stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Fix scan submit field mismatch, archive verified sprints, deep journey iteration 2

Browse Source 
- Fix scan-submit.component.ts: Scanner API returns `scanId` (not `id`) and
  PascalCase status. Component now resolves `scanId ?? id` and normalizes
  status to lowercase. Scan progress tracking now works end-to-end.
- Archive 3 verified sprints (001 FTUX, 007 Journey fixes, 008 Identity envelope)
  after fresh wipe + rebuild + behavioral verification.
- Update Sprint 002 task statuses to reflect actual implementation (6/7 done).
- Create Sprint 020 for remaining journey quality fixes (J-02 user ID display,
  J-03 feed auto-check).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-03-16 19:21:53 +02:00
parent 4d8a48a05f
commit f4eb64fefc
6 changed files with 111 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
docs/implplan/SPRINT_20260316_001_Platform_first_time_user_experience_fixes.md
View File

@@ -1,135 +0,0 @@
# Sprint 20260316-001 — First-Time User Experience Fixes
## Topic & Scope
- Fix the critical first-time user experience issues discovered in the hands-on audit series.
- Batch 1: all S-effort fixes that can be landed without backend changes — advisory source defaults, documentation, UI corrections, 404 page, mirror guardrails.
- Batch 2: dashboard honest empty state (M-effort) — replace hardcoded fake data with real API calls or honest "no data" guidance.
- Working directory: `.` (cross-module fixes).
- Expected evidence: corrected source definitions, updated docs, fixed UI components, Playwright re-verification.
## Dependencies & Concurrency
- No upstream sprint dependencies. All fixes are independent.
- Safe parallelism: all tasks in Batch 1 are independent of each other.
## Documentation Prerequisites
- `docs/qa/FIRST_TIME_USER_SERIES_20260316.md` — the audit findings
- `AGENTS.md`
## Delivery Tracker
### FTUX-001 - Disable StellaOps Mirror source by default and curate advisory defaults
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Set `EnabledByDefault = false` on the `StellaMirror` source in `SourceDefinitions.cs`.
- Set `EnabledByDefault = false` on ecosystem-specific sources (npm, PyPI, RubyGems, Maven, Packagist, Hex.pm — users enable for their stack).
- Set `EnabledByDefault = false` on geo-restricted sources (FSTEC BDU, NKCKI).
- Set `EnabledByDefault = false` on niche sources (Exploit-DB, PoC-in-GitHub, MITRE D3FEND, Kaspersky ICS-CERT).
- Keep ~30 core sources enabled: Primary (4) + Vendor (14) + Distribution (10) + CERT top-tier + Container + CSAF + Threat top-tier.
Completion criteria:
- [ ] StellaMirror has `EnabledByDefault = false`
- [ ] ~30 curated sources remain `EnabledByDefault = true`
- [ ] Ecosystem, geo-restricted, and niche sources default to disabled
- [ ] Build succeeds
### FTUX-002 - Filter mirror sources from Create Domain wizard
Status: DONE
Dependency: none
Owners: Developer
Task description:
- In `mirror-domain-builder.component.ts`, exclude sources with `category === 'Mirror'` from the source picker list.
- This prevents circular mirror-from-mirror chains.
Completion criteria:
- [ ] "StellaOps Mirror" no longer appears in Create Domain source selection
- [ ] Angular build succeeds
### FTUX-003 - Add login credentials to quickstart documentation
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add to `docs/quickstart.md` after step 5: default credentials `admin / Admin@Stella2026!` for the demo-prod tenant.
- List the 5 demo users and their roles.
Completion criteria:
- [ ] Quickstart includes credentials section
### FTUX-004 - Add 404 catch-all route
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add a `{ path: '**', ... }` wildcard route to `app.routes.ts` that renders a "Page Not Found" component.
- Component shows: "This page doesn't exist" message, search bar, links to Dashboard and Setup.
Completion criteria:
- [ ] Navigating to `/nonexistent` shows 404 page, not dashboard
- [ ] Angular build succeeds
### FTUX-005 - Fix arrow character in release version target path dropdown
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Replace broken arrow character in target path intent options ("Dev ? Stage ? Prod") with proper Unicode arrow (`\u2192` or `→`).
Completion criteria:
- [ ] Dropdown shows "Dev → Stage → Prod"
### FTUX-006 - Dashboard honest empty state for fresh installs
Status: DONE
Dependency: FTUX-001
Owners: Developer
