# UI-Driven Vulnerability Annotation and State Management

## Module
Web

## Status
VERIFIED

## Description
UI workflow for vulnerability lifecycle state management (`open -> in_review -> mitigated -> closed`, plus `false_positive` and `deferred` branches), VEX candidate review and approval, and auditable operator decision flow through the triage dashboard.

## Implementation Details
- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/vulnerabilities/`
- **Route surface**:
  - `src/Web/StellaOps.Web/src/app/app.routes.ts` (`/vulnerabilities/triage`)
- **Components**:
  - `vuln-triage-dashboard` (`src/Web/StellaOps.Web/src/app/features/vulnerabilities/components/vuln-triage-dashboard/vuln-triage-dashboard.component.ts`)
  - `vulnerability-detail` (`src/Web/StellaOps.Web/src/app/features/vulnerabilities/vulnerability-detail.component.ts`)
  - `vulnerability-explorer` (`src/Web/StellaOps.Web/src/app/features/vulnerabilities/vulnerability-explorer.component.ts`)
- **APIs/Models**:
  - `src/Web/StellaOps.Web/src/app/core/api/vuln-annotation.client.ts`
  - `src/Web/StellaOps.Web/src/app/core/api/vuln-annotation.models.ts`
- **Behavior coverage**:
  - `src/Web/StellaOps.Web/src/tests/vulnerabilities/ui-driven-vulnerability-annotation-and-state-management.behavior.spec.ts`
- **Source**: `SPRINT_4000_0100_0002_vuln_annotation.md`

## E2E Test Plan
- **Setup**:
  - [ ] Log in with a user that has vulnerability triage permissions
  - [ ] Navigate to `/vulnerabilities/triage`
  - [ ] Ensure fixture/API data exists for findings and pending VEX candidates
- **Core verification**:
  - [ ] Verify summary, findings, and VEX candidate lists load on dashboard init
  - [ ] Verify state transition modal submits target state/justification and refreshes state
  - [ ] Verify candidate approve/reject actions submit deterministic payloads and refresh candidate/summary views
  - [ ] Verify details action routes to `/vulnerabilities/:vulnId`
- **Edge cases**:
  - [ ] Verify graceful handling when vulnerability annotation APIs are unavailable
  - [ ] Verify empty-list rendering for filtered findings/candidates
  - [ ] Verify accessibility basics (keyboard navigation and semantic labels)

## Verification
- Run ID: `docs/qa/feature-checks/runs/web/ui-driven-vulnerability-annotation-and-state-management/run-001/`
- Date (UTC): 2026-02-11
- Tier 0: PASS (source/symbol verification for triage route mounting, details navigation wiring, and supported behavior harness under `src/tests/**`).
- Tier 1: PASS (`npm run test` focused suite: 25 files / 123 tests; `npm run build` passed with known baseline warnings).
- Tier 2: PASS (route declaration, init data load, state transition flow, candidate approve/reject flow, and details-route navigation behavior).