Rework SetupCommandHandler to talk to the new persistent setup wizard
endpoints (list/resume sessions, run individual steps, surface real
apply state) instead of the previous optimistic session flow, and add
BackendOperationsClient + SetupModels to encapsulate the on-wire
contracts. Add IntegrationsCommandGroup so the CLI can exercise the
same integration onboarding surfaces the UI now uses.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add SecretAuthorityService + endpoints so the setup wizard and
integrations hub can stage secret bundles and bind authref URIs
directly from the UI, instead of requiring out-of-band Vault seeding.
Wire the new service behind IntegrationPolicies, expose
SecretAuthorityDtos on the contracts library, and register an
UpsertSecretBundle audit action for the emission library.
Closes BOOTSTRAP-006 from SPRINT_20260413_004.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add ReleaseOrchestratorEnvironmentEndpoints so the Platform setup wizard
can provision environments and targets against a real orchestrator
instead of in-process stubs. Add PostgresDeploymentCompatibilityStore
and migration 002_deployments.sql to persist deployment compatibility
state, plus ReleaseEnvironmentIdentityAccessor for identity envelope
propagation on env/script endpoints.
Extend Target / TargetConnectionConfig serialization to cover new API
enum values and add integration tests for persistence and
infrastructure registration.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the in-memory setup-wizard store with a Postgres-backed store
(migration 063_PlatformSetupSessions) so setup progress survives
service restarts and can be resumed truthfully. Split step semantics
into draft/provision/apply with real per-step validation instead of
optimistic pass results, and let Finalize mark setup complete only
after required steps have converged.
Add RemoteReleaseOrchestratorEnvironmentClient and
RemoteReleaseOrchestratorScriptService so the Platform WebService can
delegate environment and script provisioning to the ReleaseOrchestrator
service over HTTP with identity envelopes, instead of in-process stubs.
New integration tests cover resume, restart persistence, failed apply,
and finalize semantics, plus the remote clients.
Closes BOOTSTRAP-002 through BOOTSTRAP-005 from SPRINT_20260413_004.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The exact-path rule for /api/v1/setup matched only the bare path, so
sub-paths like /api/v1/setup/sessions fell through to the generic
/api/v1/{svc}/* rule and the gateway tried to dispatch to a synthetic
"setup" microservice. Swap the exact route for a prefix-aware route
that sends /api/v1/setup* to platform, add integration/smoke coverage,
and refresh the local frontdoor config accordingly.
Closes BOOTSTRAP-001 from SPRINT_20260413_004.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Integration hub: extends integration.models with fields needed by the wizard
(capabilities, credentials, readiness), updates the shell and list components,
adds routing for the new hub flow, and broadens the integration-list spec.
Integration wizard: new integrations-hub.component, extended wizard with
capability/credential handling, updated template + type models, and broader
spec coverage.
Sprint docs: SPRINT_20260413_003 (UI-driven local setup rerun) updated with
wiring notes; SPRINT_20260410_001 (no-mocks) adjusted. ReleaseOrchestrator
architecture doc gets a minor clarification.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- SPRINT_20260408_005_Audit_endpoint_filters_deprecation: FILTER-004, -006,
-008 marked DONE with commit 54e7f871a; FILTER-005, -007 DONE with
d4d75200c; FILTER-010 DONE with 665bd6db4. DEPRECATE-001/002/003 still
TODO with mandatory 30-day + 90-day wait windows; CAPSULE-001 stays
BLOCKED. Sprint cannot be archived until the verification windows pass.
- SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge: corrected VXLM-003
and VXLM-004 from DONE → DOING. Adapters still back VEX decisions,
fix verifications, and audit bundles with ConcurrentDictionary; the
VulnExplorer.Api and VulnExplorer.WebService project directories were not
deleted; migration 010 is present but unused. Execution log records the
finding; commit 414049ef8 message was misleading.
- SPRINT_20260408_004_Timeline_unified_audit_sink: scope confirmation logged.
AUDIT-002 through AUDIT-007 remain TODO (~15–25 hr breadth work); too
large for a single session. Sprint stays active.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
TASK-013: SchedulerPersistenceExtensions now calls AddStartupMigrations so
the embedded SQL files (including 007 job_kind + 008 doctor_trends) run on
every cold start. Deletes duplicate migrations 007_add_job_kind_plugin_config
(kept 007_add_schedule_job_kind.sql with tenant-scoped index) and
008_doctor_trends_table (kept 008_add_doctor_trends.sql with RLS + BRIN
time-series index).
TASK-010: Doctor UI trend service now calls
/api/v1/scheduler/doctor/trends/categories/{category} (was
/api/v1/doctor/scheduler/...) so it routes through the scheduler plugin
endpoints rather than the deprecated standalone doctor-scheduler path.
TASK-009: New DoctorJobPluginTests exercises plugin lifecycle: identity,
config validation for full/quick/categories/plugins modes, plan creation,
JSON schema shape, and PluginConfig round-trip (including alerts). 10 tests
added, all pass (26/26 in Plugin.Tests project).
