stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
822a92faeebbceea6fa005b7eddb7572a8b29b41
git.stella-ops.org/docs/modules/ui/v2-rewire/pack-21.md
master c2f13fe588 preparation for ui re-shelling
2026-02-18 23:03:07 +02:00

639 lines
52 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Ill extend the redesign for the **remaining “Settings/Admin” screens** you just shared, keeping the **main IA reorg intact**, adding **Release Control as a root menu**, and introducing the missing **Release Bundle Organizer**. Below: **Mermaid graphs per menu**, then **per-screen: (1) where it lived before, (2) why it moved/changed, (3) ASCII mock**, and each mock includes a **“Previously called”** line for transition.
---
## 1) Updated top-level navigation (keeping the main reorg intact)
```mermaid
flowchart LR
RC[Release Control] --- SR[Security & Risk]
RC --- EA[Evidence & Audit]
RC --- INT[Integrations]
RC --- OPS[Platform Ops]
RC --- ADM[Administration]
SR --- SR1[Findings & Reachability]
SR --- SR2[VEX Hub]
SR --- SR3[Exceptions]
SR --- SR4[Advisory Sources]
EA --- EA1[Evidence Packets]
EA --- EA2[Proof Chains]
EA --- EA3[Replay / Verify]
EA --- EA4[Export Center]
INT --- INT1[SCM]
INT --- INT2[CI/CD]
INT --- INT3[Registries]
INT --- INT4[Secrets]
INT --- INT5[Targets / Runtimes]
INT --- INT6[Feeds]
INT --- INT7[Notification Providers]
OPS --- OPS1[Platform Health]
OPS --- OPS2[Background Jobs]
OPS --- OPS3[Scheduler]
OPS --- OPS4[Dead Letter]
OPS --- OPS5[Quotas & Usage]
OPS --- OPS6[Feed Mirror & AirGap Ops]
OPS --- OPS7[Nightly Ops Report]
ADM --- ADM0[Admin Overview]
ADM --- ADM1[Identity & Access]
ADM --- ADM2[Tenant & Branding]
ADM --- ADM3[Notifications]
ADM --- ADM4[Usage & Limits]
ADM --- ADM5[Policy Governance]
ADM --- ADM6[Trust & Signing]
ADM --- ADM7[System]
```
---
# PACK: Administration + Release Control Setup + Integrations
---
## 2) Administration menu → screen graph
```mermaid
flowchart TB
ADM[Administration] --> A0[Admin Overview]
ADM --> A1[Identity & Access]
ADM --> A2[Tenant & Branding]
ADM --> A3[Notifications]
ADM --> A4[Usage & Limits]
ADM --> A5[Policy Governance]
ADM --> A6[Trust & Signing]
ADM --> A7[System]
A3 -.channels live in.-> INTN[Integrations > Notification Providers]
A4 -.operational drilldown.-> OPSQ[Platform Ops > Quotas & Usage]
A7 -.operational drilldown.-> OPSH[Platform Ops > Platform Health]
A7 -.jobs drilldown.-> OPSJ[Platform Ops > Background Jobs]
A5 -.gates apply to.-> RCG[Release Control > Gates & Approvals]
A6 -.evidence uses.-> EA[Evidence & Audit]
```
---
## Screen A0 — Administration Overview
**Previously:** There was no single “admin hub”; admin functions were scattered under **Settings** (and some under **Operations**).
