Closes the bootstrap gap two parallel QA agents surfaced on 2026-04-22:
fresh Authority DBs lacked the `default` tenant row so setup-wizard admin
creation failed with users_tenant_id_fkey and /connect/token returned
invalid_grant. Fix is on the migration path per AGENTS.md §2.7; the init
script stays seeds-only as established in SPRINT_20260422_003.
- New embedded migration 003_seed_default_tenants.sql performs
`INSERT ... ON CONFLICT (tenant_id) DO NOTHING` for `default` and
`installation`. Numeric prefix (not S-prefix) so the migration runner's
Startup category auto-applies it; S-prefix files route to Seed category
which is intentionally manual-only per
StartupMigrationHost.cs:158.
- `default` is strictly required (Authority's
StandardPluginBootstrapper.DefaultTenantId; /internal/users bootstrap
inserts under this FK). `installation` is not Authority-FK-referenced
today but matches the empirical workaround both QA agents converged on
and serves as defense for cross-service inserts that join
authority.tenants.tenant_id.
Fresh-volume verification (docs/qa/authority-default-tenant-20260422/):
1. docker compose down -v (20 volumes removed incl. compose_postgres-data)
2. docker compose up -d — 62 containers, Authority healthy in ~15s.
3. Startup log: applying 001 (144ms) → 002 (13ms) → 003 (7ms).
authority.tenants contains default + installation.
4. POST /api/v1/setup/sessions → 201; database/valkey/migrations prereqs
ran; admin/execute with admin/Admin@Stella2026! → 200 "Bootstrap
administrator 'admin' ensured successfully."
5. POST /connect/token (password, stellaops-cli, ui.admin openid) → 200
+ JWT carrying role=admin, stellaops:tenant=default.
6. docker compose restart authority → "Database is up to date for
Authority." Clean no-op.
Docs: docs/modules/authority/architecture.md §1.1 "Seeded bootstrap
tenants (migration-owned)". Cross-link added to the archived prior
sprint's Decisions & Risks so the lineage is traceable.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes SPRINT_20260421_007 — all 4 tasks DONE. Full Tier 2c behavioral
verification per docs/qa/feature-checks/FLOW.md. 34 assertions, 0 fail,
0 deferred.
FE-QA-EVID-001 — Evidence: 7/7 PASS
/evidence/{overview, audit-log, verify-replay, exports, capsules, proofs,
bundles}. Alias chains to /ops/operations/audit confirmed intentional per
evidence.routes.ts.
FE-QA-OPS-002 — Ops: 8/8 PASS
/ops/operations/{jobengine, feeds-airgap, doctor, audit, notifications,
health-slo, watchlist} + /ops/scripts. Doctor full diagnostics grid
rendered with real data.
FE-QA-SETUP-003 — Setup + Admin: 12 + 7 PASS
Setup: /setup{, /integrations, /trust-signing (+ issuers/keys/certificates
/audit sub-tabs aliased correctly), /identity-providers, /tenant-branding,
/workflows, /ai-preferences, /topology}.
Admin: all /console-admin/{tenants, users, roles, clients, audit, branding,
assistant} preserved console origin under "Console Administration" heading.
FE-QA-EVIDOPS-004 — Retention coverage:
New e2e/routes/sprint-007-evidence-ops-setup-admin.e2e.spec.ts with 27
Playwright assertions covering origin, canonical-or-alias URL, and
identity-matching body text. Uses the existing auth.fixture.ts pattern.
Evidence: docs/qa/feature-checks/runs/web/sprint-007-evidence-ops-setup-admin/
run-001/ (EVIDENCE.md + tier2-ui-check.json + 36 screenshots + verify.mjs).
Authority default-tenant gap (same as FE-QA-REL-001 discovery):
stellaops_authority had zero tenants and zero users; setup wizard admin
bootstrap failed with users_tenant_id_fkey FK violation. Worked around
in-session by inserting `installation` + `default` tenants and calling
POST /api/v1/setup/sessions/{id}/steps/admin/execute. This is the same
bug two parallel agents independently hit — needs a real Authority sprint
to seed `default` through migrations or StandardPluginRegistrar init.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes SPRINT_20260421_006 — all 4 tasks DONE. Full Tier 2c behavioral
verification per docs/qa/feature-checks/FLOW.md. Evidence directories
include per-route screenshots + tier2-ui-check JSON with PASS/FAIL/DEFERRED
assertions.
FE-QA-REL-001 — Release Control: 9/9 PASS
/environments/overview, /releases, /releases/deployments, /releases/bundles,
/releases/promotions, /releases/approvals, /releases/hotfixes,
/releases/investigation/timeline, /releases/workflows
FE-QA-REL-002 — Release Policy: 7/9 PASS, 2 DEFERRED
/ops/policy/{packs, governance, vex, simulation, governance/budget,
governance/profiles, vex/exceptions} — all PASS.
DEFERRED: /ops/policy/governance/audit (redirects to sprint-007-owned
/ops/operations/audit — scope lock), /ops/policy/governance/trust-weights
(tab URL doesn't persist — flagged as follow-up).
