- Workflow: add PostgreSQL auto-migration (8 tables in schema `workflow`)
with AddStartupMigrations wiring and embedded SQL migration
- Scheduler: add missing `schema_version` and `source` columns to
`scheduler.schedules` table in both init script and migration
- Platform: delay analytics maintenance 15s to avoid race with migration
020_AnalyticsRollups creating compute_daily_rollups()
- Docker: install libgssapi-krb5-2 in runtime image to eliminate Npgsql
Kerberos probe warnings across all 59 services
- Docker: remove `# syntax=docker/dockerfile:1.7` directive from both
Dockerfiles to avoid BuildKit frontend pull failures on flaky DNS
- Postgres init: add `workflow` schema to 01-create-schemas.sql

Verified: 75 containers, 0 unhealthy, 0 recurring errors after full
wipe-and-rebuild cycle.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add ScriptsEndpoints to the Scheduler WebService for CRUD operations on
automation scripts. Add a reusable script-picker overlay component for
selecting scripts from the UI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace deadletter grid filters with a compact inline filter bar using
StellaFilterMulti chips. Add missing CSS for scripts search input.
Fix glossary tooltip positioning.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Align hardcoded --color-brand-primary fallbacks to the amber brand color
across chat messages, advisory sources, symbol sources, entity cards,
replay controls, and topology commands.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Close button now uses quick-click to dismiss and long-press to reveal
mute options. Chat stream emits 'start' immediately so the mascot
thinking animation plays during the HTTP wait with an 800ms minimum
duration. User preferences page gains a tutorial reset button.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Page help panel now animates in/out with a genie effect. A persistent
help badge in the breadcrumb lets users reopen the panel after closing.
Long-press on close reveals per-page and global dismiss options.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Remove standalone GovernanceAuditComponent and AuditPolicyComponent in
favor of the unified audit log with policy-specific category chips,
structured governance diffs, and per-event policy detail fields. Evidence
and policy-decisioning routes now redirect to the consolidated audit page
under Operations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Import now supports three sources: server-side path (USB/NFS volumes),
backend URL download, and browser file upload. Export/import workflows
refactored from routed pages to overlay dialogs. Docs updated with
volume mount instructions and source comparison table.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The /environments/{id}/readiness endpoint now resolves environment names
(e.g. "dev", "prod-us-east") via IEnvironmentService, returning an empty
list for unregistered environments instead of a 404.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Session metadata and full session now written to both sessionStorage and
localStorage so that new tabs and window.open() inherit the auth state
without requiring a fresh login.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The workflow service registers endpoints under /api/workflow/ (no v1 prefix),
but the gateway config only had /api/v1/workflows/* which routes to the
release-orchestrator. Added a dedicated route for the workflow engine.
Found during E2E testing — workflow definitions and instances were returning
404 through the gateway.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Remove jobengine and jobengine-worker containers from docker-compose
- Create release-orchestrator service (120 endpoints) with full auth, tenant, and infrastructure DI
- Wire workflow engine to PostgreSQL with definition store (wf_definitions table)
- Deploy 4 canonical workflow definitions on startup (release-promotion, scan-execution, advisory-refresh, compliance-sweep)
- Fix workflow definition JSON to match canonical contract schema (set-state, call-transport, decision)
- Add WorkflowClient to release-orchestrator for starting workflow instances on promotion
- Add WorkflowTriggerClient + endpoint to scheduler for triggering workflows from system schedules
- Update gateway routes from jobengine.stella-ops.local to release-orchestrator.stella-ops.local
- Remove Platform.Database dependency on JobEngine.Infrastructure
- Fix workflow csproj duplicate Content items (EmbeddedResource + SDK default)
- System-managed schedules with source column, SystemScheduleBootstrap, inline edit UI
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The sidebar component had its own hardcoded navSections array separate from
NAVIGATION_GROUPS config. Updated Security group from 5 items (Vulnerabilities,
Security Posture+4 children, Scan Image, VEX) to 4 flat items (Image Security,
Triage Queue, Risk Overview, Advisory Sources).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Security nav restructured from 8 items to 4: Image Security, Triage Queue,
Risk Overview, Advisory Sources. New Image Security page at /security/images
with scope selectors (repo/image/release/environment) and 6 tabs (Summary,
Findings, SBOM, Reachability, VEX, Evidence).

VEX Hub: removed dashboard tab, moved create to button, fixed filters to use
stella-filter-multi, fixed all navigation to absolute paths, fixed 72+ hardcoded
rgba colors, created proper page components for conflicts and create workflow.

Policy shell: added tabs for Packs, Governance, VEX & Exceptions, Simulation,
Audit — all sub-pages now accessible from the Release Policies page.

Integrations: moved symbol sources/marketplace and scanner config to
/setup/integrations.

Backend: mirror config changes now persist via IFeedMirrorConfigStore and
propagate to central Scheduler via SchedulerClient. MirrorExportScheduler
supports IMirrorSchedulerSignal for immediate wakeup on config change.

