42 KiB
42 KiB
Pack 6 — Operations (keep IA intact; add Nightly + make Ops screens “2nd-class” not buried)
This pack stays consistent with the root menus already agreed:
- Dashboard
- Release Control
- Security
- Evidence & Audit
- Operations
- Integrations
- Administration
Operations here is strictly: platform + pipelines + feeds + background jobs + execution diagnostics that support release/hotfix/audit, but do not replace them.
1) Operations menu graph (Mermaid)
flowchart TD
OPS[Operations] --> OPS0[Operations Overview]
OPS --> OPS1[Nightly Ops Report]
OPS --> OPS2[Scheduler]
OPS --> OPS3[Orchestrator]
OPS --> OPS4[Platform Health]
OPS --> OPS5[Dead Letter Queue]
OPS --> OPS6[Feeds & Airgap]
OPS --> OPS7[Quotas & Throttling]
OPS2 --> OPS2a[Runs]
OPS2 --> OPS2b[Schedules]
OPS2 --> OPS2c[Worker Fleet]
OPS3 --> OPS3a[Jobs]
OPS3 --> OPS3b[Backfill]
OPS3 --> OPS3c[Access & Permissions]
OPS6 --> OPS6a[Feed Mirrors]
OPS6 --> OPS6b[Airgap Bundles]
OPS6 --> OPS6c[Version Locks]
2) Operations Overview
Previously
- Formerly: no dedicated overview; operators bounced between
Platform Health,Scheduler,Feeds,Dead Letter, etc.
Now (Redesign)
- Now:
Operations → Operations Overview
Why changed
- You need a single ops landing that answers: “Is the platform able to produce trustworthy release decisions right now?” That means: feeds synced, SBOM scans healthy, reachability ingest healthy, scheduler ok, DLQ clean.
Screen graph (Mermaid)
flowchart TD
A[Operations Overview] --> B[Nightly Ops Report]
A --> C[Platform Health]
A --> D[Feeds & Airgap]
A --> E[Scheduler Runs]
A --> F[Dead Letter Queue]
A --> G[Integrations Overview]
A --> H[Dashboard (impact view)]
ASCII mock
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS OVERVIEW Time: 24h ▾ │
│ Formerly: (new) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ RELEASE-DECISION READINESS │
│ ┌───────────────────────┐ ┌───────────────────────┐ ┌────────────────────────┐ ┌─────────────┐ │
│ │ CVE Data Freshness │ │ SBOM Rescan Health │ │ Reachability Ingest │ │ Evidence Pipe│ │
│ │ OSV: OK NVD: DOWN │ │ OK (last: 02:00) │ │ Build OK / Image OK │ │ OK (DSSE/Log)│ │
│ └───────────────────────┘ └───────────────────────┘ │ Runtime DEGRADED │ └─────────────┘ │
│ └────────────────────────┘ │
│ │
│ EXECUTION HEALTH │
│ ┌────────────────────────────┐ ┌───────────────────────────┐ ┌───────────────────────────┐ │
│ │ Scheduler: DEGRADED │ │ Dead Letter: 0 retryable │ │ Feeds Mirror: NO DATA │ │
│ │ Runs load failed (API) │ │ Errors last 7d: none │ │ Status unknown │ │
│ │ [Open Runs] │ │ [Open DLQ] │ │ [Open Feeds] │ │
│ └────────────────────────────┘ └───────────────────────────┘ └───────────────────────────┘ │
│ │
│ TOP IMPACT (what’s blocked) │
│ - Approvals may switch to manual review due to NVD down │
│ - Prod runtime reachability ingest degraded → “reachable” confidence reduced │
│ [Open Dashboard impact panel] [Open Nightly Ops Report] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
3) Nightly Ops Report (critical missing piece you asked for)
Previously
- Formerly: partially implied by
Scheduler Runsand scattered integration tiles; not consolidated.
Now
- Now:
Operations → Nightly Ops Report
Why changed
-
You explicitly require reporting when:
- SBOM re-scan nightly fails/stales
- CVE sources not synced
- integrations not connectable
- reachability ingest (Build / Image/Dover / Runtime) is degraded
-
This is not a “first-class product feature page,” but it must be second-class and linked from Dashboard + Approvals.
