Restructure solution layout by module

src/Web/StellaOps.Web/docs/DeterministicInstall.md

@@ -0,0 +1,42 @@
+# Deterministic Install & Headless Chromium
+
+Offline runners must avoid ad-hoc network calls while staying reproducible. The Angular workspace now ships a locked dependency graph and helpers for provisioning a Chromium binary without embedding it directly in `npm install`.
+
+## Prerequisites
+
+- Node.js **20.11.0** or newer (matches the `engines` constraint).
+- npm **10.2.0** or newer.
+- Local npm cache location available to both the connected “seed” machine and the offline runner (for example, `/opt/stellaops/npm-cache`).
+
+## One-Time Cache Priming (Connected Host)
+
+```bash
+export NPM_CONFIG_CACHE=/opt/stellaops/npm-cache
+npm run ci:install
+```
+
+`ci:install` executes `npm ci --prefer-offline --no-audit --no-fund` so every package and integrity hash lands in the cache without touching arbitrary registries afterwards.
+
+If you plan to bundle a Chromium binary, download it while still connected:
+
+```bash
+npx @puppeteer/browsers install chrome@stable --path .cache/chromium
+```
+
+Archive both the npm cache and `.cache/chromium/` directory; include them in your Offline Kit transfer.
+
+## Offline Runner Execution
+
+1. Extract the pre-warmed npm cache to the offline host and export `NPM_CONFIG_CACHE` to that directory.
+2. Optionally copy the `.cache/chromium/` folder next to `package.json` (the Karma launcher auto-detects platform-specific paths inside this directory).
+3. Run `npm run ci:install` to restore dependencies without network access.
+4. Validate Chromium availability with `npm run verify:chromium`. This command exits non-zero and prints the search paths if no binary is discovered.
+5. Execute tests via `npm run test:ci` (internally calls `verify:chromium` before running `ng test --watch=false`).
+
+## Chromium Options
+
+- **System package** – Install `chromium`, `chromium-browser`, or `google-chrome-stable` via your distribution repository or the Offline Kit. The launcher checks `/usr/bin/chromium-browser`, `/usr/bin/chromium`, and `/usr/bin/google-chrome(-stable)` automatically.
+- **Environment override** – Set `CHROME_BIN` or `STELLAOPS_CHROMIUM_BIN` to the executable path if you host Chromium in a custom location.
+- **Offline cache drop** – Place the extracted archive under `.cache/chromium/` (`chrome-linux64/chrome`, `chrome-win64/chrome.exe`, or `chrome-mac/Chromium.app/...`). The Karma harness resolves these automatically.
+
+Consult `src/Web/StellaOps.Web/README.md` for a shortened operator flow overview.

src/Web/StellaOps.Web/docs/TrivyDbSettings.md

@@ -0,0 +1,37 @@
+# WEB1.TRIVY-SETTINGS – Backend Contract & UI Wiring Notes
+
+## 1. Known backend surfaces
+
+- `POST /jobs/export:trivy-db`  
+  Payload is wrapped as `{ "trigger": "<source>", "parameters": { ... } }` and accepts the overrides shown in `TrivyDbExportJob` (`publishFull`, `publishDelta`, `includeFull`, `includeDelta`).  
+  Evidence: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs:263`, `src/Cli/StellaOps.Cli/Services/Models/Transport/JobTriggerRequest.cs:5`, `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbExportJob.cs:27`.
+- Export configuration defaults sit under `TrivyDbExportOptions.Oras` and `.OfflineBundle`. Both booleans default to `true`, so overriding to `false` must be explicit.  
+  Evidence: `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbExportOptions.cs:8`.
+
+## 2. Clarifications needed from Concelier backend
+
+| Topic | Questions to resolve | Suggested owner |
+| --- | --- | --- |
+| Settings endpoint surface | `Program.cs` only exposes `/jobs/*` and health endpoints—there is currently **no** `/exporters/trivy-db/settings` route. Confirm the intended path (`/api/v1/concelier/exporters/trivy-db/settings`?), verbs (`GET`/`PUT` or `PATCH`), and DTO schema (flat booleans vs nested `oras`/`offlineBundle`). | Concelier WebService |
+| Auth scopes | Verify required roles (likely `concelier.export` or `concelier.admin`) and whether UI needs to request additional scopes beyond existing dashboard access. | Authority & Concelier teams |
+| Concurrency control | Determine if settings payload includes an ETag or timestamp we must echo (`If-Match`) to avoid stomping concurrent edits. | Concelier WebService |
+| Validation & defaults | Clarify server-side validation rules (e.g., must `publishDelta` be `false` when `publishFull` is `false`?) and shape of Problem+JSON responses. | Concelier WebService |
+| Manual run trigger | Confirm whether settings update should immediately kick an export or if UI should call `POST /jobs/export:trivy-db` separately (current CLI behaviour suggests a separate call). | Concelier WebService |
+
+## 3. Proposed Angular implementation (pending contract lock)
+
+- **Feature module**: `app/concelier/trivy-db-settings/` with a standalone routed page (`TrivyDbSettingsPage`) and a reusable form component (`TrivyDbSettingsForm`).
+- **State & transport**:
+  - Client wrapper under `core/api/concelier-exporter.client.ts` exposing `getTrivyDbSettings`, `updateTrivyDbSettings`, and `runTrivyDbExport`.
+  - Store built with `@ngrx/signals` keeping `settings`, `isDirty`, `lastFetchedAt`, and error state; optimistic updates gated on ETag confirmation once the backend specifies the shape.
+  - Shared DTOs generated from the confirmed schema to keep Concelier/CLI alignment.
+- **UX flow**:
+  - Load settings on navigation; show inline info about current publish/bundle defaults.
+  - “Run export now” button opens confirmation modal summarising overrides, then calls `runTrivyDbExport` (separate API call) while reusing local state.
+  - Surface Problem+JSON errors via existing toast/notification pattern and capture correlation IDs for ops visibility.
+- **Offline posture**: cache latest successful settings payload in IndexedDB (read-only when offline) and disable the run button when token/scopes are missing.
+
+## 4. Next steps
+
+1. Share section 2 with Concelier WebService owners to confirm the REST contract (blocking before scaffolding DTOs).
+2. Once confirmed, scaffold the Angular workspace and feature shell, keeping deterministic build outputs per `src/Web/StellaOps.Web/AGENTS.md`.