mission-control/activity');
    expect(hrefs).toContain('/security/unknowns');
    expect(hrefs).toContain('/ops/operations/notifications');
  });
  function setScopes(scopes: readonly StellaOpsScope[]): void {
    const baseUser = authService.user();
    if (!baseUser) {
--- a/src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.ts
+++ b/src/Web/StellaOps.Web/src/app/layout/app-sidebar/app-sidebar.component.ts
@@ -723,6 +723,12 @@ export class AppSidebarComponent implements AfterViewInit {
        StellaOpsScopes.RELEASE_READ,
        StellaOpsScopes.SCANNER_READ,
      ],
      children: [
        { id: 'mc-alerts', label: 'Alerts', route: '/mission-control/alerts', icon: 'bell' },
        { id: 'mc-activity', label: 'Activity', route: '/mission-control/activity', icon: 'clock' },
        { id: 'mc-release-health', label: 'Release Health', route: '/mission-control/release-health', icon: 'activity' },
        { id: 'mc-security-posture', label: 'Security Posture', route: '/mission-control/security-posture', icon: 'shield' },
      ],
    },
    {
      id: 'releases',
@@ -797,6 +803,7 @@ export class AppSidebarComponent implements AfterViewInit {
        { id: 'sec-audit-bundles', label: 'Audit Bundles', route: '/triage/audit-bundles', icon: 'archive' },
        { id: 'sec-supply-chain', label: 'Supply-Chain Data', route: '/security/supply-chain-data', icon: 'graph' },
        { id: 'sec-reachability', label: 'Reachability', route: '/security/reachability', icon: 'cpu' },
        { id: 'sec-unknowns', label: 'Unknowns', route: '/security/unknowns', icon: 'help-circle' },
        { id: 'sec-reports', label: 'Reports', route: '/security/reports', icon: 'book-open' },
      ],
    },
@@ -841,6 +848,7 @@ export class AppSidebarComponent implements AfterViewInit {
      children: [
        { id: 'ops-policy', label: 'Policy', route: '/ops/policy', icon: 'shield' },
        { id: 'ops-platform-setup', label: 'Platform Setup', route: '/ops/platform-setup', icon: 'cog' },
        { id: 'ops-notifications', label: 'Notifications', route: '/ops/operations/notifications', icon: 'bell' },
      ],
    },
    {
--- a/src/Web/StellaOps.Web/src/tests/security/security-operations-leaves-cutover.spec.ts
+++ b/src/Web/StellaOps.Web/src/tests/security/security-operations-leaves-cutover.spec.ts
@@ -0,0 +1,74 @@
 import { TestBed } from '@angular/core/testing';
 import { provideRouter, Route, Router } from '@angular/router';
 import { routes } from '../../app/app.routes';
 import { NAVIGATION_GROUPS } from '../../app/core/navigation/navigation.config';
 function resolveRedirect(route: Route | undefined, params: Record<string, string> = {}): string | undefined {
  const redirect = route?.redirectTo;
  if (typeof redirect === 'string') {
    return redirect;
  }
  if (typeof redirect !== 'function') {
    return undefined;
  }
  return TestBed.runInInjectionContext(() => {
    const router = TestBed.inject(Router);
    const target = redirect({
      params,
      queryParams: {},
      fragment: null,
    } as never) as unknown;
    return typeof target === 'string' ? target : router.serializeUrl(target as never);
  });
 }
 describe('security operations leaves cutover contract', () => {
  beforeEach(() => {
    TestBed.configureTestingModule({
      providers: [provideRouter([])],
    });
  });
  it('redirects stale analyze unknowns entry points into canonical security routes', () => {
    const analyze = routes.find((route) => route.path === 'analyze');
    const children = analyze?.children ?? [];
    expect(resolveRedirect(children.find((route) => route.path === 'unknowns'))).toBe('/security/unknowns');
    expect(resolveRedirect(children.find((route) => route.path === 'unknowns/queue/grey'))).toBe(
      '/security/unknowns/queue/grey',
    );
    expect(resolveRedirect(children.find((route) => route.path === 'unknowns/:unknownId'), { unknownId: 'unk-101' })).toBe(
      '/security/unknowns/unk-101',
    );
    expect(
      resolveRedirect(children.find((route) => route.path === 'unknowns/:unknownId/determinization'), {