Screen graph (Mermaid)
flowchart TD
A[Nightly Ops Report] --> B[Job Run Detail]
A --> C[Scheduler Runs (filtered)]
A --> D[Integrations (impacted)]
A --> E[Feeds & Airgap (if feed-related)]
A --> F[Dashboard (impact)]
A --> G[Security Findings (if rescan anomalies)]
ASCII mock
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ NIGHTLY OPS REPORT Date: Today ▾ │
│ Formerly: (new; scattered across Scheduler/Integrations/Feeds) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ PIPELINES (nightly) │
│ ┌─────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Job Status Last Run Freshness SLA Impact │ │
│ │ SBOM Rescan (images) OK 02:00 < 24h Approvals trustworthy │ │
│ │ CVE Feed Sync (OSV) OK 01:10 < 6h Findings accurate │ │
│ │ CVE Feed Sync (NVD) FAIL - < 6h Approvals may go manual │ │
│ │ Reachability Ingest (Build) OK 02:05 < 24h build reach coverage OK │ │
│ │ Reachability Ingest (Image) OK 02:07 < 24h image reach coverage OK │ │
│ │ Reachability Ingest (Runtime)DEGRADED 02:15 < 24h runtime reach confidence ↓ │ │
│ │ Integration Health Check WARN 02:20 < 24h Jenkins degraded │ │
│ └─────────────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ FAILURES / REMEDIATION │
│ - NVD Feed: 401/timeout → [Open Integration Detail] [Open Feed Mirrors] │
│ - Runtime reachability ingest: agent missing in eu-central → [Worker Fleet] │
│ │
│ EXPORT: [Download nightly report JSON/CSV] (for audit/compliance evidence) │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
4) Scheduler (Runs / Schedules / Worker Fleet)
4.1 Scheduler menu screen (entry)
Previously
- Formerly:
Operations → Scheduler(you had “Scheduler Runs” page directly)
Now
- Now:
Operations → Scheduleris an entry page with tabs/links to Runs/Schedules/Worker Fleet.
Why changed
- Preserve current functionality but reduce “dead end” screens. Also gives operators quick pivot to Worker Fleet, which you already expose as a button.
Screen graph (Mermaid)
flowchart TD
A[Operations → Scheduler] --> B[Runs]
A --> C[Schedules]
A --> D[Worker Fleet]
B --> E[Nightly Ops Report]
B --> F[Job Run Detail]
ASCII mock
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ SCHEDULER │
│ Formerly: Operations ▸ Scheduler (Runs) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Runs] [Schedules] [Worker Fleet] │
│ Quick actions: [Retry Connection] [Open Nightly Ops Report] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
4.2 Scheduler → Runs
Previously
- Formerly:
Operations → Schedulerpage (“Scheduler Runs”)
Now
- Now:
Operations → Scheduler → Runs
Why changed
-
Same screen, but:
- must link to nightly pipelines (SBOM rescan, CVE sync, reachability ingest)
- must indicate when Runs page is failing (API) and suggest “what breaks”
Screen graph (Mermaid)
flowchart TD
A[Scheduler Runs] --> B[Run Detail]
A --> C[Schedules]
A --> D[Worker Fleet]
A --> E[Nightly Ops Report]
A --> F[Integrations (if failures due to dependency)]
ASCII mock (based on your screenshot)
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ SCHEDULER ▸ RUNS [Manage Schedules]│
│ Formerly: Operations ▸ Scheduler Runs │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ ⚠ Failed to load scheduler runs [Retry Connection] │
│ Impact if persists: Nightly SBOM rescans may be stale; approvals confidence reduced │
│ │
│ Filters: Status ▾ Time Range: Last 24h ▾ │
│ Metrics: Total 0 | Completed 0 | Running 0 | Failed 0 │
│ │
│ Runs table (when available): job name | status | start | end | region/env | error | link │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
4.3 Scheduler → Schedules (NEW screen)
Previously
- Formerly: button “Manage Schedules” existed, but not represented in navigation structure.
Now
- Now:
Operations → Scheduler → Schedules
Why changed
- Schedules are how you guarantee: nightly SBOM rescans, CVE sync, reachability ingest. Must be visible.
