# Topology And Trust Administration ## Purpose - Make `Setup > Topology` and `Setup > Trust & Signing` the canonical owners for environment inventory and trust administration. - Keep legacy `settings`, `administration`, `admin`, and `platform/setup` entry points usable without preserving the old split-product shells. ## Canonical Owner - Owner shells: - `Setup > Topology` - `Setup > Trust & Signing` - Primary routes: - `/setup/topology/overview` - `/setup/topology/map` - `/setup/topology/regions` - `/setup/topology/targets` - `/setup/topology/hosts` - `/setup/topology/agents` - `/setup/topology/promotion-graph` - `/setup/topology/workflows` - `/setup/topology/gate-profiles` - `/setup/topology/connectivity` - `/setup/topology/runtime-drift` - `/setup/trust-signing` - `/setup/trust-signing/keys` - `/setup/trust-signing/issuers` - `/setup/trust-signing/certificates` - `/setup/trust-signing/watchlist` - `/setup/trust-signing/watchlist/entries` - `/setup/trust-signing/watchlist/alerts` - `/setup/trust-signing/watchlist/tuning` - `/setup/trust-signing/audit` - `/setup/trust-signing/airgap` - `/setup/trust-signing/incidents` - `/setup/trust-signing/analytics` - Secondary handoff route: - `/ops/platform-setup` ## Legacy Alias Policy - Preserve stale bookmarks and old links by redirecting: - `/platform/setup` - `/platform/setup/regions-environments` - `/platform/setup/promotion-paths` - `/platform/setup/workflows-gates` - `/platform/setup/gate-profiles` - `/platform/setup/trust-signing` - `/platform/setup/trust-signing/:page` - `/settings/trust` - `/settings/trust/issuers` - `/settings/trust/:page` - `/administration/trust` - `/administration/trust/issuers` - `/administration/trust/:page` - `/admin/trust` - `/admin/trust/:page` - `/admin/issuers` - Redirects must preserve query params and fragments so tenant, region, environment, and tab context survive the handoff. ## UX Rules - `Platform Setup` is a setup overview and handoff page, not the owner of topology or trust subtrees. - `Topology` owns region, environment, target, agent, promotion, workflow, gate-profile, connectivity, and runtime-drift navigation. - `Trust & Signing` owns keys, issuers, certificates, watchlist, audit, air-gap trust posture, incidents, and analytics. - Legacy settings or admin trust URLs should land directly on the live trust shell instead of placeholder pages. ## Preserved Value - Keep: - topology inventory and graph drill-ins - promotion, workflow, and gate-profile setup - trust summary, issuer management, certificate inventory, and watchlist - trust audit, incident, analytics, and air-gap administration - Why: - these are core release-setup capabilities, not experimental side branches - the product issue was weak wiring and stale route ownership, not missing product value ## Shipped In This Cut - Canonical setup alias helpers for trust and platform-setup handoffs. - Top-level `/admin/*` compatibility redirects for trust and notification bookmarks. - Expanded `Topology` shell tabs so preserved mounted pages are reachable from the live setup shell. - Preserved canonical `/ops/platform-setup/*` leaf URLs while keeping explicit topology drill-ins under `Setup > Topology`. - Retired live trust-placeholder ownership in favor of the real `Trust Management` shell. ## Related Docs - `docs/features/checked/web/topology-trust-administration-ui.md` - `docs/features/checked/web/platform-setup-canonical-route-preservation-ui.md` - `docs/modules/ui/watchlist-operations/README.md` - `docs/modules/ui/platform-ops-consolidation/README.md` - `docs/modules/ui/platform-setup-canonical-route-preservation/README.md` - `docs/modules/ui/component-preservation-map/RESTORATION_PRIORITIES.md`