# Stella Ops β€” QA Issues Report **Date:** 2026-02-19 **Tester:** Claude Code (Playwright automated walkthrough) **Stack:** Fresh `docker compose up` from `devops/compose/docker-compose.stella-ops.yml` **Auth:** `admin` / default credentials **Base URL:** `https://stella-ops.local/` **Build:** v1.0.0 (as shown in sidebar footer) --- ## Summary | Severity | Count | |----------|-------| | πŸ”΄ Critical | 1 | | 🟠 High | 4 | | 🟑 Medium | 7 | | πŸ”΅ Low | 6 | | **Total** | **18** | --- ## πŸ”΄ Critical ### ISSUE-001 β€” All v2 navigation routes redirect to home (`/`) **Pages:** `/release-control/*`, `/security-risk/*`, `/evidence-audit/*`, `/platform-ops/*`, `/administration/*`, `/dashboard` **Reproduction:** Navigate to any of the 22+ new v2 IA routes introduced in SPRINT_20260218_006–016. **Observed:** Every route silently redirects to `/` (Control Plane dashboard). No 404, no error β€” just home. **Expected:** Each route renders its designated v2 component. **Impact:** The entire v2 information architecture (Release Control, Security & Risk, Evidence & Audit, Platform Ops, Administration, Dashboard v3) is inaccessible. Only the old v1 routes work. **Notes:** This is the primary blocker for SPRINT_20260218 sprint delivery. The new sidebar components exist in source but the routes are not wired to the deployed build. The `/integrations` route is the only v2-era route that partially works. **Affected routes tested:** ``` /release-control β†’ / (Control Plane) /release-control/releases β†’ / /release-control/approvals β†’ / /release-control/environmentsβ†’ / /release-control/bundles β†’ / /release-control/promotions β†’ / /release-control/runs β†’ / /security-risk β†’ / /security-risk/findings β†’ / /security-risk/advisory-sources β†’ / /security-risk/vulnerabilities β†’ / /evidence-audit β†’ / /evidence-audit/packs β†’ / /evidence-audit/proofs β†’ / /evidence-audit/audit β†’ / /platform-ops β†’ / /platform-ops/health β†’ / /platform-ops/feeds β†’ / /administration β†’ / /administration/identity-access β†’ / /administration/policy-governance β†’ / /dashboard β†’ / ``` --- ## 🟠 High ### ISSUE-002 β€” Integration Hub (`/integrations`) fires 10 API errors on load **Page:** `https://stella-ops.local/integrations` **Reproduction:** Navigate to `/integrations`. **Observed:** Page loads visually (shows Integration Hub with all category counts as 0) but generates 10 console errors: ``` Failed to load resource: server responded with an error /api/v1/integrations?type=0&pageSize=1 /api/v1/integrations?type=1&pageSize=1 /api/v1/integrations?type=2&pageSize=1 /api/v1/integrations?type=3&pageSize=1 /api/v1/integrations?type=4&pageSize=1 (plus 5x "ERROR N @ chunk-2UEM7CYT.js:3") ``` **Expected:** API calls succeed; summary counts reflect actual integration state (the old `/settings/integrations` shows 8 integrations with seed data). **Impact:** The v2 Integration Hub is broken β€” all counts show 0 and the "Recent Activity" section shows a placeholder ("Integration activity timeline coming soon…"). Users cannot use this page. **Note:** `/settings/integrations` works correctly (8 integrations shown). The backend API endpoint `/api/v1/integrations` may not be connected to the integrations service. --- ### ISSUE-003 β€” After creating a release, redirects to orphaned route `/release-orchestrator/releases` **Page:** `/releases/create` **Reproduction:** Create a release through the 3-step wizard β†’ click "Create Release" on step 3. **Observed:** After submit, browser navigates to `/release-orchestrator/releases`. **Expected:** Should navigate to `/releases` (the current releases list route). **Impact:** The post-create redirect lands on an old route that no longer exists in the sidebar IA and was renamed. The URL works (Angular handles it), but it's a stale reference that will break when the old route aliases are removed during the v2 cutover (SPRINT_20260218_016). --- ### ISSUE-004 β€” Identity & Access (`/settings/admin`) shows "No users found" with admin logged in **Page:** `https://stella-ops.local/settings/admin` **Reproduction:** Navigate to Settings β†’ Identity & Access β†’ Users tab. **Observed:** "No users found" message shown even though the `admin` user is currently authenticated. **Expected:** At minimum the `admin` user should appear in the user list. **Impact:** Administrators cannot view or manage users from this page. User management is effectively broken. **Screenshot context:** Bootstrap admin email is `admin@unknown.local` (possibly indicating the user was seeded without persisting to the listing query). --- ### ISSUE-005 β€” Approvals badge count (3) does not match Pending filter results (2) **Page:** `/approvals` **Reproduction:** Observe sidebar badge β†’ click through to Approvals page β†’ filter defaults to "Pending" status. **Observed:** - Sidebar badge: **3 pending** - Pending filter: **Results (2)** - All filter: **Results (4)** **Expected:** Badge should equal the "Pending" filtered count. The badge logic and the pending query are sourced differently. **Impact:** Misleading count for approvers β€” could cause someone to think they've missed an item or search for a non-existent third pending approval. --- ## 🟑 Medium ### ISSUE-006 β€” Platform Health shows "NaNms" P95 latency and "/" service count **Page:** `https://stella-ops.local/operations/health` **Reproduction:** Navigate to Operations β†’ Platform Health. **Observed:** - "Avg Latency **NaNms** β€” P95 across services" - "Services **/** Healthy" (shows a bare `/` instead of a number) - "No services available in current snapshot" - "Dependencies: 0 nodes Β· 0 connections" **Expected:** Should show either real service health data or a meaningful empty state ("No health data available yet" with guidance). **Impact:** The health dashboard is completely non-functional on a fresh install. The NaN renders because it divides by zero services. The "/" is a formatting bug where a fraction like "0/0" is rendered without the surrounding numbers. --- ### ISSUE-007 β€” Approve button on Approvals list has no confirmation step **Page:** `/approvals` **Reproduction:** On the approvals list, click "Approve" directly on any approval card. **Observed:** No confirmation dialog, modal, or reason input appears. The action fires silently (or may silently fail β€” no success/error toast was observed). **Expected:** A confirmation dialog or inline form should appear asking for a decision reason, especially since approvals are policy-gated actions that must produce signed evidence. **Impact:** Accidental approvals are possible with a single click. Audit trail for the decision reason is missing if no reason is captured. --- ### ISSUE-008 β€” SBOM Graph is a placeholder: "not yet available in this build" **Page:** `https://stella-ops.local/security/sbom` **Reproduction:** Navigate to Security β†’ SBOM Graph. **Observed:** Page renders with heading "SBOM Graph" and single message: "SBOM graph visualization is not yet available in this build." **Expected:** SBOM dependency graph visualization. **Impact:** Feature is advertised in navigation but completely unimplemented in the deployed build. --- ### ISSUE-009 β€” Vulnerabilities page is a placeholder: "pending data integration" **Page:** `https://stella-ops.local/security/vulnerabilities` **Reproduction:** Navigate to Security β†’ Vulnerabilities. **Observed:** Page renders with heading "Vulnerabilities" and message: "Vulnerability list is pending data integration." **Expected:** Vulnerability explorer with CVE list, filters, and triage actions. **Impact:** Feature is advertised in navigation but has no functional content. --- ### ISSUE-010 β€” Promote button on a deployed release does nothing **Page:** `/releases/rel-001` (Platform Release 1.2.3 β€” DEPLOYED) **Reproduction:** Click the "Promote" button on a deployed release detail page. **Observed:** No