master
4e07f7bd72
Complete first-time user journey notes — full fresh install walkthrough
Documented the complete journey from fresh install through:
- Login, dashboard, integrations (Harbor + GitHub App)
- Advisory sources (42 curated, 54 healthy)
- Mirror domain creation (14 sources, signing)
- Topology wizard (blocked at auth passthrough)
- Release creation (sealed end-to-end with mock component)
- Approvals queue, security posture, policy studio
- Evidence/audit, doctor diagnostics
22 findings total (12 fixed, 10 tracked):
- Critical: ReverseProxy auth passthrough (#13), audit log empty (#20)
- High: Mock registry search in releases (#22)
- Medium: No post-seal guidance (#21), silent failures, user ID hashes
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 08:19:10 +02:00
master
da76d6e93e
Add topology auth policies + journey findings notes
Concelier:
- Register Topology.Read, Topology.Manage, Topology.Admin authorization
  policies mapped to OrchRead/OrchOperate/PlatformContextRead/IntegrationWrite
  scopes. Previously these policies were referenced by endpoints but never
  registered, causing System.InvalidOperationException on every topology
  API call.
Gateway routes:
- Simplified targets/environments routes (removed specific sub-path routes,
  use catch-all patterns instead)
- Changed environments base route to JobEngine (where CRUD lives)
- Changed to ReverseProxy type for all topology routes
KNOWN ISSUE (not yet fixed):
- ReverseProxy routes don't forward the gateway's identity envelope to
  Concelier. The regions/targets/bindings endpoints return 401 because
  hasPrincipal=False — the gateway authenticates the user but doesn't
  pass the identity to the backend via ReverseProxy. Microservice routes
  use Valkey transport which includes envelope headers. Topology endpoints
  need either: (a) Valkey transport registration in Concelier, or
  (b) Concelier configured to accept raw bearer tokens on ReverseProxy paths.
  This is an architecture-level fix.
Journey findings collected so far:
- Integration wizard (Harbor + GitHub App): works end-to-end
- Advisory Check All: fixed (parallel individual checks)
- Mirror domain creation: works, generate-immediately fails silently
- Topology wizard Step 1 (Region): blocked by auth passthrough issue
- Topology wizard Step 2 (Environment): POST to JobEngine needs verify
- User ID resolution: raw hashes shown everywhere
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 08:12:39 +02:00
master
534aabfa2a
First-time user experience fixes and platform contract repairs
FTUX fixes (Sprint 316-001):
- Remove all hardcoded fake data from dashboard — fresh installs show
  honest setup guide instead of fake crisis data (5 fake criticals gone)
- Curate advisory source defaults: 32 sources disabled by default
  (ecosystem, geo-restricted, exploit, hardware, mirror). ~43 core
  sources remain enabled. StellaOps Mirror no longer enabled at priority 1.
- Filter Mirror-category sources from Create Domain wizard to prevent
  circular mirror-from-mirror chains
- Add 404 catch-all route — unknown URLs show "Page Not Found" instead
  of silently rendering the dashboard
- Fix arrow characters in release target path dropdown (? → →)
- Add login credentials to quickstart documentation
- Update Feature Matrix: 14 release orchestration features marked as
  shipped (was marked planned)
Platform contract repairs (from prior session):
- Add /api/v1/jobengine/quotas/summary endpoint on Platform
- Fix gateway route prefix matching for /policy/shadow/* and
  /policy/simulations/* (regex routes instead of exact match)
- Fix VexHub PostgresVexSourceRepository missing interface method
- Fix advisory-vex-sources sweep text expectation
- Fix mirror operator journey auth (session storage token extraction)
Verified: 110/111 canonical routes passing (1 unrelated stale approval ref)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 02:05:38 +02:00
master
08390f0ca4
Repair first-time identity and trust operator journeys
2026-03-15 12:33:56 +02:00
master
c9a30331ce
Close scratch iteration 008 and enforce full surface audits
2026-03-13 11:00:12 +02:00
master
6afd8f951e
Harden canonical route sweep rechecks
2026-03-11 18:44:38 +02:00
master
8e1cb9448d
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
master
4db038123b
documentation cleanse, sprints work and planning. remaining non EF DAL migration to EF
2026-02-25 01:24:07 +02:00
master
b07d27772e
search and ai stabilization work, localization stabilized.
2026-02-24 23:29:36 +02:00
master
e05d803490
cleanup
2026-02-23 21:30:15 +02:00
master
e746577380
wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10
2026-02-23 15:30:50 +02:00
master
04cacdca8a
Gaps fill up, fixes, ui restructuring
2026-02-19 22:10:54 +02:00
master
49cdebe2f1
compose and authority fixes. finish sprints.
2026-02-18 12:00:10 +02:00
master
70fdbfcf25
Stabilize U
2026-02-16 07:33:20 +02:00
master
ab794e167c
frontend styling fixes
2026-02-15 12:00:34 +02:00
master
e9aeadc040
save checkpoint
2026-02-14 09:11:48 +02:00
master
9ca2de05df
more features checks. setup improvements
2026-02-13 02:04:55 +02:00
master
9911b7d73c
save checkpoint
2026-02-12 21:02:43 +02:00
master
5bca406787
save checkpoint: save features
2026-02-12 10:27:23 +02:00
master
6571c83bd4
qa(exportcenter): close remaining oci distribution and referrer features
2026-02-11 17:00:17 +02:00
master
9b58589ba0
qa(exportcenter): verify oci digest identity and advance queue
2026-02-11 16:49:55 +02:00
master
7b7cf07060
qa(exportcenter): close local evidence cache feature and start oci digest checks
2026-02-11 16:40:21 +02:00
master
159a909d88
qa: start exportcenter feature 004 checking run scaffold
2026-02-11 16:29:03 +02:00
master
7f865d7bc7
qa: verify exportcenter telemetry-worker feature and advance queue
2026-02-11 16:27:24 +02:00
master
110cb43e4d
qa: close exportcenter features 001-002 and unblock policy build
2026-02-11 16:21:54 +02:00
master
33360e8d9d
qa(advisoryai): verify deterministic replay feature
2026-02-11 14:28:58 +02:00
master
4424848283
qa(attestor): verify ai explanation attestation types feature
2026-02-11 14:10:23 +02:00
master
d2aca4c9d3
qa(advisoryai): verify codex companion and sync FLOW/task state
2026-02-11 14:05:06 +02:00
master
4e5300660d
qa(advisoryai): verify orchestrator, guardrails, and action-policy features
2026-02-11 13:48:23 +02:00
master
e716bc6adc
and one more
2026-02-11 01:32:58 +02:00
master
fa4823f46c
one more save checkpoint
2026-02-11 01:32:51 +02:00
master
cf5b72974f
save checkpoint
2026-02-11 01:32:14 +02:00
master
5593212b41
save checkpoint. addition features and their state. check some of them
2026-02-10 07:54:44 +02:00