Archived sprint files inherit the rename without the post-move status edits
since git recorded the rename against pre-edit content. Applies the
OBSOLETE/DONE annotations directly on the archived copies so the record is
internally consistent.
Integration-detail component + spec: small polish pass. integration-hub-ui
spec: trivial assertion tweak. Playwright: refreshed live-frontdoor-auth
snapshot.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
devops/compose: docker-compose.stella-ops.legacy.yml +
docker-compose.stella-services.yml receive small service wiring updates.
Playwright: refreshed auth-state/report fixtures from the latest
integrations + setup-wizard + policy-runtime live runs. Includes a new
playwright-report-integrations/ bundle.
Docs: SPRINT_20260410_001 (runtime no-mocks) significantly expanded with
additional NOMOCK tasks reflecting the Postgres-backed work shipped across
Policy, Graph, Excititor, VexLens, Scanner, VexHub. SPRINT_20260413_004
(UI-only setup bootstrap closure) log updates.
Gitignore: narrow the earlier `output/` rule to `/output/` so the tracked
src/Web/StellaOps.Web/output/playwright fixtures continue to be picked up.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
app.config: wiring updates for VEX hub statement providers + integration
hub DI.
VEX hub client: large refactor and expansion of vex-hub.client.ts (+spec)
with the shape needed by the statement detail panel and the new
noise-gating surfaces. vex-statement-detail-panel.component aligned with
the new client contract.
Integration hub component: extends the bootstrap + verification flow
(browser-backed, no mocks) and updates the spec coverage accordingly.
New tooling:
- scripts/run-policy-orchestrator-proof-e2e.mjs to drive the orchestrator
proof flow from outside the Angular test harness.
- src/tests/triage/noise-gating-api.providers.spec.ts covers the DI
providers wiring for the triage noise-gating surface.
- tests/e2e/integrations/policy-orchestrator.e2e.spec.ts exercises the
policy orchestrator UI end-to-end.
- tsconfig.spec.vex.json isolates the VEX spec compile so it does not
fight the main triage configs.
- angular.json + package.json wire the new spec/e2e targets.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rewire the setup wizard UI to the persistent session endpoints:
resume-aware state service, truthful step status (draft / applying /
applied / failed), and wizard shell that no longer treats
test-connection as completion. Refresh the integrations hub to expose
Secrets / Feed Mirrors / Object Storage categories and align the
onboarding wizard validation with the backend contract for
optional-auth local connectors.
Modernize the release-orchestrator environments pages against the new
environment/target API (models + client), plus adjacent navigation,
route-surface, and test-surface refresh. Add Playwright harnesses for
live setup-wizard bootstrap / integrations bootstrap / state truth
checks, and commit their evidence.
Closes UISETUP-* from SPRINT_20260413_003 and the UI-facing tasks of
SPRINT_20260413_004.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Integration hub: extends integration.models with fields needed by the wizard
(capabilities, credentials, readiness), updates the shell and list components,
adds routing for the new hub flow, and broadens the integration-list spec.
Integration wizard: new integrations-hub.component, extended wizard with
capability/credential handling, updated template + type models, and broader
spec coverage.
Sprint docs: SPRINT_20260413_003 (UI-driven local setup rerun) updated with
wiring notes; SPRINT_20260410_001 (no-mocks) adjusted. ReleaseOrchestrator
architecture doc gets a minor clarification.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
TASK-013: SchedulerPersistenceExtensions now calls AddStartupMigrations so
the embedded SQL files (including 007 job_kind + 008 doctor_trends) run on
every cold start. Deletes duplicate migrations 007_add_job_kind_plugin_config
(kept 007_add_schedule_job_kind.sql with tenant-scoped index) and
008_doctor_trends_table (kept 008_add_doctor_trends.sql with RLS + BRIN
time-series index).
