Sprint 4 — Sidebar restructure (S4-T01+T02):
5 groups: Release Control, Security, Operations, Audit & Evidence, Setup & Admin
Groups 4+5 collapsed by default for new users
Operations extracted from Release Control into own group
Audit extracted from Security into own group
groupOrder and resolveMenuGroupLabel updated
Approvals badge moved to section-level
Sprint 2 — Demo data badges (S2-T04+T05):
Backend: isDemo=true on all compatibility/seed responses in
PackAdapterEndpoints, QuotaCompatibilityEndpoints, VulnerabilitiesController
Frontend: "(Demo)" badges on Usage & Limits page quotas
Frontend: "(Demo)" badges on triage artifact list when seed data
New PlatformItemResponse/PlatformListResponse with IsDemo field
Sprint 6 — Audit emission infrastructure (S6-T01+T02):
New shared library: src/__Libraries/StellaOps.Audit.Emission/
- AuditActionAttribute: [AuditAction("module", "action")] endpoint tag
- AuditActionFilter: IEndpointFilter that auto-emits UnifiedAuditEvent
- HttpAuditEventEmitter: POSTs to Timeline /api/v1/audit/ingest
- Single-line DI: services.AddAuditEmission(configuration)
Timeline service: POST /api/v1/audit/ingest ingestion endpoint
- IngestAuditEventStore: 10k-event ring buffer
- CompositeUnifiedAuditEventProvider: merges HTTP-polled + ingested
Documentation: docs/modules/audit/AUDIT_EMISSION_GUIDE.md
Angular build: 0 errors. .NET builds: 0 errors.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Concelier:
- Register Topology.Read, Topology.Manage, Topology.Admin authorization
policies mapped to OrchRead/OrchOperate/PlatformContextRead/IntegrationWrite
scopes. Previously these policies were referenced by endpoints but never
registered, causing System.InvalidOperationException on every topology
API call.
Gateway routes:
- Simplified targets/environments routes (removed specific sub-path routes,
use catch-all patterns instead)
- Changed environments base route to JobEngine (where CRUD lives)
- Changed to ReverseProxy type for all topology routes
KNOWN ISSUE (not yet fixed):
- ReverseProxy routes don't forward the gateway's identity envelope to
Concelier. The regions/targets/bindings endpoints return 401 because
hasPrincipal=False — the gateway authenticates the user but doesn't
pass the identity to the backend via ReverseProxy. Microservice routes
use Valkey transport which includes envelope headers. Topology endpoints
need either: (a) Valkey transport registration in Concelier, or
(b) Concelier configured to accept raw bearer tokens on ReverseProxy paths.
This is an architecture-level fix.
Journey findings collected so far:
- Integration wizard (Harbor + GitHub App): works end-to-end
- Advisory Check All: fixed (parallel individual checks)
- Mirror domain creation: works, generate-immediately fails silently
- Topology wizard Step 1 (Region): blocked by auth passthrough issue
- Topology wizard Step 2 (Environment): POST to JobEngine needs verify
- User ID resolution: raw hashes shown everywhere
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mirror.md: added section 8 covering the 4-step UI wizard flow, wizard
vs env var comparison table, and air-gap bundle import via UI and CLI.
architecture.md: added 6 consumer API endpoints (GET/PUT /consumer,
discover, verify-signature, import, import/status) to REST API section.
airgap-operations-runbook.md: cross-reference to UI import alternative.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The gateway service was a redundant deployment of the same
StellaOps.Gateway.WebService binary already running as router-gateway.
It served no unique purpose — all traffic is handled by router-gateway
(slot 0). This removes the container, its route table entries, nginx
proxy blocks, health/quota stubs, and redirects STELLAOPS_GATEWAY_URL
to router.stella-ops.local so the Angular frontend resolves API base
URLs through the canonical frontdoor.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Enhance ContextHeaderComponent to be the single canonical header primitive:
- Add configurable heading level (h1/h2/h3) for semantic HTML in nested shells
- Add testId input for Playwright targeting (data-testid)
- Add ARIA labels on return button and chip list (role=list/listitem)
- Add back-arrow indicator for improved return-button affordance
- Add JSDoc on all inputs for developer ergonomics
Deprecate PageHeaderComponent to a thin compatibility wrapper that delegates
to ContextHeaderComponent.
Adopt canonical header on 4 representative pages:
- RegistryAdminComponent (admin/setup surface)
- PackRegistryBrowserComponent (operational surface)
- DeadLetterDashboardComponent (operational surface)
- OfflineKitComponent (operational surface)
Each adopted page gains eyebrow breadcrumb context, consistent subtitle
placement, and projected actions via the shared header-actions slot,
replacing ~80 lines of repeated ad-hoc header markup.
15 focused component tests covering title rendering, eyebrow/subtitle
display, chips with ARIA, back action, action slot projection, heading
levels, testId, and responsive layout structure. All pass.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Settings shell now owns only personal user preferences (appearance,
language, layout, AI assistant). All 14 admin/tenant/ops leaves
converted to controlled redirects pointing at their canonical owners
(Administration, Setup, Ops). Language merged into user-preferences.
Identity-providers rehomed from settings to administration as
canonical owner. Navigation config updated. 22 new route tests added.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sync TASKS.md, implementation_plan.md, and orphan-revival-batch README
to reflect all 11 shipped orphan component adoption sprints.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
