# UI Page-by-Page Verification Results

**Date:** 2026-02-15
**Tester:** QA Agent (Playwright browser automation)
**Environment:** `https://stella-ops.local` (Docker Compose, 50+ services)
**Auth:** OAuth 2.0 Authorization Code + PKCE + DPoP via OpenIddict Authority
**User:** `admin` (Platform Admin, admin@stella-ops.local)

---

## Authentication Flow

| Step | Result |
|------|--------|
| Welcome page loads | PASS — StellaOps branded landing page |
| Sign In button triggers OAuth redirect | PASS — Redirects to `/connect/authorize` with PKCE challenge |
| Login form renders | PASS — Username + Password fields |
| Credentials accepted | PASS — PBKDF2 password hash verified by CryptoPasswordHasher |
| OAuth callback completes | PASS — Code exchange + DPoP token issued |
| Redirect to authenticated dashboard | PASS — Lands on `/` with full sidebar |
| Session persists (SPA navigation) | PASS — sessionStorage auth token |
| Session lost on full page reload | KNOWN — SPA stores tokens in sessionStorage only |

---

## Page Verification Summary

### Legend

- **PASS (data)**: Page loads, renders real backend data
- **PASS (ui)**: Page loads with proper UI structure; backend API returns 404/401 (service not routed)
- **PASS (empty)**: Page loads, no data yet (expected — empty state)
- **ERROR**: Page fails to render or crashes

| # | Page | URL | Title | Headings | Data | Verdict |
|---|------|-----|-------|----------|------|---------|
| 1 | Control Plane Dashboard | `/` | Control Plane - StellaOps | Control Plane, Environment Pipeline, Pending Approvals, Active Deployments, Recent Releases | 4 environments (Dev/Staging/UAT/Prod), 3 pending approvals, 4 recent releases table | **PASS (data)** |
| 2 | Releases | `/releases` | Releases - StellaOps | Releases (0) | UI with search, status/environment filters, status cards. Backend 404 for `/api/release-orchestrator/releases` | **PASS (ui)** |
| 3 | Approvals | `/approvals` | Approvals - StellaOps | Approvals | Filters (status, environment, search). Backend 404 — graceful "Failed to load" | **PASS (ui)** |
| 4 | Security Overview | `/security` → `/security/overview` | Security Overview - StellaOps | Security Overview, Recent Findings, Top Affected Packages, VEX Coverage, Active Exceptions | Dashboard with security posture sections | **PASS (ui)** |
| 5 | Security Findings | `/security/findings` | Security Overview - StellaOps | Security Findings | Table (1) with findings list. Backend 404 for scanner findings API | **PASS (ui)** |
| 6 | Vulnerabilities | `/security/vulnerabilities` | Security Overview - StellaOps | Vulnerabilities | "Vulnerability list is pending data integration" | **PASS (empty)** |
| 7 | SBOM Graph | `/security/sbom` | Security Overview - StellaOps | SBOM Graph | "SBOM graph visualization is not yet available in this build" | **PASS (empty)** |
| 8 | VEX Hub | `/security/vex` | Security Overview - StellaOps | VEX Statement Dashboard | VEX Hub error: 401 from backend. Shows retry button | **PASS (ui)** |
| 9 | Security Exceptions | `/security/exceptions` | Security Overview - StellaOps | Security Exceptions | Table (1) with exceptions list. Backend 404 for policy exception API | **PASS (ui)** |
| 10 | Analytics (main) | `/analytics` | — | (Did not navigate — link not found in nav) | Analytics nav group exists but `/analytics` route not wired | **N/A** |
| 11 | SBOM Lake | `/analytics/sbom-lake` | SBOM Lake - StellaOps | SBOM Lake, Attestation Coverage Metrics, Coverage by Attestation Type, Approval Velocity, Gap Analysis | Rich dashboard with charts. Backend 401 for analytics APIs — shows "Unable to load SBOM analytics" | **PASS (ui)** |
| 12 | Evidence Bundles | `/evidence` → `/evidence/bundles` | Bundles - StellaOps | Evidence Bundles | "Download and verify sealed evidence bundles" | **PASS (empty)** |
| 13 | Evidence Proof Chains | `/evidence/proof-chains` | Proof Chains - StellaOps | Evidence Chain | "Subject digest is required" — correct validation | **PASS (ui)** |
| 14 | Evidence Replay | `/evidence/replay` | Replay - StellaOps | Verdict Replay, Request Replay, Replay Requests, Determinism Overview | Full replay UI with determinism verification description | **PASS (ui)** |
| 15 | Evidence Export | `/evidence/export` | Export - StellaOps | Export Center, StellaBundle (OCI referrer), Daily Compliance Export, Audit Bundle | 3 export profiles with descriptions | **PASS (ui)** |
| 16 | Orchestrator Dashboard | `/operations/orchestrator` | Operations - StellaOps | Orchestrator Dashboard, Your Orchestrator Access | "Monitor and manage orchestrated jobs" | **PASS (ui)** |
| 17 | Scheduler Runs | `/operations/scheduler` → `/operations/scheduler/runs` | Operations - StellaOps | Scheduler Runs | "Monitor and manage scheduled task executions" — shows 1 Failed status | **PASS (ui)** |
| 18 | Operator Quotas | `/operations/quotas` | Operations - StellaOps | Operator Quota Dashboard, Consumption Trend, Quota Forecast, Top Tenants, Throttle Events | Rich dashboard. Backend 404 for quota APIs — "Loading consumption data..." | **PASS (ui)** |
| 19 | Dead-Letter Queue | `/operations/deadletter` → `/operations/dead-letter` | Operations - StellaOps | Dead-Letter Queue Management, Error Distribution, By Tenant, Queue Browser | Full CRUD UI. Backend 404 — "No dead-letter entries match" | **PASS (ui)** |
| 20 | Platform Health | `/operations/health` | Operations - StellaOps | Platform Health, Active Incidents, Service Health, Degraded (1), Healthy (9) | **Real data: 9 healthy + 1 degraded service. Last updated timestamp.** | **PASS (data)** |
| 21 | Feed Mirror & AirGap | `/operations/feeds` | Feed Mirror & AirGap Operations - StellaOps | Feed Mirror & AirGap Operations, NVD Mirror, GitHub Security Advisories, RHEL OVAL, OSV Database | 4 feed sources with status cards. Shows 1 error state | **PASS (ui)** |
| 22 | Integrations | `/settings/integrations` | Settings - StellaOps | Integrations, GitHub Enterprise, GitLab SaaS, Jenkins, Harbor Registry, HashiCorp Vault | 5 integration connectors. 1 shows "Disconnected" | **PASS (ui)** |
| 23 | Trust & Signing | `/settings/trust` | Settings - StellaOps | Trust & Signing, Signing Keys, Issuers, Certificates, Transparency Log, Trust Scoring | 6 trust management sections | **PASS (ui)** |
| 24 | Identity & Access (Admin) | `/settings/admin` | Settings - StellaOps | Identity & Access, Users | **Real data: 5 users from DB (Platform Admin, Jane Smith, Bob Wilson, Scanner Service, Alice Johnson). Table with name, email, role, status.** Tabs: Users, Roles, OAuth Clients, API Tokens, Tenants | **PASS (data)** |

