# Baseline Test Results — 2026-02-26

Pre-deployment baseline: code changes committed but NOT yet deployed to containers.

## Issue 1: API Errors (401 Unauthorized on every API call)

All API endpoints return **401 Unauthorized** (not 403 as originally estimated).
The bootstrap admin user has zero roles/scopes in its JWT token.

| Status | Endpoint | Category |
|--------|----------|----------|
| 401 | `/api/v2/context/regions` | Platform context |
| 401 | `/api/v1/platform/preferences/language` | Platform preferences |
| 401 | `/api/v1/platform/localization/locales` | Platform localization |
| 401 | `/console/branding?tenantId=default` | Console branding |
| 401 | `/api/v2/releases/approvals?status=pending` | Release approvals |
| 401 | `/api/release-jobengine/approvals?statuses=pending` | Release orchestrator |
| 401 | `/api/v1/platform/health/summary` | Platform health |
| 401 | `/api/v1/integrations?type=1&pageSize=1` | Integrations |
| 401 | `/api/v1/authority/quotas/history?aggregation=daily` | Authority quotas |
| 401 | `/scheduler/api/v1/scheduler/runs` | Scheduler |
| 404 | `/api/v1/notifier/rules` | Notifier (routing issue) |
| 404 | `/api/v1/signals?limit=200` | Signals (routing issue) |
| 404 | `/api/v1/audit/events?limit=10` | Audit (routing issue) |

**Root cause:** Bootstrap admin user created with `roles: Array.Empty<string>()`.
**Fix status:** Code changes applied (StandardPluginBootstrapper + StandardUserCredentialStore). Need container rebuild.

---

## Issue 2: Route Test Results (83 routes tested)

### Legend
- **OK** = Page renders its own component (unique H1, not "Dashboard")
- **FALLBACK** = Route hits the `**` wildcard and renders Dashboard instead of its own page
- **NO_H1** = Component renders but has no H1 element

---

### Mission Control (3 routes)

| Route | H1 | Status |
|-------|-----|--------|
| `/mission-control/board` | Dashboard | OK |
| `/mission-control/release-health` | Dashboard | FALLBACK |
| `/mission-control/security-posture` | Dashboard | FALLBACK |

**2 FALLBACK** — `release-health` and `security-posture` sub-routes don't exist in mission-control.routes.ts.

---

### Releases (15 routes)

| Route | H1 | Status |
|-------|-----|--------|
| `/releases` | Release Ops Overview | OK |
| `/releases/overview` | Release Ops Overview | OK |
| `/releases/versions` | Release Versions | OK |
| `/releases/versions/new` | Create Release Version | OK |
| `/releases/runs` | Release Runs | OK |
| `/releases/approvals` | Release Run Approvals Queue | OK |
| `/releases/promotion-queue` | Promotions | OK |
| `/releases/hotfixes` | Hotfixes | OK |
| `/releases/hotfixes/new` | Create Hotfix | OK |
| `/releases/environments` | Regions & Environments | OK |
| `/releases/deployments` | Deployments | OK |
| `/releases/bundles` | Dashboard | FALLBACK |

**1 FALLBACK** — `/releases/bundles` falls back to Dashboard. The route file `bundles.routes.ts` exists but the current **deployed** build doesn't include it (our fix adds it but isn't deployed yet).

**11 OK** — All core release routes work.

---

### Security (20 routes)

| Route | H1 | Status |
|-------|-----|--------|
| `/security` | Security / Posture | OK |
| `/security/posture` | Security / Posture | OK |
| `/security/triage` | Security / Triage | OK |
| `/security/supply-chain-data` | Security / Supply-Chain Data | OK |
| `/security/reachability` | Reachability Center | OK |
| `/security/reports` | Security Reports | OK |
| `/security/disposition` | Security / Advisories & VEX | OK |
| `/security/findings` | Dashboard | FALLBACK |
| `/security/vulnerabilities` | Dashboard | FALLBACK |
| `/security/advisory-sources` | Dashboard | FALLBACK |
| `/security/vex` | Dashboard | FALLBACK |
| `/security/exceptions` | Dashboard | FALLBACK |
| `/security/exceptions/approvals` | Dashboard | FALLBACK |
| `/security/lineage` | Dashboard | FALLBACK |
| `/security/risk` | Dashboard | FALLBACK |
| `/security/unknowns` | Dashboard | FALLBACK |
| `/security/patch-map` | Dashboard | FALLBACK |
| `/security/artifacts` | Dashboard | FALLBACK |
| `/security/symbol-sources` | Dashboard | FALLBACK |
| `/security/symbol-marketplace` | Dashboard | FALLBACK |
| `/security/remediation` | Dashboard | FALLBACK |
| `/security/sbom` | Dashboard | FALLBACK |
| `/security/sbom-lake` | Dashboard | FALLBACK |
| `/security/secret-detection` | Dashboard | FALLBACK |
| `/security/timeline` | Dashboard | FALLBACK |

**17 FALLBACK** — The deployed build still uses `security.routes.ts` (14 simplified routes), NOT `security-risk.routes.ts` (30+ comprehensive routes). Our fix swaps the import but isn't deployed yet.

**7 OK** — Only the routes defined in the old `security.routes.ts` work (posture, triage, supply-chain-data, reachability, reports, disposition, and the root).