navigation, no modal, no drawer β€” the page stays unchanged. **Expected:** A promotion dialog or navigation to the promotion wizard. **Impact:** Users cannot initiate a promotion from the release detail page β€” a core workflow action is broken. --- ### ISSUE-011 β€” Security sub-pages carry wrong ``: "Security Overview - StellaOps" **Pages affected:** - `/security/findings` β†’ title: "Security Overview - StellaOps" - `/security/vex` β†’ title: "Security Overview - StellaOps" - `/security/sbom` β†’ title: "Security Overview - StellaOps" **Expected:** Each page should have its own title, e.g. "Security Findings - StellaOps", "VEX Hub - StellaOps". **Impact:** Browser tabs, bookmarks, and screen-reader announcements all say "Security Overview" regardless of which security sub-page is open. Causes confusion and breaks accessibility. --- ### ISSUE-012 β€” Integration Hub "Recent Activity" is a permanent placeholder **Page:** `https://stella-ops.local/integrations` **Observed:** "Integration activity timeline coming soon…" italic placeholder text under Recent Activity heading. **Expected:** Activity timeline showing integration sync events, errors, and status changes. **Impact:** The activity view the section promises is not implemented. --- ## πŸ”΅ Low ### ISSUE-013 β€” Many pages have generic `<title>` "StellaOps" (no page context) **Pages affected:** | Route | Title | |-------|-------| | `/security/vulnerabilities` | StellaOps | | `/evidence/proof-chains` | StellaOps | | `/evidence/replay` | StellaOps | | `/evidence/export` | StellaOps | | `/operations/orchestrator` | StellaOps | | `/settings/integrations` | StellaOps | | `/settings/release-control` | StellaOps | | `/settings/security-data` | StellaOps | | `/settings/admin` | StellaOps | | `/settings/system` | StellaOps | **Expected:** `<Page Name> - StellaOps` **Impact:** Browser tabs are undifferentiable, bookmarks are unlabelled, screen readers announce the wrong page context. This likely affects all pages whose route modules don't call Angular's `Title` service. --- ### ISSUE-014 β€” Release detail breadcrumb references old "Release Orchestrator" path **Page:** `/releases/rel-001` **Observed:** Breadcrumb reads: `Release Orchestrator / Releases / Platform Release 1.2.3` **Links to:** `/release-orchestrator` and `/release-orchestrator/releases` **Expected:** `Releases / Platform Release 1.2.3` (linking to `/releases`) **Impact:** Clicking the breadcrumb links navigates to old route aliases that will be removed at v2 cutover. Low impact now; will become a broken link after SPRINT_20260218_016. --- ### ISSUE-015 β€” Evidence Proof Chains page shows error state on load with no input **Page:** `https://stella-ops.local/evidence/proof-chains` **Observed:** Page immediately shows "Subject digest is required β€” Retry" with no input field offered. **Expected:** An empty state with a search or input field to enter a subject digest; error should only appear after a failed search. **Impact:** Page is confusing on first load β€” appears broken but is just waiting for a digest input that it never prompts for. --- ### ISSUE-016 β€” `/evidence` redirects to `/evidence/bundles` (not to Packets) **Page:** Navigate to `/evidence` (from Evidence nav button). **Observed:** Redirects to `/evidence/bundles` β€” heading "Evidence Bundles". **Expected per sidebar label:** "Packets" (sidebar link text) β€” `/evidence` should land on Evidence Packets, not Evidence Bundles. The sub-page URL `/evidence/bundles` is not in the sidebar nav. **Impact:** Minor navigation inconsistency β€” sidebar says "Packets", page says "Bundles", route says "bundles". Naming is not aligned. --- ### ISSUE-017 β€” Scheduler nav link lands on `/operations/scheduler/runs` not `/operations/scheduler` **Page:** Click Operations β†’ Scheduler in the sidebar. **Observed:** Navigates to `/operations/scheduler/runs`. **Expected:** `/operations/scheduler` (the root scheduler