git.stella-ops.org/docs/qa/LOCAL_DEVOPS_SECURITY_JOURNEY_20260317.md

Local DevOps/Security Journey - 2026-03-17

Perspective: DevOps or security engineer evaluating Stella Ops as a replacement for custom CI/CD scripts and partial deployment-security tooling.

Method

• Fresh local compose runtime using devops/compose/docker-compose.stella-ops.yml
• Browser-driven walkthrough with local Playwright automation and screenshot capture
• Minimal document pre-read; product understanding driven primarily by the running system and only enough local documentation to frame the intended architecture

Environment

• Date: 2026-03-17
• Host: local developer machine
• Login used: admin / Admin@Stella2026!
• Screenshot artifacts: output/playwright/

---

Baseline Findings Recorded Before Deeper Pass

Runtime readiness

• The product shell is reachable at https://stella-ops.local.
• The gateway does not reach full ready state on fresh startup:
  • /health returns ready:false
  • missing microservice: vexhub
• stellaops-vexhub-web crashes on startup migration with:
  • relation "vexhub.vex_sources" does not exist
• This contaminates VEX-dependent surfaces and means the first-run product experience is already partially broken before a user begins meaningful work.

Welcome and first-run positioning

• Root navigation lands on /welcome.
• The welcome page is visually sparse and brand-heavy:
  • RELEASE CONTROL PLANE
  • ENCRYPTED IDENTITY PIPELINE
  • Sign In
• It does not explain:
  • what Stella replaces in an existing pipeline
  • what the first operator action should be
  • how a user with Docker/Compose or script-based delivery should approach adoption

First authenticated landing

• Successful login lands on /mission-control/board.
• The dashboard shell is broad and polished, but the first impression is mixed:
  • strong top-level information architecture
  • unclear relationship between demo/seed data and real operational state
  • limited guidance on the next concrete action for a fresh install

First-round product observations

• /setup is the strongest onboarding surface found so far because it groups the right domains and exposes a first-time path.
• /setup/integrations is one of the clearest product areas because it explains setup order in operator language.
• /setup/integrations/registries has a concrete onboarding wizard with useful hints such as Harbor health probing and AuthRef secret indirection.
• /security/scan accepts an image submission (alpine:3.19) and shows a scan ID, but the scan remains PENDING without enough user-facing explanation.
• /ops/policy/vex renders a real user-facing failure:
  • VEX Hub error: 503
• /docs explains Stella's value proposition better than /welcome or the dashboard.

Initial product-shaping concerns

• Internal Stella terminology appears before user value is established.
• Demo-like metrics are mixed with honest empty-state data.
• Some surfaces feel operationally credible; others feel seeded or disconnected.
• The product is easier to understand once inside Setup, Integrations, Release, Evidence, and Docs than it is from the initial welcome and dashboard journey.

---

Investigation Status

• Baseline recorded.
• Deeper route and workflow pass completed for this session.
• Primary breadth artifact: output/playwright/route-survey-20260317.json
• Issue screenshots: output/playwright/deep-route-survey/
• Focused flow screenshots: output/playwright/deep-flows/
• Action-pack artifacts:
  • output/playwright/action-packs/setup-admin-actions-20260317.json
  • output/playwright/action-packs/security-release-actions-20260317.json
  • output/playwright/action-packs/evidence-ops-admin-actions-20260317.json
  • output/playwright/action-packs/integrations-release-shell-actions-20260317.json
  • output/playwright/action-packs/topology-policy-actions-20260317.json
  • output/playwright/action-packs/focused-run-actions-20260317.json
  • output/playwright/action-packs/micro-run-actions-20260317.json

---

Route Survey Summary

Coverage

• 88 authenticated routes surveyed in a single logged-in browser session.
• Route families covered:
  • Mission Control
  • Setup and Admin
  • Integrations
  • Topology
  • Security
  • Triage
  • Releases
  • Policy
  • Evidence
  • Operations
  • Console Admin
  • User Preferences
  • Docs
  • 403 and 404 recovery pages

Survey outcomes

• 88 routes loaded without browser-level navigation exceptions.
• 16 routes mutated URL after initial render or otherwise failed the simple stability check.
• 4 routes returned hard HTTP errors from product APIs during normal page load:
  • /setup/identity-providers -> 403
  • /security/risk -> multiple 404s
  • /security/unknowns -> 404
  • /ops/policy/vex -> 503
• Several additional routes completed render while background requests aborted or context requests dropped.

