Fix release API proxy routes + wire pipeline to real data

- Add nginx proxy blocks for /api/v1/release-orchestrator/,
  /api/v1/release-control/, /api/v2/releases/, /api/v1/releases/,
  /api/v1/registries/ in Dockerfile.console
- All release UI calls now reach JobEngine (401 not 404)
- Registry search reaches Scanner service
- Pipeline page uses ReleaseManagementStore (real API, no mock data)
- Deployment wizard uses BundleOrganizerApi for create/seal
- Inline version/hotfix creation in deployment wizard wired to API
- Version detail shows "not found" error instead of blank screen
- Version wizard has promotion lane + duplicate component detection
- Sprint plan for 41 missing backend endpoints created

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/implplan/SPRINT_20260323_001_BE_release_api_proxy_and_endpoints.md

@@ -0,0 +1,237 @@
+# Sprint 20260323-001 — Release API Proxy Fix + Missing Backend Endpoints
+
+## Topic & Scope
+- Fix nginx proxy routes so the UI's `/api/v2/releases` calls reach the JobEngine backend.
+- Implement 41 missing backend endpoints across 5 service areas.
+- Working directories: `devops/docker/`, `src/JobEngine/`, `src/Platform/`, `src/EvidenceLocker/`
+- Expected evidence: all release CRUD flows work end-to-end via Playwright.
+
+## Dependencies & Concurrency
+- TASK-001 (proxy fix) is prerequisite for all UI testing.
+- TASK-002 through TASK-006 can run in parallel after TASK-001.
+
+## Documentation Prerequisites
+- `docs/modules/release-orchestrator/deployment/overview.md`
+- `docs/modules/release-orchestrator/deployment/strategies.md`
+- `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/ReleaseEndpoints.cs`
+- `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/ApprovalEndpoints.cs`
+
+## Delivery Tracker
+
+### TASK-001 - Fix nginx proxy routes for release APIs
+Status: TODO
+Dependency: none
+Owners: DevOps / FE
+
+Task description:
+The console nginx (`devops/docker/Dockerfile.console`) reverse-proxies API calls. The UI calls:
+- `/api/v2/releases/*` → should reach JobEngine at `/api/v1/release-orchestrator/releases/*`
+- `/api/v1/release-control/bundles/*` → should reach JobEngine bundle endpoints
+- `/api/v1/registries/images/search` → should reach Scanner service
+- `/api/v2/releases/approvals` → should reach JobEngine approval endpoints
+- `/api/v2/releases/activity` → should reach JobEngine release events
+- `/api/v2/releases/runs/*` → should reach JobEngine run workbench
+
+Options:
+A) Add nginx `location` blocks in `Dockerfile.console` to proxy these paths to the correct upstream services
+B) Add proxy routes in the Platform service (which already proxies many paths)
+C) Update the UI API clients to call the correct backend URLs directly (e.g., change `/api/v2/releases` to `/api/v1/release-orchestrator/releases`)
+
+Recommended: Option C (most reliable, no proxy chain) + Option A as fallback.