---

## Backend API Connectivity

| API Endpoint Pattern | Status | Notes |
|---------------------|--------|-------|
| `/api/policy/packs` | 404 | Policy packs not routed through gateway |
| `/api/release-orchestrator/releases` | 404 | Release orchestrator not routed |
| `/api/release-orchestrator/approvals` | 404 | Approvals endpoint not routed |
| `/gateway/scanner/api/v1/findings` | 404 | Scanner findings not routed |
| `/gateway/api/v1/policy/exception/requests` | 404 | Policy exceptions not routed |
| `/gateway/api/v1/vex/stats` | 404 | VEX stats not routed |
| `/api/analytics/*` | 401/404 | Analytics endpoints not configured |
| `/api/v1/authority/quotas/*` | 404 | Quota endpoints not routed |
| `/api/v1/orchestrator/deadletter` | 404 | Dead-letter endpoints not routed |
| Authority (login/token) | **200** | OAuth flow works end-to-end |
| Authority (users) | **200** | Admin users table loads real data |
| Health endpoints | **200** | Service health dashboard shows real data |
| Dashboard data | **200** | Environment pipeline, approvals, releases load |

---

## Console Errors

All console errors are HTTP 404/401 responses from backend APIs that aren't yet routed through the gateway. No JavaScript errors, no rendering crashes, no uncaught exceptions.

---

## Aggregate Results

| Metric | Count |
|--------|-------|
| **Total pages tested** | 24 |
| **Pages with real backend data** | 3 (Dashboard, Platform Health, Admin Users) |
| **Pages with proper UI (backend 404)** | 16 |
| **Pages with empty state (expected)** | 3 |
| **Pages not navigable** | 1 (Analytics main — no route) |
| **Pages that crash** | 0 |
| **JavaScript errors** | 0 |
| **Auth flow success** | YES |
| **Session management** | sessionStorage (SPA-only) |

---

## Bugs & Issues Found

### BUG-UI-001: Session lost on full page navigation

- **Severity:** Low (SPA design choice, not a bug per se)
- **Detail:** `page.goto()` causes full page reload, losing sessionStorage auth. SPA in-app navigation preserves session correctly.

### BUG-UI-002: `/analytics` main page not routed

- **Severity:** Low
- **Detail:** Analytics nav group expands but the `/analytics` link doesn't exist in the sidebar. Only `/analytics/sbom-lake` is navigable.

### BUG-UI-003: Gateway routes missing for 10+ backend APIs

- **Severity:** Medium
- **Detail:** Many backend service APIs return 404 through the gateway. The Router/Gateway needs route entries for: release-orchestrator, scanner findings, policy exceptions, VEX stats, analytics, quotas, dead-letter, orchestrator.
- **Impact:** Pages render UI correctly but show empty/error states instead of real data.
- **Root cause:** Gateway route configuration in `src/Router/StellaOps.Gateway.WebService/` doesn't include routes for all backend services.

---

## Screenshots

| File | Description |
|------|-------------|
| `screenshots/qa-ui-01-dashboard.png` | Authenticated Control Plane dashboard |
| `screenshots/qa-ui-admin-settings.png` | Admin Identity & Access with 5 real users |