Important interpretation note

• The route survey used one authenticated browser session because replaying saved auth state did not reliably restore protected-route access.
• When a route looks broken in this note, it reflects either:
  • a product/runtime defect confirmed by response codes or clear user-facing error text
  • or a UX/data credibility issue visible to a fresh user
• The vexhub startup failure remains an environment contaminant for all VEX-backed flows.

---

What The Product Teaches Well

Setup is the strongest self-learning area

• /setup does the best job of explaining the system in operator-facing chunks:
  • identity
  • trust
  • integrations
  • topology
  • notifications
  • usage
  • system settings
• The first-time path is visible and sensible.
• The page explains that setup is a journey, not just a card wall.

Integrations are close to adoptable

• /setup/integrations explains setup order well.
• /setup/integrations/registries is particularly strong:
  • clear 6-step flow
  • concrete hints for Harbor
  • good secret-handling guidance via AuthRef
  • scoped, practical inputs instead of vague platform terminology
• This is one of the few areas that already feels like it could replace bespoke onboarding docs for a real platform team.

System Settings and Security Data are understandable

• /setup/system correctly frames itself as a handoff surface into health, doctor, SLO, and jobs instead of pretending to be the health system itself.
• /setup/security-data is concrete and operator-legible:
  • advisory sources
  • mirror
  • Trivy DB
  • version locks
• These pages are examples of Stella working well when it uses plain task language.

Release, evidence, and operational shells are structurally good

• /releases/promotions/create clearly communicates the promotion model:
  • identity
  • target
  • inputs
  • gates
  • approvals
  • launch
• /evidence/verify-replay is one of the clearest evidence surfaces because it shows:
  • request replay
  • replay list
  • quick verify
  • determinism framing
• /ops/operations/doctor has good information scent even without interaction depth in this pass.
• /settings/user-preferences is polished and easy to understand.

Docs explain Stella better than the product entrypoint

• /docs immediately explains the intended buyer/operator:
  • non-Kubernetes container estates
  • Compose/hosts/VMs/scripted automation
  • security + evidence + release governance
• This page explains Stella's value proposition more effectively than /welcome or the dashboard.

---

Core Product Problems Found In The Deeper Pass

1. Startup/readiness defects contaminate the first-run story

• The local runtime never reached clean ready state because vexhub failed startup migration.
• The product shell remains usable enough to explore, but the user is already inside a partially broken system.
• This matters because Stella's value proposition is operational trust, and the first experience visibly breaks that promise.

2. The old route inventory is not reliable enough to be a learning aid

• One of the old-path routes, /ops/platform-setup/topology-wizard, bounced to /welcome in a fresh authenticated session.
• That confirms the user's instruction to treat prior route notes as referential only.
• A fresh operator cannot rely on hidden route knowledge; the product must teach the path from inside the UI.

3. Context propagation is inconsistent across the product

• Several routes drop tenant and regions from the URL entirely:
  • /triage/artifacts
  • /evidence/verify-replay
  • /evidence/exports
  • /ops/operations/notifications
  • /ops/operations/dead-letter
  • all /console-admin/*
  • /settings/user-preferences
  • /docs
• Some of those routes also show topbar context drift:
  • REGION All regions
  • ENV No env defined yet
  • Policy: No baseline
• Other pages in the same journey still show:
  • TENANT Demo Production
  • REGION 4 regions
  • ENV All environments
  • Policy: Core Policy Pack latest
• To a fresh user, this makes the platform feel internally inconsistent even when the page itself is not obviously broken.