page) with the runs as a sub-view. **Impact:** Minor β€” the redirect is functional but means the scheduler root route appears to have no direct landing page. --- ### ISSUE-018 β€” `/settings/admin` is labeled "Identity & Access" in sidebar but Settings section uses "Identity & Access" inconsistently **Page:** Settings group in sidebar. **Observed:** The Settings sidebar link for the admin page reads "Identity & Access", which is correct β€” but the page was also previously accessible at the legacy path `/settings/admin`. The link in the sidebar still uses `/settings/admin` (the implementation path) rather than a semantic path like `/settings/identity`. **Impact:** Minor URL semantics issue; the path exposes an internal implementation name (`admin`) rather than the user-facing label (`identity-access`). --- ## Pages Verified β€” No Issues | Page | URL | Status | |------|-----|--------| | Welcome / Sign In | `/welcome` | βœ… | | Control Plane Dashboard | `/` | βœ… | | Releases List | `/releases` | βœ… | | Release Detail | `/releases/rel-001` | βœ… (Promote broken, see ISSUE-010) | | Approvals List | `/approvals` | βœ… (count mismatch, see ISSUE-005) | | Approval Detail | `/approvals/apr-001` | βœ… | | Security Overview | `/security/overview` | βœ… | | Security Findings | `/security/findings` | βœ… | | Security VEX Hub | `/security/vex` | βœ… | | Security Exceptions | `/security/exceptions` | βœ… | | SBOM Lake | `/analytics/sbom-lake` | βœ… | | Evidence Bundles | `/evidence/bundles` | βœ… | | Verdict Replay | `/evidence/replay` | βœ… | | Export Center | `/evidence/export` | βœ… | | Orchestrator Dashboard | `/operations/orchestrator` | βœ… | | Scheduler Runs | `/operations/scheduler/runs` | βœ… | | Quota Dashboard | `/operations/quotas` | βœ… | | Dead-Letter Queue | `/operations/dead-letter` | βœ… | | Feed Mirror & AirGap | `/operations/feeds` | βœ… | | Integrations (legacy) | `/settings/integrations` | βœ… | | Integrations SCM | `/integrations/scm` | βœ… | | Integrations Registries | `/integrations/registries` | βœ… | | Integration Detail | `/settings/integrations/jenkins-1` | βœ… | | Integration Onboarding | `/integrations/onboarding/registry` | βœ… | | Release Control Settings | `/settings/release-control` | βœ… | | Trust & Signing | `/settings/trust` | βœ… | | Security Data | `/settings/security-data` | βœ… | | Tenant / Branding | `/settings/branding` | βœ… | | Usage & Limits | `/settings/usage` | βœ… | | Notifications | `/settings/notifications` | βœ… | | Policy Governance | `/settings/policy` | βœ… | | System | `/settings/system` | βœ… | | Create Release Wizard (3 steps) | `/releases/create` | βœ… (redirect bug, see ISSUE-003) | --- ## Actions Verified | Action | Result | |--------|--------| | Sign In (OAuth/OIDC) | βœ… Works | | Global Search (type "hotfix") | βœ… Inline results shown | | Sidebar expand/collapse all sections | βœ… Works | | Release list filter by status/environment | βœ… Works | | Release detail Timeline tab | βœ… Works | | Approval list filter by Status/Environment | βœ… Works | | Approval detail Explain gate | βœ… Opens explanation | | Approval detail Add Comment | βœ… Comment saved | | Create Release wizard (3 steps) | βœ… Completes (bad redirect after) | | Export CSV (Findings) | βœ… Button present | | Add Integration (opens onboarding) | βœ… Navigates to onboarding | | User menu (Profile / Settings / Sign out) | βœ… All present | --- ## Environment Notes - Fresh install with no scan data β†’ all security counters (CVE counts, SBOM, reachability) are zero. Zero counts are **expected**, not bugs. - Seed data is present for: Releases (5), Approvals (4), Integrations (8), and some environmental data. - Several services reported `unhealthy` in Docker (`stellaops-signals`, `stellaops-smremote`, `stellaops-advisory-ai-worker`, etc.) β€” these backend health states may explain some of the data gaps (Platform Health no snapshot, Integration Hub API failures).