stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
7943cfb3afd97bd90c578d5e8138315a4c1a7ff8
git.stella-ops.org/docs/qa/console-ui-qa-strategy.md
master 7943cfb3af chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates 
Bundled pre-session doc + ops work:
- docs/modules/**: sync across advisory-ai, airgap, cli, excititor,
  export-center, findings-ledger, notifier, notify, platform, router,
  sbom-service, ui, web (architectural + operational updates)
- docs/features/**: updates to checked excititor vex pipeline,
  developer workspace, quick verify drawer
- docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE,
  code-of-conduct/TESTING_PRACTICES updates
- docs/qa/feature-checks/: FLOW.md + excititor state update
- docs/implplan/: remaining sprint updates + new Concelier source
  credentials sprint (SPRINT_20260422_003)
- docs-archived/implplan/: 30 sprint archival moves (ElkSharp series,
  misc completed sprints)
- devops/compose: .env + services compose + env example + router gateway
  config updates

File-level granularity preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 16:06:39 +03:00

9.7 KiB
Raw Blame History

Console UI QA Strategy

Goal

  • Produce QA work that proves Stella Ops can be operated to release with confidence.
  • Focus downstream agents on route truth, tab truth, evidence linkage, and corrective-action handoffs instead of generic visual review.
  • Turn runtime findings into concrete test and fix work under src/Web/StellaOps.Web/.

Required Reading

  • docs/product/release-with-confidence-product-card.md
  • docs/qa/console-ui-traversal-map.md
  • docs/qa/feature-checks/FLOW.md
  • docs/UI_GUIDE.md
  • src/Web/AGENTS.md

Preconditions

  1. Start the Web app and required local services before any UI verification.
  2. Use authenticated QA sessions. For local-source passes, seed the persisted auth keys used by AuthSessionStore:
    • stellaops.auth.session.full
    • stellaops.auth.session.info
    • stellaops:wasEverAuth
  3. Do not rely on window.__stellaopsTestSession as the only bootstrap path. The current live guard contract is storage-based.
  4. If running against the live frontdoor instead of the local source server, export STELLAOPS_FRONTDOOR_PASSWORD or STELLAOPS_ADMIN_PASS before starting the run.
  5. Do not write transient Playwright output into a watched Angular source path during a live ng serve pass unless rebuild churn is acceptable. Prefer a temp directory or write once after the traversal completes.

What Counts As A Pass

  • The route lands on the correct canonical page or canonical child route.
  • The page clearly states what surface the operator is on.
  • The page preserves release, evidence, policy, or admin context instead of silently collapsing into another workspace.
  • Every visible tab lands on a truthful state with distinct route or content identity.
  • Empty states tell the operator what is missing and what action to take next.
  • Primary CTAs lead to the owning corrective workflow.

What Counts As A Failure

  • Redirects that lose authority, tenant, or base-url context.
  • Evidence routes that silently become unrelated Ops pages without preserving evidence identity.
  • Pages with no stable page identity in the main surface.
  • Tabs that render but do not change route or state in a way the operator can understand.
  • Placeholder or empty content presented without an explanation of what data or action is missing.
  • Broken admin or setup handoffs that prevent the operator from reaching the owning page.

Execution Order

  1. Resolve active route and redirect defects first.
  2. Verify Release Control and Release Policies next.
  3. Verify Security next.
  4. Verify Evidence and Ops next.
  5. Verify Setup and Admin last.

This order is intentional. A polished admin page does not compensate for ambiguous release, policy, or evidence truth.

Route-Family Checks

Release Control

Entry route Seek for Required interactions Failure signals
/environments/overview clear environment readiness ownership load page, verify the main panel is not just nav chrome, check whether topology or readiness content exists missing top-level page identity or only shell text
/releases release list anchored to versions or bundles verify sort and filter chips, empty-state truth, drill into release identity when possible page title only, no release context in main panel
/releases/deployments deployment state and approval queue visibility switch visible state filters, confirm counts and state labels remain coherent filters that do not change visible state or route
/releases/bundles digest-first bundle identity and validation context verify bundle states, digest-oriented copy, and bundle creation handoff if present tag-first copy or missing digest and evidence context
/releases/promotions promotion queue and readiness verify page state and empty-state guidance generic list shell without promotion meaning
/releases/approvals approvals segmented by decision state click all tabs: Pending, Approved, Rejected, Expiring, My Team tabs render but do not change state or route

