stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
bd78523564bb268967f604801b431d72ffbb1103
git.stella-ops.org/docs/modules/web/architecture.md

299 lines
14 KiB
Markdown
Raw Blame History

# component_architecture_web.md - **Stella Ops Web** (2025Q4)
> Angular 21 frontend SPA for StellaOps console.
> **Scope.** Frontend architecture for **Web**: the Angular 21 single-page application providing the StellaOps console interface.
> **Note:** For the comprehensive Web UI architecture including all features, see [`../ui/architecture.md`](../ui/architecture.md). This file provides a condensed overview.
---
## 0) Mission & boundaries
**Mission.** Provide an **intuitive, responsive web interface** for StellaOps operators to manage scans, review findings, configure policies, and monitor system health.
**Boundaries.**
* Web is a **frontend-only** application. All data comes from backend APIs.
* Web **does not** store sensitive data locally beyond session tokens.
* Supports **offline-first** patterns for air-gapped console access.
---
## 1) Solution & project layout
```
src/Web/StellaOps.Web/
├─ src/
│ ├─ app/
│ │ ├─ core/ # Core services, guards, interceptors
│ │ │ ├─ services/
│ │ │ ├─ guards/
│ │ │ └─ interceptors/
│ │ ├─ shared/ # Shared components, pipes, directives
│ │ │ ├─ components/
│ │ │ ├─ pipes/
│ │ │ └─ directives/
│ │ ├─ features/ # Feature modules
│ │ │ ├─ dashboard/
│ │ │ ├─ scans/
│ │ │ ├─ findings/
│ │ │ ├─ policies/
│ │ │ ├─ settings/
│ │ │ └─ admin/
│ │ └─ app.routes.ts
│ ├─ assets/
│ ├─ environments/
│ └─ styles/
├─ angular.json
├─ package.json
└─ tsconfig.json
```
---
## 2) Technology stack
* **Framework**: Angular 21 with standalone components
* **State management**: NgRx Signals
* **UI components**: Angular Material
* **HTTP**: Angular HttpClient with interceptors
* **Routing**: Angular Router with lazy loading
* **Build**: Angular CLI with esbuild
---
## 3) Key features
| Feature | Path | Description |
|---------|------|-------------|
| Dashboard | `/dashboard` | Overview metrics and alerts |
| Scans | `/scans` | Scan history and details |
| Findings | `/findings` | Vulnerability findings list |
| Compare | `/compare` | Diff view between scans |
| Policies | `/policies` | Policy configuration |
| Settings | `/settings` | User and system settings |
### 3.1 VEX Gate Inline Actions (Sprint 20260208_073)
Quiet-triage promote actions now support inline VEX gating with deterministic evidence tiers:
- `src/Web/StellaOps.Web/src/app/features/vex_gate/vex-gate-button.directive.ts`
- Morphs action buttons into tier-aware gate states:
- Tier 1 -> green (`allow`)
- Tier 2 -> amber (`review`)
- Tier 3 -> red (`block`)
- Emits a `gateBlocked` event on tier-3 actions.
- `src/Web/StellaOps.Web/src/app/features/vex_gate/vex-evidence-sheet.component.ts`
- Renders inline evidence details with tier/verdict metadata and optional DSSE verification hints.
- Integrated in quiet-triage lane promote actions:
- `src/Web/StellaOps.Web/src/app/features/triage/components/quiet-lane/quiet-lane-container.component.ts`
- `src/Web/StellaOps.Web/src/app/features/triage/components/quiet-lane/parked-item-card.component.ts`
The UI behavior remains offline-first and deterministic:
- Tier mapping is derived from local finding attributes only.
- No additional network dependency is required to render gate/evidence states.
### 3.2 Signals Runtime Dashboard (Sprint 20260208_072)
Signals runtime operations now include a dedicated dashboard route:
- Route: `ops/signals`
- Route registration:
- `src/Web/StellaOps.Web/src/app/app.routes.ts`
- `src/Web/StellaOps.Web/src/app/features/signals/signals.routes.ts`
- Feature implementation:
- `src/Web/StellaOps.Web/src/app/features/signals/signals-runtime-dashboard.component.ts`
- `src/Web/StellaOps.Web/src/app/features/signals/services/signals-runtime-dashboard.service.ts`
- `src/Web/StellaOps.Web/src/app/features/signals/models/signals-runtime-dashboard.models.ts`
Dashboard behavior:
- Aggregates signal runtime metrics (`signals/sec`, error rate, average latency) using `SignalsClient` and falls back to gateway request summaries when available.
- Computes deterministic per-host probe health snapshots (eBPF/ETW/dyld/unknown) from signal payload telemetry.
- Presents provider/status distribution summaries and probe status tables without introducing network-only dependencies beyond existing local API clients.
