## Pack 10 — Integrations + Security Data Ops (Feeds & AirGap)

Below is the **Mermaid IA for the menus + per-screen navigation graphs**, and then **ASCII mocks for each screen**. For every screen: **Formerly (old location/name)** + **why this is moved/reshaped**.

---

## 10.1 Menu graph (Mermaid) — Integrations + Feeds/AirGap Ops

```mermaid
flowchart TD
  %% ROOT (only the parts this pack touches)
  ROOT[Stella Ops Console] --> INT[Integrations]
  ROOT --> OPS[Platform Ops]

  %% INTEGRATIONS
  INT --> INT_HUB["Integrations Hub\n(overview + connectors)"]
  INT_HUB --> INT_DETAIL[Integration Detail]
  INT_HUB --> INT_ADD[Add Integration Wizard]
  INT_HUB --> INT_FILTERS["Category Filters\nSCM / CI-CD / Registries / Secrets&Config / Notifications / Security Data"]

  %% FEEDS & AIRGAP (Platform Ops)
  OPS --> FEED_OPS["Feeds & AirGap Ops\n(Security Data Ops)"]
  FEED_OPS --> FEED_SOURCES[Sources & Freshness]
  FEED_OPS --> FEED_MIRRORS[Feed Mirrors]
  FEED_OPS --> FEED_AIRGAP[AirGap Bundles]
  FEED_OPS --> FEED_LOCKS[Version Locks]

  %% Cross-links (2nd-class entry points)
  INT_HUB -. "Degraded/Disconnected impact" .-> FEED_SOURCES
  FEED_SOURCES -. "Open connector config" .-> INT_DETAIL
  FEED_OPS -. "Shows up on Dashboard: Nightly Ops Signals" .-> ROOT
```

Key placement decisions (keeps the reorg “release-first”):

* **Integrations** = “connectors & configuration surface” (what talks to what).
* **Feeds & AirGap Ops** = “operator workflows & determinism controls” (mirrors, airgap bundles, version locks).

This aligns with your ask that **freshness + sync failures are visible**, and that **determinism controls exist without being “third class.”**

---

# 10.2 Screen — Integrations Hub

### Formerly

* **Settings → Integrations** (`/settings/integrations`)
* Also implicitly included “Feeds” (OSV/NVD cards) here.

### Why change

* This is a **first-response triage page**: if approvals are blocked, SBOM scans are stale, or evidence generation fails, the operator needs **a single place** to see **which dependency is degraded and what it impacts**.
* Adds a required concept: **“Impact on Release Control”** (what gates become unreliable if an integration is down).

### Screen graph (Mermaid)

```mermaid
flowchart LR
  A[Integrations Hub] -->|click card| B[Integration Detail]
  A -->|Add Integration| C[Add Integration Wizard]
  A -->|filter: SCM/CI/CD/Registries/Secrets/Feeds| A
  A -->|feeds degraded?| D[Feeds & AirGap Ops: Sources]
  B -->|view logs| B
  B -->|test connection| B
  B -->|back| A
```

### ASCII mock

```text
┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│ Integrations Hub (Formerly: Settings ▸ Integrations)                                        │
│ Org: Acme   Region: All   Env Scope: All   Window: 30d                                      │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Summary: Connected: 6   Degraded: 1   Disconnected: 1   Last full health check: 02:10       │
│                                                                                             │
│ Filters: [All] [SCM] [CI/CD] [Registries] [Secrets & Config] [Notifications] [Security Data]│
│ Actions: [+ Add Integration] [Run Health Check]                                             │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Needs Attention (Impact on Release Control)                                                 │
│ • NVD Feed: DISCONNECTED → CVE freshness unknown → Policy gates may be unreliable           │
│ • Jenkins: DEGRADED → Build attestations delayed → Release bundle evidence may lag          │
│ • Vault: OK (but token expires in 3d) → Env var resolution risk upcoming                    │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrations (table view)                                                                   │
│ ┌──────────────────────┬──────────────┬──────────────┬─────────────┬──────────────────────┐ │
│ │ Name                 │ Type         │ Status       │ Last Sync   │ Used By              │ │
│ ├──────────────────────┼──────────────┼──────────────┼─────────────┼──────────────────────┤ │
│ │ GitHub Enterprise    │ SCM          │ CONNECTED    │ 5m ago      │ Bundles, Changelog   │ │
│ │ GitLab SaaS          │ SCM          │ CONNECTED    │ 2m ago      │ Bundles, Changelog   │ │
│ │ Jenkins              │ CI/CD        │ DEGRADED     │ 1h ago      │ Attestations, Builds │ │
│ │ Harbor Registry      │ Registry     │ CONNECTED    │ 30m ago     │ SBOM ingest, Images  │ │
│ │ HashiCorp Vault      │ Secrets      │ CONNECTED    │ 10m ago     │ Env vars, Bundles    │ │
│ │ Slack                │ Notification │ CONNECTED    │ -           │ Approvals alerts     │ │
│ │ OSV Feed             │ SecurityData │ CONNECTED    │ 1h ago      │ Vulnerability scans  │ │
│ │ NVD Feed             │ SecurityData │ DISCONNECTED │ -           │ Vulnerability scans  │ │
│ └──────────────────────┴──────────────┴──────────────┴─────────────┴──────────────────────┘ │
│ Hint: click any row/card → Integration Detail                                               │
└─────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 10.3 Screen — Integration Detail

### Formerly

* No dedicated “detail” surface in the screenshots (integrations were mostly **cards**). This is effectively **new**, but replaces the need to “hunt” across settings + ops pages.

### Why change

* You need **traceability** from an outage → **which releases / gates / bundles / envs are impacted**.
* Enables the missing operational requirement you called out: **nightly job failures due to integration issues** are explainable from the integration itself.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[Integration Detail] --> B[Config & Credentials]
  A --> C[Health & Logs]
  A --> D[Mappings]
  A --> E[Permissions/Scopes]
  A --> F[Downstream Impact]
  C -->|retry connection| C
  C -->|open affected jobs| G["Nightly Ops Report (Platform Ops)"]
  A -->|back| H[Integrations Hub]
```

### ASCII mock

```text
┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│ Integration Detail: NVD Feed (Formerly: shown as card in Settings ▸ Integrations)           │
│ Type: Security Data Source   Status: DISCONNECTED   Owner: security-team                    │
│ Region: US-East (toggle)   EU-West (toggle)   APAC (toggle)                                 │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Overview] [Config] [Health & Logs] [Mappings] [Permissions]                          │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Overview                                                                                    │
│ Last successful sync: —                                                                     │
│ Freshness SLA: 6h   Current freshness: UNKNOWN → Gating risk: HIGH                          │
│ Used by: Vulnerability scan ingestion, Release gates, Nightly rescans                       │
│                                                                                             │
│ Downstream impact                                                                           │
│ • Approvals & Gates: “CVE freshness” gate → currently degraded                              │
│ • Nightly SBOM rescan: will flag “data source unavailable”                                  │
│ • Audit bundles: will include “feed freshness unknown” note                                 │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Health & Logs (latest)                                                                      │
│ 02:11 ERROR connect timeout to nvd.example.gov                                              │
│ 02:11 WARN  falling back to OSV only (coverage reduced)                                     │
│ Action: [Retry Connection] [Test DNS] [View Related Nightly Jobs]                           │
└─────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 10.4 Screen — Add Integration Wizard

### Formerly

* **“+ Add Integration”** existed on Settings → Integrations, but without a standardized “impact/mapping” workflow shown.

### Why change

* This wizard becomes the enforcement point for:
  * **Region scoping** (your missing “environments per region” theme).
  * **Mapping to downstream use** (Release Bundle Organizer, approvals, SBOM ingest, etc.).
  * **Secrets hygiene** (Vault/Consul integration must be wired correctly).

### Screen graph (Mermaid)

```mermaid
flowchart LR
  S[Add Integration Wizard] --> A[1. Choose Type]
  A --> B[2. Configure Connection]
  B --> C["3. Scope & Mapping\n(Region/Env/Repos/Targets)"]
  C --> D[4. Test Connection]
  D --> E[5. Save & Initial Sync]
  E --> F[Integration Detail]
```

### ASCII mock

```text
┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│ Add Integration Wizard (Formerly: + Add Integration on Settings ▸ Integrations)             │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Step 1/5 — Choose type                                                                      │
│ [SCM]            GitHub / GitLab                                                            │
│ [CI/CD]          Jenkins / Actions                                                          │
│ [Registry]       Harbor / ECR / GCR                                                         │
│ [Secrets]        Vault                                                                      │
│ [Config]         Consul (recommended for bundle vars)                                       │
│ [Notifications]  Slack / Email / Webhook                                                    │
│ [Security Data]  OSV / NVD / CISA                                                           │
│                                                                                             │
│ Next: [Continue]                                                                            │
└─────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 10.5 Screen — Feeds & AirGap Ops (Sources & Freshness)

### Formerly

* **Operations → Feeds** (`/operations/feeds`)
  Screen title: **“Feed Mirror & AirGap Operations”**
* Also partially represented as OSV/NVD “Feeds” cards under Settings → Integrations.

### Why change

* This becomes the **operator-grade control surface** for:
  * **Freshness** (are CVE sources synced, within SLA?).
  * **Determinism** (version locks).
  * **AirGap readiness** (bundles).
* It is “second-class” (reachable from Dashboard “Nightly Ops Signals”), not buried.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[Feeds & AirGap Ops] --> B[Sources & Freshness]
  A --> C[Feed Mirrors]
  A --> D[AirGap Bundles]
  A --> E[Version Locks]
  B -->|open source integration| F[Integration Detail]
  B -->|create mirror| C
  E -->|lock for release| G["Release Detail\n(Determinism tab)"]
```

### ASCII mock

```text
┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops (Formerly: Operations ▸ Feeds → "Feed Mirror & AirGap Operations")       │
│ Org: Acme   Region: US-East   Window: 7d                                                    │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Sources & Freshness] [Feed Mirrors] [AirGap Bundles] [Version Locks]                 │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Sources & Freshness                                                                         │
│ ┌───────────────┬──────────────┬──────────────┬───────────────┬───────────────────────────┐ │
│ │ Source        │ Status       │ Last Sync    │ Freshness SLA │ Notes / Impact            │ │
│ ├───────────────┼──────────────┼──────────────┼───────────────┼───────────────────────────┤ │
│ │ OSV           │ OK           │ 1h ago       │ 6h            │ Full OK                   │ │
│ │ NVD           │ DISCONNECTED │ —            │ 6h            │ Approval gating risk HIGH │ │
│ │ CISA KEV      │ OK           │ 3h ago       │ 24h           │ OK                        │ │
│ └───────────────┴──────────────┴──────────────┴───────────────┴───────────────────────────┘ │
│ Actions: [Retry failed sources] [Open Integration Detail] [Create Mirror]                   │
└─────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 10.6 Screen — Feeds & AirGap Ops (Feed Mirrors)

### Formerly

* Operations → Feeds → **Feed Mirrors** tab.

### Why change

* Keep same capability, but add:
  * Region scoping and storage accounting per region.
  * A clear connection to **gating data freshness** and **nightly job health**.

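One way to turn the Sources & Freshness columns from 10.5 (last sync, freshness SLA) into the gating risk shown there, as an added Python example that is not Stella Ops code: a required source with no known sync is UNKNOWN and pushes risk to HIGH, as the NVD row does. The field names, the MEDIUM level for stale data, and the 6h SLA applied to a mirror named `nvd-eu-mirror` are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data modelled on the Sources & Freshness mock; not real telemetry.
NOW = datetime(2026, 2, 18, 2, 15, tzinfo=timezone.utc)
SOURCES = [
    {"name": "OSV", "last_sync": NOW - timedelta(hours=1), "sla_hours": 6},
    {"name": "NVD", "last_sync": None, "sla_hours": 6},  # never synced / disconnected
    {"name": "CISA KEV", "last_sync": NOW - timedelta(hours=3), "sla_hours": 24},
    # Assumption: the mirror inherits the 6h SLA of its upstream source.
    {"name": "nvd-eu-mirror", "last_sync": NOW - timedelta(hours=8), "sla_hours": 6},
]


def freshness(source, now):
    """Classify one source as OK, STALE or UNKNOWN from its last successful sync."""
    last = source["last_sync"]
    if last is None:
        return "UNKNOWN"
    age = now - last
    if age < timedelta(0):
        # A sync time in the future means clock skew or bad metadata: do not trust it.
        return "UNKNOWN"
    return "OK" if age <= timedelta(hours=source["sla_hours"]) else "STALE"


def gating_risk(sources, required, now):
    """Return (risk, per-source state) for the sources a gate depends on.

    Fails closed: a required source that is missing or UNKNOWN yields HIGH.
    MEDIUM for stale-but-known data is an assumption, not a level from the page.
    """
    if not required:
        raise ValueError("a gate must name at least one required source")
    by_name = {s["name"]: s for s in sources}
    states = {
        name: freshness(by_name[name], now) if name in by_name else "UNKNOWN"
        for name in required
    }
    if "UNKNOWN" in states.values():
        return "HIGH", states
    if "STALE" in states.values():
        return "MEDIUM", states
    return "LOW", states


if __name__ == "__main__":
    for gate in (["OSV", "NVD", "CISA KEV"], ["OSV", "CISA KEV"], ["OSV", "nvd-eu-mirror"]):
        print(gate, gating_risk(SOURCES, gate, NOW))
```
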
### Screen graph (Mermaid)

```mermaid
flowchart LR
  A[Feed Mirrors] --> B[Create/Edit Mirror]
  A --> C[Mirror Detail]
  C -->|force sync| C
  C -->|view sync logs| C
  A -->|back| D[Feeds & AirGap Ops]
```

### ASCII mock

```text
┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ Feed Mirrors (Formerly: Operations ▸ Feeds ▸ Feed Mirrors)             │
│ Region: EU-West                                                                             │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ KPI: Total Mirrors: 4   Synced: 3   Stale: 1   Errors: 0   Storage: 28GB                    │
│ Actions: [+ Create Mirror] [Sync All] [Export Mirror Config]                                │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Mirrors                                                                                     │
│ ┌───────────────┬──────────┬───────────────┬───────────┬───────────┬──────────────────────┐ │
│ │ Mirror Name   │ Source   │ Status        │ Last Sync │ Storage   │ Actions              │ │
│ ├───────────────┼──────────┼───────────────┼───────────┼───────────┼──────────────────────┤ │
│ │ nvd-eu-mirror │ NVD      │ STALE (8h)    │ 8h ago    │ 12GB      │ [Sync] [Edit] [Logs] │ │
│ │ osv-eu-mirror │ OSV      │ SYNCED        │ 1h ago    │ 4GB       │ [Sync] [Edit] [Logs] │ │
│ │ kev-eu-mirror │ CISA KEV │ SYNCED        │ 3h ago    │ 1GB       │ [Sync] [Edit] [Logs] │ │
│ └───────────────┴──────────┴───────────────┴───────────┴───────────┴──────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 10.7 Screen — Feeds & AirGap Ops (AirGap Bundles)

### Formerly

* Operations → Feeds → **AirGap Bundles** tab.

### Why change

* This is essential for environments that must prove:
  * The release decision was made using a **known dataset snapshot**.
  * The bundle contains **feeds + policy pack versions + evidence tooling metadata**.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[AirGap Bundles] --> B[Create AirGap Bundle]
  A --> C[Bundle Detail]
  C -->|download| C
  C -->|verify signatures| C
  C -->|pin version locks| D[Version Locks]
```

### ASCII mock

```text
┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ AirGap Bundles (Formerly: Operations ▸ Feeds ▸ AirGap Bundles)         │
│ Region: APAC                                                                                │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Actions: [+ Create Bundle] [Download latest] [Verify bundle]                                │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Bundles                                                                                     │
│ ┌────────────────────┬────────────┬─────────────┬────────────────┬────────────────────────┐ │
│ │ Bundle Name        │ Target Env │ Contents    │ Built At       │ Actions                │ │
│ ├────────────────────┼────────────┼─────────────┼────────────────┼────────────────────────┤ │
│ │ apac-prod-2026-02- │ Prod       │ OSV+NVD+KEV │ 2026-02-18 02: │ [Download] [Verify]    │ │
│ │ apac-uat-2026-02-  │ UAT        │ OSV+KEV     │ 2026-02-17 02: │ [Download] [Verify]    │ │
│ └────────────────────┴────────────┴─────────────┴────────────────┴────────────────────────┘ │
│ Notes: Bundle embeds version locks + signing metadata for audit.                            │
└─────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

# 10.8 Screen — Feeds & AirGap Ops (Version Locks)

### Formerly

* Operations → Feeds → **Version Locks** tab.

### Why change

* Version locks are the core of **reproducible gating**:
  * “This approval used NVD snapshot X, OSV snapshot Y.”
* Essential for external audits and internal replay/verify.

### Screen graph (Mermaid)

```mermaid
flowchart LR
  A[Version Locks] --> B[Create Lock]
  A --> C[Lock Detail]
  A --> D[Apply Lock to Region/Env]
  A --> E[Apply Lock to Release]
  E --> F[Release Detail\nDeterminism tab]
```

### ASCII mock

```text
┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ Version Locks (Formerly: Operations ▸ Feeds ▸ Version Locks)           │
│ Region: US-East                                                                             │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Actions: [+ Create Version Lock] [Apply to Release] [Apply to Env]                          │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│ Locks                                                                                       │
│ ┌─────────────────┬───────────────┬──────────────┬────────────────────┬───────────────────┐ │
│ │ Lock ID         │ Sources       │ Created      │ Scope              │ Actions           │ │
│ ├─────────────────┼───────────────┼──────────────┼────────────────────┼───────────────────┤ │
│ │ lock-2026-02-18 │ NVD, OSV, KEV │ 2026-02-18   │ US-East / Prod     │ [View] [Apply]    │ │
│ │ lock-2026-02-17 │ OSV, KEV      │ 2026-02-17   │ APAC / UAT         │ [View] [Apply]    │ │
│ └─────────────────┴───────────────┴──────────────┴────────────────────┴───────────────────┘ │
│ Audit note: locks are referenced in Evidence Bundles + Replay/Verify.                       │
└─────────────────────────────────────────────────────────────────────────────────────────────┘
```

---

## What changed vs the *previous* draft (to keep the reorg intact)

* I’m keeping **Integrations Hub** under **Integrations** (configuration + dependency map).
* I’m placing **Feeds & AirGap Ops** under **Platform Ops** (operator workflows + determinism tooling), but it remains **second-class** because:
  * It’s linked from **Integrations Hub** (source issues → ops controls),
  * and it should be linked from the **Dashboard “Nightly Ops Signals”** card.

---

If you want, I can do **Pack 11** next for the remaining “Settings-class” pages you attached (Usage & Limits, Notifications, Identity & Access, Trust & Signing, System) but **in the new IA**, with the same: **Mermaid menu + per-screen graphs + ASCII mocks + Formerly/Why**.