Pack 10 — Integrations + Security Data Ops (Feeds & AirGap)
Below is the Mermaid IA for the menus + per-screen navigation graphs, and then ASCII mocks for each screen. For every screen: Formerly (old location/name) + why this is moved/reshaped.
10.1 Menu graph (Mermaid) — Integrations + Feeds/AirGap Ops
```mermaid
flowchart TD
  %% ROOT (only the parts this pack touches)
  ROOT[Stella Ops Console] --> INT[Integrations]
  ROOT --> OPS[Platform Ops]
  %% INTEGRATIONS
  INT --> INT_HUB["Integrations Hub<br/>(overview + connectors)"]
  INT_HUB --> INT_DETAIL[Integration Detail]
  INT_HUB --> INT_ADD[Add Integration Wizard]
  INT_HUB --> INT_FILTERS["Category Filters<br/>SCM / CI-CD / Registries / Secrets & Config / Notifications / Security Data"]
  %% FEEDS & AIRGAP (Platform Ops)
  OPS --> FEED_OPS["Feeds & AirGap Ops<br/>(Security Data Ops)"]
  FEED_OPS --> FEED_SOURCES["Sources & Freshness"]
  FEED_OPS --> FEED_MIRRORS[Feed Mirrors]
  FEED_OPS --> FEED_AIRGAP[AirGap Bundles]
  FEED_OPS --> FEED_LOCKS[Version Locks]
  %% Cross-links (second-class entry points)
  INT_HUB -. "Degraded/Disconnected impact" .-> FEED_SOURCES
  FEED_SOURCES -. "Open connector config" .-> INT_DETAIL
  FEED_OPS -. "Shows up on Dashboard: Nightly Ops Signals" .-> ROOT
```
Key placement decisions (keeps the reorg “release-first”):
- Integrations = “connectors & configuration surface” (what talks to what).
- Feeds & AirGap Ops = “operator workflows & determinism controls” (mirrors, airgap bundles, version locks). This aligns with your ask that freshness + sync failures are visible, and that determinism controls exist without being “third class.”
10.2 Screen — Integrations Hub
Formerly
- Settings → Integrations (/settings/integrations)
- Also implicitly included “Feeds” (OSV/NVD cards) here.
Why change
- This is a first-response triage page: if approvals are blocked, SBOM scans are stale, or evidence generation fails, the operator needs a single place to see which dependency is degraded and what it impacts.
- Adds a required concept: “Impact on Release Control” (what gates become unreliable if an integration is down).
Screen graph (Mermaid)
```mermaid
flowchart LR
  A[Integrations Hub] -->|click card| B[Integration Detail]
  A -->|Add Integration| C[Add Integration Wizard]
  A -->|"filter: SCM/CI/CD/Registries/Secrets/Feeds"| A
  A -->|feeds degraded?| D["Feeds & AirGap Ops: Sources"]
  B -->|view logs| B
  B -->|test connection| B
  B -->|back| A
```
ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Integrations Hub (Formerly: Settings ▸ Integrations)                                       │
│ Org: Acme   Region: All   Env Scope: All   Window: 30d                                     │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Summary: Connected: 6   Degraded: 1   Disconnected: 1   Last full health check: 02:10      │
│                                                                                            │
│ Filters: [All] [SCM] [CI/CD] [Registries] [Secrets & Config] [Notifications] [Security Data]│
│ Actions: [+ Add Integration] [Run Health Check]                                            │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Needs Attention (Impact on Release Control)                                                │
│ • NVD Feed: DISCONNECTED → CVE freshness unknown → Policy gates may be unreliable          │
│ • Jenkins: DEGRADED → Build attestations delayed → Release bundle evidence may lag         │
│ • Vault: OK (but token expires in 3d) → Env var resolution risk upcoming                   │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrations (table view)                                                                  │
│ ┌──────────────────────┬──────────────┬──────────────┬─────────────┬──────────────────────┐ │
│ │ Name                 │ Type         │ Status       │ Last Sync   │ Used By              │ │
│ ├──────────────────────┼──────────────┼──────────────┼─────────────┼──────────────────────┤ │
│ │ GitHub Enterprise    │ SCM          │ CONNECTED    │ 5m ago      │ Bundles, Changelog   │ │
│ │ GitLab SaaS          │ SCM          │ CONNECTED    │ 2m ago      │ Bundles, Changelog   │ │
│ │ Jenkins              │ CI/CD        │ DEGRADED     │ 1h ago      │ Attestations, Builds │ │
│ │ Harbor Registry      │ Registry     │ CONNECTED    │ 30m ago     │ SBOM ingest, Images  │ │
│ │ HashiCorp Vault      │ Secrets      │ CONNECTED    │ 10m ago     │ Env vars, Bundles    │ │
│ │ Slack                │ Notification │ CONNECTED    │ -           │ Approvals alerts     │ │
│ │ OSV Feed             │ SecurityData │ CONNECTED    │ 1h ago      │ Vulnerability scans  │ │
│ │ NVD Feed             │ SecurityData │ DISCONNECTED │ -           │ Vulnerability scans  │ │
│ └──────────────────────┴──────────────┴──────────────┴─────────────┴──────────────────────┘ │
│ Hint: click any row/card → Integration Detail                                              │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
10.3 Screen — Integration Detail
Formerly
- No dedicated “detail” surface in the screenshots (integrations were mostly cards). This is effectively new, but replaces the need to “hunt” across settings + ops pages.
Why change
- You need traceability from an outage → which releases / gates / bundles / envs are impacted.
- Enables the missing operational requirement you called out: nightly job failures due to integration issues are explainable from the integration itself.
Screen graph (Mermaid)
```mermaid
flowchart TD
  A[Integration Detail] --> B["Config & Credentials"]
  A --> C["Health & Logs"]
  A --> D[Mappings]
  A --> E[Permissions/Scopes]
  A --> F[Downstream Impact]
  C -->|retry connection| C
  C -->|open affected jobs| G["Nightly Ops Report (Platform Ops)"]
  A -->|back| H[Integrations Hub]
```
ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Integration Detail: NVD Feed (Formerly: shown as card in Settings ▸ Integrations)          │
│ Type: Security Data Source   Status: DISCONNECTED   Owner: security-team                   │
│ Region: US-East (toggle)  EU-West (toggle)  APAC (toggle)                                  │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Overview] [Config] [Health & Logs] [Mappings] [Permissions]                         │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Overview                                                                                   │
│ Last successful sync: —                                                                    │
│ Freshness SLA: 6h   Current freshness: UNKNOWN → Gating risk: HIGH                         │
│ Used by: Vulnerability scan ingestion, Release gates, Nightly rescans                      │
│                                                                                            │
│ Downstream impact                                                                          │
│ • Approvals & Gates: “CVE freshness” gate → currently degraded                             │
│ • Nightly SBOM rescan: will flag “data source unavailable”                                 │
│ • Audit bundles: will include “feed freshness unknown” note                                │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Health & Logs (latest)                                                                     │
│ 02:11 ERROR connect timeout to nvd.example.gov                                             │
│ 02:11 WARN  falling back to OSV only (coverage reduced)                                    │
│ Action: [Retry Connection] [Test DNS] [View Related Nightly Jobs]                          │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
10.4 Screen — Add Integration Wizard
Formerly
- “+ Add Integration” existed on Settings → Integrations, but without a standardized “impact/mapping” workflow shown.
Why change
- This wizard becomes the enforcement point for:
  - Region scoping (your missing “environments per region” theme).
  - Mapping to downstream use (Release Bundle Organizer, approvals, SBOM ingest, etc.).
  - Secrets hygiene (Vault/Consul integration must be wired correctly).
Screen graph (Mermaid)
```mermaid
flowchart LR
  S[Add Integration Wizard] --> A[1. Choose Type]
  A --> B[2. Configure Connection]
  B --> C["3. Scope & Mapping<br/>(Region/Env/Repos/Targets)"]
  C --> D[4. Test Connection]
  D --> E["5. Save & Initial Sync"]
  E --> F[Integration Detail]
```
ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Add Integration Wizard (Formerly: + Add Integration on Settings ▸ Integrations)            │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Step 1/5 — Choose type                                                                     │
│ [SCM] GitHub / GitLab                                                                      │
│ [CI/CD] Jenkins / Actions                                                                  │
│ [Registry] Harbor / ECR / GCR                                                              │
│ [Secrets] Vault                                                                            │
│ [Config] Consul (recommended for bundle vars)                                              │
│ [Notifications] Slack / Email / Webhook                                                    │
│ [Security Data] OSV / NVD / CISA                                                           │
│                                                                                            │
│ Next: [Continue]                                                                           │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
10.5 Screen — Feeds & AirGap Ops (Sources & Freshness)
Formerly
- Operations → Feeds (/operations/feeds), screen title: “Feed Mirror & AirGap Operations”
- Also partially represented as OSV/NVD “Feeds” cards under Settings → Integrations.
Why change
- This becomes the operator-grade control surface for:
  - Freshness (are CVE sources synced within SLA?).
  - Determinism (version locks).
  - AirGap readiness (bundles).
- It is “second-class” (reachable from Dashboard “Nightly Ops Signals”), not buried.
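The freshness-to-gating-risk logic that both the Integrations Hub (“Needs Attention / Impact on Release Control”) and the Sources & Freshness tab rely on, written out as an added example. This is not Stella Ops code: the source list, SLA values, risk thresholds and the gate-to-source dependency map are constructed assumptions chosen to match the mocks.

```python
# Added example (not Stella Ops code): evaluate each security data source
# against its freshness SLA and derive the "Impact on Release Control" lines.
# Names, thresholds and the gate dependency map below are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Source:
    name: str
    status: str                     # CONNECTED / DEGRADED / DISCONNECTED (as on the hub)
    last_sync: Optional[datetime]   # None = no successful sync on record
    sla: timedelta                  # "Freshness SLA" column
    used_by: list                   # downstream jobs / gates that read this source


def freshness(source: Source, now: datetime) -> tuple:
    """Return (freshness label, gating risk) for one source.

    A disconnected or never-synced source has UNKNOWN freshness: we cannot
    say how old its data is, so any gate built on it carries HIGH risk.
    """
    if source.status == "DISCONNECTED" or source.last_sync is None:
        return "UNKNOWN", "HIGH"
    age = now - source.last_sync
    if age <= source.sla:
        return "OK", "LOW"
    if age <= 2 * source.sla:       # assumption: one extra SLA window of grace
        return "STALE", "MEDIUM"
    return "STALE", "HIGH"


def needs_attention(sources, now):
    """Lines for the 'Needs Attention (Impact on Release Control)' panel."""
    lines = []
    for s in sources:
        label, risk = freshness(s, now)
        if risk == "LOW" and s.status == "CONNECTED":
            continue                # healthy: nothing to surface
        lines.append(f"{s.name}: {s.status} -> freshness {label} -> "
                     f"{', '.join(s.used_by)} -> gating risk {risk}")
    return lines


GATES = {   # assumption: which sources each release gate reads
    "CVE freshness": ["NVD", "OSV"],
    "KEV exploited-in-the-wild": ["CISA KEV"],
}


def unreliable_gates(sources, now):
    """A gate is reliable only if every source it depends on is fresh (OK)."""
    by_name = {s.name: s for s in sources}
    return [gate for gate, deps in GATES.items()
            if any(freshness(by_name[d], now)[0] != "OK" for d in deps)]


# Constructed sample matching the Sources & Freshness mock (02:10 UTC).
NOW = datetime(2026, 2, 18, 2, 10, tzinfo=timezone.utc)
SOURCES = [
    Source("OSV", "CONNECTED", NOW - timedelta(hours=1), timedelta(hours=6),
           ["Vulnerability scans"]),
    Source("NVD", "DISCONNECTED", None, timedelta(hours=6),
           ["Vulnerability scans", "Release gates"]),
    Source("CISA KEV", "CONNECTED", NOW - timedelta(hours=3), timedelta(hours=24),
           ["Release gates"]),
]

if __name__ == "__main__":
    for line in needs_attention(SOURCES, NOW):
        print(line)
    print("Unreliable gates:", unreliable_gates(SOURCES, NOW))
```

The design point is that freshness is computed per source against its own SLA, and gate reliability is derived from the sources a gate reads, so a single disconnected feed degrades exactly the gates that depend on it and nothing else.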
Screen graph (Mermaid)
```mermaid
flowchart TD
  A["Feeds & AirGap Ops"] --> B["Sources & Freshness"]
  A --> C[Feed Mirrors]
  A --> D[AirGap Bundles]
  A --> E[Version Locks]
  B -->|open source integration| F[Integration Detail]
  B -->|create mirror| C
  E -->|lock for release| G["Release Detail<br/>(Determinism tab)"]
```
ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops (Formerly: Operations ▸ Feeds → "Feed Mirror & AirGap Operations")      │
│ Org: Acme   Region: US-East   Window: 7d                                                   │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Sources & Freshness] [Feed Mirrors] [AirGap Bundles] [Version Locks]                │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Sources & Freshness                                                                        │
│ ┌───────────────┬──────────────┬───────────────┬───────────────┬──────────────────────────┐ │
│ │ Source        │ Status       │ Last Sync     │ Freshness SLA │ Notes / Impact           │ │
│ ├───────────────┼──────────────┼───────────────┼───────────────┼──────────────────────────┤ │
│ │ OSV           │ OK           │ 1h ago        │ 6h            │ Full OK                  │ │
│ │ NVD           │ DISCONNECTED │ —             │ 6h            │ Approval gating risk HIGH│ │
│ │ CISA KEV      │ OK           │ 3h ago        │ 24h           │ OK                       │ │
│ └───────────────┴──────────────┴───────────────┴───────────────┴──────────────────────────┘ │
│ Actions: [Retry failed sources] [Open Integration Detail] [Create Mirror]                  │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
10.6 Screen — Feeds & AirGap Ops (Feed Mirrors)
Formerly
- Operations → Feeds → Feed Mirrors tab.
Why change
- Keep the same capability, but add:
  - Region scoping and storage accounting per region.
  - A clear connection to gating data freshness and nightly job health.
Screen graph (Mermaid)
```mermaid
flowchart LR
  A[Feed Mirrors] --> B[Create/Edit Mirror]
  A --> C[Mirror Detail]
  C -->|force sync| C
  C -->|view sync logs| C
  A -->|back| D["Feeds & AirGap Ops"]
```
ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ Feed Mirrors (Formerly: Operations ▸ Feeds ▸ Feed Mirrors)            │
│ Region: EU-West                                                                            │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ KPI: Total Mirrors: 4   Synced: 3   Stale: 1   Errors: 0   Storage: 28GB                   │
│ Actions: [+ Create Mirror] [Sync All] [Export Mirror Config]                               │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Mirrors                                                                                    │
│ ┌───────────────┬──────────┬───────────────┬───────────┬───────────┬──────────────────────┐ │
│ │ Mirror Name   │ Source   │ Status        │ Last Sync │ Storage   │ Actions              │ │
│ ├───────────────┼──────────┼───────────────┼───────────┼───────────┼──────────────────────┤ │
│ │ nvd-eu-mirror │ NVD      │ STALE (8h)    │ 8h ago    │ 12GB      │ [Sync] [Edit] [Logs] │ │
│ │ osv-eu-mirror │ OSV      │ SYNCED        │ 1h ago    │ 4GB       │ [Sync] [Edit] [Logs] │ │
│ │ kev-eu-mirror │ CISA KEV │ SYNCED        │ 3h ago    │ 1GB       │ [Sync] [Edit] [Logs] │ │
│ └───────────────┴──────────┴───────────────┴───────────┴───────────┴──────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
10.7 Screen — Feeds & AirGap Ops (AirGap Bundles)
Formerly
- Operations → Feeds → AirGap Bundles tab.
Why change
- This is essential for environments that must prove:
  - The release decision was made using a known dataset snapshot.
  - The bundle contains feeds + policy pack versions + evidence tooling metadata.
Screen graph (Mermaid)
```mermaid
flowchart TD
  A[AirGap Bundles] --> B[Create AirGap Bundle]
  A --> C[Bundle Detail]
  C -->|download| C
  C -->|verify signatures| C
  C -->|pin version locks| D[Version Locks]
```
ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ AirGap Bundles (Formerly: Operations ▸ Feeds ▸ AirGap Bundles)        │
│ Region: APAC                                                                               │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Actions: [+ Create Bundle] [Download latest] [Verify bundle]                               │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Bundles                                                                                    │
│ ┌───────────────────┬───────────┬──────────────┬────────────────┬────────────────────────┐ │
│ │ Bundle Name       │ Target Env│ Contents     │ Built At       │ Actions                │ │
│ ├───────────────────┼───────────┼──────────────┼────────────────┼────────────────────────┤ │
│ │ apac-prod-2026-02-│ Prod      │ OSV+NVD+KEV  │ 2026-02-18 02: │ [Download] [Verify]    │ │
│ │ apac-uat-2026-02- │ UAT       │ OSV+KEV      │ 2026-02-17 02: │ [Download] [Verify]    │ │
│ └───────────────────┴───────────┴──────────────┴────────────────┴────────────────────────┘ │
│ Notes: Bundle embeds version locks + signing metadata for audit.                           │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
10.8 Screen — Feeds & AirGap Ops (Version Locks)
Formerly
- Operations → Feeds → Version Locks tab.
Why change
- Version locks are the core of reproducible gating:
  - “This approval used NVD snapshot X, OSV snapshot Y.”
  - Essential for external audits and internal replay/verify.
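An added example of what a version lock and the AirGap bundle that embeds it (10.7 and 10.8) look like as data, together with the verify and replay checks an audit would run. This is not Stella Ops code and the field names are assumptions; the keyed HMAC is a stand-in for the product's real signing scheme, and the snapshots, key and bundle name are constructed.

```python
# Added example (not Stella Ops code): a version lock pins the dataset snapshot
# per source; an AirGap bundle manifest embeds that lock plus policy pack and
# tooling metadata and is signed; replay/verify recomputes both.
# Field names are assumptions; HMAC stands in for the real signing scheme.
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-signing-key"   # assumption: placeholder, not a real key


def snapshot_digest(payload: bytes) -> str:
    """Content digest of one source's dataset snapshot."""
    return "sha256:" + hashlib.sha256(payload).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON so the same lock or manifest always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def create_lock(lock_id: str, scope: str, snapshots: dict) -> dict:
    """Version lock: 'this approval used NVD snapshot X, OSV snapshot Y'."""
    return {
        "lock_id": lock_id,
        "scope": scope,
        "sources": {name: snapshot_digest(data) for name, data in sorted(snapshots.items())},
    }


def build_bundle(name: str, target_env: str, lock: dict, policy_pack: str, tooling: dict) -> dict:
    """AirGap bundle manifest (feeds by lock + policy pack + tooling), signed over canonical form."""
    manifest = {"bundle": name, "target_env": target_env, "version_lock": lock,
                "policy_pack": policy_pack, "tooling": tooling}
    sig = hmac.new(SIGNING_KEY, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": {"alg": "HMAC-SHA256 (demo stand-in)", "value": sig}}


def verify_bundle(bundle: dict) -> bool:
    """[Verify] action: recompute the signature over the manifest, compare in constant time."""
    expected = hmac.new(SIGNING_KEY, canonical(bundle["manifest"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, bundle["signature"]["value"])


def replay_check(lock: dict, snapshots_now: dict) -> dict:
    """Replay/Verify: per source, does the data available now match the locked digest?"""
    return {name: snapshot_digest(snapshots_now.get(name, b"")) == digest
            for name, digest in lock["sources"].items()}


# Constructed sample data (not real feed content).
SNAPSHOTS = {"NVD": b"nvd-2026-02-18", "OSV": b"osv-2026-02-18", "KEV": b"kev-2026-02-18"}
LOCK = create_lock("lock-2026-02-18", "US-East / Prod", SNAPSHOTS)
BUNDLE = build_bundle("demo-prod-bundle", "Prod", LOCK,
                      policy_pack="policy-pack@1.4.0", tooling={"sbom-tool": "0.9.2"})

if __name__ == "__main__":
    print(json.dumps(BUNDLE["manifest"]["version_lock"], indent=2))
    print("bundle verifies:", verify_bundle(BUNDLE))
    # A refreshed NVD snapshot no longer matches what the approval used.
    print("replay:", replay_check(LOCK, {**SNAPSHOTS, "NVD": b"nvd-2026-02-19"}))
```

Two properties matter here: the lock records digests rather than timestamps, so a replay can prove byte-for-byte that the same dataset was used, and the signature covers the canonical manifest including the lock, so a bundle whose policy pack or lock was swapped after signing fails [Verify].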
Screen graph (Mermaid)
```mermaid
flowchart LR
  A[Version Locks] --> B[Create Lock]
  A --> C[Lock Detail]
  A --> D[Apply Lock to Region/Env]
  A --> E[Apply Lock to Release]
  E --> F["Release Detail<br/>Determinism tab"]
```
ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ Version Locks (Formerly: Operations ▸ Feeds ▸ Version Locks)          │
│ Region: US-East                                                                            │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Actions: [+ Create Version Lock] [Apply to Release] [Apply to Env]                         │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Locks                                                                                      │
│ ┌────────────────┬───────────────┬───────────────┬──────────────────────┬──────────────────┐ │
│ │ Lock ID        │ Sources       │ Created       │ Scope                │ Actions          │ │
│ ├────────────────┼───────────────┼───────────────┼──────────────────────┼──────────────────┤ │
│ │ lock-2026-02-18│ NVD, OSV, KEV │ 2026-02-18    │ US-East / Prod       │ [View] [Apply]   │ │
│ │ lock-2026-02-17│ OSV, KEV      │ 2026-02-17    │ APAC / UAT           │ [View] [Apply]   │ │
│ └────────────────┴───────────────┴───────────────┴──────────────────────┴──────────────────┘ │
│ Audit note: locks are referenced in Evidence Bundles + Replay/Verify.                      │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
What changed vs the previous draft (to keep the reorg intact)
- I’m keeping Integrations Hub under Integrations (configuration + dependency map).
- I’m placing Feeds & AirGap Ops under Platform Ops (operator workflows + determinism tooling), but it remains second-class because:
  - It’s linked from Integrations Hub (source issues → ops controls),
  - and it should be linked from the Dashboard “Nightly Ops Signals” card.
If you want, I can do Pack 11 next for the remaining “Settings-class” pages you attached (Usage & Limits, Notifications, Identity & Access, Trust & Signing, System) but in the new IA, with the same: Mermaid menu + per-screen graphs + ASCII mocks + Formerly/Why.