Below are the redesigned **flagship page wireframes (ASCII)** for Stella Ops as an **evidence-based release control plane** with **hybrid reachability** as a first-class gate and explanation layer. I’m keeping the pages “small” in feel: the **most important words first**, then compact supporting text, with **deep detail behind links/panels**.

---

## 0) Shared Shell (applies to all flagship pages)

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Stella Ops    [ Search: release | digest | CVE | env | target ]     Tenant: ACME    User ▼ │
│ Offline: OK   Feed Snapshot: 2026-01-15   Policy Baseline: prod-baseline v3.1  Evidence: ON│
├───────────────┬────────────────────────────────────────────────────────────────────────────┤
│ CONTROL PLANE │ Breadcrumb: >                                                              │
│ RELEASES      │                                                                            │
│ APPROVALS     │                                                                            │
│ SECURITY      │                                                                            │
│ EVIDENCE      │                                                                            │
│ OPERATIONS    │                                                                            │
│ SETTINGS      │                                                                            │
└───────────────┴────────────────────────────────────────────────────────────────────────────┘

Conventions:
- Primary actions are top-right.
- “Open Evidence” and “Open Proof Chain” are always one click away when decisions happen.
- Digests show short form + copy action; full value in hover/expand.
- Gate states: [PASS] [WARN] [BLOCK]
- Reachability states: Reachable / Unreachable / Uncertain + Confidence + Witness link
```

---

## 1) CONTROL PLANE — Overview (new `/`)

**Goal:** answer in one screen: **what’s deployed where**, **what’s pending**, **what changed**, **what needs me**.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ CONTROL PLANE                                                                              │
│ Release governance with evidence. Promote by digest. Explain every decision.      [Docs →] │
│                                                                            [Create Release]│
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ENVIRONMENT PIPELINE                                                                       │
│ ┌───────────┐     ┌───────────┐     ┌───────────┐     ┌───────────┐                        │
│ │   DEV     │ --->│   QA      │ --->│  STAGING  │ --->│   PROD    │                        │
│ │  v1.3.0   │     │  v1.2.5   │     │  v1.2.4   │     │  v1.2.3   │                        │
│ │    OK     │     │    OK     │     │  PENDING  │     │    OK     │                        │
│ └───────────┘     └───────────┘     └───────────┘     └───────────┘                        │
│ Deployed by digest. Click an environment to see targets, drift, and evidence.              │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌───────────────────────────────────────────────┐ ┌──────────────────────────────────────┐ │
│ │ ACTION INBOX                                  │ │ DRIFT & RISK CHANGES                 │ │
│ │ (what needs attention)                        │ │ (since last evidence)                │ │
│ │                                               │ │                                      │ │
│ │ • 3 approvals pending                         │ │ • 2 promotions newly BLOCKED         │ │
│ │ • 1 blocked promotion (reachability)          │ │ • 5 CVEs updated (1 reachable)       │ │
│ │ • 2 failed deployments (retry available)      │ │ • 1 feed stale risk (OSV 36h old)    │ │
│ │ • 1 key expiring in 14 days                   │ │ • 0 config drifts in prod            │ │
│ │                                               │ │                                      │ │
│ │ [Go to Approvals] [Go to Deployments]         │ │ [View Drift] [View Security Impact]  │ │
│ └───────────────────────────────────────────────┘ └──────────────────────────────────────┘ │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ PENDING PROMOTIONS                                                                         │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Release   From → To      Status          Gates          Risk Delta    Actions          │ │
│ │ v1.2.5    QA → Staging   Waiting         [PASS][WARN]   +2 new CVEs   [Open Approval]  │ │
│ │ v1.2.6    Dev → QA       Auto-approved   [PASS]         net safer     [Deploy Now]     │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 2) RELEASES — List (`/releases`)

**Goal:** inventory releases as **immutable bundles**, show **where deployed**, and enable **promotion/evidence**.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ RELEASES                                                                                   │
│ Immutable digest bundles. Promote releases across environments.                   [Docs →] │