        unknownId: 'unk-101',
      }),
    ).toBe('/security/unknowns/unk-101/determinization');
  });
  it('redirects the legacy notify root into canonical operations notifications', () => {
    expect(resolveRedirect(routes.find((route) => route.path === 'notify'))).toBe('/ops/operations/notifications');
  });
  it('retargets security analyze and notify navigation leaves to canonical owners', () => {
    const analyzeGroup = NAVIGATION_GROUPS.find((group) => group.id === 'analyze');
    const notifyGroup = NAVIGATION_GROUPS.find((group) => group.id === 'notify');
    expect(analyzeGroup).toBeDefined();
    expect(notifyGroup).toBeDefined();
    const analyzeRoutes = new Map((analyzeGroup?.items ?? []).map((item) => [item.id, item.route]));
    const notifyRoutes = new Map((notifyGroup?.items ?? []).map((item) => [item.id, item.route]));
    expect(analyzeRoutes.get('lineage')).toBe('/security/lineage');
    expect(analyzeRoutes.get('reachability')).toBe('/security/reachability');
    expect(analyzeRoutes.get('unknowns')).toBe('/security/unknowns');
    expect(analyzeRoutes.get('patch-map')).toBe('/security/patch-map');
    expect(notifyRoutes.get('notifications')).toBe('/ops/operations/notifications');
  });
 });
--- a/src/Web/StellaOps.Web/src/tests/unknowns/unknowns-route-handoffs.spec.ts
+++ b/src/Web/StellaOps.Web/src/tests/unknowns/unknowns-route-handoffs.spec.ts
@@ -0,0 +1,138 @@
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { ActivatedRoute, provideRouter } from '@angular/router';
 import { of } from 'rxjs';
 import { UnknownsClient } from '../../app/core/api/unknowns.client';
 import { DeterminizationReviewComponent } from '../../app/features/unknowns-tracking/determinization-review.component';
 import { GreyQueueDashboardComponent } from '../../app/features/unknowns-tracking/grey-queue-dashboard.component';
 describe('unknowns route handoffs', () => {
  it('keeps grey queue review links inside canonical security unknowns routes', async () => {
    const unknownsClient = {
      getPolicyUnknownsSummary: jasmine.createSpy('getPolicyUnknownsSummary').and.returnValue(
        of({ hot: 1, warm: 0, cold: 0, resolved: 0, total: 1 }),
      ),
      listPolicyUnknowns: jasmine.createSpy('listPolicyUnknowns').and.returnValue(
        of({
          items: [
            {
              id: 'unknown-grey-1',
              packageId: 'openssl',
              packageVersion: '3.0.14',
              band: 'hot',
              score: 94,
              uncertaintyFactor: 0.2,
              exploitPressure: 0.5,
              firstSeenAt: '2026-03-08T07:00:00Z',
              lastEvaluatedAt: '2026-03-08T07:30:00Z',
              reasonCode: 'policy.unknown',
              reasonCodeShort: 'Unknown',
              observationState: 'ManualReviewRequired',
              conflictInfo: {
                hasConflict: true,
                severity: 0.71,
                suggestedPath: 'Manual review',
                conflicts: [
                  {
                    signal1: 'vex:a',
                    signal2: 'vex:b',
                    type: 'issuer-conflict',
                    description: 'Issuer disagreement requires review.',
                    severity: 0.71,
                  },
                ],
              },
            },
          ],
          totalCount: 1,
        }),
      ),
    };
    await TestBed.configureTestingModule({
      imports: [GreyQueueDashboardComponent],
      providers: [
        provideRouter([]),
        { provide: UnknownsClient, useValue: unknownsClient as unknown as UnknownsClient },
      ],
    }).compileComponents();
    const fixture = TestBed.createComponent(GreyQueueDashboardComponent);
    fixture.detectChanges();
    await fixture.whenStable();
    fixture.detectChanges();
    const links = Array.from(fixture.nativeElement.querySelectorAll('a')) as HTMLAnchorElement[];
    const hrefs = links.map((link) => link.getAttribute('href'));
    expect(hrefs).toContain('/security/unknowns');
    expect(hrefs).toContain('/security/unknowns/unknown-grey-1/determinization');
  });
