fix(web): remediate orphan revival regressions

2026-03-08 20:23:37 +02:00
parent d6b2e354f0
commit f40043ed50
23 changed files with 823 additions and 683 deletions
--- a/docs/features/checked/web/evidence-thread-persona-workspaces-routes.md
+++ b/docs/features/checked/web/evidence-thread-persona-workspaces-routes.md
@@ -12,6 +12,8 @@ SPRINT_20260308_021_FE_unreachable_evidence_thread_and_persona_workspaces_routes
 ## Description
 Reconnected the disconnected evidence-thread and persona-workspace route families under the canonical `/evidence` route shell. Evidence threads and auditor/developer workspaces are now reachable through Evidence-owned URLs, acting as evidence lenses rather than a parallel product shell.

+Sprint `SPRINT_20260308_024_FE_orphan_revival_regression_remediation.md` completed the cutover by fixing evidence-thread list-row and back-button navigation to use the same canonical `/evidence/threads/*` URLs instead of the dead legacy `/evidence-thread` frontdoor.
+
 ## Canonical URL Contract
 - `/evidence/threads` - Evidence thread list
 - `/evidence/threads/:artifactDigest` - Evidence thread detail
--- a/docs/features/checked/web/filter-bar-unification.md
+++ b/docs/features/checked/web/filter-bar-unification.md
@@ -4,9 +4,13 @@ Sprint: `SPRINT_20260308_015_FE_orphan_filter_bar_unification.md`
 Feature IDs: FE-OFB-001 through FE-OFB-004
 Status: Shipped

+## Post-remediation note
+
+Sprint `SPRINT_20260308_024_FE_orphan_revival_regression_remediation.md` partially rolled back this adoption on mounted audit hosts. `audit-log-table` and `trust-audit-log` no longer use the shared filter bar because that migration removed actor, multi-select, and date-filter behavior. The shared bar remains mounted only on the adopters where it preserves real page semantics.
+
 ## What shipped

-The dormant shared `FilterBarComponent` (`src/Web/StellaOps.Web/src/app/shared/ui/filter-bar/filter-bar.component.ts`) has been adopted across all seven eligible mounted list pages. Each page's bespoke filter toolbar markup has been replaced by a single `<app-filter-bar>` element that renders search input, single-select filter dropdowns, active-filter chips, and a clear-all button through the shared component's existing API.
+The dormant shared `FilterBarComponent` (`src/Web/StellaOps.Web/src/app/shared/ui/filter-bar/filter-bar.component.ts`) was adopted across seven mounted list pages in the original sprint. After remediation, five mounted pages still use the shared bar; the two audit-family pages listed below reverted to page-local controls to preserve truthful operator workflows.

 ## Shared contract (unchanged)

@@ -26,7 +30,7 @@ The `FilterBarComponent` API was sufficient without extension:

 | Page | File | Filter options exposed |
 | --- | --- | --- |
-| Audit Log Table | `features/audit-log/audit-log-table.component.ts` | module, action, severity, dateRange |
+| Audit Log Table | `features/audit-log/audit-log-table.component.ts` | rolled back in sprint `024`; page-local filters restored |
 | Secret Findings List | `features/secret-detection/secret-findings-list.component.ts` | severity, status, category |
 | Console Admin Audit Log | `features/console-admin/audit/audit-log.component.ts` | eventType (16 event types) |

@@ -36,7 +40,7 @@ The `FilterBarComponent` API was sufficient without extension:
 | --- | --- | --- |
 | Release List | `features/release-orchestrator/releases/release-list/release-list.component.ts` | type, stage, gate, risk, blocked, needsApproval, hotfixLane, replayMismatch |
 | Evidence Pack List | `features/evidence-pack/evidence-pack-list.component.ts` | (search only, no dropdowns) |
-| Trust Audit Log | `features/trust-admin/trust-audit-log.component.ts` | resourceType, severity |
+| Trust Audit Log | `features/trust-admin/trust-audit-log.component.ts` | rolled back in sprint `024`; start/end date filters restored via page-local controls |
 | Certificate Inventory | `features/trust-admin/certificate-inventory.component.ts` | status, type |