**Now:** `Administration → Overview`
**Why:** Admin users need a **single choke-point** for identity, policy governance, trust, notifications, and tenant controls—without mixing it with runtime ops dashboards.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Region: All ▼] [Env: All ▼] [Status: OK] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Administration — Overview │
│ │ Previously called: (new) — consolidates legacy Settings pages │
│ Release Ctrl │ │
│ Security&Risk │ Quick Health │
│ Evidence │ ┌──────────────┬──────────────┬──────────────┬────────────┐ │
│ Integrations │ │ Integrations │ Policy Pack │ Quotas │ Jobs │ │
│ Platform Ops │ │ 6 ok /2 warn │ Core latest │ 65% scans │ 0 failing │ │
│ Administration│ └──────────────┴──────────────┴──────────────┴────────────┘ │
│ ▸ Overview │ │
│ Identity │ Admin Areas │
│ Tenant │ ┌─────────────────────┐ ┌─────────────────────┐ │
│ Notifications│ │ Identity & Access │ │ Policy Governance │ │
│ Usage&Limits │ │ (Users/Roles/Keys) │ │ (Baselines/Rules) │ │
│ Policy Gov │ │ Formerly: Settings │ │ Formerly: Settings │ │
│ Trust&Sign │ └─────────────────────┘ └─────────────────────┘ │
│ System │ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ │ Notifications │ │ Trust & Signing │ │
│ │ │ Formerly: Settings │ │ Formerly: Settings │ │
│ │ └─────────────────────┘ └─────────────────────┘ │
│ │ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ │ Tenant & Branding │ │ Usage & Limits │ │
│ │ │ Formerly: Settings │ │ Formerly: Settings │ │
│ │ └─────────────────────┘ └─────────────────────┘ │
│ │ ┌────────────────────────────────────────────────────────┐ │
│ │ │ System (Admin) — diagnostics & admin tools │ │
│ │ │ Formerly: Settings > System │ │
│ │ └────────────────────────────────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A1 — Identity & Access
**Previously:** `Settings → Identity & Access`
**Now:** `Administration → Identity & Access`
**Why:** This is **pure admin** (RBAC, OAuth, API keys, tenants). It shouldnt compete with release/security workflows.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Admin] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Identity & Access │
│ Administration│ Previously called: Settings > Identity & Access │
│ Overview │ │
│ ▸ Identity │ Tabs: [Users] [Roles] [OAuth/SSO Clients] [API Tokens] [Tenants] │
│ Tenant │ │
│ Notifications│ [ + Add User ] [Invite] [Import] [Audit Log→] │
│ Usage&Limits │ │
│ Policy Gov │ Users │
│ Trust&Sign │ ┌──────────────────────────────────────────────────────────┐ │
│ System │ │ Name Email Role Status Actions │ │
│ │ │ -------- ----------------- -------- ------- -------- │ │
│ │ │ ... │
│ │ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ │ Notes: API Tokens are used by Agents/CI integrations; link to │
│ │ Integrations → CI/CD for token scope testing. │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A2 — Tenant & Branding
**Previously:** `Settings → Tenant / Branding`
**Now:** `Administration → Tenant & Branding`
**Why:** Tenant configuration is **identity-adjacent** (domains, default policy pack, org metadata). Keeping it in Admin prevents accidental mixing with operational tooling.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Tenant & Branding │
│ Administration│ Previously called: Settings > Tenant / Branding │
│ Overview │ │
│ Identity │ Tenants │
│ ▸ Tenant │ ┌──────────────────────────────────────────────────────────┐ │
│ Notifications│ │ Tenant Domain(s) Default Policy Status │ │
│ Usage&Limits │ │ Core core.example.com Core Pack Active │ │
│ Policy Gov │ │ … │ │
│ Trust&Sign │ └──────────────────────────────────────────────────────────┘ │
│ System │ │
│ │ Branding (selected tenant) │
│ │ ┌──────────────────────────────────────────────────────────┐ │
│ │ │ Logo [Upload] App Name [Stella Ops] Support URL […] │ │
│ │ │ Theme: Light/Dark Legal Footer Privacy/License links │ │
│ │ └──────────────────────────────────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A3 — Notifications
**Previously:** `Settings → Notifications`
**Now:** `Administration → Notifications`
**Why:** Notification *policy* (who gets notified, on what events) is governance/admin. The channel connectivity lives in Integrations, but rules/templates remain here.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Notifications │
│ Administration│ Previously called: Settings > Notifications │
│ Overview │ │
│ Identity │ Rules Channels (connectivity) │
│ Tenant │ ┌──────────────────────────┐ ┌───────────────────────────┐ │