---

### Evidence (6 routes)

| Route | H1 | Status |
|-------|-----|--------|
| `/evidence` | Evidence & Audit | OK |
| `/evidence/overview` | Evidence & Audit | OK |
| `/evidence/capsules` | NO_H1 | OK (renders, no H1) |
| `/evidence/verify-replay` | Verdict Replay | OK |
| `/evidence/exports` | Export Center | OK |
| `/evidence/audit-log` | Unified Audit Log | OK |

**0 FALLBACK** — All evidence routes work.

---

### Ops — Direct children (19 routes)

| Route | H1 | Status |
|-------|-----|--------|
| `/ops` | Ops | OK |
| `/ops/operations` | Platform Ops | OK |
| `/ops/operations/health-slo` | Platform Health | OK |
| `/ops/operations/scheduler` | Scheduler Runs | OK |
| `/ops/operations/quotas` | Operator Quota Dashboard | OK |
| `/ops/operations/offline-kit` | Offline Kit Management | OK |
| `/ops/operations/signals` | Signals Runtime Dashboard | OK |
| `/ops/operations/packs` | Pack Registry Browser | OK |
| `/ops/operations/feeds-airgap` | Feeds & Airgap | OK |
| `/ops/operations/data-integrity` | Data Integrity | OK |
| `/ops/integrations` | Integrations | OK |
| `/ops/policy` | Policy Governance | OK |
| `/ops/platform-setup` | Platform Setup | OK |
| `/ops/scanner-ops` | Dashboard | FALLBACK |
| `/ops/agents` | Dashboard | FALLBACK |
| `/ops/feeds` | Dashboard | FALLBACK |
| `/ops/airgap` | Dashboard | FALLBACK |
| `/ops/health-slo` | Dashboard | FALLBACK |
| `/ops/signals` | Dashboard | FALLBACK |
| `/ops/scheduler` | Dashboard | FALLBACK |
| `/ops/offline-kit` | Dashboard | FALLBACK |
| `/ops/quotas` | Dashboard | FALLBACK |
| `/ops/packs` | Dashboard | FALLBACK |

**10 FALLBACK** — All the new ops sub-routes and redirects we added aren't deployed yet.

**13 OK** — The original ops routes (operations/*, integrations, policy, platform-setup) all work.

---

### Setup (9 routes)

| Route | H1 | Status |
|-------|-----|--------|
| `/setup` | Setup | OK |
| `/setup/system` | System | OK |
| `/setup/topology/overview` | Topology | OK |
| `/setup/topology/environments` | Topology | OK |
| `/setup/integrations` | Integrations | OK |
| `/setup/identity-access` | Identity & Access | OK |
| `/setup/tenant-branding` | Tenant & Branding | OK |
| `/setup/notifications` | Notification Administration | OK |
| `/setup/usage` | Usage & Limits | OK |

**0 FALLBACK** — All setup routes work.

---

### Settings (1 route)

| Route | H1 | Status |
|-------|-----|--------|
| `/settings` | Integrations | OK |

**0 FALLBACK** — Settings works (though H1 says "Integrations" — may be a content issue).

---

### New Top-Level Routes (5 routes)

| Route | H1 | Status |
|-------|-----|--------|
| `/administration` | Dashboard | FALLBACK |
| `/administration/policy-governance` | Dashboard | FALLBACK |
| `/console-admin` | Dashboard | FALLBACK |
| `/platform/ops` | Dashboard | FALLBACK |
| `/platform/setup` | Dashboard | FALLBACK |

**5 FALLBACK** — All new top-level routes we added aren't deployed yet.

---

## Summary

### Route Test Totals

| Category | Tested | OK | FALLBACK | Notes |
|----------|--------|-----|----------|-------|
| Mission Control | 3 | 1 | 2 | release-health/security-posture sub-routes missing |
| Releases | 12 | 11 | 1 | bundles not deployed |
| Security | 25 | 7 | 18 | security-risk.routes swap not deployed |
| Evidence | 6 | 6 | 0 | All working |
| Ops (canonical) | 13 | 13 | 0 | All working |
| Ops (new aliases) | 10 | 0 | 10 | Redirects not deployed |
| Setup | 9 | 9 | 0 | All working |
| Settings | 1 | 1 | 0 | Working |
| New top-level | 5 | 0 | 5 | administration/console-admin/platform not deployed |
| **TOTAL** | **84** | **48** | **36** | |

### API Error Totals
- **10 endpoints** returning 401 Unauthorized (auth/scope issue)
- **3 endpoints** returning 404 Not Found (gateway routing issue)

---

## What the Deployed Fix Will Resolve

### After Authority container rebuild (Fix 1):
- Bootstrap admin gets `roles: ["admin"]` in user metadata
- Admin role seeded with all 150+ StellaOps scopes
- All 10 endpoints currently returning 401 should start returning 200
- The 3 returning 404 are gateway routing issues (separate problem)

### After Web container rebuild (Fix 2):
- 18 security FALLBACK routes should resolve (security-risk.routes swap)
- 10 ops alias/redirect FALLBACK routes should resolve
- 5 new top-level routes (administration, console-admin, platform) should resolve
- 1 releases/bundles route should resolve
- **Total: 34 of 36 FALLBACK routes should be fixed**

### Remaining after deployment (2 routes still expected to FALLBACK):
- `/mission-control/release-health` — needs route added to mission-control.routes.ts
- `/mission-control/security-posture` — needs route added to mission-control.routes.ts

---

## Next Steps

1. **Rebuild Authority container** — pick up bootstrap admin role + scope seeding
2. **Rebuild Web container** — pick up Angular route wiring
3. **Re-run this test** — verify 401s become 200s and 34 FALLBACKs become OK
4. **Fix remaining 2 mission-control sub-routes** if needed
5. **Investigate 3 API 404s** (notifier/rules, signals, audit/events) — likely gateway routing config