Mark CP-005 DONE: TenantAwareCryptoProviderRegistry decorator, ITenantCryptoPreferenceProvider
interface, AddTenantAwareCryptoResolution DI extension, PlatformCryptoPreferenceProvider,
14 unit tests (all pass), and sprint tracker update.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Remove ExceptionLifecycleWorker + ExpiringNotificationWorker from scheduler-web
- Add both to AddSchedulerWorker() extension (worker-host already calls this)
- Move PostgresExceptionRepository to Worker library
- Web retains only SystemScheduleBootstrap (startup seed)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Create timeline.unified_audit_events table with SHA-256 hash chain
- Create timeline.unified_audit_sequences for per-tenant tracking
- Replace IngestAuditEventStore (in-memory) with PostgresUnifiedAuditEventStore
- Preserve chain integrity via serializable isolation
- Mark AUDIT-001 as DONE in sprint tracker
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Create ISchedulerJobPlugin abstraction with JobKind routing
- Add SchedulerPluginRegistry for plugin discovery and resolution
- Wrap existing scan logic as ScanJobPlugin (zero behavioral change)
- Extend Schedule model with JobKind (default "scan") and PluginConfig (jsonb)
- Add SQL migrations 007 (job_kind/plugin_config) and 008 (doctor_trends table)
- Implement DoctorJobPlugin replacing standalone doctor-scheduler service
- Add PostgresDoctorTrendRepository for persistent trend storage
- Register Doctor trend endpoints at /api/v1/scheduler/doctor/trends/*
- Seed 3 default Doctor schedules (daily full, hourly quick, weekly compliance)
- Comment out doctor-scheduler container in compose and services-matrix
- Update Doctor architecture docs and AGENTS.md with scheduling migration info
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Fix dual-schema violation (scheduler was writing to scheduler + scripts)
- Move ScriptsDataSource, PostgresScriptStore, script endpoints
- Update gateway routes and UI references
- Each service now owns exactly one schema
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Add crypto provider panel to Platform Settings at /setup/crypto-providers
- Show provider health status with status dots, latency, and last-checked time
- Collapsible start commands with copy-to-clipboard for stopped providers
- Auto-refresh every 30s using interval+switchMap, stopped on destroy
- Provider selection with confirmation dialog via existing ConfirmDialogComponent
- Priority ordering via number input per provider preference
- Active provider banner and per-card active badge
- Disabled "Set as Active" for stopped/unreachable providers with tooltip
- Algorithm scope mapping table for configured preferences
- Backward-compatible redirect from /settings/crypto-providers
- Setup overview card added for Crypto Providers
- Sprint CP-003/CP-004 marked DONE with execution log
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Ported 3 database backend plugins with namespace adaptation:
- Oracle: EF Core-based store with AQ signaling wiring (2 files)
- MongoDB: Delegates to DataStore.MongoDB extension method (2 files)
- PostgreSQL: Delegates to DataStore.PostgreSQL extension method (2 files)
Implementation files already exist in __Libraries DataStore projects
(ported in earlier commits). These plugins are thin IDependencyInjectionRoutine
wrappers that enable dynamic plugin loading via the workflow plugin system.
Also fleshed out the stub OracleWorkflowDataStoreExtensions to register
WorkflowDbContext, OracleWorkflowRuntimeStateStore, and
OracleWorkflowHostedJobLockService.
All namespaces converted from Ablera.Serdica to StellaOps.