Screen graph (Mermaid)
flowchart TD
A[Scheduler Schedules] --> B[Schedule Detail]
A --> C[Runs (filtered)]
A --> D[Nightly Ops Report]
ASCII mock
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ SCHEDULER ▸ SCHEDULES [New Schedule] │
│ Formerly: Operations ▸ Scheduler (Manage Schedules button) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Nightly Critical Pipelines │
│ - SBOM Rescan (images): 02:00 daily Regions: all Envs: prod/staging SLA: <24h │
│ - CVE Sync OSV: hourly SLA: <6h │
│ - CVE Sync NVD: hourly SLA: <6h │
│ - Reachability Ingest: 02:05 daily Sources: build/image/runtime │
│ - Integration Health Check 02:20 daily │
│ Actions: [Edit] [Disable] [Run Now] [View Runs] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
4.4 Scheduler → Worker Fleet (NEW screen)
Previously
- Formerly: “Worker Fleet” button existed on Scheduler Runs.
Now
- Now:
Operations → Scheduler → Worker Fleet
Why changed
- Worker issues directly cause: reachability ingest gaps, scan gaps, sync gaps. Operators need a first hop.
Screen graph (Mermaid)
flowchart TD
A[Worker Fleet] --> B[Worker Detail]
A --> C[Scheduler Runs]
A --> D[Platform Health]
A --> E[Regions & Environments (Release Control)]
ASCII mock
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ SCHEDULER ▸ WORKER FLEET │
│ Formerly: Operations ▸ Scheduler (Worker Fleet button) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Worker Region Capabilities Last Seen Status Notes │
│ worker-us-01 us-east sbom-scan + ingest 1m OK - │
│ worker-eu-02 eu-central runtime reach ingest 3h DEGRADED runtime coverage ↓ │
│ worker-ap-01 ap-south feed mirror 2m OK - │
│ │
│ Actions: [Open Worker] [Drain] [Restart] (admin permissions required) │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
5) Orchestrator
5.1 Orchestrator Dashboard
Previously
- Formerly:
Operations → Orchestrator(“Orchestrator Dashboard”)
Now
- Now:
Operations → Orchestrator → Dashboard
Why changed
-
Preserve, but add:
- “what you can do” (access rights) stays
- link to Jobs, Backfill, DLQ, Scheduler
Screen graph (Mermaid)
flowchart TD
A[Orchestrator Dashboard] --> B[Jobs]
A --> C[Backfill]
A --> D[Dead Letter Queue]
A --> E[Scheduler Runs]
A --> F[Administration → Identity & Access (role request)]
ASCII mock (based on your screenshot)
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ ORCHESTRATOR ▸ DASHBOARD │
│ Formerly: Operations ▸ Orchestrator │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Jobs (View job status and history) [Open Jobs] │
│ │
│ Your Orchestrator Access │
│ - View Jobs: Granted │
│ - Operate: Denied │
│ - Manage Quotas: Denied │
│ - Initiate Backfill: Denied │
│ │
│ Links: [Dead Letter Queue] [Scheduler Runs] [Request Role] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
5.2 Orchestrator → Jobs (NEW explicit page)
Previously
- Formerly: hidden behind “Jobs” card.
Now
- Now:
Operations → Orchestrator → Jobs
Why changed
- Jobs are where you diagnose “why isn’t SBOM data updating” or “why is evidence bundle not generating”.
Screen graph (Mermaid)
flowchart TD
A[Orchestrator Jobs] --> B[Job Detail]
A --> C[Dead Letter Queue (filtered by job)]
A --> D[Scheduler Runs (job schedule)]
A --> E[Nightly Ops Report]
ASCII mock
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ ORCHESTRATOR ▸ JOBS │
│ Formerly: Operations ▸ Orchestrator (Jobs card) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Job Name Category Last Run Status Failures(7d) Links │
│ SBOM Rescan Images security 02:00 OK 0 [Runs] [DLQ] │
│ CVE Sync NVD security - FAIL 12 [Runs] [Int] │
│ Evidence Bundle Export evidence 03:00 OK 0 [Runs] [DLQ] │
│ Reachability Ingest Runtime security 02:15 DEGRADED 3 [Runs] [Fleet] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
5.3 Orchestrator → Backfill (NEW explicit page)
Previously
- Formerly: implied by “Initiate Backfill” permission but no UX.
Now
- Now:
Operations → Orchestrator → Backfill
Why changed
- Operators often need to backfill after restoring a feed, adding a registry integration, or enabling a region.