4. Demo/seed behavior still leaks into critical operator judgments

• The product mixes strong, honest empty states with seeded operational-looking content.
• Example surfaces that look seeded or at least not grounded in this actual local session:
  • /security/vulnerabilities shows named CVEs with reachability/exceptions
  • /releases/deployments shows realistic deployment history rows
  • /mission-control/alerts and /mission-control/activity show plausible but unproven operational narratives
  • /ops/operations/signals shows five events and a 60% error rate
• Example surfaces that are honest-but-empty or clearly disconnected:
  • scans stay PENDING
  • audit log remains 0
  • decision capsules say create a release first
• The inconsistency is the trust problem, not the existence of fixtures by itself.

5. Some pages are clearly broken in user-visible ways

/setup/identity-providers

• User-facing message:
  • Failed to load providers
  • Identity Provider API error: Unknown error
• Under the hood this is a 403 from /api/v1/platform/identity-providers.
• This is exactly the kind of page a new admin would try early in setup.

/security/risk

• Multiple 404s during page load:
  • /authority/risk/risk/status
  • /authority/risk/risk
  • /api/gate/verdict
  • /api/risk-budget/kpis
  • /api/risk-budget/snapshot
• This is not a subtle UX issue; it looks like an unimplemented or miswired feature surface.

/security/unknowns

• Still broken with scanner unknowns API 404.
• Fresh users see a real failure instead of a usable explanation or disabled state.

/ops/policy/vex

• Visible 503 because VEX Hub is down.
• The UI shows the failure, which is honest, but the product path is still broken.

/console-admin/tenants, /console-admin/clients, /console-admin/tokens

• These routes render headings and then remain in indefinite loading states:
  • Loading tenants...
  • Loading OAuth2 clients...
  • Loading tokens...
• That makes the whole Console Admin area feel half-connected.

6. Report and dashboard surfaces still blur posture, reporting, and action

• /security/reports exposes Export CSV and Generate PDF, which is better than the earlier first pass suggested, but the page still behaves like a security-posture workspace more than a true report center.
• /security/reports and /security share very similar content structure and headings.
• For a fresh user, the distinction between:
  • posture
  • report generation
  • evidence export is still not as crisp as it should be.

7. The scan flow still does not close the loop

• Submitting alpine:3.19 creates a scan ID and moves to a progress view.
• The resulting status remained PENDING during this session.
• The page does not adequately explain whether:
  • the engine is intentionally simulated
  • the job is queued
  • or the scan path is not fully wired in local compose mode
• A technically competent evaluator reads this as "stuck" unless explicitly told otherwise.

8. Audit/evidence trust is undermined by a silent emptiness gap

• /evidence/audit-log still reports 0 Total Events (7d).
• The page even lists the kinds of actions that should appear automatically:
  • release seals
  • promotions
  • approvals
  • policy changes
  • VEX decisions
  • integration changes
• Given that the local product was actively used during this session, the empty audit log feels suspect, not reassuring.

---

Route Family Notes

Mission Control

• /mission-control/board
  • Broad shell is strong.
  • Still suffers from trust problems because its numbers and status cards are not obviously tied to anything the user has just done.
• /mission-control/alerts
  • Reads like a plausible operational summary.
  • Good copy, but not clearly tied to real local state.
• /mission-control/activity
  • Nicely grouped by release runs, evidence, and audit.
  • Again feels more like a prepared story than an earned activity stream.

Setup And Admin

• /setup
  • Best first-time self-learning surface.
• /setup/identity-access
  • Useful and understandable.
  • Good explanation of least privilege and canonical clients/tokens.
• /setup/trust-signing
  • Better than expected in this pass.
  • Not empty; shows a meaningful overview with key counts and tabs.
• /setup/notifications
  • Strong distinction between setup-time configuration and operations-time runtime monitoring.
• /setup/system
  • Good "handoff, not verdict" framing.
• /setup/security-data
  • Good operator language and strong task grouping.
• /setup/identity-providers
  • Broken by 403.

Integrations

• /setup/integrations
  • Strong overview and order guidance.
  • URL mutated after initial load; likely context injection, not a blocker by itself.
• /setup/integrations/registries
  • Wizard remains one of the strongest product flows.
• /setup/integrations/runtime-hosts
  • Late URL mutation, but page renders.
• /setup/integrations/advisory-vex-sources
  • Loaded with grouped categories and looked materially populated.
  • Late URL mutation observed.