Plugin interface adapted from IPluginServiceRegistrator to IDependencyInjectionRoutine.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Backport generic improvements from Serdica workflow engine to StellaOps:
Abstractions:
- Add IWorkflowActorRoleResolver interface and NullWorkflowActorRoleResolver
default implementation for server-side actor identity resolution
- Add expression-based Call overloads to WorkflowFlowBuilder (6 new methods
accepting WorkflowExpressionDefinition for payload instead of Func<> factory)
- Fix failure handler compilation: preserve empty handlers (0 steps) as empty
sequences instead of null, allowing "ignore failure and continue" semantics
- Add explanatory comments to WorkflowRegistrationAbstractions for JSON number
normalization logic
Contracts:
- Add NextTasks and WorkflowState to StartWorkflowResponse so callers can
see immediate next tasks after starting a workflow
- Add WorkflowInstanceId, NextTasks, and WorkflowState to
WorkflowTaskCompleteResponse for richer task completion feedback
Transport: verified Transport.GraphQL, Transport.Http, Transport.Microservice,
and Transport.LegacyRabbit are engine-embedded plugins (no separate directories
to add/remove). ElkSharp library confirmed present at src/__Libraries/.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

1. Handle duplicate JSON property names in ToRuntimeValue — GroupBy
before ToDictionary prevents crash on case-insensitive duplicates
2. Normalize decimal-valued integers in sub-workflow payloads —
recursive NormalizePayloadNumbers converts 201000256548.0 to long
3. Add WorkflowExecutionActorContext — AsyncLocal propagation of
actor identity through OnComplete execution chains
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Workflow: add PostgreSQL auto-migration (8 tables in schema `workflow`)
with AddStartupMigrations wiring and embedded SQL migration
- Scheduler: add missing `schema_version` and `source` columns to
`scheduler.schedules` table in both init script and migration
- Platform: delay analytics maintenance 15s to avoid race with migration
020_AnalyticsRollups creating compute_daily_rollups()
- Docker: install libgssapi-krb5-2 in runtime image to eliminate Npgsql
Kerberos probe warnings across all 59 services
- Docker: remove `# syntax=docker/dockerfile:1.7` directive from both
Dockerfiles to avoid BuildKit frontend pull failures on flaky DNS
- Postgres init: add `workflow` schema to 01-create-schemas.sql
Verified: 75 containers, 0 unhealthy, 0 recurring errors after full
wipe-and-rebuild cycle.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add ScriptsEndpoints to the Scheduler WebService for CRUD operations on
automation scripts. Add a reusable script-picker overlay component for
selecting scripts from the UI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace deadletter grid filters with a compact inline filter bar using
StellaFilterMulti chips. Add missing CSS for scripts search input.
Fix glossary tooltip positioning.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Align hardcoded --color-brand-primary fallbacks to the amber brand color
across chat messages, advisory sources, symbol sources, entity cards,
replay controls, and topology commands.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Close button now uses quick-click to dismiss and long-press to reveal
mute options. Chat stream emits 'start' immediately so the mascot
thinking animation plays during the HTTP wait with an 800ms minimum
duration. User preferences page gains a tutorial reset button.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Page help panel now animates in/out with a genie effect. A persistent
help badge in the breadcrumb lets users reopen the panel after closing.
Long-press on close reveals per-page and global dismiss options.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Remove standalone GovernanceAuditComponent and AuditPolicyComponent in
favor of the unified audit log with policy-specific category chips,
structured governance diffs, and per-event policy detail fields. Evidence
and policy-decisioning routes now redirect to the consolidated audit page
under Operations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Import now supports three sources: server-side path (USB/NFS volumes),
backend URL download, and browser file upload. Export/import workflows
refactored from routed pages to overlay dialogs. Docs updated with
volume mount instructions and source comparison table.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The /environments/{id}/readiness endpoint now resolves environment names
(e.g. "dev", "prod-us-east") via IEnvironmentService, returning an empty
list for unregistered environments instead of a 404.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Session metadata and full session now written to both sessionStorage and
localStorage so that new tabs and window.open() inherit the auth state
without requiring a fresh login.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The workflow service registers endpoints under /api/workflow/ (no v1 prefix),
but the gateway config only had /api/v1/workflows/* which routes to the
release-orchestrator. Added a dedicated route for the workflow engine.
Found during E2E testing — workflow definitions and instances were returning
404 through the gateway.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Remove jobengine and jobengine-worker containers from docker-compose
- Create release-orchestrator service (120 endpoints) with full auth, tenant, and infrastructure DI
- Wire workflow engine to PostgreSQL with definition store (wf_definitions table)
- Deploy 4 canonical workflow definitions on startup (release-promotion, scan-execution, advisory-refresh, compliance-sweep)
- Fix workflow definition JSON to match canonical contract schema (set-state, call-transport, decision)
- Add WorkflowClient to release-orchestrator for starting workflow instances on promotion
- Add WorkflowTriggerClient + endpoint to scheduler for triggering workflows from system schedules
- Update gateway routes from jobengine.stella-ops.local to release-orchestrator.stella-ops.local
- Remove Platform.Database dependency on JobEngine.Infrastructure
- Fix workflow csproj duplicate Content items (EmbeddedResource + SDK default)
- System-managed schedules with source column, SystemScheduleBootstrap, inline edit UI
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The sidebar component had its own hardcoded navSections array separate from
NAVIGATION_GROUPS config. Updated Security group from 5 items (Vulnerabilities,
Security Posture+4 children, Scan Image, VEX) to 4 flat items (Image Security,
Triage Queue, Risk Overview, Advisory Sources).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Security nav restructured from 8 items to 4: Image Security, Triage Queue,
Risk Overview, Advisory Sources. New Image Security page at /security/images
with scope selectors (repo/image/release/environment) and 6 tabs (Summary,
Findings, SBOM, Reachability, VEX, Evidence).