│                                                              [Create Release] [Export CSV] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: [Search release/component/digest…] [Env ▼] [Deployed ▼] [Gate ▼] [Date ▼]         │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Release   Bundle Digest     Components   Deployed Where   Gates     Evidence     Action│ │
│ │ v1.2.6    sha256:9c1…3a     12           Dev, QA          [PASS]    Signed       [View]│ │
│ │ v1.2.5    sha256:7aa…2f     12           QA               [WARN]    Signed       [View]│ │
│ │ v1.2.4    sha256:0b2…c9     11           Staging          [PASS]    Signed       [View]│ │
│ │ v1.2.3    sha256:1d9…11     11           Prod             [PASS]    Signed       [View]│ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
│ Multi-select actions: [Request Promotion] [Generate Evidence] [Replay Verify] [Compare]    │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 3) RELEASES — Release Detail (`/releases/:releaseId`)

**Goal:** one flagship screen that ties **promotion + gates + reachability + evidence + proof chain**.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ RELEASE v1.2.5                                                                             │
│ Bundle: sha256:7aa…2f (copy)   Created: 2026-01-15   Source: CI build #882        [Docs →] │
│                                                             [Request Promotion] [Rollback] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ DEPLOYMENT MAP                                                                             │
│ Dev: v1.3.0 (not this)   QA: v1.2.5 (THIS)   Staging: pending   Prod: v1.2.3               │
│ [Open Environment QA] [Open Approval] [Open Deployments]                                   │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Overview] [Components] [Gates] [Promotions] [Deployments] [Evidence] [Proof Chain]  │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ OVERVIEW                                                                                   │
│ ┌───────────────────────────────────────────────┐ ┌──────────────────────────────────────┐ │
│ │ GATE SUMMARY (Policy: stg-baseline v3.1)      │ │ SECURITY IMPACT                      │ │
│ │ SBOM signed:            [PASS]                │ │ New CVEs: 2 (1 reachable)            │ │
│ │ Provenance present:     [PASS]                │ │ Fixed CVEs: 5                        │ │
│ │ Reachability coverage:  [WARN] 89%            │ │ VEX: 2 not-affected, 1 under review  │ │
│ │ Critical reachable:     [BLOCK] 1 (0.82 conf) │ │ Exceptions: 0                        │ │
│ │                                               │ │ [Open Findings for this Release]     │ │
│ │ [Open Reachability Witness] [Explain]         │ └──────────────────────────────────────┘ │
│ └───────────────────────────────────────────────┘                                          │
│                                                                                            │
│ MOST RECENT EVIDENCE PACKET                                                                │
│ Evidence: EVD-2026-0045   Signed: YES   Verified: YES   Feed Snapshot: 2026-01-15          │
│ [Open Evidence Packet] [Export Bundle] [Replay Verify]                                     │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 4) APPROVALS — Inbox (`/approvals`)

**Goal:** make approvals the **decision cockpit**: diff-first, evidence-first, reachability-first.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ APPROVALS                                                                                  │
│ Decide promotions with policy + reachability, backed by signed evidence.          [Docs →] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: [Pending ▼] [Env ▼] [Team ▼] [Policy Baseline ▼] [Search…]                        │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ PENDING (3)                                                                            │ │
│ ├──────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ v1.2.5  QA → Staging    Requested by: deploy-bot  2h ago                               │ │
│ │ WHAT CHANGED: +3 pkgs  +2 CVEs (1 reachable)  -5 fixed  Drift: none                    │ │
│ │ GATES: SBOM[PASS]  Provenance[PASS]  Reachability[BLOCK]  VEX[WARN]                    │ │
│ │ Actions: [Open] [Open Evidence] [Open Witness] [Request Exception] [Approve] [Reject]  │ │
│ ├──────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ v1.2.6  Dev → QA        Auto-approved gates. Waiting deploy window.                    │ │
│ │ WHAT CHANGED: net safer  -2 CVEs  Coverage: 92%                                        │ │
│ │ Actions: [Deploy Now] [Open Evidence]                                                  │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 5) APPROVALS — Approval Detail (`/approvals/:approvalId`)

**Goal:** show everything needed to make a decision—without navigating away.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ APPROVAL: v1.2.5 QA → Staging                                                              │
│ Requested by: deploy-bot 2h ago   Policy: stg-baseline v3.1   Feed Snapshot: 2026-01-15    │