  it('keeps determinization breadcrumbs and return links inside canonical security unknowns routes', async () => {
    const unknownsClient = {
      getPolicyUnknownDetail: jasmine.createSpy('getPolicyUnknownDetail').and.returnValue(
        of({
          unknown: {
            id: 'unknown-grey-1',
            packageId: 'openssl',
            packageVersion: '3.0.14',
            band: 'hot',
            score: 94,
            uncertaintyFactor: 0.2,
            exploitPressure: 0.5,
            firstSeenAt: '2026-03-08T07:00:00Z',
            lastEvaluatedAt: '2026-03-08T07:30:00Z',
            reasonCode: 'policy.unknown',
            reasonCodeShort: 'Unknown',
            observationState: 'ManualReviewRequired',
            conflictInfo: {
              hasConflict: true,
              severity: 0.71,
              suggestedPath: 'Manual review',
              conflicts: [
                {
                  signal1: 'vex:a',
                  signal2: 'vex:b',
                  type: 'issuer-conflict',
                  description: 'Issuer disagreement requires review.',
                  severity: 0.71,
                },
              ],
            },
          },
        }),
      ),
      triageUnknown: jasmine.createSpy('triageUnknown'),
    };
    await TestBed.configureTestingModule({
      imports: [DeterminizationReviewComponent],
      providers: [
        provideRouter([]),
        { provide: UnknownsClient, useValue: unknownsClient as unknown as UnknownsClient },
        {
          provide: ActivatedRoute,
          useValue: {
            snapshot: {
              paramMap: {
                get: (key: string) => (key === 'unknownId' ? 'unknown-grey-1' : null),
              },
            },
          },
        },
      ],
    }).compileComponents();
    const fixture = TestBed.createComponent(DeterminizationReviewComponent);
    fixture.detectChanges();
    await fixture.whenStable();
    fixture.detectChanges();
    const links = Array.from(fixture.nativeElement.querySelectorAll('a')) as HTMLAnchorElement[];
    const hrefs = links.map((link) => link.getAttribute('href'));
    expect(hrefs).toContain('/security/unknowns');
    expect(hrefs).toContain('/security/unknowns/unknown-grey-1');
  });
 });
--- a/src/Web/StellaOps.Web/tests/e2e/security-operations-leaves-cutover.spec.ts
+++ b/src/Web/StellaOps.Web/tests/e2e/security-operations-leaves-cutover.spec.ts
@@ -0,0 +1,328 @@
 import { expect, test, type Page, type Route } from '@playwright/test';
 import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
 const operatorSession: StubAuthSession = {
  subjectId: 'security-ops-e2e-user',
  tenant: 'tenant-default',
  scopes: [
    'admin',
    'ui.read',
    'ui.admin',
    'release:read',
    'scanner:read',
    'sbom:read',
    'orch:read',
    'notify.viewer',
    'signer:read',
  ],
 };
 const mockConfig = {
  authority: {
    issuer: '/authority',
    clientId: 'stella-ops-ui',
    authorizeEndpoint: '/authority/connect/authorize',
    tokenEndpoint: '/authority/connect/token',
    logoutEndpoint: '/authority/connect/logout',
    redirectUri: 'https://127.0.0.1:4400/auth/callback',
    postLogoutRedirectUri: 'https://127.0.0.1:4400/',
    scope: 'openid profile email ui.read',
    audience: '/gateway',
    dpopAlgorithms: ['ES256'],
    refreshLeewaySeconds: 60,
  },
  apiBaseUrls: {
    authority: '/authority',
    scanner: '/scanner',
    policy: '/policy',
    concelier: '/concelier',
    attestor: '/attestor',
    gateway: '/gateway',
  },
  quickstartMode: true,
  setup: 'complete',
 };
 const unknownsList = {
  items: [
    {
      id: 'unknown-101',
      type: 'binary',
      name: 'openssl',
      path: '/usr/lib/libssl.so',
      artifactDigest: 'sha256:artifact-a',
      artifactRef: 'registry.example/app@sha256:artifact-a',
      sha256: 'sha256:file-a',
      status: 'open',
      confidence: 92,
      createdAt: '2026-03-08T07:00:00Z',
      updatedAt: '2026-03-08T07:10:00Z',
    },
  ],
  total: 1,
 };
 const unknownsStats = {
  total: 7,
  byType: {
    binary: 4,