Verification coverage:
- `src/Web/StellaOps.Web/src/tests/signals_runtime_dashboard/signals-runtime-dashboard.service.spec.ts`
- `src/Web/StellaOps.Web/src/tests/signals_runtime_dashboard/signals-runtime-dashboard.component.spec.ts`
### 3.3 Audit Trail Reason Capsule (Sprint 20260208_067)
Findings and triage views now expose a per-row "Why am I seeing this?" reason capsule:
- Audit reasons client contract:
- `src/Web/StellaOps.Web/src/app/core/api/audit-reasons.client.ts`
- Uses `/api/audit/reasons/:verdictId` with deterministic fallback records for offline/unavailable API conditions.
- Reusable capsule component:
- `src/Web/StellaOps.Web/src/app/features/triage/components/reason-capsule/reason-capsule.component.ts`
- Displays policy name, rule ID, graph revision ID, and inputs digest.
- UI integration points:
- `src/Web/StellaOps.Web/src/app/features/findings/findings-list.component.ts`
- `src/Web/StellaOps.Web/src/app/features/findings/findings-list.component.html`
- `src/Web/StellaOps.Web/src/app/features/triage/components/triage-list/triage-list.component.ts`
Verification coverage:
- `src/Web/StellaOps.Web/src/tests/audit_reason_capsule/audit-reasons.client.spec.ts`
- `src/Web/StellaOps.Web/src/tests/audit_reason_capsule/reason-capsule.component.spec.ts`
- `src/Web/StellaOps.Web/src/tests/audit_reason_capsule/findings-list.reason-capsule.spec.ts`
### 3.4 Pack Registry Browser (Sprint 20260208_068)
TaskRunner pack operations now include a dedicated registry browser route:
- Route: `ops/packs`
- Route registration:
- `src/Web/StellaOps.Web/src/app/app.routes.ts`
- `src/Web/StellaOps.Web/src/app/features/pack-registry/pack-registry.routes.ts`
- Feature implementation:
- `src/Web/StellaOps.Web/src/app/features/pack-registry/pack-registry-browser.component.ts`
- `src/Web/StellaOps.Web/src/app/features/pack-registry/services/pack-registry-browser.service.ts`
- `src/Web/StellaOps.Web/src/app/features/pack-registry/models/pack-registry-browser.models.ts`
Browser behavior:
- Lists available and installed packs using `PackRegistryClient`, with deterministic ordering and capability filters.
- Displays DSSE signature status per pack and per version history entry (`verified`, `present`, `unsigned`) and signer metadata when available.
- Executes install/upgrade actions only after compatibility evaluation; incompatible packs are blocked with explicit operator feedback.
- Supports version-history drill-down per pack without introducing additional external dependencies.
Verification coverage:
- `src/Web/StellaOps.Web/src/tests/pack_registry_browser/pack-registry-browser.service.spec.ts`
- `src/Web/StellaOps.Web/src/tests/pack_registry_browser/pack-registry-browser.component.spec.ts`
### 3.5 Pipeline Run-Centric View (Sprint 20260208_069)
Release Orchestrator now provides a unified pipeline run-centric surface that links release status, approvals, deployment progress, evidence state, and first-signal telemetry:
- Route registration:
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/dashboard.routes.ts`
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/runs/runs.routes.ts`
- Feature implementation:
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/runs/models/pipeline-runs.models.ts`
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/runs/services/pipeline-runs.service.ts`
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/runs/pipeline-runs-list.component.ts`
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/runs/pipeline-run-detail.component.ts`
- Dashboard integration entry point:
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/dashboard.component.html`
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/dashboard.component.ts`
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/dashboard.component.scss`
Run-centric behavior:
- Normalizes recent releases into deterministic `pipeline-<releaseId>` run IDs.
- Correlates approvals and active deployments to each run for one-table operator triage.
- Provides per-run stage progression (scan, gates, approval, evidence, deployment) with explicit status details.
- Integrates `FirstSignalCardComponent` on run detail pages for first-signal evidence visibility.
Verification coverage:
- `src/Web/StellaOps.Web/src/tests/pipeline_run_centric/pipeline-runs.service.spec.ts`
- `src/Web/StellaOps.Web/src/tests/pipeline_run_centric/pipeline-runs-list.component.spec.ts`
### 3.6 Reachability Center Coverage Summary (Sprint 20260208_070)
Reachability Center now includes explicit asset/sensor coverage summaries and missing-sensor indicators:
- Feature implementation:
- `src/Web/StellaOps.Web/src/app/features/reachability/reachability-center.component.ts`
- Verification coverage:
- `src/Web/StellaOps.Web/src/app/features/reachability/reachability-center.component.spec.ts`
Coverage behavior:
- Computes deterministic fleet asset coverage percent from fixture rows.
