Archived sprint files inherit the rename without the post-move status edits
since git recorded the rename against pre-edit content. Applies the
OBSOLETE/DONE annotations directly on the archived copies so the record is
internally consistent.

Integration-detail component + spec: small polish pass. integration-hub-ui
spec: trivial assertion tweak. Playwright: refreshed live-frontdoor-auth
snapshot.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devops/compose: docker-compose.stella-ops.legacy.yml +
docker-compose.stella-services.yml receive small service wiring updates.

Playwright: refreshed auth-state/report fixtures from the latest
integrations + setup-wizard + policy-runtime live runs. Includes a new
playwright-report-integrations/ bundle.

Docs: SPRINT_20260410_001 (runtime no-mocks) significantly expanded with
additional NOMOCK tasks reflecting the Postgres-backed work shipped across
Policy, Graph, Excititor, VexLens, Scanner, VexHub. SPRINT_20260413_004
(UI-only setup bootstrap closure) log updates.

Gitignore: narrow the earlier `output/` rule to `/output/` so the tracked
src/Web/StellaOps.Web/output/playwright fixtures continue to be picked up.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Rewire the setup wizard UI to the persistent session endpoints:
resume-aware state service, truthful step status (draft / applying /
applied / failed), and wizard shell that no longer treats
test-connection as completion. Refresh the integrations hub to expose
Secrets / Feed Mirrors / Object Storage categories and align the
onboarding wizard validation with the backend contract for
optional-auth local connectors.

Modernize the release-orchestrator environments pages against the new
environment/target API (models + client), plus adjacent navigation,
route-surface, and test-surface refresh. Add Playwright harnesses for
live setup-wizard bootstrap / integrations bootstrap / state truth
checks, and commit their evidence.

Closes UISETUP-* from SPRINT_20260413_003 and the UI-facing tasks of
SPRINT_20260413_004.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Updated auth state, report JSON, and screenshot snapshots captured from
the latest live-stack run of the mirror operator journey and front-door
auth flows. Includes tmp-feedmirror-auth/state fixtures used by the
feed-mirror UI verification path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The scan route was added to security.routes.ts which isn't loaded by the
app router. The app loads security-risk.routes.ts at /security/*. Added
the scan route to security-risk.routes.ts so /security/scan resolves.
Verified: Scan Image page loads at /security/scan with heading, image
input, and submit button. 111/111 canonical routes passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Concelier:
- Register Topology.Read, Topology.Manage, Topology.Admin authorization
  policies mapped to OrchRead/OrchOperate/PlatformContextRead/IntegrationWrite
  scopes. Previously these policies were referenced by endpoints but never
  registered, causing System.InvalidOperationException on every topology
  API call.

Gateway routes:
- Simplified targets/environments routes (removed specific sub-path routes,
  use catch-all patterns instead)
- Changed environments base route to JobEngine (where CRUD lives)
- Changed to ReverseProxy type for all topology routes

KNOWN ISSUE (not yet fixed):
- ReverseProxy routes don't forward the gateway's identity envelope to
  Concelier. The regions/targets/bindings endpoints return 401 because
  hasPrincipal=False — the gateway authenticates the user but doesn't
  pass the identity to the backend via ReverseProxy. Microservice routes
  use Valkey transport which includes envelope headers. Topology endpoints
  need either: (a) Valkey transport registration in Concelier, or
  (b) Concelier configured to accept raw bearer tokens on ReverseProxy paths.
  This is an architecture-level fix.

Journey findings collected so far:
- Integration wizard (Harbor + GitHub App): works end-to-end
- Advisory Check All: fixed (parallel individual checks)
- Mirror domain creation: works, generate-immediately fails silently
- Topology wizard Step 1 (Region): blocked by auth passthrough issue
- Topology wizard Step 2 (Environment): POST to JobEngine needs verify
- User ID resolution: raw hashes shown everywhere
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
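
The failure described in the Concelier note above (endpoints referencing authorization policies such as Topology.Read that were never registered) can be caught at startup instead of on the first API call. The following is an added example, not code from the repository these commits belong to; the class and method names are hypothetical, and it assumes an ASP.NET Core host whose policy provider returns null for unknown policy names, as the default provider does.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper: audits mapped endpoints for policy names that no
// registered authorization policy satisfies.
public static class AuthorizationPolicyAudit
{
    // Returns one "policy <- endpoint" entry per unresolved reference.
    public static async Task<IReadOnlyList<string>> FindUnregisteredPoliciesAsync(
        IServiceProvider services)
    {
        var provider = services.GetRequiredService<IAuthorizationPolicyProvider>();
        var dataSource = services.GetRequiredService<EndpointDataSource>();
        var missing = new List<string>();
        var seen = new HashSet<string>(StringComparer.Ordinal);

        foreach (var endpoint in dataSource.Endpoints)
        {
            // [Authorize(Policy = "...")] and RequireAuthorization("...")
            // both surface as IAuthorizeData metadata on the endpoint.
            foreach (var data in endpoint.Metadata.GetOrderedMetadata<IAuthorizeData>())
            {
                if (string.IsNullOrEmpty(data.Policy)) continue;
                var entry = $"{data.Policy} <- {endpoint.DisplayName}";
                if (!seen.Add(entry)) continue;
                if (await provider.GetPolicyAsync(data.Policy) is null)
                    missing.Add(entry);
            }
        }
        return missing;
    }

    // Fails fast so a missing registration stops the deployment
    // rather than surfacing as an exception on every request.
    public static async Task ThrowIfAnyUnregisteredAsync(IServiceProvider services)
    {
        var missing = await FindUnregisteredPoliciesAsync(services);
        if (missing.Count > 0)
            throw new InvalidOperationException(
                "Unregistered authorization policies: " + string.Join("; ", missing));
    }
}
```

Call `ThrowIfAnyUnregisteredAsync(app.Services)` after `await app.StartAsync()` so that all endpoints are mapped before the audit runs, or run it from an integration test against the test host.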