│ ▸ Notifications││ + Add Rule │ │ Email ✅ Active │ │
│ Usage&Limits ││ - “Critical reachable…” │ │ Slack ✅ Active │ │
│ Policy Gov ││ - “Bundle blocked…” │ │ Webhook ⚠ Not configured │ │
│ Trust&Sign │└──────────────────────────┘ │ [Manage in Integrations →] │ │
│ System │ └───────────────────────────┘ │
│ │ Templates Delivery / Activity Log │
│ │ ┌──────────────────────────┐ ┌─────────────────────────┐ │
│ │ │ Default templates │ │ View log Export │ │
│ │ │ [Edit Templates] │ │ Filter: last 7d ▼ │ │
│ │ └──────────────────────────┘ └─────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A4 — Usage & Limits
**Previously:** `Settings → Usage & Limits`
**Now:** `Administration → Usage & Limits` (admin-facing)
**Why:** This becomes the **policy/contract view** (limits, entitlements, throttle settings). Operational drilldown (queues, retries, per-job usage) stays in Platform Ops.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Month: Feb 2026 ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Usage & Limits │
│ Administration│ Previously called: Settings > Usage & Limits │
│ Overview │ │
│ Identity │ Usage snapshot │
│ Tenant │ ┌──────────────┬──────────────┬──────────────┬────────────┐ │
│ Notifications│ │ Scans 6500/ │ Storage 42/ │ Evidence 2800│ API 15k/ │ │
│ ▸ Usage&Limits│ │ 10k │ 100 GB │ /10k │ 100k │ │
│ Policy Gov │ └──────────────┴──────────────┴──────────────┴────────────┘ │
│ Trust&Sign │ │
│ System │ Limits & throttles (tenant) │
│ │ ┌──────────────────────────────────────────────────────────┐ │
│ │ │ Configure Quotas | Burst rules | Per-integration caps │ │
│ │ │ [Open Platform Ops → Quotas & Usage] (drilldown dashboard) │ │
│ │ └──────────────────────────────────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A5 — Policy Governance
**Previously:** `Settings → Policy Governance`
**Now:** `Administration → Policy Governance` (with strong cross-links to Release Control gates)
**Why:** Policies are **organizational governance**. The effect is felt in Release Control (gates), Security (exceptions), Evidence (decision capsule), but the configuration belongs in Admin.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Policy Pack: Core (latest) ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Policy Governance │
│ Administration│ Previously called: Settings > Policy Governance │
│ Overview │ │
│ Identity │ Policy Baselines (per env/region) Governance Rules │
│ Tenant │ ┌───────────────────────────────┐ ┌─────────────────────┐│
│ Notifications│ │ + Create Baseline │ │ Edit Rules ││
│ Usage&Limits │ │ Baselines: Dev/Stage/Prod │ │ Gate: Reachable crit ││
│ ▸ Policy Gov │ └───────────────────────────────┘ └─────────────────────┘│
│ Trust&Sign │ │
│ System │ Simulation Exception Workflow │
│ │ ┌───────────────────────────────┐ ┌──────────────────────┐│
│ │ │ Run Simulation (what-if) │ │ Configure approvals ││
│ │ │ Inputs: bundle/digest/env │ │ Links to Exceptions ││
│ │ └───────────────────────────────┘ └──────────────────────┘│
│ │ │
│ │ Shortcuts: [Go to Release Control → Gates] [Go to Security → Exceptions] │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A6 — Trust & Signing
**Previously:** `Settings → Trust & Signing`
**Now:** `Administration → Trust & Signing` (but “used by” Evidence & Audit)
**Why:** Key material, issuers, certs, and transparency log integration are **security administration** concerns. Evidence consumes these; it shouldnt configure them.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Trust & Signing │
│ Administration│ Previously called: Settings > Trust & Signing │
│ Overview │ │
│ Identity │ Signing Keys Issuers Certificates │
│ Tenant │ ┌──────────────┐ ┌─────────────┐ ┌────────────────────────┐ │
│ Notifications│ │ Manage Keys │ │ Manage │ │ Manage Certs │ │
│ Usage&Limits │ └──────────────┘ └─────────────┘ └────────────────────────┘ │
│ Policy Gov │ │
│ ▸ Trust&Sign │ Transparency Log Trust Scoring Audit Log │
│ System │ ┌─────────────────────┐ ┌─────────────────┐ ┌─────────────┐ │
│ │ │ Configure Rekor │ │ Edit Score cfg │ │ View log │ │
│ │ └─────────────────────┘ └─────────────────┘ └─────────────┘ │
│ │ │
│ │ Used by: Evidence Packets, Proof Chains, Decision Capsules │
│ │ [Open Evidence & Audit → Proof Chains] │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen A7 — System (Admin)