 ## Exclusions
@@ -46,10 +50,9 @@ The `FilterBarComponent` API was sufficient without extension:

 ## Design decisions

- Multi-select dropdowns on the audit-log-table were simplified to single-select to match the shared bar's existing contract. The underlying filter arrays still work but now hold at most one value.
- Date-range inputs on the audit-log-table were mapped to preset dropdown options (24h, 7d, 30d, 90d).
- Date inputs on trust-admin pages were removed from the filter bar; dates remain in component state for API queries but are not exposed through the shared bar.
+- Audit-log and trust-audit pages were reverted to bespoke controls because the shared bar could not preserve their real semantics.
 - Query-state persistence on the release-list via `buildQueryParams()` and route subscription remains intact.
+- Future shared filter-bar expansion must prove parity before replacing mounted audit-family pages again.

 ## Test coverage

--- a/docs/features/checked/web/orphan-finding-list-consolidation.md
+++ b/docs/features/checked/web/orphan-finding-list-consolidation.md
@@ -2,6 +2,10 @@

 Sprint: SPRINT_20260308_020_FE_orphan_finding_list_consolidation

+## Post-remediation note
+
+Sprint `SPRINT_20260308_024_FE_orphan_revival_regression_remediation.md` rolled back both mounted adopters described below. The shared `FindingListComponent` is no longer mounted on `FindingsContainerComponent` or the `ReleaseDetailComponent` security tab because those hosts required fabricated timestamps, severity-derived risk scores, and invented package identities to satisfy the shared contract.
+
 ## Summary

 Revived the dormant shared `FindingListComponent` and `FindingRowComponent` by adopting them on two mounted surfaces that previously used bespoke finding list rendering:
--- a/docs/features/checked/web/orphan-revival-regression-remediation-ui.md
+++ b/docs/features/checked/web/orphan-revival-regression-remediation-ui.md
@@ -0,0 +1,34 @@
+# Orphan Revival Regression Remediation
+
+Sprint: `SPRINT_20260308_024_FE_orphan_revival_regression_remediation.md`
+Status: Shipped
+
+## What changed
+
+This remediation sprint closed the concrete regressions introduced by the orphan-revival batch and kept mounted behavior truthful where the revived shared components did not fit the live hosts.
+
+- Revived shared policy widgets build again: broken `policy-interop.models` imports were corrected in the shared policy components, and the glossary tooltip directive was fixed for strict-null and typing compliance.
+- Evidence-thread navigation now stays inside the canonical Evidence shell. Row click and back navigation both use `/evidence/threads` instead of dead `/evidence-thread` paths.
+- Audit and trust filtering capabilities were restored on mounted pages. `audit-log-table` and `trust-audit-log` were intentionally rolled back to page-local controls so actor filters, multi-select filters, and start/end date filters remain usable.
+- Fabricated finding evidence was removed from mounted consumers. `FindingsContainerComponent` and the `ReleaseDetailComponent` security tab no longer synthesize `last_seen`, `risk_score`, or fake package identities just to satisfy the shared `FindingListComponent` contract.
+
+## Bounded rollback decisions
+
+- `FilterBarComponent` remains valid, but not for every list page. Audit-log and trust-audit hosts keep their bespoke filter controls until the shared bar can support their real semantics without loss.
+- `FindingListComponent` remains available for future truthful adopters, but it is no longer mounted on findings and release-security hosts that would require invented data.
+
+## Verification
+
+- `npm run build`
+  - Result: passed
+  - Notes: only the existing Angular bundle-budget warnings remained
+- `npm test -- --watch=false --include src/tests/orphan_revival/orphan-revival-regression-remediation.spec.ts --include src/tests/evidence/evidence-thread-browser.component.spec.ts --include src/tests/releases/release-detail.live-refresh.spec.ts --include src/app/routes/evidence.routes.spec.ts`
+  - Result: passed
+  - Coverage: policy host rendering, evidence-thread canonical routes, audit/trust filter semantics, truthful findings rendering, release-security rendering, and evidence route declarations
+
+## Current shipped state
+
+- Canonical evidence-thread routes are usable and internally consistent.
+- Shared policy widgets stay mounted on the active policy surfaces without breaking the app build.
+- Audit and trust pages retain their full filtering workflows.
+- Findings and release-security views favor truthful bespoke rendering over forced shared-component reuse.