TASK-010: Doctor UI trend service now calls
/api/v1/scheduler/doctor/trends/categories/{category} (was
/api/v1/doctor/scheduler/...) so it routes through the scheduler plugin
endpoints rather than the deprecated standalone doctor-scheduler path.
TASK-009: New DoctorJobPluginTests exercises plugin lifecycle: identity,
config validation for full/quick/categories/plugins modes, plan creation,
JSON schema shape, and PluginConfig round-trip (including alerts). 10 tests
added, all pass (26/26 in Plugin.Tests project).
Archives the sprint — all 13 tasks now DONE — and archives the platform
retest sprint (SPRINT_20260409_002) whose RETEST-008 completed via the
earlier feed-mirror cleanup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Updated auth state, report JSON, and screenshot snapshots captured from
the latest live-stack run of the mirror operator journey and front-door
auth flows. Includes tmp-feedmirror-auth/state fixtures used by the
feed-mirror UI verification path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Deletes the Angular seed client and trims feed-mirror.client.ts of its
fabricated responses (-579 lines), letting the real backend drive the UI.
app.config.ts drops the mock provider bindings. Simplifies usage settings
page to read from real platform data. Setup wizard, command palette, and
keyboard-shortcuts components get small cleanups along with the
mirror-dashboard search model trim.
Closes NOMOCK-002.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
JobEngine page:
- Replace custom segmented toggle with StellaPageTabsComponent
- Fix SCHEDULER_API_BASE_URL factory (new URL() always threw on relative paths)
- Fix listSchedules to include disabled schedules
- Add source field mapping for system schedule badge
Audit log page:
- Remove Overview tab, default to All Events
- Replace custom filters with standard app-filter-bar (matching other pages)
- Remove policy-specific column toggles and category chips
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New audit-event-details-panel component with HTTP context, request body, before state sections
- Highlight [REDACTED] PII values with warning badge
- Auto-construct diff view from details.beforeState when Diff is absent
- Add release/attestor/doctor/signals/advisory-ai/riskengine module support
- Replace raw JSON dumps with semantic rendering
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add crypto provider panel to Platform Settings at /setup/crypto-providers
- Show provider health status with status dots, latency, and last-checked time
- Collapsible start commands with copy-to-clipboard for stopped providers
- Auto-refresh every 30s using interval+switchMap, stopped on destroy
- Provider selection with confirmation dialog via existing ConfirmDialogComponent
- Priority ordering via number input per provider preference
- Active provider banner and per-card active badge
- Disabled "Set as Active" for stopped/unreachable providers with tooltip
- Algorithm scope mapping table for configured preferences
- Backward-compatible redirect from /settings/crypto-providers
- Setup overview card added for Crypto Providers
- Sprint CP-003/CP-004 marked DONE with execution log
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add ScriptsEndpoints to the Scheduler WebService for CRUD operations on
automation scripts. Add a reusable script-picker overlay component for
selecting scripts from the UI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace deadletter grid filters with a compact inline filter bar using
StellaFilterMulti chips. Add missing CSS for scripts search input.
Fix glossary tooltip positioning.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Align hardcoded --color-brand-primary fallbacks to the amber brand color
across chat messages, advisory sources, symbol sources, entity cards,
replay controls, and topology commands.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Close button now uses quick-click to dismiss and long-press to reveal
mute options. Chat stream emits 'start' immediately so the mascot
thinking animation plays during the HTTP wait with an 800ms minimum
duration. User preferences page gains a tutorial reset button.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Page help panel now animates in/out with a genie effect. A persistent
help badge in the breadcrumb lets users reopen the panel after closing.