**Previously:** `Settings → System`
**Now:** `Administration → System` (admin-only controls) + links into Platform Ops for the operational views
**Why:** This page becomes the **administrative console** (diagnostics, SLO config, admin job controls). Routine monitoring lives in Platform Ops.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] [Admin-only tools] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ System │
│ Administration│ Previously called: Settings > System │
│ Overview │ │
│ Identity │ Health Check Doctor / Diagnostics │
│ Tenant │ ┌─────────────────────────┐ ┌─────────────────────────────┐│
│ Notifications│ │ All systems operational │ │ Run Doctor Export report ││
│ Usage&Limits │ │ [View in Platform Ops →] │ │ Last run: … ││
│ Policy Gov │ └─────────────────────────┘ └─────────────────────────────┘│
│ Trust&Sign │ │
│ ▸ System │ SLO Monitoring Background Jobs (admin controls) │
│ │ ┌─────────────────────────┐ ┌─────────────────────────────┐│
│ │ │ View SLOs / edit targets│ │ View jobs (Platform Ops →) ││
│ │ └─────────────────────────┘ │ Nightly Ops Report (→) ││
│ │ └─────────────────────────────┘│
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
# Release Control becomes a ROOT menu (and absorbs “Settings → Release Control”)
## 3) Release Control setup menu → screen graph
```mermaid
flowchart TB
RC[Release Control] --> RCH[Control Plane]
RC --> RCL[Releases Ledger]
RC --> RCB[Release Bundles]
RC --> RCG[Gates & Approvals]
RC --> RCD[Deployments]
RC --> RCE[Regions & Environments]
RC --> RCP[Promotion Graph]
RC --> RCS[Setup]
RCS --> S1[Environments & Promotion Paths]
RCS --> S2[Targets & Agents]
RCS --> S3[Workflows]
RCS --> S4[Bundle Templates]
RCB --> BO[Release Bundle Organizer]
```
---
## Screen RC-S0 — Release Control → Setup (hub)
**Previously:** `Settings → Release Control` (hub with Environments/Targets/Agents/Workflows)
**Now:** `Release Control → Setup`
**Why:** This configuration directly governs how promotions, deployments, and gates work. Its operationally part of release control, not general settings.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Region: All ▼] [Env: All ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Release Control — Setup │
│ Release Ctrl │ Previously called: Settings > Release Control │
│ ControlPlane │ │
│ Releases │ Setup areas │
│ Bundles │ ┌───────────────────────┐ ┌───────────────────────┐ │
│ Gates │ │ Environments & Paths │ │ Targets & Agents │ │
│ Deployments │ │ (Dev→Stage→Prod) │ │ (where/how deploy) │ │
│ Regions&Env │ │ Formerly: Environments│ │ Formerly: Targets/Agents│ │
│ Promotion │ └───────────────────────┘ └───────────────────────┘ │
│ ▸ Setup │ ┌───────────────────────┐ ┌───────────────────────────────┐ │
│ │ │ Workflows │ │ Bundle Templates │ │
│ │ │ Formerly: Workflows │ │ (for bundle organizer) │ │
│ │ └───────────────────────┘ └───────────────────────────────┘ │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen RC-S1 — Environments & Promotion Paths
**Previously:** `Settings → Release Control → Environments`
**Now:** `Release Control → Setup → Environments & Promotion Paths` (and linked from `Regions & Environments`)
**Why:** This is the **promotion graph definition** (pipelines, stages, gates). It must be adjacent to release visibility.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Setup / Environments & Paths │
│ Previously called: Settings > Release Control > Environments │
├──────────────────────────────────────────────────────────────────────────────┤
│ [ + Add Environment ] [ + Add Region ] [Edit Promotion Graph] [Policy Baseline→] │
│ │
│ Regions (left) Promotion Paths (right) │
│ ┌───────────────────────┐ ┌───────────────────────────────────────────┐ │
│ │ US-East │ │ Dev → Stage → Prod │ │
│ │ EU-Sovereign │ │ Gates: SBOM OK | Reachability | Approvals │ │
│ │ AirGap-01 │ │ Exceptions: allowed via workflow │ │
│ └───────────────────────┘ └───────────────────────────────────────────┘ │
│ │
│ Environment details │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Env: Stage (EU-Sovereign) Targets: 3 Agents: 2 Workflow: Blue/Green │ │
│ │ Baseline: Core Policy Pack Notifications: Stage-Release channel │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
```
---
## Screen RC-S2 — Targets & Agents
**Previously:** `Settings → Release Control → Targets` and `Agents`
**Now:** `Release Control → Setup → Targets & Agents`
**Why:** These define *how* releases reach runtime. They are release-control primitives, while the *connectors* (SSH, Nomad, ECS, etc.) are Integrations.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Setup / Targets & Agents │
│ Previously called: Settings > Release Control > Targets + Agents │
