Stella Ops — QA Issues Report
Date: 2026-02-19
Tester: Claude Code (Playwright automated walkthrough)
Stack: Fresh docker compose up from devops/compose/docker-compose.stella-ops.yml
Auth: admin / default credentials
Base URL: https://stella-ops.local/
Build: v1.0.0 (as shown in sidebar footer)
Summary
| Severity | Count |
|---|---|
| 🔴 Critical | 1 |
| 🟠 High | 4 |
| 🟡 Medium | 7 |
| 🔵 Low | 6 |
| Total | 18 |
🔴 Critical
ISSUE-001 — All v2 navigation routes redirect to home (/)
Pages: /release-control/*, /security-risk/*, /evidence-audit/*, /platform-ops/*, /administration/*, /dashboard
Reproduction: Navigate to any of the 22+ new v2 IA routes introduced in SPRINT_20260218_006–016.
Observed: Every route silently redirects to / (Control Plane dashboard). No 404, no error — just home.
Expected: Each route renders its designated v2 component.
Impact: The entire v2 information architecture (Release Control, Security & Risk, Evidence & Audit, Platform Ops, Administration, Dashboard v3) is inaccessible. Only the old v1 routes work.
Notes: This is the primary blocker for SPRINT_20260218 sprint delivery. The new sidebar components exist in source but the routes are not wired to the deployed build. The /integrations route is the only v2-era route that partially works.
Affected routes tested:
/release-control → / (Control Plane)
/release-control/releases → /
/release-control/approvals → /
/release-control/environments → /
/release-control/bundles → /
/release-control/promotions → /
/release-control/runs → /
/security-risk → /
/security-risk/findings → /
/security-risk/advisory-sources → /
/security-risk/vulnerabilities → /
/evidence-audit → /
/evidence-audit/packs → /
/evidence-audit/proofs → /
/evidence-audit/audit → /
/platform-ops → /
/platform-ops/health → /
/platform-ops/feeds → /
/administration → /
/administration/identity-access → /
/administration/policy-governance → /
/dashboard → /
🟠 High
ISSUE-002 — Integration Hub (/integrations) fires 10 API errors on load
Page: https://stella-ops.local/integrations
Reproduction: Navigate to /integrations.
Observed: Page loads visually (shows Integration Hub with all category counts as 0) but generates 10 console errors:
Failed to load resource: server responded with an error
/api/v1/integrations?type=0&pageSize=1
/api/v1/integrations?type=1&pageSize=1
/api/v1/integrations?type=2&pageSize=1
/api/v1/integrations?type=3&pageSize=1
/api/v1/integrations?type=4&pageSize=1
(plus 5x "ERROR N @ chunk-2UEM7CYT.js:3")
Expected: API calls succeed; summary counts reflect actual integration state (the old /settings/integrations shows 8 integrations with seed data).
Impact: The v2 Integration Hub is broken — all counts show 0 and the "Recent Activity" section shows a placeholder ("Integration activity timeline coming soon…"). Users cannot use this page.
Note: /settings/integrations works correctly (8 integrations shown). The backend API endpoint /api/v1/integrations may not be connected to the integrations service.
ISSUE-003 — After creating a release, redirects to orphaned route /release-orchestrator/releases
Page: /releases/create
Reproduction: Create a release through the 3-step wizard → click "Create Release" on step 3.
Observed: After submit, browser navigates to /release-orchestrator/releases.
Expected: Should navigate to /releases (the current releases list route).
Impact: The post-create redirect lands on an old route that no longer exists in the sidebar IA and was renamed. The URL works (Angular handles it), but it's a stale reference that will break when the old route aliases are removed during the v2 cutover (SPRINT_20260218_016).
ISSUE-004 — Identity & Access (/settings/admin) shows "No users found" with admin logged in
Page: https://stella-ops.local/settings/admin
Reproduction: Navigate to Settings → Identity & Access → Users tab.
Observed: "No users found" message shown even though the admin user is currently authenticated.
Expected: At minimum the admin user should appear in the user list.
Impact: Administrators cannot view or manage users from this page. User management is effectively broken.
Screenshot context: Bootstrap admin email is admin@unknown.local (possibly indicating the user was seeded without persisting to the listing query).
ISSUE-005 — Approvals badge count (3) does not match Pending filter results (2)
Page: /approvals
Reproduction: Observe sidebar badge → click through to Approvals page → filter defaults to "Pending" status.
Observed:
- Sidebar badge: 3 pending
- Pending filter: Results (2)
- All filter: Results (4)
Expected: Badge should equal the "Pending" filtered count. The badge logic and the pending query are sourced differently.
Impact: Misleading count for approvers — could cause someone to think they've missed an item or search for a non-existent third pending approval.
🟡 Medium
ISSUE-006 — Platform Health shows "NaNms" P95 latency and "/" service count
Page: https://stella-ops.local/operations/health
Reproduction: Navigate to Operations → Platform Health.