+
+Implementation for Option C:
+- Update `src/Web/StellaOps.Web/src/app/core/api/release-management.client.ts` — change base URLs
+- Update `release.store.ts` — ensure `loadReleases` calls the correct endpoint
+- Update `release-detail.component.ts` — fix all `/api/v2/releases/` calls to `/api/v1/release-orchestrator/releases/`
+- Update approval client — fix `/api/v2/releases/approvals` to `/api/v1/release-orchestrator/approvals`
+
+For nginx (Option A fallback), add to `Dockerfile.console`:
+```nginx
+location /api/v2/releases/ {
+    set $orchestrator_upstream http://orchestrator.stella-ops.local;
+    rewrite ^/api/v2/releases/(.*) /api/v1/release-orchestrator/releases/$1 break;
+    proxy_pass $orchestrator_upstream;
+}
+
+location /api/v1/release-control/ {
+    set $orchestrator_upstream http://orchestrator.stella-ops.local;
+    rewrite ^/api/v1/release-control/(.*) /api/v1/release-control/$1 break;
+    proxy_pass $orchestrator_upstream;
+}
+
+location /api/v1/registries/ {
+    set $scanner_upstream http://scanner.stella-ops.local;
+    rewrite ^/api/v1/registries/(.*) /api/v1/registries/$1 break;
+    proxy_pass $scanner_upstream;
+}
+```
+
+Completion criteria:
+- [ ] `/api/v2/releases` returns data from JobEngine (not 404)
+- [ ] `/api/v1/registries/images/search?q=nginx` returns results from Scanner
+- [ ] `/api/v1/release-control/bundles` POST creates a bundle in JobEngine
+- [ ] UI pipeline page shows real releases (if any exist)
+- [ ] UI version create wizard can search registry images
+
+### TASK-002 - Deployment monitoring endpoints (11 endpoints)
+Status: TODO
+Dependency: TASK-001
+Owners: BE (JobEngine)
+
+Task description:
+Add deployment monitoring endpoints to JobEngine's `ReleaseEndpoints.cs` or new `DeploymentEndpoints.cs`:
+
+```
+GET  /api/v1/release-orchestrator/deployments           — list deployments
+GET  /api/v1/release-orchestrator/deployments/{id}       — get deployment detail
+GET  /api/v1/release-orchestrator/deployments/{id}/logs  — get deployment logs
+GET  /api/v1/release-orchestrator/deployments/{id}/targets/{targetId}/logs — target logs
+GET  /api/v1/release-orchestrator/deployments/{id}/events  — deployment events
+GET  /api/v1/release-orchestrator/deployments/{id}/metrics — deployment metrics
+POST /api/v1/release-orchestrator/deployments/{id}/pause   — pause deployment
+POST /api/v1/release-orchestrator/deployments/{id}/resume  — resume deployment
+POST /api/v1/release-orchestrator/deployments/{id}/cancel  — cancel deployment
+POST /api/v1/release-orchestrator/deployments/{id}/rollback — rollback deployment
+POST /api/v1/release-orchestrator/deployments/{id}/targets/{targetId}/retry — retry target
+```
+
+Each endpoint needs:
+- Request/response models in contracts
+- Handler method with auth policy (ReleaseRead for GET, ReleaseWrite for POST)
+- Minimal implementation (can return mock/empty data initially, wired to real service later)
+
+Completion criteria:
+- [ ] All 11 endpoints return 200/201 (not 404)
+- [ ] GET /deployments returns a list (even if empty)
+- [ ] POST /pause returns success
+- [ ] Auth policies enforced
+
+### TASK-003 - Evidence management endpoints (6 endpoints)
+Status: TODO
+Dependency: TASK-001
+Owners: BE (EvidenceLocker or Attestor)
+
+Task description:
+Add evidence lifecycle endpoints — either in EvidenceLocker service or as a new endpoints file in JobEngine:
+
+```
+GET  /api/v1/release-orchestrator/evidence              — list evidence packets
+GET  /api/v1/release-orchestrator/evidence/{id}          — get evidence detail
+POST /api/v1/release-orchestrator/evidence/{id}/verify   — verify evidence integrity
+GET  /api/v1/release-orchestrator/evidence/{id}/export   — export evidence bundle
+GET  /api/v1/release-orchestrator/evidence/{id}/raw      — download raw evidence
+GET  /api/v1/release-orchestrator/evidence/{id}/timeline — evidence timeline
+```
+
+Completion criteria:
+- [ ] All 6 endpoints return valid responses
+- [ ] Verify endpoint checks hash integrity
+- [ ] Export returns downloadable content-type
+
+### TASK-004 - Environment/Target management endpoints (15 endpoints)
+Status: TODO
+Dependency: TASK-001
+Owners: BE (Platform)
+
+Task description:
+Add environment and target management endpoints to Platform service. These may already partially exist in the topology/environment subsystem — check before implementing.
