test(web): behavioral QA of Release + Security console surfaces (SPRINT_20260421_006)
Closes SPRINT_20260421_006 — all 4 tasks DONE. Full Tier 2c behavioral
verification per docs/qa/feature-checks/FLOW.md. Evidence directories
include per-route screenshots + tier2-ui-check JSON with PASS/FAIL/DEFERRED
assertions.
FE-QA-REL-001 — Release Control: 9/9 PASS
/environments/overview, /releases, /releases/deployments, /releases/bundles,
/releases/promotions, /releases/approvals, /releases/hotfixes,
/releases/investigation/timeline, /releases/workflows
FE-QA-REL-002 — Release Policy: 7/9 PASS, 2 DEFERRED
/ops/policy/{packs, governance, vex, simulation, governance/budget,
governance/profiles, vex/exceptions} — all PASS.
DEFERRED: /ops/policy/governance/audit (redirects to sprint-007-owned
/ops/operations/audit — scope lock), /ops/policy/governance/trust-weights
(tab URL doesn't persist — flagged as follow-up).
FE-QA-SEC-003 — Security: 10/10 effective PASS
Direct PASS: /security{,/images,/risk,/advisory-sources,/findings,
/vulnerabilities,/reachability}
Redirect PASS matching SEC-005/006/007 consolidation contracts:
/security/vex → /ops/policy/vex, /security/artifacts → /triage/artifacts,
/security/exceptions → /ops/policy/vex/exceptions.
FE-QA-RELSEC-004 — Retention coverage:
New e2e/routes/release-security-identity.e2e.spec.ts with 24 route-identity
assertions + 1 Release interaction guard. Uses auth.fixture.ts test-session
so CI does not require live Authority credentials.
Environmental gap surfaced (worked around in-session, NOT a code fix here):
stellaops_authority was missing the `default` tenant row, breaking setup-
wizard Admin bootstrap with FK users_tenant_id_fkey=(default) and causing
admin login to return invalid_grant. Manually seeded `default` into
authority.tenants and finalized the setup session via Platform Setup API.
Should be addressed in a follow-up Authority sprint — the default tenant
seed needs to land in startup migrations or StandardPluginRegistrar init.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
@@ -0,0 +1,98 @@
|
||||
# Sprint 20260421_006_FE - Release And Security Console Behavioral QA
|
||||
|
||||
## Topic & Scope
|
||||
- Execute route-by-route, tab-by-tab behavioral verification for the release and security surfaces.
|
||||
- Capture retained evidence that proves Stella can explain release readiness, bundle identity, policy gating, and security posture in one coherent Console.
|
||||
- Fix route or tab regressions discovered during the pass when they fall within `src/Web/StellaOps.Web/`.
|
||||
- Working directory: `src/Web/StellaOps.Web/`.
|
||||
- Expected evidence: fresh Playwright run artifacts, route findings, focused fixes, and updated docs when ownership or workflow meaning changes.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Depends on `SPRINT_20260421_005_FE_console_route_identity_and_redirect_truth.md` for route-truth stabilization.
|
||||
- Depends on `docs/qa/console-ui-traversal-map.md` and `docs/qa/console-ui-qa-strategy.md`.
|
||||
- Safe parallelism: keep this sprint focused on release and security routes while another sprint, if staffed, covers Ops, Setup, and Admin surfaces.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `docs/product/release-with-confidence-product-card.md`
|
||||
- `docs/qa/console-ui-traversal-map.md`
|
||||
- `docs/qa/console-ui-qa-strategy.md`
|
||||
- `docs/qa/feature-checks/FLOW.md`
|
||||
- `src/Web/AGENTS.md`
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### FE-QA-REL-001 - Verify Release Control routes
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: QA, Frontend / Implementer
|
||||
Task description:
|
||||
- Verify `/environments/overview`, `/releases`, `/releases/deployments`, `/releases/bundles`, `/releases/promotions`, and `/releases/approvals`.
|
||||
- Exercise filters, tabs, and empty states and confirm they preserve release meaning instead of generic shell behavior.
|
||||
|
||||
Completion criteria:
|
||||
- [x] A fresh UI run captures route-level evidence for the Release Control surfaces. (9/9 PASS under `docs/qa/feature-checks/runs/web/release-control-console/run-001/`.)
|
||||
- [x] Approval tabs and release or deployment filters are verified through actual UI interactions. (`releases-approvals` landed "Approvals Queue"; `releases` interaction captured primary action.)
