- SPRINT_20260408_005_Audit_endpoint_filters_deprecation: FILTER-004, -006,
-008 marked DONE with commit 54e7f871a; FILTER-005, -007 DONE with
d4d75200c; FILTER-010 DONE with 665bd6db4. DEPRECATE-001/002/003 still
TODO with mandatory 30-day + 90-day wait windows; CAPSULE-001 stays
BLOCKED. Sprint cannot be archived until the verification windows pass.
- SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge: corrected VXLM-003
and VXLM-004 from DONE → DOING. Adapters still back VEX decisions,
fix verifications, and audit bundles with ConcurrentDictionary; the
VulnExplorer.Api and VulnExplorer.WebService project directories were not
deleted; migration 010 is present but unused. Execution log records the
finding; commit 414049ef8 message was misleading.
- SPRINT_20260408_004_Timeline_unified_audit_sink: scope confirmation logged.
AUDIT-002 through AUDIT-007 remain TODO (~15–25 hr breadth work); too
large for a single session. Sprint stays active.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

TASK-013: SchedulerPersistenceExtensions now calls AddStartupMigrations so
the embedded SQL files (including 007 job_kind + 008 doctor_trends) run on
every cold start. Deletes duplicate migrations 007_add_job_kind_plugin_config
(kept 007_add_schedule_job_kind.sql with tenant-scoped index) and
008_doctor_trends_table (kept 008_add_doctor_trends.sql with RLS + BRIN
time-series index).

TASK-010: Doctor UI trend service now calls
/api/v1/scheduler/doctor/trends/categories/{category} (was
/api/v1/doctor/scheduler/...) so it routes through the scheduler plugin
endpoints rather than the deprecated standalone doctor-scheduler path.

TASK-009: New DoctorJobPluginTests exercises plugin lifecycle: identity,
config validation for full/quick/categories/plugins modes, plan creation,
JSON schema shape, and PluginConfig round-trip (including alerts). 10 tests
added, all pass (26/26 in Plugin.Tests project).

Archives the sprint — all 13 tasks now DONE — and archives the platform
retest sprint (SPRINT_20260409_002) whose RETEST-008 completed via the
earlier feed-mirror cleanup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Adds PowerShell helpers to seed the local Stella Ops stack with a working
GitLab + integrations configuration:
- bootstrap-local-gitlab-secrets.ps1 provisions GitLab's JWT signing secret
and admin PAT into Vault/Authority.
- register-local-integrations.ps1 POSTs the canonical integration records
(GitLab, Jenkins, Harbor, Gitea, Nexus, etc.) against the Integrations
service for first-run local environments.

Docs: INSTALL_GUIDE.md + integrations/LOCAL_SERVICES.md document the new
helpers. devops/compose README and router-gateway-local.json get the
corresponding route wiring. Two new sprint files track the follow-on work
(SPRINT_20260413_002, SPRINT_20260413_003).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Adds MigrationSqlTransactionClassifier to recognize migration SQL that opens
its own transactions (BEGIN/COMMIT/ROLLBACK) so MigrationRunner can skip
wrapping those files in an outer transaction. StartupMigrationHost now surfaces
a MigrationCategory indicator for runtime-aligned bootstrap. Test harness
extended with an explicit-transaction fixture and execution scenario coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
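
One way to make the classification described in the commit message above robust, as an added example (not the project's MigrationSqlTransactionClassifier, whose implementation is not shown here); the function names and sample SQL are constructed and PostgreSQL syntax is assumed. Keywords inside comments, string literals and dollar-quoted PL/pgSQL bodies are blanked first, so a `DO $$ BEGIN ... END $$` block is not mistaken for transaction control.

```python
import re

# Text in which SQL keywords must be ignored (PostgreSQL syntax assumed).
_NOISE = re.compile(
    r"--[^\n]*"                           # line comment
    r"|/\*.*?\*/"                         # block comment (nesting not handled)
    r"|'(?:[^']|'')*'"                    # string literal with '' escapes
    r"|(\$(?:[A-Za-z_]\w*)?\$).*?\1",     # dollar-quoted body: $$...$$ or $tag$...$tag$
    re.DOTALL,
)
# Statement-leading keywords named in the commit message.
_TX_CONTROL = re.compile(r"(BEGIN|COMMIT|ROLLBACK)\b", re.IGNORECASE)


def opens_own_transaction(sql):
    """True when the script itself issues BEGIN/COMMIT/ROLLBACK as a statement."""
    cleaned = _NOISE.sub(" ", sql)
    return any(_TX_CONTROL.match(stmt.strip()) for stmt in cleaned.split(";"))


def execution_plan(sql):
    """Hypothetical runner decision: wrap the file, or run it as written."""
    return "run-as-written" if opens_own_transaction(sql) else "wrap-in-transaction"


# Constructed sample migrations.
EXPLICIT = "BEGIN;\nALTER TABLE t ADD COLUMN c int;\nCOMMIT;"
PLPGSQL_BLOCK = "DO $$\nBEGIN\n  UPDATE t SET c = 1;\nEND\n$$;"
COMMENTED = "-- BEGIN; old rollback notes\nCREATE INDEX i ON t (c);"
```
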
- Map 532 state-changing endpoints across 9 services for AuditActionFilter
- Plan 5-batch migration: convention helper → complex services → dual-write →
read migration → drop local tables
- Reclassify Authority auth-protocol and Policy gate-bypass audit as domain evidence
- 24 days active work + 120-day verification pipeline
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Mark CP-005 DONE: TenantAwareCryptoProviderRegistry decorator, ITenantCryptoPreferenceProvider
interface, AddTenantAwareCryptoResolution DI extension, PlatformCryptoPreferenceProvider,
14 unit tests (all pass), and sprint tracker update.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Create timeline.unified_audit_events table with SHA-256 hash chain
- Create timeline.unified_audit_sequences for per-tenant tracking
- Replace IngestAuditEventStore (in-memory) with PostgresUnifiedAuditEventStore
- Preserve chain integrity via serializable isolation
- Mark AUDIT-001 as DONE in sprint tracker
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
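
The SHA-256 hash chain and per-tenant sequence named in the commit message above, sketched as an added example (not code from the Stella Ops repository); the row layout, canonical JSON encoding, genesis value and sample actions are assumptions. `forked_chain` shows the failure that motivates serializing appends: two writers that read the same chain head both append, and the verifier reports the fork.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for a tenant's first event


def event_hash(tenant, seq, prev, payload):
    """SHA-256 over a canonical encoding binding tenant, sequence and previous hash."""
    body = json.dumps({"tenant": tenant, "seq": seq, "prev": prev, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def head(chain):
    """(last sequence number, last hash) of one tenant's chain."""
    return (chain[-1]["seq"], chain[-1]["hash"]) if chain else (0, GENESIS)


def append(chain, tenant, payload, seen_head=None):
    """Append an event; seen_head models a writer that read the head before a rival committed."""
    seq, prev = seen_head if seen_head is not None else head(chain)
    row = {"seq": seq + 1, "prev": prev, "payload": payload,
           "hash": event_hash(tenant, seq + 1, prev, payload)}
    chain.append(row)
    return row


def verify(chain, tenant):
    """Return (seq, problem) findings; an empty list means the chain is intact."""
    findings, want_seq, want_prev = [], 1, GENESIS
    for row in chain:
        if row["seq"] != want_seq:
            findings.append((row["seq"], "sequence gap or duplicate"))
        if row["prev"] != want_prev:
            findings.append((row["seq"], "previous-hash mismatch"))
        if event_hash(tenant, row["seq"], row["prev"], row["payload"]) != row["hash"]:
            findings.append((row["seq"], "content hash mismatch"))
        want_seq, want_prev = row["seq"] + 1, row["hash"]
    return findings


def forked_chain(tenant="tenant-a"):
    """Constructed data: two writers both read the head after event 1, then both append."""
    chain = []
    append(chain, tenant, {"action": "login"})
    stale = head(chain)
    append(chain, tenant, {"action": "create-release"}, seen_head=stale)
    append(chain, tenant, {"action": "delete-release"}, seen_head=stale)
    return chain
```

Editing a stored payload is reported as a content hash mismatch on that row; recomputing that row's hash to hide the edit moves the finding to the next row as a previous-hash mismatch.
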
- Add crypto provider panel to Platform Settings at /setup/crypto-providers
- Show provider health status with status dots, latency, and last-checked time
- Collapsible start commands with copy-to-clipboard for stopped providers
- Auto-refresh every 30s using interval+switchMap, stopped on destroy
- Provider selection with confirmation dialog via existing ConfirmDialogComponent
- Priority ordering via number input per provider preference
- Active provider banner and per-card active badge
- Disabled "Set as Active" for stopped/unreachable providers with tooltip
- Algorithm scope mapping table for configured preferences
- Backward-compatible redirect from /settings/crypto-providers
- Setup overview card added for Crypto Providers
- Sprint CP-003/CP-004 marked DONE with execution log
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Major edge routing improvements including corridor spacing, crossing reduction,
focused gateway boundary repairs, setter families, and advanced restabilization.
Adds workflow renderer tests for document-processing and artifact inspection.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Target-join and boundary-slot detection now use ResolveNodeSizeClearance
(node dimensions only), while under-node/proximity use
ResolveMinLineClearance (scales with NodeSpacing via ElkLayoutClearance).
Face slot gaps depend on node face geometry, not inter-node spacing.
Routing corridors should scale with spacing for visual breathing room.
Created sprint 008 for wider spacing robustness. NodeSpacing=50 still
fails on target-join (scoring/test detection mismatch needs investigation).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace string-based conflict keys (source:{nodeId}, target:{nodeId}) with
geometric bounding-box overlap detection. Edges now conflict only when their
routed path bounding boxes overlap spatially (with 40px margin) or share a
repeat-collector label on the same source-target pair.
This enables true spatial parallelism: edges using different sides of the
same node can now be repaired in parallel instead of being serialized.
Sprint 006 TASK-001 final criterion met. All 4 tasks DONE.
Tests verified: StraightExit 2/2, HybridDeterministicMode 3/3,
DocumentProcessingWorkflow artifact 1/1 (all 44+ assertions pass).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Completes Sprint 323 TASK-001 using Option C (direct URL rewrite):
- release-management.client.ts: readBaseUrl and legacyBaseUrl now use
/api/v1/release-orchestrator/releases, eliminating the v2 proxy dependency
- All 15+ component files updated: activity, approvals, runs, versions,
bundle-organizer, sidebar queries, topology pages
- Spec files updated to match new URL patterns
- Added /releases/activity and /releases/versions backend route aliases
in ReleaseEndpoints.cs with ListActivity and ListVersions handlers
- Fixed orphaned audit-log-dashboard.component import → audit-log-table
- Both Angular build and JobEngine build pass clean
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add CRUD endpoints for script variables with validation and diff-compatible
models (ScriptEndpoints, ScriptApiModels, IScriptService, InMemoryScriptService).
Update PlatformScopes and PlatformPolicies for script.read/write permissions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Add nginx proxy blocks for /api/v1/release-orchestrator/,
/api/v1/release-control/, /api/v2/releases/, /api/v1/releases/,
/api/v1/registries/ in Dockerfile.console
- All release UI calls now reach JobEngine (401 not 404)
- Registry search reaches Scanner service
- Pipeline page uses ReleaseManagementStore (real API, no mock data)
- Deployment wizard uses BundleOrganizerApi for create/seal
- Inline version/hotfix creation in deployment wizard wired to API
- Version detail shows "not found" error instead of blank screen
- Version wizard has promotion lane + duplicate component detection
- Sprint plan for 41 missing backend endpoints created
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Root cause: the | slice pipe was used in the template but SlicePipe
was not in the standalone component's imports array. This caused
Angular's resolveDirective to throw 'Cannot read factory' on every
change detection cycle, preventing mock version cards from rendering
and breaking the Continue button validation.

Also: removed unused RouterModule import, converted computed signals
to methods for PlatformContextStore-dependent values, added
platformCtx.initialize() in constructor.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>