git.stella-ops.org/docs/modules/ui/v2-rewire/authority-matrix.md
2026-02-21 09:45:32 +02:00

UI v2 Rewire Authority Matrix

Status: Canonical planning reference

Date: 2026-02-20

This matrix defines which pack is authoritative for each capability and which packs are superseded.

A) Capability authority

| Capability area | Authoritative pack(s) | Superseded packs | Notes |
| --- | --- | --- | --- |
| Global IA and naming | pack-23.md, pack-22.md | pack-21.md and lower for overlaps | Canonical roots are Mission Control, Releases, Security, Evidence, Topology, Platform. |
| Dashboard mission control | pack-22.md, pack-16.md | pack-01.md, pack-04.md, pack-08.md, pack-11.md | Pack 22 defines posture framing; Pack 16 keeps detailed signal cards where unchanged. |
| Releases lifecycle consolidation | pack-22.md, pack-12.md, pack-13.md, pack-14.md, pack-17.md | Standalone lifecycle module variants in older packs | Runs/deployments/promotions/hotfixes are views under Releases, not roots. |
| Topology inventory and setup | pack-22.md, pack-18.md | Prior placements under Release Control and Platform Ops | Regions/env/targets/hosts/agents/workflows/gate profiles belong to Topology. |
| Security consolidation | pack-22.md, pack-19.md | pack-03.md, pack-07.md and split-view variants | Findings + Disposition + SBOM Explorer as consolidated IA. |
| Evidence and audit chain | pack-22.md, pack-20.md | pack-03.md, pack-09.md, pack-11.md | Evidence must be linked from Releases and Security decisions. |
| Operations runtime posture | pack-23.md, pack-15.md, pack-10.md | pack-03.md, pack-06.md, pack-09.md, pack-11.md | Ops runs under Platform and owns runtime operability state; agents stay in Topology. |
| Integrations configuration | pack-23.md, pack-10.md, pack-21.md | pack-02.md, pack-05.md, pack-09.md | Integrations runs under Platform and is limited to external systems/connectors. |
| Administration governance | pack-22.md, pack-21.md | pack-02.md, pack-05.md, pack-09.md, pack-11.md | Identity/tenant/notification/usage/policy/system remain admin-owned under Platform -> Setup. |

B) Explicit higher-pack overrides

| Decision | Replaced guidance | Canonical guidance |
| --- | --- | --- |
| Root domain naming | Dashboard, Release Control, Security & Risk, Evidence & Audit, Platform Ops, top-level Administration | Mission Control, Releases, Security, Evidence, Topology, Platform (pack-23.md) |
| Bundle naming | Bundle-first labels in packs 12/21 | UI term is Release Version; bundle semantics remain in data model (pack-22.md) |
| Lifecycle menu sprawl | Standalone Promotions, Deployments, Runs, Hotfixes menus | Lifecycle surfaces live under Releases list/detail/activity/approvals (pack-22.md) |
| Region/environment nav placement | Deep menu under release-control variants | Global context selectors + Topology inventory pages (pack-22.md) |
| Security navigation split | Separate VEX, Exceptions, SBOM Graph, SBOM Lake menus | Consolidated Disposition Center and SBOM surfaces (pack-22.md) |
| Feed and VEX source setup placement | Security-owned advisory sources setup variants | Integrations-owned feed/source configuration (pack-22.md) |
| Agent module placement | Platform Ops ownership variants | Topology -> Agents (pack-22.md) |

C) Pack lifecycle classification

| Pack | Status for planning | Primary reason |
| --- | --- | --- |
| pack-01.md | Superseded baseline | Early drafts replaced by higher packs. |
| pack-02.md | Superseded baseline | Early settings/admin/integration placement replaced. |
| pack-03.md | Superseded baseline | Early security/evidence/ops model replaced. |
| pack-04.md | Superseded baseline | Early release control model replaced. |
| pack-05.md | Superseded baseline | Transitional admin/integration moves replaced. |
| pack-06.md | Superseded baseline | Ops structure replaced by packs 15 and 22. |
| pack-07.md | Superseded baseline | Security model replaced by packs 19 and 22. |
| pack-08.md | Superseded baseline | Historical reference only. |
| pack-09.md | Superseded baseline | Settings migration draft replaced. |
| pack-10.md | Active partial authority | Integrations/feeds/airgap detail where not overridden. |
| pack-11.md | Superseded baseline | Replaced by packs 12-22. |
| pack-12.md | Active authority | Release composition deep specification. |
| pack-13.md | Active authority | Promotion flow baseline for Releases. |
| pack-14.md | Active authority | Run timeline/checkpoint semantics. |
| pack-15.md | Active authority | Data Integrity operations model. |
| pack-16.md | Active authority | Dashboard signal-level model. |
| pack-17.md | Active authority | Approvals detail model. |
| pack-18.md | Active authority | Environment/topology detail shell standard. |
| pack-19.md | Active authority | Security decision model details. |
| pack-20.md | Active authority | Evidence chain structure. |
| pack-21.md | Active fallback authority | Pre-Pack-22 admin/integration organization details where not overridden. |
| pack-23.md | Highest-precedence authority | Platform global menu with Ops/Integrations/Setup consolidation and ownership boundaries. |
| pack-22.md | Active authority | IA consolidation baseline and naming model before Platform delta in Pack 23. |

D) Raw pack usage policy

For sprint planning, use raw packs only through this sequence:

  1. Find capability in Section A.
  2. Start with listed authoritative pack(s).
  3. Open superseded packs only for migration context or missing implementation detail.

E) UI RBAC visibility matrix

| Surface | Primary scope gate (any) | Fallback/notes |
| --- | --- | --- |
| Mission Control root | ui.read, release:read, scanner:read, sbom:read | Redirect unauthorized users to /console/profile. |
| Releases root | release:read, release:write, release:publish | Approvals queue additionally expects approval/governance scopes. |
| Security root | scanner:read, sbom:read, advisory:read, vex:read, exception:read, findings:read, vuln:view | Disposition and SBOM tabs remain visible only when parent root is visible. |
| Evidence root | release:read, policy:audit, authority:audit.read, signer:read, vex:export | Trust mutation routes stay under Platform -> Setup. |
| Topology root | release:read, orch:read, orch:operate, ui.admin | Includes regions/env, targets/runtimes, and agent fleet. |
| Platform root | ui.admin, orch:read, orch:operate, health:read, notify.viewer | Covers ops, integrations, and setup/admin surfaces. |
| Legacy alias roots (/operations, /integrations, /administration, /platform-ops) | Same gate as Platform root | Alias-window only; tracked by legacy_route_hit telemetry. |
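
The gate rules in Section E, written out as an added TypeScript example (not Stella Ops code): any-of scope matching per root, legacy aliases resolved to the Platform gate, and child tabs tied to their parent root. The type and function names, the path segments for non-legacy roots, and the per-tab scope lists passed to `canSeeTab` are assumptions; only the Mission Control row states a redirect target, so other roots return none.

```typescript
// Added example. Scope lists are copied from the matrix above; type names,
// function names and the non-legacy path segments are hypothetical.
type Root = "mission-control" | "releases" | "security" | "evidence" | "topology" | "platform";

const ROOT_GATES: Record<Root, readonly string[]> = {
  "mission-control": ["ui.read", "release:read", "scanner:read", "sbom:read"],
  releases: ["release:read", "release:write", "release:publish"],
  security: ["scanner:read", "sbom:read", "advisory:read", "vex:read", "exception:read", "findings:read", "vuln:view"],
  evidence: ["release:read", "policy:audit", "authority:audit.read", "signer:read", "vex:export"],
  topology: ["release:read", "orch:read", "orch:operate", "ui.admin"],
  platform: ["ui.admin", "orch:read", "orch:operate", "health:read", "notify.viewer"],
};

// Only the Mission Control row names a redirect target for unauthorized users.
const DENY_REDIRECT: Partial<Record<Root, string>> = { "mission-control": "/console/profile" };
// Legacy alias roots reuse the Platform gate during the alias window.
const LEGACY_ALIASES: readonly string[] = ["operations", "integrations", "administration", "platform-ops"];

// "Any" semantics: a single granted scope from the row makes the root visible.
function canSeeRoot(root: Root, granted: readonly string[]): boolean {
  return ROOT_GATES[root].some((scope) => granted.indexOf(scope) !== -1);
}

// Child tabs (Disposition, SBOM) are shown only while their parent root is visible.
function canSeeTab(parent: Root, tabScopes: readonly string[], granted: readonly string[]): boolean {
  return canSeeRoot(parent, granted) && tabScopes.some((s) => granted.indexOf(s) !== -1);
}

interface RouteDecision { allow: boolean; root: Root | null; redirectTo: string | null; legacyRouteHit: boolean; }

function decideRoute(path: string, granted: readonly string[]): RouteDecision {
  const segment = path.split("/").filter((p) => p.length > 0)[0] || "";
  // The caller emits legacy_route_hit telemetry when this flag is set.
  const legacyRouteHit = LEGACY_ALIASES.indexOf(segment) !== -1;
  const name = legacyRouteHit ? "platform" : segment;
  // Own-key lookup so inherited names such as "constructor" never match a gate.
  if (Object.keys(ROOT_GATES).indexOf(name) === -1) {
    return { allow: false, root: null, redirectTo: null, legacyRouteHit }; // unknown root: fail closed
  }
  const root = name as Root;
  const allow = canSeeRoot(root, granted);
  return { allow, root, redirectTo: allow ? null : (DENY_REDIRECT[root] || null), legacyRouteHit };
}
```

These checks decide what the UI shows; the backing APIs still have to enforce the same scopes on every request.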