- Workflow: add PostgreSQL auto-migration (8 tables in schema `workflow`)
with AddStartupMigrations wiring and embedded SQL migration
- Scheduler: add missing `schema_version` and `source` columns to
`scheduler.schedules` table in both init script and migration
- Platform: delay analytics maintenance 15s to avoid race with migration
020_AnalyticsRollups creating compute_daily_rollups()
- Docker: install libgssapi-krb5-2 in runtime image to eliminate Npgsql
Kerberos probe warnings across all 59 services
- Docker: remove `# syntax=docker/dockerfile:1.7` directive from both
Dockerfiles to avoid BuildKit frontend pull failures on flaky DNS
- Postgres init: add `workflow` schema to 01-create-schemas.sql
Verified: 75 containers, 0 unhealthy, 0 recurring errors after full
wipe-and-rebuild cycle.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add ScriptsEndpoints to the Scheduler WebService for CRUD operations on
automation scripts. Add a reusable script-picker overlay component for
selecting scripts from the UI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace deadletter grid filters with a compact inline filter bar using
StellaFilterMulti chips. Add missing CSS for scripts search input.
Fix glossary tooltip positioning.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Align hardcoded --color-brand-primary fallbacks to the amber brand color
across chat messages, advisory sources, symbol sources, entity cards,
replay controls, and topology commands.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Close button now uses quick-click to dismiss and long-press to reveal
mute options. Chat stream emits 'start' immediately so the mascot
thinking animation plays during the HTTP wait with an 800ms minimum
duration. User preferences page gains a tutorial reset button.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Page help panel now animates in/out with a genie effect. A persistent
help badge in the breadcrumb lets users reopen the panel after closing.
Long-press on close reveals per-page and global dismiss options.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove standalone GovernanceAuditComponent and AuditPolicyComponent in
favor of the unified audit log with policy-specific category chips,
structured governance diffs, and per-event policy detail fields. Evidence
and policy-decisioning routes now redirect to the consolidated audit page
under Operations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Import now supports three sources: server-side path (USB/NFS volumes),
backend URL download, and browser file upload. Export/import workflows
refactored from routed pages to overlay dialogs. Docs updated with
volume mount instructions and source comparison table.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The /environments/{id}/readiness endpoint now resolves environment names
(e.g. "dev", "prod-us-east") via IEnvironmentService, returning an empty
list for unregistered environments instead of a 404.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Session metadata and full session now written to both sessionStorage and
localStorage so that new tabs and window.open() inherit the auth state
without requiring a fresh login.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The workflow service registers endpoints under /api/workflow/ (no v1 prefix),
but the gateway config only had /api/v1/workflows/* which routes to the
release-orchestrator. Added a dedicated route for the workflow engine.
Found during E2E testing — workflow definitions and instances were returning
404 through the gateway.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove jobengine and jobengine-worker containers from docker-compose
- Create release-orchestrator service (120 endpoints) with full auth, tenant, and infrastructure DI
- Wire workflow engine to PostgreSQL with definition store (wf_definitions table)
- Deploy 4 canonical workflow definitions on startup (release-promotion, scan-execution, advisory-refresh, compliance-sweep)
- Fix workflow definition JSON to match canonical contract schema (set-state, call-transport, decision)
- Add WorkflowClient to release-orchestrator for starting workflow instances on promotion
- Add WorkflowTriggerClient + endpoint to scheduler for triggering workflows from system schedules
- Update gateway routes from jobengine.stella-ops.local to release-orchestrator.stella-ops.local
- Remove Platform.Database dependency on JobEngine.Infrastructure
- Fix workflow csproj duplicate Content items (EmbeddedResource + SDK default)
- System-managed schedules with source column, SystemScheduleBootstrap, inline edit UI
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The sidebar component had its own hardcoded navSections array separate from
NAVIGATION_GROUPS config. Updated Security group from 5 items (Vulnerabilities,
Security Posture+4 children, Scan Image, VEX) to 4 flat items (Image Security,
Triage Queue, Risk Overview, Advisory Sources).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Security nav restructured from 8 items to 4: Image Security, Triage Queue,
Risk Overview, Advisory Sources. New Image Security page at /security/images
with scope selectors (repo/image/release/environment) and 6 tabs (Summary,
Findings, SBOM, Reachability, VEX, Evidence).