Release Policies

Entry route Seek for Required interactions Failure signals
/ops/policy/packs release policy entry surface confirm the page has main-panel identity and is not only nav chrome title exists but no main-panel page identity
/ops/policy/governance governance ownership click Governance, VEX & Exceptions, Simulation, Audit; confirm route changes and headings follow cross-links present but content stays ambiguous
/ops/policy/vex VEX conflict and exception truth click local VEX tabs such as Search, Stats, Consensus, Explorer, Conflicts, Exceptions VEX surface lacks distinct page state or operator action
/ops/policy/simulation what-if and promotion-gate simulation click Shadow Mode, Promotion Gate, Test & Validate, Pre-Promotion Review, Effective Policies, Exceptions simulation tabs do not expose a reviewable scenario or result state

Security

Entry route Seek for Required interactions Failure signals
/security/images security posture attached to a release or image selection click Summary, Findings, SBOM, Reachability, VEX, Evidence tabs break context or the empty state hides what must be selected
/security/risk risk budget and verdict truth verify Current Verdict, Side-by-Side Risk Diff, Exception Workflow metrics or exceptions render as placeholders without explanation
/security/advisory-sources source freshness and feed ownership confirm the page has page-level identity and feed-specific actions or state route title only, no main-panel identity
/triage/artifacts vulnerability triage work surface confirm page identity, queue or state controls, and drill-in affordances route resolves but only shell text is present

Evidence

Entry route Seek for Required interactions Failure signals
/evidence/overview evidence-specific landing page confirm whether aliasing to Ops > Audit is intentional and understandable to an operator silent collapse into Audit with no Evidence identity
/evidence/audit-log audit-event search and log review exercise search and pagination controls if available search and log surface lacks audit identity
/evidence/verify-replay replay request, replay queue, quick verify click visible replay controls, confirm mismatch and empty-state copy is truthful replay surface exists but offers no actionable next step
/evidence/exports export ownership and workflow verify page identity and export actions route title only, no export-specific surface
/evidence/capsules proof-bundle and capsule ownership confirm whether this intentionally maps to Audit > Bundles or incorrectly loses capsule identity route lands in Audit with no capsule language

Ops

Entry route Seek for Required interactions Failure signals
/ops/operations/jobengine execution control plane click Runs, Schedules, Workers and verify state changes tabs render but do not alter the visible slice
/ops/operations/feeds-airgap feed and offline readiness verify the page is not mislabeled as generic dashboard content "About this page" points to the wrong workspace or no feed identity exists
/ops/operations/doctor diagnostics ownership confirm service-health and drift checks appear in the main panel title exists but no diagnostic identity or actions
/ops/operations/audit audit workspace click All Events, Timeline, Correlations, Exports, Bundles tabs do not preserve audit context
/ops/scripts operator scripts and filtering exercise visible language and visibility filters filters do not affect state or are mislabeled

Setup And Admin

Entry route Seek for Required interactions Failure signals
/setup setup workspace overview verify each tile links to the owning setup route setup overview lists areas but handoffs are broken
/setup/integrations integration ownership confirm page identity and integration-specific actions route title only, no integration surface
/setup/trust-signing trust and signing canonical child route click Signing Keys, Trusted Issuers, Certificates, Audit keys child route is fine, but parent trust identity must remain obvious
/setup/identity-providers identity-provider CRUD surface verify list and create affordances page lands but cannot express current state or next step
/setup/tenant-branding tenant and branding ownership confirm page identity and editable controls route title only, no branding-specific surface
/console-admin/* admin deep links verify redirects keep the correct origin and page ownership redirects drop the port or base URL or land on the wrong setup page

Retained Automation Requirements

  • Any manual route or tab discovered during QA must become retained Playwright coverage before the feature area is considered stable.
  • New or corrected tests must follow the current route contract, not the retired standalone Evidence sidebar expectation.
  • Admin-route coverage must explicitly assert the final URL origin so port-dropping redirects are caught.
  • Evidence-route coverage must assert whether a route is intentionally aliased or whether it must preserve standalone Evidence identity.

Downstream Sprint Split

  • SPRINT_20260421_005_FE_console_route_identity_and_redirect_truth.md
  • SPRINT_20260421_006_FE_release_and_security_console_behavioral_qa.md
  • SPRINT_20260421_007_FE_evidence_ops_setup_admin_console_behavioral_qa.md

These sprints are intentionally small enough that another agent can verify and fix within src/Web/StellaOps.Web/ without re-deriving the product model.