FE-QA-SEC-003 — Security: 10/10 effective PASS
Direct PASS: /security{,/images,/risk,/advisory-sources,/findings,
/vulnerabilities,/reachability}
Redirect PASS matching SEC-005/006/007 consolidation contracts:
/security/vex → /ops/policy/vex, /security/artifacts → /triage/artifacts,
/security/exceptions → /ops/policy/vex/exceptions.
FE-QA-RELSEC-004 — Retention coverage:
New e2e/routes/release-security-identity.e2e.spec.ts with 24 route-identity
assertions + 1 Release interaction guard. Uses auth.fixture.ts test-session
so CI does not require live Authority credentials.
Environmental gap surfaced (worked around in-session, NOT a code fix here):
stellaops_authority was missing the `default` tenant row, breaking setup-
wizard Admin bootstrap with FK users_tenant_id_fkey=(default) and causing
admin login to return invalid_grant. Manually seeded `default` into
authority.tenants and finalized the setup session via Platform Setup API.
Should be addressed in a follow-up Authority sprint — the default tenant
seed needs to land in startup migrations or StandardPluginRegistrar init.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SPRINT_20260422_001 (Notify compat surface restoration) — closes
NOTIFY-COMPAT-003 final criterion. notify-web rebuilt, 7/7 gateway probes
green post-rebuild (8th returns contracted 501 notify_overrides_not_supported).
Browser replay via direct Node+Playwright driver (MCP bridge rejected the
self-signed cert) confirmed Dashboard/Channels/Quiet Hours/Overrides/
Escalation/Throttle tabs render without runtime-unavailable banners. All 3
tasks DONE.
SPRINT_20260421_003 (Concelier advisory connector runtime alignment) —
all 7 tasks were already DONE before this session; archival is purely
administrative.
Evidence bundle at docs/qa/notify-compat-20260422/ includes EVIDENCE.md,
verify.mjs + verify_with_token.mjs, verify-results.json, and screenshots
for each verified tab.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Follow-up to SPRINT_20260419_028 TEST-RUNNER-001.
- scripts/test-targeted-xunit.ps1: refinements to the helper.
- docs/code-of-conduct/TESTING_PRACTICES.md: default targeted xUnit v3
verification to the new helper.
- docs/qa/feature-checks/FLOW.md: call out Microsoft Testing Platform
filter-ignore behaviour and point to the helper.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Walked through the full vulnerability triage workflow as a security
engineer. Found the artifact workspace — the product's killer feature
(evidence-grade findings with reachability, attestations, policy gating,
delta comparison, deterministic replay, VEX decisions). Recorded a VEX
decision for CVE-2023-38545.
Critical UX findings:
- UX-D1: No "Scan" entry point anywhere in the UI — scanner exists
(2 containers) but has no discoverable trigger from the console
- UX-D2: Triage workspace (best feature) hidden under "Triage" label —
security engineers look for "Vulnerabilities" or "Findings"
- UX-D3: Record Decision dialog unreachable on smaller viewports —
needs proper modal overlay instead of in-page drawer
- UX-D4: Security Posture shows 0 findings while Triage has 1 active
HIGH finding — different data sources
Assessment: The triage artifact workspace is 10/10 UX. The discoverability
is 2/10. Three changes would transform the security engineer experience.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All medium fixes verified on live stack:
- Registry search: returns empty (no mock data) — confirmed
- Post-seal guidance: "What's next?" panel shows on release creation
- User ID display: truncated to "User 209d1257..."
- Mirror generate: shows failure status with retry guidance
- Wizard error handling: already implemented (was incorrectly logged)
Audit log remains at 0 events — this is a product gap, not a UI issue.
Services need to emit audit events (write path missing across modules).
MapAuditEndpoints() only exposes the query interface.
Topology wizard step 5 (Agent) is an expected fresh-install blocker.
Final score: 21 fixed, 2 low-priority UI issues, 2 product gaps.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Concelier:
- Register Topology.Read, Topology.Manage, Topology.Admin authorization
policies mapped to OrchRead/OrchOperate/PlatformContextRead/IntegrationWrite
scopes. Previously these policies were referenced by endpoints but never
registered, causing System.InvalidOperationException on every topology
API call.
Gateway routes:
- Simplified targets/environments routes (removed specific sub-path routes,
use catch-all patterns instead)
- Changed environments base route to JobEngine (where CRUD lives)
- Changed to ReverseProxy type for all topology routes
KNOWN ISSUE (not yet fixed):
- ReverseProxy routes don't forward the gateway's identity envelope to
Concelier. The regions/targets/bindings endpoints return 401 because
hasPrincipal=False — the gateway authenticates the user but doesn't
pass the identity to the backend via ReverseProxy. Microservice routes
use Valkey transport which includes envelope headers. Topology endpoints
need either: (a) Valkey transport registration in Concelier, or
(b) Concelier configured to accept raw bearer tokens on ReverseProxy paths.
This is an architecture-level fix.
Journey findings collected so far:
- Integration wizard (Harbor + GitHub App): works end-to-end
- Advisory Check All: fixed (parallel individual checks)
- Mirror domain creation: works, generate-immediately fails silently
- Topology wizard Step 1 (Region): blocked by auth passthrough issue
- Topology wizard Step 2 (Environment): POST to JobEngine needs verify
- User ID resolution: raw hashes shown everywhere
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