Observed:
- "Avg Latency NaNms — P95 across services"
- "Services / Healthy" (shows a bare / instead of a number)
- "No services available in current snapshot"
- "Dependencies: 0 nodes · 0 connections"
Expected: Should show either real service health data or a meaningful empty state ("No health data available yet" with guidance).
Impact: The health dashboard is completely non-functional on a fresh install. The NaN renders because it divides by zero services. The "/" is a formatting bug where a fraction like "0/0" is rendered without the surrounding numbers.
ISSUE-007 — Approve button on Approvals list has no confirmation step
Page: /approvals
Reproduction: On the approvals list, click "Approve" directly on any approval card.
Observed: No confirmation dialog, modal, or reason input appears. The action fires silently (or may silently fail — no success/error toast was observed).
Expected: A confirmation dialog or inline form should appear asking for a decision reason, especially since approvals are policy-gated actions that must produce signed evidence.
Impact: Accidental approvals are possible with a single click. Audit trail for the decision reason is missing if no reason is captured.
ISSUE-008 — SBOM Graph is a placeholder: "not yet available in this build"
Page: https://stella-ops.local/security/sbom
Reproduction: Navigate to Security → SBOM Graph.
Observed: Page renders with heading "SBOM Graph" and single message: "SBOM graph visualization is not yet available in this build."
Expected: SBOM dependency graph visualization.
Impact: Feature is advertised in navigation but completely unimplemented in the deployed build.
ISSUE-009 — Vulnerabilities page is a placeholder: "pending data integration"
Page: https://stella-ops.local/security/vulnerabilities
Reproduction: Navigate to Security → Vulnerabilities.
Observed: Page renders with heading "Vulnerabilities" and message: "Vulnerability list is pending data integration."
Expected: Vulnerability explorer with CVE list, filters, and triage actions.
Impact: Feature is advertised in navigation but has no functional content.
ISSUE-010 — Promote button on a deployed release does nothing
Page: /releases/rel-001 (Platform Release 1.2.3 — DEPLOYED)
Reproduction: Click the "Promote" button on a deployed release detail page.
Observed: No navigation, no modal, no drawer — the page stays unchanged.
Expected: A promotion dialog or navigation to the promotion wizard.
Impact: Users cannot initiate a promotion from the release detail page — a core workflow action is broken.
ISSUE-011 — Security sub-pages carry wrong <title>: "Security Overview - StellaOps"
Pages affected:
- /security/findings → title: "Security Overview - StellaOps"
- /security/vex → title: "Security Overview - StellaOps"
- /security/sbom → title: "Security Overview - StellaOps"
Expected: Each page should have its own title, e.g. "Security Findings - StellaOps", "VEX Hub - StellaOps".
Impact: Browser tabs, bookmarks, and screen-reader announcements all say "Security Overview" regardless of which security sub-page is open. Causes confusion and breaks accessibility.
ISSUE-012 — Integration Hub "Recent Activity" is a permanent placeholder
Page: https://stella-ops.local/integrations
Observed: "Integration activity timeline coming soon…" italic placeholder text under Recent Activity heading.
Expected: Activity timeline showing integration sync events, errors, and status changes.
Impact: The activity view the section promises is not implemented.
🔵 Low
ISSUE-013 — Many pages have generic <title> "StellaOps" (no page context)
Pages affected:
| Route | Title |
|---|---|
| /security/vulnerabilities | StellaOps |
| /evidence/proof-chains | StellaOps |
| /evidence/replay | StellaOps |
| /evidence/export | StellaOps |
| /operations/orchestrator | StellaOps |
| /settings/integrations | StellaOps |
| /settings/release-control | StellaOps |
| /settings/security-data | StellaOps |
| /settings/admin | StellaOps |
| /settings/system | StellaOps |
Expected: <Page Name> - StellaOps
Impact: Browser tabs are undifferentiable, bookmarks are unlabelled, screen readers announce the wrong page context. This likely affects all pages whose route modules don't call Angular's Title service.
ISSUE-014 — Release detail breadcrumb references old "Release Orchestrator" path
Page: /releases/rel-001
Observed: Breadcrumb reads: Release Orchestrator / Releases / Platform Release 1.2.3
Links to: /release-orchestrator and /release-orchestrator/releases
Expected: Releases / Platform Release 1.2.3 (linking to /releases)
Impact: Clicking the breadcrumb links navigates to old route aliases that will be removed at v2 cutover. Low impact now; will become a broken link after SPRINT_20260218_016.
ISSUE-015 — Evidence Proof Chains page shows error state on load with no input
Page: https://stella-ops.local/evidence/proof-chains
Observed: Page immediately shows "Subject digest is required — Retry" with no input field offered.
Expected: An empty state with a search or input field to enter a subject digest; error should only appear after a failed search.
