I’ll extend the redesign for the **remaining “Settings/Admin” screens** you just shared, keeping the **main IA reorg intact**, adding **Release Control as a root menu**, and introducing the missing **Release Bundle Organizer**.

Below: **Mermaid graphs per menu**, then **per-screen: (1) where it lived before, (2) why it moved/changed, (3) ASCII mock**, and each mock includes a **“Previously called”** line for transition.

---

## 1) Updated top-level navigation (keeping the main reorg intact)

```mermaid
flowchart LR
  RC[Release Control] --- SR[Security & Risk]
  RC --- EA[Evidence & Audit]
  RC --- INT[Integrations]
  RC --- OPS[Platform Ops]
  RC --- ADM[Administration]

  SR --- SR1[Findings & Reachability]
  SR --- SR2[VEX Hub]
  SR --- SR3[Exceptions]
  SR --- SR4[Advisory Sources]

  EA --- EA1[Evidence Packets]
  EA --- EA2[Proof Chains]
  EA --- EA3[Replay / Verify]
  EA --- EA4[Export Center]

  INT --- INT1[SCM]
  INT --- INT2[CI/CD]
  INT --- INT3[Registries]
  INT --- INT4[Secrets]
  INT --- INT5[Targets / Runtimes]
  INT --- INT6[Feeds]
  INT --- INT7[Notification Providers]

  OPS --- OPS1[Platform Health]
  OPS --- OPS2[Background Jobs]
  OPS --- OPS3[Scheduler]
  OPS --- OPS4[Dead Letter]
  OPS --- OPS5[Quotas & Usage]
  OPS --- OPS6[Feed Mirror & AirGap Ops]
  OPS --- OPS7[Nightly Ops Report]

  ADM --- ADM0[Admin Overview]
  ADM --- ADM1[Identity & Access]
  ADM --- ADM2[Tenant & Branding]
  ADM --- ADM3[Notifications]
  ADM --- ADM4[Usage & Limits]
  ADM --- ADM5[Policy Governance]
  ADM --- ADM6[Trust & Signing]
  ADM --- ADM7[System]
```

---

# PACK: Administration + Release Control Setup + Integrations

---

## 2) Administration menu → screen graph

```mermaid
flowchart TB
  ADM[Administration] --> A0[Admin Overview]
  ADM --> A1[Identity & Access]
  ADM --> A2[Tenant & Branding]
  ADM --> A3[Notifications]
  ADM --> A4[Usage & Limits]
  ADM --> A5[Policy Governance]
  ADM --> A6[Trust & Signing]
  ADM --> A7[System]

  A3 -.channels live in.-> INTN[Integrations > Notification Providers]
  A4 -.operational drilldown.-> OPSQ[Platform Ops > Quotas & Usage]
  A7 -.operational drilldown.-> OPSH[Platform Ops > Platform Health]
  A7 -.jobs drilldown.-> OPSJ[Platform Ops > Background Jobs]
  A5 -.gates apply to.-> RCG[Release Control > Gates & Approvals]
  A6 -.evidence uses.-> EA[Evidence & Audit]
```

---

## Screen A0 — Administration Overview

**Previously:** There was no single “admin hub”; admin functions were scattered under **Settings** (and some under **Operations**).

**Now:** `Administration → Overview`

**Why:** Admin users need a **single choke-point** for identity, policy governance, trust, notifications, and tenant controls—without mixing it with runtime ops dashboards.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Region: All ▼] [Env: All ▼] [Status: OK]│
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV           │ Administration — Overview                                    │
│               │ Previously called: (new) — consolidates legacy Settings pages│
│ Release Ctrl  │                                                              │
│ Security&Risk │ Quick Health                                                 │
│ Evidence      │ ┌──────────────┬──────────────┬──────────────┬────────────┐  │
│ Integrations  │ │ Integrations │ Policy Pack  │ Quotas       │ Jobs       │  │
│ Platform Ops  │ │ 6 ok /2 warn │ Core latest  │ 65% scans    │ 0 failing  │  │
│ Administration│ └──────────────┴──────────────┴──────────────┴────────────┘  │
│ ▸ Overview    │                                                              │
│   Identity    │ Admin Areas                                                  │
│   Tenant      │ ┌─────────────────────┐ ┌─────────────────────┐              │
│  Notifications│ │ Identity & Access   │ │ Policy Governance   │              │
│   Usage&Limits│ │ (Users/Roles/Keys)  │ │ (Baselines/Rules)   │              │
│   Policy Gov  │ │ Formerly: Settings  │ │ Formerly: Settings  │              │
│   Trust&Sign  │ └─────────────────────┘ └─────────────────────┘              │
│   System      │ ┌─────────────────────┐ ┌─────────────────────┐              │
│               │ │ Notifications       │ │ Trust & Signing     │              │
│               │ │ Formerly: Settings  │ │ Formerly: Settings  │              │
│               │ └─────────────────────┘ └─────────────────────┘              │
│               │ ┌─────────────────────┐ ┌─────────────────────┐              │
│               │ │ Tenant & Branding   │ │ Usage & Limits      │              │
│               │ │ Formerly: Settings  │ │ Formerly: Settings  │              │
│               │ └─────────────────────┘ └─────────────────────┘              │
│               │ ┌────────────────────────────────────────────────────────┐   │
│               │ │ System (Admin) — diagnostics & admin tools             │   │
│               │ │ Formerly: Settings > System                            │   │
│               │ └────────────────────────────────────────────────────────┘   │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

---

## Screen A1 — Identity & Access

**Previously:** `Settings → Identity & Access`

**Now:** `Administration → Identity & Access`

**Why:** This is **pure admin** (RBAC, OAuth, API keys, tenants). It shouldn’t compete with release/security workflows.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Admin]                                  │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV           │ Identity & Access                                            │
│ Administration│ Previously called: Settings > Identity & Access              │
│   Overview    │                                                              │
│ ▸ Identity    │ Tabs: [Users] [Roles] [OAuth/SSO Clients] [API Tokens] [Tenants] │
│   Tenant      │                                                              │
│  Notifications│ [ + Add User ] [Invite] [Import] [Audit Log→]                │
│   Usage&Limits│                                                              │
│   Policy Gov  │ Users                                                        │
│   Trust&Sign  │ ┌──────────────────────────────────────────────────────────┐ │
│   System      │ │ Name     Email             Role     Status  Actions      │ │
│               │ │ -------- ----------------- -------- ------- --------     │ │
│               │ │ ...                                                      │ │
│               │ └──────────────────────────────────────────────────────────┘ │
│               │                                                              │
│               │ Notes: API Tokens are used by Agents/CI integrations; link to│
│               │ Integrations → CI/CD for token scope testing.                │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

---

## Screen A2 — Tenant & Branding

**Previously:** `Settings → Tenant / Branding`

**Now:** `Administration → Tenant & Branding`

**Why:** Tenant configuration is **identity-adjacent** (domains, default policy pack, org metadata). Keeping it in Admin prevents accidental mixing with operational tooling.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼]                                          │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV           │ Tenant & Branding                                            │
│ Administration│ Previously called: Settings > Tenant / Branding              │
│   Overview    │                                                              │
│   Identity    │ Tenants                                                      │
│ ▸ Tenant      │ ┌──────────────────────────────────────────────────────────┐ │
│  Notifications│ │ Tenant   Domain(s)          Default Policy   Status      │ │
│   Usage&Limits│ │ Core     core.example.com   Core Pack        Active      │ │
│   Policy Gov  │ │ …                                                        │ │
│   Trust&Sign  │ └──────────────────────────────────────────────────────────┘ │
│   System      │                                                              │
│               │ Branding (selected tenant)                                   │
│               │ ┌──────────────────────────────────────────────────────────┐ │
│               │ │ Logo [Upload]  App Name [Stella Ops]  Support URL […]    │ │
│               │ │ Theme: Light/Dark  Legal Footer  Privacy/License links   │ │
│               │ └──────────────────────────────────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

---

## Screen A3 — Notifications

**Previously:** `Settings → Notifications`

**Now:** `Administration → Notifications`

**Why:** Notification *policy* (who gets notified, on what events) is governance/admin. The channel connectivity lives in Integrations, but rules/templates remain here.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼]                                          │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV           │ Notifications                                                │
│ Administration│ Previously called: Settings > Notifications                  │
│   Overview    │                                                              │
│   Identity    │ Rules                        Channels (connectivity)         │
│   Tenant      │ ┌──────────────────────────┐ ┌───────────────────────────┐   │
│▸ Notifications│ │ + Add Rule               │ │ Email   ✅ Active         │   │
│   Usage&Limits│ │ - “Critical reachable…”  │ │ Slack   ✅ Active         │   │
│   Policy Gov  │ │ - “Bundle blocked…”      │ │ Webhook ⚠ Not configured  │   │
│   Trust&Sign  │ └──────────────────────────┘ │ [Manage in Integrations →]│   │
│   System      │                              └───────────────────────────┘   │
│               │ Templates                    Delivery / Activity Log         │
│               │ ┌──────────────────────────┐ ┌─────────────────────────┐     │
│               │ │ Default templates        │ │ View log   Export       │     │
│               │ │ [Edit Templates]         │ │ Filter: last 7d ▼       │     │
│               │ └──────────────────────────┘ └─────────────────────────┘     │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

---

## Screen A4 — Usage & Limits

**Previously:** `Settings → Usage & Limits`

**Now:** `Administration → Usage & Limits` (admin-facing)

**Why:** This becomes the **policy/contract view** (limits, entitlements, throttle settings). Operational drilldown (queues, retries, per-job usage) stays in Platform Ops.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Month: Feb 2026 ▼]                      │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV           │ Usage & Limits                                               │
│ Administration│ Previously called: Settings > Usage & Limits                 │
│   Overview    │                                                              │
│   Identity    │ Usage snapshot                                               │
│   Tenant      │ ┌──────────────┬──────────────┬──────────────┬────────────┐  │
│  Notifications│ │ Scans 6500/  │ Storage 42/  │ Evidence 2800│ API 15k/   │  │
│ ▸ Usage&Limits│ │ 10k          │ 100 GB       │ /10k         │ 100k       │  │
│   Policy Gov  │ └──────────────┴──────────────┴──────────────┴────────────┘  │
│   Trust&Sign  │                                                              │
│   System      │ Limits & throttles (tenant)                                  │
│               │ ┌──────────────────────────────────────────────────────────┐ │
│               │ │ Configure Quotas | Burst rules | Per-integration caps    │ │
│               │ │ [Open Platform Ops → Quotas & Usage] (drilldown dashboard) │ │
│               │ └──────────────────────────────────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

---

## Screen A5 — Policy Governance

**Previously:** `Settings → Policy Governance`

**Now:** `Administration → Policy Governance` (with strong cross-links to Release Control gates)

**Why:** Policies are **organizational governance**. The effect is felt in Release Control (gates), Security (exceptions), Evidence (decision capsule), but the configuration belongs in Admin.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Policy Pack: Core (latest) ▼]                            │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV           │ Policy Governance                                            │
│ Administration│ Previously called: Settings > Policy Governance              │
│   Overview    │                                                              │
│   Identity    │ Policy Baselines (per env/region)  Governance Rules          │
│   Tenant      │ ┌───────────────────────────────┐  ┌──────────────────────┐  │
│  Notifications│ │ + Create Baseline             │  │ Edit Rules           │  │
│   Usage&Limits│ │ Baselines: Dev/Stage/Prod     │  │ Gate: Reachable crit │  │
│ ▸ Policy Gov  │ └───────────────────────────────┘  └──────────────────────┘  │
│   Trust&Sign  │                                                              │
│   System      │ Simulation                         Exception Workflow        │
│               │ ┌───────────────────────────────┐  ┌──────────────────────┐  │
│               │ │ Run Simulation (what-if)      │  │ Configure approvals  │  │
│               │ │ Inputs: bundle/digest/env     │  │ Links to Exceptions  │  │
│               │ └───────────────────────────────┘  └──────────────────────┘  │
│               │                                                              │
│               │ Shortcuts: [Go to Release Control → Gates]                   │
│               │            [Go to Security → Exceptions]                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

---

## Screen A6 — Trust & Signing

**Previously:** `Settings → Trust & Signing`

**Now:** `Administration → Trust & Signing` (but “used by” Evidence & Audit)

**Why:** Key material, issuers, certs, and transparency log integration are **security administration** concerns. Evidence consumes these; it shouldn’t configure them.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼]                                          │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV           │ Trust & Signing                                              │
│ Administration│ Previously called: Settings > Trust & Signing                │
│   Overview    │                                                              │
│   Identity    │ Signing Keys     Issuers         Certificates                │
│   Tenant      │ ┌──────────────┐ ┌─────────────┐ ┌────────────────────────┐  │
│  Notifications│ │ Manage Keys  │ │ Manage      │ │ Manage Certs           │  │
│   Usage&Limits│ └──────────────┘ └─────────────┘ └────────────────────────┘  │
│   Policy Gov  │                                                              │
│ ▸ Trust&Sign  │ Transparency Log        Trust Scoring       Audit Log        │
│   System      │ ┌─────────────────────┐ ┌─────────────────┐ ┌─────────────┐  │
│               │ │ Configure Rekor     │ │ Edit Score cfg  │ │ View log    │  │
│               │ └─────────────────────┘ └─────────────────┘ └─────────────┘  │
│               │                                                              │
│               │ Used by: Evidence Packets, Proof Chains, Decision Capsules   │
│               │ [Open Evidence & Audit → Proof Chains]                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

---

## Screen A7 — System (Admin)

**Previously:** `Settings → System`

**Now:** `Administration → System` (admin-only controls) + links into Platform Ops for the operational views

**Why:** This page becomes the **administrative console** (diagnostics, SLO config, admin job controls). Routine monitoring lives in Platform Ops.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Admin-only tools]                       │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV           │ System                                                       │
│ Administration│ Previously called: Settings > System                         │
│   Overview    │                                                              │
│   Identity    │ Health Check                 Doctor / Diagnostics            │
│   Tenant      │ ┌──────────────────────────┐ ┌─────────────────────────────┐ │
│  Notifications│ │ All systems operational  │ │ Run Doctor   Export report  │ │
│   Usage&Limits│ │ [View in Platform Ops →] │ │ Last run: …                 │ │
│   Policy Gov  │ └──────────────────────────┘ └─────────────────────────────┘ │
│   Trust&Sign  │                                                              │
│ ▸ System      │ SLO Monitoring               Background Jobs (admin controls)│
│               │ ┌──────────────────────────┐ ┌─────────────────────────────┐ │
│               │ │ View SLOs / edit targets │ │ View jobs (Platform Ops →)  │ │
│               │ └──────────────────────────┘ │ Nightly Ops Report (→)      │ │
│               │                              └─────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

---

# Release Control becomes a ROOT menu (and absorbs “Settings → Release Control”)

## 3) Release Control setup menu → screen graph

```mermaid
flowchart TB
  RC[Release Control] --> RCH[Control Plane]
  RC --> RCL[Releases Ledger]
  RC --> RCB[Release Bundles]
  RC --> RCG[Gates & Approvals]
  RC --> RCD[Deployments]
  RC --> RCE[Regions & Environments]
  RC --> RCP[Promotion Graph]
  RC --> RCS[Setup]

  RCS --> S1[Environments & Promotion Paths]
  RCS --> S2[Targets & Agents]
  RCS --> S3[Workflows]
  RCS --> S4[Bundle Templates]

  RCB --> BO[Release Bundle Organizer]
```

---

## Screen RC-S0 — Release Control → Setup (hub)

**Previously:** `Settings → Release Control` (hub with Environments/Targets/Agents/Workflows)

**Now:** `Release Control → Setup`

**Why:** This configuration directly governs how promotions, deployments, and gates work. It’s operationally part of release control, not general settings.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Region: All ▼] [Env: All ▼]                              │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV           │ Release Control — Setup                                      │
│ Release Ctrl  │ Previously called: Settings > Release Control                │
│   ControlPlane│                                                              │
│   Releases    │ Setup areas                                                  │
│   Bundles     │ ┌────────────────────────┐ ┌──────────────────────────┐      │
│   Gates       │ │ Environments & Paths   │ │ Targets & Agents         │      │
│   Deployments │ │ (Dev→Stage→Prod)       │ │ (where/how deploy)       │      │
│   Regions&Env │ │ Formerly: Environments │ │ Formerly: Targets/Agents │      │
│   Promotion   │ └────────────────────────┘ └──────────────────────────┘      │
│ ▸ Setup       │ ┌────────────────────────┐ ┌───────────────────────────────┐ │
│               │ │ Workflows              │ │ Bundle Templates              │ │
│               │ │ Formerly: Workflows    │ │ (for bundle organizer)        │ │
│               │ └────────────────────────┘ └───────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

---

## Screen RC-S1 — Environments & Promotion Paths

**Previously:** `Settings → Release Control → Environments`

**Now:** `Release Control → Setup → Environments & Promotion Paths` (and linked from `Regions & Environments`)

**Why:** This is the **promotion graph definition** (pipelines, stages, gates). It must be adjacent to release visibility.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Setup / Environments & Paths                               │
│ Previously called: Settings > Release Control > Environments                 │
├──────────────────────────────────────────────────────────────────────────────┤
│ [ + Add Environment ] [ + Add Region ] [Edit Promotion Graph] [Policy Baseline→] │
│                                                                              │
│ Regions (left)              Promotion Paths (right)                          │
│ ┌───────────────────────┐  ┌───────────────────────────────────────────┐     │
│ │ US-East               │  │ Dev → Stage → Prod                        │     │
│ │ EU-Sovereign          │  │ Gates: SBOM OK | Reachability | Approvals │     │
│ │ AirGap-01             │  │ Exceptions: allowed via workflow          │     │
│ └───────────────────────┘  └───────────────────────────────────────────┘     │
│                                                                              │
│ Environment details                                                          │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Env: Stage (EU-Sovereign)  Targets: 3  Agents: 2  Workflow: Blue/Green   │ │
│ │ Baseline: Core Policy Pack  Notifications: Stage-Release channel         │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
```

---

## Screen RC-S2 — Targets & Agents

**Previously:** `Settings → Release Control → Targets` and `Agents`

**Now:** `Release Control → Setup → Targets & Agents`

**Why:** These define *how* releases reach runtime. They are release-control primitives, while the *connectors* (SSH, Nomad, ECS, etc.) are Integrations.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Setup / Targets & Agents                                   │
│ Previously called: Settings > Release Control > Targets + Agents             │
├──────────────────────────────────────────────────────────────────────────────┤
│ Targets                                            Agents                    │
│ [ + Add Target ]                                   [ + Register Agent ]      │
│ ┌───────────────────────────────────────────────┐  ┌──────────────────────┐  │
│ │ Name      Type         Region  Status         │  │ Agent  Region Status │  │
│ │ swarm-01  DockerSwarm  EU      ✅ Healthy     │  │ ag-12  EU     ✅     │  │
│ │ ecs-prod  AWS ECS      US      ⚠ Degraded     │  │ ag-09  US     ⚠      │  │
│ └───────────────────────────────────────────────┘  └──────────────────────┘  │
│                                                                              │
│ Mapping                                                                      │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Env: Stage → Targets: swarm-01, nomad-02 → Agents: ag-12                 │ │
│ │ Env: Prod  → Targets: ecs-prod           → Agents: ag-09                 │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│                                                                              │
│ Notes: Connectivity lives in Integrations > Targets/Runtimes (SSH/VPN creds).│
└──────────────────────────────────────────────────────────────────────────────┘
```

---

## Screen RC-S3 — Workflows

**Previously:** `Settings → Release Control → Workflows`

**Now:** `Release Control → Setup → Workflows`

**Why:** Workflows are the executable “release doctrine” (blue/green, canary, rollback). They must live next to promotions and approvals.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Setup / Workflows                                          │
│ Previously called: Settings > Release Control > Workflows                    │
├──────────────────────────────────────────────────────────────────────────────┤
│ [ + New Workflow ] [Import] [Validate]                                       │
│                                                                              │
│ Workflow Templates                                                           │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Blue/Green — steps: preflight → deploy → smoke → promote → attest        │ │
│ │ Canary     — steps: 5% → 25% → 50% → 100% with gates at each stage       │ │
│ │ Rollback   — steps: select prior digest/bundle → deploy → verify → lock  │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│                                                                              │
│ Default mapping                                                              │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Dev: Canary   Stage: Blue/Green   Prod: Blue/Green (strict gates)        │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
```

---

# Missing crucial capability added: Release Bundle Organizer

## Screen RC-B0 — Release Bundles (Organizer)

**Previously:** This capability was **missing / implicit** (digest-first releases existed, but no first-class bundling and config snapshot composition).

**Now:** `Release Control → Bundles → Bundle Organizer`

**Why:** You need a **bundle abstraction**: “microservice digests + env-derived variables (Vault/Consul) + changelog per repository” becoming an immutable versioned unit that can be gated, approved, exported (air-gap), and promoted.

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Bundles / Bundle Organizer                                 │
│ Previously called: (new) — fills gap between Release Digest and Multi-svc ship│
├──────────────────────────────────────────────────────────────────────────────┤
│ Bundle: [Repo Group: payments-platform ▼]  Version: [v1.8.0 ▼]  Status: Draft│
│ [Create Bundle] [Save Draft] [Compute Bundle Digest] [Run Gates]             │
│ [Request Approval]                                                           │
│                                                                              │
│ Included Services (digest-first → bundle version)                            │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Service         Image Digest  Service Ver  SBOM     Reachability   Gate  │ │
│ │ payments-api    sha256:…      1.8.0        ✅ OK    ✅ runtime     ✅    │ │
│ │ billing-worker  sha256:…      2.3.1        ⚠ crit   ⚠ image-only   ❌    │ │
│ │ ui-gateway      sha256:…      0.19.4       ✅ OK    ✅ build+run   ✅    │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│                                                                              │
│ Variables Snapshot (derived per env)                                         │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Environment: Stage (EU)                                                  │ │
│ │ Vault:  /kv/stage/payments/*      Snapshot: vaultsnap-91a2   Diff: masked│ │
│ │ Consul: /config/stage/payments/*  Snapshot: consulsnap-33f1  Diff: masked│ │
│ │ [View resolved manifest]  [Export env overlay]                           │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│                                                                              │
│ Changelog (per repository)                                                   │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ payments-api:   PR#1823 Fix tax rounding | PR#1831 Upgrade openssl       │ │
│ │ billing-worker: PR#944 Retry logic | PR#951 Patch CVE-…                  │ │
│ │ [Pull from SCM Integration]  [Edit release notes]                        │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│                                                                              │
│ Evidence hooks                                                               │
│ - Generates: Bundle Manifest, Evidence Packet, Decision Capsule, Export Kit  │
│ - Links: Security Findings, Exceptions, Approvals, Proof Chains              │
└──────────────────────────────────────────────────────────────────────────────┘
```

**Implementation note (UI semantics):**

* “Bundle Version” is a **human-friendly label**; the authoritative identity remains **content-addressed** (bundle digest) + evidence.
* Vault/Consul snapshots are explicit objects, so auditors can see “what config was used” without exposing secrets (masked diffs).

---

# Integrations is still essential, but kept clean: connectivity & sync health live here

## 4) Integrations menu → screen graph

```mermaid
flowchart TB
  INT[Integrations] --> I0[Overview]
  INT --> I1[SCM]
  INT --> I2[CI/CD]
  INT --> I3[Registries]
  INT --> I4[Secrets]
  INT --> I5[Targets / Runtimes]
  INT --> I6[Feeds]
  INT --> I7[Notification Providers]

  I0 --> ID[Integration Detail]

  I6 -.advisory freshness drives.-> SR4[Security & Risk > Advisory Sources]
  I6 -.offline mirroring handled by.-> OPS6[Platform Ops > Feed Mirror & AirGap Ops]
  I4 -.config snapshots used by.-> RCB[Release Bundles]
  I1 -.changelog used by.-> RCB
  I3 -.digests & image sbom used by.-> RC[Release Control]
```

---

## Screen I0 — Integrations Overview

**Previously:** `Settings → Integrations`

**Now:** `Integrations → Overview` (root menu)

**Why:** Integrations are cross-cutting. This page becomes the **single source of truth for connectivity + data freshness**, with clear escalation links (Nightly Ops Report, Feed Mirror, DLQ).

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼]                                          │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV           │ Integrations                                                 │
│ Integrations  │ Previously called: Settings > Integrations                   │
│ ▸ Overview    │                                                              │
│   SCM         │ Status summary                                               │
│   CI/CD       │ ┌───────────────┬───────────────┬───────────────┐            │
│   Registries  │ │ Connected: 6  │ Degraded: 1   │ Disconnected:1│            │
│   Secrets     │ └───────────────┴───────────────┴───────────────┘            │
│   Targets     │                                                              │
│   Feeds       │ Filters: [All] [SCM] [CI/CD] [Registries] [Secrets] [Feeds]  │
│   Notify Prov │                                                              │
│               │ Cards                                                        │
│               │ ┌──────────────────────────────────────────────────────────┐ │
│               │ │ GitHub Enterprise  ✅  last sync 5m  scope: 42 repos     │ │
│               │ │ Jenkins  ⚠ degraded  last sync 1h  errors: 3             │ │
│               │ │ NVD Feed  ❌ disconnected  last ok: 2d  (blocks rescans) │ │
│               │ │ Vault  ✅  last sync 10m  paths: 18                      │ │
│               │ └──────────────────────────────────────────────────────────┘ │
│               │                                                              │
│               │ Escalation: [Nightly Ops Report →] [Platform Ops → DLQ]      │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

---

## Screen ID — Integration Detail (template)

**Previously:** You’d click an integration card; details were inconsistent.

**Now:** Every integration has a standardized detail page.

**Why:** You need uniform answers to: **Is it connected? What data is stale? What is blocked downstream?**

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Integrations / Detail: NVD Feed                                              │
│ Previously called: Settings > Integrations (card detail)                     │
├──────────────────────────────────────────────────────────────────────────────┤
│ Status: ❌ Disconnected   Last healthy sync: 2d ago   Owner: SecOps          │
│ [Test Connection] [Reconnect] [View Errors] [Open DLQ] [Open Nightly Report] │
│                                                                              │
│ Sync Health                                                                  │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Schedule: hourly   Last attempt: 1h ago   Result: timeout                │ │
│ │ Freshness SLA: 6h   Current freshness: 2d (breach)                       │ │
│ │ Downstream impact: CVE re-scan blocked;                                  │ │
│ │   policy “re-evaluate on update” stale                                   │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│                                                                              │
│ Configuration (readable, safe)                                               │
│ - Endpoint: …                                                                │
│ - Auth: (masked)                                                             │
│ - Proxy: …                                                                   │
└──────────────────────────────────────────────────────────────────────────────┘
```

---

## What happened to “Settings → Security Data”?

This legacy menu item typically mixed **two different concerns**:

1. **Connectivity & syncing** of advisory sources (NVD/OSV/etc.)
2. **Security decisioning** (how sources are interpreted in policy gates)

**Redesign mapping (explicit):**

* **Connectivity + freshness** → `Integrations → Feeds` (and offline mirroring in `Platform Ops → Feed Mirror & AirGap Ops`)
* **How advisories affect risk/gates** → `Security & Risk → Advisory Sources`

(If you want, I’ll produce the **Advisory Sources** ASCII in the next Security pack so it stays consistent with your “second class screens” requirement.)

---

## Quick confirmation against the constraints you gave

* **Main reorganization preserved** (same root modules, Release Control is root, Admin is last/root).
* **Every screen includes “Previously called …”** in the mock header.
* **Release bundle organizer added** with Vault/Consul variables + per-repo changelog.

If you want the next message to continue, I’ll do the **Security Data / Advisory Sources** redesign as a focused pack (since it straddles Security & Risk + Integrations + Ops), and include Mermaid + ASCII the same way.
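
The implementation note under Screen RC-B0 says the bundle's authoritative identity is its content-addressed digest, with the version as a label and config snapshots shown only as masked diffs. The sketch below is an added example, not part of the original message or the product's code; the manifest fields, the canonical JSON encoding, and the names `canonical_manifest`, `bundle_digest`, `seal`, `verify`, `masked_diff` and `img_digest` are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def canonical_manifest(services, snapshots, changelog):
    """Deterministic bytes for the bundle content; the human label is not an input."""
    names = [s["name"] for s in services]
    if len(names) != len(set(names)):
        raise ValueError("duplicate service name in bundle")
    for s in services:
        # Digest-first: a mutable tag such as 'payments-api:1.8.0' is not an identity.
        if not DIGEST_RE.match(s["image_digest"]):
            raise ValueError(f"{s['name']}: image must be pinned by sha256 digest")
    doc = {
        "services": sorted(
            ({"name": s["name"], "image_digest": s["image_digest"],
              "version": s["version"]} for s in services),
            key=lambda s: s["name"]),
        "snapshots": snapshots,  # snapshot IDs only, never resolved secret values
        "changelog": changelog,
    }
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def bundle_digest(services, snapshots, changelog):
    data = canonical_manifest(services, snapshots, changelog)
    return "sha256:" + hashlib.sha256(data).hexdigest()


def seal(label, services, snapshots, changelog):
    """Record kept with the evidence: label is metadata, digest is the identity."""
    return {"label": label,
            "digest": bundle_digest(services, snapshots, changelog),
            "services": services, "snapshots": snapshots, "changelog": changelog}


def verify(record):
    """Recompute the digest from content and compare it with the sealed value."""
    try:
        actual = bundle_digest(record["services"], record["snapshots"],
                               record["changelog"])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(actual, record["digest"])


def masked_diff(old, new):
    """Key-level diff of two resolved snapshots; values are compared, never returned."""
    diff = {}
    for key in sorted(set(old) | set(new)):
        if key not in old:
            diff[key] = "added"
        elif key not in new:
            diff[key] = "removed"
        elif not hmac.compare_digest(old[key].encode(), new[key].encode()):
            diff[key] = "changed"
    return diff


def img_digest(seed):
    """Constructed stand-in for a registry image digest (sample data only)."""
    return "sha256:" + hashlib.sha256(seed.encode()).hexdigest()


# Constructed sample bundle, using the names shown in the RC-B0 mock.
SERVICES = [
    {"name": "payments-api", "image_digest": img_digest("payments-api"), "version": "1.8.0"},
    {"name": "billing-worker", "image_digest": img_digest("billing-worker"), "version": "2.3.1"},
    {"name": "ui-gateway", "image_digest": img_digest("ui-gateway"), "version": "0.19.4"},
]
SNAPSHOTS = {"stage-eu": {"vault": "vaultsnap-91a2", "consul": "consulsnap-33f1"}}
CHANGELOG = {"payments-api": ["PR#1823 Fix tax rounding", "PR#1831 Upgrade openssl"]}

if __name__ == "__main__":
    record = seal("v1.8.0", SERVICES, SNAPSHOTS, CHANGELOG)
    print(record["digest"], verify(record))
    print(masked_diff({"DB_PASSWORD": "old"}, {"DB_PASSWORD": "new", "FEATURE_X": "on"}))
```

Because the label never enters the hash, renaming a bundle leaves it verifiable, while swapping an image digest or referencing an image by tag fails `verify`.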