Screen graph (Mermaid)
flowchart TD
A[Backfill] --> B[Backfill Run Detail]
A --> C[Scheduler Runs]
A --> D[Nightly Ops Report]
ASCII mock
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ ORCHESTRATOR ▸ BACKFILL │
│ Formerly: (implicit; access permission only) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Backfill type: [SBOM] [CVE Dataset] [Reachability] [Evidence Index] │
│ Scope: Region ▾ Environment ▾ Time range ▾ │
│ [Start Backfill] (requires permission) │
│ │
│ Recent Backfills: none │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
6) Platform Health
Previously
- Formerly:
Operations → Platform Health(your screenshot shows this)
Now
- Now:
Operations → Platform Health
Why changed
-
Keep it under operations, but make it release-decision aware:
- show dependencies (feeds, integrations, signing log)
- show “what feature is impacted” if a dependency is unhealthy
Screen graph (Mermaid)
flowchart TD
A[Platform Health] --> B[Service Health Detail]
A --> C[Dependencies Detail]
A --> D[Operations Overview]
A --> E[Integrations (dependency)]
A --> F[Dashboard (impact)]
ASCII mock (based on your screenshot)
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ PLATFORM HEALTH Auto-refresh: 10s│
│ Formerly: Operations ▸ Platform Health │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ ⚠ Unable to load platform health data. Try refreshing. │
│ Impact: release gating, SBOM ingestion, evidence export may be degraded │
│ │
│ Service Health (group by state) Dependencies │
│ ┌─────────────────────────────────────────────┐ ┌───────────────────────────────────────┐ │
│ │ HEALTHY: ... DEGRADED: ... DOWN: ... │ │ Feeds: NVD down, OSV ok │ │
│ │ [View service list] │ │ SCM: ok CI: warn Registry: ok │ │
│ └─────────────────────────────────────────────┘ └───────────────────────────────────────┘ │
│ │
│ Incident Timeline (last 24h): none │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
7) Dead Letter Queue
Previously
- Formerly:
Operations → Dead Letter(your screenshot)
Now
- Now:
Operations → Dead Letter Queue
Why changed
-
Keep, but ensure DLQ clearly states:
- which pipeline failed (SBOM rescan, CVE sync, evidence export, reach ingest)
- quick actions: replay job, open job detail, open integration/feeds
Screen graph (Mermaid)
flowchart TD
A[Dead Letter Queue] --> B[DLQ Entry Detail]
A --> C[Replay (job retry)]
A --> D[Orchestrator Jobs (filtered)]
A --> E[Scheduler Runs (filtered)]
A --> F[Integrations Detail]
A --> G[Feeds & Airgap]
ASCII mock (based on your screenshot)
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ DEAD LETTER QUEUE MANAGEMENT [Export CSV] [Refresh]│
│ Formerly: Operations ▸ Dead Letter │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Error Distribution (last 7 days): No data │
│ By Tenant: No data │
│ │
│ Queue Browser │
│ Error Type ▾ Status ▾ Search (job id / entry id) ____ [Clear] │
│ │
│ No dead-letter entries match your filters │
│ (When entries exist: show Job, Pipeline, Region/Env, Error, Retryable?, Link to Integration) │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
8) Feeds & Airgap (Feed Mirrors / Airgap Bundles / Version Locks)
8.1 Feeds & Airgap entry
Previously
- Formerly:
Operations → Feeds(“Feed Mirror & AirGap Operations”)
Now
- Now:
Operations → Feeds & Airgap(same content, clearer name)
Why changed
- This is operational infrastructure for offline/airgap + mirroring. It remains under operations, but must link to Integrations + Security Data Sources for impact.
Screen graph (Mermaid)
flowchart TD
A[Feeds & Airgap] --> B[Feed Mirrors]
A --> C[Airgap Bundles]
A --> D[Version Locks]
A --> E[Integrations → Security Data Sources]
A --> F[Nightly Ops Report]
ASCII mock (based on your screenshot)
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ FEEDS & AIRGAP OPERATIONS [Refresh] │
│ Formerly: Operations ▸ Feeds (Feed Mirror & AirGap Operations) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Feed Mirrors] [Airgap Bundles] [Version Locks] │
│ Status: No sync data | Status unknown │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
8.2 Feed Mirrors tab
Formerly: same page under Operations → Feeds (tab “Feed Mirrors”).
Why changed: keep but add dependency/impact to releases.
