# Identity Watchlist ## Implementation Status - Status: `shipped` - Owner shell: `Setup > Trust & Signing` - Canonical routes: - `/setup/trust-signing/watchlist/entries` - `/setup/trust-signing/watchlist/alerts` - `/setup/trust-signing/watchlist/tuning` - Secondary entry points: - `Mission Control > Alerts` deep-links into `Alerts` - `Ops > Notifications` deep-links into `Tuning` and `Alerts` ## Recommendation Restore Watchlist as a narrow operational shell owned by `Setup > Trust & Signing`, not as a standalone top-level product. - Canonical mount: `/setup/trust-signing/watchlist` - Suggested user-facing title: `Identity Watchlist` - Suggested nav label: `Watchlist` This capability is primarily about trust policy administration around signer identities, with alert outcomes surfaced into `Mission Control` and `Ops > Notifications`. ## Why This Is The Right Shape - The current implementation already supports CRUD, pattern testing, scope, severity, deduplication, and alert history. - Those are configuration and trust-governance behaviors, not a broad cross-product workspace. - The supporting runbook and Attestor guide describe watchlist as an operator control around identities and alerting hygiene. - The best product shape is one owned shell with secondary visibility in alert-centric surfaces. ## Operator Modes ### 1. Tenant Trust Mode - Used by tenant operators tuning their own issuer, SAN, or key-id watch rules. - Focus: entries, scopes, severity, enable/disable, and match testing. ### 2. Platform Trust Admin Mode - Used by system admins managing global and system-scoped entries. - Focus: global coverage, noisy patterns, dedup performance, and notification routing. ### 3. Incident Triage Mode - Entered from `Mission Control > Alerts` or `Ops > Notifications`. - Focus: alert detail, matched identity context, and jumping back into the owning watchlist rule. ## Recommended IA ### Primary tabs - `Entries` - list, filter, create, edit, enable/disable, delete, and test matching rules - `Alerts` - recent watchlist alerts, alert severity, tenant/source context, and jump-to-entry actions - `Tuning` - dedup windows, notification channels, alert volume controls, and performance guidance ### Header context - scope switcher: `Tenant`, `Global`, `System` - summary chips: - enabled entries - alerts last 24h - suppression ratio - scan latency p99 ## Page Anatomy ### Entries tab - left: searchable/filterable table with scope, match mode, severity, enabled state, and recent-match count - right: split detail panel or drawer for create/edit - row actions: - enable/disable - edit - duplicate - delete - test pattern ### Alerts tab - top filters: - severity - time window - scope - tenant - suppression state - main list: - alert time - matched entry - signer identity - source channel - dedup status - detail drawer: - raw match context - related entry - recent similar alerts - jump to Mission Control or Notifications if needed ### Tuning tab - cards for: - dedup effectiveness - scan latency - top noisy rules - notification channel health - forms for: - default dedup window - per-severity channel overrides - alert storm guidance ## Route Contract Keep one canonical route family under trust/signing setup. ### Canonical routes - `/setup/trust-signing/watchlist` - `/setup/trust-signing/watchlist/entries` - `/setup/trust-signing/watchlist/alerts` - `/setup/trust-signing/watchlist/tuning` ### Query-param state - `tab=entries|alerts|tuning` - `scope=tenant|global|system` - `entryId=` for opening the edit drawer - `alertId=` for opening the alert detail drawer - `returnTo=` when entered from Mission Control or Notifications ### Alias and entry rules - `Mission Control > Alerts` should deep-link into `?tab=alerts&alertId=...` - `Ops > Notifications` should deep-link into `?tab=tuning` - no separate sidebar product or parallel route family should exist ## What To Merge ### Merge into `Entries` - `WatchlistPageComponent` list mode - existing create/edit form - existing pattern test behavior ### Merge into `Alerts` - `WatchlistPageComponent` alert table and alert drill-down behavior ### Merge into `Tuning` - duplicate-suppression controls - notification behavior controls - runbook-driven KPIs and tuning guidance ## Single Actions And Supporting Surfaces ### Create or edit rule - use a drawer or split detail panel inside `Entries` - add a standalone route only if audit/history requires a permalink ### Test pattern - keep inside the edit experience - never give it a dedicated page ### Alert detail - open as a drawer from `Alerts` - preserve deep links via `alertId` ### Dedup diagnostics - keep in `Tuning` - optionally expose summary KPIs in `Ops > Notifications` ## Cross-Product Entry Points - `Mission Control > Alerts` - watchlist source chip opens the `Alerts` tab - `Ops > Notifications` - channel health card links to `Tuning` - `Security` or `Evidence` surfaces - only deep-link to alert detail when a signer-identity event matters to an investigation ## UI Standards For Implementation - Use one shell component with tabbed child routes or stable tab state. - Preserve scope awareness in header and filters. - Support list/detail without forcing route churn for every edit. - Keep alert outcomes visible in mission/notification surfaces without duplicating the configuration shell. - Preserve deterministic sort order for entries and alerts. ## Non-Goals - Do not make Watchlist a top-level sidebar product. - Do not split configuration and alert history across different owner areas. - Do not move trust ownership into Mission Control. ## Source Inputs - `docs/modules/attestor/guides/identity-watchlist.md` - `docs/operations/watchlist-monitoring-runbook.md` - `docs/features/checked/web/identity-watchlist-management-ui.md` - `src/Web/StellaOps.Web/src/app/features/watchlist/watchlist-page.component.ts` - `src/Web/StellaOps.Web/src/app/routes/mission-control.routes.ts` - `src/Web/StellaOps.Web/src/app/routes/operations.routes.ts`