    symbol: 2,
    package: 1,
    file: 0,
    license: 0,
  },
  byStatus: {
    open: 5,
    pending: 1,
    resolved: 1,
    unresolvable: 0,
  },
  resolutionRate: 14.2,
  avgConfidence: 73.4,
  lastUpdated: '2026-03-08T07:10:00Z',
 };
 const unknownDetail = {
  unknown: {
    id: 'unknown-101',
    type: 'binary',
    name: 'openssl',
    path: '/usr/lib/libssl.so',
    artifactDigest: 'sha256:artifact-a',
    artifactRef: 'registry.example/app@sha256:artifact-a',
    sha256: 'sha256:file-a',
    status: 'open',
    confidence: 92,
    createdAt: '2026-03-08T07:00:00Z',
    updatedAt: '2026-03-08T07:10:00Z',
  },
  candidates: [
    {
      rank: 1,
      name: 'openssl',
      purl: 'pkg:generic/openssl@3.0.14',
      cpe: 'cpe:2.3:a:openssl:openssl:3.0.14:*:*:*:*:*:*:*',
      confidence: 96,
      source: 'fingerprint',
      matchDetails: 'Fingerprint digest match',
    },
  ],
  fingerprintAnalysis: {
    matchType: 'exact',
    matchPercentage: 98,
    missingInfo: [],
  },
  symbolResolution: {
    totalSymbols: 15,
    resolvedSymbols: 14,
    missingSymbols: ['SSL_CTX_new'],
    symbolServerStatus: 'partial',
  },
  similarCount: 3,
  sbomImpact: {
    currentCompleteness: 91,
    impactDelta: 4,
    knownCves: 2,
    message: 'Resolution improves SBOM completeness and vulnerability attribution.',
  },
 };
 const notifyChannels = [
  {
    channelId: 'chn-alerts',
    tenantId: 'tenant-default',
    name: 'slack-alerts',
    displayName: 'Slack Alerts',
    type: 'Slack',
    enabled: true,
    config: {
      secretRef: 'secret://notify/slack-alerts',
      target: '#security-alerts',
    },
    labels: {},
    metadata: {},
    createdAt: '2026-03-08T07:00:00Z',
    updatedAt: '2026-03-08T07:10:00Z',
  },
 ];
 const notifyRules = [
  {
    ruleId: 'rule-alerts',
    tenantId: 'tenant-default',
    name: 'Critical findings',
    enabled: true,
    match: {
      minSeverity: 'critical',
      eventKinds: ['scanner.report.ready'],
    },
    actions: [
      {
        actionId: 'act-alerts',
        channel: 'chn-alerts',
        digest: 'instant',
        enabled: true,
      },
    ],
    createdAt: '2026-03-08T07:00:00Z',
    updatedAt: '2026-03-08T07:10:00Z',
  },
 ];
 const notifyDeliveries = {
  items: [
    {
      deliveryId: 'delivery-001',
      tenantId: 'tenant-default',
      ruleId: 'rule-alerts',
      actionId: 'act-alerts',
      eventId: 'event-001',
      kind: 'scanner.report.ready',
      status: 'Sent',
      rendered: {
        channelType: 'Slack',
        format: 'Slack',
        target: '#security-alerts',
        title: 'Critical finding detected',
        body: 'A critical finding requires operator review.',
      },
      createdAt: '2026-03-08T07:10:00Z',
    },
  ],
  count: 1,
  continuationToken: null,
 };
 async function fulfillJson(route: Route, body: unknown, status = 200): Promise<void> {
  await route.fulfill({
    status,
    contentType: 'application/json',
    body: JSON.stringify(body),
  });
 }
 async function setupHarness(page: Page): Promise<void> {
  await page.addInitScript((session) => {
    (window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
  }, operatorSession);
  await page.route('**/api/**', (route) => fulfillJson(route, {}));
  await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
  await page.route('**/platform/i18n/*.json', (route) => fulfillJson(route, {}));
  await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
  await page.route('**/.well-known/openid-configuration', (route) =>
    fulfillJson(route, {
      issuer: 'https://127.0.0.1:4400/authority',
      authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
      token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
      jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
      response_types_supported: ['code'],
      subject_types_supported: ['public'],
      id_token_signing_alg_values_supported: ['RS256'],
    }),
  );
  await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
  await page.route('**/console/branding**', (route) =>
    fulfillJson(route, {
