# Stella Ops UI Structure - Part 5: Route Summary & Observations

---

## 1. COMPLETE ROUTE TABLE

### 1.1 Home & Dashboard Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/` | `HomeDashboardComponent` | features/home/ | requireAuthGuard |
| `/welcome` | `WelcomePageComponent` | features/welcome/ | - |
| `/dashboard/sources` | `SourcesDashboardComponent` | features/dashboard/ | - |

### 1.2 Analyze Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/findings` | `FindingsContainerComponent` | features/findings/container/ | requireAuthGuard |
| `/findings/:scanId` | `FindingsContainerComponent` | features/findings/container/ | requireAuthGuard |
| `/vulnerabilities` | `VulnerabilityExplorerComponent` | features/vulnerabilities/ | requireAuthGuard |
| `/vulnerabilities/:vulnId` | `VulnerabilityDetailComponent` | features/vulnerabilities/ | requireAuthGuard |
| `/graph` | `GraphExplorerComponent` | features/graph/ | requireAuthGuard |
| `/lineage` | `LineageGraphContainerComponent` | features/lineage/components/ | requireAuthGuard |
| `/lineage/:artifact/compare` | `LineageCompareComponent` | features/lineage/components/ | requireAuthGuard |
| `/lineage/compare` | `LineageCompareComponent` | features/lineage/components/ | requireAuthGuard |
| `/reachability` | `ReachabilityCenterComponent` | features/reachability/ | requireAuthGuard |
| `/admin/vex-hub` | `VexHubDashboardComponent` | features/vex-hub/ | requireAuthGuard |
| `/admin/vex-hub/search` | `VexStatementSearchComponent` | features/vex-hub/ | requireAuthGuard |
| `/admin/vex-hub/search/detail/:id` | `VexStatementDetailComponent` | features/vex-hub/ | requireAuthGuard |
| `/admin/vex-hub/stats` | `VexHubStatsComponent` | features/vex-hub/ | requireAuthGuard |
| `/admin/vex-hub/consensus` | `VexConsensusComponent` | features/vex-hub/ | requireAuthGuard |
| `/admin/vex-hub/explorer` | `VexHubComponent` | features/vex-hub/ | requireAuthGuard |
| `/analyze/unknowns` | unknownsRoutes | features/unknowns-tracking/ | requireAuthGuard |
| `/analyze/patch-map` | `PatchMapComponent` | features/binary-index/ | requireAuthGuard |
| `/scans/:scanId` | `ScanDetailPageComponent` | features/scans/ | - |
| `/compare/:currentId` | `CompareViewComponent` | features/compare/components/ | requireAuthGuard |
| `/cvss/receipts/:receiptId` | `CvssReceiptComponent` | features/cvss/ | requireAuthGuard |

### 1.3 Triage Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/triage/artifacts` | `TriageArtifactsComponent` | features/triage/ | requireAuthGuard |
| `/triage/artifacts/:artifactId` | `TriageWorkspaceComponent` | features/triage/ | requireAuthGuard |
| `/triage/audit-bundles` | `TriageAuditBundlesComponent` | features/triage/ | requireAuthGuard |
| `/triage/audit-bundles/new` | `TriageAuditBundleNewComponent` | features/triage/ | requireAuthGuard |
| `/exceptions` | `TriageArtifactsComponent` | features/triage/ | requireAuthGuard |
| `/risk` | `RiskDashboardComponent` | features/risk/ | requireAuthGuard |

### 1.4 Policy Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/policy-studio/packs` | `PolicyWorkspaceComponent` | features/policy-studio/workspace/ | requirePolicyViewerGuard |
| `/policy-studio/packs/:packId/editor` | `PolicyEditorComponent` | features/policy-studio/editor/ | requirePolicyAuthorGuard |
| `/policy-studio/packs/:packId/yaml` | `PolicyYamlEditorComponent` | features/policy-studio/yaml/ | requirePolicyAuthorGuard |
| `/policy-studio/packs/:packId/simulate` | `PolicySimulationComponent` | features/policy-studio/simulation/ | requirePolicySimulatorGuard |
| `/policy-studio/packs/:packId/approvals` | `PolicyApprovalsComponent` | features/policy-studio/approvals/ | requirePolicyReviewOrApproveGuard |
| `/policy-studio/packs/:packId/rules` | `PolicyRuleBuilderComponent` | features/policy-studio/rule-builder/ | requirePolicyAuthorGuard |
| `/policy-studio/packs/:packId/explain/:runId` | `PolicyExplainComponent` | features/policy-studio/explain/ | requirePolicyViewerGuard |
| `/policy-studio/packs/:packId/dashboard` | `PolicyDashboardComponent` | features/policy-studio/dashboard/ | requirePolicyViewerGuard |
| `/orchestrator` | `OrchestratorDashboardComponent` | features/orchestrator/ | requireOrchViewerGuard |
| `/orchestrator/jobs` | `OrchestratorJobsComponent` | features/orchestrator/ | requireOrchViewerGuard |
| `/orchestrator/jobs/:jobId` | `OrchestratorJobDetailComponent` | features/orchestrator/ | requireOrchViewerGuard |
| `/orchestrator/quotas` | `OrchestratorQuotasComponent` | features/orchestrator/ | requireOrchOperatorGuard |

### 1.5 Ops Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/sbom-sources` | `SourcesListComponent` | features/sbom-sources/components/ | requireAuthGuard |
| `/sbom-sources/new` | `SourceWizardComponent` | features/sbom-sources/components/ | requireAuthGuard |
| `/sbom-sources/:id` | `SourceDetailComponent` | features/sbom-sources/components/ | requireAuthGuard |
| `/sbom-sources/:id/edit` | `SourceWizardComponent` | features/sbom-sources/components/ | requireAuthGuard |
| `/ops/quotas` | quotaRoutes | features/quota-dashboard/ | requireAuthGuard |
| `/ops/quotas/tenants` | `TenantQuotaTableComponent` | features/quota-dashboard/ | requireAuthGuard |
| `/ops/quotas/tenants/:tenantId` | `TenantQuotaDetailComponent` | features/quota-dashboard/ | requireAuthGuard |
| `/ops/quotas/throttle` | `ThrottleContextComponent` | features/quota-dashboard/ | requireAuthGuard |
| `/ops/quotas/alerts` | `QuotaAlertConfigComponent` | features/quota-dashboard/ | requireAuthGuard |
| `/ops/quotas/forecast` | `QuotaForecastComponent` | features/quota-dashboard/ | requireAuthGuard |
| `/ops/quotas/reports` | `QuotaReportExportComponent` | features/quota-dashboard/ | requireAuthGuard |
| `/ops/orchestrator/dead-letter` | deadletterRoutes | features/deadletter/ | requireAuthGuard |
| `/ops/orchestrator/slo` | sloRoutes | features/slo-monitoring/ | requireAuthGuard |
| `/ops/health` | platformHealthRoutes | features/platform-health/ | requireAuthGuard |
| `/ops/feeds` | feedMirrorRoutes | features/feed-mirror/ | requireAuthGuard |
| `/ops/feeds/mirror/:mirrorId` | `MirrorDetailComponent` | features/feed-mirror/ | requireAuthGuard |
| `/ops/feeds/airgap/import` | `AirgapImportComponent` | features/feed-mirror/ | requireAuthGuard |
| `/ops/feeds/airgap/export` | `AirgapExportComponent` | features/feed-mirror/ | requireAuthGuard |
| `/ops/feeds/version-locks` | `VersionLockComponent` | features/feed-mirror/ | requireAuthGuard |
| `/ops/offline-kit` | offlineKitRoutes | features/offline-kit/ | requireAuthGuard |
| `/ops/aoc` | AOC_COMPLIANCE_ROUTES | features/aoc-compliance/ | requireAuthGuard |
| `/ops/doctor` | DOCTOR_ROUTES | features/doctor/ | requireAuthGuard |
| `/scheduler` | schedulerOpsRoutes | features/scheduler-ops/ | requireAuthGuard |
| `/scheduler/runs` | `SchedulerRunsComponent` | features/scheduler-ops/ | requireAuthGuard |
| `/scheduler/schedules` | `ScheduleManagementComponent` | features/scheduler-ops/ | requireAuthGuard |
| `/scheduler/workers` | `WorkerFleetComponent` | features/scheduler-ops/ | requireAuthGuard |

### 1.6 Notify Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/notify` | `NotifyPanelComponent` | features/notify/ | - |

### 1.7 Admin Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/console/admin` | consoleAdminRoutes | features/console-admin/ | requireAuthGuard + ui.admin |
| `/console/admin/tenants` | `TenantsListComponent` | features/console-admin/tenants/ | authority:tenants:read |
| `/console/admin/users` | `UsersListComponent` | features/console-admin/users/ | authority:users:read |
| `/console/admin/roles` | `RolesListComponent` | features/console-admin/roles/ | authority:roles:read |
| `/console/admin/clients` | `ClientsListComponent` | features/console-admin/clients/ | authority:clients:read |
| `/console/admin/tokens` | `TokensListComponent` | features/console-admin/tokens/ | authority:tokens:read |
| `/console/admin/audit` | `AuditLogComponent` | features/console-admin/audit/ | authority:audit:read |
| `/console/admin/branding` | `BrandingEditorComponent` | features/console-admin/branding/ | authority:branding:read |
| `/admin/audit` | auditLogRoutes | features/audit-log/ | requireAuthGuard |
| `/admin/notifications` | adminNotificationsRoutes | features/admin-notifications/ | requireAuthGuard |
| `/admin/trust` | trustAdminRoutes | features/trust-admin/ | requireAuthGuard + signer:read |
| `/admin/policy/governance` | policyGovernanceRoutes | features/policy-governance/ | requireAuthGuard |
| `/admin/policy/simulation` | policySimulationRoutes | features/policy-simulation/ | requireAuthGuard |
| `/admin/registries` | registryAdminRoutes | features/registry-admin/ | requireAuthGuard |
| `/admin/issuers` | issuerTrustRoutes | features/issuer-trust/ | requireAuthGuard |
| `/ops/scanner` | scannerOpsRoutes | features/scanner-ops/ | requireAuthGuard |
| `/concelier/trivy-db-settings` | `TrivyDbSettingsPageComponent` | features/trivy-db-settings/ | - |

### 1.8 Console Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/console/profile` | `ConsoleProfileComponent` | features/console/ | - |
| `/console/status` | `ConsoleStatusComponent` | features/console/ | - |
| `/console/configuration` | CONFIGURATION_PANE_ROUTES | features/configuration-pane/ | requireAuthGuard |

### 1.9 Release Orchestrator Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/release-orchestrator` | DASHBOARD_ROUTES | features/release-orchestrator/dashboard/ | requireAuthGuard |
| `/release-orchestrator/environments` | ENVIRONMENT_ROUTES | features/release-orchestrator/environments/ | requireAuthGuard |
| `/release-orchestrator/releases` | RELEASE_ROUTES | features/release-orchestrator/releases/ | requireAuthGuard |
| `/release-orchestrator/workflows` | WORKFLOW_ROUTES | features/release-orchestrator/workflows/ | requireAuthGuard |
| `/release-orchestrator/approvals` | APPROVAL_ROUTES | features/release-orchestrator/approvals/ | requireAuthGuard |
| `/release-orchestrator/deployments` | DEPLOYMENT_ROUTES | features/release-orchestrator/deployments/ | requireAuthGuard |
| `/release-orchestrator/evidence` | EVIDENCE_ROUTES | features/release-orchestrator/evidence/ | requireAuthGuard |

### 1.10 Evidence Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/evidence` | evidenceExportRoutes | features/evidence-export/ | requireAuthGuard |
| `/evidence/bundles` | `EvidenceBundlesComponent` | features/evidence-export/ | requireAuthGuard |
| `/evidence/export` | `ExportCenterComponent` | features/evidence-export/ | requireAuthGuard |
| `/evidence/replay` | `ReplayControlsComponent` | features/evidence-export/ | requireAuthGuard |
| `/evidence/provenance` | `ProvenanceVisualizationComponent` | features/evidence-export/ | requireAuthGuard |
| `/evidence-packs` | `EvidencePackListComponent` | features/evidence-pack/ | requireAuthGuard |
| `/evidence-packs/:packId` | `EvidencePackViewerComponent` | features/evidence-pack/ | requireAuthGuard |
| `/proofs/:subjectDigest` | `ProofChainComponent` | features/proof-chain/ | requireAuthGuard |

### 1.11 Integration Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/integrations` | integrationHubRoutes | features/integration-hub/ | requireAuthGuard |
| `/integrations/registries` | `IntegrationListComponent` | features/integration-hub/ | requireAuthGuard |
| `/integrations/scm` | `IntegrationListComponent` | features/integration-hub/ | requireAuthGuard |
| `/integrations/ci` | `IntegrationListComponent` | features/integration-hub/ | requireAuthGuard |
| `/integrations/hosts` | `IntegrationListComponent` | features/integration-hub/ | requireAuthGuard |
| `/integrations/feeds` | `IntegrationListComponent` | features/integration-hub/ | requireAuthGuard |
| `/integrations/activity` | `IntegrationActivityComponent` | features/integration-hub/ | requireAuthGuard |
| `/integrations/:integrationId` | `IntegrationDetailComponent` | features/integration-hub/ | requireAuthGuard |

### 1.12 Other Routes

| Route | Component | Location | Guards |
|---|---|---|---|
| `/ai-runs` | `AiRunsListComponent` | features/ai-runs/ | requireAuthGuard |
| `/ai-runs/:runId` | `AiRunViewerComponent` | features/ai-runs/ | requireAuthGuard |
| `/change-trace` | changeTraceRoutes | features/change-trace/ | requireAuthGuard |
| `/setup` | setupWizardRoutes | features/setup-wizard/ | - |
| `/auth/callback` | `AuthCallbackComponent` | features/auth/ | - |
| `**` | redirectTo: '' | - | - |

---

## 2. ROUTE COUNT SUMMARY

| Category | Route Count |
|---|---|
| Home & Dashboard | 3 |
| Analyze | 20 |
| Triage | 6 |
| Policy | 12 |
| Ops | 30+ |
| Notify | 1 |
| Admin | 17+ |
| Console | 3 |
| Release Orchestrator | 7 |
| Evidence | 8 |
| Integrations | 8 |
| Other | 5 |
| **TOTAL** | **~120+ routes** |

---

## 3. OBSERVATIONS

### 3.1 Navigation Structure Observations

1. **7 top-level navigation groups** defined in `navigation.config.ts`:
   - HOME, ANALYZE, TRIAGE, POLICY, OPS, NOTIFY, ADMIN
2. **Deep nesting in OPS section**: The Ops navigation group contains sub-items with their own children (e.g., Quotas has 6 sub-routes, SLO Monitoring has 3 sub-routes)
3. **Admin section size**: Admin group contains 17+ items in the navigation configuration
4. **Inconsistent route prefixes**:
   - VEX Hub is at `/admin/vex-hub` but shown in Analyze menu
   - Scanner Ops is at `/ops/scanner` but listed under Admin menu
   - Some scheduler routes are at `/scheduler` (not `/ops/scheduler`)

### 3.2 Feature Module Observations

1. **77 feature directories** under `src/app/features/`
2. **Duplicate/similar named modules**:
   - `evidence/` and `evidence-export/` and `evidence-pack/` and `evidence-thread/`
   - `proof/` and `proof-chain/` and `proof-studio/` and `proofs/`
   - `unknowns/` and `unknowns-tracking/`
   - `integrations/` and `integration-hub/`
   - `vex-hub/` and `vex-studio/`
   - `triage/` and `triage-inbox/`
   - `policy/` and `policy-gates/` and `policy-governance/` and `policy-simulation/` and `policy-studio/`
3. **Orphaned/unused modules** (exist as directories but not in main routes):
   - `advisory-ai/`
   - `aoc/` (vs `aoc-compliance/`)
   - `evidence/` (vs `evidence-export/`)
   - `exceptions/` (route uses triage component)
   - `integrations/` (vs `integration-hub/`)
   - `opsmemory/`
   - `policy/` (vs `policy-studio/`)
   - `proof/` (vs `proof-chain/`)
   - `proofs/` (vs `proof-chain/`)
   - `releases/` (vs release-orchestrator)
   - `runs/`
   - `sbom/`
   - `scores/`
   - `secret-detection/`
   - `settings/`
   - `snapshot/`
   - `sources/`
   - `triage-inbox/`
   - `unknowns/` (vs `unknowns-tracking/`)
   - `verdicts/`
   - `vex-studio/`
   - `vuln-explorer/` (vs `vulnerabilities/`)

### 3.3 Route Path Observations

1. **Mixed path conventions**:
   - Some use `/admin/` prefix: `/admin/vex-hub`, `/admin/trust`, `/admin/audit`
   - Some use `/console/admin/`: `/console/admin/tenants`, `/console/admin/users`
   - Some use `/ops/`: `/ops/quotas`, `/ops/health`, `/ops/feeds`
   - Some use root: `/scheduler`, `/evidence`, `/integrations`
2. **Inconsistent pluralization**:
   - `/vulnerabilities` (plural) vs `/risk` (singular)
   - `/findings` (plural) vs `/graph` (singular)
   - `/integrations` (plural) vs `/scheduler` (singular)
3. **Deep routes**:
   - `/policy-studio/packs/:packId/explain/:runId` - 5 segments
   - `/admin/vex-hub/search/detail/:id` - 5 segments
   - `/ops/orchestrator/dead-letter/queue` - 4 segments

### 3.4 Guard/Scope Observations

1. **Different guard patterns used**:
   - `requireAuthGuard` - basic authentication
   - `requireOrchViewerGuard` - orchestrator read access
   - `requireOrchOperatorGuard` - orchestrator operator access
   - `requirePolicyViewerGuard` - policy read
   - `requirePolicyAuthorGuard` - policy authoring
   - `requirePolicySimulatorGuard` - policy simulation
   - `requirePolicyReviewerGuard` - policy review
   - `requirePolicyApproverGuard` - policy approval
   - `requirePolicyReviewOrApproveGuard` - either review or approve
2. **Scope-based access defined in navigation config**:
   - `graph:read` for SBOM Graph
   - `policy:author`, `policy:simulate`, `policy:review`, `policy:approve`, `policy:read`
   - `ui.admin` for Admin section
3. **Some routes have no guards**: `/welcome`, `/notify`, `/scans/:scanId`, `/concelier/trivy-db-settings`

### 3.5 Dashboard Screen Observations

Multiple dashboard screens exist across the application:

1. **Home Dashboard** (`/`) - Security overview
2. **Orchestrator Dashboard** (`/orchestrator`) - Job management
3. **Policy Dashboard** (`/policy-studio/packs/:packId/dashboard`) - Per-pack metrics
4. **Quota Dashboard** (`/ops/quotas`) - License/quota metrics
5. **Platform Health Dashboard** (`/ops/health`) - Service health
6. **Feed Mirror Dashboard** (`/ops/feeds`) - Feed sync status
7. **Offline Dashboard** (`/ops/offline-kit/dashboard`) - Offline mode
8. **AOC Compliance Dashboard** (`/ops/aoc`) - Compliance metrics
9. **Release Dashboard** (`/release-orchestrator`) - Release pipeline
10. **VEX Hub Dashboard** (`/admin/vex-hub`) - VEX statements
11. **Doctor Dashboard** (`/ops/doctor`) - Diagnostics
12. **SLO Dashboard** (`/ops/orchestrator/slo`) - SLO health
13. **Dead-Letter Dashboard** (`/ops/orchestrator/dead-letter`) - Failed jobs
14. **Audit Dashboard** (`/admin/audit`) - Audit overview
15. **Trust Dashboard** (`/admin/trust/keys`) - Signing keys
16. **Sources Dashboard** (`/dashboard/sources`) - SBOM sources

### 3.6 Configuration/Settings Screen Observations

Multiple locations for configuration:

1. **Setup Wizard** (`/setup`) - Initial setup
2. **Configuration Pane** (`/console/configuration`) - Integration config
3. **Integration Hub** (`/integrations`) - Integration catalog
4. **Console Admin** (`/console/admin/*`) - User/tenant/role management
5. **Trust Admin** (`/admin/trust`) - Keys/certificates
6. **Registry Admin** (`/admin/registries`) - Registry tokens
7. **Notification Admin** (`/admin/notifications`) - Notification rules
8. **Policy Governance** (`/admin/policy/governance`) - Policy config
9. **Scanner Ops** (`/ops/scanner/settings`) - Scanner settings
10. **Quota Alert Config** (`/ops/quotas/alerts`) - Alert thresholds
11. **SLO Definitions** (`/ops/orchestrator/slo/definitions`) - SLO config
12. **Trivy DB Settings** (`/concelier/trivy-db-settings`) - Trivy config

### 3.7 Evidence/Proof Screen Observations

Multiple locations for evidence-related functionality:

1. **Evidence Center** (`/evidence`) - Bundles, export, replay, provenance
2. **Evidence Packs** (`/evidence-packs`) - Pack list/viewer
3. **Proof Chain** (`/proofs/:subjectDigest`) - Proof visualization
4. **Audit Bundles** (`/triage/audit-bundles`) - Audit evidence
5. **Release Evidence** (`/release-orchestrator/evidence`) - Release evidence

### 3.8 Shared Component Observations

Large number of shared components in `src/app/shared/components/`:

- 100+ shared components
- Mix of UI primitives (button, card, modal) and domain-specific (finding-detail, vex-status-chip)
- Some components are highly specific (e.g., `dsse-envelope-viewer`, `lattice-diagram`)

### 3.9 Feature Overlap Observations

1. **Findings vs Triage**: Both handle vulnerability findings with different workflows
2. **VEX Hub vs Triage VEX**: VEX decisions can be made in both places
3. **Evidence in multiple places**: Evidence features spread across 5 different feature modules
4. **Policy in multiple places**: Policy features spread across 5 different feature modules
5. **Audit logs in multiple places**: Console admin audit, unified audit log, trust audit, etc.

### 3.10 UI Pattern Observations

1. **Consistent patterns used**:
   - Tab navigation within features
   - Slide-out detail panels
   - Data tables with filters and pagination
   - Status badges with color coding (🟢🟡🔴)
   - Skeleton loading states
2. **Dashboard card pattern**: Used on home dashboard and several other dashboards
3. **Wizard pattern**: Used in setup wizard, source wizard, key rotation wizard
4. **Split-pane pattern**: Used in policy editor, triage workspace
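
The observation in section 3.4 that some routes carry no guard can be turned into a repeatable check. The following is an added example, not code from the Stella Ops repository: it walks an Angular-style route tree and lists the leaf routes that no guard covers. `RouteLike`, `PUBLIC_ALLOWLIST`, the sample routes and the choice of `canMatch` in them are assumptions made for illustration.

```typescript
// Added example. RouteLike is a minimal stand-in for Angular's Route type so
// the audit runs without @angular/router; field names follow the router API.
interface RouteLike {
  path?: string;
  redirectTo?: string;
  canMatch?: unknown[];
  canActivate?: unknown[];
  canActivateChild?: unknown[];
  children?: RouteLike[];
}

// Paths meant to be reachable before login (assumed for this example).
const PUBLIC_ALLOWLIST = new Set(['/welcome', '/auth/callback', '/setup']);

const has = (guards?: unknown[]): boolean => Array.isArray(guards) && guards.length > 0;

// Returns every leaf path that no guard covers. A leaf is covered when it or
// an ancestor declares canMatch/canActivate, or an ancestor declares
// canActivateChild. Lazy loadChildren trees are not followed.
function findUnguardedRoutes(routes: RouteLike[], prefix = '', inherited = false): string[] {
  const unguarded: string[] = [];
  for (const route of routes) {
    // Wildcards and redirects render no component of their own.
    if (route.path === undefined || route.path === '**' || route.redirectTo !== undefined) continue;
    const full = ('/' + prefix + '/' + route.path).replace(/\/+/g, '/').replace(/(.)\/$/, '$1');
    const covered = inherited || has(route.canMatch) || has(route.canActivate);
    if (route.children && route.children.length > 0) {
      const childCovered = covered || has(route.canActivateChild);
      unguarded.push(...findUnguardedRoutes(route.children, full, childCovered));
    } else if (!covered && !PUBLIC_ALLOWLIST.has(full)) {
      unguarded.push(full);
    }
  }
  return unguarded.sort();
}

// Constructed sample modelled on a few rows of the route table above; the
// guard function is a placeholder that always allows.
const requireAuthGuard = (): boolean => true;
const SAMPLE_ROUTES: RouteLike[] = [
  { path: '', canMatch: [requireAuthGuard] },
  { path: 'welcome' },
  { path: 'notify' },
  { path: 'scans/:scanId' },
  { path: 'findings/:scanId', canMatch: [requireAuthGuard] },
  { path: 'concelier/trivy-db-settings' },
  { path: 'ops', canActivateChild: [requireAuthGuard], children: [{ path: 'health' }, { path: 'feeds' }] },
  { path: 'auth/callback' },
  { path: '**', redirectTo: '' },
];

console.log(findUnguardedRoutes(SAMPLE_ROUTES));
```

Route guards only decide what the browser will navigate to; each backend endpoint behind these screens still has to enforce the same scopes.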