VEX Hub: removed dashboard tab, moved create to button, fixed filters to use
stella-filter-multi, fixed all navigation to absolute paths, fixed 72+ hardcoded
rgba colors, created proper page components for conflicts and create workflow.
Policy shell: added tabs for Packs, Governance, VEX & Exceptions, Simulation,
Audit — all sub-pages now accessible from the Release Policies page.
Integrations: moved symbol sources/marketplace and scanner config to
/setup/integrations.
Backend: mirror config changes now persist via IFeedMirrorConfigStore and
propagate to central Scheduler via SchedulerClient. MirrorExportScheduler
supports IMirrorSchedulerSignal for immediate wakeup on config change.
Mirror detail page: fixed all wrong CSS tokens (text colors used as
backgrounds, inverted borders) to canonical Stella Ops design system.
Exception dashboard: removed duplicate English/Bulgarian title headers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add AGENTS.md sections for the four late-stage post-processing steps
(SpreadOuterCorridors, CollapseOrthogonalBacktracks,
ExtendShortApproachSegments, ReduceLineNodeProximity) and the SVG
bridge gap detection corner radius rationale.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reduce the corner radius used in EnumerateEffectiveSegments for bridge
gap detection from 40px to 12px. The 40px pull-back eliminated segments
shorter than 80px from crossing detection, causing 3 of 4 crossings
with edge/22's vertical to show no visual "cut" effect. With 12px
pull-back, crossings on segments as short as 25px are now detected.
Bridge gap count: increased from ~4 to 11 in the document processing
render — all visible crossings now show the cut/bridge effect.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two fixes for the End approach area:
1. SpreadOuterCorridors now splits shared-Y lanes when edges have
overlapping X ranges (>40px overlap). edge/20 and edge/23 were both
at Y=-235 with 2257px of shared horizontal — now split to Y=-235
and Y=-267 (31.6px gap). Uses the entry's actual corridor Y for
shift point matching, not the lane's synthetic CurrentY.
2. Widen the lead-lane pre-terminal jog offset from minLineClearance*0.35
to minLineClearance*0.9. The jog now lands 15px above the End node
top instead of 6px above the neighboring edge's arrival slot.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Increase the preTerminalY offset in RewriteLeftFaceEndTopCorridorLeadLane
from minLineClearance*0.35 to minLineClearance*0.9. This pushes the
lead-lane jog above the End node boundary (Y=350 vs End top Y=365)
instead of between arrival slots (was Y=383, only 6px above the
neighboring edge/23 at Y=377). The jog is now 27px clear of the
nearest neighbor, eliminating the visual overlap the user reported.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add four late-stage post-processing steps that run after the iterative
optimizer to improve edge readability without affecting hard routing
correctness:
- SpreadOuterCorridors: enforce min 32px gap between adjacent above-graph
corridors and push End-bound corridors below all repeat-return corridors
into their own visual tier (Y=-235 vs Y=-203/-139/-36)
- CollapseOrthogonalBacktracks: detect and remove U-turn loops where edges
go right then backtrack left then right again (edge/17 fixed from
7-segment loop to clean 3-segment forward path)
- ExtendShortApproachSegments: extend short final approach segments to
half the average node width (~101px) so arrowheads have clear directional
runs into target nodes (11 edges improved, worst case 8px to 71px)
- ReduceLineNodeProximity: push edge segments away from non-terminal nodes
when within min-clearance (line-node proximity reduced to 2 violations)
Final metrics on document processing render:
- Edge crossings: 24 → 21 (-12.5%)
- Label proximity: 6 → 0 (eliminated)
- Line-node proximity: reduced to 2
- All 7 hard defect classes: zero (maintained)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce WorkflowCancelContracts, update IWorkflowRuntimeApi with cancel
support, and refine Postgres/Mongo projection store serialization.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add KnowledgeSearchDataSourceProvider for connection policy adoption,
update PostgresKnowledgeSearchStore and chat audit logger, refine
SearchAnalyticsService and SearchQualityMonitor queries.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce SecurityVulnerabilityEndpoints, VulnerabilityDetailService,
and supporting contracts for the vulnerability detail page backend.