      tenantId: operatorSession.tenant,
      appName: 'Stella Ops',
      logoUrl: null,
      cssVariables: {},
    }),
  );
  await page.route('**/console/profile**', (route) =>
    fulfillJson(route, {
      subjectId: operatorSession.subjectId,
      username: 'security-ops-e2e',
      displayName: 'Security Ops E2E',
      tenant: operatorSession.tenant,
      roles: ['platform-admin'],
      scopes: operatorSession.scopes,
    }),
  );
  await page.route('**/console/token/introspect**', (route) =>
    fulfillJson(route, {
      active: true,
      tenant: operatorSession.tenant,
      subject: operatorSession.subjectId,
      scopes: operatorSession.scopes,
    }),
  );
  await page.route('**/authority/console/tenants**', (route) =>
    fulfillJson(route, {
      tenants: [
        {
          tenantId: operatorSession.tenant,
          displayName: 'Default Tenant',
          isDefault: true,
          isActive: true,
        },
      ],
    }),
  );
  await page.route('**/api/v2/context/regions**', (route) =>
    fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }]),
  );
  await page.route('**/api/v2/context/environments**', (route) =>
    fulfillJson(route, [
      {
        environmentId: 'prod',
        regionId: 'eu-west',
        environmentType: 'prod',
        displayName: 'Production',
        sortOrder: 1,
        enabled: true,
      },
    ]),
  );
  await page.route('**/api/v2/context/preferences**', (route) =>
    fulfillJson(route, {
      tenantId: operatorSession.tenant,
      actorId: operatorSession.subjectId,
      regions: ['eu-west'],
      environments: ['prod'],
      timeWindow: '24h',
      stage: 'all',
      updatedAt: '2026-03-08T07:00:00Z',
      updatedBy: operatorSession.subjectId,
    }),
  );
  await page.route(/\/api\/v1\/scanner\/unknowns\/stats(?:\?.*)?$/, (route) => fulfillJson(route, unknownsStats));
  await page.route(/\/api\/v1\/scanner\/unknowns\/unknown-101(?:\?.*)?$/, (route) => fulfillJson(route, unknownDetail));
  await page.route(/\/api\/v1\/scanner\/unknowns(?:\?.*)?$/, (route) => fulfillJson(route, unknownsList));
  await page.route(/\/api\/v1\/notify\/channels(?:\?.*)?$/, (route) => fulfillJson(route, notifyChannels));
  await page.route(/\/api\/v1\/notify\/rules(?:\?.*)?$/, (route) => fulfillJson(route, notifyRules));
  await page.route(/\/api\/v1\/notify\/deliveries(?:\?.*)?$/, (route) => fulfillJson(route, notifyDeliveries));
 }
 test.beforeEach(async ({ page }) => {
  await setupHarness(page);
 });
 test('security operations leaves keep aliases and canonical shells usable', async ({ page }) => {
  await page.goto('/analyze/unknowns', { waitUntil: 'networkidle' });
  await expect(page).toHaveURL(/\/security\/unknowns(?:\?.*)?$/);
  await expect(page.getByRole('heading', { name: 'Unknowns Tracking' })).toBeVisible();
  await page.getByRole('link', { name: 'Identify' }).click();
  await expect(page).toHaveURL(/\/security\/unknowns\/unknown-101(?:\?.*)?$/);
  await expect(page.getByRole('heading', { name: 'openssl' })).toBeVisible();
  // `/notify` is reserved by the local dev proxy, so the alias contract is verified
  // in route-level tests while the browser run covers the mounted canonical page.
  await page.goto('/ops/operations/notifications', { waitUntil: 'networkidle' });
  await expect(page).toHaveURL(/\/ops\/operations\/notifications(?:\?.*)?$/);
  await expect(page.getByRole('heading', { name: 'Notify control plane' })).toBeVisible();
  await expect(page.getByRole('link', { name: 'Review watchlist alerts' })).toBeVisible();
  await page.goto('/mission-control/alerts', { waitUntil: 'networkidle' });
  await expect(page.getByRole('heading', { name: 'Mission Alerts' })).toBeVisible();
  await expect(
    page.getByRole('link', { name: 'Identity watchlist alert requires signer review' }),
  ).toBeVisible();
  await page.goto('/mission-control/activity', { waitUntil: 'networkidle' });
  await expect(page.getByRole('heading', { name: 'Mission Activity' })).toBeVisible();
  await expect(page.getByRole('link', { name: 'Open Audit Log' })).toBeVisible();
 });