git.stella-ops.org/src/Web/StellaOps.Web/tests/e2e/evidence-capsules-cutover.spec.ts
import { expect, test, type Page, type Route } from '@playwright/test';
import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
/**
 * Stub operator identity that the harness seeds into the page before the app boots.
 * The scope list is deliberately broad (it includes `admin` and `ui.admin`), so specs built
 * on this session do not exercise scope-based denial paths.
 */
const operatorSession: StubAuthSession = {
  subjectId: 'evidence-capsules-e2e-user',
  tenant: 'tenant-default',
  // Admin/UI access plus read scopes for the release, policy and signer surfaces.
  scopes: ['admin', 'ui.read', 'ui.admin', 'release:read', 'policy:read', 'policy:audit', 'signer:read'],
};
/**
 * Runtime configuration document the harness serves for both `envsettings.json` and
 * `config.json`. Every service base URL is origin-relative, so the app's calls stay on the
 * test origin where the route mocks can intercept them.
 */
const mockConfig = {
  // OIDC client settings; the redirect URIs point at the loopback test origin.
  authority: {
    issuer: '/authority',
    clientId: 'stella-ops-ui',
    authorizeEndpoint: '/authority/connect/authorize',
    tokenEndpoint: '/authority/connect/token',
    logoutEndpoint: '/authority/connect/logout',
    redirectUri: 'https://127.0.0.1:4400/auth/callback',
    postLogoutRedirectUri: 'https://127.0.0.1:4400/',
    scope: 'openid profile email ui.read',
    audience: '/gateway',
    dpopAlgorithms: ['ES256'],
    refreshLeewaySeconds: 60,
  },
  // One relative prefix per backend service.
  apiBaseUrls: {
    authority: '/authority',
    scanner: '/scanner',
    policy: '/policy',
    concelier: '/concelier',
    attestor: '/attestor',
    gateway: '/gateway',
  },
  quickstartMode: true,
  setup: 'complete',
};
/**
 * Mock AI run returned for `run-ai-001`. Its only timeline event records the creation of
 * evidence pack `cap-ai-001`, which is the pack id the first spec clicks through to.
 */
const aiRun = {
  runId: 'run-ai-001',
  tenantId: operatorSession.tenant,
  userId: 'operator@example.com',
  conversationId: 'conv-001',
  status: 'complete',
  createdAt: '2026-03-08T10:00:00Z',
  updatedAt: '2026-03-08T10:05:00Z',
  completedAt: '2026-03-08T10:05:00Z',
  timeline: [
    {
      eventId: 'event-001',
      type: 'evidence_pack_created',
      timestamp: '2026-03-08T10:02:00Z',
      // `contentDigest` is a fixture label, not a real SHA-256 value.
      content: {
        kind: 'evidence_pack',
        packId: 'cap-ai-001',
        claimCount: 3,
        evidenceCount: 5,
        contentDigest: 'sha256:cap-ai-001',
      },
    },
  ],
  artifacts: [],
};
/**
 * Mock evidence pack (decision capsule) `cap-ai-001`, produced by the AI run fixture.
 * It holds one AI-sourced `not_affected` claim backed by a single attestation record.
 */
const aiCapsule = {
  packId: 'cap-ai-001',
  version: '1.0.0',
  createdAt: '2026-03-08T10:02:30Z',
  tenantId: operatorSession.tenant,
  subject: {
    type: 'Cve',
    cveId: 'CVE-2026-2222',
    component: 'pkg:npm/example@1.2.3',
  },
  claims: [
    {
      claimId: 'claim-ai-001',
      text: 'The vulnerability is not exploitable in this conversation scope.',
      type: 'VulnerabilityStatus',
      status: 'not_affected',
      confidence: 0.91,
      evidenceIds: ['ev-ai-001'],
      source: 'ai',
    },
  ],
  evidence: [
    {
      evidenceId: 'ev-ai-001',
      type: 'Attestation',
      uri: 'stella://attestor/cap-ai-001',
      // Fixture label rather than a real digest; nothing in this file verifies it.
      digest: 'sha256:ev-ai-001',
      collectedAt: '2026-03-08T10:02:10Z',
      snapshot: {
        type: 'attestation',
        data: { signed: true },
      },
    },
  ],
  // Links the capsule back to the run and conversation that generated it.
  context: {
    runId: 'run-ai-001',
    conversationId: 'conv-001',
    generatedBy: 'AdvisoryAI v2.1',
  },
};
/**
 * Mock evidence pack (decision capsule) `cap-rel-001` for the release flow.
 * It holds one system-sourced compliance claim backed by a policy evidence record, and its
 * context points at release run `run-rel-001`.
 */
const releaseCapsule = {
  packId: 'cap-rel-001',
  version: '1.0.0',
  createdAt: '2026-03-08T10:03:00Z',
  tenantId: operatorSession.tenant,
  subject: {
    type: 'Finding',
    findingId: 'finding-rel-001',
    cveId: 'CVE-2026-1111',
    component: 'pkg:oci/payments@4.2.0',
  },
  claims: [
    {
      claimId: 'claim-rel-001',
      text: 'Release evidence is fully signed and replay matched.',
      type: 'Compliance',
      status: 'verified',
      confidence: 0.98,
      evidenceIds: ['ev-rel-001'],
      source: 'system',
    },
  ],
  evidence: [
    {
      evidenceId: 'ev-rel-001',
      type: 'Policy',
      uri: 'stella://policy/run-rel-001',
      // Fixture label rather than a real digest; nothing in this file verifies it.
      digest: 'sha256:ev-rel-001',
      collectedAt: '2026-03-08T10:02:45Z',
      snapshot: {
        type: 'policy',
        data: { verdict: 'pass' },
      },
    },
  ],
  // The run id here is what the second spec clicks to open the release workspace.
  context: {
    runId: 'run-rel-001',
    generatedBy: 'Release Orchestrator',
  },
};
/**
 * Mock detail payload for release run `run-rel-001`: an in-progress production rollout of
 * the "Payments API" release with its gate already passed and no approval required.
 */
const releaseRunDetail = {
  runId: 'run-rel-001',
  releaseId: 'rel-001',
  releaseName: 'Payments API',
  releaseSlug: 'payments-api',
  releaseType: 'standard',
  releaseVersionId: 'ver-001',
  releaseVersionNumber: 42,
  // Fixture label, not a real SHA-256 value.
  releaseVersionDigest: 'sha256:release-001',
  lane: 'standard',
  status: 'running',
  outcome: 'in_progress',
  targetEnvironment: 'prod',
  targetRegion: 'eu-west',
  scopeSummary: 'stage -> prod',
  requestedAt: '2026-03-08T09:58:00Z',
  updatedAt: '2026-03-08T10:04:00Z',
  needsApproval: false,
  blockedByDataIntegrity: false,
  correlationKey: 'corr-rel-001',
  statusRow: {
    runStatus: 'running',
    gateStatus: 'passed',
    approvalStatus: 'not-required',
    dataTrustStatus: 'healthy',
  },
};

/** Mock evidence summary for the same run: replay matched and signatures verified. */
const releaseRunEvidence = {
  runId: 'run-rel-001',
  replayDeterminismVerdict: 'match',
  replayMismatch: false,
  signatureStatus: 'verified',
};
/**
 * Mock timeline for release run `run-rel-001`, listed in chronological order:
 * ingest/scan, policy gate, evidence verification, then the running deployment.
 */
const releaseRunTimeline = {
  runId: 'run-rel-001',
  events: [
    {
      eventId: 'timeline-001',
      eventClass: 'scan_completed',
      phase: 'ingest',
      status: 'completed',
      occurredAt: '2026-03-08T09:59:00Z',
      message: 'Ingest and scan completed for Payments API release.',
    },
    {
      eventId: 'timeline-002',
      eventClass: 'gate_passed',
      phase: 'gate',
      status: 'passed',
      occurredAt: '2026-03-08T10:00:30Z',
      message: 'Policy gate passed without blockers.',
    },
    {
      eventId: 'timeline-003',
      eventClass: 'evidence_verified',
      phase: 'evidence',
      status: 'completed',
      occurredAt: '2026-03-08T10:02:45Z',
      message: 'Evidence bundle signatures verified.',
    },
    {
      eventId: 'timeline-004',
      eventClass: 'deployment_running',
      phase: 'deployment',
      status: 'running',
      occurredAt: '2026-03-08T10:04:00Z',
      message: 'Production deployment is in progress.',
    },
  ],
};
/** Mock gate decision for `run-rel-001`: passed, with no blockers and no risk-budget change. */
const releaseRunGateDecision = {
  runId: 'run-rel-001',
  verdict: 'passed',
  blockers: [],
  riskBudgetDelta: 0,
};

/** Mock approvals payload; the checkpoint list is empty. */
const releaseRunApprovals = {
  runId: 'run-rel-001',
  checkpoints: [],
};

/** Mock deployment targets: a single production target in `eu-west`, still running. */
const releaseRunDeployments = {
  runId: 'run-rel-001',
  targets: [
    {
      targetId: 'target-001',
      targetName: 'payments-prod-eu-west',
      environment: 'prod',
      region: 'eu-west',
      status: 'running',
    },
  ],
};

/** Mock security-input summary shown alongside the run. */
const releaseRunSecurityInputs = {
  runId: 'run-rel-001',
  reachabilityCoveragePercent: 97,
  feedFreshnessStatus: 'fresh',
  vexStatementsApplied: 2,
  exceptionsApplied: 0,
};

/** Mock replay result; `match` agrees with the evidence fixture's determinism verdict. */
const releaseRunReplay = {
  runId: 'run-rel-001',
  verdict: 'match',
};

/** Mock audit trail holding one `evidence_verified` entry for the run. */
const releaseRunAudit = {
  runId: 'run-rel-001',
  entries: [
    {
      auditId: 'audit-001',
      action: 'evidence_verified',
      actorId: 'release-orchestrator',
      occurredAt: '2026-03-08T10:02:45Z',
      correlationKey: 'corr-rel-001',
    },
  ],
};
/**
 * Answers an intercepted request with `body` serialised as JSON.
 *
 * @param route - The intercepted Playwright route to fulfil.
 * @param body - Value passed through `JSON.stringify` to form the response body.
 * @param status - HTTP status code for the response; 200 when omitted.
 */
async function fulfillJson(route: Route, body: unknown, status = 200): Promise<void> {
  const payload = JSON.stringify(body);
  await route.fulfill({ status, contentType: 'application/json', body: payload });
}
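/**
 * Installs the stub session and every network mock the capsule cut-over specs rely on.
 *
 * What this harness does NOT cover: the discovery document is served with an empty JWKS and
 * token introspection always answers `active: true` with the full scope list, so no token
 * signature or scope check is exercised. Treat these specs as routing/navigation coverage.
 *
 * Playwright runs matching route handlers in the reverse of their registration order, so a
 * broad pattern registered late shadows a narrower one registered earlier. The ordering and
 * the `route.fallback()` call below exist to keep the narrow mocks reachable.
 *
 * @param page - The Playwright page to instrument before navigation.
 */
async function setupHarness(page: Page): Promise<void> {
  // Seed the stub session before any application script runs.
  // NOTE(review): presumably the app honours `__stellaopsTestSession` only in test builds —
  // confirm the hook is not read by production bundles.
  await page.addInitScript((session) => {
    (window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
  }, operatorSession);

  // Bootstrap documents: runtime config, translations, OIDC discovery and (empty) JWKS.
  await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
  await page.route('**/platform/i18n/*.json', (route) => fulfillJson(route, {}));
  await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
  await page.route('**/.well-known/openid-configuration', (route) =>
    fulfillJson(route, {
      issuer: 'https://127.0.0.1:4400/authority',
      authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
      token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
      jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
      response_types_supported: ['code'],
      subject_types_supported: ['public'],
      id_token_signing_alg_values_supported: ['RS256'],
    }),
  );
  await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));

  // Console endpoints describing the signed-in operator.
  await page.route('**/console/branding**', (route) =>
    fulfillJson(route, {
      tenantId: operatorSession.tenant,
      appName: 'Stella Ops',
      logoUrl: null,
      cssVariables: {},
    }),
  );
  await page.route('**/console/profile**', (route) =>
    fulfillJson(route, {
      subjectId: operatorSession.subjectId,
      username: 'evidence-capsules-e2e',
      displayName: 'Evidence Capsules E2E',
      tenant: operatorSession.tenant,
      roles: ['operator'],
      scopes: operatorSession.scopes,
    }),
  );
  await page.route('**/console/token/introspect**', (route) =>
    fulfillJson(route, {
      active: true,
      tenant: operatorSession.tenant,
      subject: operatorSession.subjectId,
      scopes: operatorSession.scopes,
    }),
  );

  // `**/console/tenants**` also matches `/authority/console/tenants`, so it is registered
  // first; the authority-specific mock registered after it then takes precedence for that URL
  // instead of being shadowed.
  await page.route('**/console/tenants**', (route) =>
    fulfillJson(route, {
      tenants: [
        {
          id: operatorSession.tenant,
          displayName: 'Default Tenant',
          status: 'active',
          isolationMode: 'shared',
          defaultRoles: ['admin'],
        },
      ],
    }),
  );
  await page.route('**/authority/console/tenants**', (route) =>
    fulfillJson(route, {
      tenants: [
        {
          tenantId: operatorSession.tenant,
          displayName: 'Default Tenant',
          isDefault: true,
          isActive: true,
        },
      ],
    }),
  );

  // Global context selectors (region / environment / saved preferences).
  const contextMockPaths = [
    '/api/v2/context/regions',
    '/api/v2/context/environments',
    '/api/v2/context/preferences',
  ];
  await page.route('**/api/v2/context/regions**', (route) =>
    fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }]),
  );
  await page.route('**/api/v2/context/environments**', (route) =>
    fulfillJson(route, [
      {
        environmentId: 'prod',
        regionId: 'eu-west',
        environmentType: 'prod',
        displayName: 'Production',
        sortOrder: 1,
        enabled: true,
      },
    ]),
  );
  await page.route('**/api/v2/context/preferences**', (route) =>
    fulfillJson(route, {
      tenantId: operatorSession.tenant,
      actorId: operatorSession.subjectId,
      regions: ['eu-west'],
      environments: ['prod'],
      timeWindow: '24h',
      stage: 'all',
      updatedAt: '2026-03-08T09:30:00Z',
      updatedBy: operatorSession.subjectId,
    }),
  );

  // AI run and capsule payloads addressed without a service prefix.
  await page.route('**/v1/runs/run-ai-001**', (route) => fulfillJson(route, aiRun));
  await page.route('**/v1/evidence-packs/cap-ai-001**', (route) => fulfillJson(route, aiCapsule));
  await page.route('**/v1/evidence-packs/cap-rel-001**', (route) => fulfillJson(route, releaseCapsule));

  // Release-run sub-resources, matched by substring in list order. The bare run path is a
  // prefix of every other entry, so it must stay last.
  const releaseRunPath = '/api/v2/releases/runs/run-rel-001';
  const releaseRunMocks: ReadonlyArray<readonly [string, unknown]> = [
    [`${releaseRunPath}/timeline`, releaseRunTimeline],
    [`${releaseRunPath}/gate-decision`, releaseRunGateDecision],
    [`${releaseRunPath}/approvals`, releaseRunApprovals],
    [`${releaseRunPath}/deployments`, releaseRunDeployments],
    [`${releaseRunPath}/security-inputs`, releaseRunSecurityInputs],
    [`${releaseRunPath}/evidence`, releaseRunEvidence],
    [`${releaseRunPath}/replay`, releaseRunReplay],
    [`${releaseRunPath}/audit`, releaseRunAudit],
    [releaseRunPath, releaseRunDetail],
  ];
  await page.route('**/api/**', async (route) => {
    const requestUrl = route.request().url();
    // This catch-all is registered after the context mocks and therefore runs before them;
    // hand those requests on so they receive the dedicated payloads rather than `{}`.
    if (contextMockPaths.some((path) => requestUrl.includes(path))) {
      return route.fallback();
    }
    const matched = releaseRunMocks.find(([fragment]) => requestUrl.includes(fragment));
    if (matched) {
      return fulfillJson(route, matched[1]);
    }
    if (requestUrl.includes('/api/v1/workflows/run-rel-001')) {
      return fulfillJson(route, { message: 'not found' }, 404);
    }
    // Any other /api/ call gets an empty 200, which keeps the page loading but also hides
    // requests the specs did not anticipate.
    return fulfillJson(route, {});
  });

  // Gateway-prefixed variants of the AI run and capsule endpoints.
  await page.route('**/gateway/**', (route) => {
    const requestUrl = route.request().url();
    if (requestUrl.includes('/v1/runs/run-ai-001')) {
      return fulfillJson(route, aiRun);
    }
    if (requestUrl.includes('/v1/evidence-packs/cap-ai-001')) {
      return fulfillJson(route, aiCapsule);
    }
    if (requestUrl.includes('/v1/evidence-packs/cap-rel-001')) {
      return fulfillJson(route, releaseCapsule);
    }
    return fulfillJson(route, {});
  });

  // Remaining backend services answer every request with an empty JSON object.
  await page.route('**/policy/**', (route) => fulfillJson(route, {}));
  await page.route('**/scanner/**', (route) => fulfillJson(route, {}));
  await page.route('**/concelier/**', (route) => fulfillJson(route, {}));
  await page.route('**/attestor/**', (route) => fulfillJson(route, {}));
}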
// Every spec starts from a page with the stub session and all route mocks installed.
test.beforeEach(({ page }) => setupHarness(page));
// Opens the AI run, follows its evidence-pack link to the canonical capsule route (which
// must carry a `returnTo` query), then uses the back control to land on the run again.
test('AI runs deep-link into canonical decision capsules and return to the live AI run context', async ({ page }) => {
  const aiRunHeading = page.getByRole('heading', { name: 'AI Run' });
  const capsuleHeading = page.getByRole('heading', { name: 'Decision Capsule' });

  await page.goto('/ops/operations/ai-runs/run-ai-001', { waitUntil: 'networkidle' });
  await expect(aiRunHeading).toBeVisible();

  await page.getByRole('button', { name: 'cap-ai-001' }).click();
  await expect(page).toHaveURL(/\/evidence\/capsules\/cap-ai-001\?returnTo=/);
  await expect(capsuleHeading).toBeVisible();

  await page.getByRole('button', { name: /Back to Previous Context/i }).click();
  // The `$` anchor checks that the return URL carries no leftover query string.
  await expect(page).toHaveURL(/\/ops\/operations\/ai-runs\/run-ai-001$/);
  await expect(aiRunHeading).toBeVisible();
});
// Loads a legacy `/evidence-packs/...` bookmark, expects a redirect to the canonical capsule
// route with the original query preserved, then opens the related release run's evidence tab.
test('legacy evidence-pack bookmarks land on canonical capsules and related runs open the live release workspace', async ({ page }) => {
  await page.goto('/evidence-packs/cap-rel-001?scope=release', { waitUntil: 'networkidle' });
  await expect(page).toHaveURL(/\/evidence\/capsules\/cap-rel-001\?scope=release$/);
  await expect(page.getByRole('heading', { name: 'Decision Capsule' })).toBeVisible();

  const relatedRunButton = page.getByRole('button', { name: 'run-rel-001' });
  await relatedRunButton.click();
  await expect(page).toHaveURL(/\/releases\/runs\/run-rel-001\/evidence\?returnTo=/);

  const releaseHeading = page.getByRole('heading', { name: 'Payments API' });
  const determinismHeading = page.getByRole('heading', { name: 'Determinism', exact: true });
  await expect(releaseHeading).toBeVisible();
  await expect(determinismHeading).toBeVisible();
});