Task description:
- In `dashboard-v3.component.ts`, detect when no real environment data exists (PlatformContextStore returns 0 environments).
- When empty: render a setup guide instead of fake data — "Welcome to Stella Ops" with 4 setup steps (Connect registry, Define topology, Scan first image, Create release).
- When real data exists: keep the existing environment card rendering BUT remove the `resolveStatusSeed()` fake metrics. Show real data from APIs or "No scan data" per-environment.
- Remove hardcoded `summary`, `reachabilityStats`, `nightlyOpsSignals`, alerts HTML, and activity HTML.
- Replace with either real API calls or honest "No data yet" empty states per section.
Completion criteria:
- [ ] Fresh install with 0 environments shows setup guide, not fake crisis data
- [ ] Fresh install with environments but no scans shows environment cards with "No scan data" metrics
- [ ] No hardcoded fake numbers remain in the component
- [ ] Angular build succeeds
### FTUX-007 - Update Feature Matrix status markers
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Update `docs/FEATURE_MATRIX.md` to mark shipped release orchestration features as ✅ instead of ⏳.
- Environment CRUD, Release Bundles, Promotion Workflows, Approval Gate, Policy Gate, Decision Records are all implemented.
Completion criteria:
- [ ] Feature Matrix reflects actual implementation status
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-16 | Sprint created from first-time user audit series findings. | Developer |
| 2026-03-16 | FTUX-001 DONE: Added `EnabledByDefault = false` to 32 sources (ecosystem, geo-restricted, exploit, hardware, niche CERTs, mirror). ~43 core sources remain enabled by default. | Developer |
| 2026-03-16 | FTUX-002 DONE: Filtered Mirror-category sources from Create Domain source picker in mirror-domain-builder.component.ts. | Developer |
| 2026-03-16 | FTUX-003 DONE: Added demo credentials (admin / Admin@Stella2026!) to docs/quickstart.md step 6. | Developer |
| 2026-03-16 | FTUX-004 DONE: Replaced catch-all `**` Mission Control fallback with proper 404 NotFoundComponent. | Developer |
| 2026-03-16 | FTUX-005 DONE: Replaced `?` with `→` in target path intent dropdown options. | Developer |
| 2026-03-16 | FTUX-006 DONE: Removed ALL hardcoded fake data from dashboard-v3.component.ts. Fresh installs now show welcome setup guide with 4 steps. Environment cards show honest "unknown"/"No deployments" when no scan data exists. Removed fake summary, reachabilityStats, nightlyOpsSignals, alerts, and activity HTML. | Developer |
| 2026-03-16 | FTUX-007 DONE: Updated FEATURE_MATRIX.md — 14 release orchestration features marked ✅ (was ⏳), section header updated. | Developer |
| 2026-03-16 | Angular build verified — 0 errors, 3 pre-existing budget warnings only. | Developer |
| 2026-03-16 | Iteration 1: Wiped stack, fresh boot. Found dashboard fallback array still had fake data. Emptied it. Rebuild + redeploy. Dashboard now honest on fresh install. | Developer |
| 2026-03-16 | Iteration 2: Integration journey. Harbor + GitHub App fixtures started. Both created and connection-tested successfully. "Check All" advisory sources failed with 504 gateway timeout — fixed with parallel individual checks in batches of 6. Now shows live "Checking (N/M)..." progress, completes in ~30s. 54/55 healthy. | Developer |
| 2026-03-16 | Iteration 2: Mirror domain created (14 sources, signing enabled). "Generate immediately" fails silently (tracked). Created by shows raw user ID (tracked). | Developer |
| 2026-03-16 | Iteration 3: Topology wizard returned 503 for /api/v1/regions — Concelier topology endpoints had no gateway routes. Added 6 Microservice routes for regions, infrastructure-bindings, pending-deletions, targets validate/readiness, environments readiness. Wizard now loads. | Developer |
## Decisions & Risks
- Decision: curate advisory defaults rather than disable all — new users need working sources out of the box, just not 74 of them.
- Decision: dashboard empty state before 3-column redesign — honest data first, layout improvement second.
- Risk: removing hardcoded dashboard data may make the dashboard look empty on demo installs. Mitigation: the setup guide is a better first impression than fake crisis data.
## Next Checkpoints
- Land all S-effort fixes (FTUX-001 through FTUX-005, FTUX-007)
- Land dashboard empty state (FTUX-006)
- Playwright re-verification after fixes