Archives the sprint — all 13 tasks now DONE — and archives the platform
retest sprint (SPRINT_20260409_002) whose RETEST-008 completed via the
earlier feed-mirror cleanup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Platform: new ReleaseOrchestratorScriptService translates the Platform-level
script API surface into calls against the ReleaseOrchestrator scripts module
so clients that still target /api/scripts on Platform continue to work during
the transition. Program.cs wires the shim. ScriptApiModels gets a minor
contract alignment.
ReleaseOrchestrator: ScriptsEndpoints + ScriptRegistry + ScriptModels updated
to expose and persist script variables correctly. New integration test
(ScriptRegistryVariablePersistenceTests) covers the persistence round-trip;
new unit test (ReleaseOrchestratorScriptServiceTests) covers the Platform
shim behavior.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ignore Claude Code scheduler lockfile, Codex temp directory, Playwright CLI
cache, Concelier runtime export outputs, and Workflow plugin binary artifacts
so they don't show up as untracked on a clean workspace.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Updated auth state, report JSON, and screenshot snapshots captured from
the latest live-stack run of the mirror operator journey and front-door
auth flows. Includes tmp-feedmirror-auth/state fixtures used by the
feed-mirror UI verification path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds PowerShell helpers to seed the local Stella Ops stack with a working
GitLab + integrations configuration:
- bootstrap-local-gitlab-secrets.ps1 provisions GitLab's JWT signing secret
and admin PAT into Vault/Authority.
- register-local-integrations.ps1 POSTs the canonical integration records
(GitLab, Jenkins, Harbor, Gitea, Nexus, etc.) against the Integrations
service for first-run local environments.
Docs: INSTALL_GUIDE.md + integrations/LOCAL_SERVICES.md document the new
helpers. devops/compose README and router-gateway-local.json get the
corresponding route wiring. Two new sprint files track the follow-on work
(SPRINT_20260413_002, SPRINT_20260413_003).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Deletes the Angular seed client and trims feed-mirror.client.ts of its
fabricated responses (-579 lines), letting the real backend drive the UI.
app.config.ts drops the mock provider bindings. Simplifies usage settings
page to read from real platform data. Setup wizard, command palette, and
keyboard-shortcuts components get small cleanups along with the
mirror-dashboard search model trim.
Closes NOMOCK-002.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Platform: extends ReleaseOrchestratorCompatibilityIdentityAccessor to pass
tenant-aware identity through the compatibility shim and updates Program.cs
wiring accordingly. Authority: StellaOpsLocalHostnameExtensions emits more
service aliases (scheduler/doctor/findings/graph/timeline/vexhub/etc.) so
local bearer-audience validation succeeds for services addressed via their
short hostname inside the container network.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduces persistent stores for the ReleaseOrchestrator.Environment module:
PostgresEnvironmentStore, PostgresRegionStore, PostgresTargetStore,
PostgresFreezeWindowStore, PostgresInfrastructureBindingStore,
PostgresTopologyPointStatusStore, PostgresPendingDeletionStore, and
PostgresTopologyAgentCatalog. New migration 004_runtime_storage_alignment.sql
aligns column naming with runtime expectations. Adds a
SocketTargetConnectionTester for real TCP probes and a
ScriptCompatibilityEvaluator with its integration test companion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replaces the in-memory mirror config and domain stores with
PostgresMirrorManagementStores backed by a new migration (006) that adds the
mirror_domains, mirror_configs, bundle_versions, and version_locks tables
under the concelier schema. Adds FeedMirrorManagementEndpoints that consumes
the real stores and returns empty / problem responses when no state exists
rather than fabricating demo payloads. Hooks ConcelierTopologyIdentityAccessor
so topology operations get tenant-aware identity from the request envelope.
Test suite updated with real-DB expectations.
Closes NOMOCK-003.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rewrites migration 002 to use ALTER TABLE ... IF EXISTS with per-column guards
and a data-migration DO block that backfills document_json/written_at/batch_id
from the older (tenant_id, data, created_at) layout when present. Updates
GraphChangeStreamProcessor + SavedViewsMigrationHostedService for the aligned
schema and extends the incremental processor tests for the new path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wraps ENUM type creation in findings.ledger schema with DO blocks that catch
duplicate_object so migration 001 can re-run on a partially-provisioned DB
without crashing. Minor corrections to 002 and 005 (syntax alignment).
Updates RLS contract + operations docs to reflect the replay-safe semantics.