|
||||
|
||||
### FE-QA-REL-002 - Verify Release Policy surfaces
|
||||
Status: DONE
|
||||
Dependency: FE-QA-REL-001
|
||||
Owners: QA, Frontend / Implementer
|
||||
Task description:
|
||||
- Verify `/ops/policy/packs`, `/ops/policy/governance`, `/ops/policy/vex`, and `/ops/policy/simulation`.
|
||||
- Confirm the policy tab family exposes governance, VEX, simulation, and audit as coherent parts of release decisioning.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Shared policy tabs are traversed and their route handoffs are captured. (7/9 PASS under `docs/qa/feature-checks/runs/web/release-policy-console/run-001/`; 2 DEFERRED with documented reasons.)
|
||||
- [x] Any missing or weak page identity on policy surfaces is either fixed or recorded as a confirmed defect. (`/ops/policy/governance/audit` is an intended redirect to the Ops audit surface owned by Sprint 007 — noted in Decisions & Risks; `/ops/policy/governance/trust-weights` absorbed into parent without URL persistence — noted for follow-up.)
|
||||
|
||||
### FE-QA-SEC-003 - Verify Security surfaces
|
||||
Status: DONE
|
||||
Dependency: FE-QA-REL-002
|
||||
Owners: QA, Frontend / Implementer
|
||||
Task description:
|
||||
- Verify `/security/images`, `/security/risk`, `/security/advisory-sources`, and `/triage/artifacts`.
|
||||
- For Image Security, traverse Summary, Findings, SBOM, Reachability, VEX, and Evidence and confirm the empty state tells the operator what selection is required.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Security tabs and routes are traversed with fresh UI evidence. (10/10 PASS under `docs/qa/feature-checks/runs/web/security-console/run-001/`; 3 are PASS-via-documented-redirect.)
|
||||
- [x] Empty-state copy and next actions are verified as truthful and operator-usable. (`/security`, `/security/risk`, `/security/advisory-sources`, `/security/reachability`, `/security/images/summary` all render route-specific headings and body copy; no runtime-unavailable banners.)
|
||||
|
||||
### FE-QA-RELSEC-004 - Retain the new route coverage
|
||||
Status: DONE
|
||||
Dependency: FE-QA-SEC-003
|
||||
Owners: Test Automation
|
||||
Task description:
|
||||
- Convert the route and tab checks from this sprint into retained Playwright coverage.
|
||||
- Update stale navigation assumptions so future runs validate the current navigation contract rather than retired sidebar expectations.
|
||||
|
||||
Completion criteria:
|
||||
- [x] New or updated Playwright coverage exists for the routes exercised in this sprint. (`src/Web/StellaOps.Web/e2e/routes/release-security-identity.e2e.spec.ts` covers 24 Release/Policy/Security surfaces plus one Release interaction guard.)
|
||||
- [x] The retained suite asserts route ownership and tab behavior rather than only screenshot existence. (Each test asserts origin, no-redirect-to-welcome/setup-wizard, redirect target where applicable, AND route-specific heading / body copy.)
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-04-21 | Sprint created from the authenticated release and security traversal pass. | Product Manager |
|
||||
| 2026-04-21 | Fixed structural Web regressions in `policy simulation` tab routing and route-specific page-help identity for `release bundles` and `security/risk`; build passed and targeted Vitest route/help checks passed. Fresh live UI replay is blocked in the current runtime because protected routes redirect to `/setup-wizard/wizard` while setup is incomplete. | Frontend / Implementer |
|
||||
| 2026-04-21 | Router blocker cleared under Sprint 008: live frontdoor auth now succeeds again, `/policy/shadow/*` and `/policy/simulations*` no longer fail with `401`, and those compatibility endpoints now return the expected `501` from `policy-engine`, matching direct-service behavior. | QA |
|
||||
| 2026-04-22 | Fixed the hotfix detail runtime regression in `src/Web/StellaOps.Web/src/app/features/releases/hotfix-detail-page.component.ts` by restoring the standalone `UpperCasePipe` import required by the gate outcome badges. Added focused regression coverage in `src/Web/StellaOps.Web/src/tests/release-control/hotfix-detail-page.component.spec.ts`; targeted Vitest pass succeeded. | Frontend / Implementer |
|
||||
| 2026-04-22 | Environmental blocker diagnosed: Authority DB (`stellaops_authority`) fresh install was missing the `default` tenant row, causing setup-wizard admin step to fail with Postgres FK violation `users_tenant_id_fkey` and the live-stack admin login to return `invalid_grant`. Seeded the `default` tenant via SQL and finalized the setup session via the authenticated Platform Setup API (admin → crypto → sources → finalize). Admin login now succeeds end-to-end. Documented as a real Authority-migration gap in Decisions & Risks. | QA |