Topology

• /setup/topology/overview
  • Good information structure but it mutates URL after initial load.
  • Content still leans heavily on degraded/unknown status without enough explanation.
• /setup/topology/map, /setup/topology/targets, /setup/topology/agents
  • Similar late URL mutation pattern.
• Topology as a concept is present, but a fresh user still does not get a crisp "here is how you model your current Docker/host estate" guided path from the normal navigation alone.

Security And Triage

• /security
  • Strong shell, but still fixture-heavy or trust-ambiguous.
• /security/findings
  • Weak compared with the rest of Security.
  • No clear heading in the route survey and the surface starts from a "no baseline recommendations" framing, which is not a first-time user's mental model.
• /security/vulnerabilities
  • Richer, but clearly showing seeded-looking CVE content.
• /security/risk
  • Broken.
• /security/unknowns
  • Broken.
• /security/disposition
  • Loaded in the route survey; not broken in that pass.
• /triage/artifacts
  • Still a compelling concept, but it drops URL context and therefore feels slightly detached from the rest of the scoped application shell.

Releases

• /releases/versions
  • Good catalog framing.
• /releases/runs
  • Good concept and filters.
• /releases/deployments
  • Looks operationally real but likely fixture-backed.
• /releases/approvals
  • Honest empty state.
• /releases/promotions
  • Honest and well explained.
• /releases/promotions/create
  • Strong conceptual wizard.
• /releases/bundles
  • Good explanation of digest-first identity and validation gates.
• Release management as a category is one of Stella's clearest strengths.

Policy

• /ops/policy/overview
  • Still a strong shell.
• /ops/policy/governance and /ops/policy/simulation
  • Loaded cleanly and present a serious operator-facing control plane.
• /ops/policy/vex
  • Broken by upstream runtime failure.
• Policy pages also show context drift through the topbar's Policy: No baseline, which clashes with other shells showing Core Policy Pack latest.

Evidence

• /evidence/overview
  • Strong overview but context drift is visible.
• /evidence/capsules
  • Honest empty state: create a release first.
• /evidence/verify-replay
  • Strong concept surface but drops URL context.
• /evidence/exports
  • Useful structure, but also drops URL context and shows aborted background requests.
• /evidence/audit-log
  • Well explained, but the all-zero event story damages trust.

Operations

• /ops/operations
  • Good summary shell.
• /ops/operations/doctor
  • Promising and informative.
• /ops/operations/signals
  • Reads like realistic ops data but may be seeded; trust ambiguity remains.
• /ops/operations/feeds-airgap
  • Good operator language and healthy-looking structure.
• /ops/operations/notifications
  • Strong separation from Setup Notifications, but it drops tenant/region context in the URL and topbar.
• /ops/operations/data-integrity
  • Interesting concept, but title duplication (Data Integrity - StellaOps - StellaOps) and aborted background requests make it feel less finished.
• /ops/operations/health-slo
  • Weak snapshot in this environment: no services available despite a clearly running system.
• /ops/operations/dead-letter
  • Functional shell, but context drift is again visible.

Console Admin, User Preferences, Docs, Recovery Pages

• /console-admin/*
  • Mixed quality.
  • Branding works best.
  • Tenants/clients/tokens feel incompletely wired.
• /settings/user-preferences
  • One of the cleanest and most polished pages in the product.
• /docs
  • Best explanation of Stella's purpose.
• /console/profile
  • Good 403 page with sensible recovery links.
• /nonexistent
  • Good 404 page with recovery links.