Impact: Page is confusing on first load — appears broken but is just waiting for a digest input that it never prompts for.
ISSUE-016 — /evidence redirects to /evidence/bundles (not to Packets)
Page: Navigate to /evidence (from Evidence nav button).
Observed: Redirects to /evidence/bundles — heading "Evidence Bundles".
Expected per sidebar label: "Packets" (sidebar link text) — /evidence should land on Evidence Packets, not Evidence Bundles. The sub-page URL /evidence/bundles is not in the sidebar nav.
Impact: Minor navigation inconsistency — sidebar says "Packets", page says "Bundles", route says "bundles". Naming is not aligned.
ISSUE-017 — Scheduler nav link lands on /operations/scheduler/runs not /operations/scheduler
Page: Click Operations → Scheduler in the sidebar.
Observed: Navigates to /operations/scheduler/runs.
Expected: /operations/scheduler (the root scheduler page) with the runs as a sub-view.
Impact: Minor — the redirect is functional but means the scheduler root route appears to have no direct landing page.
ISSUE-018 — /settings/admin is labeled "Identity & Access" in sidebar but Settings section uses "Identity & Access" inconsistently
Page: Settings group in sidebar.
Observed: The Settings sidebar link for the admin page reads "Identity & Access", which is correct — but the page was also previously accessible at the legacy path /settings/admin. The link in the sidebar still uses /settings/admin (the implementation path) rather than a semantic path like /settings/identity.
Impact: Minor URL semantics issue; the path exposes an internal implementation name (admin) rather than the user-facing label (identity-access).
Pages Verified — No Issues
| Page | URL | Status |
|---|---|---|
| Welcome / Sign In | /welcome | ✅ |
| Control Plane Dashboard | / | ✅ |
| Releases List | /releases | ✅ |
| Release Detail | /releases/rel-001 | ✅ (Promote broken, see ISSUE-010) |
| Approvals List | /approvals | ✅ (count mismatch, see ISSUE-005) |
| Approval Detail | /approvals/apr-001 | ✅ |
| Security Overview | /security/overview | ✅ |
| Security Findings | /security/findings | ✅ |
| Security VEX Hub | /security/vex | ✅ |
| Security Exceptions | /security/exceptions | ✅ |
| SBOM Lake | /analytics/sbom-lake | ✅ |
| Evidence Bundles | /evidence/bundles | ✅ |
| Verdict Replay | /evidence/replay | ✅ |
| Export Center | /evidence/export | ✅ |
| Orchestrator Dashboard | /operations/orchestrator | ✅ |
| Scheduler Runs | /operations/scheduler/runs | ✅ |
| Quota Dashboard | /operations/quotas | ✅ |
| Dead-Letter Queue | /operations/dead-letter | ✅ |
| Feed Mirror & AirGap | /operations/feeds | ✅ |
| Integrations (legacy) | /settings/integrations | ✅ |
| Integrations SCM | /integrations/scm | ✅ |
| Integrations Registries | /integrations/registries | ✅ |
| Integration Detail | /settings/integrations/jenkins-1 | ✅ |
| Integration Onboarding | /integrations/onboarding/registry | ✅ |
| Release Control Settings | /settings/release-control | ✅ |
| Trust & Signing | /settings/trust | ✅ |
| Security Data | /settings/security-data | ✅ |
| Tenant / Branding | /settings/branding | ✅ |
| Usage & Limits | /settings/usage | ✅ |
| Notifications | /settings/notifications | ✅ |
| Policy Governance | /settings/policy | ✅ |
| System | /settings/system | ✅ |
| Create Release Wizard (3 steps) | /releases/create | ✅ (redirect bug, see ISSUE-003) |
Actions Verified
| Action | Result |
|---|---|
| Sign In (OAuth/OIDC) | ✅ Works |
| Global Search (type "hotfix") | ✅ Inline results shown |
| Sidebar expand/collapse all sections | ✅ Works |
| Release list filter by status/environment | ✅ Works |
| Release detail Timeline tab | ✅ Works |
| Approval list filter by Status/Environment | ✅ Works |
| Approval detail Explain gate | ✅ Opens explanation |
| Approval detail Add Comment | ✅ Comment saved |
| Create Release wizard (3 steps) | ✅ Completes (bad redirect after) |
| Export CSV (Findings) | ✅ Button present |
| Add Integration (opens onboarding) | ✅ Navigates to onboarding |
| User menu (Profile / Settings / Sign out) | ✅ All present |
Environment Notes
- Fresh install with no scan data → all security counters (CVE counts, SBOM, reachability) are zero. Zero counts are expected, not bugs.
- Seed data is present for: Releases (5), Approvals (4), Integrations (8), and some environmental data.
- Several services reported unhealthy in Docker (stellaops-signals, stellaops-smremote, stellaops-advisory-ai-worker, etc.) — these backend health states may explain some of the data gaps (Platform Health no snapshot, Integration Hub API failures).