Long-press on close reveals per-page and global dismiss options.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove standalone GovernanceAuditComponent and AuditPolicyComponent in
favor of the unified audit log with policy-specific category chips,
structured governance diffs, and per-event policy detail fields. Evidence
and policy-decisioning routes now redirect to the consolidated audit page
under Operations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Import now supports three sources: server-side path (USB/NFS volumes),
backend URL download, and browser file upload. Export/import workflows
refactored from routed pages to overlay dialogs. Docs updated with
volume mount instructions and source comparison table.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Session metadata and full session now written to both sessionStorage and
localStorage so that new tabs and window.open() inherit the auth state
without requiring a fresh login.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove jobengine and jobengine-worker containers from docker-compose
- Create release-orchestrator service (120 endpoints) with full auth, tenant, and infrastructure DI
- Wire workflow engine to PostgreSQL with definition store (wf_definitions table)
- Deploy 4 canonical workflow definitions on startup (release-promotion, scan-execution, advisory-refresh, compliance-sweep)
- Fix workflow definition JSON to match canonical contract schema (set-state, call-transport, decision)
- Add WorkflowClient to release-orchestrator for starting workflow instances on promotion
- Add WorkflowTriggerClient + endpoint to scheduler for triggering workflows from system schedules
- Update gateway routes from jobengine.stella-ops.local to release-orchestrator.stella-ops.local
- Remove Platform.Database dependency on JobEngine.Infrastructure
- Fix workflow csproj duplicate Content items (EmbeddedResource + SDK default)
- System-managed schedules with source column, SystemScheduleBootstrap, inline edit UI
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The sidebar component had its own hardcoded navSections array separate from
NAVIGATION_GROUPS config. Updated Security group from 5 items (Vulnerabilities,
Security Posture+4 children, Scan Image, VEX) to 4 flat items (Image Security,
Triage Queue, Risk Overview, Advisory Sources).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Security nav restructured from 8 items to 4: Image Security, Triage Queue,
Risk Overview, Advisory Sources. New Image Security page at /security/images
with scope selectors (repo/image/release/environment) and 6 tabs (Summary,
Findings, SBOM, Reachability, VEX, Evidence).
VEX Hub: removed dashboard tab, moved create to button, fixed filters to use
stella-filter-multi, fixed all navigation to absolute paths, fixed 72+ hardcoded
rgba colors, created proper page components for conflicts and create workflow.
Policy shell: added tabs for Packs, Governance, VEX & Exceptions, Simulation,
Audit — all sub-pages now accessible from the Release Policies page.
Integrations: moved symbol sources/marketplace and scanner config to
/setup/integrations.
Backend: mirror config changes now persist via IFeedMirrorConfigStore and
propagate to central Scheduler via SchedulerClient. MirrorExportScheduler
supports IMirrorSchedulerSignal for immediate wakeup on config change.
Mirror detail page: fixed all wrong CSS tokens (text colors used as
backgrounds, inverted borders) to canonical Stella Ops design system.
Exception dashboard: removed duplicate English/Bulgarian title headers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix for the 2 remaining OIDC redirect failures: after login, the
page lands on Dashboard. When a test calls page.goto('/setup/...'),
Angular sometimes redirects back to Dashboard because the auth guard
hasn't settled.
Fix: After loginAndGetToken, navigate to /setup/integrations and
wait for [role="tab"] to render. This:
1. Settles the OIDC auth guard (validates token, caches auth state)
2. Lazy-loads the integration module chunk
3. Primes Angular's router with the /setup/ route tree
Subsequent page.goto() calls from tests will work reliably because
Angular already has auth state and the lazy chunk is cached.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Landing page: check for tabs/heading instead of waiting for redirect
(redirect needs loadCounts XHR which is slow from browser)
- Pagination: merged into one test, pager check is conditional on data
loading (pager only renders when table has rows)
- Wizard step 2: increased timeouts for Harbor selection
Also: Angular rebuild was required (stale 2-day-old build was the
hidden blocker for 15 UI tests).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Root cause found via screenshot: page.goto with domcontentloaded
returned before Angular even bootstrapped — the page still showed
Dashboard while the test checked for integration content.