Screen graph (Mermaid)
flowchart TD
A[Feed Mirrors] --> B[Mirror Detail]
A --> C[Security Data Sources]
A --> D[Nightly Ops Report]
ASCII mock
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ FEED MIRRORS │
│ Formerly: Operations ▸ Feeds ▸ Feed Mirrors │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Total mirrors: 0 | Synced: 0 | Stale: 0 | Errors: 0 | Total storage: 0B │
│ Search mirrors: ____ Status ▾ Feed Type ▾ [Refresh] │
│ │
│ No mirrors found matching your criteria │
│ (When configured: show NVD/OSV mirror status + last sync + staleness + errors) │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
8.3 Airgap Bundles tab
Formerly: tab existed but not emphasized. Why changed: Airgap is part of “operate in constrained networks” — must be second-class.
Screen graph (Mermaid)
flowchart TD
A[Airgap Bundles] --> B[Bundle Export Detail]
A --> C[Evidence & Audit → Export Center]
A --> D[Release Control → Bundle Catalog]
ASCII mock
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ AIRGAP BUNDLES │
│ Formerly: Operations ▸ Feeds ▸ AirGap Bundles │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Bundle Name Contents (feeds/sboms/policy) Size Created Status │
│ daily-airgap-2026-02 NVD+OSV + SBOM index + policy 2.1GB 02:30 READY │
│ ... │
│ Actions: [Download] [Verify] [Rebuild] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
8.4 Version Locks tab
Formerly: tab existed but unclear purpose. Why changed: Version locks are how you enforce determinism of datasets (feeds + SBOM tooling) for auditing.
Screen graph (Mermaid)
flowchart TD
A[Version Locks] --> B[Lock Detail]
A --> C[Evidence & Audit → Proof Chains]
A --> D[Integrations → Security Data Sources]
ASCII mock
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ VERSION LOCKS (Deterministic datasets for audit) │
│ Formerly: Operations ▸ Feeds ▸ Version Locks │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Lock Name Dataset(s) Locked Version Used By │
│ prod-release-lock OSV + internal VEX 2026.02.18.01 prod approvals │
│ audit-jan-2026 NVD snapshot 2026.01.31 auditor evidence │
│ Actions: [Create Lock] [Rotate] [Export Attestation] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
9) Quotas & Throttling
Previously
- Formerly:
Operations → Quotas(“Operator Quota Dashboard”) - Plus:
Settings → Usage & Limits(overlapping)
Now
- Now:
Operations → Quotas & Throttling= operational telemetry + throttles - Admin → Usage & Limits = configuration + entitlements (already in Pack 5)
Why changed
- Separates “observe” (ops) from “configure limits” (admin).
- Keeps existing “Operator Quota Dashboard” but clarifies scope.
Screen graph (Mermaid)
flowchart TD
A[Quotas & Throttling] --> B[Throttle Event Detail]
A --> C[Administration → Usage & Limits (configure quotas)]
A --> D[Operations Overview]
ASCII mock (based on your screenshot)
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ OPERATIONS ▸ QUOTAS & THROTTLING [Export Report] [Refresh]│
│ Formerly: Operations ▸ Quotas │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Consumption Trend (30 days) | Quota Forecast │
│ (chart) | (chart) │
│ │
│ Top Tenants by Usage: No tenant data available │
│ Recent Throttle Events: none in last 24h │
│ │
│ Config: quotas are set in Administration ▸ Usage & Limits [Open] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
10) Mapping (guarantee reorg intact; no feature loss)
To show you I’m not drifting the IA, here is the preservation mapping for Operations items:
- Feeds (old Ops) → Operations → Feeds & Airgap (same content, clarified)
- Scheduler Runs (old Ops) → Operations → Scheduler → Runs (same, plus links)
- Orchestrator (old Ops) → Operations → Orchestrator (same, plus explicit Jobs/Backfill)
- Platform Health (old Ops) → Operations → Platform Health (same, plus impact)
- Dead Letter (old Ops) → Operations → Dead Letter Queue (same, plus pipeline context)
- Quotas (old Ops) → Operations → Quotas & Throttling (telemetry) while quota configuration stays in Administration → Usage & Limits (as in Pack 5)
- Nightly Ops Report (new but required by your criteria) sits under Operations, and is linked from Dashboard + Approvals + Integrations
If you reply “continue”, Pack 7 will convert the remaining Security screens (Overview, Findings, Vulnerabilities, VEX Hub, Exceptions, SBOM Graph, SBOM Lake) into the same: ✅ Mermaid menu graph + Mermaid per-screen graph + ASCII + Formerly/Why moved, and make sure reachability (build/image/runtime) is clearly second-class everywhere it matters.