WebService + persistence csproj get the Infrastructure.Postgres migration
reference needed for StartupMigrationHost wiring.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Renames date-prefixed migrations (20260107_002, 20260408_003, 20260409_004)
to plain sequential numbers (002, 003, 004) to match the convention used by
other service migration directories. Adds TimelineCoreMigrationCategoryTests
to verify the unified-audit migration registers under the correct category
for the StartupMigrationHost transaction classifier.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds MigrationSqlTransactionClassifier to recognize migration SQL that opens
its own transactions (BEGIN/COMMIT/ROLLBACK) so MigrationRunner can skip
wrapping those files in an outer transaction. StartupMigrationHost now surfaces
a MigrationCategory indicator for runtime-aligned bootstrap. Test harness
extended with an explicit-transaction fixture and execution scenario coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three Doctor trend endpoints (/trends/checks/{checkId}, /trends/categories/{category},
/trends/degrading) were missing the [FromServices] attribute on the
IDoctorTrendRepository? parameter, causing ASP.NET minimal-APIs to attempt model
binding from route/query instead of resolving from DI. Verified fix with HTTP 200
responses against all four trend endpoints via the gateway.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Drop FeedMirrorManagementEndpoints.cs (660 lines of seeded mock data)
as part of the no-mocks initiative. Feed mirror state will be served
from real source/read-model queries.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Scripts module now owns its PostgreSQL schema lifecycle: ScriptsPostgresOptions,
ServiceCollectionExtensions.AddReleaseOrchestratorScripts(), embedded SQL migration,
and MigrationServiceExtensions fix to register multiple IHostedService migrations
without deduplication. Fresh installs auto-converge the scripts catalog without
depending on Scheduler-owned bootstrap SQL.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GetBySnapshotIdAsync and ListBySourceIdAsync provide the read-model
queries needed to replace seeded feed-mirror responses with real state.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
StandardPluginBootstrapper now retries up to 15 times (2s delay) so the
admin user and client seeds converge after PostgreSQL becomes reachable.
Exceptions bubble through the retry loop instead of being swallowed per-step.
Tests cover the retry path with a FlakyUserRepository that fails once then
succeeds.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Mount router-gateway-local.json as appsettings.json (not appsettings.local.json)
so it fully replaces the baked-in config instead of merging. Add Node, Transports,
Routing, and OpenApi sections to make the file self-contained. Test validates all
required top-level sections are present.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
DoctorTrendEndpoints used IDoctorTrendRepository and TimeProvider as
MapGet handler parameters without [FromServices], causing ASP.NET to
infer them as body parameters — crashing the scheduler on startup with
"Body was inferred but the method does not allow inferred body parameters."
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
JobEngine page:
- Replace custom segmented toggle with StellaPageTabsComponent
- Fix SCHEDULER_API_BASE_URL factory (new URL() always threw on relative paths)
- Fix listSchedules to include disabled schedules
- Add source field mapping for system schedule badge
Audit log page:
- Remove Overview tab, default to All Events
- Replace custom filters with standard app-filter-bar (matching other pages)
- Remove policy-specific column toggles and category chips
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New audit-event-details-panel component with HTTP context, request body, before state sections
- Highlight [REDACTED] PII values with warning badge
- Auto-construct diff view from details.beforeState when Diff is absent
- Add release/attestor/doctor/signals/advisory-ai/riskengine module support
- Replace raw JSON dumps with semantic rendering
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Capture request body (JSON, up to 64KB, PII-redacted) in Details["requestBody"]
- Capture response resource ID for create operations in Details["responseResourceId"]
- Add IAuditResourceEnricher interface for GUID -> human-readable name resolution
- Add IAuditBeforeStateProvider for before-state snapshots in Details["beforeState"]
- Add AuditPiiRedactor with configurable field patterns (recursive JSON walk)
- AuditActionAttribute gains CaptureBody (bool?) + SensitiveFields (string[]?)
- AuditEmissionOptions gains MaxBodySizeBytes (64KB) + RedactedFieldPatterns
- All enrichment is optional and fire-and-forget (never blocks response)
- Add AuditModules constants (15 modules) and AuditActions constants (~200 actions)
organized as nested static classes per module for type-safe annotations
- All 17 consuming services verified to compile successfully
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- All active services now use their own persistence (release-orchestrator, scheduler, packsregistry)
- Zero remaining references from any active csproj
- Clean solution files (4 projects + 48 build configs removed from StellaOps.sln)
- Update README and AGENTS.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Map 532 state-changing endpoints across 9 services for AuditActionFilter
- Plan 5-batch migration: convention helper → complex services → dual-write →
read migration → drop local tables
- Reclassify Authority auth-protocol and Policy gate-bypass audit as domain evidence
- 24 days active work + 120-day verification pipeline
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Switch default repository to start empty when Postgres is configured;
GraphDataLoaderHostedService loads real data from graph.graph_nodes/edges
on startup and refreshes every 5 minutes
- Keep InMemoryGraphRepository with hardcoded seed as fallback when no DB
- Add Reload() method to InMemoryGraphRepository for hot-swapping data
- Add GetAllNodesAsync/GetAllEdgesAsync to PostgresGraphRepository
- Deprecate hardcoded seed data in InMemoryGraphRepository
- Fix graph-api port mismatch: container listens on 8080 (ASPNETCORE_URLS)
but compose mapped 80:80; corrected to 80:8080 + healthcheck to 8080
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