Mirror detail page: fixed all wrong CSS tokens (text colors used as
backgrounds, inverted borders) to canonical Stella Ops design system.

Exception dashboard: removed duplicate English/Bulgarian title headers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add AGENTS.md sections for the four late-stage post-processing steps
(SpreadOuterCorridors, CollapseOrthogonalBacktracks,
ExtendShortApproachSegments, ReduceLineNodeProximity) and the SVG
bridge gap detection corner radius rationale.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Reduce the corner radius used in EnumerateEffectiveSegments for bridge
gap detection from 40px to 12px. The 40px pull-back eliminated segments
shorter than 80px from crossing detection, causing 3 of 4 crossings
with edge/22's vertical to show no visual "cut" effect. With 12px
pull-back, crossings on segments as short as 25px are now detected.
Bridge gap count: increased from ~4 to 11 in the document processing
render — all visible crossings now show the cut/bridge effect.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Two fixes for the End approach area:
1. SpreadOuterCorridors now splits shared-Y lanes when edges have
overlapping X ranges (>40px overlap). edge/20 and edge/23 were both
at Y=-235 with 2257px of shared horizontal — now split to Y=-235
and Y=-267 (31.6px gap). Uses the entry's actual corridor Y for
shift point matching, not the lane's synthetic CurrentY.
2. Widen the lead-lane pre-terminal jog offset from minLineClearance*0.35
to minLineClearance*0.9. The jog now lands 15px above the End node
top instead of 6px above the neighboring edge's arrival slot.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Increase the preTerminalY offset in RewriteLeftFaceEndTopCorridorLeadLane
from minLineClearance*0.35 to minLineClearance*0.9. This pushes the
lead-lane jog above the End node boundary (Y=350 vs End top Y=365)
instead of between arrival slots (was Y=383, only 6px above the
neighboring edge/23 at Y=377). The jog is now 27px clear of the
nearest neighbor, eliminating the visual overlap the user reported.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add four late-stage post-processing steps that run after the iterative
optimizer to improve edge readability without affecting hard routing
correctness:
- SpreadOuterCorridors: enforce min 32px gap between adjacent above-graph
corridors and push End-bound corridors below all repeat-return corridors
into their own visual tier (Y=-235 vs Y=-203/-139/-36)
- CollapseOrthogonalBacktracks: detect and remove U-turn loops where edges
go right then backtrack left then right again (edge/17 fixed from
7-segment loop to clean 3-segment forward path)
- ExtendShortApproachSegments: extend short final approach segments to
half the average node width (~101px) so arrowheads have clear directional
runs into target nodes (11 edges improved, worst case 8px to 71px)
- ReduceLineNodeProximity: push edge segments away from non-terminal nodes
when within min-clearance (line-node proximity reduced to 2 violations)

Final metrics on document processing render:
- Edge crossings: 24 → 21 (-12.5%)
- Label proximity: 6 → 0 (eliminated)
- Line-node proximity: reduced to 2
- All 7 hard defect classes: zero (maintained)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Introduce WorkflowCancelContracts, update IWorkflowRuntimeApi with cancel
support, and refine Postgres/Mongo projection store serialization.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add KnowledgeSearchDataSourceProvider for connection policy adoption,
update PostgresKnowledgeSearchStore and chat audit logger, refine
SearchAnalyticsService and SearchQualityMonitor queries.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Introduce SecurityVulnerabilityEndpoints, VulnerabilityDetailService,
and supporting contracts for the vulnerability detail page backend.
Includes integration tests for the new endpoints.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Introduce PostgresDeploymentCompatibilityStore with migration 011, in-memory
fallback, deployment endpoints, and Postgres fixture for integration tests.
Update Scheduler repository with connection policy adoption.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Introduce PostgresGraphSavedViewStore with SQL migration, in-memory fallback,
CompatibilityEndpoints for UI contract alignment, and integration tests
with a shared Postgres fixture.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Introduce IntegrationDiscovery DTOs, GitLabCiConnectorPlugin,
GitLabContainerRegistryConnectorPlugin, CLI integrations command group,
and expand impact/service test coverage for all connector plugins.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Major edge routing improvements including corridor spacing, crossing reduction,
focused gateway boundary repairs, setter families, and advanced restabilization.
Adds workflow renderer tests for document-processing and artifact inspection.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Introduce GatewayRegistrationResyncService to recover stale registrations,
extract IGatewayTransportClient interface, add EndpointsUpdate and
RegistrationResyncRequest frame types, and expand transport test coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Set ClientName on every Redis/Valkey connection across Scanner, Signals,
Concelier, Notify, Scheduler, Timeline, and Router for easier connection
attribution in monitoring.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Extract connection string building into PostgresConnectionStringPolicy so all
services use consistent pooling, application_name, and timeout settings.
Adopt the new policy in 20+ module DataSource/ServiceCollectionExtensions classes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>