Includes integration tests for the new endpoints.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce PostgresDeploymentCompatibilityStore with migration 011, in-memory
fallback, deployment endpoints, and Postgres fixture for integration tests.
Update Scheduler repository with connection policy adoption.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce PostgresGraphSavedViewStore with SQL migration, in-memory fallback,
CompatibilityEndpoints for UI contract alignment, and integration tests
with a shared Postgres fixture.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce IntegrationDiscovery DTOs, GitLabCiConnectorPlugin,
GitLabContainerRegistryConnectorPlugin, CLI integrations command group,
and expand impact/service test coverage for all connector plugins.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Major edge routing improvements including corridor spacing, crossing reduction,
focused gateway boundary repairs, setter families, and advanced restabilization.
Adds workflow renderer tests for document-processing and artifact inspection.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce GatewayRegistrationResyncService to recover stale registrations,
extract IGatewayTransportClient interface, add EndpointsUpdate and
RegistrationResyncRequest frame types, and expand transport test coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Set ClientName on every Redis/Valkey connection across Scanner, Signals,
Concelier, Notify, Scheduler, Timeline, and Router for easier connection
attribution in monitoring.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extract connection string building into PostgresConnectionStringPolicy so all
services use consistent pooling, application_name, and timeout settings.
Adopt the new policy in 20+ module DataSource/ServiceCollectionExtensions classes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When the corridor reroute pushes a horizontal segment away from a
blocking node, preserve the first point (source connection) and
insert a vertical step to reconnect the last point (target connection)
at the original Y. Previously, pushing all points uniformly would
disconnect the edge from its target node when the push Y exceeded
the target node's boundary.
Fixes edge/9 (Retry Decision → Set batchGenerateFailed) which was
pushed to Y=653 but the target node bottom is at Y=614 — the endpoint
now steps back up to Y=592 to reconnect.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix for the 2 remaining OIDC redirect failures: after login, the
page lands on Dashboard. When a test calls page.goto('/setup/...'),
Angular sometimes redirects back to Dashboard because the auth guard
hasn't settled.
Fix: After loginAndGetToken, navigate to /setup/integrations and
wait for [role="tab"] to render. This:
1. Settles the OIDC auth guard (validates token, caches auth state)
2. Lazy-loads the integration module chunk
3. Primes Angular's router with the /setup/ route tree
Subsequent page.goto() calls from tests will work reliably because
Angular already has auth state and the lazy chunk is cached.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three-layer edge-node clearance improvement:
1. A* proximity cost with correct coordinates: pass original (uninflated)
node bounds to ComputeNodeProximityCost so the pathfinder penalizes
edges near real node boundaries, not the inflated obstacle margin.
Weight=800, clearance=40px. Grid lines added at clearance distance
from real nodes.
2. Default LayerSpacing increased from 60 to 80, adaptive multiplier
floor raised from 0.92 to 1.0, giving wider routing corridors
between node rows.
3. Post-pipeline EnforceMinimumNodeClearance: final unconditional pass
pushes horizontal segments within 8px of node tops (12px push) or
within minClearance of node bottoms (full clearance push).
Also: bridge gap detection now uses curve-aware effective segments
(same preprocessing + corner pull-back as BuildRoundedEdgePath) so
gaps only appear at genuine visual crossings. Collector trunks and
same-group edges excluded from gap detection.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