VEX Hub: removed dashboard tab, moved create to button, fixed filters to use
stella-filter-multi, fixed all navigation to absolute paths, fixed 72+ hardcoded
rgba colors, created proper page components for conflicts and create workflow.
Policy shell: added tabs for Packs, Governance, VEX & Exceptions, Simulation,
Audit — all sub-pages now accessible from the Release Policies page.
Integrations: moved symbol sources/marketplace and scanner config to
/setup/integrations.
Backend: mirror config changes now persist via IFeedMirrorConfigStore and
propagate to central Scheduler via SchedulerClient. MirrorExportScheduler
supports IMirrorSchedulerSignal for immediate wakeup on config change.
Mirror detail page: fixed all wrong CSS tokens (text colors used as
backgrounds, inverted borders) to canonical Stella Ops design system.
Exception dashboard: removed duplicate English/Bulgarian title headers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add AGENTS.md sections for the four late-stage post-processing steps
(SpreadOuterCorridors, CollapseOrthogonalBacktracks,
ExtendShortApproachSegments, ReduceLineNodeProximity) and the SVG
bridge gap detection corner radius rationale.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Reduce the corner radius used in EnumerateEffectiveSegments for bridge
gap detection from 40px to 12px. The 40px pull-back eliminated segments
shorter than 80px from crossing detection, causing 3 of 4 crossings
with edge/22's vertical to show no visual "cut" effect. With 12px
pull-back, crossings on segments as short as 25px are now detected.
Bridge gap count: increased from ~4 to 11 in the document processing
render — all visible crossings now show the cut/bridge effect.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Two fixes for the End approach area:
1. SpreadOuterCorridors now splits shared-Y lanes when edges have
overlapping X ranges (>40px overlap). edge/20 and edge/23 were both
at Y=-235 with 2257px of shared horizontal — now split to Y=-235
and Y=-267 (31.6px gap). Uses the entry's actual corridor Y for
shift point matching, not the lane's synthetic CurrentY.
2. Widen the lead-lane pre-terminal jog offset from minLineClearance*0.35
to minLineClearance*0.9. The jog now lands 15px above the End node
top instead of 6px above the neighboring edge's arrival slot.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Increase the preTerminalY offset in RewriteLeftFaceEndTopCorridorLeadLane
from minLineClearance*0.35 to minLineClearance*0.9. This pushes the
lead-lane jog above the End node boundary (Y=350 vs End top Y=365)
instead of between arrival slots (was Y=383, only 6px above the
neighboring edge/23 at Y=377). The jog is now 27px clear of the
nearest neighbor, eliminating the visual overlap the user reported.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add four late-stage post-processing steps that run after the iterative
optimizer to improve edge readability without affecting hard routing
correctness:
- SpreadOuterCorridors: enforce min 32px gap between adjacent above-graph
corridors and push End-bound corridors below all repeat-return corridors
into their own visual tier (Y=-235 vs Y=-203/-139/-36)
- CollapseOrthogonalBacktracks: detect and remove U-turn loops where edges
go right then backtrack left then right again (edge/17 fixed from
7-segment loop to clean 3-segment forward path)
- ExtendShortApproachSegments: extend short final approach segments to
half the average node width (~101px) so arrowheads have clear directional
runs into target nodes (11 edges improved, worst case 8px to 71px)
- ReduceLineNodeProximity: push edge segments away from non-terminal nodes
when within min-clearance (line-node proximity reduced to 2 violations)
Final metrics on document processing render:
- Edge crossings: 24 → 21 (-12.5%)
- Label proximity: 6 → 0 (eliminated)
- Line-node proximity: reduced to 2
- All 7 hard defect classes: zero (maintained)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>