## Pack 5 — Integrations + Administration + moved “Policy Governance” + moved “Trust & Signing”

Below are **(1) Mermaid graphs** for the **menus** and for **each screen**, and **(2) an ASCII mock** per screen, each preceded by: **where it lived before + why it moved**. (Where you see “Formerly: …” that’s intended to be shown on-screen under the title as a small breadcrumb/helper label, per your requirement.)

---

# 1) Integrations

## 1.1 Integrations menu graph (Mermaid)

```mermaid
graph TD
  IN_ROOT["Integrations (root menu)"] --> IN_OV["Connections (Overview)"]
  IN_ROOT --> IN_CATALOG["Catalog / Add Integration"]
  IN_ROOT --> IN_SEC_DATA["Security Data Sources (CVE/VEX/Advisories)"]
  IN_ROOT --> IN_SENSORS["Sensors & Reachability Sources (Build/Image/Runtime)"]
  IN_OV --> IN_DETAIL["Integration Detail"]
  IN_DETAIL --> IN_TEST["Test Connection"]
  IN_DETAIL --> IN_SYNC["Sync & Health History"]
  IN_DETAIL --> IN_PERMS["Scopes / Permissions"]
  IN_DETAIL --> IN_IMPACT["Impact Map: Releases, Bundles, SBOM, Approvals, Evidence"]
  IN_DETAIL --> IN_ALERTS["Alerts & Routing"]
  IN_CATALOG --> IN_ADD["Add Integration Wizard"]
  IN_ADD --> IN_DETAIL
  IN_SEC_DATA --> IN_FEEDS["Feeds: NVD / OSV / Vendor / Internal"]
  IN_FEEDS --> IN_FEED_DETAIL["Feed Detail (sync status, errors, retention)"]
  IN_SENSORS --> IN_BUILD["Build Reachability Source"]
  IN_SENSORS --> IN_IMAGE["Image/Dover Reachability Source"]
  IN_SENSORS --> IN_RUNTIME["Runtime Reachability Source"]
```

> Note: **Feed mirroring / airgap bundling** stays under **Operations → Feeds & Airgap** (because that’s “run/operate”), but **Integrations** must show **dependency + impact** (“if NVD down, what breaks?”).
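An added example (not StellaOps code) of the dependency + impact computation the note above calls for: each integration declares the features that depend on it, a stale-but-green feed is downgraded to DEGRADED by a freshness budget, the "what breaks if degraded" column is derived from the unhealthy set, and approvals fall back to "Needs Review" when a gate-critical feature (CVE ingestion) has lost a provider. The status values, the `FRESHNESS_BUDGET`, `GATE_CRITICAL` and the sample table are constructed assumptions, not the product's data model.

```python
"""Added example (not StellaOps code): derive the Integrations "impact map" from
integration health, i.e. answer "if NVD is down, what breaks?" and decide whether
policy-gated approvals must fall back to manual "Needs Review".

All names, freshness budgets and the sample status table are constructed for
this example and are assumptions, not the product's data model."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Sequence, Tuple


class Status(str, Enum):
    CONNECTED = "CONNECTED"
    DEGRADED = "DEGRADED"
    DISCONNECTED = "DISCONNECTED"


@dataclass(frozen=True)
class Integration:
    name: str
    kind: str                    # SCM / CI / Registry / Secrets / Notifications / Feeds
    status: Status               # status as reported by the connector
    last_ok: Optional[datetime]  # last successful sync; None if never
    impacts: Tuple[str, ...]     # features that depend on this integration


# Assumption: a CONNECTED source whose last successful sync is older than its
# kind's budget is treated as DEGRADED, so a quietly stale feed cannot hide
# behind a green status. Kinds without a budget are trusted as reported.
FRESHNESS_BUDGET: Dict[str, timedelta] = {"Feeds": timedelta(hours=24), "CI": timedelta(hours=6)}

# Assumption: losing any of these features invalidates automatic policy gates.
GATE_CRITICAL = {"CVE ingestion"}


def effective_status(i: Integration, now: datetime) -> Status:
    """Reported status, downgraded to DEGRADED when the sync is outside the freshness budget."""
    if i.status is not Status.CONNECTED:
        return i.status
    budget = FRESHNESS_BUDGET.get(i.kind)
    if budget is not None and (i.last_ok is None or now - i.last_ok > budget):
        return Status.DEGRADED
    return Status.CONNECTED


def status_summary(integrations: Sequence[Integration], now: datetime) -> Dict[str, int]:
    """Counts for the 'Connected / Degraded / Disconnected' header."""
    counts = {s.value: 0 for s in Status}
    for i in integrations:
        counts[effective_status(i, now).value] += 1
    return counts


def impact_map(integrations: Sequence[Integration], now: datetime) -> Dict[str, List[str]]:
    """Feature -> unhealthy integrations it depends on (the 'what breaks if degraded' column)."""
    impacted: Dict[str, List[str]] = {}
    for i in integrations:
        st = effective_status(i, now)
        if st is Status.CONNECTED:
            continue
        for feature in i.impacts:
            impacted.setdefault(feature, []).append(f"{i.name} {st.value}")
    return impacted


def approval_mode(integrations: Sequence[Integration], now: datetime) -> str:
    """Policy gates need fresh vulnerability data; without it approvals fall back to manual review."""
    impacted = impact_map(integrations, now)
    return "NEEDS_REVIEW" if GATE_CRITICAL.intersection(impacted) else "AUTOMATIC"


# Constructed sample matching the Connections overview mock (times relative to NOW).
NOW = datetime(2026, 2, 18, 9, 0, tzinfo=timezone.utc)
SAMPLE: Tuple[Integration, ...] = (
    Integration("GitHub Enterprise", "SCM", Status.CONNECTED, NOW - timedelta(minutes=5),
                ("Release Bundles: changelog, repo mapping",)),
    Integration("Jenkins", "CI", Status.DEGRADED, NOW - timedelta(hours=1),
                ("Provenance", "Build reachability")),
    Integration("OSV Feed", "Feeds", Status.CONNECTED, NOW - timedelta(hours=1),
                ("CVE ingestion",)),
    Integration("Vendor Advisory Feed", "Feeds", Status.CONNECTED, NOW - timedelta(days=3),
                ("Vendor advisories",)),  # green as reported, but stale -> DEGRADED
    Integration("NVD Feed", "Feeds", Status.DISCONNECTED, None,
                ("CVE ingestion", "SBOM rescan")),
)

if __name__ == "__main__":
    print("Status summary:", status_summary(SAMPLE, NOW))
    for feature, causes in impact_map(SAMPLE, NOW).items():
        print(f"  {feature:<22} <- {', '.join(causes)}")
    print("Approval mode:", approval_mode(SAMPLE, NOW))
```

The freshness downgrade is the piece worth keeping: the overview must not show a feed as green on the strength of the connector's own status when its last successful sync is older than the data is allowed to be, because that is exactly the case in which approvals would be made against a stale CVE snapshot.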
---

## 1.2 Screen: Integrations → Connections (Overview)

**Formerly:** `Settings → Integrations` (`/settings/integrations`)

**Why moved:** Integrations are **not “settings”** in StellaOps—they’re **operational dependencies** that directly affect **release decisions**, **SBOM freshness**, **reachability coverage**, **evidence completeness**, and **nightly jobs**. Making this a **root menu** also lets the dashboard link to it as a **first-class dependency view**.

### Screen graph (Mermaid)

```mermaid
graph LR
  A["Integrations → Connections (Overview)"] --> B["Integration Detail"]
  A --> C["Add Integration Wizard"]
  A --> D["Security Data Sources"]
  A --> E["Sensors & Reachability Sources"]
  A --> F["Operations → Nightly Ops Report (jobs impacted)"]
  B --> G["Test Connection"]
  B --> H["Sync & Health History"]
  B --> I["Impact Map"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Integrations ▸ Connections                                                 [ + Add Integration ] |
| Formerly: Settings ▸ Integrations                                                               |
|-------------------------------------------------------------------------------------------------|
| Status Summary:  Connected 6   Degraded 1   Disconnected 1      Filter: [All|SCM|CI/CD|Reg|...] |
|-------------------------------------------------------------------------------------------------|
| NAME / TYPE                 STATUS        LAST OK     IMPACT (what breaks if degraded)          |
|-------------------------------------------------------------------------------------------------|
| GitHub Enterprise / SCM     CONNECTED     5m ago      Release Bundles: changelog, repo mapping  |
| GitLab SaaS / SCM           CONNECTED     2m ago      Release Bundles: changelog, repo mapping  |
| Jenkins / CI                DEGRADED      1h ago      Provenance gaps, build reachability stale |
| Harbor / Registry           CONNECTED     30m ago     Digest resolution, image inventory        |
| HashiCorp Vault / Secrets   CONNECTED     10m ago     Bundle variables (env config), approvals  |
| Slack / Notifications       CONNECTED     -           Alerts routing                            |
| OSV Feed / Feeds            CONNECTED     1h ago      CVE ingestion (OSV)                       |
| NVD Feed / Feeds            DISCONNECTED  ?           CVE ingestion (NVD) -> SBOM rescan risk   |
|-------------------------------------------------------------------------------------------------|
| Attention: NVD Feed DISCONNECTED → CVE freshness degraded → approvals may switch to "Needs Review"|
| Deep Links: [View Nightly Ops Report]  [Go to Feed Mirror & Airgap Ops]                         |
+-------------------------------------------------------------------------------------------------+
```

---

## 1.3 Screen: Integrations → Integration Detail

**Formerly:** there was no dedicated “detail page” (tiles only under Settings → Integrations).

**Why added:** You need a **single pane** that explains **scope + health + impact**. This is also where you show **reachability-source coverage** and **how this integration feeds Release Bundle Organizer**.
### Screen graph (Mermaid)

```mermaid
graph TD
  A["Integration Detail"] --> B["Edit Configuration"]
  A --> C["Test Connection"]
  A --> D["Sync Now / Re-auth"]
  A --> E["Sync & Health History"]
  A --> F["Permissions/Scopes"]
  A --> G["Impact Map (Releases/Bundles/SBOM/Evidence)"]
  A --> H["Alert Routing (who gets paged)"]
  A --> I["Related: Ops Nightly Report"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Integrations ▸ Connection Detail: NVD Feed                                        [Edit] [Test] |
| Formerly: Settings ▸ Integrations (tile)                                                        |
|-------------------------------------------------------------------------------------------------|
| Status: DISCONNECTED      Last Successful Sync: 2026-02-17 01:12 UTC      Owner: Security Ops   |
| Endpoint: https://...     Auth: API Key (expired)                                               |
|-------------------------------------------------------------------------------------------------|
| HEALTH & HISTORY                             | IMPACT MAP                                       |
|----------------------------------------------|--------------------------------------------------|
| Last 24h: 0 OK / 12 Failures                 | Dashboards: CVE freshness widget = RED           |
| Error: 401 Unauthorized                      | Nightly jobs: SBOM rescan may fail / partial     |
| Retries: exponential backoff                 | Approvals: policy gates fall back to "manual"    |
| [View Full History]                          | Evidence: missing CVE snapshot for attestations  |
|----------------------------------------------|--------------------------------------------------|
| REACHABILITY INPUTS (for findings context)   | USED BY RELEASE BUNDLE ORGANIZER                 |
| Build reachability: N/A                      | - enriches bundle with "CVE snapshot version"    |
| Image/Dover reachability: N/A                | - pins vulnerability dataset used for release    |
| Runtime reachability: N/A                    |                                                  |
|-------------------------------------------------------------------------------------------------|
| Actions: [Re-authenticate] [Sync Now] [Open Nightly Ops Report filtered to "CVE Feeds"]         |
+-------------------------------------------------------------------------------------------------+
```

---

## 1.4 Screen: Integrations → Add Integration Wizard

**Formerly:** `Settings → Integrations → Add Integration` button

**Why kept here:** still valid, but now it sits under a **root Integrations** area and must force the user to confirm **impact mapping** (what features depend on it) and **which regions/environments it supports**.

### Screen graph (Mermaid)

```mermaid
graph LR
  A["Add Integration Wizard"] --> B["Choose Type (SCM/CI/Registry/Secrets/Feeds/Notifications/Sensor)"]
  B --> C["Configure Endpoint & Auth"]
  C --> D["Select Regions/Envs Scope"]
  D --> E["Define Impact Map + Owners"]
  E --> F["Test Connection"]
  F --> G["Create & Go to Detail"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Integrations ▸ Add Integration (Wizard)                                             Step 3 of 6 |
| Formerly: Settings ▸ Integrations ▸ Add Integration                                             |
|-------------------------------------------------------------------------------------------------|
| 1) Type   2) Auth   3) Scope (Regions/Envs)   4) Impact   5) Test   6) Done                    |
|-------------------------------------------------------------------------------------------------|
| Scope (where this integration is valid):                                                        |
|   Regions:      [x] us-east   [x] eu-west   [ ] ap-south                                        |
|   Environments: [x] prod      [x] staging   [x] dev                                             |
|-------------------------------------------------------------------------------------------------|
| Impact Mapping (required):                                                                      |
|   [x] Release Bundles (changelog / metadata)                                                    |
|   [x] SBOM ingestion / CVE sync                                                                 |
|   [ ] Approvals routing                                                                         |
|   Owner (pager): security-oncall                                                                |
|-------------------------------------------------------------------------------------------------|
| [Back]                                                                    [Next: Impact Mapping]|
+-------------------------------------------------------------------------------------------------+
```

---

## 1.5 Screen: Integrations → Security Data Sources

**Formerly:**
`Settings → Security Data` (no screenshot provided, but it exists in nav)

**Why moved:** This is **operational security data** (feeds, advisory sources, SBOM parsing rules, reachability dataset versions). It belongs next to **Integrations**, because it’s fundamentally “external dependency + sync + health + impact”.

### Screen graph (Mermaid)

```mermaid
graph TD
  A["Integrations → Security Data Sources"] --> B["Feeds (NVD/OSV/Vendor/Internal)"]
  A --> C["VEX Sources (vendor statements, internal VEX)"]
  A --> D["Dataset Versions & Retention"]
  B --> E["Feed Detail"]
  E --> F["Sync History"]
  E --> G["Errors & Remediation"]
  E --> H["Used By: Approvals / Evidence snapshots"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Integrations ▸ Security Data Sources                                                            |
| Formerly: Settings ▸ Security Data                                                              |
|-------------------------------------------------------------------------------------------------|
| DATASETS USED FOR RELEASE DECISIONS (must be auditable)                                         |
|-------------------------------------------------------------------------------------------------|
| Source         Type   Status        Last Sync   Dataset Version   Used by                       |
|-------------------------------------------------------------------------------------------------|
| NVD            CVE    DISCONNECTED  -           -                 Approvals, Evidence, SBOM     |
| OSV            CVE    CONNECTED     1h          2026.02.18.01     Approvals, Evidence, SBOM     |
| Vendor VEX     VEX    CONNECTED     24h         2026.02.17        VEX Hub, Findings             |
| Internal VEX   VEX    CONNECTED     5m          live              VEX Hub, Exceptions           |
|-------------------------------------------------------------------------------------------------|
| Controls: [Retention policy] [Dataset snapshot rules] [Export dataset attestation]              |
| Cross-links: [Operations ▸ Feed Mirrors] [Operations ▸ Nightly Jobs]                            |
+-------------------------------------------------------------------------------------------------+
```

---

# 2) Administration

## 2.1 Administration menu graph (Mermaid)

```mermaid
graph TD
  ADM_ROOT["Administration (root menu)"] --> ADM_IAM["Identity & Access"]
  ADM_ROOT --> ADM_TENANT["Tenant & Branding"]
  ADM_ROOT --> ADM_NOTIF["Notifications"]
  ADM_ROOT --> ADM_USAGE["Usage & Limits"]
  ADM_ROOT --> ADM_SYSTEM["System (Admin-only)"]
  ADM_IAM --> ADM_USERS["Users"]
  ADM_IAM --> ADM_ROLES["Roles"]
  ADM_IAM --> ADM_OAUTH["OAuth Clients"]
  ADM_IAM --> ADM_TOKENS["API Tokens"]
  ADM_IAM --> ADM_TENANTS["Tenants"]
  ADM_NOTIF --> ADM_RULES["Rules"]
  ADM_NOTIF --> ADM_CHANNELS["Channels"]
  ADM_NOTIF --> ADM_TEMPLATES["Templates"]
  ADM_NOTIF --> ADM_LOG["Delivery Log"]
```

---

## 2.2 Screen: Administration → Identity & Access

**Formerly:** `Settings → Identity & Access` (`/settings/admin`)

**Why moved:** This is pure **admin control plane** (users/roles/tokens/tenants). Keeping it out of the release/security nav reduces clutter and avoids a “settings dumping ground”.

### Screen graph (Mermaid)

```mermaid
graph LR
  A["Administration → Identity & Access"] --> B["Users"]
  A --> C["Roles"]
  A --> D["OAuth Clients"]
  A --> E["API Tokens"]
  A --> F["Tenants"]
  A --> G["Audit Log (Evidence & Audit)"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Administration ▸ Identity & Access                                                              |
| Formerly: Settings ▸ Identity & Access                                                          |
| Tabs: [Users] [Roles] [OAuth Clients] [API Tokens] [Tenants]                                    |
|-------------------------------------------------------------------------------------------------|
| Users                                                                              [ + Add User]|
|-------------------------------------------------------------------------------------------------|
| Name             Email                 Role             Status    Actions                       |
|-------------------------------------------------------------------------------------------------|
| alice.johnson    alice@company.com     Release Admin    Active    [Edit] [Disable]              |
| david.wilson     david@company.com     Approver         Active    [Edit] [Disable]              |
| ...                                                                                             |
|-------------------------------------------------------------------------------------------------|
| Note: Role "Approver" can approve releases but cannot edit policy baselines.                    |
+-------------------------------------------------------------------------------------------------+
```

---

## 2.3 Screen: Administration → Tenant & Branding

**Formerly:** `Settings → Tenant / Branding` (no screenshot provided)

**Why moved:** Tenant-level admin belongs together with Identity, Usage, Notifications.

### Screen graph (Mermaid)

```mermaid
graph TD
  A["Administration → Tenant & Branding"] --> B["Tenant Profile"]
  A --> C["Branding (logo/colors)"]
  A --> D["Regions enabled (global config)"]
  A --> E["Data retention defaults"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Administration ▸ Tenant & Branding                                                              |
| Formerly: Settings ▸ Tenant / Branding                                                          |
|-------------------------------------------------------------------------------------------------|
| Tenant Profile                         | Branding                                               |
|----------------------------------------|--------------------------------------------------------|
| Name: ExampleCorp                      | Logo: [Upload]                                         |
| Default Region: eu-west                | Theme: Light / Dark                                    |
| Enabled Regions: [x] us-east [x] eu-west [ ] ap-south                                           |
| Retention: Evidence 365d, Logs 30d     | Product Name: "Stella Ops" / "ExampleOps"              |
|-------------------------------------------------------------------------------------------------|
| [Save Changes]                                                                                  |
+-------------------------------------------------------------------------------------------------+
```

---

## 2.4 Screen: Administration → Notifications

**Formerly:** `Settings → Notifications` (`/settings/notifications`)

**Why moved:** Notification rules are **tenant-admin policy**. Channels still depend on integrations (Slack/Webhook/Email), so this screen should “consume” those and link back.
### Screen graph (Mermaid)

```mermaid
graph LR
  A["Administration → Notifications"] --> B["Notification Rules"]
  A --> C["Channels"]
  A --> D["Templates"]
  A --> E["Delivery Log"]
  C --> F["Integrations → Slack/Webhook detail"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Administration ▸ Notifications                                                                  |
| Formerly: Settings ▸ Notifications                                                              |
|-------------------------------------------------------------------------------------------------|
| [Notification Rules] [Channels] [Templates]                                                     |
|-------------------------------------------------------------------------------------------------|
| Rules                        | Channels                                   | Templates           |
|------------------------------|--------------------------------------------|---------------------|
| + Add Rule                   | Email    ACTIVE                            | Edit Templates      |
|                              | Slack    ACTIVE (via Integrations)         |                     |
|                              | Webhook  NOT CONFIGURED                    |                     |
|-------------------------------------------------------------------------------------------------|
| Activity / Delivery Log                                                                         |
| [View Log] (filter: release approvals, critical findings, feed failures, nightly job failures)  |
+-------------------------------------------------------------------------------------------------+
```

---

## 2.5 Screen: Administration → Usage & Limits

**Formerly:**

* `Settings → Usage & Limits` (`/settings/usage`)
* **and** `Operations → Quotas` (overlapping/duplicated concepts)

**Why moved & changed:** unify into one **tenant-level** view: **consumption + quota config + throttles**. Operations can still show an “operator quota dashboard”, but **admin owns quotas/limits**.
### Screen graph (Mermaid)

```mermaid
graph TD
  A["Administration → Usage & Limits"] --> B["Usage Summary"]
  A --> C["Quota Configuration"]
  A --> D["Throttle Events (read-only)"]
  D --> E["Operations → Quota / Throttle report (detail)"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Administration ▸ Usage & Limits                                                                 |
| Formerly: Settings ▸ Usage & Limits + Operations ▸ Quotas                                       |
|-------------------------------------------------------------------------------------------------|
| Scans               Storage           Evidence Packets      API Requests                        |
| 6,500/10,000        42GB/100GB        2,800/10,000          15,000/100,000                      |
|-------------------------------------------------------------------------------------------------|
| Quota Configuration                                                                             |
| Configure limits and throttle settings for your tenant.                                         |
| [Configure Quotas]                                                                              |
|-------------------------------------------------------------------------------------------------|
| Throttle Events (last 24h): none → [View in Operations ▸ Quotas]                                |
+-------------------------------------------------------------------------------------------------+
```

---

## 2.6 Screen: Administration → System

**Formerly:** `Settings → System` (`/settings/system`)

**Why moved:** This is strictly **admin-only platform control**. Also, it must link to operational diagnostics (**Ops → Platform Health**, **Ops → Nightly Jobs**, **Ops → Dead Letter**).
### Screen graph (Mermaid)

```mermaid
graph TD
  A["Administration → System"] --> B["Health Check (components)"]
  A --> C["Doctor (diagnostics)"]
  A --> D["SLO Monitoring"]
  A --> E["Background Jobs (admin view)"]
  E --> F["Operations → Scheduler / Nightly Jobs"]
  B --> G["Operations → Platform Health"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Administration ▸ System (Admin only)                                                            |
| Formerly: Settings ▸ System                                                                     |
|-------------------------------------------------------------------------------------------------|
| [Health Check]               [Doctor]                    [SLO Monitoring]                       |
| All systems operational      Run diagnostics             View & configure SLOs                  |
| [View Details]               [Run Doctor]                [View SLOs]                            |
|-------------------------------------------------------------------------------------------------|
| [Background Jobs]                                                                               |
| Monitor and manage background job processing.                                                   |
| [View Jobs] → deep link: Operations ▸ Scheduler / Nightly Ops Report                            |
+-------------------------------------------------------------------------------------------------+
```

---

# 3) Moved into Release Control: “Policy Governance”

## 3.1 Screen: Release Control → Governance & Policy

**Formerly:** `Settings → Policy Governance` (`/settings/policy`)

**Why moved:** These rules/baselines **define release gates** and belong with **Release Control** (environments, targets, workflows). This is a *core* function, not a generic setting.
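An added example (not StellaOps code) of the gate logic this screen governs: a baseline is selected per environment/region (most specific wins), evaluated against a release's findings and unexpired exceptions, and "Policy Simulation" runs a proposed baseline beside the current one to show what would change before it is applied. The baseline fields, the `CVE-EX-*` identifiers and all sample data are constructed placeholders, not the product's schema.

```python
"""Added example (not StellaOps code): a minimal release-gate evaluator for
Release Control -> Governance & Policy, with per-env/region baseline selection,
exception (waiver) handling and a dry-run policy simulation.

Baseline fields, the CVE-EX-* identifiers and all sample data are constructed
placeholders for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Baseline:
    name: str
    block_at: str                # lowest severity that blocks a release
    reachable_only: bool         # True: findings with explicit "not reachable" evidence do not block
    env: Optional[str] = None    # None = applies to every environment
    region: Optional[str] = None # None = applies to every region


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    reachable: Optional[bool]    # None = no reachability evidence; treated as reachable (fail closed)


@dataclass(frozen=True)
class Waiver:                    # an approved policy exception, scoped to one environment
    cve: str
    env: str
    expires: date


@dataclass
class Decision:
    baseline: str
    blocking: List[str]
    waived: List[str]

    @property
    def status(self) -> str:
        return "BLOCK" if self.blocking else "PASS"


def select_baseline(baselines: Sequence[Baseline], env: str, region: str) -> Baseline:
    """Most specific matching baseline wins: env+region > env only > org-wide default."""
    best: Optional[Baseline] = None
    best_score = -1
    for b in baselines:
        if b.env not in (None, env) or b.region not in (None, region):
            continue
        score = int(b.env is not None) + int(b.region is not None)
        if score > best_score:
            best, best_score = b, score
    if best is None:
        raise LookupError(f"no baseline covers env={env} region={region}")
    return best


def evaluate(baseline: Baseline, findings: Sequence[Finding], waivers: Sequence[Waiver],
             env: str, today: date) -> Decision:
    """Apply the baseline: severity threshold, reachability evidence, then unexpired waivers."""
    active = {w.cve for w in waivers if w.env == env and w.expires >= today}
    blocking: List[str] = []
    waived: List[str] = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[baseline.block_at]:
            continue
        if baseline.reachable_only and f.reachable is False:
            continue  # only explicit "not reachable" evidence downgrades; missing evidence fails closed
        (waived if f.cve in active else blocking).append(f.cve)
    return Decision(baseline.name, blocking, waived)


def simulate(current: Baseline, proposed: Baseline, findings: Sequence[Finding],
             waivers: Sequence[Waiver], env: str, today: date) -> Dict[str, List[str]]:
    """Policy Simulation: what a proposed baseline would change for this release, without applying it."""
    before = evaluate(current, findings, waivers, env, today)
    after = evaluate(proposed, findings, waivers, env, today)
    return {"newly_blocking": sorted(set(after.blocking) - set(before.blocking)),
            "newly_passing": sorted(set(before.blocking) - set(after.blocking))}


# Constructed sample data (placeholder identifiers, not real CVEs).
BASELINES = (Baseline("org-default", "CRITICAL", reachable_only=False),
             Baseline("prod", "HIGH", reachable_only=True, env="prod"),
             Baseline("prod-eu", "MEDIUM", reachable_only=True, env="prod", region="eu-west"))
FINDINGS = (Finding("CVE-EX-0001", "CRITICAL", reachable=True),
            Finding("CVE-EX-0002", "HIGH", reachable=False),
            Finding("CVE-EX-0003", "HIGH", reachable=None),
            Finding("CVE-EX-0004", "MEDIUM", reachable=True))
WAIVERS = (Waiver("CVE-EX-0003", env="prod", expires=date(2026, 3, 31)),
           Waiver("CVE-EX-0001", env="prod", expires=date(2026, 1, 31)))  # expired: no longer applies
TODAY = date(2026, 2, 18)

if __name__ == "__main__":
    b = select_baseline(BASELINES, "prod", "eu-west")
    d = evaluate(b, FINDINGS, WAIVERS, "prod", TODAY)
    print(d.baseline, d.status, "blocking:", d.blocking, "waived:", d.waived)
    print(simulate(BASELINES[1], Baseline("prod-proposed", "MEDIUM", True, env="prod"),
                   FINDINGS, WAIVERS, "prod", TODAY))
```

Two choices matter for auditability: a finding with no reachability evidence is treated as reachable rather than silently skipped, and an expired waiver stops applying on its own, so the decision recorded for a release can be replayed later from the baseline, findings and waivers that were in force that day.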
### Screen graph (Mermaid)

```mermaid
graph TD
  A["Release Control → Governance & Policy"] --> B["Policy Baselines (per env/region)"]
  A --> C["Governance Rules (org-wide)"]
  A --> D["Policy Simulation"]
  A --> E["Exception Workflow"]
  E --> F["Security → Exceptions (requests & approvals)"]
  C --> G["Approvals / Policy Gates (uses these rules)"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Release Control ▸ Governance & Policy                                                           |
| Formerly: Settings ▸ Policy Governance                                                          |
|-------------------------------------------------------------------------------------------------|
| [Policy Baselines]             [Governance Rules]             [Policy Simulation]               |
| Create / manage baselines      Define org rules for releases  Test changes before applying      |
| [ + Create Baseline ]          [Edit Rules]                   [Run Simulation]                  |
|-------------------------------------------------------------------------------------------------|
| [Exception Workflow]                                                                            |
| Configure how policy exceptions are requested & approved.                                       |
| [Configure Workflow] → deep link: Security ▸ Exceptions                                         |
+-------------------------------------------------------------------------------------------------+
```

---

# 4) Moved into Evidence & Audit: “Trust & Signing”

## 4.1 Screen: Evidence & Audit → Trust & Signing

**Formerly:** `Settings → Trust & Signing` (`/settings/trust`)

**Why moved:** Trust & signing is the **spine of auditing** (DSSE envelopes, Rekor/transparency logs, signing keys, audit log). It should sit with **Evidence Bundles / Proof Chains / Replay/Verify**.
### Screen graph (Mermaid)

```mermaid
graph TD
  A["Evidence & Audit → Trust & Signing"] --> B["Signing Keys"]
  A --> C["Issuers"]
  A --> D["Certificates"]
  A --> E["Transparency Log (Rekor config)"]
  A --> F["Trust Scoring"]
  A --> G["Trust Audit Log"]
  A --> H["Evidence Bundles"]
  A --> I["Proof Chains"]
```

### ASCII mock

```
+-------------------------------------------------------------------------------------------------+
| Evidence & Audit ▸ Trust & Signing                                                              |
| Formerly: Settings ▸ Trust & Signing                                                            |
|-------------------------------------------------------------------------------------------------|
| [Signing Keys]                 [Issuers]                      [Certificates]                    |
| Manage keys for                Trusted issuers                TLS/signing certs                 |
| evidence & attests             for VEX/attests                upload/manage                     |
| [Manage Keys]                  [Manage Issuers]               [Manage Certificates]             |
|-------------------------------------------------------------------------------------------------|
| [Transparency Log]             [Trust Scoring]                [Audit Log]                       |
| Configure Rekor logs           Scoring policy for artifacts   Trust-related audit events        |
| [Configure Rekor]              [Edit Score Config]            [View Audit Log]                  |
+-------------------------------------------------------------------------------------------------+
```

---

## What’s next (Pack 6 suggestion)

If you want me to continue immediately, Pack 6 should cover: **Operations** (Scheduler, Dead Letter, Platform Health, Orchestrator, Feeds & Airgap), and ensure each has:

* Mermaid menu graph
* Mermaid per-screen graph
* ASCII mock with “Formerly …” label
* Explicit surfacing of: **nightly SBOM rescans**, **CVE feed sync health**, **integration failures**, and **hybrid reachability freshness**.