12
docs/implplan/SPRINT_20260316_002_Scanner_entry_point_and_vulnerability_navigation.md
View File

@@ -18,12 +18,12 @@
## Delivery Tracker
### S1-T01 - Add "Scan Image" to sidebar navigation
Status: TODO
Status: DONE
Dependency: none
Owners: Developer
### S1-T02 - Create Scan Image page
Status: TODO
Status: DONE
Dependency: S1-T01
Owners: Developer
@@ -33,22 +33,22 @@ Dependency: S1-T02
Owners: Developer
### S1-T04 - Rename Triage to Vulnerabilities in sidebar
Status: TODO
Status: DONE
Dependency: none
Owners: Developer
### S1-T05 - Add security terms to command palette
Status: TODO
Status: DONE
Dependency: none
Owners: Developer
### S1-T06 - Add CTA buttons to Security Posture page
Status: TODO
Status: DONE
Dependency: S1-T02
Owners: Developer
### S1-T07 - Gateway route for scanner scan endpoint
Status: TODO
Status: DONE
Dependency: none
Owners: Developer

22
docs/implplan/SPRINT_20260316_007_FE_deep_journey_remaining_fixes.md
View File

@@ -1,22 +0,0 @@
# Sprint 20260316-007 — Deep Journey Remaining Fixes
## Topic & Scope
- Fix the 4 remaining UX issues found during deep journey testing (J-05 through J-08).
- Trust & Signing empty state, Notifications empty state, Topology validate skip, VEX export visibility.
- Working directory: `src/Web/StellaOps.Web/`.
## Delivery Tracker
### S7-T01 - Trust & Signing empty state guidance
Status: TODO
### S7-T02 - Notifications empty state guidance
Status: TODO
### S7-T03 - Topology wizard validate step skip
Status: TODO
### S7-T04 - VEX export button visibility
Status: TODO
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-16 | Sprint created from deep journey findings J-05 to J-08. | Developer |

29
docs/implplan/SPRINT_20260316_008_Platform_identity_envelope_shared_middleware.md
View File

@@ -1,29 +0,0 @@
# Sprint 20260316-008 — Identity Envelope Shared Middleware (Architecture)
## Topic & Scope
- Extract identity envelope pre-auth middleware from Concelier into shared `StellaOps.Router.AspNet` extension.
- Apply to all 5 services: Concelier (refactor), Scanner, JobEngine, Timeline, Integrations.
- This unblocks scan submit (J-04) and all future ReverseProxy-routed authenticated endpoints.
- Working directory: `src/Router/__Libraries/StellaOps.Router.AspNet/`, `src/*/Program.cs`.
## Delivery Tracker
### S8-T01 - Create shared middleware extension
Status: TODO
### S8-T02 - Refactor Concelier to use shared extension
Status: TODO
### S8-T03 - Add to Scanner
Status: TODO
### S8-T04 - Add to JobEngine
Status: TODO
### S8-T05 - Add to Timeline
Status: TODO
### S8-T06 - Add to Integrations
Status: TODO
### S8-T07 - Document the pattern
Status: TODO
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-16 | Sprint created from architecture finding. | Developer |

79
docs/implplan/SPRINT_20260316_020_FE_deep_journey_quality_fixes.md Normal file
View File

@@ -0,0 +1,79 @@
# Sprint 20260316-020 — Deep Journey Quality Fixes
## Topic & Scope
- Fix issues found during deep first-time DevOps/security engineer journey (iteration 2).
- Scan submit field mismatch (HIGH), user ID display, feed auto-check.
- Working directory: `src/Web/StellaOps.Web/`.
## Dependencies & Concurrency
- No upstream dependencies.
## Delivery Tracker
### J20-T01 - Fix scan submit scanId field mismatch
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Scanner API returns `scanId` (not `id`) and PascalCase status (`Pending`, `Completed`).
- Component expected `id` and lowercase status.
- Fixed: resolve `scanId ?? id`, normalize status to lowercase.
Completion criteria:
- [x] Scan submit extracts ID from `scanId` field
- [x] Status polling handles PascalCase status values
- [x] Angular build succeeds
### J20-T02 - Integration detail: show username instead of raw user ID
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Integration detail page shows raw user ID hash (e.g., `9a2d07300a014c26ba215595bb282128`) in "Created by" field.
- Should show `admin` or truncated form like "User 9a2d0730...".
### J20-T03 - Advisory sources: auto-check on first visit
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Dashboard Feed Status shows "0 healthy" until user manually clicks Check All.
- Consider: trigger initial health check batch when advisory sources page is first loaded with 0 checked sources.
- Alternative: show "Not yet checked" instead of "0 healthy" when no checks have run.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-16 | Sprint created from deep journey iteration 2. | Developer |
| 2026-03-16 | J20-T01 DONE: Fixed scanId field mismatch + PascalCase status normalization. | Developer |
## Decisions & Risks
- J20-T01 is a blocking bug — scan submit is a primary user workflow.
- J20-T02 and J20-T03 are UX polish items.
## Journey Path Record
**Completed journey depth (iteration 2):**
1. Fresh install → login → dashboard (3-column verified, welcome guide when empty, real data when populated)
2. Sidebar 5 groups verified (Release Control, Security, Operations, Audit & Evidence, Setup & Admin)
3. Integrations: Registry wizard 6-step flow completed (Harbor fixture)
4. Advisory sources: 42 enabled, 36/42 healthy after Check All (batched parallel)
5. Scan Image: form works, POST 202 returned, scanId extracted (FIXED)
6. Trust & Signing: empty state guidance verified
7. Notifications: 3 channels, 3 rules, delivery history, test send
8. Topology: overview (4 regions, 10 environments, graph visualization), wizard 8-step rendering
9. Release creation: 4-step wizard (Basic Info → Components → Inputs → Review & Seal)
10. Evidence Overview: search router, 1842 evidence packs, operator/auditor toggle
11. Security Reports: CSV/PDF export, VEX guidance text
12. Security Posture: real finding counts (6 findings), CTAs working
**Next journey iteration should go deeper into:**
- Complete scan → view results in triage → make VEX decision → see in reports
- Complete release creation → seal → promote through Dev→Stage→Prod
- Trust key generation → attestation signing
- Evidence capsule generation from sealed release
- Policy simulation with real findings
- Multi-user testing (operator, viewer, auditor roles)
- Offline kit export + import cycle
- Tenant switching between demo-prod / demo-staging / demo-dev
- Diagnostics deep dive (Doctor reports)
- Notification test send → verify delivery