- Computes deterministic runtime sensor coverage percent from online vs expected sensors.
- Surfaces a missing-sensor indicator section listing impacted assets and supports one-click filtering to `missing`.
- Shows per-row sensor gap labels (`all sensors online`, `missing N sensors`) to make observation gaps explicit.
### 3.7 SBOM Graph Reachability Overlay with Time Slider (Sprint 20260208_071)
Graph explorer overlay behavior now supports deterministic lattice-state reachability halos with temporal snapshot exploration:
- Feature implementation:
- `src/Web/StellaOps.Web/src/app/features/graph/graph-overlays.component.ts`
- `src/Web/StellaOps.Web/src/app/features/graph/graph-canvas.component.ts`
Behavior details:
- Reachability legend in overlay controls maps lattice states `SR/SU/RO/RU/CR/CU/X` to explicit halo colors.
- Time slider now binds to deterministic snapshot checkpoints (`current`, `1d`, `7d`, `30d`) and renders timeline event text for each selection.
- Reachability mock data generation is deterministic per `(nodeId, snapshot)` so repeated runs produce stable lattice status, confidence, and observation timestamps.
- Canvas halo stroke colors are derived from lattice state (not generic status), and halo titles include lattice state plus observed timestamp for operator audit context.
Verification coverage:
- `src/Web/StellaOps.Web/src/tests/graph_reachability_overlay/graph-overlays.component.spec.ts`
- `src/Web/StellaOps.Web/src/tests/graph_reachability_overlay/graph-canvas.component.spec.ts`
---
## 4) Authentication
* **OIDC/OAuth2** via Authority module
* **Token refresh** handled by interceptor
* **Session timeout** with configurable duration
---
## 5) Configuration
```typescript
// environment.ts
export const environment = {
production: false,
apiUrl: 'http://localhost:5000/api/v1',
authorityUrl: 'http://localhost:5001',
clientId: 'stellaops-web'
};
```
---
## Related Documentation
* UI module: `../ui/architecture.md`
* Authority: `../authority/architecture.md`
* Auth smoke tests: `../ui/operations/auth-smoke.md`
## 6) Signed Score + Vulnerability Detail Contracts (Sprint 20260304_309)
Delivered contracts:
- `src/Web/StellaOps.Web/src/app/features/security/vulnerability-detail.facade.ts`
- Single API-backed facade for vulnerability detail loading and signed-score verification.
- Consolidates route/malformed/not-found handling for both Security and Security-Risk route trees.
- `src/Web/StellaOps.Web/src/app/features/security/vulnerability-detail-page.component.ts`
- No static CVE payloads. Reads route id and renders deterministic loading/error/not-found states.
- Uses API-backed fields for CVSS/EPSS/KEV, environment impact, gate impact, and witness path.
- `src/Web/StellaOps.Web/src/app/features/security-risk/vulnerability-detail-page.component.ts`
- Uses the shared Security vulnerability detail view; no placeholder text-only implementation remains.
- `src/Web/StellaOps.Web/src/app/shared/components/score/signed-score-ribbon.component.ts`
- Reusable signed-score ribbon for vulnerability and triage detail contexts.
- Supports collapsed/expanded factor breakdown, provenance links, verify action, and policy gate badge (`pass|warn|block`).
- Reuses existing shared score primitives (`ScorePillComponent`, `ScoreBadgeComponent`) instead of duplicating score visuals.
Scanner replay route contract (Web client):
- Implemented by `src/Web/StellaOps.Web/src/app/core/api/proof.client.ts` (`ScoreReplayClient`).
- Canonical paths:
- `POST /api/v1/scans/{scanId}/score/replay`
- `GET /api/v1/scans/{scanId}/score/bundle`
- `POST /api/v1/scans/{scanId}/score/verify`
- `GET /api/v1/scans/{scanId}/score/history`
- Compatibility aliases remain backend-side (`/api/v1/score/{scanId}/...`) while clients migrate, but Web now uses canonical scanner routes.
Coverage:
- `src/Web/StellaOps.Web/src/app/core/api/proof.client.spec.ts`
- `src/Web/StellaOps.Web/src/tests/sprint309/signed-score-ribbon.component.spec.ts`
- `src/Web/StellaOps.Web/src/tests/sprint309/security-vulnerability-detail-page.component.spec.ts`
- `src/Web/StellaOps.Web/src/tests/sprint309/security-risk-vulnerability-detail-page.component.spec.ts`
Remaining planned FE capability (explicitly still planned):
- Signed-score ribbon integration into additional triage detail canvases beyond vulnerability detail routes (not in sprint 309 scope).
Reference in New Issue View Git Blame Copy Permalink