│                                                                   [Open Evidence] [Docs →] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ LEFT: DIFF & GATES                                        RIGHT: DECISION & COMMENTS       │
│ ┌──────────────────────────────────────────────────────┐  ┌──────────────────────────────┐ │
│ │ WHAT CHANGED (Diff-first)                            │  │ DECISION                     │ │
│ │ Components changed:  3                               │  │ [Approve] [Reject]           │ │
│ │ New CVEs:            2 (1 reachable)                 │  │ Require comment: [____]      │ │
│ │ Fixed CVEs:          5                               │  │ Optional: [Request Exception]│ │
│ │ Config drift:        none                            │  └──────────────────────────────┘ │
│ ├──────────────────────────────────────────────────────┤                                   │
│ │ GATES (expandable)                                   │  ┌──────────────────────────────┐ │
│ │ SBOM signed:          [PASS]                         │  │ COMMENTS / AUDIT NOTES       │ │
│ │ Provenance attested:  [PASS]                         │  │ - user1: needs exception?    │ │
│ │ Reachability:         [BLOCK]                        │  │ - sec: confirm witness path  │ │
│ │ VEX consensus:        [WARN]                         │  │ [Add comment]                │ │
│ │                                                      │  └──────────────────────────────┘ │
│ │ [Explain Gate Results] [Open Proof Chain]            │                                   │
│ └──────────────────────────────────────────────────────┘                                   │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ REACHABILITY WITNESS (the moat)                                                            │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Finding: CVE-2026-1234 in log4j                                                        │ │
│ │ State: Reachable   Confidence: 0.82   Reason: static path + runtime signal present     │ │
│ │ Witness Path: main() → processRequest() → Logger.log() → vulnerable()                  │ │
│ │ Guards: none detected   Dynamic loading: no                                            │ │
│ │ Actions: [Open Full Witness] [Export DOT] [Replay Verify]                              │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 6) ENVIRONMENTS — List (`/environments`)

**Goal:** show environments as **release destinations** (not just config objects).

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ ENVIRONMENTS                                                                               │
│ What is deployed where, with policy and evidence.                                 [Docs →] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Environment  Current Release  Freeze  Targets  Policy Baseline      Last Deploy  Action│ │
│ │ Dev          v1.3.0           Off     12       dev-baseline v2.0    10m ago      [Open]│ │
│ │ QA           v1.2.5           Off     8        qa-baseline v2.5     2h ago       [Open]│ │
│ │ Staging      v1.2.4           On      6        stg-baseline v3.1    6h ago       [Open]│ │
│ │ Prod         v1.2.3           Off     20       prod-baseline v3.1   1d ago       [Open]│ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 7) ENVIRONMENTS — Environment Detail (`/environments/:envId`)

**Goal:** environment as a “release ledger”: targets, drift, promotions, evidence.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ ENVIRONMENT: Staging                                                                       │
│ Current: v1.2.4   Policy: stg-baseline v3.1   Freeze: ON (window 18:00–20:00 UTC)  [Docs →]│
│                                                        [Request Promotion] [Open Evidence] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Overview] [Targets] [Promotions] [Deployments] [Drift] [Evidence]                   │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ OVERVIEW                                                                                   │
│ ┌───────────────────────────────────────────────┐ ┌──────────────────────────────────────┐ │
│ │ RELEASE HISTORY (ledger)                      │ │ CURRENT RISK SNAPSHOT                │ │
│ │ v1.2.2 → v1.2.3 → v1.2.4 (current)            │ │ Gate summary: [PASS][WARN]           │ │
│ │ Last promotion: QA → Staging 6h ago           │ │ Reachability coverage: 89%           │ │
│ │ Evidence: EVD-2026-0044 (verified)            │ │ Drift since evidence: none           │ │
│ │ [Open Proof Chain]                            │ │ [Open Findings Impacting Staging]    │ │
│ └───────────────────────────────────────────────┘ └──────────────────────────────────────┘ │
│                                                                                            │
│ TARGETS (quick view)                                                                       │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Target            Type      Status   Deployed Digest   Last Seen   Action              │ │