---

Action-Level Findings

Shared shell controls are more real than the first pass suggested, but not always legible

• Global search behaves more like AI or knowledge retrieval than command navigation. Searching scan from User Preferences returned:
  • Best answer
  • Related Questions
  • Ask AI
  • knowledge snippets and endpoint references
• That behavior is useful, but it is a surprise if the user expects Ctrl+K or the shell search box to act like a route launcher.
• The region control is not a simple single-select picker. Toggling EU West from REGION 4 regions resulted in:
  • URL change to regions=apac,us-east,us-west
  • topbar change to REGION 3 regions
• The control appears to behave as a multi-select toggle, but the shell does not explain that model clearly.
• The window control works well. Selecting 7d updated the topbar to WINDOW 7d and added timeWindow=7d to the URL.
• The stage control exposes All / Dev / Stage / Prod, but choosing Prod left the shell at STAGE All. This looks like a real state-application defect.
• Deep-link scope hydration is still inconsistent. In different authenticated runs:
  • /releases/versions/new loaded with REGION All regions and ENV No env defined yet
  • /releases/promotions/create loaded once with REGION No regions defined
  • later in-session navigation to the same routes kept the active 3 regions / All environments / 7d scope correctly

Setup and admin actions reveal some of Stella's strongest product design

• Guided setup entry works and feels approachable:
  • Welcome to Stella Ops
  • autodetection steps
  • simple "ready" state
• The weak point is that the autodetection copy is theatrical rather than informative. It does not tell the operator what was actually detected or what it means for next steps.
• Identity & Access is one of the strongest action surfaces in the product:
  • Users explains enrollment flow clearly
  • Add User opens an inline create form
  • Roles exposes built-in permissions in a way an operator can actually inspect
  • OAuth Clients and API Tokens explicitly explain that setup is read-only here and point the user to the canonical admin routes
  • Tenants shows a real, editable tenant row with suspend and branding actions
• Trust & Signing improves once actions are tried:
  • Watchlist opens a real workspace with tuning guidance, noisy-rule framing, and a return path to notifications
  • Audit Log opens and shows example trust events
• The weaker part of Trust & Signing is discoverability inside the overview. Signing Keys, Trusted Issuers, and Certificates did not obviously move the user out of the overview in action testing, while Watchlist and Audit Log clearly did.
• Setup Notifications and Ops Notifications are one of the best paired workflows in the product:
  • setup clearly owns lifecycle, templates, throttles, and routing design
  • ops clearly owns live delivery validation and test sends
  • both pages link to each other cleanly
• Console Admin Branding is another strong page:
  • practical token editing
  • live preview
  • safe, understandable scope
• Console Admin Tenants remains weak:
  • heading loads
  • Create Tenant button renders
  • body still says Loading tenants...

Evidence and operations actions split cleanly into "genuinely useful" and "still suspicious"

• Export Center is one of the strongest true action surfaces in Stella.
• Create Profile opens a real modal with:
  • profile name
  • description
  • export format choices
  • include/exclude content switches
  • schedule options
• Run Now is not just decorative. It created a new completed export run and surfaced output details such as:
  • StellaBundle (OCI referrer)
  • completed run ID
  • output path under /exports/...
  • download action
• Audit Log View All Events works and exposes:
  • module filters
  • action filters
  • severity filters
  • date-range filters
• The trust problem remains: the event table still showed 0 events loaded after extensive product use in this session.
• Doctor Diagnostics is one of the clearest examples of a real, valuable action path:
  • Quick Check ran successfully
  • result set was not a no-op
  • output showed 7 passed / 1 warnings / 1 failed / 5 skipped / 14 total / 1.1s
• This is important because it proves at least some cross-service operator workflows are wired and useful in local mode.
• Replay & Verify still has a real action-level problem:
  • the page surfaces a visible Start Verification button
  • both locator-based and text-based attempts found the control
  • the button remained effectively unclickable because the element sat outside the usable viewport/drawer geometry
• That looks less like a missing feature and more like a layout or interaction defect in the quick-verify panel itself.
• The 403 and 404 recovery pages behave well once authenticated:
  • Go to Dashboard from /console/profile returns to Mission Control
  • Go to Dashboard from /nonexistent does the same

Integrations, releases, and promotions hold up much better once actions are pushed