├──────────────────────────────────────────────────────────────────────────────┤
│ Targets Agents │
│ [ + Add Target ] [ + Register Agent ] │
│ ┌───────────────────────────────────────────────┐ ┌──────────────────────┐ │
│ │ Name Type Region Status │ │ Agent Region Status │ │
│ │ swarm-01 DockerSwarm EU ✅ Healthy │ │ ag-12 EU ✅ │ │
│ │ ecs-prod AWS ECS US ⚠ Degraded │ │ ag-09 US ⚠ │ │
│ └───────────────────────────────────────────────┘ └──────────────────────┘ │
│ │
│ Mapping │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Env: Stage → Targets: swarm-01, nomad-02 → Agents: ag-12 │ │
│ │ Env: Prod → Targets: ecs-prod → Agents: ag-09 │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Notes: Connectivity lives in Integrations > Targets/Runtimes (SSH/VPN creds). │
└──────────────────────────────────────────────────────────────────────────────┘
```
---
## Screen RC-S3 — Workflows
**Previously:** `Settings → Release Control → Workflows`
**Now:** `Release Control → Setup → Workflows`
**Why:** Workflows are the executable “release doctrine” (blue/green, canary, rollback). They must live next to promotions and approvals.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Setup / Workflows │
│ Previously called: Settings > Release Control > Workflows │
├──────────────────────────────────────────────────────────────────────────────┤
│ [ + New Workflow ] [Import] [Validate] │
│ │
│ Workflow Templates │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Blue/Green — steps: preflight → deploy → smoke → promote → attest │ │
│ │ Canary — steps: 5% → 25% → 50% → 100% with gates at each stage │ │
│ │ Rollback — steps: select prior digest/bundle → deploy → verify → lock │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Default mapping │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Dev: Canary Stage: Blue/Green Prod: Blue/Green (strict gates) │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
```
---
# Missing crucial capability added: Release Bundle Organizer
## Screen RC-B0 — Release Bundles (Organizer)
**Previously:** This capability was **missing / implicit** (digest-first releases existed, but no first-class bundling and config snapshot composition).
**Now:** `Release Control → Bundles → Bundle Organizer`
**Why:** You need a **bundle abstraction**: “microservice digests + env-derived variables (Vault/Consul) + changelog per repository” becoming an immutable versioned unit that can be gated, approved, exported (air-gap), and promoted.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Release Control / Bundles / Bundle Organizer │
│ Previously called: (new) — fills gap between Release Digest and Multi-svc ship│
├──────────────────────────────────────────────────────────────────────────────┤
│ Bundle: [Repo Group: payments-platform ▼] Version: [v1.8.0 ▼] Status: Draft│
│ [Create Bundle] [Save Draft] [Compute Bundle Digest] [Run Gates] [Request Approval]│
│ │
│ Included Services (digest-first → bundle version) │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Service Image Digest Service Ver SBOM Reachability Gate │ │
│ │ payments-api sha256:… 1.8.0 ✅ OK ✅ runtime ✅ │ │
│ │ billing-worker sha256:… 2.3.1 ⚠ crit ⚠ image-only ❌ │ │
│ │ ui-gateway sha256:… 0.19.4 ✅ OK ✅ build+run ✅ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Variables Snapshot (derived per env) │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Environment: Stage (EU) │ │
│ │ Vault: /kv/stage/payments/* Snapshot: vaultsnap-91a2 Diff: masked │ │
│ │ Consul: /config/stage/payments/* Snapshot: consulsnap-33f1 Diff: masked │ │
│ │ [View resolved manifest] [Export env overlay] │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Changelog (per repository) │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ payments-api: PR#1823 Fix tax rounding | PR#1831 Upgrade openssl │ │
│ │ billing-worker: PR#944 Retry logic | PR#951 Patch CVE-… │ │
│ │ [Pull from SCM Integration] [Edit release notes] │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Evidence hooks │
│ - Generates: Bundle Manifest, Evidence Packet, Decision Capsule, Export Kit │
│ - Links: Security Findings, Exceptions, Approvals, Proof Chains │
└──────────────────────────────────────────────────────────────────────────────┘
```
**Implementation note (UI semantics):**
* “Bundle Version” is a **human-friendly label**; the authoritative identity remains **content-addressed** (bundle digest) + evidence.
* Vault/Consul snapshots are explicit objects, so auditors can see “what config was used” without exposing secrets (masked diffs).