│ │ stg-host-01       Docker    OK       sha256:abc…       1m ago      [Details]           │ │
│ │ stg-compose-02    Compose   OK       sha256:abc…       1m ago      [Details]           │ │
│ │ stg-ecs-service   ECS       OK       sha256:abc…       2m ago      [Details]           │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 8) DEPLOYMENTS — List (`/deployments`)

**Goal:** operational truth: deployments as executions with artifacts + evidence.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ DEPLOYMENTS                                                                                │
│ Execution history by environment and release, with evidence for every run.        [Docs →] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: [Env ▼] [Release ▼] [Status ▼] [Target Type ▼] [Date ▼] [Search…]                 │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Deployment     Env       Release   Started   Duration   Status   Evidence   Action     │ │
│ │ DEP-2026-045   Prod      v1.2.3    2h ago    3m12s      OK       Verified   [Open]     │ │
│ │ DEP-2026-044   Staging   v1.2.4    6h ago    2m55s      OK       Verified   [Open]     │ │
│ │ DEP-2026-043   QA        v1.2.5    10h ago   5m01s      FAILED   Partial    [Open]     │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 9) DEPLOYMENTS — Run Detail (`/deployments/:deployId`)

**Goal:** show workflow DAG, logs, generated artifacts (immutable), and evidence.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ DEPLOYMENT: DEP-2026-045                                                                   │
│ Env: Prod   Release: v1.2.3   Plan Hash: ph_91a…   Agent: prod-agent-02             [Docs→]│
│                                                  [Open Evidence] [Rollback] [Replay Verify]│
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Workflow] [Targets] [Artifacts] [Logs] [Evidence]                                   │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ WORKFLOW (DAG)                                                                             │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Fetch Digests → Generate compose.stella.lock.yml → Deploy → Verify → Seal Evidence     │ │
│ │ OK              OK                                 OK       OK       OK                │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
│                                                                                            │
│ ARTIFACTS (immutable outputs)                                                              │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ compose.stella.lock.yml     sha256:11a…     [View] [Download]                          │ │
│ │ deploy.stella.script.dll    sha256:22b…     [View] [Download]                          │ │
│ │ release.evidence.json       sha256:33c…     [View] [Download]                          │ │
│ │ stella.version.json         sha256:44d…     [View] [Download]                          │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 10) EVIDENCE — Evidence Center (`/evidence`)

**Goal:** one unified hub for evidence packets (release/promotion/deploy/audit), verification, export, replay.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE                                                                                   │
│ Search, verify, export signed evidence packets and proof chains.                   [Docs →]│
│                                                             [Create Audit Bundle] [Export] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: [Type ▼] [Release ▼] [Env ▼] [Signed ▼] [Verified ▼] [Date ▼] [Search…]           │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Evidence ID    Type        Subject             Signed  Verified  Snapshot    Action    │ │
│ │ EVD-2026-0045  Promotion   v1.2.5 QA→Staging   Yes     Yes       2026-01-15  [Open]    │ │
│ │ EVD-2026-0044  Deployment  DEP-2026-044        Yes     Yes       2026-01-15  [Open]    │ │
│ │ EVD-2026-0043  Release     v1.2.3              Yes     Yes       2026-01-14  [Open]    │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 11) EVIDENCE — Evidence Packet Viewer (`/evidence/:evidenceId`)

**Goal:** evidence as a structured “who/what/why/how/when” record + bundle contents + verify.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE PACKET: EVD-2026-0045                                                             │
│ Type: Promotion   Subject: v1.2.5 QA→Staging   Signed: YES   Verified: YES         [Docs →]│
│                                        [Download Bundle] [Open Proof Chain] [Replay Verify]│
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ SUMMARY (audit-friendly)                                                                   │
│ Who: user1@acme   What: release bundle sha256:7aa…2f   When: 2026-01-15 10:23 UTC          │
│ Why: Gate verdict BLOCK (reachability) + VEX WARN                                          │