• The registry onboarding flow is stronger than the earlier route-only pass suggested.
• The wizard starts directly in Connection & Credentials, even though the stepper still shows:
  • 1 Provider
  • 2 Connection
  • 3 Scope
  • 4 Schedule
  • 5 Preflight
  • 6 Review
• That step numbering is slightly confusing because the provider choice is implicit rather than visibly completed.
• After filling:
  • endpoint
  • AuthRef URI
  • project / namespace the Next button enabled and advanced successfully into Discovery Scope.
• Discovery Scope uses a good guardrail:
  • repositories / namespaces / tag patterns are explicit
  • creation is blocked until at least one scope is defined
• Release creation also works once the form is driven by actual input placeholders instead of label-based automation:
  • filling release name, version, and target environment advanced from Basic Info to Components
  • this confirms the earlier failure was mostly selector/accessibility related, not a broken route
• Promotion creation is similarly real:
  • entering a release ID
  • clicking Load Target Environments advanced the flow to Select Region and Environment Path
• That means the release and promotion shells are not just static demos; they can be driven into later steps by a fresh operator.

Topology and policy are more operational than the initial dashboard impression

• Topology Overview -> Open Regions & Environments works and lands on a usable region-first inventory page.
• The topology map has working zoom and reset controls, but not consistently:
  • + worked
  • Reset worked
  • - was not reliably clickable by visible text
• That suggests an accessibility or control-labeling issue, not a dead feature.
• Agent Fleet still has a control problem:
  • Groups and All Agents are visible
  • All Agents was not interactable in the action pass
• Policy studio top-level navigation works well:
  • Governance
  • Simulation
  • Release Gates
• Governance sub-tabs also work and expose meaningful content:
  • Validator
  • Playground
  • Audit
• The Governance page is more mature than it first appears. It exposes:
  • current risk-budget utilization (72%)
  • contributors
  • alerts
  • budget acknowledgements
• Simulation sub-tabs are also real:
  • Console
  • Lint
  • Coverage
  • Promotion Gate
• Several simulation actions do real work:
  • Run Lint returned a concrete lint result set with 1 error / 1 warning / 1 info
  • Run Tests on Coverage did not materially change visible counters, which makes the action feel more like a refresh over seeded data
  • Check Requirements on Promotion Gate returned a real blocked state with actionable reasons
• Policy Lint is especially strong. It produced specific issues and suggested fixes, including:
  • missing explicit shadow target environment
  • coverage floor below the recommended baseline
  • operator override missing evidence reference
• Policy Promotion Gate is also credible:
  • blocked because shadow mode is not active
  • coverage passed
  • lint still has a blocking issue
  • security review passed
  • override path exists, with required reason capture
• Policy Simulation Console can be made to run if the operator provides actual input:
  • select policy pack
  • select SBOM
  • set environment
• After that, Run Simulation succeeded and returned:
  • Completed 187ms
  • 4 Total Findings
  • 1 deny
  • 3 warn
  • one changed component under diff-versus-active policy
• Release Gates is less cohesive at the action layer:
  • clicking Reachability jumps out of the policy shell into Security / Reachability
  • VEX and Freshness are not directly clickable from the visible gate summary
• That cross-shell jump can be justified, but it weakens the "one operator shell" promise stated on the Policy overview.

Action realism is now easier to separate from seeded behavior

• Actions that felt genuinely live in this session:
  • Doctor Quick Check
  • Export Center Run Now
  • registry wizard progression
  • release wizard progression
  • promotion target loading
  • policy lint
  • policy promotion requirement check
  • policy simulation console run
• Actions that still feel seeded, blocked, or trust-ambiguous:
  • audit log event counts
  • replay verification CTA geometry
  • policy coverage rerun
  • parts of the dashboard and reachability data

---

Cross-Cutting UX / Product Findings

FRESH-01 - Stella hides its adoption story behind docs instead of leading with it

Severity: HIGH

What a new technical user needs to learn immediately:

• what part of the current CI/CD pipeline stays in CI
• what Stella takes over
• how to start if they deploy with Compose, hosts, or scripts

Where Stella explains this well:

• /docs

Where Stella should explain this but does not:

• /welcome
• first authenticated landing on /mission-control/board

FRESH-02 - Context is not trustworthy enough across shells

Severity: HIGH

Problems observed:

• some routes keep tenant/region query context
• some silently drop it
• some shift topbar state from concrete scope to All regions / No env defined yet
• policy indicator changes between Core Policy Pack latest and No baseline

Impact:

• makes deep links and mental model of scope unreliable
• especially damaging for evidence, ops, and admin surfaces