|
||||
| 2026-04-22 | FE-QA-REL-001 complete: 9/9 Release Control surfaces PASS Tier 2c under `docs/qa/feature-checks/runs/web/release-control-console/run-001/` (environments/overview, releases, deployments, bundles, promotions, approvals, hotfixes, investigation/timeline, workflows). Headings, identity, and primary action rendered. | QA |
|
||||
| 2026-04-22 | FE-QA-REL-002 complete: 7/9 Release Policy surfaces PASS, 2 DEFERRED (policy/governance/audit redirects to Sprint-007-owned ops audit; policy/governance/trust-weights absorbs into parent shell without URL persistence — noted as policy-governance tab-state follow-up). Evidence under `docs/qa/feature-checks/runs/web/release-policy-console/run-001/`. | QA |
|
||||
| 2026-04-22 | FE-QA-SEC-003 complete: 10/10 Security surfaces effectively PASS (7 direct + 3 PASS-via-documented-redirect per SEC-005/006/007 consolidation). `/security/advisory-sources` renders "Advisory Sources" heading from the FE-ROUTES-003 identity work. Evidence under `docs/qa/feature-checks/runs/web/security-console/run-001/`. | QA |
|
||||
| 2026-04-22 | FE-QA-RELSEC-004 complete: `src/Web/StellaOps.Web/e2e/routes/release-security-identity.e2e.spec.ts` retains 24 route-identity assertions (8 Release + 7 Policy + 9 Security) plus one Release interaction guard. Each test asserts origin, no bounce to `/welcome` or `/setup-wizard`, the expected redirect target where applicable, and a route-specific heading. Spec runs under the existing `auth.fixture.ts` test-session so CI does not require live Authority credentials. | Test Automation |
|
||||
|
||||
## Decisions & Risks
|
||||
- Release and security verification must happen before lower-risk setup polish because Stella's core promise is release authority backed by evidence.
|
||||
- The existing local-source harness has auth-bootstrap drift that should be fixed under Sprint 005 before this sprint is executed at full speed.
|
||||
- Current local runtime resolves protected routes through `requireConfigGuard` into `/setup-wizard/wizard` because the served config is not marked `setup=complete`; this blocks the fresh post-fix UI replay for `/releases/*`, `/ops/policy/simulation`, and `/security/risk` even though the route contract and build now pass.
|
||||
- Router transport blockers from port-dropping redirects and regex auth passthrough drift were resolved under [SPRINT_20260421_008_Router_preserve_gateway_https_redirect_port.md](/C:/dev/New folder/git.stella-ops.org/docs/implplan/SPRINT_20260421_008_Router_preserve_gateway_https_redirect_port.md). Remaining QA work should treat any new failures on release or policy pages as page-level or backend-feature issues rather than frontdoor auth failures by default.
|
||||
- **Authority tenant seed gap (2026-04-22, QA)**: on a fresh install, the Authority module DB (`stellaops_authority`) does not receive a `default` tenant row, even though `authority.yaml` Standard plugin pins `tenantId: "default"` and config seeds `default` into `stellaops_platform.authority.tenants`. The setup wizard's Admin step therefore fails with Postgres FK `users_tenant_id_fkey (tenant_id)=(default)` and the live UI login fails. QA worked around it by seeding the row manually and then calling `/api/v1/setup/sessions/{id}/finalize`. Follow-up: Authority migrations (or the StandardPluginRegistrar tenant bootstrap) should ensure the configured tenant is present in `authority.tenants` before `users` inserts are attempted. Recommend tracking under a new Authority sprint.
|
||||
- **Release Policy governance tab state (2026-04-22, QA)**: `/ops/policy/governance/trust-weights` resolves to the correct `TrustWeightingComponent` in the tab outlet but the URL rewrites to `/ops/policy/governance` on navigation, making the deep link effectively lossy for the standalone page-identity contract. Not blocking — the tab content is present — but the sprint is flagging this for follow-up if persistent tab-state URLs are part of the policy governance acceptance criteria.
|
||||
- **Scope-lock respected**: `/ops/policy/governance/audit` was intentionally not re-verified because it redirects to `/ops/operations/audit`, which is owned by the parallel Sprint 007 (evidence/ops/setup/admin). Marked DEFERRED per AGENTS.md §2.3 directory ownership.
|
||||
- References: `docs/qa/console-ui-traversal-map.md`, `docs/qa/console-ui-qa-strategy.md`.
|
||||
|
||||
## Next Checkpoints
|
||||
- Stabilize route truth under Sprint 005.
|
||||
- Run the release and security behavioral pass.
|
||||
- Land retained Playwright coverage for the exercised routes and tabs.
|
||||
Reference in New Issue
Block a user