│ How: workflow ph_91a…   agent prod-agent-02                                                │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ CONTENTS                                                                                   │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ SBOM (CycloneDX 1.7)            sha256:aa1…     [View] [Download]                      │ │
│ │ Policy verdict (K4 lattice)     sha256:bb2…     [View] [Explain]                       │ │
│ │ Reachability witness slice      sha256:cc3…     [Open Witness] [Export DOT]            │ │
│ │ VEX statements (OpenVEX)        sha256:dd4…     [View]                                 │ │
│ │ Attestations (DSSE)             sha256:ee5…     [View]                                 │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 12) SECURITY — Findings (release-aware) (`/security/findings`)

**Goal:** security becomes decision support: every finding shows **impact on releases/environments**.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY FINDINGS                                                                          │
│ Findings with reachability and release impact. Triage feeds the release gates.     [Docs →]│
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: [Search CVE/pkg/release…] [Severity ▼] [Reachability ▼] [Env Impact ▼] [Date ▼]   │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Sev   Finding        Component       Reachability (conf)  Impacts          Gate Impact │ │
│ │ CRIT  CVE-2026-1234  log4j@2.14.1    Reachable (0.82)     v1.2.5 Staging   BLOCK       │ │
│ │ HIGH  CVE-2026-5678  spring@5.2.1    Uncertain (0.55)     v1.2.6 QA        WARN        │ │
│ │ MED   CVE-2026-9012  commons-io@2.4  Unreachable (0.90)   v1.2.3 Prod      PASS        │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
│ Selecting a row opens a detail drawer: Witness, VEX status, Exceptions, Evidence links.    │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 13) SECURITY — Vulnerability Detail (impact-first) (`/security/vulnerabilities/:cveId`)

**Goal:** unify CVE intelligence with **where it matters** (deployed + gated) + VEX + reachability witness.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ VULNERABILITY: CVE-2026-1234                                                               │
│ Severity: Critical   CVSS: 9.8   EPSS: 0.72   Exploited: Yes (KEV)                 [Docs →]│
│                                             [Open Findings] [Open Evidence] [Open Witness] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ IMPACT (where it matters)                                                                  │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Deployed Environments: Staging (via v1.2.5), Prod (via v1.2.3)                         │ │
│ │ Gate Impact:           Blocks QA→Staging promotions for v1.2.5                         │ │
│ │ Fix path:              Upgrade log4j to 2.17.x (available)                             │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ REACHABILITY SUMMARY                                                                       │
│ State: Reachable   Confidence: 0.82   Witness: main()→processRequest()→Logger.log()→vuln() │
│ Guards: none detected   Dynamic loading: no                                                │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## 14) Reachability Witness Viewer (full page when needed) (`/witness/:id`)

**Goal:** this is your “best-in-class” differentiator page—clear, exportable, replayable.

```
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ REACHABILITY WITNESS                                                                       │
│ Subject: CVE-2026-1234   Component: log4j@2.14.1   Release: v1.2.5   Env: Staging  [Docs →]│
│ State: Reachable   Confidence: 0.82   Snapshot: 2026-01-15   Deterministic: YES            │
│                                              [Export DOT] [Export Mermaid] [Replay Verify] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ PATH (human-readable)                                                                      │
│ main() → processRequest() → Logger.log() → vulnerable_function()                           │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ EXPLANATION (why confidence is 0.82)                                                       │
│ • Static path found: yes                                                                   │
│ • Runtime signal present: yes                                                              │
│ • Guards detected: none                                                                    │
│ • Dynamic loading: no                                                                      │
│ • Reflection: no                                                                           │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ GRAPH (collapsed by default; expand on demand)                                             │
│ [ Expand Graph Viewer ]                                                                    │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```

---