stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
12d7eda923aee51eae6d07a0ea5ab88030e021a1
git.stella-ops.org/docs/modules/ui/v2-rewire/pack-22.md
master 1ec797d5e8 ui progressing
2026-02-20 23:32:20 +02:00

6.7 KiB
Raw Blame History

Pack 22 - Release-First IA Consolidation Advisory

Status: Active authority (partially superseded by Pack 23 for Platform IA) Date: 2026-02-20 Precedence: Overrides pack-21.md and lower packs for overlapping IA, naming, and ownership decisions. Pack 23 supersedes Pack 22 for Platform menu placement and Ops/Integrations/Setup ownership boundaries.

1) Intent

  • Reframe IA around Stella Ops core loop:
    • Release -> Gate (security + ops) -> Promote/Deploy -> Evidence -> Audit/Replay.
  • Remove duplicated menus that represent the same lifecycle object from different angles.
  • Keep backend semantics strict:
    • release identity is immutable and digest-first,
    • workflow/run/deployment/promotion are execution artifacts of a release.

2) Canonical mental model

  • Release (formerly Bundle): immutable unit of change, identified by digest and metadata.
  • Workflow/Pipeline: policy and orchestration template.
  • Run: workflow execution instance for a release and context.
  • Promotion: environment transition.
  • Deployment: apply release to targets/runtimes.
  • Hotfix: release type with expedited gate defaults (not a separate product root).

3) Canonical global navigation

Top-level modules:

  1. Dashboard
  2. Releases
  3. Security
  4. Evidence
  5. Topology
  6. Operations
  7. Integrations
  8. Administration

Persistent top bar context:

  • Search
  • Region multi-select
  • Environment multi-select (scoped by selected regions)
  • Time window selector
  • Status indicators (offline/feed/policy/evidence)

4) Consolidation rules

  • Bundle term is deprecated in UI:
    • use Release.
  • Create Bundle becomes:
    • Create Release.
  • Current Release action label becomes:
    • Deploy Release.
  • The following become views inside Releases and are not standalone modules:
    • Runs,
    • Deployments,
    • Promotions,
    • Hotfixes.
  • Regions & Environments is not daily navigation:
    • global context lives in top bar,
    • inventory/setup lives under Topology.
  • Security surface is consolidated:
    • Overview,
    • Triage,
    • Advisories & VEX,
    • Supply-Chain Data.
  • Disposition is a UX concept embedded in triage/detail:
    • Effective VEX,
    • Waivers/Exceptions,
    • Policy Gate Trace.
  • VEX/advisory feed configuration belongs to Integrations, not Security.

5) Canonical module surfaces

Dashboard

  • Mission control posture:
    • deploying now,
    • blocked promotions,
    • hotfix lane,
    • risk posture,
    • evidence posture.
  • Quick actions:
    • Create Release,
    • Create Hotfix,
    • Approvals Queue,
    • Export Evidence,
    • Replay decision capsule.

Releases

  • Releases List (standard + hotfix in one list).
  • Release Detail tabs:
    • Overview,
    • Timeline,
    • Deploy,
    • Security,
    • Evidence,
    • Audit.
  • Approvals Queue (cross-release).
  • Activity (cross-release runs timeline).

Security

  • Overview:
    • blocker-first posture,
    • freshness/confidence,
    • expiring waivers and conflicts.
  • Triage:
    • single dataset with pivots and facets,
    • sticky evidence rail (Why, SBOM, Reachability, Effective VEX, Waiver, Policy Trace, Export).
  • Advisories & VEX:
    • provider health,
    • VEX library,
    • conflicts and resolution,
    • issuer trust.
  • Supply-Chain Data:
    • SBOM Viewer,
    • SBOM Graph,
    • SBOM Lake,
    • Reachability coverage,
    • Coverage/Unknowns.
  • Reports:
    • optional route family,
    • evidence export handoff remains owned by Evidence.

Evidence

  • Audit Log.
  • Evidence Packs:
    • Export Center,
    • Proof Chains,
    • Replay and Verify.
  • Trust and Signing:
    • user-facing trust posture can be reached here,
    • admin owner mutations remain governed by Administration scopes.

Topology

  • Regions.
  • Environments.
  • Targets and Hosts.
  • Agents.
  • Promotion Paths.
  • Workflows.
  • Gate Profiles.

Implementation update (2026-02-20):

  • Dedicated operator pages now back canonical Topology routes:
    • /topology/overview,
    • /topology/regions + /topology/environments (region-first + flat/graph views),
    • /topology/environments/:environmentId/posture (topology-first tabs),
    • /topology/targets,
    • /topology/hosts,
    • /topology/agents,
    • /topology/promotion-paths.
  • Generic inventory fallback remains only for non-primary Topology routes (/topology/workflows, /topology/gate-profiles).
  • Region/environment global multi-select filters propagate as comma-joined query scope on Topology reads.

Operations

  • Platform Health.
  • Orchestrator and Jobs.
  • Scheduler.
  • Data Integrity.
  • Offline Kit.
  • Quotas and Limits.

Integrations

  • Registries.
  • SCM.
  • CI/CD.
  • Hosts/Targets connectors.
  • Secrets.
  • Advisory feeds.
  • VEX sources/feeds.
  • Integration Health.
  • Integration Activity.

Administration

  • Identity and Access.
  • Tenants and Branding.
  • Notifications.
  • Usage and Limits.
  • Policy Governance.
  • System.

6) Old-to-new mapping (route/module intent)

Legacy intent New canonical placement
Release Control root Split into Releases + Topology
Bundles Releases (rename Bundle -> Release)
Promotions Releases -> Release Detail -> Timeline and Releases -> Activity
Deployments Releases -> Release Detail -> Deploy and Releases -> Activity
Run Timeline Releases -> Activity and Release Detail -> Timeline
Hotfixes Releases filter/type + Dashboard hotfix lane
Regions & Environments menu Top bar context + Topology inventory
Security & Risk -> VEX and Exceptions Security -> Triage disposition rail + Security -> Advisories & VEX
Security -> SBOM Graph and SBOM Lake Security -> Supply-Chain Data tabs
Security -> Advisory Sources config Integrations feeds and source setup
Platform Ops -> Agents Topology -> Agents

7) Backend dependency directives

  • Add/extend v2 contract namespaces for canonical modules:
    • /api/v2/context/*,
    • /api/v2/releases/*,
    • /api/v2/topology/*,
    • /api/v2/security/*,
    • /api/v2/evidence/*,
    • /api/v2/integrations/*,
    • /api/v2/operations/*.
  • Keep legacy aliases during migration window (/api/v1/* and domain legacy paths) with explicit deprecation telemetry.
  • Required DB migration families (Platform release DB sequence continues after 046_TrustSigningAdministration.sql):
    • 047_GlobalContextAndFilters.sql,
    • 048_ReleaseReadModels.sql,
    • 049_TopologyInventory.sql,
    • 050_SecurityDispositionProjection.sql,
    • 051_IntegrationSourceHealth.sql.

8) Planning acceptance gates

  • Canonical docs (source-of-truth.md, authority-matrix.md, contract ledger) updated before sprint execution.
  • Every new screen/route has endpoint classification:
    • EXISTS_COMPAT,
    • EXISTS_ADAPT,
    • MISSING_NEW.
  • Backend migrations are listed in sprint completion criteria before FE route cutover tasks can be marked done.