Below are the redesigned flagship page wireframes (ASCII) for Stella Ops as an evidence-based release control plane with hybrid reachability as a first-class gate and explanation layer.
I’m keeping the pages “small” in feel: the most important words first, then compact supporting text, with deep detail behind links/panels.
0) Shared Shell (applies to all flagship pages)
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Stella Ops [ Search: release | digest | CVE | env | target ] Tenant: ACME User ▼ │
│ Offline: OK Feed Snapshot: 2026-01-15 Policy Baseline: prod-baseline v3.1 Evidence: ON│
├───────────────┬────────────────────────────────────────────────────────────────────────────┤
│ CONTROL PLANE │ Breadcrumb: <Section> > <Page> │
│ RELEASES │ │
│ APPROVALS │ <router-outlet> │
│ SECURITY │ │
│ EVIDENCE │ │
│ OPERATIONS │ │
│ SETTINGS │ │
└───────────────┴────────────────────────────────────────────────────────────────────────────┘
Conventions:
- Primary actions are top-right.
- “Open Evidence” and “Open Proof Chain” are always one click away when decisions happen.
- Digests show short form + copy action; full value in hover/expand.
- Gate states: [PASS] [WARN] [BLOCK]
- Reachability states: Reachable / Unreachable / Uncertain + Confidence + Witness link
1) CONTROL PLANE — Overview (new /)
Goal: answer in one screen: what’s deployed where, what’s pending, what changed, what needs me.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ CONTROL PLANE │
│ Release governance with evidence. Promote by digest. Explain every decision. [Docs →] │
│ [Create Release]│
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ENVIRONMENT PIPELINE │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │ DEV │ --->│ QA │ --->│ STAGING │ --->│ PROD │ │
│ │ v1.3.0 │ │ v1.2.5 │ │ v1.2.4 │ │ v1.2.3 │ │
│ │ OK │ │ OK │ │ PENDING │ │ OK │ │
│ └───────────┘ └───────────┘ └───────────┘ └───────────┘ │
│ Deployed by digest. Click an environment to see targets, drift, and evidence. │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌───────────────────────────────────────────────┐ ┌──────────────────────────────────────┐ │
│ │ ACTION INBOX │ │ DRIFT & RISK CHANGES │ │
│ │ (what needs attention) │ │ (since last evidence) │ │
│ │ │ │ │ │
│ │ • 3 approvals pending │ │ • 2 promotions newly BLOCKED │ │
│ │ • 1 blocked promotion (reachability) │ │ • 5 CVEs updated (1 reachable) │ │
│ │ • 2 failed deployments (retry available) │ │ • 1 feed stale risk (OSV 36h old) │ │
│ │ • 1 key expiring in 14 days │ │ • 0 config drifts in prod │ │
│ │ │ │ │ │
│ │ [Go to Approvals] [Go to Deployments] │ │ [View Drift] [View Security Impact] │ │
│ └───────────────────────────────────────────────┘ └──────────────────────────────────────┘ │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ PENDING PROMOTIONS │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Release From → To Status Gates Risk Delta Actions │ │
│ │ v1.2.5 QA → Staging Waiting [PASS][WARN] +2 new CVEs [Open Approval] │ │
│ │ v1.2.6 Dev → QA Auto-approved [PASS] net safer [Deploy Now] │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
2) RELEASES — List (/releases)
Goal: inventory releases as immutable bundles, show where deployed, and enable promotion/evidence.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ RELEASES │
│ Immutable digest bundles. Promote releases across environments. [Docs →] │
│ [Create Release] [Export CSV] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: [Search release/component/digest…] [Env ▼] [Deployed ▼] [Gate ▼] [Date ▼] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ │ Release Bundle Digest Components Deployed Where Gates Evidence Action│
│ │ v1.2.6 sha256:9c1…3a 12 Dev, QA [PASS] Signed [View]│
│ │ v1.2.5 sha256:7aa…2f 12 QA [WARN] Signed [View]│
│ │ v1.2.4 sha256:0b2…c9 11 Staging [PASS] Signed [View]│
│ │ v1.2.3 sha256:1d9…11 11 Prod [PASS] Signed [View]│
│ └──────────────────────────────────────────────────────────────────────────────────────────┘
│
│ Multi-select actions: [Request Promotion] [Generate Evidence] [Replay Verify] [Compare] │
└────────────────────────────────────────────────────────────────────────────────────────────┘
3) RELEASES — Release Detail (/releases/:releaseId)
Goal: one flagship screen that ties promotion + gates + reachability + evidence + proof chain.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ RELEASE v1.2.5 │
│ Bundle: sha256:7aa…2f (copy) Created: 2026-01-15 Source: CI build #882 [Docs →] │
│ [Request Promotion] [Rollback] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ DEPLOYMENT MAP │
│ Dev: v1.3.0 (not this) QA: v1.2.5 (THIS) Staging: pending Prod: v1.2.3 │
│ [Open Environment QA] [Open Approval] [Open Deployments] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Overview] [Components] [Gates] [Promotions] [Deployments] [Evidence] [Proof Chain] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ OVERVIEW │
│ ┌───────────────────────────────────────────────┐ ┌──────────────────────────────────────┐ │
│ │ GATE SUMMARY (Policy: stg-baseline v3.1) │ │ SECURITY IMPACT │ │
│ │ SBOM signed: [PASS] │ │ New CVEs: 2 (1 reachable) │ │
│ │ Provenance present: [PASS] │ │ Fixed CVEs: 5 │ │
│ │ Reachability coverage: [WARN] 89% │ │ VEX: 2 not-affected, 1 under review │ │
│ │ Critical reachable: [BLOCK] 1 (0.82 conf) │ │ Exceptions: 0 │ │
│ │ │ │ [Open Findings for this Release] │ │
│ │ [Open Reachability Witness] [Explain] │ └──────────────────────────────────────┘ │
│ └───────────────────────────────────────────────┘ │
│
│ MOST RECENT EVIDENCE PACKET │
│ Evidence: EVD-2026-0045 Signed: YES Verified: YES Feed Snapshot: 2026-01-15 │
│ [Open Evidence Packet] [Export Bundle] [Replay Verify] │
└────────────────────────────────────────────────────────────────────────────────────────────┘
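The GATE SUMMARY panel above folds several checks into a single verdict, and the same folding is what the approval inbox shows as `GATES: SBOM[PASS] Provenance[PASS] Reachability[BLOCK]`. As an added example (not Stella Ops code), the evaluator below reproduces that panel from release facts, using the page's three gate states; the coverage thresholds, the minimum confidence for a "Reachable" call, and the field names are assumptions, chosen so that the page's own numbers (89% coverage warns, 92% passes, a 0.82-confidence reachable critical blocks) come out as shown.

```python
"""Gate evaluation for a release: fold per-check verdicts into one gate summary.

Added example, not Stella Ops code. Gate states follow the page's conventions
(PASS / WARN / BLOCK); the thresholds and field names below are assumptions.
"""
from dataclasses import dataclass, field

# Ordered so the most severe state wins when gates are folded together.
SEVERITY = {"PASS": 0, "WARN": 1, "BLOCK": 2}

# Assumed policy knobs (the wireframes show results, not the policy behind them).
COVERAGE_PASS = 0.90             # >= 90% analysed -> PASS (92% on the page passes)
COVERAGE_WARN = 0.75             # >= 75% -> WARN, below that BLOCK (89% -> WARN)
REACHABLE_MIN_CONFIDENCE = 0.70  # a "Reachable" call below this only warns


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str      # CRIT / HIGH / MED / LOW
    state: str         # Reachable / Unreachable / Uncertain
    confidence: float  # analyser's confidence in `state`


@dataclass
class ReleaseFacts:
    sbom_signed: bool
    provenance_present: bool
    reachability_coverage: float  # fraction of the release the analyser covered
    findings: list = field(default_factory=list)


def evaluate_gates(facts: ReleaseFacts) -> dict:
    """Return one state per gate, e.g. {"sbom_signed": "PASS", ...}."""
    gates = {
        "sbom_signed": "PASS" if facts.sbom_signed else "BLOCK",
        "provenance_present": "PASS" if facts.provenance_present else "BLOCK",
    }
    cov = facts.reachability_coverage
    gates["reachability_coverage"] = (
        "PASS" if cov >= COVERAGE_PASS else "WARN" if cov >= COVERAGE_WARN else "BLOCK"
    )
    # Critical findings gate: a confidently reachable critical blocks; an
    # uncertain critical (or a low-confidence "Reachable") only warns.
    reachable = [f for f in facts.findings
                 if f.severity == "CRIT" and f.state == "Reachable"
                 and f.confidence >= REACHABLE_MIN_CONFIDENCE]
    unsure = [f for f in facts.findings
              if f.severity == "CRIT"
              and (f.state == "Uncertain"
                   or (f.state == "Reachable" and f.confidence < REACHABLE_MIN_CONFIDENCE))]
    gates["critical_reachable"] = "BLOCK" if reachable else "WARN" if unsure else "PASS"
    return gates


def overall_verdict(gates: dict) -> str:
    """The release verdict is the most severe gate state."""
    return max(gates.values(), key=SEVERITY.__getitem__)


def explain(facts: ReleaseFacts, gates: dict) -> list:
    """Human-readable lines in the style of the GATE SUMMARY panel."""
    lines = [
        f"SBOM signed: [{gates['sbom_signed']}]",
        f"Provenance present: [{gates['provenance_present']}]",
        f"Reachability coverage: [{gates['reachability_coverage']}] "
        f"{facts.reachability_coverage:.0%}",
    ]
    crit = [f for f in facts.findings if f.severity == "CRIT" and f.state != "Unreachable"]
    detail = ", ".join(f"{f.cve} ({f.confidence:.2f} conf)" for f in crit) or "none"
    lines.append(f"Critical reachable: [{gates['critical_reachable']}] {len(crit)} {detail}")
    return lines


if __name__ == "__main__":
    # Constructed facts matching the v1.2.5 panel on the page.
    facts = ReleaseFacts(True, True, 0.89, [
        Finding("CVE-2026-1234", "CRIT", "Reachable", 0.82),
        Finding("CVE-2026-5678", "HIGH", "Uncertain", 0.55),
    ])
    gates = evaluate_gates(facts)
    print("\n".join(explain(facts, gates)), "\nVerdict:", overall_verdict(gates))
```

Folding with `max` over a fixed severity order means a single BLOCK anywhere dominates, which is the behaviour the approval inbox relies on: the row is blocked even though three of four gates pass.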
4) APPROVALS — Inbox (/approvals)
Goal: make approvals the decision cockpit: diff-first, evidence-first, reachability-first.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ APPROVALS │
│ Decide promotions with policy + reachability, backed by signed evidence. [Docs →] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: [Pending ▼] [Env ▼] [Team ▼] [Policy Baseline ▼] [Search…] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ │ PENDING (3) │
│ ├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │ v1.2.5 QA → Staging Requested by: deploy-bot 2h ago │
│ │ WHAT CHANGED: +3 pkgs +2 CVEs (1 reachable) -5 fixed Drift: none │
│ │ GATES: SBOM[PASS] Provenance[PASS] Reachability[BLOCK] VEX[WARN] │
│ │ Actions: [Open] [Open Evidence] [Open Witness] [Request Exception] [Approve] [Reject] │
│ ├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │ v1.2.6 Dev → QA Auto-approved gates. Waiting deploy window. │
│ │ WHAT CHANGED: net safer -2 CVEs Coverage: 92% │
│ │ Actions: [Deploy Now] [Open Evidence] │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘
└────────────────────────────────────────────────────────────────────────────────────────────┘
5) APPROVALS — Approval Detail (/approvals/:approvalId)
Goal: show everything needed to make a decision—without navigating away.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ APPROVAL: v1.2.5 QA → Staging │
│ Requested by: deploy-bot 2h ago Policy: stg-baseline v3.1 Feed Snapshot: 2026-01-15 │
│ [Open Evidence] [Docs →] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ LEFT: DIFF & GATES RIGHT: DECISION & COMMENTS │
│ ┌───────────────────────────────────────────────────────┐ ┌─────────────────────────────┐ │
│ │ WHAT CHANGED (Diff-first) │ │ DECISION │ │
│ │ Components changed: 3 │ │ [Approve] [Reject] │ │
│ │ New CVEs: 2 (1 reachable) │ │ Require comment: [____] │ │
│ │ Fixed CVEs: 5 │ │ Optional: [Request Exception]│ │
│ │ Config drift: none │ └─────────────────────────────┘ │
│ ├───────────────────────────────────────────────────────┤ │
│ │ GATES (expandable) │ ┌─────────────────────────────┐ │
│ │ SBOM signed: [PASS] │ │ COMMENTS / AUDIT NOTES │ │
│ │ Provenance attested: [PASS] │ │ - user1: needs exception? │ │
│ │ Reachability: [BLOCK] │ │ - sec: confirm witness path │ │
│ │ VEX consensus: [WARN] │ │ [Add comment] │ │
│ │ │ └─────────────────────────────┘ │
│ │ [Explain Gate Results] [Open Proof Chain] │ │
│ └───────────────────────────────────────────────────────┘ │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ REACHABILITY WITNESS (the moat) │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Finding: CVE-2026-1234 in log4j │
│ │ State: Reachable Confidence: 0.82 Reason: static path + runtime signal present │
│ │ Witness Path: main() → processRequest() → Logger.log() → vulnerable() │
│ │ Guards: none detected Dynamic loading: no │
│ │ Actions: [Open Full Witness] [Export DOT] [Replay Verify] │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
6) ENVIRONMENTS — List (/environments)
Goal: show environments as release destinations (not just config objects).
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ ENVIRONMENTS │
│ What is deployed where, with policy and evidence. [Docs →] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ │ Environment Current Release Freeze Targets Policy Baseline Last Deploy Action│
│ │ Dev v1.3.0 Off 12 dev-baseline v2.0 10m ago [Open]│
│ │ QA v1.2.5 Off 8 qa-baseline v2.5 2h ago [Open]│
│ │ Staging v1.2.4 On 6 stg-baseline v3.1 6h ago [Open]│
│ │ Prod v1.2.3 Off 20 prod-baseline v3.1 1d ago [Open]│
│ └──────────────────────────────────────────────────────────────────────────────────────────┘
└────────────────────────────────────────────────────────────────────────────────────────────┘
7) ENVIRONMENTS — Environment Detail (/environments/:envId)
Goal: environment as a “release ledger”: targets, drift, promotions, evidence.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ ENVIRONMENT: Staging │
│ Current: v1.2.4 Policy: stg-baseline v3.1 Freeze: ON (window 18:00–20:00 UTC) [Docs →]│
│ [Request Promotion] [Open Evidence] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Overview] [Targets] [Promotions] [Deployments] [Drift] [Evidence] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ OVERVIEW │
│ ┌───────────────────────────────────────────────┐ ┌──────────────────────────────────────┐ │
│ │ RELEASE HISTORY (ledger) │ │ CURRENT RISK SNAPSHOT │ │
│ │ v1.2.2 → v1.2.3 → v1.2.4 (current) │ │ Gate summary: [PASS][WARN] │ │
│ │ Last promotion: QA → Staging 6h ago │ │ Reachability coverage: 89% │ │
│ │ Evidence: EVD-2026-0044 (verified) │ │ Drift since evidence: none │ │
│ │ [Open Proof Chain] │ │ [Open Findings Impacting Staging] │ │
│ └───────────────────────────────────────────────┘ └──────────────────────────────────────┘ │
│
│ TARGETS (quick view) │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Target Type Status Deployed Digest Last Seen Action │ │
│ │ stg-host-01 Docker OK sha256:abc… 1m ago [Details] │ │
│ │ stg-compose-02 Compose OK sha256:abc… 1m ago [Details] │ │
│ │ stg-ecs-service ECS OK sha256:abc… 2m ago [Details] │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
8) DEPLOYMENTS — List (/deployments)
Goal: operational truth: deployments as executions with artifacts + evidence.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ DEPLOYMENTS │
│ Execution history by environment and release, with evidence for every run. [Docs →] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: [Env ▼] [Release ▼] [Status ▼] [Target Type ▼] [Date ▼] [Search…] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ │ Deployment Env Release Started Duration Status Evidence Action │
│ │ DEP-2026-045 Prod v1.2.3 2h ago 3m12s OK Verified [Open] │
│ │ DEP-2026-044 Staging v1.2.4 6h ago 2m55s OK Verified [Open] │
│ │ DEP-2026-043 QA v1.2.5 10h ago 5m01s FAILED Partial [Open] │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘
└────────────────────────────────────────────────────────────────────────────────────────────┘
9) DEPLOYMENTS — Run Detail (/deployments/:deployId)
Goal: show workflow DAG, logs, generated artifacts (immutable), and evidence.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ DEPLOYMENT: DEP-2026-045 │
│ Env: Prod Release: v1.2.3 Plan Hash: ph_91a… Agent: prod-agent-02 [Docs→]│
│ [Open Evidence] [Rollback] [Replay Verify]│
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Workflow] [Targets] [Artifacts] [Logs] [Evidence] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ WORKFLOW (DAG) │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Fetch Digests → Generate compose.stella.lock.yml → Deploy → Verify → Seal Evidence │
│ │ OK OK OK OK OK │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
│
│ ARTIFACTS (immutable outputs) │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ compose.stella.lock.yml sha256:11a… [View] [Download] │
│ │ deploy.stella.script.dll sha256:22b… [View] [Download] │
│ │ release.evidence.json sha256:33c… [View] [Download] │
│ │ stella.version.json sha256:44d… [View] [Download] │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
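The workflow DAG above runs "Fetch Digests → Generate compose.stella.lock.yml → Deploy → Verify", and the environment pages report "Deployed Digest" per target and "Drift since evidence". As an added example (not Stella Ops code, and not the real lock-file format, which the page does not show), this sketch does the digest half of that pipeline: resolve tags to digests against a constructed registry map, refuse anything that cannot be pinned, render a lock file, and compare what targets actually run against what the release pins. Service names, the registry map and the observed-target records are constructed.

```python
"""Promote by digest: resolve tags to digests, emit a lock file, and detect
drift between what a release pins and what targets actually run.

Added example, not Stella Ops code. The lock-file layout, the resolver map and
the observed-target records are constructed stand-ins.
"""
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed stand-in for the "Fetch Digests" step against a registry.
REGISTRY = {
    "registry.example/api:v1.2.3": "sha256:" + "11" * 32,
    "registry.example/worker:v1.2.3": "sha256:" + "22" * 32,
}


def _repo(ref: str) -> str:
    """Strip a tag from an image reference without mangling a registry port."""
    repo, sep, tag = ref.rpartition(":")
    return ref if sep == "" or "/" in tag else repo


def resolve_digests(services: dict, registry: dict = REGISTRY) -> dict:
    """Map service -> repo@digest. Raises rather than deploying an unpinned tag."""
    pinned = {}
    for name, image in services.items():
        ref, _, explicit = image.partition("@")
        if explicit:                      # caller already pinned by digest
            digest = explicit
        elif image in registry:
            digest = registry[image]
        else:
            raise LookupError(f"cannot resolve {image} to a digest")
        if not DIGEST_RE.match(digest):
            raise ValueError(f"bad digest for {name}: {digest}")
        pinned[name] = f"{_repo(ref)}@{digest}"
    return pinned


def render_lock(release: str, bundle_digest: str, pinned: dict) -> str:
    """Render the lock as simple YAML text (layout is an assumption)."""
    lines = [f"release: {release}", f"bundle: {bundle_digest}", "services:"]
    for name in sorted(pinned):
        lines += [f"  {name}:", f"    image: {pinned[name]}"]
    return "\n".join(lines) + "\n"


def detect_drift(pinned: dict, observed: list) -> list:
    """Compare each target's running digest with the lock; return drift records."""
    drift = []
    for t in observed:
        want = pinned.get(t["service"])
        if want is None:
            drift.append({"target": t["target"], "service": t["service"],
                          "kind": "unpinned-service"})
            continue
        want_digest = want.split("@", 1)[1]
        if t["running_digest"] != want_digest:
            drift.append({"target": t["target"], "service": t["service"],
                          "kind": "digest-mismatch",
                          "expected": want_digest, "actual": t["running_digest"]})
    return drift


# Constructed inputs: the release's services and what the Staging targets report.
SAMPLE_SERVICES = {"api": "registry.example/api:v1.2.3",
                   "worker": "registry.example/worker:v1.2.3"}
SAMPLE_OBSERVED = [
    {"target": "stg-host-01", "service": "api", "running_digest": "sha256:" + "11" * 32},
    {"target": "stg-compose-02", "service": "worker", "running_digest": "sha256:" + "22" * 32},
]

if __name__ == "__main__":
    pinned = resolve_digests(SAMPLE_SERVICES)
    print(render_lock("v1.2.3", "sha256:" + "1d9" * 21 + "1", pinned))
    print("drift:", detect_drift(pinned, SAMPLE_OBSERVED))
```

The point of failing closed in `resolve_digests` is that a tag left unresolved at generation time would otherwise be re-resolved at deploy time, and the evidence packet sealed afterwards would describe a different artifact than the one that ran.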
10) EVIDENCE — Evidence Center (/evidence)
Goal: one unified hub for evidence packets (release/promotion/deploy/audit), verification, export, replay.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE │
│ Search, verify, export signed evidence packets and proof chains. [Docs →]│
│ [Create Audit Bundle] [Export] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: [Type ▼] [Release ▼] [Env ▼] [Signed ▼] [Verified ▼] [Date ▼] [Search…] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ │ Evidence ID Type Subject Signed Verified Snapshot Action │
│ │ EVD-2026-0045 Promotion v1.2.5 QA→Staging Yes Yes 2026-01-15 [Open] │
│ │ EVD-2026-0044 Deployment DEP-2026-044 Yes Yes 2026-01-15 [Open] │
│ │ EVD-2026-0043 Release v1.2.3 Yes Yes 2026-01-14 [Open] │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘
└────────────────────────────────────────────────────────────────────────────────────────────┘
11) EVIDENCE — Evidence Packet Viewer (/evidence/:evidenceId)
Goal: evidence as a structured “who/what/why/how/when” record + bundle contents + verify.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE PACKET: EVD-2026-0045 │
│ Type: Promotion Subject: v1.2.5 QA→Staging Signed: YES Verified: YES [Docs →]│
│ [Download Bundle] [Open Proof Chain] [Replay Verify]│
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ SUMMARY (audit-friendly) │
│ Who: user1@acme What: release bundle sha256:7aa…2f When: 2026-01-15 10:23 UTC │
│ Why: Gate verdict BLOCK (reachability) + VEX WARN │
│ How: workflow ph_91a… agent prod-agent-02 │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ CONTENTS │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ SBOM (CycloneDX 1.7) sha256:aa1… [View] [Download] │ │
│ │ Policy verdict (K4 lattice) sha256:bb2… [View] [Explain] │ │
│ │ Reachability witness slice sha256:cc3… [Open Witness] [Export DOT] │ │
│ │ VEX statements (OpenVEX) sha256:dd4… [View] │ │
│ │ Attestations (DSSE) sha256:ee5… [View] │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
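The packet viewer above lists a digest for each bundled item (SBOM, policy verdict, witness slice, VEX, DSSE attestations) plus Signed / Verified flags and a "Replay Verify" action. As an added example (not Stella Ops code), the following shows one way such a packet can be built, wrapped in a DSSE-style envelope, and replay-verified against a downloaded bundle. Assumptions: the packet field names, the payload type URI, and HMAC-SHA256 standing in for the signing key (real DSSE envelopes carry asymmetric signatures; the pre-authentication encoding and envelope layout used here are the ones from the DSSE spec). The bundle contents are constructed stand-ins.

```python
"""Evidence packet: content digests wrapped in a DSSE-style signed envelope,
plus the "Replay Verify" check an auditor runs against the downloaded bundle.

Added example, not Stella Ops code. Assumptions: packet field names, the
payload type URI, and HMAC-SHA256 standing in for the real signing key.
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.example.evidence+json"  # assumed


def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def canonical_json(obj) -> bytes:
    # Sorted keys, no whitespace: the same packet always serialises identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: binds the type to the payload."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def build_packet(evidence_id: str, subject: str, snapshot: str, verdict: str,
                 contents: dict) -> dict:
    """The packet records a digest for every bundled item, never the item itself."""
    return {"evidence_id": evidence_id, "type": "Promotion", "subject": subject,
            "feed_snapshot": snapshot, "verdict": verdict,
            "contents": {name: sha256_hex(blob) for name, blob in contents.items()}}


def sign_envelope(packet: dict, key: bytes, keyid: str = "demo-key") -> dict:
    payload = canonical_json(packet)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify_envelope(envelope: dict, key: bytes):
    """Return the packet if any signature verifies, else None."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for s in envelope["signatures"]:
        if hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return json.loads(payload)
    return None


def replay_verify(envelope: dict, key: bytes, bundle: dict) -> dict:
    """Re-check the signature, then every content digest against the bundle."""
    packet = verify_envelope(envelope, key)
    if packet is None:
        return {"signature": False, "contents": {}, "ok": False}
    results = {name: (name in bundle and sha256_hex(bundle[name]) == digest)
               for name, digest in packet["contents"].items()}
    return {"signature": True, "contents": results, "ok": all(results.values())}


# Constructed sample bundle (stand-ins for the real SBOM, verdict, witness, ...).
SAMPLE_BUNDLE = {
    "sbom.cdx.json": b'{"bomFormat":"CycloneDX","specVersion":"1.7","components":[]}',
    "policy-verdict.json": b'{"verdict":"BLOCK","reason":"reachability"}',
    "witness-slice.json": b'{"path":["main()","processRequest()","Logger.log()","vulnerable()"]}',
    "vex.openvex.json": b'{"statements":[]}',
    "attestations.dsse.json": b'{"envelopes":[]}',
}
SAMPLE_KEY = b"constructed-demo-key"


def demo() -> dict:
    packet = build_packet("EVD-2026-0045", "v1.2.5 QA->Staging", "2026-01-15",
                          "BLOCK (reachability) + VEX WARN", SAMPLE_BUNDLE)
    envelope = sign_envelope(packet, SAMPLE_KEY)
    return replay_verify(envelope, SAMPLE_KEY, SAMPLE_BUNDLE)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two properties matter for the viewer's Signed / Verified split: the signature covers the packet (so the list of digests cannot be edited), and replay recomputes each digest from the bundle (so a swapped SBOM is caught even though the envelope still verifies). Binding the payload type into the PAE prevents an envelope signed for one document type being replayed as another.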
12) SECURITY — Findings (release-aware) (/security/findings)
Goal: security becomes decision support: every finding shows impact on releases/environments.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY FINDINGS │
│ Findings with reachability and release impact. Triage feeds the release gates. [Docs →]│
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: [Search CVE/pkg/release…] [Severity ▼] [Reachability ▼] [Env Impact ▼] [Date ▼] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ │ Sev Finding Component Reachability (conf) Impacts Gate Impact │
│ │ CRIT CVE-2026-1234 log4j@2.14.1 Reachable (0.82) v1.2.5 Staging BLOCK │
│ │ HIGH CVE-2026-5678 spring@5.2.1 Uncertain (0.55) v1.2.6 QA WARN │
│ │ MED CVE-2026-9012 commons-io@2.4 Unreachable (0.90) v1.2.3 Prod PASS │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘
│
│ Selecting a row opens a detail drawer: Witness, VEX status, Exceptions, Evidence links. │
└────────────────────────────────────────────────────────────────────────────────────────────┘
13) SECURITY — Vulnerability Detail (impact-first) (/security/vulnerabilities/:cveId)
Goal: unify CVE intelligence with where it matters (deployed + gated) + VEX + reachability witness.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ VULNERABILITY: CVE-2026-1234 │
│ Severity: Critical CVSS: 9.8 EPSS: 0.72 Exploited: Yes (KEV) [Docs →]│
│ [Open Findings] [Open Evidence] [Open Witness] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ IMPACT (where it matters) │
│ ┌──────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Deployed Environments: Staging (via v1.2.5), Prod (via v1.2.3) │ │
│ │ Gate Impact: Blocks QA→Staging promotions for v1.2.5 │ │
│ │ Fix path: Upgrade log4j to 2.17.x (available) │ │
│ └──────────────────────────────────────────────────────────────────────────────────────────┘ │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ REACHABILITY SUMMARY │
│ State: Reachable Confidence: 0.82 Witness: main()→processRequest()→Logger.log()→vuln() │
│ Guards: none detected Dynamic loading: no │
└────────────────────────────────────────────────────────────────────────────────────────────┘
14) Reachability Witness Viewer (full page when needed) (/witness/:id)
Goal: this is your “best-in-class” differentiator page—clear, exportable, replayable.
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ REACHABILITY WITNESS │
│ Subject: CVE-2026-1234 Component: log4j@2.14.1 Release: v1.2.5 Env: Staging [Docs →]│
│ State: Reachable Confidence: 0.82 Snapshot: 2026-01-15 Deterministic: YES │
│ [Export DOT] [Export Mermaid] [Replay Verify] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ PATH (human-readable) │
│ main() → processRequest() → Logger.log() → vulnerable_function() │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ EXPLANATION (why confidence is 0.82) │
│ • Static path found: yes │
│ • Runtime signal present: yes │
│ • Guards detected: none │
│ • Dynamic loading: no │
│ • Reflection: no │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ GRAPH (collapsed by default; expand on demand) │
│ [ Expand Graph Viewer ] │
└────────────────────────────────────────────────────────────────────────────────────────────┘
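The witness viewer above reports a state, a confidence, the signals behind the EXPLANATION bullets, a "Deterministic: YES" flag, and DOT / Mermaid export. As an added example (not Stella Ops code), the record below carries those fields, renders the bullets and both graph exports from the recorded path, and implements the deterministic check that "Replay Verify" needs: a canonical digest of the witness that a re-analysis must reproduce. The page shows the state and confidence but not how the analyser derives them, so both are taken as inputs; field names and the digest scheme are assumptions, and the sample witness is constructed to match the one on the page.

```python
"""Reachability witness: the record behind the Witness Viewer, with the
explanation bullets, DOT/Mermaid export, and a deterministic digest that lets
"Replay Verify" confirm a re-analysis produced the same witness.

Added example, not Stella Ops code. Field names and the digest scheme are
assumptions; state and confidence are inputs, not computed here.
"""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Witness:
    subject: str            # e.g. CVE id
    component: str
    release: str
    env: str
    state: str              # Reachable / Unreachable / Uncertain
    confidence: float       # analyser's confidence in `state`
    snapshot: str
    path: tuple             # call path, entry point first, vulnerable function last
    static_path: bool
    runtime_signal: bool
    guards: tuple = ()      # names of guards found on the path, if any
    dynamic_loading: bool = False
    reflection: bool = False


def explanation(w: Witness) -> list:
    """The EXPLANATION bullets from the viewer, derived from the recorded signals."""
    yes_no = lambda b: "yes" if b else "no"
    return [f"Static path found: {yes_no(w.static_path)}",
            f"Runtime signal present: {yes_no(w.runtime_signal)}",
            f"Guards detected: {', '.join(w.guards) if w.guards else 'none'}",
            f"Dynamic loading: {yes_no(w.dynamic_loading)}",
            f"Reflection: {yes_no(w.reflection)}"]


def to_dot(w: Witness) -> str:
    """Graphviz export: one edge per hop, the sink highlighted with the CVE id."""
    lines = ["digraph witness {", "  rankdir=LR;"]
    for a, b in zip(w.path, w.path[1:]):
        lines.append(f'  "{a}" -> "{b}";')
    lines.append(f'  "{w.path[-1]}" [shape=box, color=red, label="{w.path[-1]}\\n{w.subject}"];')
    lines.append("}")
    return "\n".join(lines)


def to_mermaid(w: Witness) -> str:
    """Mermaid export with stable node ids so the diagram is diffable."""
    ids = {node: f"n{i}" for i, node in enumerate(w.path)}
    edges = [f'  {ids[a]}["{a}"] --> {ids[b]}["{b}"]' for a, b in zip(w.path, w.path[1:])]
    return "\n".join(["graph LR"] + edges)


def witness_digest(w: Witness) -> str:
    """Canonical serialisation, so two runs over the same inputs hash identically."""
    canonical = json.dumps(asdict(w), sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


def replay_verify(recorded: Witness, replayed: Witness) -> dict:
    """Replay passes only if the re-analysis reproduces the witness exactly."""
    rec, rep = asdict(recorded), asdict(replayed)
    return {"deterministic": witness_digest(recorded) == witness_digest(replayed),
            "differing_fields": [k for k, v in rec.items() if rep[k] != v]}


# Constructed sample, matching the witness shown on the page.
SAMPLE = Witness(subject="CVE-2026-1234", component="log4j@2.14.1", release="v1.2.5",
                 env="Staging", state="Reachable", confidence=0.82, snapshot="2026-01-15",
                 path=("main()", "processRequest()", "Logger.log()", "vulnerable_function()"),
                 static_path=True, runtime_signal=True)

if __name__ == "__main__":
    print("\n".join("• " + line for line in explanation(SAMPLE)))
    print(to_dot(SAMPLE))
    print(witness_digest(SAMPLE))
```

Hashing the full record rather than just the path means a replay that finds the same path but a different guard or a changed confidence is reported as non-deterministic, with the differing fields named, which is what a reviewer confirming a witness on the approval page wants to see.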