---
# Integrations is still essential, but kept clean: connectivity & sync health live here
## 4) Integrations menu → screen graph
```mermaid
flowchart TB
INT[Integrations] --> I0[Overview]
INT --> I1[SCM]
INT --> I2[CI/CD]
INT --> I3[Registries]
INT --> I4[Secrets]
INT --> I5[Targets / Runtimes]
INT --> I6[Feeds]
INT --> I7[Notification Providers]
I0 --> ID[Integration Detail]
I6 -.advisory freshness drives.-> SR4[Security & Risk > Advisory Sources]
I6 -.offline mirroring handled by.-> OPS6[Platform Ops > Feed Mirror & AirGap Ops]
I4 -.config snapshots used by.-> RCB[Release Bundles]
I1 -.changelog used by.-> RCB
I3 -.digests & image sbom used by.-> RC[Release Control]
```
---
## Screen I0 — Integrations Overview
**Previously:** `Settings → Integrations`
**Now:** `Integrations → Overview` (root menu)
**Why:** Integrations are cross-cutting. This page becomes the **single source of truth for connectivity + data freshness**, with clear escalation links (Nightly Ops Report, Feed Mirror, DLQ).
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Top bar: [Search…] [Tenant: Core ▼] │
├───────────────┬──────────────────────────────────────────────────────────────┤
│ NAV │ Integrations │
│ Integrations │ Previously called: Settings > Integrations │
│ ▸ Overview │ │
│ SCM │ Status summary │
│ CI/CD │ ┌───────────────┬───────────────┬───────────────┐ │
│ Registries │ │ Connected: 6 │ Degraded: 1 │ Disconnected:1│ │
│ Secrets │ └───────────────┴───────────────┴───────────────┘ │
│ Targets │ │
│ Feeds │ Filters: [All] [SCM] [CI/CD] [Registries] [Secrets] [Feeds] │
│ Notify Prov │ │
│ │ Cards │
│ │ ┌──────────────────────────────────────────────────────────┐ │
│ │ │ GitHub Enterprise ✅ last sync 5m scope: 42 repos │ │
│ │ │ Jenkins ⚠ degraded last sync 1h errors: 3 │ │
│ │ │ NVD Feed ❌ disconnected last ok: 2d (blocks rescans) │ │
│ │ │ Vault ✅ last sync 10m paths: 18 │ │
│ │ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ │ Escalation: [Nightly Ops Report →] [Platform Ops → DLQ] │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
---
## Screen ID — Integration Detail (template)
**Previously:** Youd click an integration card; details were inconsistent.
**Now:** Every integration has a standardized detail page.
**Why:** You need uniform answers to: **Is it connected? What data is stale? What is blocked downstream?**
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Integrations / Detail: NVD Feed │
│ Previously called: Settings > Integrations (card detail) │
├──────────────────────────────────────────────────────────────────────────────┤
│ Status: ❌ Disconnected Last healthy sync: 2d ago Owner: SecOps │
│ [Test Connection] [Reconnect] [View Errors] [Open DLQ] [Open Nightly Report] │
│ │
│ Sync Health │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Schedule: hourly Last attempt: 1h ago Result: timeout │ │
│ │ Freshness SLA: 6h Current freshness: 2d (breach) │ │
│ │ Downstream impact: CVE re-scan blocked; policy “re-evaluate on update” stale│ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Configuration (readable, safe) │
│ - Endpoint: … │
│ - Auth: (masked) │
│ - Proxy: … │
└──────────────────────────────────────────────────────────────────────────────┘
```
---
## What happened to “Settings → Security Data”?
This legacy menu item typically mixed **two different concerns**:
1. **Connectivity & syncing** of advisory sources (NVD/OSV/etc.)
2. **Security decisioning** (how sources are interpreted in policy gates)
**Redesign mapping (explicit):**
* **Connectivity + freshness** → `Integrations → Feeds` (and offline mirroring in `Platform Ops → Feed Mirror & AirGap Ops`)
* **How advisories affect risk/gates** → `Security & Risk → Advisory Sources`
(If you want, Ill produce the **Advisory Sources** ASCII in the next Security pack so it stays consistent with your “second class screens” requirement.)
---
## Quick confirmation against the constraints you gave
* **Main reorganization preserved** (same root modules, Release Control is root, Admin is last/root).
* **Every screen includes “Previously called …”** in the mock header.
* **Release bundle organizer added** with Vault/Consul variables + per-repo changelog.
If you want the next message to continue, Ill do the **Security Data / Advisory Sources** redesign as a focused pack (since it straddles Security & Risk + Integrations + Ops), and include Mermaid + ASCII the same way.
Reference in New Issue View Git Blame Copy Permalink