FRESH-03 - Broken setup/security pages appear too early in the journey

Severity: HIGH

Broken or partially broken pages a new operator is likely to visit early:

• Identity Providers
• Risk
• Unknowns
• VEX
• Console Admin Tenants

Impact:

• creates the impression of unfinished product edges before the user reaches Stella's strongest capabilities

FRESH-04 - Seed realism is a double-edged sword

Severity: HIGH

Positive:

• avoids a dead empty product
• helps pages look complete

Negative:

• makes it hard to know what Stella actually did during this session
• blurs the difference between seeded narrative and earned evidence

FRESH-05 - Several pages mutate URL after initial render

Severity: MEDIUM

Affected route families include:

• integrations
• topology
• security
• operations

Likely cause:

• late context/state injection or route normalization

Impact:

• makes the product feel less deterministic than its messaging promises

FRESH-06 - Some surfaces overuse Stella-internal wording

Severity: MEDIUM

Examples:

• Decisioning Studio
• canonical shell
• digest-first identity
• mutable VEX actions
• release-control plane

These terms are defensible after onboarding, but they arrive too early and too often for a first evaluator.

---

Prioritized Backlog From This Session

Critical / Immediate

1. Fix vexhub startup migration so local runtime reaches clean ready state.
2. Repair /security/risk so the page is not built on 404s.
3. Repair /security/unknowns or replace it with a truthful disabled/empty state.
4. Repair /setup/identity-providers so first-time admin setup does not hit a 403 dead end.
5. Fix or intentionally hide broken /console-admin/tenants, /console-admin/clients, and /console-admin/tokens loading states.

High

1. Rewrite /welcome around adoption outcomes, not Stella-brand phrasing.
2. Make the dashboard teach the next action explicitly for first-time users.
3. Normalize tenant/region/policy context behavior across Evidence, Ops, Admin, Docs, and Triage.
4. Make seeded/demo content visibly labeled or switch more surfaces to honest empty state.
5. Explain scan simulation or queue semantics directly on /security/scan while local engines are incomplete.
6. Ensure audit log reflects actual local actions or clearly explain why it does not.
7. Fix the Replay & Verify quick-verify button so the visible CTA is actually clickable.
8. Clarify whether the shell search and Ctrl+K are route navigation, knowledge search, or AI answer surfaces.
9. Make deep-link scope hydration consistent on release and promotion routes.

Medium

1. Reduce late URL mutation where possible.
2. Make /security/findings more legible for first-time use.
3. Sharpen the distinction between Security Posture, Security Reports, and Evidence Export.
4. Reduce duplicate or inconsistent topbar state such as Policy: No baseline versus Core Policy Pack latest.
5. Clean up low-fidelity details like the duplicated title on Data Integrity.
6. Make region selection semantics explicit; the control currently behaves like a multi-select toggle but reads like a single picker.
7. Fix the stage selector so choosing Prod or Stage actually applies to shell state.
8. Make the registry wizard's implicit provider step less confusing or reflect the true current step.
9. Ensure the Agent Fleet All Agents view switch is keyboard- and click-accessible.
10. Decide whether policy coverage reruns are computed live or fixture-backed and label that behavior clearly.

---

Session Verdict

Stella Ops has enough depth that the product still looks serious after a much larger investigation. The strongest areas are:

• Setup
• Integrations
• Release Management
• Evidence / Replay
• Operations Doctor
• Docs

But the first-run experience still has too many trust-breaking edges for a fresh evaluator:

• startup not clean
• critical setup/security pages broken
• context drift across shells
• scan flow not closing
• audit story not matching real activity
• ambiguity about which data is real versus seeded

This deeper pass now has action-level evidence behind it. Stella is not failing because it lacks surface area; it is failing the first-time evaluation because too many of its genuinely strong workflows are hidden behind startup defects, inconsistent scope handling, and a few key trust-breaking action gaps. When the actions do work, the strongest parts of Stella are now clear:

• registry onboarding
• release and promotion progression
• export generation
• doctor diagnostics
• policy linting and promotion-readiness checks
• policy simulation with actual result output