+
+```
+GET    /api/v1/release-orchestrator/environments                    — list environments
+GET    /api/v1/release-orchestrator/environments/{id}                — get environment
+POST   /api/v1/release-orchestrator/environments                    — create environment
+PUT    /api/v1/release-orchestrator/environments/{id}                — update environment
+DELETE /api/v1/release-orchestrator/environments/{id}                — delete environment
+PUT    /api/v1/release-orchestrator/environments/{id}/settings       — update settings
+GET    /api/v1/release-orchestrator/environments/{id}/targets        — list targets
+POST   /api/v1/release-orchestrator/environments/{id}/targets        — add target
+PUT    /api/v1/release-orchestrator/environments/{id}/targets/{tid}  — update target
+DELETE /api/v1/release-orchestrator/environments/{id}/targets/{tid}  — remove target
+POST   /api/v1/release-orchestrator/environments/{id}/targets/{tid}/health-check — check health
+GET    /api/v1/release-orchestrator/environments/{id}/freeze-windows — list freeze windows
+POST   /api/v1/release-orchestrator/environments/{id}/freeze-windows — create freeze window
+PUT    /api/v1/release-orchestrator/environments/{id}/freeze-windows/{wid} — update
+DELETE /api/v1/release-orchestrator/environments/{id}/freeze-windows/{wid} — delete
+```
+
+NOTE: The Platform service already has environment data via PlatformContextStore. These endpoints may be aliases or extensions of existing topology endpoints. Check `src/Platform/` for existing environment CRUD before implementing new ones.
+
+Completion criteria:
+- [ ] Environment CRUD works
+- [ ] Target CRUD within environments works
+- [ ] Health check returns target status
+- [ ] Freeze window CRUD works
+
+### TASK-005 - Release dashboard endpoint (3 endpoints)
+Status: TODO
+Dependency: TASK-001
+Owners: BE (JobEngine)
+
+Task description:
+Add dashboard summary and promotion decision endpoints:
+
+```
+GET  /api/v1/release-orchestrator/dashboard          — aggregated dashboard data
+POST /api/v1/release-orchestrator/promotions/{id}/approve — approve promotion
+POST /api/v1/release-orchestrator/promotions/{id}/reject  — reject promotion
+```
+
+Dashboard endpoint should return: release counts by status, deployment health, pending approvals, gate summary.
+
+Completion criteria:
+- [ ] Dashboard returns aggregated stats
+- [ ] Approve/reject promotion updates approval status
+
+### TASK-006 - Registry image search in Scanner service
+Status: TODO
+Dependency: none
+Owners: BE (Scanner)
+
+Task description:
+Verify/implement registry image search endpoints in the Scanner service:
+
+```
+GET /api/v1/registries/images/search?q={query}  — search images by name
+GET /api/v1/registries/images/digests?repository={repo} — get image digests
+```
+
+These are called by Create Version and Create Hotfix wizards. If the Scanner service doesn't have these endpoints, add them. The response format expected by the UI:
+
+```json
+// Search response
+[
+  {
+    "name": "nginx",
+    "repository": "library/nginx",
+    "tags": ["latest", "1.25", "1.25-alpine"],
+    "digests": [
+      { "tag": "latest", "digest": "sha256:abc123...", "pushedAt": "2026-03-20T10:00:00Z" }
+    ],
+    "lastPushed": "2026-03-20T10:00:00Z"
+  }
+]
+```
+
+If no real registry is connected, return mock data so the wizard flow can be tested.
+
+Completion criteria:
+- [ ] Search returns image results for common queries (nginx, redis, postgres)
+- [ ] Digests returns tags + SHA digests for a given repository
+- [ ] Create Version wizard can search and select images
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-03-23 | Sprint created. TASK-001 is the critical path. | Planning |
+
+## Decisions & Risks
+- TASK-001 (proxy fix) is the blocker — without it, no UI endpoint reaches the backend.
+- Option C (fix UI API URLs) is preferred over nginx rewrites because it eliminates a proxy hop.
+- Environment endpoints (TASK-004) may overlap with existing Platform topology — investigate before duplicating.
+- Evidence endpoints (TASK-003) may belong in EvidenceLocker rather than JobEngine — architecture decision needed.
+- Registry search (TASK-006) needs a connected registry or mock data for testing.
+
+## Next Checkpoints
+- After TASK-001: re-run Playwright E2E tests to verify data flows
+- After TASK-002 + TASK-006: version/hotfix create → list → view flow should work end-to-end
+- After all tasks: full CRUD across all release control pages