Fix: Change waitUntil from domcontentloaded to load across all 37
goto calls. 'load' waits for initial JS/CSS to load, meaning Angular
has bootstrapped and the SPA router has processed the route.
Simplified waitForAngular to wait for route-level content selectors
without the URL check (the load event handles that now).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Problem: After waitForAngular, content assertions ran before Angular's
XHR data loaded. Tests checked textContent('body') at a point when
the table/heading hadn't rendered yet.
Fix: Replace point-in-time checks with Playwright auto-retry assertions:
- expect(locator).toBeVisible({ timeout: 15_000 }) — retries until visible
- expect(locator).toContainText('X', { timeout: 15_000 }) — retries until text appears
- expect(rows.first()).toBeVisible() — retries until table has data
Also: landing page test now uses waitForFunction to detect Angular redirect.
10 files changed, net -45 lines (simpler, more robust assertions).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The generic waitForAngular matched the sidebar nav immediately but
route content (tables, tabs, forms) hadn't rendered yet.
Updated waitForAngular selector to wait for route-level elements:
stella-page-tabs, .integration-list, .source-catalog, table tbody tr,
h1, [role=tablist], .detail-grid, .wizard-step, form.
Also fixed activity-timeline and pagination tests (still had
waitForTimeout(2_000) instead of waitForAngular).
Increased fallback timeout from 5s to 8s for slow-loading pages.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The 3s waitForTimeout after page.goto wasn't enough for Angular to
bootstrap and render content. Replace with waitForAngular() helper
that waits for actual DOM elements (nav, headings) up to 15s, with
5s fallback.
32 calls updated across 10 test files.
Also adds waitForAngular to helpers.ts export.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The advisory source API tests go through the Valkey transport with
withRetry (3 attempts). With the 55s transport timeout, worst case
is 3 × 55s = 165s, exceeding the default 120s test timeout.
Set advisory lifecycle describe block to 300s via beforeEach to
give enough headroom for all retry attempts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three fixes resolving the cascading test failures:
1. Add withRetry() to integrations.e2e.spec.ts advisory section — the
6 API tests that 504'd on Concelier transport now retry up to 2x
2. Change all UI test page.goto from networkidle to domcontentloaded
across 9 test files — networkidle never fires when Angular XHR
calls 504, causing 30 UI tests to timeout. domcontentloaded fires
when HTML is parsed, then 3s wait lets Angular render.
3. Fix test dependencies — vault-consul-secrets detail test now creates
its own integration instead of depending on prior test state.
New test: catalog page aggregation report — verifies the advisory
source catalog page shows stats bar metrics and per-source freshness
data (the UI we built earlier this session).
Files changed: integrations.e2e.spec.ts, vault-consul-secrets, ui-*,
runtime-hosts, gitlab-integration, error-resilience, aaa-advisory-sync
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Problem: Each test created a new browser context and performed a full
OIDC login (120 logins in a 40min serial run). By test ~60, Chromium
was bloated and login took 30s+ instead of 3s.
Fix: apiToken and apiRequest are now worker-scoped — login happens
ONCE per Playwright worker, token is reused for all API tests.
liveAuthPage stays test-scoped (UI tests need fresh pages).
Impact: ~120 OIDC logins → 1 per worker. Eliminates auth overhead
as the bottleneck for later tests in the suite.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The POST /sync and POST /{sourceId}/sync tests start background fetch
jobs that degrade the Valkey messaging transport, causing 504 timeouts
on all subsequent Concelier API calls in the test suite.
Gate these two tests behind E2E_ACTIVE_SYNC=1 so the default suite
only runs read-only advisory source operations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Even a single sync trigger starts a background fetch job that degrades
the Valkey messaging transport for subsequent tests. Gate all sync
POST tests behind E2E_ACTIVE_SYNC=1 so the default suite only tests
read-only operations (catalog, status, enable/disable, UI).
Also fix tab switching test to navigate from registries tab (known state)
and verify URL instead of aria-selected attribute.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
